
Table of Contents

Modern Cryptography: Theory and Practice

By Wenbo Mao, Hewlett-Packard Company

Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography,
have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for
many textbooks on cryptography. This book takes a different approach to introducing
cryptography: it pays much more attention to fit-for-application aspects of cryptography. It
explains why "textbook crypto" is only good in an ideal world where data are random and bad
guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by
demonstrating numerous attacks on such schemes, protocols and systems under various real-
world application scenarios. This book chooses to introduce a set of practical cryptographic
schemes, protocols and systems, many of them standards or de facto ones, studies them closely,
explains their working principles, discusses their practical usages, and examines their strong
(i.e., fit-for-application) security properties, often with security evidence formally established.
The book also includes self-contained theoretical background material that is the foundation for
modern cryptography.

Copyright
Hewlett-Packard Professional Books
A Short Description of the Book
Preface
  Scope
  Acknowledgements
List of Figures
List of Algorithms, Protocols and Attacks

Part I: Introduction

Chapter 1. Beginning with a Simple Communication Game
  Section 1.1. A Communication Game
  Section 1.2. Criteria for Desirable Cryptographic Systems and Protocols
  Section 1.3. Chapter Summary
  Exercises

Chapter 2. Wrestling Between Safeguard and Attack
  Section 2.1. Introduction
  Section 2.2. Encryption
  Section 2.3. Vulnerable Environment (the Dolev-Yao Threat Model)
  Section 2.4. Authentication Servers
  Section 2.5. Security Properties for Authenticated Key Establishment
  Section 2.6. Protocols for Authenticated Key Establishment Using Encryption
  Section 2.7. Chapter Summary
  Exercises

Part II: Mathematical Foundations: Standard Notation

Chapter 3. Probability and Information Theory
  Section 3.1. Introduction
  Section 3.2. Basic Concept of Probability
  Section 3.3. Properties
  Section 3.4. Basic Calculation
  Section 3.5. Random Variables and their Probability Distributions
  Section 3.6. Birthday Paradox
  Section 3.7. Information Theory

  Section 3.8. Redundancy in Natural Languages
  Section 3.9. Chapter Summary
  Exercises

Chapter 4. Computational Complexity
  Section 4.1. Introduction
  Section 4.2. Turing Machines
  Section 4.3. Deterministic Polynomial Time
  Section 4.4. Probabilistic Polynomial Time
  Section 4.5. Non-deterministic Polynomial Time
  Section 4.6. Non-Polynomial Bounds
  Section 4.7. Polynomial-time Indistinguishability
  Section 4.8. Theory of Computational Complexity and Modern Cryptography
  Section 4.9. Chapter Summary
  Exercises

Chapter 5. Algebraic Foundations
  Section 5.1. Introduction
  Section 5.2. Groups
  Section 5.3. Rings and Fields
  Section 5.4. The Structure of Finite Fields
  Section 5.5. Group Constructed Using Points on an Elliptic Curve
  Section 5.6. Chapter Summary
  Exercises

Chapter 6. Number Theory
  Section 6.1. Introduction
  Section 6.2. Congruences and Residue Classes
  Section 6.3. Euler's Phi Function
  Section 6.4. The Theorems of Fermat, Euler and Lagrange
  Section 6.5. Quadratic Residues
  Section 6.6. Square Roots Modulo Integer
  Section 6.7. Blum Integers
  Section 6.8. Chapter Summary
  Exercises

Part III: Basic Cryptographic Techniques

Chapter 7. Encryption - Symmetric Techniques
  Section 7.1. Introduction
  Section 7.2. Definition
  Section 7.3. Substitution Ciphers
  Section 7.4. Transposition Ciphers
  Section 7.5. Classical Ciphers: Usefulness and Security
  Section 7.6. The Data Encryption Standard (DES)
  Section 7.7. The Advanced Encryption Standard (AES)
  Section 7.8. Confidentiality Modes of Operation
  Section 7.9. Key Channel Establishment for Symmetric Cryptosystems
  Section 7.10. Chapter Summary
  Exercises

Chapter 8. Encryption - Asymmetric Techniques
  Section 8.1. Introduction
  Section 8.2. Insecurity of "Textbook Encryption Algorithms"
  Section 8.3. The Diffie-Hellman Key Exchange Protocol
  Section 8.4. The Diffie-Hellman Problem and the Discrete Logarithm Problem

  Section 8.5. The RSA Cryptosystem (Textbook Version)
  Section 8.6. Cryptanalysis Against Public-key Cryptosystems
  Section 8.7. The RSA Problem
  Section 8.8. The Integer Factorization Problem
  Section 8.9. Insecurity of the Textbook RSA Encryption
  Section 8.10. The Rabin Cryptosystem (Textbook Version)
  Section 8.11. Insecurity of the Textbook Rabin Encryption
  Section 8.12. The ElGamal Cryptosystem (Textbook Version)
  Section 8.13. Insecurity of the Textbook ElGamal Encryption
  Section 8.14. Need for Stronger Security Notions for Public-key Cryptosystems
  Section 8.15. Combination of Asymmetric and Symmetric Cryptography
  Section 8.16. Key Channel Establishment for Public-key Cryptosystems
  Section 8.17. Chapter Summary
  Exercises

Chapter 9. In An Ideal World: Bit Security of The Basic Public-Key Cryptographic Functions
  Section 9.1. Introduction
  Section 9.2. The RSA Bit
  Section 9.3. The Rabin Bit
  Section 9.4. The ElGamal Bit
  Section 9.5. The Discrete Logarithm Bit
  Section 9.6. Chapter Summary
  Exercises

Chapter 10. Data Integrity Techniques
  Section 10.1. Introduction
  Section 10.2. Definition
  Section 10.3. Symmetric Techniques
  Section 10.4. Asymmetric Techniques I: Digital Signatures
  Section 10.5. Asymmetric Techniques II: Data Integrity Without Source Identification
  Section 10.6. Chapter Summary
  Exercises

Part IV: Authentication

Chapter 11. Authentication Protocols - Principles
  Section 11.1. Introduction
  Section 11.2. Authentication and Refined Notions
  Section 11.3. Convention
  Section 11.4. Basic Authentication Techniques
  Section 11.5. Password-based Authentication
  Section 11.6. Authenticated Key Exchange Based on Asymmetric Cryptography
  Section 11.7. Typical Attacks on Authentication Protocols
  Section 11.8. A Brief Literature Note
  Section 11.9. Chapter Summary
  Exercises

Chapter 12. Authentication Protocols - The Real World
  Section 12.1. Introduction
  Section 12.2. Authentication Protocols for Internet Security
  Section 12.3. The Secure Shell (SSH) Remote Login Protocol
  Section 12.4. The Kerberos Protocol and its Realization in Windows 2000
  Section 12.5. SSL and TLS
  Section 12.6. Chapter Summary
  Exercises

Chapter 13. Authentication Framework for Public-Key Cryptography
  Section 13.1. Introduction
  Section 13.2. Directory-Based Authentication Framework
  Section 13.3. Non-Directory Based Public-key Authentication Framework
  Section 13.4. Chapter Summary
  Exercises

Part V: Formal Approaches to Security Establishment

Chapter 14. Formal and Strong Security Definitions for Public-Key Cryptosystems
  Section 14.1. Introduction
  Section 14.2. A Formal Treatment for Security
  Section 14.3. Semantic Security - the Debut of Provable Security
  Section 14.4. Inadequacy of Semantic Security
  Section 14.5. Beyond Semantic Security
  Section 14.6. Chapter Summary
  Exercises

Chapter 15. Provably Secure and Efficient Public-Key Cryptosystems
  Section 15.1. Introduction
  Section 15.2. The Optimal Asymmetric Encryption Padding
  Section 15.3. The Cramer-Shoup Public-key Cryptosystem
  Section 15.4. An Overview of Provably Secure Hybrid Cryptosystems
  Section 15.5. Literature Notes on Practical and Provably Secure Public-key Cryptosystems
  Section 15.6. Chapter Summary
  Section 15.7. Exercises

Chapter 16. Strong and Provable Security for Digital Signatures
  Section 16.1. Introduction
  Section 16.2. Strong Security Notion for Digital Signatures
  Section 16.3. Strong and Provable Security for ElGamal-family Signatures
  Section 16.4. Fit-for-application Ways for Signing in RSA and Rabin
  Section 16.5. Signcryption
  Section 16.6. Chapter Summary
  Section 16.7. Exercises

Chapter 17. Formal Methods for Authentication Protocols Analysis
  Section 17.1. Introduction
  Section 17.2. Toward Formal Specification of Authentication Protocols
  Section 17.3. A Computational View of Correct Protocols - the Bellare-Rogaway Model
  Section 17.4. A Symbolic Manipulation View of Correct Protocols
  Section 17.5. Formal Analysis Techniques: State System Exploration
  Section 17.6. Reconciling Two Views of Formal Techniques for Security
  Section 17.7. Chapter Summary
  Exercises

Part VI: Cryptographic Protocols

Chapter 18. Zero-Knowledge Protocols
  Section 18.1. Introduction
  Section 18.2. Basic Definitions
  Section 18.3. Zero-knowledge Properties
  Section 18.4. Proof or Argument?
  Section 18.5. Protocols with Two-sided-error
  Section 18.6. Round Efficiency
  Section 18.7. Non-interactive Zero-knowledge
  Section 18.8. Chapter Summary

  Exercises

Chapter 19. Returning to "Coin Flipping Over Telephone"
  Section 19.1. Blum's "Coin-Flipping-By-Telephone" Protocol
  Section 19.2. Security Analysis
  Section 19.3. Efficiency
  Section 19.4. Chapter Summary

Chapter 20. Afterremark

Bibliography

Copyright

Library of Congress Cataloging-in-Publication Data
A CIP catalog record for this book can be obtained from the Library of Congress.

Editorial/production supervision: Mary Sudul
Cover design director: Jerry Votta
Cover design: Talar Boorujy
Manufacturing manager: Maura Zaldivar
Acquisitions editor: Jill Harry
Marketing manager: Dan DePasquale
Publisher, Hewlett-Packard Books: Walter Bruce

© 2004 by Hewlett-Packard Company
Published by Prentice Hall PTR
Prentice-Hall, Inc.
Upper Saddle River, New Jersey 07458

Prentice Hall books are widely used by corporations and government agencies for training,
marketing, and resale.

The publisher offers discounts on this book when ordered in bulk quantities. For more
information, contact Corporate Sales Department, Phone: 800-382-3419; FAX: 201-236-7141;
E-mail: corpsales@prenhall.com
Or write: Prentice Hall PTR, Corporate Sales Dept., One Lake Street, Upper Saddle River, NJ
07458.

Other product or company names mentioned herein are the trademarks or registered trademarks
of their respective owners.

All rights reserved. No part of this book may be reproduced, in any form or by any means,
without permission in writing from the publisher.

Printed in the United States of America
1st Printing

Pearson Education LTD.
Pearson Education Australia PTY, Limited
Pearson Education Singapore, Pte. Ltd.
Pearson Education North Asia Ltd.
Pearson Education Canada, Ltd.
Pearson Educación de Mexico, S.A. de C.V.
Pearson Education Japan
Pearson Education Malaysia, Pte. Ltd.

Dedication

To
Ronghui || Yiwei || Yifan

Hewlett-Packard Professional Books

HP-UX
Fernandez - Configuring CDE
Madell - Disk and File Management Tasks on HP-UX
Olker - Optimizing NFS Performance
Poniatowski - HP-UX 11i Virtual Partitions
Poniatowski - HP-UX 11i System Administration Handbook and Toolkit, Second Edition
Poniatowski - The HP-UX 11.x System Administration Handbook and Toolkit
Poniatowski - HP-UX 11.x System Administration "How To" Book
Poniatowski - HP-UX 10.x System Administration "How To" Book
Poniatowski - HP-UX System Administration Handbook and Toolkit
Poniatowski - Learning the HP-UX Operating System
Rehman - HP Certified: HP-UX System Administration
Sauers/Weygant - HP-UX Tuning and Performance
Weygant - Clusters for High Availability, Second Edition
Wong - HP-UX 11i Security

UNIX, LINUX, WINDOWS, AND MPE I/X
Mosberger/Eranian - IA-64 Linux Kernel
Poniatowski - UNIX User's Handbook, Second Edition
Stone/Symons - UNIX Fault Management

COMPUTER ARCHITECTURE
Evans/Trimper - Itanium Architecture for Programmers
Kane - PA-RISC 2.0 Architecture
Markstein - IA-64 and Elementary Functions

NETWORKING/COMMUNICATIONS
Blommers - Architecting Enterprise Solutions with UNIX Networking
Blommers - OpenView Network Node Manager
Blommers - Practical Planning for Network Growth
Brans - Mobilize Your Enterprise
Cook - Building Enterprise Information Architecture

Lucke - Designing and Implementing Computer Workgroups
Lund - Integrating UNIX and PC Network Operating Systems

SECURITY
Bruce - Security in Distributed Computing
Mao - Modern Cryptography: Theory and Practice
Pearson et al. - Trusted Computing Platforms
Pipkin - Halting the Hacker, Second Edition
Pipkin - Information Security

WEB/INTERNET CONCEPTS AND PROGRAMMING
Amor - E-business (R)evolution, Second Edition
Apte/Mehta - UDDI
Mowbrey/Werry - Online Communities
Tapadiya - .NET Programming

OTHER PROGRAMMING
Blinn - Portable Shell Programming
Caruso - Power Programming in HP OpenView
Chaudhri - Object Databases in Practice
Chew - The Java/C++ Cross Reference Handbook
Grady - Practical Software Metrics for Project Management and Process Improvement
Grady - Software Metrics
Grady - Successful Software Process Improvement
Lewis - The Art and Science of Smalltalk
Lichtenbelt - Introduction to Volume Rendering
Mellquist - SNMP++
Mikkelsen - Practical Software Configuration Management
Norton - Thread Time
Tapadiya - COM+ Programming
Yuan - Windows 2000 GDI Programming

STORAGE
Thornburgh - Fibre Channel for Mass Storage
Thornburgh/Schoenborn - Storage Area Networks
Todman - Designing Data Warehouses

IT/IS

Missbach/Hoffman - SAP Hardware Solutions

IMAGE PROCESSING
Crane - A Simplified Approach to Image Processing
Gann - Desktop Scanners

A Short Description of the Book
Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.
Preface
Our society has entered an era where commerce activities, business transactions and government services have been, and more and more of them will be, conducted and offered over open computer and communications networks such as the Internet, in particular, via WorldWideWeb-based tools. Doing things online has a great advantage of an always-on availability to people in any corner of the world. Here are a few examples of things that have been, can or will be done online:
Banking, bill payment, home shopping, stock trading, auctions, taxation, gambling, micro-payment (e.g., pay-per-downloading), electronic identity, online access to medical records, virtual private networking, secure data archival and retrieval, certified delivery of documents, fair exchange of sensitive documents, fair signing of contracts, time-stamping, notarization, voting, advertising, licensing, ticket booking, interactive games, digital libraries, digital rights management, pirate tracing,
And more can be imagined.
Fascinating commerce activities, transactions and services like these are only possible if communications over open networks can be conducted in a secure manner. An effective solution to securing communications over open networks is to apply cryptography. Encryption, digital signatures and password-based user authentication are some of the most basic cryptographic techniques for securing communications. However, as we shall witness many times in this book, there are surprising subtleties and serious security consequences in the applications of even the most basic cryptographic techniques. Moreover, for many "fancier" applications, such as many listed in the preceding paragraph, the basic cryptographic techniques are no longer adequate.
With an increasingly large demand for safeguarding communications over open networks for more and more sophisticated forms of electronic commerce, business and services[a], an increasingly large number of information security professionals will be needed for designing, developing, analyzing and maintaining information security systems and cryptographic protocols. These professionals may range from IT systems administrators, information security engineers and software/hardware systems developers whose products have security requirements, to cryptographers.
[a] Gartner Group forecasts that total electronic business revenues for business to business (B2B) and business to consumer (B2C) in the European Union will reach a projected US $2.6 trillion in 2004 (with probability 0.7), which is a 28-fold increase from the level of 2000 [5]. Also, eMarketer [104] (page 41) reports that the cost to financial institutions (in USA) due to electronic identity theft was US $1.4 billion in 2002, and forecasts it to grow by a compound annual growth rate of 29%.
In the past few years, the author, a technical consultant on information security and cryptographic systems at Hewlett-Packard Laboratories in Bristol, has witnessed the phenomenon of a progressively increased demand for information security professionals unmatched by an evident shortage of them. As a result, many engineers, who are oriented to application problems and may have little proper training in cryptography and information security, have become "roll-up-sleeves" designers and developers for information security systems or cryptographic protocols. This is in spite of the fact that designing cryptographic systems and protocols is a difficult job even for an expert cryptographer.
The author's job has granted him privileged opportunities to review many information security systems and cryptographic protocols, some of them proposed and designed by "roll-up-sleeves" engineers and intended for use in serious applications. On several occasions, the author observed so-called "textbook crypto" features in such systems, which are the result of applying cryptographic algorithms and schemes in the ways they are usually introduced in many
cryptographic textbooks. Direct encryption of a password (a secret number of a small magnitude) under a basic public-key encryption algorithm (e.g., "RSA") is a typical example of textbook crypto. The appearance of textbook crypto in serious applications with a "non-negligible probability" has led the author to the concern that the general danger of textbook crypto is not widely known to many people who design and develop information security systems for serious real-world applications.
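The password example in the paragraph above, worked through as an added illustration that is not code from the book: a deterministic public-key encryption of a low-entropy value such as a PIN can be audited by re-encrypting every candidate under the public key and comparing, which is exactly why the textbook use fails, while a randomised encoding before exponentiation removes the match. The toy RSA key, the 4-digit PIN space and the simplified random-prefix padding are constructed assumptions for the demonstration; real deployments use a standard padding such as RSA-OAEP rather than the toy padding shown here.

```python
import secrets
from typing import Optional


def is_prime(n: int) -> bool:
    """Trial division: adequate for the million-scale toy primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


# Constructed toy RSA key (assumption: these values come from nowhere in the book).
# Two primes just above one million give a modulus of about 40 bits; the weakness
# shown below does not depend on key size and is just as present at 2048 bits.
P = next_prime(1_000_000)      # 1000003
Q = next_prime(P + 1)          # 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

PIN_BITS = 14    # a 4-digit PIN (0..9999) fits in 14 bits
RAND_BITS = 24   # (r << PIN_BITS) | pin stays below N, since N > 2**39


def textbook_encrypt(m: int) -> int:
    """Textbook RSA: c = m^e mod n. Deterministic, no padding, no randomness."""
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def leaked_pin(c: int, pin_space: int = 10_000) -> Optional[int]:
    """Audit check: can the PIN be read back from a ciphertext using only the
    public key?  Under a deterministic scheme every candidate PIN encrypts to
    exactly one ciphertext, so a match over the small PIN space reveals it."""
    for guess in range(pin_space):
        if textbook_encrypt(guess) == c:
            return guess
    return None


def padded_encrypt(pin: int) -> int:
    """Randomised encoding before exponentiation: a simplified stand-in for a
    proper padding such as RSA-OAEP (assumption: this toy padding is for
    illustration only and is not itself a secure scheme)."""
    r = secrets.randbits(RAND_BITS)
    return pow((r << PIN_BITS) | pin, E, N)


def padded_decrypt(c: int) -> int:
    """Strip the random prefix after decryption and return the PIN."""
    return pow(c, D, N) & ((1 << PIN_BITS) - 1)


if __name__ == "__main__":
    pin = 4321
    c1 = textbook_encrypt(pin)
    print("textbook ciphertext leaks PIN:", leaked_pin(c1))       # 4321
    c2 = padded_encrypt(pin)
    print("padded ciphertext leaks PIN:", leaked_pin(c2))         # None
    print("padded decrypt:", padded_decrypt(c2))                  # 4321
    print("two encryptions differ:", padded_encrypt(pin) != padded_encrypt(pin))
```

The check in leaked_pin is the one a reviewer would run against a design that "just RSA-encrypts the password": it needs only the public key and the ciphertext, and it succeeds whenever the plaintext space is small and the encryption is deterministic. Randomising the encoding makes two encryptions of the same PIN differ and defeats the comparison, which is the property a fit-for-application padding provides.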
Motivated by an increasing demand for information security professionals and a belief that their knowledge in cryptography should not be limited to textbook crypto, the author has written this book as a textbook on non-textbook cryptography. This book endeavors to:
Introduce a wide range of cryptographic algorithms, schemes and protocols with a particular emphasis on their non-textbook versions.
Reveal the general insecurity of textbook crypto by demonstrating a large number of attacks on, and summarizing typical attacking techniques for, such systems.
Provide principles and guidelines for the design, analysis and implementation of cryptographic systems and protocols with a focus on standards.
Study formalism techniques and methodologies for a rigorous establishment of strong and fit-for-application security notions for cryptographic systems and protocols.
Include self-contained and elaborated material as theoretical foundations of modern cryptography for readers who desire a systematic understanding of the subject.
Scope
Modern cryptography is a vast area of study as a result of fast advances made in the past thirty years. This book focuses on one aspect: introducing fit-for-application cryptographic schemes and protocols with their strong security properties evidently established.
The book is organized into the following six parts:
Part I This part contains two chapters (1–2) and serves as an elementary-level introduction for the book and the areas of cryptography and information security. Chapter 1 begins with a demonstration of the effectiveness of cryptography in solving a subtle communication problem. A simple cryptographic protocol (the first protocol of the book) for achieving "fair coin tossing over telephone" will be presented and discussed. This chapter then carries on to conduct a cultural and "trade" introduction to the areas of study. Chapter 2 uses a series of simple authentication protocols to manifest an unfortunate fact in the areas: pitfalls are everywhere.
As an elementary-level introduction, this part is intended for newcomers to the areas.
Part II This part contains four chapters (3–6) as a set of mathematical background knowledge, facts and basis to serve as a self-contained mathematical reference guide for the book. Readers who only intend to "know-how," i.e., know how to use the fit-for-application crypto schemes and protocols, may skip this part yet still be able to follow most contents of the rest of the book. Readers who also want to "know-why," i.e., know why these schemes and protocols have strong security properties, may find that this self-contained mathematical part is a sufficient reference material. When we present working principles of cryptographic schemes and protocols, reveal insecurity for some of them and reason about security for the rest, it will always be possible for us to refer to a precise point in this part of the book for supporting mathematical foundations.
This part can also be used to conduct a systematic background study of the theoretical foundations for modern cryptography.
Part III This part contains four chapters (7–10) introducing the most basic cryptographic algorithms and techniques for providing privacy and data integrity protections. Chapter 7 is for symmetric encryption schemes, Chapter 8 for asymmetric techniques. Chapter 9 considers an important security quality possessed by the basic and popular asymmetric cryptographic functions when they are used in an ideal world in which data are random. Finally, Chapter 10 covers data integrity techniques.
Since the schemes and techniques introduced here are the most basic ones, many of them are in fact in the textbook crypto category and are consequently insecure. While the schemes are introduced, abundant attacks on many schemes will be demonstrated with warning remarks explicitly stated. For practitioners who do not plan to proceed with an in-depth study of fit-for-application crypto and its strong security notions, this textbook crypto part will still provide these readers with explicit early warning signals on the general insecurity of textbook crypto.
Part IV This part contains three chapters (11–13) introducing an important notion in applied cryptography and information security: authentication. These chapters provide a wide coverage of the topic. Chapter 11 includes technical background, principles, a series of basic protocols and standards, common attacking tricks and prevention measures. Chapter 12 is a case study of four well-known authentication protocol systems for real world applications. Chapter 13 introduces techniques which are particularly suitable for open
systems and which cover up-to-date and novel techniques.
Practitioners, such as information security systems administration staff in an enterprise and software/hardware developers whose products have security consequences, may find this part helpful.
Part V This part contains four chapters (14–17) which provide formalism and rigorous treatments for strong (i.e., fit-for-application) security notions for public-key cryptographic techniques (encryption, signature and signcryption) and formal methodologies for the analysis of authentication protocols. Chapter 14 introduces formal definitions of strong security notions. The next two chapters are fit-for-application counterparts to textbook crypto schemes introduced in Part III, with strong security properties formally established (i.e., evidently reasoned). Finally, Chapter 17 introduces formal analysis methodologies and techniques for the analysis of authentication protocols, which we have not been able to deal with in Part IV.
Part VI This is the final part of the book. It contains two technical chapters (18–19) and a short final remark (Chapter 20). The main technical content of this part, Chapter 18, introduces a class of cryptographic protocols called zero-knowledge protocols. These protocols provide an important security service which is needed in various "fancy" electronic commerce and business applications: verification of a claimed property of secret data (e.g., conformance with a business requirement) while preserving a strict privacy quality for the claimant. Zero-knowledge protocols to be introduced in this part exemplify the diversity of special security needs in various real world applications, which are beyond confidentiality, integrity, authentication and non-repudiation. In the final technical chapter of the book (Chapter 19) we will complete the job which has been left over from the first protocol of the book: to realize "fair coin tossing over telephone." That final realization will achieve a protocol which has evidently-established strong security properties yet with an efficiency suitable for practical applications.
Needless to say, a description for each fit-for-application crypto scheme or protocol has to begin with a reason why the textbook crypto counterpart is unfit for application. Invariably, these reasons are demonstrated by attacks on these schemes or protocols, which, by the nature of attacks, often contain a certain degree of subtlety. In addition, a description of a fit-for-application scheme or protocol must also end with an analysis that the strong (i.e., fit-for-application) security properties do hold as claimed. Consequently, some parts of this book inevitably contain mathematical and logical reasoning, deductions and transformations in order to manifest attacks and fixes.
While admittedly fit-for-application cryptography is not a topic for quick mastery or one that can be mastered via light reading, this book, nonetheless, is not one on in-depth research topics which will only be of interest to specialist cryptographers. The things reported and explained in it are well-known and quite elementary to cryptographers. The author believes that they can also be comprehended by non-specialists if the introduction to the subject is provided with plenty of explanations and examples and is supported by self-contained mathematical background and reference material.
The book is aimed at the following readers.
Students who have completed, or are near to completion of, first degree courses in computer science, information science or applied mathematics, and plan to pursue a career in information security. For them, this book may serve as an advanced course in applied cryptography.
Security engineers in high-tech companies who are responsible for the design and development of information security systems. If we say that the consequence of textbook
crypto appearing in an academic research proposal may not be too harmful, since the worst case of the consequence would be an embarrassment, then the use of textbook crypto in an information security product may lead to a serious loss. Therefore, knowing the unfitness of textbook crypto for real world applications is necessary for these readers. Moreover, these readers should have a good understanding of the security principles behind the fit-for-application schemes and protocols so that they can apply the schemes and the principles correctly. The self-contained mathematical foundations material in Part II makes the book a suitable self-teaching text for these readers.
Information security systems administration staff in an enterprise and software/hardware systems developers whose products have security consequences. For these readers, Part I is a simple and essential course for cultural and "trade" training; Parts III and IV form a suitable cut-down set of knowledge in cryptography and information security. These three parts contain many basic crypto schemes and protocols accompanied with plenty of attacking tricks and prevention measures which should be known to, and can be grasped by, this population of readers without burdening them with theoretical foundations.
New Ph.D. candidates beginning their research in cryptography or computer security. These readers will appreciate a single-point reference book which covers formal treatment of strong security notions and elaborates these notions adequately. Such a book can help them to quickly enter into the vast area of study. For them, Parts II, IV, V, and VI constitute a suitable level of literature survey material which can lead them to find further literature, and can help them to shape and specialize their own research topics.
A cut-down subset of the book (e.g., Parts I, II, III and VI) also forms a suitable course in applied cryptography for undergraduate students in computer science, information science and applied mathematics courses.
Acknowledgements
I am deeply grateful to Feng Bao, Colin Boyd, Richard DeMillo, Steven Galbraith, Dieter Gollmann, Keith Harrison, Marcus Leech, Helger Lipmaa, Hoi-Kwong Lo, Javier Lopez, John Malone-Lee, Cary Meltzer, Christian Paquin, Kenny Paterson, David Pointcheval, Vincent Rijmen, Nigel Smart, David Soldera, Paul van Oorschot, Serge Vaudenay and Stefek Zaba. These people gave generously of their time to review chapters or the whole book and provide invaluable comments, criticisms and suggestions which make the book better.
The book also benefits from the following people answering my questions: Mihir Bellare, Jan Camenisch, Neil Dunbar, Yair Frankel, Shai Halevi, Antoine Joux, Marc Joye, Charlie Kaufman, Adrian Kent, Hugo Krawczyk, Catherine Meadows, Bill Munro, Phong Nguyen, Radia Perlman, Marco Ricca, Ronald Rivest, Steve Schneider, Victor Shoup, Igor Shparlinski and Moti Yung.
I would also like to thank Jill Harry at Prentice-Hall PTR and Susan Wright at HP Professional Books for introducing me to book writing and for the encouragement and professional support they provided during the lengthy period of manuscript writing. Thanks also to Jennifer Blackwell, Robin Carroll, Brenda Mulligan, Justin Somma and Mary Sudul at Prentice-Hall PTR and to Walter Bruce and Pat Pekary at HP Professional Books.
I am also grateful to my colleagues at Hewlett-Packard Laboratories Bristol, including David Ball, Richard Cardwell, Liqun Chen, Ian Cole, Gareth Jones, Stephen Pearson and Martin Sadler for technical and literature services and management support.
Bristol, England
May 2003
List of Figures
2.1 A Simplified Pictorial Description of a Cryptographic System 25
3.1 Binomial Distribution 70
4.1 A Turing Machine 87
4.2 The operation of machine Div3 90
4.3 Bitwise Time Complexities of the Basic Modular Arithmetic Operations 103
4.4 All Possible Moves of a Non-deterministic Turing Machine 124
5.1 Elliptic Curve Group Operation 168
7.1 Cryptographic Systems 208
7.2 Feistel Cipher (One Round) 220
7.3 The Cipher Block Chaining Mode of Operation 233
7.4 The Cipher Feedback Mode of Operation 238
7.5 The Output Feedback Mode of Operation 239
10.1 Data Integrity Systems 299
12.1 An Unprotected IP Packet 390
12.2 The Structure of an Authentication Header and its Position in an IP Packet 392
12.3 The Structure of an Encapsulating Security Payload 393
12.4 Kerberos Exchanges 412
14.1 Summary of the Indistinguishable Attack Games 489
14.2 Reduction from an NM-attack to an IND-attack 495
14.3 Reduction from IND-CCA2 to NM-CCA2 497
14.4 Relations Among Security Notions for Public-key Cryptosystems 498
15.1 Optimal Asymmetric Encryption Padding (OAEP) 503
15.2 OAEP as a Two-round Feistel Cipher 504
15.3 Reduction from Inversion of a One-way Trapdoor Function f to an Attack on the f-OAEP Scheme 511
15.4 Reduction from the DDH Problem to an Attack on the Cramer-Shoup Cryptosystem 532
16.1 Reduction from a Signature Forgery to Solving a Hard Problem 551
16.2 Successful Forking Answers to Random Oracle Queries 553

16.3 The PSS Padding 560
16.4 The PSS-R Padding 563
17.1 The CSP Language 609
17.2 The CSP Entailment Axioms 613

List of Algorithms, Protocols and Attacks
Protocol 1.1: Coin Flipping Over Telephone 5
Protocol 2.1: From Alice To Bob 32
Protocol 2.2: Session Key From Trent 34
Attack 2.1: An Attack on Protocol "Session Key From Trent" 35
Protocol 2.3: Message Authentication 39
Protocol 2.4: Challenge Response (the Needham-Schroeder Protocol) 43
Attack 2.2: An Attack on the Needham-Schroeder Protocol 44
Protocol 2.5: Needham-Schroeder Public-key Authentication Protocol 47
Attack 2.3: An Attack on the Needham-Schroeder Public-key Protocol 50
Algorithm 4.1: Euclid Algorithm for Greatest Common Divisor 93
Algorithm 4.2: Extended Euclid Algorithm 96
Algorithm 4.3: Modular Exponentiation 101
Algorithm 4.4: Searching Through Phone Book (a ZPP Algorithm) 108
Algorithm 4.5: Probabilistic Primality Test (a Monte Carlo Algorithm) 110
Algorithm 4.6: Proof of Primality (a Las Vegas Algorithm) 113
Protocol 4.1: Quantum Key Distribution (an Atlantic City Algorithm) 117
Algorithm 4.7: Random k-bit Probabilistic Prime Generation 121
Algorithm 4.8: Square-Freeness Integer 123
Algorithm 5.1: Random Primitive Root Modulo Prime 166
Algorithm 5.2: Point Multiplication for Elliptic Curve Element 171
Algorithm 6.1: Chinese Remainder 182
Algorithm 6.2: Legendre/Jacobi Symbol 191
Algorithm 6.3: Square Root Modulo Prime (Special Cases) 194
Algorithm 6.4: Square Root Modulo Prime (General Case) 196

Algorithm 6.5: Square Root Modulo Composite 197
Protocol 7.1: A Zero-knowledge Protocol Using Shift Cipher 216
Protocol 8.1: The Diffie-Hellman Key Exchange Protocol 249
Attack 8.1: Man-in-the-Middle Attack on the Diffie-Hellman Key Exchange Protocol 251
Algorithm 8.1: The RSA Cryptosystem 258
Algorithm 8.2: The Rabin Cryptosystem 269
Algorithm 8.3: The ElGamal Cryptosystem 274
Algorithm 9.1: Binary Searching RSA Plaintext Using a Parity Oracle 289
Algorithm 9.2: Extracting Discrete Logarithm Using a Parity Oracle 293
Algorithm 9.3: Extracting Discrete Logarithm Using a "Half-order Oracle" 294
Algorithm 10.1: The RSA Signature Scheme 309
Algorithm 10.2: The Rabin Signature Scheme 312
Algorithm 10.3: The ElGamal Signature Scheme 314
Algorithm 10.4: The Schnorr Signature Scheme 319
Algorithm 10.5: The Digital Signature Standard 320
Algorithm 10.6: Optimal Asymmetric Encryption Padding for RSA (RSA-OAEP) 324
Protocol 11.1: ISO Public Key Three-Pass Mutual Authentication Protocol 346
Attack 11.1: Wiener's Attack on ISO Public Key Three-Pass Mutual Authentication Protocol 347
Protocol 11.2: The Woo-Lam Protocol 350
Protocol 11.3: Needham's Password Authentication Protocol 352
Protocol 11.4: The S/KEY Protocol 355
Protocol 11.5: Encrypted Key Exchange (EKE) 357
Protocol 11.6: The Station-to-Station (STS) Protocol 361
Protocol 11.7: Flawed "Authentication-only" STS Protocol 363
Attack 11.2: An Attack on the "Authentication-only" STS Protocol 364
Attack 11.3: Lowe's Attack on the STS Protocol (a Minor Flaw) 366
Attack 11.4: An Attack on the S/KEY Protocol 371

Attack 11.5: A Parallel-Session Attack on the Woo-Lam Protocol 372
Attack 11.6: A Reflection Attack on a "Fixed" Version of the Woo-Lam Protocol 374
Protocol 11.8: A Minor Variation of the Otway-Rees Protocol 379
Attack 11.7: An Attack on the Minor Variation of the Otway-Rees Protocol 381
Protocol 12.1: Signature-based IKE Phase 1 Main Mode 397
Attack 12.1: Authentication Failure in Signature-based IKE Phase 1 Main Mode 399
Protocol 12.2: A Typical Run of the TLS Handshake Protocol 421
Algorithm 13.1: Shamir's Identity-based Signature Scheme 437
Algorithm 13.2: The Identity-Based Cryptosystem of Boneh and Franklin 451
Protocol 14.1: Indistinguishable Chosen-plaintext Attack 465
Protocol 14.2: A Fair Deal Protocol for the SRA Mental Poker Game 469
Algorithm 14.1: The Probabilistic Cryptosystem of Goldwasser and Micali 473
Algorithm 14.2: A Semantically Secure Version of the ElGamal Cryptosystem 476
Protocol 14.3: "Lunchtime Attack" (Non-adaptive Indistinguishable Chosen-ciphertext Attack) 483
Protocol 14.4: "Small-hours Attack" (Indistinguishable Adaptive Chosen-ciphertext Attack) 488
Protocol 14.5: Malleability Attack in Chosen-plaintext Mode 491
Algorithm 15.1: The Cramer-Shoup Public-key Cryptosystem 526
Algorithm 15.2: Product of Exponentiations 529
Algorithm 16.1: The Probabilistic Signature Scheme (PSS) 561
Algorithm 16.2: The Universal RSA-Padding Scheme for Signature and Encryption 564
Algorithm 16.3: Zheng's Signcryption Scheme SCSI 568
Algorithm 16.4: Two Birds One Stone: RSA-TBOS Signcryption Scheme 573
Protocol 17.1: The Needham-Schroeder Symmetric-key Authentication Protocol in Refined Specification 585

Protocol 17.2: The Woo-Lam Protocol in Refined Specification 586
Protocol 17.3: The Needham-Schroeder Public-key Authentication Protocol 588
Protocol 17.4: The Needham-Schroeder Public-key Authentication Protocol in Refined Specification 588
Protocol 17.5: Another Refined Specification of the Needham-Schroeder Public-key Authentication Protocol 589
Protocol 17.6: MAP1 595
Protocol 18.1: An Interactive Proof Protocol for Subgroup Membership 623
Protocol 18.2: Schnorr's Identification Protocol 630
Protocol 18.3: A Perfect Zero-knowledge Proof Protocol for Quadratic Residuosity 642
Protocol 18.4: ZK Proof that N Has Two Distinct Prime Factors 645
Protocol 18.5: "Not To Be Used" 651
Protocol 18.6: Chaum's ZK Proof of Dis-Log-EQ Protocol 654
Protocol 19.1: Blum's Coin-Flipping-by-Telephone Protocol 667

Part I: Introduction
The first part of this book consists of two introductory chapters. They introduce us to some of the most basic concepts in cryptography and information security, to the environment in which we communicate and handle sensitive information, to several well-known figures who act in that environment and the standard modus operandi of some of them who play the role of bad guys, to the culture of the communities for research and development of cryptographic and information security systems, and to the fact of extreme error proneness of these systems.
As an elementary-level introduction, this part is intended for newcomers to the areas.

Chapter 1. Beginning with a Simple Communication Game
We begin this book with a simple example of applying cryptography to solve a simple problem. This example of cryptographic application serves three purposes from which we will unfold the topics of this book:
To provide an initial demonstration of the effectiveness and practicality of using cryptography for solving subtle problems in applications
To suggest an initial hint on the foundation of cryptography
To begin our process of establishing a required mindset for conducting the development of cryptographic systems for information security
To begin with, we shall pose a trivially simple problem and then solve it with an equally simple solution. The solution is a two-party game which is very familiar to all of us. However, we will realize that our simple game soon becomes troublesome when our game-playing parties are physically remote from each other. The physical separation of the game-playing parties eliminates the basis for the game to be played fairly. The trouble then is, the game-playing parties cannot trust the other side to play the game fairly.
The need for fair playing of the game for remote players will "inspire" us to strengthen our simple game by protecting it with a shield of armor. Our strengthening method follows the long established idea for protecting communications over open networks: hiding information using cryptography.
After having applied cryptography and reached a quality solution to our first security problem, we shall conduct a series of discussions on the quality criteria for cryptographic systems (Section 1.2). The discussions will serve as a background and cultural introduction to the areas in which we research and develop technologies for protecting sensitive information.

1.1 A Communication Game
Here is a simple problem. Two friends, Alice and Bob[a], want to spend an evening out together, but they cannot decide whether to go to the cinema or the opera. Nevertheless, they reach an agreement to let a coin decide: playing a coin tossing game which is very familiar to all of us.
[a] They are the most well-known figures in the area of cryptography, cryptographic protocols and information security; they will appear in most of the cryptographic protocols in this book.
Alice holds a coin and says to Bob, "You pick a side then I will toss the coin." Bob does so and then Alice tosses the coin in the air. Then they both look to see which side of the coin landed on top. If Bob's choice is on top, Bob may decide where they go; if the other side of the coin lands on top, Alice makes the decision.
In the study of communication procedures, a multi-party-played game like this one can be given a "scientific sounding" name: protocol. A protocol is a well-defined procedure running among a plural number of participating entities. We should note the importance of the plurality of the game participants; if a procedure is executed entirely by one entity only then it is a procedure and cannot be called a protocol.
1.1.1 Our First Application of Cryptography
Now imagine that the two friends are trying to run this protocol over the telephone. Alice offers Bob, "You pick a side. Then I will toss the coin and tell you whether or not you have won." Of course Bob will not agree, because he cannot verify the outcome of the coin toss.
However we can add a little bit of cryptography to this protocol and turn it into a version workable over the phone. The result will become a cryptographic protocol, our first cryptographic protocol in this book! For the time being, let us just consider our "cryptography" as a mathematical function f(x) which maps over the integers and has the following magic properties:
Property 1.1: Magic Function f
I. For every integer x, it is easy to compute f(x) from x, while given any value f(x) it is impossible to find any information about a pre-image x, e.g., whether x is an odd or even number.

II. It is impossible to find a pair of integers (x, y) satisfying x ≠ y and f(x) = f(y).
Protocol 1.1: Coin Flipping Over Telephone
PREMISE
Alice and Bob have agreed:
i. a "magic function" f with properties specified in Property 1.1;
ii. an even number x in f(x) represents HEADS and the other case represents TAILS.
(* Caution: due to (ii), this protocol has a weakness, see Exercise 1.2 *)
1. Alice picks a large random integer x and computes f(x); she reads f(x) to Bob over the phone;
2. Bob tells Alice his guess of x as even or odd;
3. Alice reads x to Bob;
4. Bob verifies f(x) and sees the correctness/incorrectness of his guess.
In Property 1.1, the adjectives "easy" and "impossible" have meanings which need further explanation. Also because these words are related to a degree of difficulty, we should be clear about their quantifications. However, since for now we view the function f as a magic one, it is safe for us to use these words in the way they are used in the common language. In Chapter 4 we will provide mathematical formulations for various uses of "easy" and "impossible" in this book. One important task for this book is to establish various quantitative meanings for "easy," "difficult" or even "impossible." In fact, as we will eventually see in the final technical chapter of this book (Chapter 19), in our final realization of the coin-flipping protocol the two uses of "impossible" for the "magic function" in Property 1.1 will have very different quantitative measures.
Suppose that the two friends have agreed on the magic function f. Suppose also that they have agreed that, e.g., an even number represents HEADS and an odd number represents TAILS. Now they are ready to run our first cryptographic protocol, Prot 1.1, over the phone.
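The four steps of Prot 1.1, written out as an executable exchange. This is an added example, not code from the book: the book leaves the magic function f abstract, so SHA-256 over a fixed-width encoding of x is assumed here as a stand-in for f, and x is assumed to be a 256-bit random integer (the "large random integer" of Step 1). Step 4 is written so that Bob rejects any reveal that does not open the value he was read in Step 1 before he even looks at its parity, which is exactly the commitment the analysis in 1.1.1.1 relies on.

```python
"""Protocol 1.1 (Coin Flipping Over Telephone) as an executable exchange.

Added example; this is not code from the book.  Assumptions made here:
  * the book's "magic function" f is abstract; SHA-256 over a fixed-width
    big-endian encoding of x stands in for it;
  * x is a 256-bit random integer, so Bob cannot learn its parity by
    trying pre-images of the value Alice read to him.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

X_BITS = 256  # width of Alice's random x (assumption, not from the book)


def f(x: int) -> bytes:
    """Stand-in for the magic function f: easy to evaluate and, under the
    usual assumptions about SHA-256, pre-image hiding and collision resistant."""
    if not 0 <= x < (1 << X_BITS):
        raise ValueError("x must be a non-negative %d-bit integer" % X_BITS)
    return hashlib.sha256(x.to_bytes(X_BITS // 8, "big")).digest()


def coin_side(x: int) -> str:
    """Premise (ii): an even x represents HEADS, an odd x represents TAILS."""
    return "HEADS" if x % 2 == 0 else "TAILS"


def alice_commit(x: Optional[int] = None) -> Tuple[int, bytes]:
    """Step 1: Alice picks a large random x and reads f(x) to Bob.
    Returns (x, f(x)); only f(x) goes over the phone."""
    if x is None:
        x = secrets.randbits(X_BITS)
    return x, f(x)


def bob_guess(guess: Optional[str] = None) -> str:
    """Step 2: Bob, seeing only f(x), guesses the parity of x."""
    if guess is None:
        guess = secrets.choice(("HEADS", "TAILS"))
    if guess not in ("HEADS", "TAILS"):
        raise ValueError("guess must be HEADS or TAILS")
    return guess


def bob_verify(commitment: bytes, revealed_x: int, guess: str) -> bool:
    """Step 4: Bob recomputes f on the x Alice read to him in Step 3.
    Raises if it does not match the Step 1 value (Alice tried to change
    her mind); otherwise returns True iff Bob's guess was right."""
    if f(revealed_x) != commitment:
        raise ValueError("f(x) does not open the committed value: reveal rejected")
    return coin_side(revealed_x) == guess


def run_protocol(x: Optional[int] = None,
                 guess: Optional[str] = None) -> Dict[str, object]:
    """Run all four steps and return the transcript both sides can check."""
    x, commitment = alice_commit(x)               # Alice -> Bob: f(x)   (Step 1)
    g = bob_guess(guess)                          # Bob -> Alice: guess  (Step 2)
    revealed = x                                  # Alice -> Bob: x      (Step 3)
    bob_wins = bob_verify(commitment, revealed, g)  # Bob checks f(x)    (Step 4)
    return {
        "commitment": commitment.hex(),
        "guess": g,
        "x": revealed,
        "coin": coin_side(revealed),
        "bob_wins": bob_wins,
    }


if __name__ == "__main__":
    print(run_protocol())
```

The reason Step 1 insists on a large random x is visible in this stand-in: if x were drawn from a small set, Bob could simply evaluate f on every candidate and read off the parity before guessing, so the "impossible to find any information about a pre-image" clause of Property I would not hold for the concrete f.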
It is not difficult to argue that Protocol "Coin Flipping Over Telephone" works quite well over the telephone. The following is a rudimentary "security analysis." (Warning: the reason for us to quote "security analysis" is because our analysis provided here is far from adequate.)
1.1.1.1 A Rudimentary "Security Analysis"
First, from "Property II" of f, Alice is unable to find two different numbers x and y, one odd and the other even (this can be expressed as x ≢ y (mod 2)), such that f(x) = f(y). Thus, once having read the value f(x) to Bob over the phone (Step 1), Alice has committed to her choice of

x and cannot change her mind. That's when Alice has completed her coin flipping.
Secondly, due to "Property I" of f, given the value f(x), Bob cannot determine whether the pre-image used by Alice is odd or even and so has to place his guess (in Step 2) as a real guess (i.e., an uneducated guess). At this point, Alice can convince Bob whether he has guessed right or wrong by revealing her pre-image x (Step 3). Indeed, Bob should be convinced if his own evaluation of f(x) (in Step 4) matches the value told by Alice in Step 1 and if he believes that the properties of the agreed function hold. Also, the coin-flipping is fair if x is taken from an adequately large space so that Bob could not have a guessing advantage, that is, some strategy that gives him a greater than 50-50 chance of winning.
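The exchange analyzed above, run end to end, as an added example that is not part of the book: Alice's commitment f(x), Bob's guess, Alice's reveal and Bob's check, with SHA-1 playing the role of the magic function f (the book's own suggestion for the low-stakes setting in §1.2.1). The bit lengths, the fixed-width encoding of x, the use of Python's `secrets` module for Alice's randomness and the function names are assumptions made for this example. The last function is Bob's cheating strategy when x is drawn from too small a space: he enumerates every candidate pre-image, which is exactly the guessing advantage the analysis says an adequately large space must rule out.

```python
"""Prot 1.1, "Coin Flipping Over Telephone", instantiated with SHA-1 as the
magic function f. Added example, not code from the book; SHA-1 as f follows
the book's own low-stakes suggestion, everything else here is an assumption."""
import hashlib
import secrets
from typing import Optional, Tuple

HEADS, TAILS = "HEADS", "TAILS"


def f(x: int, nbytes: int) -> str:
    """The agreed one-way function f: SHA-1 over a fixed-width encoding of x.
    Fixed width pins down exactly one byte string per integer, so the
    commitment is to the number x and not to one particular spelling of it."""
    return hashlib.sha1(x.to_bytes(nbytes, "big")).hexdigest()


def outcome(x: int) -> str:
    """Agreed convention: even pre-image represents HEADS, odd represents TAILS."""
    return HEADS if x % 2 == 0 else TAILS


def alice_commit(nbits: int) -> Tuple[int, str]:
    """Step 1: Alice draws x uniformly from a 2^nbits space (nbits a multiple
    of 8) and reads f(x) to Bob. She keeps x; f(x) is all Bob learns."""
    x = secrets.randbelow(1 << nbits)
    return x, f(x, nbits // 8)


def bob_guess() -> str:
    """Step 2: Bob's guess. By Property I, f(x) tells him nothing about the
    parity of x, so the best he can do is toss a fair coin of his own."""
    return secrets.choice((HEADS, TAILS))


def bob_verify(commitment: str, x: int, nbits: int, guess: str) -> bool:
    """Steps 3-4: Alice reveals x; Bob recomputes f(x) and compares it with
    the value read in Step 1. Only then does he accept the outcome."""
    if f(x, nbits // 8) != commitment:
        raise ValueError("revealed x does not match the commitment")
    return outcome(x) == guess


def run_protocol(nbits: int = 128) -> Tuple[str, bool]:
    """One honest round: returns (coin result, whether Bob guessed right)."""
    x, c = alice_commit(nbits)
    g = bob_guess()
    return outcome(x), bob_verify(c, x, nbits, g)


def bob_brute_force_parity(commitment: str, nbits: int) -> Optional[str]:
    """Bob's cheating strategy when the pre-image space is too small: try every
    candidate x, find the one whose f(x) matches, and read off its parity. This
    is the 'guessing advantage' the analysis warns about. It is feasible for
    nbits around 16-24 and hopeless for nbits = 128 (2^128 SHA-1 calls)."""
    for cand in range(1 << nbits):
        if f(cand, nbits // 8) == commitment:
            return outcome(cand)
    return None
```

Calling run_protocol() plays one fair round. With a 16-bit x, bob_brute_force_parity recovers Alice's parity with certainty after at most 65536 SHA-1 evaluations, so Bob wins every time; the same routine against a 128-bit x never finishes. The protocol messages are the same in both cases, which is why the size of the space x is drawn from has to be part of the specification and not a hidden assumption.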
We should notice that in our "security analysis" for Prot 1.1 we have made a number of simplifications and omissions. As a result, the current version of the protocol is far from a concrete realization. Some of these simplifications and omissions will be discussed in this chapter. However, necessary techniques for a proper and concrete realization of this protocol and methodologies for analyzing its security will be the main topics for the remainder of the whole book. We shall defer the proper and concrete realization of Prot 1.1 (more precisely, the "magic function" f) to the final technical chapter of this book (Chapter 19). There, we will be technically ready to provide a formal security analysis on the concrete realization.
1.1.2 An Initial Hint on Foundations of Cryptography
Although our first protocol is very simple, it indeed qualifies as a cryptographic protocol because the "magic function" the protocol uses is a fundamental ingredient for modern cryptography: a one-way function. The two magic properties listed in Property 1.1 pose two computationally intractable problems, one for Alice, and the other for Bob.
From our rudimentary security analysis for Prot 1.1 we can claim that the existence of a one-way function implies a possibility for secure selection of a recreation venue. The following is a reasonable generalization of this claim:
The existence of a one-way function implies the existence of a secure cryptographic system.
It is now well understood that the converse of this claim is also true:
The existence of a secure cryptographic system implies the existence of a one-way function.
It is widely believed that one-way functions do exist. Therefore we are optimistic about securing our information. Our optimism is often confirmed by our everyday experience: many processes in our world, mathematical or otherwise, have a one-way property. Consider the following phenomenon in physics (though not an extremely precise analogy for mathematics): it is an easy process for a glass to fall on the floor and break into pieces while dispersing a certain amount of energy (e.g., heat, sound or even some dim light) into the surrounding environment. The reverse process, recollecting the dispersed energy and using it to reintegrate the broken pieces back into a whole glass, must be a very hard problem if not impossible. (If possible, the fully recollected energy could actually bounce the reintegrated glass back to the height where it started to fall!)
In Chapter 4 we shall see a class of mathematical functions which provide the needed one-way properties for modern cryptography.
1.1.3 Basis of Information Security: More than Computational Intractability

We have just claimed that information security requires certain mathematical properties. Moreover, we have further made an optimistic assertion in the converse direction: mathematical properties imply (i.e., guarantee) information security.
However, in reality, the latter statement is not unconditionally true! Security in real world applications depends on many real world issues. Let us explain this by continuing to use our first protocol example.
We should point out that many important issues have not been considered in our rudimentary security analysis for Prot 1.1. In fact, Prot 1.1 itself is a much simplified specification. It has omitted some details which are important to the security services that the protocol is designed to offer. The omission has prevented us from asking several questions.
For instance, we may ask: has Alice really been forced to stick to her choice of x? Likewise, has Bob really been forced to stick to his even-odd guess of x? By "forced," we mean whether voice over telephone is sufficient for guaranteeing the strong mathematical property to take effect. We may also ask whether Alice has a good random number generator for her to acquire the random number x. This quality can be crucially important in a more serious application which requires making a fair decision.
All these details have been omitted from this simplified protocol specification and therefore they become hidden assumptions (more on this later). In fact, if this protocol is used for making a more serious decision, it should include some explicit instructions. For example, both participants may consider recording the other party's voice when the value f(x) and the even/odd guess are pronounced over the phone, and replay the record in case of dispute.
Often cryptographic systems and protocols, in particular those introduced by a textbook on cryptography, are specified with simplifications similar to the case in Protocol "Coin Flipping Over Telephone." Simplifications can help to achieve presentation clarity, especially when some agreement may be thought of as obvious. But sometimes a hidden agreement or assumption may be subtle and can be exploited to result in a surprising consequence. This is somewhat ironic to the "presentation clarity" which is originally intended by omitting some details. A violation of an assumption of a security system may allow an attack to be exploited and the consequence can be the nullification of an intended service. It is particularly difficult to notice a violation of a hidden assumption. In §1.2.5 we shall provide a discussion on the importance of explicit design and specification of cryptographic systems.
A main theme of this book is to explain that security for real world applications has many application related subtleties which must be considered seriously.
1.1.4 Modern Role of Cryptography: Ensuring Fair Play of Games
Cryptography was once a preserve of governments. Military and diplomatic organizations used it to keep messages secret. Nowadays, however, cryptography has a modernized role in addition to keeping secrecy of information: ensuring fair play of "games" by a much enlarged population of "game players." That is part of the reason why we have chosen to begin this book on cryptography with a communication game.
Deciding on a recreation venue may not be seen as a serious business, and so doing it via flipping a coin over the phone can be considered as just playing a small communication game for fun. However, there are many communication "games" which must be taken much more seriously. With more and more business and e-commerce activities being and to be conducted electronically over open communications networks, many cases of our communications involve various kinds of "game playing." (In the Preface of this book we have listed various business and services examples which can be conducted or offered electronically over open networks; all of

them involve some interactive actions of the participants by following a set of rules, which can be viewed as "playing communication games".) These "games" can be very important!
In general, the "players" of such "games" are physically distant from each other and they communicate over open networks which are notorious for lack of security. The physical distance combined with the lack of security may help and/or encourage some of the "game players" (some of whom can even be uninvited) to try to defeat the rules of the game in some clever way. The intention for defeating the rules of the game is to try to gain some unentitled advantage, such as causing disclosure of confidential information, modification of data without detection, forgery of false evidence, repudiation of an obligation, damage of accountability or trust, reduction of availability or nullification of services, and so on. The importance of our modern communications in business, in the conduct of commerce and in providing services (and many more others, such as securing missions of companies, personal information, military actions and state affairs) means that no unentitled advantage should be gained by a player who does not conform to the rules of the game.
In our development of the simple "Coin-Flipping-Over-Telephone" cryptographic protocol, we have witnessed the process whereby an easy-to-sabotage communication game evolves into a cryptographic protocol and thereby offers desired security services. Our example demonstrates the effectiveness of cryptography in maintaining the order of "game playing." Indeed, the use of cryptography is an effective and the only practical way to ensure secure communications over open computers and communications networks. Cryptographic protocols are just communication procedures armored with the use of cryptography and thereby have protective functions designed to keep communications in good order. The endless need for securing communications for electronic commerce, business and services coupled with another need for anticipating the ceaseless temptation of "breaking the rules of the game" have resulted in the existence of many cryptographic systems and protocols, which form the subject matter of this book.

1.2 Criteria for Desirable Cryptographic Systems and Protocols
We should start by asking a fundamental question:
What is a good cryptographic system/protocol?
Undoubtedly this question is not easy to answer! One reason is that there are many answers to it depending on the various meanings the word good may have. It is a main task for this book to provide comprehensive answers to this fundamental question. However, here in this first chapter we should provide a few initial answers.
1.2.1 Stringency of Protection Tuned to Application Needs
Let us begin by considering our first cryptographic protocol, designed in §1.1.1.
We can say that Protocol "Coin Flipping Over Telephone" is good in the sense that it is conceptually very simple. Some readers who may already be familiar with many practical one-way hash functions, such as SHA-1 (see §10.3.1), might further consider that the function f(x) is also easy to implement even in a pocket calculator. For example, an output from SHA-1 is a bit string of length 160 bits, or 20 bytes (1 byte = 8 bits); using the hexadecimal encoding scheme (see Example 5.17) such an output can be encoded into 40 hexadecimal characters[b] and so it is just not too tedious for Alice (Bob) to read (and jot down) over the phone. Such an implementation should also be considered sufficiently secure for Alice and Bob to decide their recreation venue: if Alice wants to cheat, she faces a non-trivial difficulty in order to find x ≢ y (mod 2) with f(x) = f(y); likewise, Bob will also have to face a non-trivial difficulty, that is, given f(x), to determine whether x is even or odd.
[b] Hexadecimal characters are those in the set {0, 1, 2, ..., 9, A, B, ..., F} representing the 16 cases of 4-bit numbers.
However, our judgement on the quality of Protocol "Coin Flipping Over Telephone" realized using SHA-1 is based on the level of non-seriousness that the game players expect of the consequence of the game. In many more serious applications (e.g., one which we shall discuss in §1.2.4), a fair coin-flipping primitive for cryptographic use will in general require much stronger one-way and commitment-binding properties than a practical one-way hash function, such as SHA-1, can offer. We should notice that a function with the properties specified in Property 1.1, if we take the word "impossible" literally, is a completely secure one-way function. Such a function is not easily implementable. Worse, even its very existence remains an open question (even though we are optimistic about the existence, see our optimistic view in §1.1.2; we shall further discuss the condition for the existence of a one-way function in Chapter 4). Therefore, for more serious applications of fair coin-flipping, practical hash functions won't be considered good; much more stringent cryptographic techniques are necessary. On the other hand, for deciding a recreation venue, use of heavyweight cryptography is clearly unnecessary or overkill.
We should point out that there are applications where a too-strong protection will even prevent an intended security service from functioning properly. For example, Rivest and Shamir propose a micropayment scheme, called MicroMint [242], which works by making use of a known deficiency in an encryption algorithm to their advantage. That payment system exploits a reasonable assumption that only a resourceful service provider (e.g., a large bank or financial institute) is able to prepare a large number of "collisions" under a practical one-way function, and do so economically. This is to say that the service provider can compute k distinct numbers

(x1, x2, ..., xk) satisfying f(x1) = f(x2) = ... = f(xk). The numbers x1, x2, ..., xk are called a collision under the one-way function f. A pair of collisions can be checked efficiently since the one-way function can be evaluated efficiently; such a pair can be considered to have been issued by the resourceful service provider and hence can represent a certified value. The Data Encryption Standard (DES, see §7.6) is suggested as a suitable algorithm for implementing such a one-way function ([242]) and so to achieve a relatively small output space (64 binary bits). Thus, unlike in the normal cryptographic use of one-way functions where a collision almost certainly constitutes a successful attack on the system (for example, in the case of Protocol "Coin Flipping Over Telephone"), in MicroMint, collisions are used in order to enable a fancy micropayment service! Clearly, a strong one-way function with a significantly larger output space (i.e., much larger than 64 bits, such as SHA-1 with 160 bits) will nullify this service even for a resourceful service provider (in §3.6 we will study the computational complexity for finding collisions under a hash function).
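The MicroMint idea above, as an added example that is neither the book's code nor the MicroMint scheme itself: a one-way function with a deliberately small output space (SHA-1 truncated to t bits stands in for the 64-bit DES-based function suggested in [242]), a mint that finds a pair collision by birthday search, and a verifier that checks a coin with two evaluations of the function. The coin format, the random 8-byte pre-images, the parameter t and the function names are assumptions of this example; the expected-work formula is the standard birthday bound.

```python
"""Collisions as a feature, not a bug: a MicroMint-style 'coin' is a pair of
distinct pre-images colliding under a small-output one-way function. Added
example, not code from the book or from MicroMint [242]. SHA-1 truncated to
t bits stands in for the scheme's 64-bit DES-based function (assumption)."""
import hashlib
import math
import secrets
from typing import Dict, Tuple


def f_small(x: bytes, t: int) -> int:
    """One-way function with a t-bit output space: SHA-1 truncated to its top
    t bits. Keeping t small is what makes collisions affordable for the mint."""
    digest = hashlib.sha1(x).digest()
    return int.from_bytes(digest, "big") >> (160 - t)


def mint_coin(t: int, max_tries: int = 1 << 24) -> Tuple[Tuple[bytes, bytes], int]:
    """The resourceful mint's job: evaluate f_small on random inputs, remember
    every output, and stop at the first repeat (birthday search, about
    2^(t/2) evaluations). Returns the colliding pair and the work spent."""
    seen: Dict[int, bytes] = {}
    for tries in range(1, max_tries + 1):
        x = secrets.token_bytes(8)
        y = f_small(x, t)
        if y in seen and seen[y] != x:
            return (seen[y], x), tries
        seen[y] = x
    raise RuntimeError("no collision found within the evaluation budget")


def verify_coin(coin: Tuple[bytes, bytes], t: int) -> bool:
    """Anyone can check a coin with two evaluations of f_small: the pre-images
    must differ and must collide. Cheap to verify, expensive to produce."""
    x1, x2 = coin
    return x1 != x2 and f_small(x1, t) == f_small(x2, t)


def birthday_bound(t: int) -> float:
    """Expected evaluations to find a pair collision in a 2^t output space,
    sqrt(pi/2 * 2^t). About 1300 for t = 20; about 2^80 for t = 160 (full
    SHA-1), which is why a large output space nullifies the service even for
    a rich mint."""
    return math.sqrt(math.pi / 2 * (2 ** t))
```

For t = 20 the mint finds a pair in roughly 1300 evaluations, and verify_coin accepts it with two. Raising t to 160 leaves the verifier exactly as cheap but puts the minting search at about 2^80 evaluations, which is the precise sense in which the scheme depends on the output space being small: the entire asymmetry between mint and public lives in the cost of producing a collision, not in the cost of checking one.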
Although it is understandable that using heavyweight cryptographic technologies in the design of security systems (for example, wrapping with layers of encryption, arbitrarily using digital signatures, calling for online services from a trusted third party or even from a large number of them) may provide a better feeling that a stronger security may have been achieved (it may also ease the design job), often this feeling only provides a false sense of assurance. Reaching the point of overkill with unnecessary armor is undesirable because in so doing it is more likely to require stronger security assumptions and to result in a more complex system. A complex system can also mean an increased difficulty for security analysis (hence more likelihood to be error-prone) and secure implementation, a poorer performance, and a higher overhead cost for running and maintenance.
It is more interesting and a more challenging job to design cryptographic or security systems which use only necessary techniques while achieving adequate security protection. This is an important element for cryptographic and security systems to qualify as good.
1.2.2 Confidence in Security Based on Established "Pedigree"
How can we be confident that a cryptographic algorithm or a protocol is secure? Is it valid to say that an algorithm is secure because nobody has broken it? The answer is, unfortunately, no. In general, what we can say about an unbroken algorithm is merely that we do not know how to break it yet. Because in cryptography the meaning of a broken algorithm sometimes has quantitative measures, if such a measure is missing from an unbroken algorithm, then we cannot even assert whether or not an unbroken algorithm is more secure than a known broken one.
Nevertheless, there are a few exceptions. In most cases, the task of breaking a cryptographic algorithm or a scheme boils down to solving some mathematical problems, such as finding a solution to an equation or inverting a function. These mathematical problems are considered "hard" or "intractable." A formal definition for "hard" or "intractable" will be given in Chapter 4. Here we can informally, yet safely, say that a mathematical problem is intractable if it cannot be solved by any known methods within a reasonable length of time.
There are a number of well-known intractable problems that have been frequently used as standard ingredients in modern cryptography, in particular, in public-key or asymmetric cryptography (see §8.3 to §8.14). For example, in public-key cryptography, intractable problems

include the integer factorization problem, the discrete logarithm problem, the Diffie-Hellman problem, and a few associated problems (we will define and discuss these problems in Chapter 8). These problems can be referred to as established "pedigree" ones because they have sustained a long history of study by generations of mathematicians and as a result, they are now trusted as really hard with a high degree of confidence.
Today, a standard technique for establishing a high degree of confidence in the security of a cryptographic algorithm is to conduct a formal proof which demonstrates that an attack on the algorithm can lead to a solution to one of the accepted "pedigree" hard problems. Such a proof is an efficient mathematical transformation, or a sequence of such transformations, leading from an attack on an algorithm to a solution to a hard problem. Such an efficient transformation is called a reduction, which "reduces" an attack to a solution to a hard problem. Since we are highly confident that the resultant solution to the hard problem is unlikely to exist (especially under the time cost measured by the attack and the reduction transformation), we will be able to derive a measurable confidence that the alleged attack should not exist. This way of security proof is therefore named "reduction to contradiction": an easy solution to a hard problem.
Formally provable security, in particular under various powerful attacking models called adaptive attacks, forms an important criterion for cryptographic algorithms and protocols to be regarded as good. We shall use fit-for-application security to name security qualities which are established through the formal, reduction-to-contradiction approach under powerful attacking models.
As an important topic of this book, we shall study fit-for-application security for many cryptographic algorithms and protocols.
1.2.3 Practical Efficiency
When we say that a mathematical problem is efficient or is efficiently solvable, we basically assert that the problem is solvable in time which can be measured by a polynomial in the size of the problem. A formal definition for efficiency, which will let us provide precise measures of this assertion, will be provided in Chapter 4.
Without looking into quantitative details of this assertion for the time being, we can roughly say that this assertion divides all the problems into two classes: tractable and intractable. This division plays a fundamental role in the foundations for modern cryptography: a complexity-theoretically based one. Clearly, a cryptographic algorithm must be designed such that it is tractable on the one hand and so is usable by a legitimate user, but is intractable on the other hand and so constitutes a difficult problem for a non-user or an attacker to solve.
We should however not e t hat t hi s asser t i on for sol ubi l i t y cover s a vast span of quant it at i ve
measures. I f a pr oblem's comput i ng t i me for a l egi t i mat e user is measur ed by a huge
pol y nomi al , t hen t he " ef fi ci ency " is in gener al i mpr act i cal , i. e. , can have no val ue f or a pr act ical
use. Thus, an i mpor t ant cr i t er i on for a cry pt ogr aphi c al gor i t hm bei ng good i s t hat it shoul d be
pr act ical ly ef fi ci en t f or a l egit i mat e user . I n speci fi c, t he pol y nomi al t hat measures t he r esour ce
cost f or t he user shoul d be smal l ( i. e. , have a smal l degree, t he degr ee of a pol y nomi al wi l l be
i nt r oduced i n Chapt er 4) .
In Chapter 14 we will discuss several pioneering works on provably strong public-key cryptosystems. These works propose public-key encryption algorithms under a common motivation that many basic versions of public-key encryption algorithms are insecure (we name those insecure schemes "textbook crypto" because most textbooks in cryptography introduce them only up to their basic and primitive versions; they will be introduced in Part III of this book). However, most pioneering works on provably strong public-key cryptosystems resort to a bit-by-bit encryption method [125, 210, 241], and some even take the extraordinary steps of adding proofs of knowledge on the correct encryption of each individual bit [210] plus using a public-key
authentication framework [241]. While these early pioneering works are important in providing insights to achieve strong security, the systems they propose are in general too inefficient for applications. After Chapter 14, we will further study a series of subsequent works following the pioneering ones on provably strongly secure public-key cryptosystems and digital signature schemes. The cryptographic schemes proposed by these latter works have not only strong security, but also practical efficiency. They are indeed very good cryptographic schemes.
A cryptographic protocol is not only an algorithm; it is also a communication procedure which involves transmitting messages over computer networks between different protocol participants under a set of agreed rules. So a protocol has a further dimension for efficiency measure: the number of communication interactions, which are often called communication rounds. Usually a step of communication is regarded as more costly than a step of local computation (typically an execution of a set of computer instructions, e.g., a multiplication of two numbers on a computing device). Therefore it is desirable that a cryptographic protocol should have few communication rounds. The standard efficiency criterion for declaring an algorithm as being efficient is that its running time is bounded by a small polynomial in the size of the problem. If we apply this efficiency criterion to a protocol, then an efficient protocol should have its number of communication rounds bounded by a polynomial of an extremely small degree: a constant (degree 0) or at most a linear (degree 1) function. A protocol with communication rounds exceeding a linear function should not be regarded as practically efficient, that is, no good for any practical use.

In Section 18.2.3 we will discuss some zero-knowledge proof protocols which have communication rounds measured by non-linear polynomials. We should note that those protocols were not proposed for real applications; instead, they have importance in the theory of cryptography and computational complexity. In Chapter 18 we will witness much research effort for designing practically efficient zero-knowledge protocols.
1.2.4 Use of Practical and Available Primitives and Services
A level of security which is good for one application needn't be good enough for another. Again, let us use our coin-flipping protocol as an example. In Section 1.2.1 we have agreed that, if implemented with the use of a practical one-way hash function, Protocol "Coin Flipping Over Telephone" is good enough for Alice and Bob to decide their recreation venue over the phone. However, in many cryptographic applications of a fair coin-flipping primitive, security services against cheating and/or for fairness are at much more stringent levels; in some applications the stringency must be in an absolute sense.

For example, in Chapter 18 we will discuss a zero-knowledge proof protocol which needs random bit string input, and such random input must be mutually trusted by both the proving and the verification parties, or else serious damage will occur to one or both parties. In such zero-knowledge proof protocols, if the two communication parties do not have access to, or do not trust, a third-party-based service for supplying random numbers (such a service is usually nicknamed "random numbers from the sky" to imply its impracticality), then they have to generate their mutually trusted random numbers bit-by-bit via a fair coin-flipping protocol. Notice that here the need for the randomness to be generated in a bit-by-bit (i.e., via fair coin-flipping) manner is in order to satisfy certain requirements, such as the correctness and zero-knowledge-ness of the protocol. In such a situation, a level of practically good security (e.g., in the sense of using a practical hash function in Protocol "Coin Flipping Over Telephone") is most likely to be inadequate.

A challenging task in applied research on cryptography and cryptographic protocols is to build high quality security services from practical and available cryptographic primitives. Once more, let us use a coin-flipping protocol to make this point clear. The protocol is a remote coin-flipping protocol proposed by Blum [43]. Blum's protocol employs a practically secure and easily implementable "one-way" function but achieves a high-quality security in a very strong fashion
which can be expressed as:

First, it achieves a quantitative measure on the difficulty against the coin-flipping party (e.g., Alice) for cheating, i.e., for preparing a collision pair x, y satisfying f(x) = f(y). Here, the difficulty is quantified by that for factoring a large composite integer, i.e., that for solving a "pedigree" hard problem.

Second, there is absolutely no way for the guessing party to have a guessing strategy biased away from the 50-50 chance. This is in terms of a complete security.

Thus, Blum's coin-flipping protocol is particularly good in the sense of having achieved a strong security while using only practical cryptographic primitives. As a strengthening and concrete realization for our first cryptographic protocol, we will describe Blum's coin-flipping protocol as the final cryptographic protocol of this book.
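To make the two levels of security concrete, the following is an added example, written for this page and not code from the book (and not Blum's protocol, which the book leaves to its final chapter): a hash-commitment coin-flipping exchange in the spirit of Protocol "Coin Flipping Over Telephone", with both parties' messages. It assumes SHA-256 as the practical one-way function f and a message layout of the editor's own choosing (Alice commits to an integer x, Bob guesses its parity). The honest run shows the three messages; CheatingAlice shows that opening to a different value after seeing Bob's guess is caught by the f(x) check, so Alice's only route to cheating is a collision; and brute_force_open shows the caveat that the commitment hides the parity only while x carries real entropy: with a 16-bit x, Bob inverts f by search and fixes the outcome, which is the low-entropy failure mode.

```python
import hashlib
import secrets

# Added example, not code from the book: a hash-commitment coin-flipping
# exchange in the spirit of Protocol "Coin Flipping Over Telephone".  The
# layout (commit to an integer x, guess its parity) is an editorial choice.
# Assumption: SHA-256 plays the role of the practical one-way function f.

X_BITS = 256  # full-entropy x; the weak run below shows what a short x costs


def f(x: int) -> bytes:
    """The commitment function: f(x) = SHA-256 of a fixed-width encoding of x."""
    return hashlib.sha256(x.to_bytes(64, "big")).digest()


class Alice:
    """The coin-flipping party: fixes x before Bob guesses and must open to that x."""

    def __init__(self, x_bits: int = X_BITS):
        # Top bit set so every x has exactly x_bits bits (a constructed convention).
        self.x = secrets.randbits(x_bits) | (1 << (x_bits - 1))
        self.bob_guess = None

    def send_commitment(self) -> bytes:
        return f(self.x)

    def receive_guess(self, g: int) -> None:
        self.bob_guess = g

    def reveal(self) -> int:
        return self.x


class CheatingAlice(Alice):
    """Opens to a value whose parity differs from Bob's guess whenever that would win."""

    def reveal(self) -> int:
        return self.x if (self.x & 1) != self.bob_guess else self.x ^ 1


class Bob:
    """The guessing party: sees only f(x) before guessing and verifies the opening."""

    def __init__(self):
        self.c = None
        self.guess = None

    def receive_commitment(self, c: bytes) -> None:
        self.c = c

    def send_guess(self) -> int:
        self.guess = secrets.randbits(1)
        return self.guess

    def verify_and_decide(self, x: int) -> str:
        if f(x) != self.c:
            raise ValueError("opened value does not match the commitment: Alice cheated")
        return "heads" if (x & 1) == self.guess else "tails"


class FixedGuessBob(Bob):
    """A Bob with a forced guess; used only to make the cheating demonstration deterministic."""

    def __init__(self, g: int):
        super().__init__()
        self.fixed = g

    def send_guess(self) -> int:
        self.guess = self.fixed
        return self.guess


def run_protocol(alice: Alice, bob: Bob) -> str:
    """The three-message exchange: f(x) from Alice, a parity guess from Bob, x from Alice."""
    c = alice.send_commitment()        # 1. Alice -> Bob: f(x)
    bob.receive_commitment(c)
    g = bob.send_guess()               # 2. Bob -> Alice: guess for parity(x)
    alice.receive_guess(g)
    x = alice.reveal()                 # 3. Alice -> Bob: x
    return bob.verify_and_decide(x)    # Bob checks f(x) == c before accepting the outcome


def cheat_is_detected() -> bool:
    """Force the case where Alice loses honestly: her only way to win is to open a different
    value, and f(x') != f(x) exposes her (finding a collision is the hard part)."""
    alice = CheatingAlice()
    bob = FixedGuessBob(alice.x & 1)
    try:
        run_protocol(alice, bob)
    except ValueError:
        return True
    return False


def brute_force_open(c: bytes, x_bits: int):
    """Low-entropy attack: if Bob knows x has only x_bits bits he inverts f by search and
    learns the parity before guessing.  Returns x, or None if the search space is exhausted."""
    for x in range(1 << (x_bits - 1), 1 << x_bits):
        if f(x) == c:
            return x
    return None
```

brute_force_open is only meant for the small x_bits used in the demonstration; the point of X_BITS = 256 is precisely that the same search is infeasible. That is the "practically good" level the text refers to, and it rests on an assumption (a good random source for x) rather than on the absolute guarantee against a biased guesser that Blum's protocol provides.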
Several years after the discovery of public-key cryptography [97, 98, 246], it became gradually apparent that several basic and best-known public-key encryption algorithms (we will refer to them as "textbook crypto") generally have two kinds of weakness: (i) they leak partial information about the message encrypted; (ii) they are extremely vulnerable to active attacks (see Chapter 14). These weaknesses mean that "textbook crypto" is not fit for applications. Early approaches to a general fix for the weaknesses in "textbook crypto" invariably apply a bit-by-bit style of encryption and even apply zero-knowledge proof techniques at the bit-by-bit level as a means to prevent active attacks, plus an authentication framework. These results, while valuable in the development of provably secure public-key encryption algorithms, are not suitable for most encryption applications since the need for zero-knowledge proof or for an authentication framework is not practical for the case of encryption algorithms.

Since the successful initial work of using a randomized padding scheme in the strengthening of a public-key encryption algorithm [24], a general approach has emerged which strengthens popular textbook public-key encryption algorithms into ones with provable security by using popular primitives such as hash functions and pseudorandom number generators. These strengthened encryption schemes are practical since they use practical primitives such as hash functions, and consequently their efficiency is similar to that of the underlying "textbook crypto" counterparts. Due to this important quality element, some of these algorithms enhanced from using practical and popular primitives have become public-key encryption and digital signature standards. We shall study several such schemes in Chapters 15 and 16.
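The following is an added example, written for this page and not taken from the book or from [24], of the two weaknesses and of the padding fix on a toy RSA instance (the text does not single out RSA; it is used here as the textbook scheme). It assumes a constructed modulus built from two Mersenne primes, far too small for real use, and the padding is a simplified m || r || H(m, r) construction with a redundancy check, not the standardized scheme of Chapter 15: it shows why randomization removes the equality leak and why redundancy lets the decryptor reject a mauled ciphertext, without carrying the provable-security claims of the real schemes.

```python
import hashlib
import secrets
from typing import Optional

# Added example, not code from the book: a toy RSA instance exhibiting the two
# "textbook crypto" weaknesses named in the text, beside a randomized padding
# with a redundancy check that removes both.  The padding is a simplified
# illustration of the idea, not the standardized scheme of [24].

# Constructed toy modulus: 2**61-1 and 2**89-1 are (Mersenne) primes.  Real keys
# use random primes of about 1024 bits or more; this one is only for the demo.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                                  # about 150 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # E is coprime to phi(N) for these primes


def textbook_encrypt(m: int) -> int:
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


# Weakness (i): encryption is deterministic, so anyone who can enumerate the
# likely plaintexts recognises the message from the ciphertext alone.
def guess_plaintext(c: int, candidates) -> Optional[int]:
    for m in candidates:
        if textbook_encrypt(m) == c:
            return m
    return None


# Weakness (ii): malleability.  c * s^e mod N decrypts to s*m mod N, so an active
# attacker changes the plaintext in a controlled way without knowing it.
def maul(c: int, s: int) -> int:
    return c * pow(s, E, N) % N


# Randomized padding with redundancy: pad(m, r) = m || r || H(m, r).  The random
# r makes repeated encryptions differ; the tag lets the decryptor reject anything
# not formed honestly, such as a mauled ciphertext.
M_BITS, R_BITS, TAG_BITS = 16, 64, 64      # 144 bits of padded data, below N


def _tag(m: int, r: int) -> int:
    h = hashlib.sha256(m.to_bytes(2, "big") + r.to_bytes(8, "big")).digest()
    return int.from_bytes(h[: TAG_BITS // 8], "big")


def pad(m: int, r: int) -> int:
    if not (0 <= m < 2**M_BITS and 0 <= r < 2**R_BITS):
        raise ValueError("message or randomizer out of range")
    return (m << (R_BITS + TAG_BITS)) | (r << TAG_BITS) | _tag(m, r)


def unpad(x: int) -> Optional[int]:
    tag = x & (2**TAG_BITS - 1)
    r = (x >> TAG_BITS) & (2**R_BITS - 1)
    m = x >> (R_BITS + TAG_BITS)
    if m >= 2**M_BITS or tag != _tag(m, r):
        return None                        # redundancy check failed: reject, reveal nothing
    return m


def padded_encrypt(m: int) -> int:
    return textbook_encrypt(pad(m, secrets.randbits(R_BITS)))


def padded_decrypt(c: int) -> Optional[int]:
    return unpad(textbook_decrypt(c))
```

Two encryptions of the same 16-bit message under padded_encrypt differ and neither matches a trial encryption of a guessed plaintext, while a ciphertext multiplied by 3^e still decrypts to 3m under textbook_decrypt but is rejected by padded_decrypt because the tag no longer matches.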
Designing cryptographic schemes, protocols and security systems using available and popular techniques and primitives is also desirable in the sense that such results are more likely to be secure as they attract a wider interest for public scrutiny.
1.2.5 Explicitness
In the late 1960s, software systems grew very large and complex. Computer programmers began to experience a crisis, the so-called "software crisis." Large and complex software systems were getting more and more error prone, and the cost of debugging a program became far in excess of the cost of the program design and development. Soon computer scientists discovered a few perpetrators who helped to set up the crisis which resulted from bad programming practice. Bad programming practice includes:

Arbitrary use of the GOTO statement (jumping up and down seems very convenient)
Abundant use of global variables (causing uncontrolled change of their values, e.g., in an
unexpected execution of a subroutine)
The use of variables without declaration of their types (implicit types can be used in Fortran, so, for example, a real value may be truncated to an integer one without being noticed by the programmer)
Unstructured and unorganized large chunks of code for many tasks (can be thousands of lines a piece)
Few commentary lines (since they don't execute!)

These were a few "convenient" things for a programmer to do, but they had proved to be capable of causing great difficulties in program debugging, maintenance and further development. Software code designed with these "convenient" features can be just too obscure to be comprehensible and maintainable. Back then it was not uncommon that a programmer would not be able to understand a piece of code s/he had written merely a couple of months or even weeks ago.

Once the disastrous consequences resulting from the bad programming practice were gradually understood, Program Design Methodology became a subject of study in which being explicit became an important principle for programming. Being explicit includes limiting the use of GOTO and global variables (better not to use them at all), explicit (via mandatory) type declaration for any variables, which permits a compiler to check type flaws systematically and automatically, modularizing programming (dividing a large program into many smaller parts, each for one task), and using abundant (as clear as possible) commentary material, which is text inside a program and documentation outside.

A security system (cryptographic algorithm or protocol) includes program parts implemented in software and/or hardware, and in the case of a protocol, the program parts run on a number of separate hosts (or a number of programs concurrently and interactively running on these hosts). The explicitness principle for software engineering applies to a security system's design by default (this is true in particular for protocols). However, because a security system is assumed to run in a hostile environment in which even a legitimate user may be malicious, a designer of such systems must also be explicit about many additional things. Here we list three important aspects to serve as general guidelines for security system designers and implementors. (In the rest of the book we will see many attacks on algorithms and protocols due to being implicit in the design or specification of these systems.)
1. Be explicit about all assumptions needed.

A security system operates by interacting with an environment and therefore it has a set of requirements which must be satisfied by that environment. These requirements are called assumptions (or premises) for a system to run. A violation of an assumption of a protocol may allow the possibility of exploiting an attack on the system, and the consequence can be the nullification of some intended services. It is particularly difficult to notice a violation of an assumption which has not been clearly specified (a hidden assumption). Therefore all assumptions of a security system should be made explicit.

For example, it is quite common that a protocol has an implicit assumption or expectation that a computer host upon which the protocol runs can supply good random numbers, but in reality few desktop machines or hand-held devices are capable of satisfying this assumption. A so-called low-entropy attack is applicable to protocols using a poor random source. A widely publicized attack on an early implementation of the Secure Sockets Layer (SSL) Protocol (an authentication protocol for World Wide Web browser and server, see Section 12.5) is a well-known example of the low-entropy attack [123].

Explicit identification and specification of assumptions can also help the analysis of complex
systems. DeMillo et al. (Chapter 4 of [91]) and DeMillo and Merritt [92] suggest a two-step approach to cryptographic protocol design and analysis, which is listed below (after a modification by Moore [204, 205]):

i. Identify all assumptions made in the protocol.
ii. For each assumption in step (i), determine the effect on the security of the protocol if that assumption were violated.
2. Be explicit about exact security services to be offered.

A cryptographic algorithm/protocol provides certain security services. Examples of some important security services include: confidentiality (a message cannot be comprehended by a non-recipient), authentication (a message can be recognized to confirm its integrity or its origin), non-repudiation (impossibility for one to deny a connection to a message), proof of knowledge (demonstration of evidence without disclosing it), and commitment (e.g., a service offered to our first cryptographic protocol "Coin Flipping Over Telephone", in which Alice is forced to stick to a string without being able to change it).

When designing a cryptographic protocol, the designer should be very clear regarding exactly what services the protocol intends to serve and should explicitly specify them as well. The explicit identification and specification will not only help the designer to choose correct cryptographic primitives or algorithms, but also help an implementor to correctly implement the protocol. Often, an identification of services at the refinement level of the general services given in these examples is not adequate, and further refinement of them is necessary. Here are a few possible ways to further refine some of them:

Confidentiality: privacy, anonymity, invisibility, indistinguishability
Authentication: data-origin, data-integrity, peer-entity
Non-repudiation: message-issuance, message-receipt
Proof of knowledge: knowledge possession, knowledge structure

A misidentification of services in a protocol design can cause misuse of cryptographic primitives, and the consequence can be a security flaw in the protocol. In Chapter 2 and Chapter 11 we will see disastrous examples of security flaws in authentication protocols due to misidentification of security services between confidentiality and authentication.

There can be many more kinds of security services with more ad hoc names (e.g., message freshness, non-malleability, forward secrecy, perfect zero-knowledge, fairness, binding, deniability, receipt freeness, and so on). These may be considered as derivatives or further refinements of the general services that we have listed earlier (a derivative can be in terms of negation, e.g., deniability is a negative derivative from non-repudiation). Nevertheless, explicit identification of them is often necessary in order to avoid design flaws.
3. Be explicit about special cases in mathematics.

As we have discussed in Section 1.2.2, some hard problems in computational complexity theory can provide a high confidence in the security of a cryptographic algorithm or protocol. However, often a hard problem has some special cases which are not hard at all. For
example, we know that the problem of factorization of a large composite integer is in general very hard. However, the factorization of a large composite integer N = PQ, where Q is the next prime number after a large prime number P, is not a hard problem at all! One can do so efficiently by computing ( is called the floor function and denotes the integer part of ) followed by a few trial divisions around that number to pinpoint P and Q.

Usual algebraic structures upon which cryptographic algorithms work (such as groups, rings and fields, to be studied in Chapter 5) contain special cases which produce exceptionally easy problems. Elements of small multiplicative orders (also defined in Chapter 5) in a multiplicative group or a finite field provide such an example; an extreme case of this is when the base for the Diffie-Hellman key exchange protocol (see Section 8.3) is the unity element in these algebraic structures. Weak cases of elliptic curves, e.g., "supersingular curves" and "anomalous curves," form another example. The discrete logarithm problem on "supersingular curves" can be reduced to the discrete logarithm problem on a finite field, known as the Menezes-Okamoto-Vanstone attack [197] (see Section 13.3.4.1). An "anomalous curve" is one with the number of points on it being equal to the size of the underlying field, which allows a polynomial time solution to the discrete logarithm problem on the curve, known as the attack of Satoh-Araki [252], Semaev [258] and Smart [278].

An easy special case, if not understood by an algorithm/protocol designer and/or not clearly specified in an algorithm/protocol specification, may easily go into an implementation and can thus be exploited by an attacker. So an algorithm/protocol designer must be aware of the special cases in mathematics, and should explicitly specify the procedures for the implementor to eliminate such cases.
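As an added example (written for this page, not code from the book) of stating special-case checks explicitly enough for an implementor to apply them: factor_close_primes implements the editor's reading of the procedure just described, taking the integer part of the square root of N and trial-dividing around it, so that a candidate modulus can be tested for adjacent-prime factors; gen_safe_prime and dh_value_ok show the Diffie-Hellman check that rejects the unity element, the order-2 element p - 1, and any value outside the order-q subgroup of a safe prime p = 2q + 1. The Miller-Rabin routine is written for this example, and the safe-prime setting is an assumed choice of concrete group, not something the text prescribes.

```python
import math
import secrets
from typing import Optional, Tuple

# Added example, not code from the book: two explicit "easy special case" checks
# of the kind the text says a designer must specify for the implementor.
# The primality test is a plain Miller-Rabin routine written for this example.


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest (probable) prime strictly greater than n."""
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n


# (a) Factoring N = P*Q when Q is the next prime after P.  Editorial reading of the
# text's procedure: take the integer part of sqrt(N) and trial-divide around it.
# P < sqrt(N) < Q, and both lie within (Q - P) / 2 of it, so a small window suffices.
def factor_close_primes(N: int, window: int = 10_000) -> Optional[Tuple[int, int]]:
    s = math.isqrt(N)
    for k in range(window):
        for cand in (s - k, s + k):
            if cand > 1 and N % cand == 0:
                p, q = sorted((cand, N // cand))
                return p, q
    return None          # no factor this close to sqrt(N): the special case does not apply


# (b) Diffie-Hellman over a safe prime p = 2q + 1, working in the order-q subgroup
# (an assumed concrete group for the demonstration).
def gen_safe_prime(bits: int) -> Tuple[int, int]:
    """Returns (p, q) with p = 2q + 1 and both (probable) primes, q of the given size."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def dh_value_ok(y: int, p: int, q: int) -> bool:
    """Accept a base or a received public value only if it is neither the unity element
    nor p - 1 (order 2) and it actually lies in the order-q subgroup, i.e. has no small order."""
    return 1 < y < p - 1 and pow(y, q, p) == 1
```

The window of 10,000 in factor_close_primes is an assumed bound on the prime gap at the sizes used; two independently chosen random primes of the same size are astronomically unlikely to fall inside it, which is what the negative check relies on. The elliptic-curve cases (supersingular and anomalous curves) need curve arithmetic the page does not set up and are not covered here.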
It is not difficult to list many more items for explicitness (for example, a key-management protocol should stipulate explicitly the key-management rules, such as separation of keys for different usages, and the procedures for proper key disposal, etc.). Due to the specific nature of these items we cannot list all of them here. However, explicitness as a general principle for cryptographic algorithm/protocol design and specification will be frequently raised in the rest of the book. In general, the more explicitly an algorithm/protocol is designed and specified, the easier it is for the algorithm/protocol to be analyzed; therefore the more likely it is for the algorithm/protocol to be correctly implemented, and the less likely it is for the algorithm/protocol to suffer an unexpected attack.
1.2.6 Openness
Cryptography was once a preserve of governments. Military and diplomatic organizations used it to keep messages secret. In those days, most cryptographic research was conducted behind closed doors; algorithms and protocols were secrets. Indeed, governments did, and they still do, have a valid point in keeping their cryptographic research activities secret. Let us imagine that a government agency publishes a cipher. We should only consider the case that the cipher published is provably secure; otherwise the publication can be too dangerous and may actually end up causing embarrassment to the government. Then other governments may use the provably secure cipher and consequently undermine the effectiveness of the code-breakers of the government which published the cipher.

Nowadays, however, cryptographic mechanisms have been incorporated in a wide range of civilian systems (we have provided a non-exhaustive list of applications in the very beginning of this chapter). Cryptographic research for civilian use should take an open approach. Cryptographic algorithms do use secrets, but these secrets should be confined to the cryptographic keys or keying material (such as passwords or PINs); the algorithms themselves
should be made public. Let's explore the reasons for this stipulation.

In any area of study, quality research depends on the open exchange of ideas via conference presentations and publications in scholarly journals. However, in the areas of cryptographic algorithms, protocols and security systems, open research is more than just a common means to acquire and advance knowledge. An important function of open research is public expert examination. Cryptographic algorithms, protocols and security systems have been notoriously error-prone. Once a cryptographic research result is made public it can be examined by a large number of experts. Then the opportunity for finding errors (in design or maybe in security analysis) which may have been overlooked by the designers will be greatly increased. In contrast, if an algorithm is designed and developed in secret, then in order to keep the secret, only a few, if any, experts can have access to and examine the details. As a result the chance of finding errors is decreased. A worse scenario can be that a designer may know of an error and may exploit it secretly.

It is now an established principle that cryptographic algorithms, protocols, and security systems for civilian use must be made public, and must go through a lengthy public examination process. Peer review of a security system should be conducted by a hostile expert.
1.3 Chapter Summary
In this chapter we began with an easy example of applied cryptography. The three purposes served by the example are:
i. Showing the effectiveness of cryptography in problem solving
ii. Aiming for a fundamental understanding of cryptography
iii. Emphasizing the importance of non-textbook aspects of security
They form the main topics to be developed in the rest of this book.

We then conducted a series of discussions which served as an initial background and cultural introduction to the areas of study. Our discussions in these directions are by no means complete. Several other authors have also conducted extensive study on principles, guidelines and culture for the areas of cryptography and information security. The following books form good further reading material: Schneier [254], Gollmann [129] and Anderson [14]. Schneier's monthly distributed "Crypto-Gram Newsletters" are also good reading material. To subscribe to the newsletters, send an email to schneier@counterpane.com.
Exercises
1.1 What is the difference between a protocol and an algorithm?
1.2 In Prot 1.1 Alice can decide HEADS or TAILS. This may be an unfair advantage for some applications. Modify the protocol so that Alice can no longer have this advantage.
Hint: let a correct guess decide the side.
1.3 Let function f map from the space of 200-bit integers to that of 100-bit ones with the following mapping rule:
here "⊕" denotes the bit-by-bit XOR operation, i.e.,
i. Is f efficient?
ii. Does f have the "Magic Property I"?
iii. Does f have the "Magic Property II"?
iv. Can this function be used in Prot 1.1?
1.4 Is an unbroken cryptographic algorithm more secure than a known broken one? If not, why?
1.5 Complex systems are error-prone. Give an additional reason for a complex security system to be even more error-prone.
Chapter 2. Wrestling Between Safeguard and Attack
Section 2.1. Introduction
Section 2.2. Encryption
Section 2.3. Vulnerable Environment (the Dolev-Yao Threat Model)
Section 2.4. Authentication Servers
Section 2.5. Security Properties for Authenticated Key Establishment
Section 2.6. Protocols for Authenticated Key Establishment Using Encryption
Section 2.7. Chapter Summary
Exercises
2.1 Introduction
One reason for the existence of many cryptographic protocols is a consequence of a fact: it is very difficult to make cryptographic protocols correct. Endless endeavors have been made to design correct protocols. Many new protocols were proposed as a result of fixing existing ones in which security flaws were discovered. A security flaw in a cryptographic protocol can always be described by an attack scenario in which some security services that the protocol purports to provide can be sabotaged by an attacker or by a number of them via their collusion. In the area of cryptographic protocols it is as if there is a permanent wrestling between protocol designers and attackers: a protocol is proposed, an attack is discovered, a fix follows, then another attack, and another fix ...

In this chapter we shall demonstrate a series of examples of a wrestling battle between attack and fix. We shall start from an artificial protocol which is made flawed deliberately. From that protocol we will go through a "fix, attack, fix again and attack again" process. Eventually we will reach two protocols which have been proposed for solving information security problems in the real world (all of the flawed and "fixed" then broken protocols prior to these two final results are artificial protocols). The two real protocols resulting from our "attack, fix, attack, fix, ..." process are not only real protocols, but also well-known ones, for two reasons: they have played seminal roles both in applications and in underlying an important study on the formal analysis of cryptographic protocols.

Unfortunately, these two real protocols from our fixing attempts still contain security flaws which were only discovered long after their publication. One flaw in one of them was found three years after the publication, and another flaw in the other protocol was exposed after another fourteen years had passed! Having revealed these flaws, we will make a final attempt at fixing, although we will delay the revelation of some further security problems in the result of our final fix to a later chapter, when we become technically better prepared to deal with the problems. Leaving security problems unsolved in this chapter, we intend this chapter to serve as an "early-warning" message: cryptographic algorithms, protocols and systems readily contain security flaws.

This chapter also serves as a technical introduction to material and ideas that will enable us (in particular, readers who are new to the areas of cryptography, cryptographic protocols and information security) to establish some common and important concepts, definitions and agreements in the areas of study. These include some basic terminology and the meanings behind it (a term appearing for the first time will be in bold form), and the naming convention for the protocol participants whom we will frequently be meeting throughout the book. Also, the attacks on these flawed protocols will let us become familiar with some typical behavior of a special role in our game play: the enemy, against whom we design cryptographic protocols.
2.1.1 Chapter Outline
In Section 2.2 we introduce a simplified notion of encryption which will be used for this chapter only. In Sections 2.3 to 2.5 we introduce the standard threat model, environment and goal for cryptographic, in particular authentication, protocols. Finally, in Section 2.6 we develop a series of authentication protocols.
2.2 Encryption
All protocols to be designed in this chapter will use encryption. We should provide an early warning on this "one-thing-for-all-purposes" style of using encryption: in many cases such uses are incorrect and some other cryptographic primitive should be used instead. In this book we will gradually develop the sense of precisely using cryptographic primitives for obtaining precise security services. However, to ease our introduction, let us rely on encryption solely in this chapter.

Encryption (sometimes called encipherment) is a process to transform a piece of information into an incomprehensible form. The input to the transformation is called plaintext (or cleartext) and the output from it is called ciphertext (or cryptogram). The reverse process of transforming ciphertext into plaintext is called decryption (or decipherment). Notice that plaintext and ciphertext are a pair of relative notions: the former refers to messages input to, and the latter to messages output from, an encryption algorithm. Plaintext needn't be in a comprehensible form; for example, in the case of double encryption, a ciphertext can be in the position of a plaintext for re-encryption; we will also see many times in this chapter that encryption of random numbers is very common in cryptographic protocols. Usually, cleartext means messages in a small subset of all possible messages which have certain recognizable distributions. In Section 3.7 we will study the distribution of a message.

The encryption and decryption algorithms are collectively called cryptographic algorithms (cryptographic systems or cryptosystems). Both encryption and decryption processes are controlled by a cryptographic key, or keys. In a symmetric (or shared-key) cryptosystem, encryption and decryption use the same (or essentially the same) key; in an asymmetric (or public-key) cryptosystem, encryption and decryption use two different keys: an encryption key and a (matching) decryption key, and the encryption key can be made public (and hence is also called a public key) without causing the matching decryption key to be discovered (and thus a decryption key in a public-key cryptosystem is also called a private key). Fig 2.1 illustrates a simplified pictorial description of a cryptographic system. A more complete view of a cryptosystem will be given in Chapter 7 (Fig 7.1).

Figure 2.1. A Simplified Pictorial Description of a Cryptographic System
We should point out that, within the scope of this chapter, the terms "plaintext," "ciphertext," "encryption," "decryption," "encryption key" and "decryption key" are pairs of relative notions. For a message M (whether it is plaintext or ciphertext), a crypto algorithm A (whether it represents encryption or decryption) and a cryptographic key K (whether an encryption key or a decryption key), we may denote by
a cryptographic transformation which is represented by the functionality of either the upper box or the lower box in Fig 2.1. Thus, we can use A' and K' to denote
namely,
completes the circle in Fig 2.1. In the case of a symmetric cryptosystem, we may view K' = K, and in the case of an asymmetric cryptosystem, K' represents the matching public or private component of K. In this chapter ciphertext in a protocol message will be conventionally specified as {M}_K.

Later when we have learned probability distributions of messages (to be introduced in Sections 3.7 and 3.8), we will know that plaintext (more precisely, cleartext or comprehensible) messages are in a small subset of the entire message space, while ciphertext messages are much more widely distributed in that space. This is the essential difference between plaintext and ciphertext.

We should notice that, in this chapter, our notation for ciphertext always means a result of using a "perfect" cryptographic algorithm in the following two senses:

Property 2.1: Perfect Encryption with Notation {M}_K
i. Without the key K (in the case of a symmetric cryptosystem), or the matching private key of K (in the case of an asymmetric cryptosystem), the ciphertext {M}_K does not provide any cryptanalytic means for finding the plaintext message M.
ii. The ciphertext {M}_K, possibly together with some known information about the plaintext message M, does not provide any cryptanalytic means for finding the key K (in the case of a symmetric cryptosystem), or the matching private key of K (in the case of an asymmetric cryptosystem).

Perfect encryption with these two properties (there will be an additional property which we shall
discuss in Section 2.6.3) is an idealization of the encryption algorithms that exist in the real world. The idealization is a convenient treatment which allows a segregation of the responsibilities of protocol design and analysis from those of the underlying cryptographic algorithm design and analysis. The segregation eases the job of protocol design and analysis. We shall see in a moment that perfect encryption does not prevent a protocol from containing a security flaw. In fact, of all the attacks on the protocols to be demonstrated in this chapter, none depends on any deficiency in the underlying cryptosystems.

We will introduce the formal notion of encryption and a number of encryption algorithms in several later chapters (Chapters 7, 8, 13 and 15). Nevertheless the abstract-level description of the functionality of encryption/decryption given here shall suffice for our use in this chapter. It is harmless now for us to think of an encryption algorithm as a keyed padlock and a piece of ciphertext as a box of texts with the box being padlocked.

The reader is also referred to [266] for a useful glossary in information security.
2.3 Vulnerable Environment (the Dolev-Yao Threat Model)
A large network of computers, devices and resources (for example, the Internet) is typically open, which means that a principal (or entity, agent, user), which can be a computer, a device, a resource, a service provider, a person or an organization of these things, can join such a network and start sending and receiving messages to and from other principals across it, without a need of being authorized by a "super" principal. In such an open environment we must anticipate that there are bad guys (or attacker, adversary, enemy, intruder, eavesdropper, impostor, etc.) out there who will do all sorts of bad things, not just passively eavesdropping, but also actively altering (maybe using some unknown calculations or methods), forging, duplicating, rerouting, deleting or injecting messages. The injected messages can be malicious and cause a destructive effect to the principals on the receiving end. In the literature of cryptography such a bad guy is called an active attacker. In this book we shall name an attacker Malice (someone who does harm or mischief, and often does so under the masquerade of a different identity). Malice can be an individual, a coalition of a group of attackers, and, as a special case, a legitimate principal in a protocol (an insider).

In general, it is assumed that Malice is very clever in manipulating communications over the open network. His manipulation techniques are unpredictable because they are unspecified. Also, because Malice can represent a coalition of bad guys, he may simultaneously control a number of network nodes which are geographically far apart. The real reason why Malice can do these things will be discussed in Section 12.2.

In anticipation of such a powerful adversary over such a vulnerable environment, Dolev and Yao propose a threat model which has been widely accepted as the standard threat model for cryptographic protocols [101]. In that model, Malice has the following characteristics:
He can obtain any message passing through the network.
He is a legitimate user of the network, and thus in particular can initiate a conversation with any other user.
He will have the opportunity to become a receiver to any principal.
He can send messages to any principal by impersonating any other principal.

Thus, in the Dolev-Yao threat model, any message sent to the network is considered to be sent to Malice for his disposal (according to whatever he is able to compute). Consequently, any message received from the network is treated as having been received from Malice after his disposal. In other words, Malice is considered to have complete control of the entire network. In fact, it is harmless to just think of the open network as Malice.
However , unless expli ci t l y st at ed, we do not consi der Mal i ce t o be al l power f ul. This means t hat
t her e ar e cer t ai n t hi ngs t hat Mal i ce cannot do, even i n t he case t hat he repr esent s a coal i t i on of
bad guys and t her eby may use a l ar ge number of comput er s acr oss t he open net wor k i n par all el .
We l i st bel ow a few t hi ngs Mal ice cannot do wi t hout quant i f yi ng t he meaning of " cannot do; "
pr eci se quant i f icat i on wi ll be made in Chapt er 4:
Mal i ce cannot guess a r andom number whi ch i s chosen fr om a suff ici ent l y l ar ge space.
Wi t hout t he corr ect secr et ( or pr i vat e) key , Mal i ce cannot ret r i eve plai nt ext fr om given

ciphertext, and cannot create valid ciphertext from given plaintext, with respect to the perfect encryption algorithm.
- Malice cannot find the private component, i.e., the private key, matching a given public key.
- While Malice may have control of a large public part of our computing and communication environment, in general, he is not in control of many private areas of the computing environment, such as accessing the memory of a principal's offline computing device.

The Dolev-Yao threat model will apply to all our protocols.

2.4 Authentication Servers

Suppose that two principals Alice and Bob (whom we have already met in our first cryptographic protocol "Coin Flipping Over Telephone", Prot 1.1) wish to communicate with each other in a secure manner. Suppose also that Alice and Bob have never met before, and therefore they do not already share a secret key between them and do not already know for sure the other party's public key. Then how can they communicate securely over completely insecure networks?

It is straightforward to see that at least Alice and Bob can make an arrangement to meet each other physically and thereby establish a shared secret key between them, or exchange sure knowledge on the other party's public key. However, in a system with N users who wish to hold private conversations, how many trips do these users need to make in order to securely establish these keys? The answer is N(N - 1)/2. Unfortunately, this means a prohibitive cost for a large system. So this straightforward way for secure key establishment is not practical for use in modern communication systems.

It is nevertheless feasible for each principal who chooses to communicate securely to obtain an authentication (and a directory) service. Needham and Schroeder suggest that such a service can be provided by an authentication server [213]. Such a server is like a name registration authority; it maintains a database indexed by names of the principals it serves, and can deliver identifying information computed from a requested principal's cryptographic key that is already shared between the server and the principal.

An authentication server is a special principal who has to be trusted by its users (client principals) to always behave honestly. Namely, upon a client principal's request it will respond exactly according to the protocol's specification, and will not engage in any other activity which will deliberately compromise the security of its clients (so, for instance, it will never disclose any secret key it shares with its clients to any third party). Such a principal is called a trusted third party or TTP for short. In this book we shall use Trent to name a trusted third party.

We suppose that both Alice and Bob use authentication services offered by their respective authentication servers. In an extended network it is inexpedient to have a single central authentication server. Needham and Schroeder proposed to use multiple authentication servers who know each other. Thus, principals served by an authentication server have names of the form "AuthenticationAuthority.SimpleName." The idea of using multiple authentication servers has also been proposed by Diffie and Hellman [97].

However, in order to describe our protocols in this chapter with simplicity and clarity we suppose that Alice and Bob use the same authentication server Trent. In Chapter 12 we will introduce the network authentication basis for the Windows 2000 operating system, the Kerberos authentication protocol [90], where a general architecture of multiple authentication servers serving in different network realms will be considered.

Being served by the same Trent, we assume that Alice (Bob) shares a cryptographic key with Trent; let the key be denoted by K_AT (K_BT). Later we shall see that such a key is called a key-encryption key because its use is mainly for encryption of other cryptographic keys. Also due to the high cost in the establishment of such a key, it should be used for a prolonged period of time, and hence is also called a long-term key.

2.5 Security Properties for Authenticated Key Establishment

All protocols to be described in this chapter are of a kind: they achieve authenticated key-establishment. The precise meaning of this security service can be elaborated by the following three properties.

Let K denote a shared secret key to be established between Alice and Bob; the protocols to be designed in this chapter should achieve a security service with the following three properties:

At the end of the protocol run:

1. Only Alice and Bob (or perhaps a principal who is trusted by them) should know K.
2. Alice and Bob should know that the other principal knows K.
3. Alice and Bob should know that K is newly generated.

The first property follows the most basic meaning of authentication: identifying the principal who is the intended object of communication. Alice (respectively, Bob) should be assured that the other end of the communication, if "padlocked" by the key K, can only be Bob (respectively, Alice). If the key establishment service is achieved with the help of Trent, then Trent is trusted that he will not impersonate these two principals.

The second property extends the authentication service to an additional dimension, that is, entity authentication, or the liveness of an identified principal who is the intended object of the communication. Alice (respectively, Bob) should be assured that Bob (respectively, Alice) is alive and responsive to the communications in the current protocol run. We shall see later that this property is necessary in order to thwart an attacking scenario based on replaying of old messages.

The need for the third property follows a long established key management principle in cryptography. That principle stipulates that a secret cryptographic key should have a short lifetime if it is a shared key and is used for bulk data encryption. Such a key usage is rather different from that of a "key-encryption key" or a long-term key which we have described at the end of 2.4. There are two reasons behind this key management principle. First, if a key for data encryption is a shared one, then even if one of the sharing parties, say, Alice, is very careful in her key management and disposal, compromise of the shared key by the other sharing party, say, Bob, due to Bob's carelessness which is totally out of Alice's control, will still result in Alice's security being compromised. Secondly, most data in confidential communications usually contain (possibly a large volume of) known or predictable information or structure. For example, a piece of computer program contains a large quantity of known texts such as "begin," "end," "class," "int," "if," "then," "else," "++," etc. Such data are said to contain a large quantity of redundancy (for the definition see 3.8). Encryption of such data makes the key a target for cryptanalysis which aims for finding the key or the plaintext. Such prolonged use of a key for encryption of such data may ease the difficulty of cryptanalysis. We should also consider that Malice has unlimited time to spend on finding an old data-encryption key and then reusing it as though it were new. The well established and widely accepted principle for key management thus stipulates that a shared data-encryption key should be used for one communication session only. Hence, such a key is also referred to as a session key and a short-term key. The third property of the authenticated key establishment service assures Alice and Bob that the session key K established is one that has been newly generated.

2.6 Protocols for Authenticated Key Establishment Using Encryption

Now we are ready to design protocols for authenticated key establishment. The first protocol to be designed merely intends to realize straightforwardly the following simple idea: Alice and Bob, though they do not know each other, both know Trent and share respective long-term keys with Trent; so it is possible for Trent to securely pass messages between them.

2.6.1 Protocols Serving Message Confidentiality

Since the environment for our protocols to run in is a vulnerable one, our protocols will use encryption to safeguard against any threat. At this initial stage of our step-by-step discussions to follow, we shall restrict our attention to a threat which aims for undermining message confidentiality.

2.6.1.1 Protocol "From Alice to Bob"

Let Alice initiate a run of such a protocol. She starts by generating a session key at random, encrypts it under the key she already shares with Trent, and sends to Trent the resultant ciphertext together with the identities of herself and Bob. Upon receipt of Alice's request for session key delivery, Trent shall first find from his database the shared long-term keys of the two principals mentioned in Alice's request. He shall then decrypt the ciphertext using Alice's key, re-encrypt the result using Bob's key, and then send to Bob the resultant ciphertext. Finally, upon receipt and decryption of the delivered session key material, Bob shall acknowledge the receipt by sending an encrypted message to Alice using the newly received session key. Prot 2.1 illustrates a protocol description which realizes delivery of a session key from Alice to Bob. In this protocol, Alice is an initiator, and Bob, a responder.

In this chapter we shall introduce most of our protocols (and attacks on them) in two parts, a pictorial part which illustrates message flows among principals, and a specification part which provides the details of the actions performed by principals regarding the messages sent or received. Although the specification part alone should be sufficient for us to describe a protocol with needed precision (the specification part alone will be the protocol description method in the rest of the book beyond this chapter), by adding pictorial presentation of message flows we intend to allow those readers who are new to the area of cryptographic protocols an easy start. This is a purpose that this chapter should serve.

Protocol 2.1: From Alice To Bob

PREMISE: Alice and Trent share key K_AT; Bob and Trent share key K_BT.
GOAL: Alice and Bob want to establish a new and shared secret key K.

1. Alice generates K at random, creates {K}_KAT, and sends to Trent: Alice, Bob, {K}_KAT;
2. Trent finds keys K_AT, K_BT, decrypts {K}_KAT to reveal K, creates {K}_KBT and sends to Bob: Alice, Bob, {K}_KBT;
3. Bob decrypts {K}_KBT to reveal K, forms and sends to Alice: {Hello Alice, I'm Bob!}_K.
Before investigating whether Protocol "From Alice To Bob" contains any security flaw we should comment on a design feature of it. The protocol lets Alice generate a session key to be shared with Bob. Will Bob be happy about this? If it turns out that the session key generated by Alice is not sufficiently random (a cryptographic key should be random to make it difficult to be determined by guessing), then Bob's security can be compromised since the key is a shared one. Maybe Alice does not care whether the session key is strong, or maybe she just wants the key to be easily memorable. So long as Bob does not trust Alice (he may not even know her prior to a protocol run), he should not feel comfortable accepting a session key generated by her and sharing it with her. We shall modify this protocol by removing this design feature and discuss security issues of the modified protocol.
2.6.1.2 Protocol "Session Key from Trent"

Since Trent is trusted by both client principals, he should be trusted to be able to properly generate the session key. Prot 2.1 is thus modified to Prot 2.2. It starts with Alice sending to Trent the identities of herself and Bob, the two principals who intend to share a session key for secure communications between them. Upon receipt of Alice's request, Trent shall find from his database the respective keys of the two principals, shall generate a new session key to be shared between the two principals and shall encrypt the session key under each of the principals' keys. Trent should then send the encrypted session key material back to Alice. Alice shall process her own part and shall relay to Bob the part intended for him. Finally, Bob shall process his share of the protocol which ends by sending out an acknowledgement for the receipt of the session key. We shall name the modified protocol Protocol "Session Key From Trent".

With the session key K being encrypted under the perfect encryption scheme, a passive eavesdropper, upon seeing the communications in a run of Protocol "Session Key From Trent" and without the encryption keys K_AT and K_BT, will not gain anything about the session key K since it may only be read by the legitimate recipients via decryption using the respective keys they have.

2.6.2 Attack, Fix, Attack, Fix

We now illustrate a standard scene of this book, that is, attack, fix, attack, fix ...

2.6.2.1 An Attack

However, Protocol "Session Key From Trent" is flawed. The problem with the protocol is that the information about who should get the session key is not protected. An attack is shown in Attack 2.1. In the attack, Malice intercepts some messages transmitted over the network, modifies them and sends them to some principals by impersonating some other principals. In the attack shown in Attack 2.1 we write

Alice sends to Malice("Trent"):

to denote Malice's action of intercepting Alice's message intended for Trent, and we use

Malice("Alice") sends to Trent:

to denote Malice's action of sending a message to Trent by impersonating Alice. We should note that according to the Dolev-Yao threat model for our protocol environment that we have agreed to in 2.3, Malice is assumed to have the entire control of the vulnerable network. So Malice is capable of performing the above malicious actions. We can imagine that the symbol ("principal_name") is a mask worn by Malice when he is manipulating protocol messages passing along the network. In 12.2 we shall see technically how Malice could manipulate messages transmitted over the network this way.

Protocol 2.2: Session Key From Trent

PREMISE: Alice and Trent share key K_AT; Bob and Trent share key K_BT.
GOAL: Alice and Bob want to establish a new and shared secret key K.

1. Alice sends to Trent: Alice, Bob;
2. Trent finds keys K_AT, K_BT, generates K at random and sends to Alice: {K}_KAT, {K}_KBT;
3. Alice decrypts {K}_KAT, and sends to Bob: Trent, Alice, {K}_KBT;
4. Bob decrypts {K}_KBT to reveal K, forms and sends to Alice: {Hello Alice, I'm Bob!}_K.

Attack 2.1: An Attack on Protocol "Session Key From Trent"

PREMISE: In addition to that in Protocol "Session Key From Trent," Malice and Trent share key K_MT.

RESULT OF ATTACK: Alice thinks she is sharing a key with Bob while actually sharing it with Malice.

1. Alice sends to Malice("Trent"): Alice, Bob;
2. Malice("Alice") sends to Trent: Alice, Malice;
3. Trent finds keys K_AT, K_MT, generates K_AM at random and sends to Alice: {K_AM}_KAT, {K_AM}_KMT;
4. Alice decrypts {K_AM}_KAT, and sends to Malice("Bob"): Trent, Alice, {K_AM}_KMT;
5. Malice("Bob") sends to Alice: {Hello Alice, I'm Bob!}_KAM.

Malice begins with intercepting the initial message from Alice to Trent. That message is meant for instructing Trent to generate a session key to share with Alice and Bob. Malice alters it by replacing Bob's identity with his own and then sends the altered message to Trent. Trent will think that Alice wants to talk to Malice. So he generates a new session key K_AM to share between Alice and Malice, and encrypts it with the respective keys that he shares with these two principals. Since Alice cannot distinguish between encrypted messages meant for other principals, she will not detect the alteration. Malice then intercepts the message from Alice intended for Bob so that Bob will not know that he is requested to run the protocol. The result of the attack is that Alice will believe that the protocol has been successfully completed with Bob whereas in fact
Malice knows K_AM and so can masquerade as Bob as well as learn all the information that Alice intends to send to Bob. Notice that this attack will only succeed if Malice is a legitimate user known to Trent. This, again, is a realistic assumption: an insider attacker is often more of a threat than outsiders.
We have seen that the above attack works as a result of Malice's alteration of Bob's identity. We should notice the fact that the alteration is possible because Bob's identity is sent in cleartext. This suggests to us to repair the protocol by hiding Bob's identity.
2.6.2.2 A Fix

Having seen the attack in which Malice alters Bob's identity, it seems straightforward to repair Protocol "Session Key From Trent." For example, we can modify the protocol into one with Bob's identity in the first message line being treated as a secret and encrypted under the key shared between Alice and Trent. Namely, the first message line in Protocol "Session Key From Trent" should be correctly modified into

1. Alice sends to Trent: Alice, {Bob}_KAT;

Notice that it is necessary for Alice's identity to remain in cleartext so Trent will be able to know which key he should use to decrypt the ciphertext part.
2.6.2.3 Another Attack

However, the above way of "repair" does not provide a sound fix for Protocol "Session Key From Trent." For example, it is easy to see that Malice can do the following:

1. Malice("Alice") sends to Trent: Alice, {Malice}_KAT;

while the rest of the attack runs exactly the same as that in Attack 2.1. If initially Malice did not know to whom Alice was intending to run the protocol, he would know that piece of information when he intercepts Alice's message to Bob, since that message has to contain Bob's address in order for the network to correctly deliver the message. So Malice can in the end still successfully masquerade as Bob. Notice that in this attack we assume that Malice has the ciphertext {Malice}_KAT; this is possible as it can be the case that Malice has recorded it from a previous protocol run (a correct run) between Alice and Malice.
2.6.2.4 Yet Another Attack

In fact, another way to attack Protocol "Session Key From Trent" (or its "fix" shown above) does not rely on change of any principal's identity. Instead, Malice can alter the message from Trent to Alice (message line 2 in Protocol "Session Key From Trent") into the following:

Malice("Trent") sends to Alice: {K'}_KAT, …;

Here K' is a session key transported in a previous protocol run (a correct run) between Alice and Malice such that Malice has recorded the ciphertext part {K'}_KAT. The rest of the attack run is similar to that in Attack 2.1: Malice should intercept the subsequent message from Alice to Bob, and finally acknowledges Alice by masquerading as Bob:

Malice("Bob") sends to Alice: {Hello Alice, I'm Bob!}_K'.

The fact that the "fixed" versions of Protocol "Session Key From Trent" can be attacked with or without altering Bob's identity clearly shows that to have Bob's identity in the first line of Protocol "Session Key From Trent" protected in terms of confidentiality cannot be a correct security service. The attacks demonstrated so far have shown possibilities for Malice to alter some protocol messages without detection. This suggests that the protocol needs a security service which can guard against tampering of messages.

This brings us to the following security service.
2.6.3 Protocol with Message Authentication

We have seen in the attacks shown so far that Malice has always been able to alter some protocol messages without detection. Indeed, none of the protocols designed so far has provided any cryptographic protection against message alteration. Thus, one way to fix these protocols is to provide such protection. The protection should enable legitimate principals who have the right cryptographic keys to detect any unauthorized alteration of any protected protocol messages. Such protection or security service is called message authentication (in some texts this notion is also called data integrity, but we shall differentiate these two notions in Chapter 11).
2.6.3.1 Protocol "Message Authentication"

We observe that Malice's alteration of the protocol messages has caused the following two effects. Either a session key is shared between wrong principals, or a wrong session key gets established. Therefore we propose that the message authentication protection should provide a cryptographic binding between the session key to be established and its intended users. This leads to a new protocol: Prot 2.3, where the identities of Alice and Bob are included in the encrypted message parts sent by Trent. We should name the new protocol "Message Authentication."

We should pay particular attention to the specification part of Protocol "Message Authentication" where it instructs

3. Alice (decrypts {Bob, K}_KAT), checks Bob's identity,
4. Bob (decrypts {Alice, K}_KBT), checks Alice's identity,
Here in Protocol "Message Authentication," steps for checking the intended principals' identities make a crucial distinction between this protocol and its predecessors (i.e., Protocol "Session Key From Trent" and its "fixes"). These checking steps are possible only after correct decryption of the respective ciphertext blocks using the correct cryptographic keys. Thus, the cryptographic operation "decryption-and-checking" performed by the recipient attempts to achieve a message authentication service which enables the recipient to verify the cryptographic bindings between the session key to be established and its intended users. A correct decryption result should imply that the ciphertext message blocks in question have not been altered in transition. That is how Protocol "Message Authentication" should thwart the attacks shown so far.

We should point out that to achieve message authentication, the operation of "decryption-and-checking" (performed by a recipient) is not a correct "mode of operation". In Chapter 17 we shall see that the correct mode of operation should be "re-encryption-and-checking" (again performed by a recipient). The reason that we use an incorrect or imprecise mode of operation in this chapter is merely because "encryption-by-sender" and "decryption-by-recipient" are the only
available cryptographic operations for us to use at this stage.

Since we will use an incorrect mode of operation to realize the message authentication service, it is necessary for us to explicitly state an additional property requirement that our encryption algorithm must satisfy. The property is given below (its enumeration (iii) follows the enumeration of the other two properties for "The Perfect Encryption with Notation {M}_K" that we have listed in 2.2).
Protocol 2.3: Message Authentication

PREMISE: Alice and Trent share key K_AT; Bob and Trent share key K_BT.

GOAL: Alice and Bob want to establish a new and shared secret key K.

1. Alice sends to Trent: Alice, Bob;
2. Trent finds keys K_AT, K_BT, generates K at random and sends to Alice: {Bob, K}_KAT, {Alice, K}_KBT;
3. Alice decrypts {Bob, K}_KAT, checks Bob's identity, and sends to Bob: Trent, {Alice, K}_KBT;
4. Bob decrypts {Alice, K}_KBT, checks Alice's identity, and sends to Alice: {Hello Alice, I'm Bob!}_K.

Property 2.2: Perfect Encryption with Notation {M}_K (for message authentication service)

iii) Without the key K, even with the knowledge of the plaintext M, it should be impossible for someone to alter {M}_K without being detected by the recipient during the time of
decryption.

In order to show the importance of this property, below we demonstrate an attack on Protocol "Message Authentication" supposing that our perfect encryption algorithm does not possess the above message authentication property (namely, we assume that the encryption algorithm only possesses the perfect confidentiality properties listed in 2.2). For ease of exposition, we modify the presentation of the ciphertext blocks {Bob, K}_KAT and {Alice, K}_KBT in the protocol into the following presentation: {Bob}_KAT, {K}_KAT and {Alice}_KBT, {K}_KBT.

With this presentation of ciphertext blocks, we imply that the cryptographic binding between principals' identities and the session key has been destroyed while the encryption retains the perfect confidentiality service for any plaintext message being encrypted. Protocol "Message Authentication" using this "perfect" encryption scheme should have its message lines 2, 3 and 4 look like the following:
2. Trent sends to Alice: {Bob}_KAT, {K}_KAT, {Alice}_KBT, {K}_KBT;
3. Alice decrypts {Bob}_KAT and {K}_KAT, checks Bob's identity,
4. Bob decrypts {Alice}_KBT and {K}_KBT, checks Alice's identity,
Obviously, the confidentiality protection provided on the principals' identities does not make a point; by simply observing the protocol messages flowing over the network (from senders and to recipients) Malice should be able to determine exactly the plaintext content inside the ciphertext blocks {Bob}_KAT and {Alice}_KBT. Thus, the modified protocol is essentially the same as Protocol "Session Key From Trent," and thus can be attacked by essentially the same attacks demonstrated in 2.6.2. The reader can apply these attacks as an exercise.
2.6.3.2 Attack on Protocol "Message Authentication"

Even considering that the encryption algorithm used possesses the message authentication property, Protocol "Message Authentication" can still be attacked. The problem stems from the difference in quality between the long-term key-encrypting keys shared initially between Trent and its clients, and the session keys generated for each protocol run.

First, we note that the relationship between Trent and each of his clients is a long-term based one. This means that a shared key between him and his client is a long-term key. In general, to establish a key between an authentication server and a client is more difficult and more costly than to establish a session key between two client principals (it should require thorough security checking routines, even maybe based on a face-to-face contact). Fortunately, such a key is mainly used in authentication protocols, with infrequent use for encrypting few messages with little redundancy, and hence such use of a key provides little information available for cryptanalysis. Therefore, secret keys shared between an authentication server and its clients can be used for a long period of time. Often they are called long-term keys.
On the other hand, we should recall a key management principle we have discussed in 2.5, which stipulates that a session key should be used for one session only. Consequently, no run of a session-key establishment protocol should establish a session key which is identical to one which was established in a previous run of the protocol. However, this is not the case for Protocol "Message Authentication." An attack run of the protocol will breach the session key management principle. In this attack, all Malice needs to do is first to intercept Alice's request (see Prot 2.3):

1. Alice sends to Malice("Trent"): Alice, Bob;

and then inject a message line 2 as follows:

2. Malice("Trent") sends to Alice: {Bob, K'}_KAT, {Alice, K'}_KBT;

Here, the two ciphertext blocks containing K' are a replay of old messages which Malice has recorded from a previous run of the protocol (a normal run between Alice and Bob), and therefore this attack will cause Alice and Bob to reuse the old session key K' which they should not use. Notice that, since K' is old, it may be possible for Malice to have discovered its value (maybe because it has been discarded by a careless principal, or maybe due to other vulnerabilities of a session key that we have discussed in 2.5). Then he can either eavesdrop on the confidential session communications between Alice and Bob, or impersonate Bob to talk to Alice.

An attack in the above fashion is called a message replay attack.
2.6.4 Protocol With Challenge-Response

There are several mechanisms that may be employed to allow users to check that a message in a protocol is not a replay of an old message. These mechanisms will be considered in detail in Chapter 11. However, for now we will improve our protocol using a well known method called challenge-response (also called handshake). Using this method Alice will generate a new random number N_A at the start of the protocol and send this to Trent with the request for a new session key. If this same value (N_A) is returned with a session key such that the two pieces are bound together cryptographically and the cryptographic binding provides a message authentication service (i.e., Alice can verify the message integrity regarding the ciphertext containing N_A), then Alice can deduce that the cryptographic binding has been created by Trent after having received her random number N_A. Moreover, recall our stipulation on the trustworthiness of Trent (see 2.4); Alice knows that Trent will always follow the protocol honestly. So Trent has indeed created a new session key after receiving Alice's random challenge. Consequently, the session key should be new (or fresh, current), namely, is not a replay of an old key. The random number N_A created by Alice for enabling the challenge-response mechanism is called a nonce, which stands for a number used once [61].

2.6.4.1 Protocol "Challenge Response" (Needham-Schroeder)

Prot 2.4 specifies a new protocol which utilizes the challenge-response mechanism for Alice to check the freshness of the session key. We shall temporarily name it "Challenge Response" (we will soon change its name).

In Protocol "Challenge Response," Bob also creates a nonce (N_B), but this nonce is not sent to Trent since in this protocol Bob does not directly contact Trent. Instead, Bob's nonce is sent to
Alice and then is replied from her after her slight modification (subtracting 1). So if Alice is satisfied that the session key K is fresh and uses it in her response to Bob's freshly created nonce, then Bob should deduce the freshness of the session key. Thus, the mutual confidence in the session key is established.

Protocol "Challenge Response," which we have reached by a series of steps, is probably the most celebrated in the subject of authentication and key establishment protocols. It is exactly the protocol of Needham and Schroeder which they published in 1978 [213]. Below we rename the protocol the Needham-Schroeder Symmetric-key Authentication Protocol. This protocol has also been the basis for a whole class of related protocols.

2.6.4.2 Attack on the Needham-Schroeder Symmetric-key Authentication Protocol

Unfortunately the Needham-Schroeder Protocol is vulnerable to an attack discovered by Denning and Sacco in 1981 [94]. In the attack of Denning and Sacco, Malice intercepts the messages sent by and to Alice in the message lines 3, 4 and 5, and replaces them with his own version. The attack is given in Attack 2.2.

In the attack, Malice becomes active in message line 3 and intercepts Alice's message sent to Bob. He then completely blockades Alice's communication channel and replays old session key material {K', Alice}_KBT which he recorded from a previous run of the protocol between Alice and Bob. By our assumption on the vulnerability of an old session key, Malice may know the value K' and therefore he can launch this attack to talk to Bob by masquerading as Alice.

We should point out that the vulnerability of an old session key is only one aspect of the danger of this attack. Another danger of this attack is Malice's successful defeat of an important goal of authentication. We shall specify that goal in 11.2.2 and see how the goal is easily defeated by Malice in 11.7.1.
Protocol 2.4: Challenge Response

PREMISE: Alice and Trent share key K_AT; Bob and Trent share key K_BT.

GOAL: Alice and Bob want to establish a new and shared secret key K.

1. Alice creates N_A at random and sends to Trent: Alice, Bob, N_A;
2. Trent generates K at random and sends to Alice: {N_A, K, Bob, {K, Alice}_KBT}_KAT;
3. Alice decrypts, checks her nonce N_A, checks Bob's ID and sends to Bob: Trent, {K, Alice}_KBT;
4. Bob decrypts, checks Alice's ID, creates random N_B and sends to Alice: {I'm Bob! N_B}_K;
5. Alice sends to Bob: {I'm Alice! N_B - 1}_K.
Attack 2.2: An Attack on the Needham-Schroeder Symmetric-key Authentication Protocol
RESULT OF ATTACK: Bob thinks he is sharing a new session key with Alice while actually the key is an old one and may be known to Malice.

1 and 2. (same as in a normal run)
3. Alice sends to Malice("Bob"): Trent, {K, Alice}_KBT;
3'. Malice("Alice") sends to Bob: {K', Alice}_KBT;
4. Bob decrypts, checks Alice's ID and sends to Malice("Alice"): {I'm Bob! N_B}_K';
5. Malice("Alice") sends to Bob: {I'm Alice! N_B - 1}_K'.
2.6.5 Protocol With Entity Authentication
The challenge-response mechanism used in the Needham-Schroeder Protocol (the interaction part between Alice and Trent) provides a security service called entity authentication. Like message authentication, the service of entity authentication is also obtained via verifying a cryptographic operation (by a verification principal). The difference between the two services is that in the latter case, evidence of liveness of a principal (the proving principal) is shown. The liveness evidence is shown if the proving principal has performed a cryptographic operation after an event which is known as recent to the verification principal. In the case of the Needham-Schroeder Protocol, when Alice receives message line 2, her decryption operation revealing her nonce N_A shows her that Trent can only have performed the encryption after the event of her sending out the nonce N_A (since the key used is shared between her and Trent). So Alice knows that Trent is alive after that event. This accomplishes an entity authentication from Trent to Alice.
However, in Bob's position in the Needham-Schroeder Protocol, he has no evidence of entity authentication regarding Trent's liveness.
As usual, once a problem has been spotted, it becomes relatively easy to suggest ways of fixing it: Trent should have himself authenticated in entity authentication to both of the client principals. This can be done by, for instance, Bob sending a nonce to Trent too, which will be included by Trent in the session key message returned from Trent. This way of fixing will add more message flows to the protocol (an additional handshake between Bob and Trent). Denning and Sacco suggest using timestamps to avoid adding message flows [94].

2.6.5.1 Timestamps
Let T denote a timestamp. The following fix was suggested by Denning and Sacco:
1. Alice sends to Trent: Alice, Bob;
2. Trent sends to Alice: {Bob, K, T, {Alice, K, T}_KBT}_KAT;
3. Alice sends to Bob: {Alice, K, T}_KBT.
When Alice and Bob receive their protocol messages from Trent, they can verify that their messages are not replays by checking T against their own clock, where Clock gives the recipient's local time, t1 is an interval representing the normal discrepancy between Trent's clock and the local clock, and t2 is an interval representing the expected network delay time. If each client principal sets its clock manually by reference to a standard source, a value of about one or two minutes for t1 would suffice. As long as t1 + t2 is less than the interval since the last use of the protocol, this method will protect against the replay attack in Attack 2.2. Since timestamp T is encrypted under the secret keys K_AT and K_BT, impersonation of Trent is impossible given the perfectness of the encryption scheme.
Needham and Schroeder have considered the use of timestamps, but they reject it on the grounds that it requires a good-quality time value to be universally available [212].
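As an added illustration (not code from the book), the following Python sketch models Protocol 2.4, the missing freshness evidence on Bob's side that Attack 2.2 exploits, and the Denning-Sacco timestamp check |Clock - T| < t1 + t2 described above. The "perfect encryption" is a hypothetical stand-in built from SHA-256 and HMAC, the function names and the interval values are my own, and every key, nonce and clock reading is constructed inline.

```python
"""Toy model of Protocol 2.4 (Needham-Schroeder symmetric key), the replay of
Attack 2.2, and the Denning-Sacco timestamp check. Stdlib only."""
import hashlib
import hmac
import json
import os
from typing import List, Optional, Tuple

# Stand-in for the book's "perfect encryption" {fields}_key: a SHA-256 keystream
# XOR plus an HMAC tag. A hypothetical illustration, not a real AEAD; the only
# property used here is that a wrong key or a tampered blob is rejected.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:n]

def encrypt(key: bytes, fields: List) -> bytes:
    pt = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> List:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decryption failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

def trent_step2(k_at: bytes, k_bt: bytes, n_a: str, T: Optional[int] = None) -> bytes:
    """Trent's reply in step 2. T=None gives Protocol 2.4:
    {N_A, K, Bob, {K, Alice}_KBT}_KAT. With a timestamp it gives the Denning-Sacco
    variant {Bob, K, T, {Alice, K, T}_KBT}_KAT, in which N_A is no longer used."""
    K = os.urandom(32).hex()
    if T is None:
        ticket = encrypt(k_bt, [K, "Alice"])
        return encrypt(k_at, [n_a, K, "Bob", ticket.hex()])
    ticket = encrypt(k_bt, ["Alice", K, T])
    return encrypt(k_at, ["Bob", K, T, ticket.hex()])

def alice_step3(k_at: bytes, n_a: str, msg2: bytes) -> bytes:
    """Alice's check in Protocol 2.4: seeing her own fresh N_A under K_AT shows Trent
    acted after she sent it (entity authentication of Trent to Alice). Returns the
    ticket {K, Alice}_KBT she forwards to Bob."""
    nonce, _K, peer, ticket_hex = decrypt(k_at, msg2)
    if nonce != n_a or peer != "Bob":
        raise ValueError("stale or misdirected reply from Trent")
    return bytes.fromhex(ticket_hex)

def bob_accepts(ticket: bytes, k_bt: bytes, clock: Optional[int] = None,
                t1: int = 120, t2: int = 30) -> bool:
    """Bob's check on the ticket received in step 3.
    Protocol 2.4 (clock=None): only Alice's identity is checked, so a ticket Malice
    recorded in an old run is indistinguishable from a fresh one (Attack 2.2).
    Denning-Sacco (clock given): additionally require |Clock - T| < t1 + t2, with t1
    the tolerated clock discrepancy and t2 the expected network delay, in seconds
    (the default values are constructed for this example)."""
    fields = decrypt(k_bt, ticket)
    if clock is None:
        _K, peer = fields
        return peer == "Alice"
    peer, _K, T = fields
    return peer == "Alice" and abs(clock - T) < t1 + t2

def attack_2_2() -> bool:
    """Malice("Alice") replays a ticket recorded in an earlier run (step 3').
    Returns Bob's verdict: True means Bob accepted the old key K'."""
    k_at, k_bt = os.urandom(32), os.urandom(32)
    n_a = os.urandom(8).hex()
    old_ticket = alice_step3(k_at, n_a, trent_step2(k_at, k_bt, n_a))  # recorded by Malice
    # Time passes and K' may have leaked; Bob has no freshness evidence to object with.
    return bob_accepts(old_ticket, k_bt)

def denning_sacco_replay() -> Tuple[bool, bool]:
    """The same replay against the timestamped ticket: accepted while T is recent,
    rejected once Clock has moved past t1 + t2."""
    k_at, k_bt = os.urandom(32), os.urandom(32)
    issued = 1_700_000_000  # constructed reading of Trent's clock at issue time
    ticket = bytes.fromhex(decrypt(k_at, trent_step2(k_at, k_bt, "", T=issued))[3])
    fresh = bob_accepts(ticket, k_bt, clock=issued + 40)
    replayed = bob_accepts(ticket, k_bt, clock=issued + 3600)
    return fresh, replayed

if __name__ == "__main__":
    print("Protocol 2.4, Bob fooled by replay:", attack_2_2())
    print("Denning-Sacco (fresh, replayed):", denning_sacco_replay())
```

The point the model makes is the one the section makes in words: Bob's only check in Protocol 2.4 is an identity check, which an old ticket passes, whereas the timestamped ticket carries evidence of recency that Bob can evaluate locally without an extra round trip to Trent.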
2.6.6 A Protocol Using Public-key Cryptosystems
The final protocol to be introduced in this chapter is called the Needham-Schroeder Public-key Authentication Protocol [213]. We introduce this protocol here for two reasons, both of which fall within the agenda of this chapter. First, the protocol lets us obtain an initial familiarity with the use of public-key cryptosystems. Secondly, we shall show a subtle attack on this protocol. Even though the protocol looks simple, the attack was found seventeen years after the publication of the protocol.
2.6.6.1 Public-key Cryptosystems
We use key labels such as K_A for Alice's public key, and a matching label for Alice's private key. It is supposed that Alice is the only person who is in possession of her private key. The ciphertext block

formed by encrypting the plaintext M under Alice's public key K_A denotes the perfect encryption of M. It is supposed that to decrypt the above ciphertext one must use the matching private key. Since it is supposed that Alice is the only person to possess the private key, only she is able to perform decryption to retrieve the plaintext M. Analogously, the ciphertext block formed by encrypting M under Alice's private key denotes the perfect encryption of the plaintext M using Alice's private key, and decryption is only possible with the use of Alice's public key K_A. With the knowledge of K_A being Alice's public key, an action of decryption using K_A provides one with further knowledge that the ciphertext was created by Alice, since the creation requires the use of a key that only she has in possession. For this reason, the ciphertext is also called Alice's (digital) signature of message M, and an action of decryption using K_A is called verification of Alice's signature of message M.
Protocol 2.5: Needham-Schroeder Public-key Authentication Protocol
PREMISE: Alice's public key is K_A, Bob's public key is K_B, Trent's public key is K_T.
GOAL: Alice and Bob establish a new and shared secret.
1. Alice sends to Trent: Alice, Bob;
2. Trent sends to Alice: {K_B, Bob};
3. Alice verifies Trent's signature on "K_B, Bob," creates her nonce N_A at random, and sends to Bob: {N_A, Alice}_KB;
4. Bob decrypts, checks Alice's ID and sends to Trent: Bob, Alice;
5. Trent sends to Bob: {K_A, Alice};
6. Bob verifies Trent's signature on "K_A, Alice," creates his nonce N_B at random, and sends to Alice: {N_A, N_B}_KA;
7. Alice decrypts, and sends to Bob: {N_B}_KB.
2.6.6.2 Needham-Schroeder Public-key Authentication Protocol

Suppose that Trent has in his possession the public keys of all the client principals he serves. Also, every client principal has an authenticated copy of Trent's public key. Prot 2.5 specifies the Needham-Schroeder Public-key Authentication Protocol.
Here Alice is an initiator who seeks to establish a session with responder Bob, with the help of Trent. In step 1, Alice sends a message to Trent, requesting Bob's public key. Trent responds in step 2 by returning the key K_B, along with Bob's identity (to prevent the sort of attacks in Section 2.6.2), encrypted using Trent's private key. This forms Trent's digital signature on the protocol message, which assures Alice that the message in step 2 originated from Trent (Alice should verify the signature using Trent's public key). Alice then seeks to establish a connection with Bob by selecting a nonce N_A at random, and sending it along with her identity to Bob (step 3), encrypted using Bob's public key. When Bob receives this message, he decrypts the message to obtain the nonce N_A. He requests (step 4) and receives (step 5) the authentic copy of Alice's public key. He then returns the nonce N_A, along with his own new nonce N_B, to Alice, encrypted with Alice's public key (step 6). When Alice receives this message she should be assured that she is talking to Bob, since only Bob should be able to decrypt message 3 to obtain N_A, and this must have been done after her action of sending the nonce out (a recent action). Alice then returns the nonce N_B to Bob, encrypted with Bob's public key. When Bob receives this message he should, too, be assured that he is talking to Alice, since only Alice should be able to decrypt message 6 to obtain N_B (also a recent action). Thus, a successful run of this protocol does achieve the establishment of the shared nonces N_A and N_B, and they are shared secrets exclusively between Alice and Bob. Further notice that since both principals contribute to these shared secrets recently, they have the freshness property. Also, each principal should trust the randomness of the secrets as long as her/his part of the contribution is sufficiently random. Needham and Schroeder suggest that N_A and N_B, which are from a large space, can be used to initialize a shared secret key ("as the base for seriation of encryption blocks") [213] for subsequent secure communications between Alice and Bob.
Denning and Sacco have pointed out that this protocol provides no guarantee that the public keys obtained by the client principals are current, rather than replays of old, possibly compromised keys [94]. This problem can be overcome in various ways, for example by including timestamps in the key deliveries [a]. Below we assume that the clients' public keys that are obtained from Trent are current and good.
[a] Denning and Sacco propose such a fix [94]. However, their fix is flawed for a different reason. We will see their fix and study the reason for the flaw in Section 11.7.7.
2.6.6.3 Attack on the Needham-Schroeder Public-key Authentication Protocol
Lowe discovers an attack on the Needham-Schroeder Public-key Authentication Protocol [180]. Lowe observes that this protocol can be considered as the interleaving of two logically disjoint protocols; steps 1, 2, 4 and 5 are concerned with obtaining public keys, whereas steps 3, 6 and 7 are concerned with the authentication of Alice and Bob. Therefore, we can assume that each principal initially has the authentic copies of each other's public key, and restrict our attention to just the following steps (we only list message flows; the reader may refer to Prot 2.5 for details):
3. Alice sends to Bob: {N_A, Alice}_KB;
6. Bob sends to Alice: {N_A, N_B}_KA;
7. Alice sends to Bob: {N_B}_KB.
We shall consider how Malice can interact with this protocol. We assume that Malice is a legitimate principal in the system, and so other principals may try to set up standard sessions with Malice. Indeed, the attack below starts with Alice trying to establish a session with Malice. Attack 2.3 describes the attack.
The attack involves two simultaneous runs of the protocol; in the first run (steps 1-3, 1-6 and 1-7), Alice establishes a valid session with Malice; in the second run (steps 2-3, 2-6 and 2-7), Malice impersonates Alice to establish a bogus session with Bob. In step 1-3, Alice starts to establish a normal session with Malice, sending him a nonce N_A. In step 2-3, Malice impersonates Alice to try to establish a bogus session with Bob, sending to Bob the nonce N_A from Alice. Bob responds in step 2-6 by selecting a new nonce N_B, and trying to return it, along with N_A, to Alice. Malice intercepts this message, but cannot decrypt it because it is encrypted with Alice's public key. Malice therefore seeks to use Alice to do the decryption for him, by forwarding the message to Alice in step 1-6; note that this message is of the form expected by Alice in the first run of the protocol. Alice decrypts the message to obtain N_B, and returns this to Malice in step 1-7 (encrypted with Malice's public key). Malice can then decrypt this message to obtain N_B, and returns this to Bob in step 2-7, thus completing the second run of the protocol. Hence Bob believes that Alice has correctly established a session with him and they share exclusively the secret nonces N_A and N_B.
A crucial step for Malice to succeed in the attack is Alice's unwitting decryption of Bob's nonce N_B for Malice. We say that a principal is used as an oracle, or is providing an oracle service, when the principal performs a cryptographic operation inadvertently for an attacker. We will see many cases of oracle services in this book and will gradually develop a general methodology that cryptographic algorithms and protocols should be designed such that they are secure even if their users provide oracle services to attackers.
We can imagine the following consequences of this attack. Malice may include the shared nonces within a subsequent message suggesting a session key, and Bob will believe that this message originated from Alice. Similarly, if Bob is a bank, then Malice could impersonate Alice to send a message such as:
Malice("Alice") sends to Bob: {N_A, N_B, "Transfer 1,000,000 from my account to Malice's"}_KB.
Attack 2.3: Lowe's Attack on the Needham-Schroeder Public-key Authentication Protocol
PREMISE: Alice's public key is K_A, Bob's public key is K_B, Malice's public key is K_M.
RESULT OF ATTACK: Bob thinks he is sharing secrets N_A, N_B with Alice while actually sharing them with Malice.
2.6.6.4 A Fix
It is fairly easy to change the protocol so as to prevent the attack. If we include the responder's identity in message 6 of the protocol
6. Bob sends to Alice: {Bob, N_A, N_B}_KA;
then step 2-6 of the attack would become
2-6. Bob sends to Malice("Alice"): {Bob, N_A, N_B}_KA.
Now because Alice is expecting a message with Malice's identity, Malice cannot successfully replay this message in step 1-6 with an intention to use Alice as a decryption oracle.
This fix represents an instance of a principle for cryptographic protocols design suggested by Abadi and Needham [1]:
If the identity of a principal is essential to the meaning of a message, it is prudent to mention the principal's name explicitly in the message.
However, we should refrain from claiming that this way of "fixing" should result in a secure protocol. In Section 17.2.1 we will reveal several additional problems in this protocol due to an undesirable design feature which can be referred to as "message authentication via decryption-and-checking" (we have labeled it a wrong mode of operation, see Section 2.6.3.1). That design feature appears generally in authentication protocols using secret-key or public-key cryptographic techniques and has appeared in all protocols in this chapter (the design feature has been retained in our "fix" of the Needham-Schroeder Public-key Authentication Protocol, and hence our "fix" is still not a correct one). Methodical fixes for the Needham-Schroeder Authentication Protocols (both symmetric-key and public-key) will be given in Section 17.2.3.
The error-prone nature of authentication protocols has inspired the consideration of systematic approaches to the development of correct protocols. That topic will be introduced in Chapter 17.
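As an added example, not code from the book, the following Python model treats steps 3, 6 and 7 of Protocol 2.5 symbolically in the Dolev-Yao style: a ciphertext is a record that only the named key owner can open, so the model says nothing about any real cipher and everything about message structure. It runs Lowe's interleaving (Attack 2.3) against both the original message 6 and the fixed one that carries the responder's name, so that the effect of the Abadi-Needham principle can be checked mechanically. The class and function names are my own and all nonces are generated inline.

```python
"""Symbolic (Dolev-Yao style) model of the authentication core of Protocol 2.5
(steps 3, 6, 7), Lowe's interleaving attack (Attack 2.3) and the fix that names
the responder in message 6. Hypothetical illustration; no real cryptography."""
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class Enc:
    """{fields}_K_to : perfect public-key encryption that only the owner of the
    matching private key can open. The cipher itself is abstracted away."""
    to: str
    fields: tuple

def decrypt(me: str, c: Enc) -> tuple:
    if c.to != me:
        raise PermissionError(f"{me} does not hold the private key of {c.to}")
    return c.fields

class Initiator:
    """Alice's role. With fixed=True she expects message 6 to name the responder."""
    def __init__(self, name: str, fixed: bool):
        self.name, self.fixed = name, fixed
        self.peer = self.n_a = None

    def step3(self, responder: str) -> Enc:
        self.peer, self.n_a = responder, secrets.token_hex(4)
        return Enc(responder, (self.n_a, self.name))             # {N_A, Alice}_KB

    def step7(self, msg6: Enc) -> Enc:
        fields = decrypt(self.name, msg6)
        if self.fixed:
            who, n_a, n_b = fields
            if who != self.peer:                                  # the Abadi-Needham check
                raise ValueError("message 6 names a responder I am not talking to")
        else:
            n_a, n_b = fields
        if n_a != self.n_a:
            raise ValueError("N_A does not match my outstanding challenge")
        return Enc(self.peer, (n_b,))                             # {N_B}_K_peer

class Responder:
    """Bob's role. With fixed=True he puts his own name into message 6."""
    def __init__(self, name: str, fixed: bool):
        self.name, self.fixed = name, fixed
        self.peer = self.n_b = None

    def step6(self, msg3: Enc) -> Enc:
        n_a, claimed = decrypt(self.name, msg3)
        self.peer, self.n_b = claimed, secrets.token_hex(4)
        body = (self.name, n_a, self.n_b) if self.fixed else (n_a, self.n_b)
        return Enc(claimed, body)                                 # {[Bob,] N_A, N_B}_KA

    def step7_check(self, msg7: Enc) -> bool:
        (n_b,) = decrypt(self.name, msg7)
        return n_b == self.n_b    # Bob now believes he shares N_A, N_B with self.peer

def honest_run(fixed: bool) -> bool:
    """A normal Alice-Bob run completes in both variants."""
    alice, bob = Initiator("Alice", fixed), Responder("Bob", fixed)
    return bob.step7_check(alice.step7(bob.step6(alice.step3("Bob"))))

def lowe_attack(fixed: bool) -> bool:
    """Returns True when Bob completes a run believing his peer is Alice although the
    nonces are actually shared with Malice; False when the protocol resists."""
    alice, bob = Initiator("Alice", fixed), Responder("Bob", fixed)
    m13 = alice.step3("Malice")                   # 1-3: Alice genuinely contacts Malice
    n_a, _ = decrypt("Malice", m13)
    m26 = bob.step6(Enc("Bob", (n_a, "Alice")))   # 2-3: Malice("Alice") forwards N_A to Bob
    # 2-6 is encrypted for Alice; Malice cannot open it and relays it as 1-6.
    try:
        m17 = alice.step7(m26)                    # 1-7: Alice answers, acting as a decryption oracle
    except ValueError:
        return False                              # with the fix, Alice refuses
    (n_b,) = decrypt("Malice", m17)
    return bob.step7_check(Enc("Bob", (n_b,)))    # 2-7: Malice("Alice") completes Bob's run

if __name__ == "__main__":
    print("honest runs:", honest_run(False), honest_run(True))
    print("Lowe's attack, original / fixed:", lowe_attack(False), lowe_attack(True))
```

The fixed variant fails in Alice's step 7 precisely because message 6 now says "Bob" while Alice's outstanding session is with Malice; nothing else in the protocol changes, which is what makes the identity check a cheap defence. As the section goes on to say, the model also shows what the fix does not address: Bob still authenticates by decrypting and checking, and a symbolic model like this one is the kind of tool Chapter 17 uses to search such protocols for further interleavings.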

2.7 Chapter Summary
Some design protection mechanisms, others want to crack them. This is a fact of life and there is nothing special about it. However, in this chapter we have witnessed a rather sad part of this fact of life in authentication protocols: they, as protection mechanisms, are very easily compromised.
Actually, all complex systems easily contain design errors. However, unlike in the case of systems which provide security services, users and the environment of other complex systems are generally non-hostile or even friendly. For example, a careful user of buggy software may learn to avoid certain usages in order to avoid a system crash. However, for an information security system, its environment and some of its users are always hostile: the whole reason for their existence is to attack the system. Exploiting design errors is of course an irresistible source of tricks for them.
We have used authentication protocols as a means to manifest the error-prone nature of security systems. Although it seems that protocols are more notoriously error-prone due to their communication nature, the real reason for us to use authentication protocols is that they require relatively simpler cryptographic techniques and therefore are more suitable for serving our introductory purpose at this early stage of the book. We should remember that it is the hostility of the environment for all security systems that should always alert us to be careful when we develop security systems.
We will return to studying authentication protocols in several later chapters. The further study will include a study on the principles and structures of authentication protocols and a taxonomy of attacks on authentication protocols (Chapter 11), case studies of several protocols for real world applications (Chapter 12), and formalism approaches to the development of correct authentication protocols (Chapter 17).

Exercises
2.1 What sort of things can an active attacker do?
2.2 Under the Dolev-Yao Threat Model, Malice is very powerful because he is in control of the entire open communications network. Can he decrypt or create a ciphertext message without using the correct key? Can he find the key-encryption key from a ciphertext message? Can he predict a nonce value?
2.3 What is the role of Trent in authenticated key establishment protocols?
2.4 What is a long-term key, a key-encryption key, a short-term key and a session key?
2.5 Why, with perfect encryption and perfect message authentication services, can authentication protocols still be broken?
2.6 What is a nonce? What is a timestamp? What are their roles in authentication or authenticated key establishment protocols?
2.7 Why must some messages transmitted in authentication or authenticated key establishment protocols be fresh?
2.8 How can a principal decide the freshness of a protocol message?
2.9 For the perfect encryption notation {M}_K, differentiate the following three properties: (i) message confidentiality, (ii) key secrecy, and (iii) message authentication.
2.10 Provide another attack on Protocol "Session Key From Trent" (Prot 2.2) which allows Malice to masquerade not only as Bob toward Alice, as in Attack 2.1, but at the same time also as Alice toward Bob, so that Malice can relay "confidential" communications between Alice and Bob.
Hint: run another instance of Attack 2.1 between Malice("Alice") and Bob.
2.11 What is the difference between message authentication and entity authentication?
2.12 Provide another attack on the Needham-Schroeder Authentication Protocol in which Alice (and Trent) stays offline completely.
2.13 Does the digital signature play an important role in the Needham-Schroeder Public-key Authentication Protocol?
Hint: consider that the protocol can be simplified to the version which only contains message lines 2, 6 and 7.

Part II: Mathematical Foundations
Standard Notation
This part is a collection of mathematical material which provides the basic notation, methods, the basis of algebraic operations, building blocks of algorithmic procedures and references for modeling, specifying, analyzing, transforming and solving the various problems that appear in the rest of this book.
This part has four chapters: probability and information theory (Chapter 3), computational complexity (Chapter 4), algebraic foundations (Chapter 5) and number theory (Chapter 6).
This part serves as a self-contained mathematical reference guide. Whenever we meet a non-trivial mathematical problem in the rest of the book, we will be able to refer to a precise place in these four chapters for the supporting facts and/or foundations. Our way of including the mathematical material in this book is therefore meant to help the reader learn the mathematical foundations of modern cryptography in an active and interactive way.
We will pay in-depth attention to, and provide sufficiently detailed elaborations for, the algorithms and theorems which are important to the theoretical foundations and practical applications of modern cryptography. We will provide a proof for a theorem if we believe that the proof will help the reader to develop skills relevant to the study of the cryptographic topics in this book. Sometimes our development of a mathematical topic has to make use of facts from other branches of mathematics (e.g., linear algebra) which have no direct relevance to the cryptographic skills to be developed here; in such cases we will simply use the needed facts without proof.
The following standard notation is used throughout the rest of the book. Some notation will be defined locally near its first use; other notation will be used without further definition.

∅    empty set
S ∪ T    union of sets S and T
S ∩ T    intersection of sets S and T
S \ T    difference of sets S and T
S ⊆ T    S is a subset of T
#S    number of elements in set S (e.g., #∅ = 0)
x ∈ S, x ∉ S    element x in (not in) set S
x ←_U S    sampling element x uniformly at random in set S
x ∈ (a, b), x ∈ [a, b]    x in open interval (a, b) (x in closed interval [a, b])
ℕ, ℤ, ℚ, ℝ, ℂ    sets of natural numbers, integers, rationals, reals and complex numbers
ℤ_n    integers modulo n

ℤ_n^*    multiplicative group of integers modulo n
𝔽_q    finite field of q elements
desc(A)    description of algebraic structure A
x ← D    value assignment according to the distribution D
x ←_U S    value assignment according to the uniform distribution in S
a (mod b)    modulo operation: remainder of a divided by b
x | y, x ∤ y    integer y is divisible (not divisible) by integer x
≝    defined to be
∀    for all
∃    there exists
gcd(x, y)    greatest common divisor of x and y
lcm(x, y)    least common multiple of x and y
log_b x    logarithm to base b of x; natural log if b is omitted
⌊x⌋    the maximum integer less than or equal to x
⌈x⌉    the least integer greater than or equal to x
|x|    length of integer x (= 1 + ⌊log_2 x⌋ for x ≥ 1), also absolute value of x
φ(n)    Euler's function of n
λ(n)    Carmichael's function of n
ord(x)    order of a group element
ord_n(x)    order of x (mod n)
⟨g⟩    cyclic group generated by g
(x/y)    Legendre-Jacobi symbol of integer x modulo integer y
J_n(1)    { x | x ∈ ℤ_n^*, (x/n) = 1 }
QR_n    the set of quadratic residues modulo integer n
QNR_n    the set of quadratic non-residues modulo integer n
deg(·)    degree of a polynomial

Σ_{i=1}^{n} v_i, Σ_{i∈S} v_i    sum of values v_i for i = 1, 2, ..., n, or for i ∈ S
Π_{i=1}^{n} v_i, Π_{i∈S} v_i    product of values v_i for i = 1, 2, ..., n, or for i ∈ S
Ē    complement of event E
E ∪ F    sum of events E, F, i.e., either E or F occurs
E ∩ F    product of events E, F, i.e., both E and F occur
E ⊆ F    event F contains event E, i.e., occurrence of E implies occurrence of F
E \ F    difference of events E, F
∪_{i=1}^{n} E_i, ∪_{i∈S} E_i    sum of events E_i for i = 1, 2, ..., n, or for i ∈ S
∩_{i=1}^{n} E_i, ∩_{i∈S} E_i    product of events E_i for i = 1, 2, ..., n, or for i ∈ S
Prob[E]    probability of event E occurring
Prob[E | F]    conditional probability of event E occurring given that event F has occurred
n!    factorial of n (= n(n − 1)(n − 2)···1 with 0! = 1)
\binom{n}{k}    ways of picking k out of n
b(k; n, p)    binomial distribution of k successes in n Bernoulli trials with the success probability being p
O(f(n))    function g(n) such that |g(n)| ≤ c|f(n)| for some constant c > 0 and all sufficiently large n
O_B(·)    O(·) in the bitwise computation mode
¬x    logical operation NOT (x is a Boolean variable), also bit operation: bit-wise negation (x is a bit string)
x ∧ y    logical operation AND (x, y are Boolean variables), also bit operation: bit-wise and (x, y are bit strings)

x ∨ y    logical operation OR (x, y are Boolean variables), also bit operation: bit-wise or (x, y are bit strings)
x ⊕ y    logical operation XOR (x, y are Boolean variables), also bit operation: bit-wise xor (x, y are bit strings)
(* *)    non-executable comment parts in algorithms or protocols
□    end of proof, remark or example

Chapter 3. Probability and Information Theory
Section 3.1. Introduction
Section 3.2. Basic Concept of Probability
Section 3.3. Properties
Section 3.4. Basic Calculation
Section 3.5. Random Variables and their Probability Distributions
Section 3.6. Birthday Paradox
Section 3.7. Information Theory
Section 3.8. Redundancy in Natural Languages
Section 3.9. Chapter Summary
Exercises

3.1 Introduction
Probability and information theory are essential tools for the development of modern cryptographic techniques.
Probability is a basic tool for the analysis of security. We often need to estimate how probable it is that an insecure event may occur under certain conditions. For example, considering Protocol "Coin Flipping Over Telephone" in Chapter 1, we need to estimate the probability for Alice to succeed in finding a collision for a given one-way function f (which should desirably be bounded by a very small quantity), and that for Bob to succeed in finding the parity of x when given f(x) (which should desirably be very close to 1/2).
Information theory is closely related to probability. An important aspect of security for an encryption algorithm can be referred to as "uncertainty of ciphers": an encryption algorithm should desirably output ciphertext which is distributed randomly over its entire ciphertext message space. Shannon quantifies the uncertainty of information by a notion which he names entropy. Historically, the desire for achieving a high entropy in ciphers comes from the need to thwart a cryptanalysis technique which exploits the fact that natural languages contain redundancy, that is, the frequent appearance of some known patterns in natural languages.
More recently, the need for modern cryptographic systems, in particular public-key cryptosystems, to have probabilistic behavior has reached a rather stringent degree: semantic security. This can be described as the following property: if Alice encrypts either 0 or 1 with equal probability under a semantically secure encryption algorithm, sends the resultant ciphertext c to Bob and asks him to answer which is the case, then Bob, without the correct decryption key, should have no algorithmic strategy enabling him to discern between the two cases with any "advantage" better than random guessing. We notice that many "textbook" versions of encryption algorithms do not have this desirable property.
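The 0/1 distinguishing game just described, written out as an added example (this is not code from the book): the challenger encrypts a random bit, and Bob, holding only the public key, tries to say which bit it was. The first scheme is textbook RSA, which is deterministic, so Bob can simply encrypt both candidates himself and compare. The second scheme prepends fresh random bits before exponentiating; it is a toy contrast constructed here, not a secure padding scheme, and it only shows that this particular strategy depends on determinism. The key parameters (the primes 2^31 − 1 and 1000003, exponent 65537) and the 40-bit padding width are constructed for illustration and are far too small for real use.

```python
"""Added example (not from the book): the 0/1 indistinguishability game
of Section 3.1 against textbook RSA and a toy randomized padding of it."""
import random

# Constructed toy RSA key: p = 2^31 - 1 and q = 1000003 are primes and
# e = 65537 is coprime to (p-1)(q-1).  Far too small for real use.
P, Q, E = 2**31 - 1, 1000003, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)
PAD_BITS = 40                       # (r << 1) | m < 2^41 < N, so no wrap-around


def textbook_rsa_encrypt(pk, m, rng):
    """Textbook RSA: c = m^e mod n.  Deterministic; rng is unused."""
    n, e = pk
    return pow(m, e, n)


def textbook_rsa_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


def padded_rsa_encrypt(pk, m, rng):
    """Toy contrast only: fresh random bits are prepended to the bit m
    before exponentiating, so the same m yields different ciphertexts."""
    n, e = pk
    r = rng.getrandbits(PAD_BITS)
    return pow((r << 1) | m, e, n)


def padded_rsa_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n) & 1        # drop the padding, keep the message bit


def reencryption_adversary(pk, c, encrypt, rng):
    """Bob's strategy with the public key only: encrypt both candidate
    plaintexts and report the one that reproduces c; otherwise toss a coin."""
    for b in (0, 1):
        if encrypt(pk, b, rng) == c:
            return b
    return rng.randrange(2)


def ind_game(encrypt, pk, adversary, trials, rng):
    """The challenger picks b in {0, 1} uniformly and sends Enc(b).
    Returns the adversary's advantage |2 * Pr[correct] - 1| over `trials` rounds."""
    correct = 0
    for _ in range(trials):
        b = rng.randrange(2)
        c = encrypt(pk, b, rng)
        if adversary(pk, c, encrypt, rng) == b:
            correct += 1
    return abs(2 * correct / trials - 1)


def advantage_against_textbook_rsa(trials=200, seed=1):
    return ind_game(textbook_rsa_encrypt, PUBLIC_KEY,
                    reencryption_adversary, trials, random.Random(seed))


def advantage_against_padded_rsa(trials=2000, seed=1):
    return ind_game(padded_rsa_encrypt, PUBLIC_KEY,
                    reencryption_adversary, trials, random.Random(seed))


def padded_roundtrip(m, seed=3):
    """Encrypt bit m under a seeded generator and decrypt it again."""
    c = padded_rsa_encrypt(PUBLIC_KEY, m, random.Random(seed))
    return padded_rsa_decrypt(PRIVATE_KEY, c)


if __name__ == "__main__":
    print("textbook RSA, re-encryption adversary:", advantage_against_textbook_rsa())
    print("padded RSA,   re-encryption adversary:", advantage_against_padded_rsa())
```

Against textbook RSA the adversary is right in every round, an advantage of 1; against the randomized variant the re-encryption test almost never matches and the adversary is reduced to guessing, an advantage near 0. That a particular adversary fails is of course not a proof of semantic security, which requires that no efficient adversary has a non-negligible advantage.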
3.1.1 Chapter Outline
The basic notions of probability which are sufficient for our use in this book will be introduced in §3.2 to §3.6. Information theory will be introduced in §3.7 and §3.8.

3.2 Basic Concept of Probability
Let Ω be an arbitrary, but fixed, set of points called the probability space (or sample space). Any element x ∈ Ω is called a sample point (also called outcome, simple event or indecomposable event; we shall just use point for short). An event (also called compound event or decomposable event) is a subset of Ω and is usually denoted by a capital letter (e.g., E). An experiment or observation is an action of yielding (taking) a point from Ω. An occurrence of an event E is when an experiment yields x ∈ E for some point x ∈ Ω.
Example 3.1.
Consider an experiment of drawing one playing card from a fair deck (here "fair" means drawing a card at random). Here are some examples of probability spaces, points, events and occurrences of events.
1. Ω_1: The space consists of 52 points, one for each card in the deck. Let event E_1 be "aces" (i.e., E_1 = {A♠, A♥, A♦, A♣}). It occurs if the card drawn is an ace of any suit.
2. Ω_2 = {red, black}. Let event E_2 = {red}. It occurs if the card drawn is of red color.
3. Ω_3: This space consists of 13 points, namely 2, 3, 4, ..., 10, J, Q, K, A. Let event E_3 be "numbers." It occurs if the card drawn is 2, or 3, or ..., or 10.
Definition 3.1: Classical Definition of Probability. Suppose that an experiment can yield one of n = #Ω equally probable points and that every experiment must yield a point. Let m be the number of points which form event E. Then the value m/n is called the probability of the event E occurring and is denoted by Prob[E] = m/n.
Example 3.2.
In Example 3.1:
1. Prob[E_1] = 4/52 = 1/13.
2. Prob[E_2] = 1/2.

3. Prob[E_3] = 9/13.
Definition 3.2: Statistical Definition of Probability. Suppose that n experiments are carried out under the same condition, in which event E has occurred µ times. If the value µ/n becomes and remains stable for all sufficiently large n, then the event E is said to have probability µ/n, which is denoted by Prob[E] = µ/n.
In §3.5.3 we will see that Definition 3.2 can be derived as a theorem (a corollary of the law of large numbers) from a few other intuitive notions. We nevertheless provide it in the form of a definition because we consider that it is itself sufficiently intuitive.

3.3 Properties
1. A probability space itself is an event called the sure event. For example, Ω = {HEADS, TAILS}. We have Prob[Ω] = 1.
2. Denote by ∅ the event that contains no point (i.e., the event that never occurs); for example, "black" is such an event when Ω = {HEADS, TAILS}. It is called an impossible event. We have Prob[∅] = 0.
3. Any event E satisfies 0 ≤ Prob[E] ≤ 1.
4. If E ⊆ F, we say that event E implies event F, and Prob[E] ≤ Prob[F].
5. Denote by Ē the complementary event of E. Then Prob[E] + Prob[Ē] = 1.

3.4 Basic Calculation
Denote by E ∪ F the sum of events E, F, representing an occurrence of at least one of the two events, and by E ∩ F the product of events E, F, representing the occurrence of both of the two events.
3.4.1 Addition Rules
1. Prob[E ∪ F] = Prob[E] + Prob[F] − Prob[E ∩ F].
2. If E ∩ F = ∅, we say that the two events are mutually exclusive or disjoint, and Prob[E ∪ F] = Prob[E] + Prob[F].
3. If E_1 ∪ E_2 ∪ ... ∪ E_n = Ω with E_i ∩ E_j = ∅ for i ≠ j, then Prob[E_1] + Prob[E_2] + ... + Prob[E_n] = 1.
Example 3.3. Show Equation (3.4.1).
Because E ∪ F = E ∪ (F ∩ Ē), where E and F ∩ Ē are mutually exclusive, (3.4.1) holds as a result of Addition Rule 2.
Definition 3.3: Conditional Probability. Let E, F be two events with E having non-zero probability. The probability of F occurring given that E has occurred is called the conditional probability of F given E and is denoted by Prob[F | E] = Prob[E ∩ F] / Prob[E].

Example 3.4.

Consider families with two children. Let g and b stand for girl and boy, respectively, with the first letter standing for the older child. We have four possibilities gg, gb, bg, bb, and these are the four points in $S$. We associate probability $1/4$ with each point. Let event $E$ be that a family has a girl, and let event $F$ be that both children in the family are girls. What is the probability of $F$ given $E$ (i.e., $\mathrm{Prob}[F \mid E]$)?

The event $E \cap F$ means gg, and so $\mathrm{Prob}[E \cap F] = 1/4$. The event $E$ means gg, or gb, or bg, and hence $\mathrm{Prob}[E] = 3/4$. Therefore by Definition 3.3, $\mathrm{Prob}[F \mid E] = (1/4)/(3/4) = 1/3$. Indeed, in one-third of the families with the characteristic $E$ we can expect that $F$ will occur.

Definition 3.4: Independent Events. Events $E$, $F$ are said to be independent if and only if $\mathrm{Prob}[F \mid E] = \mathrm{Prob}[F]$.

3.4.2 Multiplication Rules

1. $\mathrm{Prob}[E \cap F] = \mathrm{Prob}[F \mid E]\,\mathrm{Prob}[E] = \mathrm{Prob}[E \mid F]\,\mathrm{Prob}[F]$.

2. If events $E$, $F$ are independent, then $\mathrm{Prob}[E \cap F] = \mathrm{Prob}[E]\,\mathrm{Prob}[F]$.

Example 3.5.

Consider Example 3.1. We expect that the events $E_1$ and $E_2$ are independent. Their probabilities are given in Example 3.2. Since these two events are independent, applying "Multiplication Rule 2," the probability of their simultaneous realization (a red ace is drawn) is the product of the two.

3.4.3 The Law of Total Probability

The law of total probability is a useful theorem.

Theorem 3.1

If $E_1 \cup E_2 \cup \cdots \cup E_n = S$ and $E_i \cap E_j = \emptyset$ for $i \ne j$, then for any event $A$

$$\mathrm{Prob}[A] = \sum_{i=1}^{n} \mathrm{Prob}[A \mid E_i]\,\mathrm{Prob}[E_i].$$

Proof Since

$$A = (A \cap E_1) \cup (A \cap E_2) \cup \cdots \cup (A \cap E_n),$$

where $A \cap E_i$ and $A \cap E_j$ ($i \ne j$) are mutually exclusive, the probabilities of the right-hand-side sum of events can be added up using Addition Rule 2, in which each term $\mathrm{Prob}[A \cap E_i] = \mathrm{Prob}[A \mid E_i]\,\mathrm{Prob}[E_i]$ follows from an application of "Multiplication Rule 1."

The law of total probability is very useful. We will frequently use it when we evaluate (or estimate a bound of) the probability of an event $A$ which is conditional given some other mutually exclusive events (e.g., and typically, $E$ and $\bar{E}$). The usefulness of this formula is that an evaluation of the conditional probabilities $\mathrm{Prob}[A \mid E_i]$ is often easier than a direct calculation of $\mathrm{Prob}[A]$.

Example 3.6.

(This example uses some elementary facts of number theory. The reader who finds this example difficult may return to review it after having studied Chapter 6.)

Let $p = 2q + 1$ such that both $p$ and $q$ are prime numbers. Consider choosing two numbers $g$ and $h$ at random from the set $S = \{1, 2, \ldots, p - 1\}$ (with replacement). Let event $A$ be "$h$ is generated by $g$," that is, $h \equiv g^x \pmod p$ for some $x < p$ (equivalently, this means "$\log_g h \pmod{p-1}$ exists"). What is the probability of $A$ for random $g$ and $h$?

It is not very straightforward to evaluate $\mathrm{Prob}[A]$ directly. However, the evaluation can be made easy by first evaluating a few conditional probabilities followed by applying the theorem of total probability.

Denote by $\mathrm{ord}_p(g)$ the (multiplicative) order of $g \pmod p$, which is the least natural number $i$ such that $g^i \equiv 1 \pmod p$. The value $\mathrm{Prob}[A]$ depends on the following four mutually exclusive events.

i. $E_1$: $\mathrm{ord}_p(g) = p - 1 = 2q$, and we know $\mathrm{Prob}[E_1] = \phi(2q)/(p - 1) = (q - 1)/(2q)$ (here $\phi$ is Euler's phi function; in $S$ there are exactly $\phi(2q) = q - 1$ elements of order $2q$). In this case, any $h < p$ must be generated by $g$ ($g$ is a generator of the set $S$), and so we have $\mathrm{Prob}[A \mid E_1] = 1$.

ii. $E_2$: $\mathrm{ord}_p(g) = q$, and similar to case (i) we know $\mathrm{Prob}[E_2] = \phi(q)/(p - 1) = (q - 1)/(2q)$. In this case, $h$ can be generated by $g$ if and only if $\mathrm{ord}_p(h) \mid q$. Since in the set $S$ there are exactly $q$ elements of orders dividing $q$, we have $\mathrm{Prob}[A \mid E_2] = q/(2q) = 1/2$.

iii. $E_3$: $\mathrm{ord}_p(g) = 2$. Because there is only one element, $p - 1$, of order 2, $\mathrm{Prob}[E_3] = 1/(2q)$. Only 1 and $p - 1$ can be generated by $p - 1$, so we have $\mathrm{Prob}[A \mid E_3] = 2/(2q) = 1/q$.

iv. $E_4$: $\mathrm{ord}_p(g) = 1$. Only element 1 is of order 1, and so $\mathrm{Prob}[E_4] = 1/(2q)$. Also only 1 can be generated by 1, and we have $\mathrm{Prob}[A \mid E_4] = 1/(2q)$.

The above four events not only are mutually exclusive, but also form all possible cases for the orders of $g$. Therefore we can apply the theorem of total probability to obtain $\mathrm{Prob}[A]$:

$$\mathrm{Prob}[A] = \sum_{i=1}^{4} \mathrm{Prob}[A \mid E_i]\,\mathrm{Prob}[E_i] = \frac{q-1}{2q} + \frac{q-1}{4q} + \frac{1}{2q^2} + \frac{1}{4q^2} = \frac{3(q^2 - q + 1)}{4q^2},$$

i.e., roughly $3/4$ when $q$ is large.
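The following Python is an added check of Example 3.6; it is not the book's code. For a small safe prime it counts every pair $(g, h)$ directly, redoes the four-case total-probability sum by counting elements of each order, and compares both with the closed form $3(q^2 - q + 1)/(4q^2)$. The toy parameters $p = 23$ and $p = 47$ and all helper names are my own choices for the demonstration.

```python
from fractions import Fraction

# Added example, not the book's code: checks Example 3.6 by brute force for a
# small safe prime p = 2q + 1 and compares the answer with the law of total
# probability.  p = 23 (q = 11) and p = 47 (q = 23) are constructed toy
# parameters for the check, not real parameter sizes.

def mult_order(g: int, p: int) -> int:
    """ord_p(g): the least i >= 1 with g^i = 1 (mod p), for 1 <= g < p, p prime."""
    x, i = g % p, 1
    while x != 1:
        x = (x * g) % p
        i += 1
    return i

def generated_by(g: int, p: int) -> set:
    """The set {g^x mod p}: exactly the h for which log_g h (mod p-1) exists."""
    sub, x = set(), 1
    while x not in sub:
        sub.add(x)
        x = (x * g) % p
    return sub

def prob_a_bruteforce(p: int) -> Fraction:
    """Prob[A] for g, h drawn uniformly with replacement from S = {1, ..., p-1}.

    Counts the pairs (g, h) with h in <g>; each pair has probability 1/(p-1)^2.
    """
    pairs = sum(len(generated_by(g, p)) for g in range(1, p))
    return Fraction(pairs, (p - 1) ** 2)

def prob_a_total_probability(p: int) -> Fraction:
    """Prob[A] = sum_i Prob[A | E_i] Prob[E_i] over the four order classes of g.

    Prob[E_i] is obtained by counting the elements of each order in S;
    Prob[A | E_i] is the fraction of S lying in the subgroup generated by g.
    """
    q = (p - 1) // 2
    # Prob[A | E_i] for ord_p(g) = 2q, q, 2, 1 respectively (cases i-iv in the text).
    cond = {2 * q: Fraction(1), q: Fraction(1, 2), 2: Fraction(1, q), 1: Fraction(1, 2 * q)}
    counts = {}
    for g in range(1, p):
        d = mult_order(g, p)
        counts[d] = counts.get(d, 0) + 1
    assert set(counts) == set(cond), "p must be a safe prime with q an odd prime"
    return sum(cond[d] * Fraction(counts[d], p - 1) for d in cond)

def prob_a_closed_form(p: int) -> Fraction:
    """3(q^2 - q + 1) / (4 q^2), the value the total-probability sum simplifies to."""
    q = (p - 1) // 2
    return Fraction(3 * (q * q - q + 1), 4 * q * q)
```

For $p = 23$ all three functions return $333/484$, and for $p = 47$ they return $1521/2116$; both are just under $3/4$. The practical reading for discrete-logarithm-based protocols is that a $g$ picked uniformly from $S$ generates a random $h$ only about three quarters of the time, which is why protocol parameters fix a $g$ of known order (usually order $q$) instead of picking $g \in_U S$.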

3.5 Random Variables and their Probability Distributions

In cryptography, we mainly consider functions defined on discrete spaces (such as an interval of integers used as a cryptographic key-space, or a finite algebraic structure such as a finite group or field). Let discrete space $S$ have a finite or countable number of isolated points $x_1, x_2, \ldots, x_n, \ldots, x_{\#S}$. We consider the general case that $S$ may contain a countable number of points, and in that case, $\#S = \infty$. This will allow us to conduct computational complexity analysis of our algorithms and protocols in an asymptotic manner (see 4.6).

Definition 3.5: Discrete Random Variables and their Distribution Function

1. A (discrete) random variable is a numerical result of an experiment. It is a function defined on a (discrete) sample space.

2. Let $S$ be a (discrete) probability space and $\xi$ be a random variable on it. A (discrete) distribution function of $\xi$ is a function on $S$ given by a list of probability values $p_i = \mathrm{Prob}[\xi = x_i]$, $i = 1, 2, \ldots, \#S$, such that the following conditions are satisfied:

i. $p_i \ge 0$;

ii. $\sum_{i} p_i = 1$.

Now let us look at two discrete probability distributions which are frequently used in cryptography. From now on we shall always drop the word "discrete" from "discrete probability space," "discrete probability distribution," etc. All situations in our considerations will always be discrete.

3.5.1 Uniform Distribution

The most frequently used random variables in cryptography follow the uniform distribution:

Example 3.7.

Let $S$ be the set of non-negative numbers up to $k$ bits (binary digits). Sample a point in $S$ at random by following the uniform distribution. Show that the probability that the sampled point is a $k$-bit number is $1/2$.

$S = \{0, 1, 2, \ldots, 2^k - 1\}$ can be partitioned into two disjoint subsets $S_1 = \{0, 1, 2, \ldots, 2^{k-1} - 1\}$ and $S_2 = \{2^{k-1}, 2^{k-1} + 1, \ldots, 2^k - 1\}$, where $S_2$ contains all $k$-bit numbers and $\#S_2 = 2^{k-1}$. Applying "Addition Rule 2," we have

$$\mathrm{Prob}[S_2] = \sum_{x \in S_2} \frac{1}{2^k} = \frac{2^{k-1}}{2^k} = \frac{1}{2}.$$

In this example, the instruction "sample (a point) $p$ in (a set) $S$ at random by following the uniform distribution" is quite long while it is also a frequent instruction in cryptography. For this reason, we shall shorten this long instruction into "picking $p$ in $S$ uniformly at random," or into an even shorter notation: $p \in_U S$.
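As an added example (not the book's code), the following Python carries the partition argument of Example 3.7 one step further: for a point picked uniformly from $S = \{0, 1, \ldots, 2^k - 1\}$ it gives the exact probability that the point has exactly $j$ significant bits for every $j \le k$, and checks the $k$-bit case against a CSPRNG-backed sampler. The sampler uses Python's `secrets` module; the sample count and the helper names are my own assumptions for the demonstration.

```python
from fractions import Fraction
import secrets

# Added example, not the book's code.  Models "pick p in S uniformly at random"
# for S = {0, 1, ..., 2^k - 1} and works out the probability that the sample
# has exactly j significant bits, generalising the k-bit case of Example 3.7.

def prob_bit_length(k: int, j: int) -> Fraction:
    """Exact Prob[sampled point has bit length j] for p uniform in {0, ..., 2^k - 1}.

    Bit length 0 is the single point 0; bit length j >= 1 is the block
    {2^(j-1), ..., 2^j - 1}, which has 2^(j-1) points.  Each point carries
    probability 1/2^k, so by Addition Rule 2 the block's probability is the
    number of its points divided by 2^k.
    """
    if not 0 <= j <= k:
        return Fraction(0)
    points = 1 if j == 0 else 2 ** (j - 1)
    return Fraction(points, 2 ** k)

def prob_at_most_bits(k: int, j: int) -> Fraction:
    """Prob[bit length <= j]: the disjoint blocks 0..j added up (Addition Rule 2)."""
    return sum((prob_bit_length(k, i) for i in range(j + 1)), Fraction(0))

def sample_uniform(k: int) -> int:
    """p in_U S via a CSPRNG: secrets.randbelow is uniform on {0, ..., 2^k - 1}."""
    return secrets.randbelow(2 ** k)

def observed_bit_length_frequencies(k: int, samples: int) -> dict:
    """Empirical frequency of each bit length over `samples` draws (a constructed run)."""
    counts = {}
    for _ in range(samples):
        length = sample_uniform(k).bit_length()
        counts[length] = counts.get(length, 0) + 1
    return {length: Fraction(c, samples) for length, c in counts.items()}
```

For $k = 256$, `prob_bit_length(256, 256)` is $1/2$, as in Example 3.7, and `prob_at_most_bits(256, 248)` is $2^{-8}$: about one in 256 uniformly chosen "256-bit" values has at least eight leading zero bits. Key-generation code that needs an exact bit length therefore sets the top bit explicitly instead of assuming the sample has it.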
3.5.2 Binomial Distribution

Suppose an experiment has two results, titled "success" and "failure" (e.g., tossing a coin results in HEADS or TAILS). Repeated independent such experiments are called Bernoulli trials if there are only two possible points for each experiment and their probabilities remain the same throughout the experiments. Suppose that in any one trial $\mathrm{Prob}[\text{``success''}] = p$; then

Equation 3.5.1

$$\mathrm{Prob}[n \text{ trials result in } k \text{ ``successes''}] = \binom{n}{k} p^k (1 - p)^{n-k},$$

where $\binom{n}{k}$ is the number of ways for "picking $k$ out of $n$."

Here is why (3.5.1) holds. First, the event "$n$ trials result in $k$ 'successes' and $n - k$ 'failures'" can happen in the number of ways for "picking $k$ out of $n$," that is, the event has $\binom{n}{k}$ points. Secondly, since each point consists of $k$ "successes" and $n - k$ "failures," we have the probability $p^k (1 - p)^{n-k}$ for this point.

If random variable $\xi_n$ takes values $0, 1, \ldots, n$, and, for some value $p$ with $0 < p < 1$,

$$\mathrm{Prob}[\xi_n = k] = \binom{n}{k} p^k (1 - p)^{n-k},$$

then we say that $\xi_n$ follows the binomial distribution. Comparing with (3.5.1), we know that a Bernoulli trial follows the binomial distribution. We denote by $b(k; n, p)$ a binomial term where $k = 0, 1, \ldots, n$ and $0 < p < 1$.

Example 3.8.

Let a fair coin be tossed 10 times.

i. What is the probability for all possible numbers of "HEADS appearance" (i.e., HEADS appears 0, or 1, or, …, or 10 times)?

ii. What is the probability for "HEADS appears 5 times?"

iii. What is that for "HEADS appears less than or equal to 5 times?"

For (i), since this event always occurs, it should have probability 1. Indeed, applying "Addition Rule 2," we have

$$\sum_{k=0}^{10} b(k; 10, 1/2) = \frac{1}{2^{10}} \sum_{k=0}^{10} \binom{10}{k} = \frac{1024}{1024} = 1.$$

For (ii), we have

$$b(5; 10, 1/2) = \binom{10}{5} \frac{1}{2^{10}} = \frac{252}{1024} \approx 0.246.$$

For (iii), we must sum the probabilities for all cases of 5 or less "HEADS appearances:"

$$\sum_{k=0}^{5} b(k; 10, 1/2) = \frac{1 + 10 + 45 + 120 + 210 + 252}{1024} = \frac{638}{1024} \approx 0.623.$$

Fig 3.1 plots the binomial distribution for $p = 0.5$ and $n = 10$, i.e., that used in Example 3.8.

Figure 3.1. Binomial Distribution

The reader should pay particular attention to the difference between Example 3.8.(ii) and Example 3.8.(iii). The former is the area of the central rectangle in Fig 3.1 while the latter is the sum of the left six of them.

In applications of binomial distributions (e.g., in 4.4.1, 4.4.5.1 and 18.5.1), the probability of having exactly $r$ "successes" (as in Example 3.8.(ii), a single term) is less interesting than the probability of $r$ or less (or more) "successes" (as in Example 3.8.(iii), the sum of many terms). Moreover, the sum of some terms will be much more significant than that of some others. Let us now investigate "the significant sum" and "the negligible sum" in binomial distributions.

3.5.2.1 The Central Term and the Tails

Stacking consecutive binomial terms, we have

Equation 3.5.2

$$\frac{b(k; n, p)}{b(k - 1; n, p)} = \frac{(n - k + 1)p}{k(1 - p)} = 1 + \frac{(n + 1)p - k}{k(1 - p)}.$$

The second term in the right-hand side is positive when $k < (n + 1)p$ and then becomes negative after $k > (n + 1)p$. So, the ratio in (3.5.2) is greater than 1 when $k < (n + 1)p$ and is less than 1 after $k > (n + 1)p$. Consequently, $b(k; n, p)$ increases as $k$ does before $k$ reaches $(n + 1)p$ and then decreases after $k > (n + 1)p$. Therefore, the binomial term $b(k; n, p)$ reaches the maximum value at the point $k = \lfloor (n + 1)p \rfloor$. The binomial term

Equation 3.5.3

$$b(\lfloor (n + 1)p \rfloor; n, p)$$

is called the central term. Since the central term reaches the maximum value, the point $\lfloor (n + 1)p \rfloor$ is one with "the most probable number of successes." Notice that when $(n + 1)p$ is an integer, the ratio in (3.5.2) is 1, and therefore in this case we have two central terms $b((n + 1)p - 1; n, p)$ and $b((n + 1)p; n, p)$.

Let $r > (n + 1)p$, i.e., $r$ is a point somewhere to the right of the point of "the most probable number of successes." We know that the terms $b(k; n, p)$ decrease for all $k \ge r$. We can estimate the speed of the decrease by replacing $k$ with $r$ in the right-hand side of (3.5.2) and obtain

Equation 3.5.4

In particular, we have

Notice that (3.5.4) holds for all $k = r + 1, r + 2, \ldots, n$. Therefore we have

Equation 3.5.5

Now for $r > np$, let us see an upper bound of the probability of having $r$ or more "successes," which is

Equation 3.5.6

By (3.5.5), we have

Replacing $s$ back with its expression, we have

Now we notice that there are only $r - (n + 1)p$ binomial terms between the central term and $b(r; n, p)$, each greater than $b(r; n, p)$, and their sum is still less than 1. Therefore it turns out that $b(r; n, p) < (r - (n + 1)p)^{-1}$. We therefore finally reach

Equation 3.5.7

The bound in (3.5.7) is called a right tail of the binomial distribution function. We can see that if $r$ is slightly away from the central point $(n + 1)p$, then the denominator in the fraction of (3.5.7) is not zero and hence the whole "right tail" is bounded by a quantity which is at the magnitude of $(np)^{-1}$. Hence, a right tail is a small quantity and diminishes to 0 when $n$ gets large.

We can analogously derive the bound for a left tail:

Equation 3.5.8

The derivation is left for the reader as an exercise (Exercise 3.7).

At first sight of (3.5.7) and (3.5.8) it seems that the two tails are bounded by quantities which are at the magnitude of $(np)^{-1}$. We should however notice that the estimates derived in (3.5.7) and (3.5.8) are only two upper bounds. The real speed at which a tail diminishes to 0 is much faster than $(np)^{-1}$ does. The following numerical example reveals this fact (also see the soundness and completeness properties of Prot 18.4 in 18.5.1.1).

Example 3.9.

Let $p = 0.5$. For various cases of $n$, let us compute left tails of binomial distribution functions bounded to the point $r = n(p - 0.01)$.

i. For $n = 1{,}000$, the corresponding left tail is:

ii. For $n = 10{,}000$, the corresponding left tail becomes:

iii. If $n$ is increased to $100{,}000$, then the corresponding tail is trivialized to:

Comparing these results, it is evident that a tail diminishes to 0 much faster than $(np)^{-1}$ does.

Since $p = 0.5$, the distribution density function is symmetric (see Fig 3.1). For a symmetric distribution, a right tail equals a left one if they have the equal number of terms. Thus, for case (iii), the sum of the two tails of 98,000 terms (i.e., 98% of the total terms) is practically 0, while the sum of the terms around the most probable number of successes (i.e., 2% of the total terms around the center; there are 2,001 such terms) is practically 1.
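The following Python is an added example, not the book's code: it computes binomial terms and tails exactly in integer arithmetic (every term shares the denominator $b^n$ when $p = a/b$), so it reproduces the three figures of Example 3.8 and evaluates the three left tails of Example 3.9 without floating-point underflow. The per-round probability $p$ and the cut-off $r = n(p - 0.01)$ are those of the text; the helper names are my own.

```python
from fractions import Fraction
from math import comb

# Added example, not the book's code: exact binomial terms b(k; n, p) and tails.
# Everything is integer arithmetic over the common denominator b^n (p = a/b),
# so the tails of Example 3.9 come out exact instead of underflowing to 0.0.

def binomial_term(k: int, n: int, p) -> Fraction:
    """b(k; n, p) = C(n, k) p^k (1 - p)^(n - k), exact (equation 3.5.1)."""
    p = Fraction(p)
    if not 0 < p < 1:
        raise ValueError("0 < p < 1 required")
    if not 0 <= k <= n:
        return Fraction(0)
    return comb(n, k) * p ** k * (1 - p) ** (n - k)

def left_tail(r: int, n: int, p) -> Fraction:
    """Prob[xi_n <= r] = sum_{k=0}^{r} b(k; n, p).

    Terms are generated from b(k+1)/b(k) = (n-k) p / ((k+1)(1-p)), the
    consecutive-term ratio of (3.5.2) shifted by one; with p = a/b every
    numerator is an integer over the fixed denominator b^n, so the floor
    division below is exact.
    """
    p = Fraction(p)
    if not 0 < p < 1:
        raise ValueError("0 < p < 1 required")
    a, b = p.numerator, p.denominator
    c = b - a                      # numerator of 1 - p
    term = c ** n                  # numerator of b(0; n, p)
    total = 0
    for k in range(min(r, n) + 1):
        total += term
        term = term * (n - k) * a // ((k + 1) * c)
    return Fraction(total, b ** n)

def right_tail(r: int, n: int, p) -> Fraction:
    """Prob[xi_n >= r] = 1 - Prob[xi_n <= r - 1]."""
    return 1 - left_tail(r - 1, n, p)

def central_term_index(n: int, p) -> int:
    """floor((n + 1) p): the most probable number of successes (equation 3.5.3)."""
    return int((n + 1) * Fraction(p))

def example_3_8():
    """(i) total mass, (ii) b(5; 10, 1/2), (iii) Prob[at most 5 HEADS]."""
    n, p = 10, Fraction(1, 2)
    return (left_tail(n, n, p), binomial_term(5, n, p), left_tail(5, n, p))

def example_3_9(p=Fraction(1, 2), ns=(1_000, 10_000, 100_000)) -> dict:
    """Left tails up to r = n(p - 0.01) for the three values of n in the text."""
    return {n: left_tail(int(n * (p - Fraction(1, 100))), n, p) for n in ns}
```

`example_3_8()` returns $1$, $252/1024$ and $638/1024$. `example_3_9()` returns the three tails as exact fractions; converting them with `float()` shows the drop from a few tenths at $n = 1{,}000$ to a few hundredths at $n = 10{,}000$ and to roughly $10^{-10}$ at $n = 100{,}000$, far below the $(np)^{-1}$ bound. The same `right_tail` call is what one uses to bound the soundness error of a protocol that is repeated $n$ times.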
3.5.3 The Law of Large Numbers
Recall Definition 3.2: it states that if in n identical trials E occurs stably a certain number of times and if n is sufficiently large, then the ratio of that number to n is the probability of E.
Consider that in Bernoulli trials with probability p for "success," the random variable indexed by n is the number of "successes" in n trials. Dividing it by n gives the average number of "successes" in n trials. By Definition 3.2, this average should be close to p.
Now we consider, for example, the probability that this average exceeds p by more than a fixed positive margin (the margin may be arbitrarily small, but it is fixed). Clearly, this probability is
By (3.5.7), we have
Equation 3.5.9
Thus,
Equation 3.5.10

Analogously we can also see
Therefore we have (the law of large numbers):
This form of the law of large numbers is also called Bernoulli's theorem. It is now clear that Definition 3.2 can be derived as a corollary of the law of large numbers. However, we have provided it in the form of a definition because we consider that it is itself sufficiently intuitive.
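The tail figures quoted for case (iii) and the law of large numbers can be checked numerically. The following is an added example, not code from the book; it evaluates the binomial mass of the 2,001 central terms and the 98,000 tail terms for n = 100,000, p = 0.5 exactly (up to floating-point rounding), and sets the exact tail mass beside Chebyshev's inequality, the standard bound behind the law of large numbers, which the page's own equations (3.5.9) and (3.5.10) are not shown in.

```python
"""Binomial tails versus the Chebyshev bound for n = 100,000 Bernoulli trials, p = 0.5.

Added example (not from the book).  The 2,001 central terms k in [49,000, 51,000]
carry essentially all of the probability mass; the 98,000 tail terms carry almost none.
"""
import math


def log_binom_pmf(n, k, p):
    """log of C(n, k) p^k (1 - p)^(n - k); lgamma keeps the huge binomials in float range."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def binom_mass(n, p, lo, hi):
    """Probability that the number of successes lies in [lo, hi] (inclusive)."""
    if lo > hi:
        return 0.0
    return sum(math.exp(log_binom_pmf(n, k, p)) for k in range(lo, hi + 1))


def chebyshev_bound(n, p, eps):
    """Chebyshev: P(|successes/n - p| >= eps) <= p(1 - p) / (n eps^2)."""
    return p * (1.0 - p) / (n * eps * eps)


def lln_demo(n=100_000, p=0.5, half_width=1000):
    """Return (central mass, tail mass, Chebyshev bound) for the band np +/- half_width.

    The tails are the terms with |k - np| >= half_width + 1, so the matching
    Chebyshev margin is eps = (half_width + 1) / n.
    """
    centre = int(n * p)
    central = binom_mass(n, p, centre - half_width, centre + half_width)
    tails = (binom_mass(n, p, 0, centre - half_width - 1)
             + binom_mass(n, p, centre + half_width + 1, n))
    bound = chebyshev_bound(n, p, (half_width + 1) / n)
    return central, tails, bound


if __name__ == "__main__":
    central, tails, bound = lln_demo()
    print(f"central 2,001 terms: {central:.12f}")
    print(f"98,000 tail terms:   {tails:.3e}  (Chebyshev bound {bound:.4f})")
```

The Chebyshev bound is loose (about 0.025 here) but already tends to 0 as n grows, which is all the law of large numbers needs; the exact tail mass is smaller by many orders of magnitude.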

3.6 Birthday Paradox
For any function f : X → Y where Y is a set of n elements, let us solve the following problem:
For a probability bound strictly between 0 and 1, find a value k such that for k pairwise distinct values x_1, x_2, …, x_k ∈_U X, the k evaluations f(x_1), f(x_2), …, f(x_k) satisfy the collision bound; that is, in k evaluations of the function, a collision has occurred with probability no less than the given bound.
This problem asks for a value k that satisfies the given probability bound from below for any function. We only need to consider functions which have a so-called random property: such a function maps uniform input values in X to uniform output values in Y. Clearly, only a function with such a random property requires the largest value of k for the given probability bound, and that k then also satisfies every other function for the same probability bound. Consequently, it is necessary that #X > #Y; otherwise it is possible that for some functions there will be no collision occurring at all.
Thus, we can assume that the function evaluation in our problem has n distinct and equally probable points. We can model such a function evaluation as drawing a ball from a bag of n differently colored balls, recording the color and then replacing the ball. Then the problem is to find the value k such that at least one matching color is met with the given probability.
There is no color restriction on the first ball. Let y_i be the color for the i-th instance of ball drawing. The second ball should not have the same color as the first one, and so the probability for y_2 ≠ y_1 is 1 − 1/n; the probability for y_3 ≠ y_1 and y_3 ≠ y_2 is 1 − 2/n, and so on. Upon drawing the k-th ball, the probability for no collision so far is
For sufficiently large n and relatively small x, we know
or

So
The equation on the far right-hand side is due to Gauss summation on the exponent value. This is the probability for drawing k balls without collision. Therefore the probability for at least one collision should be
Equating this value to the bound, we have
or
that is,
Equation 3.6.1
Thus, for a random function mapping onto Y, we only need to perform this amount of evaluations in order to meet a collision with the given probability. From (3.6.1) we can see that even if the bound is a significant value (i.e., very close to 1), the value of the logarithm will remain trivially small, and hence in general k is proportional to √n.
If we consider the bound to be 1/2, then
Equation 3.6.2

The square-root relationship between k and n shown in (3.6.1) and in (3.6.2) suggests that for a random function with the cardinality of the output space being n, we need only to make roughly √n evaluations of the function to find a collision with a non-negligible probability.
This fact has a profound impact on the design of cryptosystems and cryptographic protocols. For example, for a piece of data (e.g., a cryptographic key or a message) hidden as a pre-image of a cryptographic function (which is typically a random function), if the square root of the number of possible values of this data is not a sufficiently large quantity, then the data may be discovered by random evaluation of the function. Such an attack is often called a square-root attack or birthday attack. The latter name is due to the following seemingly "paradoxical phenomenon:" taking n = 365 in (3.6.2), we find k ≈ 22.49; that is, in order for two people in a room of random people to have the same birthday with more than 50% chance, we only need 23 people in the room. This seems a little counter-intuitive at first glance.
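The square-root estimate and the exact "no matching colour" product can be compared directly. The following is an added example, not code from the book: it uses the standard closed form k ≈ √(2n ln(1/(1 − ε))), which is what the e^{−x} ≈ 1 − x and Gauss-summation steps above produce, reproduces k ≈ 22.49 and the 23-person figure for n = 365, and shows what the bound means for a designer choosing a digest length (a b-bit random function offers only about b/2 bits of collision resistance).

```python
"""Birthday bound: exact collision probability versus the square-root estimate.

Added example, not code from the book.  Parameters n (size of the output space)
and eps (the probability bound, 0 < eps < 1) follow the text's notation.
"""
import math


def no_collision_probability(n, k):
    """Exact P(no collision) for k uniform draws from n values: prod_{i<k} (1 - i/n)."""
    p_no = 1.0
    for i in range(k):
        p_no *= 1.0 - i / n
    return p_no


def collision_probability(n, k):
    """Exact probability that k uniform draws from n values contain a collision."""
    return 1.0 - no_collision_probability(n, k)


def birthday_estimate(n, eps):
    """Square-root estimate of k reaching collision probability eps: sqrt(2 n ln(1/(1-eps)))."""
    if not 0.0 < eps < 1.0:
        raise ValueError("the probability bound must lie strictly between 0 and 1")
    return math.sqrt(2.0 * n * math.log(1.0 / (1.0 - eps)))


def smallest_k(n, eps):
    """Smallest k whose exact collision probability reaches eps (incremental product)."""
    k, p_no = 1, 1.0
    while 1.0 - p_no < eps:
        p_no *= 1.0 - k / n
        k += 1
    return k


def birthday_work_bits(digest_bits, eps=0.5):
    """log2 of the evaluations needed for a collision in a digest_bits-bit random function.

    Computed in the log domain so that very long digests do not overflow a float.
    For eps = 1/2 this is digest_bits/2 + 0.24: a b-bit hash has about b/2 bits of
    collision resistance, which is why 128-bit digests give only ~64-bit work factors.
    """
    return digest_bits / 2.0 + 0.5 * math.log2(2.0 * math.log(1.0 / (1.0 - eps)))


if __name__ == "__main__":
    print("estimate for n = 365, eps = 1/2:", round(birthday_estimate(365, 0.5), 2))
    print("smallest k with exact P >= 1/2:", smallest_k(365, 0.5))
    for bits in (64, 128, 256):
        print(f"{bits}-bit digest: ~2^{birthday_work_bits(bits):.2f} evaluations")
```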
3.6.1 Application of Birthday Paradox: Pollard's Kangaroo Algorithm for Index Computation
Let p be a prime number. Under certain conditions (which will become apparent in Chapter 5) the modulo exponentiation function f(x) = g^x (mod p) is essentially a random function. That is, for x = 1, 2, …, p − 1, the value f(x) jumps wildly in the range interval [1, p − 1]. This function has wide applications in cryptography because it has a one-way property: computing y = f(x) is very easy (using Alg 4.3) while inverting the function, i.e., extracting x = f^{−1}(y), is extremely difficult for almost all y ∈ [1, p − 1].
Sometimes for y = f(x) we know x ∈ [a, b] for some a and b. Clearly, evaluations of f(a), f(a + 1), …, can reveal x before exhausting b − a steps. If b − a is too large, then this exhaustive search method cannot be practical. However, if √(b − a) is a tractable value (for example, b − a ≈ 2^100 and so √(b − a) ≈ 2^50, a just barely manageable quantity), then the birthday paradox can play a role in inverting f(x) in √(b − a) steps. Pollard discovered such a method [238]; he names the algorithm the λ-method and the kangaroo method for index computation. The meanings of these names will become clear in a moment.
Pollard describes his algorithm using two kangaroos. One is a tame kangaroo T and the other is a wild one W. The task of extracting the unknown index value x from y = g^x (mod p) is modeled by catching W using T. This is done by letting the two kangaroos jump around in the following way. Let S be an integer set of J elements (J = log_2(b − a), hence small):
Each jump made by a kangaroo uses a distance which is randomly picked from S. Each kangaroo carries a mileageometer to accumulate the distance it has travelled.
T starts its journey from the known point t_0 = g^b (mod p). The known point is b, which can be considered as the home base since T is tame. Its path is
Equation 3.6.3

Let T jump n steps and then stop. We will decide how large n should be in a moment. After the n-th jump, the mileageometer carried by T records the distance so far as
Using the distance recorded on T's mileageometer, we can re-express (3.6.3) into
W starts its journey from an unknown point hidden in w_0 = g^x (mod p). The unknown point is x, and that is why this kangaroo is a wild one. Its path is
Equation 3.6.4
The mileageometer carried by W also records the distance so far:
Similar to the expression for T's footprints, using the distance recorded on W's mileageometer we can also re-express (3.6.4) into
It is clear that the footprints of the two kangaroos, t(i) and w(j), are two random functions. The former ranges over a set of i points and the latter, j points. Due to the birthday paradox, within roughly

jumps made by T and by W, respectively, a collision between a footprint of T and a footprint of W should occur at some pair of indices not exceeding n. This is when T and W have landed on the same point. One may imagine this as W landing on a trap set by T. Now W is caught. The probability of a collision occurring tends to 1 quickly if the number of random jumps the two kangaroos make exceeds this bound.
When the collision occurs, observing (3.6.3) and (3.6.4), the footprints following it coincide as well, one step after another; that is, eventually w(m) = t(n) will show up for some integers m, n. One may imagine that the collision point represents the point where the two legs of the Greek letter λ meet, and after that meeting point the two kangaroos jump on the same path, which will eventually lead to the detection of w(m) = t(n) (recall that T jumps a fixed n steps). This explains the other name for the algorithm.
When the collision is detected, we have
Namely, we have extracted
Since we have kept the two mileageometers d(m − 1) and D(n − 1), we can compute x using the "miles" accumulated in them. It is possible that the two kangaroos overrun a long distance after they have landed on the same point, and so the extracted index value can be x + o for some o satisfying g^o (mod p) = 1. If this is the case, it is harmless to just consider x + o as the targeted index value.
This is a probabilistic algorithm, which means that it may fail without finding a collision (i.e., fail to output the targeted index value). Nevertheless, due to the significant collision probability we have seen in Section 3.6, the probability of failure can be controlled to be adequately small. Repeating the algorithm by offsetting W's starting point with a known offset value, the algorithm will terminate within several repetitions.
The value √(b − a) being feasibly small is the condition for the λ-algorithm to be practical. Therefore, setting n, the number of jumps made by T, to about √(b − a), the algorithm runs in time proportional to computing √(b − a) modulo exponentiations. The space requirement is trivial: there are only J = log(b − a) elements to be stored. The time constraint means that the algorithm cannot be practical for extracting a large index value. Pollard describes this limitation as kangaroos being unable to jump across continents.
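The tame/wild kangaroo procedure above, worked through on a toy group, as an added example that is not the book's code. The jump set (powers of two), the rule that picks a jump from the landing point, the tame kangaroo's step count and the retry offset are this example's own choices, since the book's set S is not on the page; the prime 2^31 − 1 and its primitive root 7 are a constructed instance. The lesson for a designer is the one the text draws: an exponent confined to an interval of length N costs only about √N exponentiations to recover, whatever the size of p, so secret exponents must be drawn from the full range.

```python
"""Pollard's kangaroo (lambda) method on a toy group: added example, not the book's code.

Recovers x from y = g^x mod p when x is known to lie in [a, b], in about sqrt(b - a)
multiplications, following the text: T (tame) starts at the known point g^b and sets
a trap after a fixed number of jumps; W (wild) starts at y and jumps by the same rule.
"""
import math


def jump_set(interval):
    """Powers of two 2^0 .. 2^(J-1), J chosen so the mean jump is about sqrt(interval)/2.

    The mean jump length is this example's choice (the book's S is not on the page).
    """
    target = math.isqrt(interval) / 2.0
    J = 1
    while (2 ** J - 1) / J < target:
        J += 1
    return [2 ** i for i in range(J)]


def kangaroo_once(g, y, p, a, b):
    """One run.  Returns x with pow(g, x, p) == y, or None if W skipped over T's trail."""
    N = b - a
    S = jump_set(N + 1)
    J = len(S)
    G = [pow(g, s, p) for s in S]          # g^s for every jump distance s in S
    n_jumps = 4 * math.isqrt(N) + 4        # T's fixed number of jumps (example's choice)

    # Tame kangaroo T: home base t_0 = g^b; mileageometer D accumulates its distance.
    t, D = pow(g, b, p), 0
    for _ in range(n_jumps):
        i = t % J                          # jump distance chosen by the landing point
        t = t * G[i] % p
        D += S[i]
    trap = t                               # t(n) = g^(b + D) mod p

    # Wild kangaroo W: starts at w_0 = y = g^x, same jump rule, mileageometer d.
    # Once d exceeds (b - a) + D, W has passed the trap without landing on it.
    w, d = y, 0
    while d <= N + D:
        if w == trap:                      # w(m) = t(n)  =>  x + d = b + D
            return b + D - d
        i = w % J
        w = w * G[i] % p
        d += S[i]
    return None


def kangaroo(g, y, p, a, b, max_runs=20):
    """Repeat with W's start offset by a known delta until a run succeeds (the text's remedy)."""
    for run in range(max_runs):
        delta = run * 1009                 # arbitrary known offset; 0 on the first run
        y_shift = y * pow(g, delta, p) % p # g^(x + delta): look for x + delta in [a+delta, b+delta]
        x_shift = kangaroo_once(g, y_shift, p, a + delta, b + delta)
        if x_shift is not None:
            return x_shift - delta
    return None


if __name__ == "__main__":
    # Constructed toy instance: p = 2^31 - 1 is prime and 7 is a primitive root of it.
    p, g = 2 ** 31 - 1, 7
    a = 2 ** 23
    b = a + 2 ** 20 - 1                    # interval of length 2^20: ~2^10 work, not 2^20
    x = a + 123457                         # the secret exponent, constructed for the demo
    y = pow(g, x, p)
    print("recovered x =", kangaroo(g, y, p, a, b), "expected", x)
```

Because the order of 7 modulo 2^31 − 1 far exceeds every exponent involved, the run returns x itself rather than some x + o with g^o ≡ 1, the case the text notes is harmless anyway.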

3.7 Information Theory
Shannon's definition for entropy [262, 263] of a message source is a measure of the amount of information the source has. The measure is in the form of a function of the probability distribution over the set of all possible messages the source may output.
Let L = {a_1, a_2, …, a_n} be a language of n different symbols. Suppose a source S may output these symbols with independent probabilities
respectively, and these probabilities satisfy
Equation 3.7.1
The entropy of the source S is
Equation 3.7.2
The entropy function H(S) defined in (3.7.2) captures a quantity which we can name "number of bits per source output."
Let us explain the entropy function by assigning ourselves a simple job: considering that the source S is memoryless, we must record the output from S. A straightforward way to do the job is to record whatever S outputs. However, from (3.7.1) we know that each output from S will be one of the n symbols a_1, a_2, …, a_n which are already known to us. It can be quite uninteresting and inefficient to record known things. Thus, the question for us is, how can we efficiently record something interesting in the output from S?
Let S output these symbols in a k consecutive sequence, i.e., S outputs a word of k symbols
Let L_k denote the minimum expected number of bits we have to use in order to record a k-

symbol word output from S. We have the following theorem for measuring the quantity L_k.
Theorem 3.2 Shannon [262, 263]
Proof The following "sandwich" style relation holds for all integers k > 0:
The statement is in its limit form.
In other words, the minimum average number of bits needed for recording per output from S is H(S).
3.7.1 Properties of Entropy
The function H(S) has the minimum value 0 if S outputs some symbol, say a_1, with probability 1, since then
This case captures the fact that when we are sure that S will only and definitely output a_1, then why should we waste any bit to record it?
The function H(S) reaches the maximum value of log_2 n if S outputs each of these n symbols with equal probability 1/n, i.e., S is a random source of the uniform distribution. This is because under this situation
This case captures the following fact: since S can output any one of these n symbols with equal probability, we have to prepare log_2 n bits in order to mark any possible one of the n numbers.
To this end we can think of H(S) as the amount of uncertainty, or information, contained in each output from S.

Example 3.10.
Consider Prot 1.1 ("Coin Flipping Over Telephone"). Whether running over telephones or on connected computers, that protocol is for Alice and Bob to agree on a random bit. In the protocol, Alice picks a large random integer x, then sends f(x) to Bob under the one-way function f, and finally reveals x to Bob after his random guess. Viewed by Bob, x as a whole number should not be regarded as a piece of new information since he knows already that x is one element in N before even receiving f(x). Bob only uses an interesting part of Alice's output: the parity of x is used to compute a random bit agreed with Alice. Thus, we have
That is, Alice is a source of 1 bit per output, even though her output is a large integer.
If Alice and Bob repeat running Prot 1.1 n times, they can agree on a string of n bits: a correct guess by Bob outputs 1, while an incorrect guess outputs 0. In this usage of the protocol, both Alice and Bob are 1-bit-per-protocol-run random sources. The agreed bit string is mutually trusted by both parties as random because each party has her/his own random input and knows that the other party cannot control the output.

3.8 Redundancy in Natural Languages
Consider a source S(L) that outputs words in a natural language L. Suppose that, on average, each word in L has k characters. Since by Shannon's Theorem (Theorem 3.2) H(S(L)) is the minimum average number of bits per output from S(L) (remember that each output from S(L) is a word of k characters), the value

    r(L) = H(S(L)) / k

should be the minimum average number of bits per character in language L. The value r(L) is called the rate of language L. Let L be English. Shannon calculated that r(English) is in the range of 1.0 to 1.5 bits/letter [265].
Let Σ = {a, b, ..., z}. Then we know r(Σ) = log_2 26 ≈ 4.7 bits/letter. r(Σ) is called the absolute rate of a language with alphabet set Σ. Comparing r(English) with r(Σ), we see that the actual rate of English is considerably less than its absolute rate.
The redundancy of language L with alphabet set Σ is

    r(Σ) − r(L)   (bits per character).

Thus, taking the conservative value r(English) = 1.5, the redundancy of English is 4.7 − 1.5 = 3.2 bits per letter. In terms of percentage, the redundancy ratio is 3.2/4.7 ≈ 68%. In other words, about 68% of the letters in an English word are redundant. This means it is possible to compress an English article down to 32% of its original volume without loss of information.
Redundancy in a natural language arises from known and frequently appearing patterns in the language. For example, in English the letter q is almost always followed by u; "the," "ing" and "ed" are a few other well-known patterns. Redundancy in natural languages provides an important means for cryptanalysis, which aims at recovering plaintext messages or a cryptographic key from a ciphertext.
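The following Python example is added here and is not code from the book. It estimates the rate and redundancy of a constructed English sample from single-letter frequencies (an order-0 estimate, so it only bounds r(L) from above), and then uses the known patterns just named ("qu", "the", "ing", "ed", together with a few more that are our choice) as the scoring function of a ciphertext-only attack on a Caesar shift. The sample text, the pattern list and all function names are assumptions of this example.

```python
import math
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
ABSOLUTE_RATE = math.log2(len(ALPHABET))          # r(Sigma) = log2 26, about 4.70 bits/letter

# Frequent English patterns named in the text (q followed by u, "the", "ing", "ed") plus a
# few other common ones; the list is this example's choice, not the book's.
PATTERNS = ("qu", "the", "ing", "ed", "and", "th", "he", "in", "er")

# Constructed sample text (not from the book), chosen to contain those patterns.
SAMPLE_PLAINTEXT = ("the quick brown fox jumped over the lazy dog while the king "
                    "was singing and the queen was reading the printed notes")


def letters_only(text):
    return "".join(c for c in text.lower() if c in ALPHABET)


def empirical_rate(text):
    """Order-0 (single-letter frequency) entropy of the sample in bits per letter.
    The true r(L) also exploits longer patterns, so this only bounds r(L) from above."""
    s = letters_only(text)
    if not s:
        raise ValueError("no letters in sample")
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redundancy_bits(text):
    """r(Sigma) - r(L), estimated from the sample, in bits per letter."""
    return ABSOLUTE_RATE - empirical_rate(text)


def redundancy_ratio(text):
    return redundancy_bits(text) / ABSOLUTE_RATE


def caesar(text, shift):
    """Shift every letter by `shift` positions (a negative shift decrypts);
    non-letters pass through unchanged."""
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + shift) % 26 + base))
        else:
            out.append(c)
    return "".join(out)


def pattern_score(text):
    """Number of occurrences of the known English patterns in a candidate plaintext."""
    s = text.lower()
    return sum(s.count(p) for p in PATTERNS)


def break_caesar(ciphertext):
    """Ciphertext-only attack: try all 26 shifts and keep the one whose candidate
    plaintext shows the most known English patterns.  Single-letter entropy alone
    cannot pick the shift, because a shift merely permutes the alphabet and leaves
    the letter-frequency histogram, hence empirical_rate(), unchanged."""
    best_shift = max(range(26), key=lambda k: pattern_score(caesar(ciphertext, -k)))
    return best_shift, caesar(ciphertext, -best_shift)


if __name__ == "__main__":
    print(f"estimated rate {empirical_rate(SAMPLE_PLAINTEXT):.2f} bits/letter, "
          f"redundancy ratio {redundancy_ratio(SAMPLE_PLAINTEXT):.0%}")
    print(break_caesar(caesar(SAMPLE_PLAINTEXT, 7)))
```

The redundancy figure the first function reports is smaller than Shannon's 68% because a unigram model cannot see the multi-letter patterns that carry most of the redundancy; the attack in the second half is exactly what exploits those patterns, which is why it succeeds where the entropy estimate, being shift-invariant, says nothing.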
Example 3.11.
We have mentioned in Chapter 1 that in this book we will study many kinds of attacks on cryptographic algorithms and protocols. In a later chapter (Chapter 14) we will introduce and discuss four kinds of attacks on encryption algorithms which have rather long names. They are:
Passive plaintext indistinguishable attack
Active plaintext indistinguishable attack in the chosen-plaintext mode
Active plaintext indistinguishable attack in the non-adaptive chosen-ciphertext mode
Active plaintext indistinguishable attack in the adaptive chosen-ciphertext mode
Full meanings of these attacks will be explained in that chapter. Here we only need to point out

the following two facts about these attacks:
1. The use of long names is very appropriate because behind each of these long-named attacks there is a non-trivial amount of information to convey.
2. In Chapter 14 we will only deal with these four attacks.
Since in Chapter 14 we will only deal with these four attacks, the actual entropy of these names can be as low as 2 bits per name. However, because the numbers 0, 1, 2 and 3 and a few other single characters (e.g., the letter "a", the indices "i" and "j", the security parameter "k", etc.) will appear in Chapter 14, in order to uniquely identify these attacks we actually have to use more than two bits of information to name them.
Notice that we will not use the strings a0, a1, a2, a3 in any part of Chapter 14; we can therefore shorten the four long attack names to these four strings, respectively, without causing any ambiguity. Consequently, within Chapter 14 the entropy for naming these four attacks can reasonably be as low as 4.7 + 2 = 6.7 (bits per name). Here 4.7 bits are for representing the letter "a", and 2 bits are for representing the numbers 0, 1, 2, 3.
On the other hand, by simple counting the reader can find that the average length of the four long names is 62.75 (letters). Therefore, the average number of bits per letter in these long names is 6.7/62.75 < 0.107. From this result we can further calculate the redundancy of these long names (within the scope of Chapter 14) as

    4.7 − 0.107 ≈ 4.59 bits per letter, i.e., a redundancy ratio of about 98%.

So these long attack names are very, very redundant!
However, the area of study for cryptographic systems with provable strong security is an environment much larger than Chapter 14. Therefore the extremely shortened names a0, a1, a2, a3 used in Example 3.11 are in fact too short for naming these attacks (using such short names may cause ambiguity and discomfort in understanding). As a matter of fact, the latter three attack names listed in Example 3.11 are shortened to IND-CPA, IND-CCA and IND-CCA2, respectively. We will adopt these names in Chapter 14 too.
Finally we point out that the reason why only the latter three long names are shortened is that in the area of study the latter three attacks are discussed more frequently. For "passive (plaintext indistinguishable) attack," we are comfortable enough to use the long name since the attack is a less frequently discussed topic due to its ease of prevention.

3.9 Chapter Summary
In this chapter we have conducted a very rudimentary study of probability and information theory. However, the material is sufficient for the use in this book.
In probability, it is very important to understand and be familiar with the basic notions, the properties and the rules for the basic calculations. We should emphasize that a good understanding of the very basics, which is not a difficult task at all, will help the most. We have witnessed that useful theorems and tools, e.g., the law of total probability, the law of large numbers and the birthday paradox, can be derived solely from a few basic and intuitive properties and rules.
In the rest of this book we will frequently meet applications of conditional probability, the law of total probability, binomial distributions, and the birthday paradox (we have already seen Pollard's λ-algorithm as a good application of the birthday paradox). In these applications we will become more and more familiar with these useful tools.
We have also conducted a basic study of information theory. We now understand that the entropy of a message source is a measure of the amount of information contained in messages from the source, or of the degree of randomness (unpredictability) of these messages.

Exercises
3.1 Throw two dice one after the other. Find the probability of the following events:
i. the sum is 7, 1, and less than or equal to 12;
ii. second die < first die;
iii. at least one die is 6;
iv. given that the first die is 6, the second die is 6.
3.2 In the preceding problem, find the probability that the first die is 3 given that the sum is greater than or equal to 8.
3.3 Given that 4.5% of the population and 0.6% of females are color blind, what is the percentage of color blindness in males, who make up 49.9% of the population?
Hint: apply the law of total probability.
3.4 Suppose θ is uniformly distributed in [−π/2, π/2]. Find the probability that sin θ , and that |sin θ| .
3.5 A quarter of the numbers in a set of numbers are square numbers. Randomly picking 5 numbers from the set, find the probability that a majority of them are square numbers.
Hint: analogous to Example 3.8.(iii), sum up the majority cases, i.e., the number of squares ≥ 3.
3.6 What are the (left, right) tails of a binomial distribution function?
3.7 Derive (3.5.8), an upper bound for a "left tail" of the binomial distribution function.
3.8 Why can Definition 3.2 be viewed as a theorem which can be derived from the law of large numbers?
3.9 Let n = pq with p and q being distinct large primes of roughly equal size. We know that for any a < n with gcd(a, n) = 1, it holds that a^(p+q) ≡ a^(n+1) (mod n). Prove that n can be factored in roughly n^(1/4) steps of searching.
Hint: search for the index p+q from a^(p+q) (mod n) by applying Pollard's λ-algorithm, noticing that p+q ≈ 2√n; then factor n using p+q and pq.
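The two mechanical steps behind Exercise 3.9, recognising the index p+q from a^(p+q) mod n and turning p+q together with pq into the factors, are carried out below in an added Python example that is not from the book. It replaces Pollard's λ-algorithm with a plain linear scan of the candidate interval starting at 2·⌊√n⌋, so it costs about (p+q) − 2√n candidates instead of the n^(1/4) of the exercise; the exponent test and the quadratic-root step are those of the hint. The modulus n = 1009 · 1301 and the base a = 2 are constructed for the example.

```python
import math

# Constructed example modulus (not from the book): n = p*q with p = 1009 and q = 1301.
SAMPLE_N = 1009 * 1301


def factor_from_sum(n, s):
    """Given n = p*q and s = p + q, recover (p, q) as the roots of x^2 - s*x + n = 0.
    Returns None when s is not the sum of two factors of n (discriminant not a square)."""
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = math.isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p > 1 and p * q == n else None


def factor_by_searching_sum(n, a=2, max_steps=1_000_000):
    """Scan s = 2*isqrt(n), 2*isqrt(n)+1, ... for the index p + q; return (p, q, steps).

    Filter: a^s == a^(n+1) (mod n) holds at s = p + q, because n + 1 - (p + q) = (p-1)(q-1)
    and a^((p-1)(q-1)) == 1 (mod n) whenever gcd(a, n) = 1.  The scan starts at
    2*isqrt(n) <= 2*sqrt(n) <= p + q (AM-GM).  A candidate that passes the filter by
    accident (the order of a divides s - (p+q)) is rejected by factor_from_sum, so a
    returned pair is always a genuine factorization.  This is a linear scan, not the
    Pollard lambda search the exercise asks for."""
    if math.gcd(a, n) != 1:
        raise ValueError("need gcd(a, n) = 1")
    target = pow(a, n + 1, n)
    s = 2 * math.isqrt(n)
    a_pow_s = pow(a, s, n)
    for steps in range(1, max_steps + 1):
        if a_pow_s == target:
            found = factor_from_sum(n, s)
            if found:
                return found[0], found[1], steps
        s += 1
        a_pow_s = a_pow_s * a % n     # a^(s+1) from a^s: one modular multiplication per step
    raise ValueError("no factorization found within max_steps")


if __name__ == "__main__":
    p, q, steps = factor_by_searching_sum(SAMPLE_N)
    print(f"n = {SAMPLE_N} = {p} * {q}, found after {steps} candidate(s)")
```

For primes of roughly equal size the interval between 2√n and p+q is short, which is what makes the sum p+q a dangerous quantity to leak: anything that reveals a^(p+q) mod n, or p+q itself, hands over the factorization through the quadratic above.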


3.10 In Protocol "Coin Flipping Over Telephone," Alice picks a large and uniformly random integer. What is the entropy of Alice's source measured at Alice's end, and what is that measured by Bob?

3.11 In Example 3.11 we have measured the redundancy for four very long attack names to be introduced in Chapter 14 with respect to four extremely shortened names: a0, a1, a2, a3. Now, in the scope of that chapter, measure the redundancy for the following four reasonably shortened attack names:
Passive IND-Attack,
IND-CPA,
IND-CCA,
IND-CCA2.

Chapter 4. Computational Complexity
Section 4.1. Introduction
Section 4.2. Turing Machines
Section 4.3. Deterministic Polynomial Time
Section 4.4. Probabilistic Polynomial Time
Section 4.5. Non-deterministic Polynomial Time
Section 4.6. Non-Polynomial Bounds
Section 4.7. Polynomial-time Indistinguishability
Section 4.8. Theory of Computational Complexity and Modern Cryptography
Section 4.9. Chapter Summary
Exercises

4.1 Introduction
If a random variable follows the uniform distribution and is independent of any given information, then there is no way to relate the uniformly random variable to any other information by any means of "computation." This is exactly the security basis behind the only unconditionally (or information-theoretically) secure encryption scheme: the one-time pad, that is, mixing a uniformly random string (called the key string) with a message string in a bit-by-bit fashion (see §7.3.3). The need for independence between the key string and the message string requires the two strings to have the same length. Unfortunately, this poses an almost impassable limitation on the practical use of the one-time-pad encryption scheme.
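The independence argument in the paragraph above can be made concrete. The following Python example is added here and is not code from the book: it implements the bit-by-bit mixing, enforces the equal-length requirement, shows that a fixed ciphertext is explained by exactly one key for every candidate plaintext (so it carries no information about which one was sent), and shows what is lost when independence is broken by reusing the pad. The messages are constructed for the example and the function names are our own.

```python
import secrets


def xor_bytes(x, y):
    """Bit-by-bit mixing of two equal-length strings; the pad's only operation."""
    if len(x) != len(y):
        raise ValueError("one-time pad: key string must be exactly as long as the message")
    return bytes(a ^ b for a, b in zip(x, y))


def new_pad(length):
    """A fresh, uniformly random key string from the OS CSPRNG.  Each pad is used once."""
    return secrets.token_bytes(length)


def otp_encrypt(message, key):
    return xor_bytes(message, key)


def otp_decrypt(ciphertext, key):
    return xor_bytes(ciphertext, key)


def keys_explaining(ciphertext, candidate_plaintexts):
    """For one fixed ciphertext, the unique key that maps each candidate plaintext to it.
    Every candidate is explained by exactly one key, and with a uniform pad all keys are
    equally likely, so the ciphertext alone says nothing about which plaintext was sent."""
    return {m: xor_bytes(ciphertext, m) for m in candidate_plaintexts}


def two_time_pad_leak(c1, c2):
    """What an eavesdropper computes when the same pad encrypts two messages: the key
    cancels, c1 XOR c2 == m1 XOR m2, and the ciphertexts are no longer independent of the
    messages (the redundancy of natural language then finishes the job)."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    m = b"attack at dawn"
    k = new_pad(len(m))
    c = otp_encrypt(m, k)
    print(otp_decrypt(c, k) == m)
    # every one-byte plaintext is equally consistent with a one-byte ciphertext
    print(len(set(keys_explaining(b"\x5a", [bytes([i]) for i in range(256)]).values())))
```

Note that the `ValueError` is the whole practical problem the text describes: the key must be as long as everything it will ever protect, and must never be extended by reuse.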
Nevertheless (and somewhat ironically), we are still in a "fortunate" position. At the time of writing, the computational devices and methods which are widely available to us (hence to code breakers) are based on a notion of computation which is not very powerful. To date we have not been very successful in relating, via computation, two pieces of information if one of them merely "looks random" while in fact they are completely dependent on one another (for example, plaintext and ciphertext messages in many cryptosystems). As a result, modern cryptography has its security based on a so-called complexity-theoretic model. Security of such cryptosystems is conditional on various assumptions that certain problems are intractable. Here, "intractable" means that the widely available computational methods cannot effectively handle these problems.
We should point out that our "fortunate" position may only be temporary. A new and much more powerful model of computation, quantum information processing (QIP), has emerged. Under this new model of computation, exponentially many computation steps can be parallelized by manipulating so-called "superposition" of quantum states. The consequence: many useful hard problems underlying the security bases for complexity-theoretic based cryptography will collapse, that is, will become useless. For example, using a quantum computer, factorization and multiplication of integers will take similar time if the integers processed have similar sizes, and hence, e.g., the famous public-key cryptosystem of Rivest, Shamir and Adleman (RSA) [246] (see §8.5) will be thrown off the stage. However, at the time of writing, the QIP technique is still quite distant from practical applications. The current record for factoring a composite number on a quantum computer is 15 (see e.g., [300]), which is the smallest odd, non-square composite integer.
Therefore, let us not worry too much about QIP for the time being. The rest of this chapter provides an introduction to our "less-powerful" conventional computational model and to the complexity-theoretic based approach to modern cryptography.
4.1.1 Chapter Outline
§4.2 introduces the Turing computation model. §4.3 introduces the class of deterministic polynomial time, several useful deterministic polynomial-time algorithms and expressions for complexity measurement. §4.4 and §4.5 introduce two subclasses of non-deterministic polynomial-time (NP) problems. The first subclass (§4.4) is probabilistic polynomial time, which is further broken down into four subclasses of efficiently solvable problems (§4.4.2–§4.4.5). The second subclass (§4.5) is the problems which are efficiently solvable only with an internal knowledge and which play an important role in complexity-theoretic-based modern cryptography. §4.6 introduces the notion of complexities which are not bounded by any polynomial. §4.7 instantiates the non-polynomially bounded problems to a decisional case: polynomial-time indistinguishability. Finally, §4.8 discusses the relationship between the theory of computational complexity and modern cryptography.

4.2 Turing Machines
In order to make precise the notion of an effective procedure (i.e., an algorithm), Turing proposed an imaginary computing device, called a Turing machine, to provide a primitive yet sufficiently general model of computation. The computational complexity material to be introduced here follows the computation model of Turing machines. Below we introduce a variant version of Turing machines which is sufficient for our purpose of computational complexity study. A general description of Turing machines can be studied in, e.g., §1.6 of [9].
In our variant, a Turing machine (see the picture in Fig 4.1) consists of a finite-state control unit, some number k (≥ 1) of tapes and the same number of tapeheads. The finite-state control unit controls the operations of the tapeheads, which read or write some information from or to the tapes; each tapehead does so by accessing one tape, called its tape, and by moving along its tape either to the left or to the right. Each of these tapes is partitioned into an infinite number of cells. The machine solves a problem by having a tapehead scan a string of a finite number of symbols which are placed sequentially in the leftmost cells of one tape; each symbol occupies one cell and the remaining cells to the right on that tape are blank. This string is called an input of a problem. The scanning starts from the leftmost cell of the tape that contains the input while the machine is in a designated initial state. At any time only one tapehead of the machine is accessing its tape. A step of access made by a tapehead on its tape is called a (legal) move. If the machine starts from the initial state, makes legal moves one after another, completes scanning the input string, eventually causes the satisfaction of a terminating condition and thereby terminates, then the machine is said to recognize the input. Otherwise, the machine will at some point have no legal move to make; then it will halt without recognizing the input. An input which is recognized by a Turing machine is called an instance in a recognizable language.
Figure 4.1. A Turing Machine

For a given problem, a Turing machine can be fully specified by a function of its finite-state control unit. Such a function can be given in the form of a table which lists the machine's next-step move for each state. We shall provide a problem example and a specification of a Turing machine in a moment (see Example 4.1 below).
Upon termination, the number of moves that a Turing machine M has taken to recognize an input is said to be the running time or the time complexity of M and is denoted by T_M. Clearly, T_M can be expressed as a function T_M(n), where n is the length or size of the input instance, i.e., the number of symbols that make up the input string when M is in the initial state. Obviously, T_M(n) ≥ n. In addition to the time requirement, M also has a space requirement S_M, which is the number of tape cells that the tapeheads of M have visited in writing access. The quantity S_M can also be expressed as a function S_M(n) and is said to be the space complexity of M.
We will see a concrete Turing machine in the next section.
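As an added example, and not the machine the book itself builds in Example 4.1, the following Python simulator implements the one-tape variant just described: a next-step move table indexed by (state, symbol under the head), a head that moves left or right, a count of moves (T_M for the input) and of cells touched in writing access (S_M for the input). The machine supplied to it recognizes DIV3, the non-negative integers divisible by 3, on binary input; the binary encoding, the remainder-tracking construction and the state names are this example's choices.

```python
BLANK = "_"
LEFT, RIGHT = -1, +1


def run_turing_machine(table, start_state, accepting_states, tape_input):
    """Run one machine on one input string.

    table maps (state, symbol_under_head) -> (next_state, symbol_to_write, direction).
    A missing entry means the machine has no legal move and halts.  The terminating
    condition used here is: halted on a blank cell while in an accepting state.
    Returns (recognized, moves, cells_written): moves is T_M and cells_written is S_M
    for this particular input."""
    tape = dict(enumerate(tape_input))        # cell index -> symbol; unlisted cells are blank
    state, head, moves, written = start_state, 0, 0, set()
    while (state, tape.get(head, BLANK)) in table:
        next_state, write, direction = table[(state, tape.get(head, BLANK))]
        tape[head] = write
        written.add(head)
        state, head, moves = next_state, head + direction, moves + 1
    recognized = state in accepting_states and tape.get(head, BLANK) == BLANK
    return recognized, moves, len(written)


def div3_table():
    """Next-step move table for DIV3 on binary input (this example's construction).
    State q_r remembers the remainder r of the prefix read so far; appending a bit b
    turns remainder r into (2r + b) mod 3.  The head only ever moves right and the
    symbol is written back unchanged."""
    table = {}
    for r in range(3):
        for bit in "01":
            table[(f"q{r}", bit)] = (f"q{(2 * r + int(bit)) % 3}", bit, RIGHT)
    return table


DIV3_START, DIV3_ACCEPT = "q0", {"q0"}


def div3_recognizes(x):
    """(recognized, moves, cells) for the binary string of x; recognized iff x is in DIV3."""
    return run_turing_machine(div3_table(), DIV3_START, DIV3_ACCEPT, format(x, "b"))


if __name__ == "__main__":
    for x in (0, 5, 6, 21, 1024, 3 ** 10):
        rec, moves, cells = div3_recognizes(x)
        print(f"{x:>6} = {format(x, 'b'):>16}  recognized={rec!s:5}  T_M={moves:2}  S_M={cells:2}")
```

For an input of n symbols this machine makes exactly n moves and writes n cells, so its running time is linear in the input size: the polynomial-time bound that the next section formalizes. A symbol outside {0, 1} leaves the machine with no legal move, so it halts without recognizing the input, which is the "otherwise" branch of the definition above.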

4.3 Deterministic Polynomial Time
We begin with considering the class of languages that are recognizable by deterministic Turing machines in polynomial time. A function p(n) is a polynomial in n over the integers if it is of the form

Equation 4.3.1

where k and c_i (i = 0, 1, 2, …, k) are constant integers with c_k ≠ 0. When k > 0, the former is called the degree, denoted by deg(p(n)), and the latter, the coefficients, of the polynomial p(n).

Definition 4.1: Class 𝒫 We write 𝒫 to denote the class of languages with the following characteristics. A language L is in 𝒫 if there exists a Turing machine M and a polynomial p(n) such that M recognizes any instance I ∈ L in time T_M(n) with T_M(n) ≤ p(n) for all non-negative integers n, where n is an integer parameter representing the size of the instance I. We say that L is recognizable in polynomial time.

Roughly speaking, languages which are recognizable in polynomial time are considered as always "easy." In other words, polynomial-time Turing machines are considered as always "efficient" (we will define the notion of "easy" or "efficient" in §4.4.6). Here let us explain the meaning for always. Turing machines which recognize languages in 𝒫 are all deterministic. A deterministic Turing machine outputs an effect which is entirely determined by the input to, and the initial state of, the machine. In other words, running a deterministic Turing machine twice with the same input and the same initial state, the two output effects will be identical.

We should notice that in Definition 4.1, the universal-style restrictions "any instance I ∈ L" and "for all non-negative integers n" are very important. In the study of computational complexity, a problem is considered solved only if any instance of the problem can be solved by the same Turing machine (i.e., the same method). Only so, the method is sufficiently general and thereby can indeed be considered as a method. Let us look at the following example for an illustration.

Example 4.1. Language DIV3

Let DIV3 be the set of non-negative integers divisible by 3. Show DIV3 ∈ 𝒫.

We do so by constructing a single-tape Turing machine to recognize DIV3 in polynomial time.

We first notice that if we write the input as integers in the base-3 (i.e., ternary) representation, that is, an input is a string of symbols in {0, 1, 2}, then the recognition problem becomes trivially easy: an input x is in DIV3 if and only if the last digit of x is 0. Consequently, the machine to be constructed should simply make consecutive moves to the right until reaching a blank symbol, and then it stops with a YES answer if and only if the final non-blank symbol is 0. Clearly, this machine can recognize any instance in a number of moves which is the size of the instance. Hence DIV3 ∈ 𝒫.

However, we want to show that the fact DIV3 ∈ 𝒫 should be independent from the base representation of the input. It suffices for us to show the case when the input is written in the base-2 (i.e., binary) representation. Let this machine be named Div3. The finite-state control of Div3 follows a "next move" function specified in Fig 4.2.

Figure 4.2. The operation of machine Div3

We now argue that the machine Div3 defined by the function in Fig 4.2 is sufficiently general for recognizing all instances in DIV3.

First, we notice that for recognizing whether or not a binary string x ∈ DIV3, it is sufficient for Div3 to have three states, corresponding to the cases when it (its tapehead) completes scanning strings 3k, 3k+1 and 3k+2 (for k ≥ 0), respectively. The least input instance 0 stipulates that Div3 must be in an initial state (without loss of generality, let the initial state be q_0) upon its completion of scanning input string 0. Without loss of generality, we can assign Div3 to state q_1 upon its completion of scanning input string 1, and to state q_2 upon its completion of scanning input string 2 (= (10)_2)[a].

[a] We use (a_1 a_2 … a_n)_b, with a_i < b and i = 1, 2, …, n, to denote a number written in the base-b representation; the cases of b = 10 and b = 2 are often omitted if no confusion arises.

For any non-negative integer a in the binary representation, postfixing a with symbol 0 (respectively, symbol 1) yields value 2a (respectively, value 2a + 1). Thus, after completion of scanning a = 3k (when Div3 is in state q_0), Div3 must remain in q_0 upon further scanning symbol 0, since at that point it completes scanning 2a = 6k = 3k', and must evolve to q_1 upon further scanning symbol 1, since at that point it completes scanning 2a + 1 = 6k + 1 = 3k' + 1. Similarly, after completion of scanning a = 3k + 1 (when Div3 is in state q_1), Div3 must evolve to q_2 upon completion of scanning 2a = 6k + 2 = 3k' + 2, and must evolve to q_0 upon completion of scanning 2a + 1 = 6k + 3 = 3k'. The remaining two cases for a = 3k + 2 are: 2a = 6k + 4 = 3k' + 1 (Div3 evolves from q_2 to q_1), and 2a + 1 = 6k + 5 = 3k' + 2 (Div3 stays in q_2).

So, the three states q_0, q_1 and q_2 correspond to Div3's completion of scanning strings 3k, 3k + 1

and 3k + 2, respectively, for any k ≥ 0. Now upon the head meeting the special symbol "blank," only in state q_0 is Div3 configured to ring the bell and stop (meaning to terminate with a YES answer) and hence to recognize the input 3k; in the other two states, Div3 will have no legal move to make and therefore halts with no recognition.

Finally, it is easy to see T_Div3(n) = n. Thus, Div3 does recognize language DIV3 in polynomial time.

Example 4.2.

i. The bit string 10101 (= (21)_10) is recognizable; Div3 recognizes the string in T_Div3(|10101|) = |10101| = 5 moves;

ii. The bit string 11100001 (= (225)_10) is another recognizable instance; Div3 recognizes it in T_Div3(|11100001|) = |11100001| = 8 moves;

iii. The bit string 10 (= (2)_10) is not recognizable; Div3 decides that it is unrecognizable in two moves.
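The "next move" function of Div3 from Fig 4.2, written out as an added Python example that is not part of the book: DIV3_NEXT encodes the six transitions derived above, run_div3 counts the head moves (T_Div3(|x|) = |x|), and run_divm is our own generalization of the same construction to divisibility by any m using m states. The function names are our choices.

```python
# Added example (not from the book): the three-state "next move" function of
# machine Div3 on a binary input string, and a check of the arithmetic argument
# behind it. Names (DIV3_NEXT, run_div3, run_divm) are our own choices.

# Transition table: state q_s means "the bits scanned so far form a number
# congruent to s mod 3". Appending bit c to a value a gives 2a + c, so the
# next state is (2*s + c) mod 3; the table spells out the six cases exactly
# as the text derives them.
DIV3_NEXT = {
    (0, '0'): 0, (0, '1'): 1,   # 3k   -> 6k   (q0), 6k+1 (q1)
    (1, '0'): 2, (1, '1'): 0,   # 3k+1 -> 6k+2 (q2), 6k+3 (q0)
    (2, '0'): 1, (2, '1'): 2,   # 3k+2 -> 6k+4 (q1), 6k+5 (q2)
}


def run_div3(x: str):
    """Run Div3 on the binary string x.

    Returns (accepted, moves): accepted is True iff Div3 rings the bell,
    i.e. meets the blank while in q0; moves is the number of tape-head
    moves, which the text shows equals |x|.
    """
    if not x or set(x) - {'0', '1'}:
        raise ValueError("input must be a non-empty binary string")
    state = 0                       # q0: nothing scanned yet, value 0 = 3*0
    moves = 0
    for bit in x:                   # one move to the right per symbol
        state = DIV3_NEXT[(state, bit)]
        moves += 1
    # the head is now on the blank: only q0 is configured to stop with YES;
    # in q1 and q2 there is no legal move and the machine halts unrecognised
    return state == 0, moves


def run_divm(x: str, m: int) -> bool:
    """Generalisation (ours, not the book's): the same construction recognises
    DIVm for any m >= 2 with m states, state s meaning 'value so far is
    congruent to s mod m'; the number of moves is again |x|."""
    if m < 2:
        raise ValueError("m must be at least 2")
    state = 0
    for bit in x:
        state = (2 * state + int(bit)) % m
    return state == 0


if __name__ == "__main__":
    for s in ("10101", "11100001", "10"):        # the instances of Example 4.2
        ok, n = run_div3(s)
        print(f"{s} (= {int(s, 2)}): {'YES' if ok else 'NO'} after {n} moves")
    # cross-check the table against plain arithmetic on many constructed inputs
    for v in range(1000):
        b = format(v, 'b')
        assert run_div3(b)[0] == (v % 3 == 0)
        assert run_divm(b, 7) == (v % 7 == 0)
```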
4.3.1 Polynomial-Time Computational Problems
By definition, 𝒫 is the class of polynomial-time language recognition problems. A language recognition problem is a decisional problem. For every possible input, a decisional problem requires YES or NO as output. However, class 𝒫 is sufficiently general to enclose polynomial-time computational problems. For every possible input, a computational problem requires an output to be more general than a YES/NO answer. Since a Turing machine can write symbols to a tape, it can of course output information more general than a YES/NO answer.

For instance, we can design another Turing machine which will not only recognize any instance x ∈ DIV3, but will also output x/3 upon recognition of x. Let this new machine be named Div3-Comp. A very simple way to realize Div3-Comp is to have its input written in the base-3 representation. Then the input is an instance in DIV3 if and only if its final digit is 0, and the output from the machine, upon recognition of the input, should be the content on the input-tape after having erased the last 0 unless 0 is the only symbol on the tape. If one insists that Div3-Comp must only input and output binary numbers, then Div3-Comp can be realized as follows. It first translates an input x from the base-2 representation into the base-3 representation, and upon obtaining x/3 in the base-3 representation it translates the number back to the base-2 representation as the final output. It is evident that these translations can be done digit-by-digit mechanically in c|x| moves where c is a constant. To this end we know

where C is a constant. From this example we see evidently that the class 𝒫 must include the problem which can be solved by Div3-Comp.

A general argument for 𝒫 to enclose polynomial-time computational problems can be given as follows. A computing device in the so-called von Neumann architecture (that is, the modern

computer architecture we are familiar with, [227]) has a counter, a memory, and a central processor unit (CPU) which can perform one of the following basic instructions, called micro-instructions, at a time:

Load: Loading the content in a memory location to a register (in CPU)
Store: Storing the content of a register to a memory location
Add: Adding contents of two registers
Comp: Complementing the content of a register (for subtraction via "Add")
Jump: Setting the counter to a new value
JumpZ: "Jump" upon zero content of a register (for conditional branching)
Stop: Terminating.

It is well known (see e.g., §1.4 of [9]) that the above small set of micro-instructions is sufficient for constructing algorithms for solving arbitrary arithmetic problems on a von Neumann computer (however notice that by "arbitrary arithmetic problems" we do not mean to consider instances of arbitrary sizes; we will further discuss this in a moment). It can be shown (e.g., Theorem 1.3 in [9]) that each micro-instruction in the above set can be simulated by a Turing machine in polynomial time. Consequently, a problem that can be solved in polynomial time on a von Neumann computer (which implies that the number of micro-instructions used in the algorithm must be a polynomial in the size of the input to the algorithm) can also be solved by a Turing machine in polynomial time. This is because for any polynomials p(n) and q(n), any ways of arithmetically combining p(n), q(n), p(q(n)) and q(p(n)) will result in a polynomial in n. Notice that we have deliberately excluded multiplication and division from our (simplified) set of micro-instructions. A multiplication between numbers of size n can be done via n additions and hence its total cost should be measured by n × cost(Add). Division has the same cost as multiplication since it is repeated subtraction, which is addition of a complementary number.

We should mention an unimportant difference between the computation model based on Turing machines and that based on von Neumann computers. By Definition 4.1, we regard a problem solvable on a Turing machine only if any instance is solvable on the same machine ("one machine to solve them all!"). The cost for solving a problem on a Turing machine is measured by the size of the problem in a uniform manner across the whole spectrum of the size of the problem. There is no need to have a pre-determined bound for the size of a problem. Machine Div3 in Example 4.1 shows this evidently. Due to this property in cost measurement we say that the Turing-machine-based computation model uses the uniform cost measure to measure complexities. In contrast, registers and logical circuits which are the basic building blocks of a von Neumann computer have fixed sizes. As a result, problems solvable on a von Neumann computer must also have a pre-determined size: for the same problem, the bigger an instance is, the bigger a machine is needed for solving it. In general, machines of different sizes do not agree on a uniform measurement of the cost for solving the same problem. We therefore say that a circuit-based computation model (upon which a von Neumann computer is based) has a non-uniform cost measure. However, so far, the difference between the uniform and non-uniform cost measures has not created any new complexity class, or caused any known classes to collapse. That is why we say that this difference is not important.

In the rest of this chapter we shall often neglect the difference between a decisional problem and

a computational problem, and the difference among a Turing machine, a modern computer, a procedure, or an algorithm. Decisional or computational problems will be generally called problems, while machines, computers, procedures or algorithms will be generally referred to as methods or algorithms. Occasionally, we will return to describing a language recognition problem, and only then we will return to using Turing machines as our basic instrument of computation.
4.3.2 Algorithms and Computational Complexity Expressions
Let us now study three very useful polynomial-time algorithms. Through the study of these algorithms, we shall (i) get familiar with a programming language which we shall use to write algorithms and protocols in this book, (ii) agree on some notation and convention for expressing computational complexity for algorithms and protocols, and (iii) establish the time complexities for a number of arithmetic operations which will be most frequently used in cryptography.

Above we have explained that Turing machines provide us with a general model of computation and with a precise notion for measuring the computational complexity for procedures. However, we do not generally wish to describe algorithms in terms of such a primitive machine, not even in terms of the micro-instructions of a modern computer (i.e., the set of instructions we described in §4.3.1). In order to describe algorithms and mathematical statements effectively and clearly, we shall use a high-level programming language called "Pseudo Programming Language" which is very close to a number of popular high-level programming languages such as Pascal or C and can be understood without any difficulty due to its plainly self-explanatory feature.
4.3.2.1 Greatest Common Divisor
The first algorithm we shall study is the famous algorithm of Euclid for computing the greatest common divisor (Alg 4.1). Denoting by gcd(a, b) the greatest common divisor of integers a and b, gcd(a, b) is defined to be the largest integer that divides both a and b.

Algorithm 4.1: Euclid Algorithm for Greatest Common Divisor

INPUT Integers a > b ≥ 0;
OUTPUT gcd(a, b).

1. if b = 0 return(a);
2. return(gcd(b, a mod b)).

In Alg 4.1, "a mod b" denotes the remainder of a divided by b. (In §4.3.2.5 we will formally define the modular operation and provide some useful facts on modular arithmetic.) The condition a > b ≥ 0 is merely for the purpose of ease of exposition. In the implementation, this

condition can be satisfied by replacing a, b with their absolute values, and by invoking gcd(|b|, |a|) in case |a| < |b|.

Now let us examine how Alg 4.1 works. For positive integers a ≥ b, we can always write

Equation 4.3.2

for some integer q ≥ 0 (the quotient of a divided by b) and 0 ≤ r < b (the remainder of a divided by b). Since by definition, gcd(a, b) divides both a and b, equation (4.3.2) shows that it must also divide r. Consequently, gcd(a, b) equals gcd(b, r). Since the remainder r (of a divided by b) is denoted by a mod b, we have derived

gcd(a, b) = gcd(b, a mod b).

This is the fact we have used in Alg 4.1, namely, gcd(a, b) is defined by gcd(b, a mod b) recursively. The series of recursive calls of gcd compute the following series of equations, each of which is in the form of (4.3.2) and is formed by a division between the two input values:

Equation 4.3.3

where r_k = 0 (which causes the terminating condition in step 1 to be met) and q_1, q_2, …, q_k, r_1, r_2, …, r_{k-1} are non-zero integers. With r_k = 0, the last equation in (4.3.3) means r_{k-1} divides r_{k-2}, and in the last-but-one equation, it must also divide r_{k-3}, …, eventually, as shown in the first equation in (4.3.3), r_{k-1} must divide both a and b. None of the other remainders in the other equations has this property (that's why they are called remainders, not a divisor; only r_{k-1} is a divisor in the last equation in (4.3.3)). Therefore, r_{k-1} is indeed the greatest common divisor of a and b, i.e., r_{k-1} = gcd(a, b).

For example, gcd(108, 42) will invoke the following sequence of recursive calls:

gcd(108, 42) = gcd(42, 24) = gcd(24, 18) = gcd(18, 6) = gcd(6, 0) = 6.

4.3.2.2 Extended Euclid Algorithm
Alg 4.1 has thrown away all the intermediate quotients. If we accumulate them during the computation of gcd(a, b), we can obtain something more than just gcd(a, b).

Let us see what we can obtain.

The first equation in (4.3.3) can be written as

Multiplying both sides of this equation with q_2, we can obtain

Using this equation and the second equation in (4.3.3), we can derive

Equation 4.3.4

The same way of calculation can be carried out. In general, for i = 1, 2, …, k, we can derive

Equation 4.3.5

where λ_i, μ_i are some integers which are, as indicated in (4.3.4), a certain form of accumulation of the intermediate quotients. We have seen in §4.3.2.1 that following this way of calculation we will eventually reach r_k = 0, and then we have

Equation 4.3.6

An algorithm that inputs a, b and outputs the integers λ_{k-1}, μ_{k-1} satisfying (4.3.6) is called the extended Euclid algorithm. The extended Euclid algorithm will have extensive use in the rest of the book for computing division modulo integers. Let us now specify this algorithm, that is, find a general method for accumulating the intermediate quotients.

Observe the equations in (4.3.3) and denote r_{-1} = a, r_0 = b, λ_{-1} = 1, μ_{-1} = 0, λ_0 = 0, μ_0 = 1.

Then for i = 1, 2, …, k - 1, the ith equation in (4.3.3) relates r_{i-1}, r_i and r_{i+1} by

Equation 4.3.7

Replacing r_{i-1} and r_i in the right-hand side of (4.3.7) using equation (4.3.5), we derive

Equation 4.3.8

Comparing (4.3.8) with (4.3.5), we obtain (for i = 0, 1, …, k - 1)

Equation 4.3.9

These two equations provide us with a general method for accumulating the intermediate quotients while computing the greatest common divisor (see Alg 4.2).

Algorithm 4.2: Extended Euclid Algorithm

INPUT a, b: integers with a > b ≥ 0;
OUTPUT integers λ, μ satisfying λa + μb = gcd(a, b).

1. i ← 0; r_{-1} ← a; r_0 ← b; λ_{-1} ← 1; μ_{-1} ← 0; λ_0 ← 0; μ_0 ← 1; (* initialize *)
2. while (r_i = λ_i a + μ_i b ≠ 0) do (* it always holds λ_i a + μ_i b = r_i *)
   a. q ← r_{i-1} ÷ r_i; (* ÷ denotes division in integers *)
   b. λ_{i+1} ← λ_{i-1} - qλ_i; μ_{i+1} ← μ_{i-1} - qμ_i; (* sum up quotients *)

   c. i ← i + 1;
3. return((λ_{i-1}, μ_{i-1})).
Remark 4.1
In order to expose the working principle of Alg 4.1 and Alg 4.2 in an easily understandable way, we have chosen to sacrifice efficiency. In the next two sections (4.3.2.3-4.3.2.4) we will analyze their time complexities and contrast our result with the best known time complexity result for computing greatest common divisor.

4.3.2.3 Time Complexity of Euclid Algorithms

Let us now measure the time complexities for the two Euclid algorithms. It is clear that the number of recursive calls in Alg 4.1 is equal to the number of loops in Alg 4.2, which is in turn equal to k in (4.3.3).

Consider the case a > b and observe (4.3.7) for i = 0, 1, ..., k − 1. We have either of the following two cases:
Equation 4.3.10
or
Equation 4.3.11
Further noticing r_{i+1} < r_i, case (4.3.10) also implies case (4.3.11), that is, case (4.3.11) holds invariantly. This means that the maximum value for k is bounded by 2|a|. If we consider the modulo operation as a basic operation which takes one unit of time, then the time complexity of gcd realized in Alg 4.1 is bounded by 2|a|. This is a linear function in the size of a.

Theorem 4.1
Greatest common divisor gcd(a, b) can be computed by performing no more than 2max(|a|, |b|) modulo operations. Therefore, Alg 4.1 and Alg 4.2 terminate within 2max(|a|, |b|) loops.

G. Lamé (1795-1870) was the first person who proved the first sentence in the statements of Theorem 4.1. It is considered to be the first theorem ever proved about the theory of computational complexity (page 35 of [176]).

The series of equations in (4.3.3) which are formed by a series of divisions suggest an inherent
sequentiality characteristic in the computation of greatest common divisor. Since Euclid discovered his algorithm (i.e., Alg 4.1), no significant improvement has been found to cut short this seemingly necessary sequential process.

4.3.2.4 Two Expressions for Computational Complexity

When we measure the computational complexity for an algorithm, it is often difficult or unnecessary to pinpoint exactly the constant coefficient in an expression that bounds the complexity measure. Order notation allows us to ease the task of complexity measurement.

Definition 4.2: Order Notation We write O(f(n)) to denote a function g(n) such that there exists a constant c > 0 and a natural number N with |g(n)| ≤ c|f(n)| for all n ≥ N.

Using the notation O() we can express the time complexities of Alg 4.1 and Alg 4.2 as O(log a). Notice that in this expression we have replaced |a| with log a without explicitly giving the base of the logarithm (though we conventionally agree that the omitted base is natural base e). The reader may confirm that any base b > 1 will provide a correct measurement expression under the order notation (Exercise 4.10).

So far we have considered that computing one modulo operation costs one unit of time, that is, it has the time complexity O(1). As a matter of fact, modulo operation "a (mod b)" in the general case involves division a ÷ b, which is actually done in Alg 4.2 in order to keep the quotient. Therefore the time complexity of modulo operation, the same as that of division, should depend on the sizes of the two operands. In practical terms (for the meaning of "practical," see the end of 4.4.6), using O(1) to represent the time for a division is too coarse for a sensible resource management.

A simple modification of the order notation is to measure an arithmetic in terms of bitwise computation. In bitwise computation, all variables have the values 0 or 1, and the operations used are logical rather than arithmetic: they are ∧ (for AND), ∨ (for OR), ⊕ (for XOR, i.e., "exclusive or"), and ¬ (for NOT).

Definition 4.3: Bitwise Order Notation We write O_B() to denote O() under the bitwise computation model.

Under the bitwise model, addition and subtraction between two integers i and j take max(|i|, |j|) bitwise operations, i.e., O_B(max(|i|, |j|)) time. Intuitively, multiplication and division between i and j take |i|·|j| bitwise operations, i.e., O_B(log i · log j) time. We should point out that for multiplication (and division) a lower time complexity of O_B(log(i + j) log log(i + j)) can be obtained if the fast Fourier Transformation (FFT) method is used. However, this lower complexity is an asymptotic one which is associated with a much larger constant coefficient (related to the cost of FFT) and may actually cause a higher complexity for operands having relatively small sizes (e.g., sizes for modern cryptographic use). Therefore in this book we shall not consider the FFT implemented multiplication and division. Consequently we shall only use the intuitive complexity measurement for multiplication and division.

Let us now express the time complexities of Alg 4.1 and Alg 4.2 using the more precise bitwise order notation O_B(). In Theorem 4.1 we have obtained that for a > b, gcd(a, b) can be computed in O(log a) time. Given that both input values are bounded by a, and that modulo operation or division cost O_B((log a)^2), the time complexities of Alg 4.1 and Alg 4.2 are both O_B((log a)^3).

Now we should recall Remark 4.1: we have chosen to present these algorithms with easily understandable working principles by sacrificing the efficiency. As a matter of fact, our sacrifice on efficiency is rather large!
Careful realizations of these two algorithms should make use of the following two facts:
i. Modulo operation or division for creating a = bq + r cost O_B((log a)(log q)).
ii. Quotients q_1, q_2, ..., q_k in (4.3.3) satisfy
Equation 4.3.12
Hence the total time for computing greatest common divisor, via a careful realization, can be bounded by

Careful realizations of the counterparts for Alg 4.1 and Alg 4.2 can be found in Chapter 1 of [79].

In the rest of this book, we shall use the best known result O_B((log a)^2) for expressing the time complexity for computing greatest common divisor, either using Euclid algorithm or the extended Euclid algorithm.

4.3.2.5 Modular Arithmetic

An important polynomial-time deterministic algorithm we shall study is one for computing modular exponentiation. Modular exponentiation is widely used in public-key cryptography. Let us first take a short course on modular arithmetic (readers who are familiar with modular arithmetic can skip this section).

Definition 4.4: Modular Operation Given integers x and n > 1, the operation "x (mod n)" is the remainder of x divided by n, that is, a non-negative integer r ∈ [0, n − 1] satisfying
for some integer k.

Theorem 4.2 Properties of Modular Operation
Let x, y, n ≠ 0 be integers with gcd(y, n) = 1. The modular operation has the following
properties.
1. (x + y) (mod n) = [(x (mod n)) + (y (mod n))] (mod n);
2. (−x) (mod n) = (n − x) (mod n) = n − (x (mod n));
3. (xy) (mod n) = [(x (mod n))(y (mod n))] (mod n);
4. Denote by y^{-1} (mod n) the multiplicative inverse of y modulo n. It is a unique integer in [1, n − 1] satisfying (y·y^{-1}) (mod n) = 1.

Proof We shall only show 1 and 4 while leaving 2 and 3 as an exercise (Exercise 4.4).
We can write x = kn + r, y = ln + s for 0 ≤ r, s ≤ n − 1.
For 1, we have

For 4, because gcd(y, n) = 1, applying extended Euclid algorithm (Alg 4.2) on input y, n, we obtain integers λ and μ satisfying
Equation 4.3.13
Without loss of generality, we have λ < n because otherwise we can replace λ with λ (mod n) and replace μ with yk + μ for some k while keeping equation (4.3.13). By Definition 4.4, λy (mod n) = 1. Therefore we have found y^{-1} = λ < n as the multiplicative inverse of y modulo n. Below we show the uniqueness of y^{-1} in [1, n − 1]. Suppose there exists another multiplicative inverse of y mod n; denote it by λ' ∈ [1, n − 1], λ' ≠ λ. We have
i.e.,
Equation 4.3.14
for some integer a. We know λy = ln + 1 for some integer l. Therefore equation (4.3.14) is
or
for some integer b. This contradicts our assumption λ, λ' ∈ [1, n − 1], λ' ≠ λ.

Same as in the case of division in the rationals, division by a number modulo n is defined to be multiplication with the inverse of the divisor; of course, this requires the existence of the inverse, just as in the rational case. Thus, for any y with gcd(y, n) = 1, we write x/y mod n for xy^{-1} mod n. Since computing y^{-1} involves applying extended Euclid algorithm, it needs time O_B((log n)^2). Therefore the time complexity for division modulo n is O_B((log n)^2).

Theorem 4.2 shows that modular arithmetic is very similar to the integer arithmetic. It is easy to see that addition and multiplication obey the following laws of commutativity and associativity (where "o" denotes either addition or multiplication):

a o b mod n = b o a mod n (Commutativity)
a o (b o c) mod n = (a o b) o c mod n (Associativity)

Finally we should point out that, in the definition for the modular operation x mod n (see Definition 4.4), the value of k (the quotient of x divided by n) is not an important element. Therefore in equation
Equation 4.3.15
we should not care whether x and y may differ by a multiple of n. In the sequel, the above equation will always be written as either
or
We shall call this way of denoting equation (4.3.15) a congruence modulo n, or we say: x is congruent to y modulo n.
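As an added example that is not part of the book, the Python code below implements Alg 4.2 with the λ, μ accumulators and a loop counter, checks the loop count against the bound of Theorem 4.1, and then uses the result for the multiplicative inverse of Theorem 4.2(4) and for division modulo n as just defined; the function names and the sample values (240, 46; 16 modulo 23) are my own choices.

```python
# Added example, not the book's code: Alg 4.2 (extended Euclid) written with the
# book's (lambda, mu) accumulators, the loop count checked against Theorem 4.1,
# and the result used for the inverse of Theorem 4.2(4) and division modulo n.


def ext_euclid(a, b):
    """Return (lam, mu, g, loops) with lam*a + mu*b == g == gcd(a, b).

    Mirrors Alg 4.2: r_{-1} = a, r_0 = b, and the accumulators are updated
    with the integer quotient q each loop so that lam_i*a + mu_i*b == r_i
    always holds.  'loops' counts the while-loop iterations, i.e. the k of
    the book's equation (4.3.3).
    """
    if not (a > b >= 0):
        raise ValueError("Alg 4.2 requires integers a > b >= 0")
    lam_prev, mu_prev = 1, 0          # lambda_{-1}, mu_{-1}: a = 1*a + 0*b
    lam_cur, mu_cur = 0, 1            # lambda_0,  mu_0:      b = 0*a + 1*b
    loops = 0
    while lam_cur * a + mu_cur * b != 0:          # r_i = lam_i*a + mu_i*b
        r_prev = lam_prev * a + mu_prev * b       # r_{i-1}
        r_cur = lam_cur * a + mu_cur * b          # r_i
        q = r_prev // r_cur                       # integer division
        lam_prev, lam_cur = lam_cur, lam_prev - q * lam_cur   # lambda_{i+1}
        mu_prev, mu_cur = mu_cur, mu_prev - q * mu_cur        # mu_{i+1}
        loops += 1
    g = lam_prev * a + mu_prev * b                # r_{i-1}, the gcd
    return lam_prev, mu_prev, g, loops


def within_lame_bound(a, b):
    """Theorem 4.1: Alg 4.2 terminates within 2*max(|a|, |b|) loops,
    where |x| is the bit length of x."""
    loops = ext_euclid(a, b)[3]
    return loops <= 2 * max(a.bit_length(), b.bit_length())


def mod_inverse(y, n):
    """y^{-1} mod n as in the proof of Theorem 4.2(4).

    Alg 4.2 on (n, y mod n) gives lam*n + mu*y == 1, so mu*y == 1 (mod n);
    mu is then reduced into [1, n-1], which is the proof's "replace lambda
    with lambda (mod n)" step.  Raises ValueError when gcd(y, n) != 1.
    """
    if n <= 1:
        raise ValueError("modulus must be greater than 1")
    y0 = y % n                        # Alg 4.2 needs n > y0 >= 0
    _, mu, g, _ = ext_euclid(n, y0)
    if g != 1:
        raise ValueError(f"{y} has no inverse modulo {n}: gcd is {g}")
    return mu % n


def mod_div(x, y, n):
    """x / y mod n, defined in the text as x * y^{-1} mod n."""
    return (x * mod_inverse(y, n)) % n


def inverses_by_search(y, n):
    """Every z in [1, n-1] with y*z == 1 (mod n); by Theorem 4.2(4) this
    list has exactly one element when gcd(y, n) == 1 (small n only)."""
    return [z for z in range(1, n) if (y * z) % n == 1]


if __name__ == "__main__":
    lam, mu, g, k = ext_euclid(240, 46)
    print(f"{lam}*240 + {mu}*46 = {g} after {k} loops")   # -9*240 + 47*46 = 2 after 5 loops
    print("16^-1 mod 23 =", mod_inverse(16, 23))          # 13
    print("12 / 16 mod 23 =", mod_div(12, 16, 23))        # 18
```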
4.3.2.6 Modular Exponentiation

For x, y < n, modular exponentiation x^y (mod n) follows the usual definition of exponentiation in integers as repeated multiplications of x to itself y times, but in terms of modulo n:

Let y ÷ 2 denote y divided by 2 with truncation to integers, that is,

Then applying the "Associativity Law" of modular multiplication, we have

The above computation provides the well-known algorithm for realizing modular exponentiation called "repeated square-and-multiply." The algorithm repeats the following process: dividing the exponent into 2, performing a squaring, and performing an extra multiplication if the exponent is odd. Alg 4.3 specifies a recursive version of the method.
Algorithm 4.3: Modular Exponentiation

INPUT x, y, n: integers with x > 0, y ≥ 0, n > 1;
OUTPUT x^y (mod n).

mod_exp(x, y, n)
1. if y = 0 return(1);
2. if y (mod 2) = 0 return(mod_exp(x^2 (mod n), y ÷ 2, n));
3. return(x · mod_exp(x^2 (mod n), y ÷ 2, n) (mod n)).

We should notice a property in Alg 4.3 that results from the recursive definition: the execution of a "return" statement implies that the subsequent step(s) following the "return" statement will never be executed. This is because the statement return("value") causes the program to go back, with "value," to the point where the current call of mod_exp was made. So in Alg 4.3, if step 2 is executed, then step 3 will not be executed.

For example, starting from mod_exp(2, 21, 23), Alg 4.3 will invoke the following five recursive calls:

mod_exp(2, 21, 23)
= 2 · mod_exp(4 (2^2 (mod 23)), 10, 23) (in step 3)
= 2 · mod_exp(16 (4^2 (mod 23)), 5, 23) (in step 2)
= 2 · 16 · mod_exp(3 (16^2 (mod 23)), 2, 23) (in step 3)
= 2 · 16 · mod_exp(9 (3^2 (mod 23)), 1, 23) (in step 2)
= 2 · 16 · 9 · mod_exp(12 (9^2 (mod 23)), 0, 23) (in step 3)
= 2 · 16 · 9 · 1 (in step 1)

Notice that the above six lines contain five recursive calls of mod_exp. The final line "mod_exp(12, 0, 23)" merely represents "return value 1" and is not a recursive call. The final value returned to mod_exp(2, 21, 23) is 12, which is constructed from several multiplications made in step 3:

Let us now examine the time complexity of mod_exp realized in Alg 4.3. Since for y > 0, the
operation "dividing into 2" can be performed exactly ⌊log_2 y⌋ + 1 times to reach 0 as the quotient, a run of mod_exp(x, y, n) will invoke exactly ⌊log_2 y⌋ + 1 recursive calls of the function itself to reach the terminating condition in step 1 (zero exponent). Each recursive call consists of a squaring or a squaring plus a multiplication which costs O_B((log x)^2). Thus, considering x, y as numbers less than n, the time complexity for mod_exp realized in Alg 4.3 is bounded by O_B((log n)^3).

Similar to a seemingly unavoidable sequentiality in the computation of gcd, there is also an inherent sequentiality in the computation of mod_exp. This is seen as a simple fact in the repeated squaring: x^4 can only be computed after x^2 has been computed, and so on. Over the years, no significant progress has been made to improve the complexity from O_B((log n)^3) (without considering using FFT, review our discussion in 4.3.2.4).
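The following Python code, added here and not taken from the book, runs Alg 4.3 with a trace of its recursive calls, so that the five calls of mod_exp(2, 21, 23) shown above and the ⌊log_2 y⌋ + 1 call count from the complexity analysis can be checked against the binary length of y; the helper names are my own.

```python
# Added example, not the book's code: Alg 4.3 (recursive square-and-multiply)
# with an optional trace of its recursive calls, so that the five calls made by
# mod_exp(2, 21, 23) and the floor(log2 y) + 1 call count can be checked.


def mod_exp(x, y, n, trace=None):
    """x^y (mod n) by steps 1-3 of Alg 4.3.

    When a list is passed as 'trace', every recursive call is appended as
    (x, y, n, step), where 'step' is the step of Alg 4.3 that made the call.
    """
    if y == 0:                                   # step 1: zero exponent
        return 1
    x2 = (x * x) % n                             # x^2 (mod n): one squaring per call with y > 0
    if y % 2 == 0:                               # step 2: even exponent
        if trace is not None:
            trace.append((x2, y // 2, n, 2))
        return mod_exp(x2, y // 2, n, trace)
    if trace is not None:                        # step 3: odd exponent
        trace.append((x2, y // 2, n, 3))
    return (x * mod_exp(x2, y // 2, n, trace)) % n   # one extra multiplication


def traced_mod_exp(x, y, n):
    """Return (result, list of recursive calls) for one run of Alg 4.3."""
    trace = []
    return mod_exp(x, y, n, trace), trace


def recursive_call_count(y):
    """floor(log2 y) + 1 for y > 0: the number of recursive calls the text
    derives for mod_exp(x, y, n).  For y > 0 this equals y.bit_length()."""
    if y <= 0:
        raise ValueError("y must be positive")
    return y.bit_length()


def multiplication_counts(y):
    """(squarings, extra multiplications) Alg 4.3 performs for exponent y > 0:
    one squaring per call with y > 0 and one extra multiplication per step-3
    call, i.e. per 1 bit in the binary expansion of y."""
    if y <= 0:
        raise ValueError("y must be positive")
    return y.bit_length(), bin(y).count("1")


if __name__ == "__main__":
    result, calls = traced_mod_exp(2, 21, 23)
    for x, y, n, step in calls:
        print(f"mod_exp({x}, {y}, {n})  (in step {step})")
    print("2^21 mod 23 =", result)                               # 12
    print("calls:", len(calls), "=", recursive_call_count(21))   # 5 = 5
```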
Fig 4.3 summarizes our examination on the time complexities for the basic modular arithmetic operations. We should notice that in the case of addition and subtraction, the modulo operation should not be considered to involve division; this is because for 0 ≤ a, b < n, we have −n < a ± b < 2n, and therefore

Figure 4.3. Bitwise Time Complexities of the Basic Modular Arithmetic Operations
4.4 Probabilistic Polynomial Time

It is generally accepted that if a language is not in P then there is no Turing machine that recognizes it and is always efficient[b]. However, there is a class of languages with the following property: their membership in P has not been proven, but they can always be recognized efficiently by a kind of Turing machine which may sometimes make mistakes.

[b] The precise meaning for an "efficient machine" will be defined in 4.4.6; here we can roughly say that an efficient machine is a fast one.

The reason why such a machine may sometimes make a mistake is that in some step of its operation the machine will make a random move. While some random moves lead to a correct result, others lead to an incorrect one. Such a Turing machine is called a non-deterministic Turing machine. A subclass of decisional problems we are now introducing shares the following bounded error property:

The probability for a non-deterministic Turing machine to make a mistake when answering a decisional problem is bounded by a constant (the probability space is the machine's random tape).

We conventionally call a non-deterministic Turing machine with a bounded error a probabilistic Turing machine. For this reason, the name "non-deterministic Turing machine" is actually reserved for a different class of decisional problems which we will introduce in 4.5.

A probabilistic Turing machine also has a plural number of tapes. One of these tapes is called a random tape which contains some uniformly distributed random symbols. During the scanning of an input instance I, the machine will also interact with the random tape, pick up a random symbol and then proceed like a deterministic Turing machine. The random string is called the random input to a probabilistic Turing machine. With the involvement of the random input, the recognition of an input instance I by a probabilistic Turing machine is no longer a deterministic function of I, but is associated with a random variable, that is, a function of the machine's random input. This random variable assigns certain error probability to the event of recognizing I.

The class of languages that are recognizable by probabilistic Turing machines is called probabilistic polynomial-time (PPT) languages, which we denote by PP.

Definition 4.5: Class PP We write PP to denote the class of languages with the following characteristics. A language L is in PP if there exists a probabilistic Turing machine PM and a polynomial p(n), such that PM recognizes any instance I ∈ L with certain error probability which is a random variable of PM's random move, in time T_PM(n) with T_PM(n) ≤ p(n) for all non-negative integers n, where n is an integer parameter representing the size of the instance I.

In Definition 4.5 we have left one element to have a particularly vague meaning, which is: "PM recognizes I ∈ L with certain error probability." The "certain error probability" should be formulated into the following two expressions of conditional probability bounds:
Equation 4.4.1
and
Equation 4.4.2
where the two bounds are constants satisfying
Equation 4.4.3
The probability space is the random tape of PM.
The expression (4.4.1) is the probability bound for a correct recognition of an instance. It is called the completeness probability (bound). Here "completeness" means eventual recognition of an instance in the language. The need for bounding this probability from below is in order to limit the possibility of a mistaken rejection of an instance. A more meaningful manifestation of (4.4.1) is the following equivalent re-expression:
Equation 4.4.4
In this expression the value 1 minus the completeness bound is the probability bound for a false rejection. We say that the completeness of PM is a bounded probability for false rejection.
The expression (4.4.2) is the probability bound for a mistaken recognition of a non-instance. It is called the soundness probability (bound). Here "soundness" means no recognition of a non-instance. The need for bounding this probability from above is obvious. We say that the soundness of PM is a bounded probability for false recognition.
4.4.1 Error Probability Characterizations
We have expressed the error probability bounds for a PM with two constants, in the two intervals of (4.4.3), without any precision. Now let us explain why the imprecision will not cause any problem.
4.4.1.1 Polynomial-time Characterizations
For a probabilistic Turing machine PM with error probabilities bounded by any fixed value

(for completeness) and any fixed value (for soundness), if we repeatedly run PM n times on an input I, the repetition, denoted by PM'(I, n), is also a probabilistic Turing machine. We can use "majority election" as the criterion for PM'(I, n) to decide whether to recognize or reject I. That is, if  or more runs of PM(I) output recognition (rejection), then PM'(I, n) recognizes (rejects). It is clear that the completeness and soundness probabilities of PM'(I, n) are functions of n. We now show that PM'(I, n) remains polynomial time in the size of I.
Since the random moves of the n runs of PM(I) are independent, each run of PM(I) can be viewed as a Bernoulli trial with the completeness bound (or, for soundness, the soundness bound) as the probability of "success" and its complement as the probability of "failure." Applying the binomial distribution (see 3.5.2), the majority election criterion made by PM'(I, n) provides the error probability bound for PM'(I, n) as the sum of all probabilities for n Bernoulli trials with  or more "successes." For completeness, the sum is
Equation 4.4.5
For soundness, we have
Equation 4.4.6
These two expressions are cumulative sums of the respective binomial distributions. Because of the bounds in (4.4.3), the central term (defined in 3.5.2.1) of the first distribution is at the point  (where the binomial term reaches the maximum value) and that of the latter is at the point .
In 3.5.2.1 we have investigated the behavior of these sums. The sum in (4.4.6) is a "right tail" of the binomial distribution function, since its central term lies to the left of the summation range. Applying (3.5.7), we obtain

With this bound being a constant, we have
The reader may analogously derive the following result
for some constant c. The derivation is left as an exercise (Exercise 4.7; a hint is given there).
Since the "tails" diminish to zero faster than  does[c], we can let n = |I|, and hence the machine PM'(I, n) runs in time |I| poly(|I|), where poly(|I|) is the running time of the machine PM on the input I. Therefore, PM' remains polynomial time.
[c] Our estimates derived in (3.5.7) and (3.5.8) are only two upper bounds. The real speed at which a tail diminishes to 0 is much faster than that of the bounds. See Example 3.9 for numerical cases. This will further be confirmed by the soundness and completeness properties of Prot 18.4 in 18.5.1.1.
4.4.1.2 Why Bounded Away from ?
If the bounds are exactly at that value, then both distributions (4.4.5) and (4.4.6) have their central terms at the same point. It is easy to check that for odd n
and for even n
That is, the completeness probability (n) can never be enlarged and the soundness probability (n) can never be reduced; they will remain at the same level regardless of how many times PM(I) is repeated. So machine PM'(I, n), as n independent runs of PM(I), can reach no decision because in both the completeness and the soundness case, half of the n runs of PM(I) reach acceptance and the other half of the n runs reach rejection. With n unbounded and PM(I) remaining in the indecision state, machine PM'(I, n) will never terminate and hence cannot be a polynomial-time algorithm.

Therefore, for  being the class of languages with membership recognizable in probabilistic polynomial time, we must require both error probabilities expressed in (4.4.1) and (4.4.2) to be bounded away from that value.
However, we should notice that the requirement for the error probabilities to be bounded away from that value is only necessary for the most general case of language recognition problems in the class , which must include the subclass of "two-sided error" problems (see 4.4.5). If a problem has one-sided error (i.e., either the completeness bound is 1 or the soundness bound is 0, see 4.4.3 and 4.4.4), then being bounded away from that value is unnecessary. This is because, in the case of one-sided error algorithms, we do not have to use the majority election criterion. A "minority election criterion" can be used instead. For example, a "unanimous election criterion" can be used, with which PM'(I, n) recognizes (rejects) I only if all n runs of PM(I) reach the same decision. Under such an election criterion, the completeness probability (n) tends to 1, or the soundness probability (n) tends to 0, at an exponential speed for any constants in (0, 1).
In applications, it is possible that some useful problems have a completeness bound or a soundness bound at that value (but, as we have reasoned, not both). For such problems, changing the election criterion (e.g., to a minority election one) can provide us with room to enlarge or reduce the error probability. In 18.5.1, we will see a protocol example which has recognition probability exactly at that value, but we can still enlarge the completeness probability by repeating the protocol using a minority election criterion.
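The following is an added worked example, not part of the book, that makes the two election criteria of 4.4.1.1 and 4.4.1.2 concrete: it computes, in exact rational arithmetic, the error probability of n repeated runs decided by majority election (the cumulative binomial sums of (4.4.5) and (4.4.6)) and by unanimous election (the one-sided case). The per-run error eps, the tie-breaking rule for even n, and the function names are my own choices; eps = 1/2 is the case discussed in 4.4.1.2, where repetition buys nothing.

```python
from fractions import Fraction
from math import comb


def majority_error(eps, n):
    """Error probability of n independent runs decided by majority election.

    eps is the per-run error probability (for completeness: the false-rejection
    bound of (4.4.4); for soundness: the false-recognition bound of (4.4.2)).
    A wrong majority decision needs ceil(n/2) or more erroneous runs; for even n
    an exact tie is counted as an error, since the repeated machine reaches no
    decision in that case (assumption made here).  Fractions keep the eps = 1/2
    edge case free of floating-point noise.
    """
    eps = Fraction(eps)
    threshold = (n + 1) // 2  # ceil(n/2)
    return sum(comb(n, j) * eps ** j * (1 - eps) ** (n - j)
               for j in range(threshold, n + 1))


def unanimous_error(eps, n):
    """Error probability under the unanimous election criterion for a
    one-sided-error algorithm: the repeated machine errs only if every one of
    the n runs errs, so the bound shrinks exponentially, as eps**n."""
    return Fraction(eps) ** n


def runs_needed(eps, target, criterion=majority_error, limit=10_000):
    """Smallest n for which the chosen criterion pushes the error below target,
    or None if no n up to limit does (which is what happens at eps = 1/2
    under majority election, the point of 4.4.1.2)."""
    for n in range(1, limit + 1):
        if criterion(eps, n) < target:
            return n
    return None


if __name__ == "__main__":
    for n in (1, 3, 5, 7, 9):
        print(n, majority_error(Fraction(1, 3), n), majority_error(Fraction(1, 2), n))
    print("majority, eps=1/3, target 1/100:", runs_needed(Fraction(1, 3), Fraction(1, 100)))
    print("unanimous, eps=1/3, target 1/100:", runs_needed(Fraction(1, 3), Fraction(1, 100), unanimous_error))
    print("majority, eps=1/2:", runs_needed(Fraction(1, 2), Fraction(1, 2), limit=50))
```

Running it shows the majority error at eps = 1/3 falling slowly with n, the majority error at eps = 1/2 staying at exactly 1/2 for every odd n, and the unanimous criterion reaching the same target with far fewer repetitions.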
Several Subclasses in
The class  has several subclasses which are defined by different ways to characterize the error-probability bound expressions in (4.4.1) and in (4.4.2), using different values of the completeness and soundness bounds, respectively. Let us now introduce these subclasses. We will exemplify each subclass with an algorithm. Similar to the case where a deterministic Turing machine simulates a polynomial-time algorithm, a probabilistic Turing machine simulates a randomized (polynomial-time) algorithm. Therefore, the algorithm examples shown in our introduction will not be limited to those for language recognition.
4.4.2 Subclass "Always Fast and Always Correct"
A subclass of  is named  (which stands for Zero-sided-error Probabilistic Polynomial time) if the error probability bounds in (4.4.1) and (4.4.2) have the following characterization: for any L ∈  there exists a randomized algorithm A such that for any instance I
and

This error-probability characterization means that a random operation in a randomized algorithm makes no error at all. So, at first glance,  should have no difference from . However, there is a class of problems which can be solved by deterministic algorithms as well as by randomized algorithms, both in polynomial time; while the randomized algorithms yield no error whatsoever, they are much quicker than their deterministic counterparts. We will provide an example contrasting the time complexity in a moment.
4.4.2.1 An Example of "Zero-sided-error" Algorithms
Some randomized algorithms are so natural that we have been using them instead of their deterministic counterparts for a long history. For example, to weigh an object using a steelyard[d], the user should move the counterbalance around on the scaled arm in a randomized way, which will allow one to find the weight much quicker than doing the job in a deterministic way. One such algorithm we are all familiar with is a randomized process for looking up someone's phone number in a phone book. This algorithm is specified in Alg 4.4.
[d] The weighing instrument is called "Gancheng" in Chinese and has been used for more than two thousand years.
Algorithm 4.4: Searching Through Phone Book (a
Algorithm)
INPUT Name: a person's name;
      Book: a phone book;
OUTPUT The person's phone number.
1. Repeat the following until Book has one page
   {
   (a) Open Book at a random page;
   (b) If Name occurs before the page, Book ← Earlier_pages(Book);
   (c) Else Book ← Later_pages(Book);
   }
2. Return(Phone number beside Name);
Clearly, the random operation in Alg 4.4 will not introduce any error into the output result. Therefore this is indeed a "zero-sided-error" randomized algorithm. For a phone book of N pages, Alg 4.4 will only need to execute O(log N) steps to find the page containing the name and the number. We should notice that a deterministic algorithm for "searching through a phone book" will execute O(N) steps on average.
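As an added example (my own code, not the book's), here is Alg 4.4 run over a constructed, alphabetically sorted phone book. The random choice of page decides only how many pages get opened, never which number is returned, which is the "zero-sided error" property; a page-by-page scan is included for the O(N) contrast. The list layout, the sample names and numbers, and the function names are assumptions of this example.

```python
import random


def random_page_search(book, name, rng):
    """Alg 4.4 on a sorted list of (name, number) pages.

    Each iteration opens the current range of pages at a uniformly random page
    and keeps only the earlier or the later pages, as steps (a) to (c)
    prescribe.  Returns (number, pages_opened).  The randomness affects the
    number of pages opened, never the answer: a wrong number is impossible.
    """
    lo, hi = 0, len(book)  # current Book is the half-open page range [lo, hi)
    opened = 0
    while hi - lo > 1:  # repeat until Book has one page
        page = rng.randrange(lo, hi)  # (a) open Book at a random page
        opened += 1
        if name < book[page][0]:  # (b) Name occurs before this page
            hi = page  # Book <- Earlier_pages(Book)
        elif name > book[page][0]:
            lo = page + 1  # (c) Book <- Later_pages(Book)
        else:  # landed exactly on Name's page
            lo, hi = page, page + 1
    if lo < len(book) and book[lo][0] == name:
        return book[lo][1], opened
    raise KeyError(name)  # absent name: reported, never answered wrongly


def linear_search(book, name):
    """Deterministic page-by-page scan, for contrast: O(N) pages opened."""
    for opened, (entry, number) in enumerate(book, start=1):
        if entry == name:
            return number, opened
    raise KeyError(name)


def make_book(n):
    """Constructed sample phone book: n names in sorted order with made-up
    numbers (zero-padded so lexicographic order matches numeric order)."""
    return [(f"name{i:05d}", f"555-{i:04d}") for i in range(n)]


def average_pages_opened(book, rng, trials=200):
    """Empirical average of pages opened by Alg 4.4 over random look-ups."""
    total = 0
    for _ in range(trials):
        name = book[rng.randrange(len(book))][0]
        total += random_page_search(book, name, rng)[1]
    return total / trials


if __name__ == "__main__":
    book = make_book(1000)
    rng = random.Random(1)
    print(random_page_search(book, "name00777", rng))
    print(linear_search(book, "name00777"))
    print("average pages opened by Alg 4.4:", average_pages_opened(book, rng))
```

On a 1000-page book the randomized search opens on the order of a couple of dozen pages in total, against 778 for the scan reaching name00777; the exact count varies from run to run, the result never does.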

The reason why Alg 4.4 works so fast is that the names in a phone book have been sorted alphabetically. We should notice that sorting is itself a problem of this kind: "quick-sort" (see, e.g., pages 92-97 of [9]) is a randomized sorting algorithm which sorts N elements in O(N log N) steps, and its random operations will not introduce any error into the outcome. In contrast, "bubble-sort" is a deterministic sorting algorithm; it sorts N elements in O(N^2) steps (see, e.g., page 77 of [9]).
We can say that  is a subclass of languages which can be recognized by randomized algorithms in an "always fast and always correct" fashion.
4.4.3 Subclass "Always Fast and Probably Correct"
A subclass of  which we name (Monte Carlo) (where "(Monte Carlo)" stands for "Monte Carlo", which is typically used as a generic term for "randomized") if the error probability bounds in (4.4.1) and (4.4.2) have the following characterization: for any L ∈ (Monte Carlo) there exists a randomized algorithm A such that for any instance I
and
here the soundness bound is any constant in the interval (0, ). However, as we have pointed out in 4.4.1.2, since for one-sided-error algorithms we do not have to use the majority election criterion in the process of reducing a soundness error probability bound, it can actually be any constant in (0, 1).
Notice that now the soundness bound must be nonzero; otherwise the subclass degenerates to the special case .
Randomized algorithms with this error-probability characterization have one-sided error on the soundness side. In other words, such an algorithm may make a mistake in the form of a false recognition of a non-instance. However, if an input is indeed an instance then it will always be recognized. This subclass of algorithms is called Monte Carlo algorithms.
From our study in 4.4.1 we know that the error probability of a Monte Carlo algorithm can be reduced to arbitrarily close to 0 by independently iterating the algorithm, and the iterated algorithm remains in polynomial time. We therefore say that a Monte Carlo algorithm is always fast and probably correct.
We now show that PRIMES (the set of all prime numbers) is in the subclass (Monte Carlo).
4.4.3.1 An Example of Monte Carlo Algorithms
Since Fermat, it has been known that if p is a prime number and x is relatively prime to p, then x^(p−1) ≡ 1 (mod p). This forms a basis for the following Monte Carlo method for primality testing ([282]), that is, picking x ∈_U (1, p−1] with gcd(x, p) = 1 and checking

Equation 4.4.7
The test is repeated k = log2 p times, with the −1 case required to occur at least once. Alg 4.5 specifies this test algorithm.
Algorithm 4.5: Probabilistic Primality Test (a Monte Carlo
Algorithm)
INPUT p: a positive integer;
OUTPUT YES if p is prime, NO otherwise.
Prime_Test(p)
1. repeat log2 p times:
   a. x ∈_U (1, p−1];
   b. if gcd(x, p) > 1 or x^((p−1)/2) ≢ ±1 (mod p) return(NO);
   end_of_repeat;
2. if (the test in 1.(b) never shows −1) return(NO);
3. return(YES).
First of all, we know from Fermat's Little Theorem (Theorem 6.10 in 6.4) that if p is prime then for all x < p:
Equation 4.4.8
So if p is prime then Prime_Test(p) will always return YES, that is, we always have (including the case of p being the even prime)

On the other hand, if p is a composite number then congruence (4.4.7) will not hold in general. In fact (a fact in Group Theory, see Example 5.2.3 and Theorem 5.1 in 5.2.1), if the inequality against congruence (4.4.7) shows for one x < p with gcd(x, p) = 1 then the inequality must show for at least half the numbers of this kind. Thus we conclude that for x ∈_U (1, p−1] with gcd(x, p) = 1:
Equation 4.4.9
Therefore, if the test passes k times for x chosen uniformly at random (remember that the −1 case is required to hold at least once), then the probability that p is not prime is less than 2^(−k). Here we have used the "unanimous election criterion": p will be rejected if there is a single failure in the log2 p tests. Notice that this election criterion is different from the majority election one which we studied in 4.4.1 (for the general case of two-sided error problems), where failures are tolerated as long as the number of failures does not exceed half the number of tests. In this "unanimous election" the soundness probability tends to 0 much faster than in the majority election case.
We have set k = log2 p, and so for any input instance p:
In 4.3 we have seen that computing modular exponentiation and computing the greatest common divisor on log2 p-bit long input values have their time complexities bounded by O_B((log2 p)^3). Therefore the time complexity of Prime_Test(p) is bounded by O_B((log p)^4).
To this end we know that PRIMES, the language of all prime numbers, is in (Monte Carlo).
Nevertheless, without invalidating this statement, in August 2002 three Indian computer scientists, Agrawal, Kayal and Saxena, found a deterministic polynomial-time primality test algorithm [8]; consequently, PRIMES is in fact in .
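An added implementation of Alg 4.5 (my own code, not the book's), so that the one-sided error of 4.4.3.1 can be observed: a prime is never rejected by step 1.(b), while a composite slips through only if every one of the k bases lands in the fraction of (1, p−1] that satisfies (4.4.7) and −1 is seen at least once. Assumptions of this example: k is taken as floor(log2 p); an optional explicit witness list replaces the random draws so that runs are reproducible; even p > 2 is rejected directly because (p−1)/2 is then not an integer; and the estimation helper is mine.

```python
import math
import random


def witness_round(x, p):
    """One execution of step 1.(b) of Alg 4.5 for a fixed base x.

    Returns "NO" when x reveals p as composite (gcd > 1, or x^((p-1)/2) is
    neither 1 nor -1 mod p), otherwise "+1" or "-1" according to the value of
    x^((p-1)/2) mod p.  pow with three arguments is modular exponentiation.
    """
    if math.gcd(x, p) > 1:
        return "NO"
    r = pow(x, (p - 1) // 2, p)
    if r == 1:
        return "+1"
    if r == p - 1:
        return "-1"
    return "NO"


def prime_test(p, witnesses=None, rng=None):
    """Alg 4.5 (Prime_Test).  witnesses, if given, replaces the random draws;
    otherwise k = floor(log2 p) bases are drawn uniformly from (1, p-1].
    Returns "YES" or "NO"."""
    if p < 2:
        return "NO"
    if p == 2:
        return "YES"  # the even prime: (1, 1] is empty, nothing to sample
    if p % 2 == 0:
        return "NO"  # even composite; (p-1)/2 is not an integer (added guard)
    k = p.bit_length() - 1  # floor(log2 p) repetitions (assumption)
    if witnesses is None:
        rng = rng or random.Random()
        witnesses = [rng.randrange(2, p) for _ in range(k)]
    seen_minus_one = False
    for x in witnesses:  # unanimous election: a single failure rejects p
        outcome = witness_round(x, p)
        if outcome == "NO":
            return "NO"
        if outcome == "-1":
            seen_minus_one = True
    return "YES" if seen_minus_one else "NO"  # step 2 then step 3


def yes_rate(p, trials, seed=0):
    """Fraction of independent runs of Prime_Test(p) that answer YES.  For a
    composite p this estimates the soundness error, which (4.4.9) bounds by
    2^(-k); for a prime p it shows how rarely step 2 fires."""
    rng = random.Random(seed)
    return sum(prime_test(p, rng=rng) == "YES" for _ in range(trials)) / trials


if __name__ == "__main__":
    for p in (2, 3, 9, 15, 97, 561):
        print(p, prime_test(p, rng=random.Random(p)), yes_rate(p, 2000))
```

Two fixed witness lists for p = 97 make the two exits of the algorithm visible: the bases 2, 5, 2 give +1, −1, +1 (2 is a quadratic residue mod 97 and 5 is not) and the answer is YES, while 2, 2, 2 never shows −1 and step 2 answers NO even though 97 is prime, which is why the repetition count matters on the completeness side as well.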
4.4.4 Subclass "Probably Fast and Always Correct"
A subclass of  which we name (Las Vegas) (which stands for "Las Vegas") if the error probability bounds in (4.4.1) and (4.4.2) have the following characterization: for any L ∈ (Las Vegas) there exists a randomized algorithm A such that for any instance I

and
here the completeness bound is any constant in the interval (, 1). Again, as in the case of one-sided error on the soundness side (4.4.3), because there is no need to use the majority election criterion in the process of enlarging the completeness probability bound, it can actually be any constant in (0, 1).
Also again we should notice that the completeness bound must not be 1; otherwise the subclass degenerates to the special case . Randomized algorithms with this error-probability characterization have one-sided error on the completeness side. In other words, such an algorithm may make a mistake in the form of a false non-recognition of an instance. However, if an instance is recognized then no mistake is possible: the instance must be a genuine one. This subclass of algorithms is called Las Vegas algorithms. The term Las Vegas, first introduced in [16], refers to randomized algorithms which either give the correct answer or no answer at all.
From our analysis in 4.4.1.1, we know that the probability for a Las Vegas algorithm to give a YES answer to an instance can be enlarged to arbitrarily close to 1 by independently iterating the algorithm, and the iterated algorithm remains in polynomial time. If we say that Monte Carlo algorithms are always fast and probably correct, then Las Vegas algorithms are always correct and probably fast.
Observing the error probability characterizations of , (Monte Carlo) and (Las Vegas), the following equation is obvious
4.4.4.1 An Example of Las Vegas Algorithms
Let p be an odd positive integer and let p − 1 = q1 q2 ... qk be the complete prime factorization of p − 1 (some of the prime factors may repeat). In Chapter 5 we will establish a fact (5.4.4): p is prime if and only if there exists a positive integer g ∈ [2, p − 1] such that
Equation 4.4.10
This fact provides us with an algorithm for proving primality. Taking as input an odd number p and the complete prime factorization of p − 1, the algorithm tries to find a number g satisfying (4.4.10).

If such a number is found, the algorithm outputs YES and terminates successfully, and p must be prime. Otherwise, the algorithm will be in an undecided state; this means it does not know whether p is prime or not. The algorithm is specified in Alg 4.6.

First we notice k ≤ log_2(p − 1), therefore Alg 4.6 terminates in time polynomial in the size of p.

From the fact to be established in Theorem 5.12 (in 5.4.4), we will see that if Alg 4.6 outputs YES, then the input integer p must be prime; no error is possible. Also, if the algorithm outputs NO, the answer is also correct since otherwise Fermat's Little Theorem (4.4.8) would be violated. These two cases reflect the algorithm's "always correct" nature. The error-free property of the algorithm entitles it to be named "Proof of Primality."
Algorithm 4.6: Proof of Primality (a Las Vegas Algorithm)

INPUT    p: an odd positive number;
         q_1, q_2, ..., q_k: all prime factors of p − 1;

OUTPUT   YES if p is prime, NO otherwise;
         NO_DECISION with certain probability of error.

1. pick g ∈_U [2, p − 1];
2. for (i = 1, i++, k) do
3.     if g^((p−1)/q_i) ≡ 1 (mod p) output NO_DECISION and terminate;
4. if g^(p−1) ≢ 1 (mod p) output NO and terminate;
5. output YES and terminate.
However, when Alg 4.6 outputs NO_DECISION, it does not know whether or not the input integer p is prime. It is possible that p is not prime, but it is also possible that an error has occurred. In the latter case p is indeed prime, but the testing number g which the algorithm picks at random is a wrong one. After we have studied Theorem 5.12 in 5.4.4, we will know that the wrong number g is not a "primitive root."

To this end we know that Alg 4.6 is a one-sided-error algorithm in the completeness side, i.e., a Las Vegas algorithm. We may revise the algorithm into one which does not terminate at a NO_DECISION answer, but carries on the testing step by picking another random tester g. The modified algorithm is still a Las Vegas algorithm, and becomes "probably fast" since it is possible that it always picks a non-primitive root as a tester. Fortunately, for any odd prime p, the multiplicative group modulo p (to be defined in Chapter 5) contains plenty of primitive roots and so such an element can be picked up with a non-trivial probability by randomly sampling the group modulo p (in Chapter 5 we will establish the proportion of primitive roots in a multiplicative group modulo a prime).
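As an added illustration (not the book's own code), here is Alg 4.6 in Python together with the retrying variant just described. The factor list is assumed to be the complete multiset of prime factors of p − 1, repeats included, and the code checks this because the proof only holds for the complete factorization; the sample inputs 97 and 91 are constructed here.

```python
"""Algorithm 4.6 (Proof of Primality) and its retrying Las Vegas variant.

Added illustration, not code from the book.  One trial with a tester g
either proves p prime (YES), refutes it via Fermat's Little Theorem (NO),
or gives up on this g (NO_DECISION).  The retrying variant keeps sampling
fresh testers until it gets a definite answer: "always correct, probably
fast".
"""
import random
from math import prod

YES, NO, NO_DECISION = "YES", "NO", "NO_DECISION"


def check_factorization(p, factors):
    """The algorithm trusts its input: q_1 ... q_k must multiply to p - 1."""
    if p < 3 or p % 2 == 0:
        raise ValueError("p must be an odd positive integer >= 3")
    if prod(factors) != p - 1:
        raise ValueError("factors are not the complete factorization of p - 1")


def lucas_trial(p, factors, g):
    """Steps 2 to 5 of Alg 4.6 with the tester g fixed."""
    check_factorization(p, factors)
    if not 2 <= g <= p - 1:
        raise ValueError("g must lie in [2, p - 1]")
    # Step 3: g^((p-1)/q_i) == 1 (mod p) means g is not a primitive root
    # (or p is composite); this trial cannot decide and gives up.
    for q in set(factors):            # repeated factors give the same exponent
        if pow(g, (p - 1) // q, p) == 1:
            return NO_DECISION
    # Step 4: a violation of Fermat's Little Theorem proves p composite.
    if pow(g, p - 1, p) != 1:
        return NO
    # Step 5: g has order exactly p - 1, so p is prime (Theorem 5.12).
    return YES


def proof_of_primality(p, factors, rng=random):
    """Alg 4.6 as specified: one uniformly random tester g (step 1)."""
    g = rng.randrange(2, p)           # g <-_U [2, p - 1]
    return lucas_trial(p, factors, g)


def proof_of_primality_retrying(p, factors, max_trials=200, rng=random):
    """Revised variant: on NO_DECISION pick a fresh g and carry on.  It never
    returns a wrong YES or NO; it can only be slow (or give up after
    max_trials, which for a prime p happens with negligible probability)."""
    for _ in range(max_trials):
        verdict = proof_of_primality(p, factors, rng)
        if verdict != NO_DECISION:
            return verdict
    return NO_DECISION


if __name__ == "__main__":
    # Constructed inputs: 97 is prime, 96 = 2^5 * 3; 91 = 7 * 13, 90 = 2 * 3^2 * 5.
    print(lucas_trial(97, [2, 2, 2, 2, 2, 3], 5))  # YES: 5 is a primitive root mod 97
    print(lucas_trial(97, [2, 2, 2, 2, 2, 3], 2))  # NO_DECISION: 2^48 == 1 (mod 97)
    print(lucas_trial(91, [2, 3, 3, 5], 2))        # NO: 2^90 != 1 (mod 91)
    print(proof_of_primality_retrying(97, [2, 2, 2, 2, 2, 3]))
```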

Las Vegas algorithms and Monte Carlo algorithms are collectively referred to as "randomized algorithms with one-sided error." Algorithms in this union (recall that the union includes ) are really efficient ones; even though they are non-deterministic algorithms, their time-complexity behaviors are similar to those of the algorithms in .
4.4.4.2 Another Example of Las Vegas Algorithms: Quantum Factorization
A quantum computer can factor an integer in time polynomial in the size of the integer (i.e., FACTORIZATION Q ). Shor devises such an algorithm ([267], also see, e.g., pages 108-115 of [300]). We now explain that Shor's quantum factorization procedure is also a Las Vegas algorithm.

To factor an integer N, a random integer a is picked; a quantum algorithm, which uses Simon's idea of finding a period in a quantum state by sampling from the Fourier transform [276], can find the period of the function f(x) = a^x (mod N), i.e., the least positive integer r satisfying f(r) = 1. In Chapter 6 we shall see that for a composite N, a non-trivial proportion of the integers a satisfying gcd(a, N) = 1 have an even period (called the multiplicative order of the element a), i.e., r is even.

Once an even period r is found, if a^(r/2) ≢ ±1 (mod N), then a^(r/2) (mod N) is a non-trivial square root of 1 modulo N. In 6.6.2 (Theorem 6.17) we shall show that gcd(a^(r/2) ± 1, N) must be a non-trivial factor of N, i.e., the algorithm has successfully factored N.

If r is odd or if a^(r/2) ≡ −1 (mod N), then gcd(a^(r/2) ± 1, N) is a trivial factor of N, i.e., 1 or N; so the algorithm fails with no answer. However, for a randomly chosen integer a < N, the probability of encountering a^(r/2) ≢ −1 (mod N) is bounded from below by a constant > 1/2, and therefore the procedure can be repeated using another random element a. By our analysis in 4.4.1.1, Shor's algorithm remains in polynomial time.
4.4.5 Subclass "Probably Fast and Probably Correct"
A subclass of is named (which stands for "Bounded error probability Probabilistic Polynomial time") if the error probability bounds in (4.4.1) and (4.4.2) both hold for the following cases:

Equation 4.4.11

here > 0 and > 0. We should pay attention to two things in this error probability characterization:

1. 1 and 0. Otherwise, the subclass degenerates to one of the three simpler cases: , or (Monte Carlo), or (Las Vegas). Now with 1 and 0, algorithms in have two-sided errors: both false non-recognition (a completeness

error) and false recognition (a soundness error) are possible.

2. > 0 and/or > 0. This means that algorithms in have their error probabilities clearly bounded away from . In 4.4.1 we have reasoned that if then repeating the algorithm with the majority election criterion can lead to the enlargement of the completeness probability (reduction of the soundness error probability). If or , then the majority election technique won't work, since the former (the latter) case means that there is no majority fraction of the random moves leading to a recognition (rejection). However, a "minority election criterion" may still be used (we will see such an example in 18.5.1). Finally, if and , then no election criterion can work and the problem is not in (i.e., it cannot be recognized by a non-deterministic Turing machine regardless of how long the machine runs).
Since, besides Monte Carlo and Las Vegas, Atlantic City is another famous gambling place that lures people into increasing their winning probabilities by increasing the number of games they play, randomized algorithms with two-sided errors are also called Atlantic City algorithms. Now let us look at an example of Atlantic City algorithms.
4.4.5.1 An Example of Atlantic City Algorithms
There is a famous protocol in quantum cryptography named the quantum key distribution protocol (the QKD protocol, see e.g. [31]). The QKD protocol allows a bit string to be agreed between two communication entities without having the two parties meet face to face, and yet the two parties can be sure with high confidence that the agreed bit string is exclusively shared between them. The QKD protocol is a two-sided-error randomized algorithm. Let us describe this algorithm and examine its two-sided-error property.

Let us first provide a brief description of the physical principle behind the QKD protocol. The distribution of a secret bit string in the QKD protocol is achieved by a sender (let Alice be the sender) transmitting a string of four-way-polarized photons. Each of these photons is in a state (called a photon state or a state) denoted by one of the four following symbols:

The first two photon states are emitted by a polarizer which is set with a rectilinear orientation; the latter two states are emitted by a polarizer which is set with a diagonal orientation. Let us denote by + and x these two differently oriented polarizers, respectively. We can encode information into these four photon states. The following is a bit-to-photon-state encoding scheme:

Equation 4.4.12

This encoding scheme is public knowledge. If Alice wants to transmit the conventional bit 0 (respectively, 1), she may choose to use + and consequently send out over a quantum channel

(respectively, |), or choose to use x and consequently send out / (respectively, \). For each conventional bit to be transmitted in the QKD protocol Alice will set the differently oriented polarizers + or x uniformly at random.

To receive a photon state, a receiver (who may be Bob, the intended receiver, or Eve, an eavesdropper) must use a device called a photon observer which is also set with a rectilinear or diagonal orientation. We shall also denote by + and x these two differently oriented observers, respectively. Let and denote the two differently oriented observers receiving and interpreting photon states transmitted from left to right. The observation of the photon states obeys the following rules:

Correct observations (states are maintained)

Incorrect observations (states are destroyed)

These observation rules say the following. Rectilinearly oriented states can be correctly observed by rectilinearly set observers; likewise, diagonally oriented states can be correctly observed by diagonally set observers. However, if a rectilinearly (diagonally) oriented state is observed by a diagonally (rectilinearly) oriented observer, then a 45° "rectification" of the orientation will occur, with probability 0.5 in either direction. These are wrong observations and are an inevitable result of the "Heisenberg Uncertainty Principle" which underlies the working principle of the QKD Protocol.

So if the orientation setting of the receiver's observer agrees with (i.e., is the same as) the setting of Alice's polarizer then a photon state will be correctly received. The public bit-to-photon encoding scheme in (4.4.12) is a 1-1 mapping between the conventional bits and the photon states. So in such a case, the conventional bit sent by Alice can be correctly decoded. On the other hand, if the orientation settings of the photon devices at the two ends disagree, a wrong observation must occur and it also necessarily destroys the photon state transmitted, although the receiver can have no idea which photon state has actually been sent and destroyed.

We are now ready to specify the QKD Protocol. The protocol is specified in Prot 4.1.

Let us explain how this protocol works and measure the probabilities for the two-sided errors to occur.

Protocol 4.1: Quantum Key Distribution (an Atlantic City Algorithm)

High-level Description of the Protocol

Quantum channel: Alice sends to Bob m photon states, each of them randomly oriented in .

Conventional channel, open discussions: They choose "sifted bits", which are those transmitted where Alice's settings of her polarizers agree with Bob's settings of his observers. They further compare random (< k) "testing bits" among the k sifted bits to detect eavesdropping, and in the absence of an eavesdropper, they agree on the remaining k secret bits.

1. Alice generates m random conventional bits a_1, a_2, ..., a_m ∈_U {0, 1}; she sets m randomly oriented polarizers p_1, p_2, ..., p_m ∈_U {+, x}; she sends to Bob the m photon states p_1(a_1), p_2(a_2), ..., p_m(a_m) according to the bit-to-photon-state encoding scheme in (4.4.12);

2. Bob sets m randomly oriented photon observers o_1, o_2, ..., o_m ∈_U {+, x} and uses them to receive the m photon states; using the bit-to-photon-state encoding scheme in (4.4.12) Bob decodes and obtains conventional bits b_1, b_2, ..., b_m; he tells Alice: "All received!";

3. They openly compare their settings (p_1, o_1), (p_2, o_2), ..., (p_m, o_m); if more than pairs of the settings agree as follows (* without loss of generality we have relabeled the subscripts *)

   then they proceed to execute the following steps; otherwise the run fails (* the failure is an error in the completeness side *);

4. (* now the set contains k pairs of sifted bits distributed via the agreed settings of polarizers and observers *) Alice and Bob openly compare random pairs in ; the compared bits are called testing bits; if any pair of the testing bits do not match, they announce "Eavesdropper detected!" and abort the run;

5. They output the remaining k bits as the distributed secret key; the run terminates successfully (* but an error in the soundness side may have occurred *).
Steps 1 and 2 are quite straightforward: Alice sends to Bob m random photon states using m

random settings p_1, p_2, ..., p_m ∈_U {+, x} (Step 1) and Bob has to observe them in a random process using m random settings o_1, o_2, ..., o_m ∈_U {+, x} (Step 2). The m conventional bits Alice encoded and transmitted are a_1, a_2, ..., a_m and those Bob received and decoded are b_1, b_2, ..., b_m.

In Step 3, Alice and Bob discuss over a conventional communication channel to see whether or not, among their m random pairs of device settings, there are pairs of settings being the same. If there are k agreed settings they will proceed further. Otherwise, the run has failed and this is an error in the completeness side. We shall provide a probability measure for the completeness-side error in a moment.

Suppose that a completeness-side error has not occurred and the two parties are now in Step 4. They now have a set of k sifted bits which are distributed by the k agreed device settings. Without loss of generality we can relabel the subscripts of these bits; so Alice's sifted bits are a_1, a_2, ..., a_k and those of Bob are b_1, b_2, ..., b_k. They now conduct an open discussion again over the conventional channel: comparing random pairs of the sifted bits. Any mismatch will be considered as being caused by an eavesdropper Eve. If they do not find the existence of Eve in Step 4, the protocol reaches the happy end in Step 5. Alice and Bob now share k bits which they consider as not having been eavesdropped. However, it is possible that the reason for non-detection is the occurrence of a soundness-side error. Let us now investigate the probability of this error.
Probability of the Soundness-side Error
Suppose Eve has listened to the quantum channel. The only way for Eve to observe the photon states sent from Alice is to use the same technique that Bob uses. So Eve has to set m random orientations for her observers and she also has to send m states to Bob. Due to the "Heisenberg Uncertainty Principle" her wrong observations will destroy Alice's states. Since Eve can have no idea about the correctness of her observations, she will have no idea what should be passed to Bob. One strategy for Eve is to send to Bob a completely new set of m states which she invents randomly (just as Alice does), hoping that whatever she sends and whatever Alice sends will be observed by Bob without difference; another strategy is to just pass over to Bob whatever she has observed, hoping that she has not destroyed Alice's states. Actually, there will be no difference between these two strategies in terms of affecting the soundness-side error probability which we now derive.

Let us consider the second strategy (the first strategy will lead to the same soundness-side error probability result, Exercise 4.9). For state p_i(a_i), if Eve has set her observer e_i correctly, i.e., e_i = p_i, then she will receive the state p_i(a_i) and hence the bit a_i correctly, and consequently Bob will receive the state and the bit correctly too. So in this case there is no way for Alice and Bob to detect Eve's existence. Since the probability for Eve to have correctly set her i-th observer is 1/2, we have 1/2 as part of the probability value for non-detection (in the i-th position).

If Eve has set her i-th observer incorrectly then the i-th state she observes is incorrect and hence she will send an incorrect state to Bob. Nevertheless, Bob's observer will "rectify" that wrong state by 45°, with a 50:50 chance either way. Thus, Bob may receive that state correctly or incorrectly, with probability 1/2 for either case. A correct receipt will again leave Eve undetected. Notice that this sub-case of non-detection comes after Eve's wrong setting of her device, which also has probability 1/2. Since Eve's and Bob's device settings are independent, the probability of this sub-case of non-detection is 1/2 · 1/2 = 1/4.

Summing the probability values obtained in the above two paragraphs, we have derived 1/2 + 1/4 = 3/4 as the probability for non-detection of Eve in her listening of the i-th state. Since Eve

must listen to all the sifted states in order to obtain the distributed key, and Alice and Bob compare random testing bits and any single mismatch will signal a detection (this is a "unanimous election criterion", not even a single failure is tolerated, see 4.4.1.2), the probability for non-detection of Eve in all positions is . This is the probability for the soundness-side error. This quantity diminishes to 0 very fast.
Probability of the Completeness-side Error
Finally let us look at the probability for a completeness-side error to occur. Consider Alice's m settings of her devices being a random binary vector V = (v_1, v_2, ..., v_m) and those of Bob's, W = (w_1, w_2, ..., w_m). A completeness-side error occurs when V ⊕ W has fewer than k zeros. Since the settings of Alice and those of Bob are independent and uniform, V ⊕ W should also be a uniformly random binary vector of m binary bits. The probability of the number of zeros i appearing in this vector follows the binomial distribution of m trials with i successes where the probability of success is 0.5. Clearly, the "most probable number of zeros" in vector V ⊕ W is m/2. That is, the "central term" (see 3.5.2.1) of this binomial distribution is at point m/2. So point k is far away (far left) from point m/2 where the central term is. Thus, the probability of a completeness-side error is a "left tail" of this binomial distribution function. By the probability bound for a left tail which we have established in (3.5.8), we derive the following bound for the probability of a completeness-side error occurring:

Therefore, the probability for Alice and Bob to run the protocol beyond Step 3 is greater than
Summary of the Two-sided-error Probabilities
We summarize the probabilities of two-sided errors for Prot 4.1 as follows. For the completeness side we have:
and for the soundness side we have:
We should notice that the "left tail" bound, obtained from (3.5.8), for the completeness-side error probability is a loose upper bound. The left tail diminishes to zero much faster than the bound does (see the numerical example in Example 3.9).
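The remark above is easy to check numerically. The following Python block is an added example, not part of the book: it computes the exact left tail of the binomial distribution of the number of zeros in the m-bit vector $V \oplus W$, so that the reader can compare the true completeness-side error with the loose bound. The book's threshold on the number of zeros is not reproduced on this page, so the block takes the threshold as a parameter and assumes m/4 by default; that fraction is an assumption of this example, not a value from the text.

```python
from fractions import Fraction
from math import comb


def binomial_left_tail(m: int, t: int) -> Fraction:
    """Exact P[Z < t] for Z ~ Binomial(m, 1/2).

    Z models the number of zeros in a uniformly random m-bit vector, which is
    the distribution of V xor W when Alice's and Bob's settings are independent
    and uniform.  Returned as an exact rational so that very small tails are
    not lost to floating-point underflow.
    """
    if t <= 0:
        return Fraction(0)
    if t > m:
        return Fraction(1)
    return Fraction(sum(comb(m, i) for i in range(t)), 2 ** m)


def completeness_error(m: int, fraction: Fraction = Fraction(1, 4)) -> Fraction:
    """Completeness-side error: probability that V xor W has fewer than
    fraction*m zeros, so that Alice and Bob cannot proceed beyond Step 3.

    The threshold fraction is an ASSUMED parameter of this example (m/4 by
    default); it stands in for the constant the book uses, which is not on
    this page.
    """
    return binomial_left_tail(m, int(fraction * m))


def error_table(ms=(16, 64, 256, 1024)) -> dict[int, float]:
    """Left-tail probability for several m, showing how fast it vanishes."""
    return {m: float(completeness_error(m)) for m in ms}


if __name__ == "__main__":
    for m, err in error_table().items():
        print(f"m = {m:5d}: completeness-side error = {err:.3e}")
```

Because the tail is computed exactly, the table can be extended to key lengths in the thousands of bits without the underflow a naive floating-point sum would hit; the values decrease roughly like $2^{-cm}$, far faster than the generic bound of (3.5.8).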
These error probability results show that the QKD protocol can be practically used for key distribution. In a real application, the conventional communication channel over which Alice and Bob conduct open discussions must have the authentication property. That is necessary in order for them to be sure that they share the secret key with the right communication partner; without it, a third party sitting between them could run the protocol separately with each side. Authentication will be the topic of Part IV.
Commercial QKD systems are expected to be in practical use in year 2004 or so [268].
4.4.6 Efficient Algorithms
To this end of our introduction to the polynomial-time class and to the probabilistic polynomial-time (PPT) subclasses, we have established the following class inclusion relation:
Algorithms which can solve problems in any of these classes are called efficient algorithms.
Definition 4.6: Efficient Algorithms An algorithm is said to be efficient if it is deterministic or randomized with execution time expressed by a polynomial in the size of the input.
This definition characterizes a notion of tractability: whether deterministic or randomized, a polynomial-time problem is solvable, i.e., such a problem requires resources which are manageable even if the size of the problem can be very large. Problems outside the tractable class are intractable.
However, since polynomials can have vastly different degrees, problems within the same class can have vastly different time complexities. Therefore an efficient algorithm for solving a tractable problem need not be efficient in a practical sense. We will see a few protocol examples in a later chapter which have their time complexities bounded by polynomials in their input sizes. Thus, these protocols are efficient by Definition 4.6; however, they have little value for practical use because the polynomials that bound their time complexities are simply too large (i.e., their degrees are too large). This is in contrast to the situations in applications where some algorithms with non-polynomial (to be defined in 4.6) time complexities are still useful for solving small instances of intractable problems effectively (e.g., Pollard's Kangaroo Method for Index Computation, 3.6.1).
We shall use the term practically efficient to refer to polynomial-time algorithms where the polynomials have very small degrees. For example, Turing machine Div3, algorithms gcd, mod_exp and Prime_Test, and the QKD protocol are all practically efficient. Now let us see another example of a practically efficient algorithm which is widely used in modern cryptography.
4.4.6.1 Efficient Algorithms: An Example
The idea of the probabilistic primality test can be translated straightforwardly to an algorithm for generating a random probabilistic prime number of a given size. We say that n is a probabilistic prime number if Prime_Test(n) returns the YES answer. Alg 4.7 specifies how to generate such a number of a given size.
Algorithm 4.7: Random k-bit Probabilistic Prime Generation
INPUT k: a positive integer;
(* the input is written to have the size of the input *)
OUTPUT a k-bit random prime.
Prime_Gen(k)
1. $p \leftarrow_U (2^{k-1}, 2^k - 1]$ with p odd;
2. if Prime_Test(p) = NO return(Prime_Gen(k));
3. return(p).
First, let us suppose that Prime_Gen(k) terminates. This means that the algorithm eventually finds a number p which satisfies Prime_Test(p) = YES (in step 2). From our estimate on the error probability bound for Prime_Test, the probability for the output p not being prime is bounded from above by $2^{-k}$ where $k = \log_2 p$.
An obvious question arises: Will Prime_Gen(k) terminate at all?
The well-known prime number theorem (see e.g., page 28 of [170]) states that the number of primes less than X is bounded below by . So the number of primes of exactly k binary bits is about
Thus, we can expect that Prime_Gen(k) may recursively call itself 2k times in step 2 until a probabilistic prime is found, and then it terminates.
With the time complexity for Prime_Test(p) being bounded by $O_B((\log p)^4) = O_B(k^4)$, after 2k calls of Prime_Test, the time complexity of Prime_Gen(k) is bounded by $O_B(k^5)$.
Another question arises: while $O_B(k^5)$ is indeed a polynomial in k, can this quantity be a polynomial in the size of the input to Algorithm Prime_Gen(k), i.e., a polynomial in the size of k? When we write a number n in the base-b representation for any b > 1, the size of the number n is $\log_b n$ and is always less than n. In order to make Prime_Gen(k) a polynomial-time algorithm in the size of its input, we have explicitly required in the specification of Prime_Gen(k) that its input should be written to have the size of the input. Using the unary, or base-1, representation, k can indeed be written to have the size k.
Definition 4.7: Unary Representation of a Number The unary representation of a positive natural number n is $1^n$, the string of n ones.
From now on we shall use Prime_Gen($1^k$) to denote an invocation instance of the algorithm Prime_Gen. In the rest of this book, the unary representation of a number always provides an explicit emphasis that the size of that number is the number itself.
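The following Python block is an added worked example of Alg 4.7; it is not code from the book. Prime_Test is instantiated with the Miller-Rabin test (the book's own Prime_Test is defined earlier in the chapter and is not reproduced here; Miller-Rabin is the standard choice and is assumed for this example). The recursion of step 2 is unrolled into a loop, and the number of candidates drawn is returned alongside the prime so that the linear-in-k growth argued from the prime number theorem can be observed directly. The helper names prime_test, prime_gen, is_prime_exact and mean_trials are this example's own.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def prime_test(n: int, rounds: int) -> bool:
    """Probabilistic primality test (Miller-Rabin), standing in for Prime_Test.

    True means YES (probable prime).  A composite survives one round with
    probability at most 1/4, so the error after `rounds` rounds is at most
    4 ** -rounds; a NO answer (False) is always correct.
    """
    if n < 2:
        return False
    for q in SMALL_PRIMES:            # exact answer for tiny n, and rejects even n
        if n % q == 0:
            return n == q
    d, s = n - 1, 0                   # write n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base a in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # a witnesses compositeness: answer NO
    return True                       # answer YES


def prime_gen(k: int, rounds: int = 64) -> tuple[int, int]:
    """Alg 4.7 with the recursion of step 2 unrolled into a loop.

    Returns (p, trials): a k-bit probable prime and the number of candidates
    drawn before Prime_Test answered YES.
    """
    if k < 2:
        raise ValueError("k must be at least 2")
    trials = 0
    while True:
        trials += 1
        # Step 1: uniform odd p of exactly k bits (top bit and low bit forced to 1).
        p = (1 << (k - 1)) | secrets.randbits(k - 1) | 1
        if prime_test(p, rounds):     # Step 2: retry on NO; Step 3: return on YES
            return p, trials


def is_prime_exact(n: int) -> bool:
    """Deterministic trial division, used only to cross-check small outputs."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def mean_trials(k: int, samples: int = 50) -> float:
    """Average number of candidates per k-bit prime; grows linearly in k."""
    return sum(prime_gen(k, 16)[1] for _ in range(samples)) / samples


if __name__ == "__main__":
    p, trials = prime_gen(512)
    print(f"{p.bit_length()}-bit probable prime found after {trials} candidates")
    for k in (64, 128, 256):
        print(f"k = {k}: mean candidates per prime = {mean_trials(k):.1f}")
```

Two practical points the algorithm's specification hides. First, a literal recursive transcription of step 2 is the same algorithm but, for k in the thousands, the expected number of nested calls is comparable to a typical interpreter's recursion limit, so the loop form is the one to ship. Second, the candidates must come from a cryptographic random source (secrets here); drawing them from a seeded pseudorandom generator would let anyone who learns the seed reproduce the "random" prime.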
4.5 Non-deterministic Polynomial Time
Consider the following decisional problem:
Problem SQUARE-FREENESS
INPUT N: a positive and odd composite integer;
QUESTION Is N square free?
Answer YES if there exists no prime p such that $p^2 \mid N$.
Problem SQUARE-FREENESS is very difficult. To date there exists no known algorithm (whether deterministic or probabilistic) which can answer it in time polynomial in the size of the input. Of course, there exist algorithms to answer this question. For example, the following is one: on input N, perform trial division exhaustively using the square of all odd primes up to $\sqrt{N}$, and answer YES when all divisions fail. However, for N being a general instance input, this method runs in time on the order of $\sqrt{N}$ divisions, i.e., in time exponential in (half) the size of N.
Nevertheless, Problem SQUARE-FREENESS should not be regarded as too difficult. If we know some "internal information" of the problem, called a witness (or a certificate or an auxiliary input), then an answer can be verified in time polynomial in the size of the input. For example, for input N, the integer $\phi(N)$, which is named Euler's phi function of N and is the number of all positive numbers less than N and co-prime to N (see Definition 5.11 in 5.2.3), can be used as a witness for an efficient verification algorithm to verify an answer to whether N is square free. Alg 4.8 is an efficient verification algorithm.
Algorithm 4.8: Square-Free(N, $\phi(N)$)
1. $d \leftarrow \gcd(N, \phi(N))$;
2. if d = 1 or  answer YES else answer NO.
The reader who is already familiar with the meaning of $\phi(N)$ may confirm the correctness of Alg 4.8 (Exercise 4.13). This verification algorithm is due to a basic number theoretic fact which will become apparent to us in Chapter 6 (6.3). From our study of the time complexity of the greatest common divisor algorithm (4.3.2.3), it is clear that this algorithm runs in time polynomial in the size of N.
Now let us describe a computation device: it models a method to solve the class of problems which share the same property with Problem SQUARE-FREENESS. The computation of the device
can be described by a tree in Fig 4.4.
Figure 4.4. All Possible Moves of a Non-deterministic Turing Machine (with a recognition sequence)
The device is called a non-deterministic Turing machine. This is a variant Turing machine (review our description of Turing machines in 4.2). At each step the machine will have a finite number of choices as to its next-step move. An input string is said to be recognized if there exists at least one sequence of legal moves which starts from the machine's initial state when the machine scans the first input symbol, and leads to a state after the machine has completed scanning the input string where a terminating condition is satisfied. We shall name such a sequence of moves a recognition sequence.
We can imagine that a non-deterministic Turing machine finds a solution to a recognizable input instance by a series of guesses; a sequence of moves that consists of correct guesses forms a recognition sequence. Thus, all possible moves that the machine can make form a tree (called the computational tree of a non-deterministic Turing machine, see the picture in Fig 4.4). The size (the number of nodes) of the tree is obviously an exponential function in the size of the input. However, since the number of moves in a recognition sequence for a recognizable input instance is the depth d of the tree, we have d = O(log(number of nodes in the tree)) and therefore the number of moves in a recognition sequence must be bounded by a polynomial in the size of the input instance. Thus, the time complexity for recognizing a recognizable input, via a series of correct guesses, is a polynomial in the size of the input.
Definition 4.8: Class NP We write NP to denote the class of languages recognizable by non-deterministic Turing machines in polynomial time.
It is straightforward to see
namely, every language (decisional problem) in P is trivially recognizable by a non-deterministic Turing machine. It is also trivial to see
In fact, the probabilistic polynomial-time classes, the Monte Carlo and Las Vegas subclasses included, all consist of genuine NP problems since they are indeed non-deterministic polynomial-time problems[e]. The only reason for these subclasses of NP problems to be efficiently solvable is that these NP problems have abundant witnesses which can be easily found via random guessing. It is only a customary convention that we usually confine NP to be the class of non-deterministic polynomial-time (decisional) problems which have sparse witnesses. Here is the meaning of "sparse witnesses": in a computational tree of an NP problem, the fraction
is a negligible quantity (Definition 4.13).
[e] Recall the reason given in the beginning of 4.4 for renaming a subclass of non-deterministic polynomial-time Turing machines into "probabilistic Turing machines."
In 18.2.3 we shall further establish the following result
Equation 4.5.1
If an NP problem has sparse witnesses, then with the involvement of random guessing steps, a non-deterministic Turing machine does not really offer any useful (i.e., efficient) algorithmic method for recognizing it. This is different from the cases of non-deterministic Turing machines being efficient devices for NP problems with abundant witnesses. For NP problems with sparse witnesses, non-deterministic Turing machines merely model a class of decisional problems which share the following property:
Given a witness, an answer to a decisional problem can be verified in polynomial time.
A witness for an NP problem is modelled by a recognition sequence in the computational tree for a non-deterministic Turing machine (see the dashed branches in the computational tree in Fig 4.4).
Now we ask: without using a witness, what is the exact time complexity for any given problem in NP? The answer is not known. All known algorithms for solving any problem in NP without using a witness show polynomially-unbounded time complexities. Yet to date no one has been
able to prove that this is necessary, i.e., to prove P $\ne$ NP. Also, no one has so far been able to demonstrate the opposite case, i.e., to prove P = NP. The question whether P = NP is a well-known open question in theoretical computer science.
Definition 4.9: Lower and Upper Complexity Bounds A quantity B is said to be the lower (complexity) bound for a problem P if any algorithm A solving P has a complexity cost $C(A) \ge B$. A quantity U is said to be an upper bound for a problem P if there exists an algorithm A solving P and A has a complexity cost $C(A) \le U$.
It is usually possible (and easy) to identify the lower bound for any problem in P, namely, to pinpoint precisely the polynomial bound that declares the necessary number of steps needed for solving the problem. Machine Div3 (Example 4.1) provides such an example: it recognizes an n-bit string in precisely n steps, i.e., using the least possible number of steps permitted by the way of writing the input instance.
However, for problems in NP, it is always difficult to identify the lower complexity bound or even to find a new (i.e., lowered) upper bound. Known complexity bounds for NP problems are all upper bounds. For example, we have "demonstrated" that the cost of trial division is an upper bound for answering Problem SQUARE-FREENESS with input N. An upper bound essentially says: "only this number of steps are needed for solving this problem" without adding an important untold part: "but fewer steps may be possible." In fact, for Problem SQUARE-FREENESS, the Number Field Sieve method for factoring N has complexity given by (4.6.1), which takes far fewer steps than trial division but is still an upper bound.
One should not be confused by "the lower bound" and "a lower bound." The latter often appears in the literature (e.g., used by Cook in his famous article [80] that discovered the "Satisfiability Problem" being "NP-complete") to mean a newly identified complexity cost which is lower than all known ones (hence a lower bound). Even the identification of a (not the) lower bound usually requires a proof for the lowest cost. Identification of the lower bound for an NP problem qualifies as a major breakthrough in the theory of computational complexity.
The difficulty of identifying the lower non-polynomial bound for NP problems has a serious consequence in modern cryptography, which has a complexity-theoretic basis for its security. We shall discuss this in 4.8.
4.5.1 Non-deterministic Polynomial-time Complete
Even though we do not know whether or not P = NP, we do know that certain problems in NP are as difficult as any in NP, in the sense that if we had an efficient algorithm to solve one of these problems, then we could find an efficient algorithm to solve any problem in NP. These problems are called non-deterministic polynomial-time complete (NP-complete or NPC for short).
Definition 4.10: Polynomial Reducible We say that a language L is polynomially reducible to
another language $L_0$ if there exists a deterministic polynomial-time-bounded Turing machine M which will convert each instance $I \in L$ into an instance $I_0 \in L_0$, such that $I \in L$ if and only if $I_0 \in L_0$.
Definition 4.11: NP-Complete A language $L_0$ is non-deterministic polynomial time complete (NP-complete) if every language L in NP is polynomially reducible to $L_0$.
A well-known NP-complete problem is the so-called SATISFIABILITY problem (identified by Cook [80]), which is the first problem found to be NP-complete (page 344 of [227]). Let $E(x_1, x_2, \ldots, x_n)$ denote a Boolean expression constructed from n Boolean variables $x_1, x_2, \ldots, x_n$ using Boolean operators, such as $\wedge$, $\vee$ and $\neg$.
Problem SATISFIABILITY
INPUT $X = (x_1, \neg x_1, x_2, \neg x_2, \ldots, x_n, \neg x_n)$; $E(x_1, x_2, \ldots, x_n)$.
A truth assignment for $E(x_1, x_2, \ldots, x_n)$ is a sublist X' of X such that for $1 \le i \le n$, X' contains either $x_i$ or $\neg x_i$ but not both, and that E(X') = True.
QUESTION Is $E(x_1, x_2, \ldots, x_n)$ satisfiable? That is, does a truth assignment for it exist?
Answer YES if $E(x_1, x_2, \ldots, x_n)$ is satisfiable.
If a satisfying truth assignment is given, then obviously the YES answer can be verified in time bounded by a polynomial in n. Therefore by Definition 4.8 we know SATISFIABILITY $\in$ NP. Notice that there are $2^n$ possible truth assignments, and so far we know of no deterministic polynomial-time algorithm to determine whether there exists a satisfying one.
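The asymmetry just described, polynomial-time verification given a witness versus exhaustive search over $2^n$ assignments without one, is concrete enough to run. The Python block below is an added example, not from the book: it represents E in conjunctive normal form (a conjunction of clauses, each a disjunction of literals), which is the usual input form for SATISFIABILITY and is an assumption of this example, and it supplies a small formula constructed for illustration. The witness is the sublist X' of the text, encoded as a mapping from each index i to whether $x_i$ (True) or $\neg x_i$ (False) was chosen.

```python
from itertools import product

# Constructed sample formula (not from the text), in CNF:
#   E = (x1 v ~x2) ^ (x2 v x3) ^ (~x1 v ~x3) ^ (~x2 v ~x3)
# Literal +i denotes x_i and -i denotes NOT x_i, with 1-based indices as in the text.
SAMPLE_CNF = [[1, -2], [2, 3], [-1, -3], [-2, -3]]
SAMPLE_N = 3


def verify(cnf, n, witness):
    """Polynomial-time verifier for SATISFIABILITY.

    `witness` is a proposed truth assignment X': a dict {i: True/False} that
    picks x_i (True) or NOT x_i (False) for each 1 <= i <= n.  Returns True iff
    X' is complete, picks exactly one of x_i / NOT x_i per variable (a dict
    enforces "not both"), and makes every clause true.  The cost is linear in
    the number of literals of E, regardless of how hard E was to satisfy.
    """
    if set(witness) != set(range(1, n + 1)):
        return False                  # incomplete assignment: not a valid X'
    for clause in cnf:
        if not any(witness[abs(lit)] == (lit > 0) for lit in clause):
            return False              # a clause with no true literal falsifies E
    return True


def search(cnf, n):
    """Exhaustive search, the only generic method known: tries all 2^n
    assignments and returns the first witness that `verify` accepts, or None
    when E is unsatisfiable.  Time is exponential in n."""
    for bits in product((False, True), repeat=n):
        witness = dict(zip(range(1, n + 1), bits))
        if verify(cnf, n, witness):
            return witness
    return None


def witness_as_sublist(witness):
    """Render a witness in the text's notation: the sublist X' of X."""
    return ["x%d" % i if v else "~x%d" % i for i, v in sorted(witness.items())]


if __name__ == "__main__":
    w = search(SAMPLE_CNF, SAMPLE_N)
    print("satisfying X' =", witness_as_sublist(w))
    print("unsatisfiable x1 ^ ~x1 ->", search([[1], [-1]], 1))
```

Note that `verify` never has to understand why a witness works; it only checks it. That is exactly the property Definition 4.8 captures, and it is why a cryptographic scheme can let a verifier with a witness do in polynomial time what an attacker without one is believed to need exponential time for.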
A proof for SATISFIABILITY being NP-complete (due to Cook [80]) can be seen in Chapter 10 of [9] (the proof is constructive: it transforms an arbitrary non-deterministic polynomial-time Turing machine into one that solves SATISFIABILITY).
A large list of NP-complete problems has been provided in [118].
For an NP-complete problem, any newly identified lowered upper bound can be polynomially "reduced" (transformed) to a new result for a whole class of NP problems. Therefore it is desirable, as suggested by [98], that cryptographic algorithms are designed to have security based on an NP-complete problem. A successful attack on such a cryptosystem should hopefully lead to a solution to the whole class of difficult problems, which should be unlikely. However, such a reasonable desire has so far not led to fruitful results, either in terms of realizing a secure and practical cryptosystem, or in terms of solving the whole class of NP problems using an attack on such a cryptosystem. We shall discuss this seemingly strange phenomenon in 4.8.2.
4.6 Non-Polynomial Bounds
There are plenty of functions larger than any polynomial.
Definition 4.12: Non-Polynomially-Bounded Quantity A function f(n): ℕ → ℝ is said to be unbounded by any polynomial in n if for any polynomial p(n) there exists a natural number n_0 such that for all n > n_0, f(n) > p(n).
A function f(n) is said to be polynomially bounded if it is not a non-polynomially-bounded quantity.
Example 4.3.
Show that for any a > 1, 0 < ε < 1, the functions f_1(n), f_2(n) are not bounded by any polynomial in n.
Let p(n) be any polynomial. Denoting by d its degree and by c its largest coefficient, then p(n) ≤ c n^d. First, let n_0 = max(c, ), then f_1(n) > p(n) for all n > n_0. Secondly, let n_0 = max(c, ), then f_2(n) > p(n) for all n > n_0.
In contrast to polynomial-time problems (deterministic or randomized), a problem with time complexity which is non-polynomially bounded is considered to be computationally intractable or infeasible. This is because the resource requirement for solving such a problem grows too fast when the size of the problem instances grows, so fast that it quickly becomes impractically large. For instance, let N be a composite integer of size n (i.e., n = log N); then the function f_1(log N) in Example 4.3 with a = exp(1.9229994 + o(1)) (where o(1) → 0 as N → ∞) and ε = 1/3 provides a time-complexity expression for factoring N by the Number Field Sieve method (see, e.g., [70]):
Equation 4.6.1
Expression (4.6.1) is a sub-exponential expression in N. If ε is replaced with 1, then the expression becomes an exponential one. A sub-exponential function grows much slower than an exponential one, but much faster than a polynomial. For N being a 1024-bit number, expression (4.6.1) provides a quantity larger than 2^86. This quantity is currently not manageable even with the use of a vast number of computers running in parallel. The sub-exponential time complexity formula also applies to the best algorithm for solving a "discrete logarithm problem" in a finite field of magnitude N (see Definition 8.2 in §8.4).

We should, however, notice the asymptotic fashion of the comparison of functions used in Definition 4.12 (f(n) in Definition 4.12 is also said to be asymptotically larger than any polynomial, or larger than any polynomial in n for sufficiently large n). Even if f(n) is unbounded by any polynomial in n, often it is the case that for a quite large number n_0, f(n) is less than some polynomial p(n) for n ≤ n_0. For instance, the function f_2(n) in Example 4.3 with ε = 0.5 remains a smaller quantity than the quadratic function n^2 for all n ≤ 2^742762245454927736743541, even though f_2(n) is asymptotically larger than n^d for any d ≥ 1. That is why in practice, some algorithms with non-polynomially-bounded time complexities can still be effective for solving problems of small input size. Pollard's λ-method for extracting small discrete logarithms, which we have introduced in §3.6.1, is just such an algorithm.
While using the order notation (see Definition 4.2 in §4.3.2.4) we deliberately neglect any constant coefficient in complexity expressions. However, we should notice the significance of a constant coefficient which appears in the exponent position of a non-polynomially-bounded quantity (e.g., 1.9229994 + o(1) in expression (4.6.1)). For example, if a new factoring algorithm advances on the current NFS method by reducing the constant 1.9229994 in the exponent of expression (4.6.1) to 1, then the time complexity for factoring a 1024-bit composite integer using that algorithm will be reduced from about 2^86 to about 2^45. The latter is no longer regarded as too huge a quantity for today's computing technology. Specifically for the NFS method, one current research effort for speeding up the method is to reduce the exponent constant, e.g., via a time-memory trade-off (and it is actually possible to achieve such a reduction to some extent, though a reduction in time cost may be penalized by an increase in memory cost).
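The figures quoted above (about 2^86 for a 1024-bit modulus, about 2^45 if the constant in the exponent dropped to 1) and the remark that "sufficiently large n" in Definition 4.12 can be very large in practice can both be checked numerically. The following is an added example, not code from the book. It assumes the standard L-notation form of the NFS running time, exp((c + o(1)) (ln N)^(1/3) (ln ln N)^(2/3)), with the o(1) term dropped, so the results are estimates of the exponent rather than operation counts of any real implementation.

```python
"""Worked numbers for the sub-exponential bound of Section 4.6 (added example).

L_N[alpha, c] = exp(c * (ln N)^alpha * (ln ln N)^(1 - alpha)); alpha = 1/3 is
the Number Field Sieve shape, alpha = 1 is a plain exponential in the bit
length.  Results are returned in log2 so they read directly as "about 2^x".
"""
import math

NFS_CONSTANT = 1.9229994   # (64/9)^(1/3), the constant quoted in the text


def l_notation_log2(bits: int, alpha: float, c: float) -> float:
    """log2 of exp(c * (ln N)^alpha * (ln ln N)^(1 - alpha)) for N ~ 2^bits."""
    ln_n = bits * math.log(2)
    exponent = c * ln_n ** alpha * math.log(ln_n) ** (1 - alpha)
    return exponent / math.log(2)


def nfs_cost_log2(bits: int, c: float = NFS_CONSTANT) -> float:
    """NFS work factor estimate, as a power of two, for a `bits`-bit modulus."""
    return l_notation_log2(bits, 1.0 / 3.0, c)


def polynomial_threshold(a: float, d: int) -> int:
    """Least n_0 such that a**n > n**d for every n > n_0 (Definition 4.12,
    with f_1(n) = a^n against p(n) = n^d).

    Compares n*ln(a) with d*ln(n).  The difference is convex in n with its
    minimum at n = d / ln(a), so once it is positive past that point it stays
    positive, and the loop can stop.
    """
    turning = d / math.log(a)
    n_0 = 0
    n = 1
    while True:
        if n * math.log(a) <= d * math.log(n):
            n_0 = n            # a^n is still no larger than n^d here
        elif n > turning:
            return n_0
        n += 1


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(f"{bits}-bit N: NFS ~ 2^{nfs_cost_log2(bits):.1f}, "
              f"with c = 1 it would be ~ 2^{nfs_cost_log2(bits, c=1.0):.1f}")
    print("2^n exceeds n^100 only from n =", polynomial_threshold(2, 100) + 1)
```

Running it reproduces the 2^86 / 2^45 pair for 1024 bits and shows the same constant-in-the-exponent effect at other key sizes; `polynomial_threshold(2, 100)` returns 996, so the exponential 2^n is beaten by the polynomial n^100 for every n up to 996, which is the sense in which a non-polynomially-bounded algorithm can still be the right tool for small instances.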
We have defined the notion of a non-polynomial bound for large quantities. We can also define a notion for small quantities.
Definition 4.13: Negligible Quantity A function ε(n): ℕ → ℝ is said to be a negligible quantity (or ε(n) is negligible) in n if its reciprocal, i.e., 1/ε(n), is a non-polynomially-bounded quantity in n.
For example, for any polynomial p, p(n)/2^n is a negligible quantity. For this reason, we sometimes also say that a subset of p(n) points in the set {1, 2, 3, ..., 2^n} has a negligible-fraction number of points (with respect to the latter set), or that any p(n) points in {1, 2, 3, ..., 2^n} are sparse in the set.
If ε is a negligible quantity, then 1 − ε is said to be an overwhelming quantity. Thus, for example, we also say that any non-sparse (i.e., dense) subset of {1, 2, ..., 2^n} has an overwhelming-fraction number of points (with respect to the latter set).
A negligible function diminishes to 0 faster than the reciprocal of any polynomial does. If we regard a non-polynomially-bounded quantity as an unmanageable one (for example, in resource allocation), then it should be harmless for us to neglect any quantity at the level of the reciprocal of a non-polynomially-bounded quantity.
More examples:
is negligible in k and
is overwhelming in k.
Review Example 3.6; for p being a k-bit prime number ( being also a prime), we can neglect quantities at the level of or smaller and thereby obtain Prob
Finally, if a quantity is not negligible, then we often say it is a non-negligible quantity, or a significant quantity. For example, we have seen through a series of examples that for a decisional problem whose membership is efficiently decidable, there is a significant probability, via random sampling of the space of the computational tree (Fig 4.4), of finding a witness confirming the membership.

4.7 Polynomial-time Indistinguishability
We have just considered that neglecting a negligible quantity is harmless. However, sometimes when we neglect a quantity, we feel hopeless because we are forced to abandon an attempt not to neglect it. Let us now describe such a situation through an example.
Consider two experiments over the space of large odd composite integers of a fixed length. Let one of them be called E_2_Prime, and the other, E_3_Prime. These two experiments yield large and random integers of the same size: every integer yielded from E_2_Prime is the product of two large distinct prime factors; every integer yielded from E_3_Prime is the product of three or more distinct prime factors. Now let someone supply you with an integer N by following one of these two experiments. Can you tell with confidence from which of these two experiments N is yielded? (Recall that E_2_Prime and E_3_Prime yield integers of the same length.)
By Definition 3.5 (in §3.5), such an experiment result is a random variable of the internal random moves of these experiments. We know that random variables yielded from E_2_Prime and those yielded from E_3_Prime have drastically different probability distributions: E_2_Prime yields a two-prime product with probability 1 while E_3_Prime never does so. However, it is in fact a very hard problem to distinguish random variables from these two experiments.
Let us now define precisely what we mean by indistinguishable ensembles (also called indistinguishable experiments).
Definition 4.14: Distinguisher for ensembles Let E = {e_1, e_2, ...}, E' = {e_1', e_2', ...} be two sets of ensembles in which e_i, e_j' are random variables in a finite sample space S. Denote k = log_2 #S. Let a = (a_1, a_2, ..., a_ℓ) be random variables such that all of them are yielded from either E or E', where ℓ is bounded by a polynomial in k.
A distinguisher D for (E, E') is a probabilistic algorithm which halts in time polynomial in k with output in {0, 1} and satisfies (i) D(a, E) = 1 iff a is from E; (ii) D(a, E') = 1 iff a is from E'.
We say that D distinguishes (E, E') with advantage Adv > 0 if
It is important to notice the use of probability distributions in the formulation of an advantage for a distinguisher D: a distinguisher is a probabilistic algorithm; also it is a polynomial-time algorithm: its input has a polynomially bounded size.
Many random variables can be easily distinguished. Here is an example.
Example 4.4.
Let E = {k-bit Primes} and E' = {k-bit Composites}. Define D(a, E) = 1 iff Prime_Test(a) → YES, and D(a, E') = 1 iff Prime_Test(a) → NO (Prime_Test is specified in Alg 4.5). Then D is a distinguisher for E and E'. When a ∈ E, we have Prob[D(a, E) = 1] = 1 and Prob[D(a, E') = 1] = 0; when a ∈ E', we have Prob[D(a, E) = 1] = 2^−k and Prob[D(a, E') = 1] = 1 − 2^−k. Hence,
Adv(D) ≥ 1 − 2^−(k−1).
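Example 4.4 can be run as an actual distinguishing game. The following is an added example, not code from the book: it samples the two ensembles E (k-bit primes) and E' (k-bit composites), plays a Miller-Rabin test in the role of Prime_Test (Alg 4.5 is not reproduced; Miller-Rabin is assumed as the concrete test), and estimates the advantage empirically as |Prob[D = 1 on E] − Prob[D = 1 on E']|, which is the gap Example 4.4 computes; the book's own closed formula for Adv is not reproduced. A second, deliberately weak distinguisher that only looks at the low bit is included to show that an advantage can be non-negligible long before a distinguisher is anywhere near a full decision procedure.

```python
"""The distinguishing game of Definition 4.14 on Example 4.4 (added example).

E  = k-bit primes, E' = k-bit composites (both with the top bit set).
A distinguisher is any function int -> {0, 1}; its advantage is estimated by
sampling `trials` elements from each ensemble with a seeded generator so the
experiment is repeatable.
"""
import random
from typing import Callable

Distinguisher = Callable[[int], int]


def prime_test(a: int, rounds: int, rng: random.Random) -> bool:
    """Miller-Rabin: True ('YES') if `a` survives `rounds` random witnesses.

    A composite survives one round with probability at most 1/4, so the
    error is at most 4**-rounds; a prime is never rejected.
    """
    if a < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):          # cheap trial division first
        if a % p == 0:
            return a == p
    d, s = a - 1, 0
    while d % 2 == 0:                        # write a - 1 = 2^s * d, d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, a - 1), d, a)
        if x in (1, a - 1):
            continue
        for _ in range(s - 1):
            x = x * x % a
            if x == a - 1:
                break
        else:
            return False                     # witness of compositeness found
    return True


def sample_prime(k: int, rng: random.Random) -> int:
    """One draw from E: a random k-bit prime."""
    while True:
        a = rng.getrandbits(k) | (1 << (k - 1))
        if prime_test(a, 40, rng):
            return a


def sample_composite(k: int, rng: random.Random) -> int:
    """One draw from E': a random k-bit composite."""
    while True:
        a = rng.getrandbits(k) | (1 << (k - 1))
        if not prime_test(a, 40, rng):
            return a


def estimate_advantage(d: Distinguisher, k: int, trials: int, seed: int) -> float:
    """|Pr[D(a)=1 : a from E] - Pr[D(a)=1 : a from E']| estimated by sampling."""
    rng = random.Random(seed)
    hits_e = sum(d(sample_prime(k, rng)) for _ in range(trials))
    hits_e_prime = sum(d(sample_composite(k, rng)) for _ in range(trials))
    return abs(hits_e - hits_e_prime) / trials


def d_prime_test(a: int) -> int:
    """The distinguisher of Example 4.4: 1 iff Prime_Test(a) -> YES.
    The witness generator is seeded from `a` only so that runs are repeatable."""
    return int(prime_test(a, 20, random.Random(a)))


def d_parity(a: int) -> int:
    """A lazy distinguisher: output the least significant bit."""
    return a & 1


if __name__ == "__main__":
    print("Prime_Test distinguisher, k = 32:",
          estimate_advantage(d_prime_test, 32, 200, seed=1))
    print("parity-only distinguisher, k = 32:",
          estimate_advantage(d_parity, 32, 400, seed=1))
```

The first figure is 1.0, matching Adv(D) ≥ 1 − 2^−(k−1) up to the sampling resolution. The parity check already gets an advantage near 1/2, because every k-bit prime is odd while about half of all k-bit composites are even: an ensemble of "all composites" is simply not a hard one to tell from primes, and Definition 4.15 asks for every polynomial-time distinguisher, including trivial ones, to have negligible advantage.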
Definition 4.15: Polynomial-time Indistinguishability Let ensembles E, E' and security parameter k be those defined in Definition 4.14. E, E' are said to be polynomially indistinguishable if there exists no distinguisher for (E, E') with advantage Adv > 0 non-negligible in k for all sufficiently large k.
The following assumption is widely accepted as plausible in computational complexity theory.
Assumption 4.1: General Indistinguishability Assumption There exist polynomially indistinguishable ensembles.
Ensembles E_2_Prime and E_3_Prime are assumed to be polynomially indistinguishable. In other words, if someone supplies us with a set of polynomially many integers which are either all from E_2_Prime, or all from E_3_Prime, and if we use the best known algorithm as our distinguisher, we will soon feel hopeless and have to abandon our distinguishing attempt.
Notice that since we can factor N and then answer the question correctly, our advantage Adv must be no less than the reciprocal of the function in (4.6.1). However, that value is too small not to be neglected. We say that we are hopeless in distinguishing these two ensembles because the best distinguisher we can have will have a negligible advantage in the size of the integer yielded from the ensembles. Such an advantage is a slow-growing function of our computational resources. Here "slow-growing" means that even if we add to our computational resources in a tremendous manner, the advantage will only grow in a marginal manner, so that we will soon become hopeless.
Polynomial indistinguishability is an important security criterion for many cryptographic algorithms and protocols. There are many practical ways to construct polynomially indistinguishable ensembles that are useful in modern cryptography. For example, a pseudo-random number generator is an important ingredient in cryptography; such a generator generates pseudo-random numbers which have a distribution totally determined (i.e., in a deterministic fashion) by a seed. Yet, a good pseudo-random number generator yields pseudo-random numbers which are polynomially indistinguishable from truly random numbers, that is, the distribution of the random variables output from such a generator is indistinguishable from the uniform distribution of strings which are of the same length as those of the pseudo-random variables. In fact, the following assumption is an instantiation of Assumption 4.1:
Assumption 4.2: (Indistinguishability between Pseudo-randomness and True Randomness) There exist pseudo-random functions which are polynomially indistinguishable from truly random functions.
In Chapter 8 we shall see a pseudo-random function (a pseudo-random number generator) which is polynomially indistinguishable from a uniformly random distribution. In Chapter 14 we shall further study a well-known public-key cryptosystem named the Goldwasser-Micali cryptosystem; that cryptosystem has its security based on polynomially indistinguishable ensembles which are related to E_2_Prime and E_3_Prime (we shall discuss the relationship in §6.5.1).
For a further example, a Diffie-Hellman tuple (Definition 13.1 in §13.3.4.3) of four elements in some abelian group and a random quadruple in the same group form indistinguishable ensembles which provide the security basis for the ElGamal cryptosystem and many zero-knowledge proof protocols. We will frequently use the notion of polynomial indistinguishability in several later chapters.

4.8 Theory of Computational Complexity and Modern Cryptography
At the end of our short course in computational complexity, we shall provide a discussion of the relationship between computational complexity and modern cryptography.
4.8.1 A Necessary Condition
On the one hand, we are able to say that complexity-theoretic-based modern cryptography uses P ≠ NP as a necessary condition. Let us call it the P ≠ NP conjecture[f].
[f] A recent survey shows that most theoretic computer scientists believe P ≠ NP.
An encryption algorithm should, on the one hand, provide a user who is in possession of the correct encryption/decryption keys with efficient algorithms for encryption and/or decryption, and on the other hand, pose an intractable problem for one (an attacker or a cryptanalyst) who tries to extract plaintext from ciphertext, or to construct a valid ciphertext without using the correct keys. Thus, a cryptographic key plays the role of a witness, or an auxiliary input (a more suitable name), to an NP-problem-based cryptosystem.
One might want to argue against our assertion on the necessary condition for complexity-theoretic-based cryptography by thinking that there might exist a cryptosystem which would be based on an asymmetric problem in P: encryption would be an O(n) algorithm and the best cracking algorithm would be of order O(n^100). Indeed, even for the tiny case of n = 10, O(n^100) is a 2^332-level quantity which is way, way, way beyond the grasp of the world-wide combination of the most advanced computation technologies. Therefore, if such a polynomial-time cryptosystem exists, we should be in good shape even if it turns out that P = NP. However, the trouble is that while P does enclose O(n^k) problems for any integer k, it does not contain any problem with an asymmetric complexity behavior. For any given problem in P, if an instance of size n is solvable in time n^k, then time n^(k+δ) for any δ > 0 is unnecessary due to the deterministic behavior of the algorithm.
The P ≠ NP conjecture also forms a necessary condition for the existence of one-way functions. In the beginning of this book (§1.1.1) we have assumed that a one-way function f(x) should have a "magic property" (Property 1.1): for all integers x, it is easy to compute f(x) from x, while given most values f(x) it is extremely difficult to find x, except for a negligible fraction of the instances of the problem. Now we know that the class NP provides us with candidates for realizing a one-way function with such a "magic property." For example, problem SATISFIABILITY defines a one-way function from an n-tuple Boolean space to {True, False}.
In turn, the existence of one-way functions forms a necessary condition for the existence of digital signatures. A digital signature should have these properties: easy to verify and difficult to forge.
Moreover, the notion of polynomial-time indistinguishability which we have studied in §4.7 is also based on the P ≠ NP conjecture. This is the decisional case of hard problems in NP.
In Chapters 14, 15 and 17 we shall see the important role polynomial-time indistinguishability plays in modern cryptography: the correctness of cryptographic algorithms and protocols.

I n par t i cular , we shoul d ment i on t he fundament al l y i mpor t ant rol e t hat t he
conjecture plays in a fascinating subject of public-key cryptography: zero-knowledge proof protocols [126] and interactive proof systems.

A zero-knowledge protocol is an interactive procedure running between two principals called a prover and a verifier, with the latter having a polynomially-bounded computational power. The protocol allows the former to prove to the latter that the former knows a YES answer to an NP problem (e.g., a YES answer to Problem SQUARE-FREENESS, or to the question: "Is N from E_2_Prime?"), because the former has an auxiliary input in its possession, without letting the latter learn how to conduct such a proof (i.e., without disclosing the auxiliary input to the latter). Hence the verifier gets "zero-knowledge" about the prover's auxiliary input. Such a proof can be modelled by a non-deterministic Turing machine with an added random tape. The prover can make use of the auxiliary input, and so the machine can always be instructed (by the prover) to move along a recognition sequence (i.e., to demonstrate the YES answer) regarding the input problem. Consequently, the time complexity for a proof is a polynomial in the size of the input instance. The verifier should challenge the prover to instruct the machine to move either along a recognition sequence or along a different sequence, and the challenge should be uniformly random. Thus, from the verifier's observation, the proof system behaves precisely in the fashion of a randomized Turing machine (review §4.4). As a matter of fact, it is the property that the error probability of such a randomized Turing machine can be reduced to a negligible quantity by repeated independent executions (as analyzed in §4.4.1.1) that forms the basis for convincing the verifier that the prover does know the YES answer to the input problem.

The conjecture plays the following two roles in zero-knowledge protocols: (i) an auxiliary input of an NP problem permits the prover to conduct an efficient proof, and (ii) the difficulty of the problem means that the verifier alone cannot verify the prover's claim. In Chapter 18 we will study zero-knowledge proof protocols.
4.8.2 Not a Sufficient Condition
On the other hand, the conjecture does not provide a sufficient condition for a secure cryptosystem, even if such a cryptosystem is based on an NP-complete problem. The well-known broken NP-complete knapsack problem provides a counterexample [200].

After our course in computational complexity, we are now able to provide two brief but clear explanations of why cryptosystems based on NP (or even NP-complete) problems are often broken.

First, as we have pointed out at an early stage of our course (e.g., review Definition 4.1), the complexity-theoretic approach to computational complexity restricts a language L (a problem) in a complexity class with a universal-style quantifier: "any instance $I \in L$." This restriction results in the worst-case complexity analysis: a problem is regarded as difficult even if there exist only negligibly few difficult instances. In contrast, a cryptanalysis can be considered successful as long as it can break a non-trivial fraction of the instances. That is exactly why breaking an NP-complete-based cryptosystem does not lead to a solution to the underlying NP-complete problem. It is clear that the worst-case complexity criterion is hopeless and useless for measuring the security of practical cryptosystems.
The second explanation lies in the inherent difficulty of identifying new lower upper bounds for NP problems (notice that the phrase "new lower upper bounds" makes sense for NP problems; review our discussion on lower and upper bounds in §4.5). The security basis for an NP-problem-based cryptosystem, even if the basis has been proven to be the intractability of an underlying NP problem, is at best an open problem, since we only know an upper bound complexity for the problem. More often, the underlying intractability for such an NP-based cryptosystem is not even clearly identified.
A further dimension of insufficiency for basing the security of modern cryptographic systems on complexity intractability is the main topic of this book: non-textbook aspects of security for applied cryptography (review §1.1.3). Cryptographic systems for real-world applications can be compromised in many practical ways which may have little to do with the mathematical intractability properties underlying the security of an algorithm. We will provide abundant explanations and evidence to manifest this dimension in the rest of this book.

A positive attitude toward the design and analysis of secure cryptosystems, which has been gaining wide acceptance recently, is to formally prove that a cryptosystem is secure (provable security) using polynomial reduction techniques (see Definition 4.10): to "reduce", via an efficient transformation, any efficient attack on the cryptosystem to a solution to an instance of a known NP problem. Usually the NP problem is in a small set of widely accepted "pedigree class." Such a reduction is usually called a reduction to contradiction because it is widely believed that the widely accepted "pedigree problem" does not have an efficient solution. Such a proof provides high confidence in the security of the cryptosystem in question. We shall study this methodology in Chapters 14 and 15.

4.9 Chapter Summary
Computational complexity is one of the foundations (indeed, the most important foundation) for modern cryptography. Due to this importance, this chapter provides a self-contained and systematic introduction to this foundation.

We started with the notion of Turing computability as the class of computable problems. Some problems in the class are tractable (efficiently solvable in polynomial time), which are either deterministic (in ) or non-deterministic (several subclasses in , which are called probabilistic polynomial time). Others are intractable (the class , which is still a subclass in ; this will become clear in §18.2.3). Problems in do not appear to be solvable by efficient algorithms, deterministic or otherwise, while their membership in the class is efficiently verifiable given a witness.

In our course, we also introduced various important notions in computational complexity and in its application in modern cryptography. These include efficient algorithms (several important algorithms are constructed with precise time complexity analysis), order notation, polynomial reducibility, negligible quantity, lower, upper and non-polynomial bounds, and indistinguishability. These notions will be frequently used in the rest of the book.

Finally, we conducted a discussion on the fundamental roles that problems and the complexity-theoretic basis play in modern cryptography.

Exercises
4.1 Construct a Turing machine to recognize even integers. Then construct a machine to recognize integers which are divisible by 6.
Hint: the second machine can use an operation table which conjuncts that of the first and that of Div3 in Fig 4.2.

4.2 In the measurement of the computational complexity of an algorithm, why is the bit-complexity, i.e., a measure based on counting the number of bit operations, preferable to a measure based on counting, e.g., the number of integer multiplications?
Hint: consider that a problem can have instances of varying sizes.

4.3 Our cost measure for gcd(x, y) (for x > y) given by Theorem 4.1 is $\log x$ modulo operations. With a modulo operation having the same cost as a division, $O_B((\log x)^2)$, our measure for gcd(x, y) turns out to be $O_B((\log x)^3)$. However, in standard textbooks the cost for gcd(x, y) is $O_B((\log x)^2)$. What have we missed in our measurement?
Hint: observe inequality (4.3.12).

4.4 Prove statements 2 and 3 in Theorem 4.2.

4.5 Show that (Monte Carlo) and (Las Vegas) are complements of each other (this is denoted by (Monte Carlo) = co (Las Vegas)). That is, a Monte Carlo algorithm for recognizing $I \in L$ is a Las Vegas algorithm for recognizing , and vice versa. Use the same method to show = co .

4.6 In the computational complexity literature, we often see that the class is defined by (4.4.1) and for (4.4.2). We have used any constants , for > 0, > 0. Do these two different ways of formulation make any difference?

4.7 Show that for (k) in (4.4.5), (k) tends to 1 as k tends to infinity.
Hint: consider that 1 − (k) tends to 0.

4.8 Explain why, in the error probability characterization for , the error probabilities must be clearly bounded away from , i.e., and in (4.4.11) must be some non-zero constants.
Hint: consider a "biased" coin: one side is more likely than the other by a negligible quantity. Are you able to find the more likely side by flipping the coin and using the majority election criterion?

4.9 In our measure of the soundness error probability for the QKD protocol (Prot 4.1), we have mentioned two strategies for Eve: sending to Bob completely new m photon states, or forwarding to him whatever she observes. We have only measured the soundness error probability by considering Eve taking the latter strategy. Use the former strategy to derive the same result for the soundness error probability.

4.10 For a positive natural number n we use $|n| = \log_2 n$ as the measure of the size of n (which is the number of bits in n's binary representation). However, in most cases the size of n can be written as $\log n$ without giving an explicit base (the omitted case is the natural base e). Show that for any base b > 1, $\log_b n$ provides a correct size measure for n, i.e., the statement "a polynomial in the size of n" remains invariant for any base b > 1.

4.11 As an exception to the cases in the preceding problem, we sometimes write a positive number in the unary representation, i.e., write $1^n$ for n. Why is this necessary?

4.12 What is an efficient algorithm? What is a practically efficient algorithm?

4.13 If you are already familiar with the properties of Euler's phi function φ(N) (to be introduced in §6.3), then confirm the correctness of Alg 4.8.

4.14 Provide two examples of indistinguishable ensembles.

4.15 Why is a cryptosystem with security based on an NP-complete problem not necessarily secure?

4.16 Differentiate and relate the following problems:
i. Turing computable.
ii. Intractable.
iii. Tractable.
iv. Deterministic polynomial time.
v. Practically efficient.
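For Exercise 4.1 above, the following Python is an added example (not code from the book): it builds finite-state recognizers for even integers and for multiples of 3 that read the binary digits of the input, then forms the product of their operation tables, as the hint suggests, to recognize multiples of 6. The class, function and state names are this example's own, and the state labelling need not match Fig 4.2.

```python
# Added example (not from the book): finite-state recognizers for Exercise 4.1.
# Each machine reads the binary digits of n from the most significant bit and
# never writes or moves left, so its "operation table" is a finite transition
# table (state, bit) -> state.  State labels are this example's own and need
# not match Fig 4.2 of the book.


class Recognizer:
    def __init__(self, start, table, accepting):
        self.start = start
        self.table = table                  # operation table
        self.accepting = frozenset(accepting)

    def run(self, bits):
        """Drive the machine over a string of '0'/'1'; return the final state."""
        state = self.start
        for b in bits:
            state = self.table[(state, b)]
        return state

    def accepts(self, n):
        """Recognize the integer n from the binary representation of |n|."""
        return self.run(format(abs(n), "b")) in self.accepting

    def states(self):
        return {s for s, _ in self.table}


def remainder_machine(m):
    """Machine tracking n mod m: appending a bit to the binary prefix read so
    far maps remainder r to (2*r + bit) mod m.  Accepts exactly the multiples
    of m, so m = 2 gives the even integers and m = 3 the role of Div3."""
    table = {(r, b): (2 * r + int(b)) % m for r in range(m) for b in "01"}
    return Recognizer(0, table, {0})


DIV2 = remainder_machine(2)   # even integers: the first machine of Exercise 4.1
DIV3 = remainder_machine(3)   # plays the role of Div3 in Fig 4.2


def conjunction(m1, m2):
    """Product machine following the hint: run both operation tables in
    lockstep on pairs of states and accept only when both components accept."""
    table = {((s1, s2), b): (m1.table[(s1, b)], m2.table[(s2, b)])
             for s1 in m1.states() for s2 in m2.states() for b in "01"}
    accepting = {(s1, s2) for s1 in m1.accepting for s2 in m2.accepting}
    return Recognizer((m1.start, m2.start), table, accepting)


DIV6 = conjunction(DIV2, DIV3)  # the second machine of Exercise 4.1


def agrees_with_arithmetic(machine, m, limit=1000):
    """Cross-check: the machine accepts n iff m divides n, for 0 <= n < limit."""
    return all(machine.accepts(n) == (n % m == 0) for n in range(limit))


if __name__ == "__main__":
    print("DIV6 has", len(DIV6.states()), "states")
    print("42 divisible by 6:", DIV6.accepts(42), "  44:", DIV6.accepts(44))
    print("agrees with n % 6 below 1000:", agrees_with_arithmetic(DIV6, 6))
```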

Chapter 5. Algebraic Foundations
Section 5.1. Introduction
Section 5.2. Groups
Section 5.3. Rings and Fields
Section 5.4. The Structure of Finite Fields
Section 5.5. Group Constructed Using Points on an Elliptic Curve
Section 5.6. Chapter Summary
Exercises

5.1 Introduction
Cryptographic algorithms and protocols process messages as numbers or elements in a finite space. Encoding (encryption) and the necessary decoding (decryption) operations must transform messages to messages so that the transformation obeys a closure property inside a finite space of the messages. However, the usual arithmetic over numbers such as addition, subtraction, multiplication and division, which is familiar to us, does not have a closure property within a finite space (integers or numbers in an interval). Therefore, cryptographic algorithms which operate in a finite space of messages are in general not constructed using only the familiar arithmetic over numbers. Instead, they in general operate in spaces with certain algebraic structures that maintain the closure property.

In this chapter we introduce three algebraic structures which not only are central concepts of abstract algebra, but also provide the basic elements and operations for modern cryptography and cryptographic protocols. These three structures are: group, ring and field.

5.1.1 Chapter Outline
We study groups in §5.2, rings and fields in §5.3 and the structure of finite fields in §5.4. Finally, in §5.5, we provide a realization of a finite group using points on an elliptic curve.

5.2 Groups
Roughly speaking, a group is a set of objects with an operation defined between any two objects in the set. The need for an operation over a set of objects is very natural. For example, upon every sunset, an ancient shepherd would have counted his herd of sheep. Maybe the shepherd did not even know numbers; but this would not prevent him from performing his operation properly. He could keep with him a sack of pebbles and match each sheep against each pebble. Then, as long as he always ended his matching operation when no more pebbles were left to match, he knew that his herd of sheep was fine. In this way, the shepherd had actually generated a group using the "add 1" operation. Sheep or pebbles or some other objects, the important point here is to perform an operation over a set of objects and obtain a result which remains in the set.

Definition 5.1: Group A group $(G, \circ)$ is a set G together with an operation $\circ$ satisfying the following conditions:
1. $\forall a, b \in G : a \circ b \in G$ (Closure Axiom)
2. $\forall a, b, c \in G : a \circ (b \circ c) = (a \circ b) \circ c$ (Associativity Axiom)
3. $\exists$ unique element $e \in G : \forall a \in G : a \circ e = e \circ a = a$ (Identity Axiom)
The element e is called the identity element.
4. $\forall a \in G : \exists a^{-1} \in G : a \circ a^{-1} = a^{-1} \circ a = e$ (Inverse Axiom)

In the denotation of a group $(G, \circ)$, we often omit the operation $\circ$ and use G to denote a group.

Definition 5.2: Finite and Infinite Groups A group G is said to be finite if the number of elements in the set G is finite; otherwise, the group is infinite.

Definition 5.3: Abelian Group A group G is abelian if for all $a, b \in G$, $a \circ b = b \circ a$.

In other words, an abelian group is a commutative group. In this book we shall have no occasion to deal with non-abelian groups. So all groups to appear in the rest of this book are abelian, and we shall often omit the prefix "abelian."

Example 5.1. Groups
1. The set of integers $\mathbb{Z}$ is a group under addition +, i.e., $(\mathbb{Z}, +)$ is a group, with e = 0 and $a^{-1} = -a$. This is an additive group and is an infinite group (and is abelian). Likewise, the set of rational numbers $\mathbb{Q}$, the set of real numbers $\mathbb{R}$, and the set of complex numbers $\mathbb{C}$ are additive and infinite groups with the same definitions for identity and inverse.
2. Non-zero elements of $\mathbb{Q}$, $\mathbb{R}$ and $\mathbb{C}$ under multiplication are groups with e = 1 and $a^{-1}$ being the multiplicative inverse (defined in the usual way). We denote by $\mathbb{Q}^*$, $\mathbb{R}^*$, $\mathbb{C}^*$ these

groups, respectively. Thus, the full denotations for these groups are: $(\mathbb{Q}^*, \cdot)$, $(\mathbb{R}^*, \cdot)$ and $(\mathbb{C}^*, \cdot)$. They are called multiplicative groups. They are infinite.
3. For any $n \geq 1$, the set of integers modulo n forms a finite additive group of n elements; here addition is in terms of modulo n, the identity element is 0, and for every element a in the group, $a^{-1} = n - a$ (property 2 of Theorem 4.2, in §4.3.2.5). We denote by $\mathbb{Z}_n$ this group. Thus, the full denotation of this group is $(\mathbb{Z}_n, + \pmod n)$. (Notice that $\mathbb{Z}_n$ is a shorthand notation for the formal and standard notation $\mathbb{Z}/n\mathbb{Z}$. We shall see the reason in Example 5.5.)
4. The numbers for hours over a clock form $\mathbb{Z}_{12}$ under addition modulo 12. Let us name $(\mathbb{Z}_{12}, + \pmod{12})$ the "clock group."
5. The subset of $\mathbb{Z}_n$ containing elements relatively prime to n (i.e., gcd(a, n) = 1) forms a finite multiplicative group; here multiplication is in terms of modulo n, e = 1, and for any element a in the group, $a^{-1}$ can be computed using the extended Euclid algorithm (Alg 4.2). We denote by $\mathbb{Z}_n^*$ this group. For example, $(\mathbb{Z}_{15}^*, \cdot \pmod{15}) = (\{1, 2, 4, 7, 8, 11, 13, 14\}, \cdot \pmod{15})$.
6. For the set B = {F, T}, let $\circ$ be $\oplus$ (logical XOR): $F \oplus F = F$, $F \oplus T = T \oplus F = T$, $T \oplus T = F$. Then B under $\oplus$ is a finite group with e = F and $T^{-1} = T$.
7. The roots of $x^3 - 1 = 0$ form a finite group under multiplication with e = 1 (obviously 1 is a root). Denote by Roots($x^3 - 1$) this group. Let us find the other group elements in Roots($x^3 - 1$) and their inverses. As a degree-3 polynomial, $x^3 - 1$ has three roots only. Let $\alpha$, $\beta$ be the other two roots. From $x^3 - 1 = (x - 1)(x^2 + x + 1)$, $\alpha$ and $\beta$ must be the two roots of $x^2 + x + 1 = 0$. By the relation between the roots and the coefficients of a quadratic equation, we have $\alpha\beta = 1$. Thus, $\alpha^{-1} = \beta$ and $\beta^{-1} = \alpha$. The reader may check that the Closure Axiom is satisfied (i.e., $\alpha^2$ and $\beta^2$ are roots of $x^3 - 1 = 0$).

Definition 5.4: Shorthand Representation of Repeated Group Operations Let G be a group with operation $\circ$. For any element $a \in G$, and for any non-negative integer $i \in \mathbb{N}$, we denote by $a^i \in G$ the following element:

We should pay attention to two points in the following remark.

Remark 5.1
i. We write $a^i \in G$ only as a shorthand presentation of the element in Definition 5.4. Notice that the "operation" between the integer i and the element a is not a group operation.

ii. Some groups are conventionally written additively, e.g., $(\mathbb{Z}_n, + \pmod n)$. For these groups, the reader may view $a^i$ as $i \cdot a$. However, in this shorthand view, one must notice that "$\cdot$" here is not a group operation and the integer i is usually not a group element (consider the case $(\mathbb{Z}_n, + \pmod n)$ with i > n).

Definition 5.5: Subgroup A subgroup of a group G is a non-empty subset H of G which is itself a group under the same operation as that of G. We write $H \subseteq G$ to denote that H is a subgroup of G, and $H \subset G$ to denote that H is a proper subgroup of G (i.e., $H \neq G$).

Example 5.2.
1. Under addition, $\mathbb{Z} \subseteq \mathbb{Q} \subseteq \mathbb{R} \subseteq \mathbb{C}$;
2. Under addition, the set of even integers plus 0 is a subgroup of the groups in (1); so is the set of odd numbers plus 0.
3. The "clock group" $(\mathbb{Z}_{12}, + \pmod{12})$ has the following subgroups: ({0}, +), ({0, 6}, +), ({0, 4, 8}, +), ({0, 3, 6, 9}, +), ({0, 2, 4, 6, 8, 10}, +), $(\mathbb{Z}_{12}, +)$.
4. Under multiplication, $\mathbb{Q}^* \subseteq \mathbb{R}^* \subseteq \mathbb{C}^*$.
5. Let n be an odd positive integer and let Fermat(n) denote the subset of $\mathbb{Z}_n^*$ such that any $a \in$ Fermat(n) satisfies (mod n). Then . Moreover, if n is a prime number, then by Fermat's Little Theorem (Theorem 6.10 in §6.4), ; otherwise, Fermat(n) is a proper subgroup of $\mathbb{Z}_n^*$.
6. {F} is a proper subgroup of the group B in Example 5.1(6). However, {T} is not a subgroup of B since it does not contain an identity (i.e., a breach of the Identity Axiom).
7. (Review Example 4.1) The polynomial-time language DIV3 is a subgroup of $\mathbb{Z}$;
8. The set {e} is a subgroup of any group.
Def i n i t i on 5 . 6: Or d er of a Gr oup The n um ber of elem en t s i n a fi ni t e gr oup G is cal led t he or der
of G and is denot ed b y # G.
Exampl e 5. 3.
# Z
n
= n; 1.
2.
3.

2. In Example 5.1(6), #B = 2;
3. In Example 5.1(7), #Roots(x^3 − 1) = 3.
5.2.1 Lagrange's Theorem
Let us now introduce a beautiful and important theorem in group theory.
Definition 5.7: Coset. Let G be a (abelian) group and H ⊆ G. For a ∈ G, the set a ∘ H is called a (left) coset of H.
Theorem 5.1 Lagrange's Theorem
If H is a subgroup of G then #H | #G, that is, #H divides #G.
Proof. For H = G, #H | #G holds trivially. Let us consider H ⊂ G.
For any a ∈ G \ H, by Closure Axiom, coset a ∘ H is a subset of G. We can show the following two facts:
i. For any a ≠ a', if a ∉ a' ∘ H then (a ∘ H) ∩ (a' ∘ H) = ∅.
ii. #(a ∘ H) = #H.
For (i), suppose b ∈ (a ∘ H) ∩ (a' ∘ H). So there exist c, c' ∈ H with a ∘ c = b = a' ∘ c'. Applying Inverse Axiom, Identity Axiom, Closure Axiom and Associative Axiom on elements in H, we have
a = a ∘ e = a ∘ (c ∘ c^(−1)) = b ∘ c^(−1) = (a' ∘ c') ∘ c^(−1) = a' ∘ (c' ∘ c^(−1)) ∈ a' ∘ H.
This contradicts our assumption a ∉ a' ∘ H. As a special case, for a ∉ H = e ∘ H, we have H ∩ (a ∘ H) = ∅.
For (ii), #(a ∘ H) ≤ #H holds trivially by the coset's definition. Suppose that the inequality is strict. This is only possible if for some b ≠ c with b, c ∈ H, a ∘ b = a ∘ c. Applying Inverse Axiom in G, we reach b = c, contradicting b ≠ c.
Thus, G is partitioned by H and the family of its mutually disjoint cosets, each of size #H. Hence #H | #G. (In general, partitioning a set means splitting it into disjoint subsets.)
Example 5.4.
1. Check Example 5.2(3): #H | #Z_12 holds for every H that is a subgroup of the "clock group" Z_12.
2. Instantiate Example 5.2(5) using n = 21; we have Fermat(21) = {1, 8, 13, 20}, satisfying Lagrange's Theorem: #Fermat(21) | #Z_21^*.

Lagrange's Theorem is not only very beautiful in group theory, but also very important in applications. Review our probabilistic primality test algorithm Prime_Test in §4.4.3.1. That algorithm tests whether an odd integer n is prime by testing the congruence x^(n−1) ≡ 1 (mod n) using random x ∈_U Z_n^*. In Example 5.2(5) we have seen that Fermat(n) is the subgroup of Z_n^* defined by this congruence, and is a proper subgroup of Z_n^* if and only if n is not prime. Thus, by Lagrange's Theorem, #Fermat(n) | #Z_n^*. Hence, if n is not prime, #Fermat(n) can be at most half the quantity #Z_n^*. This provides us with the error probability bound of 1/2 for each step of the test, i.e., the working principle of Prime_Test (the probability space being Z_n^*).
In §5.2.2 we will discuss another important application of Lagrange's Theorem in public-key cryptography.
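The following Python program is added here as an illustration and is not code from the book. It reproduces the two facts just used: the coset partition from the proof of Theorem 5.1, and the Lagrange bound on #Fermat(n) that underlies the error probability of Prime_Test. The function names (units_mod, fermat_subgroup, cosets, fermat_test_error_bound) are our own. It also runs the check on 561 = 3·11·17, a Carmichael number for which every unit passes the Fermat congruence, so that the "at most half" argument gives no bound there; this caveat is a standard fact about the Fermat test and is not part of the text above.

```python
# Added illustration, not code from the book: Fermat(n) as a subgroup of Z_n^*,
# the coset partition of Theorem 5.1's proof, and the Lagrange bound behind
# Prime_Test. All names are our own.
from fractions import Fraction
from itertools import product
from math import gcd


def units_mod(n):
    """Z_n^*: the integers a with 0 < a < n and gcd(a, n) = 1."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def fermat_subgroup(n):
    """Fermat(n) = {a in Z_n^* : a^(n-1) == 1 (mod n)} (Example 5.2(5))."""
    return [a for a in units_mod(n) if pow(a, n - 1, n) == 1]


def is_subgroup(h, n):
    """Subgroup axioms for h inside Z_n^*: identity, closure, inverses."""
    hs = set(h)
    if 1 not in hs:
        return False
    closed = all((a * b) % n in hs for a, b in product(h, repeat=2))
    has_inverses = all(pow(a, -1, n) in hs for a in h)   # needs Python 3.8+
    return closed and has_inverses


def cosets(h, n):
    """Left cosets a∘H of the subgroup h in Z_n^* (operation: multiplication mod n).

    Mirrors the proof of Theorem 5.1: every coset has #H elements, distinct
    cosets are disjoint, and together they cover the group, so #H | #G.
    """
    covered, result = set(), []
    for a in units_mod(n):
        if a in covered:
            continue
        coset = frozenset((a * x) % n for x in h)
        assert len(coset) == len(h)          # fact (ii) of the proof
        assert not (coset & covered)         # fact (i) of the proof
        covered |= coset
        result.append(coset)
    assert covered == set(units_mod(n))      # the cosets partition Z_n^*
    return result


def fermat_test_error_bound(n):
    """Fraction of Z_n^* that passes one round of the a^(n-1) == 1 (mod n) test.

    By Lagrange, #Fermat(n) divides #Z_n^* = phi(n).  When Fermat(n) is a
    proper subgroup this fraction is at most 1/2, which is the per-round
    error bound of Prime_Test for composite n.
    """
    fermat, units = fermat_subgroup(n), units_mod(n)
    assert is_subgroup(fermat, n)
    assert len(units) % len(fermat) == 0     # #H | #G
    return Fraction(len(fermat), len(units))


if __name__ == "__main__":
    print(fermat_subgroup(21))                    # [1, 8, 13, 20]
    print(len(cosets(fermat_subgroup(21), 21)))   # 3 cosets = 12 / 4
    print(fermat_test_error_bound(21))            # 1/3, below the 1/2 bound
    print(fermat_test_error_bound(23))            # 1 for a prime: Fermat(23) = Z_23^*
    # Caveat: 561 = 3*11*17 is a Carmichael number; every unit satisfies
    # a^560 == 1 (mod 561), so Fermat(561) = Z_561^* and the bound is useless.
    print(fermat_test_error_bound(561))           # 1
```

The cosets function is deliberately written as the proof is: it asserts facts (i) and (ii) while it walks the group, so a wrong "subgroup" would trip an assertion rather than silently produce a count.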
Definition 5.8: Quotient Group. Let G be a (abelian) group and H ⊆ G. The quotient group of G modulo H, denoted by G/H, is the set of all cosets a ∘ H with a ranging over G, with the group operation defined by (a ∘ H) ∘ (b ∘ H) = (a ∘ b) ∘ H, and with the identity element being e ∘ H.
Example 5.5.
Let n > 0 be an integer. Set nZ = {0, n, 2n, ...} is clearly a subgroup of Z under the integer addition. Quotient group Z/nZ can only have n elements. This is because , and so on, and consequently
Consider that nZ only contains zero modulo n, we can equate

In fact, Z/nZ is the formal and standard notation for Z_n. However, for presentation convenience, in this book we will always use the short-hand notation Z_n in place of Z/nZ.
Corollary 5.1
Let G be a finite (abelian) group and H ⊆ G. Then #(G/H) = #G / #H.
Example 5.6.
Let m, n be positive integers satisfying m | n. Following Example 5.5, we have
1. is a subgroup of with n/m elements;
2. ; and
3.
For instance, consider the "clock group" Z_12 (i.e., n = 12) and its subgroup {0, 3, 6, 9} (i.e., m = 3). The reader may follow Example 5.5 and confirm . Hence . The reader may also check all other cases of m | 12.
5.2.2 Order of Group Element
If we say that in a group the identity element is special in a unique way, then other elements also have some special properties. One such property can be thought of as the "distance" from the identity element.
Definition 5.9: Order of Group Element. Let G be a group and a ∈ G. The order of the element a is the least positive integer i satisfying a^i = e, and is denoted by ord(a). If such an integer i does not exist, then a is called an element of infinite order.
We should remind the reader of the shorthand meaning of a^i where i is an integer and a is a group element. The shorthand meaning of the notation has been defined in Definition 5.4 and further explained in Remark 5.1.

Example 5.7.
1. In the "clock group" Z_12, ord(1) = 12, since 12 is the least positive number satisfying 12·1 ≡ 0 (mod 12); the reader may verify the following: ord(2) = 6, ord(3) = 4, ord(4) = 3, ord(5) = 12. Try to find the orders for the rest of the elements.
2. In B in Example 5.1(6), ord(F) = 1 and ord(T) = 2.
3. In Roots(x^3 − 1) in Example 5.1(7), each of the two non-identity roots has order 3, and ord(1) = 1.
4. In Z, ord(1) = ∞.
Corollary 5.2 Lagrange
Let G be a finite group and a ∈ G be any element. Then ord(a) | #G.
Proof. For any a ∈ G, if a = e then ord(a) = 1 and so ord(a) | #G is a trivial case. Let a ≠ e. Since G is finite, we have 1 < ord(a) < ∞. Elements
Equation 5.2.1
a^1, a^2, ..., a^ord(a)
are necessarily distinct. Suppose they were not; then a^r = a^s for some non-negative integers r and s satisfying 1 ≤ r < s ≤ ord(a). Applying "Inverse Axiom" of (a^r)^(−1) to both sides, we will have a^(s−r) = e where 0 < s − r < ord(a). This contradicts the definition of ord(a) being the least positive integer satisfying a^ord(a) = e.
It is easy to check that the ord(a) elements in (5.2.1) form a subgroup of G. By Lagrange's Theorem, ord(a) | #G.
Corollary 5.2, which we have shown as a direct application of Lagrange's Theorem, provides a relationship between the order of a group and the orders of elements in the group. This relationship has an important application in public-key cryptography: the famous cryptosystems of Rivest, Shamir and Adleman (RSA) [246] work in a group of a secret order which is known exclusively to the key owner. A ciphertext can be considered as a random element in the group. With the knowledge of the group order the key owner can use the relationship between the order of the element and the order of the group to transform the ciphertext back to plaintext (i.e., to decrypt). We will study the RSA cryptosystems in §8.5.
5.2.3 Cyclic Groups
Example 5.1(4) indicates that we can conveniently view Z_n as n points dividing a circle. This circle is (or these n points are) formed by n repeated operations a^1, a^2, ..., a^n for some element

a ∈ Z_n. This is a cyclic view of Z_n. For addition modulo n as the group operation, a = 1 provides a cyclic view of Z_n. The reader may check that for the case of n = 12 as in Example 5.1(4), 5, 7, 11 are the other three elements which can also provide cyclic views for Z_12.
Informally speaking, if a group has a cyclic view, then we say that the group is a cyclic group. Cyclic groups are groups with nice properties. They have wide applications in cryptography.
Definition 5.10: Cyclic Group, Group Generator. A group G is said to be cyclic if there exists an element a ∈ G such that for any b ∈ G, there exists an integer i ≥ 0 such that b = a^i. Element a is called a generator of G. G is also called the group generated by a.
When a group is generated by a, we can write G = ⟨a⟩.
A generator of a cyclic group is also called a primitive root of the group's identity element. The meaning of this name will become clear in §5.4.3 (Theorem 5.11).
Example 5.8.
1. For n ≥ 1, the additive Z_n is cyclic because, obviously, 1 is a generator.
2. B in Example 5.1(6) is cyclic and is generated by T.
3. Roots(x^3 − 1) in Example 5.1(7) is cyclic and is generated by either of its two non-identity elements.
4. Let p be a prime number. Then the multiplicative group Z_p^* is cyclic. This is because Z_p^* contains an element of order p − 1 and hence such an element generates the whole group. In Alg 4.6 we have seen informally an evidence for Z_p^* containing a generator. We will provide a formal proof of Z_p^* being cyclic in Theorem 5.12.
5. In group Z_7^*, 3 is a generator. This element provides a cyclic view for Z_7^* as follows (remember the group operation being multiplication modulo 7):
Definition 5.11: Euler's Function. For n ∈ N with n ≥ 1, Euler's function φ(n) is the number of

integers k with 0 ≤ k < n and gcd(k, n) = 1.
A number of useful results can be derived for cyclic groups.
Theorem 5.2
1. Every subgroup of a cyclic group is cyclic.
2. For every positive divisor d of #⟨a⟩, ⟨a⟩ contains precisely one subgroup of order d.
3. If #⟨a⟩ = m, then #⟨a^k⟩ = ord(a^k) = m/gcd(k, m).
4. For every positive divisor d of #⟨a⟩, ⟨a⟩ contains φ(d) elements of order d.
5. Let #⟨a⟩ = m. Then ⟨a⟩ contains φ(m) generators. They are elements a^r such that gcd(r, m) = 1.
Proof
1. Let H ⊆ ⟨a⟩. If H = {e} or H = ⟨a⟩ then H is obviously cyclic. So we only consider other cases of H. Let d > 1 be the least integer such that a^d ∈ H, and let a^s ∈ H for some s > d. Dividing s by d: s = dq + r for some 0 ≤ r < d. Since a^(dq) ∈ H we have a^r = a^(s − dq) ∈ H. The minimality of d and H ⊂ ⟨a⟩ imply r = 0. So s is a multiple of d. So H only contains the powers of a^d, and hence is cyclic.
2. Let d > 1 and d | m = #⟨a⟩. Then ⟨a^(m/d)⟩ is an order-d subgroup of ⟨a⟩ since d is the least integer satisfying (a^(m/d))^d = e. Let us assume that there exists another order-d subgroup of ⟨a⟩ which is different from ⟨a^(m/d)⟩. By 1, such a subgroup must be cyclic and hence be ⟨a^k⟩ for some k > 1. From a^(kd) = e with minimality of m we have m | kd, or equivalently, (m/d) | k. So a^k ∈ ⟨a^(m/d)⟩, i.e., ⟨a^k⟩ ⊆ ⟨a^(m/d)⟩. The same order of these two groups means ⟨a^k⟩ = ⟨a^(m/d)⟩. This contradicts our assumption ⟨a^k⟩ ≠ ⟨a^(m/d)⟩.
3. Let d = gcd(k, m). Then by 2 there exists a unique order-d subgroup of ⟨a⟩. Let this subgroup be ⟨a^l⟩ for some least l > 1, i.e., l is the least integer satisfying a^(dl) = e. By the minimality of m, we have m | dl, or equivalently, (m/d) | l. The least case for l is when d = gcd(l, m), i.e., l = k.
4. Let d | m = #⟨a⟩ and let a^k be any element in ⟨a⟩ for 0 ≤ k < m. By 3, element a^k is of order d if and only if m/d = gcd(k, m). Write k = c·(m/d) with 0 ≤ c < d. Then gcd(k, m) = m/d is equivalent to gcd(c, d) = 1. By Definition 5.11, there are φ(d) such c.
5. For m = #⟨a⟩, by 4, ⟨a⟩ contains φ(m) elements of order m, and they are of order m and hence are generators of ⟨a⟩. Further by 3, these generators are a^r with gcd(r, m) = 1.

Corollary 5.3
A prime-order group is cyclic, and any non-identity element in the group is a generator.
Proof. Let G be a group of prime order p. Let a ∈ G be any non-identity element. From Corollary 5.2, ord(a) | #G = p. Since a ≠ e, ord(a) ≠ 1. Then it has to be the case ord(a) = p. Therefore ⟨a⟩ = G, i.e., a is a generator of G.
Example 5.9.
Consider the "clock group" Z_12 which is cyclic:
for 1 | 12, it contains an order-1 subgroup {0}; because φ(1) = 1, the only element of order 1 is 0;
for 2 | 12, it contains an order-2 subgroup {0, 6}; because φ(2) = 1, the only element of order 2 is 6;
for 3 | 12, it contains an order-3 subgroup {0, 4, 8}; 4 and 8 are the 2 = φ(3) elements of order 3;
for 4 | 12, it contains an order-4 subgroup {0, 3, 6, 9}; 3 and 9 are the 2 = φ(4) elements of order 4;
for 6 | 12, it contains an order-6 subgroup {0, 2, 4, 6, 8, 10}; 2 and 10 are the 2 = φ(6) elements of order 6;
for 12 | 12, it contains an order-12 subgroup Z_12; in it, 1, 5, 7 and 11 are the 4 = φ(12) elements of order 12.
The reader may analyze the multiplicative group Z_7^* analogously.
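As an added illustration (our own code, not the book's), the following Python program computes element orders in the "clock group" (Z_12, +) and in Z_7^* and checks the counts of Example 5.9 against Theorem 5.2: φ(d) elements of order d for each d | #G (and none for other d, which is Corollary 5.2), φ(m) generators, and ord(a^k) = m/gcd(k, m) for a generator a. Function names such as additive_order, mult_order and elements_of_each_order are ours.

```python
# Added illustration, not code from the book: element orders and the structure
# of cyclic groups (Theorem 5.2, Corollary 5.2, Example 5.9). Names are ours.
from math import gcd


def phi(n):
    """Euler's function (Definition 5.11): count of 0 <= k < n with gcd(k, n) = 1."""
    return sum(1 for k in range(n) if gcd(k, n) == 1)


def additive_order(a, n):
    """ord(a) in (Z_n, +): least i >= 1 with i*a == 0 (mod n)."""
    i, x = 1, a % n
    while x != 0:
        x, i = (x + a) % n, i + 1
    return i


def mult_order(a, n):
    """ord(a) in Z_n^*: least i >= 1 with a^i == 1 (mod n); a must be a unit."""
    assert gcd(a, n) == 1
    i, x = 1, a % n
    while x != 1:
        x, i = (x * a) % n, i + 1
    return i


def orders_by_value(elements, order_fn):
    """Map each element to its order, e.g. {0: 1, 1: 12, 2: 6, ...} for Z_12."""
    return {a: order_fn(a) for a in elements}


def elements_of_each_order(orders, m):
    """Theorem 5.2(4): a cyclic group of order m has phi(d) elements of order d
    for every d | m; Corollary 5.2: no element has an order that fails to divide m."""
    counts = {}
    for d in orders.values():
        counts[d] = counts.get(d, 0) + 1
    for d in range(1, m + 1):
        expected = phi(d) if m % d == 0 else 0
        assert counts.get(d, 0) == expected, (d, counts.get(d, 0), expected)
    return counts


def generators(elements, orders, m):
    """Theorem 5.2(5): the generators are exactly the phi(m) elements of order m."""
    gens = [a for a in elements if orders[a] == m]
    assert len(gens) == phi(m)
    return gens


def check_power_order(g, n, m):
    """Theorem 5.2(3): ord(g^k) = m / gcd(k, m) for a generator g of Z_n^* with #Z_n^* = m."""
    return all(mult_order(pow(g, k, n), n) == m // gcd(k, m) for k in range(1, m))


if __name__ == "__main__":
    z12 = list(range(12))
    o12 = orders_by_value(z12, lambda a: additive_order(a, 12))
    print(o12)                              # ord(1)=12, ord(2)=6, ord(3)=4, ord(4)=3, ord(5)=12, ...
    print(elements_of_each_order(o12, 12))  # {1: 1, 2: 1, 3: 2, 4: 2, 6: 2, 12: 4}
    print(generators(z12, o12, 12))         # [1, 5, 7, 11]

    z7 = list(range(1, 7))                  # Z_7^*, of order 6, generated by 3
    o7 = orders_by_value(z7, lambda a: mult_order(a, 7))
    print(generators(z7, o7, 6))            # [3, 5]
    print(check_power_order(3, 7, 6))       # True
```

The same functions answer the closing suggestion of Example 5.9: running orders_by_value over Z_7^* shows φ(d) elements of order d for each d | 6, and exactly φ(6) = 2 generators.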
5.2.4 The Multiplicative Group Z_n^*
Let n = pq for p and q being distinct odd prime numbers. The multiplicative group Z_n^* is very important in modern cryptography. Let us now have a look at its structure. We stipulate that all n in this subsection are such composites.
Since elements in Z_n^* are the positive integers less than n and co-prime to n, by Definition 5.11 this group contains φ(n) = (p − 1)(q − 1) elements (see Lemma 6.1 to confirm φ(n) = (p − 1)(q − 1)).
Theorem 5.3
Any element in Z_n^* has an order dividing lcm(p − 1, q − 1).
Proof. Let a ∈ Z_n^*. By Fermat's Little Theorem (Theorem 6.10 in §6.4) we know a^(p−1) ≡ 1 (mod p).

Denoting λ = lcm(p − 1, q − 1), trivially we have a^λ ≡ 1 (mod p).
Symmetrically we can also derive a^λ ≡ 1 (mod q).
These two congruences actually say that a^λ − 1 is a multiple of p and also a multiple of q. Since p and q are distinct prime numbers, a^λ − 1 must be a multiple of n = pq. This means a^λ ≡ 1 (mod n).
Therefore, λ is a multiple of the order of a modulo n.
Notice that both p − 1 and q − 1 are even, therefore λ = lcm(p − 1, q − 1) < (p − 1)(q − 1) = φ(n). Theorem 5.3 says that there is no element in Z_n^* of order φ(n). That is, Z_n^* contains no generator. So by Definition 5.10, Z_n^* is non-cyclic. Value λ(n) is called Carmichael number of n.
Example 5.10.
For n = 5 × 7 = 35, let a ∈ Z_35^* be such an element: (i) a (mod 5) has the maximum order 4 and hence it provides a cyclic view for the cyclic group Z_5^* (the left circle below, of period 4); (ii) a (mod 7) has the maximum order 6 and hence it provides a cyclic view for the cyclic group Z_7^* (the right circle below, of period 6).
Then the order of a (mod 35) can be viewed as the period decided by two engaged toothed wheels. One has four teeth and the other has six teeth. We initially chalk-mark a large dot (see the picture below) at the engaged point of the two wheels. Now let the engaged gears revolve, and the large chalk mark becomes two separate marks on the two wheels. These two separate marks will meet again after the mark on the four-toothed wheel has travelled 3 revolutions, and that on the six-toothed wheel, 2 revolutions. Therefore, the order (period) of a (mod 35) is exactly the distance between the separation and the reunion of the large chalk mark, and is 3 × 4 = 2 × 6 = 12 = lcm((5 − 1), (7 − 1)).

Let ord_n(a) denote the order of an element a modulo a positive number n. In general, any element a ∈ Z_n^* has the order ord_n(a) defined by ord_p(a) and ord_q(a) in the following relation:
Equation 5.2.2
Since Z_p^* and Z_q^* are both cyclic, they have elements of maximum orders p − 1 and q − 1, respectively. Consequently, Z_n^* contains elements of the maximum order lcm(p − 1, q − 1). On the other hand, some maximum-order element can satisfy the cases of ord_p(a) < p − 1 and/or ord_q(a) < q − 1. For example, because lcm(4, 3) = lcm(4, 6) and because Z_7^* contains an element of order 3, group Z_35^* contains an element of the maximum period 12 which is represented by two engaged toothed wheels of four teeth and three teeth.
In the next chapter we will provide a 1-1 onto mapping between the elements in Z_n^* and the pairs of elements in Z_p^* × Z_q^*. The mapping is computable and hence it provides a method to construct elements in Z_n^* out of those in the cyclic groups Z_p^* and Z_q^*. The latter job is usually easier because it can make use of the nice properties of the latter two groups (cyclic groups). For example, because computing square roots in Z_p^* and Z_q^* is easy, we can use the mapping to construct square roots in Z_n^* using the square roots computed in Z_p^* and Z_q^*.
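As an added example (not from the book), the following Python checks relation (5.2.2) and the maximum order lcm(p − 1, q − 1) by brute force for the case p = 5, q = 7 discussed above, and builds elements of Z_35^* from pairs in Z_5^* × Z_7^* with the Chinese Remainder Theorem; the function names are my own.

```python
# Added example (not from the book): brute-force check of
#   ord_n(a) = lcm(ord_p(a), ord_q(a))      for n = p*q, p, q distinct primes,
# of the maximum order lcm(p-1, q-1) in Z_n^*, and of building an element of
# Z_n^* from a pair in Z_p^* x Z_q^* (Chinese Remainder Theorem).
from math import gcd, lcm


def order_mod(a: int, n: int) -> int:
    """Multiplicative order of a in Z_n^*: least k > 0 with a^k = 1 (mod n)."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    k, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        k += 1
    return k


def relation_holds(p: int, q: int) -> bool:
    """ord_n(a) == lcm(ord_p(a), ord_q(a)) for every a in Z_n^*, n = p*q."""
    n = p * q
    return all(order_mod(a, n) == lcm(order_mod(a, p), order_mod(a, q))
               for a in range(1, n) if gcd(a, n) == 1)


def max_order(p: int, q: int) -> int:
    """Largest element order in Z_n^*; expected to be lcm(p-1, q-1),
    which is smaller than phi(n) = (p-1)(q-1), so Z_n^* is not cyclic."""
    n = p * q
    return max(order_mod(a, n) for a in range(1, n) if gcd(a, n) == 1)


def from_pair(a_p: int, a_q: int, p: int, q: int) -> int:
    """The 1-1 onto mapping Z_p^* x Z_q^* -> Z_n^* (CRT): the unique a mod n
    with a = a_p (mod p) and a = a_q (mod q)."""
    t = ((a_q - a_p) * pow(p, -1, q)) % q
    return a_p + p * t


def toothed_wheels(p: int, q: int, k_p: int, k_q: int) -> list:
    """Elements a of Z_n^* with ord_p(a) = k_p and ord_q(a) = k_q, i.e. two
    engaged wheels of k_p and k_q teeth; each has ord_n(a) = lcm(k_p, k_q)."""
    n = p * q
    return [a for a in range(1, n) if gcd(a, n) == 1
            and order_mod(a, p) == k_p and order_mod(a, q) == k_q]
```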

5.3 Rings and Fields
One day our ancient shepherd settled down and became a farmer. He needed to figure out with his neighbors the areas of their lands. The shepherds-turned-farmers began to realize that it was no longer possible for them to use one basic operation for everything: they needed not only sum, but also product. The need for two operations over a set of objects started then.
Definition 5.12: Ring A ring R is a set together with two operations: (addition) + and (multiplication) ·, and has the following properties:
1. Under addition +, R is an abelian group; denote by 0 the additive identity (called the zero-element);
2. Under multiplication ·, R satisfies Closure Axiom, Associativity Axiom and Identity Axiom; denote by 1 the multiplicative identity (called the unity-element); 1 ≠ 0;
3. ∀a, b ∈ R : a · b = b · a (Commutative Axiom)
4. ∀a, b, c ∈ R : a · (b + c) = a · b + a · c (Distribution Axiom)
In this definition, the bold form 0 and 1 are used to highlight that these two elements are abstract elements and are not necessarily their integer counterparts (see, e.g., Example 5.11(3) in a moment).
Similar to our confinement of ourselves to the commutative groups, in Definition 5.12 we have stipulated multiplication to satisfy the Commutative Axiom. So Definition 5.12 defines a commutative ring and that is the ring to be considered in this book. We should also stress that + and · are abstract operations: that is, they are not necessarily the ordinary addition and multiplication between integers. Whenever possible, we shall shorten a · b into ab; explicit presentation of the operation "·" will only be needed where the operation is written without operands.
Example 5.11. Rings
1. ℤ, ℚ, ℝ and ℂ are all rings under usual addition and multiplication with 0 = 0 and 1 = 1.
2. For any n > 0, Z_n is a ring under addition and multiplication modulo n with 0 = 0 and 1 = 1.
3. Let B be the additive group defined in Example 5.1(6) with the zero-element F. Let the multiplication operation be ∧ (logical And): F ∧ F = F, F ∧ T = T ∧ F = F, T ∧ T = T. Then B is a ring with the unity-element T.
At first glance, Definition 5.12 has only defined multiplication for non-zero elements. In fact, multiplication between the zero-element and other elements has been defined by Distribution Axiom. For example, 0a = (b + (−b))a = ba + (−b)a = ba − ba = 0. Moreover, a ring can have zero-divisors, that is, elements a, b satisfying ab = 0 with a ≠ 0 and b ≠ 0. For example, for

n = kl being a nontrivial factorization of n, both k and l are non-zero elements in the ring Z_n, and the product kl = n = 0 (mod n) is the zero-element.
Definition 5.13: Field If the non-zero elements of a ring form a group under multiplication, then the ring is called a field.
The Closure Axiom for the multiplicative group (i.e., the non-zero elements) of a field implies that a field F cannot contain a zero-divisor, that is, for any a, b ∈ F, ab = 0 implies either a = 0 or b = 0.
Example 5.12. Fields
1. ℚ, ℝ and ℂ are all fields under usual addition and multiplication with 0 = 0 and 1 = 1.
2. The two-element ring B in Example 5.11(3) is a field.
3. For p being a prime number, Z_p is a field under addition and multiplication modulo p with 0 = 0 and 1 = 1.
We shall see more examples of fields in a moment.
Note that ℤ under integer addition and multiplication is not a field because a non-zero element does not in general have a multiplicative inverse in ℤ (a violation of the Inverse Axiom). Also, for n being a composite, Z_n is not a field either since we have seen that Z_n contains zero-divisors (a violation of the Closure Axiom).
Sometimes there will be no need for us to care about the difference among a group, a ring or a field. In such a situation we shall use "an algebraic structure" to refer to any of these structures.
The notions of finite group, subgroup, quotient group and the order of group can be extended straightforwardly to rings and fields.
Definition 5.14: An algebraic structure is said to be finite if it contains a finite number of elements. The number of elements is called the order of the structure.
A substructure of an algebraic structure A is a non-empty subset S of A which is itself an algebraic structure under the operation(s) of A. If S ≠ A then S is called a proper substructure of A.
Let A be an algebraic structure and B ⊆ A be a substructure of A. The quotient structure of A modulo B, denoted by A/B, is the set of all cosets a ∘ B with a ranging over A, with the operation defined by (a ∘ B) ∘ (b ∘ B) = (a ∘ b) ∘ B, and with the identity elements being 0 ∘ B and 1 ∘ B.
From Definition 5.14, a ring (respectively, a field) not only can have a subring (respectively, a subfield), but also can have a subgroup (respectively, a subring and a subgroup). We shall see such examples in §5.4.

5.4 The Structure of Finite Fields
Finite fields find wide applications in cryptography and cryptographic protocols. The pioneer work of Diffie and Hellman in public-key cryptography, the Diffie-Hellman key exchange protocol [98] (§8.3), was originally proposed to work in finite fields of a particular form. Since the work of Diffie and Hellman, numerous finite-fields-based cryptosystems and protocols have been proposed: the ElGamal cryptosystems [102], the Schnorr identification protocol and signature scheme [257], the zero-knowledge undeniable signatures of Chaum, and the zero-knowledge proof protocols of Chaum and Pedersen [73], are well-known examples. Some new cryptosystems, such as the Advanced Encryption Standard [219] (§7.7) and the XTR cryptosystems [175], work in finite fields of a more general form. Finite fields also underlie elliptic curves which in turn form the basis of a class of cryptosystems (e.g., [166]).
Let us now conduct a self-contained course in the structure of finite fields.
5.4.1 Finite Fields of Prime Numbers of Elements
Finite fields with the simplest structure are those whose orders (i.e., the number of elements) are prime numbers. Yet, such fields have been the most widely used ones in cryptography.
Definition 5.15: Prime Field A field that contains no proper subfield is called a prime field.
For example, ℚ is a prime field whereas ℝ is not, since ℚ is a proper subfield of ℝ. But ℚ is an infinite field. In finite fields, we shall soon see that a prime field must contain a prime number of elements, that is, must have a prime order.
Definition 5.16: Homomorphism and Isomorphism Let A, B be two algebraic structures. A mapping f : A → B is called a homomorphism of A into B if f preserves operations of A. That is, if ∘ is an operation of A and •, an operation of B, then ∀x, y ∈ A, we have f(x ∘ y) = f(x) • f(y). If f is a one-to-one homomorphism of A onto B, then f is called an isomorphism and we say that A and B are isomorphic.
If f : A → B is a homomorphism and e is an identity element in A (either additive or multiplicative), then
so that f(e) is the identity element in B. Also, for any a ∈ A
so that f(a^{−1}) = f(a)^{−1} for all a ∈ A. Moreover, if the mapping is one-one onto (i.e., A and B are isomorphic), then A and B have the same number of elements. Two isomorphic algebraic structures will be viewed to have the same structure.

Example 5.13. Isomorphic Algebraic Structures
i. Denote by F_2 the set {0, 1} with operations + and · being integer addition modulo 2 and integer multiplication, respectively. Then F_2 must be a field because it is isomorphic to field B in Example 5.12(2). It is routine to check that mapping f(0) = F, f(1) = T is an isomorphism.
ii. For any prime number p, additive group Z_{p−1} is isomorphic to multiplicative group Z_p^*. It is routine to check that function f(x) = g^x (mod p), for g a generator of Z_p^*, is an isomorphism between these two sets.
Clearly, all fields of two elements are isomorphic to each other and hence to F_2. A field of two elements is the simplest field: it contains the two necessary elements, namely, the zero-element and the unity-element, and nothing else. Since under isomorphisms there is no need to differentiate these fields, we can treat F_2 as the unique field of order 2.
Example 5.14. Finite Field of Prime Order
Let p be any prime number. Then Z_p, the integers modulo p, is a finite field of order p (i.e., of p elements) with addition and multiplication modulo p as the field operations. Indeed, we have already shown, in Example 5.11(2), that Z_p is an additive ring, and in Example 5.1(5) that the non-zero elements of Z_p, denoted by Z_p^*, form a multiplicative group.
Definition 5.17: Field F_p Let p be a prime number. We denote by F_p the finite field Z_p.
Let F be any finite field of a prime order p. Since we can construct a one-one mapping from F onto F_p (i.e., the mapping is an isomorphism), any finite field of order p is isomorphic to F_p. As there is no need for us to differentiate fields which are isomorphic to each other, we can harmlessly call F_p the finite field of order p.
Let A be a finite algebraic structure with additive operation "+," and let a be any non-zero element in A. Observe the following sequence:
Equation 5.4.1
Since A is finite, the element a has a finite order and therefore in this sequence there must exist a pair (ia, ja) with i < j being integers and ja − ia = (j − i)a = 0.
We should remind the reader to notice Definition 5.4 and Remark 5.1 for the shorthand meaning of writing multiplication ia where i is an integer and a is an algebraic element.
Definition 5.18: Characteristic of an Algebraic Structure The characteristic of an algebraic structure A, denoted by char(A), is the least positive integer n such that na = 0 for every a ∈ A. If

no such positive integer n exists, then A is said to have the characteristic 0.
Theorem 5.4
Every finite field has a prime characteristic.
Proof Let F be a finite field and a ∈ F be any non-zero element. With (j − i)a = 0 and j > i derived from the sequence in (5.4.1) we know F must have a positive characteristic. Let it be n. Since F has at least two elements (i.e., the zero-element and the unity-element), n ≥ 2. If n > 2 were not prime, we could write n = kl with 1 < k, l < n. Then
This implies either k1 = 0 or l1 = 0 since non-zero elements of F form a multiplicative group (which does not contain 0). It follows that either ka1 = (k1)a = 0 for all a ∈ F or la1 = (l1)a = 0 for all a ∈ F, in contradiction to the definition of the characteristic n.
5.4.2 Finite Fields Modulo Irreducible Polynomials
The order of a finite prime field is equal to the characteristic of the field. However, this is not the general case for finite fields. A more general form of finite fields can be constructed using polynomials.
5.4.2.1 Polynomials Over an Algebraic Structure
In Chapter 4 we have already used polynomials over integers. Now let us become familiar with polynomials over an abstract algebraic structure.
Definition 5.19: Polynomials Over an Algebraic Structure Let A be an algebraic structure with addition and multiplication. A polynomial over A is an expression of the form
where n is a non-negative integer, the coefficients a_i, 0 ≤ i ≤ n, are elements in A, and x is a symbol not belonging to A. The coefficient a_n is called the leading coefficient and is not the zero-element in A for n ≠ 0. The integer n is called the degree of f(x) and is denoted by n = deg(f(x)) = deg(f). If the leading coefficient is a_0, then f is called a constant polynomial. If the leading coefficient is a_0 = 0, then f is called the zero-polynomial and is denoted by f = 0. We denote by A[x] the set of all polynomials over algebraic structure A.
For f, g ∈ A[x] with

we have
Equation 5.4.2
and
Equation 5.4.3
It is easy to see that if A is a ring, then A[x] is a ring with A being a subring of A[x]. Addition and multiplication between polynomials over a ring will result in the following relationship on the polynomial degrees:
Now if A is a field, then because a field has no zero-divisors, we will have c_{n+m} = a_n b_m ≠ 0 for a_n ≠ 0 and b_m ≠ 0. So if A is a field, then
Let f, g ∈ A[x] such that g ≠ 0. Analogous to the case of division between integers (see §4.3.2.1), we can always write
Equation 5.4.4

Example 5.15.
Consider . We can compute q, r ∈ [x] by long division
Therefore q = x² + x and r = x² + 1.
Definition 5.20: Irreducible Polynomial Let A be an algebraic structure. A polynomial f ∈ A[x] is said to be irreducible over A (or irreducible in A[x], or prime in A[x]) if f has a positive degree and f = gh with g, h ∈ A[x] implies that either g or h is a constant polynomial. A polynomial is said to be reducible over A if it is not irreducible over A.
Notice that the reducibility of a polynomial depends on the algebraic structure over which the polynomial is defined. A polynomial can be reducible over one structure, but irreducible over another.
Example 5.16.
For quadratic polynomial f(x) = x² − 2x + 2: (i) Discuss its reducibility over the usual infinite algebraic structures; (ii) Investigate its reducibility over finite fields F_p for any odd prime number p; (iii) Factor f(x) over F_p for p < 10.
i. Using the rooting formula in elementary algebra, we can compute the two roots of f(x) = 0 as
Since √−1 is not in ℝ, f(x) is irreducible over ℝ (and hence is irreducible over ℚ or ℤ). But because √−1 ∈ ℂ, f(x) is reducible over ℂ:
ii.

Clearly, f(x) is reducible over F_p for any odd prime p if and only if √−1 is an element in F_p, or equivalently, −1 is a square number modulo p.
A number x is a square modulo p if and only if there exists y (mod p) satisfying x ≡ y² (mod p). By Fermat's Little Theorem (Theorem 6.10 in §6.4), we know that all x (mod p) satisfy x^{p−1} ≡ 1 (mod p). For p being an odd prime, Fermat's Little Theorem is equivalent to
Equation 5.4.5
for all x with 0 < x < p (where −1 denotes p − 1). If x is a square modulo p, then (5.4.5) becomes
Therefore, we know that (5.4.5) provides a criterion for testing whether x is a square modulo an odd prime p: x is a square (respectively, non-square) modulo p if the test yields 1 (respectively, −1).
To this end we know that for any odd prime p, f(x) is reducible over F_p if and only if (−1)^{(p−1)/2} ≡ 1 (mod p), and is irreducible if and only if (−1)^{(p−1)/2} ≡ −1 (mod p). In other words, f(x) is reducible (or irreducible) over F_p if p ≡ 1 (mod 4) (or p ≡ 3 (mod 4)).
iii. For p = 2, f(x) = x² − 2x + 2 = x² − 0x + 0 = x² and is reducible over F_2.
The only odd prime less than 10 and congruent to 1 modulo 4 is 5. Since −1 ≡ 4 ≡ 2² (mod 5), i.e., √−1 ≡ 2 (mod 5), we can completely factor f(x) over F_5:
The other square root of −1 in F_5 is 3. The reader may check that the root 3 will provide the same factorization of f(x) over F_5 as does the root 2.
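As an added example (not from the book), the following Python applies the square test (5.4.5) to −1 and factors f(x) = x² − 2x + 2 over F_p for every odd prime p, not only p < 10; the function names are my own, and the square root is found by exhaustive search, which is enough for small p.

```python
# Added example (not from the book): the square test (5.4.5) and the
# factorization of f(x) = x^2 - 2x + 2 over F_p from Example 5.16,
# generalised to every odd prime p rather than only p < 10.
from typing import List, Optional


def is_square_mod(x: int, p: int) -> bool:
    """Euler's criterion (5.4.5): for an odd prime p and 0 < x < p,
    x^((p-1)/2) is 1 (mod p) iff x is a square modulo p, and p-1 otherwise."""
    x %= p
    if x == 0:
        raise ValueError("the criterion needs 0 < x < p")
    return pow(x, (p - 1) // 2, p) == 1


def sqrt_mod(x: int, p: int) -> Optional[int]:
    """Smallest y with y^2 = x (mod p), by exhaustive search (fine for small p;
    a real implementation would use Tonelli-Shanks)."""
    x %= p
    for y in range(p):
        if (y * y) % p == x:
            return y
    return None


def f_eval(x: int, p: int) -> int:
    """f(x) = x^2 - 2x + 2 evaluated in F_p."""
    return (x * x - 2 * x + 2) % p


def factor_f_mod(p: int) -> Optional[List[int]]:
    """Factor f over F_p: the sorted roots [r1, r2] when f = (x - r1)(x - r2),
    or None when f is irreducible over F_p (no square root of -1 exists)."""
    if p == 2:
        return [0, 0]                     # f = x^2 over F_2: double root 0
    if not is_square_mod(p - 1, p):       # -1 is a non-square: irreducible
        return None
    i = sqrt_mod(p - 1, p)                # i^2 = -1 (mod p), so roots are 1 +/- i
    roots = sorted({(1 + i) % p, (1 - i) % p})
    assert all(f_eval(r, p) == 0 for r in roots)
    return roots


def reducible_odd_primes(bound: int) -> List[int]:
    """Odd primes below bound over which f is reducible; by Example 5.16
    these are exactly the primes congruent to 1 modulo 4."""
    primes = [n for n in range(3, bound)
              if all(n % d for d in range(2, int(n ** 0.5) + 1))]
    return [p for p in primes if factor_f_mod(p) is not None]
```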
5.4.2.2 Field Construction Using Irreducible Polynomial
Let us construct finite fields using an irreducible polynomial.
Definition 5.21: Set A[x] Modulo a Polynomial Let A be an algebraic structure and let f, g, q, r ∈ A[x] with g ≠ 0 satisfy the division expression (5.4.4); we say r is the remainder of f divided by g and denote r ≡ f (mod g).

The set of the remainders of all polynomials in A[x] modulo g is called the polynomials in A[x] modulo g, and is denoted by A[x]_g.
Analogous to the integers modulo a positive integer, A[x]_f is the set of all polynomials of degrees less than deg(f).
Theorem 5.5
Let F be a field and f be a non-zero polynomial in F[x]. Then F[x]_f is a ring, and is a field if and only if f is irreducible over F.
Proof First, F[x]_f is obviously a ring under addition and multiplication modulo f defined by (5.4.2), (5.4.3) and (5.4.4) with the zero-element and the unity-element the same as those of F.
Secondly, let F[x]_f be a field. Suppose f = gh for g, h being non-constant polynomials in F[x]. Then because 0 < deg(g) < deg(f) and 0 < deg(h) < deg(f), g and h are non-zero polynomials in F[x]_f whereas f is the zero polynomial in F[x]_f. This violates the Closure Axiom for the multiplicative group of F[x]_f. So F[x]_f cannot be a field. This contradicts the assumption that F[x]_f is a field.
Finally, let f be irreducible over F. Since F[x]_f is a ring, it suffices for us to show that any non-zero element in F[x]_f has a multiplicative inverse in F[x]_f. Let r be a non-zero polynomial in F[x]_f with gcd(f, r) = c. Because deg(r) < deg(f) and f is irreducible, c must be a constant polynomial. Writing r = cs, we have c ∈ F and s ∈ F[x]_f with gcd(f, s) = 1. Analogous to the integer case, we can use the extended Euclid algorithm for polynomials to compute s^{−1} (mod f) ∈ F[x]_f. Also since c ∈ F, there exists c^{−1} ∈ F. Thus we obtain r^{−1} = c^{−1} s^{−1} ∈ F[x]_f.
For finite field F[x]_f, let us call the irreducible polynomial f the definition polynomial of the field F[x]_f.
. Th eor em 5 .6
Let F be a fi el d of p el em ent s, an d f b e a d egr ee- n i r redu ci bl e pol yn om ial ov er F. Then t he
nu mb er of el ement s in t he fi el d F[ x]
f
i s p
n
.
Pr oof Fr om Defi nit ion 5. 21 we know F[ x]
f
i s t he set of al l poly nomi al s i n F[ x] of degr ees l ess
t han deg( f ) = n wi t h t he coef fi cient s r angi ng t hrough F of p el ement s. There are exact ly p
n
such
pol y nomi al s i n F[ x]
j
.
. Cor ol l ar y 5. 4
For ever y pr im e p an d f or ever y posi t iv e i nt eger n t here ex ist s a fi ni t e fi eld of p
n
el em ent s.
As i ndicat ed by Cor ol l ary 5. 4, f or F bei ng a pr i me fi el d , t he st ruct ur e of t he f i el d i s
ver y cl ear: i t i s mer el y t he set of al l pol y nomi al s of degr ee l ess t han n wi t h coeffi ci ent s i n .
Under i somorphi sm, we can even say t hat i s t he f i ni t e f i el d of or der p
n
.
Exampl e 5. 17 . I nt eger Rep r esen t at i on of Fi n i t e Fi el d El ement

Polynomial f(x) = x^8 + x^4 + x^3 + x + 1 is irreducible over F_2. The set of all polynomials modulo f(x) over F_2 forms a field of 2^8 elements; they are all polynomials over F_2 of degree less than 8. So any element in the field is
where b_7, b_6, b_5, b_4, b_3, b_2, b_1, b_0 ∈ F_2. Thus, any element in this field can be represented as an integer of 8 binary bits b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0, or a byte. In the hexadecimal encoding, we can use a letter to encode an integer value represented by 4 bits:
Since a byte has eight bits, the hexadecimal encoding of a byte can use two quoted characters 'XY' such that '0' ≤ 'X' ≤ 'F' and '0' ≤ 'Y' ≤ 'F'. That is, any element in the field can be viewed as a byte in the interval ['00', 'FF'].
Conversely, any byte in the interval ['00', 'FF'] can be viewed as an element in the field. For example, the byte 01010111 (or the hexadecimal value '57') corresponds to the element (polynomial)
From Corollary 5.4 and Example 5.17, we can view the field F_2[x]_f as the field of all non-negative integers of up to deg(f) binary bits. Clearly, this field has 2^{deg(f)} elements. Therefore, for any natural number n > 0, the set {0, 1}^n forms a field of 2^n elements. Let us use "n-bit binary field" to name this field. Operations in this field follow the operations between polynomials of degrees less than n over F_2. Addition is very simple, as shown in Example 5.18.

Example 5.18.
Let f be a degree-8 irreducible polynomial over F_2. In the 8-bit binary field, addition follows polynomial addition by adding coefficients modulo 2 (so 1 + 1 = 0). For example (in hexadecimal) '57' + '83' = 'D4':
So, addition in this field is independent from the definition polynomial f.
Multiplication in the field depends on the definition polynomial f: it is multiplication between

two polynomials modulo f. The modulo operation can be done by applying the extended Euclid algorithm for polynomials. Later (in Example 5.19) we shall show another method for achieving field multiplication which is based on a different way of representing the field.
The n-bit binary field is a useful field because of its natural interpretation of integers. It has many applications in coding and cryptography. A new encryption standard, the Advanced Encryption Standard (AES), works in the 8-bit binary field. We will introduce the AES in Chapter 7.
Finally we notice that in Theorem 5.6 we have never assumed p to be prime. In fact, in Theorem 5.5, F can be any field, and F[x]_f is called an extended field from the underlying subfield F via field extension. Since F can be any field, it can of course be an extended field from another underlying subfield. In many applications of finite fields, we need to know more information about the relation between extended fields and underlying subfields (for example, we will need to know this relation when we study the AES later). Also, a different way of representing finite fields may ease computation (e.g., the multiplication in Example 5.18 can be eased without using the Euclid algorithm if we use a different field representation). The next section serves the purpose of a better understanding of the structure of finite fields.

5.4.3 Finite Fields Constructed Using Polynomial Basis
This section is intended to provide the knowledge for helping a better understanding of some cryptosystems based on a general form of finite fields. We present it by assuming that the reader is familiar with the notion of a vector space in linear algebra. However, this section may be skipped without causing difficulty for reading most parts of the rest of this book.
In 5.4.2 we have shown that under isomorphism, the field F[x]_f is the finite field of order p^{deg(f)}. However, often it may not be very convenient for us to use fields modulo an irreducible polynomial. In this final part of our course in algebraic foundations, let us construct finite fields using the roots of an irreducible polynomial over a finite field F. Fields constructed this way are more frequently used in applications.
Let F be a finite field and n be any positive integer. Let f(x) be an irreducible polynomial over F of degree n. We know that f(x) has exactly n roots "somewhere", since f(x) can be factored into n linear polynomials there. We shall see in a moment that "somewhere" or "there" is exactly the space we are constructing.
Denote these n roots of f(x) = 0 by
Equation 5.4.6
Since f(x) is irreducible over F, none of these roots can be in F.

Theorem 5.7
Let F be any finite field and let f(x) ∈ F[x] be an irreducible polynomial of degree n over F. Then for any root of f(x) = 0, the elements

are linearly independent over F, that is, for r_i ∈ F with i = 0, 1, 2, …, n − 1:
Equation 5.4.7
Proof Let be any root of f(x) = 0. We know it is not 1, since f(x) is irreducible over the field F which contains 1. Suppose that the elements 1, , ^2, …, ^{n−1} were not linearly independent over F. That is, the linear combination (5.4.7) is possible for some r_i ∈ F which are not all zero (i = 0, 1, 2, …, n−1). This is equivalent to the root being a root of
With r_i ∈ F (i = 0, 1, …, n−1), by Definition 5.21, r(x) is an element in the field F[x]_f and therefore r(x) = 0 means r(x) = 0 (mod f(x)). Let a_n be the leading coefficient of f(x). Then a_n ∈ F, a_n ≠ 0 and a_n^{−1} f(x) | r(x). But this is impossible since a_n^{−1} f(x) is of degree n while r(x) is of degree less than n, unless r(x) is the zero polynomial. This contradicts the supposed condition that the r_i ∈ F are not all zero (i = 0, 1, …, n−1).

Definition 5.22: Polynomial Basis Let F be a finite field and f(x) be a degree-n irreducible polynomial over F. Then for any root of f(x) = 0, the elements 1, , ^2, …, ^{n−1} are called a (polynomial) basis (of a finite vector space) over F.

We know from a fact in linear algebra that a basis of n elements spans an n-dimensional vector space. The spanning uses the scalars in F, that is, the space so spanned has the following structure
Equation 5.4.8

Theorem 5.8
Let F be a finite field and f(x) be a degree-n irreducible polynomial over F. Then for any root of f(x) = 0, the vector space in (5.4.8) is a finite field of (#F)^n elements.

Proof First, we show that the space in (5.4.8) is a ring. The only non-trivial part is to show that the Closure Axiom holds for multiplication. To do so, we note that from

Equation 5.4.9
with a_n ∈ F and a_n ≠ 0, we have
and so ^n is a linear combination of the basis 1, , ^2, …, ^{n−1}. Multiplying (5.4.9) by the root, we can further derive that for any positive integer m ≥ n, ^m can be expressed as a linear combination of the same basis. Therefore, for any u, v in the space in (5.4.8), uv, as a linear combination of 1, , …, ^m for m ≤ 2(n−1), must be a linear combination of the basis 1, , …, ^{n−1}, and hence is in the space in (5.4.8). So we have shown the Closure Axiom.
Secondly, to show that the space in (5.4.8) is a field, we only need to show that the space does not contain zero-divisors. To do so, we can use the linear independence relation in (5.4.7) and check that for uv = 0, either the scalars of u, or those of v, must all be zero, and hence either u = 0 or v = 0.
Finally, notice that since the spanning process uses the #F elements of F as scalars and the basis of n elements, the space spanned has exactly (#F)^n elements.

Definition 5.23: Finite Field Let q be the number of elements in a finite field F. The finite field spanned by a basis of n elements over F is denoted by .

Theorem 5.9
Let F be a finite field of q elements and let a finite field be spanned over F. Then
i. the characteristic of the spanned field is that of F;
ii. F is a subfield of the spanned field;
iii. an element a of the spanned field satisfies a^q = a if and only if a ∈ F.

Proof Let 1, , ^2, …, ^{n−1} be a basis of the spanned field over F.
i. Let char(F) denote the characteristic of F. Then adding any element of the spanned field to itself char(F) times we obtain

Thus the characteristic of the spanned field equals char(F).
ii. Since the basis contains 1, using scalars in F, any element in F is a linear combination of 1 and hence is a linear combination of the basis.
iii. (⇒) Consider the subfield F = {0} ∪ F*, where F* is the multiplicative group of the non-zero elements. So for any a ∈ F, either a = 0 or a ∈ F*. The former case satisfies a^q = a trivially. For the latter case, by Lagrange's Theorem (Corollary 5.2), ord(a) | #F* = q − 1 and therefore a^{q−1} = 1. So a^q = a is also satisfied.
(⇐) Any a satisfying a^q = a must be a root of the polynomial x^q − x = 0. This polynomial has degree q and therefore has at most q roots in the spanned field, including 0. By (ii), F is a subfield of the spanned field, and F already contains all the roots of x^q − x = 0. No other element of the spanned field can be a root of x^q − x.

In our course of spanning the field over a field F of q elements, we have never assumed or required that q be a prime number, that is, we have not assumed or required that F be a prime field. The following theorem provides the relationship between F and the field spanned over F and stipulates the nature of q.

Theorem 5.10 Subfield Criterion
Let p be a prime number. Then F is a subfield of the field of p^n elements if and only if F has p^m elements for m being a positive divisor of n.

Proof (⇒) Let F be a subfield of the field of p^n elements. F = F_p and F being the whole field are the two trivial cases. Let F be a proper subfield of the field other than F_p. By Theorem 5.9(i), the field has characteristic p. Consequently F must also have characteristic p. So F contains F_p as a subfield and is spanned over F_p by a basis of m elements for some m with 1 ≤ m ≤ n. We only need to show m | n. The two multiplicative groups of the field and of F, namely its group of non-zero elements and F*, have p^n − 1 and p^m − 1 elements, respectively. Since the latter is a subgroup of the former, by Lagrange's Theorem (Theorem 5.1), p^m − 1 | p^n − 1. This is only possible if m | n.
(⇐) Let m be a positive proper divisor of n and let F be a field of p^m elements. Since n/m is a positive integer, using a degree-(n/m) irreducible polynomial over F we can span a field of (p^m)^{n/m} = p^n elements. Denote by the spanned field; by Theorem 5.9(ii), F is a subfield of it.

Let f(x) be any degree-n irreducible polynomial over F_p. Reviewing Theorem 5.6, we now know F_p[x]_f is isomorphic to the spanned field of p^n elements. Even though two isomorphic fields should be viewed without essential difference, one can be much easier to work with than the other. Indeed, the ease of proving the Subfield Criterion Theorem for the spanned field provides such clear evidence. The following

example provides further evidence.

Example 5.19. Field
We have seen that F_2[x]_{x^8 + x^4 + x^3 + x + 1} (in Example 5.18) is the set of all polynomials modulo the irreducible polynomial x^8 + x^4 + x^3 + x + 1 over F_2 and has 2^8 elements. Now we know that the field spanned over F_2 is also a field of 2^8 elements and can be represented by the following space
where is a root of (e.g.) the equation x^8 + x^4 + x^3 + x + 1 = 0, and the scalars are taken from F_2. Clearly, these two fields are isomorphic; in particular, we can also use a byte to represent an element in the latter representation of the field.
In Example 5.18 we mentioned that multiplication in F_2[x]_{x^8 + x^4 + x^3 + x + 1} is a bit complicated and needs reduction modulo the polynomial, which requires the Euclid algorithm for polynomial division. Multiplication in the field spanned from the polynomial basis can be easier: straightforwardly multiply the two elements and represent any resultant term ^i for i > 7 using a linear combination of the basis 1, , …, ^7.
For example, let us compute '57' · '83', or
Since
we have the following linear combinations (notice −1 = 1 in F_2):
Thus,

That is, we have '57' · '83' = 'C1'.
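The arithmetic of Examples 5.17 to 5.19, together with the extended-Euclid inverse used in the proof of Theorem 5.5, as an added Python example (this is not code from the book). A byte is the integer whose bits are the coefficients b_7 … b_0, so the definition polynomial x^8 + x^4 + x^3 + x + 1 is the 9-bit integer 0x11B. Two multiplication routines are given: one that multiplies and then divides by f (the Example 5.18 view), and one that rewrites every ^8 term as ^4 + ^3 + + 1 while it multiplies (the Example 5.19 view); both must agree. The closing check counts the elements with a^q = a and so exhibits Theorem 5.9(iii) and the Subfield Criterion inside this one field. All function names (gf_add, gf_mul, gf_inv, frobenius_fixed_points and so on) are this example's own; the only values taken from the text are the polynomial, '57' + '83' = 'D4' and '57' · '83' = 'C1'.

```python
# Added example (not from the book): arithmetic in the 8-bit binary field of
# Examples 5.17-5.19, i.e. F_2[x] modulo f(x) = x^8 + x^4 + x^3 + x + 1.
# A byte b7...b0 stands for b7 x^7 + ... + b1 x + b0, so a field element is an
# int in [0x00, 0xFF] and the definition polynomial f is the 9-bit int 0x11B.
F_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (Example 5.17)


def gf_add(a, b):
    """Example 5.18: coefficient-wise addition modulo 2 is bitwise XOR."""
    return a ^ b


def poly_deg(p):
    """Degree of a polynomial over F_2 stored as an int (-1 for the zero polynomial)."""
    return p.bit_length() - 1


def poly_mul_raw(a, b):
    """Plain polynomial product over F_2 with no reduction (carry-less multiply)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a, b):
    """Long division in F_2[x]: returns (q, r) with a = q*b + r and deg r < deg b."""
    q = 0
    while a and poly_deg(a) >= poly_deg(b):
        shift = poly_deg(a) - poly_deg(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_mul_by_division(a, b, f=F_POLY):
    """Example 5.18's view: multiply the polynomials, then reduce modulo f."""
    return poly_divmod(poly_mul_raw(a, b), f)[1]


def gf_mul(a, b, f=F_POLY):
    """Example 5.19's view: work in the basis 1, t, ..., t^7 (t a root of f) and
    rewrite every t^8 term as t^4 + t^3 + t + 1 (that is the XOR with f below)."""
    r = 0
    while b:
        if b & 1:
            r = gf_add(r, a)
        b >>= 1
        a <<= 1
        if a & 0x100:   # a t^8 term appeared: replace it by t^4 + t^3 + t + 1
            a ^= f
    return r


def gf_inv(a, f=F_POLY):
    """Inverse as in the proof of Theorem 5.5: extended Euclid in F_2[x] gives
    s with s*a + t*f = gcd(a, f) = 1, so s = a^-1 (mod f)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1 = f, a
    s0, s1 = 0, 1        # invariant: r_i = s_i * a (mod f)
    while r1 != 1:       # the gcd is 1: f is irreducible and deg a < deg f
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul_raw(q, s1)
    return poly_divmod(s1, f)[1]


def gf_pow(a, e):
    """Square-and-multiply exponentiation in the field."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def frobenius_fixed_points(q):
    """Elements a with a^q = a. By Theorem 5.9(iii) and Theorem 5.10 these are
    exactly the subfield of q = 2^m elements when m divides 8, and only {0, 1}
    otherwise (the common subfield is the one of 2^gcd(m, 8) elements)."""
    return [a for a in range(256) if gf_pow(a, q) == a]


if __name__ == "__main__":
    print(f"'57' + '83' = '{gf_add(0x57, 0x83):02X}'")   # 'D4' (Example 5.18)
    print(f"'57' . '83' = '{gf_mul(0x57, 0x83):02X}'")   # 'C1' (Example 5.19)
    print(f"inverse of '57' is '{gf_inv(0x57):02X}'")
    for m in (1, 2, 3, 4, 8):
        print(f"elements fixed by a -> a^(2^{m}): {len(frobenius_fixed_points(1 << m))}")
```

The two multiplication routines are the same field operation written in the two representations the text contrasts: gf_mul_by_division performs the polynomial long division that the Euclid algorithm needs, while gf_mul never divides, it only applies the single relation ^8 = ^4 + ^3 + + 1 each time a shift produces a term of degree 8, which is why the polynomial-basis form is the one implemented in AES code.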
We now provide a remark as a summary of our study of finite fields.

Remark 5.2
We have studied two methods for constructing finite fields: the field modulo an irreducible polynomial (5.4.2) and the field spanned from a polynomial basis (5.4.3). In our study of finite fields we have used the notation of Definition 5.23 to denote a field of the latter construction. However, under isomorphism, two fields of the same number of elements can be viewed without difference. Therefore from now on, we will use that notation for any finite field of q elements where q is a prime power.

5.4.4 Primitive Roots
We asserted in 4.5 that the complete factorization of n − 1 provides a piece of "internal information" (i.e., auxiliary input for verifying a problem) for answering whether n is prime with an efficient deterministic algorithm. Now with the knowledge of finite fields, that assertion can be easily proved.

Theorem 5.11
The multiplicative group of the field of p^n elements is cyclic.

Proof By Theorem 5.9(iii), the entire set of roots of the polynomial x^{p^n − 1} − 1 = 0 forms the multiplicative group of the field. However, the entire set of roots of this polynomial consists of the p^n − 1 distinct (nontrivial) roots of 1, spread over the unity circle. So there exists a (p^n − 1)-th root of 1, which generates the group. Hence the multiplicative group is cyclic.

Definition 5.24: Primitive Root A multiplicative generator of the multiplicative group of a finite field is called a primitive root of that field.

Theorem 5.12
Let n be a positive integer with n − 1 = r_1 r_2 ⋯ r_k as the complete prime factorization of n − 1 (some of the prime factors may repeat). Then n is prime if and only if there exists a positive integer a < n such that a^{n−1} ≡ 1 (mod n) and a^{(n−1)/r_i} ≢ 1 (mod n) for i = 1, 2, …, k.

Proof (⇒) If n is prime, then by Theorem 5.11 the multiplicative group of the field of n elements is cyclic and has a generator which is an (n − 1)-th root of 1. Denoting this root by a, a satisfies the conditions in the theorem statement.
(⇐) Let the integer a < n satisfy the conditions in the theorem statement. Then a, a^2, …, a^{n−1} are solutions of x^{n−1} − 1 ≡ 0 (mod n). For any 1 ≤ i < j ≤ n − 1, it is necessary that a^i ≢ a^j (mod n).

Sup pose ot her wise a
j
i 1 ( m od n) for som e i , j wi t h 0 < j i < n 1 ; t h en by Defi nit ion 5. 9
or d( a) | j i | n 1 , cont r adi ct i ng t o t he condi t i ons i n t h e t heor em st at em ent . Now we k now t h at a
i s a m ul t ip li cat iv e gr oup of n 1 elem en t s ( m ul t ip li cat ion m odul o n) . Th is gr oup can cont ain at
most ( n) el em ent s. So ( n) = n 1 . Hen ce n i s p ri m e by d ef in it i on of Eul er ' s fu nct ion ( Defi nit ion
5. 11 ) .
Theorem 5.12 suggests an efficient algorithm for finding a primitive root modulo a prime p, i.e., a generator of the group. The algorithm is specified in Alg 5.1.
By Theorem 5.2(4), we know that in the group there are exactly φ(p − 1) elements of order p − 1, and these elements are generators of the group. Therefore Alg 5.1 is expected to terminate in
(see e.g., page 65 of [198]) steps of recursive calls. Since the number of prime factors of p − 1 is bounded by log p, the time complexity of the algorithm is bounded by O_B((log p)^4 log log p).
Algorithm 5.1: Random Primitive Root Modulo Prime
INPUT p: a prime; q1, q2, ..., qk: all prime factors of p − 1;
OUTPUT g: a random primitive root modulo p.
PrimitiveRoot(p, q1, q2, ..., qk)
1. pick g ∈_U [2, p − 1);
2. for (i = 1, i++, k) do if (g^((p−1)/q_i) ≡ 1 (mod p)) return(PrimitiveRoot(p, q1, q2, ..., qk));
3. return(g).
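As an added illustration (not the book's own code), Alg 5.1 in Python together with the Theorem 5.12 test it relies on; the names prime_factors, is_primitive_root, primitive_root and multiplicative_order are this example's own, the retry loop replaces the book's recursive call, and the factorization of p − 1 is computed here by trial division only so the demo runs on small inputs (the book assumes it is given).

```python
import random

# Added example, not from the book: Alg 5.1 (random primitive root modulo a
# prime p) built on the Theorem 5.12 test. A candidate g for which
# g^((p-1)/q) = 1 (mod p) for some prime factor q of p - 1 has order dividing
# (p-1)/q, so it cannot generate Z_p^* and a fresh g is drawn.


def prime_factors(n):
    """Distinct prime factors of n by trial division (demo inputs only; the
    book takes the factorization of p - 1 as an input of Alg 5.1)."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive_root(g, p, factors):
    """Theorem 5.12: g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for
    every prime factor q of p - 1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def primitive_root(p, factors, rng=random):
    """Alg 5.1 as a loop: step 1 draws g uniformly from [2, p-1), step 2 applies
    the test and retries on failure, step 3 returns g."""
    if p <= 3:
        return p - 1          # [2, p-1) is empty for p = 2, 3; p-1 generates
    while True:
        g = rng.randrange(2, p - 1)        # step 1
        if is_primitive_root(g, p, factors):   # step 2 passed for every q_i
            return g                           # step 3


def multiplicative_order(g, p):
    """Brute-force order of g in Z_p^*; used only to check the result."""
    x, k = g % p, 1
    while x != 1:
        x = x * g % p
        k += 1
    return k


def all_primitive_roots(p):
    """Every generator of Z_p^*; their count is phi(p - 1) by Theorem 5.2(4)."""
    factors = prime_factors(p - 1)
    return [g for g in range(1, p) if is_primitive_root(g, p, factors)]


if __name__ == "__main__":
    p = 7919                                # a prime; p - 1 = 2 * 37 * 107
    g = primitive_root(p, prime_factors(p - 1))
    print(g, multiplicative_order(g, p))   # order is always p - 1 = 7918
```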

5.5 Group Constructed Using Points on an Elliptic Curve
A class of groups which are very important to modern cryptography is those constructed by points on elliptic curves. Miller [203] and Koblitz [166] originally suggested using elliptic curve groups for realizing public-key cryptography.
Elliptic curves for cryptography are defined over finite algebraic structures such as finite fields. For ease of exposition, let us confine ourselves to the easy case of prime fields of characteristic greater than 3. Such a curve is the set of geometric solutions P = (x, y) to an equation of the following form
Equation 5.5.1
where a and b are constants in  (p > 3) satisfying 4a^3 + 27b^2 ≢ 0 (mod p)[a]. To have the points on E form a group, an extra point denoted by O is included. This extra point is called the point at infinity and can be formulated as
[a] Reason to be given after Definition 5.25.
So for the group format, we write
Equation 5.5.2
This set of points forms a group under a group operation which is conventionally written additively using the notation "+". We will define the operation in a moment.
Denote by f(x) the cubic polynomial on the right-hand side of (5.5.1). If f(x) is reducible over , then for  being a zero of f(x) (i.e., f( ) ≡ 0 (mod p)), the point ( , 0) ∈ E. We will see in a moment that these points have order 2 under the group operation "+". Since f(x) is a cubic polynomial, there are at most three such points (either 1 or 3 depending on the reducibility of f(x) over ; answer why by doing Exercise 5.13).
All other points apart from O are made from  such that f( ) ≢ 0 (mod p) is a quadratic
residue element in  (i.e., a square number modulo p, see §6.5). In such cases, for each such , there are two distinct solutions for y (every quadratic residue element in  has two square roots modulo p, see Corollary 6.2). Since f( ) is a constant, the two square roots will be  and . Thus, we can denote by  and  such two points of solutions.
To this end we know that the points on the curve are O, ( , 0), ( , ) and ( , ) for all ,  in  satisfying f( ) ≡ 0 (mod p) and f( ) being a quadratic residue in .
5.5.1 The Group Operation
The set E defined in (5.5.2) forms an abelian group under the operation "+" defined as follows.
Definition 5.25: Elliptic Curve Group Operation ("tangent and chord method") Let P, Q ∈ E, l be the line containing P and Q (tangent line to E if P = Q), and R, the third point of intersection of l with E. Let l' be the line connecting R and O. Then P "+" Q is the point such that l' intersects E at R, O and P "+" Q.
For the moment let us suppose that under Definition 5.25, (E, "+") does form a group. We should first explain why we have required the coefficients of the cubic polynomial in (5.5.1) to satisfy 4a^3 + 27b^2 ≢ 0 (mod p). Notice that this quantity is, up to sign, the discriminant of the cubic polynomial f(x) = x^3 + ax + b. If the discriminant is 0 then f(x) = 0 has at least a double zero X (a root which makes f(X) = 0) and clearly (X, 0) is on E. For F(x, y) = y^2 − x^3 − ax − b = 0, this point satisfies
That is, (X, 0) is a singular point at which there is no definition for a real tangent value. With the tangent-and-chord operation failing at the singular point (X, 0), E cannot be a group.
Fig 5.1 illustrates the tangent-and-chord operation. The top curve is the case of a negative discriminant (the cubic polynomial has only one real root) and the lower, a positive one. We have intentionally plotted the curves as dotted lines to indicate E( ) being a discrete set. The discrete points are called -rational points. Their number is finite (see (5.5.6) to be given in a moment).
Figure 5.1. Elliptic Curve Group Operation
Now let us show that (E, "+") does form a group under the tangent-and-chord operation.
First, for any P = (X, Y) ∈ E, let us apply Definition 5.25 to a special case of Q being O (since we have included O in E). The line intersecting P and O is
Since P ∈ E means f(X) = X^3 + aX + b (mod p) being a quadratic residue in F_p, −Y is therefore the other solution to y^2 = f(X) (i.e., the other square root of f(X) modulo p). That is, l also intersects the point R = (X, −Y) ∈ E. Clearly, because l' = l, it intersects the same three points on E as l does. By Definition 5.25, we obtain
for any P ∈ E. Moreover, for all (x, y) ∈ E, we have also derived
By denoting (x, −y) = "−"(x, y), we see that the point O behaves exactly as the identity element under the operation "+". Therefore we have obtained the Identity Axiom and the Inverse Axiom for (E, "+").
A special case of this special case is y1 = y2 = 0. This is the case of P = "−"P (point S on the lower curve in Fig 5.1). At this doubly special point we have P "+" P = O. That is, P is an order-2 element. We have mentioned this special element earlier: it is a solution of y^2 = f(x) ≡ 0 (mod p). Such special points only exist when f(x) has zeros in , i.e., when f(x) is reducible over .
Now let us consider the general case of l being a non-vertical line. The formula for l is
Equation 5.5.3
where
Equation 5.5.4
Since l will meet R = (x3, y3) on the curve, we can use formulae (5.5.1) and (5.5.3) to find the point R. The x part of the point R is a solution of
Since E is a cubic polynomial which has the solutions x1, x2, x3, we can also write it as
where c is some constant. Comparing the coefficients in these two ways of writing E (the
coefficients of x^3 and x^2) we obtain c = 1 and
Finally, by Definition 5.25, and the fact that P "+" Q = "−"R, we obtain the coordinates of the point P "+" Q as
Equation 5.5.5
where  is defined in (5.5.4). We notice that because the line l intersects P, Q and R, R must be on the curve, and consequently, P "+" Q = "−"R must also be on the curve. Thus, we have obtained the Closure Axiom for (E, "+").
The Associativity Axiom can be verified step by step by applying the formulae (5.5.5). Because of its tedious nature, we shall not conduct the demonstration here and leave it as an exercise for the reader.
To this end, we know that (E, "+") is indeed a group. Moreover, it is clearly an abelian group.
Example 5.20.
The equation E : y^2 = x^3 + 6x + 4 over  defines an elliptic curve group since 4 × 6^3 + 27 × 4^2 ≢ 0 (mod 7). The following points are on E( ):
Some applications of the addition law are (3, 0) "+" (3, 0) = O, (3, 0) "+" (4, 1) = (1, 2) and (1, 2) "+" (1, 2) = (0, 2). The reader may check that, e.g., (1, 2) is a generator of the group. Therefore E( ) is cyclic.
We have introduced elliptic curve groups for the simplest case of E defined over a prime field  with p > 3. In general, E can be defined over  where q is a prime power. The cases for p = 2 and 3 are a little more complex; however, the working principle remains the same. We recommend [272] to more interested readers for further study.
5.5.2 Point Multiplication
From now on, we shall drop the quotation marks from the operations "+" and "−".
For m being an integer and P ∈ E, we denote
The computation of [m]P (or a multiple number of the group operation in any additive group) is analogous to exponentiation in a multiplicative group and is given in Alg 5.2.
Algorithm 5.2: Point Multiplication for Elliptic Curve Element
INPUT point P ∈ E; integer m > 0;
OUTPUT [m]P.
EC_Multiply(P, m)
1. if m = 0 return(O);
2. if m (mod 2) = 0 return(EC_Multiply(P + P, m ÷ 2)); (* ÷ denotes division in integers, i.e., m ÷ 2 = ⌊m/2⌋ *)
3. return(P + EC_Multiply(P + P, m ÷ 2)).
For example, executing EC_Multiply(P, 14), Alg 5.2 will invoke the following four recursive calls:
EC_Multiply(P, 14)
= EC_Multiply(P + P, 7) (in step 2)
= [2]P + EC_Multiply([2]P + [2]P, 3) (in step 3)
= [2]P + [4]P + EC_Multiply([4]P + [4]P, 1) (in step 3)
= [2]P + [4]P + [8]P + EC_Multiply([8]P + [8]P, 0) (in step 3)
= [2]P + [4]P + [8]P + O (in step 1)
The result is [14]P.
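The following Python block is an added example serving both §5.5.1 and §5.5.2, not code from the book: it implements "−" and "+" of Definition 5.25 through the coordinate formulae (5.5.4) and (5.5.5), reproduces the additions stated in Example 5.20 on y^2 = x^3 + 6x + 4 over F_7, and computes [m]P with the same recursion as Alg 5.2. The class and method names (Curve, add, multiply, order, example_5_20) and the representation of O as None are this example's own conventions.

```python
# Added example, not from the book: the tangent-and-chord group law over F_p
# (p > 3) in the coordinate form of (5.5.4)/(5.5.5), and Alg 5.2 point
# multiplication. Points are (x, y) tuples; the point at infinity O is None.

O = None


class Curve:
    """y^2 = x^3 + a*x + b over F_p with 4a^3 + 27b^2 != 0 (mod p)."""

    def __init__(self, p, a, b):
        if p <= 3:
            raise ValueError("only prime fields of characteristic > 3 here")
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: discriminant is 0 mod p")
        self.p, self.a, self.b = p, a % p, b % p

    def contains(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def points(self):
        """All F_p-rational points, O first (brute force; tiny p only)."""
        return [O] + [(x, y) for x in range(self.p) for y in range(self.p)
                      if self.contains((x, y))]

    def neg(self, P):
        # "-"(x, y) = (x, -y): the vertical line through P and O meets E at -P
        if P is O:
            return O
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P, Q):
        p = self.p
        if P is O:                     # O is the identity element
            return Q
        if Q is O:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return O                   # Q = -P; covers the order-2 case y = 0
        if P == Q:                     # tangent line: slope of (5.5.4), P = Q
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:                          # chord line: slope of (5.5.4), P != Q
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        # (5.5.5): x3 from comparing coefficients of x^2; P + Q = "-"R
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def multiply(self, P, m):
        """Alg 5.2: [m]P by the book's recursion on P + P and m // 2."""
        if m == 0:
            return O                                           # step 1
        if m % 2 == 0:
            return self.multiply(self.add(P, P), m // 2)       # step 2
        return self.add(P, self.multiply(self.add(P, P), m // 2))  # step 3

    def order(self, P):
        """Smallest k > 0 with [k]P = O (brute force; for checking generators)."""
        k, Q = 1, P
        while Q is not O:
            Q = self.add(Q, P)
            k += 1
        return k


def example_5_20():
    """Example 5.20: E : y^2 = x^3 + 6x + 4 over F_7 has 10 points, (1, 2) is
    a generator, and the three sums stated in the book hold."""
    E = Curve(7, 6, 4)
    return {
        "points": E.points(),                  # 10 points including O
        "sum1": E.add((3, 0), (3, 0)),         # O
        "sum2": E.add((3, 0), (4, 1)),         # (1, 2)
        "sum3": E.add((1, 2), (1, 2)),         # (0, 2)
        "ord_1_2": E.order((1, 2)),            # 10, so E(F_7) is cyclic
        "fourteen_P": E.multiply((1, 2), 14),  # [14]P = [4]P since ord = 10
    }


if __name__ == "__main__":
    for k, v in example_5_20().items():
        print(k, v)
```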

Considering that m is at most of p's magnitude and that the computations in (5.5.4) and (5.5.5) involve squaring numbers of p's magnitude, the time complexity of Alg 5.2 is O_B((log p)^3). We should notice that Alg 5.2 does not make use of any properties of the underlying field, and hence it is not an efficient realization; rather, it is only for the purpose of providing a succinct exposition of how to compute a point multiplication. Several point multiplication methods with implementation considerations for improved efficiency, such as precomputations and making use of special field properties, can be found in, e.g., [35].
5.5.3 Elliptic Curve Discrete Logarithm Problem
To reverse the effect of a multiplication, that is, given a pair of points (P, [m]P), to find the integer m, is a problem with a very different nature from that of point multiplication. The problem is called the elliptic-curve discrete logarithm problem, or ECDLP for short. It is widely believed that the ECDLP is difficult to solve (computationally infeasible) when the point P has a large prime order.
Hasse's theorem states
Equation 5.5.6
Here t is called the "trace of Frobenius" at q. From this we see that #E( ) is at the magnitude of q. For a curve defined over  (general case), it is very easy to devise a large prime p of size slightly less than q such that E( ) contains a subgroup of order p. The best known algorithm for solving the ECDLP has a time complexity expression  (because p ≈ q). This is more or less a result of a brute-force search method helped by the birthday paradox. Such a result applies to discrete logarithm problems in any abelian group with size at the magnitude q. Indeed, Pollard's method (see §3.6.1) can easily be modified to the case of the ECDLP. Therefore, we can say that a solution with complexity  for the ECDLP is not a solution at all due to its irrelevance to the group structure in question.
In the case of the discrete logarithm problem in a finite field (to be formally defined in Definition 8.2), there exist algorithmic methods called index calculus for solving the problem. The time complexity of an index calculus method for discrete logarithm in a finite field has a subexponential expression sub-exp(q) given in (8.4.2).
The complexity expression  is exponential in the size of q. For the same input, as a function of a large quantity,  grows much quicker than the subexponential function sub-exp(q) does. This means that the underlying field for the ECDLP can use a size much smaller than that of a finite field on which an ordinary discrete logarithm problem is based, while achieving the same level of time for solving the problems. For the ECDLP, the common sense is to set q ≈ 2^160. This allows a 2^80-level difficulty of countering brute-force search methods. To obtain a similar difficulty of the discrete logarithm problem in a finite field, the subexponential expression (8.4.2) will require q to have a magnitude at the level of 2^1000. We should further notice that the progress of hardware computing technology means that q should grow accordingly. With the
drastically different asymptotic behaviors of  and sub-exp(q), q for the elliptic curve case can grow much more slowly than that for the finite field case.
The computational infeasibility maintained by the ECDLP over a relatively small field means that elliptic curve groups have a good application in the realization of more efficient public-key cryptographic systems. Public-key cryptography is also called asymmetric cryptography, meaning that encryption with a public key is easy and decryption without the correct private key is hard. Thus we may say that public-key cryptography based on elliptic curve groups is more asymmetric than that based on finite fields.
However, we should provide an early warning that there are weak cases in elliptic curves. For weak cases an underlying field of magnitude 2^160 will be too small. We will see such a weak case, and surprisingly, its positive applications, in Chapter 13.
5.6 Chapter Summary
After our study of abstract algebraic structures in this chapter we now know that algebraic structures such as group, ring, and field have finite versions of arithmetic operations. For example, we have seen that for any positive integer n, all non-negative integers up to n binary bits form a finite field of 2^n elements, i.e., the structure is closed under addition and multiplication (hence also closed under subtraction, division, and all other algebraic operations such as exponentiation, rooting, etc., since they are all derived from the most basic addition and multiplication operations). Algebraic structures with the closure property in finite spaces provide the basic building blocks for constructing cryptographic algorithms and protocols.
Our course is not only self-contained for reference purposes for most readers, but also accompanied by plenty of digestion and explanation material so that an in-depth understanding of these subjects can be achieved by more mathematically inclined readers. A more comprehensive study of abstract algebraic topics can be found in [177], and for elliptic curves in, e.g., [272].
Exercises
5.1 In Example 5.2(5) we have shown that Fermat(n) is a subgroup of . Show that for n being an odd composite integer, #Fermat(n) < . Argue that this inequality is the basis for the working principle of the probabilistic primality test Alg 4.5.
5.2 Show that DIV3 = {0} ∪ 3N (the set DIV3 is defined in §4.3, Example 4.1).
5.3 In the group : (i) how many generators are in it? (ii) Find all the generators of it. (iii) Find all subgroups of it.
5.4 Let n be an odd composite that is not a power of a prime. Does the group  have a generator?
5.5 Use the "chalk-marking-on-toothed-wheels" method given in Example 5.10 to confirm that the largest order of elements in the group  is 12, and that the order of any element must divide 12.
5.6 Let n = pq with p, q being odd distinct primes. Prove the generalization of the preceding problem, that is: (i) the largest order of elements in  is λ(n) = lcm(p − 1, q − 1); (ii) the order of every element in  divides λ(n).
5.7 Why must the characteristic of a finite ring or field be prime?
5.8 Using long division for polynomials as a subroutine, construct the extended Euclid algorithm for polynomials.
5.9 Let n be any natural number. Construct a finite field of n-bit integers {0, 1}^n.
Hint: map between  and {0, 1}^n using the mapping method given in Example 5.17, where f is a degree-n polynomial over .
5.10 How many isomorphic subfields does  have? Is  one of them?
5.11 Why is a group generator also called a primitive root?
5.12 For an odd integer p, knowing the complete factorization of p − 1, construct an efficient algorithm to answer the question "Is p prime?" with correctness probability 1 (not using Prime_Test(p) since it cannot achieve correctness probability 1, and not using trial division since it is not efficient).
5.13 For an elliptic curve E : y^2 = x^3 + ax + b over  with p > 3, show that E has no order-2 point if f(x) = x^3 + ax + b is irreducible over  and has 1 or 3 such points otherwise.
5.14 Confirm the Associativity Axiom for group (E, "+") defined in §5.5.1.
5.15 Confirm that the point (1, 2) in Example 5.20 is a group generator.

Chapter 6. Number Theory
Section 6.1. Introduction
Section 6.2. Congruences and Residue Classes
Section 6.3. Euler's Phi Function
Section 6.4. The Theorems of Fermat, Euler and Lagrange
Section 6.5. Quadratic Residues
Section 6.6. Square Roots Modulo Integer
Section 6.7. Blum Integers
Section 6.8. Chapter Summary
Exercises

6.1 Introduction
Problems such as factorization or primality of large integers, root extraction, solution to simultaneous equations modulo different moduli, etc., are among the frequently used ingredients in modern cryptography. They are also fascinating topics in the theory of numbers. In this chapter we study some basic facts and algorithms in number theory, which have important relevance to modern cryptography.
6.1.1 Chapter Outline
§6.2 introduces the basic notions and operations of congruences and residue classes. §6.3 introduces Euler's phi function. §6.4 shows a unified view of the theorems of Fermat, Euler and Lagrange. §6.5 introduces the notion of quadratic residues. §6.6 introduces algorithms for computing square roots modulo an integer. Finally, §6.7 introduces the Blum integers.

6.2 Congruences and Residue Classes
In §4.3.2.5 we have defined the congruence system modulo a positive integer n > 1 and studied a few properties of such systems. Here we shall study a few more facts of the congruence systems.
Theorem 6.1
For integer n > 1, the relation of congruence (mod n) is reflexive, symmetric and transitive. That is, for every a, b, c,
i. a ≡ a (mod n);
ii. If a ≡ b (mod n), then b ≡ a (mod n);
iii. If a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n).
A relation having the three properties in Theorem 6.1 is called an equivalence relation. It is well known that an equivalence relation over a set partitions the set into equivalence classes. Let us denote by "≡" the equivalence relation of congruence modulo n. This relation is defined over the set , and therefore it partitions into exactly n equivalence classes, each class containing the integers which are congruent to one another modulo n. Let us denote these n classes by where
Equation 6.2.1
We call each of them a residue class modulo n. Clearly, we can view
Equation 6.2.2
On the other hand, if we consider as a (trivial) subset of , then coset (Definition 5.7 in §5.2.1) is the set of all integers which are multiples of n, i.e.,
Equation 6.2.3

Now consider the quotient group (Definition 5.8 in §5.2.1) with addition as the group operation:
Equation 6.2.4
If we unfold (6.2.4) using in (6.2.3), we have
Equation 6.2.5
There are only n distinct elements in the structure (6.2.5). No more case is possible. For example
and
and so on. Comparing (6.2.2) and (6.2.5) while noticing the definition of in (6.2.1), we now know exactly that for n > 1:

is the standard notation (in fact, the definition) for the residue classes modulo n, although for presentation convenience, in this book we will always use the short notation in place of .
Theorem 6.2
For any a, b, define addition and multiplication between the residue classes and by
Then for any n > 1, the mapping f : defined by "(mod n)" is a homomorphism from onto .
6.2.1 Congruent Properties for Arithmetic in
The homomorphism from onto means that arithmetic in (arithmetic modulo n) inherits the properties of arithmetic in , as shown in the following theorem.
Theorem 6.3
For integer n > 1, if a ≡ b (mod n) and c ≡ d (mod n), then a ± c ≡ b ± d (mod n) and ac ≡ bd (mod n).
Although the statements in this theorem hold trivially as an immediate result of the homomorphic relationship between and , we provide a proof which is based purely on using the properties of arithmetic in .
Proof If n | a − b and n | c − d then n | (a ± c) − (b ± d).
Also n | (a − b)(c − d) = (ac − bd) − b(c − d) − d(a − b). So n | (ac − bd).
The properties of the arithmetic in shown in Theorem 6.3 are called congruent properties, meaning that performing the same calculation on both sides of an equation derives a new equation. However, Theorem 6.3 has left out division. Division in has the congruent property as follows:
Equation 6.2.6

The counterpart congruent property for division in will take a formula which is slightly different from (6.2.6). Before we find out what this formula is, let us provide an explanation of (6.2.6) in . We may imagine that is the case of for n = ∞, and that ∞ is divisible by any integer and the resultant quotient is still ∞. Thus, we may further imagine that the first equation in (6.2.6) holds in terms of modulo ∞ while the second equation holds in terms of modulo ∞/d. Since ∞/d = ∞, the two equations in (6.2.6) take the same formula. This congruent property for division in is inherited into in the following formula.
Theorem 6.4
For integer n > 1 and d ≠ 0, if ad ≡ bd (mod n) then a ≡ b (mod n/gcd(d, n)).
Proof Denote k = gcd(d, n). Then n | (ad − bd) implies (n/k) | (d/k)(a − b). Since gcd(d/k, n/k) = 1, we know (n/k) | (d/k)(a − b) implies (n/k) | (a − b).
To this end we know that the arithmetic in fully preserves the congruent properties of the arithmetic in . Consequently, we have
Corollary 6.1
If f(x) is a polynomial over , and a ≡ b (mod n) for n > 1, then f(a) ≡ f(b) (mod n).
6.2.2 Solving Linear Congruence in
In Theorem 4.2 (in §4.3.2.5) we have defined the multiplicative inverse modulo n and shown that for an integer a to have the multiplicative inverse modulo n, i.e., a unique number x < n satisfying ax ≡ 1 (mod n), it is necessary and sufficient for a to satisfy gcd(a, n) = 1. The following theorem provides the condition for the general case of solving a linear congruence equation.
Theorem 6.5
For integer n > 1, a necessary and sufficient condition that the congruence
Equation 6.2.7
be solvable is that gcd(a, n) | b.
Proof By Definition 4.4 (in §4.3.2.5), the congruence (6.2.7) is the linear equation
Equation 6.2.8

for some integer k.
(⇒) Let (6.2.8) hold. Since gcd(a, n) divides the left-hand side, it must divide the right-hand side.
(⇐) For a and n, using the Extended Euclid Algorithm (Alg 4.2) we can compute
Since b/gcd(a, n) is an integer, multiplying both sides by this integer, we obtain (6.2.8) or (6.2.7), where (mod n) is one solution.
It is easy to check that given a solution x for (6.2.7),
are gcd(a, n) different solutions less than n. Clearly, gcd(a, n) = 1 is the condition for the congruence (6.2.8) to have a unique solution less than n.
Example 6.1. Congruence
2x ≡ 5 (mod 10)
is unsolvable since gcd(2, 10) = 2 ∤ 5. In fact, the left-hand side, 2x, must be an even number, while the right-hand side, 10k + 5, can only be an odd number, and so trying to solve this congruence is an attempt to equalize an even number to an odd number, which is of course impossible.
On the other hand, congruence
6x ≡ 18 (mod 36)
is solvable because gcd(6, 36) | 18. The six solutions are 3, 9, 15, 21, 27, and 33.
Theorem 6.6
For integer n > 1, if gcd(a, n) = 1, then ai + b ≢ aj + b (mod n) for all b, i, j such that 0 ≤ i < j < n.

Proof Suppose on the contrary ai + b ≡ aj + b (mod n). Then by Theorem 6.4 we have i ≡ j (mod n), a contradiction to 0 ≤ i < j < n.
This property implies that for a, n satisfying gcd(a, n) = 1, ai + b (mod n) (i = 0, 1, …, n − 1) is a complete residue system modulo n, that is, the expression ai + b (mod n) ranges through for i ranging through .
6.2.3 The Chinese Remainder Theorem
We have studied the condition for solving a single linear congruence in the form of (6.2.7). Often we will meet the problem of solving a system of simultaneous linear congruences with different moduli:
Equation 6.2.9
where a_i, b_i with a_i ≠ 0 for i = 1, 2, …, r.
For this system of congruences to be solvable it is clearly necessary for each congruence to be solvable. So for i = 1, 2, …, r and denoting
by Theorem 6.5, it is necessary that d_i | b_i. With this being the case, the congruent properties for multiplication (Theorem 6.3) and for division (Theorem 6.4) allow us to transform the system (6.2.9) into the following linear congruence system which is equivalent to but simpler than the system (6.2.9):
Equation 6.2.10

where for i = 1, 2, …, r:
and
Notice that (a_i/d_i)^(−1) (mod m_i) exists since gcd(a_i/d_i, m_i) = 1 (review Theorem 4.2 in §4.3.2.5).
In linear algebra, the system (6.2.10) can be represented by the following vector space version:
Equation 6.2.11
where
Equation 6.2.12
Equation 6.2.13

Equation 6.2.14
Notice that because the i-th equation (for i = 1, 2, …, r) in the congruence system (6.2.10) holds modulo m_i, in the diagonal part of the matrix A, denotes the residue class 1 modulo m_i, that is,
Equation 6.2.15
for some integer k_i (i = 1, 2, …, r). The blank part of the matrix A represents 0 modulo the respective modulus (i.e., zeros in the i-th row mean zeros modulo m_i).
Thus, given any r-dimension vector , the problem of solving the system (6.2.10), or its vector-space version (6.2.11), boils down to that of identifying the diagonal matrix A, or in other words, finding the residue class 1 modulo m_i as required in (6.2.15) for i = 1, 2, …, r. We know from a fact in linear algebra that if the matrix A exists, then because none of the elements in its diagonal line is zero, the matrix has the full rank r and consequently, there exists a unique solution.
When the moduli in (6.2.10) are pairwise relatively prime to each other, it is not difficult to find a system of residue classes 1. This is according to the useful Chinese Remainder Theorem (CRT).
Theorem 6.7 Chinese Remainder Theorem
For the linear congruence system (6.2.10), if gcd(m_i, m_j) = 1 for 1 ≤ i < j ≤ r, then there exists satisfying

Equation 6.2.16
Consequently, there exists x as the unique solution to the system (6.2.10) where M = m_1 m_2 ⋯ m_r.
Proof We prove first the existence and then the uniqueness of the solution.
Existence For each i = 1, 2, …, r, gcd(m_i, M/m_i) = 1. By Theorem 4.2 (§4.3.2.5), there exists y_i satisfying
Equation 6.2.17
Moreover, for j ≠ i, because m_j | (M/m_i), we have
Equation 6.2.18
So (M/m_i) y_i is exactly the number that we are looking for to play the role of . Let
Equation 6.2.19
Then x is a solution to the system (6.2.10) and is a residue class modulo M.
Uni q ueness Vi ew t he l i near syst em def ined by ( 6. 2. 11) , ( 6. 2. 12) , ( 6. 2. 13) and ( 6. 2. 14) such
t hat t he el ement s of t he mat r i x A and t hose of t he vect or ar e al l in ( i. e. , t hey ar e al l
i nt eger s) . Not i ce t hat in
Equ at i on 6. 2 .2 0

This means that the r columns (vectors) of the matrix A form a basis for the r-dimension vector space (this basis is similar to a so-called "natural basis" in linear algebra where the only non-zero element in any basis-vector is 1). Therefore, for any vector , the system (6.2.11) has a unique solution . We have seen in the existence part of the proof that the unique elements of are given by (6.2.19).
The proof of Theorem 6.7 is constructive, that is, we have constructed an algorithm for finding the solution to the system (6.2.10). This algorithm is now specified in Alg 6.1.
Algorithm 6.1: Chinese Remainder
INPUT  integer tuple (m_1, m_2, ..., m_r), pairwise relatively prime;
       integer tuple (c_1 (mod m_1), c_2 (mod m_2), ..., c_r (mod m_r)).
OUTPUT integer x < M = m_1 m_2 ... m_r satisfying the system (6.2.10).
1. M ← m_1 m_2 ... m_r;
2. for (i from 1 to r) do
   a. y_i ← (M/m_i)^{-1} (mod m_i); (* by Extended Euclid Algorithm *)
   b. y_i M/m_i;
3. .
In Alg 6.1, the only time-consuming part is in step 2(a) where a multiplicative inversion of a large number is computed. This can be done by applying the Extended Euclid Algorithm (Alg 4.2). Considering m_i < M for i = 1, 2, ..., r, the time complexity of Alg 6.1 is O_B(r (log M)^2).
It is also easy to see the following results from Theorem 6.7:
i. every x yields a vector ; from (6.2.19) we can see that the elements in are computed by (for i = 1, 2, ..., r);
ii. in particular, 0 and 1 in yield and in , respectively;
iii. for x, x' yielding , , respectively, x x' yields .
Thus, we have also proven the following theorem (following Definition 5.16):
Theorem 6.8
If gcd(m_i, m_j) = 1 for 1 ≤ i < j ≤ r, then for M = m_1 m_2 ... m_r, is isomorphic to , and the isomorphism is
Theorem 6.8 is very useful in the study of cryptographic systems or protocols which use groups modulo composite integers. In many places in the rest of this book we will need to make use of the isomorphism between and where n = pq with p, q prime numbers. For example, we will make use of a property that the non-cyclic group is generated by two generators of the cyclic groups and , respectively.
Let us now look at an application of the Chinese Remainder Theorem: a calculation is made easy by applying the isomorphic relationship.

Example 6.2.
At this stage we do not yet know how to compute square roots modulo an integer (we will study the techniques in 6.6). However, in some cases a square number in some space (such as in ) is evident and so square rooting in that space is easy without need of using modulo arithmetic.
Let us apply Theorem 6.8 to compute one of the square roots of 29 in .
Limited to our knowledge for the moment, it is not evident to us that 29 is a square number in and so for the time being we do not know how to root it directly. However, if we apply Theorem 6.8 and map 29 to the isomorphic space × , we have
that is, the image is (4, 1). Both 4 and 1 are evident square numbers with 2 being a square root of 4 and 1 being a square root of 1. By isomorphism, we know one of the square roots of 29 in corresponds to (2, 1) in × . Applying the Chinese Remainder Algorithm (Alg 6.1), we obtain
and
Indeed, 22^2 = 484 ≡ 29 (mod 35).
As a matter of fact, 29 has four distinct square roots in . For an exercise, the reader may find the other three square roots of 29 (Exercise 6.4).
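As an added worked example (not the book's own code), here is Alg 6.1 in Python, with the Extended Euclid Algorithm supplying the inverse of step 2(a), applied to Example 6.2: 29 is mapped to (4, 1), rooted in each small space, and the root (2, 1) is pulled back to 22 modulo 35. Since the book defers square rooting modulo a prime to 6.6, the per-prime roots here come from a brute-force search (an assumption of this example), and the function names egcd, inverse_mod, chinese_remainder and square_roots_via_crt are mine.

```python
"""Algorithm 6.1 (Chinese Remainder) and its use in Example 6.2.

Added example, not the book's own code. Step 2(a) of Alg 6.1 uses the
Extended Euclid Algorithm; the per-prime square roots are found by a
brute-force search because the book postpones square rooting to 6.6.
"""
from itertools import product


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def inverse_mod(a, m):
    """Multiplicative inverse of a modulo m (step 2(a) of Alg 6.1)."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return s % m


def chinese_remainder(residues, moduli):
    """Alg 6.1: the x < M with x = c_i (mod m_i) for pairwise coprime m_i."""
    if len(residues) != len(moduli):
        raise ValueError("tuples differ in length")
    # Precondition of Theorem 6.7: the moduli are pairwise relatively prime.
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if egcd(moduli[i], moduli[j])[0] != 1:
                raise ValueError(f"gcd(m_{i + 1}, m_{j + 1}) != 1")
    M = 1
    for m in moduli:                            # step 1: M = m_1 ... m_r
        M *= m
    x = 0
    for c, m in zip(residues, moduli):          # step 2
        Mi = M // m
        y = inverse_mod(Mi, m)                  # y_i = (M/m_i)^{-1} (mod m_i)
        x += c * y * Mi                         # contribution c_i * y_i * M/m_i
    return x % M                                # reduce modulo M


def square_roots_mod_prime_by_search(a, p):
    """All x in [0, p) with x^2 = a (mod p); brute force, fine for tiny p."""
    return [x for x in range(p) if (x * x - a) % p == 0]


def square_roots_via_crt(a, primes):
    """Square roots of a modulo n = prod(primes) (distinct primes) via the
    isomorphism of Theorem 6.8: root in each small space, then recombine
    every choice of per-prime root with Alg 6.1."""
    per_prime = [square_roots_mod_prime_by_search(a % p, p) for p in primes]
    roots = set()
    for choice in product(*per_prime):
        roots.add(chinese_remainder(list(choice), list(primes)))
    return sorted(roots)


if __name__ == "__main__":
    # Example 6.2: 29 -> (4, 1) in Z_5 x Z_7; (2, 1) pulls back to 22.
    print(29 % 5, 29 % 7)                       # 4 1
    print(chinese_remainder([2, 1], [5, 7]))    # 22
    print(pow(22, 2, 35))                       # 29
    print(square_roots_via_crt(29, [5, 7]))     # all four roots modulo 35
```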

6.3 Euler's Phi Function
In 5.2.3 we have defined Euler's phi function in Definition 5.11. Now let us study some useful properties of it.
Lemma 6.1
Let φ(n) be Euler's phi function defined in Definition 5.11. Then
i. φ(1) = 1.
ii. If p is prime then φ(p) = p − 1.
iii. Euler's phi function is multiplicative. That is, if gcd(m, n) = 1, then φ(mn) = φ(m)φ(n).
iv. If is the prime factorization of n, then
Proof (i) and (ii) are trivial from Definition 5.11.
iii) Since φ(1) = 1, the equation φ(mn) = φ(m)φ(n) holds when either m = 1 or n = 1. So suppose m > 1 and n > 1. For gcd(m, n) = 1, consider the array
Equation 6.3.1
On the one hand, (6.3.1) consists of mn consecutive integers, so it is all the numbers modulo mn and therefore contains φ(mn) elements prime to mn.
On the other hand, observe (6.3.1). The first row is all the numbers modulo m, and all the elements in any column are congruent modulo m. So there are φ(m) columns consisting entirely of integers prime to m. Let
be any such column of n elements. With gcd(m, n) = 1, by Theorem 6.6, such a column is a complete residue system modulo n. So in each such column there are φ(n) elements prime to n.
To this end we know that in (6.3.1) there are φ(m)φ(n) elements prime to both m and n. Further notice that any element is prime to both m and n if and only if it is prime to mn.
Combining the results of the above two paragraphs, we have derived φ(mn) = φ(m)φ(n).
iv) For any prime p, in 1, 2, ..., p^e, the elements which are not prime to p^e are the multiples of p, i.e., p, 2p, ..., p^{e−1} p. Clearly, there are exactly p^{e−1} such numbers. So
This holds for each prime power p^e | n with p^{e+1} ∤ n. Noticing that different such prime powers of n are relatively prime to each other, the targeted result follows from (iii).
In 4.5 we considered a problem named SQUARE-FREENESS: answering whether a given odd composite integer n is square free. There we used φ(n) to serve as an auxiliary input to show that SQUARE-FREENESS is in . Now from Property (iv) of Lemma 6.1 we know that for any prime p > 1, if p^2 | n then p | φ(n). This is why we used gcd(n, φ(n)) = 1 as a witness for n being square free. The reader may consider the case gcd(n, φ(n)) > 1 (be careful of the case, e.g., n = pq with p | φ(q), see Exercise 6.5).
Euler's phi function has the following elegant property.
Theorem 6.9
Proof Let S_d = { x | 1 ≤ x ≤ n, gcd(x, n) = d }. It is clear that the set S = {1, 2, ..., n} is partitioned into disjoint subsets S_d for each d | n. Hence
Notice that for each d | n, #S_d = φ(n/d), therefore
However, for any d | n, we have (n/d) | n, therefore

Example 6.3.
For n = 12, the possible values of d | 12 are 1, 2, 3, 4, 6, and 12. We have φ(1) + φ(2) + φ(3) + φ(4) + φ(6) + φ(12) = 1 + 1 + 2 + 2 + 2 + 4 = 12.
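An added example (not the book's own code) that computes φ(n) by Lemma 6.1(iv) over a trial-division factorization, checks the divisor sum of Theorem 6.9 on Example 6.3 (n = 12) and on a range of n, and exercises the square-freeness witness gcd(n, φ(n)) = 1 together with the caveat from the text: n = 21 = 3·7 is square free, yet 3 | φ(7) = 6, so gcd(21, φ(21)) = 3 and the witness is unavailable. Function names (factorize, phi, divisor_phi_sum, is_square_free, square_free_witness_ok) are mine.

```python
"""Euler's phi function (Lemma 6.1), the divisor sum of Theorem 6.9 and the
square-freeness witness gcd(n, phi(n)) discussed after Lemma 6.1.

Added example, not the book's own code. Factorization is by trial
division, which is adequate for the small inputs used here.
"""
from math import gcd, isqrt


def factorize(n):
    """Prime factorization of n as a dict {p: e}, by trial division."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Lemma 6.1(iv): phi(n) = product of p^(e-1) (p - 1) over the prime
    powers p^e exactly dividing n, using multiplicativity (Lemma 6.1(iii))."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result


def phi_by_definition(n):
    """Definition 5.11 directly: count 1 <= x <= n with gcd(x, n) = 1."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def divisors(n):
    """All positive divisors of n, in increasing order."""
    ds = set()
    for d in range(1, isqrt(n) + 1):
        if n % d == 0:
            ds.add(d)
            ds.add(n // d)
    return sorted(ds)


def divisor_phi_sum(n):
    """Theorem 6.9: the sum of phi(d) over all d | n equals n."""
    return sum(phi(d) for d in divisors(n))


def is_square_free(n):
    """True iff no prime appears with exponent > 1 in n."""
    return all(e == 1 for e in factorize(n).values())


def square_free_witness_ok(n):
    """The witness from 4.5: gcd(n, phi(n)) = 1 implies n is square free,
    since p^2 | n forces p | phi(n) by Lemma 6.1(iv). The converse fails,
    e.g. for n = pq with p | phi(q) = q - 1, so a False here is not a proof
    that n has a square factor."""
    return gcd(n, phi(n)) == 1


if __name__ == "__main__":
    print(phi(12), divisor_phi_sum(12))                             # 4 12
    print(phi(18), is_square_free(18), square_free_witness_ok(18))  # 6 False False
    # Caveat: 21 = 3 * 7 is square free, but 3 | phi(7) = 6, so the witness fails.
    print(phi(21), is_square_free(21), square_free_witness_ok(21))  # 12 True False
    print(phi(36) == phi(4) * phi(9))                               # True (Lemma 6.1(iii))
```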

6.4 The Theorems of Fermat, Euler and Lagrange
We have introduced Fermat's Little Theorem in Chapter 4 (congruence (4.4.8)) and have since used it a few times but without having proved it. Now we prove Fermat's Little Theorem by showing that it is a special case of another famous theorem in number theory: Euler's Theorem.
Theorem 6.10 Fermat's Little Theorem
If p is prime and p ∤ a, then a^{p−1} ≡ 1 (mod p).
Since φ(p) = p − 1 for p being prime, Fermat's Little Theorem is a special case of the following theorem.
Theorem 6.11 Euler's Theorem
If gcd(a, n) = 1 then a^{φ(n)} ≡ 1 (mod n).
Proof For gcd(a, n) = 1, we know a (mod n) . Also . By Corollary 5.2, we have ord_n(a) | which implies a^{φ(n)} ≡ 1 (mod n).
Since Corollary 5.2 used in the proof of Theorem 6.11 is a direct application of Lagrange's Theorem (Theorem 5.1), we therefore say that Fermat's Little Theorem and Euler's Theorem are special cases of the beautiful Theorem of Lagrange.
In Chapter 4 we have seen the important role of Fermat's Little Theorem in probabilistic primality testing, which is useful for the generation of key material for many public-key cryptographic systems and protocols. Euler's Theorem will have an important application for the RSA cryptosystem which will be introduced in 8.5.

6.5 Quadratic Residues
Quadratic residues play important roles in number theory. For example, integer factorization algorithms invariably involve using quadratic residues. They also have frequent uses in encryption and interesting cryptographic protocols.
Definition 6.1: Quadratic Residue Let integer n > 1. For a , a is called a quadratic residue modulo n if x^2 ≡ a (mod n) for some x ; otherwise, a is called a quadratic non-residue modulo n. The set of quadratic residues modulo n is denoted by QR_n, and the set of quadratic non-residues modulo n is denoted by QNR_n.
Example 6.4.
Let us compute QR_11, the set of all quadratic residues modulo 11. QR_11 = {1^2, 2^2, 3^2, 4^2, 5^2, 6^2, 7^2, 8^2, 9^2, 10^2} (mod 11) = {1, 3, 4, 5, 9}.
In this example, we have computed QR_11 by exhaustively squaring elements in . However, this is not necessary. In fact, the reader may check
i.e., exhaustively squaring elements up to half the magnitude of the modulus suffices. The following theorem claims so for any prime modulus.
Theorem 6.12
Let p be a prime number. Then
i. QR_p = { x^2 (mod p) | 0 < x ≤ (p − 1)/2 };
ii. There are precisely (p − 1)/2 quadratic residues and (p − 1)/2 quadratic non-residues modulo p, that is, is partitioned into two equal-size subsets QR_p and QNR_p.
Proof (i) Clearly, the set S = { x^2 (mod p) | 0 < x ≤ (p − 1)/2 } ⊆ QR_p. To show QR_p = S we only need to prove QR_p ⊆ S.
Let any a ∈ QR_p. Then x^2 ≡ a (mod p) for some x < p. If x ≤ (p − 1)/2 then a ∈ S. Suppose x > (p − 1)/2. Then y = p − x ≤ (p − 1)/2 and y^2 ≡ (p − x)^2 ≡ p^2 − 2px + x^2 ≡ x^2 ≡ a (mod p). So QR_p ⊆ S.
ii) To show #QR_p = (p − 1)/2 it suffices to show that for 0 < x < y ≤ (p − 1)/2, x^2 ≢ y^2 (mod p). Suppose on the contrary, x^2 − y^2 ≡ (x + y)(x − y) ≡ 0 (mod p). Then p | x + y or p | x − y. Only the latter case is possible since x + y < p. Hence x = y, a contradiction.
Then #QNR_p = (p − 1)/2 since and .
In the proof of Theorem 6.12(i) we have actually shown the following:
Corollary 6.2
Let p be a prime number. Then for any a ∈ QR_p, there are exactly two square roots of a modulo p. Denoting by x one of them, then the other is −x (= p − x).
6.5.1 Quadratic Residuosity
Often we need to decide if a number is a quadratic residue element modulo a given modulus. This is the so-called quadratic residuosity problem.
Theorem 6.13 Euler's Criterion
Let p be a prime number. Then for any , x ∈ QR_p if and only if
Equation 6.5.1
Proof (⇒) For x ∈ QR_p, there exists such that y^2 ≡ x (mod p). So x^{(p−1)/2} ≡ y^{p−1} ≡ 1 (mod p) follows from Fermat's Theorem (Theorem 6.10).
(⇐) Let x^{(p−1)/2} ≡ 1 (mod p). Then x is a root of the polynomial y^{(p−1)/2} − 1 ≡ 0 (mod p). Notice that is a field; by Theorem 5.9(iii) (in 5.4.3) every element in the field is a root of the polynomial y^p − y ≡ 0 (mod p). In other words, every non-zero element of the field, i.e., every element in the group , is a root of
These roots are all distinct since this degree-(p − 1) polynomial can have at most p − 1 roots. Consequently, the (p − 1)/2 roots of the polynomial y^{(p−1)/2} − 1 ≡ 0 (mod p) must all be distinct. We have shown in Theorem 6.12 that QR_p contains exactly (p − 1)/2 elements, and they all satisfy y^{(p−1)/2} − 1 ≡ 0 (mod p). Any other element in must satisfy y^{(p−1)/2} + 1 ≡ 0 (mod p). Therefore x ∈ QR_p.
In the proof of Theorem 6.13 we have shown that if the criterion is not met for x, then
Equation 6.5.2
Euler's Criterion provides a criterion to test whether or not an element in is a quadratic residue: if congruence (6.5.1) is satisfied, then x ∈ QR_p; otherwise (6.5.2) is satisfied and x ∈ QNR_p.
Let n be a composite natural number with its prime factorization as
Equation 6.5.3
Then by Theorem 6.8, is isomorphic to . Since isomorphism preserves arithmetic, we have:
Theorem 6.14
Let n be a composite integer with complete factorization in (6.5.3). Then x ∈ QR_n if and only if
and hence if and only if x (mod p_i) ∈ QR_{p_i} for prime p_i with i = 1, 2, ..., k.
Therefore, if the factorization of n is known, given , the quadratic residuosity of x modulo n can be decided by deciding the residuosity of x (mod p) for each prime p | n. The latter task can be done by testing Euler's criterion.
However, if the factorization of n is unknown, deciding quadratic residuosity modulo n is a non-trivial task.
Definition 6.2: Quadratic Residuosity (QR) Problem
INPUT n: a composite number;

OUTPUT YES if x ∈ QR_n.
The QRP is a well-known hard problem in number theory and is one of the main four algorithmic problems discussed by Gauss in his "Disquisitiones Arithmeticae" [119]. An efficient solution for it would imply an efficient solution to some other open problems in number theory. In Chapter 14 we will study a well-known public-key cryptosystem named the Goldwasser-Micali cryptosystem; that cryptosystem has its security based on the difficulty of deciding the QRP.

Combining Theorem 6.12 and Theorem 6.14 we can obtain:

Theorem 6.15
Let n be a composite integer with k > 1 distinct prime factors. Then exactly a 1/2^k fraction of the elements are quadratic residues modulo n.
Thus, for a composite number n, an efficient algorithm for deciding quadratic residuosity modulo n would provide an efficient statistical test of the proportion of quadratic residues, and hence, by Theorem 6.15, an efficient algorithm for answering the question whether n has two or three distinct prime factors. This is because, by Theorem 6.15, in the former case (n has two distinct prime factors) exactly a quarter of the elements are quadratic residues, and in the latter case exactly one-eighth of them are. Consequently, the ensembles E_2Prime and E_3Prime (see §4.7) can be distinguished.
To date, for a composite n of unknown factorization, no algorithm is known to be able to decide quadratic residuosity modulo n in time polynomial in the size of n.
6.5.2 Legendre-Jacobi Symbols
Testing quadratic residuosity modulo a prime using Euler's criterion (6.5.1) involves evaluating a modular exponentiation, which is quite computation intensive. However, quadratic residuosity can be tested by a much faster algorithm. Such an algorithm is based on the notion of the Legendre-Jacobi symbol.

Definition 6.3: Legendre-Jacobi Symbol
For each prime number p and for any x let
is called the Legendre symbol of x modulo p.
Let n = p_1 p_2 ... p_k be the prime factorization of n (some of these prime factors may repeat). Then
is called the Jacobi symbol of x modulo n.
In the rest of this book this symbol will always be referred to as the Jacobi symbol whether or not n is prime.

For p being prime, comparing (6.5.1), (6.5.2) with Definition 6.3, we know
Equation 6.5.4
Moreover, the Jacobi symbol has the following properties.

Theorem 6.16
The Jacobi symbol has the following properties:
i. ;
ii. ;
iii. ;
iv. if x ≡ y (mod n) then ; (below m, n are odd numbers)
v. ;
vi. ;
vii. if gcd(m, n) = 1 and m, n > 2 then .

In Theorem 6.16, (i) to (iv) are immediate from the definition of the Jacobi symbol. A proof for (v) to (vii) uses no special technique either. However, due to its lengthiness and lack of immediate relevance to the topic of this book, we shall not include a proof but refer the reader to the standard textbooks on number theory (e.g., [170, 176]).
Theorem 6.16(vii) is known as Gauss' Law of Quadratic Reciprocity. Thanks to this law, it is not hard to see that the evaluation of the Jacobi symbol for gcd(x, n) = 1 can proceed in the same fashion as, and hence has the same computational complexity as, computing the greatest common divisor.
Remark 6.1
When we evaluate the Jacobi symbol by applying Theorem 6.16, the evaluation of the right-hand sides of (v) to (vii) must not be done via exponentiations. Since ord(−1) = 2 (in multiplication), all we need is the parity of these exponents. In Alg 6.2 we realize the evaluation by testing whether 2 divides these exponents.
Alg 6.2 provides a recursive specification of the properties of the Jacobi symbol listed in Theorem 6.2.
Algorithm 6.2: Legendre/Jacobi Symbol
INPUT odd integer n > 2, integer x.
OUTPUT the Jacobi symbol of x modulo n.
Jacobi(x, n)
1. if (x == 1) return(1);
2. if (2 | x)
   a. if (2 | (n^2 − 1)/8) return(Jacobi(x/2, n));
   b. return(−Jacobi(x/2, n));
   (* now x is odd *)
3. if (2 | (x − 1)(n − 1)/4) return(Jacobi(n mod x, x));
4. return(−Jacobi(n mod x, x)).
In Alg 6.2, each recursive call of the function Jacobi(·, ·) will cause either the first input value to be divided by 2, or the second input value to be reduced modulo the first. Therefore there can be at most log_2 n calls before the first input value is reduced to 1, reaching the terminating condition. So, rigorously expressed, because each modulo operation costs O_B((log n)^2) time, Alg 6.2 computes the Jacobi symbol in O_B((log n)^3) time.

However, we should notice that, in order to present the algorithm with ease of understanding, we have again chosen to sacrifice efficiency!
Instead of bounding each modulo operation by O_B((log n)^2), via a careful realization the total of the modulo operations in steps 3, 4 can be bounded by O_B((log n)^2). This situation is exactly the same as that for computing the greatest common divisor with a carefully designed algorithm: to exploit the fact expressed in (4.3.12). Consequently, for x with gcd(x, n) = 1, the Jacobi symbol can be computed in O_B((log n)^2) time. A careful realization of the counterpart for Alg 6.2 can be found in Chapter 1 of [79].
Compared with the complexity of evaluating Euler's criterion (5.4.5), which is O_B((log p)^3) due to the modular exponentiation, testing quadratic residuosity modulo a prime p using Alg 6.2 is log p times faster.

Example 6.5.
Let us show that 384 ∈ QNR_443.
Going through Alg 6.2 step by step, we have
Therefore 384 ∈ QNR_443.
Finally, we should notice that evaluation of the Jacobi symbol using Alg 6.2 does not need to know the factorization of n. This is a very important property which has a wide application in public-key cryptography, e.g., in the Goldwasser-Micali cryptosystem (§14.3.3) and in Blum's coin-flipping protocol (Chapter 19).
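The following is an added Python example, not code from the book: it implements Alg 6.2 as written above (halving x, or reducing n modulo x, with only parity tests on the exponents, as Remark 6.1 requires), records the recursion so that Example 6.5 can be followed call by call, cross-checks the result against Euler's criterion for every unit modulo a prime, and finishes with the composite-modulus caveat that motivates the QRP: a Jacobi symbol of 1 modulo a composite does not mean the element is a quadratic residue. The function names (jacobi, euler_criterion, agrees_with_euler, is_qr_bruteforce, example_6_5) are our own; the gcd guard that returns 0 for non-units is our defensive addition outside Alg 6.2's stated input domain.

```python
# Added example (not from the book): Alg 6.2 in Python, with an optional trace of the
# recursion so that Example 6.5 can be followed step by step.  The helper names
# (jacobi, euler_criterion, agrees_with_euler, is_qr_bruteforce, example_6_5) are our own.
from math import gcd


def jacobi(x, n, trace=None):
    """Jacobi symbol (x/n) for an odd integer n > 2, following Alg 6.2.

    Each recursive step either halves x (step 2) or reduces n modulo x (steps 3/4);
    only the parity of the exponents in Theorem 6.16 is needed (Remark 6.1), so the
    tests are divisibility-by-2 tests, never exponentiations.  If `trace` is a
    list, one (x, n, rule) tuple is appended per recursive call.
    """
    if n <= 2 or n % 2 == 0:
        raise ValueError("n must be an odd integer greater than 2")
    x %= n                      # Theorem 6.16(iv): the symbol depends only on x mod n
    if gcd(x, n) != 1:
        # Outside the input domain of Alg 6.2 (x must be a unit modulo n).  The Jacobi
        # symbol is 0 there; returning it also avoids the endless recursion that
        # x = 0 would otherwise cause in step 2.  This guard is our own addition.
        return 0
    if x == 1:                                      # step 1
        if trace is not None:
            trace.append((x, n, "step 1: x = 1, return 1"))
        return 1
    if x % 2 == 0:                                  # step 2: (2/n) = (-1)^((n^2-1)/8)
        sign = 1 if ((n * n - 1) // 8) % 2 == 0 else -1
        if trace is not None:
            trace.append((x, n, f"step 2{'a' if sign == 1 else 'b'}: x even, factor {sign:+d}"))
        return sign * jacobi(x // 2, n, trace)
    # x odd: quadratic reciprocity, Theorem 6.16(vii), sign (-1)^((x-1)(n-1)/4)
    sign = 1 if (((x - 1) * (n - 1)) // 4) % 2 == 0 else -1
    if trace is not None:
        trace.append((x, n, f"step {3 if sign == 1 else 4}: reciprocity, factor {sign:+d}"))
    return sign * jacobi(n % x, x, trace)


def euler_criterion(x, p):
    """Legendre symbol via Euler's criterion, x^((p-1)/2) mod p, for an odd prime p and a unit x."""
    r = pow(x, (p - 1) // 2, p)
    if r == 1:
        return 1
    if r == p - 1:
        return -1
    raise ValueError("p is not prime or x is not a unit modulo p")


def agrees_with_euler(p):
    """True if Alg 6.2 and Euler's criterion agree for every x in Z_p^* (p an odd prime)."""
    return all(jacobi(x, p) == euler_criterion(x, p) for x in range(1, p))


def is_qr_bruteforce(x, n):
    """Brute-force quadratic residuosity test: is x the square of some unit modulo n?"""
    return any(z * z % n == x % n for z in range(1, n) if gcd(z, n) == 1)


def example_6_5():
    """Example 6.5: (384/443) = -1, so 384 is a quadratic non-residue modulo 443."""
    trace = []
    value = jacobi(384, 443, trace)
    return value, trace


if __name__ == "__main__":
    value, trace = example_6_5()
    for x, n, rule in trace:
        print(f"Jacobi({x}, {n}): {rule}")
    print("(384/443) =", value)
    # Caveat for composite n (the QRP of Section 6.5.1): Jacobi symbol 1 does not imply
    # quadratic residue.  (2/15) = (2/3)(2/5) = (-1)(-1) = 1, yet 2 is not a square mod 15.
    print("(2/15) =", jacobi(2, 15), "; 2 is a QR mod 15:", is_qr_bruteforce(2, 15))
```

Running the trace for (384, 443) shows seven applications of step 2b (384 = 2^7 · 3, and 443 ≡ 3 (mod 8) makes 2 a non-residue), one reciprocity step with a negative sign, one more step 2b for Jacobi(2, 3), and the terminating step 1; the product of the signs is −1, as Example 6.5 states. The last two lines are the point a practitioner should keep in mind: the symbol is cheap to compute without the factorization of n, which is exactly why it cannot by itself decide residuosity modulo a composite.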

6.6 Square Roots Modulo Integer
In Example 6.2 we have had an experience of "computing a square root modulo an integer." However, the "algorithm" used there should not qualify as an algorithm, because we were lucky to have managed to map, using the isomorphism in Theorem 6.8, a seemingly difficult task to two trivially easy ones: computing square roots of 1 and 4, which happen to be square numbers, for which the "rooting algorithm" is known even to primary school pupils. In general, the isomorphism in Theorem 6.8 will not be so kind to us: in the overwhelming majority of cases the image will not be a square number.
Now we introduce algorithmic methods for computing square roots of a quadratic residue element modulo a positive integer. We start by considering a prime modulus. By Corollary 6.2, the two square roots of a quadratic residue are complements of one another modulo the prime modulus, so it suffices for us to consider computing one square root of a quadratic residue element.
For most of the odd prime numbers the task is very easy. These cases include primes p such that p ≡ 3, 5, 7 (mod 8).
6.6.1 Computing Square Roots Modulo Prime
Case p ≡ 3, 7 (mod 8)
In this case, p + 1 is divisible by 4. For a ∈ QR_p, let x ≡ a^((p+1)/4) (mod p). Then, because a^((p−1)/2) ≡ 1 (mod p), we have x^2 ≡ a^((p+1)/2) ≡ a · a^((p−1)/2) ≡ a (mod p). So indeed x is a square root of a modulo p.

Case p ≡ 5 (mod 8)
In this case, p + 3 is divisible by 8; also, because (p − 1)/2 is even, −1 meets Euler's criterion as a quadratic residue. For a ∈ QR_p, let
Equation 6.6.1
From a^((p−1)/2) ≡ 1 (mod p) we know a^((p−1)/4) ≡ ±1 (mod p); this is because in a field 1 has only two square roots: 1 and −1. Consequently

That is, we have found that x computed in (6.6.1) is a square root of either a or −a. If the sign is + we are done. If the sign is −, then we have
Therefore
Equation 6.6.2
will be the solution. So the task boils down to computing a square root of −1 (mod p). Let b be any quadratic non-residue mod p. Then by Euler's criterion
so b^((p−1)/4) (mod p) can be used as that square root of −1. By the way, since p ≡ 5 (mod 8), p^2 − 1 is 8 times an odd number; so by Theorem 6.16(vi), 2 ∈ QNR_p. That is, for this case of p we can use 2^((p−1)/4) as the square root of −1. Then one may check that (6.6.2) becomes
Equation 6.6.3
We can save one modular exponentiation by using the right-hand side of (6.6.3).

Algorithm 6.3: Square Root Modulo p ≡ 3, 5, 7 (mod 8)
INPUT prime p satisfying p ≡ 3, 5, 7 (mod 8); integer a ∈ QR_p.
OUTPUT a square root of a modulo p.
1. if (p ≡ 3, 7 (mod 8)) return(a^((p+1)/4) (mod p));
   (* below p ≡ 5 (mod 8) *)
2. if (a^((p−1)/4) ≡ 1 (mod p)) return(a^((p+3)/8) (mod p));
3. return((4a)^((p+3)/8) / 2 (mod p)).
The time complexity of Alg 6.3 is O_B((log p)^3).
Computing Square Roots Modulo Prime in General Case
The method described here is due to Shanks (see §1.5.1 of [79]).
For the general case of a prime p, we can write p − 1 = 2^e q with q odd and e ≥ 1. By Theorem 5.2 (in §5.2.3), the cyclic multiplicative group modulo p has a unique cyclic subgroup G of order 2^e. Clearly, quadratic residues in G have orders that are powers of 2, since they divide 2^(e−1).
For a ∈ QR_p, since (a^q)^(2^e) = a^(p−1) ≡ 1 (mod p), a^q (mod p) is in G and is of course a quadratic residue. So there exists an even integer k with 0 ≤ k < 2^e such that
Equation 6.6.4
where g is a generator of G. Suppose that we have found the generator g and the even integer k.

Then setting
it is easy to check that x^2 ≡ a (mod p).
Thus, the task boils down to two sub-tasks: (i) finding a generator g of the group G, and (ii) finding the least non-negative even integer k such that (6.6.4) is satisfied.
Sub-task (i) is rather easy. For any f ∈ QNR_p, because q is odd, f^q ∈ QNR_p and ord_p(f^q) = 2^e; hence f^q is a generator of G. Finding f is rather easy: pick a random element and test it using Alg 6.2. Since half the elements are quadratic non-residues, the probability of finding a correct f in one go is one-half.
Sub-task (ii) is not too difficult either. The search for k from (6.6.4) is fast by utilizing the fact that non-unity quadratic-residue elements in G have orders that are powers of 2. Thus, letting initially
Equation 6.6.5
then b ∈ G. We can search for the least integer m with 0 ≤ m < e such that
Equation 6.6.6
and then modify b into
Equation 6.6.7
Notice that b, after the modification in (6.6.7), has its order reduced from that in (6.6.5) while remaining a quadratic residue in G, and so the reduced order should remain a power of 2. Therefore, the reduction must be in terms of a power of 2, and consequently, repeating (6.6.6) and (6.6.7), m in (6.6.6) will strictly decrease. Upon m = 0, (6.6.6) shows b = 1, and thereby (6.6.7) becomes (6.6.4), and so k can be found by accumulating 2^m in each loop of repetition. The search will terminate in at most e loops.
It is now straightforward to put our descriptions into Alg 6.4.

Since e < log_2 p, the time complexity of Alg 6.4 is O_B((log p)^4).

Remark 6.2
For the purpose of better exposition, we have presented Alg 6.4 by following our explanation of the working principle of Shanks' algorithm; in particular, we have followed precisely the explanation of Sub-task (ii) for searching the even exponent k. In so doing, our presentation of Shanks' algorithm sacrifices a little bit of efficiency: explicitly finding k, which is unnecessary since g^(k/2) can be obtained as a byproduct in step 3, costs an additional modular exponentiation in step 4. For the optimized version of Shanks' algorithm, see Algorithm 1.5.1 in [79].
Finally we should point out that Alg 6.4 contains Alg 6.3 as three special cases.

Algorithm 6.4: Square Root Modulo Prime
INPUT prime p; integer a ∈ QR_p.
OUTPUT a square root of a modulo p.
1. (* initialize *) set p − 1 = 2^e q with q odd; b ← a^q (mod p); r ← e; k ← 0;
2. (* sub-task (i), using Alg 6.2 *) find f ∈ QNR_p; g ← f^q (mod p);
3. (* sub-task (ii), searching even exponent k *) while (b ≠ 1) do
   3.1 find the least non-negative integer m such that b^(2^m) ≡ 1 (mod p);
   3.2 b ← b g^(2^(r−m)) (mod p); k ← k + 2^(r−m); r ← m;
4. return(a^((q+1)/2) g^(k/2) (mod p)).
6.6.2 Computing Square Roots Modulo Composite
Thanks to Theorem 6.8, we know that, for n = pq with p, q primes, the multiplicative group modulo n is isomorphic to the product of the multiplicative groups modulo p and modulo q. Since an isomorphism preserves the arithmetic, the relation x^2 ≡ y (mod n) holds if and only if it holds modulo both p and q. Therefore, if the factorization of n is given, square rooting modulo n can be computed using Alg 6.5.
Clearly, the time complexity of Alg 6.5 is O_B((log n)^4).
By Corollary 6.2, y (mod p) has two distinct square roots, which we denote by x_p and p − x_p, respectively. So does y (mod q), whose roots we denote by x_q and q − x_q, respectively. By the isomorphic relationship (Theorem 6.8), we know that y ∈ QR_n has exactly four square roots. By Alg 6.5, these four roots are
Equation 6.6.8
Thus, if we apply (6.6.8) in Step 2 of Alg 6.5, we can compute all four square roots of the element input to the algorithm.
Algorithm 6.5: Square Root Modulo Composite
INPUT primes p, q with n = pq; integer y ∈ QR_n.
OUTPUT a square root of y modulo n.
1. compute x_p, a square root of y modulo p, and x_q, a square root of y modulo q; (* applying Algorithm 6.3 or 6.4 *)
2. return the residue modulo n that is congruent to x_p modulo p and to x_q modulo q. (* applying Alg 6.1 *)

For an exercise, we ask: if n = pqr with p, q, r distinct prime numbers, how many square roots are there for each y ∈ QR_n?
We now know that if the factorization of n is known, then computing square roots of any given element in QR_n can be done efficiently. Now, what can we say about square rooting modulo n without knowing the factorization of n? The third part of the following theorem answers this question.

Theorem 6.17
Let n = pq with p, q being distinct odd primes and let y ∈ QR_n. Then the four square roots of y constructed in (6.6.8) have the following properties:
i. they are distinct from one another;
ii. x_1 + x_4 = x_2 + x_3 = n;
iii. gcd(x_1 + x_2, n) = gcd(x_3 + x_4, n) = q, gcd(x_1 + x_3, n) = gcd(x_2 + x_4, n) = p.

Proof
i. Noticing the meaning of the p- and q-components defined by (6.2.15) and (6.2.16), we have, e.g., x_1 (mod q) = x_q and x_2 (mod q) = q − x_q. Remember, x_q and q − x_q are two distinct square roots of y (mod q). So x_1 ≢ x_2 (mod q) implies x_1 ≢ x_2 (mod n), i.e., x_1 and x_2 are distinct. Other cases can be shown analogously.
ii. From (6.6.8) we have
The right-hand side value is congruent to 0 modulo p and modulo q. From these roots' membership in the residues modulo n we have 0 < x_1 + x_4 = x_2 + x_3 < 2n. Clearly, n is the only value in the interval (0, 2n) that is congruent to 0 modulo p and q. So x_1 = n − x_4 and x_2 = n − x_3.
iii. We only study the case x_1 + x_2; other cases are analogous. Observing (6.6.8) we have
Therefore x_1 + x_2 ≡ 2x_p ≢ 0 (mod p) and x_1 + x_2 ≡ 0 (mod q). Namely, x_1 + x_2 is a non-zero multiple of q, but not a multiple of p. This implies gcd(x_1 + x_2, n) = q.

Suppose there exists an efficient algorithm A which, on input (y, n) for y ∈ QR_n, outputs x such that x^2 ≡ y (mod n). Then we can run A(x^2, n) to obtain a square root of x^2, which we denote by x'. By Theorem 6.17(iii), the probability for 1 < gcd(x + x', n) < n is exactly one half (the probability space being the four square roots of y). That is, the algorithm A is an efficient algorithm for factoring n.
Combining Alg 6.5 and Theorem 6.5(iii), we have

Corollary 6.3
Let n = pq with p and q being distinct odd primes. Then factoring n is computationally equivalent to computing square roots modulo n.

Also from Theorem 6.17(ii) and the fact that $n$ is odd, we have
Corollary 6.4
Let $n = pq$ with $p$ and $q$ being distinct odd primes. Then for any $y \in QR_n$, two square roots of $y$ are less than $n/2$, and the other two roots are larger than $n/2$.
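As an added example (not the book's own code), the following Python builds the four square roots of $y$ modulo $n = pq$ as in (6.6.8), checks Theorem 6.17 and Corollary 6.4 on every residue, and simulates the reduction of Corollary 6.3 with a root oracle that knows $p$ and $q$. The ordering $x_1, \dots, x_4$ is the one used in the proof above; $p = 7$, $q = 11$, $y = 4$ and all function names are constructed here.

```python
# Added example, not the book's own code: square roots modulo n = pq (Theorem 6.17,
# Corollaries 6.3 and 6.4). Constructed parameters: p = 7, q = 11, n = 77, y = 4.
import random
from math import gcd


def crt_combine(a_p, a_q, p, q):
    """Unique x in [0, n) with x = a_p (mod p) and x = a_q (mod q) (Alg 6.1 style)."""
    n = p * q
    lam_p = q * pow(q, -1, p)   # 1 (mod p), 0 (mod q)
    lam_q = p * pow(p, -1, q)   # 0 (mod p), 1 (mod q)
    return (a_p * lam_p + a_q * lam_q) % n


def roots_mod_prime(y, p):
    """Square roots of y modulo a small prime p by exhaustive search, so the example
    does not depend on any particular root-extraction algorithm."""
    return sorted(x for x in range(1, p) if x * x % p == y % p)


def four_square_roots(y, p, q):
    """x1..x4 of (6.6.8) in the ordering the proof of Theorem 6.17 uses:
    x1 = (x_p, x_q), x2 = (x_p, -x_q), x3 = (-x_p, x_q), x4 = (-x_p, -x_q),
    each pair meaning the residues modulo p and modulo q respectively."""
    rp, rq = roots_mod_prime(y, p), roots_mod_prime(y, q)
    if not rp or not rq:
        raise ValueError("y is not a quadratic residue modulo n")
    x_p, x_q = rp[0], rq[0]
    return (crt_combine(x_p, x_q, p, q),
            crt_combine(x_p, q - x_q, p, q),
            crt_combine(p - x_p, x_q, p, q),
            crt_combine(p - x_p, q - x_q, p, q))


def theorem_6_17_holds(y, p, q):
    """Check (i)-(iii) of Theorem 6.17 and Corollary 6.4 for one y in QR_n."""
    n = p * q
    roots = four_square_roots(y, p, q)
    x1, x2, x3, x4 = roots
    are_roots = all(x * x % n == y % n for x in roots)
    distinct = len(set(roots)) == 4                                   # (i)
    pair_sums = x1 + x4 == n and x2 + x3 == n                         # (ii)
    gcds = (gcd(x1 + x2, n) == gcd(x3 + x4, n) == q
            and gcd(x1 + x3, n) == gcd(x2 + x4, n) == p)              # (iii)
    two_small = sum(1 for x in roots if 2 * x < n) == 2               # Corollary 6.4
    return are_roots and distinct and pair_sums and gcds and two_small


def quadratic_residues(p, q):
    n = p * q
    return sorted({x * x % n for x in range(1, n) if gcd(x, n) == 1})


def theorem_6_17_holds_for_all(p, q):
    return all(theorem_6_17_holds(y, p, q) for y in quadratic_residues(p, q))


def make_root_oracle(p, q, rng):
    """Simulates the algorithm A of Corollary 6.3: a party that knows p and q can
    return a uniformly random one of the four square roots of y."""
    def oracle(y):
        return rng.choice(four_square_roots(y, p, q))
    return oracle


def factor_with_root_oracle(n, oracle, rng, max_tries=64):
    """The reduction of Corollary 6.3: pick a random x, ask A for a root x' of x^2,
    and with probability 1/2 (Theorem 6.17(iii)) gcd(x + x', n) is a proper factor."""
    for _ in range(max_tries):
        x = rng.randrange(2, n)
        d = gcd(x, n)
        if d == 1:
            d = gcd(x + oracle(x * x % n), n)
        if 1 < d < n:
            return (min(d, n // d), max(d, n // d))
    return None


def demo_factor(p, q, seed=1):
    """Run the reduction on n = p*q with fixed seeds so the outcome is reproducible."""
    n = p * q
    oracle = make_root_oracle(p, q, random.Random(seed + 1))
    return factor_with_root_oracle(n, oracle, random.Random(seed))
```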

6.7 Blum Integers
Blum integers have wide applications in public-key cryptography.
Definition 6.4: Blum Integer A composite integer $n$ is called a Blum integer if $n = pq$ where $p$ and $q$ are distinct prime numbers satisfying $p \equiv q \equiv 3 \pmod 4$.
A Blum integer has many interesting properties. The following are some of them which are very useful in public-key cryptography and cryptographic protocols.
Theorem 6.18
Let $n$ be a Blum integer. Then the following properties hold for $n$:
i. [formula lost];
ii. For [formula lost], if [formula lost] then either $y \in QR_n$ or $-y = n - y \in QR_n$;
iii. Any $y \in QR_n$ has four square roots $u, -u, v, -v$ and they satisfy (w.l.o.g.)
a. [formula lost];
b. [formula lost];
c. [formula lost];
d. [formula lost];
iv. Function $f(x) = x^2 \pmod n$ is a permutation over $QR_n$;
v. For any $y \in QR_n$, exactly one square root of $y$ with Jacobi symbol 1 is less than $n/2$;
vi. $\mathbb{Z}_n^*$ is partitioned into four equivalence classes: one multiplicative group $QR_n$, and three cosets $(-1)QR_n$, $\xi QR_n$, $(-\xi)QR_n$; here $\xi$ is a square root of 1 with Jacobi symbol $-1$.
Proof

i. Notice that $p \equiv 3 \pmod 4$ implies [formula lost]. Then by Euler's Criterion (6.5.1), we have [formula lost]. Analogously, [formula lost].
ii. [formula lost] implies either [formula lost] or [formula lost]. For the first case, $y \in QR_n$ due to the definition of Legendre symbol (Definition 6.3) and Theorem 6.14. For the second case, (i) implies [formula lost]. Hence $-y \in QR_n$.
iii. First of all, by Theorem 6.17(ii), we can indeed denote the four distinct square roots of $y$ by $u$, $-u$ $(= n - u)$, $v$ and $-v$.
Next, from $u^2 \equiv v^2 \pmod n$, we have $(u + v)(u - v) \equiv 0 \pmod p$, that is, $u \equiv \pm v \pmod p$. Similarly, $u \equiv \pm v \pmod q$. However, by Theorem 6.17(i), $u \not\equiv \pm v \pmod n$, so only the following two cases are possible:
[formula lost] or [formula lost]
These two cases plus (i) imply [formula lost].
Thus, if [formula lost] then [formula lost], and if [formula lost] then [formula lost]. Without loss of generality, the four distinct Legendre-symbol characterizations in (a)-(d) follow from the multiplicative property of the Legendre-Jacobi symbol and (i).
iv. For any $y \in QR_n$, by (iii) there exists a unique $x \in QR_n$ satisfying $f(x) = y$. Thus, $f(x)$ is a 1-1 and onto mapping, i.e., a permutation, over $QR_n$.
v. By (iii), the square root with Jacobi symbol 1 is either $u$ or $n - u$. Only one of them

can be less than $n/2$ since $n$ is odd. (So, exactly one square root with Jacobi symbol 1 is less than $n/2$; the other two roots are larger than $n/2$ and have the opposite Jacobi symbols.)
vi. It is trivial to check that $QR_n$ forms a group under multiplication modulo $n$ with 1 as the identity. Now by (iii), the four distinct square roots of 1 have the four distinct Legendre-symbol characterizations in (a), (b), (c), and (d), respectively. Therefore the four sets $QR_n$, $(-1)QR_n$, $\xi QR_n$, $(-\xi)QR_n$ are pairwise disjoint. These four sets make up $\mathbb{Z}_n^*$ because by Theorem 6.15, [formula lost].
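An added Python example (not the book's or the author's code) that exercises Theorem 6.18 on the constructed Blum integer $n = 7 \cdot 11 = 77$: the Legendre/Jacobi characterization of the four roots in (iii), the squaring permutation of (iv) together with its inverse (the construction Exercise 6.14 asks for, built from the $y^{(p+1)/4}$ root and the CRT), the unique small root of (v), and property (ii). The Jacobi symbol is evaluated with the standard reciprocity algorithm so that it needs no knowledge of $p$ and $q$; function names are constructed here.

```python
# Added example, not the book's own code: properties of a Blum integer (Theorem 6.18)
# and the inverse of squaring over QR_n (Exercise 6.14). Constructed parameters:
# p = 7, q = 11 (both 3 mod 4), n = 77, y = 4.
from math import gcd


def is_blum(p, q):
    """Definition 6.4: n = pq with distinct primes p = q = 3 (mod 4) (primality assumed)."""
    return p != q and p % 4 == 3 and q % 4 == 3


def legendre(a, p):
    """Legendre symbol (a/p) by Euler's criterion (6.5.1): a^((p-1)/2) mod p."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n, computed by quadratic reciprocity without
    factoring n (this is what a party who does not know p, q can evaluate)."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:            # factors of 2: (2/n) = -1 iff n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def crt_combine(a_p, a_q, p, q):
    """Unique x in [0, n) with x = a_p (mod p) and x = a_q (mod q)."""
    n = p * q
    return (a_p * q * pow(q, -1, p) + a_q * p * pow(p, -1, q)) % n


def blum_square_root(y, p, q):
    """Inverse of f(x) = x^2 (mod n) over QR_n (Exercise 6.14, hint: CRT on Case 1
    of Alg 6.3). For p = 3 (mod 4), y^((p+1)/4) is a root of y that is itself a
    residue mod p; combining the two such roots gives the one root of y in QR_n."""
    x_p = pow(y % p, (p + 1) // 4, p)
    x_q = pow(y % q, (q + 1) // 4, q)
    return crt_combine(x_p, x_q, p, q)


def roots_with_symbols(y, p, q):
    """The four roots u, -u, v, -v of y in QR_n, each tagged with
    ((x/p), (x/q), Jacobi (x/n)); compare (a)-(d) of Theorem 6.18(iii)."""
    n = p * q
    u = blum_square_root(y, p, q)
    v = crt_combine(u % p, (-u) % q, p, q)       # v = u (mod p), v = -u (mod q)
    return {x: (legendre(x, p), legendre(x, q), jacobi(x, n))
            for x in (u, n - u, v, n - v)}


def small_root_with_jacobi_one(y, p, q):
    """Theorem 6.18(v): the unique root of y with Jacobi symbol 1 that is < n/2.
    Returns None if that root is not unique (it always is for a Blum integer)."""
    n = p * q
    hits = [x for x, (_, _, j) in roots_with_symbols(y, p, q).items()
            if j == 1 and 2 * x < n]
    return hits[0] if len(hits) == 1 else None


def quadratic_residues(p, q):
    n = p * q
    return {x * x % n for x in range(1, n) if gcd(x, n) == 1}


def squaring_permutes_qr(p, q):
    """Theorem 6.18(iv): x -> x^2 mod n is a bijection of QR_n, and
    blum_square_root is its inverse."""
    n = p * q
    qr = quadratic_residues(p, q)
    image = {x * x % n for x in qr}
    inverse_ok = all(blum_square_root(y, p, q) in qr
                     and blum_square_root(y, p, q) ** 2 % n == y for y in qr)
    return image == qr and inverse_ok


def jacobi_one_splits_qr(p, q):
    """Theorem 6.18(ii): whenever (y/n) = 1, exactly one of y and n - y is in QR_n."""
    n = p * q
    qr = quadratic_residues(p, q)
    return all((y in qr) != ((n - y) in qr)
               for y in range(1, n) if gcd(y, n) == 1 and jacobi(y, n) == 1)


def jacobi_matches_legendre_product(p, q):
    """Sanity check of jacobi(): (a/n) = (a/p)(a/q) for every a coprime to n."""
    n = p * q
    return all(jacobi(a, n) == legendre(a, p) * legendre(a, q)
               for a in range(1, n) if gcd(a, n) == 1)
```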

6.8 Chapter Summary
In this chapter we have conducted a study in the following topics of elementary number theory:
Linear congruences
Chinese Remainder Theorem (with algorithm)
Lagrange's, Euler's and Fermat's theorems
Quadratic residues and Legendre-Jacobi symbols (with algorithm)
Square roots modulo integers and the relation to factorization (with algorithm for root extraction)
Blum integers and their properties
In addition to introducing the basic knowledge and facts, we have also studied several important algorithms (Chinese Remainder, Jacobi symbol, square-rooting), with their working principles explained and their time complexity behaviors analyzed. In so doing, we considered that these algorithms not only have theoretic importance, but also have practical importance: these algorithms are frequently used in cryptography and cryptographic protocols.
In the rest of this book we will frequently apply the knowledge, facts, skills and algorithms which we have learned in this chapter.

Exercises
6.1 Let $m, n$ be positive integers satisfying $m \mid n$. Show that the operation "$(\bmod\ m)$" partitions $\mathbb{Z}_n$ into $n/m$ equivalence classes, each having $m$ elements.
6.2 Under the same condition of the preceding problem, show [formula lost].
6.3 Use the Chinese Remainder Algorithm (Alg 6.1) to construct an element in [formula lost] which maps to $(2, 3)$ under the isomorphism in Theorem 6.1. Prove that this element has the maximum order.
6.4 Use the method in Example 6.2 to find the other three square roots of 29 in $\mathbb{Z}_{35}^*$. Find analogously the four square roots of 1 in $\mathbb{Z}_{35}^*$.
Hint: $29 \pmod 5 = 4$ which has square roots 2 and 3 $(= -2 \pmod 5)$, and $29 \pmod 7 = 1$ which has square roots 1 and 6 $(= -1 \pmod 7)$; the four square roots of 29 modulo 35 are isomorphic to $(2, 1)$, $(2, 6)$, $(3, 1)$ and $(3, 6)$ in $\mathbb{Z}_5 \times \mathbb{Z}_7$.
6.5 Construct an odd composite number $n$ such that $n$ is square free, i.e., there exists no prime $p$ such that $p^2 \mid n$, however $\gcd(n, \phi(n)) > 1$.
6.6 Let $m \mid n$. Prove that for any [formula lost], $\mathrm{ord}_m(x) \mid \mathrm{ord}_n(x)$.
6.7 Let $n = pq$ with $p, q$ being distinct primes. Since $p - 1 \mid \phi(n)$, there exist elements in $\mathbb{Z}_n^*$ of order dividing $p - 1$. (Similarly, there are elements of order dividing $q - 1$.) Prove that for any [formula lost], if $\mathrm{ord}_n(g) \mid p - 1$ and [formula lost], then $\gcd(g - 1, n) = q$. (Similarly, for any [formula lost] of $\mathrm{ord}_n(h) \mid q - 1$ and $\mathrm{ord}_n(h) \mid p - 1$, $\gcd(h - 1, n) = p$.)
6.8 Let $n = pq$ with $p, q$ being distinct primes. Show that for any [formula lost], it holds that $g^{p+q} \equiv g^{n+1} \pmod n$. For $|p| \approx |q|$, show that an upper bound for factoring $n$ is $n^{1/4}$.
Hint: find $p + q$ from $g^{n+1} \pmod n$ using Pollard's $\lambda$-algorithm; then factor $n$ using $p + q$ and $pq$.
6.9 Let $p$ be a prime. Show that a generator of the group $\mathbb{Z}_p^*$ must be a quadratic non-residue. Analogously, let $n$ be an odd composite; show that elements in $\mathbb{Z}_n^*$ of the maximum order must be quadratic non-residues.
6.10 Testing quadratic residuosity modulo $p$ using Euler's criterion is $\log p$ times slower than doing so via evaluation of the Legendre symbol. Why?
6.11 Factor 35 using the square roots computed in Exercise 6.4.

6.12 Show that $QR_n$ is a subgroup of $J_n(1)$ and the latter is a subgroup of $\mathbb{Z}_n^*$.
6.13 Let $n = pq$ with $p$ and $q$ being distinct primes. Under what condition is $-1 \in QR_n$? Under what condition [formula lost]?
6.14 Let $n$ be a Blum integer. Construct the inversion of the function $f(x) = x^2 \pmod n$ over $QR_n$.
Hint: apply the Chinese Remainder Theorem (Alg 6.1) to Case 1 of Alg 6.3.
6.15 Let $n = pq$ be a Blum integer satisfying $\gcd(p - 1, q - 1) = 2$. Show that the group $J_n(1)$ is cyclic.
Hint: apply the Chinese Remainder Theorem to construct an element using a generator of $\mathbb{Z}_p^*$ and one of $\mathbb{Z}_q^*$. Prove that this element is in $J_n(1)$ and is of order $\#J_n(1)$.

Part III: Basic Cryptographic Techniques
This part contains four chapters which introduce the most basic cryptographic techniques for confidentiality and data integrity. Chapter 7 introduces symmetric encryption techniques, Chapter 8 introduces asymmetric encryption techniques, Chapter 9 considers an important security quality possessed by the basic and popular asymmetric cryptographic functions when they are used in an ideal world (where data are random), and finally, Chapter 10 introduces basic techniques for data integrity.
The basic cryptographic algorithms and schemes to be introduced in this part can be considered as "textbook crypto" since they can be found in many textbooks on cryptography. In this part we shall expose various weaknesses of these "textbook crypto" algorithms and schemes by demonstrating abundant attacks, even though we will not, and in fact cannot for the moment, fix these weaknesses. However, this book will not stop at the "textbook crypto" level of introduction to cryptography. Fit-for-application, i.e., non-textbook, versions of encryption algorithms and data-integrity mechanisms will be introduced in later chapters, and most of them are results of enhancement to their "textbook crypto" counterparts.
For readers who do not plan to proceed to an in-depth study of fit-for-application crypto and its strong security notions, this "textbook crypto" part will still provide them with explicit early warning signals on the general insecurity of "textbook crypto."

Chapter 7. Encryption - Symmetric Techniques
Section 7.1. Introduction
Section 7.2. Definition
Section 7.3. Substitution Ciphers
Section 7.4. Transposition Ciphers
Section 7.5. Classical Ciphers: Usefulness and Security
Section 7.6. The Data Encryption Standard (DES)
Section 7.7. The Advanced Encryption Standard (AES)
Section 7.8. Confidentiality Modes of Operation
Section 7.9. Key Channel Establishment for Symmetric Cryptosystems
Section 7.10. Chapter Summary
Exercises

7.1 Introduction
Secrecy is at the heart of cryptography. Encryption is a practical means to achieve information secrecy. Modern encryption techniques are mathematical transformations (algorithms) which treat messages as numbers or algebraic elements in a space and transform them between a region of "meaningful messages" and a region of "unintelligible messages". A message in the meaningful region and input to an encryption algorithm is called cleartext, and the unintelligible output from the encryption algorithm is called ciphertext. If we disregard the intelligibility of a message, then a message input to an encryption algorithm is conventionally called plaintext, which may or may not be intelligible. For example, a plaintext message can be a random nonce or a ciphertext message; we have seen such cases in some protocols studied in Chapter 2. Therefore, plaintext and ciphertext are a pair of respective notions: the former refers to messages input to, and the latter, output from, an encryption algorithm.
In order to restore information, an encryption transformation must be reversible, and the reversing transformation is called decryption. Conventionally, encryption and decryption algorithms are parameterized by cryptographic keys. An encryption algorithm and a decryption algorithm plus the description of the format of messages and keys form a cryptographic system or a cryptosystem.
Semantically, Shannon characterizes a desired property for a cryptosystem as follows: the ciphertext message space is the space of all possible messages, while the cleartext (notice: not plaintext, according to our convention given in the first paragraph above) message space is a sparse region inside the message space, in which messages have a certain fairly simple statistical structure, i.e., they are meaningful; a (good) encryption algorithm is a mixing-transformation which distributes the meaningful messages from the sparse and meaningful region fairly uniformly over the entire message space (pages 711-712 of [264]). Shannon characterizes this mixing property as follows:
Equation 7.1.1
[formula lost]
Here, $F$ denotes a mapping (an encryption algorithm) of a space (the message space) into itself, and $R$ denotes an initial and small region (the cleartext region) in that space. Shannon's semantic characterization for encryption expresses that a good encryption algorithm should have such a mix-transformation behavior: it can map a small initial region of a space into the entire space.
Although nowadays, in particular after the invention of public-key cryptography, it needn't be the case that an encryption algorithm is a mapping from a space into the space itself (this is still true for most cryptosystems, secret-key or public-key), Shannon's semantic characterization for encryption as a mixing-transformation remains very meaningful. The contemporary definition for semantic security of an encryption algorithm, which will be given in Section 14.3, essentially means that a ciphertext has a distribution in the message space which is indistinguishable from the uniform distribution in the same space.
7.1.1 Chapter Outline

In this chapter we will introduce the notion of cryptosystems, several well-known symmetric cryptosystems and the standard modes of operations. We begin by providing a formal syntactic definition for cryptosystems to be used in the rest of this book (Section 7.2). We then introduce several important classical ciphers (Sections 7.3-7.4). We will make explicit the importance of the classical cipher techniques by showing their widespread roles in modern ciphers and in cryptographic protocols (Section 7.5). After classical ciphers, two important modern block ciphers will be described: the Data Encryption Standard (DES, Section 7.6) and the Advanced Encryption Standard (AES, Section 7.7), and their design strategies will be explained. We will also provide a brief discussion on the AES's positive impact on applied cryptography (Section 7.7.5). The part on symmetric techniques will also include various standard modes of operations for using block ciphers which achieve probabilistic encryption (Section 7.8). We end our introduction to symmetric encryption techniques by posing the classical problem of key channel establishment (Section 7.9).

7.2 Definition

Syntactically, a cryptosystem can be defined as follows.

Definition 7.1: Cryptographic System. A cryptographic system consists of the following:

- a plaintext message space M: a set of strings over some alphabet;
- a ciphertext message space C: a set of possible ciphertext messages;
- an encryption key space K: a set of possible encryption keys, and a decryption key space K': a set of possible decryption keys;
- an efficient key generation algorithm G;
- an efficient encryption algorithm E;
- an efficient decryption algorithm D.

For integer ℓ ≥ 1, G(1^ℓ) outputs a key pair (k_e, k_d) ∈ K × K' of length ℓ.

For k_e ∈ K and m ∈ M, we denote by

E_{k_e}(m) = c

the encryption transformation and read it as "c is an encryption of m under key k_e," and we denote by

D_{k_d}(c) = m

the decryption transformation and read it as "m is the decryption of c under key k_d." It is necessary that for all m ∈ M and all k_e ∈ K, there exists k_d ∈ K':

Equation 7.2.1

In the rest of the book we will use this set of syntactic notation to denote abstract cryptosystems, except in some places where different notations have conventionally been used in the literature. Fig 7.1 provides an illustration of cryptosystems.

Figure 7.1. Cryptographic Systems

Definition 7.1 applies to cryptosystems which use secret keys as well as to those which use public keys (public-key cryptosystems will be introduced in the next chapter). In a secret-key cryptosystem, encryption and decryption use the same key. The principal who encrypts a message must share the encryption key with the principal who will be receiving and decrypting the encrypted message. The fact k_d = k_e gives secret-key cryptosystems another name: symmetric cryptosystems. In a public-key cryptosystem, encryption and decryption use different keys: for every key k_e ∈ K there exists k_d ∈ K' such that the two keys are different and match each other; the encryption key k_e need not be kept secret, and the principal who is the owner of k_e can decrypt a ciphertext encrypted under k_e using the matching private key k_d. The fact k_d ≠ k_e gives public-key cryptosystems another name: asymmetric cryptosystems.

By requiring encryption algorithms to be efficient, we mean that such algorithms include probabilistic polynomial-time ones. Hence, although the abstract notation E_{k_e}(m) looks deterministic, it can involve an internal random move, and so an output ciphertext can be a random variable of this internal random move. Also notice that the integer input to the key generation algorithm G provides the size of the output encryption/decryption keys. Since the key generation algorithm is efficient, with running time polynomial in the size of its input, the input integer value should use the unary representation (the reason is explained in 4.4.6.1).

In 1883, Kerckhoffs wrote a list of requirements for the design of cryptosystems (see page 14 of [198]). One of the items in Kerckhoffs' list has evolved into a widely accepted convention known as Kerckhoffs' principle:

    Knowledge of the algorithm and key size, as well as the availability of known plaintext, are standard assumptions in modern cryptanalysis. Since an adversary may obtain this information eventually, it is preferable not to rely on its secrecy when assessing cryptographic strength.

Combining Shannon's semantic characterization of a cryptosystem with Kerckhoffs' principle, we can summarize the properties of a good cryptosystem as follows:

- Algorithms E and D contain no component or design part which is secret;
- E distributes meaningful messages fairly uniformly over the entire ciphertext message space; it may even be possible that the random distribution is due to some internal random

operation of E;
- With the correct cryptographic key, E and D are practically efficient;
- Without the correct key, the task of recovering from a ciphertext the corresponding plaintext is a problem whose difficulty is determined solely by the size of the key parameter, which usually takes a size s such that solving the problem requires computational resources of a quantitative measure beyond p(s) for p being any polynomial.

We should notice that this list of desirable properties for a cryptosystem has become inadequate for cryptosystems in modern-day applications. More stringent requirements will be developed through our study of cryptosystems.

7.3 Substitution Ciphers

In a substitution cipher, the encryption algorithm E_k(m) is a substitution function which replaces each m ∈ M with a corresponding c ∈ C. The substitution function is parameterized by a secret key k. The decryption algorithm D_k(c) is merely the reverse substitution. In general, the substitution can be given by a mapping π, and the reverse substitution is just the corresponding inverse mapping π^{-1}.

7.3.1 Simple Substitution Ciphers

Example 7.1. A Simple Substitution Cipher

Let the alphabet be {A, B, ..., Z} and interpret A = 0, B = 1, ..., Z = 25. Define the encryption algorithm E_k(m) as the following permutation over the alphabet:

Then the corresponding decryption algorithm D_k(c) is given by

Plaintext messages

proceed meeting as agreed

will be encrypted into the following ciphertext messages (spaces are not transformed):

cqkzyyr jyyowft vl vtqyyr

In this simple substitution cipher example, the message spaces M and C coincide with the alphabet. In other words, a plaintext or ciphertext message is a single character in the alphabet. For this reason, the plaintext message string proceedmeetingasagreed is not a single message, but comprises 22 messages; likewise, the ciphertext message string cqkzyyrjyyowftvlvtqyyr comprises 22 messages. The key space of this cipher has size 26! > 4 × 10^26, which is huge in comparison with the size of the message space. However, this cipher is in fact very weak: each plaintext character is encrypted to a unique ciphertext character. This weakness renders the cipher extremely vulnerable to a cryptanalysis technique called frequency analysis, which exploits the fact that natural languages contain a high volume of redundancy (see 3.8). We will further discuss the security of simple substitution ciphers in 7.5.

Several special cases of simple substitution ciphers appear in history. The simplest and best-known case is the shift cipher. In shift ciphers, K = M = C; let N = #M; the encryption and decryption mappings are defined by

Equation 7.3.1

with m, c, k ∈ Z_N. For the case of M being the capital letters of the Latin alphabet, i.e., N = 26, the shift cipher is also known as the Caesar cipher, because Julius Caesar used it with the case k = 3 (2.2 of [93]).

By Theorem 6.6 (in 6.2.2) we know that if gcd(k, N) = 1, then for every m < N:

the values k·m (mod N) range over the entire message space. Therefore, for such k and for m, c < N,

Equation 7.3.2

provides a simple substitution cipher. Similarly, one can also define a simple substitution cipher called the affine cipher:

Equation 7.3.3

It is not difficult to see that using various arithmetic operations between keys in K and messages in M, various cases of simple substitution ciphers can be designed. These ciphers are called monoalphabetic ciphers: for a given encryption key, each element in the plaintext message space is substituted into a unique element in the ciphertext message space. Therefore, monoalphabetic ciphers are extremely vulnerable to frequency analysis attacks.

However, due to their simplicity, simple substitution ciphers have been widely used in modern secret-key encryption algorithms. We will see the kernel role that simple substitution ciphers play in the Data Encryption Standard (DES) (7.6) and in the Advanced Encryption Standard (AES) (7.7). It is generally agreed that a combination of several simple cipher algorithms can result in a strong cipher algorithm. That is why simple ciphers are still in wide use. Simple substitution ciphers are also widely used in cryptographic protocols; we will illustrate a protocol's application of a simple substitution cipher in 7.5 and see many further such examples in the rest of the book.

7.3.2 Polyalphabetic Ciphers

A substitution cipher is called a polyalphabetic cipher if a plaintext message element in P may

be substituted into many, possibly any, ciphertext message elements in C.

We shall use the Vigenère cipher to exemplify a polyalphabetic cipher, since the Vigenère cipher is the best known among polyalphabetic ciphers.

The Vigenère cipher is a string-based substitution cipher: a key is a string comprising a plural number of characters. Let m be the key length. Then a plaintext string is divided into sections of m characters, that is, each section is a string of m characters, with the possible exception that the final section may have fewer characters. The encryption algorithm applies the shift cipher between the key string and a plaintext section, one section at a time, with the key string being repeated. Decryption follows the same manner, using the decryption operation of the shift cipher.

Example 7.2. Vigenère Cipher

Let the key string be gold. Using the encoding rule A = 0, B = 1, ..., Z = 25, the numerical representation of this key string is (6, 14, 11, 3). The Vigenère encryption of the plaintext string

proceed meeting as agreed

has the following operation, which is character-wise addition modulo 26:

Thus, the ciphertext string is

vfzfkso pkseltu lv guchkr

Other well-known polyalphabetic ciphers include the book cipher (also called the Beale cipher), where the key string is an agreed text in a book, and the Hill cipher. See, e.g., 2.2 of [93] or 1.1 of [284] for detailed descriptions of these substitution ciphers.
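The shift and affine ciphers of 7.3.1, the Vigenère cipher of 7.3.2, and the frequency analysis that both sections warn about, worked through in Python as an added example (this is not code from the book). The English letter-frequency table is an approximation adopted as an assumption of the example, SAMPLE is a constructed plaintext, and break_vigenere assumes the key length is already known: with the key length fixed, every key position is just a shift cipher, which is the observation the text makes about the Vigenère cipher.

```python
"""Classical substitution ciphers over the 26-letter alphabet and the
frequency-analysis attack that breaks the monoalphabetic ones.
Added illustration for Sections 7.3.1 and 7.3.2; not code from the book."""
from collections import Counter
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
N = len(ALPHABET)

# Approximate letter frequencies of English text, in percent (an assumption of
# this example; any standard table gives the same ranking e, t, a, o, i, n, ...).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}

# Constructed English plaintext (lower-case letters and spaces only) for the attack demo.
SAMPLE = (
    "the frequency analysis attack exploits the fact that natural languages "
    "contain a great deal of redundancy in english the letter e appears far "
    "more often than any other letter followed by t a o i n and s a "
    "monoalphabetic cipher preserves these statistics so an attacker who "
    "counts letters in the ciphertext can usually recover the key from a few "
    "hundred characters the shift cipher is the simplest case since the whole "
    "key is a single number between zero and twenty five it can even be broken "
    "by trying all twenty six possibilities and reading off the candidate that "
    "looks like english the vigenere cipher repeats a short key word so every "
    "position that uses the same key letter is again just a shift cipher"
)

def _map_letters(text, f):
    """Replace each letter x (A = 0, ..., Z = 25) by ALPHABET[f(i, x) mod 26], where
    i counts the letters seen so far.  Spaces and other characters pass through
    untouched, as in the book's examples."""
    out, i = [], 0
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[f(i, ALPHABET.index(ch)) % N])
            i += 1
        else:
            out.append(ch)
    return "".join(out)

# Shift cipher: c = m + k (mod 26); k = 3 gives the Caesar cipher.
def shift_encrypt(text, k):
    return _map_letters(text, lambda i, m: m + k)

def shift_decrypt(text, k):
    return _map_letters(text, lambda i, c: c - k)

# Affine cipher: c = a*m + b (mod 26); a must be coprime to 26, otherwise two
# plaintext letters collide and decryption is ambiguous.
def affine_encrypt(text, a, b):
    if gcd(a, N) != 1:
        raise ValueError("a must be coprime to 26")
    return _map_letters(text, lambda i, m: a * m + b)

def affine_decrypt(text, a, b):
    a_inv = pow(a, -1, N)  # modular inverse of a; ValueError if gcd(a, 26) != 1
    return _map_letters(text, lambda i, c: a_inv * (c - b))

# Vigenere cipher: the i-th plaintext letter is shifted by key[i mod len(key)],
# i.e. the key string is repeated along the plaintext.
def vigenere_encrypt(text, key):
    ks = [ALPHABET.index(ch) for ch in key.lower()]
    return _map_letters(text, lambda i, m: m + ks[i % len(ks)])

def vigenere_decrypt(text, key):
    ks = [ALPHABET.index(ch) for ch in key.lower()]
    return _map_letters(text, lambda i, c: c - ks[i % len(ks)])

# Frequency analysis: a monoalphabetic cipher preserves the letter histogram up
# to relabelling, so the right key is the one whose decryption looks like English.
def letters_only(text):
    return "".join(ch for ch in text.lower() if ch in ALPHABET)

def chi_squared(text):
    """Distance between the letter histogram of `text` and English; lower is more English-like."""
    letters = letters_only(text)
    n, counts = len(letters), Counter(letters)
    if n == 0:
        return float("inf")
    return sum((counts[ch] - n * p / 100) ** 2 / (n * p / 100)
               for ch, p in ENGLISH_FREQ.items())

def break_shift(ciphertext):
    """Try all 26 keys and keep the one whose candidate plaintext is most English-like."""
    return min(range(N), key=lambda k: chi_squared(shift_decrypt(ciphertext, k)))

def break_vigenere(ciphertext, key_length):
    """With the key length m known, the letters at positions j, j+m, j+2m, ... all
    use the same key letter, so each such column is a shift cipher: break the
    columns separately and read the key off."""
    cols = letters_only(ciphertext)
    return "".join(ALPHABET[break_shift(cols[j::key_length])]
                   for j in range(key_length))
```

vigenere_encrypt("proceed meeting as agreed", "gold") reproduces the ciphertext of Example 7.2, and break_vigenere(vigenere_encrypt(SAMPLE, "gold"), 4) returns "gold": a hundred or so letters per key position are enough for the letter statistics to give the key away, which is exactly why the "one unique ciphertext character per plaintext character" property of monoalphabetic ciphers is fatal.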
7.3.3 The Vernam Cipher and the One-Time Pad

The Vernam cipher is one of the simplest cryptosystems. If we assume that the message is a string of n binary bits

m = m_1 m_2 ... m_n

then the key is also a string of n binary bits

k = k_1 k_2 ... k_n ∈_U {0, 1}^n

(notice here that the symbol "∈_U" means: chosen uniformly at random). Encryption takes place one bit at a time, and the ciphertext string c = c_1 c_2 ... c_n is found by the bit operation XOR (exclusive or) of each message bit with the corresponding key bit,

c_i = m_i ⊕ k_i

for 1 ≤ i ≤ n, where the operation ⊕ (addition modulo 2) is defined by 0 ⊕ 0 = 1 ⊕ 1 = 0 and 0 ⊕ 1 = 1 ⊕ 0 = 1.

Decryption is the same as encryption, since ⊕ is addition modulo 2, and thereby subtraction is identical to addition.

Considering M = C = K = {0, 1}^*, the Vernam cipher is a special case of substitution ciphers. If

the key string is used one time only, then the Vernam cipher satisfies two strong security conditions for substitution ciphers which we will summarize in 7.5. There we shall argue that the confidentiality offered by the one-time-key Vernam cipher is in the information-theoretically secure sense, or is unconditional. A simple way to see this security quality is the following: a ciphertext message string c provides (an eavesdropper) no information whatsoever about the plaintext message string m, since any m could have yielded c if the key k is equal to c ⊕ m (bit by bit).

The one-time-key Vernam cipher is also called the one-time pad cipher. In principle, as long as the usage of the encryption key satisfies the two conditions for secure substitution ciphers which we will list in 7.5, any substitution cipher is a one-time pad cipher. Conventionally, however, only the cipher using the bit-wise XOR operation is called the one-time pad cipher.

In comparison with other substitution ciphers (e.g., the shift cipher using addition modulo 26), the bit-wise XOR operation (which is addition modulo 2) can be easily realized by an electronic circuit. For this reason, the bit-wise XOR operation is a widely used ingredient in the design of modern secret-key encryption algorithms. It will be used in two important modern ciphers: the DES (7.6) and the AES (7.7).

The one-time pad style of encryption is also widely used in cryptographic protocols. We will see such a protocol in 7.5.1.
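The one-time pad as an added Python example (not code from the book), over bytes rather than single bits: vernam_encrypt is the bit-wise XOR of this section, key_that_explains is the argument that any m could have produced c, and two_time_pad_leak shows what the "one time only" condition protects against. The messages are constructed for the example; PadStore is an assumed helper that simply refuses to hand out the same key bytes twice.

```python
"""One-time pad (the one-time-key Vernam cipher) over byte strings, and what
the "one time" condition protects against.
Added illustration for Section 7.3.3; not code from the book."""
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bit-wise XOR (addition modulo 2) of two equally long byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def fresh_pad(n: int) -> bytes:
    """n key bytes chosen uniformly at random (k chosen uniformly from {0,1}^(8n));
    os.urandom draws from the operating system's cryptographic generator."""
    return os.urandom(n)

def vernam_encrypt(message: bytes, key: bytes) -> bytes:
    """c_i = m_i XOR k_i for every bit; the key must be as long as the message."""
    return xor_bytes(message, key)

# Decryption is the same operation: subtraction modulo 2 is addition modulo 2.
vernam_decrypt = vernam_encrypt

def key_that_explains(ciphertext: bytes, candidate: bytes) -> bytes:
    """The key k' = c XOR m' under which `ciphertext` decrypts to `candidate`.
    Because k was uniform, every k' (hence every m' of the right length) is
    exactly as likely as the real one: c carries no information about m."""
    return xor_bytes(ciphertext, candidate)

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypts two messages, c1 XOR c2 = m1 XOR m2: the key cancels,
    and knowing (or guessing) one plaintext reveals the other."""
    return xor_bytes(c1, c2)

class PadStore:
    """Assumed helper (not from the book): hands out each byte of a pad at most
    once, which is the whole "one time" discipline expressed in code."""

    def __init__(self, pad: bytes):
        self._pad, self._used = pad, 0

    def take(self, n: int) -> bytes:
        if self._used + n > len(self._pad):
            raise RuntimeError("pad exhausted: refusing to reuse key material")
        chunk = self._pad[self._used:self._used + n]
        self._used += n
        return chunk

    def remaining(self) -> int:
        return len(self._pad) - self._used
```

The perfect-secrecy argument and its failure mode are two sides of one identity: vernam_decrypt(c, key_that_explains(c, m')) == m' for every m' of the right length, so the ciphertext alone rules nothing out; but xor_bytes(two_time_pad_leak(c1, c2), m1) == m2, so a reused pad hands the second message to anyone who knows the first.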

7.4 Transposition Ciphers

A transposition cipher (also called a permutation cipher) transforms a message by rearranging the positions of the elements of the message without changing the identities of the elements. Transposition ciphers are an important family of classical ciphers which, in addition to substitution ciphers, are widely used in the construction of modern block ciphers.

Consider that the elements of a plaintext message are letters in an alphabet; let b be a fixed positive integer representing the size of a message block; let P = C be the set of all blocks of b letters; finally, let K be all permutations, i.e., rearrangements, of (1, 2, ..., b).

Then a permutation π = (π(1), π(2), ..., π(b)) is a key, since π ∈ K. For a plaintext block (x_1, x_2, ..., x_b) ∈ P, the encryption algorithm of this transposition cipher is

Let π^{-1} denote the inverse of π, i.e., π^{-1}(π(i)) = i for i = 1, 2, ..., b. Then the corresponding decryption algorithm of this transposition cipher is

For a message of length larger than the block size b, the message is divided into multiple blocks and the same procedure is repeated block by block.

Since for message block size b there are b! different keys, a plaintext message block can be transposition-enciphered into b! possible ciphertexts. However, since the identities of the letters do not change, the transposition cipher is also extremely vulnerable to frequency analysis techniques.

Example 7.3. Transposition Cipher

Let b = 4 and

Then the plaintext message

proceed meeting as agreed
is first divided into 6 blocks of four letters each:
proc eedm eeti ngas agre ed
which can then be transposition-enciphered to the following ciphertext
rcpoemedeietgsnagearde
Notice that the final short block of plaintext ed is actually padded as "ed  " (two trailing spaces) and then enciphered into "d e " (a space in the second and fourth positions), followed by deleting the padded spaces from the ciphertext block.
The decryption key is
The fact that the final shortened ciphertext block de contains only two letters means that in the corresponding plaintext block there is no letter to match the positions  ^-1(3) and  ^-1(4). Therefore spaces should be re-inserted into the shortened ciphertext block at these positions to restore the block into the padded form "d e " before the decryption procedure can be applied properly.
Notice that in the case where the final plaintext block is a short one (as in the case of Example 7.3), leaving the padded letters, such as the spaces, in the ciphertext message should be avoided because the padded letters expose information about the key used.
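The block transposition cipher of this section, with the short-final-block handling of Example 7.3, as an added example (this is our illustration, not code from the book). It assumes the page's conventions: the key is a permutation of (1, …, b) and ciphertext position j holds the plaintext letter at position perm(j); the padding symbol is the space, as in Example 7.3; the key (2, 4, 1, 3) is our reconstruction, chosen because it reproduces the example's ciphertext (the printed permutation did not survive extraction); all function names are ours. The final function shows why the text calls the cipher vulnerable to frequency analysis: the letter histogram is unchanged by encryption.

```python
"""Added example (not the book's code): block transposition cipher of 7.4 with
the padded-final-block treatment of Example 7.3."""
from collections import Counter
from typing import List, Sequence

PAD = " "   # the padding symbol used in Example 7.3


def inverse(perm: Sequence[int]) -> List[int]:
    """Inverse permutation: inv[perm(i) - 1] = i, so that inv(perm(i)) == i."""
    inv = [0] * len(perm)
    for i, p in enumerate(perm, start=1):
        inv[p - 1] = i
    return inv


def encrypt_block(block: str, perm: Sequence[int]) -> str:
    # y_j = x_{perm(j)}: ciphertext position j takes plaintext position perm(j)
    return "".join(block[p - 1] for p in perm)


def decrypt_block(block: str, perm: Sequence[int]) -> str:
    # x_i = y_{perm^-1(i)}: decryption is encryption under the inverse key
    return encrypt_block(block, inverse(perm))


def encrypt(message: str, perm: Sequence[int]) -> str:
    b = len(perm)
    letters = message.replace(" ", "")          # word spaces are not transmitted
    out = []
    for start in range(0, len(letters), b):
        block = letters[start:start + b].ljust(b, PAD)        # pad a short final block
        out.append(encrypt_block(block, perm).replace(PAD, ""))  # then drop the pads
    return "".join(out)


def decrypt(ciphertext: str, perm: Sequence[int]) -> str:
    b = len(perm)
    full, short = divmod(len(ciphertext), b)
    out = [decrypt_block(ciphertext[s:s + b], perm) for s in range(0, full * b, b)]
    if short:
        # Plaintext positions short+1..b of the final block were pads, so the
        # ciphertext positions perm^-1(i) for those i carry no letter: re-insert
        # the pads there before decrypting, exactly as the text describes.
        inv = inverse(perm)
        pad_positions = {inv[i - 1] for i in range(short + 1, b + 1)}
        tail = iter(ciphertext[full * b:])
        padded = "".join(PAD if j in pad_positions else next(tail)
                         for j in range(1, b + 1))
        out.append(decrypt_block(padded, perm).rstrip(PAD))
    return "".join(out)


def same_letter_histogram(plaintext: str, ciphertext: str) -> bool:
    """Transposition never changes letter identities, so the letter counts of
    plaintext (spaces removed) and ciphertext coincide; this is the property
    that keeps frequency analysis effective against it."""
    return Counter(plaintext.replace(" ", "")) == Counter(ciphertext)


# Data of Example 7.3 (b = 4); the key is our reconstruction from its ciphertext.
KEY = (2, 4, 1, 3)
MESSAGE = "proceed meeting as agreed"

if __name__ == "__main__":
    c = encrypt(MESSAGE, KEY)
    print(c, decrypt(c, KEY), same_letter_histogram(MESSAGE, c))
```

Running the block reproduces the ciphertext of Example 7.3 and recovers the plaintext (without its word spaces), and the histogram check returns True for any key, which is the reason the text gives for the cipher's weakness.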
7.5 Classical Ciphers: Usefulness and Security
First of all we should point out that the two basic working principles of the classical ciphers, substitution and transposition, are still the most important kernel techniques in the construction of modern symmetric encryption algorithms. We will clearly see combinations of substitution and transposition ciphers in two important modern symmetric encryption algorithms, DES and AES, which we shall introduce in §7.6 and §7.7.
Consider character-based substitution ciphers. Because the plaintext message space coincides with the alphabet, each message is a character in the alphabet and encryption is to substitute, character by character, each plaintext character with a ciphertext character, the substitution being determined by a secret key. If a key is fixed for encrypting a long string of characters, then the same character in the plaintext messages will always be encrypted to a fixed character in the ciphertext messages.
It is well known that letters in a natural language have stable frequencies (review §3.8). Knowledge of the frequency distribution of letters in a natural language provides clues for cryptanalysis, a technique aiming at finding information about the plaintext or the encryption key from given ciphertext messages. This phenomenon is shown in Example 7.1, where the ciphertext message shows a highly frequent appearance of the letter y, suggesting that a fixed letter must appear in the corresponding plaintext message with the same frequency (in fact the letter is e, which appears in English with a high frequency). Simple substitution ciphers are not secure for hiding natural-language-based information. (For details of the cryptanalysis technique based on studying the frequencies of letters, see any standard text in cryptography, e.g., §2.2 of [93], or §7.3.5 of [198].)
Polyalphabetic ciphers and transposition ciphers are stronger than simple substitution ciphers. However, if the key is short and the message is long, then various cryptanalysis techniques can be applied to break such ciphers.
However, classical ciphers, even simple substitution ciphers, can be secure in a very strong sense if the use of cryptographic keys follows certain conditions. In fact, with the proper key usages, simple substitution ciphers are widely used in cryptographic systems and protocols.
7.5.1 Usefulness of Classical Ciphers
Let us now look at an example of the shift cipher (i.e., the simplest substitution cipher) being securely used in a cryptographic protocol. After showing the example, we will summarize two important conditions for secure use of classical ciphers.
Suppose we have a function f(x) over  with the following two properties:
One-way: given any x, evaluation of f(x) can be done efficiently (review §4.4.6 for the meaning of efficient computation), while for almost all y and for any efficient algorithm A, the probability that A, on input y, outputs an x with f(x) = y is a negligible quantity in the size of y (review §4.6 for the meaning of negligible quantity);
Homomorphic: for all x_1, x_2, f(x_1 + x_2) = f(x_1) · f(x_2).
There are many functions which apparently satisfy these two properties; we shall see many such functions later in this book.
Using this function, we can construct a so-called "zero-knowledge proof" protocol, which allows a prover (let it be Alice) to show a verifier (let it be Bob) that she knows the pre-image of f(z) (which is z < n) without disclosing the pre-image to the latter. This can be achieved by a simple protocol which uses the shift cipher. The protocol is specified in Prot 7.1.
Prot 7.1 is a very useful one. In applications, the value X = f(z) can be Alice's cryptographic credential for proving her identity or entitlement to a service. Only Alice can use the credential, because only she knows how to use it, as a result of the fact that only she knows the pre-image z. This protocol shows how Alice should use her credential without the verifier Bob learning any information about the pre-image z.
Protocol 7.1: A Zero-knowledge Protocol Using Shift Cipher
COMMON INPUT
i) f(): a one-way and homomorphic function over ;
ii) X = f(z) for some z.
Alice's INPUT: z < n. (* prover's private input *)
OUTPUT to Bob: Alice knows z such that X = f(z).
Repeat the following steps m times:
1. Alice picks k, computes Commit as f(k) and sends it to Bob;
2. Bob picks Challenge ∈_U {0, 1} and sends it to Alice;
3. Alice computes
She sends Response to Bob;
(* when Challenge = 1, Response is a ciphertext output from shift cipher encryption of z under the one-time key k, see (7.3.1) *)
4. Bob checks
he rejects and aborts the run if any checking step shows an error;
Bob accepts.
In Chapter 18 we will make extensive use of this protocol and its several variations when we study the subject of zero-knowledge proof protocols. For the moment, all we should be concerned with is the quality of the confidentiality service that this protocol provides for hiding Alice's private information z.
7.5.2 Security of Classical Ciphers
Let us now see the quality of confidentiality service that the shift-cipher encryption offers in Prot 7.1. We claim that the quality is perfect. That is, after running this protocol Bob gets absolutely no new information about z beyond what he may have already obtained from the common input f(z) (the common input only provides a priori information).
We should notice that the shift cipher encryption
forms a permutation over the message space. With the one-time key k chosen uniformly at random, the permutation renders Response uniformly distributed as well, since a permutation maps the uniform distribution to the uniform distribution. This means that for a given ciphertext Response, any key could have been used with the same probability in the creation of Response (the probability space being the key space and the message space). This is equivalent to saying that any plaintext is equally likely to have been encrypted inside Response. So the plaintext z is independent of the ciphertext Response, or the ciphertext leaks no information whatsoever about the plaintext.
If a cipher achieves independence between the distributions of its plaintext and ciphertext, then we say that the cipher is secure in an information-theoretically secure sense. In contrast to security in the complexity-theoretic sense, which we established in Chapter 4, security in the information-theoretic sense is unconditional and is immune to any method of cryptanalysis. In Prot 7.1, this sense of security means that runs of the protocol will not provide Bob with any knowledge regarding Alice's private input z, except the conviction that Alice has the correct private input.
The notion of information-theoretic-based cryptographic security was developed by Shannon [264]. According to Shannon's theory, we can summarize two conditions for secure use of classical ciphers:
Conditions for Secure Use of Classical Ciphers
i. #K ≥ #M;
ii. k ∈_U K and is used once in each encryption only.
So if a classical cipher (whether it is a simple substitution cipher, character-based or string-based, a polyalphabetic cipher, or the Vernam cipher) encrypts a message string of a given length, then in order for the encryption to be secure, the key string should be at least as long as the message string, and the key string should be used once only. While this requirement may not be very practical for applications which involve encryption of bulk volumes of messages, it is certainly practical for encrypting small data, such as a nonce (see §2.6.4) or a session key (see §2.5). Prot 7.1 is just such an example.
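Prot 7.1 and the perfect-secrecy argument of §7.5.2, as an added example (our illustration, not the book's code). The page leaves the one-way homomorphic function open, so this example assumes the standard instance f(x) = g^x mod p, with small constructed parameters p = 23, g = 5 (a generator of order n = 22); for a real deployment p would be a large prime and the one-way property rests on the hardness of discrete logarithms. It also assumes the usual response rule, Response = k when Challenge = 0 and Response = k + z mod n (the shift cipher (7.3.1) under the one-time key k) when Challenge = 1, with Bob's matching checks f(Response) = Commit and f(Response) = Commit · X mod p, which follow from the homomorphic property. The last function verifies the §7.5.2 claim directly: for any observed Response, every candidate plaintext is consistent with exactly one key.

```python
"""Added example (not the book's code): Protocol 7.1 with f(x) = g^x mod p,
plus a check of the perfect-secrecy argument of 7.5.2.  Parameters are
constructed toy values, not a secure size."""
import random
from typing import Dict, Optional, Tuple

P, G = 23, 5          # constructed: 5 generates Z_23^*, which has order 22
N = P - 1             # n = 22: exponents (keys and plaintexts) live in Z_n


def f(x: int) -> int:
    """Homomorphic: f(x1 + x2 mod n) = f(x1) * f(x2) mod p; one-way for real p."""
    return pow(G, x % N, P)


def prover_commit(rng: random.Random) -> Tuple[int, int]:
    k = rng.randrange(N)                    # one-time key, uniform in Z_n (condition ii)
    return k, f(k)                          # (k, Commit)


def prover_respond(z: int, k: int, challenge: int) -> int:
    if challenge == 0:
        return k                            # reveal the one-time key
    return (k + z) % N                      # shift-cipher encryption of z under k


def verifier_check(X: int, commit: int, challenge: int, response: int) -> bool:
    if challenge == 0:
        return f(response) == commit        # Commit really was f(k)
    return f(response) == (commit * X) % P  # f(k + z) = f(k) * f(z) = Commit * X


def run_protocol(z: int, X: int, rounds: int, seed: Optional[int] = None) -> bool:
    """Bob accepts iff all m = rounds repetitions check out.  A seed gives a
    reproducible run; without one the system RNG is used."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    for _ in range(rounds):
        k, commit = prover_commit(rng)
        challenge = rng.randrange(2)        # Challenge in_U {0, 1}
        response = prover_respond(z, k, challenge)
        if not verifier_check(X, commit, challenge, response):
            return False                    # reject and abort the run
    return True


def keys_consistent_with(response: int) -> Dict[int, int]:
    """For a Challenge-1 Response, count the keys k in Z_n under which each
    candidate plaintext z' would have produced it.  Every z' gets exactly one
    key, so Response is independent of z: the shift cipher with a uniform
    one-time key is a permutation of Z_n (7.5.2)."""
    counts = {z_prime: 0 for z_prime in range(N)}
    for z_prime in range(N):
        for k in range(N):
            if (k + z_prime) % N == response:
                counts[z_prime] += 1
    return counts


if __name__ == "__main__":
    z = 7                                   # Alice's private input (constructed)
    X = f(z)                                # common input X = 17
    print(run_protocol(z, X, 20))           # honest prover: True
    print(all(c == 1 for c in keys_consistent_with(5).values()))   # True
```

A prover who does not know z can answer Challenge = 0 (by committing honestly) or Challenge = 1 (by choosing Response first and committing to f(Response) / X), but not both for the same Commit, which is why m repetitions with a uniformly random challenge are needed for soundness.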
In the rest of this book we will meet numerous cryptographic systems and protocols which apply various forms of substitution ciphers such as shift ciphers (as in Prot 7.1), multiplication ciphers (defined in (7.3.2)), affine ciphers (defined in (7.3.3)), and substitution ciphers under the general form of permutations (as in Example 7.1). Most such applications follow the two conditions for secure use of classical ciphers.
7.6 The Data Encryption Standard (DES)
Without doubt the first and the most significant modern symmetric encryption algorithm is that contained in the Data Encryption Standard (DES) [211]. The DES was published by the United States' National Bureau of Standards in January 1977 as an algorithm to be used for unclassified data (information not concerned with national security). The algorithm has been in wide international use, a primary example being its employment by banks for funds transfer security. Originally approved for a five-year period, the standard stood the test of time and was subsequently approved for three further five-year periods.
7.6.1 A Description of the DES
The DES is a block cipher in which messages are divided into data blocks of a fixed length and each block is treated as one message either in M or in C. In the DES, we have M = C = {0, 1}^64 and K = {0, 1}^56; namely, the DES encryption and decryption algorithms take as input a 64-bit plaintext or ciphertext message and a 56-bit key, and output a 64-bit ciphertext or plaintext message.
The operation of the DES can be described in the following three steps:
1. Apply a fixed "initial permutation" IP to the input block. We can write this initial permutation as
Equation 7.6.1
Here L_0 and R_0 are called "(left, right)-half blocks," each a 32-bit block. Notice that IP is a fixed function (i.e., it is not parameterized by the input key) and is publicly known; therefore this initial permutation has no apparent cryptographic significance.
2. Iterate the following 16 rounds of operations (for i = 1, 2, …, 16)
Equation 7.6.2
Equation 7.6.3
Here k_i is called the "round key," which is a 48-bit substring of the 56-bit input key; f is called the "S-box Function" ("S" for substitution; we will provide a brief description of this function in §7.6.2) and is a substitution cipher (§7.3). This operation features swapping the two half blocks, that is, the left half block input to a round is the right half block output from the previous round. The swapping operation is a simple transposition cipher (§7.4) which aims to achieve a large degree of "message diffusion," essentially the mixing property modeled by Shannon in (7.1.1). From our discussion we can see that this step of the DES is a combination of a substitution cipher and a transposition cipher.
3. The result from round 16, (L_16, R_16), is input to the inverse of IP to cancel the effect of the initial permutation. The output from this step is the output of the DES algorithm. We can write this final step as
Equation 7.6.4
Please pay particular attention to the input to IP^-1: the two half blocks output from round 16 take an additional swap before being input to IP^-1.
These three steps are shared by the encryption and the decryption algorithms, with the only difference being that, if the round keys used by one algorithm are k_1, k_2, …, k_16, then those used by the other algorithm should be k_16, k_15, …, k_1. This way of arranging round keys is called the "key schedule," and can be denoted by
Equation 7.6.5
Example 7.4.
Let a plaintext message m be encrypted to a ciphertext message c under an encryption key k. Let us go through the DES algorithm to confirm the proper working of the decryption function, i.e., that decryption of c under k will output m.
The decryption algorithm starts by inputting the ciphertext c as "Input Block." By (7.6.1) we have
But since c is actually the "Output Block" from the final step of the encryption algorithm, by (7.6.4) we have
Equation 7.6.6
In round 1, from (7.6.2), (7.6.3) and (7.6.6), we have
In the right-hand sides of these two assignments, L_16 should be replaced with R_15 due to (7.6.2), R_16 should be replaced with L_15 ⊕ f(R_15, k_16) due to (7.6.3), and the round key used in this round is k_16 due to the key schedule (7.6.5). Thus, the above two assignments are in fact the following two:
So, after round 1 of decryption, we obtain
Therefore, at the beginning of round 2, the two half blocks are (R_15, L_15).
It is routine to check that, in the subsequent 15 rounds, we will obtain
The two final half blocks from round 16 are swapped and are input to IP^-1 (notice (7.6.4) for the additional swapping) to cancel the effect of the IP in (7.6.1). Indeed, the output from the decryption function is the original plaintext block m.
We have shown that the DES encryption and decryption algorithms do keep equation (7.2.1) holding for all m ∈ M and all k ∈ K. It is clear that these algorithms work with no regard to the internal details of the "S-box Function" and the key schedule function.
The DES iterations which use (7.6.2) and (7.6.3) to process two half blocks in a swapping fashion are called the Feistel cipher. Fig 7.2 illustrates the swapping structure of one round of the Feistel cipher. Feistel proposed this cipher originally [107]. As we have mentioned earlier, the swapping feature aims to achieve a large degree of data diffusion. The Feistel cipher also has an important application in public-key cryptography: a structure named Optimal Asymmetric Encryption Padding (OAEP) is essentially a two-round Feistel cipher. We will study OAEP in §15.2.
Figure 7.2. Feistel Cipher (One Round)

7.6.2 The Kernel Functionality of the DES: Random and Non-linear Distribution of Message

The kernel part of the DES is inside the "S-box Function" f. This is where the DES realizes a
random and non-linear distribution of plaintext messages over the ciphertext message space.
In the i-th round, f(R_{i-1}, k_i) does the following two sub-operations:
i. add the round key k_i, via bit-wise XOR, to the half block R_{i-1}; this provides the randomness
needed in message distribution;
ii. substitute the result of (i) under a fixed permutation which consists of eight "substitution
boxes" (S-boxes), each S-box being a non-linear permutation function; this provides the non-
linearity needed in message distribution.
The non-linearity of the S-boxes is very important to the security of the DES. We notice that the
general case of the substitution cipher (e.g., Example 7.1 with a random key) is non-linear, while
the shift cipher and the affine cipher are linear sub-cases. These linear sub-cases not only
drastically reduce the size of the key space from that of the general case, but also render the
resultant ciphertext vulnerable to a differential cryptanalysis (DC) technique [33]. DC attacks
a cipher by exploiting the linear difference between two plaintext messages and that between
two ciphertext messages. Let us look at such an attack using the affine cipher (§7.3.3) for
example. Suppose Malice (the attacker) somehow knows the difference m - m' but he does not
know m nor m'. Given the corresponding ciphertexts c = k_1 m + k_2 (mod N), c' = k_1 m' + k_2 (mod
N), Malice can calculate k_1 = (c - c')(m - m')^{-1} (mod N).
With k_1, it becomes much easier for Malice to further find k_2, e.g., k_2 can be found if Malice has a
known plaintext-ciphertext pair. Subsequent to its discovery in 1990, DC has been shown to be
very powerful against many known block ciphers. However, it is not very successful against the
DES. It turned out that the designer of the DES had anticipated DC 15 years earlier [81] through
the non-linear design of the S-boxes.
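To make the linearity argument concrete, here is a worked example added to this section; it is not the book's code. It implements the affine cipher of §7.3.3 and Malice's calculation as just described, then contrasts the affine cipher with a random-key substitution (the general, non-linear case of Example 7.1) by collecting the ciphertext differences that one fixed plaintext difference can produce. N = 26, the keys K1 and K2, the substitution table SUBST_KEY and the messages are constructed values for the demonstration.

```python
"""Added example (not from the book): the differential weakness of a linear cipher.
For the affine cipher c = k1 m + k2 (mod N) of Section 7.3.3, the ciphertext
difference c - c' depends only on the plaintext difference m - m', so one known
difference gives k1 and one known pair then gives k2; a general substitution with
a random key has no such property. N, the keys and the messages are constructed."""

from math import gcd

N = 26  # alphabet size used for the shift and affine ciphers


def affine_encrypt(m: int, k1: int, k2: int) -> int:
    """Affine cipher; k1 must be invertible mod N so that decryption exists."""
    if gcd(k1, N) != 1:
        raise ValueError("k1 must be coprime to N")
    return (k1 * m + k2) % N


def recover_k1(c: int, c_prime: int, delta: int) -> int:
    """Malice's calculation: c - c' = k1 (m - m') (mod N), so k2 cancels and
    k1 = (c - c') (m - m')^{-1} (mod N). Needs delta = m - m' invertible mod N."""
    return ((c - c_prime) * pow(delta, -1, N)) % N


def recover_k2(m: int, c: int, k1: int) -> int:
    """With k1 known, one known plaintext-ciphertext pair gives k2 = c - k1 m."""
    return (c - k1 * m) % N


def ciphertext_differences(encrypt, delta: int) -> set:
    """All values of c - c' (mod N) over plaintext pairs with m - m' = delta.
    For a linear cipher this set has one element; for a non-linear one it spreads."""
    return {(encrypt(m) - encrypt((m - delta) % N)) % N for m in range(N)}


# Constructed keys for the demonstration.
K1, K2 = 7, 3
# A constructed random-key substitution (a permutation of 0..25): the general
# non-linear case of Example 7.1.
SUBST_KEY = [3, 0, 17, 22, 9, 14, 1, 25, 6, 11, 20, 2, 18,
             8, 13, 24, 4, 21, 7, 16, 10, 19, 12, 5, 23, 15]


def affine_with_demo_key(m: int) -> int:
    return affine_encrypt(m, K1, K2)


def substitution_encrypt(m: int) -> int:
    return SUBST_KEY[m]


def demo() -> tuple:
    """Malice sees c, c' for unknown m, m' but knows m - m' = 3; he recovers k1,
    then k2 from one known pair. Returns the recovered (k1, k2)."""
    m, m_prime = 8, 5                       # unknown to Malice
    c, c_prime = affine_with_demo_key(m), affine_with_demo_key(m_prime)
    k1 = recover_k1(c, c_prime, (m - m_prime) % N)
    known_m = 20                           # one known plaintext-ciphertext pair
    k2 = recover_k2(known_m, affine_with_demo_key(known_m), k1)
    return k1, k2
```

Running demo() returns (7, 3), the constructed key. The set ciphertext_differences(affine_with_demo_key, 3) contains the single value 3·k1 mod 26, which is exactly the leak the text describes, whereas the same set for substitution_encrypt has many elements: a fixed plaintext difference tells the observer nothing definite about the ciphertext difference.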
An interesting feature of the DES (in fact, of the Feistel cipher) is that the S-boxes in function
f(R_{i-1}, k_i) need not be invertible. This is shown in Example 7.4, where encryption and decryption
work for an arbitrary f(R_{i-1}, k_i). This feature saves space for the hardware realization of the DES.
We shall omit the description of the internal details of the S-boxes, of the key-schedule function
and of the initial-permutation function. These details are out of the scope of the book. The
interested reader is referred to §2.6.2 of [93] for these details.

7.6.3 The Security of the DES

Debates on the security of the DES started soon after the DES was proposed as the encryption
standard. Detailed discussions and historical accounts can be found in various cryptographic
texts, e.g., §7.2 of [279], §3.3 of [284], and §7.4.3 of [198]. Later, it became more and more
clear that these debates reached a single main critique: the DES has a relatively short key
length. This is regarded as the single most serious weakness of the DES. Attacks related to this
weakness involve exhaustively testing keys, using a known pair of plaintext and ciphertext
messages, until the correct key is found. This is the so-called brute-force or exhaustive key
search attack.
However, we should not regard a brute-force key search attack as a real attack. This is because
the cipher designers not only have anticipated it, but also have hoped this to be the only means
for an adversary. Therefore, given the computation technology of the 1970s, the DES is a very
successful cipher.
One solution to overcome the short-key limitation is to run the DES algorithm a multiple number
of times using different keys. One such proposal is called the encryption-decryption-encryption
triple DES scheme [290]. Encryption under this scheme can be denoted by
and decryption by
In addition to achieving an effect of enlarging the key space, this scheme also achieves an easy
compatibility with the single-key DES, if k_1 = k_2 is used. The triple DES can also use three
different keys, but then it is not compatible with the single-key DES.
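The following toy cipher is an added example, not the book's code and not the DES: a 16-bit Feistel cipher whose round function f is deliberately not invertible, demonstrating the point of §7.6.2 and Example 7.4 that decryption of a Feistel cipher needs no inverse of f and reuses the encryption routine with the round keys in reverse order. On top of it the encryption-decryption-encryption triple scheme of [290] is built, in its two-key form (E under k_1, D under k_2, E under k_1) and its three-key form, so that the compatibility with single-key use when k_1 = k_2 can be checked. The S-box and the key schedule are constructed for the demonstration and have no cryptographic strength.

```python
"""Added example (not from the book): a toy Feistel cipher whose round function f
is deliberately not invertible, and the encryption-decryption-encryption (EDE)
triple construction of Section 7.6.3 built on it. Everything here is constructed
for illustration; it is not the DES (16-bit blocks, 8-bit halves, 4 rounds)."""

ROUNDS = 4
HALF_MASK = 0xFF


def round_function(r: int, k: int) -> int:
    """f(R, k): add the round key by XOR, then apply a many-to-one substitution.
    The output has only 4 bits, so 16 inputs collide on every output and f has no
    inverse, yet decryption below still works (the property noted for the DES)."""
    t = (r ^ k) & HALF_MASK
    return ((t * 0x9D) ^ (t >> 3)) & 0x0F  # constructed toy S-box, not a permutation


def key_schedule(key: int) -> list:
    """Constructed toy schedule: ROUNDS 8-bit round keys from a 16-bit key."""
    return [((key >> i) ^ (0x5A * (i + 1))) & HALF_MASK for i in range(ROUNDS)]


def feistel(block: int, round_keys) -> int:
    """One Feistel network pass. Per round (L_i, R_i) = (R_{i-1}, L_{i-1} xor f(R_{i-1}, k_i)),
    the swapping structure of Fig 7.2. The halves are swapped back after the last
    round, so the same routine decrypts when given the round keys in reverse order."""
    l, r = block >> 8, block & HALF_MASK
    for k in round_keys:
        l, r = r, l ^ round_function(r, k)
    return (r << 8) | l


def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: int) -> int:
    return feistel(block, list(reversed(key_schedule(key))))


def ede_encrypt(block: int, k1: int, k2: int, k3=None) -> int:
    """EDE triple encryption E_k3(D_k2(E_k1(m))). With k3 omitted this is the two-key
    form E_k1(D_k2(E_k1(m))); with k1 = k2 it collapses to single encryption under k1."""
    k3 = k1 if k3 is None else k3
    return encrypt(decrypt(encrypt(block, k1), k2), k3)


def ede_decrypt(block: int, k1: int, k2: int, k3=None) -> int:
    """Inverse of ede_encrypt: D_k1(E_k2(D_k3(c)))."""
    k3 = k1 if k3 is None else k3
    return decrypt(encrypt(decrypt(block, k3), k2), k1)


def distinct_outputs(k: int) -> int:
    """How many different values f(R, k) takes over all 256 half blocks R; far fewer
    than 256, which shows f is not invertible."""
    return len({round_function(r, k) for r in range(256)})
```

decrypt(encrypt(m, key), key) == m holds for every block even though round_function has at most 16 distinct outputs, because each Feistel round only XORs f into the other half and the decryption round recomputes the same f value from the half that was passed through unchanged. ede_encrypt(m, k, k) equals encrypt(m, k), which is the compatibility property noted above.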
The short-key weakness of the DES became evident in the 1990s. In 1993, Wiener argued that a
special-purpose VLSI DES key search machine could be built at the cost of US$1,000,000. Given a
pair of plaintext-ciphertext messages, this machine could be expected to find the key in 3.5 hours
[299]. On July 15, 1998, a coalition of Cryptography Research, Advanced Wireless Technologies
and the Electronic Frontier Foundation announced a record-breaking DES key search attack: they
built a key search machine, called the DES Cracker (also known as Deep Crack), at a cost under
US$250,000, and successfully found the key of RSA's DES Challenge after searching for 56
hours [110]. This result demonstrates that a 56-bit key is too short for a secure secret-key
cipher for the late 1990s computation technology.


7.7 The Advanced Encryption Standard (AES)

On January 2, 1997, the United States' National Institute of Standards and Technology (NIST)
announced the initiation of a new symmetric-key block cipher algorithm as the new encryption
standard to replace the DES. The new algorithm would be named the Advanced Encryption
Standard (AES). Unlike the closed design process for the DES, an open call for the AES
algorithms was formally made on September 12, 1997. The call stipulated that the AES would
specify an unclassified, publicly disclosed symmetric-key encryption algorithm(s); the
algorithm(s) must support (at a minimum) block sizes of 128 bits, key sizes of 128, 192, and
256 bits, and should have a strength at the level of the triple DES, but should be more efficient
than the triple DES. In addition, the algorithm(s), if selected, must be available royalty-free,
worldwide.
On August 20, 1998, NIST announced a group of fifteen AES candidate algorithms. These
algorithms had been submitted by members of the cryptographic community from around the
world. Public comments on the fifteen candidates were solicited as the initial review of these
algorithms (the period for the initial public comments was also called Round 1). Round 1
closed on April 15, 1999. Using the analyses and comments received, NIST selected five
algorithms from the fifteen. The five AES finalist candidate algorithms were MARS [62], RC6
[247], Rijndael [86], Serpent [15], and Twofish [255]. These finalist algorithms received further
analysis during a second, more in-depth review period (Round 2). In Round 2, comments
and analysis were sought on any aspect of the candidate algorithms, including, but not limited
to, the following topics: cryptanalysis, intellectual property, cross-cutting analyses of all of the
AES finalists, overall recommendations and implementation issues. After the close of the Round
2 public analysis period on May 15, 2000, NIST studied all available information in order to
make a selection for the AES. On October 2, 2000, NIST announced that it had selected Rijndael
to propose for the AES.
Rijndael is designed by two Belgian cryptographers: Daemen and Rijmen.

7.7.1 An Overview of the Rijndael Cipher

Rijndael is a block cipher with a variable block size and variable key size. The key size and the
block size can be independently specified to 128, 192 or 256 bits. For simplicity we will only
describe the minimum case of the 128-bit key size and the same block size. Our confined
description will not cause any loss of generality to the working principle of the Rijndael cipher.
In this case, a 128-bit message (plaintext, ciphertext) block is segmented into 16 bytes (a byte
is a unit of 8 binary bits, so 128 = 16 x 8):
So is a key block:
The data structure for their internal representation is a 4 x 4 matrix:

Like the DES (and most modern symmetric-key block ciphers), the Rijndael algorithm comprises
a plural number of iterations of a basic unit of transformation: "round." In the minimum case of
128-bit message-block and key-block size, the number of rounds is 10. For larger message sizes
and key sizes, the number of rounds should be increased accordingly and is given in Figure 5 of
[219].
A round transformation in Rijndael is denoted by Round(State, RoundKey).
Here State is a round-message matrix and is treated as both input and output; RoundKey is a
round-key matrix and is derived from the input key via the key schedule. The execution of a round
will cause the elements of State to change value (i.e., to change its state). For encryption
(respectively, decryption), the State input to the first round is InputBlock, which is the plaintext
(respectively, ciphertext) message matrix, and the State output from the final round is the
ciphertext (respectively, plaintext) message matrix.
The round (other than the final round) transformation is composed of four different
transformations which are internal functions to be described in a moment:
    Round(State, RoundKey) {
        SubBytes(State);
        ShiftRows(State);
        MixColumns(State);
        AddRoundKey(State, RoundKey);
    }
The final round, denoted by FinalRound(State, RoundKey), is slightly different: it is equal to
Round(State, RoundKey) with the MixColumns function removed. This is analogous to the
situation of the final round in the DES, where an additional swap between the output half data
blocks is applied.
The round transformations are invertible for the purpose of decryption. The respective reverse
round transformations should be denoted by
    Round^{-1}(State, RoundKey), and
    FinalRound^{-1}(State, RoundKey),
respectively. We shall see below that the four internal functions are all invertible.

7.7.2 The Internal Functions of the Rijndael Cipher

Let us now describe the four internal functions of the Rijndael cipher. We shall only describe the
functions for the encryption direction. Because each of the four internal functions is invertible,
decryption in Rijndael merely applies their respective inversions in the reverse direction.
The internal functions of the Rijndael cipher work in a finite field. The field is realized as all
polynomials modulo the irreducible polynomial
    f(x) = x^8 + x^4 + x^3 + x + 1
over F_2. That is, specifically, the field used by the Rijndael cipher is F_2[x]_{x^8 + x^4 + x^3 + x + 1}. Any
element in this field is a polynomial over F_2 of degree less than 8 and the operations are done
modulo f(x). Let us name this field the "Rijndael field." Due to isomorphism, we will often use
F_{2^8} to denote this field, which has 2^8 = 256 elements.
We have actually studied the Rijndael field in Chapter 5, Examples 5.17, 5.18 and 5.19, where
we demonstrated the following operations:
    Mapping between an integer byte and a field element (Example 5.17)
    Addition between two field elements (Example 5.18)
    Multiplication between two field elements (Example 5.19)
Our study there can now help us to describe the Rijndael internal functions.
First of all, as we have already described, a block of message (a state) and a block of key in the
Rijndael cipher are segmented into bytes. From the simple 1-1 mapping scheme described in
Example 5.17, these bytes will be viewed as field elements and will be processed by several
Rijndael internal functions which we now describe.

7.7.2.1 Internal Function SubBytes(State)

This function provides a non-linear substitution on each byte (i.e., x) of State. Any non-zero byte
is substituted by the following transformation:

Equation 7.7.1
where
If x is the zero byte, then y = b is the SubBytes transformation result.
We should notice that the non-linearity of the transformation in (7.7.1) comes from the inversion
x^{-1} only. Should the transformation be applied on x directly, the affine equation in (7.7.1) would
then be absolutely linear!
Since the 8 x 8 constant matrix A is an invertible one (i.e., its rows are linearly independent in
F_2), the transformation in (7.7.1) is invertible. Hence, function SubBytes(State) is invertible.

7.7.2.2 Internal Function ShiftRows(State)

This function operates on each row of State. For the case of 128-bit block size, it is the following
transformation:
Equation 7.7.2
This operation is actually a transposition cipher (§7.4). It only rearranges the positions of the
elements without changing their identities: for elements in the i-th row (i = 0, 1, 2, 3), the
position rearrangement is "cyclic shifting to the right" by 4 - i positions.

Since the transposition cipher only rearranges positions of the row elements, the transformation
is of course mechanically invertible.

7.7.2.3 Internal Function MixColumns(State)

This function operates on each column of State. So for a State of four columns of the right-hand-
side matrix in (7.7.2), MixColumns(State) repeats four iterations. The following description is for
one column only. The output of an iteration is still a column.
First, let
be a column in the right-hand-side matrix in (7.7.2). Notice that we have omitted the column
number for clarity in exposition.
This column is interpreted into a degree-3 polynomial:
Notice that because the coefficients of s(x) are bytes, i.e., are elements in F_{2^8}, this polynomial
is over F_{2^8}, and hence is not an element in the Rijndael field.
The operation on the column s(x) is defined by multiplying this polynomial with a fixed degree-3
polynomial c(x), modulo x^4 + 1:
Equation 7.7.3
where the fixed polynomial c(x) is
The coefficients of c(x) are also elements in F_{2^8} (denoted by the hexadecimal representations of
the respective bytes, or field elements).
We should notice that the multiplication in (7.7.3) is not an operation in the Rijndael field: c(x)
and s(x) are not even Rijndael field elements. Also, because x^4 + 1 is reducible over F_{2^8} (x^4 + 1
= (x + 1)^4), the multiplication in (7.7.3) is not even an operation in any field (review Theorem
5.5 in §5.4.2.2). The only reason for this multiplication being performed modulo a degree-4
polynomial is in order for the operation to output a degree-3 polynomial, that is, to achieve a
transformation from a column (a degree-3 polynomial) to a column (a degree-3 polynomial).
This transformation can be viewed as a polyalphabetic substitution (multiplication) cipher using
a known key.
The reader may apply the long division method in Example 5.15 to confirm the following
equation computed over F_{2^8}[x] (noticing that subtraction in this ring is identical to addition):
Therefore, in the product (7.7.3), the coefficient for x^i (for i = 0, 1, 2, 3) must be the sum of c_j s_k
satisfying j + k = i (mod 4) (where j, k = 0, 1, 2, 3). For example, the coefficient for x^2 in the
product is
The multiplication and addition are in F_{2^8}. For this reason, it is now easy to check that the
polynomial multiplication in (7.7.3) can be achieved by taking the following linear algebraic one:
Equation 7.7.4
We further notice that because c(x) is relatively prime to x^4 + 1 over F_{2^8}, the inversion c(x)^{-1}
(mod x^4 + 1) exists in F_{2^8}[x]. This is equivalent to saying that the matrix, and hence the
transformation, in (7.7.4) are invertible.
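The following code is an added example, neither the book's own material nor the Rijndael reference implementation. It implements the Rijndael field of §7.7.2 (the operations of Examples 5.17 to 5.19, as gf_mul and gf_inv), SubBytes of (7.7.1) as field inversion followed by the affine map, ShiftRows of (7.7.2), and MixColumns in both its polynomial form (7.7.3) and its matrix form (7.7.4), together with the inverse of MixColumns. The constants that this page does not print, namely the matrix A and the vector b of (7.7.1), the polynomial c(x) = 03 x^3 + 01 x^2 + 01 x + 02 and its inverse d(x) modulo x^4 + 1, and the check values ({53}^{-1} = {CA} and the MixColumns column from FIPS-197 Appendix B), are taken from FIPS-197, the published AES standard. The function is_affine makes the remark in §7.7.2.1 that the non-linearity comes from the inversion alone directly checkable.

```python
"""Added example (not from the book): Rijndael field arithmetic and the SubBytes,
ShiftRows and MixColumns functions of Section 7.7.2, checked against FIPS-197 values."""

# Rijndael field: polynomials over F_2 modulo f(x) = x^8 + x^4 + x^3 + x + 1;
# a byte b7..b0 stands for b7 x^7 + ... + b1 x + b0 (Example 5.17).
RIJNDAEL_POLY = 0x11B  # bit pattern of f(x), leading x^8 term included

def gf_mul(a: int, b: int) -> int:
    """Field multiplication (Example 5.19): shift-and-add, reducing by f(x) whenever
    the running product reaches degree 8. Field addition is XOR (Example 5.18)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= RIJNDAEL_POLY
        b >>= 1
    return result

def gf_inv(a: int) -> int:
    """Inverse as a^254 (the non-zero elements form a group of order 255);
    gf_inv(0) = 0, the convention that gives SubBytes(0) = b."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def affine_transform(v: int) -> int:
    """The affine map y = A v + b over F_2 of (7.7.1). A and b = 0x63 are the FIPS-197
    constants (not printed on this page): bit i of A v is v_i + v_{i+4} + v_{i+5} +
    v_{i+6} + v_{i+7}, indices taken mod 8."""
    y = 0
    for i in range(8):
        bit = (v >> i) & 1
        for j in (4, 5, 6, 7):
            bit ^= (v >> ((i + j) % 8)) & 1
        y |= bit << i
    return y ^ 0x63

def sub_byte(x: int) -> int:
    """SubBytes on one byte: field inversion (the only non-linear step), then A, b."""
    return affine_transform(gf_inv(x))

def is_affine(table) -> bool:
    """A byte map t is affine over F_2 iff t[a ^ b] == t[a] ^ t[b] ^ t[0] for all a, b."""
    t0 = table[0]
    return all(table[a ^ b] == table[a] ^ table[b] ^ t0
               for a in range(256) for b in range(256))

SBOX = [sub_byte(x) for x in range(256)]                 # the real S-box
AFFINE_ONLY = [affine_transform(x) for x in range(256)]  # (7.7.1) applied to x itself

def shift_rows(state):
    """ShiftRows (7.7.2) on a State given as four rows of four bytes: row i is
    cyclically shifted right by 4 - i positions, i.e. left by i positions."""
    return [row[i:] + row[:i] for i, row in enumerate(state)]

# c(x) = 03 x^3 + 01 x^2 + 01 x + 02 and d(x) = c(x)^{-1} mod x^4 + 1, the FIPS-197
# polynomials (not printed on this page), stored lowest degree first.
C_POLY = [0x02, 0x01, 0x01, 0x03]
D_POLY = [0x0E, 0x09, 0x0D, 0x0B]

def poly_mul_mod_x4_plus_1(a, b):
    """Product of two degree-3 polynomials with byte coefficients modulo x^4 + 1:
    coefficient i collects a_j * b_k over all j + k = i (mod 4), the rule behind (7.7.3)."""
    out = [0, 0, 0, 0]
    for j in range(4):
        for k in range(4):
            out[(j + k) % 4] ^= gf_mul(a[j], b[k])
    return out

def mix_column(col):
    """MixColumns on one column as the polynomial product c(x) s(x) of (7.7.3)."""
    return poly_mul_mod_x4_plus_1(C_POLY, col)

def mix_column_matrix(col):
    """The same operation as the matrix product of (7.7.4)."""
    rows = [[0x02, 0x03, 0x01, 0x01], [0x01, 0x02, 0x03, 0x01],
            [0x01, 0x01, 0x02, 0x03], [0x03, 0x01, 0x01, 0x02]]
    out = []
    for row in rows:
        acc = 0
        for m, s in zip(row, col):
            acc ^= gf_mul(m, s)
        out.append(acc)
    return out

def inv_mix_column(col):
    """Inverse of MixColumns: multiply by d(x), which exists since gcd(c(x), x^4 + 1) = 1."""
    return poly_mul_mod_x4_plus_1(D_POLY, col)
```

SBOX[0x53] evaluates to 0xED via gf_inv(0x53) = 0xCA, is_affine(AFFINE_ONLY) is True while is_affine(SBOX) is False, and mix_column([0xD4, 0xBF, 0x5D, 0x30]) gives [0x04, 0x66, 0x81, 0xE5], the same result as mix_column_matrix, which inv_mix_column maps back to the input column.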

7.7.2.4 Internal Function AddRoundKey(State, RoundKey)

This function merely adds, byte by byte and bit by bit, the elements of RoundKey to those of
State. Here "add" is addition in F_2 (i.e., bit-wise XOR) and is trivially invertible; the inversion is
"add" itself.
The RoundKey bits have been "scheduled," i.e., the key bits for different rounds are different,
and are derived from the key using a fixed (non-secret) "key schedule" scheme. For details of the
"key schedule" see Figure 12 of [219].
To this end we have completed the description of the Rijndael internal functions and hence the
encryption operation.

7.7.2.5 Decryption Operation

As we have seen, each of the four internal functions is invertible, so decryption is merely
to invert the encryption in the reverse direction, i.e., applying
    AddRoundKey(State, RoundKey)^{-1};
    MixColumns(State)^{-1};
    ShiftRows(State)^{-1};
    SubBytes(State)^{-1}.
We should notice that, unlike in the case of a Feistel cipher where encryption and decryption use
the same circuit (hardware) or code (software), the Rijndael cipher must implement different
circuits and codes for encryption and decryption, respectively.
7.7.3 Summary of the Roles of the Rijndael Internal Functions
At the end of our description of the Rijndael cipher let us provide a summary of the roles of the four internal functions.
SubBytes is intended to achieve a non-linear substitution cipher. As we have discussed in 7.6.2, non-linearity is an important property for a block cipher to prevent differential cryptanalysis.
ShiftRows and MixColumns are intended to achieve a mixture of the bytes positioned in different places of a plaintext message block. Typically, plaintext messages have a low-entropy distribution in the message space due to the high redundancy contained in natural languages and business data (that is, typical plaintexts concentrate in a small subspace of the whole message space). A mixture of the bytes in different positions of a message block causes a wider distribution of messages in the whole message space. This is essentially the mixing property modeled by Shannon in 7.1.1.
AddRoundKey provides the necessary secret randomness to the message distribution.
These functions are repeated a plural number of times (a minimum of 10 rounds for the case of 128-bit key and data size), and the result is the Rijndael cipher.
7.7.4 Fast and Secure Implementation
We have seen that the Rijndael internal functions are very simple and operate in trivially small algebraic spaces. As a result, implementations of these internal functions can be done with extremely good efficiency. From our descriptions of the Rijndael internal functions, we see that only SubBytes and MixColumns have non-trivial algebraic operations and hence are worthy of fast implementation considerations.

First, in SubBytes, the calculation of $x^{-1}$ can be efficiently done using a "table lookup" method: a small table of $2^8 = 256$ pairs of bytes can be built once and used forever (i.e., the table can be "hardwired" into hardware or software implementations). In this table of pairs, the zero byte is paired with the zero byte; the remaining 255 entries in the table are the 255 cases of the pair $(x, x^{-1})$ where inversion is performed in the field. The "table lookup" method not only is efficient, but also prevents a timing analysis attack, which is based on observing the operation-time difference for different data and which may suggest whether an operation is performed on bit 0 or bit 1 (see 12.5.4).
Because the matrix A and the vector b in (7.7.1) are constants, the "table lookup" method can actually include the whole transformation (7.7.1) altogether; that is, the table of 256 entries consists of the pairs (x, y) with y the image of x under (7.7.1), with (0, b) being a special case of (x, y).
Clearly, inversion is merely to use the inverted table. Therefore, SubBytes can be implemented by two small tables, each of size 256 bytes.
Next, in MixColumns, multiplication between elements of the field, i.e., that between coefficients of c(x) and s(x), or more precisely, that between an element of the fixed matrix and one in a column vector in (7.7.4), can also be realized via a "table lookup" method: $z = x \cdot y$ (field multiplication) where $x \in \{\text{'01'}, \text{'02'}, \text{'03'}\}$ and y is any byte of the field. Further notice that the byte '01' is simply the multiplicative identity in the field, i.e., '01' $\cdot$ y = y. Thus, implementation (either in software or hardware) of this multiplication table only needs $2 \times 256 = 512$ entries. This small table is not much larger than the one which every primary school pupil has to recite. This realization not only is fast, but also decreases the risk of the timing analysis attack.
The linear algebraic operation in (7.7.4) and its inversion also have a fast "hardwired" implementation method. The reader with a more investigative appetite is referred to [87].
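As an added illustration of the table-lookup realization just described (example code written for this section, not from the book or from any Rijndael reference implementation): it builds the 256-entry inverse table, folds the constant affine map (7.7.1) into a single SubBytes table with its inverted table for decryption, and builds the 512-entry '02'/'03' multiplication table for MixColumns (7.7.4), each cross-checked against the direct field computation. The function and table names are assumptions made here.

```python
"""Added example for 7.7.4 (not the book's or the Rijndael reference code): the
table-lookup realization of SubBytes and of the MixColumns constant multiplications,
cross-checked against direct arithmetic in the Rijndael field."""

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in the field, reducing modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(x: int) -> int:
    """Direct inversion: x^254 = x^{-1} in a field of 256 elements; 0 maps to 0."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if x else 0

def affine(y: int) -> int:
    """The affine map (7.7.1): y -> A y + b with the circulant A and b = '63'."""
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rotl(y, 1) ^ rotl(y, 2) ^ rotl(y, 3) ^ rotl(y, 4) ^ 0x63

# The 256-entry table of pairs (x, x^{-1}); the zero byte is paired with the zero byte.
INV_TABLE = [gf_inv(x) for x in range(256)]
# Folding the constant affine map in gives all of SubBytes as one 256-byte table ...
SBOX = [affine(INV_TABLE[x]) for x in range(256)]
# ... and SubBytes^{-1} for decryption is merely the inverted table, another 256 bytes.
INV_SBOX = [0] * 256
for x, y in enumerate(SBOX):
    INV_SBOX[y] = x
# MixColumns needs z = x . y only for x in {'01', '02', '03'}; '01' is the identity,
# so 2 x 256 = 512 entries suffice.
MUL2 = [gf_mul(0x02, y) for y in range(256)]
MUL3 = [gf_mul(0x03, y) for y in range(256)]

def sub_bytes(state: bytes) -> bytes:
    """SubBytes on the 16-byte State: one lookup per byte, no data-dependent branch."""
    return bytes(SBOX[b] for b in state)

def inv_sub_bytes(state: bytes) -> bytes:
    return bytes(INV_SBOX[b] for b in state)

def mix_column(col: bytes) -> bytes:
    """One column of MixColumns (7.7.4): the circulant matrix ('02' '03' '01' '01')
    applied to the column vector, with every field multiplication a table lookup."""
    a0, a1, a2, a3 = col
    return bytes([
        MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3,
        a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
        a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3],
        MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3],
    ])

def tables_match_direct_computation() -> bool:
    """Every non-zero x times its table entry is '01', and the two S-box tables invert each other."""
    return (all(gf_mul(x, INV_TABLE[x]) == 1 for x in range(1, 256))
            and all(INV_SBOX[SBOX[x]] == x for x in range(256)))
```

The instruction sequence of a lookup does not depend on the byte value, which is the timing argument above; on processors with data caches the memory access pattern can still depend on the index, a consideration outside this section's model.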
7.7.5 Positive Impact of the AES on Applied Cryptography
The introduction of the AES will in turn introduce a few positive changes in applied cryptography.
First, multiple encryption, such as triple-DES, will become unnecessary with the AES: the enlarged and variable key and data-block sizes of 128, 192 and 256 bits can accommodate a wide spectrum of security strengths for various application needs. Since multiple encryption uses a plural number of keys, the avoidance of multiple encryption will mean a reduction in the number of cryptographic keys that an application has to manage, and hence will simplify the design of security protocols and systems.
Secondly, wide use of the AES will lead to the emergence of new hash functions of compatible security strengths. In several ways, block cipher encryption algorithms are closely related to hash functions (see 10.3.1). It has been a standard practice that block cipher encryption algorithms are often used to play the role of one-way hash functions. The login authentication protocol of the UNIX[a] operating system [206] is a well-known example; we shall see in 11.5.1 a typical "one-way transformation" usage of the DES function in the realization of the UNIX password scheme. Another example of using block cipher encryption algorithms to realize (keyed) one-way hash functions can be seen in 10.3.3. In practice, hash functions are also commonly used as pseudo-random number functions for generating keys for block cipher algorithms. With the AES's variable and enlarged key and data-block sizes, hash functions of compatible sizes will be needed. However, due to the square-root attack (the birthday attack, see 3.6 and 10.3.1), a hash function should have an output size which doubles the size of a block cipher's key or data-block size. Thus, matching the AES's sizes of 128, 192 and 256, new hash functions of output sizes 256, 384 and 512 are needed. The ISO/IEC are currently in the

process of standardizing hash functions SHA-256, SHA-384 and SHA-512 [151].
[a] UNIX is a trademark of Bell Laboratories.
Finally, just as the DES's standard position had attracted much cryptanalysis attention trying to break the algorithm, and these efforts contributed to the advance of knowledge in block cipher cryptanalysis, the AES as the new block cipher standard will also give rise to a new resurgence of research interest in block cipher cryptanalysis, which will certainly further advance the knowledge in the area.

7.8 Confidentiality Modes of Operation
A block cipher processes (encrypts or decrypts) messages as data blocks. Usually, the size of a bulk message (i.e., a message string) is larger than the size of the message block of a block cipher; the long message is divided into a series of sequentially listed message blocks, and the cipher processes these blocks one at a time.
A number of different modes of operation have been devised on top of an underlying block cipher algorithm. These modes of operation (except a trivial case of them) provide several desirable properties to the ciphertext blocks, such as adding nondeterminism (randomness) to a block cipher algorithm, padding plaintext messages to an arbitrary length (so that the length of a ciphertext needn't be related to that of the corresponding plaintext), control of error propagation, generation of key stream for a stream cipher, etc.
However, we should not consider that the use of these modes of operation can turn a "textbook crypto" block cipher into a fit-for-application one. This point will be made clear in the study (in particular, in 7.8.2.1 where we will see an active attack which is applicable to several protocols in wide use in the real world).
We describe here five usual modes of operation. They are electronic codebook (ECB) mode, cipher block chaining (CBC) mode, output feedback (OFB) mode, cipher feedback (CFB) mode, and counter (CTR) mode. Our description follows the most recent NIST recommendation [218].
In our description, we will use the following notation:
E( ): the encryption algorithm of the underlying block cipher;
D( ): the decryption algorithm of the underlying block cipher;
n: the binary size of the message block of the underlying block cipher algorithm (in all block ciphers we consider, the plaintext and ciphertext message spaces coincide, and so n is the block size of both input and output of the block cipher algorithm);
$P_1, P_2, \ldots, P_m$: m successive segments of plaintext messages input to a mode of operation; the m-th segment may have a smaller size than the other segments, and in that case a padding is applied to make the m-th segment the same size as the other segments; the size of a message segment is equal to n (the block size) in some modes of operation, and is any positive number less than or equal to n in other modes of operation;
$C_1, C_2, \ldots, C_m$: m successive segments of ciphertext messages output from a mode of operation;
$\mathrm{LSB}_u(B)$, $\mathrm{MSB}_v(B)$: the least u, and the most v, significant bits of the block B, respectively;
A || B: concatenation of the data blocks A and B.

7.8.1 The Electronic Codebook Mode (ECB)
The most straightforward way of encrypting (or decrypting) a series of sequentially listed message segments is just to encrypt (or decrypt) them one by one, separately. In this case, a message segment is just a message block. Analogous to the assignment of code words in a codebook, this natural and simple method gets an official name: electronic codebook mode of operation (ECB). The ECB mode is defined as follows:
ECB Encryption: $C_i \leftarrow E(P_i)$, $i = 1, 2, \ldots, m$;
ECB Decryption: $P_i \leftarrow D(C_i)$, $i = 1, 2, \ldots, m$.
The ECB mode is deterministic; that is, if $P_1, P_2, \ldots, P_m$ are encrypted twice under the same key, the output ciphertext blocks will be the same. In applications, data usually have partial information which can be guessed. For example, a salary figure has a guessable range. A ciphertext from a deterministic encryption scheme can allow an attacker to guess the plaintext by trial and error if the plaintext message is guessable. For example, if a ciphertext from the ECB mode is known to encrypt a salary figure, then a small number of trials will allow an attacker to recover the figure. In general, we do not wish to use a deterministic cipher, and hence the ECB mode should not be used in most applications.
7.8.2 The Cipher Block Chaining Mode (CBC)
The cipher block chaining (CBC) mode of operation is a commonly used block-cipher mode for encryption of general data. Working in the CBC mode, the output is a sequence of n-bit cipher blocks which are chained together so that each cipher block is dependent, not just on the plaintext block from which it immediately came, but on all the previous data blocks. The CBC mode has the following operations:
CBC Encryption: INPUT: IV, $P_1, \ldots, P_m$; OUTPUT: IV, $C_1, \ldots, C_m$;
CBC Decryption: INPUT: IV, $C_1, \ldots, C_m$; OUTPUT: $P_1, \ldots, P_m$;

The computation of the first ciphertext block $C_1$ needs a special input block $C_0$ which is conventionally called the "initial vector" (IV). An IV is a random n-bit block. In each session of encryption a new and random IV should be used. Since an IV is treated as a ciphertext block, it need not be secret, but it must be unpredictable. From the encryption procedure we know that the first ciphertext block $C_1$ is randomized by the IV; and in the same way and in turn, each subsequent output ciphertext block is randomized by the immediately preceding ciphertext block. Hence, the CBC mode outputs randomized ciphertext blocks. The ciphertext messages sent to the receiver should include the IV. Thus, for m blocks of plaintext, the CBC mode outputs m + 1 ciphertext blocks.
Let $Q_1, Q_2, \ldots, Q_m$ be the data blocks output from decryption of the ciphertext blocks $C_0, C_1, C_2, \ldots, C_m$. Then, since $Q_i = D(C_i) \oplus C_{i-1} = P_i$ for $i = 1, \ldots, m$, the decryption indeed works properly. Fig 7.3 provides an illustration of the CBC mode.
Figure 7.3. The Cipher Block Chaining Mode of Operation
7.8.2.1 A Common Misconception
It seems that, because in CBC the data blocks are chained together, the mode may provide a protection against unauthorized data modification such as deletion and insertion (such a protection is data integrity, which we will study in Chapter 10). Some block cipher algorithms therefore specify algorithmic methods using the CBC mode as a means for serving data integrity. For example, the RC5-CBC-PAD mode [17] specifies the following CBC plaintext padding scheme for processing plaintext message blocks before applying encryption in the CBC mode:
1. The plaintext message string is divided into a sequence of bytes (a byte is 8 bits); every eight message bytes form a (plaintext) message block (so the block size is 64).
2. The final plaintext message block of eight bytes must be a "padded block". It starts with the final a plaintext message bytes, where $0 \le a \le 7$, followed by $8 - a$ "padding bytes." Each of the "padding bytes" has the fixed hexadecimal value $8 - a$. For example, if the final

message block has seven plaintext message bytes, then these message bytes are trailed by one "padding byte" which is '01'; therefore the padded block is the seven message bytes followed by '01', whereas if the final message block has only one plaintext message byte, then the padded block is that message byte followed by seven padding bytes '07'. If the number of message bytes is divisible by 8, then the message bytes are trailed by the following padded block of all "padding bytes": '08' '08' '08' '08' '08' '08' '08' '08'.
Other CBC encryption schemes use similar padding schemes. For example, in "IP Encapsulating Security Payload (ESP)" used for IPSec [162] (to be introduced in Chapter 12), the X "padding bytes" (for $1 \le X \le 255$) are '01', '02', ..., 'xy'. Here '0' $\le$ 'x' $\le$ 'F' and '0' $\le$ 'y' $\le$ 'F', and the symbol 'xy' is the hexadecimal presentation of the integer X. At decryption time, the revealed "padding bytes" will be deleted from the retrieved plaintext message (of course, after checking the "data integrity" consistency).
Several authentication protocols in two early draft documents from the International Organization for Standards (ISO) [144, 145] also suggested "data-integrity protection" serviced by the CBC encryption mode (the general guideline for these protocols to use CBC is documented in [146, 142]).
However, it is in fact utterly wrong to believe that CBC can provide data-integrity protection in any sense.
For a CBC "padding byte" scheme, if the use of the scheme intends to provide data-integrity protection, Vaudenay demonstrates an attack [294] which betrays the absence of the protection. In Vaudenay's attack, Malice (the attacker) sends to a principal (a key holder, who is named a decryption oracle[b] and provides oracle service) two adaptively manipulated ciphertext blocks $r, C_i$
[b] The term "oracle" appears frequently in the literature of cryptography, usually for naming any unknown algorithm or method which is alleged to be able to solve a difficult problem. An oracle service means a user providing (often inadvertently) an attacker with cryptographic operations using a key which is not available to the attacker.
where r is a random data block and $C_i = E(P \oplus C_{i-1})$ is a ciphertext block for which Malice is

interested in knowing the information about the corresponding plaintext message P (e.g., P is a password). From "CBC Decryption" we know that the corresponding decryption will be $D(C_i) \oplus r = P \oplus C_{i-1} \oplus r$.
The "data-integrity" checking method will instruct how the decryption oracle should behave. From the behavior of the decryption oracle Malice may have a good chance to figure out certain information about the plaintext message P. For example, if the "data-integrity protection mechanism" instructs the decryption oracle to answer YES upon seeing a "valid padding," then most likely the "valid padding" is the case of the final "padding byte" being '01'. The probability of this event is close to $2^{-8}$ since the probability space is a byte, which has eight bits. This is under the condition that, because of the randomness of r, other cases of "correct padding" will have much lower probability (due to a much larger probability space of two or more bytes) for the decryption oracle to answer YES and can be neglected. Then Malice discovers that the final byte of $P \oplus C_{i-1} \oplus r$ is '01', i.e., Malice has successfully retrieved the final byte of P, a significant amount of information about P!
If the decryption procedure detects that a padding error has occurred (with probability close to $1 - 2^{-8}$ as reasoned above), the oracle may give an explicit NO answer, or may give no answer at all (the procedure terminates as if the oracle explodes, and hence Vaudenay names this oracle a bomb oracle). However, "no answer" is in fact an answer, which is NO in this case. In the case of the answer being NO (explicit or implicit), Malice fails to extract the last byte. But he can change r and retry. This is an active attack which mainly targets a principal which provides an oracle service. We will formally define an active attack in 8.6. More scenarios on principals playing the role of an oracle service provider will be seen in many places in the rest of this book.
Vaudenay applies his attacking technique to several cryptographic protocols which are in widespread use in many real-world applications, such as IPSec, SSH and SSL (these protocols will be introduced in Chapter 12). In these real-world applications, a YES/NO answer is easily available to Malice even if answers are not given in an explicit way (e.g., answers are encrypted).
In the basic form of this attack the decryption oracle only answers the last byte with a rather small probability $2^{-8}$ if the oracle "does not explode". Nevertheless, under fairly standard settings in many applications there are ways to maintain an oracle to be a non-explosive one, and so it can answer further questions to allow Malice to extract further plaintext bytes. Suppose that after giving a YES answer with respect to the final plaintext byte, the oracle is still in one piece. Then Malice can modify r into r' accordingly, and by sending r', C to the oracle, Malice can aim to extract the last but one byte of the plaintext with the same probability $2^{-8}$. If the oracle can be maintained to be non-explosive, the attack can carry on, and allow Malice to extract the whole plaintext block in $8 \times 2^8 = 2048$ oracle calls.
In 12.5.4 we will see Vaudenay's attack applied to a CBC-plaintext-padding implementation of an e-mail application which uses the SSL/TLS Protocol. In that attack, the decryption oracle is an

e-mail server which never explodes and hence allows Malice to extract the whole block of plaintext message, which is a user's password for accessing e-mails. The attack utilizes side channel information which is available via timing analysis. The attack is therefore called a side channel attack.

The ISO protocols which use CBC for data-integrity protection are also fatally flawed [184, 185]. We shall demonstrate the flaw in §17.2.1.2 by analyzing an authentication protocol in which the use of encryption follows the standard CBC implementation; the protocol is designed to expect that the use of CBC should provide data-integrity protection on the ciphertexts; however, the protocol is flawed precisely because this service is missing.

To randomize the output ciphertext appears to be the only security service that the CBC mode offers. Data integrity of ciphertexts output from CBC will have to be served by additional cryptographic techniques, which we shall study in Chapter 10.
7.8.2.2 A Warning
Knudsen observes a confidentiality limitation in CBC [165] which can be described as follows. When two ciphertext blocks C_i, C'_j are equal, then from CBC Encryption we have

Since plaintext usually contains redundancy, this equation helps to recover the plaintexts from the ciphertexts which are available to an eavesdropper. To make an attack using this equation infeasible, we must always use random IVs for each encryption session, so that the probability for two ciphertexts to be equal is negligibly small (a random IV provides a very large probability space).
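An added example, not code from the book, that checks two points of this section with a toy cipher: a Feistel network with an HMAC-SHA256 round function (a constructed stand-in for DES or AES, an assumption of this example) run in CBC mode with the byte-value padding the text discusses. It shows that a tampered ciphertext still passes the decryptor's padding check (the question of Exercise 7.11), and it verifies the relation that follows from C_i = E(P_i ⊕ C_{i-1}) when two ciphertext blocks are equal, namely P_i ⊕ P'_j = C_{i-1} ⊕ C'_{j-1}, under a fixed IV versus distinct IVs.

```python
# Added example, not code from the book: a toy 64-bit Feistel block cipher
# (HMAC-SHA256 round function) driving CBC mode, used to check two points of
# the text: (1) a tampered CBC ciphertext can still decrypt "with the right
# padding", so CBC gives no data integrity; (2) Knudsen's warning: equal
# ciphertext blocks C_i = C'_j imply P_i XOR P'_j = C_{i-1} XOR C'_{j-1}.
import hashlib
import hmac
import os

BLOCK = 8        # n = 64-bit block, a toy size chosen for this example
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed one-way round function, truncated to a half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:HALF], blk[HALF:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    # The same network with the round order reversed (Feistel structure).
    l, r = blk[:HALF], blk[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l


def pad(msg: bytes) -> bytes:
    k = BLOCK - len(msg) % BLOCK          # 1..BLOCK bytes, each of value k
    return msg + bytes([k]) * k


def unpad(data: bytes) -> bytes:
    # The padding check of a CBC decryptor: a YES/NO about format only.
    k = data[-1] if data else 0
    if not 1 <= k <= BLOCK or data[-k:] != bytes([k]) * k:
        raise ValueError("bad padding")
    return data[:-k]


def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> list:
    blocks, prev = [], iv
    p = pad(msg)
    for i in range(0, len(p), BLOCK):
        prev = block_encrypt(key, _xor(p[i:i + BLOCK], prev))  # C_i = E(P_i ^ C_{i-1})
        blocks.append(prev)
    return blocks


def cbc_decrypt(key: bytes, iv: bytes, blocks: list) -> bytes:
    out, prev = [], iv
    for c in blocks:
        out.append(_xor(block_decrypt(key, c), prev))          # P_i = D(C_i) ^ C_{i-1}
        prev = c
    return unpad(b"".join(out))


def tampered_still_unpads(key: bytes, iv: bytes, msg: bytes) -> tuple:
    """Flip one bit of C_1: the padding in the last block stays valid, so the
    decryptor accepts a plaintext the sender never sent. Returns (accepted, pt)."""
    blocks = cbc_encrypt(key, iv, msg)
    c1 = bytearray(blocks[0])
    c1[0] ^= 0x20                  # flips the same bit of P_2[0]; P_1 becomes random
    blocks[0] = bytes(c1)
    try:
        return True, cbc_decrypt(key, iv, blocks)
    except ValueError:
        return False, b""


def equal_block_relation(key, iv1, m1, iv2, m2) -> list:
    """List every (i, j) with C_i == C'_j and whether P_i ^ P'_j == C_{i-1} ^ C'_{j-1}
    holds for it (C_0 = IV, 1-based indices)."""
    c1, c2 = cbc_encrypt(key, iv1, m1), cbc_encrypt(key, iv2, m2)
    p1, p2 = pad(m1), pad(m2)
    prev1, prev2 = [iv1] + c1[:-1], [iv2] + c2[:-1]
    hits = []
    for i, ci in enumerate(c1):
        for j, cj in enumerate(c2):
            if ci == cj:
                lhs = _xor(p1[i * BLOCK:(i + 1) * BLOCK], p2[j * BLOCK:(j + 1) * BLOCK])
                hits.append((i + 1, j + 1, lhs == _xor(prev1[i], prev2[j])))
    return hits


if __name__ == "__main__":
    key, fixed_iv = os.urandom(16), bytes(BLOCK)   # a fixed IV: what the warning says to avoid
    print(tampered_still_unpads(key, fixed_iv, b"user password"))
    print(equal_block_relation(key, fixed_iv, b"GET /index.html HTTP/1.0",
                               fixed_iv, b"GET /index.html HTTP/1.1"))
```

With the fixed IV the two requests share their first two ciphertext blocks and the relation shows an eavesdropper that the plaintexts agree there; with distinct random IVs no block pair collides.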
7.8.3 The Cipher Feedback Mode (CFB)
The cipher feedback (CFB) mode of operation features feeding the successive cipher segments which are output from the mode back as input to the underlying block cipher algorithm. A message (plaintext or ciphertext) segment has a size s such that 1 ≤ s ≤ n. The CFB mode requires an IV as the initial random n-bit input block. The IV need not be secret since in the system it is in the position of a ciphertext. The CFB mode has the following operations:

CFB Encryption INPUT: IV, P_1, ..., P_m; OUTPUT: IV, C_1, ..., C_m;

CFB Decryption INPUT: IV, C_1, ..., C_m; OUTPUT: P_1, ..., P_m;

Observe that, in the CFB mode, the encryption function of the underlying block cipher is used at both ends of the encryption and the decryption. As a result, the underlying cipher function E can be any (keyed) one-way transformation, such as a one-way hash function. The CFB mode can be considered as a key stream generator for a stream cipher, with the encryption being the Vernam cipher between the key stream and the message segments. Similar to the CBC mode, a ciphertext segment is a function of all preceding plaintext segments and the IV. Fig 7.4 provides an illustration of the CFB mode.

Figure 7.4. The Cipher Feedback Mode of Operation
7.8.4 The Output Feedback Mode (OFB)
The output feedback (OFB) mode of operation features feeding the successive output blocks from the underlying block cipher back to it. These feedback blocks form a string of bits which is used as the key stream of the Vernam cipher, that is, the key stream is XOR-ed with the plaintext blocks. The OFB mode requires an IV as the initial random n-bit input block. The IV need not be secret since in the system it is in the position of a ciphertext. The OFB mode has the following operations:

OFB Encryption INPUT: IV, P_1, ..., P_m; OUTPUT: IV, C_1, ..., C_m;

OFB Decryption INPUT: IV, C_1, ..., C_m; OUTPUT: P_1, ..., P_m;

In the OFB mode, the encryption and the decryption are identical: XORing the input message blocks with the key stream which is generated by the feedback circuit. The feedback circuit actually forms a finite state machine with the state solely determined by the encryption key for the underlying block cipher algorithm and the IV. Thus, if a transmission error occurs in a cipher block, then only the plaintext block in the corresponding position can be garbled. Therefore, the OFB mode is suitable for encrypting messages for which retransmission is not possible, like radio signals. Similar to the CFB mode, the underlying block cipher algorithm can be replaced with a keyed one-way hash function. Fig 7.5 provides an illustration of the OFB mode.

Figure 7.5. The Output Feedback Mode of Operation (for both encryption and decryption)
7.8.5 The Counter Mode (CTR)

The counter (CTR) mode features feeding the underlying block cipher algorithm with a counter value which counts up from an initial value. With the counter counting up, the underlying block cipher algorithm outputs successive blocks to form a string of bits. This string of bits is used as the key stream of the Vernam cipher, that is, the key stream is XOR-ed with the plaintext blocks. The CTR mode has the following operations (where Ctr_1 is an initial non-secret value of the counter):

CTR Encryption INPUT: Ctr_1, P_1, ..., P_m; OUTPUT: Ctr_1, C_1, ..., C_m;

CTR Decryption INPUT: Ctr_1, C_1, ..., C_m; OUTPUT: P_1, ..., P_m;

Without feedback, the CTR mode encryption and decryption can be performed in parallel. This is the advantage that the CTR mode has over the CFB and OFB modes. Due to its simplicity, we omit the illustration for the CTR mode.
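An added example, not code from the book, implementing the CFB, OFB and CTR modes of §7.8.3 to §7.8.5 on top of a keyed one-way function (HMAC-SHA256 truncated to n = 128 bits) in place of the block cipher's E, as the text says CFB and OFB permit; the segment size s is taken in bytes, a simplification of this example. It goes beyond the text by showing how one corrupted ciphertext segment propagates in CFB versus OFB, and by decrypting a single CTR block on its own, which is what makes CTR parallelizable.

```python
# Added example, not code from the book: CFB, OFB and CTR built on a keyed
# one-way function (HMAC-SHA256 truncated to n = 128 bits) standing in for the
# block cipher's encryption function E. All three modes use E in the same
# direction for encryption and decryption, so no inverse of E is ever needed.
import hashlib
import hmac

N = 16   # n = 128-bit block of the underlying function E
SAMPLE = b"radio frame 0001 " * 3   # constructed 51-byte test message


def E(key: bytes, blk: bytes) -> bytes:
    # Keyed one-way transformation in place of the block cipher (an assumption).
    return hmac.new(key, blk, hashlib.sha256).digest()[:N]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb(key: bytes, iv: bytes, data: bytes, s: int, decrypt: bool = False) -> bytes:
    """s-byte CFB (1 <= s <= N). The shift register I starts as the IV; each
    ciphertext segment is fed back into the low end of I."""
    assert 1 <= s <= N and len(iv) == N
    I, out = iv, []
    for k in range(0, len(data), s):
        seg = data[k:k + s]
        O = E(key, I)[:len(seg)]                  # MSB_s of E(I_k)
        res = _xor(seg, O)
        out.append(res)
        fed = seg if decrypt else res             # the ciphertext segment, either way
        I = (I + fed)[-N:]                        # I_{k+1} = LSB_{n-s}(I_k) || C_k
    return b"".join(out)


def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are one operation: XOR with the key stream
    O_1 = E(IV), O_i = E(O_{i-1}), whose state depends only on key and IV."""
    O, out = iv, []
    for k in range(0, len(data), N):
        O = E(key, O)
        out.append(_xor(data[k:k + N], O))
    return b"".join(out)


def ctr_block(key: bytes, ctr1: int, i: int) -> bytes:
    # Key-stream block i (1-based) depends only on key and Ctr_1 + i - 1, so
    # any block can be produced without the others: this is the parallelism.
    return E(key, (ctr1 + i - 1).to_bytes(N, "big"))


def ctr(key: bytes, ctr1: int, data: bytes) -> bytes:
    return b"".join(_xor(data[k:k + N], ctr_block(key, ctr1, k // N + 1))
                    for k in range(0, len(data), N))


def ctr_decrypt_block(key: bytes, ctr1: int, ct: bytes, i: int) -> bytes:
    """Decrypt only ciphertext block i (1-based), without touching the rest."""
    return _xor(ct[(i - 1) * N:i * N], ctr_block(key, ctr1, i))


def error_propagation(xform, msg: bytes, unit: int, bad: int) -> list:
    """Flip one bit of ciphertext unit `bad` (1-based, `unit` bytes wide) and list
    which plaintext units come back garbled. xform(data, decrypt) runs the mode."""
    ct = bytearray(xform(msg, False))
    ct[(bad - 1) * unit] ^= 0x01
    pt = xform(bytes(ct), True)
    return [k // unit + 1 for k in range(0, len(msg), unit)
            if pt[k:k + unit] != msg[k:k + unit]]


if __name__ == "__main__":
    key, iv = b"k" * 16, b"i" * 16                # fixed demo values, not a real setup
    # OFB: only the hit block is garbled; CFB with s = 4: the hit segment plus the
    # N/s = 4 following segments, while the damaged segment sits in the register.
    print(error_propagation(lambda d, dec: ofb(key, iv, d), SAMPLE, N, 2))
    print(error_propagation(lambda d, dec: cfb(key, iv, d, 4, dec), SAMPLE, 4, 2))
    print(ctr_decrypt_block(key, 7, ctr(key, 7, SAMPLE), 3) == SAMPLE[32:48])
```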

7.9 Key Channel Establishment for Symmetric Cryptosystems

Before two principals can start confidential communications by using symmetric cryptosystems, they must first establish correct cryptographic keys shared between them. Here, "correct" not only means that an established key is bit-by-bit correct, i.e., not corrupted, but also means that both parties must be assured that the key is exclusively shared with the intended communication partner.

A communication channel over which a key is correctly established is called a key channel (see Fig 7.1). A key channel is a separate channel from a message channel. The difference between them is that a key channel is a protected one, while a communication channel is an unprotected one. In symmetric cryptosystems, since the encryption key is equal to the decryption key, the key channel must preserve both the confidentiality and the authenticity of the key.

A key channel for a symmetric cryptosystem can be established by three means: conventional techniques, public-key techniques, and the Quantum Key Distribution (QKD) technique.

Conventional Techniques At system setting-up time, a physically secure means, e.g., a courier delivery service, can be employed to make two users exclusively share an initial key. Usually, one of these two users is a trusted third party (TTP) who will be providing an authentication service (see §2.4 for the meaning of this trust). Once an initial key is shared between an end-user principal and a TTP, which forms a long-term key channel, any two end-users can run an authentication protocol to establish a secure key channel between them. The use of a TTP reduces the burden of key management for end-users: an end-user does not have to manage as many keys as she/he would have to should long-term key channels exist between every pair of end-user principals. In Chapter 2 we have seen a few examples of authentication and key establishment protocols which serve for setting up session keys between any two end-user principals using long-term key channels between end-user principals and an authentication server. We will see more such protocols in Chapters 11, 12 and 17 when we study authentication protocols, systems and formal methodologies for their security analysis.

A serious drawback of the conventional key channel establishment technique is the necessary reliance on an on-line authentication service. This disadvantage limits the scalability of the technique for open systems applications. In reality, this technique so far only finds good applications in an enterprise environment; we shall conduct a detailed study of that application in §12.4.

Public-key Techniques An important advantage of public-key cryptography is the ease of establishing a key channel between any two remote end-user principals without having them meet each other or use an on-line authentication service. This overcomes precisely the drawback of the conventional techniques. Therefore, public-key based techniques can easily scale up for large open systems. There are a number of public-key techniques for key channel establishment. We shall introduce public-key cryptography in the next chapter, and study public-key based techniques for an authentication framework in Chapter 13.

However, with public-key cryptography, there is still a need for establishing a secure key channel from a user toward the system. Here, "secure" means authentication: a given public key can be identified as really owned by a claimed principal. Nevertheless, key channel establishment using public-key techniques does not involve handling of any secret. Indeed, the setting up of a key channel regarding a public key is purely an authentication

problem. In Fig 7.1 we have illustrated that a public key channel can be based on a directory service. We will study some practical authentication techniques for establishing a public-key authentication channel in Chapter 12 (§12.3) and the general techniques for setting up a public-key authentication framework in Chapter 13.

The Quantum Key Distribution Technique In §4.4.5.1 we have seen a technique for achieving Quantum Key Distribution (QKD, Prot 4.1). The QKD Protocol allows two principals to agree on a secret key although they may have never physically met. Similar to the case of public-key techniques, there is still a need to initially establish an authentication channel from a user toward the system. This authentication channel can be based on some one-way functions such that an end-user has in its possession a secret pre-image of a one-way function, allowing its communication partner to verify without the former disclosing the secret to the latter. Using the authentication channel, participants of the QKD Protocol can be sure that the protocol is run with the intended communication partner. Commercial QKD systems are expected to be in practical use in year 2004 or so [268].

We must emphasize the future importance of the QKD technique for key channel establishment. Most practical complexity-theoretic based public-key techniques (based on the difficulty of finding the period of a periodic function) would fall with the availability of practical quantum computing technologies. The QKD technique, nevertheless, is quantum-technology immune (and there seem to exist non-periodic one-way functions which are quantum-technology immune and can serve the authentication purpose). Therefore, even when quantum computing technologies become practically available, the QKD technique will still serve key channel establishment without a need for the key sharing parties to meet physically or rely on an on-line authentication service from a trusted third party.

Finally, we should notice that the public-key based techniques and the QKD technique manifest that a confidential communication channel can be established through pure public discussions. This is a well-known principle (see e.g., [188, 189]).

7.10 Chapter Summary
In this chapter we have studied the principle of symmetric encryption algorithms and introduced several symmetric encryption schemes.

We started with introducing classical ciphers and considering their conditional security under Shannon's information theory. We pointed out that the working principle of the classical ciphers, substitution, is still the most important kernel technique in the construction of modern symmetric encryption algorithms.

Two modern block encryption algorithms, the DES and the AES, are introduced. The DES is introduced for the reasons of its historical position and the still-alive usefulness of its Feistel cipher design structure. The AES, as the newly established encryption standard, is described with detailed explanations of its working principle. We also consider methods for fast and secure realization of the AES, and discuss the positive impact the AES may have on applied cryptography.

We then introduced various standard modes of operation for using block ciphers. A common mode of operation, CBC, is studied with a common misconception exposed. The misconception is that CBC provides a data-integrity service, which we have demonstrated to be false. More clear evidence of this misconception will be given in Chapter 17 when we study authentication protocols which apply CBC encryption.

Finally we listed three techniques for the establishment of secure key channels between communication partners who wish to communicate confidential information. Among the three, the QKD technique, although in its initial and primitive shape, is vitally important for the future owing to its immunity from quantum computation technology.

Exercises
7.1 Why should an encryption algorithm not contain secret design parts?

7.2 Uneven frequencies of certain letters in English is an example of plaintext being in a small region of the entire message space. Give two other examples which also contribute to the fact that English plaintext messages have a small region distribution.

7.3 Let S_P, S_C denote a plaintext message source and the corresponding ciphertext message source, respectively. Use the entropy formulation given in §3.7 to explain that ciphertext messages output from the simple substitution or transposition ciphers do not change the distribution of the corresponding plaintext messages, that is, the ciphertexts remain in a small region of the entire message space.

Hint: H(S_P) = H(S_C).

7.4 Is the Vernam cipher a substitution cipher? Is it monoalphabetic or polyalphabetic?

7.5 What is the difference between the Vernam cipher and the one-time pad?

7.6 Why is the one-time pad encryption unconditionally secure against eavesdropping?

7.7 The shift cipher in Prot 7.1 is a perfectly secure encryption scheme since a one-time key is used and the key has the same size as that of the message. If the shift cipher is computed as addition without modulo reduction, can it still be a perfectly secure encryption scheme?

7.8 Why are simple substitution ciphers and transposition ciphers, even though extremely vulnerable to the frequency analysis attack, still in wide use in modern day encryption algorithms and cryptographic protocols?

7.9 A modern cipher is usually constructed as a combination of several classical cipher techniques. Identify parts in the DES and the AES where (i) substitution cipher techniques are used, (ii) transposition cipher techniques are used, and (iii) the Vernam cipher is used.

7.10 (i) Why is the AES regarded as very efficient? (ii) How should multiplication in the finite field be realized in the implementation of the AES?

7.11 In the cipher block chaining (CBC) mode of operation for block ciphers, if the decryption of a received ciphertext "has the right padding," will you consider that the transmitted plaintext has valid data integrity?

Chapter 8. Encryption - Asymmetric Techniques

Section 8.1. Introduction
Section 8.2. Insecurity of "Textbook Encryption Algorithms"
Section 8.3. The Diffie-Hellman Key Exchange Protocol
Section 8.4. The Diffie-Hellman Problem and the Discrete Logarithm Problem
Section 8.5. The RSA Cryptosystem (Textbook Version)
Section 8.6. Cryptanalysis Against Public-key Cryptosystems
Section 8.7. The RSA Problem
Section 8.8. The Integer Factorization Problem
Section 8.9. Insecurity of the Textbook RSA Encryption
Section 8.10. The Rabin Cryptosystem (Textbook Version)
Section 8.11. Insecurity of the Textbook Rabin Encryption
Section 8.12. The ElGamal Cryptosystem (Textbook Version)
Section 8.13. Insecurity of the Textbook ElGamal Encryption
Section 8.14. Need for Stronger Security Notions for Public-key Cryptosystems
Section 8.15. Combination of Asymmetric and Symmetric Cryptography
Section 8.16. Key Channel Establishment for Public-key Cryptosystems
Section 8.17. Chapter Summary
Exercises

8.1 Introduction
Early ciphers (such as the Caesar cipher) depended on keeping the entire encryption process secret. Modern ciphers such as the DES and the AES follow Kerckhoffs' principle (see §7.1): the algorithmic details of these ciphers are made public for open scrutiny. In so doing, the designers of these ciphers wish to demonstrate that the security of their cryptosystems resides solely in the choice of the secret encryption keys.

There is further room to practice Kerckhoffs' principle of reducing the secret component in an encryption algorithm. Consider Shannon's semantic property of encryption: a mixing-transformation which distributes meaningful messages from the plaintext region fairly uniformly over the entire message space C (pages 711-712 of [264]). We now know that such a random distribution can be achieved without using any secret. Diffie and Hellman first realized this in 1975 [97] (the publication date of this paper was 1976, but the paper was first distributed in December 1975 as a preprint, see [96]). They named their discovery public-key cryptography. At that time it was a totally new understanding of cryptography.

In a public-key cryptosystem, encryption uses no secret key; a secret key is only needed at decryption time. In [97], Diffie and Hellman sketched several mathematical transformations, which they termed one-way trapdoor functions, as possible candidates for realizing public-key cryptography. Informally speaking, a one-way trapdoor function has the following property:

Property 8.1: One-way Trapdoor Function A one-way trapdoor function, which we denote by f_t(x): D → R, is a one-way function, i.e., it is easy to evaluate for all x ∈ D and difficult to invert for almost all values in R. However, if the trapdoor information t is used, then for all values y ∈ R it is easy to compute x ∈ D satisfying y = f_t(x).

The notion of one-way trapdoor function forms the enabler for public-key cryptography. In contrast to the notion of secret-key or symmetric cryptosystems, a public-key cryptosystem based on a one-way trapdoor function is also referred to as an asymmetric cryptosystem, due to the asymmetric property of one-way trapdoor functions. Although the several one-way trapdoor functions considered in the first paper of Diffie and Hellman on public-key cryptography (i.e., [97]) were not very plausible due to their poor asymmetry, Diffie and Hellman soon proposed a successful function, modulo exponentiation, and used it to demonstrate the famous cryptographic protocol: the Diffie-Hellman key exchange protocol [98] (see §8.3). To this day, this first successful realization of a public-key crypto-algorithm is still in wide use and under endless further development.

In 1974, Merkle discovered a mechanism to realize cryptographic key agreement via an apparent asymmetric computation, which is now known as Merkle's puzzle [199]. The asymmetric computation in Merkle's puzzle means that the computational complexity for legitimate participants of a key agreement protocol and that for an eavesdropper are drastically different: the former is feasible and the latter is not. Merkle's puzzle was the first effective realization of a one-way trapdoor function. Although Merkle's puzzle may not be considered suitable for modern cryptographic applications (as the asymmetry is only between n and n²), the insight it revealed was monumental to the discovery of public-key cryptography.

It is now known that Cocks, a British cryptographer, invented the first public-key cryptosystem in 1973 (see e.g., [277]). Cocks' encryption algorithm, named "non-secret key encryption," is based on the difficulty of integer factorization and is essentially the same as the RSA cryptosystem (see §8.5). Unfortunately, Cocks' algorithm was classified. In December 1997, the British government's Communications Services Electronics Security Group (CESG) released Cocks' algorithm.

Although it happened that the discovery of public-key cryptography by the open research community took place after the notion was known in a closed circle, we must point out that it was the open research community that identified the two most important applications of public-key cryptography: (i) digital signatures (see §10.4), and (ii) secret key establishment over public communications channels (see §8.3). These two applications have enabled today's proliferation of secure electronic commerce over the Internet.

8.1.1 Chapter Outline
We begin the technical part of this chapter with an introduction to a "textbook crypto" security notion, providing an early warning that all public-key cryptographic algorithms to be introduced in this chapter are actually insecure for standard application scenarios in the real world (§8.2). We then introduce several well-known public-key cryptographic primitives. These are: the Diffie-Hellman key exchange protocol (§8.3), and the textbook versions of the RSA (§8.5), Rabin (§8.10) and ElGamal (§8.12) cryptosystems. These basic public-key cryptographic primitives are introduced together with formal and complexity-theoretic statements on the respective underlying intractability assumptions. These are: the Diffie-Hellman problem and the discrete logarithm problem (§8.4), the RSA problem (§8.7) and the integer factorization problem (§8.8). We will also begin in this chapter to develop formal notions for describing various attacking models against public-key cryptosystems (§8.6). Insecurity of the textbook versions of the cryptographic algorithms will be demonstrated in §8.9 (RSA), §8.11 (Rabin) and §8.13 (ElGamal). We will consider the need for a stronger security notion for public-key encryption (§8.14). Having introduced both symmetric and asymmetric cryptosystems, we will introduce their combination: hybrid encryption schemes (§8.15).

8.2 Insecurity of "Textbook Encryption Algorithms"
We should notice that the encryption algorithms to be introduced in this chapter should be labeled textbook crypto. They are so labeled because these algorithms can be found in most textbooks on cryptography. However, these basic encryption algorithms are actually not suitable for use in real-world applications. Within the scope of public-key cryptosystems, a textbook encryption algorithm in general has a confidentiality property stated in Property 8.2.

Property 8.2: Insecurity Property of Textbook Encryption Algorithms Within the scope of this chapter, security (confidentiality) for a cryptosystem is considered in the following two senses:

i. All-or-nothing secrecy For a given ciphertext output from a given encryption algorithm, the attacker's task is to retrieve the whole plaintext block, which in general has a size stipulated by a security parameter of the cryptosystem; or, for a given pair of plaintext and ciphertext under a given encryption algorithm, the attacker's task is to uncover the whole block of the underlying secret key. The attacker either succeeds in obtaining the whole block of the targeted secret, or fails with nothing. We should pay particular attention to the meaning of "nothing:" it means that the attacker does not have any knowledge about the targeted secret before or after its attacking attempt.

ii. Passive attacker The attacker does not manipulate or modify ciphertexts using data she/he has in possession, and does not ask a key owner to provide encryption or decryption services.

This notion of security (confidentiality) is extremely weak; in fact, it is uselessly weak and therefore should better be named "a notion of insecurity."

Let us first explain why Property 8.2(i) is an insecurity property. In applications, plaintext data are likely to have some non-secret "partial information" which can be known to an attacker. For example, some data are always in a small range: a usual salary figure should be less than one million, which is, though a large salary, a small number in the cryptographic sense. For another example, a usual password is a bit string of up to eight characters. Often, the known partial information will permit an attacker to succeed and obtain the whole plaintext message, rather than "fail with nothing."

Now let us explain further why Property 8.2(ii) is also an insecurity property. We should never expect an attacker to be so nice as to remain passive. The typical behavior of an attacker is that it will try all means available to it. This particularly includes the attacker engaging in interactions with a targeted user, sending a ciphertext to the latter to be decrypted, with the plaintext returned to the former. This way of interaction is known as a user (a public key owner) providing an oracle decryption service for an attacker. We will see in this chapter and a few later chapters that it is hard to avoid providing oracle services.

The nice algebraic properties that are generally held by textbook cryptographic algorithms can often enable an attacker who is served with oracle services to break a textbook cryptographic algorithm. We will see a few such examples in this chapter and will further see the general applicability of such attacking techniques in a few later chapters.

While in this chapter we will sometimes provide warnings that a user should not be used as an oracle service provider, we should notice that ordinary users of a public-key algorithm are too naive to be educated not to provide an oracle service to an attacker. Also, avoiding being used as an oracle is a very hard problem (we will see this point in §12.5.4). The correct strategy is to

Table of Cont ent s
Moder n Cr ypt ography : Theor y and Pract i ce
By Wenbo Mao Hewlet t - Packard Company

Publi sher: Prent i ce Hal l PTR


Pub Dat e: Jul y 25, 2003
I SBN: 0- 13-066943-1
Pages: 648

Many cr y pt ographi c schemes and prot ocol s, especi al l y t hose based on publ i c- key cry pt ogr aphy ,
have basi c or so- cal l ed " t ext book cr ypt o" ver si ons, as t hese ver sionsar e usual ly t he subj ect s for
many t ext books on cry pt ogr aphy . Thi s book t akes adi ff er ent appr oach t o i nt roduci ng
cry pt ogr aphy : it pay s much more at t ent i on t ofi t - f or- appl i cat i on aspect s of cr ypt ogr aphy . I t
expl ains why " t ext book cr y pt o" isonl y good in an i deal wor l d wher e dat a ar e r andom and bad
guys behave ni cel y . I t r eveal s t he gener al unf it ness of "t ext book cr y pt o" for t he r eal worl d by
demonst r at i ngnumer ous at t acks on such schemes, pr ot ocol s and syst ems under var i ousr eal -
wor ld appl i cat i on scenari os. Thi s book chooses t o i nt r oduce a set of pract i cal cr y pt ogr aphi c
schemes, pr ot ocol s and syst ems, many of t hem st andar ds or de fact oones, st udies t hem cl osel y,
expl ains t hei r wor ki ng pri nci pl es, di scusses t hei r pr act i cal usages, and exami nes t hei r st r ong
( i . e. , f i t - for - appl i cat i on) securi t y pr opert i es, oft enwi t h securi t y evi dence for mal l y est abl ished.
The book al so i ncl udes self - cont ai nedt heor et i cal backgr ound mat er ial t hat i s t he f oundat i on for
moder n cr ypt ogr aphy.
design fit-for-application cryptosystems to be securely used by naive users.

By stating Property 8.2, we make it explicit that within the scope of this chapter, we will not consider a stronger notion of security for public-key encryption algorithms, and consequently, for the textbook encryption algorithms to be introduced here, we will not hope that they are secure in any strong sense. On the contrary, we will demonstrate, but not try to fix, a number of confidentiality flaws with the textbook encryption algorithms in both insecurity properties, i.e., partial information leakage and/or results of active attacks.

Definitions for a number of more stringent security notions against stronger (i.e., more realistic) attacking scenarios will be introduced in Chapter 14. Fit-for-application counterparts to the textbook encryption algorithms will be followed up in Chapter 15.

8.3 The Diffie-Hellman Key Exchange Protocol
With a symmetric cryptosystem it is necessary to transfer a secret key to both communicating parties before secure communication can begin. Prior to the birth of public-key cryptography, the establishment of a shared secret key between communication parties had always been a difficult problem because the task needed a secure confidential channel, and often such a channel meant physical delivery of keys by a special courier. An important advantage that public-key cryptography provides over symmetric cryptography is the achievement of exchanging a secret key between remote communication parties with no need of a secure confidential channel. The first practical scheme to achieve this was proposed by Diffie and Hellman, known as the Diffie-Hellman exponential key exchange protocol [98].

To begin with, users Alice and Bob are assumed to have agreed on a finite field and an element which generates a group of a large order. For simplicity, we consider the case of a prime field, where the field size p is a large prime. The two parties may test the primality of p using Alg 4.5, where they have constructed p such that they know the complete factorization of p - 1; and then they may find a generator g (e.g., of the multiplicative group of the field) using Alg 5.1. By Theorem 5.11, each number in [1, p) can be expressed as g^x (mod p) for some x. Now p and g are the common input to the participants in a basic version of a so-called Diffie-Hellman Key Exchange protocol, which is specified in Prot 8.1.

Protocol 8.1: The Diffie-Hellman Key Exchange Protocol
COMMON INPUT (p, g): p is a large prime, g is a generator element of the multiplicative group modulo p.
OUTPUT An element of that group shared between Alice and Bob.
1. Alice picks a ∈_U [1, p - 1); computes g_a ← g^a (mod p); sends g_a to Bob;
2. Bob picks b ∈_U [1, p - 1); computes g_b ← g^b (mod p); sends g_b to Alice;
3. Alice computes k ← (g_b)^a (mod p);
4. Bob computes k ← (g_a)^b (mod p).

It is easy to see from Protocol 8.1 that for Alice
k ≡ (g_b)^a ≡ g^(ba) (mod p)

and for Bob
k ≡ (g_a)^b ≡ g^(ab) (mod p).

We note that since ab ≡ ba (mod p - 1), the two parties have computed the same value. This is how the Diffie-Hellman key exchange protocol achieves a shared key between two communication parties.

A system-wide set of users may share the common public parameters p and g.

Example 8.1.
Let p = 43. Applying Alg 5.1 we find that 3 is a primitive root modulo 43. Let Alice and Bob share the public material elements (p, g) = (43, 3).
For Alice and Bob to agree a secret key, Alice picks her random secret exponent 8, and sends to Bob 3^8 ≡ 25 (mod 43). Bob picks his random secret 37, and sends to Alice 3^37 ≡ 20 (mod 43).
The secret key agreed between them is 20^8 ≡ 25^37 ≡ 3^(8·37) ≡ 9 (mod 43).

We should add a few cautionary details to the implementation and the use of the Diffie-Hellman key exchange protocol.

The common input p should be such a prime (or a prime power) that p - 1 has a sufficiently large prime factor p'; here "sufficiently large" means p' > 2^160. The need for p to have this property will be discussed in §8.4.

The common input g needn't be a generator of the whole multiplicative group itself; but it is necessary for it to be a generator of a large-order subgroup, e.g., a subgroup of order p'. In this case, Alice and Bob should check g ≠ 1 and g^(p') ≡ 1 (mod p). For this purpose, p' should be part of the common input to the protocol.

Alice (respectively, Bob) should check g_b ≠ 1 (respectively, g_a ≠ 1). Then, for their respective exponents chosen from (1, p'), these checking steps will guarantee that the shared key g^(ab) will be one in the order-p' subgroup, that is, in a sufficiently large subgroup.

Alice (respectively, Bob) should erase her exponent a (respectively, his exponent b) upon termination of the protocol. In so doing, they will have a forward secrecy property on the exchanged key g^(ab) if they also properly dispose of the exchanged key after their session communication ends. We will further discuss the "forward secrecy" property in §8.15 and §11.6.1.
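As an added example (not code from the book), here is Protocol 8.1 in Python together with the checks from the cautionary notes just given, replayed on the values of Example 8.1; the function names, and the choice of passing the subgroup order p' as an explicit input q, are this example's own.

```python
import secrets


def dh_public_value(p: int, g: int, x: int) -> int:
    """Steps 1 and 2 of Protocol 8.1: g_x <- g^x (mod p)."""
    return pow(g, x, p)


def dh_shared_key(p: int, peer_value: int, x: int) -> int:
    """Steps 3 and 4 of Protocol 8.1: k <- (peer's value)^x (mod p)."""
    return pow(peer_value, x, p)


def check_common_input(p: int, q: int, g: int) -> bool:
    """Check on (p, q, g) from the cautionary notes: g != 1 and g^q == 1 (mod p).

    q plays the role of the large prime factor p' of p - 1. With q prime, the
    two conditions together say that g generates exactly the order-q subgroup.
    """
    if not 1 < g < p:
        return False
    return pow(g, q, p) == 1


def check_peer_value(p: int, q: int, y: int) -> bool:
    """Check on a received g_a or g_b: reject 1 (and out-of-range values).

    Additionally requiring y^q == 1 (mod p) confirms that y lies in the order-q
    subgroup, so the derived key cannot be pushed into a small subgroup.
    """
    if not 1 < y < p:
        return False
    return pow(y, q, p) == 1


def random_exponent(q: int) -> int:
    """A fresh exponent drawn uniformly from (1, q), as the text recommends."""
    return 2 + secrets.randbelow(q - 2)


def run_protocol(p: int, q: int, g: int, a: int, b: int) -> dict:
    """One honest run of Protocol 8.1 with the checks; ValueError on failure.

    a and b are passed in so the run is reproducible; a real party would use
    random_exponent(q) and never disclose the value.
    """
    if not check_common_input(p, q, g):
        raise ValueError("g is not a generator of the order-q subgroup")
    g_a = dh_public_value(p, g, a)      # step 1: Alice -> Bob
    g_b = dh_public_value(p, g, b)      # step 2: Bob -> Alice
    if not check_peer_value(p, q, g_b):
        raise ValueError("Alice rejects the value received from Bob")
    if not check_peer_value(p, q, g_a):
        raise ValueError("Bob rejects the value received from Alice")
    k_alice = dh_shared_key(p, g_b, a)  # step 3
    k_bob = dh_shared_key(p, g_a, b)    # step 4
    # Erase the exponents once the key is derived (the forward secrecy note).
    # In Python this only drops the references; a native implementation
    # would overwrite the buffers.
    del a, b
    return {"g_a": g_a, "g_b": g_b, "k_alice": k_alice, "k_bob": k_bob}


def example_8_1() -> dict:
    """Example 8.1 replayed: p = 43, g = 3 (a primitive root, so the subgroup
    is the whole group and q = p - 1 = 42), a = 8, b = 37."""
    return run_protocol(43, 42, 3, 8, 37)


def subgroup_example() -> dict:
    """The same modulus with the subgroup discipline from the cautionary notes:
    p - 1 = 42 = 2 * 3 * 7, so q = 7 and g = 41 (= 3^6 mod 43) has order 7.
    Exponents 3 and 5 are constructed sample values from (1, 7)."""
    return run_protocol(43, 7, 41, 3, 5)


if __name__ == "__main__":
    print(example_8_1())               # g_a = 25, g_b = 20, both keys 9
    print(subgroup_example())          # both keys equal
    # A value outside the order-7 subgroup (3 itself) fails the peer check.
    print(check_peer_value(43, 7, 3))  # False
```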

8.3.1 The Man-in-the-Middle Attack
It should be noted that the Diffie-Hellman key exchange protocol does not support the authenticity of the key agreed. An active adversary in the middle of the communications between Alice and Bob can manipulate the protocol messages to mount an attack called the man-in-the-middle attack. Attack 8.1 illustrates such an attack.

Attack 8.1: Man-in-the-Middle Attack on the Diffie-Hellman Key Exchange Protocol
COMMON INPUT: Same as Prot 8.1.
1 Alice picks a ∈_U [1, p - 1), computes g_a ← g^a (mod p); she sends g_a to Malice("Bob");
1' Malice("Alice") computes g_m ← g^m (mod p) for some m ∈ [1, p - 1); he sends g_m to Bob;
2 Bob picks b ∈_U [1, p - 1), computes g_b ← g^b (mod p); he sends g_b to Malice("Alice");
2' Malice("Bob") sends to Alice: g_m;
3 Alice computes k_1 ← (g_m)^a (mod p);
(* this key is shared between Alice and Malice since Malice can compute (g_a)^m (mod p). *)
4 Bob computes k_2 ← (g_m)^b (mod p).

(* this key is shared between Bob and Malice since Malice can compute (mod p). *)
In an attack on a run of the protocol, Malice (the bad guy) intercepts and blocks Alice's first message to Bob, g^a, and he masquerades as Alice and sends to Bob
Malice("Alice") sends to Bob: (mod p);
(The reader may recall our convention agreed in 2.6.2 for denoting Malice's action of masquerading as other principals.) Bob will follow the protocol instructions by replying g^b to Malice("Alice"). This means that the value transmitted is again intercepted and blocked by Malice. Now Malice and Bob have agreed a key g^{bm} (mod p) which Bob thinks to share with Alice. Analogously, Malice can masquerade as Bob and agree another key with Alice (e.g., g^{am} (mod p)). After this, Malice can use these two keys to read and relay "confidential" communications between Alice and Bob, or to impersonate one of them to the other.
The man-in-the-middle attack on the Diffie-Hellman key exchange protocol is possible because the protocol does not provide an authentication service on the source of the protocol messages. In order to agree on a key which is exclusively shared between Alice and Bob, these principals must make sure that the messages they receive in a protocol run are indeed from the intended principals. In Chapter 11 we will study authentication techniques; there (11.6) we will introduce methods for securely applying the Diffie-Hellman key exchange protocol.
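The two runs just described, as an added example that is not from the book: an honest Diffie-Hellman run and one in which Malice blocks both messages and substitutes g^m, over a toy modulus (p = 23, g = 5, both constructed for illustration). Each party ends up with a key Malice can compute, and the two keys differ.

```python
"""Diffie-Hellman key exchange: an honest run versus a run with Malice interposed.

Added example, not code from the book.  The modulus p = 23 and generator g = 5
are toy values constructed for illustration (5 is a primitive root modulo 23);
real parameters are at least 1024 bits and, as the text says, need authentication.
"""
P = 23   # toy prime modulus (constructed)
G = 5    # primitive root modulo 23, so it generates the whole group Z_23^*


def dh_public(x, p=P, g=G):
    """Protocol message g^x (mod p) for private exponent x."""
    return pow(g, x, p)


def dh_shared(peer_public, x, p=P):
    """Session key (peer's message)^x (mod p)."""
    return pow(peer_public, x, p)


def honest_run(a, b):
    """The protocol with no interference: both sides derive g^{ab}."""
    msg_from_alice = dh_public(a)            # Alice -> Bob: g^a
    msg_from_bob = dh_public(b)              # Bob -> Alice: g^b
    alice_key = dh_shared(msg_from_bob, a)   # (g^b)^a
    bob_key = dh_shared(msg_from_alice, b)   # (g^a)^b
    return alice_key, bob_key


def interposed_run(a, b, m):
    """Run in which Malice (exponent m) blocks both messages and substitutes g^m.

    Because neither message carries any evidence of its origin, Bob accepts g^m
    as if it came from Alice and Alice accepts g^m as if it came from Bob.
    Returns the key each party ends up with and the two keys Malice can compute.
    """
    alice_sends = dh_public(a)        # intercepted and blocked; never reaches Bob
    bob_receives = dh_public(m)       # Malice("Alice") -> Bob: g^m
    bob_sends = dh_public(b)          # intercepted and blocked; never reaches Alice
    alice_receives = dh_public(m)     # Malice("Bob") -> Alice: g^m

    alice_key = dh_shared(alice_receives, a)   # Alice believes this is shared with Bob
    bob_key = dh_shared(bob_receives, b)       # Bob believes this is shared with Alice
    # Malice combines the intercepted g^a and g^b with his own exponent m.
    malice_key_with_alice = dh_shared(alice_sends, m)   # g^{am}
    malice_key_with_bob = dh_shared(bob_sends, m)       # g^{bm}
    return {
        "alice_key": alice_key,
        "bob_key": bob_key,
        "malice_key_with_alice": malice_key_with_alice,
        "malice_key_with_bob": malice_key_with_bob,
    }


if __name__ == "__main__":
    print("honest run (keys agree):", honest_run(6, 15))
    print("interposed run (two different keys, both known to Malice):",
          interposed_run(6, 15, 13))
```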
8.4 The Diffie-Hellman Problem and the Discrete Logarithm Problem
The secrecy of the agreed shared key from the Diffie-Hellman key exchange protocol is exactly the problem of computing g^{ab} (mod p) given g^a and g^b. This problem is called computational Diffie-Hellman problem (CDH problem).
Definition 8.1: Computational Diffie-Hellman Problem (CDH Problem) (in finite field)
INPUT
desc( ): the description of finite field ;
: a generator element of ;
g^a, for some integers 0 < a, b < q.
OUTPUT g^{ab}.
We have formulated the problem in a general form working in a finite field. The Diffie-Hellman key exchange protocol in 8.3 uses a special case. For formalism purposes, in the definition of a general problem, an assumption, etc., we will try to be as general as possible, while in explanations outside formal definitions we will often use special cases which help to expose ideas with clarity.
If the CDH problem is easy, then g^{ab} (mod p) can be computed from the values p, g, g^a, g^b, which are transmitted as part of the protocol messages. According to our assumptions on the ability of our adversary (see 2.3), these values are available to an adversary.
The CDH problem relies, in turn, on the difficulty of the discrete logarithm problem (DL problem).
Definition 8.2: Discrete Logarithm Problem (DL Problem) (in finite field)
INPUT
desc( ): the description of finite field ;
: a generator element of ;
OUTPUT the unique integer a < q such that h = g^a.
We denote the integer a by log_g h.
The DL problem looks similar to taking ordinary logarithms in the reals. But unlike logarithms in the reals where we only need approximated "solutions," the DL problem is defined in a discrete domain where a solution must be exact.
We have discussed in Chapter 4 that the security theory of modern public-key cryptography is
established on a complexity-theoretic foundation. Upon this foundation, the security of a public-key cryptosystem is conditional on some assumptions that certain problems are intractable. The CDH problem and the DL problem are two assumed intractable problems. Intuitively we can immediately see that the difficulties of these problems depend on the size of the problems (here, it is the size of the field), as well as on the choice of the parameters (here, it is the choice of the public parameter g and the private data a, b). Clearly, these problems need not be difficult for small instances. In a moment we will further see that these problems need not be difficult for poorly chosen instances. Thus, a precise description of the difficulty must formulate properly both the problem size and the choice of the instances. With the complexity-theoretic foundations that we have established in Chapter 4, we can now describe precisely the assumptions on the intractabilities of these two problems. The reader may review Chapter 4 to refresh several notions to be used in the following formulations (such as "1^k," "probabilistic polynomial time," and "negligible quantity in k").
Assumption 8.1: Computational Diffie-Hellman Assumption (CDH Assumption) A CDH problem solver is a PPT algorithm such that with an advantage > 0:
where the input to is defined in Definition 8.1.
Let be an instance generator that on input 1^k, runs in time polynomial in k, and outputs (i) desc( ) with |q| = k, (ii) a generator element .
We say that satisfies the computational Diffie-Hellman (CDH) assumption if there exists no CDH problem solver for (1^k) with advantage > 0 non-negligible in k for all sufficiently large k.
Assumption 8.2: Discrete Logarithm Assumption (DL Assumption) A DL problem solver is a PPT algorithm such that with an advantage > 0:
where the input to is defined in Definition 8.2.
Let be an instance generator that on input 1^k, runs in time polynomial in k, and outputs (i) desc( ) with |q| = k, (ii) a generator element , (iii) .
We say that satisfies the discrete logarithm (DL) assumption if there exists no DL problem solver for (1^k) with advantage > 0 non-negligible in k for all sufficiently large k.
In a nutshell, these two assumptions state that in finite fields for all sufficiently large instances, there exists no efficient algorithm to solve the CDH problem or the DL problem for almost all instances. A negligible fraction of exceptions are due to the existence of weak instances. However, much more decent elaborations are needed for these two assumptions. Let us first make a few important remarks, in which we will keep the "formal tone".
Remark 8.1
1. In Assumptions 8.1 and 8.2, the respective probability space should consider (i) the instance space, i.e., arbitrary finite fields and arbitrary elements are sampled (the importance of this will be discussed in 8.4.1), and (ii) the space of the random operations in an efficient algorithm. The need for considering (ii) is because by "polynomial-time" or "efficient" algorithm we include randomized algorithms (see Definition 4.6 in 4.4.6).
2. The number k in both formulations is called a security parameter. (1^k) is a random instance of the field and the element(s). From our study of the probabilistic prime generation in 4.4.6.1 and the field construction in 5.4 we know that (1^k) indeed terminates in polynomial time in k. It is now widely accepted that k = 1024 is the lower bound setting of security parameter for the DLP in finite fields. This lower bound is a result of a subexponential time algorithm (index calculus) for solving the DLP in finite fields. The subexponential complexity expression is in (8.4.2). For |q| = 1024, the expression yields a quantity greater than 2^80. This is why the setting of k = 1024 becomes the widely agreed lower bound. Thus, as stipulated by the phrase "for all sufficiently large k" in both assumptions, we should only consider k greater than this lower bound.
3. Holding of the DL assumption means that the function
Equation 8.4.1
is one-way. Therefore, holding of the DL assumption implies the existence of one-way function. It is widely believed that the DL assumption should actually hold (a case under the belief , see 4.5), or the function in (8.4.1) should be one-way, or in other words, one-way function should exist.
4. It is not known to date whether or not the function in (8.4.1) is a trapdoor function (see Property 8.1 in 8.1 for the meaning of one-way trapdoor function). That is, no one knows how to embed trapdoor information inside this function to enable an efficient inversion of the function (i.e., an efficient method to compute x from g^x using trapdoor information). However, if the function uses a composite modulus (the function remains one-way), then the function becomes a trapdoor where the prime factorization of the modulus forms the trapdoor information. The reader is referred to [229, 224, 228] for the technical details.
We still need more "common-language" explanations for these two assumptions. These two assumptions essentially say that "there is no polynomial in k algorithm for solving these two problems". However, we must read this statement with great care. A "poly(k) solver", if it exists, runs in time k^n for some integer n. On the other hand, we know there exists a "subexponential solver" for the DLP running in time
Equation 8.4.2
where c is a small constant (e.g., c < 2). Combining "no poly(k) solver" and "having a sub_exp(q) solver", we are essentially saying that k^n is much much smaller than sub_exp(k log 2) (for k = |q| = log_2 q, we have log q = k log 2). However, this "much much smaller" relation can only be true when n is fixed and k (as a function of n) is sufficiently large. Let us make this point explicit.
Suppose k is not sufficiently large. Taking the natural logarithm of poly(k) and of sub_exp(k log 2), we are comparing the following two quantities:
where . Now we see that the known subexponential solver will be quicker than a supposedly "non-existing poly solver" when n is at the level of . The real meaning of "no poly(k) solver" is when k is considered as a variable which is not bounded (and hence can be "sufficiently large" as stated in the two assumptions), while n is a fixed constant. In reality, k cannot be unbounded. In particular, for the commonly agreed lower bound setting for the security parameter, k = 1024, and for c < 2, there does exist a "poly(k) solver" which has a running time bounded by a degree-9 polynomial in k (confirm this by doing Exercise 8.4).
From our discussions so far, we reach an asymptotic explanation for "no poly(k) solver": k is unbounded and is sufficiently large. In reality k must be bounded, and hence a poly(k) solver does exist. Nevertheless, we can set a lower bound for k so that we can be content that the poly solver will run in time which is an unmanageable quantity. In fact, the widely agreed lower bound k = 1024 is worked out this way.
This asymptotic meaning of "no poly solver" will apply to all complexity-theoretic based intractability assumptions to appear in the rest of the book.
Finally let us look at the relationship between these two problems.
Notice that the availability of a = log_g g1 or b = log_g g2 will permit the calculation of
That is, an efficient algorithm which solves the DLP will lead to an efficient algorithm to solve the CDH problem. Therefore if the DL assumption does not hold, then we cannot have the CDH assumption. We say that the CDH problem is weaker than the DL problem, or equivalently, the CDH assumption is a stronger assumption than the DL assumption. The converse of this statement is an open question:
Can the DL assumption be true if the CDH assumption is false?
Maurer and Wolf give a strong heuristic argument on the relation between these two problems; they suggest that it is very likely that these two problems are equivalent [190].
8.4.1 Importance of Arbitrary Instances for Intractability Assumptions
We should emphasize the importance of arbitrary instances required in the DL assumption. Let us consider with p being a k-bit prime and the problem of extracting a from h ≡ g^a (mod p). We know that a is an element in . If p - 1 = q_1 q_2 ... q_e with each factor q_i being small (meaning, q_i ≤ polynomial(k) for i = 1, 2, ..., e), then the discrete-logarithm-extraction problem can be turned into extracting a_i ≡ a (mod q_i) from h^{(p - 1)/q_i} (mod p), but now the a_i are small and can be extracted in time polynomial in k. After a_1, a_2, ..., a_e are extracted, a can be constructed by applying the Chinese Remainder Theorem (Theorem 6.7). This is the idea behind the polynomial-time algorithm of Pohlig and Hellman [231] for solving the DL problem modulo p if p - 1 has no large prime factor. Clearly, if every prime factor of p - 1 is bounded by a polynomial in k, then the Pohlig-Hellman algorithm has a running time polynomial in k.
A prime number p with p - 1 containing no large prime factor is called a smooth prime. But sometimes we also say "p - 1 is smooth" with the same meaning. A standard way to avoid the smooth-prime weak case is to construct the prime p such that p - 1 is divisible by another large prime p'. By Theorem 5.2(2), the cyclic group contains the unique subgroup of order p'. If p' is made public, the users of the Diffie-Hellman key exchange protocol can make sure that the protocol is working in this large subgroup; all they need to do is to find an element such that
This element g generates the group of the prime order p'. The Diffie-Hellman key exchange protocol should use (p, p', g) so generated as the common input. An accepted value for the size of the prime p' is at least 160 (binary bits), i.e., p' > 2^160. (Also see our discussion in 10.4.8.1.)
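An added example (not the book's code) for the weak case and its remedy in this subsection: a smoothness check on p - 1, the Pohlig-Hellman reduction carried through for prime-power factors as well as the squarefree case described above, and construction of a generator of the order-p' subgroup, which assumes the standard construction g = h^((p-1)/p') (mod p) with g ≠ 1. The moduli 1009 and 23 are toy values constructed for illustration.

```python
"""Why arbitrary instances matter: a smooth p - 1 makes the DLP easy, and
working in a large prime-order subgroup avoids that weak case.

Added example, not code from the book.  Toy moduli (p = 1009 and p = 23) are
constructed for illustration; the trial-division factoring and the brute-force
digit search below only work because every prime factor of p - 1 is tiny.
"""


def factor(n):
    """Trial-division factorization as {prime: exponent}; fine for toy sizes."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def largest_prime_factor(n):
    return max(factor(n))


def is_smooth_prime(p, bound):
    """The weak case of 8.4.1: every prime factor of p - 1 is at most `bound`."""
    return largest_prime_factor(p - 1) <= bound


def primitive_root(p):
    """Smallest generator of Z_p^* (needs the factorization of p - 1)."""
    qs = factor(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in qs):
            return g
    raise ValueError("no generator found; is p prime?")


def crt(residues, moduli):
    """Chinese Remainder Theorem: x with x = r_i (mod n_i) for pairwise coprime n_i."""
    x, n = 0, 1
    for r, m in zip(residues, moduli):
        x += n * ((r - x) * pow(n, -1, m) % m)
        n *= m
    return x % n


def dlog_prime_power(g, h, p, q, e):
    """log_g h modulo q^e, by the digit-by-digit reduction of Pohlig-Hellman."""
    n = p - 1
    gamma = pow(g, n // q, p)               # element of order exactly q
    x = 0
    for k in range(e):
        # Strip the digits already known, then project into the order-q subgroup.
        hk = pow(h * pow(g, -x, p) % p, n // q ** (k + 1), p)
        digit = next(d for d in range(q) if pow(gamma, d, p) == hk)  # q is small
        x += digit * q ** k
    return x


def pohlig_hellman(g, h, p):
    """Recover a with h = g^a (mod p) for a generator g; fast only if p - 1 is smooth."""
    parts = [(dlog_prime_power(g, h, p, q, e), q ** e) for q, e in factor(p - 1).items()]
    return crt([r for r, _ in parts], [m for _, m in parts])


def subgroup_generator(p, p_prime):
    """Generator of the unique subgroup of order p_prime (a prime dividing p - 1).

    Assumed standard construction: g = h^((p-1)/p') (mod p) for some h with g != 1.
    """
    assert (p - 1) % p_prime == 0
    for h in range(2, p):
        g = pow(h, (p - 1) // p_prime, p)
        if g != 1:
            assert pow(g, p_prime, p) == 1   # g has order exactly p_prime
            return g
    raise ValueError("no element of order p_prime found")


if __name__ == "__main__":
    p = 1009                                 # p - 1 = 2^4 * 3^2 * 7 is smooth (constructed)
    g = primitive_root(p)
    a = 777
    print("smooth?", is_smooth_prime(p, 7), "recovered a =", pohlig_hellman(g, pow(g, a, p), p))
    print("generator of the order-11 subgroup mod 23:", subgroup_generator(23, 11))
```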
The DLP and the CDH problem are also believed to be intractable in a general finite abelian group of a large order, such as a large prime-order subgroup of a finite field, or a group of points on an elliptic curve defined over a finite field (for group construction: 5.5, and for the elliptic-curve discrete logarithm problem, ECDLP: 5.5.3). Thus, the Diffie-Hellman key exchange protocol will also work well in these groups.
There are several exponential-time algorithms which are very effective for extracting the discrete logarithm when the value to be extracted is known to be small. We have described Pollard's λ-method (3.6.1). Extracting small discrete logarithms has useful applications in many cryptographic protocols.
Research into the DLP is very active. Odlyzko provided a survey of the area which included an extensive literature on the topic [221].
8.5 The RSA Cryptosystem (Textbook Version)
The best known public-key cryptosystem is the RSA, named after its inventors Rivest, Shamir and Adleman [246]. The RSA is the first practical realization of public-key cryptography based on the notion of one-way trapdoor function which Diffie and Hellman envisioned [97, 98].
The RSA cryptosystem is specified in Alg 8.1. We notice that this is a textbook version for encryption in RSA.
We now show that the system specified in Alg 8.1 is indeed a cryptosystem, i.e., Alice's decryption procedure will actually return the same plaintext message that Bob has encrypted.
Algorithm 8.1: The RSA Cryptosystem
Key Setup
To set up a user's key material, user Alice performs the following steps:
1. choose two random prime numbers p and q such that |p| ≈ |q|; (* this can be done by applying a Monte-Carlo prime number finding algorithm, e.g., Alg 4.7 *)
2. compute N = pq;
3. compute φ(N) = (p - 1)(q - 1);
4. choose a random integer e < φ(N) such that gcd(e, φ(N)) = 1, and compute the integer d such that
(* since gcd(e, φ(N)) = 1, this congruence does have a solution for d which can be found by applying the Extended Euclid Algorithm (Alg 4.2). *)
5. publicize (N, e) as her public key, safely destroy p, q and φ(N), and keep d as her private key.
Encryption
To send a confidential message m < N to Alice, the sender Bob creates the ciphertext c as follows
(* viewed by Bob, the plaintext message space is the set of all positive numbers less
than N, although in fact the space is . *)
Decryption
To decrypt the ciphertext c, Alice computes
From the definition of the modulo operation (see Definition 4.4 in 4.3.2.5), the congruence ed ≡ 1 (mod φ(N)) in Alg 8.1 means
for some integer k. Therefore, the number returned from Alice's decryption procedure is
Equation 8.5.1
We should notice that for m < N, it is almost always the case that (the multiplicative group of integers relatively prime to N). In fact, the cases for are m = up or m = vq for some u < q or v < p. In such cases, Bob can factor N by computing gcd(m, N). Assuming that factoring is difficult (we will formulate the factorization problem and an assumption on its difficulty in a moment), we can assume that any message m < N prepared by Bob satisfies .
For , by Lagrange's Theorem (Corollary 5.2), we have
This is true for all . By the definition of the order of a group element (see Definition 5.9 in 5.2.2), this means that for all
Obviously, this further implies
for any integer k. Thus, the value in (8.5.1) is, indeed, m.
Example 8.2.
Let Alice set N = 7×13 = 91 and e = 5. Then φ(N) = 6×12 = 72. Applying Alg 4.2 (by inputting (a, b) = (72, 5)), Alice obtains:
that is, 5×29 ≡ 1 (mod 72). Therefore Alice has computed 29 to be her private decryption exponent. She publicizes (N, e) = (91, 5) as her public key material for the RSA cryptosystem.
Let Bob encrypt a plaintext m = 3. Bob performs encryption by computing
The resultant ciphertext message is 61.
To decrypt the ciphertext message 61, Alice computes
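Example 8.2 carried through in code, as an added example that is not code from the book. The extended Euclidean algorithm below stands in for the book's Alg 4.2 (an assumption about what Alg 4.2 computes: the inverse of e modulo (p − 1)(q − 1)); the function names are chosen here for illustration, and the numbers are the book's own (N = 7×13 = 91, e = 5, m = 3).

```python
# Added example (not from the book): textbook RSA key setup, encryption and
# decryption on the numbers of Example 8.2.  Extended Euclid plays the role
# of the book's Alg 4.2 (assumed to be the extended Euclidean algorithm).

def ext_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def rsa_keygen(p, q, e):
    """Textbook RSA key generation for two given primes and a public exponent.

    Returns ((N, e), d) with d = e^{-1} mod (p-1)(q-1).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    g, _, y = ext_gcd(phi, e)          # phi*x + e*y = 1, so y = e^{-1} (mod phi)
    if g != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = y % phi                        # bring the inverse into 0 .. phi-1
    return (n, e), d


def rsa_encrypt(pub, m):
    """c = m^e (mod N)."""
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(n, d, c):
    """m = c^d (mod N)."""
    return pow(c, d, n)


def example_8_2():
    """Alice's key (91, 5) with d = 29; Bob encrypts 3 to 61; Alice recovers 3."""
    pub, d = rsa_keygen(7, 13, 5)
    c = rsa_encrypt(pub, 3)
    m = rsa_decrypt(pub[0], d, c)
    return pub, d, c, m


if __name__ == "__main__":
    print(example_8_2())               # ((91, 5), 29, 61, 3)
```

Running `example_8_2()` reproduces the figures in the text: the extended Euclidean step yields 5×29 = 145 = 2×72 + 1, so d = 29; 3^5 = 243 = 2×91 + 61 gives the ciphertext 61; and 61^29 mod 91 returns the plaintext 3, which is the statement proved just above via Lagrange's Theorem.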

8.6 Cryptanalysis Against Public-key Cryptosystems
It makes sense to say "Cryptosystem X is secure against attack Y but is insecure against attack Z," that is, the security of a cryptosystem is defined by an attack. Active attacks have been modeled into three usual modes. These modes of active attacks will be used in the analysis of the cryptosystems to be introduced in the rest of this chapter. They are defined as follows.
Definition 8.3: Active Attacks on Cryptosystems
Chosen-plaintext attack (CPA) An attacker chooses plaintext messages and gets encryption assistance to obtain the corresponding ciphertext messages. The task for the attacker is to weaken the targeted cryptosystem using the obtained plaintext-ciphertext pairs.
Chosen-ciphertext attack (CCA) An attacker chooses ciphertext messages and gets decryption assistance to obtain the corresponding plaintext messages. The task for the attacker is to weaken the targeted cryptosystem using the obtained plaintext-ciphertext pairs. The attacker is successful if he can retrieve some secret plaintext information from a "target ciphertext" which is given to the attacker after the decryption assistance is stopped. That is, upon the attacker's receipt of the target ciphertext, the decryption assistance is no longer available.
Adaptive chosen-ciphertext attack (CCA2) This is a CCA where the decryption assistance for the targeted cryptosystem will be available forever, except for the target ciphertext.
We may imagine these attacks with the following scenarios:
In a CPA, an attacker has in its possession an encryption box.
In a CCA, an attacker is entitled to a conditional use of a decryption box: the box will be switched off before the target ciphertext is given to the attacker.
In a CCA2, an attacker has in its possession a decryption box for use as long as he wishes, before or after the target ciphertext is made available to the attacker, provided that he does not feed the target ciphertext to the decryption box. This single restriction on CCA2 is reasonable since otherwise there will be no difficult problem for the attacker to solve.
In all cases, the attacker should not have in its possession the respective cryptographic keys.
CPA and CCA were originally proposed as active cryptanalysis models against secret-key cryptosystems where the objective of an attacker is to weaken the targeted cryptosystem using the plaintext-ciphertext message pairs he obtains from the attacks (see e.g., 1.2 of [284]). They have been adopted for modeling active cryptanalysis on public-key cryptosystems. We should notice the following three points which are specific to public-key cryptosystems.
The encryption assistance of a public-key cryptosystem is always available to anybody since, given a public key, anyone has complete control of the encryption algorithm. In other words, CPA can always be mounted against a public-key cryptosystem. So, we can call an attack against a public-key cryptosystem CPA if the attack does not make use of any decryption assistance. Consequently and obviously, any public-key cryptosystem must resist CPA or else it is not a useful cryptosystem.

In general, the mathematics underlying most public-key cryptosystems has some nice properties of an algebraic structure underlying these cryptosystems, such as closure, associativity, and homomorphism, etc. (review Chapter 5 for these algebraic properties). An attacker may exploit these nice properties and make up a ciphertext via some clever calculations. If the attacker is assisted by a decryption service, then his clever calculations may enable him to obtain some plaintext information, or even the private key of the targeted cryptosystem, which otherwise should be computationally infeasible for him to obtain. Therefore, public-key cryptosystems are particularly vulnerable to CCA and CCA2. We will see that every public-key cryptosystem to be introduced in this chapter is vulnerable to CCA or CCA2. As a general principle, we have provided in Property 8.2(ii) the advice that the owner of a public key should always be careful not to allow oneself to provide any decryption assistance to anybody. This advice must be followed for every public-key cryptosystem introduced in this chapter. In Chapter 14 we will introduce stronger public-key cryptosystems. Such cryptosystems do not require users to keep in such an alert state all the time.
It seems that CCA is too restrictive. In applications a user under attack (i.e., one who is asked to provide decryption assistance) actually does not know of the attack. Therefore the user can never know when (s)he should begin to stop providing decryption assistance. We generally assume that normal users are too naive to know the existence of attackers, and hence decryption assistance should be generally available all the time. On the other hand, any public-key cryptosystem must be secure against CPA since an attacker can always help himself to perform encryption "assistance" on chosen plaintext messages. For these reasons, we will mainly consider techniques to counter CCA2.

8.7 The RSA Problem
Against CPA, the security of RSA lies in the difficulty of computing the e-th root of a ciphertext c modulo a composite integer N. This is the so-called RSA problem.
Definition 8.4: RSA Problem
INPUT N = pq with p, q prime numbers;
e: an integer such that gcd(e, (p − 1)(q − 1)) = 1;
.
OUTPUT the unique integer satisfying m^e ≡ c (mod N).
Just like all the other difficult problems underlying the security of public-key cryptosystems, it is also assumed that the RSA problem is only difficult under properly chosen parameters.
Assumption 8.3: RSA Assumption An RSA problem solver is a PPT algorithm such that with an advantage > 0:
where the input to is defined in Definition 8.4.
Let be an RSA instance generator that on input 1^k runs in time polynomial in k, and outputs (i) a 2k-bit modulus N = pq where p and q are two distinct uniformly random primes, each k bits long, (ii) .
We say that satisfies the RSA assumption if there exists no RSA problem solver for (1^k) with advantage > 0 non-negligible in k for all sufficiently large k.
Similar to our discussion in Remark 8.1(3) (in 8.4), we know that the holding of the RSA assumption implies the existence of a one-way function. Also related to our discussion in Remark 8.1(4), the one-way function implied by the RSA assumption is a trapdoor function: the prime factorization of the modulus enables an efficient inversion procedure.
We should notice that the probability space in this assumption includes the instance space, the plaintext message space and the space of the random operations of a randomized algorithm for solving the RSA problem.
We further notice that in the description of the RSA assumption, the (alleged) algorithm takes the encryption exponent e as part of its input. This precisely describes the target of the problem: breaking the RSA problem under a given encryption exponent. There is a different version of the RSA problem called the strong RSA problem ([85]); its target is: for some odd encryption

exponent e > 1, which may be the choice of the algorithm, solve the RSA problem under this e. Clearly, solving the strong RSA problem is easier than doing that for the RSA problem which is for a fixed encryption exponent. It is widely believed (assumed) that the strong RSA problem is still an intractable one. Therefore some encryption algorithms or protocols base their security on that intractability (strong RSA assumption).
It is clear that for public key (N, e), if m < N^{1/e} then encryption c = m^e (mod N) will take no modulo reduction, and hence m can be found efficiently by extracting the e-th root in integers. This is one of the reasons why the case e = 3 should be avoided. In the case of e = 3, if one message m is encrypted in three different moduli: c_i = m^3 (mod N_i) for i = 1, 2, 3, then because the moduli are pair-wise co-prime, the Chinese Remainder Algorithm (Alg 6.1) can be applied to construct C = m^3 (mod N_1 N_2 N_3). Now because m < (N_1 N_2 N_3)^{1/3}, the encryption exponentiation is actually the same as it is performed in the integer space. So decryption of C is to extract the 3rd root in integers and can be efficiently done (see hint in Ex. 8.8).
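The two small-exponent cases just described, carried out in code as an added example (this is not code from the book). Both rest on the same observation: when m^e is smaller than the modulus in which it is reduced, the "encryption" is an ordinary integer power and an integer root undoes it. The three moduli, the plaintexts and the function names (`crt`, `iroot`, `recover_broadcast`) are constructed here for illustration; the moduli are tiny toy values, not real keys.

```python
# Added example (not from the book): the m < N^{1/e} case and the e = 3,
# three-moduli case from the text.  CRT combines the three ciphertexts into
# C = m^3 mod N1*N2*N3, and since m^3 < N1*N2*N3 that residue IS m^3 as an
# integer, so an exact integer cube root recovers m.
from math import gcd


def crt(residues, moduli):
    """Chinese Remainder Algorithm: the x in [0, prod(moduli)) with
    x = r_i (mod N_i) for every i (moduli assumed pairwise coprime)."""
    M = 1
    for n in moduli:
        M *= n
    x = 0
    for r, n in zip(residues, moduli):
        Mi = M // n
        x += r * Mi * pow(Mi, -1, n)      # Mi^{-1} mod n exists: gcd(Mi, n) = 1
    return x % M


def iroot(x, k):
    """Exact integer k-th root of x >= 0, or None if x is not a perfect k-th power."""
    lo, hi = 0, 1
    while hi ** k <= x:                   # find hi with hi^k > x
        hi *= 2
    while lo < hi:                        # smallest lo with lo^k >= x
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None


def recover_broadcast(ciphertexts, moduli, e=3):
    """Same m sent to e recipients with public exponent e and pairwise coprime
    moduli: recover m without any private key."""
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            assert gcd(a, b) == 1, "CRT needs pairwise coprime moduli"
    C = crt(ciphertexts, moduli)          # C = m^e as an integer, no wrap-around
    return iroot(C, e)


def demo():
    """Constructed toy instance.  Primes are = 2 (mod 3) so e = 3 is a valid
    RSA exponent for each modulus."""
    n1, n2, n3 = 101 * 107, 113 * 131, 137 * 149       # 10807, 14803, 20413
    # (a) single modulus, m^3 < N: no reduction happens, so a cube root suffices
    m_small = 20
    c_small = pow(m_small, 3, n1)                      # 8000 < 10807
    recovered_small = iroot(c_small, 3)
    # (b) one message to three recipients, m < (N1 N2 N3)^{1/3}
    m = 4242
    cs = [pow(m, 3, n) for n in (n1, n2, n3)]           # each one IS reduced mod N_i
    recovered = recover_broadcast(cs, [n1, n2, n3])
    return recovered_small, recovered


if __name__ == "__main__":
    print(demo())                                       # (20, 4242)
```

Case (b) is the one that matters in practice: each individual c_i has been reduced modulo N_i and looks like an ordinary ciphertext, yet their CRT combination is the unreduced integer m^3. Nothing in the attack needs e to be exactly 3; it needs only e ciphertexts of the same unpadded message, which is why the text's recommendation is to avoid very small e rather than to avoid 3 specifically.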
Coppersmith [82] further extends this trivial case to a non-trivial one: for m' = m + t where m is known and t is unknown but t < N^{1/e}, given c = m'^e (mod N), t can be extracted efficiently. Because in applications partially known plaintext is not uncommon (we will see a case in Chapter 15), it is now widely agreed that RSA encryption should avoid using very small encryption exponents. A widely accepted encryption exponent is e = 2^16 + 1 = 65537, which is also a prime number. This exponent makes encryption sufficiently efficient while refuting a small exponent attack.
RSA is also CPA insecure if the decryption exponent d is small. Wiener discovers a method based on the continued fraction expansion of e/N to find d if d < N^{1/4} [298]. This result has been improved to d < N^{0.292} [50].

8.8 The Integer Factorization Problem
The difficulty of the RSA problem depends, in turn, on the difficulty of the integer factorization problem.
Definition 8.5: Integer Factorization Problem (IF Problem)
INPUT N: odd composite integer with at least two distinct prime factors.
OUTPUT prime p such that p | N.
Again, it is assumed that the IF problem is difficult only under properly chosen parameters.
Assumption 8.4: Integer Factorization Assumption (IF Assumption) An integer factorizer is a PPT algorithm such that with an advantage > 0:
where the input to is defined in Definition 8.5.
Let be an integer instance generator that on input 1^k runs in time polynomial in k, and outputs a 2k-bit modulus N = pq where p and q are each a k-bit uniformly random odd prime.
We say that satisfies the integer factorization (IF) assumption if there exists no integer factorizer for (1^k) with advantage > 0 non-negligible in k for all sufficiently large k.
Obviously, an algorithm which solves the IF problem will solve the RSA problem since Alice decrypts an RSA ciphertext exactly by first computing d ≡ e^{−1} (mod (p − 1)(q − 1)), i.e., from the knowledge of the factorization of N. Similar to the relation between the CDH problem and the DL problem, the converse is also an open question: Can the IF assumption be true if the RSA assumption is false?
Similar to the situation of a smooth prime making a weak case DL problem, a smooth prime factor of N will also make a weak case IF problem. One such weak case is shown by Pollard using an efficient factorization algorithm known as Pollard's p − 1 algorithm [237]. The idea behind Pollard's p − 1 algorithm can be described as follows. Let p be a prime factor of N where the largest prime factor of p − 1 is bounded by B = Poly(k) where k = |N| and Poly(k) is a polynomial in k (B is called "the smoothness bound of p − 1"). We can construct
By this construction, p − 1 | A, and so a^A ≡ 1 (mod p) for any a with gcd(a, p) = 1 due to Fermat's Little Theorem (Theorem 6.10). If a^A ≢ 1 (mod q) for some other prime factor q of N

(this is easily satisfiable), then a^A − 1 (mod N) = lp for some integer l which is not a multiple of q. Thus, gcd(a^A − 1 (mod N), N) must be a proper prime factor of N, and it must be p if N = pq.
It remains to show that the size of A is a polynomial in k, and so computing a^A (mod N) takes time polynomial in k.
By the prime number theorem (see e.g., page 28 of [170]), there are no more than B/log B prime numbers less than B. So we have
that is,
Clearly, the right-hand side is a polynomial in k. Thus, a^A (mod N) can be computed in a number of multiplications modulo N (using Alg 4.3) where the number is a polynomial in k. Notice that the explicit construction of A is unnecessary; a^A (mod N) can be computed by computing a^{r^[log N / log r]} (mod N) for all primes r < B.
It is very easy to construct an RSA modulus N = pq such that the smoothness bound of p − 1 and that of q − 1 are non-polynomially (in |N|) small, and so the modulus would resist this factoring method. One may start by finding a large prime p' such that p = 2p' + 1 is also a prime; and a large prime q' such that q = 2q' + 1 is also prime. A prime of this format is called a safe prime and an RSA modulus with two safe prime factors is called a safe-prime RSA modulus. There is a debate on the need of using a safe-prime RSA modulus for the RSA cryptosystems. The point against the use (see e.g., [273]) is that an RSA modulus should be as random as possible, and that for a randomly chosen prime p, the probability that p − 1 has a large prime factor is overwhelming. However, many cryptographic protocols based on the IF problem do require using safe-prime RSA moduli in order to achieve the correctness of the effects served by the protocols.
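Pollard's p − 1 method exactly as the text describes it (raise a to r^[log N / log r] for every prime r < B, then take gcd(a^A − 1, N)), together with the safe-prime test the text recommends, as an added example that is not code from the book. The two toy moduli, the smoothness bounds and the function names (`pollard_p_minus_1`, `is_safe_prime`) are constructed here for illustration; the moduli are far too small to mean anything beyond showing the mechanism.

```python
# Added example (not from the book): Pollard's p-1 factoring method and the
# safe-prime check that defeats it.  Both moduli below are constructed toys:
#   N  = 2311 * 2027  where 2311 - 1 = 2*3*5*7*11 is 11-smooth (weak),
#   N' = 2027 * 2879  where both are safe primes (2027 = 2*1013+1, 2879 = 2*1439+1).
from math import gcd, isqrt


def primes_below(bound):
    """All primes r < bound by a plain sieve."""
    if bound < 3:
        return []
    flags = [True] * bound
    flags[0] = flags[1] = False
    for i in range(2, isqrt(bound - 1) + 1):
        if flags[i]:
            for j in range(i * i, bound, i):
                flags[j] = False
    return [i for i in range(bound) if flags[i]]


def pollard_p_minus_1(N, B, a=2):
    """Return a nontrivial factor of N if some prime p | N has p-1 B-smooth
    (and a^A != 1 mod the other factor), else None.

    A is never built explicitly: x = a^A mod N is accumulated prime by prime,
    using r^k with k = [log N / log r], the largest power of r not exceeding N.
    """
    x = a % N
    for r in primes_below(B):
        rk = r
        while rk * r <= N:
            rk *= r
        x = pow(x, rk, N)                 # x <- x^{r^k}  (mod N)
    g = gcd(x - 1, N)                     # p divides x-1 by Fermat; q hopefully not
    return g if 1 < g < N else None


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def is_safe_prime(p):
    """p is prime and p = 2p' + 1 with p' prime, so p-1 has the large factor p'."""
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)


if __name__ == "__main__":
    print(pollard_p_minus_1(2311 * 2027, 12))     # 2311: factor with smooth p-1 found
    print(pollard_p_minus_1(2027 * 2879, 12))     # None: both p-1 have a prime > B
    print(is_safe_prime(2027), is_safe_prime(2311))  # True False
```

With B = 12 the bound covers every prime in 2311 − 1, so 2^A ≡ 1 (mod 2311) while the order of 2 modulo 2027 (a divisor of 2·1013) does not divide A, and the gcd isolates 2311. The safe-prime modulus survives the same bound; it gives way only when B is pushed past p' = 1013 (`pollard_p_minus_1(2027 * 2879, 1014)` returns 2027), which for real-sized p' is exactly the "non-polynomially small" smoothness bound the text asks for.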
It is also well-known that partial information of a prime factor of N can produce efficient algorithms to factor N. For instance, for N = pq with p and q primes of roughly equal size, knowledge of up to half the bits of p will suffice to factor N in polynomial time in the size of N, see e.g., [82].
If not using any a priori information about the prime factors of the input composite, then the current best factorization algorithm is the number field sieve (NFS) method which has the time complexity expressed in (4.6.1). Thus, similar to the setting of the security parameter for the DLP in finite fields, 1024 is the widely agreed lower bound setting for the size of an RSA modulus in order to achieve a high confidence in security.
Recently, the number field sieve method demonstrated an effectiveness of massive parallelization: in early 2000, a coalition of 9,000 workstations worldwide ran a parallel algorithm and factored a 512-bit RSA modulus (the RSA-512 Challenge) after more than four months of running the parallel algorithm [70].
Research into integer factorization is very active and it is impossible to rule out a decisive advance. Boneh provided a survey on the RSA problem [48]. Discussions on the progress in the area of the IF problem with a literature review can be found in Chapter 3 of [198].

8.9 Insecurity of the Textbook RSA Encryption
We have labeled the RSA encryption algorithm in Alg 8.1 a textbook version because that version is what the RSA encryption algorithm is in most textbooks on cryptography. Now let us look at the security (or insecurity) properties of the textbook RSA encryption algorithm.
For a random key instance and a random message instance, by Definition 8.5 and Assumption 8.3, the existence of an efficient CPA against the RSA cryptosystem means the RSA assumption must be false. Therefore we have
Theorem 8.1
The RSA cryptosystem is "all-or-nothing" secure against CPA if and only if the RSA assumption holds.
Here, the meaning of "all-or-nothing" secure is explained in Property 8.2(i); while CPA means the attacker remains passive as stipulated in Property 8.2(ii).
However, confidentiality of this quality is actually not a very useful one for reasons we now explain.
First, let us consider "all-or-nothing" security. Notice that "all" here means to find the whole block of plaintext message in the general case: the message has the size of the modulus. This needn't be the case in applications. In real-world applications, a plaintext typically contains some non-secret partial information which is known to an attacker. The textbook RSA does not hide some partial information about a plaintext. For example, if a plaintext is known to be a number less than 1,000,000 (e.g., a secret bid or a salary figure), then given a ciphertext, an attacker can pinpoint the plaintext in less than 1,000,000 trial-and-error encryptions.
In general, for a plaintext m (< N), with a non-negligible probability, only number of trials are needed to pinpoint m if size of memory is available. This is due to a clever observation made by Boneh, Joux and Nguyen [52] which exploits the fact that factorization of a small plaintext message is not a hard problem and the multiplicative property of the RSA function. The multiplicative property of the RSA function is as follows
Equation 8.9.1
That is, factorization of a plaintext implies that of the corresponding ciphertext. It is normally a hard problem to factor an RSA ciphertext since the mix-transformation property of the encryption function will almost always cause a ciphertext to have the size of the modulus. However, the multiplicative property indicates that if a plaintext is easy to factor, then so is the corresponding ciphertext. The ease of factoring the latter leads to a "meet-in-the-middle" attack. This is explained in the following example.

Example 8.3.
Let c = m^e (mod N) such that Malice knows that m is small, i.e., bounded by a known power of 2. With non-negligible probability m is a composite number satisfying
Equation 8.9.2
With RSA's multiplicative property, we have
Equation 8.9.3
Malice can build a sorted database of the values j^e (mod N) for successive small values of j. Then he can search through the sorted database trying to find c/i^e (mod N) (for successive values of i) in the database. Because of (8.9.2) and (8.9.3), a finding will show up within the same number of steps of computing i^e (mod N). Now that Malice knows the plaintexts i, j, he uncovers m = ij.
Let's measure Malice's cost. The database has a space cost of log N bits per entry. For time cost: creating the elements in the database, sorting the database, and finally searching through the sorted database to find j^e (mod N) all contribute; this final part comprises the time for modular exponentiation plus that for binary search (using Alg 4.4). If the space for the database is affordable, then the total time cost measured in bit-complexity is significantly less than that of exhaustive search over all plaintexts below the bound. This attack achieves a square-root level reduction in time complexity.
For cases of a plaintext message having sizes ranging from 40–64 bits, the probabilities that the plaintext can be factored into two similar-size integers range from 18%–50% (see Table 1 of [52]).

Example 8.4. A Real-life Instantiation of Attack 8.3
Now imagine a scenario of using a 1024-bit RSA key to encrypt a DES key of 56 bits in the textbook style. For a random DES key, the discovery of the key can be done with a non-negligible probability (of factoring the DES key into two integers of 28 bits), using 2^28 × 1024 = 2^38 bits of storage (= 32 gigabytes) and computing 2^29 modular exponentiations. Both the space and time costs can be realistically handled by a good personal computer, while directly searching for the DES key from the encryption requires computing 2^56 modular exponentiations, which can be quite prohibitive even using a dedicated device.
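As an added example (not code from the book), the following Python implements the attack of Examples 8.3 and 8.4 against a constructed toy RSA key: the modulus is the product of the Mersenne primes 2^31 − 1 and 2^61 − 1 (an insecure 92-bit key chosen only so the block runs instantly; the parameter k, the table bound 2^k, and the function names are this example's own). It recovers a plaintext m = i·j with i, j ≤ 2^k from c = m^e (mod N) using 2^k table entries and at most 2·2^k modular exponentiations, and reports failure for a plaintext that has no such split.

```python
# Constructed toy RSA public key (NOT secure): the primes are the known
# Mersenne primes 2^31-1 and 2^61-1, chosen only so that the demonstration
# runs in a fraction of a second. The attack uses nothing but (N, e).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537


def rsa_encrypt(m, e=E, n=N):
    """Textbook RSA encryption: c = m^e mod N, no padding, no randomness."""
    return pow(m, e, n)


def meet_in_the_middle(c, k, e=E, n=N):
    """Meet-in-the-middle attack on textbook RSA for small plaintexts.

    Assumes the unknown m splits as m = i*j with 1 <= i, j <= 2^k (the
    hypothetical bound k is this example's parameter).  Phase 1 builds the
    table of i^e mod N (the "sorted database" of Example 8.3); phase 2 tests,
    for each j, whether c / j^e mod N is in the table.  A hit gives m = i*j,
    because (i*j)^e = i^e * j^e mod N.  Returns (m, modexp_count), or
    (None, modexp_count) when m has no such split.
    """
    modexps = 0
    table = {}
    for i in range(1, 2**k + 1):            # phase 1: 2^k exponentiations
        table[pow(i, e, n)] = i             # RSA is a permutation: no collisions
        modexps += 1
    for j in range(1, 2**k + 1):            # phase 2: at most 2^k more
        j_e = pow(j, e, n)
        modexps += 1
        # j < P < N, so j^e is invertible mod N; c * (j^e)^-1 == i^e iff m == i*j
        target = c * pow(j_e, -1, n) % n
        if target in table:
            return table[target] * j, modexps
    return None, modexps


if __name__ == "__main__":
    # Constructed sample: a 19-bit plaintext that splits into two 10-bit factors.
    m = 517 * 931                            # = 481327 < 2^20
    c = rsa_encrypt(m)
    found, cost = meet_in_the_middle(c, k=10)
    print(f"recovered m = {found} (expected {m}) with {cost} modexps "
          f"instead of up to {2**20} for exhaustive search")
    # A prime plaintext has no split i*j with both factors <= 2^10: attack fails.
    print("prime plaintext 1000003 ->", meet_in_the_middle(rsa_encrypt(1000003), k=10)[0])
```

With k = 28 the table has 2^28 entries, which is the 32-gigabyte, 2^29-exponentiation figure of Example 8.4; at k = 10 the whole run takes a fraction of a second. The attack uses only the public key, so a longer modulus does not help: the defence is randomized padding (Chapter 15), not a larger N.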
Now we know that we must not use the textbook RSA to encrypt a short key or a password which is less than 2^64. What happens if in an application we have to perform RSA encryption of small numbers, even a message as small as a single bit? We suggest that the reader should use the encryption methods (including an RSA-based scheme) to be introduced in Chapter 15.
The next example further shows the inadequacy of the CPA security of the textbook RSA: against an active attack, the textbook RSA fails more miserably.
Example 8.5.
Let Malice be in conditional control of Alice's RSA decryption box. The condition is quite "reasonable": if the decryption result of a ciphertext submitted by Malice is not meaningful (looks random), then Alice should return the plaintext to Malice. We say that this condition is "reasonable" for the following two reasons:
i. "A random response for a random challenge" is quite a standard mode of operation in many cryptographic protocols, and hence a user should follow such a "challenge-response" instruction. Indeed, cryptographic protocols have often been designed to allow this kind of conditional control of a decryption box by a protocol participant. For example, the Needham-Schroeder public-key authentication protocol (see Prot 2.5) has exactly such a feature: Alice is instructed to decrypt a ciphertext from Bob.
ii. Anyway, we would like to hope that a random-looking decryption result should not provide an attacker with any useful information.
Now suppose Malice wants to know the plaintext of a ciphertext c ≡ m^e (mod N) which he has eavesdropped or intercepted from a previous confidential communication between Alice and someone else (not with him!). He picks a random number r, computes c' = r^e c (mod N) and sends his chosen ciphertext c' to Alice. The decryption result by Alice will be rm (mod N), which can be completely random for Alice since multiplication by r is a permutation over the plaintext space. So Alice returns the decryption result rm back to Malice. Alas, Malice has r and thereby can obtain m with a division modulo N.
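The chosen-ciphertext attack of Example 8.5 in Python, added here as an illustration (not from the book). The key is a constructed toy RSA pair built from the Mersenne primes 2^31 − 1 and 2^61 − 1 and is not secure; `alice_decryption_box` plays the role of Alice following the "random response for a random challenge" instruction, and the remaining names are this example's own.

```python
import secrets

# Constructed toy RSA key pair (Mersenne primes 2^31-1 and 2^61-1; NOT secure,
# only small enough to run instantly).  Only Alice's decryption box uses d.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_encrypt(m):
    """Textbook RSA: c = m^e mod N."""
    return pow(m, E, N)


def alice_decryption_box(c):
    """Alice under the condition of Example 8.5: she decrypts whatever she is
    given and, since the result looks random, hands it back."""
    return pow(c, D, N)


def blind(c, r):
    """Malice's chosen ciphertext c' = r^e * c mod N.  Because
    (r^e * c)^d = r * m mod N, Alice's answer is r*m, which looks random."""
    return pow(r, E, N) * c % N


def unblind(rm, r):
    """Malice divides the returned r*m by r modulo N (one modular inverse)."""
    return rm * pow(r, -1, N) % N


def blinding_attack(c, decryption_box, r=None):
    """Full attack against an eavesdropped ciphertext c of an unknown m.
    r is the random blinding factor; it is coprime to N with overwhelming
    probability for a random choice below N."""
    if r is None:
        r = secrets.randbelow(N - 2) + 2       # r in [2, N-1]
    c_prime = blind(c, r)
    assert c_prime != c                        # Alice never sees the original c
    return unblind(decryption_box(c_prime), r)


if __name__ == "__main__":
    # Constructed sample: a message Alice received earlier from someone else.
    m = 0xDEADBEEFCAFE
    c = rsa_encrypt(m)
    print("recovered:", hex(blinding_attack(c, alice_decryption_box)))
```

Nothing in the exchange lets Alice tell c' from a fresh, legitimate ciphertext: textbook RSA ciphertexts carry no integrity or format check, which is exactly what the padding schemes of Chapter 15 add.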
Examples 8.3–8.5 show that the textbook RSA is too weak to be fit for real-world applications. A systematic fix for these weaknesses is necessary. We will conduct the fix work in two steps:

in Chapter 14 we will strengthen security notions for public-key encryption schemes into fit-for-application ones;
in Chapter 15 we will study a fit-for-application version of the RSA encryption which is also a standard for encryption in RSA; we will show formal evidence of its security under the strong and fit-for-application security notion.

8.10 The Rabin Cryptosystem (Textbook Version)
Rabin developed a public-key cryptosystem based on the difficulty of computing a square root modulo a composite integer [240]. Rabin's work has a theoretic importance; it provided the first provable security for public-key cryptosystems: the security of the Rabin cryptosystem is exactly the intractability of the IF problem. (Recall our discussion for the case of the RSA: it is not known if the RSA problem is equivalent to the IF problem.) The encryption algorithm in the Rabin cryptosystem is also extremely efficient and hence is very suitable in certain applications such as encryption performed by hand-held devices.
Algorithm 8.2: The Rabin Cryptosystem
Key Setup
To set up a user's key material, user Alice performs the following steps:
1. choose two random prime numbers p and q such that |p| = |q| (* same as generating an RSA modulus in Alg 8.1 *)
2. compute N = pq;
3. pick a random integer b < N;
4. publicize (N, b) as her public key material, and keep (p, q) as her private key.
Encryption
To send a confidential message m < N to Alice, the sender Bob creates ciphertext c as follows:
c = m(m + b) (mod N).
Decryption
To decrypt the ciphertext c, Alice solves the quadratic equation m(m + b) ≡ c (mod N) for m < N.
The Rabin cryptosystem is specified in Alg 8.2. We notice that this is a textbook version for

encryption in Rabin.
We now show that the system specified in Alg 8.2 is indeed a cryptosystem, i.e., Alice's decryption procedure will actually return the same plaintext message that Bob has encrypted. We know from elementary mathematics that the general solution to this equation can be written as
Equation 8.10.1
where
Equation 8.10.2
Since c is formed from m, of course the quadratic equation has solutions modulo N, and these solutions include the m sent from Bob. This implies that c' must be a quadratic residue modulo N, i.e., an element in QR_N.
The decryption computation involves computing square roots modulo N. From our study of the square-rooting problem in §6.6.2 we know that the difficulty of this problem is computationally equivalent to that of factoring N (Corollary 6.3). Therefore, the only person who can compute (8.10.1) is Alice, since only she knows the factorization of N. Alice can compute the square roots using Alg 6.5. From §6.6.2 we also know that for each ciphertext c sent by Bob there are four distinct square roots, and hence there are four different decryption results. We assume that, in applications, a plaintext message should contain redundant information to allow Alice to recognize the correct plaintext from the four decryption results. We will provide in §10.4.3 the meaning of "recognizable redundancy" and a common method for a message to be formatted to contain recognizable redundancy.
We notice that if N is a so-called Blum integer, that is, N = pq with p ≡ q ≡ 3 (mod 4), then it is easier to compute square roots modulo N (by computing square roots modulo p and q using Alg 6.3, Case p ≡ 3, 7 (mod 8), and then constructing the square roots by applying the Chinese Remainder Theorem). Therefore, in practice, the public modulus in the Rabin cryptosystem is set to be a Blum integer.
The Rabin encryption algorithm only involves one multiplication and one addition and hence is much faster than the RSA encryption.

Example 8.6.
Let Alice set N = 11 × 19 = 209 and b = 183. She publicizes (N, b) = (209, 183) as her public key material for the Rabin cryptosystem.
Let Bob encrypt a plaintext message m = 31. Bob performs Rabin encryption: c = 31 × (31 + 183) (mod 209). The resultant ciphertext is 155.
To decrypt the ciphertext 155, Alice first computes c' using (8.10.2) and obtains c' = 42. Now applying Alg 6.5, Alice finds that the four square roots of 42 modulo 209 are 135, 173, 36, 74. Finally, she can apply equation (8.10.1) and obtains the four decryption results: 185, 204, 31, 50. In real applications of the Rabin cryptosystem, the plaintext should contain additional information for the receiver to pinpoint the correct decryption result.

8.11 Insecurity of the Textbook Rabin Encryption
We have a more devastating active attack against the textbook Rabin. The following theorem manifests this attack in a "provable" way.
Theorem 8.2
I. The Rabin cryptosystem is provably "all-or-nothing" secure against CPA if and only if the IF problem is hard.
II. The Rabin cryptosystem is completely insecure if it is attacked under CCA.
Proof (I) Because the specified decryption procedure of the Rabin cryptosystem uses the factorization of an RSA modulus, the security of the Rabin encryption therefore implies the intractability of factoring RSA moduli. Thus for (I), we only need to prove the statement for the other direction: the intractability of the IF problem implies the security of the Rabin cryptosystem.
Suppose that there exists an oracle O which breaks the Rabin cryptosystem with a non-negligible advantage. We choose a random message m, compute c = m(m + b) (mod N) and call O(c, N), which will return a decryption result (mod N) with that advantage, the result corresponding to any one of the four square roots of c'. By Theorem 6.17 (in §6.6.2) we know that with probability 1/2 the returned result is not one of the two results trivially related to m; but because it satisfies the same quadratic equation as m, as shown in Theorem 6.17,
Equation 8.11.1

That is, N can be factored with half of that non-negligible advantage. This contradicts the assumed intractability of factoring RSA moduli (the IF assumption). We have thus shown (I).
Statement (II) holds trivially true if an attacker can obtain decryption assistance: the decryption assistance plays exactly the role of the oracle used in the proof of statement (I)! Since the attacker will generate (choose) ciphertexts for the decryption oracle to decrypt, such an attack is a CCA.
Theorem 8.2 tells us two opposite things. First, the Rabin cryptosystem is provably secure, in the "all-or-nothing" sense of Property 8.2(i), with respect to the difficulty of factorization (N.B. provided the plaintext itself is "all-or-nothing" secret, i.e., does not have known a priori information). This is a strong and desirable result because it relates the (textbook) security of the Rabin encryption scheme to a reputably hard problem. If the IF problem is indeed intractable, then the alleged oracle O in the proof of (I) should not exist. However, we should pay particular attention to the modifier "all-or-nothing" for the CPA security property. Here "all" means to find the whole block of plaintext message in the general case: the message has the size of the modulus. Clearly, due to the fact that the Rabin encryption is deterministic, finding some special messages, such as short ones, needn't be as hard as factorization. We will come back to this point when we discuss the meet-in-the-middle attack on the Rabin scheme at the end of this section.
Secondly, it is now clear that, in the Rabin cryptosystem, one should never allow oneself to be used as a decryption oracle. CCA is devastating against the Rabin cryptosystem: the consequence of such an attack is not merely finding some plaintext information (as in the case of CCA2 against the RSA cryptosystem as illustrated in Example 8.5), it is the discovery of the private key of the key owner, and hence the attacker will be able to read all confidential messages encrypted under the targeted public key.
Example 8.7.
In Example 8.6 for the Rabin cryptosystem we have seen that for public key material (N, b) = (209, 183), the four decryption results of the ciphertext 155 are 185, 204, 31, 50.
If these numbers are made available to a non-owner of the public key, e.g., via a CCA, they can be used to factor the modulus 209. For example, applying (8.11.1) to the pair 185, 204 yields the factor 19, and applying it to the pair 185, 31 yields the factor 11.
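Added example, not the book's code: a Python implementation of Alg 8.2 that reproduces the numbers of Example 8.6 (N = 209, b = 183, m = 31, c = 155, the four square roots of 42, and the decryption results 185, 204, 31, 50) and then mounts the chosen-ciphertext attack of Theorem 8.2(II) and Example 8.7 against a decryption box that returns one of the four candidates. Square roots are computed the Blum-integer way described in §8.10 (roots modulo p and q, combined by the Chinese Remainder Theorem); the function names and the seeded random generator are this example's own.

```python
import math
import random


def sqrt_mod_blum_prime(a, p):
    """Square root of a quadratic residue a modulo a prime p = 3 (mod 4):
    r = a^((p+1)/4) mod p, the easy case that makes Blum moduli attractive."""
    assert p % 4 == 3, "this shortcut needs p = 3 (mod 4)"
    r = pow(a, (p + 1) // 4, p)
    assert r * r % p == a % p, "a is not a quadratic residue modulo p"
    return r


def sqrt_mod_blum_integer(a, p, q):
    """All four square roots of a modulo N = pq, built from the roots modulo
    p and q with the Chinese Remainder Theorem.  Returned sorted."""
    n = p * q
    rp, rq = sqrt_mod_blum_prime(a, p), sqrt_mod_blum_prime(a, q)
    ep = q * pow(q, -1, p)      # 1 mod p, 0 mod q
    eq = p * pow(p, -1, q)      # 0 mod p, 1 mod q
    return sorted({(sp * rp * ep + sq * rq * eq) % n
                   for sp in (1, -1) for sq in (1, -1)})


def rabin_encrypt(m, n, b):
    """Alg 8.2 encryption: c = m(m + b) mod N (one multiplication, one addition)."""
    return m * (m + b) % n


def rabin_decrypt(c, p, q, b):
    """Alg 8.2 decryption: solve m^2 + b*m - c = 0 (mod N) by the quadratic
    formula m = (r - b) / 2, with r over the four roots of b^2 + 4c."""
    n = p * q
    disc = (b * b + 4 * c) % n
    half = pow(2, -1, n)
    return sorted((r - b) * half % n for r in sqrt_mod_blum_integer(disc, p, q))


def factor_from_two_decryptions(m1, m2, n):
    """If m1 and m2 both decrypt the same c, m1 != m2 and m1 + m2 + b != 0 mod N,
    then gcd(m1 - m2, N) is a prime factor of N (Theorem 8.2, (8.11.1)).
    Returns the factor, or None for a trivially related pair."""
    g = math.gcd(m1 - m2, n)
    return g if 1 < g < n else None


def make_alice_decryption_box(p, q, b, rng):
    """Alice's textbook decryption box: with no recognizable redundancy she
    cannot tell which candidate is right, so she returns one of the four."""
    return lambda c: rng.choice(rabin_decrypt(c, p, q, b))


def cca_factor(n, b, decryption_box, rng):
    """Theorem 8.2(II): choose m, submit c = m(m+b); with probability 1/2 the
    returned candidate m' is neither m nor -b-m, and gcd(m - m', N) splits N.
    Loops (expected two queries) until that happens."""
    while True:
        m = rng.randrange(2, n)
        m_prime = decryption_box(rabin_encrypt(m, n, b))
        g = factor_from_two_decryptions(m, m_prime, n)
        if g is not None:
            return tuple(sorted((g, n // g)))


def demo_cca(seed=2003):
    """Run the CCA of Example 8.7 against Example 8.6's key (N, b) = (209, 183)."""
    rng = random.Random(seed)
    box = make_alice_decryption_box(11, 19, 183, rng)
    return cca_factor(209, 183, box, rng)


if __name__ == "__main__":
    print("c =", rabin_encrypt(31, 209, 183))                   # 155
    print("roots of 42:", sqrt_mod_blum_integer(42, 11, 19))     # 36 74 135 173
    print("decryptions:", rabin_decrypt(155, 11, 19, 183))       # 31 50 185 204
    print("gcd(185-204, 209) =", factor_from_two_decryptions(185, 204, 209))
    print("CCA recovers (p, q) =", demo_cca())
```

The attacker never needs the "correct" plaintext: any candidate other than m or −b−m factors N outright, which is why adding recognizable redundancy alone (so Alice returns only one candidate) does not remove the need for the Chapter 15 treatment.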
Although we have warned that a public key owner of the Rabin encryption scheme should never

provide a decryption service, it is unrealistic for a user to keep this high degree of vigilance in real-world applications. Therefore, the textbook Rabin encryption scheme is not a fit-for-application one. In Chapter 15 we shall introduce a fit-for-application method for encrypting in Rabin (and in RSA). There we will also provide a formal argument on the fit-for-application security of those encryption schemes.
We should also notice that since the modulus of the Rabin cryptosystem is the same as that of the RSA cryptosystem, the cautionary measures that we have discussed for the proper choice of the RSA modulus apply to the Rabin modulus.
Finally, the meet-in-the-middle attack also applies to the following variation of the textbook Rabin encryption scheme:
Encryption: c = m^2 (mod N).
Decryption: computing a square root of c modulo N.
Similar to the case of the textbook RSA encryption, the ease of factoring a small plaintext message and the multiplicative property (explained in §8.9) of this Rabin encryption scheme enable a meet-in-the-middle attack as we have shown in Example 8.3 for the textbook RSA case.

8.12 The ElGamal Cryptosystem (Textbook Version)
ElGamal worked out an ingenious public-key cryptosystem [102]. The cryptosystem is a successful application of the Diffie-Hellman one-way trapdoor function which turns the function into a public-key encryption scheme. ElGamal's work inspired great interest in both research and applications which has remained high to this day. We will see two further developments of this cryptosystem in Chapter 13 (an identity-based ElGamal encryption scheme) and in Chapter 15 (a variation with a strong provable security).
One reason for the great momentum following up ElGamal's work is its enabling of the use of a widely believed reliable intractability for underlying the security of public-key cryptosystems: the CDH problem, which is widely believed to be as hard as the DL problem, and the latter is considered to be a good alternative to the other widely accepted reliable intractability: the IF problem (the basis for the RSA and Rabin).
The ElGamal cryptosystem is specified in Alg 8.3. We notice that this is a textbook version for encryption in ElGamal.
We now show that the system specified in Alg 8.3 is indeed a cryptosystem, i.e., Alice's decryption procedure will actually return the same plaintext message that Bob has encrypted. Since the sender's and the receiver's exponentiations commute, the decryption calculation (8.12.2) does indeed restore the plaintext m.
The division in the decryption step (8.12.2) needs to use the extended Euclid algorithm (Alg 4.2), which is generally more costly than a multiplication. However, Alice may avoid the division by computing the decryption as a multiplication with a modified exponent.
One may verify that this decryption method works, but notice that the exponent x here means p − 1 − x.

Algorithm 8.3: The ElGamal Cryptosystem
Key Setup
To set up a user's key material, user Alice performs the following steps:
1. choose a random prime number p;
2. compute a random multiplicative generator element g of ;
3. pick a random number as her private key;
4. compute her public key by
5. publicize (p, g, y) as her public key, and keep x as her private key.
(* similar to the case of the Diffie-Hellman key exchange protocol, system-wide users may share the common public parameters (p, g). *)
Encryption
To send a confidential message m < p to Alice, the sender Bob picks and computes the ciphertext pair (c_1, c_2) as follows:
Equation 8.12.1
Decryption
To decrypt ciphertext (c_1, c_2), Alice computes
Equation 8.12.2

Example 8.8.
From Example 8.1 we know that 3 is a primitive root modulo 43. Let Alice choose 7 as her private key. She computes her public key as
Alice publicizes her public key material (p, g, y) = (43, 3, 37).
Let Bob encrypt a plaintext message m = 14. Bob picks a random exponent 26 and computes
The resultant ciphertext message pair is (15, 31).
To decrypt the ciphertext message (15, 31), Alice computes
Division requires application of Alg 4.2. But Alice can avoid it by computing:
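The following Python program, added here as an illustration and not taken from the book, carries Alg 8.3 and Example 8.8 through in code, including the division-free decryption with the exponent p − 1 − x. The generator test by the prime factors of p − 1 and the modular inverse via pow(·, −1, p) are the assumed implementation choices; the random choices of the algorithm are passed in as parameters so that the run can be checked against the numbers of the example.

```python
"""Textbook ElGamal (Alg 8.3) worked through on the numbers of Example 8.8.

Added example, not code from the book. The private key x and Bob's exponent k
are parameters so that the run reproduces the printed example exactly.
"""
import secrets


def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for toy sizes)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_generator(g, p):
    """g generates the whole multiplicative group mod p iff
    g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def keygen(p, g, x):
    """Key setup steps 3-5 of Alg 8.3 with the private exponent x given explicitly."""
    assert is_generator(g, p), "g must generate the multiplicative group mod p"
    assert 1 <= x <= p - 2, "private exponent out of range"
    y = pow(g, x, p)                     # public key y = g^x (mod p)
    return (p, g, y), x


def encrypt(pub, m, k=None):
    """Encryption (8.12.1): c1 = g^k, c2 = y^k * m (mod p).
    A fresh random k is drawn when none is supplied."""
    p, g, y = pub
    assert 0 < m < p, "textbook ElGamal takes a message m < p"
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), (pow(y, k, p) * m) % p


def decrypt(pub, x, ct):
    """Decryption (8.12.2): m = c2 / c1^x (mod p); the division is a modular
    inverse, which Python computes with the extended Euclid algorithm (Alg 4.2)."""
    p, _, _ = pub
    c1, c2 = ct
    inv = pow(pow(c1, x, p), -1, p)
    return (c2 * inv) % p


def decrypt_without_division(pub, x, ct):
    """Same result with no inversion: by Fermat, c1^(p-1-x) = c1^(-x) (mod p),
    so m = c1^(p-1-x) * c2 (mod p). This is the '-x means p-1-x' remark."""
    p, _, _ = pub
    c1, c2 = ct
    return (pow(c1, p - 1 - x, p) * c2) % p


def example_8_8():
    """Replays Example 8.8: p = 43, g = 3, x = 7, m = 14, k = 26.
    Returns the public key, the ciphertext and both decryptions."""
    pub, x = keygen(43, 3, 7)
    ct = encrypt(pub, 14, k=26)
    return pub, ct, decrypt(pub, x, ct), decrypt_without_division(pub, x, ct)


if __name__ == "__main__":
    pub, ct, m1, m2 = example_8_8()
    print("public key (p, g, y) =", pub)        # (43, 3, 37)
    print("ciphertext (c1, c2)  =", ct)         # (15, 31)
    print("decrypted:", m1, "| without division:", m2)   # 14 | 14
```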

8.13 Insecurity of the Textbook ElGamal Encryption
The encryption algorithm (8.12.1) of the ElGamal cryptosystem is probabilistic: it uses a random input. Suppose that Alice's private key x is relatively prime to p − 1; then by Theorem 5.2(3) (in §5.2.3), her public key y ≡ g^x (mod p) remains a generator of (since g is), and thereby y^k (mod p) will range over when k ranges over . Since multiplication modulo p is a permutation over for any plaintext message , c_2 ≡ y^k m (mod p) will range over when k ranges over (Theorem 6.6 in §6.2.2). Consequently, we have c_2 ∈_U for . This means that the ElGamal encryption distributes the plaintext message uniformly over the entire message space. This is the ideal semantic property for an encryption algorithm.
However, we should not be too optimistic! The ciphertext of the ElGamal encryption is not just the single block c_2, but the pair (c_1, c_2), and these two blocks are statistically related. Therefore, like all other public-key cryptosystems, the security of the ElGamal cryptosystem is conditional under an intractability assumption. Moreover, we shall see in a moment (§8.13.1) that in order for the ideal semantic property to hold, the plaintext message must be in the group <g>. Unfortunately, this is usually not the case in real-world applications.
First, we present an "all-or-nothing" security result for the ElGamal encryption scheme.
Theorem 8.3
For a plaintext message uniformly distributed in the plaintext message space, the ElGamal cryptosystem is "all-or-nothing" secure against CPA if and only if the CDH problem is hard.
Proof (⇒) We need to show that if the ElGamal cryptosystem is secure, then the CDH assumption holds.
Suppose on the contrary the CDH assumption does not hold. Then given any ciphertext (c_1, c_2) ≡ (g^k, y^k m) (mod p) constructed under the public key y ≡ g^x (mod p), a CDH oracle will compute from (p, g, g^x, g^k) to g^xk ≡ y^k (mod p) with a non-negligible advantage. Then m ≡ c_2 / y^k (mod p) with the same advantage. This contradicts the assumed security of the ElGamal cryptosystem.
(⇐) We now need to show that if the CDH assumption holds, then there exists no efficient algorithm that can recover a plaintext message encrypted in an ElGamal ciphertext with non-negligible advantage.
Suppose on the contrary there exists an efficient oracle O against the ElGamal cryptosystem, that is, given any public key (p, g, y) and ciphertext (c_1, c_2), O outputs with a non-negligible advantage such that m satisfies

Then for an arbitrary CDH problem instance (p, g, g_1, g_2), we set (p, g, g_1) as the public key and set (g_2, c_2) as the ciphertext pair for a random . Then with the advantage O outputs with m satisfying
This contradicts the holding of the CDH assumption.
Since the CPA security of the ElGamal cryptosystem is equivalent to the CDH problem, our discussions for the CDH problem and the DL problem (in §8.4), such as the cautionary considerations on the settings of the public-key parameters, all apply to the ElGamal cryptosystem. As in the Diffie-Hellman key exchange protocol, the ElGamal cryptosystem can also work in a large prime-order subgroup of , or in a large group of points on an elliptic curve defined over a finite field.
8.13.1 Meet-in-the-Middle Attack and Active Attack on Textbook ElGamal
The reason we have labeled the ElGamal cryptosystem specified in Alg 8.3 a textbook scheme is that it is a very weak encryption scheme. Now let us see why.
The ElGamal encryption scheme, in a usual form used in applications, may leak partial information even to a passive attacker. In practice, the ElGamal cryptosystem often uses g of order r = ord_p(g) < p as a means to obtain improved efficiency. In such a case, if a message m is not in the subgroup <g>, then a meet-in-the-middle attack similar to that on the textbook RSA (see Example 8.3) can also be applied to the textbook ElGamal. This is because, for ciphertext (c_1, c_2) = (g^k, y^k m) (mod p), Malice can obtain
That is, Malice has transformed the "probabilistic" encryption scheme of ElGamal into a deterministic version! Moreover, it has the multiplicative property just as the textbook RSA does (explained in §8.9). Therefore, for a small message which is easy to factor, Malice can launch the meet-in-the-middle attack on m^r (mod p) in exactly the same way as he does on the textbook RSA (this meet-in-the-middle attack on the textbook ElGamal encryption scheme is observed in [52]).
From this attack we now know that when a plaintext message is not in the subgroup generated

by g, the ElGamal cryptosystem becomes a deterministic scheme. A deterministic encryption scheme of course leaks partial information since it permits a trial-and-error method to find small plaintext messages, such as a secret bid or a salary figure.
Finally we provide an example of ElGamal's vulnerability to active attack.
Example 8.9.
Let Malice be in conditional control of Alice's ElGamal decryption box. As in Example 8.5, the condition is a "reasonable" one in that if a decryption of a ciphertext submitted by Malice results in a message which is not meaningful (looks random), then Alice should return the decryption result to Malice.
Let Malice have a ciphertext (c_1, c_2) ≡ (g^k, y^k m) (mod p) which he has eavesdropped or intercepted from a previous confidential communication between Alice and someone else (not with Malice!). If Malice wants to know the corresponding plaintext, he picks a random number , computes c'_2 = r c_2 (mod p) and sends his chosen ciphertext (c_1, c'_2) to Alice. The decryption result by Alice will be
which, viewed by Alice, is completely random since the multiplication of r < p is a permutation over . So Alice returns the decryption result r m back to Malice. Alas, Malice has r and thereby can obtain m with a division modulo p.
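The following Python program, added here as an illustration and not taken from the book, turns the two observations of §8.13.1 and Example 8.9 into checks a defender can run: the subgroup membership test a sender must apply to a plaintext, the value c_2^r that stays the same across fresh encryptions of a message outside <g> (so the encryption of such a message is deterministic), and the malleability that makes a decryption service unsafe. The parameters p = 47 = 2·23 + 1, g = 4 of order r = 23 and the private key 5 are constructed for the demonstration.

```python
"""Two checks on textbook ElGamal from 8.13.1 and Example 8.9 (added example,
not the book's code). Constructed toy parameters: p = 47 = 2*23 + 1 and g = 4
of prime order r = 23, so <g> is the subgroup of quadratic residues mod 47."""
import secrets

P, R, G = 47, 23, 4          # constructed: safe prime, subgroup order, generator of <g>
X = 5                        # constructed private key
Y = pow(G, X, P)             # public key y = g^x (mod p) = 37


def encrypt(m, k=None):
    """(8.12.1) with the exponent k drawn from [1, r-1] when not given."""
    if k is None:
        k = secrets.randbelow(R - 1) + 1
    return pow(G, k, P), (pow(Y, k, P) * m) % P


def decrypt(ct, x=X):
    """(8.12.2) in the division-free form: m = c2 * c1^(p-1-x) (mod p)."""
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - x, P)) % P


def in_subgroup(m):
    """m lies in <g> iff m^r = 1 (mod p): the check to make before encrypting,
    since only messages inside <g> enjoy the uniform distribution of 8.13."""
    return pow(m, R, P) == 1


def residue_of_power(m, trials=8):
    """Set of c2^r (mod p) over several fresh encryptions of the same m.
    y^k has order dividing r, so c2^r = (y^k m)^r = m^r whatever k was: the
    set has one element, a deterministic function of m. For m in <g> that
    element is always 1 and reveals nothing about m."""
    return {pow(encrypt(m)[1], R, P) for _ in range(trials)}


def tamper(ct, r):
    """Example 8.9: the pair (c1, r*c2) is a valid ciphertext of r*m, so the
    scheme is malleable and a decryption box must not serve unknown ciphertexts."""
    c1, c2 = ct
    return c1, (r * c2) % P


def oracle_leak(m, r):
    """What Alice's box returns for the tampered ciphertext (r*m, which looks
    random to her), and what the submitter recovers from it by one division."""
    rm = decrypt(tamper(encrypt(m), r))
    return rm, (rm * pow(r, -1, P)) % P


if __name__ == "__main__":
    for m in (3, 5):          # 3 is a quadratic residue mod 47, 5 is not
        print(f"m={m}: in <g>? {in_subgroup(m)}; "
              f"c2^r over fresh encryptions: {residue_of_power(m)}")
    print("tampered decryption for m=17, r=9:", oracle_leak(17, 9))   # (12, 17)
```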

8.14 Need for Stronger Security Notions for Public-key Cryptosystems
We have introduced several basic and textbook public-key cryptosystems. These basic schemes can be viewed as direct applications of various one-way trapdoor functions. (The meaning of one-way trapdoor functions has been given in Property 8.1.)
Now it is time to provide a summary of the insecurity features of these textbook schemes. We should provide a brief discussion here on two aspects of vulnerabilities that a textbook public-key cryptosystem has.
First, as stated in Property 8.2(i), within the scope of this chapter we have only considered a very weak notion of security: secrecy in an "all-or-nothing" sense. In most applications of public-key cryptosystems, such a weak notion of secrecy is far from being good enough and is also not very useful. In many applications plaintext messages contain a priori information known to an attacker. For example, if a cipher encrypts a vote, then the a priori information can be "YES" or "NO," or a handful of names of the candidates; thus, regardless of how strong a trapdoor function is, an attacker only needs several trial-and-error attempts to pinpoint the correct plaintext. In some other applications, some partial a priori information about the plaintext will provide an attacker an unentitled advantage (we will see such an attack in §14.3.2). In general, a textbook encryption algorithm does not hide such partial information very well. Thus, stronger public-key cryptosystems secure for hiding any a priori information about the plaintext are needed.
Secondly, as stated in Property 8.2(ii), within the scope of this chapter we have only considered a very weak mode of attack: "passive attacker." However, for each textbook scheme introduced in this chapter we have demonstrated an active attack on it (Examples 8.5, 8.7, 8.9). In such an attack, the attacker can prepare a cleverly calculated ciphertext message and submit it to a key owner for an oracle decryption service in CCA or CCA2 modes. Our attacks show that textbook public-key cryptosystems are in general vulnerable to CCA or CCA2. Although we have provided advice as a general principle for a user to anticipate an active attacker (a public key owner should always be vigilant not to provide a decryption service), considering that it will be impractical to require an innocent user to stay in an alert state all the time, advising a user not to respond to a decryption request cannot be a correct strategy against an active attacker.
Public-key cryptosystems with stronger notions of security with respect to these two aspects have been proposed by various authors. In Chapter 14 we will study the course of establishing various stronger confidentiality notions and how to achieve formally provable security. In Chapter 15 we shall introduce fit-for-application public-key cryptosystems which are provably secure under a very strong security notion.

8.15 Combination of Asymmetric and Symmetric Cryptography
Public-key cryptography solves the key distribution problem very nicely. However, in general, public-key cryptographic functions operate in very large algebraic structures, which means expensive algebraic operations. Comparatively, symmetric cryptographic functions are in general much more efficient. Considering the AES for example, it works in a field of 256 elements; the basic operations such as multiplication and inversion can be conducted by the "table lookup" method (review §7.7.4), which is extremely efficient. In general, public-key cryptosystems are comparatively much more computationally intensive than their symmetric-key counterparts.
In applications, in particular in those which need encryption of bulk data, it is now a standard approach that encryption uses a hybrid scheme. In such a scheme, public-key cryptography is used to encrypt a so-called ephemeral key for keying a symmetric cryptosystem; this establishes the shared ephemeral key between a sender and a receiver; the bulk data payload is then encrypted under the shared ephemeral key using a symmetric cryptosystem. Such a combined scheme achieves the best of the two kinds of cryptosystems: the ease of key distribution from public-key cryptosystems and the efficiency from the symmetric cryptosystems.
A widely used combination of public-key and symmetric-key cryptosystems in cryptographic protocols is a so-called digital envelope technique. This is the combination of the RSA cryptosystem with a symmetric-key cryptosystem such as the DES, the triple-DES or the AES. This common combination (RSA + DES or RSA + triple DES) is the basic mode for the secure sockets layer (SSL) protocol ([136]; we will introduce the SSL protocol in Chapter 12), which has been used in popular Web browsers such as Netscape and Internet Explorer and in Web servers. In the SSL protocol, the initiator of the protocol (let it be Alice, usually in the position of a Web client) will first download the public-key material of the other communication party (let it be Bob, usually in the position of a Web server); then Alice (in fact, her web-browser software) will generate a random session key, encrypt ("envelope") the session key using Bob's public key and send the "envelope" to Bob. After Bob (in fact, his web-server software) has decrypted the "envelope" and retrieved the session key, the two parties can then use the session key to key a symmetric encryption scheme for their subsequent confidential communications.
In the context of protocols, the simple hybrid encryption scheme is conceptually very simple. But it has two limitations. First, the scheme uses a session key which is created by one party (the message sender or the protocol initiator); the other party (the message receiver or the protocol responder) will have to rely completely on the sender's or the protocol initiator's competence (or honesty) in key generation for security. This may not be desirable in some circumstances, for instance, in the SSL protocol's client-server setting where the client is the sender and is implemented in software which is notoriously weak in generation of randomness.
The second limitation of the simple hybrid encryption scheme is due to its nonevanescent property. In a hybrid encryption scheme, an eavesdropper who can coerce the receiver into revealing her/his private key can then recover the full Payload_Message. This weakness is often referred to as lack of the "forward secrecy property." The forward secrecy property means it is impossible for an eavesdropper to recover the plaintext message at a future time using the ciphertext messages sent in the past, either by means of cryptanalysis or even by means of coercion.
These two limitations can be overcome if the public-key cryptographic part of a hybrid encryption scheme uses the Diffie-Hellman key exchange protocol.
Let us first look at how the first limitation disappears if a hybrid scheme uses the Diffie-Hellman

key exchange pr ot ocol. I n t he Di ff i e- Hel l man key exchange pr ot ocol r un bet ween Al i ce and Bob,
t he shared secr et g
ab
cont ains r andomness i nput fr om t he bot h par t i es: Al i ce's cont r ibut i on i s
fr om a and Bob's, f r om b. Given t hat g gener at es a pr i me- or der group and t hat t he pr ot ocol
messages sat i sfy g
a
1 and g
b
1 ( see t he "caut i onar y det ai l s" t hat we have pr ovi ded in
8. 3) , Al i ce ( r espect i vel y , Bob) can be sur e t hat t he shar ed secr et sessi on key der ived fr om g
ab
wi l l be r andom as l ong as she ( respect i vel y, he) has used a r andom exponent . Thi s i s because
t he mappi ngs and ar e per mut at ions i n t he gr oup i n quest i on and
t her eby a uni for m exponent ( l ess t han t he gr oup order ) wil l cause g
a
( respect ivel y, g
b
) being
mapped t o a unif or m gr oup el ement g
ab
.
Secondly, let us look at how the second limitation is overcome. We note that a hybrid encryption scheme using the Diffie-Hellman key exchange protocol has the forward secrecy property if Alice and Bob run the key exchange protocol in the cautionary manner which we have recommended in §8.3, and if they also properly process the subsequent session communications. To run the Diffie-Hellman key exchange protocol in a cautionary manner, Alice and Bob should exchange the session key g^{ab} and then erase the exponents a and b upon termination of the protocol. To properly process the subsequent session communications, Alice and Bob should destroy the session key after the session ends and should properly dispose of the plaintext messages they have communicated. If they follow these rather standard procedures, then obviously coercion will not enable an eavesdropper to find out the plaintext messages that Alice and Bob have communicated. Cryptanalysis won't do the job for the eavesdropper either, since the forward secrecy property (of the Diffie-Hellman key exchange protocol) is simply due to the difficulty of the CDH problem (see §8.4).
Finally we point out that a hybrid encryption scheme can be designed to have provable security under a very strong notion of confidentiality. In Chapter 15 we shall conduct an overview of a series of such schemes.
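The two points above (the non-identity check on protocol messages, and erasing the exponents once the session key is derived) in running code, as an added example that is not from the book; the toy parameters p = 23, q = 11, g = 4 and the SHA-256 key derivation are constructed here and are far too small for real use.

```python
import hashlib
import secrets
from typing import Optional

# Constructed toy parameters (not a secure size): p = 2q + 1 with q prime,
# and g = 4 generates the subgroup of prime order q in Z_p^*.
P, Q, G = 23, 11, 4


def is_valid_dh_message(y: int) -> bool:
    """The 'cautionary details' check applied to a received protocol message y:
    y must be an element of the prime-order group <g> other than the identity,
    i.e. 1 < y < p and y^q = 1 (mod p). This rejects y = 1 (which would make the
    derived key independent of the exponent) as well as elements outside <g>,
    such as p - 1, which has order 2."""
    return 1 < y < P and pow(y, Q, P) == 1


def derive_session_key(shared: int) -> bytes:
    """Session key from g^ab. Only the group element enters the derivation,
    never the exponents a or b."""
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


class Party:
    """One side of the exchange. The exponent lives only until the session key is
    derived and is then erased; this is the step that gives forward secrecy.
    (Setting the attribute to None is symbolic in Python; a real implementation
    must zeroize the key buffer.)"""

    def __init__(self, exponent: Optional[int] = None) -> None:
        # uniform exponent in [1, q-1] unless the caller fixes one for a worked check
        self._x: Optional[int] = exponent if exponent is not None else secrets.randbelow(Q - 1) + 1
        self.public = pow(G, self._x, P)
        self.key: Optional[bytes] = None

    def finish(self, peer_public: int) -> bytes:
        if self._x is None:
            raise RuntimeError("exponent already erased; this party cannot run again")
        if not is_valid_dh_message(peer_public):
            raise ValueError("peer value is not a non-identity element of <g>")
        self.key = derive_session_key(pow(peer_public, self._x, P))
        self._x = None  # erase a (or b): g^ab can no longer be recomputed from this party
        return self.key

    def exponent_erased(self) -> bool:
        return self._x is None


def run_exchange(a: Optional[int] = None, b: Optional[int] = None) -> bool:
    """One full Diffie-Hellman exchange; True iff both sides derive the same key
    and both have erased their exponents afterwards."""
    alice, bob = Party(a), Party(b)
    ka = alice.finish(bob.public)
    kb = bob.finish(alice.public)
    return ka == kb and alice.exponent_erased() and bob.exponent_erased()


def key_space_size(peer_public: int) -> int:
    """Number of distinct g^ab values reachable by varying one's own exponent over
    [1, q-1] when the peer sent peer_public. For a valid message this is q - 1:
    exponentiation is a permutation of <g>, so a uniform exponent gives a uniform
    key. For the degenerate message y = 1 it is 1: the key no longer depends on
    the exponent at all, which is why is_valid_dh_message rejects it."""
    return len({pow(peer_public, b, P) for b in range(1, Q)})
```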

8.16 Key Channel Establishment for Public-key Cryptosystems
The well-known man-in-the-middle attack on the Diffie-Hellman key exchange protocol (see §8.3.1) is general in public-key cryptosystems. In general, to send a confidential message to a recipient by encrypting under her/his public key, the sender must first make sure that the key to be used really belongs to the intended recipient. Likewise, upon receipt of a "digital envelope," the recipient must make sure that the "envelope" is really from the claimed source before engaging in confidential communications using the symmetric key retrieved from the "envelope."
Thus, no matter how "unconventional" public-key cryptographic techniques are, there is still a need for establishing a secure key channel between communication parties. However, in public-key cryptography we have k_e ≠ k_d (see Fig 7.1) and therefore transporting an encryption key k_e to the message sender need not involve handling of any secret. Therefore, the task of establishing a secure key channel is purely an authentication problem, namely, the key channel involves no handling of any secret and should only preserve the authenticity of the encryption key.
Authenticated key channel establishment for public keys will be the topic of Chapter 13. Directory-based techniques for public-key channel setting-up will be introduced in §13.2 while some identity-based techniques will be introduced in §13.3.

8.17 Chapter Summary
In this chapter we have introduced several well-known and widely used public-key encryption schemes: the Diffie-Hellman key exchange protocol, and the RSA, Rabin and ElGamal encryption algorithms. Along with these basic public-key schemes, we introduced the respective hard problems as complexity-theoretic assumptions which are the security underpinnings for the basic public-key encryption algorithms.
We declared that the quality of security considered in this chapter, all-or-nothing secrecy against a passive attacker, is a low one: it is labeled as a textbook security notion and is only suitable for an ideal world in which data are already random and bad guys are nice (in that they do not mount active attacks). All public-key schemes introduced in this chapter are textbook ones. Various attacks on them have been demonstrated to manifest their insecurity qualities.
We then discussed the need for more stringent and fit-for-application security notions for public-key encryption schemes, and the need for schemes which are secure under the stronger notions. However, we decided to defer their introduction to several later chapters (in Part V). The reader who does not plan to study Part V should carefully review the attacks given in this chapter, especially if (s)he plans to use a textbook crypto scheme introduced in this chapter.

Exercises
8.1 What are the two prominent characteristics of a textbook crypto algorithm?
8.2 A cipher block chaining (CBC) mode of operation for a block cipher (introduced in §7.8.2) has a random input and as a result any partial information of a plaintext can be well hidden. Is CBC still a textbook crypto algorithm? Why?
8.3 Let an attacker in a man-in-the-middle attack on the Diffie-Hellman key exchange only relay messages between Alice and Bob (i.e., the "man in the middle" does not alter the conversations of Alice and Bob, apart from performing decryption and encryption using the keys the attacker shares with Alice and Bob). Is the attack a passive one or an active one?
Hint: the attack takes place before the message relays.
8.4 For the commonly agreed lower-bound size setting for finite field F_q: |q| = 1204 and for c < 2 in the subexponential expression sub_exp(q) in (8.4.2), confirm that there is a "poly solver" for the DLP in F_q where the "poly solver" runs in time bounded by a degree-9 polynomial in the size of q.
8.5 Let group ⟨g⟩ have a non-secret order ord(g). Is the following problem hard? Given g^c, find g^a and g^b such that ab ≡ c (mod ord(g)), that is, to construct a Diffie-Hellman tuple (g, g^a, g^b, g^c) from (g, g^c).
8.6 What is the relationship between the discrete logarithm problem and the computational Diffie-Hellman problem?
8.7 In RSA public-key material (e, N), why must the encryption exponent e be relatively prime to φ(N)?
8.8 Factoring an odd composite integer is in general a difficult problem. Is factoring a prime power a difficult problem too? (A prime power is N = p^i where p is a prime number and i is an integer. Factor N.)
Hint: for any i > 1, how many index values i need to be tried in computing the i-th root of N?
8.9 For N being a prime power, one method for "computing the i-th root of N" in the preceding problem is binary search. Design a binary search algorithm to root p^i (i is known). Prove that this algorithm is efficient.
Hint: consider binary searching primes of a given number of bits.
8.10 An RSA encryption function is a permutation in the multiplicative group modulo the RSA modulus. The RSA function is therefore also called a one-way trapdoor permutation. Is the Rabin (ElGamal) encryption function a one-way trapdoor permutation?

8.11 Let N be about 2^1024. Randomly sampling elements from the integers modulo N, what is the probability for a sampling result being less than 2^64? Use this result to explain why a 64-bit random password should not be regarded as a random plaintext for the RSA (Rabin, ElGamal) encryption algorithms.
8.12 Under what condition can the encryption function of the ElGamal cryptosystem be viewed as a deterministic algorithm?
8.13 What are CPA, CCA and CCA2? Explain these notions.
8.14 We have used "all-or-nothing" as a modifier in the descriptions of the CPA security properties for the RSA and Rabin cryptosystems (Theorem 8.1 and Theorem 8.2(I), respectively). Why is this necessary?
8.15 Why must any public-key encryption algorithm (even a textbook crypto one) resist CPA?
8.16 What is the main reason for textbook crypto algorithms being generally vulnerable to active attacks?
8.17 What is an oracle (encryption, decryption) service? For a public-key encryption algorithm, does an attacker need an oracle encryption service?
8.18 Since textbook crypto algorithms are generally vulnerable to active attacks, we have advised that one should be careful not to provide any (oracle) decryption service. Is this actually a correct attitude or a practical strategy?
8.19 Since an active attack generally involves modification of (ciphertext) messages transmitted over the network, will an active attack still work if a public-key encryption algorithm has a data integrity protection mechanism which detects unauthorized alteration of ciphertext messages?
8.20 What is the virtue of a hybrid cryptosystem?

Chapter 9. In An Ideal World: Bit Security of The Basic Public-Key Cryptographic Functions
Section 9.1. Introduction
Section 9.2. The RSA Bit
Section 9.3. The Rabin Bit
Section 9.4. The ElGamal Bit
Section 9.5. The Discrete Logarithm Bit
Section 9.6. Chapter Summary
Exercises

9.1 Introduction
We have seen from several examples that the basic public-key cryptographic functions introduced in the preceding chapter in general do not hide partial information about plaintext messages very well, especially when a plaintext message is not random. However, these basic cryptographic primitive functions are not bad at all if they are used in an ideal world in which plaintext messages are random. In such a situation, each of these basic functions is actually very strong.
In this chapter we shall study the bit security of the basic public-key cryptographic functions. We shall see that each of the basic and popular public-key cryptographic primitive functions introduced in the preceding chapter has a strong bit security in that, provided the plaintext messages are random, to find an individual bit of the plaintext from a ciphertext is just as difficult as finding the whole plaintext block.
The positive results on bit security for the basic and popular public-key cryptographic functions suggest that as long as a plaintext message is random, the problem of finding any information about the plaintext can be as hard as inverting these basic functions, since the latter is the problem of finding the whole block of the plaintext message.
This observation has been applied by many researchers to constructing strong public-key encryption schemes out of the basic and popular public-key cryptographic primitive functions. The idea is to randomize the plaintext messages using some randomization scheme before applying a primitive function. In Part V, we will study a general methodology for security proof which is called the random oracle model. Under the random oracle model, public-key encryption schemes (in fact, digital signature schemes too) which are based on the popular public-key cryptographic functions introduced in the preceding chapter can be proved secure under a strong notion of security. An important step for these proofs to go through is an assumption that the plaintext (or message) input to these schemes has been randomized.
We should notice that "an ideal world" is one in which plaintext messages are random. Such a world is not "the ideal world." In the latter, in addition to random messages, Malice is also a nice guy who never mounts an active attack. Therefore, the basic and popular public-key cryptographic functions are still very weak in an ideal world. We will see such examples in this chapter.
This chapter may be skipped by a reader who does not plan to find "know-why" about the fit-for-application cryptographic schemes which we will study in Part V.
9.1.1 Chapter Outline
§9.2 studies the RSA bit security. §9.3 studies the Rabin bit security and a technique for using the Rabin bit to generate strong pseudo-random numbers. §9.4 studies the ElGamal bit security. Finally, §9.5 studies the bit security of the discrete logarithm function.

9.2 The RSA Bit
If an RSA ciphertext encrypts a message which contains no a priori guessable information (for example, when a message is a uniformly random number in the message space), then it is known that the problem of extracting a single bit of the plaintext message from a ciphertext is as hard as extracting the whole block of the plaintext [128, 76, 75]. Without loss of generality, "one bit of the plaintext" can be the least significant bit, i.e., the parity bit, of the plaintext message. What we are trying to say here is the following statement.
Theorem 9.1
Let N be an RSA modulus. The following two problems are equally hard (or equally easy):
I. given the RSA encryption of a message, retrieve the message;
II. given the RSA encryption of a message, retrieve the least significant bit of the message.
If one can solve (I) then obviously one can solve (II). The converse seems not so straightforward. One may think that these two problems can hardly be computationally equivalent: (I) is a computational problem, while for a uniformly random plaintext message, (II) is a decisional problem and sheer guessing will entitle one to solve half the instances. Nevertheless, if one has possession of an oracle which can answer (II) reliably, then one can indeed solve (I) by calling this oracle log_2 N times, and we shall show such a method. Since log_2 N is the size of N, such a method "reduces" (I) to (II) in polynomial time in the size of the input, and is therefore called a polynomial time reduction. Consequently, (I) can be solved in time polynomial in the size of the input, on top of the time for the oracle to solve (II). We view these two problems to have the same time complexity because we do not differentiate complexities which are different up to a polynomial.
Now let us describe a polynomial reduction method from (I) to (II). Let us call the oracle solving (II) the "RSA parity oracle" and denote it by PO_N; namely, on input an RSA ciphertext, PO_N returns the least significant bit of the corresponding plaintext.
In our proof of Theorem 9.1, we denote by x ∈ (a, b) an integer x in the open interval (a, b) where a and/or b may or may not be integers. Since x is an integer, x ∈ (a, b) implies that x is in the closed interval [⌈a⌉, ⌊b⌋].
The crux of the proof is a binary search technique which is enabled by the following observation.
Lemma 9.1
Let N be an odd integer and x ∈ (0, N). Then 2x (mod N) is even if and only if x lies in the lower half of (0, N), i.e., x < N/2.

Proof For all x in the lower half of (0, N), the multiplication 2x (mod N) takes no modulo operation and therefore the result is 2x and is an even number in (0, N). Conversely, if 2x (mod N) is even then it can be divided by 2 and the division takes no modulo operation. Consequently x is in the lower half of (0, N).
Since the integers in the upper half of (0, N) are exactly the other half of the integers in (0, N), Lemma 9.1 also says that 2x (mod N) is odd if and only if x is in the upper half of (0, N).
Now let us prove Theorem 9.1.
Proof (of Theorem 9.1) We only need to show (II) ⇒ (I). The proof is constructive. We construct a binary search algorithm which makes use of a reliable PO_N and finds m from an RSA ciphertext c = m^e (mod N). The algorithm will maintain an interval (a, b), called the "current interval" (CI for short). At the start of the algorithm, the initial current interval is (a, b) = (0, N). The binary search algorithm will maintain the following two invariant conditions:
each iteration will cause CI to halve its length;
the targeted plaintext remains in CI.
For clarity in exposition, we shall only consider the first two iterations of the search procedure.
Iteration 1 We know that the plaintext is in (a, b) = (0, N). We ask PO_N by feeding it 2^e c (mod N). Noticing 2^e c ≡ (2m)^e (mod N), from PO_N(2^e c) we can deduce from Lemma 9.1 whether m is in the lower half or in the upper half of (0, N). We therefore obtain a new CI which contains the plaintext and has half the length. So when entering this iteration, (a, b) = (0, N); when out of this iteration, (a, b) is either the lower half or the upper half of (0, N).
Iteration 2 Consider the case out of Iteration 1 in which m is in the lower half of (0, N). Let us feed 2^{2e} c ≡ (2^2 m)^e (mod N) to PO_N. If PO_N(2^{2e} c) = 0, then the plaintext 2^2 m ≡ 4m (mod N) is even. By Lemma 9.1, 2m (mod N) is in the lower half of (0, N). But remember 2m < 2N; in the present case m is in the lower half of (0, N), so 2m < N and 2m (mod N) is just 2m. Thus 2m itself is in the lower half of (0, N), and thereby m is in the lower half of the current CI. Now we update CI by reducing b by half the length of CI. Thus, the invariant conditions are maintained.
The reader may check the correctness of the following two general cases for updating CI:
If PO_N answers 0, the plaintext is in the lower half of CI = (a, b), and therefore b should be reduced by half the length of CI;
Otherwise, the plaintext is in the upper half of CI = (a, b), and therefore a should be increased by half the length of CI.
Clearly, after i = ⌊log_2 N⌋ + 1 steps of search, we will reach the case |CI| = b − a < 1. The search algorithm terminates and outputs m as the unique integer in CI. To this end we have proven Theorem 9.1.
Alg 9.1 summarizes the general description of the binary search algorithm which we have

constructed in the proof of Theorem 9.1.
Example 9.1.
For RSA public key (N, e) = (15, 3) and ciphertext c = 13, let us ask PO_N 4 questions and pinpoint the secret plaintext m. We feed PO_N four random-looking ciphertext queries, formed as in the proof (2^e c, 2^{2e} c, and so on, all reduced mod N). PO_N answers: 0, 1, 1, 1. From these answers we deduce:
1st answer: m ∈ [1, 7];
2nd answer: m ∈ [4, 7];
3rd answer: m ∈ [6, 7];
4th answer: m ∈ [7, 7].
So we have found m = 7. Indeed, 7 is the plaintext: 7^3 ≡ 13 (mod 15).
Algorithm 9.1: Binary Searching RSA Plaintext Using a Parity Oracle

INPUT (N, e): RSA public-key material;
c = m^e (mod N): an RSA ciphertext;
PO_N: a parity oracle; on inputting an RSA ciphertext, it returns the least significant bit of the corresponding plaintext.
OUTPUT m.

1. Initialize (a, b) ← (0, N);
(* the length of the "current interval" CI = (a, b) will be halved in each iteration while m ∈ (a, b) is maintained. *)
2. For i = 1, 2, ..., ⌊log_2 N⌋ + 1 do
{
(* the length of (a, b) is always under *)
2.1 If (PO_N(2^{ie} c) = 0) then ;
(* m is in the lower half of (a, b) *)
2.2 Else ;
(* m is in the upper half of (a, b) *)
}
3. Return(b).
Theorem 9.1 tells us that the RSA least significant bit can be as strong as the whole block of the plaintext.

In Example 8.5 we have seen that it is dangerous for a user, as the owner of an RSA public key, to act as a decryption oracle to return a plaintext as a whole data block to a decryption request. Now from the "RSA least significant bit security" result we further know that the user must also not act as a "parity oracle," or an "N/2-oracle" (due to Lemma 9.1), to answer any cipher query on the parity bit of the corresponding plaintext (or to answer whether the plaintext is less than N/2).

We should warn the reader that an attacker may embed such queries in an innocent-looking protocol. See the following example.

Example 9.2.

When Alice and Malice need to agree on a secret session key to be shared exclusively between them, Malice may provide a reasonable suggestion as follows:

"Alice, how about we send to each other 1,000 ciphertext messages encrypted under our respective public keys? Let the session key be the bit string from XORing the parity bits of each pair of the exchanged plaintext messages. By the way, to assure you that the session key will be random, let me send my 1,000 blocks to you first!"

Alice not only agrees, she is also grateful for the trust Malice has shown her (in making the session key random)! However, the 1,000 ciphertext messages Malice sends to her will be (2^i)^e c (mod N) (i = 1, 2, ..., 1000) where c is a ciphertext someone else sent to Alice and was eavesdropped by Malice.

After the protocol, Malice pretends to have erred in the computation of the session key:

"Alice, I'm sorry for having messed up my computation. Would you be so kind and send me the session key? Please encrypt it under my public key."

Poor Alice offers help. Alas, from the session key, Malice can extract the needed parity bits and then apply Alg 9.1 to discover the plaintext encrypted inside c!

Here Malice is an active attacker: he modifies the ciphertext c by blinding it using multipliers (2^i)^e (mod N). Therefore, although the RSA least significant bit is as strong as the whole block of the plaintext message, the function is still hopelessly weak against an active attack.

9.3 The Rabin Bit

Alg 9.1 can be easily modified and applied to the Rabin encryption if the encryption takes the simple form of c = m^2 (mod N) (i.e., the case of the encryption exponent being e = 2, and that is all the "modification").

However, there is some complication. For N having two distinct prime factors, by Theorem 6.17 (in §6.6.2), any given c ∈ QR_N has four distinct square roots modulo N, i.e., the ciphertext c has four different plaintexts. If a parity oracle answers the parity of a random square root of c (i.e., random among the four), then this oracle is not a reliable one and hence cannot be used. Nevertheless, if a square root has certain properties which allow an oracle to do the job deterministically (and hence reliably), then the binary-search technique can still be applied to the Rabin encryption.

One example of such a deterministic oracle is one which answers the parity bit of a smaller square root of the positive Jacobi symbol. By Theorem 6.18 (in §6.7), we know that if N is a Blum integer, then any quadratic residue c has two roots m, −m of the positive Jacobi symbol. Since N is odd, only one of these two roots is less than N/2, and so we can call it the "smaller root of c of the positive Jacobi symbol."

Now if we confine N to a more restricted form of Blum integer (N = pq with p ≡ q (mod 8) will do), then a parity oracle which answers the parity bit of a smaller square root of the positive Jacobi symbol will work. Notice that with this restriction, an i-th query made to this reliable parity oracle will have the plaintext 2^i m (mod N) and so will keep the sign of the Jacobi symbol for all i plaintext queries. For details of a modified binary search algorithm for the Rabin encryption case, see [128].
9.3.1 The Blum-Blum-Shub Pseudo-random Bits Generator

The fact that a binary search algorithm works for the Rabin encryption function suggests that the Rabin least significant bit is strong if the IF assumption holds (Assumption 8.4 in §8.8). The strength of the Rabin least significant bit has an important application: cryptographically strong pseudo-random bits (CSPRB) generation [42]. The so-called Blum-Blum-Shub pseudo-random number generator uses a seed x_0 ∈ QR_N where N is a k-bit Blum integer. Then the pseudorandom bits generated from the BBS generator using the seed x_0 are composed of the least significant bit of each number in the following sequence

Equation 9.3.1

It can be shown [42, 128] that, without knowing the seed x_0, predicting the least significant bits in the sequence in (9.3.1) is computationally equivalent to factoring the Blum integer N.

Remark 9.1

It is also known [13, 295] that the problem of extracting the simultaneous log_2 log_2 N least significant bits from a Rabin ciphertext is equivalent to factoring N.

Blum and Goldwasser applied this result and proposed an efficient cryptosystem which has a strong security called semantic security. We will study semantic security in Chapter 14, where we shall also introduce the semantically secure cryptosystem of Blum and Goldwasser based on the strength of the Rabin bit.
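An added example (not the book's code) of the BBS generator just described, taking the sequence in (9.3.1) to be x_{i+1} = x_i^2 (mod N) with the least significant bit of each term output, which is the standard BBS recurrence. The toy factors p = 11, q = 19 and the seed are constructed, and the last function is the factor holder's shortcut that computes any term of the sequence directly, the easy direction of the equivalence with factoring stated above.

```python
from math import gcd


def is_blum_integer(p, q):
    """N = p*q is a Blum integer when p and q are distinct primes, both = 3 (mod 4).
    Primality of p and q is assumed here, not tested."""
    return p != q and p % 4 == 3 and q % 4 == 3


def bbs_states(p, q, seed, n):
    """Constructed toy parameters go in; returns [x_1, ..., x_n] with
    x_0 = seed^2 (mod N) (which forces x_0 into QR_N) and x_i = x_{i-1}^2 (mod N)."""
    assert is_blum_integer(p, q)
    N = p * q
    assert gcd(seed, N) == 1              # the seed must be a unit modulo N
    x = seed * seed % N                   # x_0 in QR_N
    states = []
    for _ in range(n):
        x = x * x % N                     # x_i = x_{i-1}^2 (mod N)
        states.append(x)
    return states


def bbs_bits(p, q, seed, n):
    """The generator's output: the least significant bit of each state x_i."""
    return [x & 1 for x in bbs_states(p, q, seed, n)]


def bbs_state_with_factors(p, q, seed, i):
    """The factor holder's shortcut: since x_0^lambda = 1 (mod N) for
    lambda = lcm(p-1, q-1), x_i = x_0^(2^i mod lambda) (mod N) in a single
    exponentiation, so anyone holding p and q predicts every output bit directly."""
    N = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    x0 = seed * seed % N
    return pow(x0, pow(2, i, lam), N)
```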

9.4 The ElGamal Bit

For the ElGamal cryptosystem given in the form of Alg 8.3, since the plaintext message space is Z_p^* where p is a large prime number (hence odd), it is straightforward that the binary search technique can also be applied. To find the plaintext message encrypted under a ciphertext pair (c_1, c_2), the querying ciphertext messages sent to a parity oracle should be

If the parity oracle is a human being (this is very likely, see Example 9.2), then in order to avoid suspicion, the attacker can blind the queries, for instance, as follows:

where (g, y) are the public key material of the parity oracle. These log_2 p + 1 pairs of ciphertext messages are completely independent of one another; however, they encrypt the related message series 2^i m (mod p) for i = 1, 2, ..., log_2 p + 1:

To this end we can conclude that the bit security of the ElGamal cryptosystem is as hard as the block data security. On the other hand, a public key owner should be careful not to be tricked into playing the game as in Example 9.2.
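As an added example that is not from the book, the interval-halving loop of Alg 9.1 written once and driven by two query builders: the RSA queries (2^i)^e c (mod N) of Alg 9.1 and Example 9.1, and, for ElGamal, a rerandomised pair (c_1 g^r, 2^i c_2 y^r) under the oracle's own key (g, y), which encrypts 2^i m (the exact form of the book's blinded queries is not on the page, so this form is an assumption). The toy keys are constructed, and each oracle is simulated by a key holder who leaks only the plaintext's low bit, which is precisely what the text says a key owner must never do.

```python
from fractions import Fraction
from math import floor
import random


def parity_binary_search(N, ciphertext_of_2i_m, parity_oracle):
    """Recover the integer m, 0 < m < N (N odd), from an oracle that returns the low
    bit of the plaintext of any ciphertext handed to it.  ciphertext_of_2i_m(i) must
    return some ciphertext of 2^i * m (mod N).  Invariant before the i-th query:
    m lies in (a, b) with b - a = N / 2^(i-1), so the parity of 2^i m mod N tells
    whether 2^(i-1) m mod N < N/2, i.e. whether m is below the midpoint (a+b)/2.
    Returns (m, list of oracle answers)."""
    a, b = Fraction(0), Fraction(N)
    answers = []
    for i in range(1, N.bit_length() + 1):          # floor(log2 N) + 1 queries
        bit = parity_oracle(ciphertext_of_2i_m(i))
        answers.append(bit)
        mid = (a + b) / 2
        if bit == 0:
            b = mid                                   # m is in the lower half
        else:
            a = mid                                   # m is in the upper half
    m = floor(b)                   # (a, b) is now shorter than 1: one integer is left
    assert a < m < b
    return m, answers


def rsa_parity_oracle(N, d):
    """Simulated leak (the PO_N of the text): a decryptor holding the secret
    exponent d that reveals only the least significant bit of the plaintext."""
    return lambda c: pow(c, d, N) & 1


def rsa_recover_from_parity(N, e, c, parity_oracle):
    """(2^i)^e * c = (2^i m)^e (mod N): the i-th query is a valid ciphertext of
    2^i m, exactly the blinded blocks of Example 9.2."""
    return parity_binary_search(N, lambda i: pow(2, i * e, N) * c % N, parity_oracle)


def example_9_1():
    """The book's Example 9.1: (N, e) = (15, 3), c = 13; d = 3 since 3*3 = 1 (mod 8)."""
    return rsa_recover_from_parity(15, 3, 13, rsa_parity_oracle(15, 3))


def elgamal_encrypt(p, g, y, m, k):
    """Textbook ElGamal in the form of Alg 8.3: (c1, c2) = (g^k, y^k * m) mod p."""
    return pow(g, k, p), pow(y, k, p) * m % p


def elgamal_parity_oracle(p, x):
    """Simulated leak for a key holder with secret exponent x: low bit of m = c2 / c1^x."""
    def oracle(ct):
        c1, c2 = ct
        return (c2 * pow(pow(c1, x, p), -1, p) % p) & 1
    return oracle


def elgamal_recover_from_parity(p, g, y, ct, parity_oracle):
    """Assumed query form: (c1 * g^r, 2^i * c2 * y^r) with a fresh random r is an
    independent-looking encryption of 2^i m under the oracle's key (g, y),
    because y^r / (g^r)^x cancels when y = g^x."""
    c1, c2 = ct

    def query(i):
        r = random.randrange(1, p - 1)
        return c1 * pow(g, r, p) % p, pow(2, i, p) * c2 * pow(y, r, p) % p

    return parity_binary_search(p, query, parity_oracle)
```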

9.5 The Discrete Logarithm Bit

In §8.4 we have discussed that in an abelian group in the general case, the discrete logarithm problem is hard: the function g^x is believed to be one-way. Moreover, it is so far not known whether the function is a trapdoor. So extraction of x from g^x with the help of an oracle is a strange idea. However, in order to investigate the relation between the bit security and the block security for the discrete logarithm function, let us assume that there exists an oracle which can answer some bit-level partial information of x upon being fed a pair (g, g^x).

If the element g has an odd order, then the value 2^{-1} (mod ord(g)) is available if ord(g) is not secret (this is the usual case). In this situation, the problem of extracting the discrete logarithm using a parity oracle is in fact, bit by bit, the reverse operation of the modulo exponentiation algorithm (see Alg 4.3). Since the modulo exponentiation algorithm is also called the "squaring-and-multiplying" method, the reverse algorithm should be called the "square-rooting-and-dividing" method. Alg 9.2 specifies such a method.

Now what happens if g has an even order? For example, if g is a generator element of Z_p^* with p being a prime number, then ord_p(g) = p − 1 is even and is not relatively prime to 2. Therefore 2^{-1} (mod p − 1) does not exist. So square-rooting of h cannot be done in the form of Step 2.2 in Alg 9.2.
Algorithm 9.2: Extracting Discrete Logarithm Using a Parity Oracle

INPUT (g, h): g is a group element of an odd order, h = g^x;
PO_desc(g): a parity oracle, PO_desc(g)(g, h) = log_g h (mod 2).
OUTPUT integer x.

1. Set x ← 0; y ← 2^{-1} (mod ord(g)).
2. Repeat the following steps until h = 1 (* including h = 1 *)
{
2.1 If (PO_desc(g)(g, h) == 1) then h ← h/g; x ← x + 1;
(* when log_g h is odd, do "division and plus 1," as reverse to "multiplication and minus 1" in modulo exponentiation *)
2.2 h ← h^y; x ← 2x;
(* now log_g h is even, do "square rooting and doubling" as reverse to "squaring and halving" in modulo exponentiation *)
}
3. Return(x).
However, in this case (i.e., when g is a generator element in Z_p^*), we can still compute square roots of h modulo p using Alg 6.4. For any quadratic residue element h ∈ QR_p, that square-rooting algorithm will return two square roots of h, which we shall denote by ±√h. Since g is a generator of Z_p^*, it holds that g ∈ QNR_p; but h ∈ QR_p, therefore log_g h must be an even number. Thus, without loss of generality, we can write the discrete logarithms of the two square roots of h to the base g as follows:

Equation 9.5.1

Notice that because addition in (9.5.1) is computed modulo p − 1, exactly one of the two values in (9.5.1) is less than (p − 1)/2, and the other must be greater than or equal to (p − 1)/2. Clearly, the square root which has the smaller discrete logarithm to the base g is the correct square root. The trouble is, from √h and −√h, we cannot see which one of the two square roots has the smaller discrete logarithm to the base g!
Algorithm 9.3: Extracting Discrete Logarithm Using a "Half-order Oracle"

INPUT (g, h, p): g is a generator of Z_p^* with p prime; h = g^x (mod p);
PO_(p,g): a half-order oracle; PO_(p,g)(g, y, −y) returns whichever of y and −y has the smaller discrete logarithm to the base g.
OUTPUT integer x.

1. Set x ← 0.
2. Repeat the following steps until h = 1 (* including h = 1 *)
{
2.1 If (h ∈ QNR_p) then h ← h/g; x ← x + 1;
(* h ∈ QNR_p implies that log_g h is odd; this can be done by testing the Legendre symbol. *)
2.2 h ← PO_(p,g)(g, √h, −√h); x ← 2x;
(* we can do square-rooting with no difficulty, but we need the oracle to tell us which root is the correct one, i.e., has the smaller discrete logarithm. *)
}
3. Return(x).
Nevertheless, if we have a different "one-bit-information oracle" which, upon being fed (g, y, −y), answers y or −y, whichever has the smaller discrete logarithm to the base g, then we can use this oracle (call it "half-order oracle") to pick the correct square root for us. Alg 9.3, which is modified from Alg 9.2, does the job using the "half-order oracle."

Since testing the Legendre symbol and computing square roots modulo a prime can be efficiently done, from Alg 9.3 we know that being able to decide from (g, h) whether log_g h is less than (p − 1)/2 is equivalent to extracting log_g h from (g, h).

Alg 9.3 is more general than Alg 9.2 in that it will also work with g of odd order. Let us therefore go through Alg 9.3 with a small numerical example.

Example 9.3.

Suppose we have a "half-order oracle." For the group Z_23^*, generator g = 5 and element h = 9, let us extract x = log_5 9 (mod 22) by calling the "half-order oracle."

An execution tree of Alg 9.3 on input (5, 9, 23) can be given as follows. Each double arrow stands for the "square-rooting," of which the horizontal ones are those chosen by the "half-order oracle." Each single arrow stands for "dividing-g" (g = 5). All computations are performed modulo 23.

At the start of the algorithm, x is initialized to 0 (step 1). For each double arrow, the operation x ← 2x will be performed (step 2.2), and for each single arrow, the operation x ← x + 1 will be performed (step 2.1). Upon termination of the algorithm, the final value for x is 10. Indeed, 9 = 5^10 (mod 23).

These results show that the individual bits of a discrete logarithm are in general as hard as the whole block. We now also know that if a generator element is a quadratic residue, then all bits including the least significant bit of a discrete logarithm to this base are hard. This leads to a "semantically secure" version of the ElGamal cryptosystem, which we shall introduce in Chapter 14.
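An added example (not the book's code) of the square-rooting-and-dividing method with both oracle types: the parity oracle of Alg 9.2 for an element of odd order, and the half-order oracle of Alg 9.3 on Example 9.3's input (5, 9, 23). Because the bits of x are recovered least significant first, the code weights the i-th extracted bit by 2^i rather than doubling a running total as in step 2.2 (doubling reverses the bit order and gives 10 for Example 9.3 only because 1010_2 reversed and doubled is again 10). Assumed: the oracles are simulated from a brute-force log table, square roots use the p ≡ 3 (mod 4) shortcut, and 2 = 5^2 (order 11 in Z_23^*) is the constructed odd-order element.

```python
def legendre(a, p):
    """Euler's criterion for an odd prime p and a != 0: 1 if a in QR_p, -1 if a in QNR_p."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def sqrt_mod(a, p):
    """One square root of a quadratic residue a; restricted to p = 3 (mod 4), where
    a^((p+1)/4) is a root (an assumption that keeps the example short)."""
    assert p % 4 == 3 and legendre(a, p) == 1
    return pow(a, (p + 1) // 4, p)


def dlog_table(g, p):
    """Brute-force log_g over the subgroup generated by g, affordable only for a toy p.
    Used solely to simulate the oracles, which in the text are black boxes."""
    logs, y = {}, 1
    for x in range(p - 1):
        logs.setdefault(y, x)
        y = y * g % p
    return logs


def make_parity_oracle(g, p):
    """PO_desc(g)(g, h) = log_g h (mod 2)."""
    logs = dlog_table(g, p)
    return lambda h: logs[h] % 2


def make_half_order_oracle(g, p):
    """PO_(p,g)(g, y, -y): whichever of y and -y has the smaller log to base g,
    i.e. the one whose log is below (p-1)/2."""
    logs = dlog_table(g, p)
    return lambda y, minus_y: y if logs[y] < logs[minus_y] else minus_y


def dlog_with_parity_oracle(g, h, p, order, parity_oracle):
    """Alg 9.2 setting: ord(g) odd, so h -> h^(2^-1 mod ord(g)) halves an even log."""
    assert order % 2 == 1
    half = pow(2, -1, order)
    g_inv = pow(g, -1, p)
    x, weight = 0, 1
    while h != 1:
        if parity_oracle(h) == 1:        # log_g h odd: undo the "multiply by g"
            h = h * g_inv % p
            x += weight                  # bits arrive least significant first
        h = pow(h, half, p)              # log_g h even: undo the "squaring"
        weight *= 2
    return x


def dlog_with_half_order_oracle(g, h, p, half_order_oracle):
    """Alg 9.3 setting: g generates Z_p^*, so ord(g) = p - 1 is even; the Legendre
    symbol gives the parity of log_g h and the oracle picks the right square root."""
    g_inv = pow(g, -1, p)
    x, weight = 0, 1
    while h != 1:
        if legendre(h, p) == -1:         # h in QNR_p  <=>  log_g h is odd
            h = h * g_inv % p
            x += weight
        r = sqrt_mod(h, p)
        h = half_order_oracle(r, p - r)  # the root whose log_g is below (p-1)/2
        weight *= 2
    return x


def example_9_3():
    """Example 9.3: p = 23, g = 5, h = 9; expect x = 10 since 5^10 = 9 (mod 23)."""
    return dlog_with_half_order_oracle(5, 9, 23, make_half_order_oracle(5, 23))
```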

9.6 Chapter Summary

Our investigations on the hardness of the bit-level security for the basic and popular public-key cryptographic algorithms have invariantly reached very positive results: every single plaintext bit hidden under these functions is as hard as the whole plaintext block. These positive results suggest the following observation: if a plaintext message is random, then the problem of finding any information about the plaintext can be as hard as inverting these basic functions.

This observation has been applied by many researchers to constructing stronger public-key encryption schemes out of the basic and popular public-key cryptographic primitives. The idea is to randomize the plaintext messages using some randomization schemes. In Part V, we will study a general methodology named random oracle model to achieve the construction of strong and provably secure public-key encryption schemes (in fact, digital signature schemes too) out of the basic and popular public-key cryptographic primitives.

Through our investigation on several basic and popular public-key cryptographic functions we have also witnessed an invariant weakness of these functions: they are extremely vulnerable to active attacks. The general methodology for strengthening public-key encryption algorithms to be studied in Part V will also include mechanisms for foiling active attacks.

Exercises
9.1 Complete the other three cases of "Iteration 2" in the proof of Theorem 9.1, i.e.,
i. (a, b) = ( , N), $PO_N(2^{2e} c) = 1$;
ii. (a, b) = (0, ), $PO_N(2^{2e} c) = 0$;
iii. (a, b) = (0, ), $PO_N(2^{2e} c) = 1$.
9.2 Under what condition can the RSA encryption algorithm have a strong bit security?
Hint: if a plaintext has some verifiable partial information, can the encryption algorithm have a strong block security?
9.3 Does the strong bit security of the basic public-key encryption algorithms imply that these algorithms are secure?
9.4 What is the security basis for the Blum-Blum-Shub pseudo-random number generator?
9.5 Let p be a prime and g be a generator element in . The ease of computing the Legendre symbol of $g^x \pmod p$ means the ease of computing the parity bit of x. Why is the extraction of x from $g^x \pmod p$ still a hard problem?

Chapter 10. Data Integrity Techniques
Section 10.1. Introduction
Section 10.2. Definition
Section 10.3. Symmetric Techniques
Section 10.4. Asymmetric Techniques I: Digital Signatures
Section 10.5. Asymmetric Techniques II: Data Integrity Without Source Identification
Section 10.6. Chapter Summary
Exercises

10.1 Introduction
In Chapter 2 we made a realistic and standard assumption on the vulnerability of the open communications network: all communications go through an adversary named Malice who is free to eavesdrop, intercept, relay, modify, forge or inject messages. When Malice injects modified or forged messages, he will try to fool the targeted receivers into believing that the messages are sent from some other principals. To use such a vulnerable communications medium in a secure manner, as is required for secure electronic commerce transactions, cryptographic mechanisms which can provide the security service in terms of message confidentiality (i.e., protection against eavesdropping) are inadequate. We need mechanisms which can enable a message receiver to verify that a message has indeed come from the claimed source and has not been altered in an unauthorized way during the transmission. Data integrity is the security service against unauthorized modification of messages.

Data integrity in modern cryptography is closely related to, and evolves from, a classical subject in communications: error-detection code. The latter is a procedure for detecting errors which can be introduced into messages due to faults in communications. It is considered that using information which has been modified in a malicious way carries the same risk as using information which contains defects due to errors introduced in communications or data processing. As a result, the working principle of the techniques providing data integrity and that of techniques providing error-detection codes are essentially the same: a transmitter of a message creates a "checking value" by encoding some redundancy into the message to be transmitted and appends the checking value to the message; a receiver of the message then verifies the correctness of the message received using the appended checking value according to a set of rules which are agreed with the transmitter [275]. In error-detection codes, the redundancy is encoded in such a way that the receiver can use a maximum likelihood detector to decide which message he should infer as having most likely been transmitted from the possibly altered codes that were received. In data integrity protection, the redundancy is encoded in such a way that the appended checking value will be distributed as uniformly as possible over the entire space of the checking values, so as to minimize the probability for an attacker to forge a valid checking value. The cryptographic transformation for the latter way of adding redundancy is similar to the mixing-transformation property for encryption that we have described in 7.1, although for the case of encryption the mixing transformation is not based on adding verifiable redundancy.

Like an encryption algorithm, the cryptographic transformations for achieving data integrity should also be parameterized by keys. Thus, in the usual sense, a correct data-integrity verification result will also provide the verifier with the knowledge of the message source, that is, the principal who had created the data integrity protection. However, recently a notion of "data integrity without source identification" has emerged. This new notion is important in the study of public-key cryptosystems secure against adaptive attackers. We will use an example to introduce this notion. The example will serve as a preparation for a later chapter where we study the public-key cryptosystems secure against adaptive attackers.
10.1.1 Chapter Outline
We begin the technical part of this chapter by providing a syntactic definition for data integrity protection (10.2). Cryptographic techniques for providing data integrity services will then be introduced. The introduction will be divided into symmetric techniques (10.3), asymmetric ones (10.4) and the notion of data integrity without source identification (10.5).

10.2 Definition
Definition 10.1: Data Integrity Protection. Let Data be arbitrary information. Let Ke denote an encoding key and Kv denote a verification key which matches the encoding key. Data integrity protection on Data comprises the following cryptographic transformations:
Manipulation detection code creation:
Manipulation detection code verification:
Here f and g are efficient cryptographic transformations; the former is parameterized by an auxiliary input Ke (encoding key) and the latter is parameterized by an auxiliary input Kv (verification key); MDC stands for manipulation detection code. The probability space[a] includes the space of all possible cases of Data, MDC and keys, and perhaps a random input space if the signing/verification algorithms are probabilistic ones.
[a] The meaning of the "overwhelming" probability follows the "overwhelming" notion we have defined in 4.6.
Fig 10.1 provides an illustration of data integrity systems.
Figure 10.1. Data Integrity Systems

We should notice that although in our introductory discussions (and in Fig 10.1) we have used a communications scenario to introduce the notion of data integrity protection, Definition 10.1 needn't be confined to communications; for example, the pair (Data, MDC) can be data stored to or retrieved from an insecure data storage.

Similar to the case of cryptosystems, data integrity protection also has symmetric techniques and asymmetric techniques. However, we should notice a difference between the two systems in the case of public-key techniques. In cryptosystems realized by asymmetric techniques, the public key and the private key have fixed usages: the public key is for message encoding (encryption) and the private key is for message decoding (decryption). In data-integrity systems realized by asymmetric techniques, the public (private) key can have both encoding and verification usages. These two different usages will be the respective topics for 10.4 and 10.5.

10.3 Symmetric Techniques
In symmetric techniques for achieving data integrity, the cryptographic transformations f and g (see Definition 10.1) are a symmetric cryptographic algorithm, which means f = g and Ke = Kv, that is, the creation and the verification of the consistency between Data and MDC use the identical cryptographic operation.

Due to a close relation between data integrity and message authentication (we will study message authentication in Chapter 11), an MDC created by a symmetric cryptographic technique is often called a message authentication code (MAC for short). A MAC can be created and verified using a keyed hash function technique, or using a block cipher encryption algorithm.
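The contrast drawn in 10.1 between an error-detection code and a keyed checking value, and the symmetric instantiation of Definition 10.1 just described (f = g, Ke = Kv), as an added example that is not the book's own code. It assumes CRC-32 as the error-detection code and HMAC-SHA-256 as the keyed hash; the function names and the sample message are the example's own.

```python
import hashlib
import hmac
import zlib

# Sample message constructed for this example (not from the book).
SAMPLE_DATA = b"payee=Bob;amount=100;ref=0042"


# --- Error-detection code: the checking value involves no key ---------------
def crc_create(data: bytes) -> bytes:
    """Checking value of an error-detection code (CRC-32, from zlib)."""
    return zlib.crc32(data).to_bytes(4, "big")


def crc_verify(data: bytes, check: bytes) -> bool:
    """Accept iff the received checking value matches the received data."""
    return crc_create(data) == check


# --- Symmetric data integrity protection: Definition 10.1 with f = g, Ke = Kv
def mdc_create(ke: bytes, data: bytes) -> bytes:
    """f: (Ke, Data) -> MDC, realized with the keyed hash HMAC-SHA-256."""
    return hmac.new(ke, data, hashlib.sha256).digest()


def mdc_verify(kv: bytes, data: bytes, mdc: bytes) -> bool:
    """g: (Kv, Data, MDC) -> True/False.  In the symmetric case g recomputes f with
    Kv = Ke and compares; compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(mdc_create(kv, data), mdc)


def malice_modifies(data: bytes) -> bytes:
    """An unauthorized modification in transit: the amount field is changed."""
    return data.replace(b"amount=100", b"amount=900")


def demo(ke: bytes) -> dict:
    """Run both schemes over SAMPLE_DATA and report what each verifier accepts."""
    data = SAMPLE_DATA
    crc = crc_create(data)
    mdc = mdc_create(ke, data)
    altered = malice_modifies(data)
    # Malice does not know Ke; a deterministically different key stands in for his guess.
    wrong_key = bytes(b ^ 0xFF for b in ke)
    return {
        # both checking values accept the unmodified message
        "crc_accepts_original": crc_verify(data, crc),
        "mdc_accepts_original": mdc_verify(ke, data, mdc),
        # both detect an alteration that leaves the old checking value in place
        "crc_detects_alteration": not crc_verify(altered, crc),
        "mdc_detects_alteration": not mdc_verify(ke, altered, mdc),
        # the CRC has no key, so a refreshed CRC for the altered message is accepted ...
        "crc_refreshed_without_key": crc_verify(altered, crc_create(altered)),
        # ... while an MDC computed under any key other than Ke is rejected by Kv
        "mdc_refreshed_without_key": mdc_verify(ke, altered, mdc_create(wrong_key, altered)),
    }
```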
10.3.1 Cryptographic Hash Functions
A common method for realizing a MAC is to use a so-called keyed hash function technique. We first introduce cryptographic hash functions.

A hash function is a deterministic function which maps a bit string of an arbitrary length to a hashed value which is a bit string of a fixed length. Let h denote a hash function whose fixed output length is denoted by |h|. It is desired that h should have the following properties:
Property 10.1: Properties of a Hash Function
Mixing-transformation: On any input x, the output hashed value h(x) should be computationally indistinguishable from a uniform binary string in the interval $[0, 2^{|h|})$. Here, the computational indistinguishability follows Definition 4.15 (in 4.7). By Assumption 4.2 (also in 4.7), this property is a reasonable one.
Collision resistance: It should be computationally infeasible to find two distinct inputs x, y such that h(x) = h(y). For this assumption to be reasonable, it is necessary that the output space of h should be sufficiently large. The least value for |h| is 128 while a typical value is 160.
Pre-image resistance: Given a hashed value h, it should be computationally infeasible to find an input string x such that h = h(x). This assumption also requires that the output space of h be sufficiently large.
Practical efficiency: Given an input string x, the computation of h(x) can be done in time bounded by a small-degree polynomial (ideally linear) in the size of x.
The mixing-transformation and collision resistance properties of a hash function can be realized by using operations similar to those used in the design of a block cipher algorithm (see 7.6-7.7). The pre-image resistance property can be realized using some data compression techniques which render partial loss of some input data and therefore make the function non-invertible.

We shall not describe the design details of any real hash function. More inquisitive readers may find them in the literature (e.g. Chapter 9 of [198]).
10.3.1.1 Hash Functions' Applications in Cryptography

Hash functions are widely used in cryptography. We can list here several important uses of hash functions.

In digital signatures, hash functions are generally used for generating "message digests" or "message fingerprints." This usage is to add certain verifiable redundancy to a message to be signed so that the hashed message contains recognizable information. We will see this general usage of hash functions in digital signatures in this chapter (10.4). There we will realize that the security of a digital signature scheme (unforgeability) crucially depends on some recognizable redundant information contained in the message signed. Formal arguments that this usage of hash functions offers provable security for digital signature schemes will be described in Chapter 16.

In public-key cryptosystems with fit-for-application security, hash functions are widely used for realizing a ciphertext correctness verification mechanism. Such a mechanism is necessary for an encryption scheme to achieve a provable security against active attackers. We will see an example of this usage in this chapter (10.5). Formal evidence that this usage of hash functions offers provable security for public-key encryption will be provided in Chapter 15, where we will further see the more fundamental role that hash functions play in making public-key encryption provably secure.

In a wide range of cryptographic applications where pseudo-randomness is required, hash functions are widely used as practical pseudo-random functions. These applications include: key agreement (e.g., two principals providing their own random seed input to a hash and obtaining a shared key value), authentication protocols (e.g., for two protocol participants to confirm the completion of a protocol run by exchanging some hashed values), electronic commerce protocols (e.g., to achieve micro-payment aggregation via gambling [297, 201]), proof of knowledge protocols (e.g., to achieve a non-interactive mode of proof, see 18.3.2.2). We will see abundant examples of such usages of hash functions in the rest of this book.
10.3.1.2 Random Oracle
Let us recap the "mixing-transformation" property of a hash function: on any input, the distribution of the output hashed value is computationally indistinguishable from the uniform distribution in the function's output space. If we change "is computationally indistinguishable from the uniform distribution" into "is uniform," then we turn the hash function into a very powerful and imaginary function named random oracle.

We regard random oracle a very powerful function because of the combination of the three properties, i.e.: deterministic, efficient and uniform output. The reason for us to have labeled random oracle an imaginary function is that, in all computational models we know of, there exists no computing mechanism or machinery which can be so powerful.

On the one hand, we know how to output uniformly distributed random values efficiently, e.g., by tossing a fair coin. However, this way of outputting randomness is not a deterministic procedure. On the other hand, we can also relate a set of uniformly independent values deterministically, e.g., by sorting a set of such values so that any two of them have a deterministic relation as the distance between them in the sorted list. However, this relation cannot be computed in time polynomial in the size of these random values (sorting a list of n items needs n log n steps).

In fact, a random oracle's properties of determinism and uniform output mean that the output of a random oracle has an entropy greater than that of its input (review 3.7 for the definition of entropy). However, according to Shannon's entropy theory (Theorem 3.2, in 3.7), a deterministic function can never "amplify" entropy. Therefore, random oracle does not exist in

the real world.

Since the mixing-transformation property of a hash function is only a computational assumption (Assumption 4.2, in 4.7), a hash function in the real world should have this property only up to a computational indistinguishability given by Definition 4.15 (in 4.7), i.e., its output values follow some probability distribution (in the output message space) which may not be discernible by a polynomially bounded distinguisher. Thus, a real-world hash function only emulates the random oracle behavior to a precision where the difference is hopefully a negligible quantity.

Nevertheless, a hash function's emulated behavior of a random oracle plays an important role in public-key cryptography. In essence, to hash a message is to add quality redundancy to the message in a deterministically verifiable manner.
10.3.1.3 Birthday Attack
Assuming that a hash function h really behaves as a random oracle, the square-root attack (the birthday attack, see 3.6) suggests that
random evaluations of the hash function will suffice for an attacker to obtain a collision with a non-negligible probability. To mount a birthday attack, the attacker should generate random message-hash pairs
until he ends up with finding two messages m and m' satisfying
Equation 10.3.1
Such a pair of messages is called a collision under the hash function h. Of course, in order for a birthday attack to be useful for the attacker, the collision messages m and m' should contain some meaningful sub-messages. For example, let a message to be hashed (and digitally signed, see 10.4) be a payment authorization statement in the following form
where R is a random number to make the protocol messages randomized (it is always desirable that protocol messages are randomized). Then an interesting birthday attack can be

and
where Price_1, Price_2 and Goods_Description are fixed message parts, and the collision is on the random numbers r, r'. Collision finding for such messages has the same complexity as collision finding for random messages as in (10.3.1) since we can view
and
as two random functions.
It is obvious that fewer evaluations will be needed if a hash function is not a truly random function.
Thus, the size of the output space of a cryptographic hash function must have a lower bound. The currently widely used hash functions in applied cryptography are SHA-1 [217] and RIPEMD-160 [53]. Both have the output length |h| = 160. Their strength against the square-root attack is therefore 2^80. This is comparable to the strength of a block cipher algorithm with a key length of up to 80 bits. The previously popular hash function MD5 [243] has |h| = 128, which was tailored to suit DES's key length of 56 bits and block length of 64 bits.
With the introduction of AES-128, AES-192 and AES-256 (the AES with key lengths 128, 192 and 256 bits, respectively, see 7.7), standards bodies (e.g., ISO/IEC [151]) are currently standardizing hash functions of compatible output lengths |h| in {256, 384, 512}.
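An added example (not from the book) that runs the two-template birthday search of this subsection in Go against a SHA-256 output truncated to a small |h|, so that the 2^(|h|/2) estimate can be checked directly; the Price/Goods_Description statement layout and the 64-bit nonce R are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// Collision is the result of a birthday search: one message from each
// template that hash to the same truncated value, plus the cost in evaluations.
type Collision struct {
	M1, M2      []byte
	Evaluations int
}

// truncHash models a hash function of output length nbits (1..64) by
// truncating SHA-256; truncation keeps the random-oracle-like behaviour while
// making the 2^(|h|/2) bound small enough to reach in a test.
func truncHash(msg []byte, nbits uint) uint64 {
	d := sha256.Sum256(msg)
	return binary.BigEndian.Uint64(d[:8]) >> (64 - nbits)
}

// statement builds the payment authorization of the section,
// Price || Goods_Description || R, with R a 64-bit nonce (constructed layout).
func statement(price, goods string, r uint64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], r)
	return append([]byte(price+"|"+goods+"|"), buf[:]...)
}

func randomNonce() uint64 {
	var buf [8]byte
	if _, err := rand.Read(buf[:]); err != nil {
		panic(err)
	}
	return binary.BigEndian.Uint64(buf[:])
}

// birthdaySearch treats r -> h(price1||goods||r) and r' -> h(price2||goods||r')
// as two random functions and looks for r, r' with equal outputs, alternating
// between the two templates. It gives up after maxEval evaluations.
func birthdaySearch(price1, price2, goods string, nbits uint, maxEval int) (Collision, bool) {
	seen1 := map[uint64]uint64{} // truncated hash -> nonce, template 1
	seen2 := map[uint64]uint64{} // truncated hash -> nonce, template 2
	evals := 0
	for evals < maxEval {
		r := randomNonce()
		h1 := truncHash(statement(price1, goods, r), nbits)
		evals++
		if r2, ok := seen2[h1]; ok {
			return Collision{statement(price1, goods, r), statement(price2, goods, r2), evals}, true
		}
		seen1[h1] = r

		r2 := randomNonce()
		h2 := truncHash(statement(price2, goods, r2), nbits)
		evals++
		if r1, ok := seen1[h2]; ok {
			return Collision{statement(price1, goods, r1), statement(price2, goods, r2), evals}, true
		}
		seen2[h2] = r2
	}
	return Collision{}, false
}

// sqrtBound is 2^(nbits/2), the square-root attack estimate from the text.
func sqrtBound(nbits uint) float64 { return math.Pow(2, float64(nbits)/2) }

func main() {
	const nbits = 24 // constructed toy output size; real hashes use 160 bits or more
	c, ok := birthdaySearch("Price_1=100", "Price_2=1", "Goods_Description=laptop", nbits, 1<<20)
	fmt.Printf("found=%v after %d evaluations (2^(%d/2) = %.0f)\n", ok, c.Evaluations, nbits, sqrtBound(nbits))
	if ok {
		fmt.Printf("h(m)=%06x h(m')=%06x\n", truncHash(c.M1, nbits), truncHash(c.M2, nbits))
	}
}
```

With |h| = 24 the search usually ends after a few thousand evaluations, which is the cost that the lower bound on |h| is meant to push out of reach.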
10.3.2 MAC Based on a Keyed Hash Function
Cryptographic hash functions naturally form a cryptographic primitive for data integrity. For use in a shared-key scenario, a hash function takes a key as part of its input. The other part of the input is the message to be authenticated. Thus, to authenticate a message M, a transmitter computes
where k is a secret key shared between the transmitter and a receiver, and "||" denotes bit string concatenation.
From the properties of a hash function listed in 10.3.1, we can assume that in order to create a valid MAC using a hash function with respect to a key k and a message M, a principal must

actually be in possession of the correct key and the correct message. The receiver who shares the key k with the transmitter should recalculate the MAC from the received message M and check that it agrees with the MAC received. If so, the message can be believed to have come from the claimed transmitter.
Because such a MAC is constructed using a hash function, it is also called an HMAC. It is often a prudent practice that an HMAC is computed in the following format
that is, the key is prefixed and postfixed to the message to be authenticated [288]. This is in order to prevent an adversary from exploiting a "round-function iteration" structure of some hash functions. Without guarding both ends of the message with a secret key, such a known structure of certain hash functions may allow an adversary to modify the message by prefixing or postfixing some chosen data to the message without needing to know the secret key k.
10.3.3 MAC Based on a Block Cipher Encryption Algorithm
A standard method for forming a keyed hash function is to apply the CBC mode of operation using a block cipher algorithm. Conventionally, a keyed hash function so constructed is called a MAC.
Let E_k(m) denote a block cipher encryption algorithm keyed with the key k on input the message m. To authenticate a message M, the transmitter first divides M as
where each sub-message block m_i (i = 1, 2, ..., l) has the size of the input of the block cipher algorithm. Padding of a random value to the last sub-message block m_l may be necessary if the final block is not of the full block size. Let C_0 = IV be a random initializing vector. Now the transmitter applies the CBC encryption:
Then the pair
will be used as the MAC to be appended to M and sent out.
It is obvious that the computation for creating a CBC-MAC involves non-invertible data compression (in essence, a CBC-MAC is a "short digest" of the whole message), and so a CBC-MAC is a one-way transformation. Moreover, the mixing-transformation property of the underlying block cipher encryption algorithm adds a hash feature to this one-way transformation (i.e., distributes a MAC over the MAC space as uniformly as the underlying block cipher should do

over its ciphertext message space). Thus, we can assume that in order to create a valid CBC-MAC, a principal actually has to be in possession of the key k which keys the underlying block cipher algorithm. The receiver who shares the key k with the transmitter should recalculate the MAC from the received message and check that it agrees with the version received. If so, the message can be believed to have come from the claimed transmitter.
We will sometimes denote by MAC(k, M) a MAC which provides the integrity service on the message M for principals who share the key k. In this notation we ignore the implementation details such as what underlying one-way transformation has been used for the MAC's realization.
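An added Go example (not the book's code) covering both 10.3.2 and 10.3.3: the keyed-hash MAC h(k || M || k) next to the standardised HMAC, and a CBC-MAC built from AES with the receiver's constant-time check. It assumes a fixed all-zero IV (as standardised CBC-MAC does) rather than the random IV of the text, a deterministic 0x80-then-zeros padding, and a constructed 128-bit key and message.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// keyedHashMAC is the keyed-hash construction of 10.3.2: h(k || M || k),
// with the secret key guarding both ends of the message.
func keyedHashMAC(key, msg []byte) []byte {
	h := sha256.New()
	h.Write(key)
	h.Write(msg)
	h.Write(key)
	return h.Sum(nil)
}

// standardHMAC is the standardised HMAC (RFC 2104) over the same hash, shown
// for comparison; deployed protocols use it in place of h(k || M || k).
func standardHMAC(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// padBlocks pads msg to a whole number of bs-byte blocks by appending one
// 0x80 byte and then zeros. This deterministic padding is an assumption of the
// example; the text only says the last block may need padding.
func padBlocks(msg []byte, bs int) []byte {
	out := append([]byte{}, msg...)
	out = append(out, 0x80)
	for len(out)%bs != 0 {
		out = append(out, 0x00)
	}
	return out
}

// cbcMAC is the construction of 10.3.3: CBC-encrypt M = m_1 || ... || m_l
// under k and keep only the last ciphertext block C_l. C_0 = IV is fixed to
// all zeros here instead of being sent with the tag; the input must already
// be padded to whole blocks.
func cbcMAC(key, paddedMsg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(paddedMsg) == 0 || len(paddedMsg)%bs != 0 {
		return nil, fmt.Errorf("message length %d is not a positive multiple of %d", len(paddedMsg), bs)
	}
	c := make([]byte, bs) // C_0 = IV = 0...0
	x := make([]byte, bs)
	for i := 0; i < len(paddedMsg); i += bs {
		for j := 0; j < bs; j++ {
			x[j] = c[j] ^ paddedMsg[i+j] // C_{i-1} XOR m_i
		}
		block.Encrypt(c, x) // C_i = E_k(C_{i-1} XOR m_i)
	}
	return c, nil
}

// verifyTag is the receiver's check: recompute the MAC from the received
// message and compare in constant time so timing does not leak the tag.
func verifyTag(expected, received []byte) bool {
	return hmac.Equal(expected, received)
}

func main() {
	key := []byte("0123456789abcdef")              // constructed 128-bit AES key
	msg := []byte("Price=100|Goods=laptop|R=42")   // constructed message
	tampered := []byte("Price=999|Goods=laptop|R=42")
	t1 := keyedHashMAC(key, msg)
	t2, _ := cbcMAC(key, padBlocks(msg, aes.BlockSize))
	fmt.Println("h(k||M||k):", hex.EncodeToString(t1))
	fmt.Println("CBC-MAC   :", hex.EncodeToString(t2))
	fmt.Println("HMAC      :", hex.EncodeToString(standardHMAC(key, msg)))
	fmt.Println("tampered message accepted?", verifyTag(t1, keyedHashMAC(key, tampered)))
}
```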

10.4 Asymmetric Techniques I: Digital Signatures
In public-key cryptography, a principal can use her/his private key to "encrypt" a message and the resultant "ciphertext" can be "decrypted" back to the original message using the principal's public key. Evidently, the "ciphertext" so created can play the role of a manipulation detection code (MDC) accompanying the "encrypted" message, that is, provide data integrity protection for the message. Here, the public-key "decryption" process forms a step of verification of the MDC.
Moreover, while the verification of such an MDC can be performed by anybody since the public key is available to anybody, it is considered that only the owner of the public key used for the MDC verification could have created the MDC using the corresponding private key. Thus, this usage of public-key cryptography can model precisely the property of a signature, a digital signature, for proving the authorship of a message. In other words, public-key cryptography, more precisely, a one-way trapdoor function (see Property 8.1, in 8.1), can be used to realize a digital signature scheme[b]. Diffie and Hellman envisioned the notion of digital signature first [97] (the publication date of this paper is 1976, but the paper was first distributed in December 1975 as a preprint, see [96]).
[b] Although the more fundamental basis for digital signatures is one-way function, see [173], one-way trapdoor function is the basis for practical digital signatures.
The ability to provide a digital signature forms a great advantage of public-key cryptography over secret-key cryptography (the other significant advantage of public-key cryptography is the possibility of achieving key distribution between remote parties, see, e.g., 8.15). Now that only a single entity is able to create a digital signature of a message which can be verified by anybody, it is easy to settle a dispute over who has created the signature. This allows provision of a security service called non-repudiation, which means no denial of a connection with a message. Non-repudiation is a necessary security requirement in electronic commerce applications.
Syntactically, Definition 10.2 specifies the definition of a digital signature scheme.
Definition 10.2: Digital Signature Scheme A digital signature scheme consists of the following attributes:
a plaintext message space M: a set of strings over some alphabet
a signature space S: a set of possible signatures
a signing key space K: a set of possible keys for signature creation, and a verification key space K': a set of possible keys for signature verification
an efficient key generation algorithm Gen, where K, K' are the private and public key spaces, respectively
an efficient signing algorithm Sign: M × K → S
an efficient verification algorithm Verify: M × S × K' → {True, False}.
For any sk ∈ K and any m ∈ M, we denote by

the signing transformation and read it as "s is a signature of m created using key sk."
For any secret key sk ∈ K, let pk denote the public key matching sk, and for m ∈ M, s ∈ S, it is necessary
where the probability space includes S, M, K and K', and perhaps a random input space if the signing/verification algorithms are probabilistic ones.
This definition can be viewed as a special case of Definition 10.1: (Sign, Verify), (sk, pk) and (m, s) in the former correspond to (f, g), (Ke, Kv) and (Data, MDC) in the latter, respectively.
Notice that the integer input to the key generation algorithm Gen provides the size of the output signing/verification keys. Since the key generation algorithm is efficient with running time polynomial in the size of its input, the input integer value should be unary encoded (for the reason see Definition 4.7 in 4.4.6.1). This integer is the security parameter of the signature scheme and defines the size of the signature space.
With the size of the signature space defined by the security parameter, the meaning of the "overwhelming" probability for the case of Verify_pk(m, s) = False when
follows the "overwhelming" notion defined in 4.6. However, this probability must disregard an easy forgery case to be remarked in Remark 10.1. A quantitative measure for "overwhelming" will be given for several "fit-for-application" signature schemes when we study formal proofs of security for digital signatures in Chapter 16.
Semantically, Shannon's mixing-transformation characterization for encryption algorithms (see 7.1) also makes great sense for a digital signature scheme. Algorithm Sign should also be a good mixing-transformation function: output signature values should be fairly uniformly distributed over the entire signature space S. This property prevents an easy way of creating a valid signature without using the corresponding signing key.
10.4.1 Textbook Security Notion for Digital Signatures
Analogous to the case of Property 8.2 (in 8.2) being a textbook security notion for the basic public-key encryption algorithms introduced in Chapter 8, we shall also consider a very weak security notion for the digital signature schemes to be introduced in this chapter.
Property 10.2: Textbook Security Notion for Digital Signatures Within the scope of this chapter we only consider a restricted notion of security for digital signatures. We say that a digital signature is secure if it is computationally infeasible for an attacker to forge (i.e., to create) a valid message-signature pair "from scratch." That is, the attacker is given a public key and the description of a signature scheme, and is required to output a valid message-signature pair which has never been issued by a targeted signer (i.e., the owner of the given public key). The attacker is non-adaptive, that is, it does not try to ease its forgery task via, e.g., using some other available message-signature pairs or interacting with the targeted signer for the signer to issue valid signatures on messages of the attacker's choice.

We should notice that this notion of security for digital signatures is inadequate for applications because it assumes that the attacker is unreasonably weak or that the environment is extremely harsh to the attacker. In reality, message-signature pairs with respect to a given public key and a signature scheme are abundantly available since they are not secret information. Also, in general the attacker should be entitled to ask a signer to issue signatures on messages of its choice. Such an attacker is an adaptive one because it can choose messages in an adaptive way. In such an "adaptive chosen-message attack", the attacker is given a target message; it can choose messages based on the target message (maybe doing some algebraic transformation on the target message) and send the chosen messages to a targeted signer to get them signed. This is like the signer providing the attacker with a training course for signature forgery. The task for the attacker is to forge a signature on the target message. As we have discussed in 8.6 on the severity of adaptive attacks on cryptosystems, for the same reasons, an adaptive chosen-message attack on signature schemes, although much more severe than a non-adaptive one, is a reasonable attacking scenario and hence should be seriously considered.
Recall that when we considered the textbook security notion for textbook public-key encryption algorithms in the preceding chapter, we explicitly warned many times that a public key owner must not provide a "naive decryption service" to an attacker. That level of vigilance may be possible if a key owner is smart enough, even though demanding that a user keep a high degree of vigilance is not a correct solution to adaptive attacks. Now in the signature case, we can no longer demand or warn the user not to provide "naive signing services." A signing service may be unavoidable: to issue signatures on given messages can be a perfectly normal service in many applications.
A strong notion of security for digital signatures, which can be called unforgeability against adaptive chosen-message attack and is a fit-for-application security notion for digital signatures as the counterpart to CCA2 (Definition 8.3, in 8.6) for cryptosystems, will be introduced in Chapter 16. Formal security arguments for some digital signature schemes under the strong security notion will also be studied there.
We remark on an easy but benign form of signature forgery:
Remark 10.1 Existential forgery
The algorithms (Sign_sk, Verify_pk) form a one-way trapdoor function pair. The one-way part is Verify_pk and the trapdoor part is Sign_sk. In general, the function Verify_pk(s, m) is computed in the direction from s to m. Therefore, many digital signature schemes based on a one-way trapdoor function generally provide an efficient method for forging "valid message-signature" pairs using the one-way function Verify_pk computing from s to m. However, thanks to the mixing-transformation property which must also be possessed by the one-way function Verify_pk, a "message" generated from a "signature" using function Verify_pk will look random and is almost certainly meaningless. This easy way of forgery is part of a forgery technique called existential forgery. Digital signature schemes based on one-way trapdoor functions generally permit existential forgery. A usual method to prevent existential forgery is to add recognizable redundancy to the message to be signed, which permits a verifier to verify the non-random distribution of a message.

Let us now introduce several well-known digital signature schemes.
10.4.2 The RSA Signature (Textbook Version)
The RSA signature scheme is the first digital signature scheme following the vision of Diffie and Hellman. It was realized by Rivest, Shamir and Adleman [246]. The RSA signature scheme is specified in Alg 10.1. We notice that this is a textbook version for signing in RSA.
Algorithm 10.1: The RSA Signature Scheme
Key Setup
The key setup procedure is the same as that for the RSA cryptosystems (Alg 8.1).
(* thus, user Alice's public-key material is (N, e) where N = pq with p and q being two large prime numbers of roughly equal size, and e is an integer such that gcd(e, φ(N)) = 1. She also finds an integer d such that ed ≡ 1 (mod φ(N)). The integer d is Alice's private key. *)
Signature Generation
To create a signature of message m, Alice creates
Signature Verification
Let Bob be a verifier who knows that the public-key material (N, e) belongs to Alice. Given a message-signature pair (m, s), Bob's verification procedure is
(* N.B., Message m must be a recognizable one, see 10.4.3. *)
It is easy to see that the RSA digital signature procedures are in the same format as those for RSA encryption and decryption (see 8.5), except that now Alice performs "encryption" first using her private key, and Bob (or anybody) performs "decryption" later using Alice's public key. The holding of the verification congruence for a valid signature follows exactly the argument we have made in 8.5 for the cases of RSA encryption and decryption.
10.4.3 Informal Security Argument for the RSA Signature
If the RSA signature scheme is just as simple as we have described, then it is not difficult at all

for any body t o f orge Al ice's si gnat ur e. For exampl e, Bob can pi ck a r andom number and
comput e
Equ at i on 10 . 4. 1
Of cour se, for such a pr epared " message"- signat ure pai r, t he veri f i cat i on wi l l r et ur n Tr ue. Al so,
t he mul t i pl i cat i ve pr oper t y of t he RSA f unct i on ( see ( 8. 9. 1) i n 8. 9) pr ovi des an easy- t o- for ge
new message- si gnat ur e pai r f r om exi st i ng ones, e.g., a new message- si gnat ur e pai r ( m
1
m
2
,
s
1
s
2
) fr om exi st i ng message- si gnat ure pai r s ( m
1
, s
1
) and ( m
2
, s
2
) .
As we have remarked in Remark 10.1, the above methods of forgery are existential forgeries. Since the m created in (10.4.1) or by multiplication should look random, existential forgery is usually prevented by adding recognizable redundant information to m so that m becomes non-random or is "meaningful." The simplest method for adding recognizable information to a message is to have the message contain a recognizable part, e.g., m = M || I where M is the message really signed and I is a recognizable string such as the signer's identity.
The most commonly used method for adding recognizable information to a message is to "hash" the message using a cryptographic hash function (§10.3.1). Let h be such a hash function mapping from {0, 1}* to M. Then a message m ∈ M is regarded as recognizable or meaningful if there exists a string M ∈ {0, 1}* such that

Under such a notion of message recognizability, forging an RSA signature should no longer be an easy job. Computing m from s as in (10.4.1) does not constitute a useful forgery if the attacker cannot also come up with a message m which is recognizable, e.g., the attacker has in its possession a pre-image of m under the cryptographic hash function used. If we assume that the hash function behaves like a random oracle does (the random oracle behavior is described in §10.3.1.2), then "forging from scratch" an RSA signature for a given message should have the difficulty of solving the RSA problem, i.e., that of extracting the e-th root modulo N (Definition 8.4 in §8.7).
However, we must notice that we have not provided any formal evidence (i.e., a proof) for this result. The textbook RSA signature scheme in Alg 10.1 certainly does not have provable security. For the simple version using a hash function on the message, no one knows how to prove its security under adaptive chosen-message attack. Hence, this simple version should also be labeled a textbook RSA signature.
A better algorithm for signing in RSA using hash functions will be introduced in Chapter 16. That algorithm is a probabilistic one, meaning a signature output from the signing algorithm has a random distribution in the signature space which is indistinguishable from the uniform distribution. That algorithm is also a fit-for-application version of the RSA signature scheme. A formal argument for the security of that RSA signature scheme will be considered under a stronger and fit-for-application security notion which will also be introduced in Chapter 16.
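To make the two forgeries and the hash-based remedy concrete, here is an added example with a toy RSA key (not the book's code): the random-s pair of (10.4.1) and the multiplicative combination both pass textbook verification, while a hash-then-sign verifier recomputes h(M) from a supplied pre-image M and so has nothing to accept for a "message" that arrives without one. Assumed: SHA-256 reduced modulo N as the hash h, and the constructed toy key N = 1019 · 1039, e = 17.

```python
"""Added example: textbook RSA signatures versus hash-then-sign.  Not the book's code.

Assumptions: toy key N = 1019 * 1039 with e = 17 (constructed; far too small for
real use) and h(M) = SHA-256(M) reduced modulo N as the hash function mapping
{0,1}* into the message space Z_N.
"""
import hashlib

P, Q = 1019, 1039
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))      # e * d = 1 (mod phi(N))


def textbook_sign(m: int, d: int = D, n: int = N) -> int:
    """Alg 10.1 signing: s = m^d (mod N); nothing is required of m."""
    return pow(m, d, n)


def textbook_verify(m: int, s: int, e: int = E, n: int = N) -> bool:
    """Alg 10.1 verification: accept iff s^e = m (mod N)."""
    return 0 <= m < n and 0 < s < n and pow(s, e, n) == m


def existential_pair(s: int, e: int = E, n: int = N):
    """Equation (10.4.1): pick any s and let the 'message' be m = s^e (mod N).
    The pair verifies, but m is whatever came out, i.e., it looks random."""
    return pow(s, e, n), s


def combine_pairs(pair1, pair2, n: int = N):
    """Multiplicative property (8.9.1): (s1 s2)^e = s1^e s2^e = m1 m2 (mod N),
    so (m1 m2, s1 s2) verifies whenever (m1, s1) and (m2, s2) do."""
    (m1, s1), (m2, s2) = pair1, pair2
    return (m1 * m2) % n, (s1 * s2) % n


def h(message: bytes, n: int = N) -> int:
    """Hash function from {0,1}* into Z_N (assumed: SHA-256 mod N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def hashed_sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sign the recognizable value m = h(M) rather than an arbitrary m."""
    return textbook_sign(h(message, n), d, n)


def hashed_verify(message: bytes, s: int, e: int = E, n: int = N) -> bool:
    """The verifier takes the pre-image M and recomputes h(M) itself.  A bare m
    with no known pre-image, as produced by existential_pair or combine_pairs,
    has no M to submit here, which is what 'recognizable' buys."""
    return textbook_verify(h(message, n), s, e, n)
```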
10.4.4 The Rabin Signature (Textbook Version)

The Rabin signature scheme [240] is very similar to the RSA signature scheme. The difference between the two schemes is that they use different kinds of verification exponents. In the case of RSA, the verification exponent e is an odd integer since it is required that $\gcd(e, \phi(N)) = 1$ where $\phi(N)$ is an even number, while in the case of Rabin, e = 2.
The Rabin signature scheme is specified in Alg 10.2. We notice that this is a textbook version for signing in Rabin.
The Rabin signature has a couple of advantages over RSA. First, forgery is provably as hard as factoring (formal argument deferred). Secondly, verification is faster, and is suitable for use in applications where signature verification is done by small computing devices, such as handheld ones.
Following Remark 10.1, if m is not a recognizable message, then it is trivially easy to forge a valid "message"-signature pair for the Rabin signature scheme. This is an existential forgery. The usual prevention method is to hash the message as in §10.4.3 so that the message becomes recognizable.
10.4.5 A Paradoxical Security Basis for Signing in Rabin
Using the same idea as in Theorem 8.2 (in §8.11) we can also show that if there exists an algorithm for forging a Rabin signature, then the forging algorithm can be used for factoring the composite modulus used in the signature scheme. This is a desirable property because it relates signature forgery to a reputably hard problem (factorization).
However, this strong security property also means that the Rabin signature scheme is fatally insecure against an adaptive attack in which an attacker can ask the signer to issue signatures of messages of its choice. For example, the attacker can pick an arbitrary s and submit $m = s^2 \pmod N$ to Alice for her to return a Rabin signature of message m. Alice's reply, let it be s', is any one of the four square roots of m. If $s' \not\equiv \pm s \pmod N$, then her modulus can be factored by the adaptive attacker.
Therefore, the textbook Rabin signature scheme specified in Alg 10.2 is absolutely unusable in any real world application where an adaptive attack is unavoidable. Signing in Rabin for any real world application must prevent an adaptive attacker from obtaining two different square roots of one message.

Algorithm 10.2: The Rabin Signature Scheme
Key Setup
User Alice sets up her public modulus the same as an RSA modulus. (* so her modulus is N = pq with p, q being distinct odd primes. N is her public key and p, q form her private key. *)
Signature Generation
To create a signature of message m, Alice creates the signature
(* for this calculation to be possible, it is necessary for $m \in QR_N$; from §6.6.2 we know that for N being an RSA modulus a quarter of the elements in $\mathbb{Z}_N^*$ are in $QR_N$; thus, Alice can employ a suitable message formatting mechanism so that she can make sure $m \in QR_N$; for such m, Alice can use Alg 6.5 to compute a square root of m. *)
Signature Verification
Let Bob be a verifier who knows that the public modulus N belongs to Alice. Given a message-signature pair (m, s), Bob's verification procedure is
(* N.B., Message m must be a recognizable one, see §10.4.3. *)
A better and fit-for-application scheme for signing in Rabin using hash functions will be introduced in Chapter 16. That algorithm is a probabilistic one which guarantees that multiple issuances of signatures for the same message will be randomized so that an adaptive attacker cannot obtain two different square roots of one message. That Rabin signature scheme is therefore a fit-for-application one. A formal argument for the security of that Rabin signature scheme will be considered under a stronger and fit-for-application security notion which will also be introduced in Chapter 16.
We summarize a paradoxical result regarding security for signing in Rabin.
On the one hand, using the same method as in Theorem 8.2 (in §8.11), the textbook sense of unforgeability for the textbook Rabin signature can be shown to be equivalent to factorization. This result is not only a very strong one since it is formal evidence (i.e., a proof), but also a desirable one since it relates forgery to a reputably hard problem: integer factorization.
On the other hand, the textbook version of the Rabin signature scheme is hopelessly weak and absolutely unusable in real world applications where adaptive chosen-message attacks are
common. Such attacks totally destroy the scheme. A fit-for-application variation for signing in Rabin is necessary and such a variation will be introduced in Chapter 16. Unfortunately however, as we shall see in that chapter, our proof of security (formal evidence of security) for that scheme will no longer relate unforgeability to integer factorization.
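An added example (not the book's code) of Alg 10.2 on a toy modulus: the four square roots of a residue, the verification s² ≡ m (mod N), the gcd step that turns two unrelated roots of one m into a factor of N (the basis of the paradox just summarized), and a hashed variant in which the signer only ever takes roots of m = H(M || i), so a requester cannot hand over an m whose root it already knows. Assumed: p, q ≡ 3 (mod 4) so that roots come from one exponentiation each (the book points to Alg 6.5 for the general case), SHA-256 as H, and a counter i as the message formatting mechanism that lands m in QR_N.

```python
"""Added example: textbook Rabin signing (Alg 10.2) on a toy modulus and the
factoring relation behind the 'paradox' of Section 10.4.5.  Not the book's code.

Assumptions: p = q = 3 (mod 4), so a square root modulo each prime is one
exponentiation (the book refers to Alg 6.5 for the general case); H = SHA-256;
the message formatting mechanism that puts m into QR_N is a counter i appended
to M.  Toy primes are constructed and far too small for real use.
"""
import hashlib
from math import gcd

P, Q = 1019, 1039          # both 3 mod 4; N is an RSA-type modulus
N = P * Q


def is_qr(m: int, n: int = N, p: int = P, q: int = Q) -> bool:
    """m in QR_N iff m is a unit and a quadratic residue mod p and mod q (Euler's criterion)."""
    m %= n
    return gcd(m, n) == 1 and pow(m, (p - 1) // 2, p) == 1 and pow(m, (q - 1) // 2, q) == 1


def square_roots(m: int, p: int = P, q: int = Q) -> list:
    """The four square roots of m in QR_N, assembled from the roots mod p and mod q by the CRT."""
    n = p * q
    rp = pow(m, (p + 1) // 4, p)        # a root mod p because p = 3 (mod 4)
    rq = pow(m, (q + 1) // 4, q)
    q_inv_p = pow(q, -1, p)             # CRT coefficients
    p_inv_q = pow(p, -1, q)
    roots = set()
    for a in (rp, p - rp):
        for b in (rq, q - rq):
            roots.add((a * q * q_inv_p + b * p * p_inv_q) % n)
    return sorted(roots)


def textbook_sign(m: int, which: int = 0) -> int:
    """Alg 10.2 signing: Alice returns one of the square roots of m (m must lie in QR_N)."""
    if not is_qr(m):
        raise ValueError("m is not in QR_N; Alg 10.2 cannot sign it")
    return square_roots(m)[which]


def textbook_verify(m: int, s: int, n: int = N) -> bool:
    """Alg 10.2 verification: s^2 = m (mod N)."""
    return 0 < s < n and pow(s, 2, n) == m % n


def factor_from_two_roots(s1: int, s2: int, n: int = N):
    """Theorem 8.2's idea: s1^2 = s2^2 (mod N) with s1 != +-s2 means (s1-s2)(s1+s2) = 0 (mod N),
    so gcd(s1 - s2, N) is a proper factor.  Returns None when the roots agree up to sign."""
    if (s1 - s2) % n == 0 or (s1 + s2) % n == 0 or pow(s1, 2, n) != pow(s2, 2, n):
        return None
    f = gcd(s1 - s2, n)
    return f if 1 < f < n else None


def format_message(M: bytes, i: int, n: int = N) -> int:
    """m = H(M || i) reduced into Z_N: the recognizable form of M (Section 10.4.3)."""
    return int.from_bytes(hashlib.sha256(M + i.to_bytes(4, "big")).digest(), "big") % n


def hashed_sign(M: bytes) -> tuple:
    """Sign only recognizable messages: use the smallest counter i with H(M || i) in QR_N and
    always return the same (smallest) root, so repeated requests for one M never yield two roots.
    The requester no longer chooses m, so it cannot submit an m = s^2 whose root it knows."""
    for i in range(1 << 16):
        m = format_message(M, i)
        if is_qr(m):
            return i, square_roots(m)[0]
    raise RuntimeError("no counter put H(M || i) into QR_N")


def hashed_verify(M: bytes, i: int, s: int) -> bool:
    return textbook_verify(format_message(M, i), s)
```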
10.4.6 The ElGamal Signature
In addition to his elegant public-key cryptosystem in §8.12, ElGamal also worked out an ingenious digital signature scheme. Similar to the case of the ElGamal public-key cryptosystem inspiring great follow-up research and application interest which lasts to this day, the ElGamal signature scheme is also the origin of many further digital signature schemes which belong to the family of ElGamal-like signature schemes (some of them will be introduced in §10.4.8 and their security properties further studied in Chapter 16).
The ElGamal signature scheme is specified in Alg 10.3.
10.4.7 Informal Security Argument for the ElGamal Signature
Let us now investigate a few security issues in the ElGamal signature scheme.
10.4.7.1 Warnings
We notice a few warnings in the ElGamal signature scheme.
Warning 1
The first warning is the importance of checking r < p in the signature verification. Bleichenbacher [41] discovered the following attack if Bob would accept signatures where r is larger than p. Let (r, s) be a signature on message m. Malice can forge a new signature on an arbitrary message m' as follows:
1. $u \equiv m' m^{-1} \pmod{p-1}$
2. $s' \equiv s u \pmod{p-1}$
3. compute r' satisfying $r' \equiv r u \pmod{p-1}$ and $r' \equiv r \pmod p$; this can be done by applying the Chinese Remainder Theorem (Alg 6.1)
Then it is routine to go through the following congruence:

Algorithm 10.3: The ElGamal Signature Scheme
Key Setup
The key setup procedure is the same as that for the ElGamal cryptosystems (see §8.12).
(* thus, user Alice's public-key material is a tuple $(g, y_A, p)$ where p is a large prime number, g is a random multiplicative generator element, and $y_A \equiv g^{x_A} \pmod p$ for a secret integer $x_A < p - 1$; Alice's private key is $x_A$. *)
Signature Generation
To create a signature of message m, Alice picks a random number $\ell$ (i.e., $\ell < p - 1$ and $\gcd(\ell, p - 1) = 1$) and creates a signature pair (r, s) where
Equation 10.4.2
(* $\ell^{-1}$ can be computed using the extended Euclid's algorithm (Alg 4.2). *)
Signature Verification
Let Bob be a verifier who knows that the public-key material $(g, y_A, p)$ belongs to Alice. Given a message-signature pair (m, (r, s)), Bob's verification procedure is
(* N.B., Message m must be a recognizable one, see §10.4.7.2. *)
The attack is prevented if Bob checks r < p. This is because the r' computed from the Chinese Remainder Theorem in step 3 above will be a value of magnitude p(p − 1).
Warning 2
The second warning is also discovered by Bleichenbacher [41]: Alice should pick the public
parameter g randomly in $\mathbb{F}_p^*$. If this parameter is not chosen by Alice (e.g., in the case where system-wide users share the same public parameters g, p), then a publicly known procedure must be in place for users to check the random choice of g (e.g., g is output from a pseudo-random function).
Now let us suppose that the public parameters g, p are chosen by Malice. Parameter p can be set up in a standard way which we have recommended in §8.4.1: let p − 1 = bq where q can be a sufficiently large prime but b can be smooth (i.e., b only has small prime factors and so computing discrete logarithms in a group of order b is easy, see §8.4.1).
Malice generates g as follows
for some multiple cq of q with c < b.
For Alice's public key $y_A$, we know that the extraction of the discrete logarithm of $y_A$ to the base g is hard. However, the extraction of the discrete logarithm of $y_A^q$ to the base $g^q$ is easy. The discrete logarithm is $z \equiv x_A \pmod b$, that is, the following congruence holds:
With z, Malice can forge Alice's signature as follows:
Then it is routine to go through the following congruence:
Hence, (r, s) is indeed a valid signature on m, which is created without using $x_A$ (but using $x_A \pmod b$).
We notice that in this signature forgery attack, r is a value divisible by q. So in the standard parameter setting for p satisfying p − 1 = bq where q is a large prime, this attack of Bleichenbacher can be prevented if at verification time Bob checks that r is not divisible by q (supposing that the standard setting-up of p makes q part of the public parameters). Related to this point, later in §16.3.2.1 when we conduct a formal proof of unforgeability for the ElGamal signature scheme, we will see that this condition must be in place in order for the formal proof to go through.
War ni ng 3

The third warning is the care of the ephemeral key. Similar to the case of the ElGamal encryption, the ElGamal signature generation is also a randomized algorithm. The randomization is due to the randomness of the ephemeral key $\ell$.
Alice should never reuse an ephemeral key in different instances of signature issuance. If an ephemeral key is reused to issue two signatures for two messages $m_1 \not\equiv m_2 \pmod{p-1}$, then from the second equation in (10.4.2) we have

Since $\ell^{-1} \pmod{p-1}$ exists, $m_1 \not\equiv m_2 \pmod{p-1}$ implies
Equation 10.4.3
i.e., $\ell^{-1}$ is disclosed. In turn, Alice's private key $x_A$ can be computed from the second equation in (10.4.2) as
Equation 10.4.4
Notice also that the ephemeral key must be picked uniformly at random from the space of all integers $\ell < p - 1$ with $\gcd(\ell, p - 1) = 1$. Particular caution should be taken when a signature is generated by a small computer such as a smart card or a handheld device: one must make sure that such devices are equipped with an adequately reliable randomness source.
As long as $\ell$ is used once only per signature and is generated uniformly at random, the second equation for signature generation (10.4.2) shows that it essentially provides a one-time multiplication cipher to encrypt the signer's private key x. Therefore, these two secrets protect one another in the information-theoretically secure sense.
10.4.7.2 Prevention of Existential Forgery
Existential forgery given in Remark 10.1 applies to the ElGamal signature too if the message signed does not contain recognizable redundancy. That is, it is not difficult to forge a valid "message"-signature pair under the ElGamal signature scheme where the resultant "message" is not a recognizable one.
For example, let u, v be any integers less than p − 1 such that gcd(v, p − 1) = 1; set

then (m, (r, s)) is indeed a valid "message"-signature pair for the ElGamal signature scheme related to Alice's public key $y_A$ since

However, in this forgery, "message" m is not recognizable due to the good mixing-transformation property of the modulo exponentiation.
A message formatting mechanism can defeat this forgery. The simplest message formatting mechanism is to have m contain a recognizable part, e.g., m = M || I where M is the message to be signed and I is a recognizable string such as the signer's identity.
The most commonly used message formatting mechanism is to have m be a hashed value of the message to be signed. An example of such a hashed message can be

where H is a cryptographic hash function and M is a bit string representing a message. Now the signature is of the message M. The verification step includes verifying m = H(M, r). The one-way property of the hash function effectively stops the existential forgery shown above.
If we assume that the hash function H behaves like a random oracle does (see §10.3.1.2), then formal evidence relating the unforgeability of the ElGamal signature to the discrete logarithm problem (a reputably hard problem) can be obtained. However, at this moment we do not have sufficient tools to demonstrate such formal evidence. The formal demonstration will be deferred to Chapter 16.
For the same reason, we will also defer to Chapter 16 the formal proofs of security for other signature schemes in the ElGamal signature family.
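The three warnings and the hashed-message format above, as an added example that is not the book's code: textbook ElGamal with m = H(M, r), a verifier that enforces 0 < r < p (Warning 1) and that q does not divide r (Warning 2), and the recovery of x_A from two signatures made with one ephemeral key (Equations 10.4.3 and 10.4.4, Warning 3). Assumed, since Equation (10.4.2) is not reproduced on this page: the standard signing equations r = g^ℓ (mod p), s = ℓ^{-1}(m − x_A r) (mod p − 1) with verification y_A^r r^s ≡ g^m (mod p); SHA-256 as H; the constructed toy prime p = 2039 = 2 · 1019 + 1 with generator g = 7.

```python
"""Added example: textbook ElGamal signing with the checks of Warnings 1-3 and
the hashed message m = H(M, r) of Section 10.4.7.2.  Not the book's code.

Assumptions (Equation 10.4.2 is not reproduced on this page): the standard
ElGamal equations
    r = g^l (mod p),   s = l^{-1} (m - x_A r) (mod p - 1),
    verify:  y_A^r r^s = g^m (mod p);
H = SHA-256 reduced modulo p - 1; toy parameters p = 2039 = 2 * 1019 + 1 with
generator g = 7 (constructed; far too small for real use).
"""
import hashlib
import secrets
from math import gcd

P = 2039    # toy prime; p - 1 = b*q with b = 2 (smooth) and q = 1019 (prime)
Q = 1019    # the large prime factor of p - 1, published alongside (g, p)
G = 7       # generator of Z_2039^*


def hash_message(M: bytes, r: int) -> int:
    """m = H(M, r), reduced into the exponent range [0, p - 2]."""
    digest = hashlib.sha256(M + r.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 1)


def pick_ephemeral_key() -> int:
    """Warning 3: l uniform over the units modulo p - 1, fresh for every signature."""
    while True:
        ell = secrets.randbelow(P - 2) + 1
        if gcd(ell, P - 1) == 1:
            return ell


def sign(x: int, M: bytes, ell=None):
    """Return (r, s).  A fixed `ell` is accepted only to reproduce results."""
    n = P - 1
    if ell is None:
        ell = pick_ephemeral_key()
    if not (0 < ell < n and gcd(ell, n) == 1):
        raise ValueError("ephemeral key must be a unit modulo p - 1")
    r = pow(G, ell, P)
    m = hash_message(M, r)
    s = pow(ell, -1, n) * (m - x * r) % n
    return r, s


def verify(y: int, M: bytes, r: int, s: int) -> bool:
    """Bob's procedure with the two Bleichenbacher guards ahead of the arithmetic."""
    if not 0 < r < P:        # Warning 1: the CRT-built r' has magnitude about p(p - 1)
        return False
    if r % Q == 0:           # Warning 2: with a rigged g the forged r is a multiple of q
        return False
    if not 0 < s < P - 1:
        return False
    m = hash_message(M, r)
    return pow(y, r, P) * pow(r, s, P) % P == pow(G, m, P)


def solve_linear_congruence(a: int, b: int, n: int) -> list:
    """All l in [0, n) with a*l = b (mod n); empty when there is no solution."""
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d:
        return []
    if a == 0:               # then b == 0 as well: every residue qualifies
        return list(range(n))
    n_d = n // d
    l0 = (b // d) * pow(a // d, -1, n_d) % n_d
    return [l0 + k * n_d for k in range(d)]


def recover_private_key(y: int, M1: bytes, sig1, M2: bytes, sig2):
    """Warning 3 made concrete: equal r means the same l was used twice.
    s1 - s2 = l^{-1}(m1 - m2) (mod p - 1) gives l (Equation 10.4.3), and
    x_A r = m1 - l s1 (mod p - 1) then gives x_A (Equation 10.4.4).
    Returns x_A, or None when the two signatures give nothing away."""
    n = P - 1
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None
    m1, m2 = hash_message(M1, r1), hash_message(M2, r2)
    if (m1 - m2) % n == 0:
        return None
    # p - 1 is even, so the divisions may leave several candidates; g^l = r and
    # g^x = y pick out the genuine ones.
    for ell in solve_linear_congruence(s1 - s2, m1 - m2, n):
        if pow(G, ell, P) != r1:
            continue
        for x in solve_linear_congruence(r1, m1 - ell * s1, n):
            if pow(G, x, P) == y:
                return x
    return None
```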
10.4.8 Signature Schemes in the ElGamal Signature Family

After ElGamal's original work, several variations of the ElGamal signature scheme emerged. Two influential ones are the Schnorr signature scheme [256, 257] and the Digital Signature Standard (DSS) [215, 216].
10.4.8.1 The Schnorr Signature
The Schnor r signat ur e scheme i s a var i at i on of t he El Gamal si gnat ur e scheme but possesses a
feat ure whi ch f orms an i mpor t ant cont r i but i on t o publi c- key cr y pt ography : a consi der abl y
shor t ened r epr esent at ion of pr i me f iel d el ement s wi t hout havi ng degener at ed t he underl y i ng
i nt r act abl e problem ( whi ch i s t he DL pr obl em, see 8. 4) . Thi s i dea i s l at er fur t her devel oped t o
fi nit e fi el ds of a mor e gener al f or m i n a new cr y pt osyst em: t he XTR publi c- key sy st em [ 175] .
The short ened r epresent at i on i s real i zed by const ruct ing a f iel d F
p
such t hat i t cont ai ns a much
small er subgr oup of pr i me order q. We not i ce t hat t he cur r ent st andar d par amet er set t i ng for p
i n El Gamal - l ike cr ypt osyst ems i s p 2
1024
. We shoul d fur t her not i ce t hat t he si ze f or p i s li kely
t o gr ow t o sui t t he advances in sol ving t he DL pr oblem. However , af t er Schnor r' s wor k, i t has
become a st andard convent i on ( a r ul e of t humb) t hat par amet er set t i ng for q i s q 2
160
. I t is
quit e possibl e t hat t hi s set t i ng i s more or l ess a const ant regar dl ess of t he growt h of t he size of
p. This is because t hat t he subgr oup i nfor mat i on does not pl ay a rol e i n gener al met hods for
sol vi ng t he DL pr obl em i n F
p
, even i f t he t arget el ement is known i n t he gi ven subgroup. The
const ant - i sh 2
160
set t i ng f or q i s mer el y i mposed by t he l ower - bound requi rement due t o t he
squar e- r oot at t ack ( see 3. 6) .
The Schnor r signat ur e scheme i s speci f ied i n Al g 10. 4
Not i ce t hat i n t he set t i ng- up of publ i c par amet ers, a gener at or g can be f ound qui ckl y . Thi s i s
because for q| p 1,
i . e. , t he pr obabi li t y of r andom chosen f sat i sfy i ng g ( mod ) is negl i gi bl y
small . By Fer mat 's Li t t l e Theor em ( Theor em 6. 10 i n 6. 4) , we have
Ther ef or e g i ndeed gener at es a subgr oup of q el ement s.
The si gnat ur e ver i fi cat i on works cor r ect l y because i f ( m, ( s, e) ) is a val i d message- si gnat ur e pai r
creat ed by Al i ce, t hen
As we have di scussed ear li er , wor ki ng i n t he order - q subgr oup of , a si gnat ur e i n t he Schnor r
si gnat ure scheme i s much short er t han t hat of a si gnat ur e i n t he El Gamal si gnat ur e scheme:
2| q| bi t s ar e r equi r ed f or t r ansmit t ing a Schnor r si gnat ur e, i n compar i son wi t h 2| p| bi t s f or

transmitting an ElGamal signature. The shortened signature also means fewer operations in signature generation and verification: O_B(log² q log² p) in Schnorr vs. O_B(log³ p) in ElGamal.
Further notice that in signature generation, the modulo p part of the computation can be conducted in an off-line manner. With this consideration, real-time signature generation only needs to compute one multiplication modulo q; the hard work is done off-line. Such a design arrangement is suitable for a small device to perform.
As in the case of the ElGamal signature, the ephemeral key should never be reused, and should be uniformly random. Under these conditions, the ephemeral key and the signer's private key protect one another in an information-theoretically secure sense.
10.4.8.2 The Digital Signature Standard (DSS)
In August 1991, the US standards body, the National Institute of Standards and Technology (NIST), announced a new proposed digital signature scheme called the Digital Signature Standard (DSS) [215, 216]. The DSS is essentially the ElGamal signature scheme, but like the Schnorr signature scheme, it works in a much smaller prime-order subgroup of a larger finite field in which the DL problem is believed to be hard. Therefore, the DSS has a much smaller signature size than the ElGamal signature scheme.
Algorithm 10.4: The Schnorr Signature Scheme
Setup of System Parameters
1. Set up two prime numbers p and q such that q | p − 1;
(* typical sizes for these parameters: |p| = 1024 and |q| = 160 *)
2. Set up an element g of order q;
(* this can be done by picking and setting (mod ). If g = 1, repeat the procedure until g ≠ 1 *)
3. Set up a cryptographic hash function H;
(* for example, SHA-1 is a good candidate for H *)
The parameters (p, q, g, H) are publicized for use by system-wide users.
Setup of a Principal's Public/Private Key
User Alice picks a random number and computes
Alice's public-key material is (p, q, g, y, H); her private key is x.
Signature Generation
To create a signature of message m ∈ {0, 1}*, Alice picks a random number and computes a signature pair (e, s) where
Signature Verification
Let Bob be a verifier who knows that the public-key material (p, q, g, y, H) belongs to Alice. Given a message-signature pair (m, (e, s)), Bob's verification procedure is
Algorithm 10.5: The Digital Signature Standard
Setup of System Parameters
(* the system parameters are identical to those for the Schnorr signature scheme; thus, parameters (p, q, g, H), which have the same meaning as those in Alg 10.4, are publicized for use by the system-wide users. *)
Setup of a Principal's Public/Private Key
User Alice picks a random number as her private key, and computes her public key by
Alice's public-key material is (p, q, g, y, H); her private key is x.
Signature Generation
To create a signature of message m ∈ {0, 1}*, Alice picks a random number and computes a signature pair (r, s) where
Signature Verification
Let Bob be a verifier who knows that the public-key material (p, q, g, y, H) belongs to Alice. Given a message-signature pair (m, (r, s)), Bob's verification procedure is
The DSS is specified in Alg 10.5.
Signature verification works correctly because if (m, (r, s)) is a valid message-signature pair created by Alice, then
Comparing the right-hand side with the first equation for signature generation, this congruence should return r if it is further operated modulo q.
The communication bandwidth and the computational requirements for the DSS are the same as those for the Schnorr signature scheme if the public parameters of these two schemes have the same size.
The DSS has been standardized together with a compatible standardization process for its hash function, namely SHA-1 [217]. The use of the standard hash function provides the needed property of message recognizability and so prevents existential forgery.
Finally, the caution for the ephemeral key is also necessary, as in all signature schemes in the ElGamal signature family.
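Alg 10.4 and Alg 10.5 share their system parameters, so one added worked example (written for this page; it is not code from the book) implements both schemes over the same (p, q, g). The equations that did not survive extraction are assumed here to be the standard ones: for Schnorr, y = g^(−x) mod p, e = H(m || g^l mod p), s = l + xe mod q, verified by recomputing g^s y^e mod p; for DSS, y = g^x mod p, r = (g^l mod p) mod q, s = l^(−1)(H(m) + xr) mod q, verified by checking (g^u1 y^u2 mod p) mod q = r with w = s^(−1) mod q, u1 = H(m)w mod q, u2 = rw mod q. SHA-256 reduced modulo q stands in for the SHA-1 the text names, and the bit sizes are arguments so that a demonstration finishes in seconds with small values; the text's |p| = 1024, |q| = 160 (or larger today) are what a deployment would pass.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test with random bases; a composite passes with probability <= 4^-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def setup_parameters(p_bits, q_bits):
    """System parameters (p, q, g): primes with q | p - 1 and an element g of order q."""
    while True:                                   # a prime q of exactly q_bits bits
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:                                   # p = q*t + 1 with t even, so p is odd
        t = (secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = q * t + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:                                   # g = f^((p-1)/q) mod p for a random f;
        g = pow(secrets.randbelow(p - 2) + 2, (p - 1) // q, p)
        if g != 1:                                # g^q = f^(p-1) = 1 (Fermat), so ord(g) = q
            return p, q, g


def h_int(*parts):
    """Hash function H over a length-prefixed concatenation of ints/bytes, as an integer.
    SHA-256 stands in for the SHA-1 the text mentions (an assumption of this example)."""
    hsh = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        hsh.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(hsh.digest(), "big")


# Schnorr (Alg 10.4), assumed equations: y = g^-x, e = H(m || g^l), s = l + x*e (mod q)
def schnorr_keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1              # private key x in [1, q-1]
    return x, pow(g, q - x, p)                    # public key y = g^(-x) mod p


def schnorr_sign(params, x, m):
    p, q, g = params
    l = secrets.randbelow(q - 1) + 1              # ephemeral key: uniform, never reused
    e = h_int(m, pow(g, l, p)) % q                # g^l mod p is the off-line part
    return e, (l + x * e) % q                     # on-line: one multiplication modulo q


def schnorr_verify(params, y, m, sig):
    p, q, g = params
    e, s = sig
    if not (0 <= e < q and 0 <= s < q):
        return False
    r = pow(g, s, p) * pow(y, e, p) % p           # g^s * y^e = g^(l + xe - xe) = g^l
    return h_int(m, r) % q == e


# DSS (Alg 10.5), assumed equations: y = g^x, r = (g^l mod p) mod q,
# s = l^-1 (H(m) + x*r) (mod q)
def dss_keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def dss_sign(params, x, m):
    p, q, g = params
    while True:
        l = secrets.randbelow(q - 1) + 1          # ephemeral key, fresh for every signature
        r = pow(g, l, p) % q
        s = pow(l, -1, q) * (h_int(m) + x * r) % q
        if r and s:                               # the standard rejects r = 0 or s = 0
            return r, s


def dss_verify(params, y, m, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = h_int(m) * w % q, r * w % q
    # g^u1 * y^u2 = g^(w*(H(m) + x*r)) = g^l (mod p); reducing mod q must give back r
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r
```

The parameter setup follows the comment in step 2 of Alg 10.4: g = f^((p−1)/q) mod p for a random f, retried while g = 1. In schnorr_sign the only on-line work after g^l mod p is the single multiplication modulo q the text points out, and both signing functions draw the ephemeral key afresh from the system CSPRNG for every signature, which is the caution both schemes require.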
10.4.9 Formal Security Proof for Digital Signature Schemes
Analogous to our discussion in §8.14 on the need for stronger security notions for public-key cryptosystems, we should also provide a brief discussion on the issue of provable security for digital signature schemes.
The reader may have noticed that in this chapter we have not provided any formal evidence showing security for the digital signature schemes introduced. Indeed, as we have remarked in Remark 10.2, in this chapter we will not consider formal proofs for signature schemes. There are two reasons behind this.

To explain the first reason, we notice that it is reasonable to expect that forging a signature "from scratch" should be harder than doing the job by making use of some available message-signature pairs which an attacker may have in its possession before it starts to forge. The forgery task may be further eased if the attacker can interact with a targeted signer and persuade the latter to provide a signing service, i.e., to issue signatures of messages chosen by the attacker. Signature forgery based on making use of a targeted signer's signing service is called forgery via adaptive chosen-message attack.
In reality, message-signature pairs with respect to a given public key are abundantly available. Also, adaptive attacks are hard to prevent in applications of digital signatures: to issue signatures of given messages can be a perfectly legitimate service in many applications. Consequently, a fit-for-application notion of security for digital signatures is necessary. Such a security notion will be defined in Chapter 16. This is the first reason why we have deferred formal security proof for digital signature schemes.
For the second reason, we have also seen that it is generally easy to forge a message-signature pair, even to forge it "from scratch" if the "message" is not recognizable (in general, see Remark 10.1 for the ease of existential forgery and, in specific, review the many concrete cases of existential forgery in our description of various concrete schemes). To prevent such easy ways of forgery, any digital signature scheme must be equipped with a message formatting mechanism which renders a message to be signed into a recognizable one. Most frequently, message formatting mechanisms use cryptographic hash functions. It is thus reasonable to expect that formal evidence for the security of a digital signature scheme should be supplied together with a formally modeled behavior of a cryptographic hash function. In the absence of a formally modeled hash function behavior, we have not been able to provide a formal argument on security for the digital signature schemes introduced so far in this chapter. This is the second reason why we have deferred formal security proof for digital signature schemes.
We have discussed in §10.3.1.2 that cryptographic hash functions try to emulate random functions. For cryptographic schemes which use hash functions, a notion for establishing formal evidence for their security is called the random oracle model (ROM) for provable security. This notion will be available in Chapter 16. There, we shall see that under the ROM, we will be able to provide formal evidence relating the difficulty of signature forgery (even via adaptive chosen-message attack) to some well-known computational assumptions in the theory of computational complexity.

10.5 Asymmetric Techniques II: Data Integrity Without Source Identification
In a data integrity mechanism realized by a digital signature scheme, the usual setting for key parameters stipulates that Ke is a private key and Kv is the matching public key. Under this setting, a correct integrity verification result for a message provides the message verifier with the identity of the message transmitter, who is the signer of the message, i.e., the owner of the public key Kv.
We should notice, however, that this "usual setting for key parameters," while being a necessary element for achieving a digital signature scheme, is unnecessary for a data-integrity system. In fact, in Definition 10.1 we have never put any constraint on the two keys for constructing and for verifying the MDC.
Thus, for example, we can actually set the two keys, Ke and Kv, opposite to those for a digital signature scheme, that is, let Ke be a public key and Kv be a private key. Under such a key setting, anybody is able to use the public key Ke to create a consistent (i.e., cryptographically integral) pair (Data, MDC) or a "message-signature pair" (m, s), while only the holder of the private key Kv is able to verify the consistency of the pair (Data, MDC) or the validity of the "signature" (m, s). Of course, under such an unusual key setting, the system can no longer be regarded as a digital signature scheme. However, we must notice that, according to Definition 10.1, the system under such an unusual key setting remains a data-integrity system!
Since anybody can have used the public key Ke to create the consistent pair (Data, MDC), we shall name this kind of data-integrity system data-integrity without source identification. From our familiarity with the behavior of Malice (the bad guy), there is no danger for us to conveniently rename this data-integrity service "data integrity from Malice."
Let us now look at an example of a public-key encryption scheme which provides this sort of service. This is a scheme with the following property: Malice can send to Alice a confidential message such that the message is "non-malleable" (e.g., by other friends of Malice), that is, it is computationally hard for any other member of the clique of Malice to modify the message without being detected by Alice, the message receiver. This algorithm, with its RSA instantiation being specified in Alg 10.6, is named Optimal Asymmetric Encryption Padding (OAEP) and was invented by Bellare and Rogaway [24].
If the ciphertext has not been modified after its departure from the sender, then from the encryption algorithm we know that Alice will retrieve the random number r correctly, and therefore
Therefore, Alice will see k1 zeros trailing the retrieved plaintext message.
On the other hand, any modification of the ciphertext will cause an alteration of the message sealed under the RSA function. This alteration will further cause an "uncontrollable" alteration to the plaintext message, including the random input and the redundancy of k1 zeros trailing the plaintext message, which have been input to the OAEP function. Intuitively, the "uncontrollable" alteration is due to a so-called "random oracle" property of the two hash functions used in the scheme (see our discussions of random oracles in §10.3.1.2). The uncontrollable alteration will show itself up by damaging the redundancy (the string of k1 zeros) added into the plaintext with
a probability of at least 1 − 2^(−k1). Given that 2^(−k1) is negligible, 1 − 2^(−k1) is significant. Thus, indeed, the scheme provides data-integrity protection on the encrypted message.
Notice that the data-integrity protection provided by the RSA-OAEP encryption algorithm is a strange one: although upon seeing the string of k1 zeros Alice is assured that the ciphertext has not been modified, she can have no idea who the sender is. That is why in Alg 10.6 we have deliberately specified Malice as the sender. The notion of "data integrity from Malice" is very useful and important. This notion became apparent as a result of advances in public-key encryption schemes secure with respect to adaptively chosen ciphertext attack (CCA2, see Definition 8.3 in §8.6). In a public-key cryptosystem secure with respect to CCA2, the decryption procedure includes a data-integrity verification step. Such a cryptosystem is considered to be invulnerable even in the following extreme form of abuse by an attacker:
The attacker and a public-key owner play a challenge-response game. The attacker is in the position of a challenger and is given the freedom to send, as many as he wishes (of course the attacker is polynomially bounded), "adaptively chosen ciphertext" messages to the owner of the public key for decryption in an oracle-service manner (review our discussion on "oracle services" in §8.2 and see a concrete example of an oracle encryption service in §8.2).
The owner of the public key is in the position of a responder. If the data-integrity verification in the decryption procedure passes, the key owner should simply send the decryption result back regardless of the fact that the decryption request may even be from an attacker who may have created the ciphertext in some clever and unpublicized way with the intention to break the target cryptosystem (either to obtain a plaintext message which the attacker is not entitled to see, or to discover the private key of the key owner).
Algorithm 10.6: Optimal Asymmetric Encryption Padding for RSA (RSA-OAEP) [24]
Key Parameters
Let (N, e, d, G, H, n, k0, k1) ←_U Gen(1^k) satisfy: (N, e, d) is the RSA key material where d = e^(−1) (mod φ(N)) and |N| = k = n + k0 + k1 with 2^(−k0) and 2^(−k1) being negligible quantities; G, H are two hash functions satisfying
n is the length of the plaintext message.
Let (N, e) be Alice's RSA public key and d be her private key.
Encryption
To send a message m ∈ {0, 1}^n to Alice, Malice performs the following steps:
1. r ←_U {0, 1}^(k0); s ← (m || 0^(k1)) ⊕ G(r); t ← r ⊕ H(s);
2. If^[a] (s || t ≥ N) go to 1;

3. c ← (s || t)^e (mod N).
The ciphertext is c.
(* here, "||" denotes bit string concatenation, "⊕" the bit-wise XOR operation, and "0^(k1)" the string of k1 zeros functioning as redundancy for data-integrity checking at decryption time. *)
Decryption
Upon receipt of the ciphertext c, Alice performs the following steps:
1. s || t ← c^d (mod N) satisfying |s| = n + k1 = k − k0, |t| = k0;
2. u ← t ⊕ H(s); v ← s ⊕ G(u);
3. (* when REJECT is output, the ciphertext is deemed invalid *)
[a] We use a trial-and-error test in order to guarantee that the padding result, as an integer, is always less than N. The probability of repeating the test i times is 2^(−i). An alternative way is to make r and H, and hence t, one bit shorter than the length of N; see the "PSS Padding" algorithm in §16.4.2.
If a ciphertext has the correct data integrity, then it is considered that the sender must already have known the plaintext encrypted in it. This is a notion known as "plaintext awareness." If the attacker already knows the encrypted plaintext, then an oracle decryption service provides him no new information, not even in terms of providing him with cryptanalysis training for how to break the target cryptosystem. On the other hand, if the attacker has tried an adaptive way to modify the ciphertext, then with overwhelming probability the data integrity checking will fail, and then the decryption will be a null message. So against a cryptosystem with data integrity protection on the ciphertext, an active attacker won't be effective.
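An added worked example of Alg 10.6 in Python (written for this page; not the book's code), operating on bit strings as integers exactly as the algorithm does. The RSA key is constructed from two Mersenne primes purely so that the example runs offline without prime generation (|N| = 234 bits here, far below any real key size), and G and H are built MGF1-style from SHA-256, which is an assumption since the text only requires two hash functions with the stated domain and range. Decryption step 3, which did not survive extraction, is taken to be: output m if the k1 trailing bits of v are all zero, otherwise REJECT.

```python
import hashlib
import secrets

# Constructed demo RSA key: two Mersenne primes, chosen only so the example runs offline
# without prime generation. A real key uses random primes of at least 1024 bits.
P_DEMO, Q_DEMO = 2**127 - 1, 2**107 - 1
N = P_DEMO * Q_DEMO
E = 65537
D = pow(E, -1, (P_DEMO - 1) * (Q_DEMO - 1))      # d = e^-1 (mod phi(N))

K = N.bit_length()       # |N| = k = n + k0 + k1  (234 bits for this demo key)
K0 = 64                  # |r|: random input; 2^-k0 treated as negligible in the demo
K1 = 64                  # |0^k1|: redundancy checked at decryption time
N_MSG = K - K0 - K1      # n: plaintext length in bits


def mask(seed, seed_bits, out_bits, label):
    """Fixed-output-length hash built MGF1-style from SHA-256 (an assumption of this
    example: the text only requires G and H to be hash functions of the stated lengths)."""
    seed_bytes = seed.to_bytes((seed_bits + 7) // 8, "big")
    out, counter = b"", 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(label + seed_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)


def G(r):                # G: {0,1}^k0 -> {0,1}^(n+k1)
    return mask(r, K0, N_MSG + K1, b"G")


def H(s):                # H: {0,1}^(n+k1) -> {0,1}^k0
    return mask(s, N_MSG + K1, K0, b"H")


def oaep_encrypt(m, n_mod=N, e=E):
    """Encryption steps 1-3 of Alg 10.6; anyone holding (N, e) can run this, so the
    ciphertext carries no information about who the sender was."""
    if not 0 <= m < (1 << N_MSG):
        raise ValueError("m must be an n-bit string")
    while True:
        r = secrets.randbits(K0)                  # 1. r <- {0,1}^k0
        s = (m << K1) ^ G(r)                      #    s <- (m || 0^k1) xor G(r)
        t = r ^ H(s)                              #    t <- r xor H(s)
        padded = (s << K0) | t                    #    s || t as a k-bit integer
        if padded >= n_mod:                       # 2. retry until s || t < N (footnote [a])
            continue
        return pow(padded, e, n_mod)              # 3. c <- (s || t)^e (mod N)


def oaep_decrypt(c, n_mod=N, d=D):
    """Alice's decryption steps; returns the n-bit plaintext, or None for REJECT."""
    x = pow(c, d, n_mod)                          # 1. s || t <- c^d (mod N)
    s, t = x >> K0, x & ((1 << K0) - 1)           #    |s| = n + k1 = k - k0, |t| = k0
    u = t ^ H(s)                                  # 2. u <- t xor H(s)   (u = r if untouched)
    v = s ^ G(u)                                  #    v <- s xor G(u)   (v = m || 0^k1)
    if v & ((1 << K1) - 1):                       # 3. the k1 trailing zeros must be intact;
        return None                               #    any change to c destroys them w.p. ~1 - 2^-k1
    return v >> K1
```

oaep_decrypt returning None is the REJECT case. Decrypting a ciphertext with one bit changed shows the 1 − 2^(−k1) argument above in action: the random-oracle-like G and H turn the change into an uncontrollable alteration of v, so the trailing zeros survive only with probability about 2^(−k1). Nothing in the code tells Alice who produced c, which is precisely "data integrity from Malice".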
In Chapter 14 we will introduce a formal model for capturing the security notion under adaptively chosen ciphertext attack (CCA2). We will also study, in Chapter 15, some public-key cryptosystems which are formally provably secure with respect to such attacks. The RSA-OAEP is one of them. In §15.2 we shall provide a detailed analysis of the security of the RSA-OAEP encryption scheme. The analysis will be a formal proof that the RSA-OAEP is secure under a very strong attacking scenario: indistinguishability against an adaptively chosen ciphertext attacker. Due to this stronger security quality, the RSA-OAEP is no longer a textbook encryption algorithm; it is a fit-for-application public-key cryptosystem.
As has been shown in the RSA-OAEP algorithm, the usual method to achieve a CCA2-secure cryptosystem is to have the cryptosystem include a data-integrity checking mechanism without having the least concern for message source identification.
Message source identification is part of the authentication service called data-origin authentication. Authentication is the topic of the next chapter.

10.6 Chapter Summary
In this chapter we have introduced the basic cryptographic techniques for providing data-integrity services. These techniques include (i) symmetric techniques based on using MACs constructed from hash functions or from block cipher algorithms, and (ii) asymmetric techniques based on digital signatures. Data integrity served by these techniques comes together with a sub-service: message source identification.
The security notion for digital signature schemes provided in this chapter is a textbook version and hence is a very weak one. For some digital signature schemes introduced here we have also provided early warning signals on their (textbook) insecurity. The strengthening work for both security notions and for constructing strong signature schemes will be conducted in Chapter 16.
Finally, we also identified a peculiar data-integrity service which does not come together with identification of the message source, and exemplified the service by introducing a public-key cryptosystem which makes use of this service for obtaining a strong security (not reasoned here). In Chapter 15 we will see the important role played by this peculiar data-integrity service in formalizing a general methodology for achieving fit-for-application cryptosystems.

Exercises
10.1 What is a manipulation detection code (MDC)? How is an MDC generated and used? Is a message authentication code (MAC) an MDC? Is a digital signature (of a message) an MDC?
10.2 What is a random oracle? Does a random oracle exist? How is the random oracle behavior approximated in the real world?
10.3 Let the output space of a hash function have magnitude 2^160. What is the expected time cost for finding a collision under this hash function?
10.4 Why is a hash function practically non-invertible?
10.5 What is the main difference between a symmetric data-integrity technique and an asymmetric one?
10.6 What is existential forgery of a digital signature scheme? What are practical mechanisms to prevent existential forgery?
10.7 Why is the textbook security notion for digital signatures inadequate? Hint: consider the fatal vulnerability of the Rabin signature against an active attacker.
10.8 What is the security notion "data integrity from Malice?"
10.9 Is a ciphertext output from the RSA-OAEP algorithm (Alg 10.6) a valid MDC?
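The following is an added example, not part of the book's exercises, that runs the birthday search Exercise 10.3 asks about. To finish in a fraction of a second it works on SHA-256 truncated to 28 bits; the 28-bit width and the message names msg-0, msg-1, ... are constructed for the demonstration, and truncated SHA-256 is assumed to behave like a random function. The same formula gives the answer at the exercise's size: for an output space of 2^160 the expected cost is about sqrt(pi/2 * 2^160), i.e., roughly 2^80 hash evaluations.

```python
import hashlib
import math


def expected_trials(bits):
    """Birthday bound: with 2**bits equally likely outputs, the expected number
    of random draws before the first collision is about sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_hash(msg, bits):
    """Low `bits` bits of SHA-256, modelling a hash with a small output space.
    (Assumption: truncating SHA-256 behaves like a random function here.)"""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest & ((1 << bits) - 1)


def find_collision(bits):
    """Generic birthday search: hash distinct constructed messages msg-0, msg-1, ...
    and stop at the first repeated truncated digest. Returns (trials, m1, m2)."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
        i += 1


if __name__ == "__main__":
    bits = 28
    trials, m1, m2 = find_collision(bits)
    print(f"{bits}-bit collision after {trials} trials "
          f"(expected about {expected_trials(bits):.0f}): {m1!r} vs {m2!r}")
    # Same formula at the exercise's size: about 2**80 evaluations.
    print(f"160-bit: {expected_trials(160):.3e} ~= 1.25 * 2**80")
```

The table-based search above also stores about 2^(n/2) digests; a cycle-finding variant (Pollard's rho) finds a collision with constant memory, which is why 2^80 is the realistic work factor for a 160-bit hash rather than a storage bound.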

Part IV: Authentication
Nowadays, many commerce activities, business transactions and government services have been, and more and more of them will be, conducted and offered over an open and vulnerable communications network such as the Internet. It is vitally essential to establish that the intended communication partners and the messages transmitted are bona fide. The security service needed here is authentication, which can be obtained by applying cryptographic techniques. This part has three chapters on various protocol techniques of authentication. In Chapter 11 we study authentication protocols on their basic working principles, examine typical errors in authentication protocols and investigate causes. In Chapter 12 we examine case studies of several important authentication protocol techniques applied in the real world. In Chapter 13 we introduce the authentication framework for public-key infrastructure.

Chapter 11. Authentication Protocols
Principles
Section 11.1. Introduction
Section 11.2. Authentication and Refined Notions
Section 11.3. Convention
Section 11.4. Basic Authentication Techniques
Section 11.5. Password-based Authentication
Section 11.6. Authenticated Key Exchange Based on Asymmetric Cryptography
Section 11.7. Typical Attacks on Authentication Protocols
Section 11.8. A Brief Literature Note
Section 11.9. Chapter Summary
Exercises

11.1 Introduction
In Chapter 2 we have exposed ourselves to a number of authentication protocols. Most protocols there are fictional ones (with two exceptions): we have deliberately designed them to be flawed in several ways in order for them to serve as an introduction to a culture of caution and vigilance in the areas of cryptography and information security.
In this chapter we return to the topic of authentication. The purpose of returning to the topic is for us to have a more comprehensive study of the area. Our study in this chapter will be divided into two categories:
An Introduction to Various Authentication Techniques
In this category we shall study various basic techniques for authentication. These include the very basic mechanisms and protocol constructions for message and entity authentication, password-based authentication techniques and some important authenticated key establishment techniques. We believe that a number of basic authentication mechanisms and protocol constructions in several international standards are the ones which have been selected from the literature and subsequently gone through a careful (and long) process of expert review and improvement revision. Therefore, in our introduction to the basic authentication techniques, we shall pay particular attention to the mechanisms which have been standardized by international standard bodies. In addition, we shall introduce a few other reputable authentication and authenticated key establishment protocols. We believe that authentication mechanisms and protocols introduced in this category have a value for serving as building blocks and guidelines for designing good protocols. We therefore consider that this category provides the model authentication techniques for protocol designers.
An Exemplified Study of a Wide Range of Protocol Flaws
This is an inevitable part in the subject of authentication. We shall list various known and typical attacking techniques which can be mounted on authentication protocols. We shall analyze and discuss each attacking technique using some flawed protocols with the applicable attacks demonstrated. Through this study, we shall become familiar with a common phenomenon that authentication protocols are likely to contain security flaws even when they have been designed by experts. The comprehensive list of typical protocol flaws and the related attacking techniques provide essential knowledge for a protocol designer: "Did you know this sort of attack?"
Unlike in the cases of Chapter 2 where we have deliberately designed fictional protocols with artificial flaws, the security flaws in the protocols to be demonstrated in this chapter are not artificial ones; indeed, none of them is! These flaws were all discovered after the flawed protocols were published by reputable authors in information security and/or cryptography. A fact we shall see through the study in this chapter is that, even though conforming to standard documents, following well-thought-out design principles, and even being familiar with many typical protocol flaws, design of authentication protocols remains extremely error-prone, even for experts in the area.
Due to the notorious error-prone nature of authentication protocols, this chapter plus the next, as follow-up of Chapter 2, are still not an end for the topic of authentication in this book. Systematic approaches (i.e., formal methods) to the development of correct authentication protocols are currently serious research topics. We shall study the topics of formal approaches to correct authentication protocols in Chapter 17.

11.1.1 Chapter Outline
In 11.2 we discuss the notion of authentication by introducing several refined notions. In 11.3 we agree on conventions for expressing components in authentication protocols and for the default behavior of protocol participants. The next three sections form the first category of our study in this chapter: in 11.4 we study the very basic and standard constructions for authentication protocols; in 11.5 we study some password-based authentication techniques, and in 11.6 we study an important protocol which achieves authentication and authenticated key exchange using cryptographic techniques which are alternatives to those used in the previous two sections. The second category of our study is contained in 11.7 where we list and demonstrate typical attacking techniques applicable to authentication protocols.
Finally, we end this chapter in 11.8 by recommending a brief but important list of literature references in the area.

11.2 Authentication and Refined Notions
For a very short description of authentication, we may say that it is a procedure by which an entity establishes a claimed property to another entity. For example, the former is a subject claiming a legitimate entry to, or use of, the latter which is a system or a service, and by authentication, the latter establishes the claimed legitimacy. From this short description we can already see that authentication involves at least two separate entities in communication. Conventionally, a communication procedure run between or among co-operative principals is called a protocol. An authentication procedure is hence an authentication protocol.
The notion of authentication can be broken down into three sub-notions: data-origin authentication, entity authentication and authenticated key establishment. The first concerns validating a claimed property of a message; the second pays more attention to validating a claimed identity of a message transmitter; and the third further aims to output a secure channel for a subsequent, application-level secure communication session.
11.2.1 Data-Origin Authentication
Data-origin authentication (also called message authentication) relates closely to data integrity. Early textbooks in cryptography and information security viewed these two notions with no essential difference (e.g., Chapter 5 of [89] and 1.2-1.3 of [93]). Such a view was based on a consideration that using information which has been modified in a malicious way is at the same risk as using information which has no reputable source.
However, data-origin authentication and data integrity are two very different notions. They can be clearly differentiated from a number of aspects.
First, data-origin authentication necessarily involves communications. It is a security service for a message receiver to verify whether a message is from a purported source. Data integrity needn't have a communication feature: the security service can be provided on stored data.
Secondly, data-origin authentication necessarily involves identifying the source of a message, while data integrity needn't do so. In 10.5, we have shown and argued with a convincing example that data integrity as a security service can be provided without message source identification. We have even coined a phrase "data integrity from Malice" to label a data-integrity service with such a property. We should remember that according to our stipulation made in Chapter 2 Malice is a faceless principal whose identity has the least to do with a reputable source of a message. In Chapter 15 we shall realize that "data integrity from Malice" is a general mechanism for achieving provably secure public-key cryptosystems.
Thirdly and most significantly, data-origin authentication necessarily involves establishing freshness of a message, while, again, data integrity needn't do so: a piece of stale data can have perfect data integrity. To obtain data-origin authentication service, a message receiver should verify whether or not the message has been sent sufficiently recently (that is, the time interval between the message issuance and its receipt is sufficiently small). A message which is deemed by the receiver to have been issued sufficiently recently is often referred to as a fresh message. Requiring that a message be fresh follows a common sense that a fresh message implies a good correspondence between the communication principals, and this may further imply less likelihood that, e.g., the communication principals, apparatus, systems, or the message itself may have been sabotaged. In 2.6.4 we have seen an attack on the Needham-Schroeder Symmetric-key Authentication Protocol (the attack of Denning and Sacco, Attack 2.2) in which a replayed old message has absolutely valid data integrity but has invalid authenticity.

Authentication failure of this kind can be referred to as valid data integrity without liveness of the message source.
Notice that whether or not a message is fresh should be determined by applications. Some applications require a rather short time interval for a message being fresh which can be a matter of seconds (as in many challenge-response based real-time secure communication applications). Some applications allow a longer freshness period; for example, in World War II, the German military communications encrypted by the famous Enigma machine stipulated a rule that each day all Enigma machines must be set to a new "day-key" [277]. This rule has become a widely used key-management principle for many security systems today, though "day-key" may have been changed to "hour-key" or even "minute-key." Some other applications permit a much longer time interval for message freshness. For example, a bank check may have passed examinations in terms of its integrity and source identification; then its validity (authenticity) for authorizing the payment should be determined by the age of the check, that is, the time interval between the date of the check's issuance and that of the check's deposit. Most banks permit three months as the valid age for a check.
Finally, we point out that some anonymous credentials enabled by some cryptographic schemes (e.g., blind signature) also provide a good differentiation between data-origin authentication and data integrity. A user can be issued an anonymous credential which enables the holder to gain a service by proving membership to a system anonymously. Notice that here, the data integrity evidence can even be demonstrated in a lively correspondent fashion; however, the system is prevented from performing source identification. We will study such cryptographic techniques in a later chapter.
From our discussions so far, we can characterize the notion of data-origin authentication as follows:
i. It consists of transmitting a message from a purported source (the transmitter) to a receiver who will validate the message upon reception.
ii. The message validation conducted by the receiver aims to establish the identity of the message transmitter.
iii. The validation also aims to establish the data integrity of the message subsequent to its departure from the transmitter.
iv. The validation further aims to establish liveness of the message transmitter.
11.2.2 Entity Authentication
Entity authentication is a communication process (i.e., protocol) by which a principal establishes a lively correspondence with a second principal whose claimed identity should meet what is sought by the first. Often, the word "entity" is omitted, as in this statement: "An important goal of an authentication protocol is to establish lively correspondence of a principal."
Often, a claimed identity in a protocol is a protocol message in its own right. In such a situation, confidence about a claimed identity and about the liveness of the claimant can be established by applying data-origin authentication mechanisms. Indeed, as we shall see in many cases in this chapter, for a claimed identity being in the position of a protocol message, treating it as a subject of data-origin authentication does form a desirable approach to entity authentication.
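To make the distinctions of 11.2.1 and 11.2.2 concrete, here is an added example in Python; it is not code from the book. The first half checks a MAC-protected message for source, integrity and freshness (a timestamp window plus a nonce cache), so a replayed or stale message is rejected even though its MAC still verifies, which is exactly the "valid data integrity without liveness of the message source" failure described above. The second half is entity authentication by challenge-response: the verifier's fresh random nonce is what supplies the lively correspondence, and a recorded response is useless against a later challenge. The shared key, identities, clock value and payloads are constructed for the example, and the key is assumed to have been distributed beforehand.

```python
import hmac
import hashlib
import os

# Constructed long-term key shared by the two principals (assumption: it was
# distributed out of band; this example does not cover key distribution).
SHARED_KEY = b"example-shared-key-not-for-real-use"


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so (a||b, c) and (a, b||c) differ."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


# --- Data-origin authentication: source, integrity and freshness ------------

def make_message(key, sender, ts, payload):
    """Sender side: (sender, timestamp, nonce, payload, tag)."""
    nonce = os.urandom(16)
    tag = mac(key, sender, ts.to_bytes(8, "big"), nonce, payload)
    return (sender, ts, nonce, payload, tag)


class Receiver:
    """Checks the three points of 11.2.1: source and integrity via the MAC,
    freshness via a timestamp window, and non-replay via a nonce cache."""

    def __init__(self, key, window_seconds=30):
        self.key = key
        self.window = window_seconds
        self.seen_nonces = set()   # entries older than the window can be dropped

    def accept(self, message, now):
        sender, ts, nonce, payload, tag = message
        expected = mac(self.key, sender, ts.to_bytes(8, "big"), nonce, payload)
        if not hmac.compare_digest(tag, expected):
            return "reject: bad MAC"       # integrity or source failure
        if abs(now - ts) > self.window:
            return "reject: stale"         # valid integrity, no liveness
        if nonce in self.seen_nonces:
            return "reject: replay"        # valid integrity, already consumed
        self.seen_nonces.add(nonce)
        return "accept"


def demo_data_origin():
    now = 1_700_000_000                    # constructed receiver clock
    rx = Receiver(SHARED_KEY)
    fresh = make_message(SHARED_KEY, b"Alice", now, b"transfer 10")
    stale = make_message(SHARED_KEY, b"Alice", now - 3600, b"transfer 10")
    sender, ts, nonce, _, tag = fresh
    tampered = (sender, ts, nonce, b"transfer 99", tag)   # payload edited, tag kept
    return [
        rx.accept(fresh, now),      # accept
        rx.accept(fresh, now),      # replay of a message that still verifies
        rx.accept(stale, now),      # perfect integrity, issued too long ago
        rx.accept(tampered, now),   # integrity failure
    ]


# --- Entity authentication: challenge-response on a fresh nonce -------------

class Verifier:
    """Issues one-time random challenges and accepts one response per challenge."""

    def __init__(self, key, my_id):
        self.key = key
        self.my_id = my_id
        self.pending = {}

    def challenge(self, claimant_id):
        nonce = os.urandom(16)
        self.pending[claimant_id] = nonce
        return nonce

    def check(self, claimant_id, response):
        nonce = self.pending.pop(claimant_id, None)   # consumed on first use
        if nonce is None:
            return False
        return hmac.compare_digest(response, mac(self.key, claimant_id, self.my_id, nonce))


def respond(key, claimant_id, verifier_id, nonce):
    """Claimant side: bind both identities and the challenge under the shared key."""
    return mac(key, claimant_id, verifier_id, nonce)


def demo_entity_auth():
    bob = Verifier(SHARED_KEY, b"Bob")
    c1 = bob.challenge(b"Alice")
    r1 = respond(SHARED_KEY, b"Alice", b"Bob", c1)
    honest = bob.check(b"Alice", r1)          # True: fresh challenge answered
    bob.challenge(b"Alice")                   # a later run issues a new challenge
    replayed = bob.check(b"Alice", r1)        # False: Malice replays r1
    return honest, replayed


if __name__ == "__main__":
    print(demo_data_origin())
    print(demo_entity_auth())
```

The timestamp check assumes loosely synchronized clocks and needs the nonce cache only for the length of the window; the challenge-response form needs no clocks at all but costs an extra message. Binding both identities into the response is what stops a response from being reflected back at its originator, one of the attack classes studied in 11.7.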
There are several types of entity authentication scenarios in distributed systems depending on various ways of classifying principals. We list several usual scenarios which are by no means exhaustive.
Host-host type Communication partners are computers called "nodes" or platforms in a distributed system. Host-level activities often require cooperation among them. For example, in remote "reboot"[a] of a platform, upon reboot, the platform must identify a trusted server to supply necessary information, such as a trusted copy of an operating system, trusted clock setting, or the current trusted environment settings. The establishment of the trusted information is usually achieved via running an authentication protocol. A customary case in this host-host type of communication is a client-server setting where one host (client) requests certain services from the other (server).
[a] "Reboot" is a technical term in computer science for re-initialization of a computer system from some simple preliminary instructions or a set of information which may be hardwired in the system.
User-host type A user gains access to a computer system by logging in to a host in the system. The simplest examples are to log in to a computer via telnet, or to conduct file transfer via ftp (file transfer protocol); both can be achieved via running a password authentication protocol. In a more serious application where a compromised host will cause a serious loss (e.g., when a user makes an electronic payment via a smart card), mutual authentication is necessary.
Process-host type Nowadays distributed computing has been so highly advanced that a great many functionalities and services are possible. A host may grant a foreign process various kinds of access rights. For example, a piece of "mobile code" or a "Java applet"[b] can travel to a remote host and run on it as a remote process. In sensitive applications, it is necessary and possible to design authentication mechanisms so that an applet can be deemed a friendly one by a host and be granted an appropriate access right on it.
[b] A Java applet is executable code run by a "web browser" on a remote host in order to effect a function on the issuing host's behalf.
Member-club type A proof of holding a credential by a member to a club can be viewed as a generalization of the "user-host type." Here a club may need only to be concerned with the validation of the member's credential without necessarily knowing further information such as the true identity of the member. Zero-knowledge identification protocols and undeniable signature schemes can enable this type of entity authentication scenario. We shall study these authentication techniques in Chapter 18.
11.2.3 Authenticated Key Establishment
Often, communication partners run an entity authentication protocol as a means to bootstrap further secure communications at a higher or application level. In modern cryptography, cryptographic keys are the basis for secure communication channels. Therefore, entity authentication protocols for bootstrapping higher or application-level secure communications generally feature a sub-task of (authenticated) key establishment, or key exchange, or key agreement.

As in the case where entity authentication can be based on data-origin authentication regarding the identity of a claimant, in protocols for authenticated key establishment, key establishment material also forms important protocol messages which should be the subject for data-origin authentication.

In the literature, (entity) authentication protocols, authenticated key establishment (key exchange, key agreement) protocols, security protocols, or sometimes even cryptographic protocols, often refer to the same set of communication protocols.
11.2.4 Attacks on Authentication Protocols
Since the goal of an authentication protocol (data-origin, entity, key establishment) is to establish a claimed property, cryptographic techniques are inevitably used. Also inevitably, the goal of an authentication protocol will be matched with a counter-goal: attack. An attack on an authentication protocol consists of an attacker or a coalition of them (who we name collectively Malice, see §2.3) achieving an unentitled gain. Such a gain can be a serious one such as Malice obtaining a secret message or key, or a less serious one such as Malice successfully deceiving a principal into establishing a wrong belief about a claimed property. In general, an authentication protocol is considered flawed if a principal concludes a normal run of the protocol with its intended communication partner while the intended partner would have a different conclusion.

We must emphasize that attacks on authentication protocols are mainly those which do not involve breaking the underlying cryptographic algorithms. Usually, authentication protocols are insecure not because the underlying cryptographic algorithms they use are weak, but because of protocol design flaws which permit Malice to break the goal of authentication without necessarily breaking any cryptographic algorithm. We shall see many such attacks in this chapter. For this reason, in the analysis of authentication protocols, we usually assume that the underlying cryptographic algorithms are "perfect" without considering their possible weaknesses. Those weaknesses are usually considered in other subjects of cryptography.
11.3 Convention
In authentication protocols to appear in the rest of this chapter, we stipulate a set of conventions for the semantical meanings of some protocol messages according to their syntactic structures. This convention set is as follows:

Alice, Bob, Trent, Malice, ...: principal names appear as protocol messages; sometimes they may be abbreviated to A, B, T, M, ...;

Alice → Bob: M; Alice sends to Bob message M; a protocol specification is a sequence of several such message communications;

{M}_K: a ciphertext which encrypts the message M under the key K;

K, K_AB, K_AT, K_A, ...: cryptographic keys, where K_XY denotes a key shared between principals X and Y, and K_X denotes a public key of principal X;

N, N_A, ...: nonces, which stands for "numbers used once" [61]; these are random numbers sampled from a sufficiently large space; N_X is generated by principal X;

T_X: a timestamp created by principal X;

sig_A(M): a digital signature on message M created by principal A.

Remark 11.1

We should notice that the semantical meanings of protocol messages which are associated to their syntactic structures (types) as above are not necessarily comprehensible by a protocol participant (say Alice). In general, for any message or part of a message in a protocol, if the protocol specification does not require Alice to perform a cryptographic operation on that message or message part, then Alice (in fact, her protocol compiler) will only understand that message part at the syntactic level. At the syntactic level, Alice may misinterpret the semantical meanings of a protocol message. We exemplify various possibilities of misinterpretation in Example 11.1.

Example 11.1.

At the syntactic level, Alice may make wrong interpretations of protocol messages. Here are a few examples:

She may consider a message chunk as a ciphertext and may try to decrypt it if she thinks she has the right key, or forward it to Bob if she thinks that the chunk is for him. However, the message chunk may in fact be a principal's identity (e.g., Alice or Bob) or a nonce or a timestamp.

She may decrypt a ciphertext and send the result out by "following protocol instruction," where the ciphertext is in fact one which was created earlier by herself, perhaps in a different context.
She may view a key parameter as a nonce; etc.

It may seem that Alice is very "stupid" in understanding protocol messages. No, we should rather consider that she is too innocent and cannot always anticipate the existence of "clever" Malice who may have already "recompiled" a protocol by misplacing various message parts in order to cause the misinterpretation.

In general, we have a further set of conventions for the behavior of a protocol participant, whether a legitimate one or an uninvited one:

An honest principal in a protocol does not understand the semantical meanings of any protocol message before a run of the protocol terminates successfully.

An honest principal in a protocol cannot recognize {M}_K or create it or decompose it unless the principal has in its possession the correct key.

An honest principal in a protocol cannot recognize a random-looking number such as a nonce, a sequence number or a cryptographic key, unless the random-looking number either has been created by the principal in the current run of the protocol, or is an output to the principal as a result of a run of the protocol.

An honest principal in a protocol does not record any protocol messages unless the protocol specification instructs so. In general, an authentication protocol is stateless, that is, it does not require a principal to maintain any state information after a protocol run terminates successfully, except for information which is deemed to be the output of the protocol to the principal.

Malice, in addition to his capability specified in §2.3, knows the "stupidities" (to be more fair, the weaknesses) of honest principals which we have exemplified in Example 11.1, and will always try to exploit them.

Authentication protocols are meant to transmit messages in a public communication network, which is assumed to be under Malice's control, and to thwart his attacks in such an environment although Malice is "clever" and honest principals are "stupid."

Now let us see how this is achieved.
11.4 Basic Authentication Techniques
There are numerous protocol-based techniques for realizing (data-origin, entity) authentication and authenticated key establishment. However, the basic protocol constructions, in particular those which should be regarded as good ones, and the simple technical ideas behind the good constructions, are not so diverse.

In this section let us study basic authentication techniques through introducing some basic but important protocol constructions. In our study, we shall pay particular attention to constructions which have been documented in a series of international standards. We consider that these constructions should serve as models for the design of authentication protocols. We shall also argue why some constructions are more desirable than others, exemplify a few bad ones and explain why they are bad.

The following basic authentication techniques will be studied in this section:

Standard mechanisms for establishing message freshness and principal liveness (§11.4.1)

Mutual authentication vs. unilateral authentication (§11.4.2)

Authentication involving a trusted third party (§11.4.3)
11.4.1 Message Freshness and Principal Liveness
To deem whether a message is fresh is a necessary part of data-origin authentication (please notice the difference between message source identification and data-origin authentication which we have discussed in §11.2.1), as well as in the case of entity authentication where a principal is concerned with lively correspondence of an intended communication partner. Therefore, mechanisms which establish message freshness or principal liveness are the most basic components in authentication protocols.

Let us now describe the basic and standard mechanisms to achieve these functions. In our descriptions, we shall let Alice be in the position of a claimant regarding a property (e.g., her liveness, or freshness of a message), and Bob be in the position of a verifier regarding the claimed property. We assume that Alice and Bob share a secret key K_AB if a mechanism uses symmetric cryptographic techniques, or that Bob knows Alice's public key via a public-key certification framework[c] if a mechanism uses asymmetric cryptographic techniques.

[c] Public-key certification frameworks will be introduced in Chapter 13.
11.4.1.1 Challenge-Response Mechanisms
In a challenge-response mechanism, Bob (the verifier) has his input to a composition of a protocol message and the composition involves a cryptographic operation performed by Alice (the claimant) so that Bob can verify the lively correspondence of Alice via the freshness of his own input. The usual form of Bob's input can be a random number (called a nonce) which is generated by Bob and passed to Alice beforehand. Let N_B denote a nonce generated by Bob. This message freshness mechanism has the following interactive format:

Equation 11.4.1
Here, the first message transmission is often called Bob's challenge to Alice, and the second message transmission is thereby called Alice's response to Bob. Bob is in the position of an initiator while Alice is in the position of a responder.

The specified mechanism uses a symmetric cryptographic technique: symmetric encryption. Therefore, upon receipt of Alice's response, Bob has to decrypt the ciphertext chunk using the shared key K_AB. If the decryption extracts his nonce correctly (be careful of the meaning of "correctly," it actually means correct data integrity, as we shall see in a moment) then Bob can conclude that Alice has indeed performed the required cryptographic operation after his action of sending the challenge; if the time interval between the challenge and the response is acceptably small (according to an application requirement as we have discussed in §11.2.1), then the message M is deemed to be fresh. The intuition behind this message freshness mechanism is a confidence that Alice's cryptographic operation must have taken place after her receipt of Bob's nonce. This is because Bob's nonce has been sampled at random from a sufficiently large space and so no one can have predicted its value before his sampling.

Now let us explain what we meant by Bob's decryption and extraction of his nonce "correctly" (as we warned in the previous paragraph). The use of symmetric encryption in this mechanism may deceptively imply that the cryptographic service provided here is confidentiality. In fact, the necessary security service for achieving message freshness should be data integrity. The reader might want to argue that the two principals may want to keep the message M confidential, e.g., M may be a cryptographic key to be used for securing a higher-level communication session later (and thus this basic construction includes a sub-task of session key establishment). This does constitute a legitimate reason for using encryption. We could actually further consider that the two parties may also like to keep Bob's nonce secret and so in that case Bob should also encrypt the first message transmission. Therefore, we are not saying that the use of encryption for providing the confidentiality service is wrong here provided such a service is needed. What we should emphasize here is that if the encryption algorithm does not provide a proper data-integrity service (an encryption algorithm usually doesn't), then the specified mechanism is a dangerous one because the necessary service needed here, data integrity, is missing! In §17.2.1 we shall see with convincing evidence the reason behind the following statement:

Remark 11.2

If the encryption algorithm in authentication mechanism (11.4.1) does not offer a proper data-integrity service then Bob cannot establish the freshness of the message M.

The correct and standard approach to achieving a data-integrity service using symmetric cryptographic techniques is to use a manipulation detection code (MDC, see Definition 10.1 in §10.1). Therefore, in mechanism (11.4.1), the encryption should be accompanied by an MDC which is keyed with a shared key and inputs the ciphertext chunk which needs integrity protection. If the message M does not need confidentiality protection, then the following mechanism is a proper one for achieving message freshness:

Equation 11.4.2
Notice that in order for Bob to be able to reconstruct the MDC in step 3, the message M now must be sent in cleartext in step 2. Of course, M can be a ciphertext encrypting a confidential message.

In §17.2.1 we shall argue with convincing evidence that, in terms of achieving authentication using symmetric cryptographic techniques, mechanism (11.4.2) is a correct approach while mechanism (11.4.1) is an incorrect one. There we shall also see that, without proper data integrity, confidentiality of M in (11.4.1) needn't be in place even if the mechanism uses a strong encryption algorithm.

The challenge-response mechanism can also be achieved by applying an asymmetric cryptographic technique, as in the following mechanism:

Equation 11.4.3

Notice that in this mechanism, Alice's free choice of the message M is very important. Alice's free choice of M should be part of the measure to prevent this mechanism from being exploited by Bob to trick Alice into inadvertently signing a message of Bob's preparation. For example, Bob may have prepared his "nonce" as

N_B = h(Transfer 1000 to Bob's Acc. No. 123 from Alice's Acc. No. 456.)

where h is a hash function.

In some applications, a signer in the position of Alice in mechanism (11.4.3) may not have freedom to choose M. In such situations, specialized keys can be defined to confine the usages of keys. For example, the public key for verifying Alice's signature in mechanism (11.4.3) can be specified for the specific use in this mechanism. Specialization of cryptographic keys is a subject in key management practice.
11.4.1.2 Standardization of the Challenge-response Mechanisms
The ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission) have standardized the three challenge-response mechanisms
introduced so far as the basic constructions for unilateral entity authentication mechanisms.

The standardization for mechanism (11.4.1) is called "ISO Two-Pass Unilateral Authentication Protocol" and is as follows [147]:

1. B → A: R_B || Text1;
2. A → B: TokenAB.

Here TokenAB = Text3 || {R_B || B || Text2}_{K_AB}.

Upon receipt of TokenAB, Bob should decrypt it; he should accept the run if the decryption reveals his nonce R_B correctly, or reject the run otherwise.

Here and below in the ISO/IEC standards, we shall use precisely the notation of the ISO/IEC for protocol specification. In the ISO/IEC specification, Text1, Text2, etc. are optional fields, || denotes bit string concatenation, and R_B is a nonce generated by Bob.

We should remind the reader of the importance for the encryption algorithm to provide a data integrity service, which is a necessary condition to allow testing whether or not a decryption result is correct (review Remark 11.2 in §11.4.1.1).

Notice also that while we regard (11.4.1) as a basic message freshness mechanism, its ISO/IEC standard version is an entity authentication mechanism. Therefore the inclusion of the message "B," i.e., Bob's identity, in place of M in (11.4.1) becomes vitally important: the inclusion makes it explicit that the ISO/IEC mechanism is for the purpose of establishing Bob's lively correspondence, is an entity authentication protocol in which Bob is the subject of authentication. Abadi and Needham propose a list of prudent engineering principles for cryptographic protocol design [1]; making explicit the identity of the intended authentication subject is an important principle in their list. In §11.7.7 we shall see the danger of omission of the principal's identity in authentication protocols.

The ISO/IEC standardization for mechanism (11.4.2) is called "ISO Two-Pass Unilateral Authentication Protocol Using a Cryptographic Check Function (CCF)," and is as follows [149]:

1. B → A: R_B || Text1;
2. A → B: TokenAB.

Here[d] TokenAB = Text2 || f_{K_AB}(R_B || B || Text2); f is a CCF, and is essentially a cryptographic hash function. The use of the CCF here is keyed.

[d] In [149], Text2 in the cleartext part is mistaken to Text3. Without Text2 in cleartext, B cannot verify the CCF by reconstructing it.

Upon receipt of TokenAB, B should reconstruct the keyed CCF using the shared key, his nonce, his identity and Text2; he should accept the run if the reconstructed CCF block is identical to the received block, or reject the run otherwise.
The I SO/ I EC st andar di zat i on for mechani sm ( 11.4. 3) is cal l ed " I SO Publi c Key Two- Pass
Uni l at er al Aut hent i cat i on Prot ocol , " and is as fol l ows [ 148] :
B A : R
B
| | Text 1; 1.
2.

2. A → B: Cert_A || TokenAB.

Here TokenAB = R_A || R_B || B || Text3 || sig_A(R_A || R_B || B || Text2); Cert_A is Alice's public key certificate (we shall study public-key certification in the next chapter).

Upon receipt of TokenAB, B should verify the signature; he should accept the run if the verification passes, or reject the run otherwise.

As we have discussed regarding mechanism (11.4.3), in this ISO/IEC protocol, A's free choice of R_A forms part of the measure preventing A from inadvertently signing a message of B's preparation.
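The two-pass CCF mechanism above, carried through in code as an added example (this is not code from the book or from ISO/IEC 9798-4). It assumes HMAC-SHA256 in the role of the keyed CCF f_KAB, 16-byte random nonces, a constructed shared key and constructed identities, and a length-prefixed field framing that is this example's choice where the standard writes plain concatenation. Bob reconstructs f_KAB(R_B || B || Text2) from the cleartext Text2, which is why Text2 must travel in clear (footnote d); the demo also shows that a replayed token and a token bound to another principal's identity are both rejected, the latter being the reason B's identity sits inside the checked string.

```python
"""ISO Two-Pass Unilateral Authentication with a keyed CCF (mechanism 11.4.2 as standardized).
Added illustration for this section; not code from the book or from ISO/IEC 9798-4.
Assumptions: HMAC-SHA256 plays the role of f_KAB, nonces are 16 random bytes, and the
demo key and identities below are constructed sample values."""
import hashlib
import hmac
import os

# Constructed demo key shared by A and B (not a value from the page).
K_AB = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefixed concatenation: the unambiguous form of the standard's '||'."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def decode_fields(data: bytes) -> list:
    """Inverse of encode_fields; raises ValueError on truncated input."""
    fields, pos = [], 0
    while pos < len(data):
        n = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        if pos + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[pos:pos + n])
        pos += n
    return fields


def ccf(key: bytes, data: bytes) -> bytes:
    """Keyed cryptographic check function f_K (HMAC-SHA256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Bob:
    """The verifier B. Holds the challenge nonce only for the duration of one run."""

    def __init__(self, identity: bytes, key: bytes):
        self.identity, self.key, self.pending = identity, key, None

    def message1(self, text1: bytes = b"") -> bytes:
        """1. B -> A : R_B || Text1"""
        self.pending = os.urandom(16)
        return encode_fields(self.pending, text1)

    def check_token(self, token_ab: bytes) -> bool:
        """2. A -> B : TokenAB = Text2 || f_KAB(R_B || B || Text2).
        B reconstructs the CCF from his own nonce, his own identity and the cleartext Text2."""
        if self.pending is None:
            return False                      # no run in progress: nothing to compare against
        try:
            text2, received = decode_fields(token_ab)   # wrong field count also raises ValueError
        except ValueError:
            self.pending = None
            return False
        expected = ccf(self.key, encode_fields(self.pending, self.identity, text2))
        self.pending = None                   # the nonce dies with the run, accepted or not
        return hmac.compare_digest(expected, received)


def alice_token(key: bytes, message1: bytes, subject_identity: bytes, text2: bytes = b"") -> bytes:
    """A's side: bind B's nonce and B's identity into the CCF, send Text2 in clear."""
    r_b, _text1 = decode_fields(message1)
    return encode_fields(text2, ccf(key, encode_fields(r_b, subject_identity, text2)))


def demo() -> dict:
    """Three runs: an honest one, a replay of the honest token, and a token bound to the wrong identity."""
    bob = Bob(b"B", K_AB)
    m1 = bob.message1(b"hello")
    token = alice_token(K_AB, m1, b"B", b"text2")
    honest = bob.check_token(token)
    bob.message1()                            # a new run issues a fresh R_B ...
    replayed = bob.check_token(token)         # ... so the old token no longer verifies
    m1 = bob.message1()
    wrong_subject = bob.check_token(alice_token(K_AB, m1, b"A", b"text2"))  # identity mismatch
    return {"honest": honest, "replayed": replayed, "wrong_subject": wrong_subject}
```

Bob keeps only the nonce of the run in progress and discards it on acceptance or rejection, so the protocol stays stateless across runs in the sense of the convention in 11.3; the constant-time comparison of the CCF blocks is the detail the standard leaves to the implementer.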
11.4.1.3 Timestamp Mechanisms

In a timestamp mechanism, Alice adds the current time to her message composition, which involves a cryptographic operation so that the current time is cryptographically integrated into her message.

Let T_A denote a timestamp created by Alice when she composes her message. This message freshness mechanism has the following non-interactive format:

Equation 11.4.4

Analogous to mechanism (11.4.1), the decryption performed by Bob must be tested for data-integrity correctness (review 11.4.1.1 and Remark 11.2 given there). After decryption, Bob can compare the revealed T_A with his own time (we assume that the protocol participants use a global standard time, such as Greenwich Mean Time). If the time difference is sufficiently small as allowed by the application in Bob's mind, then the message M is deemed fresh.

Analogous to our criticism in 11.4.1.1 on encryption without data-integrity as a misuse of security service, a more desirable version of the timestamp mechanism using symmetric cryptographic techniques should be as follows:

Equation 11.4.5

In this version, Bob performs data-integrity validation by checking a one-way transformation

style of cryptographic integration between the timestamp and the message. Of course, if M also needs confidentiality protection, then it is necessary to use encryption; however, the use of encryption does not rule out the necessity of data-integrity protection.

Obviously, a timestamp mechanism can also be obtained by applying asymmetric cryptographic techniques:

Equation 11.4.6

A timestamp mechanism avoids the need for interaction, and is therefore suitable for applications which involve no interaction, e.g., an electronic mail application. However, the disadvantage of a timestamp mechanism is that synchronized time clocks are required and must be maintained securely. This can be difficult. Difficulties, precautions and objections to timestamps have been well documented in the literature [28, 34, 115, 99].

In the basic protocol constructions introduced so far, a nonce or a timestamp are special message components. They play the role of identifying the freshness of other messages which are cryptographically integrated with them. We shall use freshness identifier to refer to a nonce or a timestamp.

11.4.1.4 Standardization of Timestamp Mechanisms

The ISO/IEC have also standardized timestamp mechanisms for authentication protocols.

The ISO/IEC standardization for mechanism (11.4.4) is called "ISO Symmetric Key One-Pass Unilateral Authentication Protocol" [147] and is as follows:

1. A → B: TokenAB.

Here TokenAB = Text2 || ε_KAB(T_A/N_A || B || Text1).

Again, because this simple mechanism uses an encryption-decryption approach, we should recall Remark 11.2 in 11.4.1.1 for the importance for the encryption algorithm to serve data-integrity protection.

Here T_A/N_A denotes the choice between the use of T_A, which is a timestamp, and N_A, which is a sequence number. In the case of using a sequence number, Alice and Bob maintain a synchronized sequence number (e.g., a counter) so that the sequence number N_A will increase in a manner known to Bob. After a successful receipt and validation of a sequence number, each of the two principals should update its sequence-number keeper to the new state.

There are two disadvantages in a sequence-number mechanism. First, a set of state information must be maintained for each potential communication partner; this can be difficult for applications in an open environment where each principal may communicate with many other

principals. Therefore a sequence-number mechanism does not scale well. Secondly, management of a sequence-number keeper can be very troublesome in the presence of communication errors, either genuine ones or deliberate ones (such as a result of a denial-of-service attack). Recall our convention made in 11.3 that an authentication protocol should be stateless; a stateful protocol cannot function properly in a hostile environment. We therefore do not recommend a sequence-number mechanism even though such mechanisms have been documented in ISO/IEC standards.

The ISO/IEC standardization for mechanism (11.4.5) is called "ISO One-Pass Unilateral Authentication with Cryptographic Check Functions" [149], and is as follows:

1. A → B: TokenAB.

Here TokenAB = T_A/N_A || B || Text1 || f_KAB(T_A/N_A || B || Text1) [e]; f is a keyed CCF, e.g., a keyed hash function.

[e] As in Footnote d, [149] mistakenly specifies Text2 instead of Text1 in the cleartext part, and so B may not be able to check the CCF.

The reader may have already predicted the following named protocol as the public-key counterpart to the encryption and cryptographic-check-function versions: "ISO Public Key One-Pass Unilateral Authentication Protocol" [148]:

1. A → B: Cert_A || TokenAB.

Here TokenAB = T_A/N_A || B || Text2 || sig_A(T_A/N_A || B || Text1).
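The one-pass CCF mechanism with a timestamp, carried through as an added example that is not code from the book or from ISO/IEC 9798-4. It assumes HMAC-SHA256 as f_KAB, T_A encoded as an 8-byte big-endian Unix time, a constructed demo key, and an acceptance window of 120 seconds chosen for illustration. The short-lived cache of accepted CCF tags is an engineering addition beyond what the standard specifies: inside the window the timestamp alone cannot distinguish a replayed token from the original, and the cache only needs to remember tags whose timestamps are still inside that window.

```python
"""ISO One-Pass Unilateral Authentication with a keyed CCF and a timestamp (mechanism 11.4.5
as standardized), plus the checks B performs on receipt. Added illustration; not code from the
book or from ISO/IEC 9798-4. Assumptions: HMAC-SHA256 as f_KAB, T_A as an 8-byte big-endian
Unix time, a constructed demo key, a 120-second acceptance window, and a replay cache of
accepted tags that is an engineering addition beyond the standard."""
import hashlib
import hmac

# Constructed demo key shared by A and B (not a value from the page).
K_AB = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
T_LEN, TAG_LEN = 8, 32


def ccf(key: bytes, data: bytes) -> bytes:
    """Keyed cryptographic check function f_K (HMAC-SHA256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def make_token(key: bytes, t_a: int, subject: bytes, text1: bytes = b"") -> bytes:
    """A -> B : TokenAB = T_A || B || Text1 || f_KAB(T_A || B || Text1)."""
    clear = t_a.to_bytes(T_LEN, "big") + subject + text1
    return clear + ccf(key, clear)


class Bob:
    """B verifies the CCF first, then his identity, then the timestamp window, then replay."""

    def __init__(self, identity: bytes, key: bytes, window: int = 120):
        self.identity, self.key, self.window = identity, key, window
        self.seen = {}   # tag -> T_A for tokens accepted inside the window

    def check_token(self, token: bytes, now: int) -> str:
        if len(token) < T_LEN + len(self.identity) + TAG_LEN:
            return "malformed"
        clear, tag = token[:-TAG_LEN], token[-TAG_LEN:]
        if not hmac.compare_digest(ccf(self.key, clear), tag):
            return "bad_ccf"                       # unauthenticated input never touches state
        if clear[T_LEN:T_LEN + len(self.identity)] != self.identity:
            return "wrong_subject"                 # token was composed for some other principal
        t_a = int.from_bytes(clear[:T_LEN], "big")
        if abs(now - t_a) > self.window:
            return "stale"                         # clock skew or an old message
        # Forget tags whose timestamps have left the window; they can no longer pass the check above.
        self.seen = {k: v for k, v in self.seen.items() if abs(now - v) <= self.window}
        if tag in self.seen:
            return "replay"                        # fresh by timestamp, but already accepted once
        self.seen[tag] = t_a
        return "accepted"


def demo() -> list:
    """Outcomes for a good token, its replay, an hour-old token, a wrong-subject token and a tampered one."""
    now = 1_700_000_000                            # constructed 'current time'
    bob = Bob(b"B", K_AB)
    good = make_token(K_AB, now, b"B", b"text1")
    old = make_token(K_AB, now - 3600, b"B", b"text1")
    for_alice = make_token(K_AB, now, b"A", b"text1")   # composed for subject A, not B
    i = len(good) - TAG_LEN - 1                    # index of the last byte of Text1
    tampered = good[:i] + bytes([good[i] ^ 0x01]) + good[i + 1:]
    return [bob.check_token(t, now) for t in (good, good, old, for_alice, tampered)]
```

The order of checks matters: the CCF is verified before anything is stored, so unauthenticated traffic cannot grow the cache, and the cache is pruned by the same window that the timestamp check applies, which keeps B's state bounded by the window rather than by the number of partners, the scaling problem the text raises for sequence numbers.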
11.4.1.5 Non-standard Mechanisms

We have introduced so far several basic constructions for building authentication protocols. It is not difficult at all to imagine numerous other variations which can achieve the same purpose as has been achieved by the introduced basic constructions. For example, a variation for mechanism (11.4.1) using symmetric cryptographic techniques can be

Equation 11.4.7

For another example, a variation for mechanism (11.4.3) using asymmetric cryptographic techniques can be:

Equation 11.4.8

Here K_A denotes a public-key encryption algorithm under Alice's public key. In these two variations, Bob validates Alice's lively correspondence by encrypting a freshness identifier and testing if she can perform timely decryption. We shall use encryption-then-decryption (of a freshness identifier) to refer to these mechanisms.

While performing encryption-then-decryption of a freshness identifier does provide a means for validating the lively correspondence of an intended communication partner, such a mechanism is not desirable for constructing authentication protocols. In such a mechanism Alice can be used as a decryption oracle (see 7.8.2.1 and 8.9 for the meaning of an oracle service) and inadvertently disclose confidential information. For example, Malice may record a ciphertext chunk from a confidential conversation between Alice and Bob, and insert it in a protocol which uses an encryption-then-decryption mechanism; then Alice may be tricked into disclosing the confidential conversation. Recall our convention for honest principals (in 11.3): Alice may misinterpret a message as a nonce and therefore return the "nonce" by faithfully following the "protocol instruction."

The undesirability of encryption-then-decryption mechanisms has also been manifested by the fact that the ISO/IEC standardization process has not considered standardizing such a mechanism. That is part of the reason why we name the mechanisms in (11.4.7) and (11.4.8) non-standard ones.

However, many authentication protocols have been designed to use an encryption-then-decryption mechanism. We will analyze several such protocols in 17.2; there we shall identify the use of the non-standard mechanisms as the main cause of the security flaws in those protocols.

11.4.2 Mutual Authentication

The basic mechanisms for message freshness or principal liveness introduced so far achieve so-called "unilateral authentication," which means that only one of the two protocol participants is authenticated. In mutual authentication, both communicating entities are authenticated to each other.
ISO and IEC have standardized a number of mechanisms for mutual authentication. A signature-based mechanism named "ISO Public Key Three-Pass Mutual Authentication Protocol" [148] is specified in Prot 11.1. We choose to specify this mechanism in order to expose a common misunderstanding on mutual authentication.

One might want to consider that mutual authentication is simply twice unilateral authentication; that is, mutual authentication could be achieved by applying one of the basic unilateral authentication protocols in 11.4.1 twice in the opposite directions. However, this is not generally true!

Protocol 11.1: ISO Public Key Three-Pass Mutual Authentication Protocol

PREMISE: A has public key certificate Cert_A;
         B has public key certificate Cert_B;
GOAL:    They achieve mutual authentication.

1. B → A: R_B;
2. A → B: Cert_A, TokenAB;
3. B → A: Cert_B, TokenBA.

Here
TokenAB = R_A || R_B || B || sig_A(R_A || R_B || B);
TokenBA = R_B || R_A || A || sig_B(R_B || R_A || A).

(* optional text fields are omitted. *)

A subtle relationship between mutual authentication and unilateral authentication was not clearly understood in an early stage of the ISO/IEC standardization process for Prot 11.1. In several early standardization drafts for Prot 11.1 [143, 130], TokenBA was slightly different from that in the current version. The early drafts intentionally disallowed B to reuse his challenge nonce R_B in order to avoid him signing a string which is partly defined, and fully known in advance, by A. Apart from this reasonable consideration, TokenBA in the early drafts was a syntactic and symmetric mirror image of TokenAB. This version survived through a few revisions of ISO/IEC 9798-3, until an attack was discovered by the Canadian member body of ISO [143]. The attack is hence widely known as the "Canadian Attack." The attack is due to Wiener (see 12.9 of [198]). In addition to the ISO documentation, Diffie, van Oorschot and Wiener discuss the attack in [99]. We shall therefore also call the attack Wiener's attack.
11.4.2.1 Wiener's Attack (the Canadian Attack)

Wiener's attack on an early draft for "ISO Public Key Three-Pass Mutual Authentication Protocol" is given in Attack 11.1 (recall our notation agreed in 2.6.2 for describing Malice sending and intercepting messages in a masquerading manner).

After the discovery of Wiener's attack, the ISO/IEC 9798 series for standardization of authentication protocols started to take a cautious approach to mutual authentication. If TokenAB

appears in a unilateral authentication protocol, then in a mutual authentication protocol which is augmented from the unilateral version, the matching counterpart TokenBA for mutual authentication will have a context-sensitive link to TokenAB; this link is usually made via reusing a freshness identifier used in the same (i.e., current) run.

Attack 11.1: Wiener's Attack on ISO Public Key Three-Pass Mutual Authentication Protocol

PREMISE: In addition to that of Prot 11.1, Malice has public key certificate Cert_M;

1.  Malice("B") → A: R_B
2.  A → Malice("B"): Cert_A, R_A || R_B || B || sig_A(R_A || R_B || B)
1'. Malice("A") → B: R_A
2'. B → Malice("A"): Cert_B, R'_B || R_A || A || sig_B(R'_B || R_A || A)
3.  Malice("B") → A: Cert_B, R'_B || R_A || A || sig_B(R'_B || R_A || A)

CONSEQUENCE: A thinks that it is B who has initiated the run and accepts B's identity; but B did not initiate the run, and is still waiting to terminate a run started by Malice("A").

In the current version of "ISO Public Key Three-Pass Mutual Authentication Protocol" (i.e., Prot 11.1, which has been fixed from the early version vulnerable to Wiener's attack), A is explicitly instructed to maintain the state regarding B's nonce R_B until the current run terminates.
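Protocol 11.1 with the state A keeps after the fix, as an added example that is not code from the book or from ISO/IEC 9798-3. It assumes 16-byte nonces and short byte-string identities, and it simulates sig_X and Cert_X with an HMAC under a per-principal secret held in a small directory, so it models the message structure and A's checks rather than a real signature scheme. The responder stores (R_B, B) against her own R_A when she sends TokenAB and accepts TokenBA only if it carries that same R_B. `early_draft_scenario` feeds her the messages of Attack 11.1, with B answering in the responder role as in step 2', and shows that this check is what rejects them; a responder constructed without it behaves like the early draft and accepts.

```python
"""Protocol 11.1 (ISO Public Key Three-Pass Mutual Authentication) with the post-Wiener fix:
the responder A keeps the initiator's nonce R_B in per-run state and accepts TokenBA only if it
carries that same R_B. Added illustration; not code from the book or from ISO/IEC 9798-3.
Assumptions: sig_X is simulated with an HMAC under a per-principal secret (a stand-in for a real
signature and its certificate), nonces are 16 random bytes, identities are short byte strings."""
import hashlib
import hmac
import os

NONCE_LEN, SIG_LEN = 16, 32
# Constructed per-principal secrets standing in for Cert_A / Cert_B and the matching private keys.
SIGNING_KEYS = {b"A": b"A-secret-signing-key-constructed", b"B": b"B-secret-signing-key-constructed"}


def sig(signer: bytes, data: bytes) -> bytes:
    """Stand-in for sig_signer(data); verification recomputes it (not a public-key signature)."""
    return hmac.new(SIGNING_KEYS[signer], data, hashlib.sha256).digest()


def parse_token(token: bytes):
    """Token layout in this example: first nonce || second nonce || identity || sig."""
    if len(token) < 2 * NONCE_LEN + SIG_LEN + 1:
        raise ValueError("short token")
    return (token[:NONCE_LEN], token[NONCE_LEN:2 * NONCE_LEN],
            token[2 * NONCE_LEN:-SIG_LEN], token[-SIG_LEN:])


class Principal:
    def __init__(self, name: bytes, link_nonce: bool = True):
        self.name = name
        self.link_nonce = link_nonce     # False reproduces the early-draft behaviour
        self.initiated = set()           # nonces this principal sent in message 1 as initiator
        self.responding = {}             # own R_A -> (peer's R_B, peer name) for runs answered

    # --- initiator side (B in Prot 11.1) ---
    def message1(self) -> bytes:
        r = os.urandom(NONCE_LEN)
        self.initiated.add(r)
        return r

    def message3(self, token_ab: bytes, peer: bytes):
        """Check TokenAB, then produce TokenBA = R_B || R_A || A || sig_B(R_B || R_A || A)."""
        r_a, r_b, ident, s = parse_token(token_ab)
        if ident != self.name or r_b not in self.initiated:
            return None
        if not hmac.compare_digest(sig(peer, r_a + r_b + ident), s):
            return None
        self.initiated.discard(r_b)
        body = r_b + r_a + peer
        return body + sig(self.name, body)

    # --- responder side (A in Prot 11.1) ---
    def message2(self, r_b: bytes, peer: bytes) -> bytes:
        """TokenAB = R_A || R_B || B || sig_A(R_A || R_B || B); remember R_B for this run."""
        r_a = os.urandom(NONCE_LEN)
        self.responding[r_a] = (r_b, peer)
        body = r_a + r_b + peer
        return body + sig(self.name, body)

    def finish(self, token_ba: bytes, peer: bytes) -> bool:
        r_b, r_a, ident, s = parse_token(token_ba)
        run = self.responding.get(r_a)
        if run is None or ident != self.name:
            return False
        if self.link_nonce and run[0] != r_b:   # the context-sensitive link to this run's R_B
            return False
        if run[1] != peer or not hmac.compare_digest(sig(peer, r_b + r_a + ident), s):
            return False
        del self.responding[r_a]                # the run terminates; its state is dropped
        return True


def honest_run() -> bool:
    a, b = Principal(b"A"), Principal(b"B")
    r_b = b.message1()
    token_ab = a.message2(r_b, b"B")
    token_ba = b.message3(token_ab, b"A")
    return token_ba is not None and a.finish(token_ba, b"B")


def early_draft_scenario(link_nonce: bool) -> bool:
    """The message flow of Attack 11.1 against a responder with (True) or without (False) the fix."""
    a, b = Principal(b"A", link_nonce), Principal(b"B", link_nonce)
    r_b = os.urandom(NONCE_LEN)            # 1.  Malice("B") -> A : R_B
    token_ab = a.message2(r_b, b"B")       # 2.  A -> Malice("B") : TokenAB, which carries R_A
    r_a = parse_token(token_ab)[0]
    token_2prime = b.message2(r_a, b"A")   # 1'/2'. Malice("A") -> B : R_A ; B answers as responder
    return a.finish(token_2prime, b"B")    # 3.  Malice("B") -> A : B's step-2' token as TokenBA
```

The only difference between the two outcomes of `early_draft_scenario` is the comparison of the stored R_B with the one inside TokenBA; the signature, the identity field and the freshness of R_A all pass in both cases, which is exactly why the early-draft mirror-image TokenBA could not tell the two runs apart.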
11.4.3 Authentication Involving Trusted Third Party

In the basic constructions of authentication protocols introduced in this chapter so far, we have assumed that the two protocol participants either already share a secure channel (in the cases of the constructions using symmetric cryptographic techniques), or one knows the public key of the other (in the cases of the constructions using asymmetric cryptographic techniques). So we may say that these protocol constructions are for use by principals who already know each other. Then why do they still want to run an authentication protocol? One simple answer is that they want to refresh the secure channel between them by reconfirming a lively correspondence between them.

Another answer, a better one, is that these basic protocol constructions actually form building blocks for authentication protocols which are for a more general and standard mode of communications in an open system environment.

The standard mode of communications in an open system is that principals "interact then

forget." An open system is too large for a principal to maintain the state information about its communications with other principals in the system. If two principals, who may be unknown to each other, want to conduct secure communications, they will first establish a secure channel. In modern cryptography, a secure communication channel is underpinned by a cryptographic key. Therefore, the two principals who wish to establish a secure channel between them should run an authentication protocol which has a sub-task of establishing an authenticated key. Such a protocol is called an authenticated key establishment protocol. Upon completion of a session of secure communication which is underpinned by the key established, the two principals will promptly throw the channel away. Here, "throw the channel away" means that a principal forgets the key underpinning that channel and will never reuse it again. That is why a secure channel established as an output of a run of an authenticated key establishment protocol is often called a session channel and the output key underpinning the channel is called a session key.

The standard architecture for principals to run authentication and key establishment protocols in an open system is to use a centralized authentication service from a trusted third party or a TTP. Such a TTP service may be an online one, or an offline one. In the next chapter we shall introduce the authentication frameworks for authentication services provided by an offline TTP.

In authentication services provided by an online TTP, the TTP has a long-term relationship with a large number of subjects in the system or in a subsystem. Authentication and/or authenticated key establishment protocols under the online TTP architecture are so designed that they are built upon the basic protocol constructions in 11.4.1 and 11.4.2, where one of the two "already known to each other" principals is the TTP, and the other is a subject. A cryptographic operation performed by the TTP can imply or introduce a proper cryptographic operation performed by a subject. With the help from the TTP, a secure channel between any two subjects can be established even if the two principals may not know each other at all. In Chapter 2 we have already seen a number of such protocols, where we name the TTP Trent.

The ISO/IEC standards for authentication protocols (the 9798 series) have two standard constructions involving an online trusted third party [147]. One of them is named "ISO Four-Pass Authentication Protocol" and the other, "ISO Five-Pass Authentication Protocol." These two protocols achieve mutual entity authentication and authenticated session key establishment. We shall, however, not specify these two protocols here for two reasons.

First, these protocols are built upon applying the basic protocol constructions we have introduced in 11.4.1 and 11.4.2, and therefore, in terms of providing design principles, they will not offer us anything new or positive in terms of conducting our further study of the topic. On the contrary, they contain a prominent feature of standardization which we do not wish to introduce in a textbook: many optional fields which obscure the simple ideas behind the protocols.

Secondly, they already have a "normal size" of authentication protocols, and should no longer be considered as building blocks for constructing authentication protocols for higher-level applications. Moreover, they actually contain some undesirable features such as a sequence number maintained by the protocol participants (including the TTP, i.e., a stateful TTP!). Therefore, these two protocols must not be considered as model protocol constructions for any future protocol designers! On the contrary again, great care should be taken if either of these two protocols is to be applied in real applications.

We shall look at an entity authentication protocol involving a TTP. However, this protocol is an insecure one: it is vulnerable to several kinds of attacks which we will expose in a later section.

11.4.3.1 The Woo-Lam Protocol

The protocol is due to Woo and Lam [301] and hence we name it the Woo-Lam Protocol. The protocol is specified in Prot 11.2.

By choosing to introduce the Woo-Lam Protocol, we do not recommend it as a model protocol. On the contrary, not only is this protocol fatally flawed in several ways, although it has several different repaired versions which are all still flawed, it also contains undesirable design features we should expose, criticize and identify as one fundamental reason for the discovered flaws in it. So we think that the Woo-Lam Protocol serves a useful role in our study of the difficult matter of designing correct authentication protocols.

The goal of this protocol is for Alice to authenticate herself to Bob even though the two principals do not know each other initially.

Initially, since Alice and Bob do not know each other, Alice's cryptographic capability can only be shown to Trent: she encrypts Bob's nonce N_B using her long term key shared with Trent (step 3). Trent, as TTP, will honestly follow the protocol and decrypt the ciphertext formed by Alice (after receiving the message in step 4). Finally, when Bob sees his fresh nonce retrieved from the cipher chunk from Trent, he can conclude: Trent's honest cryptographic operation is only possible after Alice's cryptographic operation, and both of these operations are on his nonce which he has deemed fresh; thus, Alice's identity and her liveness have been demonstrated and confirmed.

Protocol 11.2: The Woo-Lam Protocol

PREMISE: Alice and Trent share a symmetric key K_AT, Bob and Trent share a symmetric key K_BT;
GOAL: Alice authenticates herself to Bob even though Bob does not know her.

1. Alice → Bob: Alice;
2. Bob → Alice: N_B;
3. Alice → Bob: {N_B}K_AT;
4. Bob → Trent: {Alice, {N_B}K_AT}K_BT;
5. Trent → Bob: {N_B}K_BT;
6. Bob decrypts the cipher chunk using K_BT, and accepts if the decryption returns his nonce correctly; he rejects otherwise.

On the one hand, the Woo-Lam Protocol can be viewed as being built upon applying a standard protocol construction which we have introduced and recommended in 11.4.1.1. For example, message lines 2 and 3 are compatible with mechanism (11.4.1); the same mechanism is also applied in message lines 3 and 4.
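The six message lines of Prot 11.2 run end to end, as an added example written for this edition and not code from the book or from Woo and Lam. It assumes a toy symmetric cipher (HMAC-SHA256 keystream XORed with the message) standing in for the book's {M}K notation, a `trent_keys` table in which Trent holds a long-term key for every principal, and a one-byte length prefix for framing the name inside message 4; the party names and key sizes are constructed for the demonstration. Bob's step 6 decision is the value returned, so the example also shows that a claimant who does not hold K_AT cannot make Trent return Bob's fresh nonce.

```python
import hashlib
import hmac
import os

# Toy symmetric cipher standing in for the book's {M}K notation: a keystream
# derived from HMAC-SHA256(key, iv || counter) is XORed with the message.
# Like the textbook notation it gives confidentiality only (no integrity tag);
# this cipher is an assumption of the example, not part of the Woo-Lam paper.
def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def enc(key: bytes, msg: bytes) -> bytes:
    iv = os.urandom(16)
    return iv + bytes(a ^ b for a, b in zip(msg, _keystream(key, iv, len(msg))))

def dec(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))

def trent(trent_keys: dict, sender: bytes, msg4: bytes) -> bytes:
    """Step 5. Trent, who shares a key with every principal, opens message 4
    with the sender's key, looks up the key of the user named inside, recovers
    the nonce and re-encrypts it for the sender (Bob)."""
    k_bt = trent_keys[sender]
    inner = dec(k_bt, msg4)
    name_len = inner[0]
    name, enc_nonce = inner[1:1 + name_len], inner[1 + name_len:]
    k_at = trent_keys[name]           # KeyError if Trent does not know the claimed user
    nonce = dec(k_at, enc_nonce)
    return enc(k_bt, nonce)

def woo_lam_run(trent_keys: dict, claimed_name: bytes, claimant_key: bytes,
                bob_name: bytes) -> bool:
    """One run of Prot 11.2 with the claimant playing Alice; returns Bob's decision."""
    k_bt = trent_keys[bob_name]
    msg1 = claimed_name                                   # 1. Alice -> Bob: Alice
    n_b = os.urandom(16)                                  # 2. Bob -> Alice: N_B
    msg3 = enc(claimant_key, n_b)                         # 3. Alice -> Bob: {N_B}K_AT
    msg4 = enc(k_bt, bytes([len(msg1)]) + msg1 + msg3)    # 4. Bob -> Trent: {Alice, {N_B}K_AT}K_BT
    msg5 = trent(trent_keys, bob_name, msg4)              # 5. Trent -> Bob: {N_B}K_BT
    # 6. Bob accepts iff the chunk from Trent decrypts to the nonce he deemed fresh.
    return hmac.compare_digest(dec(k_bt, msg5), n_b)

def demo() -> tuple:
    """Constructed keys: an honest run is accepted; a claimant who does not hold
    K_AT cannot make Trent return N_B, so Bob rejects."""
    keys = {b"Alice": os.urandom(32), b"Bob": os.urandom(32)}
    honest = woo_lam_run(keys, b"Alice", keys[b"Alice"], b"Bob")
    without_key = woo_lam_run(keys, b"Alice", os.urandom(32), b"Bob")
    return honest, without_key

if __name__ == "__main__":
    print(demo())   # (True, False)
```

The code follows the message lines literally, including the fact that message 4 carries no identity of Bob and that Bob's only check is the comparison in step 6; it makes no attempt to repair the protocol, whose flaws the text defers to 11.7.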
We shall defer the revelation of several security flaws in the Woo-Lam Protocol to 11.7. In addition, this protocol has a deeper undesirable design feature which we believe to be

responsible for its security flaws. However, we shall further defer our analysis and criticism of that undesirable feature to 17.2.1 where we investigate formal approaches to developing correct authentication protocols.

11.5 Password-based Authentication

Because it is easily memorable by the human brain, password-based authentication is widely applied in the "user-host" mode of remotely accessed computer systems. In this type of authentication, a user and a host share a password which is essentially a long-term but rather small-size symmetric key.

So a user U who wishes to use the service of a host H must first be initialized by H and issued a password. H keeps an archive of all users' passwords. Each entry of the archive is a pair (ID_U, P_U) where ID_U is the identity of U, and P_U is the password of U. A straightforward password-based protocol for U to access H can be as follows:

1. U → H: ID_U;
2. H → U: "Password";
3. U → H: P_U;
4. H finds entry (ID_U, P_U) from its archive; Access is granted if P_U received matches the archive.

We should note that this protocol does not actually achieve any sense of entity authentication, not even a unilateral authentication from U to H. This is because no part of the protocol involves a freshness identifier for identifying lively correspondence of U. Nevertheless, the term "password authentication" began to be used in the early 1970s when a user accessed a mainframe host from a dumb terminal and the communication link between the host and the terminal was a dedicated line and was not attackable. Under such a setting of devices and communications, the above protocol does provide unilateral entity authentication from U to H. However, under a remote and open network communication setting, because no principal in the password protocol performs any cryptographic operation, this protocol has two serious problems.

The first problem is the vulnerability of the password file kept in H. The stored password file in H may be read by Malice (now Malice is an insider who can even be a system administrator). With the password file, Malice obtains all rights of all users; he can gain access to H by impersonating a user and cause undetectable damage to the impersonated user or even to the whole system. Obviously, causing damage under a user's name lowers the risk of Malice being detected.

The second problem with the simple password-based remote access protocol is that a password travels from U to H in cleartext and therefore it can be eavesdropped by Malice. This attack is called online password eavesdropping.

11.5.1 Needham's Password Protocol and its Realization in the UNIX Operating System

Needham initiates an astonishingly simple and effective method to overcome the secure storage of passwords in a host (see "Acknowledgements" in [105], see also [132]). The host H should use a one-way function to encode the passwords, that is, the entry (ID_U, P_U) should be replaced with (ID_U, f(P_U)) where f is a one-way function which is extremely difficult to invert. The simple

"password protocol" given above should also be modified to one shown in Prot 11.3.

Protocol 11.3: Needham's Password Authentication Protocol

PREMISE: User U and Host H have set up U's password entry (ID_U, f(P_U)) where f is a one-way function; U memorizes password P_U;
GOAL: U logs in H using her/his password.

1. U → H: ID_U;
2. H → U: "Input Password:";
3. U → H: P_U;
4. H applies f on P_U, finds entry (ID_U, f(P_U)) from its archive; Access is granted if the computed f(P_U) matches the archived.

Prot 11.3 is realized as the password authentication scheme for the UNIX[f] operating system. In this realization, the function f is realized using the DES encryption algorithm (7.6). The system at the host H stores in a password file a user's identity (UID) and a ciphertext generated from a cryptographic transformation of the string of 64 zeros (as input) where the transformation is the DES encryption which uses the user's password P_U as the encryption key. In order to prevent the use of off-the-shelf high-speed DES hardware to crack passwords, the transformation f(P_U) is actually not a pure encryption in the DES. Instead, it repeats 25 successive rounds of the DES encryption in conjunction with a varying method called "bit-swapping permutation." The "bit-swapping permutation" is on the output ciphertext block from each round. In each round, certain bits in the ciphertext block output from the DES encryption are swapped according to a 12-bit random number called salt which is also stored in the password file. The ciphertext block after the "bit-swapping permutation" is then used as the input to the next round of the DES encryption. For details of the scheme, see [206].

[f] UNIX is a trademark of Bell Laboratories.

In this way, the transformation f(P_U) using the DES function can be considered as a keyed and parameterized one-way hashing of the constant string 0^64 where the key is P_U and the parameter is the salt. With the involvement of the salt, a password entry stored in the password file in H should be viewed as (ID_U, salt, f(P_U, salt)), although for clarity in exposition, we shall still use f(P_U) in place of f(P_U, salt).

Now in the UNIX realization of Needham's Password Protocol, stealing f(P_U) from H will no longer provide Malice with an easy way to attack the system. First, f(P_U) cannot be used in Prot 11.3 because using it will cause H to compute f(f(P_U)) and fail the test. Secondly, it is computationally infeasible to invert the one-way function f, especially considering the transformation involves 25 rounds of "bit-swapping permutation." So if the users choose their passwords properly so that a password cannot be guessed easily, then it will be very difficult for Malice to find P_U from f(P_U).
(We shall discuss the password guessing problem in 11.5.3.)
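Prot 11.3 with a salted one-way function on the host side, as an added example for this edition rather than code from the book or from any UNIX implementation. The one-way function f(P_U, salt) is assumed to be a salted SHA-256 iterated 25 times, a stand-in chosen so the example runs offline; the real UNIX scheme iterates DES with the salt-driven bit-swapping permutation described above. The archive layout (ID_U, salt, f(P_U, salt)), the user name and the passwords are constructed. The last check in `demo` is the point made in the text: handing H its own stored image f(P_U) makes H compute f(f(P_U)) and the test fails.

```python
import hashlib
import hmac
import os

# Stand-in for the UNIX one-way function f(P_U, salt): a salted SHA-256
# iterated 25 times. This is an assumption of the example; the real scheme
# iterates DES 25 times with a salt-driven bit-swapping permutation, as the
# text describes, and SHA-256 is used here only so the example runs offline.
ROUNDS = 25

def f(password: bytes, salt: bytes) -> bytes:
    digest = password
    for _ in range(ROUNDS):
        digest = hashlib.sha256(salt + digest).digest()
    return digest

# H's archive maps ID_U -> (salt, f(P_U, salt)); no cleartext password is kept.
archive = {}

def enroll(user_id: bytes, password: bytes) -> None:
    """User initialization: H draws a per-user salt and stores the one-way image."""
    salt = os.urandom(2)    # classic UNIX uses a 12-bit salt; 16 bits here
    archive[user_id] = (salt, f(password, salt))

def login(user_id: bytes, submitted: bytes) -> bool:
    """Step 4 of Prot 11.3: H applies f to what it received and compares with the
    archived image. compare_digest keeps the comparison constant-time."""
    entry = archive.get(user_id)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(f(submitted, salt), stored)

def demo() -> tuple:
    """Constructed user: correct password accepted, wrong one rejected, and the
    archived image itself rejected because H would compute f(f(P_U))."""
    enroll(b"alice", b"correct horse")
    ok = login(b"alice", b"correct horse")
    wrong = login(b"alice", b"wrong password")
    _salt, stored_image = archive[b"alice"]
    stolen = login(b"alice", stored_image)
    return ok, wrong, stolen

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The per-user salt means two users with the same password get different archive entries, and the 25 iterations slow down the searching attacks discussed in 11.5.3; the password itself still crosses the wire in cleartext in message 3, which is the problem the next subsection addresses.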

Although confidentiality of the password file becomes less of a concern, the data integrity of the file must be maintained. Still, the protocol is vulnerable to online password eavesdropping attack. A one-time password scheme is proposed to tackle this attack. Let us now describe it.

11.5.2 A One-time Password Scheme (and a Flawed Modification)

Lamport proposes a simple idea to thwart online password eavesdropping [174]. The technique can be considered as a one-time password scheme. Here "one-time" means that the passwords transmitted from a given U to H do not repeat, however they are computationally related to one another. Now, a password eavesdropped from a protocol run is no good for further use, and hence the password eavesdropping problem is successfully prevented.

In the user initialization time, a password entry of U is set to (ID_U, f^n(P_U)), where f^n(P_U) denotes f applied n times to P_U, for a large integer n. The user U still memorizes P_U as in the case of the Password Authentication Protocol.

When U and H engage in the first run of password authentication, upon being prompted by "Password" (message line 2 in the Password Authentication Protocol), a computing device of U, such as a client platform or a calculator, will ask U to key in P_U, and will then compute f^{n-1}(P_U) by repeatedly applying f n − 1 times. This can be efficiently done even for a large n (e.g., n = 1000). The result will be sent to H as in message line 3 in the Password Authentication Protocol.

Upon receipt of f^{n-1}(P_U), H will apply f once on the received password to obtain f^n(P_U) and then performs the correctness test as in step 4 in the Password Authentication Protocol. If the test passes, it assumes that the received value is f^{n-1}(P_U) and must have been computed from P_U which was set up in the user initialization, and hence it must be U at the other end of the communication. So U is allowed to enter the system. In addition, H will update U's password entry: replace f^n(P_U) with f^{n-1}(P_U).

In the next run of the protocol, U (whose computing device) and H will be in the state of using f^{n-2}(P_U) with respect to f^{n-1}(P_U), as in the previous case of using f^{n-1}(P_U) with respect to f^n(P_U).

The protocol is hence a stateful one on a counter number descending from n to 1. When the counter number reaches 1, U and H have to reset a new password.

The method requires U and H to be synchronous for the password state: when H is in state of using f^i(P_U) then U must be in state of sending f^{i-1}(P_U). This synchronization can be lost if the communication link is "unreliable" or when the system "crashes." Notice that "unreliability" or a "crash" can be the working of Malice!

Lamport considers a simple method to reestablish synchronization if it is lost [174]. The method is essentially to have the system "jump forward:" if H's state is f^j(P_U) while U's state is f^k(P_U) with j ≠ k + 1, then synchronization is lost. The system should "jump forward" to a state f^i(P_U) for H and f^{i-1}(P_U) for U where i ≤ min(j, k). It is clear that this way of resynchronization requires mutually authenticated communications between H and U, however, no detail for this necessity is given in Lamport's short technical note.

Lamport's password-based remote access scheme has been modified and implemented into a

"one-time password" system named S/KEY[g] [134]. The S/KEY modification attempts to overcome the "unreliable communication" problem by H maintaining a counter number c for U. In the user initialization time H stores U's password entry (ID_U, f^c(P_U), c) where c is initialized to n. Prot 11.4 specifies the S/KEY scheme.

[g] S/KEY is a trademark of Bellcore.

Clearly, in Prot 11.4, U and H will no longer lose synchronization and thereby an unreliable communication link will no longer be a problem.

Unfortunately, the S/KEY modification to Lamport's original technique is a dangerous one. We notice that a password-based remote access protocol achieves, at best, an identification of U to H. Thus, the counter number sent from H can actually be one from Malice, or one modified by him. The reader may consider how Malice should, e.g., modify the counter number and how to follow up an attack. The reader is encouraged to attack the S/KEY Protocol before reading 11.7.2.

One may want to argue: "the S/KEY Protocol cannot be more dangerous than Needham's Password Authentication Protocol (Prot 11.3) which transmits passwords in cleartext!" We should however notice that Needham's Password Authentication Protocol never claims security for preventing an online password eavesdropping attack. The S/KEY Protocol is designed to have this claim, which unfortunately does not stand.

Protocol 11.4: The S/KEY Protocol

PREMISE: User U and Host H have set up U's initial password entry (ID_U, f^n(P_U), n) where f is a cryptographic hash function; U memorizes password P_U;
The current password entry of U in H is (ID_U, f^c(P_U), c) for 1 ≤ c ≤ n.
GOAL: U authenticates to H without transmitting P_U in cleartext.

1. U → H: ID_U;
2. H → U: c, "Input Password:";
3. U → H: Q = f^{c-1}(P_U);
4. H finds entry (ID_U, f^c(P_U), c) from its archive; Access is granted if f(Q) = f^c(P_U), and U's password entry is updated to (ID_U, Q, c − 1).
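The hash chain of Lamport's scheme and the host-side bookkeeping of Prot 11.4, as an added example for this edition and not code from the book, from Lamport's note or from the S/KEY system. SHA-256 is assumed as the cryptographic hash function f; the `Host` class, the user name, the password and the chain length n = 1000 are constructed. `demo` runs two honest logins, showing the counter descend from 1000 to 998, and then shows what "one-time" buys: the first password Q1, once used, no longer passes the test because f(Q1) = f^1000(P_U) while H now holds f^998(P_U).

```python
import hashlib
import hmac

def f(x: bytes) -> bytes:
    """The scheme's cryptographic hash function; SHA-256 is assumed here."""
    return hashlib.sha256(x).digest()

def f_iter(x: bytes, k: int) -> bytes:
    """f^k(x): k successive applications of f (f^0(x) = x)."""
    for _ in range(k):
        x = f(x)
    return x

class Host:
    """H keeps (ID_U, f^c(P_U), c) for each user and never learns P_U."""
    def __init__(self):
        self.archive = {}

    def enroll(self, user_id: bytes, password: bytes, n: int) -> None:
        """User initialization: the entry starts at (f^n(P_U), n)."""
        self.archive[user_id] = (f_iter(password, n), n)

    def challenge(self, user_id: bytes) -> int:
        """Message 2: H sends the current counter c, in cleartext as specified."""
        return self.archive[user_id][1]

    def verify(self, user_id: bytes, q: bytes) -> bool:
        """Step 4: accept iff f(Q) equals the stored f^c(P_U); on success the
        entry becomes (ID_U, Q, c - 1). Once c reaches 1 the chain is used up and
        U and H must reset a new password, so no further login is accepted."""
        stored, c = self.archive[user_id]
        if c <= 1 or not hmac.compare_digest(f(q), stored):
            return False
        self.archive[user_id] = (q, c - 1)
        return True

def client_response(password: bytes, c: int) -> bytes:
    """Message 3: U's device recomputes Q = f^(c-1)(P_U) from the memorized password."""
    return f_iter(password, c - 1)

def demo() -> tuple:
    """Constructed user with n = 1000: two honest runs succeed and the counter
    descends 1000 -> 999 -> 998; presenting the first one-time password again
    fails, since f(Q1) = f^1000(P_U) no longer matches the stored f^998(P_U)."""
    host = Host()
    host.enroll(b"alice", b"secret", n=1000)
    q1 = client_response(b"secret", host.challenge(b"alice"))
    first = host.verify(b"alice", q1)
    q2 = client_response(b"secret", host.challenge(b"alice"))
    second = host.verify(b"alice", q2)
    replayed = host.verify(b"alice", q1)
    return first, second, replayed, host.challenge(b"alice")

if __name__ == "__main__":
    print(demo())   # (True, True, False, 998)
```

The example implements Prot 11.4 exactly as specified: the counter c in message 2 is accepted by the client's device as it arrives, with nothing in the protocol binding it to H, which is the observation the text makes before deferring the analysis to 11.7.2.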
11.5.3 Add Your Own Salt: Encrypted Key Exchange (EKE)

Most password-based systems advise users to choose their passwords such that a password should have eight keyboard (ASCII) characters. A password of this length is memorable by most users without writing down. Since an ASCII character is represented by a byte (8 bits), an eight-character password can be translated to a 64-bit string. A space of 64-bit strings has 2^64 elements and is therefore comfortably large. So it seems that an 8-keyboard-character password should resist guessing and even automated searching attacks mounted by a non-dedicated attacker.

However, the "64-bit" password is not a true story. Although the information rate of the full set of ASCII characters is not substantially below 8 bits/character (review 3.8 for information rate of a language), people usually do not choose their passwords using random characters in the ASCII table. In contrast, they choose bad passwords that are easily memorable. A typical bad password is a dictionary word, or a person's name, all in lower case, maybe trailed by a digit or two. Shannon estimated that the rate of English is in the range of 1.0 to 1.5 bits/character ([265], this estimate is based on English words of all lower case letters, see 3.8). Thus, in fact, the space of 8-character passwords should be much smaller than 2^64, and may be significantly smaller still if many passwords in the space are bad ones (lower case alphabetic, person's names, etc.). The smaller password space permits an offline dictionary attack. In such an attack, Malice uses f(P_U) to search through a dictionary of bad passwords for the matching P_U. Because the attack is mounted offline, it can be automated and can be fast. We should notice that Lamport's one-time password scheme does not provide protection against offline dictionary attacks either: Malice can eavesdrop the current state value i and f^i(P_U) and hence can conduct the dictionary search.

Bellovin and Merritt propose an attractive protocol for achieving secure password based authentication. Their protocol is named encrypted key exchange (EKE) [29]. The EKE Protocol protects the password against not only online eavesdropping, but also offline dictionary attacks. The technique used in the EKE scheme is essentially probabilistic encryption. In Chapter 14 we shall study general techniques for probabilistic encryption. Here, the reader may consider the trick as "adding your own salt" to a password.

Unlike in the password based protocols (Prot 11.3 or Prot 11.4) where H only possesses a one-way image of U's password, in the EKE Protocol U and H share a password P_U. The shared password will be used as a symmetric cryptographic key, though, as we have mentioned, this symmetric key is chosen from a rather small space.

The EKE Protocol is specified in Prot 11.5.

The ingenuity of the EKE Protocol is in the first two steps. In step 1, the cipher chunk P_U(ε_U) is a result of encrypting a piece of one-time and random information ε_U under the shared password P_U. In step 2, the content which is doubly encrypted in the cipher chunk P_U(ε_U(K)) is another one-time and random number: a session key K. Since P_U is human-brain memorable and hence is small, the random strings ε_U and K must have larger sizes than that of P_U. So the two cipher chunks in message lines 1 and 2 can hide P_U in such a way that P_U is statistically independent from these two cipher chunks.

We must emphasize that it is the one-time randomness of ε_U that plays the "adding your own salt" trick. Should the "public key" be not one-time, the unique functionality of the EKE Protocol would have failed completely: it would even be possible to facilitate Malice to search the password P_U using the weakness of a textbook public-key encryption algorithm (see, e.g., a "meet-in-the-middle" attack in 8.9).

If the nonces N_U, N_H encrypted in message lines 3, 4 and 5 are generated at random and have adequately large sizes (i.e., larger than that of the session key K), then they further hide the session key K in the same fashion as the password P_U is hidden in the first two messages. Thus, P_U remains statistically independent from any messages passed in the EKE Protocol.

The statistical independence of the password P_U from the messages passed in a protocol run means that the password is hidden from an eavesdropper in an information-theoretically secure sense (see 7.5). So a passive eavesdropper can no longer mount an offline dictionary attack on P_U using the protocol messages. The only other possible ways to attack the protocol are either to try to guess P_U directly, or to mount an active attack by modifying protocol messages. The guessing attack is an uninteresting one: it can never be prevented, but, fortunately, it can never be effective either. An active attack, on the other hand, will be detected with a high probability by an honest protocol participant, and will cause the run to be promptly abandoned.
Protocol 11.5: Encrypted Key Exchange (EKE)
PREMISE: User U and Host H share a password P_U; the system has agreed on a symmetric encryption algorithm, K() denotes symmetric encryption keyed by K; U and H have also agreed on an asymmetric encryption scheme, and the subscript U denotes asymmetric encryption under U's key.
GOAL: U and H achieve mutual entity authentication; they also agree on a shared secret key.
1. U generates a random "public" key, and sends to H:
(* the "public" key is in fact not public; it is the encryption key of an asymmetric encryption algorithm *)
2. H decrypts the cipher chunk using P_U and retrieves U's "public" key; H generates a random symmetric key K, and sends to U:
3. U decrypts the doubly encrypted cipher chunk and obtains K; U generates a nonce N_U, and sends to H:
4. H decrypts the cipher chunk using K, generates a nonce N_H, and sends to U:

5. U decrypts the cipher chunk using K, and returns to H:
6. If the challenge-response in steps 3, 4, 5 is successful, logging-in is granted and the parties proceed to further secure communication using the shared key K.
The encryption of a random public key in step 1 by U, and that of a random session key in step 2 by H, are what we have referred to as "add your own salt" to the password P_U. The ever changing "salt" keeps an attacker out of step. Therefore, the first two message lines in the EKE Protocol provide an ingenious technical novelty. The message lines 3, 4 and 5 form a conventional challenge-response-based mutual authentication protocol. Indeed they can be replaced by a suitable mutual authentication protocol construction based on a shared symmetric key.
The EKE Protocol is very suitable for being realized using the Diffie-Hellman key exchange mechanism. Let g generate a group of order larger than 2^64 > 2^|P_U|. Then in step 1, U's computing device picks at random x ∈ (0, 2^64) and computes U's "public" key as g^x, and in step 2, H picks at random y ∈ (0, 2^64) and computes the encryption of K under U's "public" key as g^y. The agreed session key between U and H will be K = g^xy. Now, each party has its own contribution to the agreed session key. In this realization, the group generator g can be agreed between U and H in public: U sends to H the group description (which includes the group generator) in a pre-negotiation step.
Notice that we have only required that g generates a group of order larger than 2^64. This is a very small number as a lower bound for a group order for use by an asymmetric cryptographic system. So the protocol can be very efficient. The small group order renders easy ways to compute discrete logarithms, and hence to solve the computational Diffie-Hellman problem. However, without g^x, g^y, g^xy, the ease of solving the Diffie-Hellman problem is of no help for finding the password: P_U remains statistically independent in a space of size 2^64. Likewise, for sufficiently large and random nonces encrypted in message lines 3, 4, and 5, the session key K shall remain independent in the group of an order larger than 2^64. Thus, offline dictionary attacks or online key guessing remain difficult.
In essence, the random "salt" added to a password "amplifies" the size of the password space from that of a dictionary to that of the random asymmetric key. This is the trick behind the EKE Protocol.
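As an added illustration (not code from the book), here is a toy Python realisation of the Diffie-Hellman EKE just described, together with a passive eavesdropper's offline dictionary test on the transcript. It assumes a constructed tiny safe-prime group (p = 1019, g = 2), a password-derived multiplicative mask standing in for P_U(), and a hash-derived keystream standing in for K(); none of these choices comes from the book.

```python
"""Toy Diffie-Hellman realisation of the EKE Protocol (Prot 11.5).  Added illustration,
not the book's code: group, masking and keystream are constructed stand-ins."""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime and g = 2 generates all of Z_p^*, so
# every unit mod p is some g^x.  That is what lets a wrong password still decrypt to a
# plausible public key.  A real deployment needs order far above the 2^64 bound in the text.
P = 1019
G = 2


def password_mask(password: str) -> int:
    """Turn the small-entropy password P_U into a unit of Z_p^* used as a masking key."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1       # in [1, p-1]


def pw_encrypt(password: str, element: int) -> int:
    """P_U() on a group element: multiply by the password mask."""
    return element * password_mask(password) % P


def pw_decrypt(password: str, chunk: int) -> int:
    """Decryption under ANY password gives a unit of Z_p^*, never an obviously wrong value."""
    return chunk * pow(password_mask(password), -1, P) % P


def sym_xor(key: int, label: bytes, data: bytes) -> bytes:
    """K() for lines 3-5: XOR with a keystream bound to the session key and a message label."""
    stream = hashlib.sha256(key.to_bytes(2, "big") + label).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def run_eke(password_u: str, password_h: str, x: int = 0, y: int = 0) -> dict:
    """Run Prot 11.5 between U (knowing password_u) and H (knowing password_h).
    x and y may be fixed for reproducibility; by default they are fresh random exponents."""
    x = x or secrets.randbelow(P - 2) + 1
    y = y or secrets.randbelow(P - 2) + 1
    # Line 1: U sends P_U(g^x); g^x is the one-time "public" key.
    m1 = pw_encrypt(password_u, pow(G, x, P))
    # Line 2: H recovers g^x, derives K = (g^x)^y and sends P_U(g^y), i.e. the session
    # key "encrypted" under U's public key in the Diffie-Hellman sense.
    k_h = pow(pw_decrypt(password_h, m1), y, P)
    m2 = pw_encrypt(password_h, pow(G, y, P))
    # Line 3: U recovers g^y, derives K = (g^y)^x and sends K(N_U).
    k_u = pow(pw_decrypt(password_u, m2), x, P)
    n_u = secrets.token_bytes(16)
    m3 = sym_xor(k_u, b"3", n_u)
    # Line 4: H decrypts N_U and sends K(N_U, N_H).
    n_u_at_h = sym_xor(k_h, b"3", m3)
    n_h = secrets.token_bytes(16)
    m4 = sym_xor(k_h, b"4a", n_u_at_h) + sym_xor(k_h, b"4b", n_h)
    # Line 5: U checks that its own nonce came back under the same K, then returns K(N_H).
    u_ok = sym_xor(k_u, b"4a", m4[:16]) == n_u
    m5 = sym_xor(k_u, b"5", sym_xor(k_u, b"4b", m4[16:]))
    # Step 6: H checks its nonce; only then is login granted.  A mismatched password or a
    # tampered line makes one of these checks fail with overwhelming probability.
    h_ok = sym_xor(k_h, b"5", m5) == n_h
    return {"transcript": (m1, m2), "key_u": k_u, "key_h": k_h, "accepted": u_ok and h_ok}


def surviving_candidates(transcript: tuple, dictionary: list) -> list:
    """Offline dictionary test by a passive eavesdropper: a guess could only be discarded if
    decrypting lines 1 and 2 with it produced something that is not a group element.  Every
    guess yields a unit of Z_p^*, so none is discarded: P_U is independent of the transcript."""
    m1, m2 = transcript
    return [pw for pw in dictionary
            if 1 <= pw_decrypt(pw, m1) <= P - 1 and 1 <= pw_decrypt(pw, m2) <= P - 1]
```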

11.6 Authenticated Key Exchange Based on Asymmetric Cryptography
We say that a protocol establishes a shared session key via a key transport mechanism if the protocol outputs a shared key which comes from one of the protocol participants. We say that a protocol establishes a shared session key via a key exchange (or key agreement) mechanism if a run of the protocol outputs a shared key which is a function of all protocol participants' random input. The advantage of key exchange over key transport is that each of the key-sharing parties can have its own control, hence a high confidence, on the quality of the key output.
Apart from the Diffie-Hellman realized EKE protocol, the basic authentication techniques introduced so far, if involving key establishment, are all key transport mechanisms. Now let us introduce a key exchange mechanism.
Key exchange can be achieved by generating a key as the output of a pseudo-random function or a one-way hash function where the key-sharing parties have their own inputs to the function. The most commonly used method is the great discovery of Diffie and Hellman: Diffie-Hellman Key Exchange, which we have considered as a one-way function (see Remark 8.1.3 in 8.4). We have specified Diffie-Hellman Key Exchange in Prot 8.1. This mechanism achieves agreement on a key between two remote principals without using encryption.
Prot 8.1 is the basic version of Diffie-Hellman Key Exchange which achieves unauthenticated key agreement. We have seen a man-in-the-middle attack in Attack 8.1 in which Malice shares one key with Alice and another with Bob and hence can relay the "confidential" communications between Alice and Bob. A proper use of Diffie-Hellman Key Exchange must be a variation of Prot 8.1. The simplest variation is a two-party protocol in which Alice knows for sure that g^b is Bob's public key:
Equation 11.6.1
where number a is picked at random by Alice from a suitably large integer interval.
After sending the message in (11.6.1), Alice knows that g^ab is a key exclusively shared with Bob since for anybody other than herself and Bob, to find g^ab is to solve the computational Diffie-Hellman problem (CDH problem, see Definition 8.1 in 8.4) which is assumed computationally infeasible. Since Alice has picked her exponent at random and it is new, the agreed key is fresh and this means that the key is authenticated to Alice. However, upon receipt of g^a, Bob cannot know with whom he shares the key g^ab or whether the key is fresh. Therefore, this simple variation achieves unilateral authenticated key agreement.
Applying various mechanisms introduced so far, it is not difficult to augment mechanism (11.6.1) to one which allows the agreed key to be mutually authenticated. For example, Alice may digitally sign g^a with her identity and a timestamp.
Let us introduce here a well-known authenticated key exchange protocol which is a variation of Diffie-Hellman Key Exchange.

11.6.1 The Station-to-Station Protocol
The Station-to-Station (STS) Protocol is proposed by Diffie et al. [99].
In the STS Protocol, Alice and Bob have agreed on using a large finite abelian group which is generated by a common element g. System-wide users can use a common generator. The reader may review 8.4.1 for cautions on setting up the shared group to be used in the STS Protocol.
Alice and Bob also have their respective public key certificates:
where CA is a certification authority (see Chapter 13), P_A and P_B are the public keys of Alice and Bob, respectively, and desc is the description of the shared group generated by g. In addition, the two parties have also agreed on using a symmetric-key encryption algorithm, for which we shall use the notation given in Definition 7.1 (in 7.2). The encryption algorithm can also be agreed upon for system-wide users.
The STS Protocol is specified in Prot 11.6.
It is intended that the STS Protocol should have the following four security properties (several of them are only true if a minor flaw in the protocol is fixed):
Mutual Entity Authentication: However, this property actually does not hold according to the rigorous definition for authentication given by the authors of the STS Protocol. In [99], Diffie et al. make two mistakes in this respect. We shall discuss them in 11.6.2 and 11.6.3, respectively.
Mutually Authenticated Key Agreement: Key agreement is obvious from the Diffie-Hellman key exchange protocol; the freshness of the agreed key is guaranteed if each party has picked her/his random exponent properly; the exclusive sharing of the agreed key is implied by both parties' digital signatures on their key agreement material. However, pulling together all these features does not actually result in mutually authenticated key agreement: the property will only hold if a minor flaw in the protocol is fixed.
Mutual Key Confirmation: Upon termination of a run, both parties have seen that the other party has used the agreed key to encrypt the key agreement material. Again, the correct mutual key confirmation depends on the correct mutual authentication which only holds if a minor flaw in the protocol is fixed.
Perfect Forward Secrecy (PFS): This is an attractive property of a key establishment protocol which means that if a long-term private key used in a key establishment protocol is compromised at a point in time, the security of any session established earlier than that point will not be affected [133, 99]. The PFS property holds for a key establishment protocol where a session key is properly agreed using the Diffie-Hellman key exchange mechanism. Here in the case of the STS protocol, the long-term keys are the private keys of Alice and Bob. Since each session key agreed in a run of the protocol is a one-way function of two ephemeral secrets which will be securely disposed of upon termination of the run, compromise of either of the signing long-term keys cannot have any effect on the secrecy of the previously agreed session keys.

Protocol 11.6: The Station-to-Station (STS) Protocol
PREMISE: Alice has her public-key certificate Cert_A, Bob has his public-key certificate Cert_B, the system-wide users share a large finite abelian group desc, and they agree on a symmetric encryption algorithm;
GOAL: Alice and Bob achieve mutual authentication and mutually authenticated key agreement.
1. Alice picks a random large integer x, and sends to Bob:
2. Bob picks a random large integer y, and sends to Alice:
3. Alice sends to Bob:
Here K = g^xy = g^yx.
WARNING: This protocol is flawed in a minor way; to be analysed in 11.6.3.
Anonymity (Deniability): If the public-key certificates are encrypted inside the respective cipher chunks, then the messages communicated in a run of the protocol will not be revealed to any third party who is involved in the message exchanges. However we should notice that addressing information transmitted in a lower-layer communication protocol may disclose the identities of the protocol participants. Therefore, precisely speaking, "anonymity" should be rephrased to a kind of "deniability" which means that a network monitor cannot prove that a given protocol transcript takes place between two specific principals. Because the STS Protocol is one of the bases for the Internet Key Exchange (IKE) protocol suite for Internet Security [135, 158, 225], this property is a feature in the IKE. We shall study IKE (and this feature) in the next chapter (12.2).
The STS Protocol, although the version specified in Prot 11.6 is flawed in a very minor way, is an important and influential work in the area of authentication and authenticated key-exchange

protocols. It is one of the bases for the "Internet Key Exchange (IKE) Protocol" [135, 225] which is an industrial standard authentication protocol for Internet security. We will study IKE in 12.2 and see the influence of the STS Protocol on it.
The paper [99] contains two flaws: a serious one in a simplified version of the STS Protocol for an "authentication only" usage; a minor one in the STS Protocol proper. If a widely recognized protocol design principle is followed (that principle was documented and became widely acknowledged after the publication of [99]), then both flaws disappear. Let us now look at these flaws. Our study of these flaws shall lead to that widely recognized protocol design principle.
11.6.2 A Flaw in a Simplified STS Protocol
In order to argue the mutual authentication property, Diffie et al. simplify the STS Protocol into one they name "Authentication-only" STS Protocol (5.3 of [99]). They claim that the "simplified protocol is essentially the same as the three-way authentication protocol" proposed by ISO. The "ISO protocol" they referred to is in fact what we named (after ISO/IEC's name) the "ISO Public Key Three-Pass Mutual Authentication Protocol" (Prot 11.1 with Wiener's attack having been fixed, see 11.4.2).
The simplified "Authentication-only" STS Protocol is specified in Prot 11.7.
However, Prot 11.7 has an important difference from the ISO Protocol. In this simplified STS Protocol, the signed messages do not contain the identities of the protocol participants, while in the ISO Protocol the signed messages contain the identities. The simplified STS Protocol suffers a "certificate-signature-replacement attack" which is demonstrated in Attack 11.2.
In this attack, Malice, who is a legitimate user of the system and hence has a public-key certificate, waits for Alice to initiate a run. Upon occurrence of such an opportunity, he starts to talk to Bob by impersonating Alice and using her nonce. Upon receipt of Bob's reply, Malice replaces Bob's certificate and signature with his own copies, respectively. Doing so can successfully persuade Alice to sign Bob's nonce, which in turn allows Malice to cheat Bob successfully. This is a perfect attack because neither Alice nor Bob can discover anything wrong.
Notice that in this attack, Malice is not passive in the whole attacking run orchestrated by him: he signs Bob's nonce and hence successfully persuades Alice to sign Bob's nonce so that he can fool Bob completely. Should Malice be passive, i.e., behave like a wire, then Bob would never have received Alice's signature on his nonce, and thereby would not have been cheated.

Protocol 11.7: Flawed "Authentication-only" STS Protocol
PREMISE: Alice has her public-key certificate Cert_A, Bob has his public-key certificate Cert_B.
This "certificate-signature-replacement attack" does not apply to the STS Protocol because the encryption used in the full version of the protocol prevents Malice from replacing Bob's signature. The attack does not apply to the ISO Protocol (Prot 11.1) either because there, Malice's identity will appear in the message signed by Alice, and hence that message cannot be passed to Bob to fool him.
It is interesting to point out that, in their paper (5.1 of [99]) Diffie et al. do discuss a similar "certificate-signature-replacement attack" on a dismissed simplification of the STS Protocol where the encryption is removed. That attack has not been tried on the "Authentication-only" STS Protocol, perhaps because the latter looks very similar to the fixed version of the ISO Protocol. The same paper (6 of [99]) demonstrates Wiener's attack on the flawed version of the ISO Protocol, which is obviously different from the "certificate-signature-replacement attack" (the reader may confirm that Wiener's attack on the flawed version of the ISO Protocol does not apply to the "Authentication-only" STS Protocol). From these entanglements we are witnessing the error-prone nature of authentication protocols.

Attack 11.2: An Attack on the "Authentication-only" STS Protocol
PREMISE: In addition to that in Prot 11.7, Malice has his public key certificate Cert_M.
(* so Malice is also a normal user in the system *)
(* Malice faces Alice using his true identity, but he faces Bob by masquerading as Alice: *)
CONSEQUENCE: Bob thinks he has been talking with Alice while she thinks to have been talking with Malice.
Including the identity of the intended verifier inside a signature does indeed constitute a method to fix the flaw. Of course, we do not suggest that adding identity is the only way to fix this flaw. In some applications (e.g., "Internet Key Exchange (IKE) Protocol," see 12.2.3), identities of the protocol participants are desirably omitted in order to obtain a privacy property (see 12.2.4). A novel way of fixing such flaws while keeping the desired privacy property can be devised by using a novel cryptographic primitive, which we shall introduce in a later chapter.
11.6.3 A Minor Flaw of the STS Protocol
Lowe di scover s a minor at t ack on t he STS Pr ot ocol [ 179] . Befor e present i ng Lowe's at t ack, let us
r evi ew a r i gor ous defi ni t i on for aut hent icat i on gi ven by t he aut hor s of t he STS Pr ot ocol.
I n [ 99] , Dif fi e et al . defi ne a secure r un of an aut hent i cat ion prot ocol using t he not ion of

Table of Cont ent s
Moder n Cr ypt ography : Theor y and Pract i ce
By Wenbo Mao Hewlet t - Packard Company

Publi sher: Prent i ce Hal l PTR


Pub Dat e: Jul y 25, 2003
I SBN: 0- 13-066943-1
Pages: 648

Many cr y pt ographi c schemes and prot ocol s, especi al l y t hose based on publ i c- key cry pt ogr aphy ,
have basi c or so- cal l ed " t ext book cr ypt o" ver si ons, as t hese ver sionsar e usual ly t he subj ect s for
many t ext books on cry pt ogr aphy . Thi s book t akes adi ff er ent appr oach t o i nt roduci ng
cry pt ogr aphy : it pay s much more at t ent i on t ofi t - f or- appl i cat i on aspect s of cr ypt ogr aphy . I t
expl ains why " t ext book cr y pt o" isonl y good in an i deal wor l d wher e dat a ar e r andom and bad
guys behave ni cel y . I t r eveal s t he gener al unf it ness of "t ext book cr y pt o" for t he r eal worl d by
demonst r at i ngnumer ous at t acks on such schemes, pr ot ocol s and syst ems under var i ousr eal -
wor ld appl i cat i on scenari os. Thi s book chooses t o i nt r oduce a set of pract i cal cr y pt ogr aphi c
schemes, pr ot ocol s and syst ems, many of t hem st andar ds or de fact oones, st udies t hem cl osel y,
expl ains t hei r wor ki ng pri nci pl es, di scusses t hei r pr act i cal usages, and exami nes t hei r st r ong
( i . e. , f i t - for - appl i cat i on) securi t y pr opert i es, oft enwi t h securi t y evi dence for mal l y est abl ished.
The book al so i ncl udes self - cont ai nedt heor et i cal backgr ound mat er ial t hat i s t he f oundat i on for
moder n cr ypt ogr aphy.
"mat chi ng r ecor ds of r uns." Let each pr ot ocol par t i ci pant r ecor d messages recei ved dur i ng a r un.
A " mat chi ng r ecords of a r un" means t hat t he messages or i gi nat ed by one par t i ci pant must
appear in t he r ecor d of t he ot her par t ici pant i n t he same or der of sequence as t he messages ar e
sent , and vi ce ver sa. Then an i nsecur e r un of an aut hent i cat i on pr ot ocol ( Defi nit ion 1 of [ 99] ) is
one:
i f any part y invol ved i n t he run, say Al i ce, execut es t he prot ocol fai t hf ul l y, accept s t he
i dent i t y of anot her par t y , and t he fol l owi ng condi t i on hol ds: at t he t i me t hat Al ice accept s
t he ot her par t y 's ident i t y, t he ot her par t y 's r ecor d of t he par t i al or f ul l r un does not mat ch
Al i ce' s r ecor d.
Under t his defi ni t i on for an i nsecur e r un of an aut hent i cat i on pr ot ocol , what is demonst rat ed i n
At t ack 11. 3 qual i fi es a l egi t i mat e at t ack on t he STS Pr ot ocol , even t hough t he damage i t can
cause i s ver y l i mi t ed.
Lowe's attack is a minor one in the following two senses:

i. In the run part between Alice and Malice, although Malice is successful in fooling Alice, he does not know the shared session key and hence cannot fool Alice any further after the run.

ii. In the run part between Malice and Bob, Malice cannot complete the run, and so this part is not a successful attack.

We however think Lowe's attack qualifies as a legitimate attack, also for two reasons:

I. Alice accepts the identity of Bob as a result of Malice simply copying, bit by bit, all of Bob's message to Alice. However, at Bob's end, since he sees the communication partner as Malice while he signs Alice's random challenge, his recorded messages do not match those of Alice. Therefore, the attack meets the "insecure run" criterion defined by the STS authors, i.e., mutual authentication actually fails. Of course, as the notion of entity authentication is quite hard to capture precisely, and as the area of study has been developing through mistakes, a verdict of an attack given on the basis of a quite old definition (i.e., that of an "insecure run" given by Diffie et al. [99]) may not be sufficiently convincing. Today, one may well question whether that early definition is correct at all. However, a better question should be: "Will this 'attack' be a concern in practice today?" This is answered in (II).

II. Malice successfully fools Alice into believing a normal run with Bob. Her subsequent requests or preparation for secure communications with Bob will be denied without any explanation, since Bob thinks he has never been in communication with Alice. Also, nobody will notify Alice of any abnormality. We should compare this consequence with one resulting from a much less interesting "attack" in which Malice is passive except for cutting the final message from Alice to Bob without letting Bob receive it. In this less interesting "attack," due to the expected matching records, Bob may notify Alice of the missed final message.

Regarding whether Lowe's attack is a concern in practice today, we may consider that if Alice is in a centralized server's situation, and is under a distributed attack (i.e., is under a mass attack launched by Malice's team distributed over the network), lack of notification from end-users (i.e., from many Bobs) is indeed a concern: the server will reserve resources for many end-users and its capacity to serve the end-users can be drastically powered down. We should particularly notice that in Lowe's attack, Malice and his friends do not use any cryptographic credentials (certificates). So this attack costs them very little. This is again very different from a conventional denial-of-service attack in which Malice and his friends have to talk to Alice in their true names (i.e., with certificates).

Attack 11.3: Lowe's Attack on the STS Protocol (a Minor Flaw)

(* Malice faces Bob using his true identity, but he faces Alice by masquerading as Bob: *)

CONSEQUENCE:
Alice is fooled perfectly and thinks she has been talking and sharing a session key with Bob, while Bob thinks he has been talking with Malice in an incomplete run. Alice will never be notified of any abnormality, and her subsequent requests or preparation for secure communications with Bob will be denied without any explanation.

For the reason explained in (II), we shall name Lowe's attack a perfect denial of service attack against Alice: the attackers succeed using other parties' cryptographic credentials.

This attack can be avoided if the protocol is modified into one which follows a correct and well recognized protocol design principle proposed by Abadi and Needham [1]:

If the identity of a principal is essential to the meaning of a message, it is prudent to mention the principal's name explicitly in the message.

Indeed, the signed messages in the STS Protocol should include the identities of both protocol participants! This way, the message from and signed by Bob will contain "Malice" so that Malice cannot forward it to Alice in Bob's name, i.e., Malice can no longer fool Alice. Moreover, if the simplified "Authentication-only" STS Protocol is derived from this identities-in-signature version, then it will not suffer the "certificate-signature-replacement attack" either, since now the simplified version is essentially the ISO Protocol (Prot 11.1).

As we have mentioned earlier, the STS Protocol is one of the bases for the "Internet Key Exchange (IKE) Protocol" [135, 158, 225]. As a result, we shall see in 12.2 that the "perfect denial of service attack" will also apply to a couple of modes in IKE.
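As an added example, not code from the book, the following script runs the forwarding step of Lowe's attack against the authentication-only form of STS (nonces in place of Diffie-Hellman values, in the style of Prot 11.7), once with the original signed message (R_B, R_A) and once with both identities inside the signature as recommended above. The signature is a toy RSA hash-then-sign built from the Python standard library; the key size, the length-prefixed field encoding, the helper names and the omission of STS's session-key encryption (the forwarding step only needs the signature) are this example's assumptions.

```python
"""Added example (not from the book): the "authentication-only" STS exchange
run once with the original signed message (R_B, R_A) and once with the
identities of both participants added to it, as 11.6.3 recommends.

Toy RSA hash-then-sign from the standard library stands in for the real
signature scheme; the 512-bit keys, the field encoding and all helper names
are this example's assumptions.  The session-key encryption of the full STS
is omitted: the forwarding step only needs the signature."""
import hashlib
import secrets


def _probable_prime(bits, rounds=32):
    """Random probable prime (Miller-Rabin), good enough for a toy key."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        d, s = n - 1, 0
        while d % 2 == 0:
            d //= 2
            s += 1
        for _ in range(rounds):
            x = pow(secrets.randbelow(n - 3) + 2, d, n)
            if x in (1, n - 1):
                continue
            for _ in range(s - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break          # definite composite: draw a new candidate
        else:
            return n           # survived every round


def _digest(fields):
    """Length-prefixed hash of the signed fields, so appending a name can
    never collide with the shorter, unnamed message."""
    h = hashlib.sha256()
    for f in fields:
        b = f if isinstance(f, bytes) else str(f).encode()
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")


class Principal:
    """Holder of a toy RSA key pair; `cert` stands for the public-key certificate."""

    def __init__(self, name, bits=512):
        self.name, self.e = name, 65537
        while True:
            p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % self.e:      # e is prime, so this means gcd(e, phi) = 1
                break
        self.n = p * q
        self._d = pow(self.e, -1, phi)
        self.cert = (name, self.n, self.e)

    def sign(self, *fields):
        return pow(_digest(fields), self._d, self.n)


def verify(cert, sig, *fields):
    _, n, e = cert
    return pow(sig, e, n) == _digest(fields)


def bob_responds(bob, r_a, peer, include_ids):
    """Message 2: Bob signs the two nonces and, in the fixed version, also the
    name of the party he believes he is answering (Abadi-Needham principle)."""
    r_b = secrets.token_bytes(16)
    fields = (r_b, r_a, peer, bob.name) if include_ids else (r_b, r_a)
    return r_b, bob.sign(*fields), bob.cert


def alice_checks(alice, r_a, msg2, include_ids):
    """Alice accepts message 2 only if it verifies under the certified key and,
    in the fixed version, names her as the intended verifier."""
    r_b, sig, cert = msg2
    fields = (r_b, r_a, alice.name, cert[0]) if include_ids else (r_b, r_a)
    return verify(cert, sig, *fields)


def lowe_style_attack(include_ids):
    """Malice relays Alice's nonce to Bob in his own name, then copies Bob's
    reply bit for bit to Alice in Bob's name (the forwarding step of Attack 11.3).
    Returns (does Alice accept "Bob"?, whom Bob's own record names)."""
    alice, bob = Principal("Alice"), Principal("Bob")
    r_a = secrets.token_bytes(16)                         # 1.  Alice -> Malice("Bob"): R_A
    msg2 = bob_responds(bob, r_a, "Malice", include_ids)  # 1'. Malice -> Bob: R_A ; 2'. Bob -> Malice
    return alice_checks(alice, r_a, msg2, include_ids), "Malice"   # 2. Malice("Bob") -> Alice: copy of 2'


if __name__ == "__main__":
    for fixed in (False, True):
        accepted, bobs_peer = lowe_style_attack(fixed)
        print(f"identities in signature={fixed}: Alice accepts Bob={accepted}, Bob's record names {bobs_peer}")
```

Without identities, Alice verifies Bob's certified signature over (R_B, R_A) and accepts, while Bob's record names Malice: the two records do not match, which is exactly the "insecure run" of Diffie et al. With identities, the signed message reads (R_B, R_A, Malice, Bob), so the copied message fails Alice's check because it does not name her as the verifier.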

Finally, we should recap a point we have made in 11.6.2: adding the identity of a signature verifier is not the only way to prevent this attack. For example, using a designated verifier signature can achieve a better fix without adding the identity. Such a fix will be a topic in a later chapter.

11.7 Typical Attacks on Authentication Protocols

In 2.3 we have agreed that Malice (perhaps by co-working with his friends distributed over an open communication network) is able to eavesdrop, intercept, alter and inject messages in the open communication network, and is good at doing so by impersonating other principals. Viewed from a high layer (the application layer) of communications, Malice's capabilities for mounting these attacks seem like magic: how can Malice be so powerful?

However, viewed from a lower-layer (the network layer) communication protocol, it actually does not require very sophisticated techniques for Malice to mount these attacks. We shall see the technical know-how for mounting such attacks on a lower-layer communication protocol in 12.2, where we shall also see how communications take place in the network layer. For the time being, let us just accept that Malice has magic-like capabilities. Then, a flawed authentication protocol may permit Malice to mount various types of attacks.

While it is impossible for us to know all the protocol attacking techniques Malice may use (since he will constantly devise new techniques), knowing several typical ones will provide us with insight into how to develop stronger protocols avoiding these attacks. In this section, let us look at several well-known protocol attacking techniques in Malice's portfolio. We should notice that, although we classify these attacking techniques into separate types, Malice may actually apply them in a combined way: a bit of this and a bit of that, until he can end up with a workable attack.

Before we go ahead, we should emphasize the following important point:

Remark 11.3
A successful attack on an authentication or authenticated key establishment protocol usually does not refer to breaking a cryptographic algorithm, e.g., via a complexity-theoretic cryptanalysis technique. Instead, it usually refers to Malice's unauthorized and undetected acquisition of a cryptographic credential or nullification of a cryptographic service without breaking a cryptographic algorithm. Of course, this is due to an error in protocol design, not one in the cryptographic algorithm.

11.7.1 Message Replay Attack

In a message replay attack, Malice has previously recorded an old message from a previous run of a protocol and now replays the recorded message in a new run of the protocol. Since the goal of an authentication protocol is to establish lively correspondence of communication parties, and the goal is generally achieved via exchanging fresh messages between/among communication partners, replay of old messages in an authentication protocol violates the goal of authentication.

In 2.6.4.2 we have seen an example of a message replay attack on the Needham-Schroeder Symmetric-key Authentication Protocol (Attack 2.2). Notice that there (review the last paragraph of 2.6.4.2) we have only considered one danger of that message replay attack: the replayed message encrypts an old session key which is assumed vulnerable (Malice may have discovered its value, maybe because it has been discarded by a careless principal, or maybe due to other vulnerabilities of a session key that we have discussed in 2.5).

Another consequence, probably a more serious one, of that attack should be referred to as authentication failure, i.e., absence of a lively correspondence between the two communication partners. Indeed, for that attack to work (review Attack 2.2) Malice does not have to wait for an opportunity that Alice starts a run of the protocol with Bob; he can just start his attack by jumping to message line 3 and replaying the recorded messages, as long as he knows the old session key K':

3. Malice("Alice") → Bob: {K', Alice}_K_BT;
4. Bob → Malice("Alice"): {I'm Bob! N_B}_K';
5. Malice("Alice") → Bob: {I'm Alice! N_B - 1}_K'.

Now Bob thinks Alice is communicating with him, while in fact Alice is not even online at all.
Message replay is a classic attack on authentication and authenticated key establishment protocols. It seems that we have already established a good awareness of message-replay attacks. This can be evidently seen from our ubiquitous use of freshness identifiers (nonces, timestamps) in the basic and standard protocol constructions introduced in 11.4. However, a good awareness does not necessarily mean that we must also be good at preventing such attacks. One subtlety of authentication protocols is that mistakes can be made, and repeatedly made, even when the designers know the errors very well in a different context. Let us look at the following case, which shows another form of message replay attack.

In [293], Varadharajan et al. present a number of "proxy protocols" by which a principal passes on its trust in another principal to others who trust the former. In one protocol, Bob, a client, shares the key K_BT with Trent, an authentication server. Bob has generated a timestamp T_B and wants a key K_BS to communicate with another server S. Then S constructs {T_B + 1}_K_BS and sends:

5. S → Bob: S, B, {T_B + 1}_K_BS, {K_BS}_K_BT.

The authors reason:

Having obtained K_BS, Bob is able to verify using T_B that S has replied to a fresh message, so that the session key is indeed fresh.

However, although a freshness identifier is cryptographically integrated with K_BS, Bob can obtain no assurance that K_BS is fresh. All that he can deduce is that K_BS has been used recently, but it may be an old, or even compromised, key.

So we remark:

Remark 11.4
Sometimes, a cryptographic integration between a freshness identifier and a message may only indicate the fresh action of the integration, not the freshness of the message being integrated.
11.7.2 Man-in-the-Middle Attack

A man-in-the-middle attack in the spirit of the well-known "chess grandmaster problem"[h] is generally applicable in a communication protocol where mutual authentication is absent. In such an attack, Malice is able to pass a difficult question asked by one protocol participant to another participant for an answer, and then passes the answer (maybe after a simple processing) back to the asking party, and/or vice versa.

[h] A novice who engages in two simultaneous chess games with two distinct grandmasters, playing Black in one game and White in the other, can take his opponents' moves in each game and use them in the other to guarantee himself either two draws or a win and a loss, and thereby unfairly have his chess rating improved.

In 2.6.6.3 and 8.3.1, we have seen two cases of man-in-the-middle attack, one on the Needham-Schroeder Public-key Authentication Protocol, one on the unauthenticated Diffie-Hellman key exchange protocol.

A man-in-the-middle attack on the S/KEY Protocol (Prot 11.4, attack shown in Attack 11.4) shows another good example of how Malice can gain a cryptographic credential without breaking the cryptographic algorithm used in the scheme.

The cryptographic hash function f used in the S/KEY scheme can be very strong so that it is computationally infeasible to invert; also the user U can have chosen the password P_U properly so that an offline dictionary attack aiming at finding P_U from f^c(P_U) does not apply (review 11.5.3 for offline dictionary attack). However, the protocol fails miserably under an active attack, which is demonstrated in Attack 11.4.

Attack 11.4 works because in the S/KEY Protocol, messages from H are not authenticated to U.

The countermeasure for a man-in-the-middle attack is to provide a data-origin authentication service in both directions of message exchanges.
Attack 11.4: An Attack on the S/KEY Protocol

(* notations in the attack are the same as those in Prot 11.4 *)

CONSEQUENCE:
Malice has in his possession f^{c-2}(P_U), which he can use for logging in in the name of U in the next session.

11.7.3 Parallel Session Attack

In a parallel session attack, two or more runs of a protocol are executed concurrently under Malice's orchestration. The concurrent runs make the answer to a difficult question in one run available to Malice so that he can use the answer in another run.

An early attack on the Woo-Lam Protocol (Prot 11.2) discovered by Abadi and Needham [1] illustrates a parallel session attack. The attack is shown in Attack 11.5.

This attack should work if Bob is willing to talk to Alice and Malice at roughly the same time. Then Malice can block messages flowing to Alice. In messages 1 and 1', Bob is asked to respond to two runs, one with Malice and one with "Alice." In messages 2 and 2', Bob responds with two different nonce challenges; of course both will be received by Malice (one of them, N_B, will be received via interception). Malice throws away N'_B, which is meant for him to use, but uses the intercepted N_B, which is intended for Alice to use. So in messages 3 and 3' Bob receives {N_B}_K_MT. Notice that the two ciphertext chunks received in messages 3 and 3' may or may not be identical; this depends on the encryption algorithm details (see Chapters 14 and 15). At any rate, Bob should simply follow the protocol instruction in messages 4 and 4': he just encrypts them and sends them to Trent. Notice that even if the two cipher chunks received by Bob in messages 3 and 3' are identical (when the encryption algorithm is deterministic, a less likely case nowadays in applications of encryption algorithms), Bob should not be able to notice it, since the cipher chunk is not recognizable by Bob as it is not a message for Bob to process. Not processing a "foreign ciphertext" is consistent with our convention for the behavior of honest principals (see 11.3): Bob is not anticipating an attack and cannot recognize ciphertext chunks which are not meant for him to decrypt. We know such a behavior is stupid, but we have agreed as convention that Bob should be so "stupid." Now in messages 5 and 5', one of the cipher chunks Bob receives from Trent will have the nonce N_B correctly returned, which will deceive Bob into accepting "the run with Alice," but Alice is not online at all; the other cipher chunk will be decrypted to "garbage" because it is a result of Trent decrypting {N_B}_K_MT using K_AT. The result: Bob rejects the run with Malice, but accepts the run "with Alice."
Attack 11.5: A Parallel-Session Attack on the Woo-Lam Protocol

PREMISE: In addition to that of Prot 11.2, Malice and Trent share the long-term key K_MT. (* so Malice is also a normal user in the system *)

1.  Malice("Alice") → Bob: Alice;
1'. Malice → Bob: Malice;
2.  Bob → Malice("Alice"): N_B;
2'. Bob → Malice: N'_B;
3.  Malice("Alice") → Bob: {N_B}_{K_MT};
3'. Malice → Bob: {N_B}_{K_MT};
4.  Bob → Trent: {Alice, {N_B}_{K_MT}}_{K_BT};
4'. Bob → Trent: {Malice, {N_B}_{K_MT}}_{K_BT};
5.  Trent → Bob: {"garbage"}_{K_BT};
    (* "garbage" is the result of Trent decrypting {N_B}_{K_MT} using K_AT *)
5'. Trent → Bob: {N_B}_{K_BT};
6.  Bob rejects the run with Malice;
    (* since decryption returns "garbage" rather than the nonce N'_B *)
6'. Bob accepts "the run with Alice," but it is a run with Malice;
    (* since decryption returns N_B correctly *)

CONSEQUENCE: Bob believes that Alice is corresponding with him in a run while in fact Alice has not participated in the run at all.
In a parallel-session attack, the sequence of the two paralleled sessions is not important. For example, if Bob receives message 3' before receiving message 3, the attack works the same way. Bob can know who has sent which of these two messages from the addressing information in the network layer, and we will see this clearly in §12.2.

Abadi and Needham suggest a fix for the Woo-Lam Protocol which we shall see in a moment. They also informed Woo and Lam about the attack in Attack 11.5 [1]. The latter authors propose a series of fixes [302] which includes the fix suggested by Abadi and Needham (called Π_3 in [302]) and several more aggressive fixes. The most aggressive fix is called Π_f: adding the identities of both subjects, i.e., Alice and Bob, inside all cipher chunks. They claim that their fixes are secure. Unfortunately, none of them is (and hence the fix suggested by Abadi and Needham is also flawed). Each of their fixes can be attacked in an attack type which we shall describe now.
11.7.4 Reflection Attack

In a reflection attack, when an honest principal sends to an intended communication partner a message for the latter to perform a cryptographic process, Malice intercepts the message and simply sends it back to the message originator. Notice that such a reflected message is not a case of "message bounced back:" Malice has manipulated the identity and address information which is processed by a lower-layer communication protocol so that the originator will not notice that the reflected message is actually one "invented here." We shall see the technical know-how in §12.2.

In such an attack, Malice tries to deceive the message originator into believing that the reflected message is expected by the originator from an intended communication partner, either as a response to, or as a challenge for, the originator. If Malice is successful, the message originator either accepts an "answer" to a question which was in fact asked and answered by the originator itself, or provides Malice with an oracle service which Malice needs but cannot provide to himself.

After having discovered the parallel-session attack (Attack 11.5) on the original Woo-Lam Protocol (Prot 11.2), Abadi and Needham suggested a fix [1]: the last message sent from Trent to Bob in Prot 11.2 should contain the identity of Alice:

Equation 11.7.1

This fix indeed removes the parallel-session attack in Attack 11.5, since now if Malice still attacks that way then the following will occur:

5. Trent → Bob: {Malice, N_B}_{K_BT}

while Bob is expecting (11.7.1), and hence detects the attack.

Attack 11.6: A Reflection Attack on a "Fixed" Version of the Woo-Lam Protocol

PREMISE: Same as that of Prot 11.2;

1. Malice("Alice") → Bob: Alice;
2. Bob → Malice("Alice"): N_B;
3. Malice("Alice") → Bob: N_B;
4. Bob → Malice("Trent"): {Alice, Bob, N_B}_{K_BT};
5. Malice("Trent") → Bob: {Alice, Bob, N_B}_{K_BT};
6. Bob accepts.

CONSEQUENCE: Bob believes that Alice is alive in a protocol run; however, in fact Alice has not participated in the run at all.
However, while having the identities of the protocol participants explicitly specified in a protocol is definitely an important and prudent principle for developing secure authentication protocols (an issue to be addressed in a different attacking type in §11.7.7), it is only one of many things which need to be considered. Often, one countermeasure prevents one attack but introduces another. The fixed version of Abadi and Needham [1] for the Woo-Lam Protocol is still insecure. Their fixed version of the Woo-Lam Protocol suffers a reflection attack which is given in Attack 11.6 (the attack is due to Clark and Jacob [77]).

Here, Malice mounts the reflection attack twice: message 3 is a reflection of message 2, and message 5 is that of message 4. This attack works under the assumption that, in messages 3 and 5, Bob receives the messages and cannot detect anything wrong. This assumption holds perfectly for both cases according to our agreed convention for the behavior of honest principals (§11.3). First, the random chunk Bob receives in message 3 is actually Bob's nonce sent out in message 2; however, Bob can only treat it as an unrecognizable foreign cipher chunk; to follow the protocol instruction is all that he can and should do. Again, the cipher chunk Bob receives in message 5 is actually one created by himself and sent out in message 4; however, Bob is stateless with respect to the message pair 4 and 5. This also follows our convention on stateless principals agreed in §11.3. Therefore Bob cannot detect the attack.

A series of fixes for the Woo-Lam Protocol proposed by Woo and Lam in [302] are also flawed in a similar way: they all suffer various forms of reflection attack. For the most aggressive fix, Π_f, in which the identities of both user principals are included in each ciphertext, the reflection attack will still work if Bob is not sensitive about the size of a foreign cipher chunk. This is of course a reasonable assumption due to our agreement on the "stupidity" of honest principals.
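The following simulation, an added example and not code from the book, replays Attack 11.5 against Prot 11.2 and against the Abadi-Needham fix (11.7.1), and then Attack 11.6 against the fixed version. It uses a symbolic (Dolev-Yao style) model: a ciphertext is a tuple naming its key, and decryption with the wrong key returns an unrecognizable "garbage" value rather than an error, which is exactly the textbook-crypto behavior Trent exhibits in message 5. Message 4 follows the Abadi-Needham form {Alice, N_B}_{K_BT}; as the text notes for Π_f, the reflection works identically if Bob's own name is inside the chunk too. The key names K_AT, K_BT, K_MT and the class/function names are this example's own.

```python
"""Symbolic replay of Attacks 11.5 and 11.6 on the Woo-Lam Protocol.

Honest principals follow the book's conventions: Bob treats any foreign chunk
as an opaque blob and is stateless between messages 4 and 5.
"""
import itertools

# Long-term keys shared with Trent (the attack premise: Malice is a normal user).
LONG_TERM = {"Alice": "K_AT", "Bob": "K_BT", "Malice": "K_MT"}


def enc(key, payload):
    return ("enc", key, payload)


def dec(key, chunk):
    """Wrong key or a non-ciphertext input yields garbage, never an error."""
    if isinstance(chunk, tuple) and chunk[:2] == ("enc", key):
        return chunk[2]
    return ("garbage", chunk)


class Bob:
    """Responder of Prot 11.2; fixed=True expects message 5 = {Alice, N_B}_{K_BT}."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.nonces = itertools.count(1)
        self.runs = {}            # claimed initiator -> nonce issued for that run

    def msg2(self, claimed):      # message 1 in, message 2 out
        n_b = f"N_B{next(self.nonces)}"
        self.runs[claimed] = n_b
        return n_b

    def msg4(self, claimed, chunk):   # message 3 in, message 4 out (chunk is opaque)
        return enc("K_BT", (claimed, chunk))

    def msg6(self, claimed, chunk):   # message 5 in: accept or reject
        got = dec("K_BT", chunk)
        want = (claimed, self.runs[claimed]) if self.fixed else self.runs[claimed]
        return got == want


def trent(msg4, fixed):
    claimed, inner = dec("K_BT", msg4)
    n = dec(LONG_TERM[claimed], inner)    # garbage unless inner is under claimed's key
    return enc("K_BT", (claimed, n) if fixed else n)


def honest_run(fixed):
    bob = Bob(fixed)
    n_b = bob.msg2("Alice")
    m4 = bob.msg4("Alice", enc("K_AT", n_b))   # the real Alice holds K_AT
    return bob.msg6("Alice", trent(m4, fixed))


def attack_11_5(fixed):
    """Parallel-session attack; True if Bob accepts 'the run with Alice'."""
    bob = Bob(fixed)
    n_b = bob.msg2("Alice")                    # 1, 2
    bob.msg2("Malice")                         # 1', 2'  (N'_B is never used)
    chunk = enc("K_MT", n_b)                   # Malice encrypts N_B under his own key
    m4 = bob.msg4("Alice", chunk)              # 3, 4
    m4p = bob.msg4("Malice", chunk)            # 3', 4'
    m5, m5p = trent(m4, fixed), trent(m4p, fixed)
    # Malice controls the network: Trent's answer to 4' is delivered into the
    # "Alice" session, the garbage answer to 4 into Malice's own session.
    alice_run = bob.msg6("Alice", m5p)
    malice_run = bob.msg6("Malice", m5)
    return alice_run and not malice_run


def attack_11_6():
    """Reflection attack on the fixed protocol: Bob's own output is bounced back."""
    bob = Bob(fixed=True)
    n_b = bob.msg2("Alice")                    # 1, 2
    m4 = bob.msg4("Alice", n_b)                # 3 = reflected N_B, taken as a foreign chunk
    return bob.msg6("Alice", m4)               # 5 = reflected message 4; Bob accepts


if __name__ == "__main__":
    print("honest (orig/fixed):", honest_run(False), honest_run(True))
    print("Attack 11.5 on original:", attack_11_5(False))
    print("Attack 11.5 on fixed:   ", attack_11_5(True))
    print("Attack 11.6 on fixed:   ", attack_11_6())
```

The fix stops Attack 11.5 because Bob's check in message 6 now compares the name inside the chunk with the name he is running with. It does nothing against Attack 11.6 because Bob never compares message 5 with the message 4 he produced; such a comparison is exactly what the stateless-principal convention of §11.3 rules out.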
A more fundamental reason for the Woo-Lam Protocol and its various fixed versions being flawed will be investigated in §17.2.1, where we take formal approaches to developing correct authentication protocols. A correct approach to the specification of authentication protocols will be proposed in §17.2.2. The correct approach will lead to a general fix for the Woo-Lam Protocol and for many other protocols, too. We shall see in §17.2.3.2 that the Woo-Lam Protocol under the general fix (Prot 17.2) will no longer suffer any of the attacks we have demonstrated so far.
11.7.5 Interleaving Attack

In an interleaving attack, two or more runs of a protocol are executed in an overlapping fashion under Malice's orchestration. In such an attack, Malice may compose a message and send it out to a principal in one run, from which he expects to receive an answer; the answer may be useful for another principal in another run, and in the latter run, the answer obtained from the former run may further stimulate the latter principal to answer a question which in turn may be further used in the first run, and so on.

Some authors, e.g., [34], consider that interleaving attack is a collective name for the previous two attacking types, i.e., parallel-session attack and reflection attack. We view these attacking types as different, in that an interleaving attack is more sophisticated than reflection and parallel-session attacks. In order to mount a successful interleaving attack, Malice must exploit a sequentially dependent relation among messages in different runs.

Wiener's attack (Attack 11.1) on an early draft of the "ISO Public Key Three-Pass Mutual Authentication Protocol," which we have seen in §11.4.2, is a good example of an interleaving attack. In that attack, Malice initiates a protocol run with A by masquerading as B (message line 1); upon receipt of A's response (message line 2), Malice initiates a new run with B by masquerading as A (message line 1'); B's response (message line 2') provides Malice with the answer that A is waiting for, and thus Malice can return to and complete the run with A. In comparison with the parallel-session attack (e.g., Attack 11.5), an interleaving attack is very sensitive to the sequence of the message exchanges.

Related to Wiener's attack, the "certificate-signature-replacement attack" on the "Authentication-only" STS Protocol (Attack 11.2) is another perfect interleaving attack. Also, Lowe's attack on the Needham-Schroeder Public-key Authentication Protocol (Attack 2.3) is an interleaving attack.

Usually, a failure in mutual authentication can make an interleaving attack possible.
11.7.6 Attack Due to Type Flaw

In a type flaw attack, Malice exploits a fact we agreed upon in §11.3 regarding an honest principal's inability to associate a message or a message component with its semantic meaning (review Remark 11.1 and Example 11.1 in §11.3).

Typical type flaws include a principal being tricked into misinterpreting a nonce, a timestamp or an identity as a key, etc. Misinterpretations are likely to occur when a protocol is poorly designed in that the type information of message components is not explicit. Let us use a protocol proposed by Neuman and Stubblebine [214] to exemplify a type flaw attack [285, 69]. First, here is the protocol:

1. Alice → Bob: A, N_A;
2. Bob → Trent: B, {A, N_A, T_B}_{K_BT}, N_B;
3. Trent → Alice: {B, N_A, K_AB, T_B}_{K_AT}, {A, K_AB, T_B}_{K_BT}, N_B;
4. Alice → Bob: {A, K_AB, T_B}_{K_BT}, {N_B}_{K_AB}.
This protocol intends to let Alice and Bob achieve mutual authentication and authenticated key establishment by using a trusted service from Trent. If a nonce and a key are random numbers of the same size, then this protocol permits Malice to mount a type-flaw attack:

1. Malice("Alice") → Bob: A, N_A;
2. Bob → Malice("Trent"): B, {A, N_A, T_B}_{K_BT}, N_B;
3. none;
4. Malice("Alice") → Bob: {A, N_A, T_B}_{K_BT}, {N_B}_{N_A}.

In this attack, Malice uses the nonce N_A in place of the session key K_AB to be established, and Bob can be tricked into accepting it if he cannot tell the type difference. Indeed, there is no good mechanism in the protocol to prevent Bob from being fooled.

A type flaw is usually implementation dependent. If a protocol specification does not provide sufficiently explicit type information for the variables appearing in the protocol, then type flaws can be very common in implementations. Boyd [54] exemplified the problem using the Otway-Rees Authentication Protocol [226], where he discussed the importance of avoiding hidden assumptions in cryptographic protocols.
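The following is an added example, not code from the book, that shows why the attack above is implementation dependent. Bob's step-2 ticket {A, N_A, T_B}_{K_BT} and Trent's step-3 ticket {A, K_AB, T_B}_{K_BT} are encrypted with the same key and, when nonces and keys are both 16-byte strings, have the same byte layout; a responder that parses by fixed offsets cannot tell them apart and ends up using N_A as K_AB. The same responder with one explicit type tag per field inside the ciphertext rejects the replayed ticket. The cipher is a toy keystream built from SHA-256 with no integrity protection (chosen deliberately, so a wrong key gives garbage rather than an error); the tag values, field widths, the constant timestamp and all function names are this example's own assumptions.

```python
"""Type-flaw attack on the Neuman-Stubblebine responder: fixed-offset parsing
versus explicitly typed fields.  Constructed example, stand-alone."""
import hashlib
import secrets

FIELD = 16                      # identities, nonces and keys all 16 bytes: the precondition
ID, NONCE, KEY, TS = 1, 2, 3, 4   # type tags (this example's convention)
WIDTH = {ID: FIELD, NONCE: FIELD, KEY: FIELD, TS: 8}


def keystream(key, iv, n):
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def enc(key, pt):
    """Toy unauthenticated stream cipher: fresh IV per message, no MAC."""
    iv = secrets.token_bytes(16)
    return iv + bytes(a ^ b for a, b in zip(pt, keystream(key, iv, len(pt))))


def dec(key, ct):
    iv, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, iv, len(body))))


def pack(fields, typed):
    """Concatenate fixed-width fields; with typed=True each carries its tag byte."""
    return b"".join((bytes([t]) if typed else b"") + v for t, v in fields)


def unpack(blob, types, typed):
    """Parse by the layout the receiver EXPECTS; None on a tag mismatch."""
    out, pos = [], 0
    for t in types:
        if typed:
            if blob[pos:pos + 1] != bytes([t]):
                return None
            pos += 1
        out.append(blob[pos:pos + WIDTH[t]])
        pos += WIDTH[t]
    return out


class Bob:
    def __init__(self, k_bt, typed):
        self.k_bt, self.typed = k_bt, typed
        self.runs = {}                      # N_B -> (A, T_B) remembered from step 2

    def step2(self, a, n_a):
        t_b = (1_000_000).to_bytes(8, "big")   # fixed stand-in for a timestamp
        n_b = secrets.token_bytes(FIELD)
        self.runs[n_b] = (a, t_b)
        ticket = enc(self.k_bt, pack([(ID, a), (NONCE, n_a), (TS, t_b)], self.typed))
        return ticket, n_b

    def step4(self, n_b, ticket, auth):
        """Accept iff the ticket names A and T_B and auth = {N_B} under the ticket's key."""
        a, t_b = self.runs[n_b]
        f = unpack(dec(self.k_bt, ticket), [ID, KEY, TS], self.typed)
        if f is None or f[0] != a or f[2] != t_b:
            return False
        return dec(f[1], auth) == n_b


def honest_run(typed):
    k_bt = secrets.token_bytes(16)
    bob = Bob(k_bt, typed)
    a = b"Alice".ljust(FIELD, b"\0")
    ticket, n_b = bob.step2(a, secrets.token_bytes(FIELD))
    f = unpack(dec(k_bt, ticket), [ID, NONCE, TS], typed)   # Trent reads Bob's ticket
    k_ab = secrets.token_bytes(FIELD)
    ticket4 = enc(k_bt, pack([(ID, f[0]), (KEY, k_ab), (TS, f[2])], typed))
    return bob.step4(n_b, ticket4, enc(k_ab, n_b))


def type_flaw_attack(typed):
    """Malice('Alice') replays Bob's own step-2 ticket as Trent's step-3 ticket."""
    bob = Bob(secrets.token_bytes(16), typed)
    a = b"Alice".ljust(FIELD, b"\0")
    n_a = secrets.token_bytes(FIELD)         # Malice's "nonce", reused as the key
    ticket, n_b = bob.step2(a, n_a)          # messages 1 and 2; message 3: none
    return bob.step4(n_b, ticket, enc(n_a, n_b))   # message 4 with {N_B}_{N_A}
```

With typed=False the replayed ticket parses as (A, N_A, T_B) in the (A, K_AB, T_B) slots and Bob accepts N_A as the session key; with typed=True the second field carries the NONCE tag where a KEY tag is required, so the same parser returns None and Bob rejects. Nothing in the wire format changed except that the type of each component became explicit inside the ciphertext.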
11.7.7 Attack Due to Name Omission

In authentication protocols, often the names relevant for a message can be deduced from other data parts in the context, and from what encryption keys have been applied. However, when this information cannot be deduced, name omission is a blunder with serious consequences.

It seems that experts in the field (reputable authors in cryptography, computer security and protocol design) are ready to make a name-omission blunder. Perhaps this is because of their desire to obtain an elegant protocol which should contain little redundancy. The two attacks on two versions of the STS Protocol, which we have studied in §11.6.2 and §11.6.3, respectively, are such vivid examples. Here is another.

Denning and Sacco proposed a protocol as a public-key alternative to their fix of the Needham-Schroeder Symmetric-key Authentication Protocol [94]. The protocol of Denning and Sacco is as follows:

1. Alice → Trent: A, B;
2. Trent → Alice: Cert_A, Cert_B;
3. Alice → Bob: Cert_A, Cert_B, {sig_A(K_AB, T_A)}_{K_B}.
In this protocol, the third message is encrypted for both secrecy and authenticity. When Bob receives the message from Alice, he sees that the session key K_AB should be exclusively shared between Alice and him, because he sees Alice's signature and the use of his public key. Unfortunately, nothing in this protocol guarantees such an exclusive-key-sharing property. Abadi and Needham discovered a simple but rather shocking attack [1] in which Bob, after receiving the message from Alice, can fool another principal into believing this "property:"

3'. Bob("Alice") → Charlie: Cert_A, Cert_C, {sig_A(K_AB, T_A)}_{K_C}.

Charlie will believe that the message is from Alice, and may subsequently send a confidential message to Alice encrypted under the session key K_AB. Alas, Bob can read it!
The intended meaning of message line 3 is: "At time T_A, Alice says that K_AB is a good key for communication between Alice and Bob." The obvious way to specify this in this protocol should be:

3. Alice → Bob: Cert_A, Cert_B, {sig_A(A, B, K_AB, T_A)}_{K_B}.

Making explicit the identities of participants in authentication protocols, especially making them explicit inside the scope of a cryptographic operation, must have been "common sense" for protocol designers. However, we have witnessed that it is not rare for experienced protocol designers to neglect "common sense." Abadi and Needham have documented this "common sense" as one of the prudent principles for authentication protocol design [1]. We should quote here again this prudent principle for protocol design:

    If the identity of a principal is essential to the meaning of a message, it is prudent to mention the principal's name explicitly in the message.

Our re-emphasis of this prudent principle is not redundant: in §12.2 we shall further see name-omission blunders in the current version of the IKE Protocol for Internet security [135], even after many years of the protocol's development by a committee of highly experienced computer security experts.
11.7.8 Attack Due to Misuse of Cryptographic Services

We should mention finally a very common protocol design flaw: misuse of cryptographic services.

Misuse of cryptographic services means that a cryptographic algorithm used in a protocol provides an incorrect protection so that the needed protection is absent. This type of flaw can lead to various attacks. Here are two of the most common ones:

i. Attacks due to absence of data-integrity protection. We will demonstrate an attack on a flawed protocol to illustrate the importance of data-integrity protection. Many more attacking examples of this type on public-key cryptographic schemes will be shown in Chapter 14, where we study the notion of security against adaptively active attackers. We shall further study this type of protocol failure in depth in §17.2, where we study the topic of formal approaches to authentication protocol analysis.

ii. Confidentiality failure due to absence of "semantic security" protection. In this type of protocol (and cryptosystem) failure, Malice can extract some partial information about a secret message encrypted in a ciphertext and hence achieve his attacking agenda without fully breaking an encryption algorithm in terms of an "all-or-nothing" quality of confidentiality (see Property 8.2 in §8.2). We shall study the notion of semantic security in Chapter 14 and show many such attacks there. There and in Chapter 15 we shall also study cryptographic techniques which offer semantic security.

These two common misuses of cryptographic services frequently appear in the literature of authentication protocols. Apparently, the misuses indicate that those protocol designers were not aware of the general danger of "textbook crypto."
Now let us demonstrate a flaw due to a missing integrity service. The flawed protocol is a variation of the Otway-Rees Protocol [226]. We have derived the variation by following a suggestion in [61]. The variation is specified in Prot 11.8.

Protocol 11.8: A Minor Variation of the Otway-Rees Protocol

PREMISE: Alice and Trent share key K_AT; Bob and Trent share key K_BT;
GOAL: Alice and Bob authenticate to each other; they also establish a new and shared session key K_AB.

1. Alice → Bob: M, Alice, Bob, {N_A, M, Alice, Bob}_{K_AT};
2. Bob → Trent: M, Alice, Bob, {N_A, M, Alice, Bob}_{K_AT}, {N_B}_{K_BT}, {M, Alice, Bob}_{K_BT};
3. Trent → Bob: M, {N_A, K_AB}_{K_AT}, {N_B, K_AB}_{K_BT};
4. Bob → Alice: M, {N_A, K_AB}_{K_AT}.

(* M is called a run identifier, for Alice and Bob to keep track of the run between them *)
Prot 11.8 applies the rather standard technique of using an online authentication server (Trent) to achieve mutual authentication and authenticated session establishment between two user principals. Let us consider Bob's view of a protocol run (Alice's view can be considered likewise). Bob can conclude that the session key received in step 3 is fresh, from the cryptographic integration between the key and his nonce. He should also be able to conclude that the session key is shared with Alice. This is implied by the cryptographic integration between the run identifier M and the two principals' identities; the integration has been created by Bob himself and has been verified by Trent.

The variation differs from the original Otway-Rees Protocol only very slightly: in step 2 of the variation, Bob's encrypted messages (encrypted under the key K_BT) are in two separate cipher chunks, one encrypting his nonce N_B, the other encrypting the other message components. In the original Otway-Rees Protocol, the nonce and the rest of the message components are encrypted (more precisely, they are specified to be encrypted) inside one cipher chunk: {N_B, M, Alice, Bob}_{K_BT}.
I t i s i nt er est ing t o point out t hat f or some implement or s, t hi s var i at i on may not qual i fy as a
vari at i on at all : encry pt i on of a long message i s al ways implement ed i n a pl ur al number of
bl ocks whet her or not t he speci f icat i on uses one chunk or t wo chunks. Thi s is an i mpor t ant poi nt

Table of Cont ent s
Moder n Cr ypt ography : Theor y and Pract i ce
By Wenbo Mao Hewlet t - Packard Company

Publi sher: Prent i ce Hal l PTR


Pub Dat e: Jul y 25, 2003
I SBN: 0- 13-066943-1
Pages: 648

Many cr y pt ographi c schemes and prot ocol s, especi al l y t hose based on publ i c- key cry pt ogr aphy ,
have basi c or so- cal l ed " t ext book cr ypt o" ver si ons, as t hese ver sionsar e usual ly t he subj ect s for
many t ext books on cry pt ogr aphy . Thi s book t akes adi ff er ent appr oach t o i nt roduci ng
cry pt ogr aphy : it pay s much more at t ent i on t ofi t - f or- appl i cat i on aspect s of cr ypt ogr aphy . I t
expl ains why " t ext book cr y pt o" isonl y good in an i deal wor l d wher e dat a ar e r andom and bad
guys behave ni cel y . I t r eveal s t he gener al unf it ness of "t ext book cr y pt o" for t he r eal worl d by
demonst r at i ngnumer ous at t acks on such schemes, pr ot ocol s and syst ems under var i ousr eal -
wor ld appl i cat i on scenari os. Thi s book chooses t o i nt r oduce a set of pract i cal cr y pt ogr aphi c
schemes, pr ot ocol s and syst ems, many of t hem st andar ds or de fact oones, st udies t hem cl osel y,
expl ains t hei r wor ki ng pri nci pl es, di scusses t hei r pr act i cal usages, and exami nes t hei r st r ong
( i . e. , f i t - for - appl i cat i on) securi t y pr opert i es, oft enwi t h securi t y evi dence for mal l y est abl ished.
The book al so i ncl udes self - cont ai nedt heor et i cal backgr ound mat er ial t hat i s t he f oundat i on for
moder n cr ypt ogr aphy.
and we shall return to clarify it at the end of our discussion of this type of protocol failure.
This minor variation is actually a much less aggressive version of modification to the original protocol than that suggested in [61]. There it is considered that Bob's nonce needn't be a secret, and hence Bob can send it in cleartext. Indeed, if the freshness identifier has been sent in cleartext in step 2, Bob can of course still use N_B returned in step 3 to identify the freshness of the session key K_AB. We, however, insist on using encryption in step 2 in order to expose our point more clearly.
Prot 11.8 is fatally flawed. Attack 11.7 shows an attack. This attack was discovered by Boyd and Mao [55].
In this attack, Malice begins by masquerading as Alice to initiate a run with Bob. He then intercepts the message from Bob to Trent (step 2); he changes Alice's identity into his own, does not touch Bob's first cipher chunk (no need for him to know the encrypted nonce) and replaces Bob's second cipher chunk {M, Alice, Bob}K_BT with an old chunk {M, Malice, Bob}K_BT which he has recorded from a previous normal run of the protocol between himself and Bob. After sending the modified messages to Trent by masquerading as Bob (step 2'), everything will go fine with Trent and Bob: Trent thinks that the two client-users requesting authentication service are Malice and Bob, while Bob thinks that the run is between Alice and himself. Alas, Bob will use the established session key which he thinks he shares with Alice but in fact shares with Malice, and will disclose to Malice the confidential messages which should be sent to Alice!
This attack reveals an important point: to protect the freshness identifier N_B in terms of confidentiality is to provide a wrong cryptographic service! The correct service is data integrity, which must be provided to integrate the nonce and the principals' identities. N_B can indeed be sent in clear if a proper integrity protection is in place. Without integrity protection, encryption of N_B is missing the point!
We have mentioned that for some implementors, Prot 11.8 will not be viewed as a variation from the original Otway-Rees Protocol. This is true indeed because encryption of a long message is always implemented in a plural number of blocks. If in an implementation a plural number of ciphertext blocks are not integrated with one another cryptographically, then both protocols will be implemented into the same code, and hence one cannot be a "variation" of the other.
In the usual and standard implementation of block ciphers, a sequence of separate ciphertext blocks are cryptographically chained to one another. The cipher-block-chaining (CBC, see 7.8.2) mode of operation is the most likely case. We should notice that in the CBC mode, the cryptographically chained cipher blocks are actually not protected in terms of data integrity service, in contrast to a common and wrong belief. Without integrity protection, some of the chained blocks can be modified without having the modification detected during decryption time. We shall show how CBC misses the point of providing data-integrity protection in 17.2.1.2.

Attack 11.7: An Attack on the Minor Variation of the Otway-Rees Protocol
PREMISE: In addition to that in Prot 11.8, Malice and Trent share key K_MT.
(* so Malice is also a normal user in the system *)
1. Malice("Alice") → Bob: M, Alice, Bob, {N_M, M, Malice, Bob}K_MT;
2. Bob → Malice("Trent"): M, Alice, Bob, {N_M, M, Malice, Bob}K_MT, {N_B}K_BT, {M, Alice, Bob}K_BT;
2'. Malice("Bob") → Trent: M, Malice, Bob, {N_M, M, Malice, Bob}K_MT, {N_B}K_BT, {M, Malice, Bob}K_BT;
(* where {M, Malice, Bob}K_BT is an old cipher chunk which Malice preserves from a previous normal run between himself and Bob. *)
3. Trent → Bob: M, {N_M, K_MB}K_MT, {N_B, K_MB}K_BT;
4. Bob → Malice("Alice"): M, {N_M, K_MB}K_MT.
CONSEQUENCE:
Bob believes that he has been talking to Alice and shares a session key with her. However, in fact he has been talking to Malice and shares the session key with the latter.
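As an added illustration (not code from the book), the following Python models Prot 11.8 with Bob's two separately encrypted chunks, and beside it the integrity-protected variant the text calls for, in which N_B, M and both identities travel as one MAC-covered unit. The toy HMAC-based stream cipher, the hex-encoded nonces, the field separator and the names of the functions are all constructed stand-ins for the book's abstract {...}K notation; the point shown is that Trent's consistency check passes the spliced run in the flawed protocol, and that once the nonce is bound to the identities the replayed unit carries a stale nonce which Bob rejects.

```python
import hashlib
import hmac
import secrets

IV_LEN = 16
SEP = b"|"   # field separator; every field is hex or an ASCII name, so SEP never occurs inside one


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Constructed CTR-style keystream from HMAC-SHA256. It stands in for the
    # book's abstract {...}K encryption; a teaching toy, not a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enc(key: bytes, pt: bytes) -> bytes:
    """Confidentiality only: iv || pt XOR keystream. Provides no integrity at all."""
    iv = secrets.token_bytes(IV_LEN)
    return iv + bytes(p ^ k for p, k in zip(pt, _keystream(key, iv, len(pt))))


def dec(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:IV_LEN], ct[IV_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def pack(*fields: bytes) -> bytes:
    return SEP.join(fields)


def unpack(blob: bytes, n: int) -> tuple:
    return tuple(blob.split(SEP, n - 1))


def fresh() -> bytes:
    return secrets.token_hex(16).encode()   # nonces, M and K_AB as hex, so SEP never appears


def run(integrated: bool, attack: bool) -> tuple:
    """Run Prot 11.8 (integrated=False) or the integrity-protected variant (integrated=True).

    Returns (outcome, peer Bob believes he shares the key with, initiator Trent served).
    """
    keys = {n: secrets.token_bytes(32) for n in ("Alice", "Bob", "Malice")}  # K_AT, K_BT, K_MT
    k_bt = keys["Bob"]
    initiator = "Malice" if attack else "Alice"
    claimed = "Alice"                        # the identity Bob sees in step 1
    m, n_i = fresh(), fresh()
    hdr = (m, claimed.encode(), b"Bob")
    chunk_i = enc(keys[initiator], pack(n_i, m, initiator.encode(), b"Bob"))

    # Step 2: Bob adds his material. Flawed: two unrelated chunks {N_B}K_BT and
    # {M, Alice, Bob}K_BT. Fixed: one unit binding N_B to M and both identities,
    # covered by a MAC so that no part of it can be swapped or altered.
    n_b = fresh()
    if integrated:
        unit = enc(k_bt, pack(n_b, *hdr))
        bob_part = (unit, mac(k_bt, unit))
    else:
        bob_part = (enc(k_bt, n_b), enc(k_bt, pack(*hdr)))

    # Step 2': Malice, masquerading as Bob, rewrites the cleartext header and
    # substitutes a chunk recorded from an earlier honest run with Bob (the
    # recording is simulated here by producing what Bob sent in that old run).
    if attack:
        hdr = (m, b"Malice", b"Bob")
        if integrated:
            old_unit = enc(k_bt, pack(fresh(), *hdr))        # carries the OLD nonce, not n_b
            bob_part = (old_unit, mac(k_bt, old_unit))
        else:
            bob_part = (bob_part[0], enc(k_bt, pack(*hdr)))  # fresh {N_B}K_BT kept, identity chunk swapped

    # Step 3: Trent checks that each party's chunk names the same (M, A, B) as the header.
    a_name = hdr[1].decode()
    _n_a, *ids_i = unpack(dec(keys[a_name], chunk_i), 4)
    if tuple(ids_i) != hdr:
        return ("trent_reject", None, a_name)
    if integrated:
        unit, tag = bob_part
        if not hmac.compare_digest(tag, mac(k_bt, unit)):
            return ("trent_reject", None, a_name)
        n_b_seen, *ids_b = unpack(dec(k_bt, unit), 4)
    else:
        n_b_seen = dec(k_bt, bob_part[0])
        ids_b = list(unpack(dec(k_bt, bob_part[1]), 3))
    if tuple(ids_b) != hdr:
        return ("trent_reject", None, a_name)
    reply_b = enc(k_bt, pack(n_b_seen, fresh()))              # {N_B, K_AB}K_BT

    # Step 4: Bob accepts only if his own fresh nonce comes back, and then
    # believes the key is shared with whoever step 1 named.
    n_back, _k_ab = unpack(dec(k_bt, reply_b), 2)
    if n_back != n_b:
        return ("bob_reject", None, a_name)
    return ("bob_accept", claimed, a_name)
```

With `integrated=False, attack=True` the result is `("bob_accept", "Alice", "Malice")`: Bob accepts a key that Trent issued to Malice. With `integrated=True, attack=True` Trent still finds the replayed unit consistent, but Bob sees a stale nonce and returns `bob_reject`.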
Not the End of the List
It is still possible to name several other ways to attack authentication protocols, such as "side channel attack" (we shall see such an attack on the TLS/SSL Protocol in 12.5.4, and in that case the side-channel attack is a "timing analysis attack"), "implementation dependent attack," "binding attack," and "encapsulation attack" (see Section 4 of [77]) or "misplaced trust in server attack" (see Section 12.9.1 of [198]), etc. Because some of these types of attacks have certain overlapping parts with some of the types we have listed, and also because, even including them, we still cannot exhaust all possible types of attacks, we should therefore stop our listing here.
The readiness of authentication protocols to contain security flaws, even under the great care of experts in the field, has urged researchers to consider systematic approaches to the design and analysis of authentication protocols. In Chapter 17 we shall study several topics on formal methods for the design and analysis of authentication protocols.

11.8 A Brief Literature Note
Authentication is a big subject in cryptographic protocols. We recommend a few important literature references in this subject.
A logic of authentication by Burrows, Abadi and Needham [61]. This seminal paper is essential reading. Most security protocol papers reference it. It is a good source of many early authentication protocols and an early exposure of many security flaws with them.
A survey on various ways cryptographic protocols fail by Moore [204, 205]. This is an important paper. It is a good introduction to various cryptographic failures which are not a result of any inherent weakness in the cryptographic algorithms themselves; rather, they arise because the way in which the algorithms are used requires that they provide certain cryptographic services which they do not in fact provide.
Prudent engineering practice for cryptographic protocols summarized by Abadi and Needham [1]. This paper sets out eleven heuristic principles which are intended to guide protocol designers to develop good protocols. The principles form an engineering account of protocol development, serving as a menu for protocol designers: "have I checked this sort of attack?" An excellent piece of work which will prove of considerable use for protocol designers.
A survey of authentication protocol literature written by Clark and Jacob [77]. This document includes a library of a large number of authentication and key-establishment protocols. Many of the protocols in the library are accompanied by attacks. The document also has a comprehensive and well annotated literature survey. This is essential reading for protocol developers. A Web site called "Security Protocols Open Repository" (SPORE) has been set up as the further development of the document of Clark and Jacob. The Web address for SPORE is http://www.lsv.ens-cachan.fr/spore/
A forthcoming book by Boyd and Mathuria entitled "Protocols for Key Establishment and Authentication" (Information Security and Cryptography Series, Publisher: Springer, ISBN: 3-540-43107-1). This book is the first comprehensive and integrated treatment of authentication and key-establishment protocols. For key-establishment protocols, which include the basic protocols using symmetric and asymmetric cryptographic techniques, group-oriented, conference-key, and password-based protocols, this book takes an exhaustive approach to their description, explanation and reporting of the known flaws. The book allows researchers and practitioners to quickly access a protocol for their needs and become aware of existing protocols which have been broken in the literature. As well as a clear and uniform presentation of the protocols, this book includes a description of all the main attack types and classifies most protocols in terms of their properties and resource requirements. It also includes tutorial material suitable for graduate students.

11.9 Chapter Summary
Our study of authentication in this chapter covers a wide range of topics in the subject with in-depth discussions. The range includes basic concepts (data-origin, entity, authenticated-key-establishment, unilateral, mutual, liveness), good constructions of authentication protocols (recommended by the international standards), standard protocols, several interesting and useful protocols (e.g., one-time password, EKE, STS) and a taxonomy of attacks.
As an active academic research topic, authentication protocols are an important but also rather premature subject in the area of cryptographic protocols. Our coverage of the subject in this chapter is by no means comprehensive. We have therefore listed a brief literature note for readers who will be interested in a further study of the subject in an academic research direction. For these readers, a later chapter in this book (Chapter 17 on formal analysis methodologies of authentication protocols) is also material for further study.
Authentication protocols have importance in real-world applications. This chapter has touched on a few aspects of applications. Let us turn to the real-world applications of authentication protocols in the next chapter.

Exercises
11.1 Describe the difference between the following security services: data integrity, message authentication, entity authentication.
11.2 What is a freshness identifier?
11.3 Does the recency of a cryptographic action performed by a principal necessarily imply the freshness of a message sent by the principal?
11.4 After the decryption of a ciphertext (e.g., formed by the AES-CBC encryption) Alice sees a valid freshness identifier (e.g., a nonce she has just sent out). Can she conclude the freshness of the ciphertext message?
11.5 Why is the data integrity of an encrypted protocol message important for the message's secrecy?
11.6 In 11.4 we have introduced the most basic constructions of authentication protocols. In these constructions, what is the essential difference between the standard constructions and the non-standard ones?
11.7 Identify a non-standard construction in the Woo-Lam Protocol (Prot 11.2).
Hint: observe a security service used in the interaction between Bob and Trent in message lines 4 and 5, and compare the construction with that in (11.4.7).
11.8 What is common in the following three attacks? (i) Wiener's attack on the flawed version of the ISO Protocol (Attack 11.1), (ii) the "certificate-signature-replacement attack" on the "Authentication-only" STS Protocol (Attack 11.2) and (iii) Lowe's attack on the Needham-Schroeder Public-key Authentication Protocol (Attack 2.3).
11.9 Inside computers every ASCII character is represented by 8 bits. Why does a password of 8 ASCII characters usually contain an information quantity which is less than that measured by 64 bits?
11.10 What is a salt in a password-based authentication protocol? What is the role of a salt?
11.11 In the password authentication protocol for the UNIX operating system (see 11.5.1 and Prot 11.3), the cryptographic transformation f(P_U) is generated using the DES encryption function. Does the protocol apply the DES decryption function? Discuss an important difference between this transformation and that in the non-standard authentication mechanism (11.4.7).
11.12 The S/KEY Protocol (Prot 11.4) uses essentially the same cryptographic transformation as the UNIX password authentication protocol (Prot 11.3) does. Why do we say that the former is flawed while the latter is not?
11.13 The EKE Protocol (Prot 11.5) uses asymmetric cryptographic techniques. Is it a public-key based authentication protocol?

11.14 We have shown a flaw in the "Authentication-only" STS Protocol (Attack 11.2). Revise the protocol to remove the flaw.
11.15 In 11.6.3 we have reasoned that signing the intended verifier's identity provides a fix for the minor flaw in the STS Protocol (the minor flaw is demonstrated in Attack 11.3). However, such a fix damages the anonymity (deniability) property of the protocol. Provide a different fix which does not involve signing identities.
Hint: the two parties actually have not combined the shared session key with the intended identities; that was why we did not consider that the agreed session key has been mutually confirmed; see our discussions on the intended properties of the protocol in 11.6.1.

Chapter 12. Authentication Protocols
The Real World
Section 12.1. Introduction
Section 12.2. Authentication Protocols for Internet Security
Section 12.3. The Secure Shell (SSH) Remote Login Protocol
Section 12.4. The Kerberos Protocol and its Realization in Windows 2000
Section 12.5. SSL and TLS
Section 12.6. Chapter Summary
Exercises

12.1 Introduction
Our study of authentication protocols in the preceding chapter has an academic focus: we have studied good (and standard) constructions for authentication protocols, introduced a few important authentication protocols and techniques selected from the literature, and conducted a systematic examination of various "academic attacks" on authentication protocols. However, we have touched little on the application aspect. Undoubtedly, real-world applications of authentication protocols must have real-world problems to solve, some of which are very challenging.
In this chapter, let us face some authentication problems in the real world. We shall introduce and discuss a number of authentication protocols which have been proposed for, and some already widely used in, various important applications in the real world. All of the protocols to be introduced in this chapter are de facto or industrial standards.
The first real-world protocol we shall study is the Internet Key Exchange Protocol (IKE) [135, 158], which is the authentication mechanism for the IETF (Internet Engineering Task Force) standard for Internet Security (IPSec). This protocol suite (a system) contains authentication and authenticated key exchange protocols which operate at a low layer of communications called the network layer. Our study shall let us see how communications take place at the network layer, understand how various attacks demonstrated in the previous chapter can be based on various ways for Malice to manipulate addressing information handled by the network layer protocol, and realize that security offered at the network layer can be very effective in thwarting those attacks. We shall also see that a challenging problem in IKE is for the protocol suite to offer an optional privacy feature which is desirable at the network layer of communications in order not to cause privacy damage to applications in higher layers of communications.
Next, we shall introduce the Secure Shell (SSH) Protocol [304, 307, 308, 305, 306]. This is a public-key based authentication protocol suite for secure access of remote computer resources (secure remote login) from an untrusted machine (i.e., from an untrusted client machine to a remote server host). It is a de facto standard for secure remote login to computer resources in an open systems environment and is already widely used globally. SSH is a client-server protocol. Its server part mainly runs on machines which use the UNIX[a], or its popular variant, Linux, operating systems (this is true especially on the server side); its client part further covers other operating systems such as Windows, etc. A challenging problem for this protocol is to enable a security service in a harmonious manner: insecure systems are already in wide use, and secure solutions should be added on with the least interruption to the insecure systems which are already in operation (backward compatibility).
[a] UNIX is a trademark of Bell Laboratories.
Next, we shall introduce another important and already-in-wide-use authentication protocol system: the Kerberos Authentication Protocol [202, 168]. This is the network authentication basis for another popular operating system: Windows 2000. This operating system is in wide use in an enterprise environment where a user is entitled to enterprise-wide distributed services while unable to keep many different cryptographic credentials for using the different servers (it is unrealistic for a user to memorize many different passwords and uneconomic for a user to manage many smart cards). We shall see that Kerberos' "single-signon" authentication architecture finds a good application in such an environment.
Finally, we shall overview the Secure Socket Layer (SSL) Protocol [136], or the Transport Layer Security (TLS) Protocol as named by the Internet-wide industrial standards community IETF. At the time of writing, this protocol qualifies as the most widely used public-key based authentication technique: it is nowadays an integral part of every World Wide Web browser and Web server,

though in most cases its use is limited to unilateral authentication only (a server authenticates to a client). This is an authentication protocol for a typical client-server environment setting. Although the idea behind the protocol is extremely simple (this is the simplest protocol of the four real-world authentication protocols to be introduced in this chapter), we shall see from this case that a real-world realization of any simple authentication protocol is never a simple job.

12.1.1 Chapter Outline

IPSec and the IKE Protocol will be introduced in 12.2. The SSH Protocol will be introduced in 12.3. An enterprise single-signon scenario suitable for using the Windows 2000 operating system will be discussed in 12.4, and then the Kerberos Protocol, the network authentication basis for this operating system, will be described. Finally we overview the SSL (TLS) Protocol in 12.5.

12.2 Authentication Protocols for Internet Security

We have been introducing various cryptographic techniques for protecting messages transmitted through open networks. The techniques introduced so far in this book all provide protections at a high communication layer or the application layer. A protection at the application layer means that only the content part of a message is protected whereas the addressing part, regarded as low-layer information, is not.

However, for securing communications over the Internet, protection provided at a low layer of communication which covers the addressing information as well as the content can be very effective. This is because, as we have witnessed in 11.7, manipulation of a message's addressing information is the main source of tricks available to Malice for mounting various attacks.

In this section we shall first look at how messages are processed by a low-layer communication protocol. There, we shall realize how Malice could materialize his tricks due to absence of security in that protocol. We shall then study a suite of authentication protocols proposed by a standards body for Internet security. That suite of protocols is collectively named the Internet Key Exchange (IKE); they are intended to protect messages in the low-layer communication protocol using authentication techniques we have studied in the preceding chapter. We shall analyze a couple of important "modes" in IKE and reveal some vulnerabilities they have. We shall also report some critical comments and concerns on IKE from the research community.

12.2.1 Communications at the Internet Protocol Layer

The Internet is an enormous open network of computers and devices called "nodes." Each node is assigned a unique network address so that messages sent to and from the node have this address attached. A protocol which processes the transmission of messages using the network address is called the Internet Protocol (IP for short) and hence, the unique network address of a node is called the IP address of the node. According to the ISO's "Open Systems Interconnection (ISO-OSI) Seven-layer Reference Model" (e.g., pages 416-417 of [227] or 1.5.1 of [159]), the IP works at "layer 3" (also called the network layer or the IP layer). Many communication protocols including many authentication protocols which are invoked by end-users work at "layer 7" (also called the application layer). This is another reason why we have called the IP a "low-layer" communication protocol and the other protocols "high-layer" ones.

Communications at the IP layer take the form of "IP packets." Fig 12.1 illustrates an IP packet which has no cryptographic protection. The first three fields of an IP packet have apparent meanings. The fourth field, "Upper-layer Fields" contains two things: (i) the specification of the protocol which runs in the immediate upper layer and processes the IP packet (e.g., "transmission control protocol" TCP), and (ii) data which are transmitted by the IP packet.

Figure 12.1. An Unprotected IP Packet

Let us use electronic mail communication to exemplify Internet communications which are organized in IP packets. We begin with considering an insecure case where IP packets have no cryptographic protection. Let James_Bond@007.654.321 and Miss_Moneypenny@123.456.700 be two e-mail addresses. Here, James_Bond and Miss_Moneypenny are users' identities, each is called an "endpoint identity," and 007.654.321 and 123.456.700 are two IP addresses [b]; for example, the former can be the IP address of a palm-top multi-purpose device, while the latter can be the IP address of an office computer. An e-mail sent from Miss_Moneypenny@123.456.700 to James_Bond@007.654.321 viewed at the IP layer can be

[b] Often an IP address is mapped to a "domain name" for ease of memory; for instance, 007.654.321 may be mapped to the following "domain name:" spy1.mi.five.gb.

For exposition clarity, we have only presented the data field in "Upper-layer fields" and omitted the processing protocol specification (the omitted protocol specification in this case is "SMTP" which stands for simple mail transfer protocol [164]). Notice that the two endpoint identities will appear in some "IP header fields," and hence when James_Bond receives the e-mail, he may know who has sent it and may be able to reply.

These two parties may wish to conduct confidential communications by applying end-to-end encryption, using either a shared key or public keys. Since an end-to-end encryption operates in the application-layer protocol, only the message content in the fourth box in the "IP packet" will be encrypted. If the IP they use offers no security, then the data fields in "IP header" are not protected. Modification of data in these fields forms the main source of tricks behind the attacks which we have listed in 11.7. Let us now see how.
12.2.2 Internet Protocol Security (IPSec)

The Internet Engineering Task Force (IETF) has been in a series of standardization processes for IP security widely known as IPSec [163, 161]. Briefly speaking, IPSec is to add cryptographic protection to "IP header" which consists of the first three boxes in an IP packet (see Fig 12.1). IPSec stipulates a mandatory authentication protection for "IP header" and an optional confidentiality protection for the endpoint-identity information which is in some "IP header fields."

We should notice that, in absence of security at the IP layer, it is the unprotected transmission of "IP header" that may permit Malice to mount various attacks on Internet communications such as spoofing (masquerading), sniffing (eavesdropping) and session hijacking (combination of spoofing and sniffing while taking over a legitimate party's communication session). For
example, if Malice intercepts an IP packet originated from James_Bond@007.654.321, copies "Source IP address" to "Destination IP address," and sends it out, the packet will go back to James_Bond@007.654.321. If this modification is undetected due to lack of security means at the IP layer, then the modification can essentially cause a "reflection attack" which we have seen in 11.7.4. Moreover, if Malice also forges a "Source IP address" and an endpoint identity (say "Miss_Moneypenny"), then James_Bond@007.654.321 may be fooled to believe that the message came from the forged sender. This is exactly the attack scenario which we have denoted at the application layer by

Virtually all attacks which we have seen in 11.7 require Malice to perform some manipulations on the IP-address and endpoint-identity information in an "IP header." Security protection offered at the IP layer can therefore effectively prevent such attacks since now any message manipulation in "IP header" can be detected. In general, security at the IP layer can provide a wide protection on all applications at higher layers.

Moreover, for traffic between two firewalls [c], because each firewall is a node which shields many nodes "inside" or "behind" it, an IP-layer protection can cause encryption on the IP address of any node "inside" the firewall. This means that unauthorized penetration through a firewall can be prevented via cryptographic means which is a very strong form of protection. Without security offered at the IP layer, the firewall technique uses a much weaker form of "secrets" such as IP addresses, machine names and user names, etc., and so penetration is much easier.

[c] A firewall is a special-purpose computer which connects a cluster of protected computers and devices to the Internet so that accessing the protected computers and devices from the Internet requires knowing some identity and IP address information.

It has been widely agreed that offering security at the IP layer is a wise thing to do.

12.2.2.1 Authentication Protection in IPSec

The Internet Protocol (IP) has evolved from version 4 (IPv4) to version 6 (IPv6). The data structure for IPv6 is a multiple of 32-bit data blocks called datagrams. In IPv6 with IPSec protection, an IP packet (Fig 12.2, cf. Fig 12.1) has an additional field called "Authentication Header" (AH). The position for the AH in an IP packet is in between "IP header" and the "Upper-layer fields." AH can have a variant length but must be a multiple of 32-bit datagrams which are organized into several subfields which contain data for providing cryptographic protection on the IP packet.

Figure 12.2. The Structure of an Authentication Header and its Position in an IP Packet

Authentication (in fact, data integrity with origin identification) is a mandatory service for IPSec. The protection is achieved by data provided in two subfields in an AH. One of the subfields is named "Security Parameters Index" (SPI). This subfield is an arbitrary 32-bit value which specifies (uniquely identifies) the cryptographic algorithms used for the authentication service for this IP packet. The other subfield is named "Authentication Data" which contains the authentication data generated by the message sender for the message receiver to conduct data-integrity verification (hence the data is also called Integrity Check Value, ICV). The receiver of the IP packet can use the algorithm uniquely identified in SPI and a secret key to regenerate "Authentication Data" and compare with that received. The secret key used will be discussed in 12.2.3.

The subfield named "Sequence Number" can be used against replay of IP packets. Other subfields in the first datagram of an AH with names "Next Header", "Payload Length" and "Reserved for future use" do not have security meanings and therefore their explanations are omitted here.
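To see how the three pieces just described (SPI lookup, "Authentication Data" regeneration, and "Sequence Number" replay checking) fit together on the receiving side, here is an added illustration in Python; it is not the book's code nor an IPSec implementation. The packet layout is a constructed one (a 32-byte header holding the source and destination address fields, then SPI, Sequence Number and ICV, then the upper-layer bytes), the keys and addresses are sample values, and the SA is looked up by the triple (SPI, destination address, service), which is how the IPSec architecture identifies an SA. The demo runs the two header manipulations from 12.2.2 (a forged "Source IP address" and a packet reflected by copying the source into the destination) against the check and shows that both are rejected:

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Added example, not the book's code. Packet layout, addresses and keys are
# constructed for illustration: the "IP header" is a 32-byte pair of 16-byte
# source/destination fields, followed by an AH (SPI, Sequence Number,
# Authentication Data) and then the upper-layer bytes.

HDR_LEN = 32        # 16-byte "Source IP address" + 16-byte "Destination IP address"
AH_FIXED_LEN = 8    # SPI (32 bits) + Sequence Number (32 bits)


@dataclass
class SecurityAssociation:
    """One SA, looked up (as in IPSec) by the triple (SPI, destination, service)."""
    spi: int
    dest: str
    service: str                  # "AH" or "ESP"
    key: bytes                    # secret shared by the two nodes (agreed by IKE)
    hash_name: str                # authentication algorithm the SPI identifies
    window: int = 64              # anti-replay window size in sequence numbers
    highest_seq: int = 0          # highest sequence number accepted so far
    seen: set = field(default_factory=set)   # accepted numbers inside the window


SA_TABLE: dict = {}               # (spi, dest, service) -> SecurityAssociation


def register_sa(sa: SecurityAssociation) -> None:
    SA_TABLE[(sa.spi, sa.dest, sa.service)] = sa


def icv_len(sa: SecurityAssociation) -> int:
    return hashlib.new(sa.hash_name).digest_size


def compute_icv(sa, header: bytes, ah_fixed: bytes, upper: bytes) -> bytes:
    """Authentication Data (ICV): keyed hash over the packet with the ICV field zeroed."""
    covered = header + ah_fixed + bytes(icv_len(sa)) + upper
    return hmac.new(sa.key, covered, sa.hash_name).digest()


def build_ah_packet(sa, src: str, dest: str, seq: int, upper: bytes) -> bytes:
    """Sender side: header || SPI || seq || ICV || upper-layer fields."""
    header = src.encode().ljust(16, b"\0") + dest.encode().ljust(16, b"\0")
    ah_fixed = struct.pack("!II", sa.spi, seq)
    return header + ah_fixed + compute_icv(sa, header, ah_fixed, upper) + upper


def check_replay(sa, seq: int) -> bool:
    """Sliding-window replay check; records seq when it is accepted."""
    if seq <= sa.highest_seq - sa.window or seq in sa.seen:
        return False              # older than the window, or already accepted
    sa.seen.add(seq)
    if seq > sa.highest_seq:
        sa.highest_seq = seq
        sa.seen = {s for s in sa.seen if s > seq - sa.window}   # slide the window
    return True


def verify_ah_packet(packet: bytes) -> str:
    """Receiver side: returns 'ok' or the reason the packet is dropped."""
    header = packet[:HDR_LEN]
    dest = header[16:].rstrip(b"\0").decode()
    ah_fixed = packet[HDR_LEN:HDR_LEN + AH_FIXED_LEN]
    spi, seq = struct.unpack("!II", ah_fixed)
    sa = SA_TABLE.get((spi, dest, "AH"))
    if sa is None:
        return "no-sa"            # no SA for this (SPI, destination address)
    n = icv_len(sa)
    icv = packet[HDR_LEN + AH_FIXED_LEN:HDR_LEN + AH_FIXED_LEN + n]
    upper = packet[HDR_LEN + AH_FIXED_LEN + n:]
    if not hmac.compare_digest(icv, compute_icv(sa, header, ah_fixed, upper)):
        return "bad-icv"          # any change to header fields or data is caught here
    if not check_replay(sa, seq):
        return "replay"
    return "ok"


def run_demo() -> list:
    """A legitimate packet, its replay, a forged source, and a reflected packet."""
    bond, penny = "007.654.321", "123.456.700"      # the book's example addresses
    key = b"constructed-demo-key-not-for-real-use"   # in practice output by IKE
    register_sa(SecurityAssociation(0x1001, bond, "AH", key, "sha256"))   # Penny -> Bond
    register_sa(SecurityAssociation(0x2002, penny, "AH", key, "sha256"))  # Bond -> Penny
    to_bond, to_penny = SA_TABLE[(0x1001, bond, "AH")], SA_TABLE[(0x2002, penny, "AH")]

    good = build_ah_packet(to_bond, penny, bond, 1, b"SMTP data: hello James")
    forged = b"666.666.666".ljust(16, b"\0") + good[16:]       # source field rewritten
    outbound = build_ah_packet(to_penny, bond, penny, 7, b"SMTP data: reply")
    reflected = outbound[:16] + outbound[:16] + outbound[32:]  # source copied into destination
    return [verify_ah_packet(good), verify_ah_packet(good),
            verify_ah_packet(forged), verify_ah_packet(reflected)]


if __name__ == "__main__":
    print(run_demo())   # ['ok', 'replay', 'bad-icv', 'no-sa']
```

Two design points are worth noting. The ICV is checked before the sequence number, so that an attacker cannot disturb the replay window with packets whose "Authentication Data" he could not have produced, and the comparison uses `hmac.compare_digest` so that it does not leak timing information about how many bytes matched. The reflected packet fails at the SA lookup already, because the SA that protects Bond's outbound traffic is bound to Miss_Moneypenny's address as destination.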
12.2.2.2 Confidentiality Protection in IPSec

Confidentiality (encryption) is an optional service for IPSec. To achieve this, a multiple of 32-bit datagrams named "Encapsulating Security Payload" (ESP) [162] is specified and allocated in an IP packet. An ESP can follow an AH as the second shaded field in Fig 12.2 ("Upper-layer fields"). The format of an ESP is shown in Fig 12.3.

Figure 12.3. The Structure of an Encapsulating Security Payload

The first subfield is "Security Parameters Index (SPI)" which now specifies (i.e., uniquely identifies) the encryption algorithm. The second subfield "Sequence Number" has the same meaning as that in an AH (see 12.2.2.1). The third subfield "Payload Data" has a variable length which is the ciphertext of the confidential data. Since an IP (v6) packet must have a length as a multiple of 32 bits, the plaintext "Payload Data" of variable length must be padded, and the paddings are given in "Padding". The Padding bytes are initialized with a series of (unsigned, 1-byte) integer values. The first padding byte appended to the plaintext is numbered 1, with subsequent padding bytes making up a monotonically increasing sequence:

'01', '02', ..., 'xy'

where 'xy' is the hexadecimal value such that '01' ≤ 'xy' ≤ 'FF'. Therefore, the maximum number of the padding bytes is 'FF' = 255 (decimal). The length of the padding bytes is stated in "Padding Length". Finally, "Authentication Data" has the same meaning as that in an AH.
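The padding rule above is easy to get subtly wrong (the "Padding Length" byte itself counts toward the 32-bit alignment, and the count may be zero). The following added Python illustration, not the book's code, applies it on the sender side and validates it on the receiver side. The alignment is a parameter so the same routine also serves a block cipher that needs, say, 16-byte alignment; the standard ESP trailer additionally carries a one-byte "Next Header" after "Padding Length", which is left out here as in the text. Sample inputs are constructed.

```python
# Added example, not the book's code: the ESP "Padding" / "Padding Length"
# trailer as described in 12.2.2.2. Padding bytes run 01, 02, ..., n, and
# the whole of plaintext || Padding || Padding Length must be a multiple of
# the alignment (4 bytes = 32 bits in the text). The "Next Header" byte of
# the standard ESP trailer is omitted here.

MAX_PADDING = 0xFF   # 'FF' = 255 padding bytes at most: Padding Length is a single byte


def esp_pad(plaintext: bytes, align: int = 4) -> bytes:
    """Return plaintext || Padding || Padding Length, total length a multiple of
    `align` bytes (4 as in the text; a block cipher would need its block size)."""
    if not 1 <= align <= MAX_PADDING + 1:
        raise ValueError("alignment must be between 1 and 256 bytes")
    # smallest n >= 0 such that (len(plaintext) + n + 1) % align == 0
    n = (-(len(plaintext) + 1)) % align
    padding = bytes(range(1, n + 1))        # 0x01, 0x02, ..., n  (n <= 255 by the check above)
    return plaintext + padding + bytes([n])


def esp_unpad(padded: bytes, align: int = 4) -> bytes:
    """Strip the trailer after validating it; raise ValueError on any inconsistency."""
    if not padded or len(padded) % align:
        raise ValueError("length is not a multiple of the alignment")
    n = padded[-1]                          # "Padding Length"
    if n + 1 > len(padded):
        raise ValueError("Padding Length exceeds the data")
    if padded[-1 - n:-1] != bytes(range(1, n + 1)):
        raise ValueError("padding bytes are not the sequence 01, 02, ..., n")
    return padded[:-1 - n]


def demo() -> dict:
    """Constructed sample: a 5-byte plaintext needs 2 padding bytes plus the
    length byte to reach 8 bytes; a corrupted padding byte is detected."""
    padded = esp_pad(b"hello")                                  # b'hello\x01\x02\x02'
    corrupted = padded[:-2] + bytes([0x05]) + padded[-1:]       # second padding byte changed
    try:
        esp_unpad(corrupted)
        detected = False
    except ValueError:
        detected = True
    return {"padded": padded, "recovered": esp_unpad(padded), "corruption_detected": detected}
```

The receiver-side check of the padding bytes is deliberately strict: the fixed 01, 02, ... pattern gives a cheap consistency test on the decrypted trailer, but it is no substitute for the "Authentication Data" integrity protection, a point the text returns to in 12.2.5.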
The reader should notice the difference between "Authentication Data" in an ESP and that in an AH. In an ESP, this data is for providing a data integrity protection on the ciphertext in the ESP packet (i.e., the fields in ESP packet minus the subfield "Authentication Data") and is optional [162], while in an AH, "Authentication Data" is for providing a data integrity protection on an IP packet and is mandatory.

The optional inclusion of "Authentication Data" in ESP is in fact a mistake. We shall discuss this mistake in 12.2.5.

12.2.2.3 Security Association

Central to IPSec is a notion called "Security Association" (SA). An SA is uniquely identified by triple

where "Service Identifier" identifies either Authentication or ESP.

In essence, IPSec can be considered as AH + ESP. For two nodes to communicate under IPSec protection, they need to negotiate mandatorily one SA (for authentication) or optionally two SAs (for authentication and confidentiality) and the secret cryptographic keys to be shared between the two nodes in order for them to compute the cryptographic protections. The negotiation is achieved using the Internet Key Exchange Protocol which we shall now introduce.

12.2.3 The Internet Key Exchange (IKE) Protocol

With the added "Authentication Header" (AH) and "Encapsulating Security Payload" (ESP), IPSec accommodates cryptographic protections on an IP packet. However, two nodes in communication must first agree on SAs (which contain cryptographic keys, algorithms, parameters) in order to enable the protections. This is achieved using the Internet Key Exchange (IKE) Protocol [135, 158]. IKE is the current IETF standard of authenticated key exchange protocol for IPSec.

IKE is a suite of authentication and authenticated key exchange protocols. Each protocol in the suite is a hybrid one which uses part of "Oakley" (the Oakley Key Determination Protocol [225]), part of "SKEME" (a Versatile Secure Key Exchange Mechanism for Internet [172]) and part of "ISAKMP" (the Internet Security Association and Key Management Protocol [187]).

Oakley describes a series of key exchanges, called "modes", and gives details of the services provided by each (e.g., perfect forward secrecy for session keys, endpoint identity hiding, and mutual authentication). SKEME describes an authenticated key exchange technique which supports deniability of connections between communication partners (due to using shared key, a feature adopted in IKE and IKE v2, to be discussed in a moment) and quick key refreshment. ISAKMP provides a common framework for two communication parties to achieve authentication and authenticated key exchange, to negotiate and agree on various security attributes, cryptographic algorithms, security parameters, authentication mechanisms, etc., which are collectively called "Security Associations (SAs)." However ISAKMP does not define any specific key exchange technique so that it can support many different key exchange techniques.

As a hybrid protocol of these works, IKE can be thought of as a suite of two-party protocols, featuring authenticated session key exchange, most of them in the suite using the Diffie-Hellman key exchange mechanism, having many options for the two participants to negotiate and agree upon in an on-line fashion.

The IKE Protocol consists of two phases, called "Phase 1" and "Phase 2," respectively.

Phase 1 assumes that each of the two parties involved in a key exchange has an identity of which each party knows. Associated with that identity is some sort of cryptographic capability which can be shown to the other party. This capability might be enabled by a pre-shared secret key for a symmetric cryptosystem, or by a private key matching a reliable copy of a public key for a public-key cryptosystem. Phase 1 attempts to achieve mutual authentication [d] based on showing that cryptographic capability, and establishes a shared session key which is used in the current run of Phase 1, can be used to protect Phase 2 exchanges if they are needed, or can be further used to secure higher-level communications as an output from the IKE phases of exchanges.

[d] We shall see in a moment that some modes in IKE Phase 1 fail to achieve mutual authentication in that an entity may be fooled perfectly to believe sharing a session key with an intended party, whereas actually sharing it with another party.

A mult ipl e number of Phase 2 exchanges may t ake pl ace af t er a Phase 1 exchange bet ween t he
same pai r of ent i t i es i nvol ved i n Phase 1. Phase 2 i s of t en r efer red t o as "Qui ck Mode. " I t r el i es
on t he shar ed session key agr eed i n Phase 1. The r eason for having a mul t i pl e number of Phase
2 exchanges i s t hat t hey al l ow t he user s t o set up mul t i pl e connect i ons wi t h dif fer ent secur it y
pr oper t i es, such as "i nt egri t y - onl y , " " conf i dent i al i t y- onl y, " " encry pt i on wi t h a shor t key " or
"encr ypt i on wi t h a st r ong key. "
To see a fl avor of I KE, l et us focus our at t ent i on onl y on a coupl e of I KE Phase 1 modes.
12.2.3.1 IKE Phase 1
There are eight variants for the IKE Phase 1. This is because there are three types of keys (pre-shared symmetric key, public key for encryption, and public key for signature verification), and in addition there are two versions of protocols based on public encryption keys, one of which is intended to replace the other, but the first must still be documented for backward compatibility. Thus there are actually four types of keys (pre-shared symmetric key, old-style public encryption key, new-style public encryption key, and public signature-verification key). For each key type there are two types of Phase 1 exchanges: a "main mode" and an "aggressive mode."
Each main mode has six message exchanges: 3 messages sent from an initiator (I for short) to a responder (R for short), 3 sent from R to I. A main mode is mandatory in IKE, that is, two users cannot run an aggressive mode without running a main mode first.
Each aggressive mode has only three messages; I initiates a message, R responds with one, then I sends a final message to terminate a run. An aggressive mode is optional, that is, it can be omitted.
For IKE Phase 1, we shall only describe and analyze "signature based modes." Other modes generally use an encryption-then-decryption of freshness identifier mechanism for achieving authentication; we have labeled such a mechanism non-standard (see 11.4.1.5), which we will further criticize in 17.2.
12.2.3.2 Signature-based IKE Phase 1 Main Mode
Signature-based IKE Phase 1 Main Mode (also named "Authenticated with Signatures," 5.1 of [135]) is specified in Prot 12.1. This mode is born under the influence of several protocols, however, its real root can be traced back to two protocols: the STS Protocol (Prot 11.6), and a protocol proposed by Krawczyk [171] named SIGMA Protocol (we shall discuss SIGMA design in 12.2.4).
In the first pair of messages exchanged, I sends to R HDR_I and SA_I, and R responds with HDR_R and SA_R. The header messages HDR_I and HDR_R include "cookies" C_I and C_R; the former is for R to keep the run (session) state information for I, and vice versa for the latter. Of the two Security Associations, SA_I specifies a list of security attributes that I would like to use; SA_R specifies ones chosen by R.

Protocol 12.1: Signature-based IKE Phase 1 Main Mode
1. I → R: HDR_I, SA_I;
2. R → I: HDR_R, SA_R;
3. I → R: HDR_I, g^x, N_I;
4. R → I: HDR_R, g^y, N_R;
5. I → R: HDR_I, {ID_I, Cert_I, Sig_I}_{g^xy};
6. R → I: HDR_R, {ID_R, Cert_R, Sig_R}_{g^xy}.
Notation (* for ease of exposition, we omitted some minute details. Our omission will not affect the functionality of the protocol; in particular, it will not affect an attack we shall describe in a moment. *)
I, R: An initiator and a responder, respectively.
HDR_I, HDR_R: Message headers of I and R, respectively. These data contain C_I, C_R which are "cookies"[a] of I and R, respectively, which are for keeping the session state information for these two entities.
SA_I, SA_R: Security Associations of I and R, respectively. The two entities use SA_I, SA_R to negotiate parameters to be used in the current run of the protocol; negotiable things include: encryption algorithms, signature algorithms, pseudo-random functions for hashing messages to be signed, etc. I may propose multiple options, whereas R must reply with only one choice.
g^x, g^y: Diffie-Hellman key agreement material of I and R, respectively.
ID_I, ID_R: Endpoint identities of I and R, respectively.
N_I, N_R: Nonces of I and R, respectively.
Sig_I, Sig_R: Signatures created by I and R, respectively. The signed messages are M_I and M_R, respectively, where [the definitions of M_I and M_R appear in the original as a figure that is not reproduced here] and prf_1 and prf_2 are pseudo-random functions agreed in the SAs.
[a] A "cookie" is a text-only string that gets entered into a remote host system's memory or saved to file there for the purpose of keeping the state information for a client-server communication session.

The second pair of messages consists of the Diffie-Hellman key exchange material.
In messages 5 and 6, the algorithms for encryption, signature and pseudo-random functions for hashing messages to be signed are the ones agreed in the SAs.
Signature-based IKE Phase 1 Main Mode has some similarity to the STS Protocol (Prot 11.6). However, two significant differences can be spotted:
i. The STS Protocol leaves the certificates outside of the encryptions, whereas here the certificates are inside the encryptions. Encryption of the certificates allows an anonymity feature which we have discussed when we introduced the STS Protocol (11.6.1). This is possible and a useful feature for I and/or R being endpoints inside firewalls.
ii. Signatures in the STS Protocol do not involve the agreed session key, whereas here a signed message is input to a pseudo-random function prf which also takes in the agreed session key g^xy as the seed. Hence in this mode, the signatures are exclusively verifiable by the parties who have agreed the shared session key.
12.2.3.3 Authentication Failure in Signature-based IKE Phase 1 Main Mode
Similar to the situation in the STS Protocol, a signed message in this mode of IKE only links to the endpoint identity of the signer, and not also to that of the intended communication partner. The lack of this specific explicitness also makes this mode suffer from an authentication-failure flaw similar to Lowe's attack on the STS Protocol (Attack 11.3). The flaw is illustrated in Example 12.1. Meadows has shown a similar flaw for this mode of IKE [195].
With this flaw, Malice can successfully fool R into believing that I has initiated and completed a run with it. However, in fact I did not do so. Notice that R is fooled perfectly in the following two senses: first, it accepts a wrong communication partner and believes to have shared a key with the wrong partner, and second, nobody will ever report to R anything abnormal. So Attack 12.1 indeed demonstrates an authentication failure.
The authentication-failure attack can also be called a "denial of service attack" for a good reason. In IKE, after a successful Phase 1 exchange, a server in the position of R will keep the current state with I so that they may use the agreed session key for further engagement in multiple Phase 2 exchanges. However, after the attack run shown in Attack 12.1, I will never come to R and hence R may keep the state, allocate resources for I and wait for I to come back for further exchanges. If Malice mounts this attack in a distributed manner, using a large team of his friends over the Internet to target a single server at the same time, then the server's capacity to serve other honest nodes can be drastically reduced or even nullified. Notice that this attack does not demand sophisticated manipulation nor complex computation from Malice and his distributed friends, and hence the distributed denial of service attack can be very effective.

Attack 12.1: Authentication Failure in Signature-based IKE Phase 1 Main Mode
(* Malice faces I using his true identity, but he faces R by masquerading as I: *)
1. I → Malice: HDR_I, SA_I;
1' Malice("I") → R: HDR_I, SA_I;
2' R → Malice("I"): HDR_R, SA_R;
2. Malice → I: HDR_R, SA_R;
3. I → Malice: HDR_I, g^x, N_I;
3' Malice("I") → R: HDR_I, g^x, N_I;
4' R → Malice("I"): HDR_R, g^y, N_R;
4. Malice → I: HDR_R, g^y, N_R;
5. I → Malice: HDR_I, {ID_I, Cert_I, Sig_I}_{g^xy};
5' Malice("I") → R: HDR_I, {ID_I, Cert_I, Sig_I}_{g^xy};
6' R → Malice("I"): HDR_R, {ID_R, Cert_R, Sig_R}_{g^xy};
6. Dropped.
CONSEQUENCE:
R is fooled perfectly and thinks it has been talking and sharing a session key with I, while I thinks it has been talking with Malice in an incomplete run. R will never be notified of any abnormality and may be denied a service from I: it enters a state awaiting a service request from I (and perhaps only drops the state upon "timeout").
This attack works because a signed message in the protocol only contains the identity of the signer, and so it can be used to fool a principal who is not the intended communication partner of the signer. If both endpoint identities of the intended principals are included in a signed message, then the message becomes specific to these two principals, and hence cannot be used for any other purpose.
We have witnessed again the generality of attacks due to name omission.
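The name-omission point can be checked mechanically: what matters for R's verification is which identities the signed string binds. The following Python model is an added example, not code from the book, from [135] or from any IKE implementation. It signs message 5 of Prot 12.1 with a Schnorr signature over a deliberately tiny group, feeds the signed string through an HMAC keyed by g^xy (standing in for the prf of the mode; the page's exact layout of M_I is not reproduced, so the field order is this example's assumption), and then lets R verify a message that I produced while believing its peer was someone else, as in Attack 12.1. With only the signer's identity covered, R's check passes; with both endpoint identities covered, as the fix above requires, the same relayed message is rejected.

```python
"""Model of the identity-binding check behind Attack 12.1 (added example)."""
import hashlib
import hmac
import secrets

# Toy Schnorr group, constructed for illustration only: p = 2q + 1 is a safe
# prime and g = 4 generates the subgroup of prime order q. Real groups are
# thousands of bits; this one exists so the example runs instantly.
P, Q, G = 1019, 509, 4


def keygen():
    """Schnorr key pair (sk, pk = g^sk mod p)."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def _challenge(r: int, msg: bytes) -> int:
    # Full-width hash challenge; exponents reduce mod q inside pow().
    return int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + msg).digest(), "big")


def schnorr_sign(sk: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _challenge(r, msg)
    return e, (k - sk * e) % Q


def schnorr_verify(pk: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(pk, e, P) % P   # equals g^k when the signature is genuine
    return _challenge(r, msg) == e


def signed_body(session_key, gx, gy, n_i, n_r, id_signer, id_peer, bind_peer):
    """String a party signs, passed through a prf keyed by g^xy as in Prot 12.1.
    bind_peer=False covers only the signer's identity, as the mode specifies;
    bind_peer=True adds the intended peer, the fix stated in 12.2.3.3.
    The field order is this example's assumption, not the book's M_I."""
    fields = [gx, gy, n_i, n_r, id_signer] + ([id_peer] if bind_peer else [])
    data = b"|".join(str(f).encode() for f in fields)
    return hmac.new(session_key, data, hashlib.sha256).digest()


def responder_accepts(bind_peer: bool, peer_as_seen_by_i: str) -> bool:
    """Does R accept I's message 5 when I believed its peer was peer_as_seen_by_i?
    Malice relays g^x, N_I to R and g^y, N_R back to I, so both runs share the
    same Diffie-Hellman values and the same g^xy; only the bound names differ."""
    sk_i, pk_i = keygen()
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)
    n_i, n_r = secrets.token_hex(8), secrets.token_hex(8)
    k_i = pow(gy, x, P).to_bytes(2, "big")   # g^xy as computed by I
    k_r = pow(gx, y, P).to_bytes(2, "big")   # g^xy as computed by R (same value)
    m_i = signed_body(k_i, gx, gy, n_i, n_r, "I", peer_as_seen_by_i, bind_peer)
    sig_i = schnorr_sign(sk_i, m_i)
    # R rebuilds the body it expects: signer I, and R itself as the peer.
    expected = signed_body(k_r, gx, gy, n_i, n_r, "I", "R", bind_peer)
    return schnorr_verify(pk_i, expected, sig_i)


if __name__ == "__main__":
    print("signer only, I thought peer was Malice:", responder_accepts(False, "Malice"))  # True
    print("both names, I thought peer was Malice:", responder_accepts(True, "Malice"))    # False
```

The verifier never learns what I believed; it simply inserts its own identity into the string it expects. That is why binding both names is a check R can perform locally, with no extra message, whereas the signer-only form gives R nothing to compare against.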
12.2.3.4 Signature-based IKE Phase 1 Aggressive Mode
Signature-based IKE Phase 1 Aggressive Mode is a cut-down simplification from Main Mode: it does not use encryption and has three message exchanges instead of six. Using the same notation as that in Main Mode (Prot 12.1), this mode is specified as follows:

1. I → R: HDR_I, SA_I, g^x, N_I, ID_I
2. R → I: HDR_R, SA_R, g^y, N_R, ID_R, Cert_R, Sig_R
3. I → R: HDR_R, Cert_I, Sig_I
At first glance, this mode is very similar to "Authentication-only STS Protocol" (Prot 11.7) due to omission of encryption. A closer look exposes a difference: in "Authentication-only STS Protocol," signed messages do not involve the session key, whereas here, a signed message is input to pseudo-random function prf which also takes in the agreed session key g^xy as the seed. So in this mode, the signatures are exclusively verifiable by the principals who hold the agreed session key. This difference prevents the "certificate-signature-replacement attack" (Attack 11.2) from being applied to this mode.
However, this mode fails to achieve mutual authentication in a different way. A similar "denial of service attack" applies to this mode. It is essentially Lowe's attack on the STS Protocol (see Attack 11.3). Now it is I who can be fooled perfectly into believing that it has been talking and sharing a session key with R, whereas R does not agree so. We shall leave the concrete construction of the attack as an exercise for the reader (Exercise 12.6).
We should further notice that if the signature scheme used in this mode features message recovery, then Malice can gain more. For example, from a signed message Malice can obtain prf_2(N_I | N_R | g^xy) and so he can use this material to create his own signature using his own certificate and identity. Thus he can mount a "certificate-signature-replacement attack" which we have seen in Attack 11.2 against the "Authentication-only STS Protocol." Such an attack is a perfect one because both interleaved runs which Malice orchestrates in between I and R will terminate successfully and so neither of the two honest entities can find anything wrong. Notice that some signature schemes do feature message recovery (e.g., [220] which is even standardized [150]). Therefore, it is not impossible for the two communication partners to have negotiated to use a signature scheme with message recovery feature. In 12.2.5, we shall discuss the IKE's feature of supporting flexible options.
Without using encryption or MAC, the IKE's Aggressive Mode cannot have a "plausible deniability feature" which we shall discuss in 12.2.4. When this feature is not needed, a fix for the authentication-failure flaw is standard: both endpoint identities of the intended principals should be included inside both signatures so that the signed messages are unusable in any context other than this mode between the intended principals.
Methods for fixing authentication failure while keeping a deniability feature will be discussed in 12.2.4.
12.2.3.5 Other Security Analysis on IPSec and IKE
Several researchers have conducted security analysis work on IKE.
Meadows, using her NRL Protocol Analyzer (an automated exhaustive flaw checker, to be studied in 17.5.2 [194, 193]), has discovered that the Quick Mode (an IKE Phase 2 exchange) is vulnerable to a reflection attack [195].
Ferguson and Schneier conduct a comprehensive cryptographic evaluation for IPSec [108].
Bellovin makes an analysis on a serious problem with IPSec: an option for an IPSec mode in which ciphertext messages are not protected in terms of data integrity [27]. We have seen

through an attacking example and now know that confidentiality without integrity completely misses the point (11.7.8). We shall further see in later chapters (Chapters 14 to 17) that most encryption algorithms cannot provide proper confidentiality protection if the ciphertext messages they output are not also protected in terms of data integrity. However, this dangerous option seems to remain unnoticed by the IPSec community (see below), maybe due to the high system complexity in the specifications for IPSec.
12.2.4 A Plausible Deniability Feature in IKE
At the time of writing, the IKE Version 2 (IKEv2) specification has been published [158]. IKEv2 unites the many different "modes" of "Phase 1 Exchanges" of IKE into a single IKEv2 "Phase 1 Exchange." However, the current specification [158] limits the protocol to using digital signatures as the basis for authentication (see Section 5.8 of [158]). Boyd, Mao and Paterson demonstrate that the IKEv2 "Phase 1 Exchange" suffers essentially the same weakness of IKE shown in Attack 12.1 [56].
A feature which is adopted as an option in IKEv2 is called "plausible deniability" [139] of communications by an entity who may have been involved in a connection with a communication partner. This feature, which originates from the SIGMA protocol construction of Krawczyk (SIGMA stands for "Sign and MAc", see an explanation in [171]), and Canetti and Krawczyk [67], permits an entity to deny "plausibly" the existence of a connection with a communication partner. Offering such a denying-of-a-connection feature at the IP layer is desirable because it permits various fancy privacy services, such as anonymity, to be offered at the higher layers with uncompromised quality. A privacy damage caused at the IP layer can cause irreparable privacy damage at the application layer. For example, an identity connected to an IP address, if not deniable, certainly nullifies an anonymous quality offered by a fancy cryptographic protocol running at the application level.
The "plausible deniability" feature in the SIGMA design can be described by the following two message lines in the position of message lines 5 and 6 in Prot 12.1:
[the two SIGMA message lines appear in the original as a figure that is not reproduced here]
Here (s is a session identifier) both parties can verify the respective signatures and then use the shared session key to verify the respective MACs, and hence are convinced that the other end is the intended communication partner. Now, if they dispose of the session key then they cannot later prove to a third party that there was a connection between them.
It is not difficult to see that this construction contains the authentication-failure flaw demonstrated in Attack 12.1. Canetti and Krawczyk did anticipate a less interesting form of attack in which Malice simply prevents the final message from reaching I. They suggested a method for preventing this "cutting-final-message attack" by adding a final acknowledgement message from I to R (see Remark 2 in [67]). Since now R (who is normally in the server's position) receives the final message, the "cutting-final-message attack" will be detected by R and hence upon occurrence of the attack, R should reset the state and release the resources. In this way, the protocol is less vulnerable to a denial of service attack. The final acknowledgement may have a useful side effect of preventing the authentication-failure flaw (depending on the cryptographic formulation of the acknowledgement message). But clearly this method of fixing the protocol is not particularly desirable, since it involves additional traffic and protocol

complexity.
Since a deniability feature is useful, we should keep it while fixing the authentication failure flaw. We suggest augmenting the SIGMA design into the following two lines:
[the two augmented message lines appear in the original as a figure that is not reproduced here]
Namely, the two principals should still not explicitly sign their identities, and so retain the "plausible deniability" feature; however, they should explicitly verify both intended identities inside the MACs.
Notice that this denying-of-a-connection feature is not of high quality because a party (call it a "traitor") who keeps the session key g^xy can later still show to a third party the evidence that a named (authenticated) entity has been involved in this connection. This is clearly possible since the traitor can use exactly the same verification operations it has used when the two parties were in the authentication connection. That is why the deniability must be prefixed by the modifier "plausible."
In 13.3.5 we will introduce a new and practical cryptographic primitive which can provide a deniable authentication service in an absolute sense.
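The augmented construction above moves the binding of both intended identities out of the signatures and into a MAC keyed by the session key. The following Python is an added example, not code from the book, from the SIGMA papers or from any IKEv2 implementation: the session-key derivation, the session identifier s and the field layout of the MAC are this example's assumptions. It shows the MAC side of the augmented lines: a tag that I computed while believing its peer was someone other than R does not verify at R, because R inserts its own identity when recomputing the tag.

```python
"""Identity binding inside a session-key MAC, after the augmented SIGMA lines (added example)."""
import hashlib
import hmac
import secrets


def derive_session_key(g_xy: bytes, n_i: bytes, n_r: bytes) -> bytes:
    """Session key as a prf of both nonces keyed by the Diffie-Hellman secret,
    in the spirit of the prf_2(N_I | N_R | g^xy) quoted in 12.2.3.4 (layout assumed)."""
    return hmac.new(g_xy, n_i + n_r, hashlib.sha256).digest()


def mac_tag(k: bytes, s: bytes, id_sender: str, id_peer: str) -> bytes:
    """MAC over the session identifier and BOTH intended identities. The
    signatures of the construction cover no identity and are not modelled."""
    data = b"|".join([s, id_sender.encode(), id_peer.encode()])
    return hmac.new(k, data, hashlib.sha256).digest()


def accepts(k: bytes, s: bytes, tag: bytes, claimed_sender: str, own_id: str) -> bool:
    """The verifier inserts its OWN identity as the peer, so a tag the sender
    computed for some other peer cannot match."""
    return hmac.compare_digest(mac_tag(k, s, claimed_sender, own_id), tag)


def run(intended_peer_of_i: str) -> bool:
    """I completes the exchange believing its peer is intended_peer_of_i; its tag
    is then presented to R, as Malice does in Attack 12.1. Both runs carry the
    same g^x, g^y, N_I, N_R, so R derives the same k and s that I did."""
    g_xy, n_i, n_r = secrets.token_bytes(32), secrets.token_bytes(16), secrets.token_bytes(16)
    k = derive_session_key(g_xy, n_i, n_r)
    s = hashlib.sha256(b"C_I|C_R").digest()[:8]   # session id from the cookies (assumption)
    tag_from_i = mac_tag(k, s, "I", intended_peer_of_i)
    return accepts(k, s, tag_from_i, "I", "R")


if __name__ == "__main__":
    print("I meant R:     ", run("R"))        # True
    print("I meant Malice:", run("Malice"))   # False
```

Because the tag is a symmetric MAC, R (or anyone else holding k) can compute a byte-for-byte identical tag, which is what makes the connection deniable; and a traitor who keeps k can re-run exactly this `accepts` check in front of a third party, which is what limits the deniability to "plausible", as the paragraph above explains.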
12.2.5 Critiques on IPSec and IKE
The most prominent criticism of IPSec and IKE is of their intensive system complexity and lack of clarity. They contain too many options and too much flexibility. There are often many ways of doing the same or similar things. Kaufman has a calculation on the number of cryptographic negotiations in IKE: 1 MUST, 806,399 MAY [157]. The high system complexity relates to an extreme obscurity in the system specification. The obscurity is actually not a good thing: it may easily confuse expert reviewers and blind them from seeing security weaknesses, or may mislead implementors and cause them to code flawed implementations.
Ferguson and Schneier regard the high-degree system complexity as a typical "committee effect" [108]. They argue that "committees are notorious for adding features, options, and additional flexibility to satisfy various factions within the committee." Indeed, if a committee effect, i.e., the additional system complexity, is seriously detrimental to a normal (functional) standard (as we sometimes experience), then it shall have a devastating effect on a security standard.
A serious problem with the high-degree flexibility and numerous options is not just an extreme difficulty for reviewers to understand the system behavior, nor just a ready possibility for implementors to code an incorrect system, but that some specified options may themselves be dangerous. In 12.2.3.4, we have depicted an optional scenario for Malice to mount a perfect interleaving attack on IKE's Signature-based Aggressive Mode, by choosing a signature scheme with message recovery property. Let us now see another example of such dangers.
The example of danger is manifested by an excerpt from an interpretation paper entitled "Understanding the IPSec Protocol Suite" [12]. That paper, published in March 2000, provides explanations on IPSec and IKE at various levels, from a general concept for network security to some detailed features of IPSec and IKE. The following excerpt (from page 6 of [12]) explains an optional feature for "Authentication within the encapsulating security payload (ESP)" (an ESP is a ciphertext chunk which encrypts some confidential data transmitted in an IP packet, see

12.2. 2. 2) :
The ESP aut hent i cat i on f i el d, an opt i onal fi eld i n t he ESP, cont ai ns somet hi ng cal l ed an
i nt egr i t y check val ue ( I CV) essent i al l y a di gi t al si gnat ur e comput ed over t he remai ni ng
par t of t he ESP ( mi nus t he aut hent i cat i on f i el d i t sel f ) . I t var i es in l engt h dependi ng on t he
aut hent i cat ion al gor i t hm used. I t may al so be omit t ed ent i r ely , i f aut hent i cat i on ser vi ces
ar e not sel ect ed f or t he ESP.
I n t hi s expl anat i on, we can see an opt i on t o omi t t he ent i r e dat a- i nt egri t y pr ot ect i on for a
ci pher t ext . We have seen i n 11.7. 8 and shall furt her see i n a f ew l at er chapt er s t hat encry pt ion
wi t hout i nt egr i t y ( " aut hent i cat i on" i n t he excerpt ) i s gener al l y dangerous, and most encr ypt ion
al gor i t hms cannot pr ovi de proper confi dent i al i t y pr ot ect i on wi t hout a pr oper dat a- i nt egr i t y
pr ot ect i on. Thus, a securi t y pr obl em i n I PSec whi ch Bel l ovin i dent if i ed and cr i t i ci zed in 1996 ( see
t he fi nal par agr aph of 12.2. 3. 5) is ret ai ned and explai ned as a feat ur e f our y ears lat er ( t he
I PSec expl anat ion paper was publ ished i n Mar ch 2000) ! We bel i eve t hat it i s t he hi gh compl exi t y
of t he I PSec specif i cat ions t hat cont r i but es t o t he hi di ng of t hi s danger ous er r or.
Aiello et al. [10] criticize IKE for its high (system design) complexities in computation and communication. They consider that the protocols in IKE are vulnerable to denial of service attacks: Malice and his friends distributed over the Internet can simply initiate numerous requests for connections, which include numerous stateful "cookies" for a server to maintain. They proposed a protocol named "Just Fast Keying" (JFK) and suggested that JFK be the successor of IKE. Blaze disclosed one reason why their protocol should be named JFK [39]:
We decided this was an American-centric pun on the name Ike, which was the nickname of President Eisenhower, who had the slogan "I like Ike." We don't like IKE, so we'd like to see a successor to IKE. We call our protocol JFK, which we claim stands for "Just Fast Keying," but is also the initials of a president who succeeded Eisenhower for some amount of time. We're hoping not to ever discuss the protocol in Dallas. If there's ever an IETF in Dallas again[e], we're not going to mention our protocol at all there.
[e] The 34th IETF was held in Dallas, Texas in December 1995.
12.3 The Secure Shell (SSH) Remote Login Protocol
The Secure Shell (SSH) [304, 307, 308, 305, 306] is a public-key based authentication protocol suite which enables a user to securely log in to a remote server host machine from a client machine through an insecure network, to securely execute commands on the remote host, and to securely move files from one host to another. The protocol is a de facto industrial standard and is in wide use for server machines which run UNIX or Linux operating systems. The client part of the protocol can work on platforms running any operating system. The reason the protocol works mainly for UNIX (Linux) servers is these operating systems' open architecture of supporting interactive command sessions for remote users.
The basic idea of the SSH Protocol is for the user on a client machine to download a public key of a remote server, and to establish a secure channel between the client and the server using the downloaded public key and some cryptographic credential of the user. Now imagine the case of the user's credential being a password: then the password can be encrypted under the server's public key and transmitted to the server. This is already a stride of improvement in security over the simple password authentication protocol we have seen in the preceding chapter.
12.3.1 The SSH Architecture
The SSH protocol runs between two untrusted computers over an insecure communications network. One is called the remote server (host), the other is called the client, from which a user logs on to the server by using the SSH protocol.
The SSH protocol suite consists of three major components:
The SSH Transport Layer Protocol [308] provides server authentication to a client. This protocol is public-key based. The premise of (i.e., input to) this protocol for the server part is a public key pair called the "host key", and for the client part it is the public host key. The output from this protocol is a unilaterally authenticated secure channel (in terms of confidentiality and data integrity) from the server to the client. This protocol will typically be run over a TCP (Transport Control Protocol) and IP (Internet Protocol) connection, but might also be used on top of any other reliable data stream.
The SSH User Authentication Protocol [305]. This protocol runs over the unilaterally authenticated channel established by the SSH Transport Layer Protocol. It supports various unilateral authentication protocols to achieve entity authentication from a client-side user to the server. For this direction of authentication to be possible, the remote server must have a priori knowledge of the user's cryptographic credential, i.e., the user must be one known to the server. These protocols can be public-key based or password based. For example, the suite includes the simple password based authentication protocol (Prot 11.3). The output from an execution of a protocol in this suite, in conjunction with that from the SSH Transport Layer Protocol, is a mutually authenticated secure channel between the server and a given user on the client side.
The SSH Connection Protocol [306]. This protocol runs over the mutually authenticated secure channel established by the above two protocols. It materializes an encrypted communication channel and tunnels it into several secure logical channels which can be used for a wide range of secure communication purposes. It uses standard methods for providing interactive shell sessions.
Clearly, the SSH Connection Protocol is not an authentication protocol and is outside the interest
of this book, and the SSH User Authentication Protocol suite can be considered as a collection of applications of standard (unilateral) authentication protocols which we have introduced in Chapter 11 (however, notice a point to be discussed in 12.3.4). Thus, we only need to introduce the SSH Transport Layer Protocol.
12.3.2 The SSH Transport Layer Protocol
In the new version of the SSH Protocol [307, 308], the SSH Transport Layer Protocol applies the Diffie-Hellman key exchange protocol and achieves unilateral authentication from the server to the client by the server signing its key exchange material.
12.3.2.1 Server's Host Key Pairs
Each server host has a pair of host public-private keys. A host may have multiple pairs of host keys for supporting multiple different algorithms. If a server host has key pairs at all, it must have at least one key pair using each required public-key algorithm. The current Internet-Draft [307] stipulates that the default required public-key algorithm be the DSS (Digital Signature Standard, 10.4.8.2). The default public-key algorithm for the current version in use ([304] at the time of writing) is the RSA signature (10.4.2).
The server host (private, public) keys are used during key exchange: the server uses its private key to sign its key exchange material; the client uses the server's host public key to verify that it is really talking to the correct server. For this to be possible, the client must have a priori knowledge of the server's host public key.
SSH supports two different trust models on the server's host public key:
The client has a local database that associates each server host name with the corresponding public part of the host key. This method requires no centrally administered infrastructure (called public-key infrastructure, to be introduced in Chapter 13), and hence no trusted third party's coordination. The downside is that the database of (server-name, host-public-key) associations may become burdensome for the user to maintain. We shall exemplify a realistic method (12.3.2.2) for a remote user to obtain an authenticated copy of the host public key.
The (server-name, host-public-key) association is certified by some trusted certification authority (CA) using the technique to be introduced in Chapter 13. The client only needs to know the public key of the CA, and can verify the validity of all host public keys certified by the CA.
The second alternative eases the key maintenance problem, since ideally only a single CA's public key needs to be securely stored on the client (security here means data integrity). On the other hand, each host public key must be appropriately certified by a CA before authentication is possible. Also, a lot of trust is placed on the central infrastructure.
As there is no widely deployed public-key infrastructure (PKI, Chapter 13) available on the Internet yet, the first trust model, as an option, makes the protocol much more usable during the transition time until a PKI emerges, while still providing a much higher level of security than that offered by older solutions (such as the UNIX session commands: rlogin, rsh, rftp, etc.).
12.3.2.2 Realistic Methods for Authenticating a Server's Host Public Key
A workable method for a user to have an authenticated copy of the server's host public key is for the user to bring with her/him a copy of the server's host public key and put it in the client machine before running the key exchange protocol. For example, when the user is traveling, (s)he can bring with her/him a floppy diskette which contains the server's host public key. In the current working version of the SSH Protocol [304] with the client machine running UNIX or Linux operating systems, the server's host public key used by a client machine is put in a file named $HOME/.ssh/known_hosts. The user should physically secure the server's host public key (e.g., on a floppy diskette the user takes while traveling) in terms of data integrity while traveling. In the case of a client machine running a Windows operating system (e.g., ), the server's host public key may only exist in the internal memory of the client machine, and in this case the public key is downloaded in real time from the server (of course, via an insecure link) with a "fingerprint" (see the next paragraph) of the public key displayed to the user.
Another realistic method for a user to have an authenticated copy of the server's host public key downloaded via an insecure link is to use voice authentication over the telephone. First, the server's host public key is downloaded by the user on the client machine via an insecure communication link. A hexadecimal "fingerprint" of the host public key will be displayed to the user. This "fingerprint" is
where H is an agreed cryptographic hash function, such as SHA-1. In the SHA-1 case, the whole "fingerprint" has 160 bits and can therefore be read over the phone as 40 hexadecimal characters. So the user can make a phone call to the site of the remote server and check the "fingerprint" with the security administrator of the server to see if the copy computed by the client machine is identical to that read by the security administrator. In this way, the user at the client side and the security administrator at the remote server side use their voices to authenticate the correctness of the host public key. We assume that the user and the security administrator recognize each other's voices.
These means are not secure in a foolproof sense, but are practically secure and workable to quite a good degree. They are useful today when PKI is not ready over the Internet.
12.3.2.3 The Key Exchange Protocol
A key exchange connection is always initiated by the client side. The server listens on a specific port waiting for connections. Many clients may connect to the same server machine.
The new version of the SSH Protocol [307, 308] applies the Diffie-Hellman key exchange protocol (8.3) to achieve session key agreement. In the description of the protocol we use the following notation:
C: the client;
S: the server;
p: a large safe prime;
g: a generator for a subgroup G_q of GF(p);
q: the order of the subgroup G_q;
V_C, V_S: C's and S's protocol versions, respectively;
K_S: S's public host key;
I_C, I_S: C's and S's "Key Exchange Initial Message", which have been exchanged before this part begins.
The key exchange protocol is as follows:
1. C generates a random number x (1 < x < q) and computes
C sends e to S;
2. S generates a random number y (0 < y < q) and computes
S receives e; it computes
S sends K_S || f || s to C;
3. C verifies that K_S really is the host key for S (using any suitable method, e.g., a certificate, a trusted local database, or the method described in 12.3.2.2);
C then computes
and verifies the signature s on H; C accepts the key exchange if the verification passes.
After the key exchange, the communications between the two parties will be encrypted using the agreed session key K. The two parties then turn to execute the SSH User Authentication Protocol [305], which may be any one of the known unilateral authentication techniques. After that, the user on the client can request a service using the SSH Connection Protocol [306].
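The three steps above carried out end to end, as an added example written for this section (not code from the book or from any SSH implementation), which also performs the fingerprint check of 12.3.2.2 at step 3. It assumes a constructed toy safe prime p = 1019 (q = 509, g = 4) in place of a real SSH group, a DSS host key over the same G_q, and the exchange hash H formed over V_C, V_S, I_C, I_S, K_S, e, f and K as RFC 4253 lays it out, since the page does not reproduce the book's formula.

```python
import hashlib
import secrets

# Constructed toy group (NOT secure): a 10-bit safe prime p = 2q + 1 so the
# arithmetic can be followed by hand. Real SSH uses 2048-bit or larger groups.
P = 1019   # safe prime p
Q = 509    # prime order q of the subgroup G_q
G = 4      # generator g of G_q (a quadratic residue mod p has order q)

# Constructed stand-ins for V_C, V_S and the Key Exchange Initial Messages I_C, I_S.
V_C, V_S = b"SSH-2.0-toyclient", b"SSH-2.0-toyserver"
I_C, I_S = b"KEXINIT from C", b"KEXINIT from S"

def _mpint(n: int) -> bytes:
    """Length-prefixed big-endian integer, modelled on SSH's mpint encoding."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body

def _string(b: bytes) -> bytes:
    """Length-prefixed byte string, modelled on SSH's string encoding."""
    return len(b).to_bytes(4, "big") + b

def host_key_fingerprint(k_s: int) -> str:
    """SHA-1 fingerprint of a host public key: 160 bits shown as 40 hex digits."""
    return hashlib.sha1(_mpint(k_s)).hexdigest()

def exchange_hash(k_s: int, e: int, f: int, k: int) -> bytes:
    """H = SHA-1(V_C || V_S || I_C || I_S || K_S || e || f || K), the RFC 4253 layout."""
    data = (_string(V_C) + _string(V_S) + _string(I_C) + _string(I_S)
            + _mpint(k_s) + _mpint(e) + _mpint(f) + _mpint(k))
    return hashlib.sha1(data).digest()

# DSS (DSA) host-key signatures over the same subgroup G_q.
def dsa_keygen():
    """Host key pair: private x in [1, q-1], public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def dsa_sign(x: int, msg: bytes):
    h = int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (h + x * r) % Q
        if r != 0 and s != 0:        # retry on the degenerate cases
            return r, s

def dsa_verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    h = int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q
    w = pow(s, -1, Q)
    v = pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r

# The three steps of the key exchange.
def client_step1():
    """Step 1: C picks x with 1 < x < q and sends e = g^x mod p."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)

def server_step2(host_priv: int, host_pub: int, e: int):
    """Step 2: S picks y with 0 < y < q, computes f = g^y, K = e^y, H, s = Sig_S(H)."""
    if not 1 < e < P - 1:            # e in {0, 1, p-1} would fix K regardless of y
        raise ValueError("degenerate client value e")
    y = secrets.randbelow(Q - 1) + 1
    f, k = pow(G, y, P), pow(e, y, P)
    s = dsa_sign(host_priv, exchange_hash(host_pub, e, f, k))
    return (host_pub, f, s), k       # the message K_S || f || s, and S's copy of K

def client_step3(x: int, e: int, msg, trusted_fingerprint: str):
    """Step 3: C checks K_S against the fingerprint it authenticated out of band,
    recomputes K = f^x and H, and verifies s. Returns K, or None on rejection."""
    k_s, f, s = msg
    if host_key_fingerprint(k_s) != trusted_fingerprint:
        return None                  # unknown or substituted host key
    if not 1 < f < P - 1:
        return None
    k = pow(f, x, P)
    if not dsa_verify(k_s, exchange_hash(k_s, e, f, k), s):
        return None                  # signature does not cover this exchange
    return k

def run_key_exchange(host_priv: int, host_pub: int, trusted_fingerprint: str):
    """Run steps 1-3; returns (K accepted by C or None, K computed by S)."""
    x, e = client_step1()
    msg, k_server = server_step2(host_priv, host_pub, e)
    return client_step3(x, e, msg, trusted_fingerprint), k_server

if __name__ == "__main__":
    priv, pub = dsa_keygen()
    print("genuine host key:", run_key_exchange(priv, pub, host_key_fingerprint(pub)))
    _, other = dsa_keygen()           # a host key the user never authenticated
    print("unknown host key:", run_key_exchange(priv, pub, host_key_fingerprint(other)))
```

The second run shows the point of step 3: a correctly signed exchange is still refused when K_S is not the key the user authenticated, so the trust decision rests entirely on the out-of-band check, not on the signature.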
12.3.3 The SSH Strategy
One of the goals of the SSH Protocol is to improve security on the Internet in a progressive manner. The permission for the client to use "any suitable methods" (e.g., those given in 12.3.2.2) to verify the authenticity of the server's public key clearly demonstrates SSH's strategy of quick deployment and support for backward compatibility.
At a stage well before a public-key infrastructure is ready over the Internet, the improved security from SSH needn't be a very strong one, but it is much stronger than none at all. The easy-to-use and quick-to-deploy solution is a great value of SSH and is the reason why the technique has been popularly implemented and widely used in cases where the servers are UNIX or Linux platforms.
From this real-world application of authentication techniques we also see that public-key cryptography forms a vital enabler for the easy solution. The server's host key in the untrusted environment (e.g., in the client or on the route from the server to the client) only exists in public-key form, and so the management of this important key material becomes much easier. The problem would become immensely complicated if the protocol were based on secret-key cryptographic techniques.
12.3.4 Warnings
Finally, we should point out a warning for a user to handle with care her/his cryptographic credential which is used by the SSH User Authentication Protocol. This credential, which can be public-key-based, password-based, or secure-hardware-token-based, will be used by the protocol part running on the client machine, which is considered part of the untrusted environment.
In the current working version of the SSH Protocol [304], a public-key-based user cryptographic credential (i.e., the private key matching the user's public key) is encrypted under the user's password and the resultant ciphertext is stored in a file on the client machine, where the file is named $HOME/.ssh/identity (in the case of the client machine running UNIX or Linux operating systems). This file is read at protocol execution time by the client part of the protocol, which prompts the user to input the password. Naturally, the user should make sure that the protocol part running on the client machine is a genuine one. To minimize the risk of the private key being searched for by an off-line attacker (whose algorithm takes the user's public key as input and searches for the matching private key by searching through passwords), the user should also delete the encrypted private key file $HOME/.ssh/identity from the client machine after use.
A secure-hardware-token-based mechanism should be the most secure means for the user-side credential. This mechanism on the user side uses a small hardware token of handheld size or key ring size. The token has a window displaying a number of several digits which keeps changing in synchronization with the server host, and is customized to an individual user by a password shared with the server host. Of course, since the password is small, the user should securely keep physical possession of the token and report its loss immediately.
12.4 The Kerberos Protocol and its Realization in Windows 2000
Let Alice be an employee of a multinational company. She may be provided with various kinds of information resources and services. For example, from her "home server," Alice gets the usual computer network services (i.e., WorldWideWeb, e-mail, etc.); on a "project server," Alice and her team members will be the exclusive users and the owners of the data related to their work; on a "human resource server," Alice may manage her HR related issues, e.g., managing what percentage of her next month's salary should be invested in company share purchase; if Alice is a manager, she may need to update her subordinates' performance review records on an HR database; from an "intellectual property server," Alice (as an inventor) may be working on her current patent filing; on an "expenses server," Alice shall often make expense claims after her business trips. It is not difficult to imagine more examples of services.
In an enterprise environment, a user (an employee or a customer) is usually entitled to use enterprise-wide distributed information services. These services are usually maintained by various business units in the enterprise. As a result, the various information servers can operate in different geographical locations (even around the globe). Speaking in terms of network organization, these servers are in different network domains. For secure use of these services (all examples we have listed in the previous paragraph involve seriously sensitive information), a user needs various credentials for her/him to be authenticated before a service can be granted. However, it would be unrealistic and uneconomic to require a user to maintain several different cryptographic credentials, whether in terms of memorizing various passwords, or in terms of holding a number of smart cards.
A suitable network authentication solution for this environment is the Kerberos Authentication Protocol [202, 168]. The basic idea is to use a trusted third party to introduce a user to a service by issuing a shared session key between the user and the server. This idea is due to Needham and Schroeder [213] and is illustrated in the Needham-Schroeder Authentication Protocol (Prot 2.4). As the original Needham-Schroeder protocol is flawed (see 2.6.4.2), Kerberos uses essentially a timestamp version of the Needham-Schroeder protocol.
Now consider that Alice in Prot 2.4 is in the position of a user who shares a long-term secret key with a trusted third party (Trent in that protocol). Also consider that Bob in that protocol is in the position of a server who also shares a long-term secret key with the trusted third party. When Alice wants to use Bob's service, she can initiate a protocol run with Trent and ask Trent for a cryptographic credential good for accessing Bob's service. Trent can provide a ("ticket granting") service by issuing a session key to be shared between Alice and Bob, and securely delivers the session key inside two "tickets" encrypted under the long-term secret keys which Trent shares with Alice and with Bob, respectively. That's the idea.
Windows 2000, an important operating system now widely used in enterprise network environments, uses the Kerberos Authentication Protocol (based on Version 5 [168]) as its network authentication basis.
Kerberos was created by Project Athena at the Massachusetts Institute of Technology (MIT) as a solution to network security problems. MIT has developed Kerberos Version 5 as free software (with source code available) which can be downloaded from MIT's Web site <http://web.mit.edu/kerberos/www/>. However, due to the export control on cryptographic products regulated by the government of the United States of America, at the time of writing, this distribution of Kerberos executables is only available to citizens of the USA located in the USA, or to Canadian citizens located in Canada.

The Kerberos Protocol Version 5 is slightly more complex than the Needham-Schroeder Authentication Protocol (the timestamp-fixed version). Let us now introduce Kerberos Protocol Version 5.

12.4.1 A Single-signon Architecture

The Kerberos Authentication Protocol consists of a suite of three sub-protocols called exchanges[f]. These three exchanges are:

[f] The suite contains a much bigger number of auxiliary sub-protocols for various specialized tasks, such as password changing, ticket renewal, error handling, etc.; however, we shall only describe the three main protocols which provide authentication functions.

1. The Authentication Service Exchange (AS Exchange): it runs between a "client" C and an "authentication server" AS.
2. The Ticket-Granting Service Exchange (TGS Exchange): it runs between C and a "ticket granting server" TGS after the AS Exchange.
3. The Client/Server Authentication Application Exchange (AP Exchange): it runs between C and an "application server" S after the TGS Exchange.

Each of these three exchanges is a two-message exchange protocol. These exchanges have the sequential dependence relation listed above, which can be illustrated as a three-headed creature[g] in Fig 12.4.

[g] The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades.

Figure 12.4. Kerberos Exchanges

Kerberos has five principals who operate in these three exchanges, and these principals have the following roles:

U: a User (a human being) whose actions in the protocols are always performed by her/his client process; so U only appears in the protocols as a message. Each user memorizes a password as her/his single-signon credential for using the Kerberos system.

C: a Client (a process) which makes use of a network service on behalf of a user. In an AS Exchange, in which C is initiated by U, C will need U's Kerberos system credential. This user credential is given to C as it prompts U to key in her/his password.

S: an application Server (a process) which provides an application resource to a network client C. In an AP Exchange, it receives an "application request" (AP_REQ) from C. It responds with an "application reply" (AP_REP) which may entitle C to an application service. An AP_REQ contains C's credential called a "ticket" (TKT) which in turn contains an application session key K_{C,S} temporarily shared between C and S.

KDC: Key Distribution Center. KDC is a collective name for the following two authentication servers:

- AS: an Authentication Server. In an AS Exchange, it receives a plaintext "authentication service request" (AS_REQ) from a client C. It responds with a "ticket granting ticket" (TGT) which can later be used by C in a subsequent TGS Exchange. Initially, AS shares a password with each user it serves. A shared password is set up via a single-signon means outside the Kerberos system.
A TGT supplied to a client C as the result of an AS Exchange has two parts. One part is for C to use and is encrypted under a key derived from the user's single-signon password. The other part is for a "ticket granting server" (to be described in the TGS item below) to use and is encrypted under a long-term key shared between AS and the latter. Both parts of a TGT contain a ticket session key K_{C,TGS} to be shared between C and a "ticket granting server."

- TGS: a Ticket Granting Server. In a TGS Exchange it receives a "ticket granting request" (TGS_REQ) (which contains a "ticket-granting ticket" TGT) from a client C. It responds with a "ticket" (TKT) which entitles C to use in a subsequent AP Exchange with an application server S.
Similar to a TGT, a TKT has two parts. One part is for a client C to use and is encrypted under a ticket session key K_{C,TGS} (which has been distributed to C and TGS in TGT). The other part is for an application server S to use and is encrypted under key K_{S,TGS} which is a long-term key shared between S and TGS. Both parts of a TKT contain a new application session key K_{C,S} to be shared between C and S. The application session key is the cryptographic credential for C to run a subsequent AP Exchange with S to get an application service from S.

12.4.1.1 Why is KDC Divided into two Sub-servers AS and TGS?

We shall see in a moment that the roles of AS and TGS are actually very similar: both are collectively referred to as a key distribution center (KDC).

The reason to divide KDC into two similar roles is the consideration that the system may be used in a very large network "realm" in which application servers belonging to different network domains should be organized as subordinates of different TGS's in different domains. Therefore, even though a fixed user U only has a fixed single-signon AS, (s)he can be served by a plural number of TGS's and consequently by an even larger number of application servers.

12.4.2 The Kerberos Exchanges

Now let us describe each of the three Kerberos exchanges. For ease of exposition of the main idea in the Kerberos Authentication Protocol, we shall only present mandatory protocol messages. For the full description of all protocol message details, which include an enormous volume of optional messages, the interested reader should study [168].

12.4.2.1 The Authentication Service Exchange

The AS Exchange concerns only C and AS:

1. AS_REQ   C → AS : U, TGS, Life_time1, N_1
2. TGT      AS → C : U, T_{C,TGS}, TGT_C

where

Message 1 is invoked by the user U. The client C informs the authentication server AS using the plaintext AS_REQ message that it wishes to communicate on behalf of the user U with the ticket granting server TGS. A lifetime Life_time1 (bookkeeping information) and a nonce N_1 (freshness identifier) are also included in the request.

In response, the authentication server AS generates a new ticket session key K_{C,TGS} for sharing between C and TGS; it then encrypts the ticket session key inside a ticket granting ticket TGT and sends it back to C as message 2.

The part of TGT for TGS is T_{C,TGS} and is encrypted using the long-term key K_{AS,TGS} shared between AS and TGS; the part of TGT for C is T_C (TGT_C in message 2) and is encrypted under the user's password K_U.

Upon receipt of message 2, C can decrypt T_C (it has prompted U for inputting the password K_U). If everything passes validation (be careful about the validation, to be discussed in 12.4.3), then C accepts the ticket session key K_{C,TGS} and the ticket T_{C,TGS}. C now has a valid "ticket granting ticket" for use with TGS.

A warning on proper decryption of a Kerberos ticket will be discussed in 12.4.3.

12.4.2.2 The Ticket-granting Service Exchange

The TGS Exchange has a format similar to that of the AS Exchange, except that the client's request message, TGS_REQ, now contains an authenticator trailing after the plaintext request message.

3. TGS_REQ  C → TGS : S, Life_time2, N_2, T_{C,TGS}, A_{C,TGS}
4. TKT      TGS → C : U, T_{C,S}, TKT_C

where

The functionalities of this pair of exchange and the actions of the principals can be explained analogously to those for the AS Exchange. The only additional item worth explaining is A_{C,TGS}. This is an authenticator. The use of an authenticator is to show the ticket granting server TGS that the client C has used the ticket session key K_{C,TGS} at Client_time. TGS should check its local host time to confirm that the difference between Client_time and its local time is within an allowable range.

A warning on a Kerberos authenticator is discussed in 12.4.3.

12.4.2.3 The Application Service Exchange

Finally, in the AP Exchange a client C uses the newly obtained application session key K_{C,S} and the ticket T_{C,S} to obtain an application service from an application server S.

5. AP_REQ   C → S : T_{C,S}, A_{C,S}
6. AP_REP   S → C : A_{S,C}

where

The meaning of this pair of exchange is straightforward.

As we have warned in the descriptions of the previous two exchanges, we shall pay attention to the warnings below.

12.4.3 Warnings

We must discuss two warnings in Kerberos exchanges.

The first one is about careful validation of a Kerberos ciphertext at decryption time.

When a principal decrypts a ticket, it should validate the decryption. From the structure of a Kerberos ticket, the validation obviously includes steps for checking the freshness identifiers and the correctness of the intended identities. However, what is not so obvious is the need of verifying the data integrity of a ciphertext. The importance of the data-integrity verification has been illustrated by several examples in the previous chapter (e.g., 11.7.8), and will be further investigated in 17.2.1.

This warning applies to all encryption in Kerberos exchanges.

The second warning is about the "authenticator."

Although the name "authenticator" and its position and usage (trailing a ticket) may suggest that it plays the role of a message authentication code (MAC, see 10.3) for providing data-integrity protection on the ticket it trails (e.g., A_{C,TGS} with respect to T_{C,TGS}), this imagined "protection" is actually absent.

Not only must the needed integrity protection on the ticket be supplied by a proper mechanism (e.g., by a MAC), but also notice: using encryption to create an authenticator is using a wrong cryptographic service. In order to prevent an adversary from modifying a Client_time in an authenticator, the cipher block of an authenticator itself needs data-integrity protection!

This warning applies to all authenticators in Kerberos.
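The three exchanges of 12.4.2 and the two warnings of 12.4.3, as an added example that is not the book's or MIT Kerberos's code: a Python simulation of the AS, TGS and AP exchanges in which every ticket and authenticator is sealed with a hypothetical encrypt-then-MAC construction, so that the integrity tag is verified before anything is decrypted, and each principal checks the identities, nonces, lifetimes and Client_time after decryption. The field names, the lifetime and clock-skew values, and the user, server and password are constructed; real Kerberos etypes, the replay cache and all optional fields are omitted.

```python
import hashlib, hmac, json, secrets, time

LIFE_TIME, CLOCK_SKEW = 8 * 3600, 300   # ticket lifetime and allowed Client_time skew, seconds (assumed)

def _xor_stream(key, nonce, data):       # HMAC-SHA256 counter keystream; XOR both encrypts and decrypts
    ks = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, fields):                   # hypothetical encrypt-then-MAC "etype": nonce || ct || tag
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, json.dumps(fields, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # verify the tag BEFORE decrypting: the data-integrity validation that 12.4.3 asks for
    if not hmac.compare_digest(hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ticket or authenticator failed the integrity check")
    return json.loads(_xor_stream(key, nonce, ct))

def _check(cond, what):
    if not cond:
        raise ValueError("validation failed: " + what)

def check_authenticator(session_key, auth_blob, ticket):   # open A_{X,Y}; check name and Client_time
    a = unseal(session_key, auth_blob)
    _check(a["C"] == ticket["U"], "authenticator names the ticket's user")
    _check(abs(a["client_time"] - time.time()) <= CLOCK_SKEW, "Client_time within allowed skew")
    return a

class KDC:                                # AS and TGS roles of one realm
    def __init__(self):
        self.user_keys, self.server_keys = {}, {}      # K_U per user, K_{S,TGS} per server
        self.k_as_tgs = secrets.token_bytes(32)        # K_{AS,TGS}
    def as_exchange(self, U, TGS, life_time, n1):                 # message 1 in, message 2 out
        k_c_tgs, exp = secrets.token_bytes(32), time.time() + life_time
        t_c_tgs = seal(self.k_as_tgs, {"U": U, "TGS": TGS, "key": k_c_tgs.hex(), "exp": exp})
        tgt_c = seal(self.user_keys[U], {"TGS": TGS, "key": k_c_tgs.hex(), "exp": exp, "n1": n1})
        return U, t_c_tgs, tgt_c
    def tgs_exchange(self, S, life_time, n2, t_c_tgs, a_c_tgs):   # message 3 in, message 4 out
        t = unseal(self.k_as_tgs, t_c_tgs)
        _check(t["exp"] > time.time(), "TGT not expired")
        k_c_tgs = bytes.fromhex(t["key"])
        check_authenticator(k_c_tgs, a_c_tgs, t)
        k_c_s, exp = secrets.token_bytes(32), time.time() + life_time
        t_c_s = seal(self.server_keys[S], {"U": t["U"], "S": S, "key": k_c_s.hex(), "exp": exp})
        tkt_c = seal(k_c_tgs, {"S": S, "key": k_c_s.hex(), "exp": exp, "n2": n2})
        return t["U"], t_c_s, tkt_c

class AppServer:
    def __init__(self, name, kdc):
        self.name, self.key = name, secrets.token_bytes(32)       # K_{S,TGS}
        kdc.server_keys[name] = self.key
    def ap_exchange(self, t_c_s, a_c_s):                          # message 5 in, message 6 out
        t = unseal(self.key, t_c_s)
        _check(t["S"] == self.name and t["exp"] > time.time(), "ticket is for this server and unexpired")
        k_c_s = bytes.fromhex(t["key"])
        a = check_authenticator(k_c_s, a_c_s, t)
        return seal(k_c_s, {"S": self.name, "client_time": a["client_time"]})   # A_{S,C}

class Client:
    def __init__(self, U, password, kdc):
        self.U, self.kdc, self.k_u = U, kdc, hashlib.sha256(b"K_U:" + password.encode()).digest()
        kdc.user_keys[U] = self.k_u      # AS holds K_U from the out-of-band single-signon setup
    def login(self, TGS="TGS"):                                   # AS Exchange
        n1 = secrets.token_hex(8)
        u, self.t_c_tgs, tgt_c = self.kdc.as_exchange(self.U, TGS, LIFE_TIME, n1)
        tgt = unseal(self.k_u, tgt_c)
        _check(u == self.U and tgt["TGS"] == TGS and tgt["n1"] == n1, "TGT identities and N_1")
        self.k_c_tgs = bytes.fromhex(tgt["key"])
    def get_ticket(self, S):                                      # TGS Exchange
        n2 = secrets.token_hex(8)
        a_c_tgs = seal(self.k_c_tgs, {"C": self.U, "client_time": time.time()})
        u, t_c_s, tkt_c = self.kdc.tgs_exchange(S, LIFE_TIME, n2, self.t_c_tgs, a_c_tgs)
        tkt = unseal(self.k_c_tgs, tkt_c)
        _check(u == self.U and tkt["S"] == S and tkt["n2"] == n2, "TKT identities and N_2")
        return t_c_s, bytes.fromhex(tkt["key"])
    def use_service(self, server):                                # AP Exchange
        t_c_s, k_c_s = self.get_ticket(server.name)
        now = time.time()
        rep = unseal(k_c_s, server.ap_exchange(t_c_s, seal(k_c_s, {"C": self.U, "client_time": now})))
        _check(rep["S"] == server.name and rep["client_time"] == now, "AP_REP echoes Client_time")
        return True

def demo():   # constructed realm: one KDC, server "mail", user alice; returns (served, tamper_rejected)
    kdc = KDC(); mail = AppServer("mail", kdc)
    alice = Client("alice", "correct horse", kdc); alice.login()
    served = alice.use_service(mail)
    t_c_s, k_c_s = alice.get_ticket("mail")        # now flip one ciphertext bit of T_{C,S}
    damaged = bytearray(t_c_s); damaged[20] ^= 0x01
    try:
        mail.ap_exchange(bytes(damaged), seal(k_c_s, {"C": "alice", "client_time": time.time()}))
        return served, False
    except ValueError:                              # the tag check in unseal() caught it
        return served, True
```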

12.5 SSL and TLS

An important authentication protocol, mainly for World Wide Web (Web for short) security, is the Secure Sockets Layer Protocol (SSL) [136, 111]. The term "sockets" refers to standard communication channels linking peer processes on network devices (e.g., on client/server machines). A sockets-layer protocol runs under the application-layer protocols such as the Hypertext Transfer Protocol (HTTP), Lightweight Directory Access Protocol (LDAP), or Internet Messaging Access Protocol (IMAP), and above the network layer protocols such as Transport Control Protocol (TCP) and Internet Protocol (IP). When the sockets-layer communications are secured (e.g., in confidentiality and data integrity), communications in all application-layer protocols will be secured in the same manner.

SSL is a commonly used protocol for managing the security of a message transmission on the Internet. The protocol was originally developed by Netscape Communications Corporation as an integral part of its Web browser (client-side software) and Web server. It was later accepted by Microsoft and other Internet client/server developers as well, and evolved into the de facto standard for Web security until it further evolved into the Transport Layer Security (TLS) [95]. The latter is an Internet standard for Web security developed by the industrial standardization body Internet Engineering Task Force (IETF).

TLS is based on SSL and is not drastically different from SSL. However, since TLS succeeds SSL as the Internet standard for Web security, we shall from now on comply with the standards track and only use the term TLS in our description of the Web security protocol.

12.5.1 TLS Architecture Overview

TLS is composed of two layered protocols: the TLS Record Protocol and the TLS Handshake Protocol. The latter is on top of the former.

The TLS Record Protocol provides secure encapsulation of the communication channel for use by higher layer application protocols. This protocol runs on top of the TCP and IP layers and provides a reliable session connection. It takes messages to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC (HMAC, see 10.3.2) for data integrity, encrypts (symmetric algorithm) for confidentiality, and transmits the result to the peer communicant. At the receiving end, it receives cipher data blocks, decrypts them, verifies the MAC, optionally decompresses, reassembles the blocks and delivers the result to higher level application processes.

The keys for symmetric encryption and for HMAC are generated uniquely for each session connection and are based on a secret negotiated by the TLS Handshake Protocol.

The TLS Handshake Protocol allows the server and client to authenticate each other, negotiate cryptographic algorithms, agree on cryptographic keys and thereby establish a secure session connection for the TLS Record Protocol to process secure communications for higher level application protocols.

From this TLS architecture description it is clear that the TLS Record Protocol is not an authentication protocol, although it is a protocol for achieving secure communications. We therefore should only introduce the TLS Handshake Protocol.

12.5.2 TLS Handshake Protocol

The TLS Handshake Protocol can be considered as a stateful process running on the client and server machines. A stateful connection is called a "session" in which the communication peers perform the following steps:

- They exchange hello messages to agree on algorithms, exchange random values, and check for session resumption.
- They exchange the necessary cryptographic parameters to allow the client and server to agree on a secret (called "master secret").
- They exchange certificates and cryptographic information to allow the client and server to authenticate themselves to one another.
- They generate session secrets from the master secret by exchanging random values.
- They verify that their peer has calculated the same security parameters to confirm that the handshake has been completed without having been tampered with by an attacker.
- The established secure channel is passed on to the TLS Record Protocol for processing higher level application communications.

These steps are realized by four message exchanges which we describe below. In order to achieve a better exposition of the protocol idea we shall only describe a simplified version of the TLS Handshake Protocol by omitting some optional elements. In the protocol description, C denotes the client (i.e., the client-side Web browser) and S denotes the Web server. If a message is trailed with *, this message is optional.

1. C → S : ClientHello;
2. S → C : ServerHello,
           ServerCertificate*,
           ServerKeyExchange*,
           CertificateRequest*,
           ServerHelloDone;
3. C → S : ClientCertificate*,
           ClientKeyExchange,
           CertificateVerify*,
           ClientFinished;
4. S → C : ServerFinished.

This protocol can be executed with all the optional messages and the ClientKeyExchange message omitted. This is the case when the client wants to resume an existing session.

Now let us provide an overview-level explanation of the messages exchanged in the TLS Handshake Protocol.

12.5.2.1 Hello Message Exchange

The client starts the session connection by sending a ClientHello message to which the server must respond with a ServerHello message, or else the connection will fail. These two messages establish the following fields: "protocol_version," "random," "session_id," "cipher_suites," and "compression_methods."

The field "protocol_version" is for backward compatibility use: the server and client may use this field to inform their peer of the version of the protocol it is using.

The field "random" contains random numbers (nonces as freshness identifiers) which are generated by both sides and are exchanged. It also contains the local time of each communicant.

The field "session_id" identifies the current session connection. When the client wishes to start a new session connection, ClientHello.session_id should be empty. In this case, the server generates a new session_id, uses this new value in the field ServerHello.session_id, and caches the session_id in its local memory. If ClientHello.session_id is non-empty (when the client wants to resume an existing session), the server should try to find the session_id in its local cache, and resume the identified session.

A point worth noticing is the field "cipher_suites." ClientHello.cipher_suites is a list of the cryptographic options supported on the client-side machine, sorted with the client's first preference first. A wide range of public-key and symmetric cryptographic algorithms, digital signature schemes, MAC schemes and hash functions can be proposed by the client. The server selects a single scheme for each necessary cryptographic operation, and informs the client in ServerHello.cipher_suites.
12.5.2.2 Server's Certificate and Key-exchange Material

After the hello message exchange, the server may optionally send its certificate, if it is to be authenticated. The ServerCertificate message, if non-empty, is a list of X.509.v3 certificates (see §13.2). An X.509 certificate contains sufficient information about the name and the public key of the certificate owner and about the issuing certification authority (see Example 13.1). The list is a certificate chain: the server's own certificate comes first, and each following certificate certifies the one before it, up to a certification authority the client trusts. The public key algorithm of the server's certificate must be one that the chosen cipher suite, and hence the client, supports.

ServerKeyExchange follows ServerCertificate, and is sent only when the certificate alone does not give the client enough key material (for example, for ephemeral Diffie-Hellman key exchange). It contains the server's public key material matching the certificate list in ServerCertificate. The material for Diffie-Hellman key agreement is included here as the tuple (p, g, g^y), where p is a prime modulus, g is a generator modulo p of a large group, and y is an integer cached in the server's local memory (linked to "session_id").

A server which provides non-anonymous services may further request a certificate from the client using the CertificateRequest message, if that is appropriate to its selection of the public-key algorithm from ClientHello.cipher_suites.

Now the server sends the ServerHelloDone message, indicating that the hello-message phase of the handshake is complete. The server then waits for a client response.

12.5.2.3 Client Response

If the server has sent the CertificateRequest message, the client must send either a ClientCertificate message or, if it has no suitable certificate, a Certificate message containing no certificates (SSL 3.0 used a no_certificate alert for this purpose; TLS 1.0 does not).
The ClientKeyExchange message is now sent. The content of this message depends on the public-key algorithm agreed between the ClientHello and ServerHello messages.

In the case of the KeyExchangeAlgorithm being RSA, the client generates a 48-byte random "pre_master_secret" and encrypts it under the server's certified RSA public key (obtained from ServerCertificate). Both sides then derive the 48-byte "master_secret" from the pre_master_secret and the two random values exchanged in the hello messages; Prot 12.2 abbreviates this by writing master_secret for the encrypted value.

If the client has sent a certificate and the client has the signing ability, then a digitally-signed CertificateVerify message is sent, so that the server can verify explicitly that the client possesses the private key matching the certificate it sent.

12.5.2.4 Finished Message Exchange

The client now sends the ClientFinished message, which includes a keyed HMAC (keyed under the "master_secret") over all handshake messages exchanged so far, to allow the server to confirm the proper handshake execution at the client side. In response, the server sends its own ServerFinished message, which also includes a keyed HMAC to allow the client to confirm the proper handshake execution at the server side.

At this point, the handshake is complete and the client and server may begin to exchange application layer data.
12.5.3 A Typical Run of the TLS Handshake Protocol

Let us complete our description of the TLS Protocol by exemplifying a typical run of the Handshake Protocol. The execution example is illustrated in Prot 12.2.

Protocol 12.2: A Typical Run of the TLS Handshake Protocol.

1. C -> S: ClientHello.protocol_version = "TLS Version 1.0",
           ClientHello.random = T_C, N_C,
           ClientHello.session_id = "NULL",
           ClientHello.cipher_suites = "RSA: encryption, SHA-1: HMAC",
           ClientHello.compression_methods = "NULL";

2. S -> C: ServerHello.protocol_version = "TLS Version 1.0",
           ServerHello.random = T_S, N_S,
           ServerHello.session_id = "xyz123",
           ServerHello.cipher_suite = "RSA: encryption, SHA-1: HMAC",
           ServerHello.compression_method = "NULL",
           ServerCertificate = point_to(server's certificate),
           ServerHelloDone;

3. C -> S: ClientKeyExchange = point_to(RSA_Encryption(master_secret)),
           ClientFinished = SHA-1(master_secret || C || N_C || N_S || ...);

4. S -> C: ServerFinished = SHA-1(master_secret || S || N_S || N_C || ...).

Here T_C, N_C (respectively T_S, N_S) denote the client's (respectively the server's) local time and nonce making up the "random" field.
In this execution of the TLS Handshake Protocol, the client chooses to be anonymous and so is not authenticated to the server; the client chooses to use RSA for encryption and SHA-1 for computing HMACs. As a result, the server unilaterally authenticates itself to the client. The output from the execution is a unilaterally authenticated channel from the server to the client.

This execution shows a typical example of using the TLS Protocol in a Web-based electronic commerce application, for example, buying a book from an online bookseller. The output channel assures the client that only the authenticated server will receive its instructions on the book purchase, which may include confidential information such as its user's bankcard details, the book title, and the delivery address.
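The run of Prot 12.2 played out end to end, as an added example written for this page (it is not code from the book and not an implementation of TLS; the record layer is omitted). Both parties live in one process. The client offers cipher suites in preference order and the server picks the first it supports; an empty session_id yields a fresh one; the client encrypts a 48-byte pre_master_secret under the server's RSA key in PKCS#1 v1.5 block type 2 format, as RFC 2246 specifies; both sides derive master_secret with a P_SHA1 expansion (the real TLS 1.0 PRF also mixes in a P_MD5 stream); and each Finished is a keyed check over the whole transcript, rather than the bare SHA-1 the figure abbreviates it to. The RSA key pair is generated at run time and sized for speed, not security; the "certificate" is just the raw public key, assumed trusted out of band (Chapter 13); the cipher-suite strings are placeholders, not IANA names.

```python
"""TLS 1.0-style handshake with RSA key transport (Prot 12.2), both parties in one process.
Illustrative code for this page, not an implementation of TLS; no record layer."""
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; only used to make the demonstration RSA key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits: int = 1024):
    """Returns (public, private) = ((e, n), (d, n)). 1024 bits is for speed, not security."""
    def prime(k):
        while True:
            p = secrets.randbits(k) | (1 << (k - 1)) | 1
            if is_probable_prime(p):
                return p
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                      # gcd(e, phi) == 1 since e is prime
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_encrypt(pub, msg: bytes) -> bytes:
    """PKCS#1 v1.5 block type 2: 00 02 || nonzero random pad || 00 || msg (RFC 2246 7.4.7.1)."""
    e, n = pub
    k = (n.bit_length() + 7) // 8
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def rsa_decrypt(priv, ct: bytes) -> bytes:
    d, n = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02" or b"\x00" not in em[2:]:
        raise ValueError("decryption error")
    return em[em.index(b"\x00", 2) + 1:]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 expansion of RFC 2246 section 5; the real TLS 1.0 PRF also XORs in a P_MD5 stream."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha1).digest()
    return out[:length]


def finished(master_secret: bytes, label: bytes, transcript: list) -> bytes:
    """Finished.verify_data: keyed by master_secret over every handshake message so far."""
    return prf(master_secret, label, hashlib.sha1(b"".join(transcript)).digest(), 12)


def run_handshake(client_suites: list, server_suites: set, server_keys) -> dict:
    """One anonymous-client run, ClientHello through ServerFinished; raises on any failure."""
    pub, priv = server_keys
    transcript = []                                   # what both parties hash into Finished
    # 1. C -> S: ClientHello (empty session_id: a new session, not a resumption)
    client_random = secrets.token_bytes(32)
    transcript.append(b"ClientHello" + client_random + ",".join(client_suites).encode())
    # 2. S -> C: ServerHello, ServerCertificate, ServerHelloDone
    chosen = next((s for s in client_suites if s in server_suites), None)   # client's order
    if chosen is None:
        raise RuntimeError("handshake_failure: no common cipher suite")
    server_random, session_id = secrets.token_bytes(32), secrets.token_bytes(16)
    certificate = pub                 # stands in for the X.509 chain; trusted out of band here
    transcript += [b"ServerHello" + server_random + session_id + chosen.encode(),
                   b"Certificate" + repr(certificate).encode(), b"ServerHelloDone"]
    # 3. C -> S: ClientKeyExchange, Finished
    pre_master = b"\x03\x01" + secrets.token_bytes(46)        # 48 bytes: version || random
    client_key_exchange = rsa_encrypt(certificate, pre_master)
    transcript.append(b"ClientKeyExchange" + client_key_exchange)
    seed = client_random + server_random
    ms_c = prf(pre_master, b"master secret", seed, 48)
    client_finished = finished(ms_c, b"client finished", transcript)
    # server side: only the certificate's owner can recover pre_master and verify this
    ms_s = prf(rsa_decrypt(priv, client_key_exchange), b"master secret", seed, 48)
    if not hmac.compare_digest(client_finished, finished(ms_s, b"client finished", transcript)):
        raise RuntimeError("bad_record_mac: client Finished does not verify")
    transcript.append(client_finished)
    # 4. S -> C: Finished; verifying it is what authenticates the server to the client
    server_finished = finished(ms_s, b"server finished", transcript)
    if not hmac.compare_digest(server_finished, finished(ms_c, b"server finished", transcript)):
        raise RuntimeError("bad_record_mac: server Finished does not verify")
    return {"cipher_suite": chosen, "session_id": session_id,
            "client_master_secret": ms_c, "server_master_secret": ms_s}
```

Because the client never sends a certificate, the run ends as in the book's example with a channel authenticated in one direction only: an impostor who does not hold the certified private key cannot recover pre_master_secret and therefore cannot produce a ServerFinished that the client's check accepts.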
12.5.4 A Side Channel Attack on a TLS Application

In side channel attacks Malice tries to find some subliminal information which a principal discloses inadvertently. A timing analysis attack is a special case of side channel attacks. In this special case, Malice observes and analyzes the time behavior of a principal in responding to his challenge in order to discover a secret. The first published side-channel and timing-analysis attack is that of Kocher [167], which is best applied to a system performing modular exponentiation (e.g., signing or decrypting in RSA, or ephemeral-key exponentiation in an ElGamal-family signature scheme or in Diffie-Hellman key exchange). The attack aims to discover the secret exponent. Modular exponentiation uses the square-and-multiply technique and proceeds bit by bit on the exponent (see Alg 4.3). The operation performs, for each bit 1 in the exponent, a squaring and a multiplication, while for each bit 0, a squaring only. The attack is to detect the time difference between these two cases. A successful detection means extracting the secret exponent bit by bit.
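An added example (not from the book) that makes the leak concrete. square_and_multiply follows the left-to-right algorithm and records, for every exponent bit, whether a multiplication followed the squaring; that record is what a timing attacker reconstructs from the per-bit time differences, and recover_exponent_from_trace reads the exponent straight off it. montgomery_ladder does one squaring and one multiplication at every bit position, so its operation sequence is the same for every exponent of the given length; it still branches on the bit, so it removes Kocher's operation-count leak only and is not a complete constant-time implementation. The modulus and exponents used are arbitrary test values.

```python
"""Why square-and-multiply leaks its exponent, and a ladder that removes the operation-count leak."""


def square_and_multiply(base: int, exponent: int, modulus: int, trace: list) -> int:
    """Left-to-right square-and-multiply (Alg 4.3). For each exponent bit, `trace` records
    'SM' (square then multiply, bit 1) or 'S' (square only, bit 0): the data-dependent
    work whose duration a timing attacker measures."""
    result = 1
    for bit in bin(exponent)[2:]:
        result = result * result % modulus
        if bit == "1":
            result = result * base % modulus
            trace.append("SM")
        else:
            trace.append("S")
    return result


def recover_exponent_from_trace(trace: list) -> int:
    """Kocher's attacker, once per-bit timings are distinguishable: every 'SM' is a 1 bit."""
    return int("".join("1" if op == "SM" else "0" for op in trace), 2)


def work(trace: list) -> int:
    """A crude clock: a multiplication costs about as much as a squaring, so 'SM' is 2, 'S' is 1."""
    return sum(2 if op == "SM" else 1 for op in trace)


def montgomery_ladder(base: int, exponent: int, modulus: int, trace: list, bits: int) -> int:
    """One squaring and one multiplication at each of `bits` positions, so the operation
    sequence is independent of the exponent. The branch on the bit remains, so this defeats
    only the operation-count leak, not cache or branch-prediction side channels."""
    r0, r1 = 1, base                       # invariant: r1 == r0 * base (mod modulus)
    for i in range(bits - 1, -1, -1):
        if (exponent >> i) & 1:
            r0, r1 = r0 * r1 % modulus, r1 * r1 % modulus
        else:
            r1, r0 = r0 * r1 % modulus, r0 * r0 % modulus
        trace.append("SM")
    return r0
```

Run square_and_multiply on two exponents of equal length but different Hamming weight and work() differs; run montgomery_ladder on the same two and the traces are identical, which is the whole point of the countermeasure.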
Recently, Canvel et al. [68] discovered a side channel (timing analysis) attack technique against a protocol case: a TLS/SSL protected link between a server and a client. A typical target of this attack is a user's password for accessing an e-mail (IMAP) server. In this case, the targeted password is sent from a client machine to an e-mail server, and the communications between the client and the server are protected by a TLS link. The link is encrypted using a strong session key resulting from a TLS protocol run (e.g., that illustrated in Prot 12.2). The session encryption uses a strong block cipher (e.g., triple DES) in the CBC mode of operation (see §7.8.2).

The timing analysis attack utilizes Vaudenay's "bomb oracle attack" on the standard CBC padding scheme [294], which we have studied in §7.8.2.1. Let us recap that attack briefly here.
Let C be a CBC ciphertext block which encrypts a password and has been recorded by Malice. In Vaudenay's attack on the standard CBC plaintext padding scheme, Malice sends to a decryption oracle

r, C

where r is some random data block(s). Malice then waits for the decryption oracle's response, either "correct padding" or "incorrect padding". The "correct padding" response reveals the final plaintext byte encrypted under C (in the case of C encrypting a password, this byte reveals the final character of the password). Now we are technically ready to describe the timing analysis attack against the TLS link.

Malice sends r, C to the e-mail server, pretending that he is the owner of the targeted password encrypted in C and is accessing e-mail. The server, upon receipt of r, C, performs CBC decryption and checks the validity of the padding. If the padding is correct (with probability close to 2^-8, see §7.8.2.1), it further checks data integrity by recalculating a MAC (message authentication code; review the data integrity mechanism using a MAC in §10.3.3). If a padding error is detected, there is no need to perform the data-integrity check (i.e., no further recalculation of the MAC). An error in either case is sent back to the client machine, of course, encrypted under the strong TLS session key.

It seems that Malice, who does not know the strong session key, cannot get an oracle service; that is, the e-mail server, which sends its error messages encrypted, is not a decryption oracle. However, for random r, if the CBC padding is correct, then with overwhelming probability the data integrity check will fail. Therefore, the e-mail server under attack actually responds in only one of the following two ways:

i. sending back {"invalid padding"}_K, with probability 1 - 2^-8, or
ii. sending back {"invalid MAC"}_K, with probability 2^-8.

Case (ii) implies "valid padding", from which Malice obtains the final plaintext byte under C.

Now the timing attack kicks in! For a sufficiently large r (a few blocks), in case (ii) the server has to recalculate a lengthy MAC (an HMAC over the whole decrypted record) while in case (i) no such calculation is performed. On a fairly standard implementation of the server, Canvel et al. [68] detect a consistent difference in the server's response time, of the order of a few milliseconds. Thus, under timing analysis, the server acts, indeed, as a decryption oracle. Notice that the error-handling procedure, usually necessary in applications, means that the decryption oracle never explodes: it is a reliable oracle!

By changing r craftily (without changing C), Malice can discover the whole password byte by byte, backwards. The method of changing r is left as an exercise for the reader (a hint is given in Exercise 12.12). If C encrypts a password of 8 bytes, the extraction of the whole password can be done in 8 × 2^8 = 2048 trials, each a pretended e-mail log-in session.

This is an extraordinary attack, although it works better on (or is probably confined to) the case of a local area network (LAN) where the client and the server are in the same LAN, so that the difference in time delay can be detected more accurately. This attack shows that oracle services can be generally available, sometimes via side channels. From this attack we also know that error messages in cryptographic protocols need to be handled with care.
A possible fix for this attack in this specific application is that the server should take a random "sleep" before responding with an error message. Random delay only adds noise, however, and noise can be averaged away by repeating each query; the sounder fix is to remove the dependency itself: compute the MAC even when the padding is invalid, so that the work done is the same in both cases, and return one and the same alert (bad_record_mac) for a padding error and for a MAC error. This is the remedy TLS 1.1 (RFC 4346) later adopted.
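The attack of this section and the sounder fix, as an added example written for this page (this is not the code of Canvel et al.; the toy Feistel block cipher, the keys and the password are constructed stand-ins). Records have the TLS layout data || HMAC-SHA1 || padding under the standard CBC padding of §7.8.2.1 (n bytes each of value n). MailServer.receive in leaky mode answers "invalid padding" without touching the MAC and computes the MAC only when the padding passed; its mac_checks counter plays the role of the response time Malice measures. The attack sends a few random blocks, then r, then C, and carries the last-byte extraction through the whole block, which is the generalization Exercise 12.12 asks for. In hardened mode the server computes a MAC whether or not the padding is valid and returns a single bad_record_mac, and the same attack finds no usable signal.

```python
"""CBC padding oracle on a TLS-like record (data || MAC || padding): the two-error leak of
12.5.4 beside a hardened record handler. Toy 16-byte Feistel cipher keeps it self-contained."""
import hashlib
import hmac
import secrets

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation; any block cipher would do, the attack never touches it."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    """Standard CBC padding of 7.8.2.1: n bytes each of value n, 1 <= n <= 16."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out, prev = out + xor(block_decrypt(key, block), prev), block
    return out


class MailServer:
    """Accepts records IV || C_1 ... C_n whose plaintext is data || HMAC-SHA1 tag || padding."""

    def __init__(self, enc_key: bytes, mac_key: bytes, hardened: bool = False):
        self.enc_key, self.mac_key, self.hardened = enc_key, mac_key, hardened
        self.mac_checks = 0        # stands in for the response time Malice measures
        self.requests = 0

    def seal(self, data: bytes) -> bytes:
        iv = secrets.token_bytes(BLOCK)
        tag = hmac.new(self.mac_key, data, hashlib.sha1).digest()
        return iv + cbc_encrypt(self.enc_key, iv, pad(data + tag))

    def receive(self, record: bytes) -> str:
        self.requests += 1
        plain = cbc_decrypt(self.enc_key, record[:BLOCK], record[BLOCK:])
        try:
            body = unpad(plain)
        except ValueError:
            if not self.hardened:
                return "invalid padding"     # leaky: answers fast, no MAC computed
            body = plain                     # hardened: MAC anyway, same work either way
        self.mac_checks += 1
        expected = hmac.new(self.mac_key, body[:-20], hashlib.sha1).digest()
        if len(body) < 20 or not hmac.compare_digest(expected, body[-20:]):
            return "bad_record_mac" if self.hardened else "invalid MAC"
        return "ok"


def padding_oracle_attack(server: MailServer, prev_block: bytes, target: bytes) -> bytes:
    """Recover the plaintext of block `target` (CBC predecessor `prev_block`) from the server's
    timing alone, one byte at a time from the right; 256 trials per byte."""
    def padding_valid(r: bytes) -> bool:
        before = server.mac_checks
        server.receive(secrets.token_bytes(2 * BLOCK) + r + target)   # random blocks, r, C
        return server.mac_checks != before       # MAC only recomputed after valid padding

    def flip(r: bytes, i: int) -> bytes:
        return r[:i] + bytes([r[i] ^ 0xFF]) + r[i + 1:]

    inter = bytearray(BLOCK)                     # D_K(C), learned from the right
    for pos in range(BLOCK - 1, -1, -1):
        n = BLOCK - pos                          # padding length we try to produce
        tail = bytes(inter[i] ^ n for i in range(pos + 1, BLOCK))
        found = []
        for guess in range(256):
            r = secrets.token_bytes(pos) + bytes([guess]) + tail
            # for n == 1, flipping the byte before rules out an accidental 02 02 (or longer) ending
            if padding_valid(r) and (n > 1 or padding_valid(flip(r, pos - 1))):
                found.append(guess)
        if len(found) != 1:                      # zero or all 256: no usable side channel
            raise RuntimeError("no usable side channel")
        inter[pos] = found[0] ^ n
    return xor(bytes(inter), prev_block)
```

Against the leaky server the recovered block is the password followed by the first bytes of its MAC; against the hardened one every r looks "valid" to the attacker, so no byte can be singled out and the attack aborts.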

12.6 Chapter Summary

In this chapter we have introduced four authentication protocols (systems and standards) for real world applications. They are: IKE as the IETF authentication standard for IPSec, SSH as the de facto authentication standard for remote secure shell interaction sessions, Kerberos as the industrial standard for Windows-based operating systems in an enterprise computer and information resource environment, and TLS (SSL) as the de facto standard for Web security.

Although in our description of each protocol suite (system) we have taken a great deal of simplification, our descriptions still show enough engineering complexities. These complexities are due to real-world necessities such as algorithm and parameter negotiation, compatibility for use by a wide range of systems, backward compatibility, ease of use, etc. In the case of IPSec and IKE, the need to support a general quality of confidentiality also contributed to the high system complexity. From our study in this chapter we know that for any real-world application of authentication protocols, we are not only facing a number of security problems, but also a great deal of system engineering problems. The latter problems, if not dealt with due care, can have serious consequences for security.

We have also seen that the extremely error-prone nature of authentication protocols inevitably appears in the versions for real world applications. For this reason, we have still not completed our topic on authentication protocols for this book. We will return to this important topic in Chapter 17 on formal analysis techniques.
Exercises

12.1 In the absence of IPSec protection for IP communications, by what means can Malice manipulate messages transmitted over the Internet (e.g., masquerade as a message originator, reroute a message, etc.)?

12.2 What role does an "authentication header" (AH) play in an IPSec-enabled IP packet?

12.3 What is the relationship between IPSec and IKE?

12.4 In which two ways can an IP packet be cryptographically protected?

12.5 In Exercise 11.15 we have considered a fix of the minor flaw in the STS protocol without damaging its anonymity (deniability) property. Provide a similar fix for the minor flaw in the IKE Signature-based Phase 1 Main Mode without damaging its "plausible deniability" property.

12.6 Demonstrate a "perfect denial of service attack" on Signature-based IKE Phase 1 Aggressive Mode in §12.2.3.4.
Hint: such an attack is similar to one in Attack 11.3.

12.7 Both the encrypted key exchange (EKE) protocol (Prot 11.5) and the SSH protocol encrypt passwords using asymmetric encryption algorithms. However, there is an essential difference between them. What is the difference?

12.8 How can a server in the SSH protocol be practically authenticated to a user on a client?

12.9 Why, in the general setting of the Kerberos protocol, should each client face three different kinds of servers?

12.10 Why is the Kerberos protocol suitably used in an enterprise environment? Is it suitable for a cross-enterprise (open systems) environment?

12.11 The TLS (SSL) protocols have been widely used in Web-based electronic commerce applications. However, are these protocols naturally suitable for such applications? If not, why?
Hint: these protocols do not support authorization of payments with the nonrepudiation service.

12.12 In §12.5.4 we have introduced a timing attack technique for extracting the final byte of the plaintext message encrypted in a CBC ciphertext block which uses the standard CBC plaintext padding scheme. How are further bytes extracted?
Hint: review the standard CBC plaintext padding scheme in §7.8.2.1; to extract the last-but-one byte after successful extraction of the last byte, you should consider the following event of "valid padding": the two final bytes ("two padding bytes") are '02' || '02'; now modify the final byte of r to maximize the probability for this event to occur.
Chapter 13. Authentication Framework for Public-Key Cryptography

Section 13.1. Introduction
Section 13.2. Directory-Based Authentication Framework
Section 13.3. Non-Directory Based Public-key Authentication Framework
Section 13.4. Chapter Summary
Exercises
13.1 Introduction

In the usual sense of public-key cryptography, a key generation procedure invariably contains the following step:

Equation 13.1.1

Here, F is some efficient and one-way function which maps from the private key space to the public-key space. Due to the one-way property of the function F (a good mixing transformation), a public key computed from a private key always contains a part which looks random.

With every public key containing a random-looking part, it is obviously necessary that a principal's public key be associated with the principal's identity information in a verifiable and trustworthy way. Clearly, to send a confidential message encrypted under a public key, the sender must make sure that the random-looking public key used really belongs to the intended recipient. Likewise, to establish the origin of a message using a digital signature scheme, the verifier must make sure that the public key used for the signature verification really belongs to the claimed signer.

In general, to use public-key cryptography in real-world applications, we need a mechanism which enables a ready verification of the association between a public key and a principal's identity. Such a mechanism is usually realized in an authentication framework: it enables the owner of a public key to authenticate toward the system.

13.1.1 Chapter Outline

In the rest of this chapter we will introduce two different ways to establish an authentication framework for public-key cryptography: one is called public key certification infrastructure (PKI) (§13.2), and the other, identity-based public-key cryptography (§13.3).
13.2 Directory-Based Authentication Framework
For a pair of principals who communicate frequently, it need not be difficult for them to securely identify the other party's public key: they can exchange their public keys initially in a physically secure manner, e.g., in a face-to-face meeting, and then store the keys by a secure means. However, this "simple" key-management method does not scale up well. In the general setting for an open communications system, communications take place between principals who may have never met before; also, in most cases a communication may take place between a pair of principals once only. The "simple" key-management method will require each principal to manage an unrealistically huge number of public keys. Moreover, such a method does not really make use of the advantages of public-key cryptography.
In §2.4 we have seen an online service offered by a trusted principal for the management of secret keys. The service is a combination of sub-services such as key registration, authentication and name directory. To use the key-management service, every principal should first establish a one-to-one and long-term relationship with a trusted server principal (authentication server) by sharing a long-term secret key with the latter. When two (end-user) principals need to conduct a secure communication between them, they can engage in an authentication protocol run together with the authentication server to establish a secure communication channel between them. Thus, each end-user principal only needs to manage a single secret key shared with the authentication server. The key-management and authentication service introduced in Chapter 2 is for authentication protocols based on secret-key cryptosystems (even though in §2.6.6 we discussed the Needham-Schroeder public-key authentication protocol, the authentication service in that protocol still uses an online trusted third party, essentially in a secret-key style).
The secret-key management service can naturally be extended to the management of public keys. Here the key-management service is called a public-key certification service, and a trusted server is called a certification authority (CA). A CA is a special principal who is well-known and trusted directly by the principals in the domain it serves, and can also be known and trusted in a bigger domain through an indirect way (we shall discuss more about "trust" in a moment). For each end-user within the domain of a CA, the CA will issue a public-key certificate for certifying the user's public key material. A public-key certificate is a structured data record with a number of data entries which include a uniquely identifiable identity of the holder and her/his public key parameter. A certificate is digitally signed by the issuing CA. Thus the CA's signature of a certificate provides a cryptographic binding between the holder's identity and her/his public key. A principal, after having verified the certificate of another principal, should believe the validity of the binding if she/he trusts the CA in that the CA has issued the certificate only after having properly identified the holder. In this way, the verifying principal establishes a secure key channel which is directed from the certified public key toward her/him (in fact, toward the system). Kohnfelder first used the name "public key certificate" [169].
A public-key channel based on a certification service is often called a directory-based channel, as we have illustrated in Figures 7.1 and 10.1. The certification service is thus also often called a directory service.
Notice that, in comparison with the "trust" required of an authentication server for secret-key based authentication protocols (see §2.4), the "trust" required of a CA is much weaker. Here, the security service provided is message authentication, which can be provided without the need to handle any secret (since verifying a CA's signature of a certificate only involves using the CA's public key). Without the need to handle any secret, the service can be provided off-line, that is, a CA need not be engaged in a protocol run with the end-user principals. An important feature of an off-line service is that it can scale up to deal with a very large system. Obviously, a CA's public key used for verifying the certificates that the CA has issued can itself, in turn, be certified by another CA, and so on.

The data entries in a certificate should include the identity information and the public key information of the issuing CA. They should also include some additional information, such as the description of the algorithm to be used for verifying the issuing CA's signature and that to be used by the public key certified, the validity period, conditions of use, etc. Semi-formally, a public-key certificate may be defined as in Example 13.1.
Example 13.1. Public-key Certificate
certificate ::=
{
issuer name;
issuer information;
subject name;
subject information;
validity period;
}
issuer information ::=
{
issuer public key;
signature algorithm identifier;
hash function identifier
}
subject information ::=
{
subject public key;
public key algorithm identifier
}

validity period ::=
{
start date;
finish date
}
13.2.1 Certificate Issuance
In the issuance of a certificate, a CA should validate the identity of a principal who requests a certificate. The validation should of course involve some physical (i.e., non-cryptographic) means of identification, as we usually have to conduct in some business interaction (e.g., in the opening of a bank account). The principal should also prove that she/he knows the private component of the public key to be certified. The proof can either be in the form of the user creating a signature of a challenge message, which is verifiable using the public key, or be in the form of a zero-knowledge proof protocol between the user and the CA, with the public key as the common input. Some applications require the private component of a public key to have a certain structure. In such applications, a zero-knowledge protocol can be designed to enable a proof of the needed structure. We shall see in later chapters a few zero-knowledge protocols for proof of the structure of a secret.
13.2.2 Certificate Revocation
Occasionally, it may be necessary to revoke a certificate. Compromise of a user's private key or a change of user information are two examples of this situation.
In the case of the directory-based certification framework, the root CA should maintain a hot list of the revoked certificates. The hot list may be available online. Alternatively, the root CA may issue a "Δ-revocation list" throughout the system, which only contains newly revoked certificates. The system-wide users can update their local copies of the certificate revocation list whenever they receive a Δ-revocation list.
A revocation of a certificate should be timestamped by the revoking CA. Signatures of a principal issued prior to the date of her/his certificate's revocation should be considered as still valid (according to application) even if the date of the signature verification is later than the date of the certificate's revocation.
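A local revocation list kept up to date from Δ-revocation lists, with the timestamp rule of this subsection applied when a signature is checked. This is an added example, not code from the book: the serial numbers, dates and reasons are constructed, and dates are ISO strings so that string comparison is chronological.

```python
from dataclasses import dataclass, field

@dataclass
class Revocation:
    serial: str
    revoked_at: str   # timestamp put on the revocation by the revoking CA
    reason: str

@dataclass
class LocalCRL:
    """A user's local copy of the certificate revocation list."""
    entries: dict = field(default_factory=dict)   # serial -> Revocation
    issued_at: str = "0000-00-00"                 # issue date of the newest list merged in

    def apply_delta(self, issued_at, delta):
        """Merge a delta-revocation list that carries only newly revoked certificates.
        A list older than the one already held is discarded, so a replayed old list
        cannot roll the local copy back; a serial already present keeps its first
        recorded entry. Returns whether the list was applied."""
        if issued_at < self.issued_at:
            return False
        for rev in delta:
            self.entries.setdefault(rev.serial, rev)
        self.issued_at = issued_at
        return True

def signature_status(crl, serial, start, finish, signed_at, verified_at):
    """Classify a signature made under certificate `serial` at `signed_at` and
    checked at `verified_at`; (start, finish) is the certificate's validity period.
    Dates are ISO strings, so string comparison is chronological."""
    if not start <= signed_at <= finish:
        return "rejected: signed outside the validity period"
    if signed_at > verified_at:
        return "rejected: signature dated after the verification time"
    if signed_at > crl.issued_at:
        # the local list says nothing about revocations after its own issue date
        return "undetermined: local revocation list predates the signature"
    rev = crl.entries.get(serial)
    if rev is None:
        return "accepted"
    if signed_at < rev.revoked_at:
        # the rule above: a signature made before the revocation date stays valid,
        # even though verified_at may be later than the revocation
        return "accepted: signed before revocation on " + rev.revoked_at
    return "rejected: signed after revocation (" + rev.reason + ")"
```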
13.2.3 Examples of Public-key Authentication Framework

Now let us see several examples of directory-based public-key authentication frameworks.
13.2.3.1 X.509 Public-key Certification Framework
The standard public-key certification framework, called the X.509 [152] certification infrastructure, scales up in a tree hierarchy, called a directory information tree (DIT). In such a tree hierarchy, each node represents a principal whose public-key certificate is issued by its immediate parent node. The leaf nodes are end-user principals. The non-leaf nodes are CAs at various levels and domains; for example, a country-level CA has industry, education and government organization domains; each of these domains has many sub-domains, e.g., the education domain has various university sub-domains. The root node is called the root CA, which is a well-known principal in the whole system. The root CA should certify its own public key. Since each CA is potentially capable of serving a large domain (of CAs or end-users), the depth of a DIT need not be a large number. Two end-user principals can establish a secure communication channel by finding upward in the DIT a CA who is the nearest common ancestor node of them.
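The certificate record of Example 13.1, the CA signature that binds a name to a key (§13.2), and the walk up the DIT to the nearest common ancestor, put together as one runnable model. This is an added example, not code from the book: the signature scheme is textbook RSA over a SHA-256 digest, a stand-in for a real signature algorithm, and the CA names, dates and tree shape are constructed.

```python
import hashlib
import json
import random

RNG = random.Random(13)  # fixed seed so the constructed keys are reproducible

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for a toy key generator."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=192):
    """Toy RSA pair ((n, e), d); n > 2**256, so a SHA-256 digest fits as a message."""
    def prime():
        while True:
            p = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(p):
                return p
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (p * q, 65537), pow(65537, -1, phi)

def digest(record):
    """Integer SHA-256 of the canonical (sorted-key JSON) encoding of a record."""
    data = json.dumps(record, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(issuer, ipub, ipriv, subject, spub, start, finish):
    """The CA fills in the record of Example 13.1 and signs it: the signature is
    the only thing binding 'subject name' to 'subject public key'."""
    body = {"issuer name": issuer,
            "issuer information": {"issuer public key": list(ipub),
                                   "signature algorithm identifier": "toy-rsa",
                                   "hash function identifier": "sha256"},
            "subject name": subject,
            "subject information": {"subject public key": list(spub),
                                    "public key algorithm identifier": "toy-rsa"},
            "validity period": {"start date": start, "finish date": finish}}
    return {"body": body, "signature": pow(digest(body), ipriv, ipub[0])}

class DIT:
    """Directory information tree: each node's certificate is issued by its parent."""
    def __init__(self):
        self.keys, self.parent, self.cert = {}, {}, {}

    def add(self, name, parent=None):
        self.keys[name] = keygen()
        self.parent[name] = parent
        issuer = parent or name            # the root CA certifies its own key
        ipub, ipriv = self.keys[issuer]
        self.cert[name] = issue(issuer, ipub, ipriv, name, self.keys[name][0],
                                "2003-01-01", "2004-01-01")

    def path_to_root(self, name):
        path = [name]
        while self.parent[path[-1]]:
            path.append(self.parent[path[-1]])
        return path

    def nearest_common_ancestor(self, a, b):
        on_a_path = set(self.path_to_root(a))
        return next(n for n in self.path_to_root(b) if n in on_a_path)

    def verify_chain(self, verifier, target, certs=None):
        """Target's public key as vouched for by the certificates from the nearest
        common ancestor (whose key lies on the verifier's own path and is therefore
        trusted) down to target; None if any link fails."""
        certs = self.cert if certs is None else certs
        issuer = self.nearest_common_ancestor(verifier, target)
        key = self.keys[issuer][0]
        chain, node = [], target
        while node != issuer:              # collect the certificates bottom-up
            chain.append(certs[node])
            node = self.parent[node]
        for cert in reversed(chain):       # check them top-down
            body = cert["body"]
            if (body["issuer name"] != issuer
                    or tuple(body["issuer information"]["issuer public key"]) != key
                    or pow(cert["signature"], key[1], key[0]) != digest(body)):
                return None
            issuer = body["subject name"]
            key = tuple(body["subject information"]["subject public key"])
        return key
```

A verifier passing a tampered copy of the directory (the optional `certs` argument) gets None, because the swapped key no longer matches the CA's signature.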
13.2.3.2 PGP "Web of Trust"
Another public-key certification framework which has a large number of amateur users is called a PGP "web of trust" or "key-ring" (PGP stands for "Pretty Good Privacy", which is a secure e-mail software developed by Zimmermann [312]). This authentication model scales up in an unhierarchical manner. In the PGP "web of trust," any individual can be a "CA" for any other principals in the system by signing their "key certificates", each of which is simply a pair (name, key). Evidently, the signing relationship forms a web structure. Any single "CA" in the web is not well trusted or not trusted at all. The theory is that with enough such signatures, the association (name, key) could be trusted because not all of these signers would be corrupt. Thus, when Alice wants to establish the authenticity of Bob's key, she should request to see a number of Bob's "key certificates." If some of the issuing "CAs" of these certificates are "known" by Alice "to some extent," then she gains a certain level of authenticity about Bob's public key. Alice can demand Bob to provide more "certificates" until she is satisfied with the level of trust.
13.2.3.3 Simple Public Key Infrastructure (SPKI)
The X.509 public-key certification framework can be viewed as a global online telephone book. Each individual user occupies an entry in it and therefore the entry subject name in each user's certificate (see Example 13.1) must be a globally distinguished name. Such an authentication framework seems quite adequate for the early years of applications of public-key cryptography: secure communications in terms of confidentiality (i.e., against eavesdropping): the recipient of a confidential message should be uniquely identified together with her/his key.
Since the 1990s, applications of public-key cryptography have become much wider, including electronic commerce, remote access and actions (see a list of applications in the Preface). Ellison et al. consider that for the newly emerged applications, a globally distinguished name with a key bound to it becomes inadequate [103]. What an application needs to do, when given a public-key certificate, is to answer the question of whether the remote key holder is permitted some access, or some authorized action. That application must make a decision. The data needed for that decision is almost never the spelling of a key holder's name. Instead, the application needs to know if the key holder is authorized for some access. This should be the primary job of a public-key certificate.

Ellison et al. also consider that the original X.500 plan is unlikely ever to come to fruition. Collections of directory entries (such as employee lists, customer lists, contact lists, etc.) are considered valuable or even confidential by those owning the lists and are not likely to be released to the world in the form of an X.500 directory sub-tree. For an extreme example, they imagine the CIA adding its directory of agents to a world-wide X.500 pool; how can this be possible? The X.500 idea of a distinguished name (a single, globally unique name that everyone could use when referring to an entity) is also not likely to occur. That idea requires a single, global naming discipline, and there are too many entities already in the business of defining names not under a single discipline. Legacy therefore militates against such an idea.
Ellison et al. propose a directory-based public-key certification framework named SPKI (which stands for "Simple Public Key Infrastructure") [103]. It is also a tree-structured framework, similar to an X.509 key certification framework. However, its naming convention includes a person's usual name and a hash of the public key value. For example:
(name (hash sha1 |TLCgPLFlGTzgUbcaYLW8kGTEnUk=|) jim therese)
is the proper SPKI name for the person whose usual name is "Jim Therese." Here, the use of the SHA-1 hash of a public key makes the SPKI name globally uniquely identifiable, even though there may be many "Jim Thereses."
This naming method is suggested by Rivest and Lampson in SDSI [245] (which stands for "A Simple Distributed Security Infrastructure"). SDSI features localization naming rules. These features also aim to make a decentralized authentication and authorization framework. Thus, an SPKI name is also called an SDSI name.
SPKI also considers "authorization" and "delegation" entries which carry authorization and delegation information. A piece of authorization information can be an authorization description which is bound to a public key. Thus, a certificate can directly show to an application whether or not the requester is authorized to perform an action. The delegation information describes the requester's power to delegate authorization to another person. We may say that SPKI extends the X.509 authentication framework to one with authorization and delegation features. At the heart of the authorization scheme of SPKI is the use of LISP-like S-expressions (LISP is a programming language) proposed by Rivest [244]. As an example, the S-expression

(object document (attributes (name *.doc) (loc Belgium))
(op read) (principals (users OrgEU)))
might express the authorization of all users in OrgEU to read objects of type document which have names postfixed .doc and are located in Belgium.
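A parser for the S-expression syntax of the two SPKI examples above, the construction of an SPKI/SDSI name from a public key, and a deny-by-default check of an (object ...) authorization against a request. This is an added example, not the SPKI reference code: the key bytes and the group membership are constructed, and reading *.doc as a shell-style wildcard is an assumption.

```python
import base64
import hashlib
from fnmatch import fnmatchcase

def parse_sexpr(text):
    """Parse the whitespace-separated S-expression syntax of the SPKI examples
    into nested Python lists; |...| tokens are kept verbatim as atoms."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    stack, current = [], []
    for tok in tokens:
        if tok == "(":
            stack.append(current)
            current = []
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            finished, current = current, stack.pop()
            current.append(finished)
        else:
            current.append(tok)
    if stack or len(current) != 1:
        raise ValueError("malformed S-expression")
    return current[0]

def spki_name(public_key, *usual_name):
    """SPKI/SDSI name: the SHA-1 hash of the public key bytes (base64 between
    vertical bars, as in the book's example) followed by the usual name."""
    h = base64.b64encode(hashlib.sha1(public_key).digest()).decode()
    return ["name", ["hash", "sha1", "|" + h + "|"], *usual_name]

def permits(auth, obj_type, attrs, op, principal, groups):
    """Does the (object ...) authorization `auth` allow `principal` to perform
    `op` on an object of type `obj_type` with attribute dict `attrs`?
    `groups` maps a group name to the set of its members. Deny by default:
    a missing or non-matching clause refuses the request."""
    if not (isinstance(auth, list) and auth[:2] == ["object", obj_type]):
        return False
    clauses = {c[0]: c[1:] for c in auth[2:] if isinstance(c, list) and c}
    for clause in clauses.get("attributes", []):
        if (len(clause) != 2 or clause[0] not in attrs
                or not fnmatchcase(str(attrs[clause[0]]), clause[1])):
            return False
    if op not in clauses.get("op", []):
        return False
    for item in clauses.get("principals", []):
        if len(item) == 2 and item[0] == "users" and principal in groups.get(item[1], set()):
            return True
    return False
```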
PolicyMaker [40] is another proposal which considers authorization and policy issues in an authentication framework. PolicyMaker features the description of a certificate holder's role and the role-based policy.
13.2.4 Protocols Associated with X.509 Public-key Authentication Infrastructure
There are several protocols for processing practical necessities in the X.509 Public-key Authentication Infrastructure. They are:

Certificate Management Protocol (CMP) [7, 208]. This protocol supports online interactions between Public Key Infrastructure (PKI) components. For example, a management protocol might be used between a Certification Authority (CA) and a client system with which a key pair is associated, or between two CAs that issue cross-certificates for each other. These interactions are needed when, e.g., an entity (either end-entity or CA) is required to prove the possession of a private key upon its request for key certification or key update.

Online Certificate Status Protocol (OCSP) [207]. This protocol enables applications to determine the (revocation) state of an identified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.

Internet X.509 Public Key Infrastructure Time Stamp Protocols [6]. This protocol consists of a request sent to a Time Stamping Authority (TSA) and of the response that is returned. It also establishes several security-relevant requirements for TSA operation, with regard to processing requests to generate responses. Non-repudiation services require the ability to establish the existence of data before specified times. This protocol may be used as a building block to support such services.

Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP [140]. This is a specification of protocol conventions for PKI to use the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) to obtain certificates and certificate revocation lists (CRLs) from PKI repositories.

These protocols are developed as standards under the IETF standardization body "the Public-Key

Infrastructure X.509 Working Group" (the PKIX Working Group). We shall not describe the details of these protocols. Interested readers should visit the PKIX Working Group's web page:
http://www.ietf.org/html.charters/pkix-charter.html
where documents describing these protocols (the references cited above) can be downloaded.

13.3 Non-Directory Based Public-key Authentication Framework
The key generation procedure in (13.1.1), in the usual sense of public-key cryptography, renders all public keys random. Consequently, it is necessary to associate a public key with the identity information of its owner in an authentic manner. We have seen that such an association can be realized by a public-key authentication framework: a tree-like hierarchical public-key certification infrastructure (e.g., the X.509 certification framework, see 13.2.3). However, to establish and maintain a tree hierarchy, a PKI incurs a non-trivial level of system complexity and cost. It has long been desired that the standard public-key authentication framework be simplified.
It is reasonable to think that, if public keys are not random-looking, then the system complexity and the cost of establishing and maintaining the public-key authentication framework may be reduced. Imagine that a public key of a principal is self-evidently associated with the principal's identity information, such as name, affiliation plus electronic and postal mail addresses; then in essence there is no need to authenticate a public key. Indeed, our postal mail systems work properly this way.
Shamir pioneers a public-key cryptosystem in an unusual sense [260]. It enables a great deal of reduction in the system complexity for key authentication: in essence, to one similar to that of a postal mail system. In his unusual public-key cryptosystem, the key generation procedure has the following step
Equation 13.3.1
This key generation step takes the opposite direction to the key generation step for the usual sense of public-key cryptosystems, see (13.1.1). Of course, in order for a so-computed private key to be kept secret, the computation must not be public: it is restricted to a privileged principal (a trusted authority, TA). TA exclusively possesses the secret key master-key in order to be able to perform the computation in (13.3.1). Now that public-key is an input to the key generation procedure, any bit string can be public-key! Since using identity information as a public key can greatly reduce the complexity of public-key authentication, Shamir suggested that the public keys in his novel public-key cryptosystem be chosen as users' identities, and thus he named his scheme identity-based public-key cryptography.
It is obvious that the key generation procedure in (13.3.1) is a service offered by TA to system-wide users. The service is essentially an authentication one: the private key that TA creates for a principal in connection with her/his ID as public key provides the key owner with a credential for her/his ID-based public key to be recognized and used by other users in the system. Before creating a private key for a principal, TA should conduct a thorough check of the identity information of the principal. This check should include some physical (i.e., non-cryptographic) means of identification. Also, TA has to be satisfied that the identity information supplied by the principal can uniquely pinpoint the principal. A similar identification check is necessary before a CA issues a public-key certificate to a principal (see 13.2.1).
Now that users' private keys are generated by TA, they have to trust TA absolutely, completely and unconditionally: namely, they must not feel uncomfortable with the situation that TA can

read all of their private communications or forge all of their signatures. Therefore, ID-based cryptography should only be suitable for applications where an unconditional trust is acceptable to the users. In an organizational environment in which the employer has complete ownership of the information communicated to and from the employees, the employer can play the role of TA. It is however possible that TA represents a plural number of entities who collectively compute (13.3.1) for a user. Privacy intrusion then must be done collectively by these entities. This collective basis of trust is more acceptable. We will see such a technique in 13.3.7.1.
With a principal's uniquely identifiable identity being directly used as her/his public key, during the use of an ID-based public-key cryptosystem there is no need for the user to establish a key channel; namely, the "key channels" in Figures 7.1 and 10.1 are no longer needed. Moreover, k_e in Figure 7.1 and k_v in Figure 10.1 can be replaced with a string of a piece of self-evident information, for example, a globally distinguishable identity.
13.3.1 Shamir's ID-Based Signature Scheme
In Shamir's ID-based signature scheme there are four algorithms:
Setup: this algorithm is operated by TA (from now on let us call TA Trent) to generate global system parameters and master-key.
User-key-generate: this algorithm (also operated by Trent), inputting master-key and an arbitrary bit string id ∈ {0, 1}*, outputs private-key which corresponds to id; this is an instantiation of (13.3.1).
Sign: a signature generation algorithm; inputting a message and the signer's private key, it outputs a signature.
Verify: a signature verification algorithm; inputting a message-signature pair and id, it outputs True or False.
Alg 13.1 specifies Shamir's ID-based signature scheme.
We now show that the system specified in Alg 13.1 is indeed a signature scheme.
A True case in a signature verification shows that Alice has in her possession both ID · t^{h(t||M)} and its unique e-th root modulo N (which is s; the uniqueness is guaranteed by the fact gcd(e, φ(N)) = 1).
The construction of ID · t^{h(t||M)} need not be a difficult job. For example, one can choose a random t, construct h(t||M), then compute t^{h(t||M)} (mod N) and lastly multiply ID into the result.
However, because the value so constructed is recognizable due to the involvement of a cryptographic hash function in the construction, it should be difficult to extract the e-th root of a so-constructed value. It is therefore assumed that Alice should have in her possession the e-th root of ID, which is her private key issued by Trent, and should have used the private key in the construction of the signature pair.
However, we have not provided a formal and strong argument for the unforgeability of Shamir's ID-based signature scheme. Because the difficulty of signature forgery is related to that of constructing ID · t^{h(t||M)} (mod N) and finding its e-th root modulo N, the difficulty must certainly be related to the details of the hash function used (in addition to the RSA problem). Similar to the situation of providing security proofs for other digital signature schemes, a rigorous argument on the security of Shamir's ID-based signature scheme requires a formal model of the behavior of the hash function h. Such a model will be given in a later chapter.

Algorithm 13.1: Shamir's Identity-based Signature Scheme
Setup of System Parameters
Trent sets up:
1. N: the product of two large primes;
2. e: an integer satisfying gcd(e, φ(N)) = 1;
(* (N, e) are public parameters for use by the system-wide users *)
3. d: an integer satisfying ed ≡ 1 (mod φ(N));
(* d is Trent's master-key *)
4. h;
(* h is a strong one-way hash function *)
Trent keeps d as the system private key (master-key), and publicizes the system parameters (N, e, h).
User Key Generation
Let ID denote user Alice's uniquely identifiable identity. Having performed physical identification of Alice and made sure of the uniqueness of ID, Trent's key generation service is
Signature Generation
To sign a message M ∈ {0, 1}*, Alice chooses , and computes
The signature is the pair (s, t).
Signature Verification
Given the message M and the signature (s, t), Bob uses Alice's identity ID to verify the signature as follows:
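As an added illustration (example code, not the book's own), here is a toy Python implementation of Algorithm 13.1 built around the verification relation the text relies on, s^e ≡ ID · t^{h(t||M)} (mod N); the signing equations t = r^e and s = g · r^{h(t||M)} (mod N) are the standard ones of Shamir's scheme, and the tiny primes, the SHA-256 instantiation of h, and the identities and messages are constructed assumptions. The demo also exercises the point made in 13.3.2: Trent, holding d, can re-derive any user's private key.

```python
"""Toy implementation of Shamir's identity-based signature scheme (Alg 13.1).

Constructed example: the primes are tiny so it runs instantly; a real
deployment needs an RSA modulus of secure size. h is instantiated with SHA-256.
"""
import hashlib
import math
import secrets

P_TOY, Q_TOY = 1019, 1031   # constructed toy primes (NOT a secure size)


def setup(p=P_TOY, q=Q_TOY, e=65537):
    """Trent's setup: public parameters (N, e) and the master-key d."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1       # makes e-th roots modulo N unique
    d = pow(e, -1, phi)                # ed = 1 (mod phi(N))
    return (n, e), d


def h(t: int, msg: bytes) -> int:
    """Strong one-way hash h(t || M), read as an integer exponent."""
    t_bytes = t.to_bytes((t.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(t_bytes + b"||" + msg).digest(), "big")


def identity_to_int(identity: str, n: int) -> int:
    """Map a globally distinguishable identity string to ID modulo N."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % n


def user_key_generate(params, d: int, identity: str) -> int:
    """Trent's service: private key g = ID^d mod N, the e-th root of ID."""
    n, _ = params
    return pow(identity_to_int(identity, n), d, n)


def sign(params, g: int, msg: bytes):
    """Sign M with g: pick random r, t = r^e, s = g * r^{h(t||M)} (mod N)."""
    n, e = params
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    t = pow(r, e, n)
    s = (g * pow(r, h(t, msg), n)) % n
    return s, t


def verify(params, identity: str, msg: bytes, sig) -> bool:
    """True iff s^e == ID * t^{h(t||M)} (mod N), i.e. s is the e-th root."""
    n, e = params
    s, t = sig
    if not (0 < s < n and 0 < t < n):
        return False
    lhs = pow(s, e, n)
    rhs = (identity_to_int(identity, n) * pow(t, h(t, msg), n)) % n
    return lhs == rhs


def demo():
    """Honest signing, two rejected verifications, and Trent's escrow power."""
    params, master_key = setup()
    alice = "alice@example.com"                       # constructed identity
    g_alice = user_key_generate(params, master_key, alice)
    msg = b"transfer 100 to bob"                      # constructed message
    sig = sign(params, g_alice, msg)
    ok = verify(params, alice, msg, sig)
    tampered = verify(params, alice, b"transfer 900 to bob", sig)
    wrong_id = verify(params, "mallory@example.com", msg, sig)
    # Key escrow: Trent holds d and can re-derive any user's private key, so a
    # signature made by Trent verifies exactly like Alice's own (see 13.3.2).
    trent_sig = sign(params, user_key_generate(params, master_key, alice), msg)
    trent_forgery = verify(params, alice, msg, trent_sig)
    return ok, tampered, wrong_id, trent_forgery


if __name__ == "__main__":
    print(demo())   # (True, False, False, True)
```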

13.3.2 What Exactly does ID-Based Cryptography Offer?
In public-key cryptography in the usual sense, for Bob to verify a signature of Alice using her public key, Bob should also verify, separately, the authenticity of Alice's public key, e.g., by verifying her key certificate (which links Alice's public key with her identity). Namely, Bob should make sure that the key channel from and to Alice has been properly established (see Fig 10.1).
It is interesting to realize that in an ID-based signature scheme, there is no need for Bob to perform a separate verification of the proper establishment of a key channel. Here, a True case in a signature verification shows Bob two things at the same time:
the signature has been created by Alice using her private key which is behind her ID; and
her ID has been certified by Trent, and it is the result of Trent's certification of her ID that has enabled Alice to create the signature.
Being able to simultaneously verify these two things in one go is a nice feature offered by an ID-based signature scheme. Being able to avoid transmitting a certificate from the signer to the verifier also saves communication bandwidth. This feature also brands ID-based cryptography with another name: non-interactive public key cryptography. We will see in a moment that the non-interaction property will make better sense in an ID-based encryption system.
Finally we must recap and remember that Trent can forge any user's signature! Therefore, Shamir's ID-based signature scheme is not suitable for applications in an open system environment. Rather, it is more suitable for those in a closed system in which Trent has legitimate ownership of all information in the whole system. This is unfortunately a very restrictive setting.
A challenging open problem is to design an ID-based signature scheme which is free from this restrictive setting. Another open problem is to design an ID-based signature scheme which features non-interactive key revocation. Key revocation is necessary when a user's private key is compromised.
It seems that without having these two open problems solved, an ID-based signature scheme will have rather limited applications. We shall see in the remainder of this chapter that one of these two problems, freedom from the need for absolute trust in Trent, can be solved for an ID-based encryption scheme.
13.3.3 Self-certified Public Keys
Let (s, P) be a pair of secret and public keys, respectively. A public-key authentication framework is to provide a key pair with a guarantee G which links P to an identity I.
In a directory-based public-key authentication framework (e.g., X.509, which we have seen in Example 13.1), the guarantee G takes the form of a digital signature of the pair (I, P), which is computed and delivered by a certification authority CA. The authentication framework is organized by items of four distinct attributes: (s, I, P, G). Three of them, (I, P, G), are public

and should be available in a public directory. When a principal needs an authenticated copy of I's public key, it gets the public triple (I, P, G), checks G using CA's public key, and afterwards makes use of P to authenticate this user.
In an identity-based authentication framework (e.g., Shamir's scheme in 13.3.1), the public key is nothing but the identity I. So P = I and the authentication framework is organized by items of two attributes: (s, I). As we have seen in 13.3.1, when a principal needs to authenticate I's public key I, it has to verify a signature; a True answer confirms the authenticity of the public key I. Therefore, the guarantee is nothing but the secret key itself, i.e., G = s.
Girault proposes a scheme for a public-key authentication framework which is intermediate between a certificate-based scheme and an identity-based one [122, 121]. In Girault's scheme, the guarantee is equal to the public key, i.e., G = P, which therefore may be said to be self-certified, and each user has three attributes: (s, P, I). In Girault's scheme, a user's private key can be chosen by the user.
13.3.3.1 Girault's Scheme
Girault's scheme still needs a trusted authority TA (let it be Trent), who sets up the system parameters and helps an individual user to set up her/his key attributes.
13.3.3.2 System Key Material
Trent generates RSA key material as follows:
1. a public modulus N = PQ where P, Q are large primes of roughly equal size, e.g., |P| = |Q| = 512;
2. a public exponent e co-prime to φ(N) = (P − 1)(Q − 1);
3. a secret exponent d satisfying ed ≡ 1 (mod φ(N));
4. a public element g which has the maximum multiplicative order modulo N; to compute g, Trent can find g_P as a generator modulo P and g_Q as a generator modulo Q, and can then construct g by applying the Chinese Remainder Theorem (Theorem 6.7 in 6.2.3).
Trent publicizes the system public key material (N, e, g), and keeps the system secret key material d securely.
13.3.3.3 User Key Material
Alice randomly chooses a secret key s_A which is a 160-bit integer, computes v from s_A and gives v to Trent. Then she proves to Trent that she knows s_A without revealing it, by using a simple protocol to be described in 13.3.3.4. Alice also sends her identity I_A to Trent.

Trent creates Alice's public key as the raw RSA signature of the value v − I_A:
Trent sends P_A to Alice as part of her public key. So the following equation holds:
Equation 13.3.2
At first sight, in this key setup, because both P_A and v are random elements modulo N, it seems that making equation (13.3.2) hold is not a difficult job. For example, Alice can pick P_A at random and compute v from P_A and I_A using (13.3.2). However, if v is computed this way, then Alice should not be able to know its discrete logarithm to the base g modulo N.
It is Alice's capability to demonstrate her possession of the discrete logarithm of v to the base g modulo N, i.e., the value s_A, that will provide the guarantee that P_A has been issued by Trent.
The simplest way to achieve this demonstration is by using a variation of the Diffie-Hellman key exchange protocol to be described in 13.3.3.4.
13.3.3.4 Key Exchange Protocol
Let (s_A, P_A, I_A) be Alice's public key material, and (s_B, P_B, I_B) be Bob's public key material. They can simply exchange an authenticated key by agreeing:
In this key agreement, Alice computes the shared key (mod N) from her secret s_A and Bob computes it (mod N) from his secret s_B. Therefore it is indeed the Diffie-Hellman key agreement protocol. If the two parties can agree on the same key, then they know that the other end has proved her/his identity.
Girault also proposes an identity-based identification protocol and an identity-based signature scheme which is in the style of the ElGamal signature scheme [122].
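An added toy implementation (example code, not the book's or Girault's own) of the system key material in 13.3.3.2, the user key material in 13.3.3.3 and the key agreement of 13.3.3.4. It assumes the standard formulation of Girault's scheme: v = g^{s_A} mod N, P_A = (v − I_A)^d mod N so that P_A^e + I_A ≡ g^{s_A} (mod N), and shared key (P_B^e + I_B)^{s_A} = g^{s_A s_B} (mod N); the tiny primes, the SHA-256 encoding of identities and the identities themselves are constructed, and g is assembled from generators modulo P and Q by the CRT as step 4 describes.

```python
"""Toy implementation of Girault's self-certified public keys (13.3.3) and the
key agreement of 13.3.3.4. Tiny constructed primes; formulas for v, P_A and
the shared key follow the standard statement of Girault's scheme."""
import hashlib
import math
import secrets

P_TOY, Q_TOY = 1019, 1031   # constructed toy primes (NOT a secure size)


def prime_factors(m: int) -> set:
    """Distinct prime factors of m by trial division (fine at toy sizes)."""
    out, f = set(), 2
    while f * f <= m:
        while m % f == 0:
            out.add(f)
            m //= f
        f += 1
    if m > 1:
        out.add(m)
    return out


def find_generator(p: int) -> int:
    """Smallest generator of the multiplicative group modulo the prime p."""
    facs = prime_factors(p - 1)
    for cand in range(2, p):
        if all(pow(cand, (p - 1) // f, p) != 1 for f in facs):
            return cand
    raise ValueError("no generator found")


def trent_setup(p=P_TOY, q=Q_TOY, e=65537):
    """Public material (N, e, g) and secret d. g is assembled from generators
    modulo P and Q by the CRT, so its order modulo N is lcm(P-1, Q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    d = pow(e, -1, phi)
    gp, gq = find_generator(p), find_generator(q)
    g = (gp + p * (((gq - gp) * pow(p, -1, q)) % q)) % n   # g = gp (mod p), g = gq (mod q)
    return (n, e, g), d


def identity_to_int(identity: str, n: int) -> int:
    """Encode the identity string I as an integer modulo N."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % n


def user_choose_secret(pub):
    """User side: pick a 160-bit s and compute v = g^s mod N; s stays private."""
    n, _, g = pub
    s = secrets.randbits(160) | 1
    return s, pow(g, s, n)


def trent_certify(pub, d: int, v: int, identity: str):
    """Trent: P = (v - I)^d mod N, a raw RSA signature on v - I."""
    n, _, _ = pub
    i = identity_to_int(identity, n)
    return pow((v - i) % n, d, n), i


def recover_v(pub, p_user: int, i_user: int) -> int:
    """Equation 13.3.2: P^e + I = g^s (mod N). Needs BOTH P and I."""
    n, e, _ = pub
    return (pow(p_user, e, n) + i_user) % n


def agree_key(pub, my_secret: int, peer_p: int, peer_i: int) -> int:
    """Shared key (P_peer^e + I_peer)^{s_mine} = g^{s_A s_B} (mod N)."""
    n, _, _ = pub
    return pow(recover_v(pub, peer_p, peer_i), my_secret, n)


def demo():
    """Returns (13.3.2 holds, keys agree, key with a wrong identity agrees)."""
    pub, d = trent_setup()
    s_a, v_a = user_choose_secret(pub)
    s_b, v_b = user_choose_secret(pub)
    p_a, i_a = trent_certify(pub, d, v_a, "alice@example.com")   # constructed IDs
    p_b, i_b = trent_certify(pub, d, v_b, "bob@example.com")
    eq_holds = recover_v(pub, p_a, i_a) == v_a
    k_alice = agree_key(pub, s_a, p_b, i_b)
    k_bob = agree_key(pub, s_b, p_a, i_a)
    # P_A was issued for Alice's identity only: pairing it with another identity
    # recovers a different v, so the two ends no longer derive the same key.
    i_wrong = identity_to_int("mallory@example.com", pub[0])
    k_wrong = agree_key(pub, s_b, p_a, i_wrong)
    return eq_holds, k_alice == k_bob, k_wrong == k_alice


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The verifier needs both P and I to recover g^s, which is exactly the extra communication step discussed in 13.3.3.5.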
13.3.3.5 Discussions
The self-certified public keys of Girault share one feature of Shamir's identity-based scheme: freedom from verifying an additional key certificate issued by a trusted third party to a key owner. The verification is implicit and is done at the same time as verifying the key owner's cryptographic capability.
However, the verifier needs a separate public key in addition to an identity, i.e., P in addition to

I, and the former cannot be derived from the latter by the verifier. This means that the verifier has to ask the key owner to send the public key over before using it. This is an additional step of communication. Therefore, Girault's self-certified public keys cannot be considered as non-interactive public key cryptography (review our discussion on this point in 13.3.2). This is a drawback of self-certified public keys.
13.3.4 Identity-Based Public-key Cryptosystems from Pairings on "Weak" Elliptic Curves
Shamir's original ID-based public-key cryptosystem is a digital signature scheme. He also conjectured the existence of ID-based encryption systems. After Shamir's posing of the problem in 1984, several ID-based cryptosystems have been proposed [251, 51, 78, 141, 191, 289, 287].
Sakai, Ohgishi and Kasahara [251] and Joux [154] independently pioneered the idea of utilizing a special property of a pairing-mapping function which works on an abelian group formed by points on an elliptic curve (see 5.5). The work of Sakai, Ohgishi and Kasahara [251] is a marvelous application of a previous cryptanalysis result (to be explained in 13.3.4.1) which makes Shamir's conjecture a practical reality. Independently, the work of Joux [154] uses the same technique to achieve another fascinating application: one-round three-party Diffie-Hellman key sharing (Joux names it "tripartite Diffie-Hellman").
The independent applications of the pairing technique by Sakai, Ohgishi and Kasahara [251] and by Joux [154] not only achieve things which previously no one knew how to do; more importantly, they turn a previous cryptanalysis result of Menezes, Okamoto and Vanstone [197] into positive applications. Their seminal works gave rise to a resurgence of interest in identity-based cryptography after the year 2000.
The special property utilized by Sakai et al. [251] and Joux [154] is the following. In a "weak" elliptic curve group in which a "pairing-mapping" can be efficiently computed, the decisional Diffie-Hellman problem (DDH problem) is easy while its computational counterpart remains difficult. Let us first study the weak cases of elliptic curves and the related easy DDH problem. After this study we will then introduce these two pairing-based key agreement schemes.
13.3.4.1 A "Weak" Class of Elliptic Curves
Menezes, Okamoto and Vanstone [197] show that for a special class of elliptic curves defined over finite fields, there exists an efficient algorithm to "map-in-pair" two points on the curve to a "non-degenerated" (i.e., not a multiplicative unity) finite field element. The special curves are called supersingular curves; they satisfy that t in (5.5.6) is divisible by the characteristic of the field (we confine our description to the easy case of the field characteristic greater than 3).
In this case (i.e., t in (5.5.6) is divisible by the characteristic of the field), for some (large) prime number, a curve defined over an extension of the field contains many points of that prime order, that is, points P for which scalar multiplication of P by that prime gives O (if necessary, review 5.5). The group is non-cyclic, and hence many of these prime-order points are "linearly independent" of one another; that is, for P, Q being two linearly independent points of that (prime) order, P ≠ [a]Q and Q ≠ [b]P for any integers a, b (in other words, P is not in the subgroup generated by Q, and Q is not in the subgroup generated by P). For this prime, the field extension also has a unique subgroup of that order (since the multiplicative group of the extension field is cyclic, see Theorem 5.2).

Menezes, Okamoto and Vanstone [197] show that a 1-1 onto and operation-preserving mapping (i.e., an isomorphism) is available between a subgroup of that prime order on the curve and the subgroup of the same order in the extension field. Moreover, the field extension is a small one: e ≤ 6. The smallness of the field extension is very important! We shall return to this point in a moment.
The isomorphism used by Menezes, Okamoto and Vanstone is called the Weil pairing. The Weil pairing takes two points in prime-order subgroups of the curve to an element in the extension field. From the viewpoint of the mapping being an isomorphism between two groups of that prime order, we should really view one of the two "mapped from" points as related to a fixed constant (i.e., only one of the two points is a variable in a prime-order group on the curve). Let X be a fixed point of that prime order ("the fixed constant"). We denote the Weil pairing by e_X(P, Q), where either P or Q lies in the subgroup generated by X. In this notation, e_X(P, Q) is a root of unity of that prime order, i.e., an element of that order in the extension field, if and only if P and Q have that prime order and they are linearly independent (for example, only one of P and Q is in the subgroup generated by X).
Denote by G_1 a subgroup of that prime order on the curve with elements in it (apart from O) linearly independent from "the fixed constant" X (such a subgroup exists unless the curve group is cyclic, and then the curve is non-supersingular), and by G_2 the subgroup of that order in the extension field generated by e_X(P, X). Then we know #G_1 = #G_2, both equal to that prime.
These two subgroups are isomorphic under the Weil pairing. Notice that even though G_1 is an additive group of the points on a supersingular elliptic curve and G_2 a multiplicative subgroup of a finite field, under the isomorphism these two algebraic structures have no essential difference.
The Weil pairing satisfies the following properties:
Property 13.1: The Weil Pairing Properties. Let (G_1, +), (G_2, ·) be two prime-order isomorphic abelian groups under the Weil pairing e_X. The pairing has the following properties:
Identity: for all P ∈ G_1:
Bilinearity: for all P, Q ∈ G_1:
Non-degeneracy: for all P ∈ G_1 with P ≠ O (hence P and X are linearly independent):

Practical Efficiency: for all P ∈ G_1 and R in the subgroup generated by X, e_X(P, R) and e_X(R, P) are practically efficiently computable.
Notice that by bilinearity we have
Further, by non-degeneracy we know that, as long as the exponent is non-zero modulo the group order, the above "pairing mapped" result is not the unity of G_2, i.e., it is not an uninteresting element in G_2.
These properties of the Weil pairing enable a profound reduction, called the MOV reduction, from the difficulty of the elliptic curve discrete logarithm problem (ECDLP, defined in §5.5.3) to that of the discrete logarithm problem in finite fields. To apply the MOV reduction to the ECDLP on a given pair of points (P, [n]P), we can compute the two Weil pairings e_X(P, X) and e_X([n]P, X) and notice
Equation 13.3.3
So this pair of pairing values in G_2 provides a discrete logarithm problem in the multiplicative group G_2 (hence in the finite field extension). We know that for the latter problem we have a subexponential solver with the time complexity expressed as sub_exp(q^e) (using q^e in place of q in the complexity expression (8.4.2)). Recall that we have discussed earlier that for supersingular curves, e ≤ 6. Therefore, the MOV reduction is a drastic one: it reduces a widely believed exponential problem (the ECDLP) into a subexponential one, sub_exp(q^e), with e not exceeding 6.
Considering that the progress of hardware computing technology will cause q to grow in size, the parameter of a supersingular curve then has to grow in the same way as that of a finite field. In other words, the advantage of using elliptic curves in cryptography is gone. Therefore, after the cryptanalysis work of Menezes, Okamoto and Vanstone [197], it became a widely agreed convention that supersingular elliptic curves should be excluded from cryptographic use. They are weak curves.
Then why have we used the quoted form of "weak" in the title of this subsection? These curves have a newly discovered useful property which sent a shock wave through the research community. Let us first describe the decisional form of the Diffie-Hellman problem.
13.3.4.2 Decisional Diffie-Hellman Problem
In Definition 8.1 (in §8.4) we have introduced the CDH problem (the computational version of the Diffie-Hellman problem). The decisional version of the problem is given below in Definition 13.1.

Definition 13.1: Decisional Diffie-Hellman Problem (DDH Problem)
INPUT: desc(G): the description of an abelian group G; (g, g^a, g^b, g^c) ∈ G^4 where g is a generator of the group G;
OUTPUT: YES if ab ≡ c (mod #G).
The DDH problem cannot be harder than the CDH problem. If there exists a CDH problem solver (such an assumed solver is usually called an oracle), then on inputting (g, g^a, g^b, g^c), the oracle can find g^(ab) from the first three elements in the input, and thus can answer the DDH problem by checking whether or not the output from the CDH oracle is equal to g^c.
However, in the general case of abelian groups we do not know for sure anything more than this relation between these two problems. Moreover, we do not know any efficient algorithm to solve the DDH problem. The difficulty of answering the DDH problem has rendered the problem a standard and widely accepted intractability assumption (to be described in Assumption 14.2) underlying the security of many cryptographic systems, e.g., [20, 58, 84, 209, 283].
Now for the special case of supersingular elliptic curves, we know the following newly discovered fact: the DDH problem is easy. This was identified by Joux and Nguyen [155]. Before we explain the fact, we need to translate the problem (and the CDH, DL problems) into the additive form, since the elliptic curve groups are written additively.
The Discrete Logarithm (DL) Problem in (G, +)
INPUT: Two elements P, Q ∈ G with P being a group generator;
OUTPUT: Integer a such that Q = aP.
The Computational Diffie-Hellman (CDH) Problem in (G, +)
INPUT: Three elements P, aP, bP ∈ G with P being a group generator;
OUTPUT: Element (ab)P ∈ G.
The Decisional Diffie-Hellman (DDH) Problem in (G, +)
INPUT: Four elements P, aP, bP, cP ∈ G with P being a group generator;
OUTPUT: YES iff c ≡ ab (mod #G).
13.3.4.3 "Weak" Curves Enable Easy Decisional Diffie-Hellman Problem
The identity property of the Weil pairing (see Property 13.1) is somewhat awkward. It means that for P, Q in G_1 (and so Q = [a]P for some integer a), the pairing e_X(P, Q) = e_X(P, P)^a = 1^a = 1.
In order to obtain a non-degenerated mapped result, another point X of the same prime order which is linearly independent from the elements in G_1 has to be found. This is a big limitation for the Weil pairing to be directly used in positive cryptographic applications.
Verheul [296] engineers what he names a "distortion map" method. A distortion map is a modification on the coordinates of a curve point (the modification is done in the underlying field extension). Call the modified point the distorted image of P. For P being a point in the curve group over the extension field, its distorted image is still a point in that group, of the same order (torsion), as long as P has an order greater than 3. What is more important is that P and its distorted image are linearly independent. Under a distortion map, the Weil pairing is modified to
Clearly now, e(P, P) ≠ 1 since P and its distorted image are linearly independent. Moreover, for P, Q ∈ G_1, we further have the following symmetric property for the modified Weil pairing:
Equation 13.3.4
Now consider the DDH problem in group G_1. To answer whether a quadruple (P, [a]P, [b]P, [c]P) is a DH quadruple, we compute the pairings e(P, [c]P) and e([a]P, [b]P). Noticing the bilinear expansion of these two pairings and e(P, P) ≠ 1, the quadruple is a DH one if and only if the two pairings are equal, i.e., if and only if ab ≡ c (mod #G_1). With the practical efficiency property of the modified Weil pairing, this decisional question can be efficiently answered.
This important observation made by Joux and Nguyen [155] enables many interesting new cryptographic usages of supersingular elliptic curves. ID-based cryptography is a prominent one of them. These new usages are based on a fact and an intractability assumption which we have discussed so far, which are summarized here:
Fact (The DDH Problem is easy)
The DDH problem in a supersingular elliptic curve group can be efficiently answered using the Weil pairing algorithm.
Assumption (CDH, DL Problems remain hard)
The CDH problem (and hence the DL problem) in supersingular elliptic curve groups remains hard by a suitable choice of the size of an elliptic curve. For a curve E(F_q), the difficulty can be expressed as sub_exp(q^e) for e ≤ 6.
In the assumption "CDH, DL problems remain hard," the complexity expression sub_exp(q^e) follows the effect of the MOV reduction and the subexponential algorithm for solving the discrete logarithm in finite fields. Thus, we now have to use an enlarged security parameter (the size of the curve) for a supersingular curve in comparison with general curves. The enlarged security parameter should be one such that sub_exp(q^e) is an infeasible quantity. So, in order to make use of the newly discovered mathematical property of supersingular elliptic curves (the positive applications to be presented in §13.3.5 to §13.3.7), we choose to sacrifice the efficiency which is the original advantage of elliptic curves over finite fields.
There are two kinds of pairing techniques: the modified Weil pairing which we have discussed, and the Tate pairing. The latter is more efficient. The details of the pairing algorithms are out of the scope of this book. The interested reader may study them from [51, 116]. In the remainder of this chapter we will always use the modified Weil pairing.
13.3.5 ID-based Non-interactive Key Sharing System of Sakai, Ohgishi and Kasahara
Like Shamir's ID-based signature scheme, the key sharing system of Sakai, Ohgishi and Kasahara [251] (SOK key sharing system) also needs a trusted authority TA (let it be named Trent) to operate a key setup center.
The SOK key sharing system has the following three components:
System Parameters Setup: Trent runs this algorithm to set up global system parameters and master-key;
User Key Generation: Trent runs this algorithm; on inputting master-key and an arbitrary bit string id ∈ {0, 1}*, this algorithm outputs private-key which corresponds to id; this is an instantiation of (13.3.1);
Key-Sharing-Scheme: Two end-users run this scheme in a non-interactive manner; for each end-user, the scheme takes in as input the private key of the end-user and the public key (id) of the intended communication partner; the scheme outputs a secret key shared between the two end-users.
These three components are realized by the following steps.
System Parameters Setup
Trent sets up the system parameters before opening a key generation center to offer the key generation service. In the generation of the system parameters, Trent performs:
1. Generate two groups (G_1, +), (G_2, ·) of prime order p and the modified Weil pairing[b] e : (G_1, +)^2 → (G_2, ·). Choose an arbitrary generator P ∈ G_1;
2. Pick a master key and set P_pub as [master-key]P;
3. Choose a cryptographically strong hash function f : {0, 1}* → G_1; this hash function is for mapping a user's id to an element in G_1.
Trent publishes the system parameters and their descriptions and keeps the master key as the system private key. Since Trent is assumed to be the system-wide well-known principal, the published system parameters will also be well known by all users in the system (for example, maybe these parameters will be hardwired into every application that uses this scheme).
Notice that the secrecy of the master key is protected by the difficulty of the DLP in G_1.
Trent now opens the key generation center.
[b] The original SOK key sharing system uses the unmodified Weil pairing, and is less convenient than the version presented here.
User Key Generation
Let ID_A denote user Alice's uniquely identifiable identity. We assume that ID_A contains a sufficient quantity of redundancy such that it is impossible for any other user in the system to also have ID_A as her/his identity. Having performed physical identification of Alice and made sure of the uniqueness of ID_A, Trent's key generation service is as follows:
1. Compute P_IDA as f(ID_A); this is an element in G_1, and is Alice's ID-based public key;
2. Set Alice's private key S_IDA as [master-key]P_IDA.
Notice that as a hashed value, P_IDA should look random. However, with ID_A containing sufficient recognizable (redundant) information and being the pre-image of P_IDA under the cryptographic hash function f, P_IDA is a recognizable element. Therefore, there is essentially no difference between viewing ID_A as Alice's public key and viewing P_IDA as Alice's public key.
We should also notice that Alice's private key is protected by the difficulty of the CDH problem in G_1; this is because P_IDA must be generated by P (a generator element of G_1) and so we can denote it by P_IDA = [a]P for some a < p; then from P, P_pub (= [master-key]P) and P_IDA (= [a]P), to find S_IDA (= [master-key]P_IDA) is clearly a CDH problem in G_1.
Key-Sharing-Scheme
For users Alice and Bob, ID_A and ID_B are their ID information which is known to one another. Therefore, the respective public keys P_A = f(ID_A) and P_B = f(ID_B) are known to one another, too.
Alice can generate a shared key K_AB ∈ (G_2, ·) by computing
Bob can generate a shared key K_BA ∈ (G_2, ·) by computing

Noticing the bilinear property of the pairing (Property 13.1), we have
Similarly,
Due to the symmetric property (13.3.4) of the modified Weil pairing, we have
So Alice and Bob can indeed share a secret even without interaction with one another.
For a party other than Alice, Bob and Trent, to find K_AB from the public data (P, P_IDA, P_IDB, P_pub) is a problem called the bilinear Diffie-Hellman problem [51]. It is essentially a CDH problem.
When Bob receives a message which is authenticated using K_AB, he knows exactly that Alice is the author of the message as long as he himself has not authored it. However, Alice, while showing the authorship to the designated verifier Bob, can deny her involvement in the communication in front of a third party since Bob has the same cryptographic capability to have constructed the message. One may consider a scenario in which Alice and Bob are spies. When they make contact, they must authenticate themselves to one another. However, Alice, as a double agent, may be worrying that Bob is a double agent too. Therefore, an authentication scheme for spies must have an absolutely deniable authentication property. The SOK key sharing system has precisely such a feature. It is a public-key based system, that is, the authentication needn't be based on an online trusted third party (like the one based on a shared secret which we have introduced in Chapter 2).
A more serious application scenario for the SOK key sharing system can be the Internet Key Exchange Protocol (IKE, introduced in the preceding chapter). The IKE Protocol has an authentication mode which has a "plausible deniability" feature (see §12.2.4). The absolute deniability feature of the key sharing system of Sakai et al. can provide an obviously better solution while keeping the protocol public-key based.
13.3.6 Tripartite Diffie-Hellman Key Agreement
Joux [154] applies the pairing technique and achieves key agreement among three parties in an astonishingly simple way. He names his protocol "tripartite Diffie-Hellman". Again, Joux's original protocol works in the Weil pairing and hence is less convenient for real application use (one has to construct linearly independent points). We introduce the version using a modified Weil pairing.

Let Alice construct her key agreement material P_A by computing
where P ∈ G_1 is a point of prime order on a supersingular elliptic curve, and a is an integer less than that order. Similarly, let the respective key agreement materials of Bob and Charlie be
for some integers b, c, likewise less than the order of P. The integers a, b, c are the secret keys of these parties, respectively.
The three parties exchange P_A, P_B and P_C, e.g., each announces its key agreement material in a public directory. Once this is done, they share the following key:
Alice computes the shared key by exponentiating the first pairing, Bob the second, and Charlie the third.
Without using the pairing technique, tripartite Diffie-Hellman key agreement cannot be achieved in a single round.
Of course, as in the original Diffie-Hellman key exchange protocol, this scheme does not have the authentication property.
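The one-round exchange just described, together with the consequence of its missing authentication property, as an added example (this is not code from the book). The bilinear map used here is a stand-in constructed for this example: G_1 is modelled as the additive group Z_R and e(a, b) = G^(a·b) in an order-R subgroup of Z_Q^*. It is bilinear and symmetric, which is all the protocol algebra relies on, but it is not a secure pairing (an element of Z_R is its own discrete logarithm), so it illustrates the message flow only. The parameters R, Q, G and the functions `keygen`, `shared_key`, `run_protocol` and `unauthenticated_substitution` are this example's own.

```python
"""One-round tripartite Diffie-Hellman (Joux) over a stand-in bilinear map.

Toy parameters, constructed for this example only:
  R = 101            prime order of G1 (modelled as Z_R, written additively) and of G2
  Q = 607            prime with R | Q - 1, so Z_Q^* has a unique subgroup of order R
  G = 64 = 2^6 % Q   generator of that order-R subgroup (G2)
  e(a, b) = G^(a*b) mod Q   bilinear, symmetric, non-degenerate; NOT a secure pairing
"""
import secrets

R, Q, G = 101, 607, 64


def pairing(a: int, b: int) -> int:
    """Stand-in for the modified Weil pairing e: G1 x G1 -> G2."""
    return pow(G, (a * b) % R, Q)


def keygen(P: int) -> tuple:
    """Pick a secret scalar x < R and publish the key agreement material [x]P."""
    x = secrets.randbelow(R - 1) + 1
    return x, (x * P) % R


def shared_key(my_secret: int, other1: int, other2: int) -> int:
    """K = e(other1, other2)^my_secret: pair the two other parties' materials,
    then exponentiate with one's own secret."""
    return pow(pairing(other1, other2), my_secret, Q)


def run_protocol(P: int = 7) -> tuple:
    """Single round: everyone announces P_A, P_B, P_C (e.g. to a public directory);
    each party then derives the same K = e(P, P)^(abc) without further messages."""
    a, P_A = keygen(P)
    b, P_B = keygen(P)
    c, P_C = keygen(P)
    k_alice = shared_key(a, P_B, P_C)
    k_bob = shared_key(b, P_A, P_C)
    k_charlie = shared_key(c, P_A, P_B)
    return k_alice, k_bob, k_charlie


def unauthenticated_substitution(P: int = 7) -> tuple:
    """The materials are not authenticated. If Mallory replaces Bob's P_B, as seen
    by Alice, with her own P_M = [m]P, Alice's 'group key' e(P_M, P_C)^a equals
    e(P_A, P_C)^m, which Mallory computes from the public P_A, P_C and her own m."""
    a, P_A = keygen(P)
    _, P_C = keygen(P)
    m, P_M = keygen(P)
    k_alice = shared_key(a, P_M, P_C)     # Alice believes P_M came from Bob
    k_mallory = shared_key(m, P_A, P_C)
    return k_alice, k_mallory


if __name__ == "__main__":
    print("honest run, three keys:", run_protocol())
    print("Alice vs Mallory after substitution:", unauthenticated_substitution())
```

`run_protocol` returns the three independently derived keys, which coincide; `unauthenticated_substitution` shows why the text's last remark matters: with nothing binding P_B to Bob, a substituted material gives Mallory a key she shares with Alice.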
13.3.7 ID-Based Cryptosystem of Boneh and Franklin
Since a shared key can be established between two principals using only their identities, encryption is also possible using only identities. Boneh and Franklin [51] apply the pairing technique and achieve the first practical ID-based public-key cryptosystem which fully satisfies Shamir's call for ID-based public-key cryptosystems.
There are four algorithms in the ID-based cryptosystem of Boneh and Franklin.
System Parameters Setup: Trent runs this algorithm to generate the global system parameters and the master-key;
User Key Generate: Trent runs this algorithm; on input of the master-key and an arbitrary bit string id ∈ {0,1}*, the algorithm outputs the private-key which corresponds to id; this is an instantiation of (13.3.1);
Encryption: This is a probabilistic algorithm; it encrypts a message under the public key id;
Decryption: This algorithm takes a ciphertext and a private-key as input, and returns the corresponding plaintext.

Alg 13.2 specifies the identity-based cryptosystem of Boneh and Franklin.
We now show that the system specified in Alg 13.2 is indeed a cryptosystem. Observe
Therefore, the value which Alice puts inside the hash function H at decryption time is in fact the value derived from g_ID which Bob put inside the hash function H at encryption time. Then
since bitwise XOR is self-inverting.
Algorithm 13.2: The Identity-Based Cryptosystem of Boneh and Franklin

System Parameters Setup (performed by Trent)
1. Generate two groups (G_1, +), (G_2, ·) of prime order p and a mapping-in-pair e : (G_1, +)^2 → (G_2, ·). Choose an arbitrary generator P ∈ G_1.
2. Pick s and set P_pub ← [s]P; s is in the position of master-key.
3. Choose a cryptographically strong hash function F : {0,1}* → G_1; this hash function is for mapping a user's id to an element of G_1.
4. Choose a cryptographically strong hash function H : G_2 → {0,1}^n; this hash function determines that the plaintext message space is {0,1}^n.
Trent keeps s as the system private key (master-key), and publicizes the system parameters (G_1, G_2, e, n, P, P_pub, F, H) and their descriptions.

User Key Generation
Let ID denote user Alice's uniquely identifiable identity. Having performed physical identification of Alice and made sure of the uniqueness of ID, Trent's key generation service is as follows:
1. Compute Q_ID ← F(ID); this is an element of G_1, and is Alice's ID-based public key;
2. Set Alice's private key d_ID as d_ID ← [s]Q_ID.

Encryption
To send confidential messages to Alice, Bob first obtains the system parameters (G_1, G_2, e, n, P, P_pub, F, H). Using these parameters, Bob then computes
Let the message be blocked into n-bit blocks. Then to encrypt M ∈ {0,1}^n, Bob picks
and computes
The ciphertext is

Decryption
Let C = (U, V) be a ciphertext encrypted using Alice's public key ID. To decrypt C using her private key d_ID ∈ G_1, Alice computes
Boneh and Franklin also provide a formal proof of security for their ID-based encryption scheme. The security notion is a strong one: adaptive chosen-ciphertext attack. Note that the scheme as specified in Alg 13.2 is the one Boneh and Franklin call BasicIdent, whose proof covers chosen-plaintext attacks only; the chosen-ciphertext-secure version in their paper is obtained from it by applying the Fujisaki-Okamoto transformation. The direct use of a hash function in the ElGamal style of encryption means that the proof is based on the so-called "random oracle model". Because we will study formal and strong notions of security and the random oracle model in Part V, we shall not introduce their proof technique here.
13.3.7.1 Extension to an Open System's Version
We must notice that Trent can decrypt every ciphertext message sent to every principal in the system! Therefore, the basic scheme of Boneh and Franklin is not suitable for applications in an open system. However, their basic scheme can be extended to one which is suitable for applications in an open system environment. We describe here an extension method which is a simplified variation of the method discussed in the paper of Boneh and Franklin.
The basic idea is, of course, to use multiple TAs. However, doing so will be interesting only if it causes no blowup in the number of the individual user's IDs, nor in the size of the ciphertext. Here is one way to do it. We describe the case of two TAs. It is trivial to extend to many TAs.
System Parameters Setup Let the parameters (G_1, G_2, e, n, P, F, H) be identical to those defined in 13.3.7. Let further P_1 ← [s_1]P and P_2 ← [s_2]P, such that each pair (s_1, P_1), (s_2, P_2) is in the position of (s, P_pub) in 13.3.7; that is, s_1 and s_2 are the two master keys of TA_1 and TA_2, respectively. Thus, (G_1, G_2, e, n, P, P_1, P_2, F, H) are the system-wide public parameters. These parameters can be "hardwired" into applications.
User Key Generation Let ID denote user Alice's uniquely identifiable identity. For i = 1, 2, the key generation service provided by TA_i is as follows:
1. Compute Q_ID ← F(ID); this is an element of G_1, and is Alice's unique ID-based public key;
2. Set Alice's private key component from TA_i as
Alice's private key is the sum of the two components, one from each TA.
If the two TAs do not collude, then this private key is not known to either of them.
Notice that Alice has a single public key: ID.
Encryption To send confidential messages to Alice, Bob first obtains the system parameters (G_1, G_2, e, n, P, P_1, P_2, F, H). Using these parameters, Bob then computes
Let the message be blocked into n-bit blocks. Then to encrypt M ∈ {0,1}^n, Bob picks
and computes
The ciphertext is C = (U, V). Thus, the ciphertext is a pair comprising a point in G_1 and a block in {0,1}^n. Namely, the ciphertext space is G_1 × {0,1}^n.
Decryption Let C = (U, V) be a ciphertext encrypted using Alice's public key ID. To decrypt C using her private key d_ID ∈ G_1, Alice computes
Notice that
So Alice has recovered g_ID and hence is able to decrypt:
since bitwise XOR is self-inverting.
Discussions
Compared with the single-TA case, the computations for encryption and decryption are doubled. But there is no increase in the number of Alice's IDs, nor in the size of the ciphertext.
While colluding TAs can do the decryption too, no single one of them can. When more TAs are used, confidence that no corruption has occurred grows accordingly. It is easy to see that when increasing the number of TAs, the number of Alice's IDs and the size of the ciphertext remain unchanged. However, the computations in encryption and in decryption increase linearly with the number of TAs.
When several TAs are used, decrypting an end user's ciphertext requires the full collusion of all TAs. If we trust that at least one of the TAs is honest, then eavesdropping by TAs is prevented. Thus, this extended IBE scheme is suitable for applications in an open system environment.
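The four algorithms of Alg 13.2 (13.3.7) and the two-TA extension of 13.3.7.1, run end to end as an added example; this is not code from the book or from Boneh and Franklin. As in the tripartite example, the bilinear map is a stand-in constructed for this example (G_1 modelled as Z_R, G_2 as the order-R subgroup of Z_Q^*, e(a, b) = G^(a·b) mod Q): every identity the scheme relies on holds over it, but it is not a secure pairing and is there only to make the algebra executable. The hash functions F and H are instantiated here from SHA-256 (an assumption of the example, not the book's choice), the block length N, the class `TrustedAuthority` and the functions `encrypt`, `decrypt`, `demo` are this example's own names, and the identity string and message are constructed sample inputs. The `demo` function shows the two security-relevant points of the text: with a single TA, Trent re-derives d_ID and reads Alice's ciphertext; with two TAs, a single TA's share decrypts to garbage while the sum d_1 + d_2 (or the two TAs colluding) recovers the plaintext.

```python
"""Boneh-Franklin BasicIdent (Alg 13.2) and its two-TA extension (13.3.7.1),
run end to end over a stand-in bilinear map.

The map is constructed for this example only: G1 is modelled as the additive
group Z_R, G2 is the order-R subgroup of Z_Q^*, and e(a, b) = G^(a*b) mod Q.
It is bilinear and symmetric, so every identity the scheme relies on holds,
but it is NOT a secure pairing (an element of Z_R reveals its own scalar).
Use it to follow the algebra, not as a cryptosystem.
"""
import hashlib
import secrets

R, Q, G = 101, 607, 64      # toy group parameters: R | Q - 1, G = 2^6 mod Q has order R
N = 16                      # plaintext block length in bytes (the book's n bits)


def pairing(a: int, b: int) -> int:
    """Stand-in for e: G1 x G1 -> G2."""
    return pow(G, (a * b) % R, Q)


def hash_to_g1(identity: str) -> int:
    """F: {0,1}* -> G1. Maps an identity string to a non-zero element of Z_R."""
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (R - 1)


def hash_g2(elem: int) -> bytes:
    """H: G2 -> {0,1}^n. Derives an N-byte mask from a G2 element."""
    return hashlib.sha256(b"G2|" + elem.to_bytes(4, "big")).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TrustedAuthority:
    """A TA (the book's Trent): keeps master-key s, publishes P_pub = [s]P."""

    def __init__(self, P: int):
        self.P = P
        self.s = secrets.randbelow(R - 1) + 1   # master-key, never leaves the TA
        self.P_pub = (self.s * P) % R

    def extract(self, identity: str) -> int:
        """User key generation: d_ID = [s]Q_ID where Q_ID = F(ID)."""
        return (self.s * hash_to_g1(identity)) % R


def encrypt(P: int, P_pubs: list, identity: str, message: bytes) -> tuple:
    """Encrypt one N-byte block under the public key ID.

    g_ID = prod_i e(Q_ID, P_i): one pairing per TA (one TA -> plain BasicIdent).
    Ciphertext C = (U, V) = ([r]P, M xor H(g_ID^r)); its size does not grow
    with the number of TAs.
    """
    if len(message) != N:
        raise ValueError("message must be exactly one N-byte block")
    Q_ID = hash_to_g1(identity)
    g_ID = 1
    for P_i in P_pubs:
        g_ID = (g_ID * pairing(Q_ID, P_i)) % Q
    r = secrets.randbelow(R - 1) + 1
    U = (r * P) % R
    V = xor(message, hash_g2(pow(g_ID, r, Q)))
    return U, V


def decrypt(d_ID: int, ciphertext: tuple) -> bytes:
    """M = V xor H(e(d_ID, U)). Correct because e([s]Q_ID, [r]P) = e(Q_ID, [s]P)^r."""
    U, V = ciphertext
    return xor(V, hash_g2(pairing(d_ID, U)))


def demo(message: bytes = b"attack at dawn!!") -> dict:
    """Single TA: Trent can re-derive d_ID and read Alice's mail (key escrow).
    Two TAs: Alice's key is d_1 + d_2; a single TA's share decrypts to garbage,
    only the two colluding TAs recover the plaintext."""
    P = 7                                   # arbitrary generator of G1 = Z_R
    alice = "alice@example.com"             # the ID is the public key (constructed sample)
    trent = TrustedAuthority(P)
    d_alice = trent.extract(alice)          # handed to Alice at registration
    c1 = encrypt(P, [trent.P_pub], alice, message)
    single = {"alice": decrypt(d_alice, c1),
              "trent": decrypt(trent.extract(alice), c1)}   # Trent recomputes d_ID
    ta1, ta2 = TrustedAuthority(P), TrustedAuthority(P)
    d_1, d_2 = ta1.extract(alice), ta2.extract(alice)
    c2 = encrypt(P, [ta1.P_pub, ta2.P_pub], alice, message)
    two = {"alice": decrypt((d_1 + d_2) % R, c2),
           "ta1_alone": decrypt(d_1, c2),
           "colluding": decrypt((d_1 + d_2) % R, c2)}
    return {"single": single, "two": two}
```

`demo()["single"]["trent"]` equals the plaintext, which is exactly the escrow problem the text raises; `demo()["two"]["ta1_alone"]` does not, because e(d_1, U) differs from g_ID^r by the factor e(Q_ID, P)^(s_2·r), which TA_1 cannot remove without s_2.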
13.3.8 Non-interaction Property: Authentication Without Key Channel
When Bob is to send a confidential message to Alice using a cryptographic technique in the usual sense, he should first establish a key channel from him to her (see Fig 7.1). In public-key cryptography in the usual sense, a key channel can be directory-based: for example, based on the sender verifying the public-key certificate of the recipient. Thus, the sender should first make a request to the recipient to obtain her/his public-key certificate. Considering applications in an open system in which principals cannot memorize a link between a public key and its owner, it is necessary for the sender and recipient to have some interaction(s) in order to establish a key channel before sending a confidential message encrypted under the public key of the recipient.
It is interesting to realize that in an ID-based public-key cryptosystem, the notion of key-channel establishment is not only unnecessary, but in fact impossible! Even if Bob does make a request for Alice to send her ID-based public key, there will be no way for Bob to verify whether the ID received from her is indeed her public key. All Bob needs to do is to treat the acquired ID as a valid public key of Alice and go ahead and use it to encrypt the message. If in the end Alice is able to decrypt the ciphertext sent by Bob, then her ID is indeed her public key. Thus, as long as each ID is precise in terms of uniquely pinpointing an individual (this has to be ensured by the TA, or TAs), there is no need for the sender to interact with the recipient before using an ID-based encryption algorithm for sending confidential messages. This is why an ID-based public-key cryptosystem is also called a non-interactive public-key cryptosystem.
The non-interaction feature of an ID-based cryptographic scheme is most prominently evident in the case of the SOK key sharing system (see 13.3.5). Once Alice and Bob have registered their respective ID-based public keys, they already share a secure key channel without even engaging in any communication: the shared channel is underpinned by the two private keys. There is no need to run a protocol between Alice and Bob, yet a shared secure channel has been established! We should contrast this non-interactive case of shared key agreement with the key exchange protocol using Girault's self-certified public keys which we have seen in 13.3.3.4. That protocol cannot be non-interactive because the two participants must exchange their public keys before they can establish a shared key.
The impossibility of directly confirming that a public key belongs to a principal, i.e., the absence of a publicly verifiable key certificate, enables an interesting application of ID-based public-key cryptography: the "spy problem." We shall see this application in a later chapter after we have introduced zero-knowledge protocols.
13.3.9 Two Open Questions for Identity-based Public-key Cryptography
First, let us review the user-key generation procedure
In this method for user private-key extraction, a user submits a public key of the user's choice. The threat model is that the user can be potentially malicious; however, the TA must simply serve this computation unconditionally and hand the private-key back to the user.
Notice that in order for the cryptosystem to be ID-based, i.e., to be non-interactive or certificate-free, the function F must be deterministic. Thus, the procedure for user-key generation has no random input. In other words, each user's private-key is a deterministic image of the master-key. This computation is in general considered a potentially dangerous one (in terms of cryptanalysis against the master-key). The danger has become well understood after the well-known critique of Goldwasser-Micali on the deterministic trapdoor function model of Diffie-Hellman [125], and has been widely avoided in standard applications of public-key cryptography (e.g., by the TA adding his own random input).
ID-based public-key cryptography with a probabilistic private-key is thus an interesting thing to pursue. This is the first open question.
The second and a challenging open problem is to design an ID-based cryptosystem which features non-interactive identity revocation. Identity revocation is necessary if an end-user's private key is compromised. Boneh and Franklin themselves suggest appending a validity period to the identity string, so that the key derived from it expires; that gives periodic expiry, not revocation at the moment a key is found to be compromised.

13.4 Chapter Summary
In this chapter we have introduced several techniques for realizing an authentication framework for public-key cryptography. These techniques include a directory-based certification framework using hierarchically organized certification authorities, a "web-of-trust"-based non-hierarchical authentication framework, and an identity-based technique in which a public key can be non-random and so self-authenticated.
Recent progress in identity-based public-key cryptography not only provides practical and convenient ways of authenticating (recognizing) public keys, but also opens up a new kind of authentication service: public-key based authentication without using a certificate. A certificate-free authentication framework has some interesting and useful properties. In a later chapter, we will see a very good use of a certificate-free authentication service.

Exercises
13.1 Why must a public key generated from a private key in (13.1.1) be certified?
13.2 What is F in (13.1.1) for the cases of the RSA, Rabin and ElGamal public-key cryptographic systems, respectively?
13.3 Does a revocation of a public-key certificate necessarily invalidate a digital signature issued before the revocation?
13.4 If a private key is generated from a public key, as in the case of (13.3.1), why is there no need to certify the public key?
13.5 Why is ID-based cryptography also called non-interactive public-key cryptography?
13.6 Is Girault's self-certified public-key cryptosystem a non-interactive one?
13.7 In the key exchange protocol of Girault's self-certified public-key cryptosystem (13.3.3.4), a protocol participant can deny involvement in a protocol run. Why?
13.8 Why must a supersingular elliptic curve for cryptographic use have a significantly larger security parameter than that of a non-supersingular one?
13.9 Unlike the Diffie-Hellman key agreement protocol (Prot 8.1), the key exchange protocol of Girault's self-certified public-key cryptosystem (13.3.3.4) and the SOK key sharing system (13.3.5) do not suffer from the man-in-the-middle attack. Why?
13.10 From (13.3.4) we know that the modified Weil pairing is symmetric. Can the original Weil pairing be symmetric for two linearly independent points?
Hint: apply bilinearity, and the fact that the Weil pairing of a point with itself is the identity, to e(P + X, P + X).
13.11 If we view the SOK key sharing system (13.3.5) as a non-interactive version of the Diffie-Hellman key exchange protocol, then the ID-based cryptosystem of Boneh and Franklin (Algorithm 13.2) can be viewed as a non-interactive version of which interactive cryptosystem?
Hint: usual public-key cryptosystems are interactive, i.e., a sender must first fetch the public key of the intended receiver before a ciphertext can be created and sent.

Part V: Formal Approaches to Security Establishment

Systems' complexity, in particular that due to communications among systems and system components, has been the main cause of failures that are introduced into computing and communications systems. Cryptographic systems (algorithms and protocols), which are usually complex systems, are open to a further cause of failures: attacks. While ordinary computing and communications systems work in a friendly environment (a user will try carefully not to input or send invalid data to a program or to a communication partner in order to avoid a system crash), cryptographic systems work in a hostile environment. In addition to possible failures in an ordinary way, cryptographic systems may also fail due to deliberate abnormal use. They are subject to various attacks which can be mounted not only by an external attacker who may interact with the system without being invited, but also by a legitimate user (an attacker from inside). Often cryptographic systems, even those developed by experts, are vulnerable to failures. The long hidden flaws in the Needham-Schroeder protocols are a well-known lesson on the unreliability of security experts (see Chapter 2).

Formal methodologies for systems analysis involve systematic procedures for the analysis task. The systematic procedures base their foundations squarely on mathematics in order to preserve rigorousness and generality in the modeling and construction of complex systems and in the observation of and reasoning about their behavior. These procedures either develop systems in a systematic manner so that the desired system properties are evidently demonstrable, or examine systems via systematic search so that errors in systems are uncovered. The error-prone nature of cryptographic systems has raised a wide consensus that these systems should be developed and/or analyzed by formal methodologies.

This part contains four chapters on topics of formal approaches to the development and the analysis of cryptographic systems. Chapter 14 introduces formal definitions of strong (i.e., fit-for-application) security notions for public-key cryptography. It takes a progressive approach to reaching the fit-for-application security notion from a textbook one. Chapter 15 introduces and explains two important and practical public-key cryptosystems with their fit-for-application security established using the notion defined in Chapter 14. Chapter 16 introduces a fit-for-application security notion for digital signatures and describes techniques for arguing security for several signature schemes under the strong security notion introduced. In Chapter 17 we will return to the topic of authentication protocols: we introduce various formal analysis techniques for the correctness of authentication protocols.

Chapter 14. Formal and Strong Security Definitions for Public-Key Cryptosystems

Section 14.1. Introduction
Section 14.2. A Formal Treatment for Security
Section 14.3. Semantic Security: the Debut of Provable Security
Section 14.4. Inadequacy of Semantic Security
Section 14.5. Beyond Semantic Security
Section 14.6. Chapter Summary
Exercises

14.1 Introduction
Secrecy is at the heart of cryptography. Let us now reconsider security notions for public-key encryption algorithms. We shall later see that the confidentiality-oriented security notions established in this chapter will have a wider generality for basing other kinds of security services.

So far we have confined ourselves to a very weak confidentiality notion for public-key cryptosystems. The notion is described in Property 8.2 (in §8.2): we only face a passive attacker, and such an attacker may break a target cryptosystem only in the "all-or-nothing" sense. This is a typical textbook crypto security notion. It is useless for real applications.

In reality, however, attackers are most likely active ones while retaining their passive ability of eavesdropping: they may modify a ciphertext or calculate a plaintext in some unspecified ways and send the result to an unwitting user to get oracle services (see §7.8.2.1 and §8.9 for the meaning of oracle services). Therefore, a security notion which only deals with passive attackers is not strong enough. We need to anticipate Malice, our active and clever attacker (review §2.3 for the power of Malice).

Moreover, in many applications, plaintext messages may contain a priori information which can be guessed easily. For example, such a priori information can be a value from a known range of salaries, a candidate's name from several known candidates in a voting protocol, one of several possible instructions, or even one-bit information about a plaintext (e.g., a BUY/SELL instruction to a stock broker, or HEADS/TAILS in a remote "Coin Flipping" protocol, see Prot 1.1). To guess such information about a plaintext encrypted under a one-way-trapdoor based public-key encryption algorithm, Malice can simply re-encrypt the guessed plaintext and see if the result matches the target ciphertext. Therefore, a confidentiality notion in the "all-or-nothing" sense cannot be sufficiently strong.

To anticipate attacks of various degrees of severity we need various more stringent security notions. In order to establish more stringent security notions, the first step is to formalize the problems properly. In the area of cryptographic systems with formally provable security, various attack games have been proposed to model and capture various attack scenarios. Such games are played between Malice and an oracle. The rule of the game allows Malice to obtain cryptographic assistance provided by the oracle, virtually on Malice's demand. We can view such assistance as providing a kind of "cryptanalysis training course" to Malice. A cryptosystem is regarded as secure against the formal model of an attack game if, even given an adequate "cryptanalysis training course," Malice cannot succeed with satisfaction.

The second aspect of the formal treatment of security is a rigorous measure of Malice's satisfaction. In the area of formally provable security for cryptographic systems, security of a cryptographic system concerns a quantitative relation which links the security of the cryptosystem to some intractable problem in the theory of computational complexity. A standard technique for establishing a high degree of confidence in security is to express and translate the satisfaction level of Malice against a target cryptographic system into some values which measure how fast and how often one can solve some reputable intractable problems in the theory of computational complexity. Such a translation is an efficient mathematical transformation, or a sequence of such transformations, leading from the alleged successful attack to a solution to a reputable intractable problem. Since we are highly confident about how slow and how infrequent it is for us to solve the latter problems, we will also have a definite (high) confidence about Malice's dissatisfaction with the alleged attack on the target cryptosystem.

Due to the diversity of the attack scenarios and the use of several intractable problems as the

computational basis for security, the area of cryptographic systems with formally provable security has adopted a language with plenty of jargon. With this jargon we can describe various security properties and requirements with convenience and precision. Here are a few examples of security statements:

Cryptosystem X is semantically secure against a passive eavesdropper of unbounded computing resource, but is malleable under chosen-ciphertext attack in which the attacker only has to work at lunchtime with a low-end device such as a handheld calculator.

Digital signature scheme Y is secure in terms of unforgeability of signature under adaptive chosen-message attack. Formal proof of its security reduces a successful forgery to solving the discrete logarithm problem. The reduction is under a random oracle model in which the forger can be forked with a non-negligible probability.

Signcryption scheme Z is secure in terms of indistinguishability of encryption under adaptive chosen-ciphertext attack and unforgeability of signature under adaptive chosen-message attack, regardless of whether the attacker works at lunchtime, at midnight or in the small hours. Formal proofs of these security qualities are with respect to the integer factorization problem.

Electronic auction protocol II is secure for the bidders in terms of deniability of their participation in a protocol run and for the winner in terms of indistinguishability of its identity. Formal proofs of these security qualities are with respect to a standard intractability assumption: the decisional Diffie-Hellman problem.

In our study of formally provable security in this and the next three chapters, the jargon appearing in these security statements will be defined or explained. Security statements such as those listed here will become much more meaningful after our study.
14.1.1 Chapter Outline

We begin in §14.2 with an introduction to the main theme of this chapter: a formal treatment of security, which involves formal modeling of attack scenarios and precise measuring of the consequences. The formal treatment will show clearly the inadequacy of the "all-or-nothing" based security notion we introduced in Chapter 8. A strengthened security notion, "semantic security," which means hiding any partial information about a message, will be introduced in §14.3. The inadequacy of semantic security will be exposed in §14.4. The exposure leads to several further steps of strengthening security notions: "chosen-ciphertext security," "adaptive chosen-ciphertext security," and "non-malleability." These strengthened security notions and their relations will be studied in §14.5.

14.2 A Formal Treatment for Security
Speaking at a very abstract level, "formally provable security" for a cryptographic system is an affirmative measure of the system's strength in resisting an attack. Secure systems are those in which Malice cannot do something bad too often or fast enough. Thus, the measure involves establishing success probabilities and computational cost.

To provide a concrete view of such a measure let us look at an "attack game" played between Malice and an "oracle" who models an innocent user of a cryptographic system in which the user is inevitably in interaction with Malice. This game provides a formal treatment of a computational view of what we mean by security; it also makes a first step in our process of strengthening the security notion for cryptosystems (from what has so far been confined in Property 8.2 in §8.2).

Let Malice be the attacker and let O denote an oracle in our game of attack. In the context of confidentiality, the target of Malice is a cryptosystem. Thus, "something bad" means that the game results in a breach of confidentiality regarding the target cryptosystem.

Let us use Definition 7.1 in §7.2 to provide the syntactic notation for the target cryptosystem, which has an encryption algorithm E, plaintext space M and ciphertext space C. Nevertheless, we should make an important point here: the encryption algorithm is now probabilistic, that is, it has an internal random operation which has a certain probability distribution and will cause the ciphertext output to be a random variable of this distribution. For example, if a plaintext message is encrypted under an encryption key twice, the two resultant ciphertexts will be different with an overwhelming probability (due to the encryption algorithm's 1-1 mapping property).

Prot 14.1 specifies an attack game.

In the attack game O challenges Malice to answer the following question:

    From which of the two ensembles (experiments) E_{k_e}(m_0), E_{k_e}(m_1) comes the challenge ciphertext c*?

We consider that Malice is a probabilistic polynomial-time distinguisher as defined in Definition 4.14 (in §4.7). This is not only because O's output is probabilistic, but also because Malice is polynomially bounded and therefore may wish to use a probabilistic polynomial-time (PPT) algorithm if he thinks such algorithms may be more efficient than deterministic ones (this is usually true, as we have witnessed many times in Chapter 4). Denote by Adv the advantage of Malice for making a distinction. By Definition 4.14, Adv should be the difference between Malice's probabilistic distinguishing of the ensembles E_{k_e}(m_0) and E_{k_e}(m_1):

Equation 14.2.1

The probability space should include the probabilistic choices made by O, Malice and the internal random operation of the encryption algorithm. Also notice that Malice's answer is based not solely on the challenge ciphertext c*, but also on the two chosen plaintext messages (m_0, m_1). Only because of this can his answer be regarded as an "educated guess." However, for clarity in exposition, we have omitted (m_0, m_1) from Malice's input.

We must notice that there is an additional clue for Malice to "improve" his educated guess: O tosses a fair coin. The advantage formulation (14.2.1) does not explicitly express how Malice could have used this clue, though implicitly we know that each probability term in (14.2.1) can never exceed 1/2 since, e.g., the event "c* = E_{k_e}(m_0)" can only occur with probability 1/2. We should explicitly express Malice's use of this clue in his advantage formulation. Applying conditional probability (Definition 3.3 in §3.4.1) while noticing the equal probability of 1/2 for both cases of O's coin-tossing, (14.2.1) can be rewritten to

Equation 14.2.2
Protocol 14.1: Indistinguishable Chosen-plaintext Attack

PREMISE

i. Malice and an oracle O have agreed on a target cryptosystem of plaintext message space M and ciphertext message space C;

ii. O has fixed an encryption key k_e for the target cryptosystem.

1. Malice chooses distinct messages m_0, m_1 ∈ M and sends them to O;
(* the messages m_0, m_1 are called chosen plaintext messages. Malice has so far been in a "find-stage" for preparing m_0, m_1; he should of course prepare them in such a way that he hopes the encryption of them is easily recognizable *)

2. If these two messages are not the same length, O will pad the shorter one to the same length as the other;
(* e.g., using a dummy string 0^d where d is the difference between the message lengths *)
O tosses a fair coin b ∈_U {0, 1} and performs the following encryption operation

    c* ← E_{k_e}(m_b)

O sends c* ∈ C to Malice;
(* the ciphertext message c* is called a challenge ciphertext. As convention in

the area of provable security, a ciphertext with a "*" superscript is always considered as a challenge ciphertext *)
(* remember, c* is a random variable of two random input values: the fair coin b and an internal random operation of the encryption algorithm *)

3. Upon receipt of c*, Malice must answer either 0 or 1 as his working out of O's coin tossing.
(* Malice is now in a "guess-stage" for an educated guess of O's coin tossing; an answer other than 0 or 1 is not allowed *)
By rule of the game, Malice is not allowed to answer other than 0 or 1, and hence the event of a wrong (correct) answer is complementary to that of a correct (wrong) answer. So applying Property 5 of probability (§3.3), we have

that is,

Equation 14.2.3

The formulation (14.2.3) is often used to express an algorithmic advantage on top of that for sheer guessing of a fair coin toss (probability 1/2). So if Adv = 0, then Malice's probabilistic answer will be exactly the distribution of tossing a fair coin. Of course, we should not be too cynical about Malice's algorithmic advantage and should generously consider (i) Adv > 0 and (ii) the positive sign prefixing Adv. Clearly, (14.2.3) will also hold if all appearances of 0 in it are replaced with 1.

From (14.2.3) we can also see that Malice's advantage can never exceed 1/2 since a probability value cannot be outside the interval [0, 1]. Indeed, given that O has exactly probability 1/2 to have encrypted either of the two plaintexts, Adv formulated in (14.2.1) as the probability difference for joint events can never exceed 1/2. The reader might be wondering what (14.2.3) would look like if O tosses a biased coin, say one which encrypts the plaintext query m_0 with some probability other than 1/2 and m_1 with the complementary probability. Hint: replace 1/2 in (14.2.2) with the respective biased probability values and see how (14.2.3) will change. We will then realize that it is possible for Malice's advantage to exceed 1/2 provided that O tosses a biased coin.

We say that the target cryptosystem is secure against the attack game in Prot 14.1 if E_{k_e}(m_0) is indistinguishable from E_{k_e}(m_1). According to Definition 4.15 (in §4.7), this means there should exist no PPT distinguisher for any Adv > 0 as a non-negligible quantity. Equivalently, for any Malice successfully to make a distinction, his Adv must be a negligible quantity. Here "negligible" is measured with respect to a security parameter of the target encryption scheme, which is usually the size of the key material. We can consider Adv for any polynomially bounded Malice (i.e., any PPT algorithm) as a slow-growing function of Malice's computational resources. Here

"Slow-growing" means that even if Malice adds to his computational resources in a tremendous manner, Adv will only grow in a marginal manner, so that Malice cannot be very happy about his "advantage." This is exactly what we meant when we mentioned at the beginning of this chapter that Malice cannot do something bad too often or fast enough.
Since our argument has followed exactly Definition 4.15 for polynomially indistinguishable ensembles, the new security notion we have just established can be named polynomial indistinguishability of encryption. Moreover, because the indistinguishability is between the two plaintexts chosen by Malice, the precise name for this new notion is security against polynomially indistinguishable chosen-plaintext attack. It is usually shortened to IND-CPA security.
Now that, in the IND-CPA attack game in Prot 14.1, Malice has the freedom to choose the plaintext messages and is only required to answer a sheer one-bit question about the chosen plaintexts, "Is the encrypted plaintext $m_0$ or $m_1$?", the difficulty for Malice to break the target cryptosystem is drastically reduced from that of breaking the cryptosystem in the "all-or-nothing" sense of security (defined in Property 8.2.(i) in §8.2). Indeed, all textbook public-key encryption algorithms (see §8.14 for the meaning of textbook crypto) we have introduced so far are insecure under IND-CPA. It is easy to see this for the RSA and Rabin cryptosystems since they are deterministic and thereby allow Malice to pinpoint $m_0$ or $m_1$ by re-encryption. We shall further see in §14.3.5 that the ElGamal cryptosystem specified in Alg 8.3, which provides a probabilistic encryption algorithm, is not secure under IND-CPA either.
With the difficulty of an attack being reduced, the security requirement for cryptosystems should be strengthened. To reduce the difficulty for Malice to attack cryptosystems, or, speaking equivalently, to strengthen the security notion for cryptosystems, and to do so with formal rigor, is the main topic of this chapter.
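To make the re-encryption attack concrete, here is a small Python program, added as an illustration and not taken from the book, that plays the IND-CPA attack game of Prot 14.1 against textbook RSA, with Malice's two chosen plaintexts being the a priori alternatives "BUY" and "SELL". The toy modulus, the exponent and the plaintexts are constructed values, and the advantage is computed as Pr[Malice guesses b correctly] - 1/2, which is an assumption here since formula (14.2.3) is not reproduced on this page.

```python
import random

# Constructed toy textbook-RSA key (tiny primes, demonstration only).
P, Q = 1009, 1013
N = P * Q
E = 5                                  # gcd(5, (P-1)(Q-1)) = 1
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never used by Malice


def rsa_encrypt(m: int) -> int:
    """Textbook RSA: the same plaintext always yields the same ciphertext."""
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


def choose_buy_sell() -> tuple:
    """Malice's two chosen plaintexts: the alternatives he knows a priori."""
    return (int.from_bytes(b"BUY", "big") % N,
            int.from_bytes(b"SELL", "big") % N)


def ind_cpa_round(encrypt, choose, guess, rng) -> bool:
    """One round of the game: Malice names (m0, m1), the challenger encrypts
    m_b for a hidden coin b, and Malice wins if his guess equals b."""
    m0, m1 = choose()
    b = rng.randrange(2)
    challenge = encrypt(m1 if b else m0)
    return guess(m0, m1, challenge) == b


def re_encryption_guess(m0: int, m1: int, challenge: int) -> int:
    """Uses nothing but the public key: re-encrypt m0 and compare.  This
    works against any deterministic public-key encryption algorithm."""
    return 0 if rsa_encrypt(m0) == challenge else 1


_COIN = random.Random(99)   # separate, seeded source for the baseline guesser


def random_guess(m0: int, m1: int, challenge: int) -> int:
    """Baseline: ignores the challenge entirely."""
    return _COIN.randrange(2)


def advantage(guess, trials: int = 1000, seed: int = 0) -> float:
    """Pr[Malice wins] - 1/2 over `trials` rounds (assumed form of Adv;
    (14.2.3) itself is not shown on this page)."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_round(rsa_encrypt, choose_buy_sell, guess, rng)
               for _ in range(trials))
    return wins / trials - 0.5
```

Because textbook RSA is deterministic, re_encryption_guess wins every round and its advantage is the maximum value 1/2, while the coin-flipping baseline stays near zero. The harness can be pointed at any encryption function; for a probabilistic scheme the comparison in re_encryption_guess simply stops matching, which is the property the rest of this section is after.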

14.3 Semantic Security: the Debut of Provable Security
The IND-CPA security notion which we have just defined was originally introduced by Goldwasser and Micali [125]. They use semantic security to name this security notion. This notion means that a ciphertext does not leak any useful information about the plaintext (if we may consider that the length of the plaintext is not a piece of useful information) to any attacker whose computational power is polynomially bounded. They observed that, in many applications, messages may contain certain a priori information which can be useful for an attack. For example, a ciphertext may only encrypt a simple instruction such as "BUY" or "SELL," or one of the identities of a handful of known candidates who are being voted on. Goldwasser and Micali point out that public-key cryptosystems which are based on direct applications of one-way trapdoor functions are in general very weak for hiding such messages. We shall see that their critique does apply to each of the public-key cryptosystems which we have introduced in Chapter 8.
The need for this rather strong security notion is very real. The failure of a mental poker protocol provides a good illustration of the weakness of public-key cryptosystems as direct applications of one-way trapdoor functions. Let us first review the mental poker protocol of Shamir, Rivest and Adleman [261].
14.3.1 The SRA Mental Poker Protocol
Alice lives in New York and Bob lives in London. They have never met, but they wish to play poker across the Atlantic. The same authors of the RSA cryptosystem made this possible: Shamir, Rivest and Adleman proposed a protocol called "SRA mental poker" [261].
Mental poker is played like ordinary poker; however, the cards are encoded into messages so that the card game can be played over a communication channel. In order to play a poker game, Alice and Bob should first deal the cards fairly. Here "fair" means the following four requirements:
i. The deal must distribute all possible hands with equal probability (i.e., uniform distribution) and should not allow the same card to appear in two hands simultaneously.
ii. Alice and Bob must know the cards in their own hand, but neither can have any information about the other's hand.
iii. Both Alice and Bob must be viewed as potential cheaters who cannot be relied upon to follow the rules of the protocol.
iv. Alice and Bob should both be able to verify that a preceding game has been fairly played.
The idea behind the SRA mental poker is to make use of a cipher with the commutative property. In such a cipher, a message can be doubly encrypted by Alice and Bob using their respective secret keys, and the resultant ciphertext must also be doubly decrypted by both of them. Let

denote the encryption and decryption algorithms performed by principal X. The commutative property of the cipher is that the following equations hold for any message M in its plaintext space:
Equation 14.3.1
That is, the plaintext message can be correctly retrieved even though the order of the double decryption can be independent of that of the double encryption.
For simplicity and without loss of generality, let us suppose that Alice and Bob decide to play a game of one-card hands using a deck of three cards. Prot 14.2 specifies a method for a fair deal of hands. The generalization to the case of a deck with any number of cards is tedious but straightforward.
Protocol 14.2: A Fair Deal Protocol for the SRA Mental Poker Game
PREMISE:
Alice and Bob have agreed on a commutative cipher with the properties in (14.3.1) and they have picked their own secret encryption keys;
They have agreed on a deck of three cards $M_1, M_2, M_3$.
GOAL:
They achieve a fair deal of a one-card hand for each party satisfying the fairness properties (i)-(iv).
1. Alice encrypts the three cards as $C_i = E_A(M_i)$ for $i = 1, 2, 3$; she sends these three ciphertexts to Bob in a random order;
(* sending the encrypted cards in a random order models shuffling of the deck *)
2. Bob picks one ciphertext at random; denoting it by $C$, he doubly encrypts $C$ as $CC = E_B(C)$; he also picks another ciphertext at random, denoting it by $C'$; he sends $CC, C'$ to Alice;
(* $CC$ determines Bob's hand; $C'$ determines Alice's hand; the other encrypted card is discarded *)
3. Alice decrypts both $CC$ and $C'$; the decryption of $C'$ is her hand; the decryption of $CC$, denoting it by $C''$, is returned to Bob;
4. Bob decrypts $C''$ and thereby obtains his hand.
(* they can now play their mental poker game *)
14.3.2 A Security Analysis Based on Textbook Security
For the time being let us suppose that the cryptosystem used in Prot 14.2 is sufficiently strong in both single and double encryption operations. By saying that a cryptosystem is "sufficiently strong," we mean that, given a plaintext (respectively, a ciphertext) without the correct encryption key (respectively, decryption key), a polynomially bounded attacker cannot create a valid ciphertext from the given plaintext (respectively, cannot retrieve the plaintext from the given ciphertext). This is the "all-or-nothing" sense of secrecy given in Property 8.2.(i) which we have agreed upon for textbook crypto algorithms (in §8.2). Under this notion of security we can now provide a security analysis for Prot 14.2 with respect to the fairness properties (i)-(iv).
After a run of Prot 14.2:
Alice and Bob each obtain a hand of one card in $\{M_1, M_2, M_3\}$ with equal probability (i.e., uniform in this set); this is because Alice has shuffled the deck in Step 1. Notice that it is in Alice's interest to shuffle the deck uniformly at random, to prevent Bob from having an advantage in choosing his hand. So fairness property (i) is satisfied.
Each of the two parties knows her/his own hand after double decryption, but does not know the hand of the other party since neither of them knows the discarded card. So fairness property (ii) is satisfied.
It is obvious that the protocol does not rely on any party being honest. So fairness property (iii) is satisfied.
Fairness property (iv) depends on whether or not the cryptosystem used in the protocol permits an honest verification after a poker game. Shamir et al. suggest using a variation of the RSA cryptosystem (see §8.5) where the two parties keep both their encryption and decryption exponents secret until a poker game finishes, and then disclose these exponents to the other party for checking their honest conduct after the game finishes.
Let N be the shared RSA modulus. In this variation, Alice and Bob both know the factorization of N. Let $(e_A, d_A)$ be Alice's encryption and decryption exponents, and $(e_B, d_B)$ be Bob's encryption and decryption exponents. Knowing the factorization of N permits Alice (respectively, Bob) to compute $d_A$ from $e_A$ (respectively, $d_B$ from $e_B$). They do so by solving the congruence
Equation 14.3.2
(where X means A or B). Then for principal X we have

Since the RSA group is commutative, it is trivial to see that (14.3.1) holds. Before finishing a game, both parties keep their encryption and decryption exponents secret. Thus, no one can create a valid ciphertext of the kind created by the other party; this prevents a party from testing which card has been encrypted under which ciphertext. Also, neither can decrypt a ciphertext which has been created by the other party. Thus, indeed, the cryptosystem is "sufficiently strong" as we have required it to be.
It is now clear that after a game finishes, both parties can disclose their encryption and decryption exponents to the other party, and thereby they can check that the encryption, double encryption and decryption have all been correctly performed. Thus, fairness property (iv) is satisfied.
In our analysis we have used a rather inadequate and unreasonable notion of security: a "sufficiently strong" cryptosystem means an attacker's inability to create a valid ciphertext from a given plaintext without the correct encryption key, or to decrypt a ciphertext without the correct decryption key. The inadequacy and unreasonableness of this security notion now become apparent. Lipton [178] observes that Prot 14.2 fails if it uses the variation of the RSA cryptosystem suggested by the original authors of the mental poker game. The failure is due to the cryptosystem's inability to hide certain a priori information in plaintext messages. Here, the a priori information is the quadratic residuosity. Reviewing §6.5, a number a is a quadratic residue modulo N if gcd(a, N) = 1 and there exists x < N such that
Notice that because $\phi(N)$ is even, the encryption exponent e and the decryption exponent d which satisfy congruence (14.3.2) must both be odd. Consequently, a plaintext M is a quadratic residue modulo N, i.e., $M \in \mathrm{QR}_N$, if and only if the corresponding ciphertext $C \in \mathrm{QR}_N$, since
for some x < N. That is, RSA encryption cannot change the quadratic residuosity of the plaintext message. Further reviewing §6.5, we know that with the factorization of N, deciding $C \in \mathrm{QR}_N$ can be done easily: first reduce C modulo each prime factor of N, then evaluate the Legendre symbol of the results using Alg 6.2.
Therefore, if some plaintext card(s) is (are) in $\mathrm{QR}_N$ and the other(s) is (are) not, then a party who knows Lipton's trick will have an unfair advantage in a game: (s)he will know exactly which card lies under which ciphertext, because the residuosity of a card is never hidden by encryption, whether single or double.
We conclude that the SRA mental poker protocol is not secure. To state our conclusion with formal precision, we say that it is not secure under the IND-CPA model specified in Protocol (Game) 14.1.
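The following Python program, added here as an illustration and not the book's own code, runs Prot 14.2 with the RSA variant of Shamir, Rivest and Adleman and then applies Lipton's observation. The shared modulus N = 1009 x 1013, the exponents e_A = 5 and e_B = 13 and the three "cards" 4, 9 and 2 are constructed toy values: 4 and 9 lie in QR_N while 2 does not (2 is a non-residue modulo 1013 because 1013 is 5 modulo 8), so Lipton's test singles out the ciphertext hiding card 2 whether that card has been encrypted once or twice. The audit function shows the exponent-disclosure check behind fairness property (iv); passing in a deck drawn entirely from QR_N shows the test losing all discriminating power.

```python
import random
from math import gcd

# Constructed toy parameters: a shared modulus whose factorisation both
# players know, as in the SRA variant of RSA.  Far too small to be secure.
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)


def key_pair(e: int) -> tuple:
    """(e, d) with e*d = 1 (mod phi(N)), i.e. congruence (14.3.2).
    phi(N) is even, so both e and d are necessarily odd."""
    if e % 2 == 0 or gcd(e, PHI) != 1:
        raise ValueError("e must be odd and coprime to phi(N)")
    return e, pow(e, -1, PHI)


def enc(m: int, e: int) -> int:
    return pow(m, e, N)


def dec(c: int, d: int) -> int:
    return pow(c, d, N)


ALICE = key_pair(5)     # (e_A, d_A), kept secret until the game ends
BOB = key_pair(13)      # (e_B, d_B)


def fair_deal(cards: list, seed: int = 0) -> dict:
    """Run Prot 14.2 on a three-card deck and return what each side saw,
    so that the deal can be audited afterwards."""
    rng = random.Random(seed)
    e_a, d_a = ALICE
    e_b, d_b = BOB
    # Step 1: Alice encrypts every card and sends them in random order (the shuffle).
    deck = [enc(m, e_a) for m in cards]
    rng.shuffle(deck)
    # Step 2: Bob double-encrypts his pick C as CC = E_B(C) and picks C' for Alice.
    c, c_prime = rng.sample(deck, 2)
    cc = enc(c, e_b)
    # Step 3: Alice decrypts both: D_A(C') is her hand, C'' = D_A(CC) goes back to Bob.
    alice_hand = dec(c_prime, d_a)
    c_double_prime = dec(cc, d_a)
    # Step 4: Bob strips his own layer; commutativity makes the order irrelevant.
    bob_hand = dec(c_double_prime, d_b)
    return {"alice": alice_hand, "bob": bob_hand, "deck": deck, "CC": cc}


def audit_deal(cards: list, deck: list, e_a: int) -> bool:
    """Property (iv): once Alice reveals e_A after the game, Bob checks that
    the shuffled deck really was the encryption of the agreed cards."""
    return sorted(enc(m, e_a) for m in cards) == sorted(deck)


def is_qr(a: int) -> bool:
    """a is in QR_N iff it is a residue modulo both primes (Euler's criterion)."""
    return pow(a, (P - 1) // 2, P) == 1 and pow(a, (Q - 1) // 2, Q) == 1


def lipton_candidates(ciphertext: int, cards: list) -> list:
    """Lipton's trick: an odd exponent preserves residuosity, so a ciphertext
    (single or double encrypted) can only hide cards of its own QR class."""
    return [m for m in cards if is_qr(m) == is_qr(ciphertext)]
```

With the mixed deck [4, 9, 2], lipton_candidates returns a single card for the ciphertext of 2 and two candidates for the others, during the game and before any exponent is revealed; with a deck such as [4, 9, 16] it returns all three cards for every ciphertext, which is the "all cards from QR_N" fix mentioned in the next section. The audit only proves correct execution after the fact; it does nothing about the leak.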

14.3.3 Probabilistic Encryption of Goldwasser and Micali
It is possible to fix Prot 14.2 against Lipton's attack. For example, forcing all cards to be chosen from $\mathrm{QR}_N$ provides a specific fix. However, Goldwasser and Micali envision the need for a general fix of a much bigger problem: the need for a stronger security notion, semantic security. They describe their notion of semantic security in Property 14.1.
Property 14.1: Semantic Security. Whatever is efficiently computable about the plaintext given the ciphertext is also efficiently computable without the ciphertext.
They proposed a probabilistic encryption scheme which possesses this property. Let us name this scheme the GM cryptosystem. The GM cryptosystem encrypts the entire message bit by bit, where the difficulty of finding an encrypted single bit from a ciphertext c is that of deciding whether $c \in \mathrm{QR}_N$ or $c \in J_N(1) \setminus \mathrm{QR}_N$, where .
The GM cryptosystem is specified in Alg 14.1.
We now show that the system specified in Alg 14.1 is indeed a cryptosystem, i.e., Alice's decryption procedure will actually return the same plaintext message that Bob has encrypted. Observing the encryption algorithm, it is easy to see that the plaintext bit 0 is encrypted to a ciphertext in $\mathrm{QR}_N$.
For the plaintext bit 1, the corresponding ciphertext is $c = yx^2$. Noticing , we have (due to the multiplicative property of the Legendre symbol, see Theorem 6.16 in §6.5.2):
and
and therefore
That is, the plaintext bit 1 is encrypted to a ciphertext in $J_N(1) \setminus \mathrm{QR}_N$.
The decryption algorithm works properly because, knowing p and q, Alice can decide whether $c_i \in \mathrm{QR}_N$ or $c_i \in J_N(1) \setminus \mathrm{QR}_N$, respectively, and hence can correctly retrieve the plaintext bit by bit.

It is not difficult to see that encryption of an $\ell$-bit message takes $O_B(\ell(\log_2 N)^2)$ bit operations; this is the time complexity for encryption. The encryption algorithm has a message expansion ratio of $\log_2 N$: one bit of plaintext is expanded into $\log_2 N$ bits of ciphertext.
Algorithm 14.1: The Probabilistic Cryptosystem of Goldwasser and Micali
Key Setup
To set up a user's key material, user Alice performs the following steps:
1. choose two random prime numbers p and q such that |p| = |q| = k
(* e.g., using Alg 4.7 with input $1^k$ *)
2. compute N = pq;
3. pick a random integer y satisfying
(* thus $y \in J_N(1) \setminus \mathrm{QR}_N$ *)
4. publicize (N, y) as her public key material, and keep (p, q) as her private key.
Encryption
To send a binary string $m = b_1 b_2 \ldots b_\ell$ to Alice, Bob performs:
for (i = 1, 2, ..., ℓ)
{
    x ∈_U ;
    if (b_i == 0) c_i ← x^2 (mod N)
    else c_i ← y x^2 (mod N)
}

Bob sends to Alice: $E_N(m) = (c_1, c_2, \ldots, c_\ell)$.
Decryption
Upon receipt of an $\ell$-tuple ciphertext $(c_1, c_2, \ldots, c_\ell)$, Alice performs:
for (i = 1, 2, ..., ℓ)
{
    if (c_i ∈ QR_N) b_i ← 0
    else b_i ← 1;
}
set m ← (b_1, b_2, ..., b_ℓ).
Since computing the Legendre symbol mod p and mod q with |p| = |q| = k can be done in $O_B(k^2)$ bit operations (review the discussion after Alg 6.2 on careful realization of the Jacobi-symbol algorithm), decryption of $(c_1, c_2, \ldots, c_\ell)$ requires $O_B(\ell(\log_2 N)^2)$ bit operations. This is the time complexity for decryption.
The "bit-by-bit" fashion of encryption means that the GM cryptosystem is highly inefficient.
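The following Python program, added as an illustration and not the book's own code, implements Alg 14.1 in full: key setup with the Jacobi symbol computed by the reciprocity algorithm in the style of Alg 6.2, bit-by-bit encryption with a fresh x for every bit, and decryption by Euler's criterion modulo p and q. The primes 1019 and 1031 and the byte-to-bit packing are constructed choices for the demonstration; real keys would use k-bit primes with k in the hundreds and a system random source (the seed parameters exist only to make the demonstration reproducible).

```python
import random
from math import gcd


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, by repeated reduction and reciprocity."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr_mod_prime(a: int, p: int) -> bool:
    """Euler's criterion: a is a residue modulo prime p iff a^((p-1)/2) = 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def _rng(seed):
    # Seeded only for a reproducible demonstration; use the system source in practice.
    return random.SystemRandom() if seed is None else random.Random(seed)


def keygen(p: int, q: int, seed=None) -> tuple:
    """Key setup of Alg 14.1 for given primes: returns ((N, y), (p, q)).
    y must have Jacobi symbol 1 yet be a non-residue, i.e. y in J_N(1) \\ QR_N."""
    rng = _rng(seed)
    n = p * q
    while True:
        y = rng.randrange(2, n)
        if jacobi(y, n) == 1 and not is_qr_mod_prime(y, p):
            return (n, y), (p, q)


def to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits: list) -> bytes:
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def encrypt(msg: bytes, pub: tuple, seed=None) -> list:
    """Encryption of Alg 14.1: bit 0 -> x^2, bit 1 -> y*x^2, fresh x in Z_N^* per bit."""
    n, y = pub
    rng = _rng(seed)
    cts = []
    for b in to_bits(msg):
        x = rng.randrange(1, n)
        while gcd(x, n) != 1:
            x = rng.randrange(1, n)
        c = x * x % n
        cts.append(c if b == 0 else y * c % n)
    return cts


def decrypt(cts: list, priv: tuple) -> bytes:
    """Decryption of Alg 14.1: c_i in QR_N -> 0, otherwise 1 (needs p and q)."""
    p, q = priv
    bits = [0 if is_qr_mod_prime(c, p) and is_qr_mod_prime(c, q) else 1 for c in cts]
    return from_bits(bits)


def public_view(cts: list, n: int) -> set:
    """What anyone can compute from N alone: the Jacobi symbol of each c_i.
    Every c_i lies in J_N(1), so this test never separates bit 0 from bit 1."""
    return {jacobi(c, n) for c in cts}
```

public_view returns {1} for every ciphertext, which is the point of choosing y from J_N(1) \ QR_N rather than from an arbitrary non-residue class: the cheap public test gives the same answer for both plaintext bits, and telling them apart is exactly the QR problem of the next subsection. Encrypting the same message twice yields different lists, and each list makes the expansion ratio visible: one element of Z_N, i.e. log_2 N bits, per plaintext bit.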
14.3.4 The Security of the GM Cryptosystem
The encr y pt i on al gor it hm of t he GM cr y pt osy st em can be consi der ed as an er r or- f r ee r andomized
al gor i t hm: t he r andom oper at i ons i n t he encr ypt i on algori t hm can int r oduce no any er r or i nt o
t he ci pher t ext but achieve t he fol l owing import ant f unct i on:
Di st r i but i ng t he pl ai nt ext bit 0 uni f or ml y ( t hat i s, cor r ect l y ) over QR
N
and t he plai nt ext bi t 1

Table of Cont ent s
Moder n Cr ypt ography : Theor y and Pract i ce
By Wenbo Mao Hewlet t - Packard Company

Publi sher: Prent i ce Hal l PTR


Pub Dat e: Jul y 25, 2003
I SBN: 0- 13-066943-1
Pages: 648

Many cr y pt ographi c schemes and prot ocol s, especi al l y t hose based on publ i c- key cry pt ogr aphy ,
have basi c or so- cal l ed " t ext book cr ypt o" ver si ons, as t hese ver sionsar e usual ly t he subj ect s for
many t ext books on cry pt ogr aphy . Thi s book t akes adi ff er ent appr oach t o i nt roduci ng
cry pt ogr aphy : it pay s much more at t ent i on t ofi t - f or- appl i cat i on aspect s of cr ypt ogr aphy . I t
expl ains why " t ext book cr y pt o" isonl y good in an i deal wor l d wher e dat a ar e r andom and bad
guys behave ni cel y . I t r eveal s t he gener al unf it ness of "t ext book cr y pt o" for t he r eal worl d by
demonst r at i ngnumer ous at t acks on such schemes, pr ot ocol s and syst ems under var i ousr eal -
wor ld appl i cat i on scenari os. Thi s book chooses t o i nt r oduce a set of pract i cal cr y pt ogr aphi c
schemes, pr ot ocol s and syst ems, many of t hem st andar ds or de fact oones, st udies t hem cl osel y,
expl ains t hei r wor ki ng pri nci pl es, di scusses t hei r pr act i cal usages, and exami nes t hei r st r ong
( i . e. , f i t - for - appl i cat i on) securi t y pr opert i es, oft enwi t h securi t y evi dence for mal l y est abl ished.
The book al so i ncl udes self - cont ai nedt heor et i cal backgr ound mat er ial t hat i s t he f oundat i on for
moder n cr ypt ogr aphy.
unif or mly over J
N
( 1) \ QR
N
.
Bot h di st r ibut i ons are uni for m. This i s because, f or t he pl ai nt ext bi t 0, squar ing maps fr om
ont o QR
N
, and f or t he pl ai nt ext bi t 1, mult ipl yi ng- y t o an element i n QR
N
i s a per mut at i on fr om
QR
N
ont o J
N
( 1) \ QR
N
. Thus, pi cki ng x
U
i n t he encr y pt i on al gor i t hm means pi cki ng eit her a
unif or m el ement in QR
N
i f t he pl ai nt ext bit i s 0, or a uni for m el ement i n J
N
( 1) \ QR
N
i f t he pl ai nt ext
bi t i s 1.
To expr ess it for mal l y, we say t hat t he dif fi cul t y of t he GM cry pt osy st em is t hat of deci ding t he
quadr at i c r esi duosi t y probl em ( QR) pr obl em whi ch i s for mall y speci fi ed i n Defi nit ion 6. 2 ( in
6. 5. 1) . The QR pr obl em i s a wel l - known har d pr obl em in number t heor y ( r evi ew t he di scussi on
we pr ovi ded 6. 5. 1 af t er Defi nit ion 6. 2) . We have t he f ol l owi ng assumpt i on on i t s i nt r act abi l i t y .
Assumpt i on 14 . 1: Quadr at i c Resi du osi t y Assu mp t i on ( QR Assumpt i on ) Let I G be an
i nt eger inst an ce gener at or t h at on i npu t 1
k
, r un s in t i m e pol yn omi al in k , an d ou t put s a 2 k- b it
m odul us N = p q wh er e p and q ar e each a k - b it uni for m ly ran dom od d p ri m e.
We say t h at I G sat i sf ies t h e qu adr at ic r esidu osit y ( QR) assum pt i on if f or al l su ff icient l y l arge k
and f or N I G( 1
k
) , ensem bles QR
N
an d J
N
( 1) \ QR
N
ar e p oly nom i all y in dist i ngui shabl e wher e t he
concep t of p oly nom ial i nd ist i ngui sh abi li t y is giv en i n Defi nit ion 4. 14 i n 4. 7.
I t i s cl ear t hat t he avai l abi l i t y of t he publi c key N pl aces an upper bound for t he di f fi cul t y of t he
QR pr obl em si nce i t suf fi ces for an at t acker t o fact or N and t hen appl y t he GM decr y pt i on
al gor i t hm t o sol ve t he QR pr obl em. Ther efor e, t he GM cr ypt osyst em assumes t hat t he at t acker i s
pol y nomi al ly bounded. That i s why semant i c securi t y for encr ypt i on al gori t hms i s al so cal l ed
pol yn omi al i ndi st i ng ui shabi l i t y of encr y pt i on s.
I f t he QR assumpt i on t r ul y hol ds, t hen we can consi der t hat , vi ewed by a poly nomi al l y bounded
at t acker , t he GM encry pt i on al gor i t hm di st ri but es a plai nt ext bi t uni for ml y over t he ci pher t ext
space J
N
( 1) . The uni for m dist r i but ion of t he ciphert ext means t hat an at t empt for such an
at t acker t o guess t he pl ai nt ext f r om t he cor r espondi ng ci pher t ext i s a compl et el y senseless t hi ng
t o do. This is exact l y what Gol dwasser and Mical i mean by expressing t hei r not i on of semant i c
secur i t y i n t he for m of Pr oper t y 14. 1.
We can r e- expr ess t he not i on of semant ic secur i t y as i n Defi nit ion 14. 1.
Definition 14.1: Semantic Security, Security for Indistinguishable Chosen-plaintext Attack (IND-CPA Security) A cryptosystem with a security parameter k is said to be semantically secure (IND-CPA secure) if, after the attack game in Prot 14.1 has been played with any polynomially bounded attacker, the advantage Adv formulated in (14.2.3) is a negligible quantity in k.
We have the following result for the security of the GM cryptosystem.

Theorem 14.1
Let k be the size of the two prime factors of an RSA modulus N. The GM cryptosystem with security parameter k is semantically secure (IND-CPA secure) if and only if the QR assumption holds.
14.3.5 A Semantically Secure Version of the ElGamal Cryptosystem
Similar to the case of the RSA cryptosystem, the ElGamal cryptosystem specified in Alg 8.3 does not hide the quadratic residuosity of the plaintext. This is because in that algorithm we have set the public parameters (g, p) such that g generates the whole multiplicative group modulo p. In such a parameter setting, the quadratic residuosity of a plaintext can be related to that of the corresponding ciphertext. This is shown in Example 14.1.
Example 14.1.

Let the oracle O set up (p, g, y) as the public key material for the ElGamal cryptosystem specified in Alg 8.3. Then due to Euler's criterion (Theorem 6.13 in §6.5.1), g ∈ QNR_p (i.e., g is a quadratic non-residue modulo p).

Let Malice be an IND-CPA attacker. He should submit a message m_0 ∈ QR_p and a message m_1 ∈ QNR_p (applying Alg 6.2, it is easy for Malice to prepare m_0 and m_1 to satisfy these two conditions). Let (c_1, c_2) be the challenge ciphertext pair returned from O; by Alg 8.3 we have c_1 = g^k (mod p) and c_2 = y^k m_b (mod p) for the random exponent k chosen by O and the bit b of its coin tossing.

Now, Malice can pinpoint the plaintext by deciding the quadratic residuosity of y, c_1 and c_2. There are a few cases to consider.

Let us first consider y ∈ QR_p. This case is very easy. The plaintext is m_0 if and only if c_2 ∈ QR_p. This is due to the multiplicative property of the Legendre symbol given in Theorem 6.16.(ii) (in §6.5.2).

The case y ∈ QNR_p has two sub-cases which are also very easy. The first sub-case, c_1 ∈ QR_p, will cause y^k ∈ QR_p (because now k is even), and thereby the decision is identical to that in the previous paragraph. The reader may complete the second sub-case, c_1 ∈ QNR_p, by noticing that now k is odd.

As usual, having seen where the problem is, it is relatively easy to fix it. If we restrict the cryptosystem to working in QR_p, then the attack in Example 14.1 will no longer work. Alg 14.2 specifies a fix.

Algorithm 14.2: A Semantically Secure Version of the ElGamal Cryptosystem

Public Parameter Setup

Let G be an abelian group with the following description:

1. find a random prime number q with |q| = k;
2. test the primality of p = 2q + 1; if p is not prime, go to 1;
3. pick a random generator h of the whole multiplicative group modulo p, and set g = h^2 (mod p);
4. let desc(G) be such that G is the group generated by g;
   (* the group generated from g, see Definition 5.10 in §5.2.3 *)
5. let (p, g) be the public parameters for the ElGamal cryptosystem;
6. let G be the plaintext message space.

(* the rest is the same as that of Alg 8.3 *)
First of all we should notice that Alg 14.2 will terminate because there are plenty of prime numbers p such that (p − 1)/2 is also prime (7, 11, 23, 47, 59 are several examples). Such a prime is called a safe prime.

Next, by Fermat's Little Theorem, ord_p(g) = q, which is a large prime; therefore, the group G has a large order. This is a necessary requirement for the DL assumption to hold (Assumption 8.2).

Moreover, by Euler's Criterion (Theorem 6.13 in §6.5.1) we know g ∈ QR_p and therefore G = QR_p (the reader may answer why by noticing Theorem 5.2 in §5.2.3). So for chosen plaintexts m_0, m_1 ∈ QR_p, the numbers g, y, c_1, c_2 are all quadratic residues modulo p. Consequently, the quadratic-residuosity attack demonstrated in Example 14.1 will no longer work, since now all cases of quadratic residuosity testing will output the YES answer.

The stipulation of the plaintext space being G = QR_p causes no trouble for message encoding (at encryption time) and decoding (at decryption time). For example, for any message m < p, if m ∈ QR_p, then we are done; if m ∉ QR_p, then p − m ∈ G. This is because p = 2q + 1 with q an odd prime gives p ≡ 3 (mod 4), so by Euler's criterion −1 ∈ QNR_p, and therefore p − m ≡ −m ∈ QR_p = G.
For the fixed version of the ElGamal cryptosystem, Malice now faces a different decisional problem. Upon receipt of the challenge ciphertext (c_1, c_2) after having submitted m_0, m_1 for encryption, he can compute c_2/m_0 and c_2/m_1 (mod p). Notice that in the first case (i.e., if m_0 was encrypted) the tuple (g, y, c_1, c_2/m_0) is a Diffie-Hellman tuple, while in the second case it is not. So Malice should ask himself: is (g, y, c_1, c_2/m_0) a Diffie-Hellman tuple, or is (g, y, c_1, c_2/m_1)? That is, the IND-CPA game actually challenges Malice to answer the DDH Question in G (see Definition 13.1 in §13.3.4.3).

If Malice can answer the DDH Question in G correctly, then given the challenge ciphertext pair he can of course pinpoint the plaintext, i.e., the coin tossing of O, correctly. Conversely, because (g, y, c_1, c_2/m_0) (mod p) and (g, y, c_1, c_2/m_1) (mod p) are random tuples generated by g, if he can pinpoint the plaintext correctly then he can answer the DDH Question in G correctly.

So IND-CPA security for the ElGamal cryptosystem using the public parameters in Alg 14.2 is precisely the difficulty of answering the DDH Question in G (Theorem 14.2).

In the general case of abelian groups (which includes G defined in Alg 14.2) we do not know any efficient algorithm to answer the DDH Question. This difficulty has rendered the DDH Question a standard and widely accepted intractability assumption. The reader is referred to Boneh's survey article [47] for further study of this problem.
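The following Python program is added here as an illustration; it is not code from the book. It runs the residuosity attack of Example 14.1 against textbook ElGamal (Alg 8.3 parameters), then switches to the parameters of Alg 14.2 and shows that the same test learns nothing, that the encoding m ↦ p − m round-trips, and that the tuple (g, y, c_1, c_2/m) discussed above is a Diffie-Hellman tuple exactly for the encrypted plaintext. Key sizes are tiny demo values. Two things are assumptions of this code rather than statements of the text: messages are restricted to 1 ≤ m ≤ (p − 1)/2 so that decoding is unambiguous, and is_dh_tuple uses the secret x as a trapdoor, which Malice does not have (he would have to solve DDH).

```python
import random

def is_qr(a, p):
    # Euler's criterion (Theorem 6.13): a^((p-1)/2) is 1 for a QR, p-1 for a QNR
    return pow(a, (p - 1) // 2, p) == 1

def is_probable_prime(n, rng, rounds=16):
    # Miller-Rabin, adequate for generating demo parameters
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits, rng):
    # Alg 14.2 steps 1-2: prime q with |q| = bits such that p = 2q + 1 is also prime
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q

def textbook_params(bits, rng):
    # Alg 8.3 setting: g generates the whole multiplicative group mod p (order 2q), so g is a QNR
    p, q = safe_prime(bits, rng)
    while True:
        g = rng.randrange(2, p - 1)
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return p, g

def fixed_params(bits, rng):
    # Alg 14.2 step 3: g = h^2 has order exactly q for any h with h^2 != 1, so G = <g> = QR_p
    p, _ = safe_prime(bits, rng)
    return p, pow(rng.randrange(2, p - 1), 2, p)

def keygen(p, g, rng):
    x = rng.randrange(2, (p - 1) // 2)
    return x, pow(g, x, p)

def encrypt(p, g, y, m, rng):
    k = rng.randrange(1, p - 1)
    return pow(g, k, p), pow(y, k, p) * m % p  # (c_1, c_2) = (g^k, y^k m)

def decrypt(p, x, c1, c2):
    return c2 * pow(c1, p - 1 - x, p) % p  # c_1^(-x) by Fermat

def qr_attack(p, y, c1, c2):
    # Example 14.1, with m_0 in QR_p and m_1 in QNR_p: c_2 = y^k m_b is a QR iff y^k and m_b
    # have the same residuosity; y^k is a QR iff y is a QR or k is even, and since g is a QNR,
    # k is even iff c_1 = g^k is a QR.  Returns Malice's guess of b.
    yk_is_qr = is_qr(y, p) or is_qr(c1, p)
    return 0 if is_qr(c2, p) == yk_is_qr else 1

def encode(m, p):
    # p = 3 (mod 4) makes -1 a QNR, so exactly one of m and p - m lies in G = QR_p.
    # Restricting 1 <= m <= (p-1)/2 is an added assumption that makes decode() unambiguous.
    assert 1 <= m <= (p - 1) // 2
    return m if is_qr(m, p) else p - m

def decode(m_enc, p):
    return m_enc if m_enc <= (p - 1) // 2 else p - m_enc

def ddh_tuple(p, g, y, c1, c2, m):
    # (g, y, c_1, c_2/m) is a Diffie-Hellman tuple exactly when m is the encrypted plaintext
    return g, y, c1, c2 * pow(m, p - 2, p) % p

def is_dh_tuple(p, x, t):
    # trapdoor check using the secret x; without it Malice would have to solve DDH
    return t[1] == pow(t[0], x, p) and t[3] == pow(t[2], x, p)

def demo(bits=40, seed=1, trials=50):
    rng = random.Random(seed)
    # textbook ElGamal: Malice wins every round of the IND-CPA game
    p, g = textbook_params(bits, rng)
    x, y = keygen(p, g, rng)
    m0 = next(m for m in range(2, p) if is_qr(m, p))
    m1 = next(m for m in range(2, p) if not is_qr(m, p))
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        c1, c2 = encrypt(p, g, y, (m0, m1)[b], rng)
        wins += qr_attack(p, y, c1, c2) == b
    # Alg 14.2: g, y, c_1, c_2 are all squares, decryption still round-trips,
    # and only the tuple built from the real plaintext is a Diffie-Hellman tuple
    p, g = fixed_params(bits, rng)
    x, y = keygen(p, g, rng)
    m = rng.randrange(1, (p - 1) // 2 + 1)
    c1, c2 = encrypt(p, g, y, encode(m, p), rng)
    all_qr = all(is_qr(v, p) for v in (g, y, c1, c2))
    round_trip = decode(decrypt(p, x, c1, c2), p) == m
    real = is_dh_tuple(p, x, ddh_tuple(p, g, y, c1, c2, encode(m, p)))
    other = encode(m % ((p - 1) // 2) + 1, p)  # some other candidate plaintext
    fake = is_dh_tuple(p, x, ddh_tuple(p, g, y, c1, c2, other))
    return wins, all_qr, round_trip, real, fake
```

Calling demo() returns the attacker's win count against the textbook parameters (all trials), followed by three True values and one False for the fixed parameters. The attack needs only the public key and the Legendre symbol, which is why the whole of Alg 14.2 amounts to forcing every value Malice can see into QR_p.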
Assumption 14.2: Decisional Diffie-Hellman Assumption in finite fields (DDH Assumption) Let a group instance generator be given that on input 1^k runs in time polynomial in k and outputs (i) desc(G) (the description of an abelian group G of a finite field) with |#G| = k, and (ii) a group generator g ∈ G.

We say that this group instance generator satisfies the decisional Diffie-Hellman (DDH) assumption if for all sufficiently large k and for (desc(G), g) output by the generator on input 1^k, the ensembles (g, g^a, g^b, g^ab) and (g, g^a, g^b, g^c) are polynomially indistinguishable, where the concept of polynomial indistinguishability is given in Definition 4.14 (in §4.7).

We must notice that the DDH assumption is only considered on groups of finite fields, rather than in general abelian groups, since the DDH problem is easy in groups of points on supersingular elliptic curves (review §13.3.4.3).

We have established the following result for the fixed version of the ElGamal cryptosystem.

Theorem 14.2
The ElGamal cryptosystem using the public parameters in Alg 14.2 is IND-CPA secure if and only if the DDH assumption holds.
14.3.6 Semantically Secure Cryptosystems Based on Rabin Bits

After the work of Goldwasser and Micali on cryptosystems with semantic security, several public-key encryption schemes with semantic security which form improvements to the GM cryptosystem have been proposed by several authors. These include Blum and Micali [46], Yao [303] and an efficient scheme by Blum and Goldwasser [45].

The main idea in these improvements is the notion of a CSPRB generator (see the previous subsection). Such a generator is a program which takes as input a k-bit random seed and produces as output a k^t-bit number, where t > 1 is fixed. The output produced by a CSPRB generator is of high quality in the following sense: if the k-bit seed is totally unknown, then the output k^t-bit number cannot be distinguished from a truly random number of the same length by any statistical test which runs in time polynomial in k.

Now, to encrypt an ℓ-bit message m, the sender sends the exclusive-or of m with an ℓ-bit output string ps of a CSPRB generator on a k-bit input seed s, along with a public-key encryption of s, that is

Equation 14.3.3
c = (c_1, c_2), where c_1 is the encryption of s under the public key pk and c_2 = m ⊕ ps.

The legitimate recipient (i.e., the owner of the public key pk) can decrypt c_1 and obtain the seed s. This will enable the recipient to regenerate the ℓ-bit pseudo-random bit string ps from the CSPRB generator, and thereby to retrieve m from c_2 by the exclusive-or operation.

A CSPRB-generator-based encryption scheme has much improved efficiency over the "bit-by-bit" fashion of encryption. An ℓ-bit plaintext message is now expanded to an (ℓ + k)-bit ciphertext message instead of ℓk bits as in the case of the "bit-by-bit" fashion of encryption. The improved time and space complexities are similar to those of the textbook encryption schemes such as RSA, Rabin and ElGamal.

14.3.6.1 Semantic Security of a CSPRB-based Encryption Scheme

If the seed s is a uniformly random k-bit string and if the block-based deterministic public-key encryption algorithm under pk (with security parameter k) forms a permutation over its message space, then the first ciphertext block c_1 in (14.3.3) is permuted from a uniformly random number and hence is itself uniformly random. Thus, it can provide no a priori or a posteriori information about the plaintext for an attacker to exploit.

The RSA encryption algorithm is a permutation over its message space. The Rabin encryption algorithm can be constructed into a permutation in QR_N if N is a Blum integer; this has been shown in Theorem 6.18(iv) (in §6.7). So these encryption algorithms are good candidates for the encryption of s under pk.

Further, because of the strength of the CSPRB generator, the pseudo-random string ps generated from it using the seed s plays the role of the internal random operation of the encryption scheme. Consequently, the exclusive-or between m and ps provides a semantically secure encryption of m.

In the case of the efficient CSPRB-generator-based encryption scheme by Blum and Goldwasser (the BG cryptosystem, [45]), c_1 in (14.3.3) is s^(2^i) (mod N), where i is determined by the message length ℓ; and the pseudo-random bit string ps is generated from s using the BBS pseudo-random generator (§9.3.1) in a block-by-block fashion: each block is the log_2 log_2 N least significant bits of an element which is the 2^j-th power of s modulo N (j = 1, 2, ..., i − 1). Notice that the first element in the ciphertext pair is essentially a Rabin encryption of s.

Since the problem of extracting the simultaneous log_2 log_2 N least significant bits of a plaintext from a Rabin ciphertext is equivalent to factoring N (review Remark 9.1 in §9.3.1), the semantic security of the BG cryptosystem can be quantified as being equivalent to factoring the modulus N.

14.4 Inadequacy of Semantic Security

The notion of IND-CPA security (semantic security) introduced in Definition 14.1 (and in Property 14.1) captures the intuition that any polynomially bounded attacker should not be able to obtain any a priori information about a plaintext message given its encryption. However, this guarantee of plaintext secrecy is only valid when the attacker is passive when facing a ciphertext, i.e., all the attacker does with a ciphertext is eavesdrop.

In §8.6 and §8.14 we have pointed out that many public-key cryptosystems are particularly vulnerable to a so-called chosen-ciphertext attack (CCA and CCA2, see Definition 8.3 in §8.6). In CCA and CCA2, an attacker (now he is Malice) may get decryption assistance, that is, he may be in a certain level of control of a "decryption box" and so may have some ciphertext of his choice decrypted for him even though he does not have possession of the decryption key. We have treated such assistance as a "cryptanalysis training course" provided to Malice in order to ease his attack job. These modes of attack, in particular CCA2, are realistic in many applications of public-key cryptography. For example, some protocols may require a principal to perform a decryption operation on a random challenge to form a challenge-response mechanism. For another example, a receiver of an encrypted e-mail may reveal the plaintext message in subsequent public discussions.

The particular vulnerability to CCA or CCA2 shared by many public-key cryptosystems is due to the generally nice algebraic properties that underlie these cryptosystems. Malice may exploit these nice properties and make up a ciphertext via some clever calculations. If Malice is given decryption assistance, his clever calculations on the chosen ciphertext based on the nice algebraic properties of the target public-key cryptosystem may allow him to obtain messages which should otherwise not be available to him.

In Example 8.9 we have seen a vulnerability of the ElGamal cryptosystem to CCA2. That attack is obviously applicable to the fixed version of the cryptosystem with IND-CPA security, too. The same-style CCA2 attacks are obviously applicable to any IND-CPA secure scheme based on a CSPRB generator (in §14.3.6); in such attacks, c_2 in (14.3.3) is replaced with c_2 ⊕ r, where r is an ℓ-bit random string and plays the same (blinding) role as the random number r in Example 8.9.
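As an added example (not the book's code), the following Python program implements the Blum-Goldwasser construction described in §14.3.6.1 and the CCA2 malleability just noted. The two primes are constructed demo values, far too small for real use. Two details are assumptions made here rather than statements of the text: the seed s is chosen in QR_N so that c_1 = s^(2^i) has a unique 2^i-th root in QR_N (the owner of the Blum primes recovers it by repeated (p + 1)/4 exponentiation and the Chinese Remainder Theorem), and the number of keystream blocks is taken as ⌈ℓ / W⌉ with W = ⌊log_2 log_2 N⌋, so that i is one more than that. The malleate function shows that c_2 ⊕ r is a valid ciphertext of m ⊕ r, which is all a decryption oracle needs to leak m.

```python
import math
import random

# Constructed demo modulus: both primes are 3 (mod 4), so N is a Blum integer.
# Real deployments need primes of at least 1024 bits each; these are for illustration only.
P, Q = 999983, 1000003
N = P * Q
W = int(math.log2(math.log2(N)))  # bits taken from each BBS element (5 for this N)


def bbs_keystream(s, nblocks):
    """BBS (§9.3.1): the W low bits of s^(2^j) mod N for j = 1..nblocks, packed big-endian,
    together with the next element s^(2^(nblocks+1)) mod N, which becomes c_1."""
    x, ps = s, 0
    for _ in range(nblocks):
        x = x * x % N
        ps = (ps << W) | (x & ((1 << W) - 1))
    return ps, x * x % N


def bg_encrypt(m, length, rng):
    """(14.3.3) for the BG cryptosystem: c_1 = s^(2^i) mod N, c_2 = m xor ps (ps of `length` bits)."""
    t = rng.randrange(2, N)
    s = t * t % N  # assumption: seed chosen in QR_N so the 2^i-th root is unique
    nblocks = -(-length // W)  # ceil(length / W); i = nblocks + 1
    ps, c1 = bbs_keystream(s, nblocks)
    return c1, m ^ (ps >> (nblocks * W - length))


def root_2i(c, i, p):
    """Undo i squarings on QR_p for p = 3 (mod 4): the square root in QR_p is c^((p+1)/4)."""
    return pow(c, pow((p + 1) // 4, i, p - 1), p)


def bg_decrypt(c1, c2, length):
    """Recover s from c_1 with the factorization (a Rabin decryption), regenerate ps, unmask c_2."""
    nblocks = -(-length // W)
    sp, sq = root_2i(c1, nblocks + 1, P), root_2i(c1, nblocks + 1, Q)
    s = (sp * Q * pow(Q, -1, P) + sq * P * pow(P, -1, Q)) % N  # CRT
    ps, _ = bbs_keystream(s, nblocks)
    return c2 ^ (ps >> (nblocks * W - length))


def malleate(c1, c2, r):
    """§14.4: (c_1, c_2 xor r) is a valid ciphertext of m xor r; an oracle reply then leaks m."""
    return c1, c2 ^ r


def demo(length=64, seed=3):
    rng = random.Random(seed)
    m = rng.getrandbits(length)
    c1, c2 = bg_encrypt(m, length, rng)
    round_trip = bg_decrypt(c1, c2, length) == m
    r = rng.getrandbits(length)  # Malice's blinding string
    oracle_reply = bg_decrypt(*malleate(c1, c2, r), length)  # what Alice hands back
    return round_trip, oracle_reply ^ r == m
```

demo() returns (True, True): the scheme decrypts correctly, and the reply to the blinded ciphertext, XORed with r, is the original plaintext. Nothing in the ciphertext lets Alice tell the blinded query apart from an honest one, which is the gap IND-CCA security is meant to close.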
Example 14.2 shows the vulnerability of the GM cryptosystem to CCA2.

Example 14.2.

Let Malice be in conditional control of Alice's GM decryption box. The condition is quite "reasonable": if the decryption result of a ciphertext submitted by Malice looks random, then Alice should return the plaintext to Malice.

Let ciphertext C = (c_1, c_2, ..., c_ℓ) encrypt plaintext B = (b_1, b_2, ..., b_ℓ) which is from a confidential communication between Alice and someone else (not with Malice!). However, Malice has eavesdropped C and he wants to know B. He now sends to Alice the following "cleverly calculated ciphertext":

Equation 14.4.1
(c_1 y, c_2 y, ..., c_ℓ y) (mod N).

In this attack, Malice is making use of the following nice algebraic property: the quadratic residuosity of a product c y (mod N) is determined by that of c and that of y, since the Legendre symbol is multiplicative modulo each prime factor of N. This property is a direct result of Euler's criterion (see Theorem 6.13 in §6.5.1).

Thus, because y ∈ J_N(1) \ QR_N, we can view y as encrypting the bit 1. Then the "multiplying-y" attack in (14.4.1) causes flipping of the bit b_i for i = 1, 2, ..., ℓ, that is, the decryption result by Alice will be

B' = (b̄_1, b̄_2, ..., b̄_ℓ)

where b̄_i denotes the complement of the bit b_i for i = 1, 2, ..., ℓ.

This decryption result should look random to Alice. So Alice returns B' back to Malice. Alas, Malice finds B!

Malice can also make B' uniformly random (not just "look random") by using the "multiplier" Y = (y_1, y_2, ..., y_ℓ) instead of (y, y, ..., y), where Y is a GM encryption, under Alice's public key, of a uniformly random ℓ-bit tuple Z = (z_1, z_2, ..., z_ℓ) ∈_U {0, 1}^ℓ. It is easy to check that then B' = B ⊕ Z.

In this attack, Alice has provided Malice with an "oracle service" for decryption assistance. Notice that the oracle service need not be an explicit one. Example 14.3 shows that not replying to Malice's cipher query need not necessarily be a good strategy.
Example 14.3.

Suppose that now Alice will no longer return a random-looking decryption result back to Malice. For the encrypted message (c_1, c_2, ..., c_ℓ) (e.g., sent from Bob to Alice), Malice can still find the plaintext bit by bit.

For instance, in order to find whether c_1 encrypts 0 or 1, Malice can send to Alice an encrypted question for her to answer (e.g., a question for a YES/NO answer). Malice can encrypt the first half of the question in the usual way, but encrypts the second half of the question using c_1 in place of y in Alg 14.1.

If c_1 ∈ QR_N, then Alice will only decrypt the first half of the question correctly. The decryption of the rest of the question will be all zeros. So she will ask Malice why he only sends an incomplete sentence. Then Malice knows c_1 encrypts 0. On the other hand, if Alice can answer the question correctly, then Malice knows that c_1 is a non-residue and hence encrypts 1.

Notice that in this way of attack, Malice can even digitally sign all of his messages to Alice to assure her of the full and real authorship of these messages. Malice cannot be accused of any wrongdoing!

From these two ways of active attack we realize that the GM cryptosystem is hopelessly weak against an active attacker. In fact, the security notion of IND-CPA is hopelessly weak.
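The two active attacks above, written out in Python as an added illustration rather than taken from the book: a toy GM cryptosystem over constructed primes far below any real key size, whose public y is a pseudo-square; the multiply-by-y flip of (14.4.1) from Example 14.2 together with its uniformly random variant that multiplies by a fresh encryption of Z; and the probe of Example 14.3 that encrypts the second half of a question under an eavesdropped ciphertext element in place of y. Alice's decryption box is modelled as gm_decrypt with no policy at all, so the caller plays the oracle she unwittingly provides.

```python
import random

# Constructed demo parameters: two small primes, far below any real key size.
P, Q = 999983, 1000003
N = P * Q


def legendre(a, p):
    """Euler's criterion (Theorem 6.13): 1 for a quadratic residue mod p, p-1 for a non-residue."""
    return pow(a, (p - 1) // 2, p)


def pseudo_square(p, q):
    """The public y of Alg 14.1: Jacobi symbol (y/N) = 1 but y not in QR_N, i.e. a QNR mod both p and q."""
    y = 2
    while not (legendre(y, p) == p - 1 and legendre(y, q) == q - 1):
        y += 1
    return y


Y = pseudo_square(P, Q)


def gm_encrypt(bits, rng, y=Y):
    """Alg 14.1: bit 0 -> r^2, bit 1 -> y r^2 (mod N). With a square in place of y, bit 1 is also a square."""
    out = []
    for b in bits:
        r = rng.randrange(2, N)
        out.append(r * r % N * (y if b else 1) % N)
    return out


def gm_decrypt(cipher):
    """Alice's box: a square (Legendre +1 mod P) decrypts to 0, a pseudo-square to 1."""
    return [0 if legendre(c, P) == 1 else 1 for c in cipher]


def flip_attack(cipher):
    """(14.4.1): multiply every c_i by y; the product encrypts the complement of b_i."""
    return [c * Y % N for c in cipher]


def blinded_attack(cipher, rng):
    """Multiply by a fresh GM encryption of uniform Z, so Alice's output B' = B xor Z is uniform."""
    z = [rng.randrange(2) for _ in cipher]
    return [c * yz % N for c, yz in zip(cipher, gm_encrypt(z, rng))], z


def probe_attack(c1, question, rng):
    """Example 14.3: encrypt the second half of a question with the eavesdropped c_1 in place of y."""
    half = len(question) // 2
    return gm_encrypt(question[:half], rng) + gm_encrypt(question[half:], rng, y=c1)


def demo(seed=7):
    rng = random.Random(seed)
    secret = [1, 0, 1, 1, 0, 0, 1, 0]  # B, sent by Bob to Alice
    cipher = gm_encrypt(secret, rng)  # C, eavesdropped by Malice
    # Example 14.2: Alice returns the random-looking B'; Malice undoes the flip or the blinding
    from_flip = [1 - b for b in gm_decrypt(flip_attack(cipher))]
    blinded, z = blinded_attack(cipher, rng)
    from_blind = [b ^ zi for b, zi in zip(gm_decrypt(blinded), z)]
    # Example 14.3: what Alice reads when the probe reuses cipher[0] (encrypts 1) or cipher[1] (encrypts 0)
    question = [1, 0, 1, 1, 0, 1, 1, 0]
    reads_for_one = gm_decrypt(probe_attack(cipher[0], question, rng))
    reads_for_zero = gm_decrypt(probe_attack(cipher[1], question, rng))
    return from_flip == secret, from_blind == secret, reads_for_one, reads_for_zero
```

demo() returns True twice for the two variants of Example 14.2, then the question read intact (the probed element was a pseudo-square, so it encrypts 1) and the question with its second half zeroed (the probed element was a square, so it encrypts 0). Alice's reaction, not any explicit reply of plaintext, is what leaks the bit.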

14.5 Beyond Semantic Security

Lifting the security notion from the "all-or-nothing" secure (Property 8.2 in §8.2) to IND-CPA secure (Definition 14.1) forms a first step in our process of strengthening security notions.

In §14.4 we have seen that a security notion in the IND-CPA sense is not good enough for applications where a user may be tricked into providing an oracle service in the decryption mode. Indeed, in applications of cryptographic systems, it is impractical to require an innocent user to keep vigilant all the time and never provide an oracle service in the decryption mode. Therefore, stronger security notions are needed.

The next step in our process of strengthening security notions is to consider an attack model called indistinguishable chosen-ciphertext attack (IND-CCA). In this attack model, we further ease the difficulty for Malice to break the target cryptosystem: in addition to the encryption assistance provided in the CPA game (Prot 14.1), we allow Malice to obtain a conditional assistance in the decryption mode. A formal treatment of the IND-CCA model is based on a game due to Naor and Yung [210]. The game is named "lunchtime attack" or "indifferent chosen-ciphertext attack."
14.5.1 Security Against Chosen-ciphertext Attack

A lunchtime attack describes a real-life scenario of Malice who, in the absence of other employees of an organization (e.g., during lunchtime), queries the decryption mechanism of the organization, in the hope that the interactions with the decryption box may provide him with a kind of "cryptanalysis training course" which may make him more experienced in a future cryptanalysis of the organization's cryptosystem. Due to the short duration of lunchtime, Malice does not have enough time to prepare his ciphertext queries so that they are related to the answers of the decryption box by some function. Therefore, all ciphertexts he queries during lunchtime are ones which he had prepared before lunchtime.

This real-life scenario can also be modeled by a game of attack. The game will be played by the same players as in the IND-CPA attack game (Prot 14.1): Malice, who may be a disgruntled employee of an organization, and an oracle O who is now the decryption (and encryption) mechanism of the organization. We shall name the game an indistinguishable chosen-ciphertext attack (IND-CCA). The new game is specified in Prot 14.3.

Protocol 14.3: "Lunchtime Attack" (Non-adaptive Indistinguishable Chosen-ciphertext Attack)

PREMISE
i. As in Prot 14.1, Malice and oracle O have agreed on a target cryptosystem for which O has fixed an encryption key;
ii. Malice has prepared some ciphertext messages before lunchtime.

1. Malice sends to O a prepared ciphertext message c ∈ C;
2. O decrypts c and returns the decryption result back to Malice;
(* the ciphertext c is called a chosen ciphertext or an indifferent chosen-ciphertext; it is considered that to return the decryption result back to Malice is to provide him with a "cryptanalysis training course;" Malice can ask for this "training course" to repeat as many times as he wishes; he may want to consider using a program to speed up the "training sessions" since lunchtime is short *)
3. Upon satisfaction of the "decryption training course," Malice now asks O to play the CPA game in Prot 14.1;
(* in this instantiation of the CPA game, the chosen plaintext messages m_0 and m_1 are called adaptive chosen-plaintext messages; that is, these two messages can be some functions of the entire history of the "decryption training course" provided in Steps 1 and 2; therefore, Malice's "find-stage" starts right at the beginning of this protocol and ends upon his receipt of the challenge ciphertext c* ∈ C, which encrypts, equally likely, one of his two chosen plaintext messages m_0, m_1 *)
(* we reasonably assume that Malice can compute adaptive chosen-plaintext messages even in the short lunchtime since working on plaintext should be relatively easier than working on ciphertext *)
(* by now, "lunchtime" is over; so Malice should answer either 0 or 1 as his educated guess on O's coin tossing in the CPA game; however, even though the game is over, Malice remains in the "guess-stage" until he answers *)
At first glance, one may argue that the lunchtime attack game does not model a realistic attack scenario. Who will be so nice and so naive as to play the role of a decryption box and answer Malice's decryption queries? We should answer this question from several different considerations.

In many applications of cryptosystems (in particular, in cryptographic protocols), it is often the case that a user (a participant of a protocol) is required, upon receipt of a challenge message, to perform a decryption operation using her private key and then send the decryption result back. This is the so-called challenge-response mechanism (see Chapter 2 and Chapter 11).
We may have to accept a fact of life: many users are just hopelessly naive and cannot be required or educated to maintain a high degree of vigilance in anticipation of any trick launched by bad guys. In fact, it would not be wrong for us to say that stronger cryptosystems and security notions are developed exactly for naive users.

Malice can embed decryption queries inside normal and innocent-looking communications, and in so doing he may get implicit answers to his queries. Examples 9.2 and 14.3 provide vivid active attacks which are very innocent-looking. It can be very difficult to differentiate such attacks from legitimate secure communications. Not answering any questions (encrypted questions or answers) does not constitute a good solution to active attacks but a self-denial of the benefit of the secure communication technology.

Malice can even exploit a subliminal channel such as that in the timing attack we have seen in §12.5.4, which answers Malice's questions in terms of differences in time delays.

The correct attitude toward Malice is to face him straight on and provide him the "cryptanalysis training course" on his demand. The training course can be in encryption or in decryption, at a whole data-block level or at a single-bit level. Our strategy is to design strong cryptosystems such that the "cryptanalysis training course," even supplied on demand, won't help Malice to break a target cryptosystem!
Following the same reasoning as in §14.2 for deriving Malice's advantage for breaking the target cryptosystem in the CPA game (Prot 14.1), we can analogously derive Malice's advantage in the lunchtime attack game. The formulation of the advantage is very similar to (14.2.3), except that we should now add the entire history of the chosen-ciphertext cryptanalysis training course to the input of Malice. Let Hist-CCA denote this history. Malice's advantage is:

Equation 14.5.1

To this end we reach a new security notion which is strengthened from the IND-CPA security notion.

Definition 14.2: Security for Indistinguishable Chosen-ciphertext Attack (IND-CCA Security) A cryptosystem with a security parameter k is said to be secure against an indistinguishable chosen-ciphertext attack (IND-CCA secure) if, after the attack game in Prot 14.3 is played with any polynomially bounded attacker, the advantage Adv formulated in (14.5.1) is a negligible quantity in k.

Since in a lunchtime attack the decryption assistance (or "cryptanalysis training course") for Malice is provided on top of the IND-CPA game in Prot 14.1, the new attack game must have reduced the difficulty of Malice's cryptanalysis task from that of the IND-CPA game. We should therefore expect that some cryptosystems which are IND-CPA secure will no longer be IND-CCA secure.

None of the IND-CPA secure cryptosystems which we have introduced in this chapter has been proven IND-CCA secure. Alas, among them, there is a demonstrably insecure one! This is the efficient CSPRB-generator-based cryptosystem of Blum and Goldwasser, which we have introduced in §14.3.6.

Example 14.4.

To attack the BG cryptosystem in a lunchtime attack, Malice should make a chosen-ciphertext query (c, m) where c is a chosen quadratic residue modulo N and m is a chosen bit string. Observing the BG cryptosystem described in §14.3.6, we know that the response to Malice will be the following decryption result:

Bit-wise XOR-ing m to the reply, Malice obtains the least significant bits of a square root modulo N of c. Remember that c is a chosen quadratic residue modulo N. Reviewing Remark 9.1 (in §9.3.1), providing Malice with the least significant bits of a square root of c will entitle him to factor N in probabilistic polynomial time!

Example 14.4 shows that it is indeed the very cryptanalysis training course provided to Malice that empowers him to break the cryptosystem. The consequence is so severe and thorough that it is not a mere disclosure of one ciphertext, but the total destruction of the cryptosystem.

We also realize that the precise basis for the BG cryptosystem to be IND-CPA secure is also the very cause for the cryptosystem to be insecure against IND-CCA. This is analogous to the case of the Rabin cryptosystem under the "all-or-nothing" sense of security (see Theorem 8.2 in §8.11).
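Prot 14.3 and Example 14.4 carried out in code, as an added example that is not part of the book: a toy Blum-Goldwasser cryptosystem, a decryption box playing the role of O, and Malice turning that box into an oracle for the least significant bit of a principal square root and factoring N from it. Every chosen ciphertext is prepared before "lunchtime" and none depends on an earlier reply, exactly the non-adaptive setting of Prot 14.3; only the arithmetic after the replies come back uses them. The reduction from the lsb oracle to factoring is the one the text attributes to Remark 9.1 but does not reproduce here; the version implemented below is a halving (binary-search) argument that assumes p ≡ q (mod 8), so that either 2 or -2 is a quadratic residue modulo N, and it does not cover the remaining Blum-integer case. Key sizes, helper names (`principal_sqrt`, `lunchtime_factor`, and so on) and the seeded random choices are this example's own constructions.

```python
import math, random

# Added example, not the book's code: toy Blum-Goldwasser (BG), a decryption box playing O in
# Prot 14.3, and Malice's lunchtime attack of Example 14.4 run against it.  Assumption of this
# example: p == q (mod 8), so 2 or -2 is a QR mod N and the multiply-by-4 halving trick works.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.4e14 (here n < 2**32)."""
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def blum_prime(rng, bits, residue_mod_8):
    """Random `bits`-bit prime congruent to residue_mod_8 (3 or 7) modulo 8."""
    while True:
        p = (rng.getrandbits(bits) | (1 << (bits - 1))) >> 3 << 3 | residue_mod_8
        if is_probable_prime(p):
            return p

def bg_keygen(rng, bits=32):
    residue = rng.choice((3, 7))                  # same residue for p and q (see assumption)
    p = blum_prime(rng, bits, residue)
    q = blum_prime(rng, bits, residue)
    while q == p: q = blum_prime(rng, bits, residue)
    return p, q

def principal_sqrt(p, q, y):
    """The unique square root of the QR y mod N=pq that is itself a QR (needs p and q)."""
    rp, rq = pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def bg_encrypt(n, m_bits, rng):
    """x_0 random QR, x_i = x_{i-1}^2, c_i = m_i xor lsb(x_i); ciphertext is (c, x_{l+1})."""
    x = pow(rng.randrange(2, n - 1), 2, n)
    c_bits = []
    for m in m_bits:
        x = x * x % n
        c_bits.append(m ^ (x & 1))
    return c_bits, x * x % n

def bg_decrypt(p, q, ct):
    """Walk back from x_{l+1} to x_1 by principal square roots and strip the pad."""
    c_bits, x = ct
    xs = []
    for _ in c_bits:
        x = principal_sqrt(p, q, x)               # x_l, x_{l-1}, ..., x_1
        xs.append(x)
    return [c ^ (xi & 1) for c, xi in zip(c_bits, reversed(xs))]

def lunchtime_factor(n, lsb_oracle, rng, trials=16):
    """Malice factors n from lsb(principal_sqrt(y)) for chosen QRs y (the Remark 9.1 setting)."""
    k = n.bit_length()
    # Before lunchtime: prepare every query.  x_cal is a known QR (its principal root is itself);
    # each trial x gives y = x^2 with unknown QR root r.  Since principal_sqrt(4^i y) = (+-2)^i r
    # mod n, the reply for 4^i y is floor(2^i r / n) mod 2, up to a sign fixed by x_cal.
    x_cal = pow(rng.randrange(2, n - 1), 2, n)
    xs = [rng.randrange(2, n - 1) for _ in range(trials)]
    batch = [4 * x_cal * x_cal % n]
    for x in xs:
        batch += [pow(4, i, n) * x * x % n for i in range(1, k + 1)]
    # Lunchtime: submit the prepared ciphertexts; no query depends on an earlier reply.
    replies = [lsb_oracle(c) for c in batch]
    # After lunchtime: negation flips the lsb (n is odd), so the known root fixes the sign.
    flip = replies[0] ^ (2 * x_cal % n & 1)       # 0 if 2 is a QR mod n, 1 if -2 is
    for t, x in enumerate(xs):
        acc = 0
        for i, a in enumerate(replies[1 + t * k:1 + (t + 1) * k], start=1):
            acc = 2 * acc + (a ^ (flip & (i & 1)))    # acc = floor(2^i r / n)
        r = (acc * n + (1 << k) - 1) >> k             # only integer in [acc*n/2^k, (acc+1)*n/2^k)
        if r * r % n == x * x % n and r not in (x, n - x):
            g = math.gcd(r - x, n)                     # r = +-w with w != +-x: nontrivial factor
            return sorted((g, n // g))
    return None                                        # each trial gives r = +-x with prob. 1/2

def run_lunchtime_attack(seed=7, bits=32, msg_len=8):
    rng = random.Random(seed)
    p, q = bg_keygen(rng, bits)
    n = p * q
    def lsb_oracle(y):
        # Query (0...0, y) as in Example 14.4: the last reply bit is lsb(principal_sqrt(y)).
        return bg_decrypt(p, q, ([0] * msg_len, y))[-1]
    factors = lunchtime_factor(n, lsb_oracle, rng)
    m = [rng.getrandbits(1) for _ in range(msg_len)]   # sanity check of the toy scheme itself
    ok = bg_decrypt(p, q, bg_encrypt(n, m, rng)) == m
    return {"N": n, "p": p, "q": q, "factors": factors, "roundtrip_ok": ok}
```

The box never sees anything but well-formed ciphertexts with an all-zero bit part, and each batch of `N.bit_length()` queries costs Malice one trial; about half the trials end with the principal root equal to ±x and teach him nothing, the other half hand him the factorization.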
Naor and Yung propose a cryptosystem which is provably secure against IND-CCA [210]. In that cryptosystem, a plaintext message is encrypted in a bit-by-bit fashion into two ciphertext messages under two different public keys. The encryption algorithm includes a non-interactive zero-knowledge (NIZK) proof procedure which enables the sender of a plaintext message to prove that the two ciphertext messages do encrypt the same plaintext bit under the respective public keys (consider that the encryption algorithm forms an NP problem with the plaintext and the random input to the algorithm as the witness to the NP problem; see the discussion in §4.8.1). This proof will be verified at decryption time (e.g., by O in the lunchtime attack game). Passing the verification procedure at decryption time implies that the plaintext encrypted under the pair of ciphertext messages is already known to the sender (e.g., known to Malice in the lunchtime attack game). So serving Malice at "lunchtime" will not provide him with any new knowledge for easing his cryptanalysis job. Due to the rather high cost of realizing a NIZK proof (verification) for an encryption (decryption) algorithm and the bit-by-bit fashion of encryption and decryption, the cryptosystem of Naor and Yung [210] is not intended for practical use.

The lunchtime attack is a quite restrictive attack model in that the decryption assistance provided to Malice is only available in a short period of time. It is as if the decryption box would be switched off permanently after "lunchtime," or Malice would not strike back any more, not even at "lunchtime" tomorrow. This is not a reasonable or realistic scenario. In reality, naive users will remain permanently naive, and Malice will definitely strike back, probably even as soon as the afternoon tea-break time! Therefore the security notion in IND-CCA is, again, not strong enough. We need a still stronger security notion.
14.5.2 Security Against Adaptive Chosen-ciphertext Attack

A further step in our process of strengthening security notions is to consider an attack model called indistinguishable adaptive chosen-ciphertext attack (IND-CCA2). Rackoff and Simon originally proposed this stronger attack model [241].
In this attack model, we further ease the difficulty for Malice to attack cryptosystems from that in the lunchtime attack. In the lunchtime attack game (see Prot 14.3), the decryption assistance (or "cryptanalysis training course") is conditional in that the assistance will be stopped upon Malice's submission of the pair of adaptive chosen-plaintext messages; that is, a lunchtime attack stops upon termination of the IND-CPA game (i.e., Prot 14.1), and from then on the decryption assistance becomes permanently unavailable.

In the new attack model we remove this unrealistic condition of a short-period availability of decryption assistance which is somewhat artificially placed in the lunchtime attack. Now the decryption assistance for Malice will be permanently available before and after a lunchtime attack. We can imagine this attack scenario as a prolonged lunchtime attack. For this reason, we shall name this new attack model small-hours attack. This name describes a real-life scenario in which Malice, again as a disgruntled employee of an organization, stays up all night to play with the decryption mechanism of the organization. Notice that the small-hours attack is different from the so-called midnight attack which often appears in the literature as another name for the lunchtime attack; perhaps, as in the lunchtime attack, it is considered that the security guards of an organization have their meals rather punctually around midnight.

Since now Malice has plenty of time to go unnoticed, he will of course play with the decryption box in a more sophisticated and more interesting way. In addition to what he can do at lunchtime (in fact at midnight), i.e., adaptively choose plaintext queries using information gathered from the "decryption training course" and subsequently obtain a corresponding challenge ciphertext, now Malice can also submit adaptive chosen-ciphertext messages after he receives the challenge ciphertext. Therefore, the adaptive chosen-ciphertext messages can somehow be related to the challenge ciphertext, of which the corresponding plaintext is chosen by him. Of course, the decryption box is intelligent enough not to decrypt the exact challenge ciphertext for Malice! This is the only restriction, and it is of course a reasonable one. Without this restriction, Malice can simply ask the decryption box to decrypt the challenge ciphertext for him, and we will not have an interesting game to play! The decryption box is also dumb enough that it will decrypt a ciphertext which can be related to the challenge ciphertext in any straightforward way! Any minute change of the challenge ciphertext, such as multiplying by 2, or adding 1, will guarantee a decryption service!

Our description of the new attack model is specified in Prot 14.4.

Again, following the same reasoning as in §14.2 for deriving Malice's advantage for breaking the target cryptosystem in the IND-CPA game (Prot 14.1), we can analogously derive Malice's advantage for breaking the target cryptosystem in the small-hours attack game. The formulation of the advantage is again very similar to (14.2.3), except that we should now add to Malice's input the entire history of the two cryptanalysis training courses, one for the pre-challenge CCA, and one for the post-challenge CCA or "extended CCA." Let Hist-CCA2 denote this whole history. Malice's advantage is:

Equation 14.5.2

To this end we reach a new security notion which is further strengthened from the IND-CCA security notion.
Definition 14.3: Security for Indistinguishable Adaptive Chosen-ciphertext Attack (IND-CCA2 Security) A cryptosystem with a security parameter k is said to be secure against an indistinguishable adaptive chosen-ciphertext attack (IND-CCA2 secure) if, after the attack game in Prot 14.4 is played with any polynomially bounded attacker, the advantage Adv formulated in (14.5.2) is a negligible quantity in k.
Protocol 14.4: "Small-hours Attack" (Indistinguishable Adaptive Chosen-ciphertext Attack)

PREMISE
As in Prot 14.1, Malice and oracle O have agreed on a target cryptosystem for which O has fixed an encryption key.

1. Malice and O play the lunchtime attack game in Prot 14.3;
(* in this instantiation of the lunchtime attack game Malice's "find-stage" is the same as that in Prot 14.3, which ends upon his receipt of the challenge ciphertext c* ∈ C, which encrypts, equally likely, one of his two chosen plaintext messages m_0, m_1; however, in this instantiation, Malice is allowed to extend his "guess-stage;" the extended "guess-stage" is as follows *)
2. Malice further computes a ciphertext c' ∈ C and submits it to O for decryption;
(* the ciphertext c' is called an adaptive chosen-ciphertext or post-challenge chosen ciphertext; in contrast, the chosen ciphertext in the lunchtime attack game (Prot 14.3) is also called pre-challenge chosen ciphertext; step 2 is considered to serve Malice a "decryption training course" extended from that of the lunchtime attack game; Malice can ask for the "extended training course" to repeat as many times as he wishes *)
(* it is stipulated that c' ≠ c*, namely, Malice is not allowed to send the challenge ciphertext back for decryption *)
3. Upon satisfaction of the "extended decryption training course," Malice must now answer either 0 or 1 as his educated guess on O's coin tossing.
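The game of Prot 14.4 played out in code, as an added example that is not part of the book. Textbook RSA stands in for a malleable cryptosystem (the chapter's own CCA2-insecure examples are cited by number only in this section), O enforces the single stipulation c' ≠ c*, and Malice wins every game with the "multiply by 2" change the text mentions: c' = c* · 2^e mod N decrypts to 2m_b, which is not the challenge ciphertext yet reveals m_b. The pre-challenge (lunchtime) phase of step 1 is unused here because one post-challenge query is enough. The primes, exponent and the `Oracle`/`malice` helpers are this example's own constructions and the key is a readable toy size, not a secure one.

```python
import random

# Added example, not the book's code: the small-hours attack game of Prot 14.4 played against
# textbook RSA, used here as a stand-in for a malleable cryptosystem.  O enforces the single
# rule c' != c*; Malice wins every game with the "multiply by 2" change the text mentions.
# The primes below are a readable toy key, not a secure size.

P, Q, E = 999983, 1000003, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def rsa_enc(m):
    return pow(m, E, N)

def rsa_dec(c):
    return pow(c, D, N)

class Oracle:
    """O in Prot 14.4: tosses a coin, encrypts m_b, then decrypts anything except c*."""
    def __init__(self, rng):
        self.rng = rng
        self.challenge = None
        self.b = None

    def challenge_ciphertext(self, m0, m1):
        self.b = self.rng.getrandbits(1)              # O's coin tossing
        self.challenge = rsa_enc((m0, m1)[self.b])
        return self.challenge

    def decrypt(self, c):
        if c == self.challenge:
            return None                               # stipulation c' != c*: refused
        return rsa_dec(c)

def malice(oracle, rng):
    """Malice's find-stage (choose m_0 != m_1) and extended guess-stage; returns (guess, refused)."""
    m0, m1 = rng.randrange(2, N - 1), rng.randrange(2, N - 1)
    while m1 == m0:
        m1 = rng.randrange(2, N - 1)
    c_star = oracle.challenge_ciphertext(m0, m1)
    refused = oracle.decrypt(c_star) is None          # the one query O will not serve
    # Post-challenge chosen ciphertext: c' = c* * Enc(2) = Enc(2 m_b) mod N, and c' != c*.
    two_mb = oracle.decrypt(c_star * rsa_enc(2) % N)
    m_b = two_mb * pow(2, -1, N) % N                  # strip the known factor 2
    return (1 if m_b == m1 else 0), refused

def play_games(rounds=200, seed=11):
    """Success rate over repeated games: 1.0 for textbook RSA, where blind guessing gives 1/2."""
    rng = random.Random(seed)
    wins, all_refused = 0, True
    for _ in range(rounds):
        o = Oracle(rng)
        guess, refused = malice(o, rng)
        wins += guess == o.b
        all_refused &= refused
    return {"success_rate": wins / rounds, "challenge_refused": all_refused}
```

The refusal of c* itself is honoured every time and changes nothing: the box is, in the text's words, dumb enough to decrypt any straightforward relative of the challenge, and that is all an IND-CCA2 adversary needs.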
We summarize the various IND attack games introduced so far in Fig 14.1.

Figure 14.1. Summary of the Indistinguishable Attack Games

Since in the small-hours attack game the "extended" decryption assistance (or the "extended cryptanalysis training course") is provided after the lunchtime attack game in Prot 14.3, the new attack game must have further reduced the difficulty for Malice to break the target cryptosystem from that in a lunchtime attack. We should therefore expect that some cryptosystems which are IND-CCA secure will no longer be IND-CCA2 secure. In fact, except for the RSA-OAEP which we have specified in Alg 10.6, none of the other cryptosystems introduced so far in this book is provably IND-CCA2 secure. We have demonstrated plenty of examples of cryptosystems which are CCA2 insecure, i.e., in the "all-or-nothing" sense, and hence they are also IND-CCA2 insecure (see Examples 8.5, 8.7, 8.9, 9.2, 14.2, 14.3).

After having introduced the notion of IND-CCA2 security, Rackoff and Simon proposed IND-CCA2 secure cryptosystems which are also based on NIZK proof. However, they considered the case of an NIZK proof with a specific prover. In their IND-CCA2 secure cryptosystems, not only does the receiver have a public-private key pair, the sender has such a key pair too. Moreover, the sender's public key is certified by a public-key certification infrastructure (see the techniques in §13.2). The sender will use not only the receiver's public key to encrypt a message as usual, but also his own private key in the construction of a NIZK proof so that the receiver of the ciphertext can verify the proof using the sender's public key. Passing of the NIZK verification implies that it is the specific sender (prover) who has created the plaintext, and hence returning the plaintext back to the sender will not provide him any information useful for breaking the target cryptosystem. The IND-CCA2 secure cryptosystems of Rackoff and Simon also operate in the bit-by-bit fashion.
14.5.3 Non-Malleable Cryptography
Non-malleable (NM) cryptography [100] strengthens security notions for public-key cryptography in the computational direction. NM is the requirement that it should not be easy for Malice to modify a plaintext message in a meaningfully controllable manner by modifying the corresponding ciphertext. Dolev et al. describe the importance of this requirement very well using a contract bidding example.
Suppose that construction companies are invited by a municipal government to bid for constructing a new elementary school. The government, which actively progresses its electronic operations, advertises its public key E to be used for encrypting bids, and opens an e-mail address e-gov@bid.for.it.gov for receiving the encrypted bids. Company A places its bid of $1,500,000 by sending E(1,500,000) to e-gov@bid.for.it.gov. However, the e-mail is intercepted by Malice, the head of CheapSub, a one-man company specializing in selling sub-contracts to some cheap builders. If the encryption algorithm used by the e-government is malleable, then Malice may somehow transform E(1,500,000) into E(15,000,000). In so doing, Malice's own bid would have a much better chance of winning.
The simplest example of a malleable encryption algorithm is the one-time pad. In Part III we have also seen that all the basic and popular public-key encryption functions are easily malleable.

Unlike in the various cases of attacks on indistinguishability (IND) security, where the attack problems are decisional ones, a malleability attack is a computational problem. The problem is described in Prot 14.5.
In this malleability attack, because the goal of Malice, given a challenge ciphertext c*, is not to learn something about the target plaintext, he need not know the target plaintext at all. However, for his attack to be successful, Malice must output a "meaningful" relation R relating the decryptions of c* and c'.
Malice's success is also expressed in terms of an advantage. In [100], the authors use the idea of zero-knowledge simulation[a] to express this advantage. First, Malice, who is again a PPT algorithm, is given c* (the encryption under pk of the target plaintext) and outputs, with a certain probability, a ciphertext under pk together with a relation R. Secondly, a simulator, whom we denote by ZK-Sim and who is a PPT algorithm, is not given c* but will also output a ciphertext with a certain probability. (ZK-Sim even ignores the encryption algorithm and the public key!) Malice's advantage in mounting a malleability attack is the following probability difference:

Equation 14.5.3

[a] In a later chapter we shall study topics of zero-knowledge proof and polynomial-time simulation of such proofs.
The cryptosystem E_pk with a security parameter k is said to be non-malleable if, for all PPT-computable relations R and for all PPT attackers (i.e., Malice and the like), NM-Adv is a negligible function in k. In [100], this security notion is called "semantic security with respect to relations under chosen-plaintext attack." We therefore name it NM-CPA. NM-CPA intuitively captures the following desirable security quality.

Protocol 14.5: Malleability Attack in Chosen-plaintext Mode

PREMISE

As in Prot 14.1, Malice and oracle O have agreed on a target cryptosystem for which O has fixed an encryption key pk.

Malice and O play the following game:

1. Malice sends to O: v, desc(v), where v is a vector containing a plural number of plaintexts, and desc(v) is a description of the distribution of the plaintexts in v;
2. O creates a valid challenge ciphertext c* by encrypting under E_pk a plaintext drawn following the distribution of the plaintexts in v; O sends c* to Malice;
3. Upon receipt of c*, Malice must output a "meaningful" PPT-computable relation R and another valid ciphertext c' under E_pk such that R evaluates to 1 on the plaintext of c* and the plaintext of c'.
Property 14.2: NM-CPA Security  Given a ciphertext from an NM-CPA secure cryptosystem, Malice's advantage to mount a malleability attack on the cryptosystem does not increase in any PPT discernible way from that to "mount the attack" (i.e., to simulate an attack) without the ciphertext.
While providing a ciphertext should not ease an attack problem, providing "cryptanalysis training courses" should! Analogous to the cases of IND-CCA and IND-CCA2, a malleability attack can also be eased in the lunchtime attack mode and in the small-hours attack mode. In a malleability attack eased in the lunchtime attack mode, Malice can send a plural number of chosen ciphertexts to O for decryption, but this service terminates upon Malice's request to receive the challenge ciphertext c*. In a malleability attack eased in the small-hours attack mode, the decryption service does not terminate after the challenge ciphertext c* has been sent to Malice. Of course, as we have stipulated in the small-hours attack game, Malice is not allowed to send c* back to O for decryption service.

Consequently, we have the NM-CCA and NM-CCA2 security notions.
Due to these problems' computational nature, we shall not include here a rigorously formal treatment of NM-security notions. The inquisitive reader is referred to [100] for details. It is quite reasonable to anticipate that a formalization of NM notions will involve some complexities which need not be involved in the IND-security notions. For example, unlike in the case of a decisional problem, where we do not need to take care of the size of the plaintext message space (there it can even be as small as 2, e.g., as in the GM cryptosystem), a formalization of the NM notion must stipulate that the plaintext message space be sufficiently large so that the computation of the relation R will not degenerate into a trivial problem.

In [19], the authors provide slightly different formalizations for NM security notions which are based on attack games similar to those we have introduced for the various IND attacks. The reader may find that the treatment in [19] is easier to access as a result of its similarity to the games we have introduced for the IND security notions.
Nevertheless, our description of the NM security notions does suffice to capture the idea of NM-security with adequate precision. Immediately we can see that most textbook encryption algorithms which are results of direct applications of one-way trapdoor functions are easily malleable. As we have seen in Chapter 9, all common one-way (trapdoor) functions underlying popular public-key cryptography can be inverted by making use of some partial information oracles (e.g., "parity oracle" or "half-order oracle"); the principle of these inverting methods is exactly malleability attacks mounted on the unknown plaintext messages. For example, for the RSA case of c = m^e (mod N), Malice knows that the unknown plaintext m can be doubled if he multiplies c by 2^e (mod N).
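The bidding scenario of this section and the RSA doubling trick above can be run end to end. The following Python script is an added example and not code from the book: it uses constructed toy RSA parameters (far too small for real use) and a made-up 8-digit ASCII encoding of the bid for the one-time pad, and shows how Malice turns E(1,500,000) into E(15,000,000) under both the one-time pad and textbook RSA without ever decrypting.

```python
"""Added example (not from the book): malleability of the one-time pad and of
textbook RSA, played out in the contract-bidding scenario of Section 14.5.3.
All parameters, keys and bid encodings are constructed for illustration."""
import secrets

# Toy textbook RSA parameters (constructed; far too small for real use).
P, Q = 1_000_003, 999_983
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # Python 3.8+ modular inverse


def rsa_encrypt(m: int) -> int:
    """Textbook RSA: c = m^e mod N, no padding, no randomness."""
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


def rsa_scale(c: int, factor: int) -> int:
    """Malice's move on an intercepted c = E(m): multiply by factor^e mod N.
    (m^e * factor^e) mod N = (m * factor)^e mod N, so the result decrypts to
    m * factor mod N, and Malice never needs m itself."""
    return (c * pow(factor, E, N)) % N


def tamper_rsa_bid(c_bid: int) -> int:
    """Turn the intercepted E(1,500,000) into E(15,000,000): scale by 10."""
    return rsa_scale(c_bid, 10)


def otp_xor(key: bytes, data: bytes) -> bytes:
    """One-time pad: encryption and decryption are the same XOR."""
    assert len(key) >= len(data)
    return bytes(k ^ d for k, d in zip(key, data))


def otp_retarget(ct: bytes, guessed_plain: bytes, target: bytes) -> bytes:
    """If Malice knows (or guesses) the plaintext layout, XORing the ciphertext
    with guessed_plain XOR target makes it decrypt to target. Even without a
    full guess, flipping any ciphertext bit flips the same plaintext bit."""
    return bytes(c ^ g ^ t for c, g, t in zip(ct, guessed_plain, target))


def otp_bid_attack(bid: bytes = b"01500000", target: bytes = b"15000000") -> bytes:
    """Company A one-time-pads its bid, written as 8 ASCII digits (a constructed
    encoding); Malice retargets the ciphertext in transit. Returns what the
    government decrypts."""
    key = secrets.token_bytes(len(bid))      # fresh pad, never reused
    ct = otp_xor(key, bid)
    tampered = otp_retarget(ct, bid, target)
    return otp_xor(key, tampered)


if __name__ == "__main__":
    c_bid = rsa_encrypt(1_500_000)
    print(rsa_decrypt(tamper_rsa_bid(c_bid)))   # 15000000
    print(otp_bid_attack())                     # b'15000000'
```

Both transformations succeed because neither scheme binds a ciphertext to its plaintext: the receiver has no way to tell a tampered ciphertext from a freshly made one. A scheme such as RSA-OAEP (Alg 10.6) resists this because the decryption of a modified ciphertext fails its padding check with overwhelming probability, which is the non-malleability that this section goes on to formalize.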
Dolev et al. proposed a public-key encryption scheme which is provably NM-CCA2 secure [100]. The scheme uses a plural number of public/private key pairs, and encrypts a plaintext message in a bit-by-bit manner. The encryption of each plaintext bit also contains an NIZK proof.
14.5.4 Relations between Indistinguishability and Non-Malleability
The non-malleable security notions are undoubtedly very important. However, due to these problems' computational nature, the formal treatment of non-malleable security notions turns out to be rather complex. Consequently, designing a cryptosystem and establishing that it has non-malleable security is a rather difficult job.

Fortunately, researchers have established a number of important relations between non-malleable security notions and indistinguishability security notions. Moreover, under CCA2, the most useful security notion, non-malleability is found to be equivalent to indistinguishability. Since the formal treatment of IND-CCA2 has been well established, we can achieve provable security in the NM-CCA2 mode by proving security under the IND-CCA2 notion.

Formal proof of relations between security notions can be achieved by constructing a polynomial-time reduction algorithm. In the context of relating attacks on cryptosystems, such a reduction (algorithm) "reduces" a target attacking problem (call it "Target Attack") to another attack (call it "Source Attack"). If a successfully constructed reduction is a PPT algorithm, then "Target Attack" can be successfully mounted based on the successful mounting of "Source Attack," and the cost of mounting "Target Attack" is bounded by a polynomial in that of mounting "Source Attack."

Since an attack on a cryptosystem is always based on some appropriate assumptions and requirements (e.g., for a CCA2 attacker to work properly, the attacker should be entitled to pre-challenge and post-challenge cryptanalysis training courses), a reduction algorithm must satisfy an attacker about these necessary assumptions and environmental requirements. Often we will use a special agent, whom we name Simon Simulator, to conduct a reduction. Simon will satisfy an attacker of all the assumptions and the entitled requirements by simulating the attacker's working environment.

Sometimes, Simon himself will become a successful attacker for "Target Attack" as a result of having been taught by the attacker for "Source Attack" after interacting with that attacker. In such a reduction, Simon is "orchestrating" two attack games in between an attacker and an encryption/decryption oracle. On the one hand, Simon plays the "Source Attack" game with an attacker by simulating the environment for "Source Attack" (i.e., by masquerading as an encryption/decryption oracle facing the attacker). On the other hand, Simon plays the "Target Attack" game with an encryption/decryption oracle, and now he is an attacker. In such a situation, we can consider that the attacker for "Source Attack" is teaching Simon to mount "Target Attack." Figures 14.2 and 14.3 illustrate such an orchestration conducted by Simon.
Figure 14.2. Reduction from an NM-attack to an IND-attack

Figure 14.3. Reduction from IND-CCA2 to NM-CCA2

Now we are ready to state and prove some useful relations.
14.5.4.1 Non-malleability Implying Indistinguishability
Let ATK denote CPA, CCA or CCA2. We can show that if a public-key cryptosystem is NM-ATK secure then it must be IND-ATK secure.

Theorem 14.3
If a public-key cryptosystem is NM-ATK secure then it is also IND-ATK secure.
Proof We can prove the theorem by showing that if a public-key cryptosystem E_pk is IND-ATK insecure then it must be NM-ATK insecure.

Suppose E_pk is IND-ATK insecure. Then we have a PPT attacker A who can break E_pk in the IND-ATK mode with a non-negligible advantage Adv(A). We let Simon Simulator conduct a reduction by using A to break E_pk in the NM-ATK mode.

Simon is in orchestration between two attack games. One game is in the IND-ATK mode (i.e., any of the Protocols 14.1, 14.3, or 14.4), in which Simon plays the role of O in interaction with A, who is in the position of Malice. The other game is in the NM-ATK mode (i.e., the ATK version of Prot 14.5), in which Simon plays the role of Malice in interaction with an encryption oracle (and decryption oracle if ATK is CCA or CCA2) O. Fig 14.2 illustrates the reduction for the most general case of ATK = CCA2. Some of the interactions can be omitted in the other two cases of ATK.

Notice that in the malleability-ATK game (i.e., the right-hand side interactions in Fig 14.2), the description of the distribution of the chosen plaintexts is uniform; therefore O will have to encrypt a random choice of the chosen plaintexts.
The "educated guess" from A is a bit b in {0, 1}. Simon then has the freedom to output c' = E_pk(m_b + 1) and the relation R(x, y) = 1 if and only if y = x + 1, for all x in the plaintext space. Clearly, with A being PPT, Simon can output this correct malleability result also in polynomial time.

Since A answers b with advantage Adv(A), and Simon's pair (c', R) satisfies R exactly when A's answer is correct, Simon's output satisfies R with that same advantage. Notice that ZK-Sim does not have access to the challenge ciphertext c* and hence does not have the use of A; so the probability that the simulated output ciphertext corresponds to a plaintext satisfying R must be negligible (for a sufficiently large plaintext space, as stipulated above). Hence, NM-Adv(Simon) is non-negligible, as desired.
Recall that we have demonstrated numerous attacks in various IND-ATK modes on various cryptosystems. By Theorem 14.3, these cryptosystems are also insecure in the respective NM-ATK modes.

It is known that there exist cryptosystems which are IND-CPA (respectively, IND-CCA) secure but are not NM-CPA (respectively, NM-CCA) secure. These cases can be found in [19].

Among the relations between NM and IND security notions which have been investigated in [19], the following relation is the most important one.
14.5.4.2 Indistinguishability Implying Non-malleability Under Adaptive Chosen-ciphertext Attack
For the case of ATK = CCA2, the converse of the statement in Theorem 14.3 is also true.

Theorem 14.4
A public-key cryptosystem is NM-CCA2 secure if and only if it is IND-CCA2 secure.

Proof Since in Theorem 14.3 we have established that NM-CCA2 security implies IND-CCA2 security, we only need to establish the opposite direction: IND-CCA2 security implies NM-CCA2 security. We can show that if a public-key cryptosystem E_pk is NM-CCA2 insecure then it must be IND-CCA2 insecure.

Suppose E_pk is NM-CCA2 insecure. Then we have a PPT attacker A who can break E_pk in the NM-CCA2 mode with a non-negligible advantage Adv(A). We let Simon Simulator conduct a reduction by using A to break E_pk in the IND-CCA2 mode.

Fig 14.3 illustrates the reduction orchestrated by Simon. Notice that the reduction is possible exactly because the ciphertext c' output by the malleability attacker A is different from the challenge ciphertext c*, and therefore the orchestrator of the two games, Simon, who plays the role of Malice in the IND-CCA2 game, can send c' to O for decryption as a post-challenge chosen ciphertext. With the decryption result, Simon can verify the relation between the plaintexts (the relation has been given by A) and thereby determine the challenge bit b.

Clearly, since A is PPT, the two games orchestrated by Simon will terminate in polynomial time, and the advantage of Simon is non-negligible since the advantage of A is non-negligible.
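To make the two reductions concrete, the following Python script is an added example, not code from the book. It uses textbook RSA only because that scheme is both IND-CPA insecure (it is deterministic) and malleable, so both "Source Attack" adversaries are easy to write; the toy parameters are constructed. The oracle follows Prot 14.1 and Prot 14.5, and Simon's two orchestrations follow the proofs of Theorems 14.3 and 14.4 (Figs 14.2 and 14.3): in the first, Simon turns the IND attacker's guess b into the pair c' = E_pk(m_b + 1), R(x, y): y = x + 1; in the second, Simon has O decrypt the malleability attacker's c' (which differs from c*) and reads off b from the relation.

```python
"""Added example (not from the book): Simon Simulator's reductions for
Theorems 14.3 and 14.4, run against textbook RSA. Textbook RSA is chosen only
because it is both IND-CPA insecure (it is deterministic) and malleable, so
both "Source Attack" adversaries are easy to write. Parameters are constructed."""
import secrets
from typing import Callable, Tuple

# Toy textbook RSA key (constructed; never use such sizes).
P, Q = 1_000_003, 999_983
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

Relation = Callable[[int, int], bool]


def enc(m: int) -> int:
    return pow(m, E, N)


def dec(c: int) -> int:
    return pow(c, D, N)


class Oracle:
    """O of Prot 14.1 / Prot 14.5: fixes pk, issues one challenge c* on a
    uniform choice between two chosen plaintexts, decrypts anything but c*."""

    def __init__(self) -> None:
        self.b = -1
        self.c_star = -1

    def challenge(self, m0: int, m1: int) -> int:
        self.b = secrets.randbelow(2)
        self.c_star = enc((m0, m1)[self.b])
        return self.c_star

    def decrypt(self, c: int) -> int:
        if c == self.c_star:
            raise PermissionError("c* itself may not be sent back for decryption")
        return dec(c)

    def nm_accepts(self, R: Relation, c_prime: int) -> bool:
        """Verdict of the malleability game: a fresh ciphertext whose plaintext
        stands in relation R to the plaintext of c*."""
        return c_prime != self.c_star and R(dec(self.c_star), dec(c_prime))


# ---- Source attackers against textbook RSA ----------------------------------

def ind_attacker(m0: int, m1: int, c_star: int) -> int:
    """IND-CPA attacker A: deterministic encryption, so re-encrypt and compare."""
    return 0 if enc(m0) == c_star else 1


def nm_attacker(c_star: int) -> Tuple[Relation, int]:
    """NM-CPA attacker A: c* * 2^e mod N encrypts twice the unknown plaintext
    (Section 14.5.3), so output it together with the relation y = 2x."""
    c_prime = (c_star * pow(2, E, N)) % N
    return (lambda x, y: y == (2 * x) % N), c_prime


# ---- Simon's reductions ------------------------------------------------------

def simon_nm_from_ind(oracle: Oracle, m0: int, m1: int) -> bool:
    """Theorem 14.3 (Fig 14.2): Simon relays O's challenge to the IND attacker,
    learns b, and answers the NM game with c' = E(m_b + 1), R(x, y): y = x + 1."""
    c_star = oracle.challenge(m0, m1)
    b = ind_attacker(m0, m1, c_star)
    m_b = (m0, m1)[b]
    return oracle.nm_accepts(lambda x, y: y == x + 1, enc(m_b + 1))


def simon_ind_cca2_from_nm(oracle: Oracle, m0: int, m1: int) -> bool:
    """Theorem 14.4 (Fig 14.3): Simon hands c* to the NM attacker, gets (R, c')
    with c' != c*, has O decrypt c' post-challenge (legal under CCA2), and
    tests R against each candidate plaintext to recover b."""
    c_star = oracle.challenge(m0, m1)
    R, c_prime = nm_attacker(c_star)
    m_prime = oracle.decrypt(c_prime)
    guess = 0 if R(m0, m_prime) else 1
    return guess == oracle.b


def success_rates(trials: int = 200, m0: int = 1_500_000,
                  m1: int = 2_750_000) -> Tuple[float, float]:
    """Fraction of games each reduction wins; both are 1.0 for textbook RSA."""
    nm_wins = sum(simon_nm_from_ind(Oracle(), m0, m1) for _ in range(trials))
    ind_wins = sum(simon_ind_cca2_from_nm(Oracle(), m0, m1) for _ in range(trials))
    return nm_wins / trials, ind_wins / trials


if __name__ == "__main__":
    print(success_rates())   # (1.0, 1.0)
```

The second reduction is the one that fails without the post-challenge decryption service: under CPA or lunchtime CCA, Simon would hold c' but have no way to learn its plaintext, which is why the equivalence of Theorem 14.4 is stated for CCA2 only.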
Fig 14.4 summarizes the known relations among the security notions we have introduced so far. We have not demonstrated the non-implication cases (those shown in the figure as not implying one another). The interested reader may study [19] for details.

Figure 14.4. Relations Among Security Notions for Public-key Cryptosystems

Theorem 14.4 tells us that in the context of public-key encryption schemes we only need to consider the IND-CCA2 notion, which is easier to handle than the NM-CCA2 notion. Also, due to the equivalence between IND-CCA2 and NM-CCA2, it is now generally agreed that IND-CCA2 is the right definition of security for public-key encryption algorithms for general use.

In the next chapter we shall introduce two practically efficient public-key cryptosystems which are provably IND-CCA2 secure.

14.6 Chapter Summary
I n t hi s chapt er we have t aken a st ep- wi se approach t o i nt roduci ng pr ogr essi vel y st r onger
secur i t y not i ons f or publ ic- key cry pt osy st ems.
We st ar t ed wi t h a pr ot ocol whi ch uses a t y pi cal t ext book encry pt i on al gor i t hm and seei ng i t s
weakness and unsui t abi l i t y f or appl i cat i ons. We t hen i nt roduced a fi r st - st ep st r engt hened
secur i t y not i on: semant i c securi t y or i ndi st i ngui shabl e encry pt i on under passi ve at t ack.
Weaknesses of semant i c secur it y wer e exposed, fol l owed by furt her st eps of st rengt heni ng st eps.
We f i nal l y r eached t he st r ongest secur i t y not i on for publi c- key cr y pt osy st ems: i ndi st i ngui shabl e
encry pt ion under adapt i ve chosen- ci pher t ext at t ack ( I ND- CCA2) whi ch we consi der as a fi t - f or -
appli cat i on secur i t y not ion. Fi nal l y, we consi der ed t he secur i t y not i on f or publ i c- key encr ypt ion
agai nst a dif fer ent at t acki ng scenar i o: non- mal l eabi l it y , and rel at e t he not i ons of I ND- CCA2 and
non- mall eabi l i t y .
Nowaday s, I ND- CCA2 i s t he st andar d and fi t - f or - appl i cat i on secur i t y not i on for publi c- key
cry pt osy st ems. Al l new publ ic- key encr y pt i on schemes f or gener al purpose appl i cat i ons ought t o
have t his secur i t y quali t y . I n t he next chapt er we shal l i nt roduce pr act i cal publ ic- key
cry pt osy st ems whi ch ar e for mal l y pr ovabl y secur e under t he I ND- CCA2 at t acki ng mode.
Exercises

14.1 Can the textbook RSA encryption hide the sign of the Jacobi symbol of the plaintext message?

14.2 Can the textbook RSA (Rabin) encryption be secure to encrypt, e.g., a salary figure? How about the textbook ElGamal if, e.g., the salary figure is not in g?

14.3 If, in a chosen-plaintext attack game (Prot 14.1), O flips a biased coin with 2/3 probability for HEADS appearance, derive Malice's advantage formula which corresponds to (14.2.3).

14.4 For a public-key encryption algorithm, does Malice need to play the chosen-plaintext attack game?

14.5 What is semantic security? Is it a security notion against (i) a passive and polynomially bounded attacker, (ii) a passive and polynomially unbounded attacker, and (iii) an active (and polynomially bounded) attacker?

14.6 Semantic security means to hide all partial information about plaintext messages. Why is it still not strong enough for real-world applications?

14.7 If the Rabin encryption scheme (Alg 8.2) is attacked under a lunchtime attack (Prot 14.3), what can an attacker achieve?
Hint: in a lunchtime attack an attacker can adaptively choose plaintext messages and get decryption assistance.

14.8 Cryptanalysis training courses (encryption, decryption assistances) are very effective for providing Malice with measures to break all textbook cryptographic algorithms. Why should we generally (and generously) grant Malice such assistances?

14.9 What is the IND-CCA2 security notion? What kind of attacks does it counter?

14.10 Discuss the importance of the equivalence relation between the security notions IND-CCA2 and NM-CCA2.
Hint: consider the difficulty of using the NM security formulations.

14.11 If, in a small-hours attack game (Prot 14.4), Malice only submits ciphertexts which he constructs using the prescribed encryption scheme, show that the game degenerates to a lunchtime one. Why can't the game further degenerate to an IND-CPA one?
Chapter 15. Provably Secure and Efficient Public-Key Cryptosystems

Section 15.1. Introduction
Section 15.2. The Optimal Asymmetric Encryption Padding
Section 15.3. The Cramer-Shoup Public-key Cryptosystem
Section 15.4. An Overview of Provably Secure Hybrid Cryptosystems
Section 15.5. Literature Notes on Practical and Provably Secure Public-key Cryptosystems
Section 15.6. Chapter Summary
Section 15.7. Exercises
15.1 Introduction

In the preceding chapter we have seen that early solutions to IND-CCA2 (equivalently, NM-CCA2) secure public-key cryptosystems have generally rested on applications of non-interactive zero-knowledge (NIZK) proof techniques. Such a proof shows a receiver of a ciphertext that the creator of the ciphertext already knows the corresponding plaintext, because what is proved is the following NP membership[a] statement:

[a] We shall study the relation between NP membership statements and zero-knowledge proof in Chapter 18.

"The ciphertext c is in the language L defined by the encryption algorithm under public key pk, and the creator of c has in its possession an auxiliary input (i.e., a witness of an NP problem) for the membership proof."

Here the "auxiliary input" for the membership proof consists of the corresponding plaintext and perhaps also a random input to the encryption algorithm (the random input is necessary if the encryption scheme needs to be semantically secure). If the verification of such a proof outputs "Accept," the receiver, who may be required or tricked to provide a decryption service, can then be sure that even if the creator of the ciphertext c is Malice (the bad guy), to return the corresponding plaintext to him is only to return to him something he already knows, and hence doing so will not help him in any way should he try to attack the target cryptosystem.

While this is a sound idea, it is quite an expensive one. The general method for realizing a NIZK proof is for the prover (here, the creator of a ciphertext) and the verifier (here, a receiver of that message) to share a mutually trusted random string. This demand is way beyond what an encryption scheme should ask for. If we consider that eliminating the need for two parties to share secret information before secure communication constitutes the most important advantage of public-key cryptography[b], then provable security for public-key encryption schemes should not be built at the expense of regressing back to sharing mutually trusted information between communication parties!

[b] We have witnessed ways of secure communication even without the need for two parties to share public information; see Section 13.3.

In fact, what provable security should achieve is an affirmative measure to ensure that Malice should not be able to do something bad too often or fast enough. So provable security can be established as long as we can establish the success probabilities and the computational cost for Malice to succeed in an attack. In the context of achieving a provably secure encryption, to ask for a guarantee that Malice must know the corresponding plaintext of a ciphertext is to ask for too much, and a NIZK proof is unnecessary and overkill. In fact, none of the previous public-key encryption schemes which are provably IND-CCA2 secure based on applying NIZK proof techniques is sufficiently efficient for practical use.

Many practically efficient and provably secure public-key encryption and digital signature schemes have been proposed. These schemes are mainly results of enhancing popular textbook public-key algorithms or digital signature schemes using a message integrity checking mechanism. Here, by textbook public-key algorithms (see Section 8.14), we mean those which are direct applications of some one-way trapdoor functions such as the RSA, Rabin and ElGamal functions. A message integrity checking mechanism allows us to establish the success probabilities and the computational costs for Malice to mount a successful attack on the enhanced scheme.

The cost for using a scheme enhanced this way is at the level of a small constant multiple of that for using the underlying textbook public-key encryption algorithm.
15.1.1 Chapter Outline

In this chapter we shall introduce two well-known public-key encryption schemes which are provably secure against IND-CCA2 and are practically efficient. They are the Optimal Asymmetric Encryption Padding (OAEP) [24, 270, 114] (Section 15.2) and the Cramer-Shoup public-key cryptosystem [84] (Section 15.3). We shall then conduct an overview of a family of so-called hybrid cryptosystems which are a combination of public-key and secret-key encryption algorithms, are provably secure against IND-CCA2 and are practically efficient (Section 15.4). We shall end this chapter with a literature review of practical and provably secure public-key cryptosystems (Section 15.5).
15.2 The Optimal Asymmetric Encryption Padding

The Optimal Asymmetric Encryption Padding (OAEP) was invented by Bellare and Rogaway [24]. It is a randomized message padding technique and is an easily invertible transformation from a plaintext message space to the domain of a one-way trapdoor permutation (OWTP). The RSA and Rabin functions are the two best-known OWTPs[c]. The transformation uses two cryptographic hash functions and takes as input a plaintext message, a random number and a string of zeros as added redundancy for message recognizability. Fig 15.1 depicts the transformation in a picture. Detailed instructions for using the RSA-OAEP scheme (i.e., the OWTP is instantiated under the RSA function) have been specified in Alg 10.6. We should notice that for the case of the RSA-OAEP specified in Alg 10.6, due to our added testing step in the encryption procedure, the padding result || t as an integer is always less than the RSA modulus N.

[c] See Section 14.3.6.1 for why and how a recommended way of using the Rabin encryption algorithm forms an OWTP.

Figure 15.1. Optimal Asymmetric Encryption Padding (OAEP)

An OAEP based public-key encryption scheme can be viewed as a sequentially combined transformation:

Equation 15.2.1

Let us now provide three explanations on the central idea behind this combined transformation.
Mixing of Different Algebraic Structures  As we have discussed in Section 8.6, usually a mathematical function underlying a textbook public-key algorithm has very well-behaving and public algebraic properties. These algebraic properties come from an underlying algebraic structure in which the OWTP is defined (e.g., the axioms of a group or a field provide very nice algebraic properties; see Definitions 5.1 and 5.13 in Chapter 5). A large number of attacks on textbook public-key encryption algorithms we have shown so far (including those on some semantically secure schemes, e.g., the GM cryptosystem, Alg 14.1, which is attacked in Examples 14.2 and 14.3) have invariably shown a general technique for Malice to attack textbook encryption algorithms: manipulating a ciphertext such that the corresponding plaintext can be modified in a controlled way thanks to the nicely-behaving algebraic properties of the OWTP.

Rather differently, the OAEP transformation is constructed by networking cryptographic hash functions with a well-known symmetric crypto-algorithmic structure. Indeed, as shown in Fig 15.2 (compare with Fig 7.2), the OAEP construction can be viewed as a two-round Feistel cipher, with the first round using a hash function G and the second round using a hash function H in place of an "s-box function" of a Feistel cipher; though here the two "s-box functions" are not keyed, and the two "half blocks" can have different sizes.

Figure 15.2. OAEP as a Two-round Feistel Cipher

These two kinds of structures, i.e., the structures of the OWTPs underlying popular public-key cryptosystems and the Feistel-cipher structure of OAEP, have vastly different algebraic properties. For a rough judgement we can apparently see that the former structure has block-wise algebraic properties in a large-order space while the latter structure has bit-wise (i.e., in an order-2 space) algebraic properties. We should therefore have a good hope that the combined transformation (15.2.1) should cause a tremendous difficulty for Malice to modify a plaintext in a controlled way via manipulating the corresponding ciphertext.

Plaintext Randomization  As we have studied in Chapter 9, if the plaintext message input to a basic and textbook public-key cryptographic function has a random distribution, then the function provides a strong protection in hiding the plaintext information, even down to the level of an individual bit. A padding scheme like OAEP has a random input value which
adds randomness to the distribution of the padding result, that is, it makes the input to the OWTP have a more random distribution. Thus, by sequentially combining the randomized padding scheme with the OWTP, we hope to be able to make use of the strong bit-security of the public-key cryptographic primitive function which we have seen in Chapter 9.

Data Integrity Protection  We have witnessed many times that a main drawback shared by textbook crypto algorithms is an extreme vulnerability to active attacks. The invertible function (the RSA decryption and the Feistel network) and the added redundancy $0^{k_1}$ provide the decryption end with a mechanism to check data integrity (data integrity from Malice, see Section 10.5). So active attacks are prevented.

These three observations should make good sense if the randomized padding output does have a good random distribution over the input message space of the OWTP.

Formal proof for an OAEP encryption scheme is based on a powerful technique called the random oracle model. Such a proof assumes that the hash functions used in the construction of OAEP behave as completely random functions, usually called random oracles (review Section 10.3.1.2 for the behavior of a random oracle). Under the random oracle assumption, i.e., when the hash functions used in the padding scheme are random oracles, the padding output, i.e., the input to the OWTP, should indeed have a uniform distribution. Therefore, it is intuitively promising that we could establish a proof leading to a result similar to what we have obtained in Chapter 9.

Precisely, a random-oracle-model-based (ROM-based) proof for an OAEP-OWTP encryption scheme aims to construct an efficient transformation (called a reduction) which translates an advantage for an alleged attack on the OAEP-OWTP encryption scheme to a similar (up to polynomially different) advantage for inverting the OWTP used in the scheme. For example, for the OWTP being the RSA function, the inversion actually solves the RSA problem or breaks the RSA assumption (Definition 8.4, Assumption 8.3 in Section 8.7). Since it is widely believed that there exists no efficient algorithm for inverting the OWTP, the efficient reduction transformation is considered to lead to a contradiction. Therefore, the proof so constructed is called reduction to contradiction.
15.2.1 Random Oracle Model for Security Proof

In Section 10.3.1.2 we have introduced the notion of a random oracle. A random oracle is a powerful and imaginary function which is deterministic and efficient and has uniform output values. Bellare and Rogaway make use of these random oracle properties for proving that an OAEP encryption scheme is secure [24]. Their model for security proof is called the random oracle model (ROM) [22].

In an ROM-based technique for security proof, not only are random oracles used (i.e., not only are they assumed to exist), but also a special agent, Simon Simulator, whom we have met in Section 14.5.4, shall be able to, somehow, simulate the behavior of everybody's (including Malice's) random oracles. So whenever someone wants to apply a random oracle, say G, to a value, say a, (s)he shall unwittingly make a so-called random oracle query to Simon; one does this by submitting a to, and subsequently receiving a query result G(a) from, Simon. Simon shall always honestly comply with any query order and duly return a good query result.

As long as everybody obeys the rule of making random oracle queries only to Simon, Simon can easily simulate the random oracle behavior with perfect precision. Let us now explain how Simon could simulate the behavior of a random oracle.

For oracle G, for example, Simon shall maintain a G-list which contains all the pairs (a, G(a))
such that a has been queried in the entire history of G. The simulation job is rather mundane: for each query a, Simon shall check whether or not a is already in the list; if it is, he shall just return G(a) as the query result (that's why deterministic); otherwise, he shall invent a new value for G(a) uniformly at random in the range of G, return this new value as the query result (that's why uniform) and archive the new pair (a, G(a)) in the list. Simon could build his list so that the pairs are sorted by the first element. There is no need to apply a sorting algorithm because each list is initialized to empty at the beginning and grows as queries arrive. For each query, a search through a sorted list of N elements can be done in log N time (see Alg 4.4), i.e., in PPT in the size of the elements (and that's why efficient).

To this end, we have constructively obtained the statement in Lemma 15.1.

Lemma 15.1
A random oracle can be simulated perfectly in PPT.

For a public-key encryption scheme using random oracles (e.g., OWTP-OAEP), this way to simulate random oracles enables Simon to construct a 1-1 mapping relation between plaintexts and ciphertexts (e.g., in the case of OWTP-OAEP in (15.2.1), mapping from the left-hand side to the right-hand side). Now if an attacker, say Malice, constructs a valid chosen ciphertext c using an OWTP f, then as long as Malice has used Simon's random oracle services (which he is forced to use) in the construction of c, Simon shall be able to "decrypt" c even though he does not have in his possession the trapdoor information for inverting f. This is merely because Simon has the plaintext-ciphertext pair in his lists of simulated random oracles. Indeed, the "plaintext" must have been in some of his lists as long as the ciphertext is valid.
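As an added example (not code from the book), the OAEP Feistel construction of Fig 15.2 and Simon's lazily built oracle lists from Lemma 15.1, in Python with constructed toy sizes and a toy RSA function as the OWTP: G and H are simulated random oracles, oaep_unpad performs the 0^{k1} integrity check, and simon_decrypt recovers a valid ciphertext's plaintext from the oracle lists alone, never touching the trapdoor. The parameter sizes, the primes and all names are assumptions of this example.

```python
import os

# Constructed toy parameters (not a recommended size).  The padded block
# s || t has n = k0 + (k_m + k1) bits with s = (m || 0^k1) xor G(r) and
# t = r xor H(s); 88 bits keeps the integer s || t below the toy modulus N.
K0, K1, KM = 3, 3, 5          # bytes of r, of the 0^k1 redundancy, of m
KS = KM + K1                  # bytes of s


class RandomOracle:
    """Simon's simulation of a random oracle (Lemma 15.1): a G-list of
    (query, answer) pairs.  A repeated query is answered from the list
    (deterministic); a new query gets a fresh uniform value (uniform)."""

    def __init__(self, out_len):
        self.out_len = out_len
        self.table = {}       # the G-list (or H-list)

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = os.urandom(self.out_len)
        return self.table[x]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Toy RSA as the OWTP f.  p and q are Mersenne primes chosen for the example;
# N is just above 2^91, so every 88-bit padded block is a valid input to f.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # the trapdoor


def f(block):
    """The public one-way trapdoor permutation."""
    return pow(int.from_bytes(block, "big"), E, N)


def f_inv(c):
    """Inverts f with the trapdoor; None if the preimage is not a padded block."""
    x = pow(c, D, N)
    if x >= 256 ** (KS + K0):
        return None
    return x.to_bytes(KS + K0, "big")


G = RandomOracle(KS)   # G: k0-bit r -> (n - k0)-bit mask
H = RandomOracle(K0)   # H: (n - k0)-bit s -> k0-bit mask


def oaep_pad(m, r):
    """The two-round Feistel network of Fig 15.2; returns s || t."""
    assert len(m) == KM and len(r) == K0
    s = xor(m + bytes(K1), G(r))          # round 1: mask m || 0^k1 with G(r)
    t = xor(r, H(s))                      # round 2: mask r with H(s)
    return s + t


def oaep_unpad(block):
    """Runs the Feistel network backwards and checks the 0^k1 redundancy."""
    s, t = block[:KS], block[KS:]
    r = xor(t, H(s))
    padded = xor(s, G(r))
    if padded[KM:] != bytes(K1):          # data integrity check failed
        return None
    return padded[:KM]


def encrypt(m, r=None):
    return f(oaep_pad(m, r if r is not None else os.urandom(K0)))


def decrypt(c):
    """The legitimate decryptor: trapdoor first, then the integrity check."""
    block = f_inv(c)
    return None if block is None else oaep_unpad(block)


def simon_decrypt(c):
    """Simon's 'decryption' without the trapdoor: a valid ciphertext must have
    been built from oracle queries, so (r, G(r)) and (s, H(s)) are in his
    lists; he recombines every candidate pair and tests it against f."""
    for s, hs in H.table.items():
        for r, gr in G.table.items():
            if f(s + xor(r, hs)) == c:
                padded = xor(s, gr)
                if padded[KM:] == bytes(K1):
                    return padded[:KM]
    return None                           # c was not formed with the oracles


if __name__ == "__main__":
    m = b"\x01\x02\x03\x04\x05"          # constructed 5-byte message
    c = encrypt(m)
    print(decrypt(c) == m, simon_decrypt(c) == m)
    # The homomorphic manipulation that rewrites a textbook-RSA plaintext
    # (c * 2^e encrypts 2x) now fails the redundancy check instead.
    print(decrypt(c * pow(2, E, N) % N))
```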
Therefore, in addition to having simulated random oracles, Simon can also simulate a decryption oracle[d], i.e., O in Prot 14.3 or Prot 14.4. This is another reason why we have named our special agent Simon Simulator. The simulated "decryption" capability enables Simon to offer a proper "cryptanalysis training course" to Malice in IND-ATK games (ATK stands for any of CPA, CCA or CCA2).

[d] The reader must not confuse a "decryption oracle" with a "random oracle"; they are totally different things. The former can be real, e.g., a naive user tricked by Malice to provide a decryption service, while the latter is an imaginary function.

If the "training course" is provided at the precise quality (i.e., the simulated "training course" is accurate) then Malice, as a successful attacker, must end up with a non-negligible advantage in short enough time (PPT) to break the encryption scheme (i.e., in the IND-ATK case, he ends up relating one of the two chosen plaintexts to the challenge ciphertext). Then Simon, who has in his possession the random oracles, shall also end up with a successful inversion of the cryptographic function at the point of the challenge ciphertext: the pair (plaintext, challenge-ciphertext) can be found in one of his simulated random oracle lists. We shall see details of this "trick" for the case of OWTP-OAEP in Section 15.2.3.1. In the next chapter we shall also see this "trick" for the case of ROM-based security proofs for some digital signature schemes.

This does constitute a valid argument, however, only in a world with random oracles! Nevertheless, due to the good approximation of random oracle behavior by cryptographic hash functions, this argument provides a convincing heuristic insight for an OAEP enhanced encryption scheme being secure in the real world. Even though we know that it is only an unproven assumption that a cryptographic hash function emulates random oracle behavior in a PPT indiscernible manner, this assumption has now been widely accepted and used in practice. After all, each of the reputable OWTPs underlying a popular public-key cryptosystem is an
unpr oven but wi del y accept ed assumpt i on.

Goldreich considers (in "6.2 Oded's Conclusions" of [65]) that an ROM-based technique for security proof is a useful test-bed; cryptographic schemes which do not perform well on the test-bed (i.e., cannot pass the sanity check) should be dumped. It is widely agreed that designing a cryptographic scheme so that it is argued secure in the ROM is a good engineering principle.

In the real world, if the hash functions (or pseudo-random functions) used in a cryptographic scheme or protocol have no "obvious" flaw, then a security proof for such a scheme or protocol using their idealized version can be considered valid, in particular if the goal of the proof is up to the unproven assumption of polynomial-time indistinguishability. Such a proof of security is called a security proof based on the ROM.

Let us now describe an ROM-based security proof for an OWTP-OAEP encryption scheme. In the next chapter we will also see ROM-based security proofs for some digital signature schemes.
15.2.2 RSA-OAEP

In the case of RSA-OAEP, the OWTP is the RSA encryption function. We notice that in the remaining part of this chapter, all instances of RSA-OAEP apply to Rabin-OAEP where the OWTP is the permutation realization of the Rabin encryption function (see 14.3.6.1 for how to realize the Rabin encryption function as an OWTP).

Since the RSA-OAEP encryption scheme involves two hash function evaluations followed by an application of the RSA function (see Alg 10.6), and since hash functions can be efficiently evaluated, the scheme is very efficient, almost as efficient as textbook RSA. This scheme also has a very high bandwidth for message recovery. If we consider using an RSA modulus of the standard length of 2048 bits (the reason why 2048 bits is a standard length for the RSA-OAEP encryption scheme will be explained in 15.2.5), and consider $k_0 = k_1 = 160$ (so that $2^{-k_0}$ and $2^{-k_1}$ are negligibly small), then the plaintext message can have a length $|M| = |N| - k_0 - k_1 = 2048 - 320 = 1728$; that is, the plaintext message encrypted inside the RSA-OAEP scheme can have a length up to 84% of the length of the modulus.

These practically important features have been widely recognized by practitioners, so that the scheme has been accepted as the RSA encryption standard under industrial and international standardization organizations (PKCS#1, IEEE P1363). It has also been chosen for use in the well-known Internet electronic commerce protocol SET [259].

So, RSA-OAEP is a very successful public-key encryption scheme. However, for its provable security, success is a son of failure.

If the reader only wants to know how to encrypt in RSA with fit-for-application security, then the RSA-OAEP scheme specified in Alg 10.6 has provided adequate "know-how" information and the reader can thereby proceed to 15.3. The text between here and 15.3 is "know-why" material: it answers why the RSA-OAEP scheme has fit-for-application security. We will try to provide the answer in an intuitive manner and discuss some important issues related to the proof of security.
15.2.3 A Twist in the Security Proof for RSA-OAEP

The original ROM-based proof for f-OAEP [24] tried to relate an attack on the f-OAEP scheme in the IND-CCA2 mode to the problem of inverting the OWTP f without using the trapdoor information of f. Recently, Shoup has made an ingenious observation and revealed a flaw in that proof [270]. Moreover, he points out that for f being a general OWTP, it is unlikely that an ROM-based proof exists that f-OAEP is secure against IND-CCA2. Fortunately and very quickly, the danger of losing a very successful public-key encryption algorithm standard was over! A closer observation is made by Fujisaki et al. [114], and they find a way to rescue OAEP for f being the RSA function.

Let us now review this dramatic matter. We shall start by studying the original security argument attempted by Bellare and Rogaway. We then describe Shoup's observation of a flaw in that argument. Finally we shall see the rescue work of Fujisaki et al. (Shoup also works out a special case for the same rescue, and we shall see that as well).
15.2.3.1 A Reduction Based on the Random Oracle Model

Suppose that an attacker A, who is a PPT algorithm, has a non-negligible advantage in breaking an f-OAEP scheme in the IND-CCA2 mode. Let us construct an algorithm which will enable our special agent, Simon Simulator, to make use of the IND-CCA2 attacker A to invert the OWTP f, also with a non-negligible advantage. This algorithm must be efficient (i.e., a PPT one). Thus, Simon efficiently "reduces" his task of inverting f to A's capability of attacking the f-OAEP scheme. The algorithm used by Simon is therefore called a polynomial-time reduction. Since both A and the reduction run by Simon are polynomial time, inversion of f as the combination of A and the reduction conducted by Simon then also runs in polynomial time. It is the belief that inversion of f cannot be done in PPT that should refute the existence of the alleged IND-CCA2 attacker A on f-OAEP (however, we should be careful about an issue which we shall discuss in 15.2.5). A security proof in this style, in addition to the name "reduction to contradiction," is also called a reductionist proof.

Let us now describe the reduction.

Let Simon be given (the description of) an OWTP f and a uniformly random point c* in the range of f. Simon wants to uncover $f^{-1}(c^*)$ by using A as an IND-CCA2 attacker. We must notice the importance of the randomness of c*: if c* is not random, then Simon's result cannot be a useful algorithm.

Top-level Description of the Reduction Algorithm

Fig 15.3 provides a visual aid for the reduction we will be describing now. The picture shows that Simon has taken over all the communication links of A to and from the external world, so that A can interact only with Simon.

Figure 15.3. Reduction from Inversion of a One-way Trapdoor Function f to an Attack on the f-OAEP Scheme

Simon starts by sending (the description of) the f-OAEP encryption algorithm to A. Simon shall play an IND-CCA2 attack game with A (i.e., they run Prot 14.4). In this game, Simon shall impersonate the decryption oracle O as if he has in his possession a valid decryption box. The impersonation is via simulation. We shall see that in the ROM, Simon can indeed do so without A detecting anything wrong.

Simon shall also provide A with simulated services for the random oracles G and H used in OAEP (see Fig 15.1). So, as we have stipulated in 15.2.1, whenever A wants to apply G and/or H (e.g., when it wants to prepare a chosen ciphertext in a proper way during the game play), it shall actually make queries to Simon and subsequently get the respective query results back from Simon.

It is vitally important that the simulations provided by Simon be accurate, so that A cannot feel anything wrong in its communications with the outside world. Only under a precise simulation can A be educated properly by Simon and thereby release its attacking capacity fully. The IND-CCA2 attacking game played between Simon and A is as follows.

i. In A's "find stage," Simon shall receive from A indifferent chosen ciphertexts for decryption (i.e., those in a lunchtime attack). A has freedom to construct these ciphertexts in any way it wishes; but if it does want to construct them properly, e.g., via applying the random oracles, then its queries must go to Simon (as illustrated in Fig 15.3, Simon has taken over all A's communication channels to and from the external world). The ways for Simon to simulate these random oracles will be described in a moment.

ii. Since Simon receives from A chosen ciphertexts for decryption, Simon shall answer them to A by simulating the decryption box (oracle O). Details for Simon to simulate O shall also be given in a moment.

iii. A shall end its "find stage" by submitting to Simon a pair of chosen plaintexts $m_0, m_1$. Upon receipt of them, Simon shall flip a fair coin $b \in_U \{0, 1\}$ and send to A the "challenge ciphertext" c* as a simulated f-OAEP encryption of $m_b$. Here, Simon pretends as if c* encrypts $m_b$.

iv. Now A is in its "guess stage." So it may submit further adaptive chosen ciphertexts for its "extended cryptanalysis training course." Simon shall serve as in (ii). In case A makes random oracle queries in its proper construction of the adaptive chosen ciphertexts, Simon shall serve as in (i). Eventually, A should output its educated guess on the bit b. This is the end of the attacking game.

As we have agreed and emphasized many times, A should not submit the "challenge ciphertext" c* for decryption. Were c* submitted, it would be impossible for Simon to provide a simulated decryption, since this is the very ciphertext that Simon needs A's help to decrypt.
Simulation of Random Oracles. Simon shall simulate the two random oracles G and H used in the OAEP transformation. In the simulation, Simon maintains two lists, called his G-list and his H-list, both initially set to empty:

G-oracle Suppose A makes G-query g. Simon shall first search his G-list trying to find g. If g is found in the list, Simon shall provide G(g) to A. Otherwise, g is fresh; then Simon picks uniformly at random a string G(g) of length $k - k_0$ (the length of the left half s of the OAEP output, so that $s \oplus G(r)$ is well defined; the H-oracle below returns $k_0$ bits, the length of the right half t), provides G(g) to A and adds the new pair (g, G(g)) to the G-list.

If the query occurs in A's "guess stage," then Simon shall try to invert f at the point c*. What he should do is: for each (g, G(g)) in the G-list and each (h, H(h)) in the H-list, Simon builds $w = h \,\|\, (g \oplus H(h))$ and checks whether $c^* = f(w)$. If this holds for some so-constructed string, then $f^{-1}(c^*)$ has been found.

H-oracle Suppose A makes H-query h. Simon shall first search his H-list trying to find h. If h is found in the list, Simon shall provide H(h) to A. Otherwise, h is fresh; then Simon picks uniformly at random a string H(h) of length $k_0$, provides H(h) to A and adds the new pair (h, H(h)) to the H-list.

If the query occurs in A's "guess stage," then Simon shall try to invert f at the point c* as in the case of the G-oracle.

Simulation of the Decryption Oracle. Simon shall simulate the decryption box (oracle O). His simulation steps are: upon receipt of ciphertext c from A for decryption, Simon looks at each query-answer pair (g, G(g)) in the G-list and (h, H(h)) in the H-list; for each pair taken from both lists, Simon computes
and checks
and
if both checking steps yield "YES," Simon shall return the most significant $n = k - k_0 - k_1$ bits of v to A. Otherwise, Simon shall return REJECT to A.

Because A is polynomially bounded, the number of random oracle queries and that of decryption requests made by A are also polynomially bounded. Hence, Simon can run the simulated game in polynomial time.
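The following Python script is an added worked example, not code from the book: it plays Simon's role for a toy f-OAEP and exercises, in one place, the lazy list-based simulation of G and H from Lemma 15.1, the list-scanning simulated decryption oracle described just above, and the inversion "trick" at the challenge point c* that 15.2.3.1 relies on. Everything about the instance is a constructed assumption: the OWTP f is textbook RSA on a 92-bit modulus built from the Mersenne primes $2^{31}-1$ and $2^{61}-1$, k = 91 so that every k-bit string is below N, and $k_0 = k_1 = 16$; these sizes make the example run instantly and are far too small for real use. The validity check on $v = h \oplus G(g)$ follows the description above (the most significant n bits of v are the plaintext, and for a valid ciphertext $s \oplus G(r)$ ends in $k_1$ zeros); the attacker in step (3) is simply handed the trapdoor to model an "allegedly powerful" A that manages to query s*.

```python
"""Simon Simulator for a toy f-OAEP in the random-oracle model (added example)."""
import secrets

# Constructed toy instance: N = (2^31 - 1)(2^61 - 1), k = 91, k0 = k1 = 16.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # the trapdoor; Simon never touches it
K = N.bit_length() - 1                   # 91: every K-bit string is below N
K0 = K1 = 16                             # |r| and the number of padding zeros
NBITS = K - K0 - K1                      # plaintext length n = 59


def f(w):
    """Public direction of the OWTP (textbook RSA on a K-bit input)."""
    return pow(w, E, N)


def f_inv(c):
    """Trapdoor direction; handed only to the toy attacker in demo()."""
    return pow(c, D, N)


class Simon:
    """Lazy-list simulation of G, H and of the decryption box, without the trapdoor."""

    def __init__(self, c_star=None):
        self.G, self.H = {}, {}          # G-list and H-list, initially empty
        self.c_star = c_star             # challenge to invert during the guess stage
        self.inverted = None             # f^{-1}(c*) once the lists reveal it

    def g_oracle(self, r):               # G: {0,1}^k0 -> {0,1}^(k-k0)
        if r not in self.G:              # fresh query: sample, archive, try to invert
            self.G[r] = secrets.randbits(K - K0)
            self._try_invert()
        return self.G[r]

    def h_oracle(self, s):               # H: {0,1}^(k-k0) -> {0,1}^k0
        if s not in self.H:
            self.H[s] = secrets.randbits(K0)
            self._try_invert()
        return self.H[s]

    def _candidates(self):
        """Every w = h || (g xor H(h)) that Simon can assemble from his two lists."""
        for h, hh in self.H.items():
            for g, gg in self.G.items():
                w = (h << K0) | (g ^ hh)
                v = h ^ gg               # equals m || 0^k1 exactly when (g, h) = (r, s)
                yield w, v

    def _try_invert(self):
        if self.c_star is None or self.inverted is not None:
            return
        for w, _ in self._candidates():
            if f(w) == self.c_star:
                self.inverted = w        # f^{-1}(c*) found from the lists alone

    def decrypt(self, c):
        """Simulated decryption oracle: the plaintext, or None meaning REJECT."""
        if c == self.c_star:
            raise ValueError("the challenge ciphertext must not be queried")
        for w, v in self._candidates():
            if f(w) == c and v & ((1 << K1) - 1) == 0:   # both checks say YES
                return v >> K1           # the most significant n bits of v
        return None                      # s or r was never queried: REJECT


def oaep_encrypt(simon, m):
    """f-OAEP encryption done 'properly', i.e. through Simon's oracle services."""
    r = secrets.randbits(K0)
    s = (m << K1) ^ simon.g_oracle(r)    # s = (m || 0^k1) xor G(r)
    t = r ^ simon.h_oracle(s)            # t = r xor H(s)
    return f((s << K0) | t)              # c = f(s || t)


def demo():
    # (1) Find stage: a ciphertext built via the oracles decrypts without the trapdoor.
    simon = Simon()
    m = secrets.randbits(NBITS)
    assert simon.decrypt(oaep_encrypt(simon, m)) == m
    # (2) A ciphertext built without consulting G and H is rejected (correct except
    #     with probability about 2^-k0 + 2^-k1, the bound analysed in 15.2.3.2).
    assert simon.decrypt(f(secrets.randbits(K))) is None
    # (3) Guess stage: Simon holds a random c* and no trapdoor. The toy attacker gets
    #     f_inv to model an 'allegedly powerful' A that manages to query s*; once it
    #     also queries r* = t* xor H(s*), the pair sits in Simon's lists and Simon
    #     reads off f^{-1}(c*) without ever using D.
    c_star = f(secrets.randbits(K))
    simon = Simon(c_star=c_star)
    w_star = f_inv(c_star)
    s_star, t_star = w_star >> K0, w_star & ((1 << K0) - 1)
    r_star = t_star ^ simon.h_oracle(s_star)
    simon.g_oracle(r_star)
    assert simon.inverted == w_star
    return True
```

Running `demo()` walks through the three situations in order. Note that `decrypt` refuses the challenge ciphertext outright, mirroring the rule that A must never submit c*, and that the only place the trapdoor D is used is inside the toy attacker; Simon's `_try_invert` recovers the preimage purely by re-encrypting candidates assembled from his G-list and H-list, which is exactly the "trick" the reduction depends on.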
15.2.3.2 Accuracy of the Simulation

As we have mentioned, for A to work properly, the accuracy of the simulations is vitally important (is everything)!

First of all, as we have established in Lemma 15.1, the two random oracles have been perfectly simulated.

Now let us examine the accuracy of Simon's simulation of the decryption box.

Let Simon be given a chosen ciphertext c (either a pre-challenge one or a post-challenge one, i.e., either an indifferently chosen one or an adaptively chosen one). Simon's simulation of the decryption box is in fact very accurate. Let

Equation 15.2.2
Equation 15.2.3
Equation 15.2.4

be the values which are defined by c should c be a valid ciphertext. Below, whenever we say "the correct value," we mean the value processed by a real decryption oracle O should c be sent to O.

If the correct s defined by c in (15.2.2) has not been queried for random oracle H, then the correct H(s) is missing. So in each G-query, we can only have probability at the level of $2^{-k_0}$ for the r defined in (15.2.3) being correct. So, like the missing correct value s being queried for H, the correct value r is also missing from being queried for G (except for probability at the level of $2^{-k_0}$). Consequently, as in (15.2.4), the value $s \oplus G(r)$ has probability $2^{-k_1}$ of having $k_1$ trailing zeros, since this requires s and G(r) to have their $k_1$ least significant bits identical bit by bit, but the former is missing and the latter is uniformly random. Notice that in this analysis we have already also considered the case of the correct r not having been queried for G: rejection is correct except for an error probability of $2^{-k_1}$.

In summary, we can conclude the following result regarding the simulated decryption of a chosen ciphertext c:

If both s and r have been queried for the respective random oracles, then the simulated decryption can correctly construct $f^{-1}(c)$ and thereby further decrypt c in the usual way.

If either s or r (or both) has not been queried for the respective random oracle, then it is correct for the simulated decryption to return REJECT except for an error probability at the level of $2^{-k_0} + 2^{-k_1}$.

Notice that in the case of s and/or r not having been queried for the respective random oracles, the error probability bound holds in a statistical sense: namely, the probability bound holds as long as A has not made the necessary random oracle query, regardless of how powerful A may be.

At this point we can confirm that our argument so far has already shown that f-OAEP is provably secure against IND-CCA (i.e., lunchtime attack or indifferent chosen-ciphertext attack). This is because in an IND-CCA attack game the decryption box only works in the "find stage," and we have established that in that stage the simulated decryption works accurately except for a minute error probability.

We should explicitly emphasize that our argument is solely based on the one-way-ness of f.

15.2.3.3 Incompleteness

Shoup observes that the original OAEP security argument (for IND-CCA2 security) contains a flaw [270]. Before we go ahead to explain it, let us make it very clear that the OAEP construction is not flawed. It is the formal proof described in 15.2.3.2 that has not gone through completely for IND-CCA2 security. A short way to state the incompleteness can be as follows:

The simulated decryption performed by Simon is statistically precise as long as s* defined by the challenge ciphertext c* in (15.2.5) is not queried for random oracle H, but the statistical precision falls apart as soon as s* is queried. However, the possibility of s* being queried was not considered in the security argument in 15.2.3.2.

In order to explain the incompleteness, let us consider various values defined by the challenge ciphertext c*. Let

Equation 15.2.5
Equation 15.2.6
Equation 15.2.7

The three values $(s^*, r^*, m_b)$ are defined by the challenge ciphertext c*, where b is the result of the coin tossing performed by Simon.

Let us now imagine that s* is queried for random oracle H. Of course, statistically this must be remotely unlikely in A's "find stage," since at that point in time it has not yet been given the challenge ciphertext c*. This is why we have concluded at the end of 15.2.3.2 that the argument there does provide a valid proof for f-OAEP being secure in the IND-CCA mode. However, it may be possible for A to query s* in its "guess stage" when it has been given the challenge ciphertext c*.

What is the probability for A to query s* in its "guess stage"? Well, we do not know for sure. All we definitely know is this: given A being allegedly powerful, there is no way for us to deny a possibility for it to query s* in its "guess stage." Otherwise, why should we have assumed A being able to guess the bit b in the first place? (Nevertheless, the conditional probability bound for s* having been queried, given that A answers correctly, can be estimated; the result is non-negligible. We shall provide an estimate in 15.2.3.4.)

As long as the attacker 𝒜 can query s*, it can find a discrepancy in the simulated attack game. Here is an easy way for us to imagine the discrepancy. For r* fixed by (15.2.6), 𝒜 may further query r*. The uniformly random G(r*) returned will leave little chance for G(r*) ⊕ s* to match either of its chosen plaintexts. So at this moment 𝒜 shall shout: "Stop fooling around!" 𝒜 should shout so because it has spotted that the "challenge ciphertext" c* has nothing to do with any of its chosen plaintexts.

Of course, this "easy" way of finding a discrepancy would "cost" 𝒜 too much: it would have already disclosed both s* and t* = r* ⊕ H(s*) to Simon and hence would have already helped Simon to invert f at the point c* = f(s* || t*)!

Shoup has a better exploitation of this problem. He observes that for some f as an OWTP, 𝒜's ability to query s* given c* suffices for it to construct a valid ciphertext without querying r* for random oracle G (in fact, without ever querying G at all in the entire history of the attack game). Moreover, because the valid ciphertext so constructed is a malleability result of another valid ciphertext, this f-OAEP scheme is NM-CCA2 insecure, and by Theorem 14.4 (in 14.5.4.2) it is also IND-CCA2 insecure. However, the reduction technique described in 15.2.3.1 shall not help Simon to invert f, since Simon's G-list can even be empty (i.e., 𝒜 has never queried anything for random oracle G)!

Shoup constructs a k-bit OWTP f for a counterexample. He supposes this permutation is "xor-malleable": given f(w_1) and w_2, one can construct f(w_1 ⊕ w_2) with a significant advantage. Notice that this is not an unreasonable assumption. In the security proof for an f-OAEP scheme described in 15.2.3.1 we have only required f to be one-way and have never required it to be non-malleable. After all, as we have seen in the previous chapter, OWTPs underlying popular textbook public-key encryption algorithms are generally malleable, and this general malleability is the very reason for us to enhance a textbook public-key scheme with the OAEP technique.

To make the exposition clearer, let this f not hide the k − k_0 most significant bits at all. Then this f can be written as:

where f_0 is an "xor-malleable" (k − k_0)-bit OWTP, i.e., given f_0(t_1) and t_2, one can construct f_0(t_1 ⊕ t_2) with a significant advantage. This f is still an OWTP with one-way-ness quantified by the security parameter k_0.

Now consider the f-OAEP encryption scheme instantiated under this f. Remember that for c* being the challenge ciphertext, the values s*, t*, r* and (m_b || 0^{k_1}) correspond to c* under this f-OAEP scheme.

Since 𝒜 is a black box, we have the freedom to describe how it should construct a valid ciphertext by modifying another valid ciphertext. Upon receipt of the challenge ciphertext c*, 𝒜 decomposes c* as c* = s* || f_0(t*). It then chooses an arbitrary, non-zero message in {0,1}^{k − k_0 − k_1}, and computes:

Clearly, in order to construct the new ciphertext c from the challenge ciphertext c*, 𝒜 only needs to query s* and s for H.

Let us now confirm that c is a valid f-OAEP ciphertext as long as c* is a valid f-OAEP encryption of m_b. From t = t* ⊕ H(s*) ⊕ H(s), we have

Equation 15.2.8

Clearly, (15.2.8) holds even though 𝒜 has not queried r = r* for G (it may not even know r*, because it may not know t*).

Had this game been played between 𝒜 and the real decryption oracle O, then O would retrieve r properly by computing r = t ⊕ H(s).

But noticing (15.2.8), O would have actually retrieved r*. So O would further apply the hash function G, and would compute G(r*) ⊕ s.

Upon seeing the trailing k_1 zeros, O would return the result as the correct decryption of c. From the returned plaintext, 𝒜 can easily extract m_b and hence break this f-OAEP in the IND-CCA2 mode.

However, for this game being played in the reduction between 𝒜 and Simon, because Simon's G-list is empty, Simon shall promptly return REJECT. Now, 𝒜 will definitely shout very loudly: "STOP FOOLING AROUND!"
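The game just described, simulated end to end as an added example (this is not code from the book). It instantiates f(s || t) = s || f_0(t) with a toy xor-malleable f_0 (an XOR with a fixed mask, chosen only to exhibit the malleability structure; it is not one-way), assumes Shoup's construction s = s* ⊕ (Δ || 0^{k_1}), t = t* ⊕ H(s*) ⊕ H(s) for the chosen non-zero message Δ, and records every oracle query so that the attacker's empty G-list, Simon's REJECT and the real oracle's decryption can all be checked.

```python
"""Shoup's counterexample f-OAEP, simulated: the attacker turns the challenge c* into
another valid ciphertext while querying only H (never G), so Simon's plaintext
extractor (whose G-list stays empty) must REJECT while the real oracle decrypts."""
import os

# Constructed toy parameters, in bytes: k = 32, k0 = 8, k1 = 8, message = k - k0 - k1.
K, K0, K1 = 32, 8, 8
N_MSG = K - K0 - K1
F0_MASK = bytes(range(1, K0 + 1))   # constructed constant defining the toy f0


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class RandomOracle:
    """Lazily sampled random function; `queries` is the oracle's list (G-list / H-list)."""

    def __init__(self, out_len: int):
        self.out_len = out_len
        self.table = {}
        self.queries = []

    def __call__(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = os.urandom(self.out_len)
        self.queries.append(x)
        return self.table[x]


# f(s || t) = s || f0(t): the k - k0 most significant bits are not hidden at all, and
# f0 is xor-malleable: f0(t1) XOR t2 = f0(t1 XOR t2). This f0 is a stand-in permutation
# chosen for illustration only; it is not one-way.
def f0(t: bytes) -> bytes:
    return xor(t, F0_MASK)


def f(s: bytes, t: bytes) -> bytes:
    return s + f0(t)


def f_inv(c: bytes):
    return c[:K - K0], xor(c[K - K0:], F0_MASK)


def oaep_encrypt(G, H, m: bytes, r: bytes = None) -> bytes:
    r = r or os.urandom(K0)
    s = xor(m + bytes(K1), G(r))      # s = (m || 0^k1) XOR G(r)
    t = xor(r, H(s))                  # t = r XOR H(s)
    return f(s, t)


def oaep_decrypt(G, H, c: bytes):
    """The real decryption oracle O; returns None for REJECT."""
    s, t = f_inv(c)
    r = xor(t, H(s))
    padded = xor(s, G(r))
    return padded[:N_MSG] if padded[N_MSG:] == bytes(K1) else None


def simon_decrypt(G, H, c: bytes):
    """Simon's simulated decryption: search G-list x H-list for a consistent (r, s) pair."""
    for r in set(G.queries):
        for s in set(H.queries):
            if f(s, xor(r, H.table[s])) == c:
                padded = xor(s, G.table[r])
                if padded[N_MSG:] == bytes(K1):
                    return padded[:N_MSG]
    return None                       # REJECT; unavoidable when the G-list is empty


def shoup_attack(H, c_star: bytes, delta: bytes) -> bytes:
    """Derive c from c* so that Dec(c) = m_b XOR delta, using only two H queries."""
    s_star, u_star = c_star[:K - K0], c_star[K - K0:]   # u* = f0(t*); t* stays unknown
    s = xor(s_star, delta + bytes(K1))                   # s = s* XOR (delta || 0^k1)
    u = xor(u_star, xor(H(s_star), H(s)))                # f0(t* XOR H(s*) XOR H(s)) via malleability
    return s + u                                         # r is unchanged: t XOR H(s) = r*


def run_game(m_b: bytes = b"challenge-msg-16"):
    G, H = RandomOracle(K - K0), RandomOracle(K0)
    c_star = oaep_encrypt(G, H, m_b)            # challenge ciphertext given to the attacker
    G.queries.clear(); H.queries.clear()        # Simon's lists hold only the attacker's queries
    delta = b"\x5a" + bytes(N_MSG - 1)          # arbitrary non-zero message (constructed)
    c = shoup_attack(H, c_star, delta)
    attacker_g_queries = len(G.queries)
    simon_verdict = simon_decrypt(G, H, c)      # answered from Simon's (empty) G-list
    real_plaintext = oaep_decrypt(G, H, c)      # what the true oracle O would answer
    return {
        "c_is_new": c != c_star,
        "attacker_G_queries": attacker_g_queries,
        "simon_verdict": simon_verdict,
        "real_plaintext": real_plaintext,
        "recovered_m_b": xor(real_plaintext, delta) if real_plaintext is not None else None,
        "m_b": m_b,
    }


if __name__ == "__main__":
    for key, value in run_game().items():
        print(f"{key}: {value!r}")
```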
15.2.3.4 Probability for 𝒜 to have Queried s* in its "Guess Stage"

We have left out a small detail regarding the incompleteness of the original proof of Bellare-Rogaway: the conditional probability for 𝒜 to have queried s* in its "guess stage" given that it can answer the challenge bit correctly. Because this part involves probability estimation, it may be skipped without causing any trouble in understanding how the security proof for RSA-OAEP works. (In fact, the probability estimation is quite elementary; we will state all rule applications by referring to their origins in Chapter 3.)

To start with, we suppose that somehow the attacker 𝒜 has advantage Adv to guess the challenge bit b correctly after it has had enough adaptive chosen-ciphertext training.

During the training, Simon may mistakenly reject a valid ciphertext in a decryption query. This is a bad event because it shows a low quality of the training course. So let this event be denoted DBad. In 15.2.3.2 our examination of Simon's simulated decryption procedure has concluded that the simulated decryption is accurate, or of high quality: the probability of inaccuracy is at the level 2^{−k_0} + 2^{−k_1}. So we have

Equation 15.2.9

Let further AskG (respectively, AskH) denote the event that r* (respectively, s*) has ended up in the G-list (respectively, in the H-list). These two events are also undesirable because they disclose to 𝒜 information for it to discover that the challenge ciphertext c* actually has nothing to do with its "chosen plaintexts" m_0, m_1. Therefore, let us also call them bad events. Define the event Bad as

Bad = AskG ∨ AskH ∨ DBad

Now, let wins denote the event that 𝒜 makes a correct guess of the challenge bit b. It is clear that in the absence of the event Bad, due to the uniform randomness of the values which the random oracles can have, the challenge bit b is independent of the challenge ciphertext c*. Thus we have

Equation 15.2.10

Applying conditional probability (Definition 3.3 in 3.4.1) we can re-express (15.2.10) into

or

Equation 15.2.11

We should notice that in the event that Bad does not occur, the simulated random oracles and the simulated decryption box work perfectly and are identical to the true functions. So 𝒜's attacking advantage should be fully released, and we have

Equation 15.2.12

On the other hand (see the law of total probability, Theorem 3.1 in 3.4.3),

Equation 15.2.13

If we conjoin (15.2.12) and (15.2.13), we have

or

Equation 15.2.14

Noticing (15.2.11), the inequality (15.2.14) becomes

that is

Equation 15.2.15

Since Bad = AskG ∨ AskH ∨ DBad, we have

Equation 15.2.16

Equation 15.2.17

Equation 15.2.18

where (15.2.16) is due to Probability Addition Rule 1, (15.2.17) is due to Example 3.3, and finally (15.2.18) follows from the definition of conditional probability and the fact that a probability value is always less than 1.

Finally, we notice that by the uniform randomness of the H oracle, the conditional event (i.e., r* having been queried given that s* has not been queried) can only occur with probability 2^{−k_0}. We have also known from (15.2.9) that the probability for DBad is also at the level of 2^{−k_0} + 2^{−k_1}. The inequalities (15.2.15) to (15.2.18) conclude

Therefore, if Adv is non-negligible in k, so is Prob[AskH].
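The chain of steps behind (15.2.10) to (15.2.18), carried through as an added derivation with the events defined above; it is not a transcription of the book's numbered equations, and it assumes Adv is defined by Prob[wins] = 1/2 + Adv and uses the two bounds stated in the paragraph above (probability 2^{−k_0} for r* being queried when s* has not been, and 2^{−k_0} + 2^{−k_1} for DBad).

```latex
\begin{align*}
\Pr[\mathrm{wins} \mid \neg\mathrm{Bad}] &= \tfrac12
  && \text{(absent Bad, $b$ is independent of $c^*$)}\\
\Pr[\mathrm{wins} \wedge \neg\mathrm{Bad}] &= \tfrac12\,\Pr[\neg\mathrm{Bad}]
  = \tfrac12\,(1-\Pr[\mathrm{Bad}]) && \text{(Definition 3.3)}\\
\Pr[\mathrm{wins}] &= \Pr[\mathrm{wins}\wedge\mathrm{Bad}] + \Pr[\mathrm{wins}\wedge\neg\mathrm{Bad}]
  && \text{(Theorem 3.1)}\\
  &\le \Pr[\mathrm{Bad}] + \tfrac12\,(1-\Pr[\mathrm{Bad}])
  = \tfrac12 + \tfrac12\,\Pr[\mathrm{Bad}] && \text{(using $\Pr[\mathrm{wins}\mid\mathrm{Bad}]\le 1$)}\\
\Pr[\mathrm{Bad}] &\ge 2\,\mathrm{Adv}
  && \text{(since $\Pr[\mathrm{wins}] = \tfrac12 + \mathrm{Adv}$)}\\
\Pr[\mathrm{Bad}] &\le \Pr[\mathrm{AskH}] + \Pr[\mathrm{AskG}\wedge\neg\mathrm{AskH}] + \Pr[\mathrm{DBad}]
  && \text{(union bound over $\mathrm{AskH}$, $\mathrm{AskG}\wedge\neg\mathrm{AskH}$, $\mathrm{DBad}$)}\\
  &\le \Pr[\mathrm{AskH}] + \Pr[\mathrm{AskG}\mid\neg\mathrm{AskH}] + \Pr[\mathrm{DBad}]
  && \text{(as $\Pr[\mathrm{AskG}\wedge\neg\mathrm{AskH}] = \Pr[\mathrm{AskG}\mid\neg\mathrm{AskH}]\,\Pr[\neg\mathrm{AskH}]$)}\\
\Pr[\mathrm{AskH}] &\ge 2\,\mathrm{Adv} - 2^{1-k_0} - 2^{-k_1}
  && \text{(with $\Pr[\mathrm{AskG}\mid\neg\mathrm{AskH}]\le 2^{-k_0}$ and $\Pr[\mathrm{DBad}]\le 2^{-k_0}+2^{-k_1}$)}
\end{align*}
```

The last line is the quantitative form of the conclusion: a non-negligible Adv forces a non-negligible Prob[AskH], since the two subtracted terms are negligible in k_0 and k_1.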
To this end, we can clearly see that if an attacker is capable of breaking, in the IND-CCA2 mode, the RSA-OAEP implemented with random oracles, then the attacker is capable of partially inverting the RSA function: finding s* with a similar advantage. Partial inversion of the RSA function can actually lead to full inversion. Let us now see how this is possible.

15.2.4 Rescue Work for RSA-OAEP

The mathematics in 15.2.3.4 actually plays an important role in the rescue work for RSA-OAEP. However, the initial rescue attempt did not rely on it.

15.2.4.1 Shoup's Initial Attempt

Fortunately, the malleability property of the RSA function is not so similar to that of a Feistel cipher, on which the OAEP transformation is based (review Fig 15.2 and our discussion there on the difference in algebraic properties between these two structures). Ironically, the significant difference in algebraic properties (or in malleability properties) between these two structures enabled Shoup to prove that the RSA-OAEP is IND-CCA2 secure provided the RSA encryption exponent is extremely small: for N being the RSA modulus, his proof requires

Equation 15.2.19

Let us see why.

Recall that our analysis has concluded that if s*, which is defined by the challenge ciphertext c* in (15.2.5), is not queried for oracle H, then the reduction is statistically correct. The only case for the reduction being incorrect is when s* is queried for H. For this case, we have not considered how Simon should act.

Shoup observes that with s* being a (k − k_0)-bit string in Simon's H-list, Simon can solve the following equation for the RSA problem:

Equation 15.2.20

where I(x) is the integer value of the string x. This equation is solvable in time polynomial in the size of N using Coppersmith's algorithm [82] provided X < N^{1/e}. With X being a quantity at the level of 2^{k_0} and with the restriction in (15.2.19), the condition X < N^{1/e} is met.

Thus, upon being given a ciphertext c for decryption service, Simon should, upon failure to decrypt c using the method specified in 15.2.3.1, try to solve (15.2.20) for X using each element in his H-list. If all of these attempts fail, Simon should reject c. Otherwise, the solution is X = I(t*); knowing s* and t*, Simon should decrypt c in the usual way.

Therefore, for this case of the RSA-OAEP, i.e., for the encryption exponent e satisfying (15.2.19), querying s* for H has already helped Simon to invert c*. The question is: what is the magnitude of e satisfying (15.2.19)? For the standard security parameter settings for the RSA-OAEP, we have N > 2^{1024} and k_0 = 160 (in order for 2^{−k_0} to be negligible), and so X < N^{1/e} requires 2^{160} < 2^{1024/e}, i.e., e < 1024/160 ≈ 6.4. So for the standard security parameter settings, e = 3 or e = 5 are the only possible cases for encryption exponents (e must be co-prime to φ(N), which is even). Although using such small exponents we can reach provable security for the RSA-OAEP, it is widely recognized after Coppersmith's work that one should not use such small exponents for RSA encryption.

Because the standard security parameter setting for k_0 is already close to the lower bound and that for the size of N cannot be increased dramatically, there is little hope to use this reduction method for any larger e.

15.2.4.2 Full Rescue by Fujisaki et al.

Fortunately again, soon after Shoup's analysis, Fujisaki et al. [114] made a further observation and found a way to invert the RSA function for the general case of the encryption exponent.

For the case of the RSA-OAEP, disclosing to Simon s* as a significantly large chunk of the pre-image of c* has actually already disclosed too much. Because s* has k − k_0 bits and because k > 2k_0, more than half the bits (the most significant bits) of the pre-image of c* are disclosed. Given such a large chunk of the pre-image, Fujisaki et al. applied a brilliant lattice technique which can solve for T = I(t*) from the equation

Equation 15.2.21

for arbitrarily large e. Recall that given a one-bit RSA oracle ("RSA parity oracle", review 9.2), we have studied an algorithm (Alg 9.1) which applies the one-bit oracle log_2 N times to invert the RSA function. Exactly the same principle applies here: the attacker 𝒜 is in fact an "RSA half-or-greater-block oracle", since s* has more than half the bits of the pre-image of c*. Using the algorithm of Fujisaki et al., Simon can apply 𝒜 twice to obtain two related blocks (half-or-greater-block) of partial pre-image information. These two blocks can be used in the formula (15.2.21) for solving two unknown integers which are smaller than 2^{k_0}. One of these smaller integers is I(t*), and hence Simon has inverted the RSA function.

Since Simon has to apply 𝒜 twice, he should play the reduction-via-attack game with 𝒜 twice: once feeding 𝒜 with c*, and once feeding 𝒜 with a related ciphertext derived from c* (mod N) using a random value. The respective s* values will be in his H-list and in his second H-list, respectively. Let q = max(#(H-list), #(second H-list)). From these two lists Simon will deal with no more than q^2 pairs. One of these pairs will enable Simon to form two correct equations in the formula (15.2.21) and thereby to invert the RSA function, unless he has chosen a bad random value, which has a small probability (negligible when k > 2k_0, which is the case in the RSA-OAEP). Because solving two cases of (15.2.21) can be done in time O_B((log_2 N)^3), Simon can invert the RSA function in time

Equation 15.2.22

where T is the time bound for 𝒜 to perform the IND-CCA2 attack on the RSA-OAEP.

The RSA-OAEP has two other variations for the padding parameter settings. They are PKCS#1 versions 2 and higher [230] and SET [259]. In these variations, the known data chunk s* is positioned in different places in the plaintext chunk. Due to the sufficiently large size of s* (considerably larger than the half-block size), root extraction can easily be done by running 𝒜 at most twice. So a variation of the technique of Fujisaki et al. will still apply to these

variations.
In this way, the RSA-OAEP, and the variations, remain provably secure in the IND-CCA2 mode.

Finally, we point out that the same result applies to the Rabin-OAEP. Therefore inverting the Rabin function, i.e., extracting a square root modulo N, at an arbitrary point implies factoring N. This can be done by Simon applying Theorem 6.17.(iii) (in 6.6.2): picking a random value x and setting c* as the raw Rabin encryption of x. The security result for the Rabin-OAEP is better than that for the RSA-OAEP, since factorization is a weaker assumption than the RSA assumption.

15.2.5 Tightness of "Reduction to Contradiction" for RSA-OAEP

The RSA-OAEP scheme is very efficient. However, the "reduction to contradiction" should not be considered so. Let us now explain this issue.

The expression (15.2.22) shows the time needed by Simon Simulator to apply the attacker 𝒜 twice to invert the RSA function at an arbitrary point. The expression has a quadratic term q^2, where q is the number of RO queries to H that 𝒜 is entitled to make in each instance of it being used by Simon.

Notice that an RO idealizes a hash function, which can be evaluated very efficiently. For a dedicated attacker, we ought to reasonably entitle it to make, say, 2^{50} hash function evaluations. Thus, it is reasonable to consider q at the level of 2^{50}. Consequently, the quadratic term q^2 in (15.2.22) means that Simon's time to invert the RSA problem is at the level of 2^{100} · O_B((log_2 N)^3).

Now review 4.6 for the state of the factorization art; (4.6.1) is the expression for factoring N using the Number Field Sieve (NFS) method. For the usual size of |N| = 1024, (4.6.1) provides a value at the level of 2^{86}. Thus, a contradiction given by 2^{100} · O_B((log_2 N)^3) is not a meaningful one at all, since using the NFS method Simon can invert the RSA function based on a 1024-bit modulus at a far lower cost without using 𝒜. Thus, the "reduction to contradiction" proof is not a valid one for the case of a 1024-bit RSA modulus.

Since 1024-bit RSA moduli are currently regarded as within the safe margin for many secure applications, the invalidity of the security proof for the RSA-OAEP exposes the unsatisfactory nature of a reduction that is a degree-2 polynomial.

The "reduction-to-contradiction" proof is valid for much larger RSA moduli; for example, it is valid in a marginal way for a 2048-bit modulus, for which (4.6.1) will produce a 2^{116}-level value.

15.2.6 A Critique on the Random Oracle Model

Canetti, Goldreich and Halevi hold a rather negative view on ROM-based security proofs [64, 65]. They demonstrate that there exist signature and encryption schemes which are provably secure under the ROM, but cannot have secure realizations in a real-world implementation.

Their basic idea is to devise nasty schemes. Such a scheme usually behaves properly as a signature scheme or an encryption scheme. However, upon the holding of a certain condition (basically, when non-randomness is sensed), the scheme becomes nasty and outputs the private

signing key if it is a signature scheme, or the plaintext message if it is an encryption scheme. Clearly, when we prove security for this nasty scheme under the ROM, since the plaintext to be signed or encrypted is assumed uniformly random (of course purely owing to the ROM trick), the proof will go through. However, in the real world with practical applications, since there is no uniformly random plaintext, any real-world implementation is clearly insecure.
Their steps to create such nasty schemes are rather involved. The more interested reader is referred to [65].
However, after elegant and convincing scientific argument, it is interesting to find that the three authors reach rather different conclusions in terms of disagreements on the usefulness of the random oracle methodology. They decide to present their disagreements in the most controversial form by having three separate conclusions, one from each author.
Canetti's conclusion (§6.1 of [65]) exposes the most critical view of the three. He considers that the random oracle model is a bad abstraction and leads to the loss of reductions to hard problems (i.e., it nullifies the elegant idea of "reduction to contradiction"). He further considers that identifying any useful, special-purpose properties of random oracles can be an alternative direction of research.
Goldreich's conclusion (§6.2 of [65]) is the mildest among the three. He considers the problem with the ROM as incompleteness: it may fail to rule out insecure designs due to some flaws in the implementation of random oracles. He therefore recommends that in currently published work, proofs of security under the ROM should not be included (we interpret this as: these proofs should not be considered as real proofs). However, he has a rather optimistic bottom line: the model has its value in playing the role of a test-bed for conducting the sanity check for cryptographic schemes. He further hopes that in the future the model may show more value to be recommended.
Halevi's conclusion (§6.3 of [65]) involves an event of seemingly non-negligible probability. He regards that the current success of this methodology is due to pure luck: "all the current schemes that are proven secure in the random oracle model happen to be secure also in the real world for no reason." His bottom line: today's standards should be around the schemes with proof in the ROM rather than be around those without. After all, this is rather an optimistic bottom line.
15.2.7 The Author's View on the Value of the Random Oracle Model
The author of this book has his own view on the value of the ROM-based security proof. In order to be objective about the content we have studied so far in this chapter, let me confine my observation to the case of the RSA-OAEP encryption scheme.
The ROM-based security proof for the RSA-OAEP essentially reveals the following fact:
If the padding scheme is a truly random function, then the padding result output from OAEP is a "plaintext" in an ideal world: it has a uniformly random distribution in the plaintext space of the RSA function. Thus, our investigation on the strength of the RSA function being used in the ideal world in §9.2 concludes that the easiest way to break the IND-CCA2 security is to solve the RSA problem first and then to do what the decryption algorithm does.
Thus, the ROM-based proof suggests that for a real world padding-based encryption scheme which uses real world hash functions rather than ROs, the most vulnerable point to mount an attack is the hash functions used in the scheme. In order to reach a high confidence about a padding based encryption scheme, we should pay much attention to the design of the hash function
and its inputting randomness.
From this point of view, we consider that an ROM-based technique for security proof manifests its importance in that it suggests where to focus the attention for careful design.
15.3 The Cramer-Shoup Public-key Cryptosystem
Another well-known provably IND-CCA2-secure and practically efficient public-key cryptosystem is the Cramer-Shoup public-key cryptosystem [84], named after its inventors Cramer and Shoup.
15.3.1 Provable Security Under Standard Intractability Assumptions
We have just seen the general methodology for formally provable security: to "reduce" an alleged attack on a cryptographic scheme to a solution to a reputably hard problem (i.e., to make use of an allegedly successful attacker as a black box to solve a reputably hard problem). We desire such a "reduction to contradiction" proof to have the following two important properties.
Property 15.1: Desirable Properties for "Reduction to Contradiction"
i. The reduction should be efficient; ideally, an allegedly successful attacker for a cryptographic scheme should be able to solve a hard problem underlying the scheme in an effort similar to that for mounting the attack.
ii. The intractability assumptions which are required for a scheme being secure should be as weak as possible; ideally, for a public-key encryption scheme based on a one-way trapdoor function (OWTF, notice: OWTP is a special case of OWTF), the only assumption for the scheme to become provably secure should be the intractability of the one-way trapdoor function.
Property 15.1.(i) has a practical importance: an inefficient reduction, even if it is in polynomial time, may provide no practical relation at all between an attack and a solution to a hard problem. For example, if a reduction relation is a polynomial of degree 8 where the security parameter is the usual case of 1024, then the time complexity for the reduction is at the level of $1024^8 = 2^{80}$. Under such a reduction, while an attacker may enjoy an efficient attack which breaks a scheme as fast as $10^{-6}$ second, the reduction using this attacker will only solve a hard problem in 38 billion years! Such provable security is not only certainly useless, but also may not constitute any contradiction for qualifying a mathematical proof: known methods for solving the reputably hard problem may well be far less costly than the figure given by the reduction! In fact, as we have seen in §15.2.5, even a reduction measured by a degree-2 polynomial can already be regarded as invalid for applications using a quite standard size of security parameters.
One may think that the desired Property 15.1.(ii) is less practically important since it seems merely to go with a general principle in mathematical proof: if weakening of assumptions does not restrict the derivation of a proof then a proof should only be based on the weakened assumptions. While pursuing a beautiful proof is certainly an important part of the motivation, the importance of Property 15.1.(ii) is more on the practical side. The importance of Property 15.1.(ii) is especially true in the design of cryptographic systems; weaker assumptions are easier to satisfy using more practical and available cryptographic constructions, and consequently, cryptographic systems using weaker assumptions provide a higher security confidence than those using stronger assumptions.
We have seen that the ROM-based proof for RSA-OAEP does not satisfy Property 15.1.(i) to the ideal extent in that the reduction is not tight enough for standard size of RSA moduli. Moreover,
the ROM-based proof for RSA-OAEP does not meet Property 15.1.(ii) very well. This is because the proof not only needs the intractability of the RSA function (the RSA assumption, Assumption 8.3), it also needs a very much stronger assumption: hash functions used in the OAEP construction should have the random oracle property. We say that this assumption is very strong; in fact, it is unreasonably strong: as we have discussed in §10.3.1.2, there exists no random oracle in the real world; consequently, this assumption is mathematically unsatisfiable. Indeed, speaking in practical terms, what we can obtain from the proof of the RSA-OAEP is that we must use high quality hash functions in the construction of the RSA-OAEP scheme. Unfortunately, this is not an absolute confidence which a mathematical proof should provide.
A formal proof of security for a public-key cryptosystem relying solely on the intractability of the underlying OWTP of the cryptosystem is said to be a proof under standard intractability assumption(s). Such a proof establishes security in the real world: it proves that a cryptosystem cannot be broken without breaking the underlying intractability assumption(s).
There are a number of provably secure (in the IND-CCA2 mode) cryptosystems based on standard intractability assumptions; the NM-CCA2 (equivalent to IND-CCA2) secure scheme of Dolev et al. [100] is an example. However, as we have discussed in §14.5.3, the need for using NIZK proof in that scheme makes it unattractive for practical applications.
The Cramer-Shoup public-key cryptosystem [84] is the first public-key cryptosystem which is practically efficient and provably IND-CCA2 secure under a standard intractability assumption. We shall also see that the scheme has a tight "reduction to contradiction" proof of security: a linear reduction. So the Cramer-Shoup public-key encryption scheme meets the two desirable properties in Property 15.1 to the ideal quality.
Let us now introduce the Cramer-Shoup scheme.
15.3.2 The Cramer-Shoup Scheme
The Cramer-Shoup public-key encryption scheme is a CCA2 enhancement of the semantically secure ElGamal encryption scheme (see §14.3.5). As in the case of the semantically secure ElGamal encryption scheme, the standard intractability assumption underlying the security of the Cramer-Shoup scheme is the decisional Diffie-Hellman (DDH) assumption. The reader may like to review Definition 13.1 in §13.3.4.3 for the DDH problem, and Assumption 14.2 in §14.3.5 for the DDH assumption.
The Cramer-Shoup cryptosystem is specified in Alg 15.1.
It is easy to see that part of the ciphertext $(u_1, e)$ is exactly the ciphertext pair of the semantically secure ElGamal cryptosystem. By Theorem 14.2 (in §14.3.5), we already know that the Cramer-Shoup scheme is IND-CPA secure under the DDH assumption.
Like any CCA2-secure encryption scheme, the decryption procedure has a data integrity validating step. Suppose that the ciphertext has not been altered en route to Alice. Then we have
Algorithm 15.1: The Cramer-Shoup Public-key Cryptosystem
Key Parameters
Let G be an abelian group of a large prime order q. The plaintext space is G;
(* we assume there exists an encoding scheme to code any plaintext as a bit string into G and decode it back; given desc(G), such an encoding scheme can be easily realized, see, e.g., §14.3.5 *)
To set up a user's key material, user Alice performs the following steps:
1. pick two random elements $g_1, g_2 \in_U G$;
2. pick five random integers $x_1, x_2, y_1, y_2, z \in_U [0, q)$;
3. compute ;
4. choose a cryptographic hash function $H : G^3 \to [0, q)$;
5. publicize $(g_1, g_2, c, d, h, H)$ as public key, keep $(x_1, x_2, y_1, y_2, z)$ as private key.
Encryption
To send a confidential message $m \in G$ to Alice, the sender Bob picks random integer $r \in_U [0, q)$ and computes
The ciphertext is $(u_1, u_2, e, v)$.
Decryption
To decrypt ciphertext $(u_1, u_2, e, v)$, Alice performs the following steps:
1. $H(u_1, u_2, e)$;
2.
Upon passing this data-integrity validating step, the rest of the decryption procedure follows that of the semantically secure ElGamal cryptosystem. Later we shall see that this data-integrity validating step is very effective: it virtually stops any hope of constructing a valid ciphertext without using the specified encryption procedure.
A reader might want to ask the following question:
"Why is the security of the scheme based solely on the DDH assumption? Since the data-integrity validating step uses a hash function H, why is the scheme's security not also based on some hash function property, e.g., the random oracle property?"
Of course, the hash function used in the scheme must not be a weak one. However, we should notice that the security service used in the data-integrity validating step is solely the one-way-ness of the hash function. There is no need to use the random oracle property. For example, hash function H(x) can be implemented by $g^x$ in the same group G, and thereby we will only use the one-way-ness of the discrete logarithm (DL) problem (see Definition 8.2 in §8.4). The associated intractability assumption is the discrete logarithm (DL) assumption (see Assumption 8.2 in §8.4) which is not only standard, but also is weaker than the DDH assumption in the same group; that is, if we use the DDH assumption in G, the DL assumption must also be in place in G. It is from this point of view that we say that the security of the scheme can be solely based on the DDH assumption. In contrast, as we have witnessed in Shoup's attack on an f-OAEP (§15.2.3.3), a security proof for f-OAEP cannot solely be based on the one-way-ness property, be it that of the hash functions used in the OAEP construction, or that of the underlying intractability.
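As an added example (not code from the book or from Cramer and Shoup), the following Python writes out Alg 15.1 in full, using the scheme's equations as given in [84]: $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$, $h = g_1^{z}$ at key setup; $u_1 = g_1^r$, $u_2 = g_2^r$, $e = h^r m$, $\alpha = H(u_1, u_2, e)$, $v = c^r d^{r\alpha}$ at encryption; and at decryption the test $u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha} = v$ followed by $m = e / u_1^z$. Everything else is an assumption made for the example: the group is the order-q subgroup of quadratic residues modulo a constructed toy safe prime p = 2039 (q = 1019), H is SHA-256 reduced modulo q, and the message encoding is the sign-flip trick for p ≡ 3 (mod 4). The last function alters e, the component that the ElGamal pair $(u_1, e)$ alone would accept, so that the data-integrity validating step can be seen rejecting it.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): p = 2q + 1 with q prime,
# and G the order-q subgroup of quadratic residues mod p.
P = 2039
Q = 1019


def in_group(x):
    """Subgroup membership test: 0 < x < p and x^q = 1 (mod p)."""
    return 0 < x < P and pow(x, Q, P) == 1


def encode(m):
    """Encode an integer m in [1, q] as an element of G (assumed encoding). Because
    p = 3 (mod 4), exactly one of m and p - m is a quadratic residue."""
    if not 1 <= m <= Q:
        raise ValueError("message must be in [1, q]")
    return m if in_group(m) else P - m


def decode(x):
    """Inverse of encode: elements above q came from p - m."""
    return x if x <= Q else P - x


def hash_to_zq(u1, u2, e):
    """H : G^3 -> [0, q); assumed realisation: SHA-256 over fixed-width encodings, mod q."""
    data = b"".join(t.to_bytes(4, "big") for t in (u1, u2, e))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def random_generator():
    """A random element of G other than 1; any such element generates G since q is prime."""
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, 2, P)   # squaring lands in the QR subgroup
        if g != 1:
            return g


def keygen():
    """Alg 15.1 key setup: public key (g1, g2, c, d, h), private key (x1, x2, y1, y2, z)."""
    g1, g2 = random_generator(), random_generator()
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    c = pow(g1, x1, P) * pow(g2, x2, P) % P
    d = pow(g1, y1, P) * pow(g2, y2, P) % P
    h = pow(g1, z, P)
    return (g1, g2, c, d, h), (x1, x2, y1, y2, z)


def encrypt(pk, m):
    """Alg 15.1 encryption of integer message m; returns the quadruple (u1, u2, e, v)."""
    g1, g2, c, d, h = pk
    r = secrets.randbelow(Q)
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = pow(h, r, P) * encode(m) % P                  # (u1, e) is the ElGamal pair
    alpha = hash_to_zq(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * alpha % Q, P) % P   # the data-integrity tag
    return (u1, u2, e, v)


def decrypt(sk, ct):
    """Alg 15.1 decryption; returns None when the data-integrity validating step rejects."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    if not all(in_group(t) for t in ct):              # reject anything outside G outright
        return None
    alpha = hash_to_zq(u1, u2, e)
    tag = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    if tag != v:
        return None
    # The rest is plain ElGamal decryption: m = e / u1^z, with u1^-z = u1^(q - z).
    return decode(e * pow(u1, (Q - z) % Q, P) % P)


def roundtrip(m):
    """Fresh key pair, encrypt, decrypt; returns the recovered message."""
    pk, sk = keygen()
    return decrypt(sk, encrypt(pk, m))


def tampered_ciphertext_result(m):
    """Replace e by e * g1 and return (decryption result, whether alpha changed).
    The tag fails to verify whenever H(u1, u2, e') differs from H(u1, u2, e)."""
    pk, sk = keygen()
    u1, u2, e, v = encrypt(pk, m)
    e2 = e * pk[0] % P
    changed = hash_to_zq(u1, u2, e2) != hash_to_zq(u1, u2, e)
    return decrypt(sk, (u1, u2, e2, v)), changed


if __name__ == "__main__":
    print("roundtrip:", roundtrip(77))
    print("tampered e:", tampered_ciphertext_result(77))
```

With q = 1019 the hash has only 1019 possible outputs, so the altered e' produces the same α as the original about once in a thousand trials and the tag would then verify; the function therefore reports whether α actually changed. At real parameter sizes that probability is negligible, which is the quality the text demands of H.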
15.3.2.1 The Performance
At first glance, it appears that the Cramer-Shoup cryptosystem is associated with much larger keys and many more exponentiations in comparison with the ElGamal cryptosystem. However, a closer examination will reveal that the difference is not so substantial.
A public key of the scheme consists of five elements in G, increased from a two-element public key in the case of ElGamal. The size of a ciphertext is a quadruple in G, doubling the size of that of ElGamal. Encryption requires "five" (but in fact, four, see in a moment) exponentiations, increased from two exponentiations in the case of ElGamal. Decryption requires "three" (in fact two) exponentiations, increased from one exponentiation in the case of ElGamal.
Now let us explain why encryption (decryption) only needs four (two) exponentiations instead of five (three) of them as obviously specified in the scheme. This is because the product of two exponentiations in the formulation of $g^x h^y$ can be computed at the cost of a single exponentiation. Alg 15.2 specifies this method. It is easy to see that the algorithm terminates in max(|x|, |y|) steps of the well-known "square-and-multiply" operation and outputs the correct result. Notice that in this algorithm, and in fact throughout our introduction to the Cramer-Shoup scheme, we have been omitting the presentation of the group operation. Indeed, G can be any abelian group in which the DDH assumption holds.
After our examination on the performance of the Cramer-Shoup cryptosystem, we can conclude: in both communication bandwidth and computation, the overhead of the Cramer-Shoup cryptosystem is roughly twice that of the ElGamal cryptosystem.
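An added example (not the book's Alg 15.2 and not code from Cramer and Shoup) of the cost saving just described: $g^x h^y$ computed with one shared square-and-multiply chain over a toy modulus. The two exponents' bits are scanned together from the most significant end of the longer one, so the chain performs max(|x|, |y|) squarings, and each round multiplies by at most one of g, h or the precomputed product gh. The modulus and bases are constructed sample values; the functions work for any modulus.

```python
def product_of_exponentiations_with_counts(g, h, x, y, mod):
    """Return (g^x * h^y mod `mod`, number of squarings, number of multiplications).

    Both exponents are scanned bit by bit from the most significant end of the
    longer one. Every round squares the accumulator once and then multiplies by
    g, by h, or by the precomputed gh according to the bit pair (1,0), (0,1) or
    (1,1), so the product costs max(|x|, |y|) squarings instead of |x| + |y|.
    """
    if x < 0 or y < 0:
        raise ValueError("exponents must be non-negative")
    g, h = g % mod, h % mod
    gh = g * h % mod            # the one table entry, used for the (1,1) bit pair
    u, squarings, multiplications = 1, 0, 0
    for i in range(max(x.bit_length(), y.bit_length()) - 1, -1, -1):
        u = u * u % mod         # the square
        squarings += 1
        xb, yb = (x >> i) & 1, (y >> i) & 1
        if xb and yb:
            u = u * gh % mod
        elif xb:
            u = u * g % mod
        elif yb:
            u = u * h % mod
        if xb or yb:
            multiplications += 1
    return u, squarings, multiplications


def product_of_exponentiations(g, h, x, y, mod):
    """g^x * h^y mod `mod`, the quantity Alg 15.2 computes."""
    return product_of_exponentiations_with_counts(g, h, x, y, mod)[0]


# Constructed sample values: a toy modulus and two small bases.
SAMPLE_MOD = 2039

if __name__ == "__main__":
    value, sq, mul = product_of_exponentiations_with_counts(2, 3, 1023, 5, SAMPLE_MOD)
    print(value, sq, mul)
```

For x = 1023 (ten one-bits) and y = 5 the chain squares ten times and multiplies ten times, against the ten plus three squarings two separate exponentiations would need; in the Cramer-Shoup tag $v = c^r d^{r\alpha}$ and its decryption check this is what turns "five" exponentiations into four and "three" into two.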
15.3.3 Proof of Security
If the reader only wants to know how to encrypt in Cramer-Shoup with a fit-for-application security, then Alg 15.1 has provided adequate "know-how" information and the reader can thereby proceed to §15.4. The text between here and §15.4 is "know-why" material: it answers why the Cramer-Shoup cryptosystem has a fit-for-application security. We will try to provide the answer in an intuitive manner.
The reader who decides to follow our "know-why" route should be relieved to know that there is no need of any advanced mathematical knowledge in order to understand the technique for the
proof of security for the Cramer-Shoup cryptosystem. A very basic understanding of the group theory which we have introduced in §5.2 plus an elementary knowledge of linear algebra (we shall state the fact when it is used) will suffice.
Proof of security for the Cramer-Shoup cryptosystem follows the "reduction to contradiction" methodology for formally provable security: "reducing" a hard problem supported by the underlying intractability assumption to an alleged IND-CCA2 attack. In the Cramer-Shoup cryptosystem, the hard problem is the following one:
Let G be a group of a prime order q, and let $(g_1, g_2, u_1, u_2) \in G^4$ be an arbitrary quadruple with $g_1 \neq 1$, $g_2 \neq 1$. Answer the question: Is $(g_1, g_2, u_1, u_2)$ a Diffie-Hellman quadruple? That is, whether or not there exist integers $a, b \in [0, q)$ such that
Equation 15.3.1
Since G is of a prime order, $g_1 \neq 1$ is a generator of G (Corollary 5.3) and hence there always exist integers $a, b \in [0, q)$ to satisfy the first two equations in (15.3.1). That is why we have only put the question mark on the third equation. It is routine to check that holding of the three equations in (15.3.1) is equivalent to
Algorithm 15.2: Product of Exponentiations
INPUT g, h ∈ A, where A is an algebraic structure;
x, y: integers in interval (0, #A);
Exp(u, z): single exponentiation which returns $u^z$; (* e.g., using Alg 4.3 for Exp *)
OUTPUT $g^x h^y$.
1. if (|x| > |y|)
{
u ← Exp(g, x (mod $2^{|x|-|y|}$)); (* exponentiation uses the least |x|−|y| significant bits of x *)
x ← x ÷ $2^{|x|-|y|}$ (* "÷": division in integers; the operation chops the least
          significant |x| - |y| bits of x, and hence now |x| = |y| *)
    }
    if (|y| > |x|)
    {
      u <- Exp(h, y (mod 2^(|y| - |x|)));
      y <- y ÷ 2^(|y| - |x|);
    }
3.  v <- g*h;  (* below |x| = |y| *)
4.  while (x != 0) do
    {
      (a) u <- u^2;
      (b) if (x (mod 2) == 1 and y (mod 2) == 1) u <- u*v;
      (c) if (x (mod 2) == 1 and y (mod 2) == 0) u <- u*g;
      (d) if (x (mod 2) == 0 and y (mod 2) == 1) u <- u*h;
      (e) x <- x ÷ 2; y <- y ÷ 2;  (* throw away the least significant bit *)
    }
5.  return(u).
    (* total number of "square-and-multiply": max(|x|, |y|) *)
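The product-of-exponentiations technique above, computing g^x h^y with a single shared square-and-multiply pass, in its standard left-to-right form. This is an added Python example, not the book's algorithm: the bits of both exponents are scanned together from the most significant end, the product v = g*h is precomputed for positions where both bits are set, and exp_product_cost reports the resulting operation count so the max(|x|, |y|) claim can be checked on concrete inputs. The modulus p and all inputs are arbitrary.

```python
def exp_product(g, h, x, y, p):
    """Return g^x * h^y mod p using one shared square-and-multiply pass.

    The bits of x and y are scanned together from the most significant end.
    Each bit position costs one squaring and at most one multiplication by g,
    h or the precomputed v = g*h, so the total work is max(|x|, |y|) squarings
    plus at most max(|x|, |y|) multiplications, instead of the roughly
    |x| + |y| squarings of two independent exponentiations.
    """
    if x < 0 or y < 0:
        raise ValueError("exponents must be non-negative")
    v = g * h % p                       # v = g*h, used when both bits are 1
    u = 1
    for i in range(max(x.bit_length(), y.bit_length()) - 1, -1, -1):
        u = u * u % p                   # one squaring per bit position
        bx, by = (x >> i) & 1, (y >> i) & 1
        if bx and by:
            u = u * v % p               # both bits set: multiply by g*h
        elif bx:
            u = u * g % p               # only the bit of x is set
        elif by:
            u = u * h % p               # only the bit of y is set
    return u


def exp_product_cost(x, y):
    """(squarings, multiplications) that exp_product performs for exponents x, y."""
    n = max(x.bit_length(), y.bit_length())
    mults = sum(1 for i in range(n) if (x >> i) & 1 or (y >> i) & 1)
    return n, mults
```

The squaring count is the maximum bit length of the two exponents; the multiplication count is the number of bit positions at which at least one exponent has a 1, which is what the table-driven step (b)-(d) above buys over two separate exponentiations.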
By the Decisional Diffie-Hellman assumption (Assumption 14.2), this question is a hard problem for the general case of an abelian group.

15.3.3.1 A Top-level Description for the Security Proof Technique

Suppose there exists an attacker $\mathcal{A}$ who can break the Cramer-Shoup cryptosystem in the IND-CCA2 mode with a non-negligible advantage. We shall construct an efficient reduction algorithm to enable our special agent, Simon Simulator, to answer a Decisional Diffie-Hellman question.

The input to Simon is an arbitrary quadruple $(g_1, g_2, u_1, u_2) \in G^4$ where $g_1 \neq 1$ and $g_2 \neq 1$. This quadruple may be a Diffie-Hellman quadruple; if this is the case we denote $(g_1, g_2, u_1, u_2) \in D$. Or it may not be a Diffie-Hellman quadruple; if this is the case we denote $(g_1, g_2, u_1, u_2) \notin D$.

Using the input values, Simon can construct a public key $PK = (g_1, g_2, c, d, h, H)$ for $\mathcal{A}$ to use, and during the IND-CCA2 attack game played with $\mathcal{A}$, Simon can also, upon $\mathcal{A}$'s request, construct a challenge ciphertext $C^* = (u_1, u_2, e, v)$ which encrypts a chosen plaintext $m_b \in_U \{m_0, m_1\}$ ($m_0, m_1$ are chosen by $\mathcal{A}$, but the bit $b$ is hidden from $\mathcal{A}$).

The challenge ciphertext $C^*$ has the following two properties:

i. If $(g_1, g_2, u_1, u_2) \in D$, then $C^*$ is a valid Cramer-Shoup ciphertext which encrypts $m_b$ under the public key $PK$. We shall see the validity of $C^*$ in 15.3.3.3 and 15.3.3.4. Also, whether using the given public key or not, $\mathcal{A}$ can get cryptanalysis training courses which will be precisely simulated by Simon. We shall see the exact precision of the simulated cryptanalysis training courses in 15.3.3.5. So in this case, Simon asks $\mathcal{A}$ to release its attacking advantage to the full capacity.

ii. If $(g_1, g_2, u_1, u_2) \notin D$, then the challenge ciphertext $C^*$ encrypts $m_b$ in Shannon's information-theoretical security sense (i.e., perfect encryption, see 7.5); that is, the ciphertext will be uniformly distributed in the entire ciphertext space. We shall see Shannon's perfect encryption in 15.3.3.4. Moreover, we shall also see in 15.3.3.5 that the quality of Shannon's perfect encryption cannot be compromised by the cryptanalysis training courses delivered to $\mathcal{A}$. So in this case, $\mathcal{A}$ cannot have any advantage whatsoever!

It is the difference in the respective advantages in these two cases that makes $\mathcal{A}$ a good teacher for Simon to answer the Decisional Diffie-Hellman question.
Let us now construct a "reduction to contradiction."

15.3.3.2 The Reduction

The reduction involves the following steps:

1. On input $(g_1, g_2, u_1, u_2) \in G^4$, Simon will construct a public key for the Cramer-Shoup cryptosystem, and send this public key to $\mathcal{A}$; the method for the public key construction will be described in 15.3.3.3.

2. Simon will provide $\mathcal{A}$ with the needed pre-challenge cryptanalysis training course; the method for Simon to simulate $\mathcal{O}$'s decryption procedure will be described in 15.3.3.5.

3. Simon will receive from $\mathcal{A}$ a pair of chosen plaintexts $m_0, m_1$, will flip a fair coin $b \in_U \{0, 1\}$, and will encrypt $m_b$ to construct a challenge ciphertext $C^*$ and will send $C^*$ to $\mathcal{A}$; the method for Simon to simulate $\mathcal{O}$'s encryption procedure will be described in 15.3.3.4.

4. Simon will continue providing $\mathcal{A}$ with the needed post-challenge cryptanalysis training course by simulating $\mathcal{O}$'s decryption procedure.

5. Simon will finally receive from $\mathcal{A}$ an educated guess on the bit $b$; at this time, Simon will be able to answer the question whether $(g_1, g_2, u_1, u_2) \in D$ or $(g_1, g_2, u_1, u_2) \notin D$.

Fig 15.4 provides an illustration of the reduction. It is an attacking game played between the IND-CCA2 attacker $\mathcal{A}$ and Simon Simulator. Simon has taken over all communication links of $\mathcal{A}$ so that $\mathcal{A}$ can interact only with Simon. For Simon, the attacking game is a simulated one; however, as we shall see, because the simulation is perfect in quality, $\mathcal{A}$ cannot discern the simulation from a real attack.

Figure 15.4. Reduction from the DDH Problem to an Attack on the Cramer-Shoup Cryptosystem

15.3.3.3 Public Key Construction

Using the input quadruple $(g_1, g_2, u_1, u_2) \in G^4$, Simon constructs the public key as follows: he picks the private-key exponents and computes

Equation 15.3.2

Simon also chooses a cryptographic hash function $H$. The public key for $\mathcal{A}$ to use is $PK = (g_1, g_2, c, d, h, H)$. The private key that Simon will use is $(x_1, y_1, x_2, y_2, z_1, z_2)$.

The reader may have already noticed that part of the public key, namely the $h$ component, is different from that specified in Alg 15.1. Let us explain that this is not a problem. We first show that the $h$ component of the public key constructed by Simon is perfectly valid.

With $g_1 \neq 1$, we note that $g_1$ is a generator of $G$ (Corollary 5.3) and hence $g_2 = g_1^w$ for some $w \in [0, q)$; thus

Equation 15.3.3

for $z \equiv z_1 + w z_2 \pmod q$. So, indeed, $h$ follows exactly the key-setup procedure in Alg 15.1.

The reader might still have the following concern:

"Since Simon does not know $w = \log_{g_1} g_2 \pmod q$, how can he later use $z \equiv z_1 + w z_2 \pmod q$ in the decryption procedure?"

In 15.3.3.5 we shall see that for any ciphertext which is valid with respect to the public key, Simon can indeed correctly use $z \equiv z_1 + w z_2 \pmod q$ as the "normal version" of the decryption exponent even though he does not have possession of $z$.

15.3.3.4 Simulation of the Encryption Procedure

Upon receipt of two chosen plaintext messages $m_0, m_1$ from $\mathcal{A}$, Simon tosses an unbiased coin $b \in_U \{0, 1\}$, and encrypts $m_b$ as follows:

The challenge ciphertext $C^*$ is $(u_1, u_2, e, v)$.

The reader may have noticed again that this encryption procedure is different from the normal encryption procedure, where $e$ should be computed as $h^r m_b$ for some $r \in [0, q)$.

However, this should cause no problem at all. Instead, the difference is vitally important for the proof of security. Let us explain the crux by considering the following two cases:

i. $(g_1, g_2, u_1, u_2) \in D$. In this case, because there exists $r \in [0, q)$ such that $u_1 = g_1^r$ and $u_2 = g_2^r$, the value $e$ computed by Simon coincides with the $e$ of a normal encryption with randomness $r$. So the simulated encryption is exactly a valid Cramer-Shoup encryption under the given public key. This is exactly what we desire for $\mathcal{A}$, as in this case we want to show its attacking advantage in the full capacity.

ii. $(g_1, g_2, u_1, u_2) \notin D$. In this case, there exist integers $r_1, r_2 \in [0, q)$ with $r_1 \not\equiv r_2 \pmod q$, $u_1 = g_1^{r_1}$ and $u_2 = g_2^{r_2}$. Since $g_1 \neq 1$ is a generator of $G$, there exist $\log_{g_1} g_2$, $\log_{g_1} h$, $\log_{g_1}(e/m_0)$, and $\log_{g_1}(e/m_1)$.

To make our exposition clearer, we may consider that $\mathcal{A}$ is now (i.e., in this case only) computationally unbounded. Given $e$ in the challenge ciphertext $C^*$, with its unbounded computational power, $\mathcal{A}$ can see the following two linear equation systems on two unknown integers $(z_1, z_2)$:

Equation 15.3.4

Equation 15.3.5

With $(g_1, g_2, u_1, u_2) \notin D$, we have $r_1 \not\equiv r_2 \pmod q$; also notice $\log_{g_1} g_2 \not\equiv 0 \pmod q$ (since $g_2 \neq 1$). So the left-hand side matrix is of full rank, 2, and so both systems have a unique integer solution for the pair $(z_1, z_2)$. There is no way for $\mathcal{A}$ to verify which of the two cases is the correct one. Thus, even computationally unbounded, $\mathcal{A}$ can have absolutely no idea whether $m_0$ or $m_1$ is encrypted under $C^*$. So for this case, $C^*$ encrypts $m_b$ in Shannon's information-theoretical security sense, and so $\mathcal{A}$ can have no advantage whatsoever!

We must point out that, so far, the exact Cramer-Shoup encryption in case (i), or Shannon's information-theoretically secure encryption in case (ii), are only true up to the CPA mode. That is, the qualities of the respective cases of the simulated encryption hold if $\mathcal{A}$ is passive. Our attacker is not so feeble! Remember, $\mathcal{A}$ is entitled to cryptanalysis training courses even after receipt of the challenge ciphertext. For example, if in case (ii) $\mathcal{A}$ can obtain a third linear system in addition to (15.3.4) and (15.3.5), maybe as a result of the CCA2 training course, then we can no longer claim Shannon's information-theoretical security of the encryption.

We shall see in the next section how the qualities of the two cases of the simulated encryption will be maintained throughout the cryptanalysis training courses which an IND-CCA2 attacker enjoys.
15.3.3.5 Simulation of the Decryption Procedure

Upon receipt of a ciphertext $C = (U_1, U_2, E, V)$ from $\mathcal{A}$, Simon will first conduct the data-integrity validating procedure specified in Alg 15.1. If the test yields YES, then the ciphertext is deemed valid. Simon then computes

Equation 15.3.6

and returns $m$ to $\mathcal{A}$ as the decryption result. If the test yields NO, then the ciphertext is deemed invalid and Simon will return REJECT as the decryption result.

We will state and prove in a moment Theorem 15.1, which claims that a valid ciphertext $C = (U_1, U_2, E, V)$ implies $(g_1, g_2, U_1, U_2) \in D$ with probability $1 - 1/q$. So there exists $R \in [0, q)$ such that $U_1 = g_1^R$ and $U_2 = g_2^R$. Thus,

Equation 15.3.7

Thus we see that the simulated decryption performed by Simon in (15.3.6) is correct, except for
a negligible probability $1/q$. This clarifies the doubt we have left over at the end of 15.3.3.3 on how Simon can properly decrypt without "the normal version" of the private exponent $z \equiv z_1 + z_2 \log_{g_1} g_2 \pmod q$.

Simon's ability to conduct correct decryption for valid ciphertexts permits Simon to offer the proper cryptanalysis training courses to which $\mathcal{A}$, as an IND-CCA2 attacker, is entitled.

We now show that the cryptanalysis training courses will not compromise the perfect qualities of the challenge ciphertext hiding $m_b$, which we have established in 15.3.3.4.

For any valid ciphertext submitted by $\mathcal{A}$, the returned decryption result will only confirm (15.3.7), in which the integer pair $(z_1, z_2)$ is defined by $(U_1, U_2, h^R)$ exactly the same way as the pair is defined by the public key components $(g_1, g_2, h)$ in the third equation in (15.3.2). So no information about $z_1, z_2$ in addition to what has already been shown in the public key can be obtained by $\mathcal{A}$. Therefore, if $\mathcal{A}$ submits valid ciphertexts, then the cryptanalysis training courses are useless for it.

In order not to waste the precious cryptanalysis training opportunity, $\mathcal{A}$ must submit ciphertexts such that for $C = (U_1, U_2, E, V)$ it holds $(g_1, g_2, U_1, U_2) \notin D$. If such a ciphertext passes Simon's validating step, then a numerical decryption result will be returned to $\mathcal{A}$, and this decryption result might relate to the challenge ciphertext in some way which may only be known to $\mathcal{A}$. Since it is supposed that $\mathcal{A}$ is very clever, we can never be sure, in the case of $(g_1, g_2, U_1, U_2) \notin D$, how the returned decryption result may relate to the challenge ciphertext. Should $\mathcal{A}$ be confirmed of a hidden relation, then we could no longer claim that the encryption of $m_b$ is exactly under the Cramer-Shoup scheme for case (i), or is information-theoretically secure for case (ii), as we have established in 15.3.3.4 under the CPA mode.

Fortunately, if $\mathcal{A}$ somehow manages to come up with a ciphertext $(U_1, U_2, E, V)$ such that $(g_1, g_2, U_1, U_2) \notin D$, it will be promptly replied with REJECT. This is due to Theorem 15.1, which we shall state and prove in a very short moment. As we shall see, the rejection probability is at least $1 - 1/q$. Notice that in the remaining probability of $1/q$, there is no need for $\mathcal{A}$ to obtain any clue from Simon by taking the trouble to submit a ciphertext; $\mathcal{A}$ can always help itself to guess anything in $G$ correctly with probability $1/q$, since $G$ is only of size $q$.

Thus, $\mathcal{A}$ cannot use its "cleverness" by submitting bad ciphertexts and hoping not to be rejected.

The probability for constructing a bad ciphertext and escaping rejection can be established as follows.

Theorem 15.1

Let $(g_1, g_2, c, d, h, H)$ be a public key for the Cramer-Shoup encryption scheme in a group $G$ of prime order $q$, where $g_1 \neq 1$ and $g_2 \neq 1$. If $(g_1, g_2, U_1, U_2) \notin D$, then the successful probability for solving the following problem is bounded by $1/q$ regardless of what algorithm is used:

Input: public key $(g_1, g_2, c, d, h, H)$, $(U_1, U_2, E) \in G^3$;

Output: $V \in G$ such that $(U_1, U_2, E, V)$ is a valid ciphertext as deemed by the key owner.

Remark 15.1

We have simplified the problem of creating a valid ciphertext to outputting the fourth component $V$ from a given triple $(U_1, U_2, E)$ and the public key. Treating $V$ as an input component and outputting any one of the first three ciphertext components is essentially the same problem; however, since $V$ is not input to the hash function $H$, outputting $V$ makes the simplest case.

Proof. To construct a valid ciphertext from the input values, an algorithm has to output $V \in G$ satisfying

Equation 15.3.8

where $x_1, y_1, x_2, y_2$ is the private key of the owner of the input public key and the remaining exponent in (15.3.8) is the hash value $H(U_1, U_2, E)$.

Since $G$ is of prime order $q$, $g_1 \neq 1$ is a generator of $G$ (Corollary 5.3). So we can denote $r_1 = \log_{g_1} U_1$, $r_2 = \log_{g_2} U_2$, $w = \log_{g_1} g_2$; there also exist $\log_{g_1} c$, $\log_{g_1} d$ and $\log_{g_1} V$ for any $V \in G$.

Combining (15.3.8) with the construction of the public-key components $c$ and $d$ (which have been implicitly verified during the key setup time), we have the following linear system

Equation 15.3.9

Applying Gaussian elimination, the matrix in (15.3.9) is equivalent to

Equation 15.3.10

With $(g_1, g_2, U_1, U_2) \notin D$, we have $r_1 \not\equiv r_2 \pmod q$; also notice $w \not\equiv 0 \pmod q$ (since $g_2 \neq 1$ is also a generator of $G$). So the matrix in (15.3.10) is of full rank, 3, i.e., the three row vectors are linearly independent. By a simple fact in linear algebra, for any $V \in G$, system (15.3.9) has (non-unique) solutions for $(x_1, y_1, x_2, y_2) \pmod q$.

Thus, we have proved that for input values satisfying the theorem condition, all $q$ elements in $G$ are valid candidates for $V$, i.e., for the input values, every $V \in G$ makes $(U_1, U_2, E, V)$ a valid ciphertext. However, for the key owner, among these $q$ possibilities, there is only one single $V \in G$ satisfying her/his choice of the private key components $(x_1, y_1, x_2, y_2)$. (We should clarify that, even though for any fixed $V \in G$ the integer solutions from system (15.3.9) are not unique, it is very clear that any fixed integer tuple $(x_1, y_1, x_2, y_2)$ can only be mapped to a single $V \in G$.) Hence the successful probability $1/q$ for the problem in the theorem statement is established.

We have, to this end, completed the security proof for the Cramer-Shoup cryptosystem.

It is easy to observe that the "reduction to contradiction" in this proof is a linear function: $\mathcal{A}$'s capability to attack the cryptosystem is identically translated to its capability to distinguish whether or not a given quadruple is in $D$. We therefore say that the reductionist proof for the security of the Cramer-Shoup scheme has a tight reduction.
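The simulation of 15.3.3.3 through 15.3.3.5 and the counting argument of Theorem 15.1, carried out in Python over a constructed toy group ($p = 23$, $q = 11$, $g_1 = 4$). This is an added example, not code from the book: it assumes the standard Cramer-Shoup formulas $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$, $e = h^r m$, $v = c^r d^{r\alpha}$ for Alg 15.1, substitutes SHA-256 for $H$, and names the hash value `a`. simulation_matches_real checks that for a Diffie-Hellman quadruple Simon's challenge ciphertext is identical to a normal encryption under the equivalent key $z = z_1 + w z_2$ and that (15.3.6) decrypts it correctly; mask_distribution exhausts the $(z_1, z_2)$ pairs consistent with $h$ to exhibit the perfect hiding of case (ii); v_distribution exhausts the private keys consistent with $(c, d)$ to show that for a non-Diffie-Hellman $(U_1, U_2)$ every $V \in G$ is accepted by exactly $q$ of the $q^2$ candidate keys, so a forger without the key wins with probability $1/q$.

```python
import hashlib
import secrets
from collections import Counter

# Constructed toy parameters, far too small for real use: G = order-q subgroup of Z_p^*.
P, Q, G1 = 23, 11, 4

def H(u1, u2, e):
    """Hash G^3 -> Z_q; SHA-256 stands in for the scheme's hash function H."""
    return int.from_bytes(hashlib.sha256(f"{u1},{u2},{e}".encode()).digest(), "big") % Q

def public_key(g1, g2, x1, x2, y1, y2, h):
    """c = g1^x1 g2^x2 and d = g1^y1 g2^y2 as in Alg 15.1 (assumed); h is supplied."""
    c = pow(g1, x1, P) * pow(g2, x2, P) % P
    d = pow(g1, y1, P) * pow(g2, y2, P) % P
    return (g1, g2, c, d, h)

def encrypt(pk, m, r):
    """Normal encryption with explicit randomness r: (g1^r, g2^r, h^r m, c^r d^(r*a))."""
    g1, g2, c, d, h = pk
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = pow(h, r, P) * m % P
    a = H(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * a % Q, P) % P
    return (u1, u2, e, v)

def valid(sk, ct):
    """Integrity test: V == U1^(x1 + a*y1) * U2^(x2 + a*y2) with a = H(U1, U2, E)."""
    x1, x2, y1, y2 = sk[:4]
    u1, u2, e, v = ct
    a = H(u1, u2, e)
    return v == pow(u1, (x1 + a * y1) % Q, P) * pow(u2, (x2 + a * y2) % Q, P) % P

def decrypt(sk, ct):
    """Key owner's decryption with the normal exponent z, where h = g1^z."""
    if not valid(sk, ct):
        return None                      # REJECT
    u1, u2, e, v = ct
    return e * pow(pow(u1, sk[4], P), -1, P) % P

def simon_keygen(g1, g2, rng=secrets.randbelow):
    """Simon's key setup: h = g1^z1 * g2^z2; Simon never learns w = log_g1 g2."""
    x1, x2, y1, y2, z1, z2 = (rng(Q) for _ in range(6))
    h = pow(g1, z1, P) * pow(g2, z2, P) % P
    return public_key(g1, g2, x1, x2, y1, y2, h), (x1, x2, y1, y2, z1, z2)

def simon_encrypt(sk, u1, u2, m):
    """Challenge ciphertext from the DDH input (u1, u2): e = u1^z1 * u2^z2 * m."""
    x1, x2, y1, y2, z1, z2 = sk
    e = pow(u1, z1, P) * pow(u2, z2, P) * m % P
    a = H(u1, u2, e)
    v = pow(u1, (x1 + a * y1) % Q, P) * pow(u2, (x2 + a * y2) % Q, P) % P
    return (u1, u2, e, v)

def simon_decrypt(sk, ct):
    """Simulated decryption (15.3.6): m = E / (U1^z1 * U2^z2) after the validity test."""
    if not valid(sk, ct):
        return None
    u1, u2, e, v = ct
    mask = pow(u1, sk[4], P) * pow(u2, sk[5], P) % P
    return e * pow(mask, -1, P) % P

def simulation_matches_real(w, r, m, rng=secrets.randbelow):
    """Case (g1, g2, g1^r, g2^r) in D: Simon's challenge ciphertext equals a normal
    encryption of m under the equivalent key z = z1 + w*z2, and both the key owner's
    decryption and Simon's (15.3.6) recover m."""
    g2 = pow(G1, w, P)
    pk, sk = simon_keygen(G1, g2, rng)
    x1, x2, y1, y2, z1, z2 = sk
    owner_sk = (x1, x2, y1, y2, (z1 + w * z2) % Q)
    ct = simon_encrypt(sk, pow(G1, r, P), pow(g2, r, P), m)
    return (ct == encrypt(pk, m, r) and decrypt(owner_sk, ct) == m
            and simon_decrypt(sk, ct) == m)

def mask_distribution(pk, u1, u2):
    """15.3.3.4: over all (z1, z2) consistent with h, count the mask u1^z1 * u2^z2.
    One value if (g1, g2, u1, u2) is in D; every element of G exactly once otherwise."""
    g1, g2, c, d, h = pk
    masks = Counter()
    for z1 in range(Q):
        for z2 in range(Q):
            if pow(g1, z1, P) * pow(g2, z2, P) % P == h:
                masks[pow(u1, z1, P) * pow(u2, z2, P) % P] += 1
    return masks

def v_distribution(pk, U1, U2, E):
    """Theorem 15.1: over all (x1, x2, y1, y2) consistent with (c, d), count the V that
    makes (U1, U2, E, V) valid.  Not in D: every V in G is hit by exactly q keys."""
    g1, g2, c, d, h = pk
    a = H(U1, U2, E)
    vs = Counter()
    for x1 in range(Q):
        for x2 in range(Q):
            if pow(g1, x1, P) * pow(g2, x2, P) % P != c:
                continue
            for y1 in range(Q):
                for y2 in range(Q):
                    if pow(g1, y1, P) * pow(g2, y2, P) % P == d:
                        vs[pow(U1, (x1 + a * y1) % Q, P) * pow(U2, (x2 + a * y2) % Q, P) % P] += 1
    return vs
```

With $q = 11$ the exhaustive loops finish instantly; the point of the toy size is that the distributions the proof argues about can simply be enumerated. For a Diffie-Hellman $(U_1, U_2)$ all $q^2$ consistent keys agree on one $V$, so the key owner's check is deterministic from $\mathcal{A}$'s point of view; for a non-Diffie-Hellman pair the $q$ possible values of $V$ are equally likely over the keys consistent with the public key, which is the $1/q$ bound.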

Table of Cont ent s
Moder n Cr ypt ography : Theor y and Pract i ce
By Wenbo Mao Hewlet t - Packard Company

Publi sher: Prent i ce Hal l PTR


Pub Dat e: Jul y 25, 2003
I SBN: 0- 13-066943-1
Pages: 648

Many cr y pt ographi c schemes and prot ocol s, especi al l y t hose based on publ i c- key cry pt ogr aphy ,
have basi c or so- cal l ed " t ext book cr ypt o" ver si ons, as t hese ver sionsar e usual ly t he subj ect s for
many t ext books on cry pt ogr aphy . Thi s book t akes adi ff er ent appr oach t o i nt roduci ng
cry pt ogr aphy : it pay s much more at t ent i on t ofi t - f or- appl i cat i on aspect s of cr ypt ogr aphy . I t
expl ains why " t ext book cr y pt o" isonl y good in an i deal wor l d wher e dat a ar e r andom and bad
guys behave ni cel y . I t r eveal s t he gener al unf it ness of "t ext book cr y pt o" for t he r eal worl d by
demonst r at i ngnumer ous at t acks on such schemes, pr ot ocol s and syst ems under var i ousr eal -
wor ld appl i cat i on scenari os. Thi s book chooses t o i nt r oduce a set of pract i cal cr y pt ogr aphi c
schemes, pr ot ocol s and syst ems, many of t hem st andar ds or de fact oones, st udies t hem cl osel y,
expl ains t hei r wor ki ng pri nci pl es, di scusses t hei r pr act i cal usages, and exami nes t hei r st r ong
( i . e. , f i t - for - appl i cat i on) securi t y pr opert i es, oft enwi t h securi t y evi dence for mal l y est abl ished.
The book al so i ncl udes self - cont ai nedt heor et i cal backgr ound mat er ial t hat i s t he f oundat i on for
moder n cr ypt ogr aphy.
15.4 An Overview of Provably Secure Hybrid Cryptosystems

In 8.15 we have introduced hybrid cryptosystems mainly under efficiency considerations. Hybrid cryptosystems also form a general solution to IND-CCA2 secure and practical public-key encryption. In this section let us conduct an overview of a series of hybrid encryption schemes. As the number of these schemes is not small, we cannot include security proofs; interested readers may study the original papers for details.

A ciphertext output from a hybrid cryptosystem has two components: a key encapsulation mechanism (KEM) and a data encapsulation mechanism (DEM). This KEM-DEM pair ciphertext can be written as the pair (KEM block, DEM block).

Upon receipt of this pair, the receiver should decrypt the KEM block using her/his private key to obtain the ephemeral symmetric key $K$, and then use this key to decrypt the DEM block to retrieve Payload_Message.

If the KEM is output from a provably IND-CCA2 secure asymmetric encryption scheme, then the IND property of the DEM block is a natural result of the randomness of the ephemeral key. It is not difficult to conceive that a KEM-DEM structured hybrid cryptosystem can be IND-CCA2 secure. Indeed, hybrid schemes in a KEM-DEM structure should be regarded as the most natural approach to public-key encryption with IND-CCA2 security and practical efficiency.

We regard hybrid schemes as the most natural ones because they can encrypt messages of any length at a low overhead. In applications, data have varied lengths and in most situations have lengths larger than a length fixed by a security parameter in a public-key cryptosystem, e.g., $n$ in the case of RSA-OAEP or $\log_2(\#G)$ in the case of Cramer-Shoup. Because public-key cryptosystems have a much higher overhead than symmetric cryptosystems, it is very likely that in applications a provably secure public-key encryption scheme, such as RSA-OAEP or Cramer-Shoup, is only used to form a KEM block in a hybrid scheme, while the encryption of data is done in a series of DEM blocks.
Hy br i d encr ypt i on schemes i nclude sever al KEM- DEM schemes pr oposed by Shoup [ 271] , a
scheme named FO proposed by Fuj i saki and Okamot o [ 113] , a scheme named HD- RSA pr oposed
by Poi nt cheval [ 232] , a scheme named DHAES pr oposed by Abdal l a, Bel l are and Rogaway [ 4] , a
vari at i on of t he Cr amer - Shoup scheme pr oposed by Shoup [ 269] , and a scheme named REACT
pr oposed by Okamot o and Point cheval [ 223] .
The scheme of Fuj i saki and Okamot o t akes t he fol l owing for mul at i on:
wher e G, H ar e hash f unct i ons. I n t hi s scheme, t he decr ypt i on r esul t f r om t he KEM bl ock i s pai r
, H( , m) . The r eci pi ent uses t o " seed" t he hash funct ion G t o obt ain a sy mmet r i c key G( ) ;
t hen usi ng i t t o decry pt t he DEM bl ock; fi nall y , t he r eci pi ent can veri f y t he cor r ect ness of t he
decryption by re-evaluating H( , m). So this scheme allows the recipient to detect whether the ciphertext has been modified or corrupted en route. The detection of ciphertext alteration is the main technical enabler for a cryptosystem being secure against active attackers.

The HD-RSA scheme of Pointcheval is based on an intractability problem named dependent RSA [233]: given an RSA ciphertext $= r^e \pmod N$, find $B = (r + 1)^e \pmod N$. This problem is apparently hard if one cannot find the $e$-th root of the ciphertext modulo the composite $N$ (the RSA problem). Then, the KEM block of the HD-RSA scheme is simply $= r^e \pmod N$ for a random . The recipient as the owner of $N$ can of course extract $r$ from it and then construct $B$. The scheme uses $K = G(B)$ as the symmetric key for the DEM block, as in the hybrid scheme of Shoup and that of Fujisaki-Okamoto.

The DHAES scheme of Abdalla, Bellare and Rogaway [4] is a hybrid scheme where the DEM block also attaches a message authentication code (MAC, see Section 10.3) as a means for data integrity validation. The two symmetric keys (one for the DEM block and one for the MAC block) are derived from a hash function formulation: $H(g^u, g^{uv})$ where $g^u$ is the KEM block and $g^v$ is the recipient's public key. Clearly, the owner of the public key $g^v$ can operate the private key $v$ on the KEM block $g^u$ to obtain $g^{uv}$, and thereby reconstruct $H(g^u, g^{uv})$ for further derivation of the two symmetric keys. Without using the private key $v$, the task of decryption seems to be something similar to solving the computational Diffie-Hellman problem (Definition 8.1). The problem of finding $H(g^u, g^{uv})$ given $g^u, g^v$ is called the hash Diffie-Hellman (HDH) problem.

In DHAES, it is interesting to notice that if $g^{uv}$ is directly used as an encryption multiplier as in the cases of the ElGamal and Cramer-Shoup schemes, then semantic security will be based on a decisional problem: deciding whether or not $(g, g^u, g^v, g^{uv}\ (= e/m_b))$ is a Diffie-Hellman quadruple. Now in this hybrid scheme, the use of a hash function prevents easy access to the fourth element in the quadruple, and so the decisional problem seems to have been weakened to a computational problem. Remember, it is desirable to underlie security with intractability assumptions which are as weak as possible. The reader may do an exercise to show that the HDH problem lies in between the CDH problem (Definition 8.1 in Section 8.4) and the DDH problem (Definition 13.1 in Section 13.3.4.3). Of course, we must notice that the "weakening of assumption" from the DDH problem to the HDH problem is not unconditional: it needs some (hidden from our brief description) assumption on the hash function used. Unfortunately, the hidden assumption should be something very close to a random oracle one.
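To make the KEM-DEM structure and the DHAES key derivation $H(g^u, g^{uv})$ concrete, here is an added example written for this edition; it is not code from the book or from Abdalla, Bellare and Rogaway. It assumes a constructed 128-bit safe-prime subgroup generated at run time (a toy size chosen for speed), SHA-512 as the hash H that yields both symmetric keys, a hash-based counter-mode stream as the DEM, and HMAC-SHA256 as the MAC; the function names (make_group, keygen, derive_keys, keystream_xor, encrypt, decrypt, demo) are this example's own.

```python
import hashlib
import hmac
import secrets

# Primes below 500, for trial division before Miller-Rabin.
SMALL_PRIMES = [n for n in range(3, 500) if all(n % d for d in range(2, int(n ** 0.5) + 1))]

def is_probable_prime(n, rounds=32):
    """Miller-Rabin: a composite survives all rounds with probability <= 4**-rounds."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=128):
    """Constructed toy group: safe prime p = 2q + 1 and a generator g of the order-q
    subgroup. 128 bits keeps the demo fast; deployments use a standard 2048-bit
    (or larger) group or an elliptic curve."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    g = pow(secrets.randbelow(p - 3) + 2, 2, p)   # a square, hence in the order-q subgroup
    return p, q, g

def keygen(group):
    p, q, g = group
    v = secrets.randbelow(q - 1) + 1               # private key v
    return v, pow(g, v, p)                         # public key g^v

def encode(x, p):
    return x.to_bytes((p.bit_length() + 7) // 8, "big")

def derive_keys(gu, guv, p):
    """DHAES-style H(g^u, g^uv): one SHA-512 call yields K_enc and K_mac. Hashing
    g^uv instead of using it as a multiplier is what moves the assumption from
    DDH towards the hash Diffie-Hellman (HDH) problem."""
    digest = hashlib.sha512(encode(gu, p) + encode(guv, p)).digest()
    return digest[:32], digest[32:]

def keystream_xor(k_enc, data):
    """DEM: hash-based counter-mode stream (constructed for this example; use
    AES-GCM or ChaCha20-Poly1305 in production). Applying it twice restores data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(k_enc + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(group, pk, payload):
    p, q, g = group
    u = secrets.randbelow(q - 1) + 1
    gu = pow(g, u, p)                              # KEM block g^u
    k_enc, k_mac = derive_keys(gu, pow(pk, u, p), p)
    body = keystream_xor(k_enc, payload)           # DEM block
    tag = hmac.new(k_mac, encode(gu, p) + body, hashlib.sha256).digest()
    return gu, body, tag

def decrypt(group, sk, ciphertext):
    p, q, _ = group
    gu, body, tag = ciphertext
    if not 1 < gu < p or pow(gu, q, p) != 1:       # KEM block must lie in the subgroup
        return None
    k_enc, k_mac = derive_keys(gu, pow(gu, sk, p), p)
    expected = hmac.new(k_mac, encode(gu, p) + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # altered en route: reject, never decrypt
        return None
    return keystream_xor(k_enc, body)

def demo():
    """Round trip, then a one-bit change to the DEM block that the MAC must catch."""
    group = make_group()
    sk, pk = keygen(group)
    msg = b"constructed payload; the DEM takes any length " * 4
    gu, body, tag = encrypt(group, pk, msg)
    ok = decrypt(group, sk, (gu, body, tag)) == msg
    tampered = bytes([body[0] ^ 1]) + body[1:]
    return ok, decrypt(group, sk, (gu, tampered, tag)) is None
```

Calling demo() returns (True, True): the payload round-trips, and flipping one bit of the DEM block makes decrypt return None. Two design choices matter for a practitioner: the receiver checks that the KEM block lies in the prime-order subgroup and verifies the MAC before it touches the DEM, so a modified ciphertext is rejected without leaking anything about the plaintext, which is exactly the "detection of ciphertext alteration" the section identifies as the enabler of security against active attackers; and the MAC covers the KEM block as well as the DEM body, so the two components cannot be recombined from different ciphertexts.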
Shoup's hybrid scheme [269] is a "weakening of assumption" version of the Cramer-Shoup scheme. In the original Cramer-Shoup scheme (Alg 15.1), encryption of message $m$ takes the ElGamal formulation: $h^r m$. In the "weakening of assumption" version in [269], $h^r$ is hidden under a hash function $H(\ldots; h^r)$ to stop the easy testing of the DDH problem. The hashed value $H(\ldots; h^r)$ will be used to derive symmetric keys for encoding the DEM block and a data integrity validating mechanism. Shoup uses "hedging with hash" to name his version of "weakening of assumption."
15.5 Literature Notes on Practical and Provably Secure Public-key Cryptosystems

Damgård originates the work on practical public-key cryptosystems with security resilience to active attackers [88]: thwarting active attackers by including a data-integrity validating procedure in public-key cryptosystems. The method has since then become a general strategy for designing cryptosystems with provable security against active attackers. However, Damgård's schemes (there are two schemes in his original work) are demonstrably insecure in the CCA2 mode (see, e.g., [311]).

Zheng and Seberry propose practical encryption and digital signature schemes which aim to be secure in the CCA2 mode [311, 310]. The general idea in their scheme is to enhance one-way-function-based textbook public-key schemes (ElGamal based) using hash functions. This is an important idea which is later developed into the random oracle model for provable security which we have studied in Section 15.2. The security proof in the IND-CCA2 mode provided in [310] is based on a non-standard assumption called "sole-samplability of spaces induced by functions" (together with the computational Diffie-Hellman assumption). Soldera discovered that one of the schemes of Zheng and Seberry is actually IND-CCA2 insecure [280, 281].

In the case of RSA-based randomized padding schemes, upon discovery of the incompleteness in the security proof for the RSA-OAEP (Section 15.2.3.3), Shoup proposes a modification to OAEP called OAEP+ [270] and obtains a security proof which is a tighter reduction than that of the security proof for the RSA-OAEP obtained by Fujisaki et al. [114]. The reduction becomes tighter because Simon's advantage in inverting the RSA function is linearly related to Malice's advantage in breaking the cryptosystem. However, because Simon's time to invert the RSA function is still a quadratic function of the number of RO queries which Malice is entitled to make, the reduction remains inefficient (review the similar case for the RSA-OAEP in Section 15.2.5). Boneh also proposes modifications to OAEP, named Simple-OAEP (SAEP) and Simple-OAEP+ (SAEP+) [49]. However, these schemes have a low bandwidth of message recovery (we will discuss the problem of low bandwidth of message recovery with some randomized padding schemes in Section 16.4.4.2).

Recently, Coron et al. [83] show that another randomized padding scheme for RSA, named Probabilistic Signature Scheme with message Recovery (PSS-R, originally proposed by Bellare and Rogaway [26]; see the next chapter for details), can also be used for encryption. Essentially, these authors insightfully realize that, with the use of hash functions, data-integrity validation in a padding scheme needn't be based on introducing additional redundancy such as a string of zeros as in the case of the RSA-OAEP. We will see this scheme in the next chapter. Like SAEP and SAEP+, PSS-R has a low bandwidth of message recovery when it is used for RSA encryption (see Section 16.4.4.2).

Like the RSA-OAEP scheme, the randomized padding schemes mentioned in the preceding paragraph are all provably secure in the IND-CCA2 mode under the ROM. However, because provable IND-CCA2 security for the RSA-OAEP has been re-established (Section 15.2.4), because the RSA-OAEP has long been the RSA encryption standard, and most importantly, because OAEP turns out to have the highest bandwidth for message recovery, it is not clear whether these new modifications can gain a momentum similar to that which the RSA-OAEP has obtained as the standard for RSA encryption.

Padding techniques for OWTP can result in optimally efficient schemes. However, OWTP is actually a very rare function. RSA and Rabin (over quadratic residues) are probably the only OWTPs among common public-key cryptographic functions. Moreover, the random-oracle-model-based security proofs (or arguments) for padding schemes have so far failed to derive a tight "reduction to contradiction." Some researchers consider devising provably secure schemes for general one-way-function-based public-key cryptographic functions with tighter reductions
for provable security. Some authors devise schemes which extend padding-based schemes from OWTP to general one-way trapdoor functions. Many public-key cryptographic functions are not permutations (e.g., the ElGamal function is not a permutation). Therefore such extensions are useful. Fujisaki and Okamoto [112] and Pointcheval [234] propose two such generalized schemes. However, these generalized schemes are not optimally efficient: re-encryption is required at decryption time as the means to detect errors. Since decryption is often operated in a slow device, such as a smart card, decryption-heavy schemes should be avoided.

Of course, a number of hybrid cryptosystems form a family of provably IND-CCA2 secure and practical public-key encryption schemes. Detailed literature notes on this family have been given in the overview in Section 15.4.

Finally, we should remind the reader that for practical public-key encryption schemes, the data-integrity validating mechanism used in the provably IND-CCA2 secure encryption schemes only provides a security service which we have termed "data integrity without source identification," or "integrity from Malice" (review Section 10.5). In most applications in the real world, this notion of security service is inadequate. The common approach to achieving source identification in public-key cryptography is to use digital signatures.

Recently, a novel public-key cryptographic primitive named signcryption has emerged. A signcryption scheme combines encryption and signature in one go. The motivation of the combination is to achieve efficient public-key encryption and at the same time to offer additional security services important for electronic commerce applications: message source identification and non-repudiation. As this new cryptographic primitive appeared after the wide spreading of the notion of provable security for public-key cryptosystems (originated in 1997 by Zheng [309]), researchers have the readiness to apply the provable security strategy in the design of signcryption schemes. We shall study a provably secure and practical signcryption scheme in the next chapter.
15.6 Chapter Summary

In this chapter we have described with detailed explanations two important public-key cryptosystems which not only have formally established fit-for-application security, i.e., are provably secure under the IND-CCA2 attacking mode, but also are practically efficient: their efficiency is similar to that of their textbook counterparts. The encryption schemes from this chapter stride away from previous bit-by-bit based solutions (e.g., those described in the preceding chapter), and hence are practical public-key encryption schemes.

The reader may consider that in a public-key cryptosystem which has a data integrity verification step at decryption time, a ciphertext encrypts a message which is "digitally signed" by the sender using the public key of the receiver. The "signature" scheme has a message recovery feature and therefore the receiver can retrieve the plaintext and verify the "signature" using her/his private key. This thought is technically correct. The only reason we have used quotes, "digitally signed," "signature," is because the "signer" can be anybody and therefore the cryptographic transformation does not provide a signature in the usual sense. Nevertheless, it is the difficulty of forging a "signature" without using the given procedure and the given public key that effectively stops an adaptive chosen-ciphertext attack. This is the main reason for such an encryption scheme (and the two practical cryptosystems introduced in this chapter) being secure in the CCA2 sense.

In the course of the security proofs for these cryptosystems, we also introduced and explained several important concepts: the random oracle model for security proof (with its limitations discussed), formal proof via reduction to contradiction, and the tightness of such a reduction.

We also conducted an overview of various hybrid encryption schemes which combine symmetric and asymmetric encryption techniques and achieve practical public-key cryptosystems.

Finally we provided a literature note to review the development of the subject.
15.7 Exercises

15.1 What is the role of the random input in the RSA-OAEP algorithm? What is the role of the constant string $0^{k_1}$ in the same algorithm?

15.2 The bandwidth of an encryption algorithm is the size of the plaintext it can encrypt over the value of the security parameter. Let an instantiation of the RSA-OAEP use 2048 as the security parameter and 160 as the size of the random input. What is the bandwidth of this instantiation of the RSA-OAEP?

15.3 What is the random oracle model for security proof?

15.4 What are the limitations of the random-oracle-model-based security proof?

15.5 Why must the simulation of an RO in Section 15.2.1 be built from a sorted list which is initially empty?

15.6 What is a "contradiction" in "reduction to contradiction" in a security proof for cryptosystems with security based on a computational complexity problem?

15.7 Why must the challenge ciphertext in a reductionist proof be random?

15.8 In the proof of security for the RSA-OAEP, why must Simon run the attacker more than once?

15.9 Why is a 1024-bit modulus for the RSA-OAEP regarded as too small even though such a modulus resists the current factorization technology?

15.10 The Cramer-Shoup cryptosystem also uses a hash function. Does the security proof for the cryptosystem require this function to have a random oracle behavior?

15.11 Suppose that the Cramer-Shoup cryptosystem is modified into one which encrypts as

(and hence decryption performs subtraction), and all other parts remain unchanged. Show that the modified scheme is CCA2 secure, i.e., any active attack can be detected. Is it IND-CCA2 secure?

15.12 Why is the cost for computing $g^x h^y \pmod p$ measured as that of one modulo exponentiation?

15.13 Extend Alg 15.2 to the case of $f^x g^y h^z \pmod p$.

15.14 What is a hybrid cryptosystem?
15.15 In applications, confidential data usually have sizes much larger than, while a symmetric encryption key has a size much less than, a security parameter of a public-key cryptosystem. For secure transmission of such data, which of the following algorithms will you choose? (i) RSA, (ii) AES, (iii) RSA-OAEP, (iv) ElGamal, (v) Cramer-Shoup, or (vi) a hybrid cryptosystem.
Chapter 16. Strong and Provable Security for Digital Signatures

Section 16.1. Introduction
Section 16.2. Strong Security Notion for Digital Signatures
Section 16.3. Strong and Provable Security for ElGamal-family Signatures
Section 16.4. Fit-for-application Ways for Signing in RSA and Rabin
Section 16.5. Signcryption
Section 16.6. Chapter Summary
Section 16.7. Exercises
16.1 Introduction
Although in our definition for digital signature schemes (Definition 10.2 in 10.4) we stipulate an "overwhelming" probability for Verify_pk(m, s) = False if (m, s) is a forged message-signature pair created without using the prescribed signing procedure, we have not conducted any investigation on how overwhelming the probability should be for any signature scheme introduced in Chapter 10. Also, as we have discussed in 10.4.9, the textbook security notion of digital signatures, i.e., difficulty of forging a signature "from scratch," is too weak to be fit for applications. Therefore, security arguments for signature schemes in Chapter 10, if we have conducted any there, are too informal to provide an adequate level of confidence and too weak to be useful in practice. The real reason for having considered informal and weak security arguments in Chapter 10 is that we were not then technically ready for conducting a formal and strong security argument.
After having studied in the two preceding chapters formal methodologies for security proof for public-key encryption schemes, which include strong security notions (e.g., IND-CCA2), the "reduction-to-contradiction" philosophy, and the random oracle and standard models for security proof, we are now technically ready to further study formal security analysis methodologies for digital signature schemes. Analogous to the case of enhanced security analysis for public-key encryption schemes, the following two issues will be covered in our study of enhanced security analysis for digital signature schemes:
Difficulty for signature forgery against the most general way of attacking digital signature schemes. The most general attack on digital signatures is adaptive chosen-message attack. An adaptive attacker has in its possession the public key of a target user, and can use the user as an oracle signing service provider (meaning given in 8.2) for signing any messages of its choice. It can then adapt its queries according to the message-signature pairs it has collected. We can consider this way of attack as the attacker obtaining a training course from the targeted signer for forging signatures. The task for the attacker, after querying sufficiently many adaptively chosen messages and getting the respective signatures, i.e., after sufficient training, is to output a new message-signature pair which is valid with respect to the targeted user's public key. Here, "new" means a message which has never been previously signed by the user.
Security argument with formal evidence establishment. This is to conduct a "reduction to contradiction" style of demonstration to establish security. Such a reduction for a secure signature scheme is an efficient transformation which shows that any successful forgery algorithm (e.g., under adaptive attack) can be used as a "blackbox" for solving a reputably hard problem in computational complexity. Here "contradiction" is because of a wide belief that there exists no efficient algorithm to solve the reputably hard problem.
Goldwasser, Micali and Rivest make systematic considerations on these two issues for digital signatures in their seminal work published in [127]. They also realize a signature scheme which is probably invulnerable to (existentially) adaptive chosen-message attack. That scheme uses a notion of "claw-free" permutation pairs: informally, these are permutations f_0 and f_1 over a common domain for which it is computationally infeasible to find a triple (x, y, z) such that f_0(x) = f_1(y) = z. Goldwasser et al. realize their "claw-free" permutation pairs using the integer factorization problem (see [127] for details). That signature scheme has the advantage that it can sign any random string without adding to the string any recognizable redundancy, e.g., without using hash functions for message formatting. However, that scheme signs a message in a bit-by-bit manner and hence is regarded as not ideally suitable for applications. Nevertheless, the work of Goldwasser et al. [127] lays the important foundation for the strong (i.e., fit-for-application) security notion for digital signature schemes.
16.1.1 Chapter Outline
In 16.2 we introduce the strongest security notion for digital signature schemes. In 16.3 we conduct a formal reductionist security proof for ElGamal-family signature schemes. In 16.4 we introduce fit-for-application signature schemes which are based on randomized padding techniques and one-way trapdoor permutations (mainly, RSA and Rabin functions). In 16.5 we study signcryption schemes and their fit-for-application security.
16.2 Strong Security Notion for Digital Signatures
We provide here the necessary definitions to be used in this chapter.
First, a digital signature scheme is denoted by (Gen, Sign, Verify) and these elements are defined in Definition 10.2 (in 10.4). However, because of the general uses of cryptographic hash functions in digital signatures we have witnessed in Chapter 10 (there the usage was mostly to prevent an existential forgery), in this chapter we shall consider that Sign and Verify of a signature scheme use one or more strong hash functions. By a strong hash function we mean that, when we argue security for a signature scheme, we will formally model such a hash function used in the scheme to have the random oracle behavior described in 10.3.1.2. Indeed, all security arguments to be provided in this chapter are given under the random oracle model for security proof (review 15.2.1).
Now we provide an asymptotic definition for the game of adaptive chosen-message attack on a digital signature scheme which uses hash function(s).
Definition 16.1: Adaptive Chosen-message Attack. Let k be a positive integer. An adaptive forger against a signature scheme (Gen, Sign, Verify) is a (probabilistic) polynomial-time (in k) algorithm. It takes as input a public key pk, where (pk, sk) ←_U Gen(1^k), and tries to forge signatures with respect to pk. The forger is allowed to request, and obtain, signatures of messages of its choice. This is modeled by allowing the forger access to the signing and hash algorithms, both polynomially (in k) many times.
The forger is said to (t(k), Adv(k))-break the signature scheme if in time t(k) with probability Adv(k) it outputs a valid forgery, namely, a message-signature pair (m, s) such that Verify_pk(m, s) = True, where m is a recognizable message according to the hash functions used in the scheme but is not one which has been input to Sign earlier by the signer. Here t(k) is a polynomial, and Adv(k) a significant quantity, in k.
For the meaning of a significant quantity (function), review 4.6.
We have simplified the definition without stating two expressions which are for the number of times the forger makes signing and hash queries. These omitted expressions are both polynomials in k: since the forger is a polynomial-time (in k) algorithm, it can only make polynomially many (in k) signing and hash queries.
Definition 16.2: Secure Signature Scheme. Signature scheme (Gen, Sign, Verify) is said to be (t(k), Adv(k))-secure if there exists no forger who (t(k), Adv(k))-breaks the scheme for all sufficiently large k.
The use of Definition 16.2 will be in a contradiction manner. Assume that a given signature scheme is (t(k), Adv(k))-breakable where t(k) is a polynomial and Adv(k) a significant function, in k. A reduction transformation will be constructed which can translate t(k) to t'(k) and Adv(k) to Adv'(k) so that an underlying hard problem becomes (t'(k), Adv'(k))-breakable. If the reduction is efficient enough, then t'(k) will be small enough and Adv'(k) will be sufficiently close to Adv(k) and will therefore also be significant enough. Consequently, the underlying hard problem would be (t'(k), Adv'(k))-breakable, which is widely believed to be untrue. In this way we reach a contradiction and complete a security proof. The reader may review 15.2.5 for the meaning of an efficient reduction and the importance for a reduction to be as efficient as possible.
Similar to the cases of the "reduction-to-contradiction" techniques for public-key encryption schemes which we have studied in the preceding chapter, reductions for proving signature schemes in this chapter will also be conducted by a special agent named Simon Simulator. Simon will be playing the role of a targeted signer in interaction with the forger by issuing
signatures of messages of the forger's choice. This is done via simulation of a signing oracle. In order for the forger to release its full capacity for signature forgery, the simulated signing oracle must behave indistinguishably from a true signer. Since the forger is polynomially bounded, it suffices for us to use the polynomial-time indistinguishability notion which follows Definition 4.15 (in 4.7).
In the rest of this chapter we name a forger Malice, who is an active attacker.
16.3 Strong and Provable Security for ElGamal-family Signatures
For a long period of time (1985–1996) after the birth of the ElGamal signature scheme (10.4.6) and the family of such signatures (e.g., Schnorr 10.4.8.1 and DSS 10.4.8.2), it was widely believed that the difficulty of forging such a signature should somehow be related to solving the discrete logarithm in a large subgroup of a finite field. However, no formal evidence (formal proof) was ever established until 1996.
Pointcheval and Stern succeeded in demonstrating affirmative evidence for relating the difficulty of signature forgery under a signature scheme in the ElGamal family of signatures to that of computing discrete logarithms [235]. They do so by making use of a powerful tool: the random oracle model (ROM) for proof of security [22]. The reader may review 15.2.1 to refresh the general idea of using the ROM for security proof (there, ROM-based proofs are for public-key encryption schemes). The ROM-based technique of Pointcheval and Stern is an insightful instantiation of the general ROM-based security proof technique to proving security for the ElGamal-family signatures.
16.3.1 Triplet ElGamal-family Signatures
Let us now introduce a typical version of the ElGamal-family signature schemes which can be provably unforgeable under the ROM. A scheme in this version takes as input a signing key sk, a public key pk and a message M which is a bit string, and outputs a signature of M as a triplet (r, e, s). Here
r is called a commitment; it commits an ephemeral integer called a committal which is independent of such values used in all previous signatures; the usual form for constructing a commitment is r = g^(committal) (mod p), where g and p are part of the public parameters of the signature scheme;
e = H(M, r) where H() is a cryptographic hash function; and
s is called a signature; it is a linear function of the commitment r, the committal, the message M, the hash function H() and the private signing key sk.
Let us name such a signature scheme a triplet signature scheme.
The original ElGamal signature scheme given in Alg 10.3 is not a triplet signature scheme because it does not use a hash function and does not resist an existential forgery (not to further consider adaptive chosen-message attack). However, the version which uses a hash function and thereby becomes existential-forgery resistant, i.e., the variation which we have described in 10.4.7.2, is a triplet version.
The Schnorr signature scheme (Alg 10.4) is also a triplet one. A signature of a message M produced by the signing algorithm of the Schnorr signature scheme is (r, e, s) where e = H(M, r) for some hash function H(), although in the Schnorr scheme there is no need to send the value r to the verifier since the value can be computed as g^s y^e.
Let us now introduce the reduction technique of Pointcheval and Stern for proving unforgeability for a triplet signature scheme. It is called a forking reduction technique.
16.3.2 Forking Reduction Technique
We have shown in 10.4.7.1 that a violation of the one-time use of an ephemeral key (committal, or equivalently commitment r) in a signature scheme in the triplet ElGamal family will lead to the uncovering of the signing private key. The uncovering of a signing private key is an efficient solution to a hard problem: extraction of the discrete logarithm of an element (a public key) in a group modulo a large prime.
A reductionist security proof for triplet ElGamal-family signature schemes makes use of this commitment replay technique to uncover the signing private key. A successful forger for such a signature scheme can be reduced, with a similar cost, to an extractor for the signing private key. Since the latter problem, extraction of the discrete logarithm of an element (a public key) in a group modulo a large prime, is reputably hard (Assumption 8.2 in 8.4), the alleged successful signature forgery should also be similarly hard, where the similarity between the two efforts depends on the efficiency of the reduction.
In the ROM-based reductionist security proof for a triplet ElGamal signature scheme, the hash function is idealised by a random function called a "random oracle" (RO) which has the behavior specified in 10.3.1.2. Under the ROM, all ROs are simulated by Simon Simulator. In addition, Simon will also simulate the signing procedure and so answer Malice's signature queries. Thus, Simon can provide Malice with the necessary training course which Malice is entitled to in order to prepare him well for his signature forgery task. If Malice is indeed a successful forger, then he should be educatable, and will output a forged message-signature pair with a non-negligible probability. Simon will use the forged signature to solve a hard problem, which in the case of a triplet ElGamal signature scheme is the discrete logarithm problem in a finite field. Fig 16.1 illustrates a reduction technique in which Simon makes use of Malice to solve a hard problem.
Figure 16.1. Reduction from a Signature Forgery to Solving a Hard Problem
In our description of the reduction technique of Pointcheval and Stern, which we will be giving in the next two sections, we will try to provide as much intuition as possible. As a result, our probability estimation result does not take the exact formula given by Pointcheval and Stern, although our measurement follows the same logic of reasoning as theirs. In terms of the reduction tightness, our result is an upper bound in comparison to that obtained by Pointcheval and Stern. Nevertheless, our upper bound suffices to produce a reasonably meaningful contradiction for a large security parameter. The reader with a more investigative appetite is referred to [236] to study their more involved probability measurement.
16.3.2.1 Unforgeability under Non-adaptive Attack
Let us first consider the case of the unforgeability property of triplet ElGamal signature schemes under non-adaptive attack.
Let (Gen(1^k), Sign, Verify) be an instance of the triplet version of the ElGamal signature scheme (i.e., the triplet version of Alg 10.3) where the prime p satisfies that there exists a k-bit prime q dividing p - 1 and (p - 1)/q has no large prime factors.
Suppose that Malice is a successful forger against (Gen(1^k), Sign, Verify). Let Simon Simulator wrap all communication channels from and to Malice as illustrated in Fig 16.1. However, under the non-adaptive attack scenario, there is no "simulated signing training" in the interaction between Malice and Simon since Malice never requests a signature.
Simon will pick a random element y. His goal is to uncover the discrete logarithm of y to the generator base g modulo p, i.e., to uncover the integer x satisfying y ≡ g^x (mod p). Simon will use Malice as a blackbox in such a way that Malice's successful forgery of a new signature on a chosen message will provide Simon enough information to uncover the discrete logarithm. We hope that by now the reader has become instinctively aware of the need for the input problem (i.e., y) to be arbitrary: otherwise, the reduction will not be a useful algorithm.
Let Malice's successful probability for signature forgery be Adv(k), which is a significant quantity in k, and let his time spent on signature forgery be t(k), which is a polynomial in k. We shall find out Simon's successful probability Adv'(k) for discrete logarithm extraction and his time t'(k) for doing the job. Of course we will relate (t'(k), Adv'(k)) to (t(k), Adv(k)).
First Lot of Runs of Malice
Now Simon runs Malice 1/Adv(k) times. Since Malice is a successful forger, after having been satisfied of a condition (to be given in a moment), he will output, with probability 1 (since he has been run 1/Adv(k) times), a valid signature (r, e, s) of message M under the scheme (Gen, Sign, Verify). That is,
where |e| = k.
The condition of which Simon must satisfy Malice is that the latter should be entitled to some number of evaluations of the RO function H. Under the ROM, as illustrated in Fig 16.1, Malice has to make RO-queries to Simon. Simon's response is via the simulation of the RO: he simulates H by maintaining an H-list of sorted elements ((M_i, r_i), e_i) (e.g., sorted by M_i) where (M_i, r_i) are queries and e_i are random answers.
Since Malice is polynomially bounded, he can only make n = q_H RO queries where q_H is polynomially (in k) bounded. Let
Equation 16.3.1
be n distinct RO queries from Malice. Let
be the n answers from Simon. Since |H| = k, Simon's answers are uniformly random in the set {1, 2, 3, ..., 2^k}.
Due to the uniform randomness of Simon's answers, when Malice outputs a valid forgery (r, e, s) on M, he must have queried (M, r) and obtained the answer e = H(M, r). That is, it must be the case that $(M, r) = (M_i, r_i)$ for some $i \in [1, n]$. The probability for (M, r) not having been queried is $2^{-k}$ (i.e., Malice has guessed Simon's uniformly random answer $R_i = e_i$ correctly without making a query to Simon). Considering the quantity $2^{-k}$ being negligible, we know that ((M, r), e) is in Simon's H-list.
Let us recap an important point which we must bear in mind: without making an RO-query to Simon and without using Simon's answer, Malice cannot be successful except for a minute probability value $2^{-k}$ which is negligible. With this observation, we can imagine as if Malice has been "forced" to forge a signature on one of the n messages in (16.3.1).
Second Lot of Runs of Malice to Achieve a Successful Forking
Now Malice is re-run another 1/Adv(k) times under exactly the same condition. That is, he will make exactly the same n queries in (16.3.1). However, this time Simon will reset his n answers uniformly at random.
We must notice that since the reset answers still follow the uniform distribution in the set $\{1, 2, 3, \ldots, 2^k\}$, these answers remain correct ones, since they have the correct distribution. (This point will be further explained in Remark 16.1 in a moment.)
After having been fed the second lot of n correct answers, Malice must again fully release his forgery capacity and output, with probability 1, a new forgery (r', e', s') on M'. Again, as we have discussed in the first lot of runs of Malice, (M', r') must be a $Q_j$ in (16.3.1) for some $j \in [1, n]$ except for a minute probability value $2^{-k}$.
An event of "successful forking of Malice's RO queries," which is illustrated in Fig 16.2, occurs when in the two lots of runs of Malice the two forged message-signature pairs (M, (r, e, s)) and (M', (r', e', s')) satisfy (M, r) = (M', r'). Notice that in each lot of runs of Malice, he can forge a signature for $(M_i, r_i)$ where $i \in_U [1, n]$ is uniformly random and needn't be fixed. Applying the birthday paradox (see 3.6), we know that the probability for this event to occur (i.e., i = j = b) is roughly

Notice: this is different from the case of fixing i in the second lot of runs, which will result in the probability for successful forking (at the fixed point i) being 1/n.
Figure 16.2. Successful Forking Answers to Random Oracle Queries

Recall that n is polynomially bounded, so this probability is a non-negligible quantity. That is, with this non-negligible probability value, Simon obtains two valid forgeries (r, e, s) and (r, e', s'). Further notice that because in the second run Simon has reset his answers uniformly at random, we must have $e' \not\equiv e \pmod q$ with the overwhelming probability value $1 - 2^{-k}$.
With a successful forking, Simon will be able to extract the targeted discrete logarithm value. Let us see how this is done.
Extraction of Discrete Logarithm
From the two valid forgeries Simon can compute

Since g is a generator element modulo p, we can write r as a power of g modulo p, with the exponent being some integer less than p - 1. Also noticing $y = g^x \pmod p$, we have

Since $e' \not\equiv e \pmod q$ necessarily implies $s' \not\equiv s \pmod q$, we have

Finally, if q | r, then the reduction fails. This is precisely the condition for mounting Bleichenbacher's attacks [41] on the ElGamal signature scheme, which we gave as the first warning in 10.4.7.1. However, while Bleichenbacher's attacks are enabled by a malicious choice of public key parameters, for a randomly chosen public key instance the event q | r obviously has the negligible probability value 1/q, and so we do not need to care if Malice may be successful in forging signatures (M, q, H(M, q), s) for some integer, since these successful forgeries form a negligible fraction of valid signatures. Thus, with an overwhelming probability r is relatively prime to q, and hence Simon can extract x (mod q) as

Recalling that (p - 1)/q has no large prime factors, x (mod p - 1) can easily be further extracted.
Since the numbers r, e, e' are in Simon's two RO lists, and s, s' are Malice's output, Simon can indeed use the described method to extract the discrete logarithm of y to the base g modulo p. In this method Simon uses Malice as a black box: he neither cares nor investigates how Malice's technology works; but as long as Malice's technology works, so does Simon's.
Reduction Result
To this end we have obtained the following reduction results:
i. Simon's advantage for extracting the discrete logarithm is

since $q_H$ is polynomially (in k) bounded, the value Adv'(k) is non-negligible in k.
ii. Simon's time cost is roughly

where t is Malice's time for forging a signature. We will discuss in 16.3.2.3 the efficiency of this reduction algorithm.
The theoretic basis for this ROM-based reduction proof is called the forking lemma [235].

Remark 16.1
The forking reduction technique works because Simon Simulator resets the RO answers so that one set of questions from Malice are answered with two completely independent sets of answers. It seems that Malice is very stupid for not having detected the changed answers to the same set of questions. No, Malice is still very clever as a successful forger. We should consider that Malice is a probabilistic algorithm whose sole functionality is to output a valid forgery whenever the algorithm is working in a correct environment and has been responded to with RO answers of the correct distribution. We must not think that the probabilistic algorithm may have any additional functionality, such as that the algorithm may be conscious like a human being and may thereby be able to detect whether or not somebody in the communication environment is fooling around. In fact, by responding to Malice with correctly distributed answers, Simon is not fooling him at all.
16.3.2.2 Unforgeability under Adaptive Chosen-message Attack
Now let us consider the case of unforgeability under adaptive chosen-message attack.
The reduction technique will be essentially the same as that in the case of non-adaptive attack. However, now Malice is also allowed to make signing queries ($q_s$ of them), in addition to making RO queries. Hence Simon Simulator must, in addition to responding to RO queries, also respond to the signing queries with answers which can pass Malice's verification steps using $\mathrm{Verify}_{pk}$.
Simon must do so even though he does not have possession of the signing key. The signing key is the very piece of information he is trying to obtain with the help of Malice! Simon's procedure for signing is done via simulation.
Therefore here it suffices for us to show that under the ROM, Simon can indeed satisfy Malice's signing queries with perfect quality.
Since the signing algorithm uses a hash function which is modeled by an RO, under the ROM, for each signing query M, Simon will choose a new element r < p and make the RO query (M, r) on behalf of Malice, and then return both the RO answer and the signing answer to Malice. The generation of a new r by Simon for each signing query follows exactly the signing procedure; Simon should never reuse any r which has been used previously.
Here is precisely what Simon should do. For signing query M, Simon picks random integers u, v less than p - 1, and sets

Simon returns e as the RO answer to the RO query (M, r) and returns (r, e, s) as the signature of M (i.e., as the signing answer to the signing query M). The reader may verify that the returned

signature is indeed valid. In fact, this simulated signing algorithm is exactly the one with which we generated an existential forgery in 10.4.7.2; there we have verified the validity of such an existential forgery.
Under the ROM, this simulated signature has the identical distribution as one issued by the signing algorithm which uses an RO in place of the hash function H. That is why Malice cannot discern any abnormality. Thus, the "simulated signing training" provided by Simon (see Fig 16.1) is a high quality one, and thereby Malice can be satisfied with the signature responses, in addition to being satisfied with the RO responses. His forgery capacity should be fully released and the same reduction used in 16.3.2.1 should also lead to a contradiction as desired.
Now we are done. Theorem 16.1 summarizes the security result we have obtained.
Theorem 16.1
Let (Gen($1^k$), Sign, Verify) be an instance in the triplet ElGamal-family signature schemes where the prime p satisfies that there exists a k-bit prime q dividing p - 1 and (p - 1)/q has no large prime factors. If an adaptive chosen-message forger can break the scheme in time t(k) with advantage Adv(k), then the discrete logarithm problem modulo p can be solved in time t'(k) with advantage Adv'(k) where

where $q_s$ and $q_H$ are the numbers of signing and H oracle queries, respectively, and T is the time for answering an H query.
In this result, $k^3$ is the number of bit operations for computing exponentiation modulo a k-bit integer (we have derived the cubic time-complexity expression for modulo exponentiation in 4.3.2.6).
16.3.2.3 Discussions
We have again witnessed the power of the ROM for security proof. Here is a fact revealed by the ROM-based security proof for triplet ElGamal-family signature schemes: if the signing algorithm is a truly random function, then the easiest way to forge a signature is to solve the discrete logarithm first and then do as a true signer does. This is consistent with the bit-security investigation result which we conducted in Chapter 9.
Thus, an ROM-based proof suggests that for a real world signature scheme which uses real world hash functions rather than ROs, the most vulnerable point to mount an attack is probably the hash functions used in the scheme, unless an attacker considers that attacking the hash functions is harder than solving the discrete logarithm problem. We therefore consider that the ROM-based technique for security proof manifests its importance in that it

suggests where to focus the attention for a careful design.
We have seen that Simon's advantage to solve the discrete logarithm problem is

where $q_H$ is the number of RO queries to H that Malice is entitled to make. In order for Simon to achieve a constant advantage to solve the discrete logarithm problem, the reduction should run

This will further increase Simon's time to

If we consider that a hash function can be evaluated efficiently, it is therefore reasonable to grant a dedicated forger the ability to evaluate $2^{50}$ hash functions (same as our instantiation in 15.2.5). Therefore in the reduction proof we ought to permit Malice to make $2^{50}$ RO queries, that is, $q_H = 2^{50}$ is a reasonable setting. Under this reasonable setting, we consider the dominant cost part in Simon's time, and obtain

as Simon's time for solving the discrete logarithm problem. This time cost indicates that our reduction is not very efficient. The resultant contradiction is not a very meaningful one for p being a 1024-bit prime, especially if Adv is small. It is however reasonably meaningful for p being a 2048-bit prime.
Although the reduction does not have ideal efficiency, nevertheless, the ROM-based forking reduction technique of Pointcheval and Stern provides the first reductionist security proof for triplet ElGamal-family signature schemes.
It is rather ironic to see that the proof for unforgeability against adaptive chosen-message attack, which is the strongest notion of security for digital signatures, is made possible only because the signature scheme has an inherent weakness of being existentially forgeable. However, this irony is different from the one in the case of "Shoup's initial attempt" in 15.2.4 for proof of security for the RSA-OAEP scheme where he suggests using 3 as the public exponent for RSA encryption. The inherent "weakness" of the existential forgery property of digital signature schemes based on one-way trapdoor functions is not an essential weakness (it is a property), while the RSA encryption using public exponent 3 is a real weakness.
Although the Digital Signature Standard (DSS, see 10.4.8.2) is not a triplet signature scheme (the hash function takes as input the message bit string only, rather than the message and the commitment value), there is no essential technical difficulty in proving the same unforgeability quality for the DSS under the ROM. The formality can go through if we assume that Simon is able to document all messages which have been RO queried and signing queried in the entire history with respect to a given key pair. In this way, queries of old messages can be responded to with the old answers. Perhaps the successful ROM-based proof of the triplet ElGamal signature schemes suggests that the DSS should be modified into a triplet version, that is, the commitment value should also be hashed.
Pointcheval and Stern [235] also provided a security proof for the signature scheme of Fiat

and Shamir [109] due to the fact that the scheme of Fiat and Shamir is essentially a triplet signature scheme. That signature scheme is modified from a zero-knowledge identification scheme which we shall introduce in a later chapter.
16.3.3 Heavy-Row Reduction Technique
There is a different reduction technique for the proof of unforgeability for triplet ElGamal-family signature schemes. The technique is called heavy row and was invented by Feige, Fiat and Shamir [106] for proving a soundness property for a zero-knowledge identification scheme of Fiat and Shamir [109] (we will study the soundness property of a zero-knowledge protocol in 18.2.2). Since that identification protocol can easily be turned into a triplet signature scheme of Fiat and Shamir (though not in the ElGamal family), the heavy-row technique trivially applies to triplet ElGamal-family signature schemes. This fact is eventually documented in [222]. Now let us provide a brief description of the heavy-row reduction technique for proving security for triplet ElGamal-family signature schemes.
In the heavy-row reduction technique, we also assume that Malice has advantage Adv to forge a signature. Then Simon will run Malice a number of times proportional to 1/Adv (exactly 3/Adv times).
Now let us imagine a gigantic binary matrix H of q rows and q columns. The q rows correspond to all possible random choices of the first element in a triplet ElGamal signature scheme. The q columns correspond to all possible random choices of the second element in this signature scheme. An entry $h_{i,j}$ in H is 1 if (i, j, s) is a valid signature, and is 0 otherwise. A row is said to be heavy if it contains at least two 1's.
An extremely simple but crucially important fact about this matrix is:
Lemma 16.1 Heavy-row Lemma
The probability that a 1 in H lies in a heavy row is at least 1/2.
This is simply because heavy rows have more 1's than other rows.
Since Malice is a successful forger against the triplet signature scheme with advantage Adv, we know that there are $\mathrm{Adv} \cdot q^2$ 1's in H. Running Malice 1/Adv times, Malice ought to output a correct forgery (i, j, s). By the Heavy-row Lemma, with probability at least 1/2, i is a heavy row. Now run Malice another 2/Adv times, sticking to the commitment i; Malice will successfully forge another valid signature (i, j', s') where j' ≠ j.
We already know that these two forged signatures achieve the extraction of the needed discrete logarithm value, i.e., lead to a contradiction as desired.
In our description of the heavy-row technique we have focused our attention on explaining the intuition of the idea. As a result we have omitted the application of a birthday-paradox effect which can lead to an enlargement of the probability values. For the precise reduction formulations of the heavy-row technique which make use of the birthday-paradox effect, the reader is referred to [222].

16.4 Fit-for-application Ways for Signing in RSA and Rabin
The RSA and Rabin functions are one-way trapdoor permutations (OWTP; review 14.3.6.1 for why and how a recommended way of using the Rabin function forms an OWTP). As a result, the textbook-version signature schemes based on these functions (the textbook RSA signature scheme 10.4.2 and the textbook Rabin signature scheme 10.4.4) are deterministic algorithms. This means that for a given key pair (sk, pk) and a given message M, the signature of M output from the signing algorithm is uniquely determined by (sk, pk) and M.
In cryptography, determinism is an undesirable property. In the case of the textbook Rabin signature scheme, the determinism is also the cause of a devastating attack on the scheme which we have shown in 10.4.5: adaptive chosen-message attack permits Malice to obtain two different square roots of a chosen message and thereby factor the modulus. Therefore, fit-for-application versions of the RSA and Rabin signatures must be probabilistic schemes.
16.4.1 Signatures with Randomized Padding
Bellare and Rogaway initiated the work of signing with RSA and Rabin in a probabilistic method [26]. They name their method probabilistic signature scheme (PSS). It is a randomized padding-based scheme for the RSA (and Rabin) function. For ease of wording, below we only mention the case of RSA.
Li ke t he OAEP padding scheme ( see Fi g 15. 1 f or a pi ct ur e of t he paddi ng scheme) , t he PSS
paddi ng scheme i s al so const r uct ed fr om hash f unct i ons and i s essent i all y i n t he same spi r i t as
t he OAEP scheme. I n t he case of t he RSA- OAEP scheme for encr y pt i on, t he encr ypt i on procedure
i s a t ransf or mat ion whi ch uses t he one- way par t of t he RSA f unct i on. I n t he case of t he RSA- PSS
si gnat ure scheme, t he si gning pr ocedure is a t r ansfor mat i on whi ch uses t he t r apdoor par t of t he
RSA funct ion si nce now t he pri vat e key i s avai l abl e t o t he si gner.
Now l et us speci f y t he RSA- PSS scheme, an i mpor t ant fi t - f or - appl i cat i on di gi t al si gnat ur e
scheme.
16.4.2 The Probabilistic Signature Scheme PSS
We shal l onl y speci f y t he al gor i t hm for t he RSA case; t he Rabi n case i s anal ogous.
Fi g 16. 3 i l l ust r at es a pi ct ure of t he PSS padding. The signat ur e scheme i s speci f ied i n Al g 16. 1.
Fi gu r e 16 . 3. Th e PSS Pad di n g

The signing and verifying algorithms make use of two hash functions. The first, H, called the compressor, maps as $H: \{0,1\}^* \to \{0,1\}^{k_1}$, and the second, G, called the generator, maps as $G: \{0,1\}^{k_1} \to \{0,1\}^{k-k_1-1}$. In the analysis of security, these hash functions are modeled by ROs.
Algorithm 16.1: The Probabilistic Signature Scheme (PSS)
Key Parameters
Let $(N, e, d, G, H, k_0, k_1) \leftarrow_U \mathrm{Gen}(1^k)$ where: $(N, e, d)$ are RSA key material with $(N, e)$ public and $d = e^{-1} \pmod{\phi(N)}$ private; $k = |N| = k_0 + k_1$ with $2^{-k_0}$ and $2^{-k_1}$ being negligible quantities; $G$, $H$ are hash functions satisfying $H: \{0,1\}^* \to \{0,1\}^{k_1}$, $G: \{0,1\}^{k_1} \to \{0,1\}^{k-k_1-1}$
(* the output bit string from G is split into two sub-bit-strings: one is denoted by $G_1$ and has the first (i.e., the most significant) $k_0$ bits; the other is denoted by $G_2$ and has the remaining $k - k_1 - k_0 - 1$ bits *)
Signature Generation
SignPSS(M, d, N) =
$r \leftarrow_U \{0,1\}^{k_0}$; $w \leftarrow H(M \,\|\, r)$; $r^* \leftarrow G_1(w) \oplus r$;
$y \leftarrow 0 \,\|\, w \,\|\, r^* \,\|\, G_2(w)$;
return($y^d \pmod N$).
Signature Verification

VerifyPSS(M, U, e, N) =
$y \leftarrow U^e \pmod N$;
Parse $y$ as $b \,\|\, w \,\|\, r^* \,\|\, \gamma$;
(* that is, let b be the first bit of y, w the next $k_1$ bits, $r^*$ the next $k_0$ bits, and $\gamma$ the remaining bits *)
$r \leftarrow r^* \oplus G_1(w)$;
if ($H(M \,\|\, r) = w \;\wedge\; G_2(w) = \gamma \;\wedge\; b = 0$) return(True)
else return(False).
What is the role of the leading 0? From the lengths of the hash functions and the random input, we know that the padding result has $k - 1$ bits. Thus, prefixing the padding result with 0 produces a k-bit string which, when interpreted as an integer, will be less than N. This is necessary in order for the modulo exponentiation to be conducted correctly. An alternative way of making sure that the padding result is less than N while saving one bit of bandwidth is to make the padding result an exactly k-bit string and to have the signer perform trial-and-error tests. This method has been included in our specification of the RSA-OAEP padding in Alg 10.6, which is a minor step of correction from the original algorithm given in [24].
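The following Python program is an added example (not the book's code) implementing SignPSS and VerifyPSS exactly as Alg 16.1 specifies them, including the leading-0 bit just discussed. It assumes a toy RSA key built from the known primes 2^127 − 1 and 65537 with e = 17, instantiates H and G with truncated SHA-256, and uses the toy sizes k = 144, k0 = 32, k1 = 64; all of these choices are the example's own.

```python
"""Toy RSA-PSS (Alg 16.1) in Python: added example, not the book's code.
Assumptions not taken from the book: the modulus is the product of the known
primes 2^127 - 1 and 65537 (so no prime generation is needed), e = 17, and the
random oracles H and G are instantiated with truncated SHA-256.  The sizes
k = 144, k0 = 32, k1 = 64 are toy values and far too small for real use."""
import hashlib
import secrets

P, Q = (1 << 127) - 1, 65537             # constructed toy key
N = P * Q
E = 17                                   # gcd(17, phi(N)) = 1 for this N
D = pow(E, -1, (P - 1) * (Q - 1))        # d = e^-1 mod phi(N)
K = N.bit_length()                       # k = |N| = 144
K0, K1 = 32, 64                          # |r| and |w| = |H(.)|
K_G = K - K1 - 1                         # |G(w)| = k - k1 - 1 = 79
K_G2 = K_G - K0                          # |G2(w)| = k - k1 - k0 - 1 = 47


def H(data: bytes) -> int:
    """Compressor H: {0,1}* -> {0,1}^k1, returned as a k1-bit integer."""
    digest = hashlib.sha256(b"H" + data).digest()
    return int.from_bytes(digest, "big") >> (256 - K1)


def G(w: int) -> tuple:
    """Generator G: {0,1}^k1 -> {0,1}^(k-k1-1), returned already split as
    (G1(w), G2(w)): the first k0 bits and the remaining k-k1-k0-1 bits."""
    digest = hashlib.sha256(b"G" + w.to_bytes(K1 // 8, "big")).digest()
    g = int.from_bytes(digest, "big") >> (256 - K_G)
    return g >> K_G2, g & ((1 << K_G2) - 1)


def sign_pss(M: bytes, d: int = D, n: int = N, r: int = None) -> int:
    """SignPSS(M, d, N).  r may be fixed by a caller only to show that the
    scheme is randomized; a real signer always draws it fresh."""
    r = secrets.randbits(K0) if r is None else r
    w = H(M + r.to_bytes(K0 // 8, "big"))
    g1, g2 = G(w)
    r_star = g1 ^ r
    # y = 0 || w || r* || G2(w).  The leading 0 bit keeps y < 2^(k-1) <= N, so
    # y is always a valid RSA input and no trial-and-error loop is needed.
    y = (w << (K0 + K_G2)) | (r_star << K_G2) | g2
    assert y < n
    return pow(y, d, n)


def verify_pss(M: bytes, U: int, e: int = E, n: int = N) -> bool:
    """VerifyPSS(M, U, e, N): recover r from r* and G1(w), then check
    H(M || r) = w, G2(w) = gamma and the leading bit b = 0."""
    if not 0 <= U < n:
        return False
    y = pow(U, e, n)
    b = y >> (K - 1)                             # first bit of y
    w = (y >> (K0 + K_G2)) & ((1 << K1) - 1)     # next k1 bits
    r_star = (y >> K_G2) & ((1 << K0) - 1)       # next k0 bits
    gamma = y & ((1 << K_G2) - 1)                # remaining k-k1-k0-1 bits
    g1, g2 = G(w)
    r = r_star ^ g1
    return H(M + r.to_bytes(K0 // 8, "big")) == w and g2 == gamma and b == 0


if __name__ == "__main__":
    msg = b"transfer 100 to Bob"             # constructed sample message
    sig = sign_pss(msg)
    print(verify_pss(msg, sig), verify_pss(b"transfer 900 to Bob", sig))
    print(sign_pss(msg) != sign_pss(msg))    # fresh r each time: True
```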
16.4.2.1 Proof of Security
Formal evidence for unforgeability of signatures under the RSA-PSS scheme can be shown using an ROM-based reduction technique and is given in [26]. The formal evidence is again derived from reduction to contradiction: a successful forgery can lead to an inversion of the RSA function, which is a well-known hard problem. The construction of the reduction is very similar to that for an RSA padding algorithm as an encryption scheme (e.g., that for RSA-OAEP which we have studied in 15.2).
Specifically, the reduction for the RSA-PSS security proof will also transform a successful signature forgery into a partial inversion of the RSA function, as we have seen in 15.2.3.4 in the case of the reductionist proof for RSA-OAEP (there, a successful IND-CCA2 attack leads to discovery of s*, which is a partial e-th root of the challenge ciphertext c*). Nevertheless, the signature case turns out to be easier than the encryption case: partial inversion of the RSA function can directly lead to the full inversion without having to rerun Malice as in the encryption case. This is due to the computational nature of a signature forgery: in a successful signature forgery, Malice has to provide Simon a message, signature pair, and this pair can be verified using the one-way function (here the RSA function). In contrast, in a successful IND-CCA2 attack, Malice provides Simon much less information, merely a one-bit guess, and so there is no one-way function available for Simon to relate the guessed plaintext to the challenge ciphertext. The resultant inversion is just a partial one. Thus, in the encryption case, the reduction resorts to a rerun of Malice by shifting the position of the partial inversion in order to obtain the full inversion of the function.
A direct result of the full inversion in one go in the security proof for the RSA-PSS signature
scheme is an efficient reduction: Malice's advantage for signature forgery, Adv, is tightly translated to Simon's advantage, Adv'; that is, $\mathrm{Adv}' \approx \mathrm{Adv}$. Bellare and Rogaway name the tight reduction result the exact security for their RSA padding based signature scheme.
Due to the conceptual similarity between the security proof for the RSA-PSS signature scheme and that for the RSA-OAEP encryption scheme, and also due to a nontrivial degree of detail in the presentation of the reduction, we shall not describe the reduction proof here. The more investigative reader is referred to [26] for details.
16.4.3 PSS-R: Signing with Message Recovery
From the fact that the RSA-OAEP encryption scheme permits a private key owner to recover an encrypted message, we can think of the issue in the opposite direction: a padding based signature scheme with message recovery can also permit everybody, as long as they are in possession of the correct public key, to recover a signed message. This is exactly what the RSA-PSS-R scheme does: Probabilistic Signature Scheme with message Recovery. Bellare and Rogaway provide the PSS-R padding scheme for RSA and Rabin [26].
We shall introduce a slight variation to the original PSS-R padding scheme of Bellare and Rogaway. The variation is due to Coron et al. [83]. The reason for us to choose to introduce the variation of Coron et al. is that the latter authors prove that their variation is not only secure for signature usage when the signature is created using the trapdoor part of the RSA function, but also secure for encryption usage when the ciphertext is created using the one-way part of the RSA function. Here secure for the signature usage is in terms of unforgeability under adaptive chosen-message attack, while that for the encryption usage is under the IND-CCA2 mode.
16.4.4 Universal PSS-R Padding for Signature and Encryption
Fig 16.4 illustrates two pictures of the PSS-R padding: one for the original version of Bellare and Rogaway [26], and the other for the variation of Coron et al. [83]. The universal padding scheme for signature and encryption is specified in Alg 16.2.
Figure 16.4. The PSS-R Padding

Algorithm 16.2: The Universal RSA-Padding Scheme for Signature and Encryption
Key Parameters
Let $(N, e, d, G, H, k_0, k_1) \leftarrow \mathrm{Gen}(1^k)$ where: $(N, e, d)$ are RSA key material with $(N, e)$ public and $d = e^{-1} \pmod{\phi(N)}$ private; $k = |N| = k_0 + k_1$ with $2^{-k_0}$ and $2^{-k_1}$ being negligible quantities; $G$, $H$ are hash functions satisfying $H: \{0,1\}^* \to \{0,1\}^{k_1}$, $G: \{0,1\}^{k_1} \to \{0,1\}^{k-k_1}$
Signature Generation or Message Encryption
PSS-R-Padding(M, x, N) =
1. $r \leftarrow_U \{0,1\}^{k_0}$; $w \leftarrow H(M \,\|\, r)$; $s \leftarrow G(w) \oplus (M \,\|\, r)$; $y \leftarrow (w \,\|\, s)$;
if ($y \geq N$) go to 1;
return($y^x \pmod N$).
Signature Verification or Decryption with Ciphertext Validation
PSS-R-UnPadding(U, x, N) =
$y \leftarrow U^x \pmod N$;
Parse $y$ as $w \,\|\, s$;

(* i.e., let w be the first $k_1$ bits, s the remaining $k - k_1$ bits *)
Parse $G(w) \oplus s$ as $M \,\|\, r$;
(* i.e., let M be the first $k - k_1 - k_0$ bits, r the remaining $k_0$ bits *)
if ($H(M \,\|\, r) = w$) return(True || M)
else return(False || Null).
In this universal RSA-padding scheme, the signing and encryption procedure will be called PSS-R-Padding. It takes as input a message $M \in \{0,1\}^{k-k_1-k_0}$, an RSA exponent and an RSA modulus; the RSA exponent is d for signature generation, and e for encryption. Notice that unlike the PSS signature scheme, where the message can have an unlimited length, now the message must have a limited length: $k - k_1 - k_0$. The procedure for signature verification and decryption with ciphertext integrity verification will be called PSS-R-UnPadding. It takes as input a number U < N and RSA key material, and its output is in $\{\mathrm{True}, \mathrm{False}\} \times \{0,1\}^{k-k_1-k_0}$; in the case of the first part of the output being True, the remaining bit string of the output is the message recovered; otherwise, the remaining part of the output is a null string Null.
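An added example (not the book's or Coron et al.'s code) of Alg 16.2 in Python: the same PSS-R-Padding routine is used for signing with message recovery (x = d, unpadded with e) and for encryption (x = e, unpadded with d), and the trial-and-error step is kept observable. It assumes a toy key N = (2^127 − 1) · 65537 with e = 17, chosen so that N is only slightly larger than 2^(k−1) and the retry in step 1 really fires about half the time, truncated SHA-256 for H and G, and the toy sizes k = 144, k1 = 64, k0 = 32, so messages are exactly 48 bits.

```python
"""Toy universal RSA-PSS-R padding (Alg 16.2) in Python: added example, not
the book's or Coron et al.'s code.  Assumptions not taken from the book: the
modulus is the product of the known primes 2^127 - 1 and 65537, e = 17, and
the random oracles H and G are truncated SHA-256.  N is only slightly larger
than 2^(k-1), so the "if (y >= N) go to 1" retry really happens about half
the time.  Toy sizes: k = 144, k1 = 64, k0 = 32, hence |M| = 48 bits."""
import hashlib
import secrets

P, Q = (1 << 127) - 1, 65537             # constructed toy key
N = P * Q
E = 17                                   # gcd(17, phi(N)) = 1 for this N
D = pow(E, -1, (P - 1) * (Q - 1))
K = N.bit_length()                       # k = 144
K1, K0 = 64, 32                          # |w| and |r|
K_M = K - K1 - K0                        # |M| = 48: messages are exactly 6 bytes


def mask(bits: int) -> int:
    return (1 << bits) - 1


def H(m_r: int) -> int:
    """H(M || r) -> {0,1}^k1, input given as the (k-k1)-bit integer M || r."""
    digest = hashlib.sha256(b"H" + m_r.to_bytes((K - K1) // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - K1)


def G(w: int) -> int:
    """G: {0,1}^k1 -> {0,1}^(k-k1), the mask XORed onto M || r."""
    digest = hashlib.sha256(b"G" + w.to_bytes(K1 // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - (K - K1))


def pss_r_padding(M: bytes, x: int, n: int = N) -> tuple:
    """PSS-R-Padding(M, x, N): x = d signs, x = e encrypts.  Returns
    (U, attempts) so the trial-and-error loop of step 1 can be observed."""
    if len(M) * 8 != K_M:
        raise ValueError("M must be exactly k - k1 - k0 bits")
    m = int.from_bytes(M, "big")
    attempts = 0
    while True:                                  # step 1
        attempts += 1
        r = secrets.randbits(K0)
        m_r = (m << K0) | r                      # M || r, k - k1 bits
        w = H(m_r)
        s = G(w) ^ m_r
        y = (w << (K - K1)) | s                  # w || s, k bits
        if y < n:                                # otherwise go to 1
            return pow(y, x, n), attempts


def pss_r_unpadding(U: int, x: int, n: int = N) -> tuple:
    """PSS-R-UnPadding(U, x, N): x = e verifies a signature, x = d decrypts.
    Returns (True, M) when H(M || r) = w, else (False, None) for Null."""
    if not 0 <= U < n:
        return False, None
    y = pow(U, x, n)
    w, s = y >> (K - K1), y & mask(K - K1)       # first k1 bits, the rest
    m_r = G(w) ^ s
    m = m_r >> K0                                # first k - k1 - k0 bits;
    if H(m_r) != w:                              # the trailing k0 bits are r
        return False, None
    return True, m.to_bytes(K_M // 8, "big")


def rejection_probability(n: int = N) -> float:
    """Fraction of k-bit values y with y >= N, i.e. the per-round retry
    probability of step 1 (about 1/2 for this N, giving the 2^-i tail)."""
    return ((1 << K) - n) / (1 << K)


if __name__ == "__main__":
    msg = b"hello!"                              # constructed 48-bit message
    sig, tries = pss_r_padding(msg, D)           # sign ...
    print(pss_r_unpadding(sig, E), tries)        # ... verify and recover M
    ct, _ = pss_r_padding(msg, E)                # encrypt ...
    print(pss_r_unpadding(ct, D))                # ... decrypt with validation
    print(pss_r_unpadding(ct ^ 1, D))            # tampered: (False, None)
```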
16.4.4.1 Proof of Security
Proofs of security properties for the RSA-PSS-R encryption and signature schemes are conceptually the same as (i) in the case of encryption, that for RSA-OAEP, and (ii) in the case of signature, that for RSA-PSS. Again, due to the conceptual similarity and the non-trivial degree of detail, we shall not include the reductions here. The reader is referred to [83] for details.
16.4.4.2 Discussions
In PSS-R-Padding, in order to guarantee that the padding result as an integer is less than N, we conduct a trial-and-error test. The probability of repeating the test i times is $2^{-i}$. Alternatively, the leading-0 technique used in the PSS padding scheme can also be used here.
When PSS-R-Padding is used for encryption, integrity verification of the ciphertext validity is done via checking the hash function value. This method is different from the case of the OAEP padding scheme: checking a string of 0's as recovered redundancy.
The ROM-based IND-CCA2 security analysis for the encryption case of the RSA PSS-R-Padding scheme is essentially the same as that we have conducted for the RSA-OAEP scheme: via reduction to a partial inversion of the RSA function where w is uncovered; that is, if Malice is successful in breaking the scheme with advantage Adv, then in the attacking game run with Simon Simulator, Malice must have queried the RO G with an advantage similar to Adv. Since a run of the attacker only causes a partial inversion, the reduction has to run the attacker more than once in order to obtain enough information for inverting the function fully. As we have seen in 15.2.4, in order to make the reduction lead to a meaningful contradiction, the reduction should run Malice no more than twice (so that the reduction is a polynomial of degree 2).
Even in the case of running Malice the minimum number of times, twice, the reduction is already far from tight. The reader may review 15.2.5 to see the consequence of the non-tightness of the reduction. In order to reach a meaningful contradiction, the non-tight reduction
stipulates that the RSA modulus for the RSA-PSS-R encryption scheme should be at least a 2048-bit one.
The need for the minimum of twice running Malice requires the padding scheme to satisfy $|w| > k/2$. Consequently, $|M| + |r| < k/2$. Therefore, the RSA-PSS-R padding scheme for encryption has a rather low bandwidth for message recovery: the size of the recovered message must be below half the size of the modulus. In the typical key setting of $k = |N| = 2048$ and $k_0 = 160$, we can obtain as maximum $|M| = k/2 - k_0 = 1024 - 160 = 862$, that is, |M| is only up to 42% of |N|.
As we have discussed in 16.4.2.1 for the case of the RSA-PSS signature scheme, the ROM-based security proof for the RSA-PSS-R signature scheme (unforgeability against adaptive chosen-message attack) has a tight reduction. This is because a successful forgery of a signature can lead to full inversion of the RSA function in one go. Thus, unlike the security proof for the encryption case discussed in the preceding paragraph, the security proof for the signature case does not require the condition $|w| > k/2$. We consider that it suffices for $k_0$, $k_1$ to have sizes with $2^{-k_0}$, $2^{-k_1}$ being negligible against a guessing attack, for which $k_0 = k_1 = 160$ suffices. Thus, $|M| = k - k_1 - k_0$ can be rather large. Instantiating the typical case of $k = |N| = 2048$ and $k_0 = k_1 = 160$, we can obtain $|M| = 2048 - 320 = 1728$, that is, |M| can be up to 84% of |N|.

16.5 Signcryption
To avoid forgery and ensure confidentiality of the contents of a letter, it has been a common practice that the author of the letter should sign and then seal the letter in an envelope, before handing it over to a deliverer. This common practice in secure communications applies to digital signature and data encryption, often separately and straightforwardly: signing a message and then encrypting the result at the sending end; decrypting the ciphertext and verifying the signature at the receiving end.
Signature and encryption consume machine cycles, and also introduce expanded bits to a message. The cost of a cryptographic operation on a message is typically measured in the message expansion rate and the computational time spent by both the sender and the recipient. With the straightforward signature-then-encryption procedure, the cost for delivering a message in an authenticated and confidential way is essentially the sum of the cost for digital signature and that for encryption. Often this is not an economical way to do the job.
Signcryption is a public key primitive to achieve the combined functionality of digital signature and encryption in an efficient manner. It therefore offers the three frequently used security services: confidentiality, authenticity and non-repudiation. Since these services are frequently required simultaneously, Zheng proposes signcryption [309] as a means to offer them in a more efficient manner than a straightforward composition of a digital signature scheme and an encryption scheme.
16.5.1 Zheng's Signcryption Scheme
Zheng proposes two very similar signcryption schemes, named SCS1 and SCS2, respectively [309]. They apply two very similar signature schemes in the ElGamal family, named SDSS1 and SDSS2, respectively.
Recall from 16.3.1 that in a triplet ElGamal signature (r, e, s), the commitment r is usually computed by $r = g^k \pmod p$ where g and p are part of the public key material, and the committal k is an integer independent of such values used in all previous signatures. Further recall that in the Schnorr signature scheme (Alg 10.4), which is a triplet ElGamal scheme, there is no need for the signer to send the commitment to the receiver; the way that the signature is generated permits the receiver to recover the commitment by computing $r = g^s y^e \pmod p$.
Thus, if a message sender (as a signer of the message) computes the commitment in a special way so that it is only recoverable by an intended receiver (e.g., computed using the receiver's public key), then the commitment value can be used as (or can seed) a symmetric key shared between the sender and the receiver, and so symmetric encryption can be applied for providing message confidentiality.
This is more or less what all of Zheng's signcryption schemes are about: using the recoverable commitment value of a triplet signature scheme in the ElGamal-family signatures as the symmetric key to achieve symmetric encryption of the message, while the triplet signature scheme serves as the signature. From this brief and abstract description, we can already write a signcrypted message as a triplet (c, e, s), where c is a ciphertext output from a symmetric encryption algorithm and (e, s) are the second and third elements of a triplet signature; the first element of the triplet signature scheme (which is conventionally denoted by r) is recoverable only by an intended message receiver.
Due to the similarity between SCS1 and SCS2, we shall only provide the specification of SCS1, which is given in Alg 16.3. For ease of exposition, our specification follows the conventional
not at ion f or speci f yi ng t r i pl et El Gamal si gnat ure schemes, except t hat we use K i n pl ace of r ( t he
commi t ment val ue of a t r i pl et ElGamal signat ur e scheme) t o i ndi cat e t hat t hi s val ue i s used as a
symmet r ic key .
We now show that the system specified in Alg 16.3 is both a cryptosystem and a signature scheme, i.e., (i) Bob's decryption procedure will actually return the same plaintext message that Alice has signcrypted; and (ii) Alice has signed the message.

To show (i), it suffices to show that Bob can recover $K$ as Alice has encoded. Bob's recovery procedure is the computation $K \leftarrow (g^e y_A)^{s x_B} \pmod p$ of step 1 of unsigncryption.

Thus, indeed, Bob recovers $K$ as Alice has encoded. Using $k_1$ split from $K$, Bob can of course decrypt the ciphertext $c$ and retrieve the message $M$.

To show (ii), we notice that with $K$ being recovered, $(k_2, e, s)$ forms a triplet ElGamal signature on the retrieved message $M$. Therefore the system in Alg 16.3 is indeed a signature scheme.
16.5.1.1 Discussions

Efficiency The SCS1 scheme is very efficient both in computation and in communication bandwidth. In computation, to signcrypt, the sender performs one modulo exponentiation, one hashing and one symmetric encryption; to unsigncrypt, the receiver performs a similar amount of computation if the exponentiation expression $(g^e y_A)^{s x_B}$ is rewritten as $g^{e s x_B} y_A^{s x_B}$ and computed using Alg 15.2. In communication bandwidth, considering that the symmetric encryption of a message does not cause data expansion, a signcrypt text can be sent in $2|q|$ bits plus the bits of the message being signcrypted. This is the same bandwidth as for transmitting a signature (with the signed message) in the ElGamal-family signatures. Moreover, the use of a symmetric cipher algorithm makes the scheme suitable for sending a bulk volume of data efficiently (e.g., using a block cipher with the CBC mode of operation, see §7.8.2). In essence, SCS1 can be viewed as a hybrid public-key encryption scheme, which we have overviewed in §15.4.
Algorithm 16.3: Zheng's Signcryption Scheme SCS1

Setup of System Parameters

A trusted authority performs the following steps:

1. Set up system parameters $(p, q, g, H)$;
(* these parameters are the same as those for the Schnorr signature scheme (Alg 10.4) *)

2. In addition, set up a symmetric encryption algorithm $E$;
(* for example, AES is a good candidate for $E$ *)

The parameters $(p, q, g, H, E)$ are publicized for use by system-wide users.

Setup of a Principal's Public/Private Key

User Alice picks a random number $x_A$ uniformly at random and computes her public key $y_A$.

Alice's public-key material is $(p, q, g, y_A, H, E)$; her private key is $x_A$.

Signcryption

To send $M$ to Bob in signcryption, Alice performs:

1. Pick $u$ randomly from $[1, q]$ and compute $K$; split $K$ into $k_1$ and $k_2$ of appropriate lengths;
2. $e \leftarrow H(k_2, M)$;
3. $s \leftarrow u(e + x_A)^{-1} \pmod q$;
4. $c \leftarrow E_{k_1}(M)$;
5. Send to Bob the signcrypted text $(c, e, s)$.

Unsigncryption

Upon receipt of the signcrypted text $(c, e, s)$ from Alice, Bob performs:

1. Recover $K$ from $e, s, g, p, y_A$ and $x_B$: $K \leftarrow (g^e y_A)^{s x_B} \pmod p$;
2. Split $K$ into $k_1$ and $k_2$;
3. $M \leftarrow D_{k_1}(c)$;
4. Accept $M$ as a valid message originated from Alice only if $e = H(k_2, M)$.
Security For unforgeability of signature, Zheng conducts a reasonable argument for his schemes. Since we have seen that the SCS1 scheme is essentially a triplet ElGamal signature with a recoverable commitment, unforgeability of signature under adaptive chosen-message attack should be straightforward by following the ROM-based proof for triplet ElGamal signature schemes proposed by Pointcheval and Stern [235] (we have studied the technique in §16.3). However, for confidentiality of message, due to the involvement of a symmetric encryption algorithm, Zheng has not given a reductionist proof of the IND-CCA2 security for his signcryption schemes. Perhaps here is the reason for a

non-trivial hurdle for constructing a reductionist proof for the IND-CCA2 security: only the intended receiver is able to recover the commitment value $K$, under adaptive chosen-ciphertext attack.
Non-repudiation Non-repudiation, i.e., a principal cannot deny the authorship of a message, is an important security service for many applications, e.g., electronic commerce. Digital signatures provide this service because a signature of a message is universally verifiable; when two parties dispute regarding a message-signature pair, a third party can be called upon to make an arbitration. In the case of signcryption, if a signature cannot be made universally verifiable, then the non-repudiation service will have a cost. This is the case for Zheng's signcryption schemes. Here, verification of a (triplet) signature requires recovery of the commitment value $K$, and the recovery needs to use the receiver's private key. So a third party's arbitration cannot be straightforwardly done. Zheng suggests that upon dispute between the receiver (Bob) and the sender (Alice), Bob can conduct a zero-knowledge proof with an arbitrator to show that he has Alice's signature in his possession. No zero-knowledge proof protocol is given. Although it should not be difficult to devise such a protocol, it is a pain to have to turn a simple verification procedure into an interactive protocol. This is the most serious drawback of Zheng's signcryption schemes.
16.5.2 Two Birds One Stone: Signcryption using RSA

Malone-Lee and Mao propose a signcryption scheme named "two birds one stone" (TBOS) [182] (the name will be explained in a moment). The TBOS signcryption scheme is realized in RSA. They provide reductionist proofs of strong security properties for message confidentiality and signature unforgeability. Both proofs, although ROM-based, are under the assumption that inverting the RSA function is hard.

The TBOS signcryption scheme is very simple and can indeed be simply described. It "double-wraps" a message in RSA signing and encryption functions: a sender (e.g., Alice) first signs a message by "wrapping" it inside the trapdoor part of her own RSA function, and then encrypts the signature by further "wrapping" it inside the one-way part of the RSA function of an intended receiver (Bob). Thus, if we denote by $(N_A, e_A)$, $(N_A, d_A)$ Alice's RSA public and private key material, and by $(N_B, e_B)$, $(N_B, d_B)$ that of Bob, a TBOS signcrypted message $M$ should be "double wrapped" like this:
Although the idea is conceptually very simple, for textbook RSA this way of "double wrapping" won't work in general. This is because Alice's RSA modulus may be larger than Bob's, and hence an "inner wrapping" result, as an integer, may already be larger than the modulus to be used for an "outer wrapping."

Nevertheless, we have seen that a fit-for-application RSA scheme, whether encryption or signature, only "wraps" a message after the message has been processed with a randomized padding scheme. For such an RSA scheme, system-wide users should use moduli of the same size since the sending and receiving ends should agree upon a padding and unpadding scheme. With system-wide users using moduli of the same size, "double wrapping" will work nicely. If an "inner wrapping" result exceeds the modulus for an "outer wrapping," then the sender simply "chops" one bit off (e.g., the most significant bit) from the "inner wrapping" result. With one bit "chopped off," the remaining integer must be less than the "outer wrapping" modulus (to be shown in a moment) and hence direct "wrapping" can be conducted. Remember that the receiving end of such an RSA ciphertext will have to conduct ciphertext integrity verification; the

verification step will allow the receiver to use a trial-and-error test to put the "chopped-off" bit back. That's the idea.
So now let $|N_A| = |N_B| = k$. Let $\mathrm{Padding}(M, r) \in \{0, 1\}^k$ denote a randomized padding of message $M$ with random input $r$. Then a message $M$ signcrypted under the TBOS signcryption scheme sent from Alice to Bob looks like a "double wrapping" as follows:
After this abstract description of the TBOS signcryption scheme, we can already see three nice features of the scheme:

It produces compact ciphertexts: a signcrypt text has the same size as an RSA ciphertext without a signature, or the same size as an RSA signature without encryption. This is why the scheme is named "two birds one stone" (after an English phrase: "to kill two birds with one stone"). This property is very attractive in many electronic commerce applications where a short message (such as a credit card number for a payment authorization) needs to be sent over the Internet with confidentiality protection as well as non-repudiation for payment authorization. In these applications, TBOS is able to produce one short cryptogram. Not only does this achieve efficiency, but it also helps to reduce the engineering complexity of an e-commerce protocol.

It offers non-repudiation in a very straightforward manner: the receiver, Bob, after "unwrapping" a signcrypt text, and maybe after fixing the "chopped-off bit" back, has an RSA signature of the sender Alice in the usual formulation: $\mathrm{Padding}(M, r)^{d_A} \pmod{N_A}$. Any third party can verify the signature in the usual way.

Security proofs for the TBOS scheme can be established by following those for the fit-for-application RSA padding schemes and are given in a reductionist manner. Although the proofs are ROM-based, the reductionist proofs otherwise only rely on a reputably hard problem (the RSA problem and assumption, Definition 8.4, Assumption 8.3 in §8.7); this is very desirable.
Now let us explain that proper unsigncryption on Bob's end can always be properly conducted. This is obviously true if $N_A < N_B$. For the case $N_A > N_B$, with roughly $1/2$ probability, we have

However, since $|N_A| = |N_B| = k$, we have

and therefore, let

i.e., the primed value is the "inner wrapping" result with its most significant bit "chopped off"; then

That is, Bob can recover the "chopped" value properly. Thereafter, Bob's verification step will guide Bob whether or not to fix the "chopped bit" back.
16.5.2.1 RSA-TBOS

The RSA-TBOS scheme of Malone-Lee and Mao [182] applies the PSS-R padding scheme (§16.4.4). The signcryption scheme is specified in Alg 16.4.

The point of step 6 in signcryption is to ensure that $c' < N_B$. If $c'$ initially fails this test then we have $N_A > c' > N_B$. Since both $N_A$ and $N_B$ have $k$ bits we infer that $c'$ also has $k$ bits and so the assignment $c' \leftarrow c' - 2^{k-1}$ is equivalent to removing the most significant bit of $c'$. This gives us $c' < N_B$ as required.

Note that this step may cause an additional step in unsigncryption. In particular it may be necessary to perform $c'^{e_A} \pmod{N_A}$ twice (the two $c'$'s will differ by $2^{k-1}$). It would have been possible to define an alternative scheme under which the trial-and-error occurs in the signcryption stage. This would mean repeating steps 1-5 in signcryption with different values of $r$ until $c' < N_B$ was obtained.

Non-repudiation is very simple for RSA-TBOS. The receiver of a signcryption follows the unsigncryption procedure up until stage 2; $c'$ may then be given to a third party who can verify its validity.

Although the TBOS signcryption scheme has many attractive features (we have listed them before the specification of the algorithm), we should notice a drawback it inherits from the application of the RSA-PSS-R padding scheme: it has a rather low message bandwidth for message recovery. The reader should review our discussion on this point for the RSA-PSS-R encryption scheme (in §16.4.4.2).
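The following Python implementation is an added example, not the authors' code, of the RSA-TBOS scheme of Alg 16.4 just described, including the step-6 "chop" and Bob's two trials. It assumes toy parameters ($k = 256$, $k_0 = k_1 = 64$), RSA keys generated with a Fermat primality test, and $G$, $H$ built from truncated SHA-256; the demo() helper round-trips constructed random messages in both modulus orderings and reports whether the chopped-bit path was exercised.

```python
"""RSA-TBOS signcryption (Alg 16.4) with PSS-R style padding, at toy size.
Shows the 'chopped bit' of signcryption step 6 and Bob's two-trial unsigncryption."""
import hashlib
import random

K = 256              # |N_A| = |N_B| = k bits (toy size; 2048 or more in practice)
K0, K1 = 64, 64      # |r| = k0 bits, |w| = k1 bits
N = K - K0 - K1      # message length n = k - k0 - k1 = 128 bits


def probably_prime(n: int) -> bool:
    """Fermat test to a few bases: adequate for a demo, not for production."""
    return n > 7 and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7))


def rand_prime(rng: random.Random, bits: int) -> int:
    """Random odd prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if probably_prime(cand):
            return cand


def rsa_keygen(rng: random.Random, e: int = 65537) -> tuple:
    """(N, e, d) with N of exactly K bits, as Alg 16.4 requires for both parties."""
    while True:
        p, q = rand_prime(rng, K // 2), rand_prime(rng, K // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == K and phi % e:
            return n, e, pow(e, -1, phi)


def H(m_r: int) -> int:
    """H: {0,1}^(n+k0) -> {0,1}^k1, truncated SHA-256 (an assumption; the page fixes no hash)."""
    d = hashlib.sha256(b"H" + m_r.to_bytes((N + K0) // 8, "big")).digest()
    return int.from_bytes(d, "big") >> (256 - K1)


def G(w: int) -> int:
    """G: {0,1}^k1 -> {0,1}^(n+k0), truncated SHA-256 (same assumption)."""
    d = hashlib.sha256(b"G" + w.to_bytes(K1 // 8, "big")).digest()
    return int.from_bytes(d, "big") >> (256 - N - K0)


def signcrypt(M: int, alice: tuple, bob: tuple, rng: random.Random) -> tuple:
    """Alice's steps 1-8; returns (c, chopped), where chopped records whether step 6 fired."""
    NA, _, dA = alice
    NB, eB, _ = bob
    while True:
        r = rng.getrandbits(K0)                  # step 1: r <-_U {0,1}^k0
        m_r = (M << K0) | r                      # M || r
        w = H(m_r)                               # step 2
        s = G(w) ^ m_r                           # step 3
        sw = (s << K1) | w                       # s || w, a k-bit integer
        if sw < NA:                              # step 4: otherwise go to 1
            break
    c1 = pow(sw, dA, NA)                         # step 5: inner wrapping (Alice's trapdoor)
    chopped = c1 > NB
    if chopped:
        c1 -= 1 << (K - 1)                       # step 6: chop the most significant bit
    return pow(c1, eB, NB), chopped              # steps 7-8: outer wrapping for Bob


def _unwrap(c1: int, NA: int, eA: int) -> tuple:
    """Steps 3-6 (or 9-12): open Alice's padded signature and check the PSS-R hash."""
    mu = pow(c1, eA, NA)
    s, w = mu >> K1, mu & ((1 << K1) - 1)       # parse as s || w
    m_r = G(w) ^ s                               # M || r
    return m_r >> K0, H(m_r) == w


def unsigncrypt(c: int, bob: tuple, alice: tuple):
    """Bob's steps 1-13; returns M, or None for reject."""
    NB, _, dB = bob
    NA, eA, _ = alice
    c1 = pow(c, dB, NB)                          # step 1
    for _ in range(2):                           # first trial as is, second with the bit restored
        if c1 > NA:                              # steps 2 / 8
            return None
        M, ok = _unwrap(c1, NA, eA)
        if ok:                                   # steps 6 / 13
            return M
        c1 += 1 << (K - 1)                       # step 7: put the chopped bit back
    return None                                  # step 12


def demo(seed: int, pairs: int = 20, msgs: int = 16) -> tuple:
    """Round-trip constructed random messages over `pairs` key pairs, in both modulus
    orderings; returns (every message recovered and every tampered c rejected,
    the chopped-bit path was exercised at least once)."""
    rng = random.Random(seed)                    # deterministic for the demo; use secrets in practice
    all_ok, chop_seen = True, False
    for _ in range(pairs):
        ka, kb = rsa_keygen(rng), rsa_keygen(rng)
        for alice, bob in ((ka, kb), (kb, ka)):  # one ordering has N_A > N_B
            for _ in range(msgs):
                M = rng.getrandbits(N)
                c, chopped = signcrypt(M, alice, bob, rng)
                all_ok &= unsigncrypt(c, bob, alice) == M
                all_ok &= unsigncrypt(c ^ 1, bob, alice) is None
                chop_seen |= chopped
    return all_ok, chop_seen
```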
16.5.2.2 Proof of Security

Malone-Lee and Mao provide formal reductionist proofs of strong security properties for the TBOS signcryption scheme [182]. They also include a description of the security model for signcryption. The strong security properties are: message confidentiality under the IND-CCA2 model, and signature unforgeability under the chosen-message attack.

Due to the essential similarity of these proofs to those we have conducted in §15.2 for RSA-OAEP, and due to the non-trivial degree of detail, we omit presenting the reductions here. The reader with a more investigative appetite should check [182] for details.

Nevertheless, even without describing the reduction details, we can still reach an informal and abstract level of understanding of why a provably secure encryption padding scheme, when used with the trapdoor direction of the RSA function, can form a secure signature scheme. Clearly, we need to argue for the case of signature unforgeability under a chosen-message attack scenario. Let us try to reach this understanding using the OAEP padding with which we are already familiar.

Let us recall the case of the RSA-OAEP reduction proof against an attack in the IND-CCA2 mode (given in §15.2). There, we have estimated that if Malice does not comply with the prescribed

encryption procedure, then the probability for him to be able to submit a valid ciphertext is statistically negligible, regardless of whatever algorithm Malice may use (recall that Malice is a blackbox) and regardless of the fact that he may construct ciphertexts in an adaptive manner (i.e., under an adaptive chosen-ciphertext decryption training scenario).
Algorithm 16.4: Two Birds One Stone: RSA-TBOS Signcryption Scheme

Key Parameters

Let $k$ be an even positive integer. Let sender Alice's (respectively, receiver Bob's) RSA public and private key material be $(N_A, e_A)$, $(N_A, d_A)$ (respectively $(N_B, e_B)$, $(N_B, d_B)$), satisfying $|N_A| = |N_B| = k$.

Let $G$ and $H$ be two hash functions satisfying

where $k = n + k_0 + k_1$ with $2^{-k_0}$ and $2^{-k_1}$ being negligible quantities.

Signcryption

When Alice signcrypts a message $M \in \{0, 1\}^n$ for Bob, she performs:

1. $r \leftarrow_U \{0, 1\}^{k_0}$
2. $w \leftarrow H(M \| r)$
3. $s \leftarrow G(w) \oplus (M \| r)$
4. If $s \| w > N_A$, goto 1
5. $c' \leftarrow (s \| w)^{d_A} \pmod{N_A}$
6. If $c' > N_B$, $c' \leftarrow c' - 2^{k-1}$
7. $c \leftarrow c'^{e_B} \pmod{N_B}$
8. Send $c$ to Bob

Unsigncryption

When Bob unsigncrypts a cryptogram $c$ from Alice, he performs:

1. $c' \leftarrow c^{d_B} \pmod{N_B}$
2. If $c' > N_A$, reject
3. Compute $c'^{e_A} \pmod{N_A}$
4. Parse the result as $s \| w$
5. $M \| r \leftarrow G(w) \oplus s$
6. If $H(M \| r) = w$, return $M$
7. $c' \leftarrow c' + 2^{k-1}$
8. If $c' > N_A$, reject
9. Compute $c'^{e_A} \pmod{N_A}$
10. Parse the result as $s \| w$
11. $M \| r \leftarrow G(w) \oplus s$
Table of Cont ent s

12. If $w \neq H(M \| r)$, reject
13. Return $M$
This fact can be mechanically translated to a proof of unforgeability of signatures for a randomized padding signature scheme: without using the prescribed signing procedure (due to the missing signing exponent), the probability of Malice forging a valid message-signature pair (which is in the position of a valid plaintext-ciphertext pair constructed without using the prescribed encryption procedure) is statistically negligible, even under an adaptive chosen-message training scenario.

Of course, however intuitively convincing, we must emphasize that this description is not a formal proof of security for an RSA padding based signature scheme because it does not follow our established formal approach of "reduction to contradiction." The interested reader should check the reductionist proof in [182].

16.6 Chapter Summary

In this chapter we began by providing a strong security notion for digital signatures: signature unforgeability under an adaptive chosen-message attack. This is an attack mode for signature schemes that is the counterpart of the IND-CCA2 mode for public-key encryption schemes. The basic idea shared by the two modes is that in these attacks, Malice is entitled to cryptanalysis training. A cryptographic system is strong and resistant to attack even when Malice is given the cryptanalysis training, even as much of it as he wishes (provided he is polynomially bounded and so the number of interactions in a training session is polynomially bounded).

Then we studied two important families of "fit-for-application" signature schemes. The first family is triplet ElGamal-family signature schemes, and the second family is randomized padding schemes applied to one-way trapdoor permutations, such as the RSA and Rabin functions.

We then proceeded to establish formal evidence of strong security for the signature schemes in both families.

For the first family, we studied an ROM-based reductionist proof technique which works on the principle that there is a non-negligible probability for successful "forked answers to forger's questions." That is, a set of questions from the forger can be answered with two sets of completely different answers, yet both are correct in terms of having the correct random distribution (the uniform distribution). Since the forger whose questions are forked is an unconscious probabilistic algorithm, the correct distribution is all that it is after. Therefore, although questions are responded to with forked answers, the forked forger is not fooled, and it will thereby proceed to help the reduction algorithm to solve a difficult problem: the discrete logarithm problem. We have also described an alternative proof approach for this family: the heavy-row model. Although both proof approaches are rigorously formal, as we have analyzed, the reduction algorithms are not very efficient. Consequently, a proof is only meaningful for rather large security parameters.

For the second family, signature schemes are constructed from a sequential combination of randomized paddings for one-way trapdoor permutations. An ROM-based reductionist proof is similar to that for the public-key encryption schemes from randomized paddings for one-way trapdoor permutations which we have studied in the preceding chapter. Nevertheless, now for the signature case, a successful attack (signature forgery under the adaptive chosen-message attack) can lead to the full inversion of the one-way function in a direct manner. The resulting reduction proof for the randomized padding-based signature schemes is thus a tight one, that is, the attacker's ability for signature forgery can be fully translated to one for inverting the hard function (i.e., the underlying one-way trapdoor function). This is called an exact security property.

Finally, we have also studied signcryption schemes as efficient and useful cryptographic primitives. Like the other cases of fit-for-application encryption and signature schemes introduced in this book, the signcryption schemes introduced here are also based on the two popular underlying cryptographic problems: the discrete logarithm problem and the integer factorization problem.

16.7 Exercises

16.1 What is the "fit-for-application" security notion for digital signatures?

16.2 Given that Malice is a bad guy, why should we still grant him the entitlement to obtaining signatures on messages of his choice and even to obtaining as many of them as he wishes?

16.3 In the ROM-based forking-lemma proof of security for triplet ElGamal signatures, Simon runs Malice twice and answers his same set of RO queries with two sets of independent responses. Should we consider that Malice is fooled by Simon in the second run?

16.4 Discuss the usefulness of the existential forgeability of a triplet ElGamal signature in the security proof for the scheme.

16.5 Using the PSS to sign the same message twice, what is the probability for the algorithm to output the same signature value?

16.6 In Exercise 15.2 we have defined the bandwidth of an encryption scheme. The bandwidth of a digital signature scheme with message recovery is similarly defined. With the same security parameter setting as in Exercise 15.2, what is the bandwidth of using the Universal RSA-Padding scheme (Alg 16.2) for (i) signing, (ii) encryption?

16.7 Why are the two bandwidth results in the preceding problem different?

16.8 Discuss the difference between the non-repudiation properties served by Zheng's signcryption scheme and by the TBOS signcryption scheme.

16.9 Our argument on the unforgeability of the TBOS signcryption scheme (in §16.5.2.2) is a convincing one; however, it is not a formal security proof. Why?
Hint: is the argument a reductionist one?

Chapter 17. Formal Methods for Authentication Protocols Analysis

Section 17.1. Introduction
Section 17.2. Toward Formal Specification of Authentication Protocols
Section 17.3. A Computational View of Correct Protocols: the Bellare-Rogaway Model
Section 17.4. A Symbolic Manipulation View of Correct Protocols
Section 17.5. Formal Analysis Techniques: State System Exploration
Section 17.6. Reconciling Two Views of Formal Techniques for Security
Section 17.7. Chapter Summary
Exercises

17.1 Introduction

In Chapter 11 we have witnessed the fact that authentication and authenticated key establishment protocols (in this chapter we shall often use "authentication protocols" to refer to both kinds) are notoriously error prone. These protocols can be flawed in very subtle ways. How to develop authentication protocols so that they are secure is a serious research topic pursued by researchers with different backgrounds; some are cryptographers and mathematicians, others are theoretic computer scientists. It is widely agreed by these researchers that formal approaches should be taken to the analysis of authentication protocols.

Formal approaches are a natural extension to informal ones. "Formal" can mean many things, ranging over notions such as methodical, mechanical, rule and/or tool supported methods. A formal method usually supports a symbolic system or a description language for modeling and specifying a system's behavior so that the behavior can be captured (i.e., comprehended) and reasoned about by applying logical and mathematical methods in a rigorous manner. Sometimes, a formal method is an expert system which captures human experience or even tries to model human ingenuity. A common characteristic of formal methods is that they take a systematic, sometimes an exhaustive, approach to a problem. Therefore, formal methods are particularly suitable for the analysis of complex systems.

In the area of formal analysis of authentication protocols, we can identify two distinct approaches. One can be referred to as formal reasoning about the holding of some desirable, or secure, properties; the other can be referred to as systematic search for some undesirable, or dangerous, properties.

In the first approach, a protocol to be analyzed must be very carefully chosen or designed so that it is already believed or likely to be correct. The analysis tries to establish that the protocol is indeed correct with respect to a set of desirable properties which have also been carefully formalized. Because of the carefully chosen protocols to be analyzed, a formal proof is often specially tailored to the target protocol and may hence need much human ingenuity, although the proof methodology can be more general. This approach further branches into two schools: a computational school and a symbolic manipulation school. In the former, security properties are defined and measured in terms of probability, and a proof of security or protocol correctness is a mathematician's demonstration of the holding of a theorem; the proof often involves a reductionist transformation to a well-accepted complexity-theoretic assumption (see Chapters 14 and 15 for the case of provably secure public-key encryption schemes). In the latter school, which consists of theoretic computer scientists in the formal methods area, security properties are expressed as a set of abstract symbols which can be manipulated, sometimes by a formal logic system, sometimes by a mechanical tool called a theorem prover, toward a YES/NO result.

The second approach considers that an authentication protocol, however carefully chosen or designed, or even having gone through a formal proof of correctness (i.e., as a result of the first approach), can still contain errors. This is because a "proof of correctness" can only demonstrate that a protocol satisfies a set of specified desirable properties; it is still possible that a provably secure protocol can fail if a failure has not been considered in the "proof of security" process. Therefore, in this approach, analysis is in terms of systematic, or exhaustive, search for errors. Formalization of a protocol involves expressing the protocol as a (finite) state system which is often composed from sub-state systems of protocol parts run by different principals (including "Malice's part"). An error can be described in general terms, e.g., in the case of secrecy of a message, a bad state can be that the message ends up in Malice's set of knowledge; or in the case of entity authentication, a bad state can be that a wrong identity ends up in the set of accepted identities of an honest principal. This approach has a close relation with the area of formal analysis of complex systems in theoretic computer science, and hence often applies well-developed automatic analysis tools developed there.
In this chapter we shall study these approaches to formal analysis of authentication protocols.

17.1.1 Chapter Outline

The technical part of the chapter starts with formalization of protocol specifications; in §17.2 we shall study a refinement approach to authentication protocols specification. After the specification topic, we shall concentrate on analysis techniques. In §17.3 we shall introduce a proof technique based on a computational model for protocol correctness where a proof is in terms of a mathematician's demonstration of the holding of a theorem. In §17.4 we shall introduce techniques for arguing protocol security by manipulation of abstract symbols; a logical approach and a theorem proving approach will be introduced there. In §17.5 we shall introduce formal analysis techniques which model a protocol as a finite-state system and search for system errors. Finally, in §17.6 we shall provide a brief discussion on a recent work to bridge a gap between security under a computational view and that under a symbolic view.

17.2 Toward Formal Specification of Authentication Protocols

Let us begin the technical part of this chapter by providing evidence of a need for a more formalized specification means for authentication protocols. Specification should be an indispensable component in any formal method for the analysis of complex systems. In the case of the complex systems being authentication protocols, we consider that the area of study needs a more precise description of the use of cryptographic transformations.

As we have seen in Chapters 2 and 11, many authentication protocols are designed solely using encryption, and for this reason, a widely agreed notation for expressing the use of encryption in these protocols is {M}_K. This notation denotes a piece of ciphertext: its sender must perform encryption to create it while its receiver has to perform decryption in order to extract M from it. It is the demonstration of these cryptographic capabilities to the communication partners that proves a principal's holding of a secret key and hence proves the holder's identity.

Thus, it seems that the idea of authentication achieved by using encryption is simple enough; there should not be much subtlety here.

However, in fact, the simple idea of achieving authentication using a cryptographic transformation is often misused. The misuse is responsible for many protocol flaws. In this section, we shall first identify a popular misuse of encryption in authentication protocols; then we shall propose an authentication protocol design method based on a refined specification on the use of cryptographic transformations.

17.2.1 Imprecision of Encryption-decryption Approach for Authentication

In §11.4.1.5 we have listed two "non-standard" mechanisms for constructing authentication protocols using encryption. In those mechanisms, a sender generates ciphertext {M}_K and sends it to an intended receiver; the correct receiver has a secret key to perform decryption, and subsequently can return to the sender a message component extracted from the ciphertext. The returned message component, often containing a freshness identifier, proves to the sender a lively correspondence of the receiver. This achieves authentication of the receiver to the sender. Let us name these (non-standard) mechanisms the "authentication via encryption-decryption" approach.

An often unpronounced security service which implicitly plays the role in the encryption-decryption approach is confidentiality, which must be realized using a reversible cryptographic transformation. However, in many cases of authentication protocols where this approach is used, the needed security service is actually not confidentiality, but data integrity, which is better realized using some one-way (i.e., non-reversible) transformations. That is why we have labeled such cases misuse of cryptographic transformations.

When a misuse of cryptographic transformations takes place, there are two undesirable consequences. Let us now discuss them in detail.

17.2.1.1 Harmful

In a challenge-response mechanism for verifying message freshness, the encryption-decryption approach assists an adversary to use a principal to provide an oracle decryption service (see §7.8.2.1 and §8.9). Such a service may grant an unentitled cryptographic operation to Malice, who otherwise cannot perform it himself as he does not have the correct cryptographic key in his possession.

Oracle decryption service provides a major source of tricks for Malice to manipulate protocol messages and defeat the goal of authentication. Lowe's attack on the Needham-Schroeder Public-key Authentication Protocol (Attack 2.3) shows exactly such a trick: in the attacking steps 1-7, Malice uses Alice's oracle decryption service to decrypt Bob's nonce N_B for him, and is subsequently able to talk to Bob by masquerading as Alice.

Oracle decryption services also provide Malice with valuable information usable for cryptanalysis, e.g., in chosen-plaintext or chosen-ciphertext attacks. We have seen such tricks in numerous attacking examples in Chapter 14.

The correct cryptographic transformation in a challenge-response based mechanism for a receiver to show a cryptographic credential (possessing the correct key) is for her/him to perform a one-way transformation. In the case of using symmetric cryptographic techniques, mechanism 11.4.2 is a more desirable one. If the freshness identifier must be kept secret, then mechanism 11.4.1 can be used; however, in that case, Bob should still apply a data-integrity service to protect his ciphertext (reason to be given in §17.2.1.2), which should in fact be achieved using a one-way transformation, that is, the ciphertext in mechanism 11.4.1 still needs a protection based on mechanism 11.4.2. In the case of using asymmetric techniques, mechanism 11.4.3 is standard.

Of course mechanisms 11.4.1 and 11.4.2 also enable the challenger to use the responder to provide an oracle service for creating plaintext-ciphertext pairs:

where N is a freshness identifier of the challenger's choice. Nevertheless, considering N being non-secret, providing such a pair can cause far less problem than providing a decryption service. Moreover, in the second case, the "oracle encryption service" is in fact not in place. Any one-way cryptographic transformation for realizing an MDC has a data compression property (see, e.g., §10.3.1 and §10.3.3 for the data compression property in hash-function based and block-cipher based MDCs). The data compression property renders loss of information and that's why the transformation becomes irreversible. The loss of information makes the resultant challenge/response pair unusable in a different context: their usage is fixed as in the context of mechanism 11.4.2; using them in any other context will cause a detectable error.

17.2.1.2 Insufficient

In general, a ciphertext encrypting a confidential message should itself be protected in terms of data integrity. In the absence of a data-integrity protection, it seems impossible to prevent an active adversary from manipulating the encrypted messages and defeating the goal of a protocol if the ciphertext is an important protocol message.

Let us now look at this issue using the Needham-Schroeder Symmetric-key Authentication Protocol (the fixed version due to Denning and Sacco, see §2.6.5.1). We assume that the encryption algorithm used in the protocol provides a strong confidentiality protection for any message component inside a ciphertext. However, for the purpose of exposing our point, we shall stipulate that the encryption algorithm does not provide any protection in terms of data integrity. This stipulation is not unreasonable. In fact, any encryption algorithm which is not designed to also provide a data-integrity protection can have this feature if the plaintext message contains a sufficient quantity of randomness so that the plaintext extracted from decryption is unrecognizable.

For instance, we may reasonably assume that the encryption algorithm is the AES (§7.7) with the CBC mode of operation (§7.8.2). The reader may extend our attack to other symmetric encryption algorithms, for example, the one-time pad encryption. We should notice that, regardless of what encryption algorithm is to be used, our attack will not make use of any weakness in the algorithm's quality of confidentiality service.

Let us examine the first two steps of the Needham-Schroeder Symmetric-key Authentication Protocol.

1. Alice → Trent: Alice, Bob, N_A;
2. Trent → Alice: {N_A, K, Bob, Y}_{K_AT};

where Y = {Alice, K, T}_{K_BT}.

Let

denote the plaintext message blocks for the plaintext message string

In order for the protocol to suit the needs of general applications, we should reasonably assume that the size of the session key K is no smaller than the size of one ciphertext block. This is a reasonable assumption since a session key should contain sufficiently many information bits (e.g., for securely keying a block cipher or seeding a stream cipher). The nonce N_A should also be sufficiently large to prevent prediction. Since the nonce N_A starts in P_1, our assumption on the size of the session key naturally deduces that the whole plaintext block P_2 will be used solely for containing the session key, or maybe P_2 only contains part of the session key.

Notice that although we have related P_2 to K, this is purely for clarity in the exposition; if the session key K is very large, then it may occupy a number of plaintext blocks starting from P_2. Of course, Malice will know the size of the session key K. Yes, our attack does require Malice to know the size of the plaintext messages and the implementation details. After all, these should not be secret.
Let

denote the AES-CBC ciphertext blocks corresponding to the plaintext blocks P_1, P_2, ..., P_l (review the CBC mode of operation in §7.8.2). Let further

be the ciphertext blocks of a previous run of the same protocol between the same pair of principals. Of course, Malice had recorded the old ciphertext blocks.
To attack the protocol in a new run, Malice should intercept the new ciphertext blocks flowing from Trent to Alice:

2. Trent → Malice("Alice"):

Malice should now replace these blocks in the following way:

2. Malice("Trent") → Alice:

That is, Malice should replace the last l − 1 ciphertext blocks in the current run with the respective old blocks which he had recorded from an old run of the protocol, and let the manipulated chain of blocks go to Alice as if they were coming from Trent.

The CBC decryption by Alice will return N_A in good order since the decryption result is a function of IV and C_1. It will return (see "CBC Decryption" in §7.8.2)

as the "new" session key (or the first block of the "new" session key). Here K' is the old session key (or the first block of it) which was distributed in the recorded old run of the protocol. Alice's decryption of the subsequent ciphertext blocks will return the rest of the l − 1 plaintext blocks identical to those she had obtained in the old run of the protocol.

Since K' is the old session key, we should not exclude a possibility that Malice may have somehow acquired the old session key already (maybe because Alice or Bob had accidentally disclosed it). Thus, Malice can use (or maybe a value which is the concatenation of with the rest of the blocks of K', if the size of a session key is longer than one block) to talk to Alice by masquerading as Bob.

From this attack we see that, regardless of what Alice may infer from her correct extraction of her freshness identifier N_A, no other plaintext message returned from Alice's decryption operation should be regarded as fresh!

There can be numerous ways to implement the encryption-decryption approach in this protocol; each of them may thwart this specific attack, but may be subject to a different attack, as long as the implementation details are not secret to Malice.
Sever al aut hent i cat ion prot ocol s i n t wo ear l y dr aft i nt er nat i onal st andar d document s [ 144, 145]
fol l ow t he wr ong i dea of CBC r eali zat i on of encr ypt ion provi di ng dat a- i nt egr i t y ser vi ce ( gener al
guidel i ne for t hese prot ocol s usi ng CBC i s document ed i n [ 146, 142] ) , and of course, t hese

protocols are fatally flawed [184, 185], as we have demonstrated in this section.

We believe that the correct solution to securing this protocol is to have the ciphertext blocks protected under a proper data-integrity service; for example, by applying the message authentication techniques which we have introduced in 10.3.2 and 10.3.3 (manipulation detection code technique). Such a technique is essentially based on a one-way transformation, rather than on the encryption-decryption approach.

To this end, we have clearly demonstrated that in the case of authentication protocols applying symmetric cryptographic techniques, the encryption-decryption approach is insufficient for securing authentication protocols.

In authentication using asymmetric cryptographic techniques, the encryption-decryption approach is also insufficient. The Needham-Schroeder Public-key Authentication Protocol (Prot 2.5) is an example of this approach. Lowe's attack on that protocol (Attack 2.3) provides clear evidence of the insufficiency. We will see later (17.2.3.3) that a one-way transformation approach for specifying that protocol will provide a sound fix to that protocol with respect to thwarting Lowe's attack.
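The block-splicing attack above and the data-integrity fix that follows it, as an added worked example that is not part of the book. The block cipher is a constructed stand-in for AES (a keyed Feistel permutation built from HMAC-SHA256, chosen only because the standard library has no AES); the block layout of Trent's message (N_A, K, Bob, ticket), the key names k_at and k_mac, and the HMAC-over-ciphertext check are assumptions made for the illustration. The value that Alice recovers in the second block is computed directly from the CBC decryption rule P_i = D(C_i) XOR C_{i-1}.

```python
import hashlib
import hmac
import secrets

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed stand-in for AES: a 4-round Feistel permutation on 16-byte blocks
# with HMAC-SHA256 as round function. It is a bijection, so CBC decryption
# behaves exactly as in 7.8.2; it is NOT a secure cipher.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = block_encrypt(key, xor(p, prev))      # C_i = E(P_i XOR C_{i-1})
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(xor(block_decrypt(key, c), prev))  # P_i = D(C_i) XOR C_{i-1}
        prev = c
    return out


def trent_message(k_at, n_a, session_key):
    """Trent's message 2 to Alice, encryption only. Constructed block layout:
    P_1 = N_A, P_2 = K, P_3 = "Bob", P_4 = a stand-in for the ticket for Bob."""
    iv = secrets.token_bytes(BLOCK)
    plain = [n_a, session_key, b"Bob".ljust(BLOCK, b"\x00"), secrets.token_bytes(BLOCK)]
    return iv, cbc_encrypt(k_at, iv, plain), plain


def splice_attack():
    """Malice keeps the new IV and C_1 and substitutes the recorded old C'_2..C'_l."""
    k_at = secrets.token_bytes(BLOCK)
    n_a_old, k_old = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    _, c_old, p_old = trent_message(k_at, n_a_old, k_old)       # recorded old run
    n_a = secrets.token_bytes(BLOCK)                              # Alice's fresh nonce
    iv_new, c_new, _ = trent_message(k_at, n_a, secrets.token_bytes(BLOCK))
    spliced = [c_new[0]] + c_old[1:]
    recovered = cbc_decrypt(k_at, iv_new, spliced)                # what Alice sees
    return {"n_a": n_a, "old_key": k_old, "c1_new": c_new[0], "c1_old": c_old[0],
            "old_tail": p_old[2:], "recovered": recovered}


# The fix: a manipulation detection code over IV and all ciphertext blocks,
# under a separate key k_mac (assumed shared between Alice and Trent).
def mdc(k_mac, iv, blocks):
    return hmac.new(k_mac, iv + b"".join(blocks), hashlib.sha256).digest()


def alice_accepts(k_mac, iv, blocks, tag):
    return hmac.compare_digest(mdc(k_mac, iv, blocks), tag)


def splice_detected():
    k_at, k_mac = secrets.token_bytes(BLOCK), secrets.token_bytes(32)
    _, c_old, _ = trent_message(k_at, secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK))
    iv_new, c_new, _ = trent_message(k_at, secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK))
    tag_new = mdc(k_mac, iv_new, c_new)
    return not alice_accepts(k_mac, iv_new, [c_new[0]] + c_old[1:], tag_new)
```

Running splice_attack() shows the three facts in the text: the first recovered block is N_A, the second is K' XOR C'_1 XOR C_1 (the old key masked by the two first ciphertext blocks), and every later block equals the old run's plaintext. The MAC is computed over the ciphertext rather than the plaintext so that Alice rejects the spliced chain before decrypting anything.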
17.2.2 A Refined Specification for Authentication Protocols
In order to specify authentication protocols so that the precisely needed cryptographic services are expressed, Boyd and Mao propose to specify authentication protocols in a more complete manner [186]. They take a refinement approach which uses two notations to express the use of cryptographic transformations. Here the two notations are described:

{M}_K denotes the result of an encryption of the message M using the key K. The security service provided on M is confidentiality: M may only be extracted by a principal who is in possession of K^-1, which is the decryption key matching K. Notice that the message output from the decryption procedure may not be recognizable by the holder of K^-1.

[M]_K denotes the result of a one-way transformation of the message M using the key K. The security service provided on M is data integrity with message source identification, which should use the techniques we have studied in Chapter 10. The message M in [M]_K is not a secret and may be visible from [M]_K even without performing any cryptographic operation. A principal who has possession of K^-1, which is the verification key matching K, can verify the data-integrity correctness of [M]_K and identify the message source. The verification procedure outputs YES or NO: in the YES case, [M]_K is deemed to have correct data integrity and M is deemed to be a recognizable message from the identified source; in the NO case, [M]_K is deemed to have incorrect data integrity and M is deemed to be unrecognizable.

In practice, [M]_K can be realized by a pair (M, prf_K(M)) where prf_K denotes a keyed pseudo-random function (e.g., a message authentication code in cipher-block-chaining mode of operation, CBC-MAC, see 10.3.3, or a keyed cryptographic hash function, HMAC, see 10.3.2) for the case of symmetric technique realization, or a digital signature algorithm for the case of asymmetric technique realization. These are practically efficient realizations.

The refined notation unifies symmetric and asymmetric cryptographic techniques. In the former case, K and K^-1 are the same, whereas in the latter case, they are the matching key pair in a public-key cryptographic algorithm.

We should emphasize that the transformation [M]_K not only serves data integrity, but also message source identification. If the verification of [M]_K returns YES, then even though the message M may not contain any information about its source, the verifier can identify the correct

source based on the verification key in use.

Recently, the importance of coupling ciphertexts (confidentiality service) with a data-integrity service has become more widely adopted. We have seen the idea's general applications in public-key cryptography in Chapter 15. In the security community, Aiello et al. [11] use the following notation for refinement of security services:

In this notation, the message M is encrypted using key K_1, as well as protected in data integrity where the verification key is K_2.

Protocol 17.1: The Needham-Schroeder Symmetric-key Authentication Protocol in Refined Specification

PREMISE and GOAL: Same as in Prot 2.4.

1. Alice → Trent: Alice, Bob, N_A;
2. Trent → Alice: [{K}_KAT, N_A, Alice, Bob]_KAT; [{K}_KBT, T, Alice, Bob]_KBT;
3. Alice → Bob: [{K}_KBT, T, Alice, Bob]_KBT;
4. Bob → Alice: [N_B]_K;
5. Alice → Bob: [N_B − 1]_K.
17.2.3 Examples of Refined Specification for Authentication Protocols
Now let us provide a few examples of authentication protocols specified using the refined notation.

17.2.3.1 The Needham-Schroeder Symmetric-key Authentication Protocol

The first example is the Needham-Schroeder Symmetric-key Authentication Protocol, which is specified in Prot 17.1.

In the refined specification of the Needham-Schroeder Symmetric-key Authentication Protocol, the need for a data-integrity service is made explicit. If the messages which Alice and Bob receive from Trent and those between them have not been altered in transmission, then both parties can be sure, after seeing the YES output from data-integrity verification, that the session key K has a correct cryptographic association with their identities and their respective freshness identifiers. These assure them of the correctness of the key-sharing parties and of the freshness of the session key. It is clear that any unauthorized alteration of the message, such as the one we have seen in 17.2.1.2, will be detected.

From this refined specification of the protocol we can see that the confidentiality service is provided at the minimum level: only the session key K is protected in that way. Given the random nature of a key, the minimum use of the confidentiality service is desirable because it limits (minimizes) the amount of information disclosure which may be useful for cryptanalysis.

17.2.3.2 The Woo-Lam Protocol

The second example of a refined protocol specification is that for the Woo-Lam Protocol. The refined specification is given in Prot 17.2 (cf. Prot 11.2). This example will reveal the effectiveness of using the refined specification to avoid various attacks. The reason behind the attacks we have seen on this protocol will become apparent: incorrect cryptographic services implied by the imprecision of the widely agreed notation for expressing the use of encryption in authentication protocols.
Protocol 17.2: The Woo-Lam Protocol in Refined Specification

PREMISE and GOAL: Same as in Prot 11.2;
CONVENTION: Abort the run if any one-way transformation verification returns NO.

1. Alice → Bob: Alice;
2. Bob → Alice: N_B;
3. Alice → Bob: [N_B]_KAT;
4. Bob → Trent: [Alice, N_B, [N_B]_KAT]_KBT;
   (* note: Bob includes N_B in his part of the one-way transformation since he himself is the source of this freshness identifier *)
5. Trent → Bob: [N_B]_KBT;
6. Bob accepts if the integrity verification of [N_B]_KBT returns YES, and rejects otherwise.

We notice that since no message in the Woo-Lam Protocol (Prot 11.2) is secret, there is no need for providing confidentiality protection on any protocol message. The only needed cryptographic protection in the protocol is data integrity with source identification. Therefore in the refined specification of the protocol we only specify one-way transformations.

Now let us reason that none of the attacks on the original Woo-Lam Protocol or on the various "fixes" which we have seen in 11.7 can be applicable to the protocol's refined version.

First, the parallel-session attack demonstrated in Attack 11.5 will no longer work. To see this, let Malice send to Bob [N_B]_KMT in two parallel steps 3 and 3':

3. Malice("Alice") → Bob: [N_B]_KMT
3'. Malice → Bob: [N_B]_KMT

Let us assume that Bob remains unsuspecting: he does not check these messages (since they are not meant for him to perform any checking), and simply proceeds to send out two messages in two parallel steps 4 and 4':

4. Bob → Trent: [Alice, N_B, [N_B]_KMT]_KBT
4'. Bob → Trent: [Malice, N'_B, [N_B]_KMT]_KBT

However, Trent will detect two errors in these two steps. The first error occurs on the verification of the message in step 4: Trent uses K_AT to verify [N_B]_KMT, and this of course returns NO, so the run with step 4 will be aborted. The second error occurs on the verification of the message in step 4': Trent finds that the two one-way transformations use different nonces, and hence this run will have to be aborted too (otherwise, which of the two nonces should Trent return to Bob?).

Finally, it is trivial to see that the reflection attack in Attack 11.6 will no longer work on the refined specification either. This is because, if Malice reflects message line 4 as message line 5, the verification step performed by Bob in step 6, which expects exactly [N_B]_KBT, will certainly return NO.

Now it is clear that the fundamental reason for the original Woo-Lam Protocol being flawed is its misuse of cryptographic services.

17.2.3.3 The Needham-Schroeder Public-key Authentication Protocol

Finally, let us look at a refined protocol specification example for a public-key application: the Needham-Schroeder Public-key Authentication Protocol.

Following our discussion in 2.6.6.3, the Needham-Schroeder Public-key Authentication Protocol can be presented in three steps of message transitions. This simplified version is specified in Prot 17.3.
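The symmetric realization of [M]_K from 17.2.2, (M, prf_K(M)) with HMAC as the keyed pseudo-random function, together with Trent's and Bob's checks in the refined Woo-Lam Protocol (Prot 17.2) and the two attacks just discussed, as an added example that is not code from the book. The '|'-separated wire format, hex-encoded nonces, and the way a nested tag is carried as a hex field are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def owt(key, *fields):
    """[fields]_K realized as the pair (M, prf_K(M)), with HMAC-SHA256 as prf_K.
    Fields are joined with '|'; nonces are hex so the separator never occurs."""
    m = b"|".join(fields)
    return m, hmac.new(key, m, hashlib.sha256).digest()


def verify(key, m, tag):
    """YES (True) / NO (False) verification of [M]_K under the matching key."""
    return hmac.compare_digest(hmac.new(key, m, hashlib.sha256).digest(), tag)


# Constructed long-term keys shared with Trent: K_AT, K_BT, K_MT.
KEYS = {name: secrets.token_bytes(32) for name in ("Alice", "Bob", "Malice")}


def step3(sender, n_b):
    return owt(KEYS[sender], n_b)                       # [N_B]_{K_sender,T}


def step4(claimed, n_b, inner):
    m_in, t_in = inner                                  # [claimed, N_B, [N_B]_K?T]_KBT
    return owt(KEYS["Bob"], claimed.encode(), n_b, m_in, t_in.hex().encode())


def trent(m4, t4):
    """Trent's checks on message 4: (reason, message 5), message 5 None on abort."""
    if not verify(KEYS["Bob"], m4, t4):
        return "outer verification under K_BT returned NO", None
    claimed, n_outer, n_inner, t_hex = m4.split(b"|")
    name = claimed.decode()
    if name not in KEYS or not verify(KEYS[name], n_inner, bytes.fromhex(t_hex.decode())):
        return f"inner verification under K_{name[0]}T returned NO", None
    if n_outer != n_inner:
        return "nonce in Bob's part differs from nonce in the inner transformation", None
    return "YES", owt(KEYS["Bob"], n_outer)             # step 5: [N_B]_KBT


def bob_step6(n_b, m5, t5):
    # Bob accepts only if the verified message is exactly his nonce N_B. A valid
    # tag alone proves nothing: Bob himself produces tags under K_BT in step 4.
    return verify(KEYS["Bob"], m5, t5) and m5 == n_b


def honest_run():
    n_b = secrets.token_hex(16).encode()                # step 2: Bob -> Alice: N_B
    m4, t4 = step4("Alice", n_b, step3("Alice", n_b))   # steps 3 and 4
    reason, msg5 = trent(m4, t4)
    return reason == "YES" and bob_step6(n_b, *msg5)


def parallel_session_attack():
    """Attack 11.5 replayed: Malice answers both sessions with [N_B]_KMT."""
    n_b, n_b_prime = secrets.token_hex(16).encode(), secrets.token_hex(16).encode()
    forged = step3("Malice", n_b)                       # sent in step 3 (as "Alice") and 3'
    r4, _ = trent(*step4("Alice", n_b, forged))         # step 4: inner key is not K_AT
    r4p, _ = trent(*step4("Malice", n_b_prime, forged))  # step 4': nonces differ
    return r4, r4p


def reflection_attack():
    """Attack 11.6 replayed: Malice reflects Bob's message 4 back as message 5."""
    n_b = secrets.token_hex(16).encode()
    m4, t4 = step4("Alice", n_b, step3("Alice", n_b))
    return bob_step6(n_b, m4, t4)
```

The check in bob_step6 is the part that makes the reflection attack fail: the reflected pair carries a genuine tag under K_BT, so Bob must compare the verified message with N_B rather than only checking the tag. Reusing K_BT for both Bob's step-4 transformation and Trent's step-5 transformation is what forces that content check; in a deployment, separate keys or a direction field per message would remove the reliance on it.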
Protocol 17.3: The Needham-Schroeder Public-key Authentication Protocol

PREMISE and GOAL: Same as in Prot 2.5.

1. Alice → Bob: {N_A, Alice}_KB;
2. Bob → Alice: {N_A, N_B}_KA;
3. Alice → Bob: {N_B}_KB.

Here, {...}_KA and {...}_KB denote encryption using Alice's and Bob's public keys, respectively, and so they can only be decrypted by Alice and Bob, respectively. Thus, upon receipt of message line 2, Alice should believe that only Bob can have decrypted message line 1 and subsequently returned her nonce N_A. Likewise, upon receipt of message line 3, Bob should believe that only Alice can have decrypted message line 2 and subsequently returned his nonce N_B. Thus, it is rather reasonable to expect that, upon termination of a run, both parties should have achieved lively identification of the other party and shared the two nonces.

However, Lowe's attack in Attack 2.3 refutes this "reasonable" belief. Now, after our convincing arguments in 17.2.1 against the imprecision of achieving authentication via the encryption-decryption approach, we are able to review Lowe's attack on the original protocol from a new angle: it is the missing correct cryptographic service that has been the cause of the attack. The attack will disappear if the protocol is specified with refined precision. Prot 17.4 specifies one case.

Protocol 17.4: The Needham-Schroeder Public-key Authentication Protocol in Refined Specification

PREMISE and GOAL: Same as in Prot 2.5.

1. Alice → Bob: {[N_A, Alice]_KA}_KB;
2. Bob → Alice: {N_A, [N_B]_KB}_KA;
3. Alice → Bob: {[N_B]_KA}_KB.

In the refined specification, [N_A, Alice]_KA denotes a message of which the verification of data integrity (and message source identification) should use Alice's public key K_A. Hence, the transformation [N_A, Alice]_KA can be Alice's signature. So the message in step 1 is Alice's nonce, signed by Alice and then encrypted under Bob's public key. Likewise, the message in step 2 can be one signed by Bob and then encrypted under Alice's public key.

Protocol 17.5: Another Refined Specification of the Needham-Schroeder Public-key Authentication Protocol

PREMISE and GOAL: Same as in Prot 2.5.

1. Alice → Bob: [{N_A}_KB, Alice]_KA;
2. Bob → Alice: [{N_A, N_B}_KA]_KB;
3. Alice → Bob: [{N_B}_KB]_KA.

Because the second message is signed by Bob, Lowe's attack in Attack 2.3 can no longer work on the protocol in the refined version. Malice can initiate a run with Bob by masquerading as Alice using Alice's signature (Alice has sent her signature to Malice, and he can decrypt to retrieve the signature and re-encrypt it under Bob's public key); however, now Malice cannot forward Bob's response to Alice as he did in the attack on the original protocol, since Alice, believing she is running the protocol with Malice, will verify [N_B]_KB under Malice's public key and detect an error.

Although in 2.6.6.4 we have suggested a fix for Lowe's attack on the Needham-Schroeder Public-key Authentication Protocol by adding the identity of the intended communication partner in the encrypted message, we now know that the fix is not necessarily correct. Indeed, if the encryption algorithm is malleable (see 14.5.3), then there is no guarantee for the decrypting principal to be sure about the correctness of the identity revealed from decryption. Clearly, the correct fix is to use the correct cryptographic services, and the refined protocol specification helps to identify and specify the correct services.

The Needham-Schroeder Public-key Authentication Protocol can also be refined in a different version, encryption-then-sign, as specified in Prot 17.5.

Again, Lowe's attack on the original protocol won't work on Prot 17.5: now Malice cannot even initiate a masquerading run with Bob.
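Prot 17.4 (sign-then-encrypt) with Lowe's attack replayed against it, as an added example that is not code from the book. The public-key primitives are textbook RSA keyed with well-known Mersenne primes so that the block needs no third-party library; they are constructed and insecure (the book's own warning about textbook crypto applies) and only model {...}_K and [...]_K for the protocol flow. The '|'-separated wire format, hex nonces, decimal-encoded signatures and the 16-byte chunking of the encryption are assumptions made for the illustration.

```python
import hashlib
import secrets


def keypair(p, q, e=65537):
    """Toy textbook RSA key pair from two known primes (constructed, insecure)."""
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


PUB, PRIV = {}, {}
for name, (p, q) in {"Alice": ((1 << 127) - 1, (1 << 107) - 1),
                     "Bob": ((1 << 521) - 1, (1 << 89) - 1),
                     "Malice": ((1 << 607) - 1, (1 << 61) - 1)}.items():
    PUB[name], PRIV[name] = keypair(p, q)


def enc(pub, data):
    """{data}_K: 16-byte chunks, each prefixed with 0x01 so leading zeros survive."""
    n, e = pub
    return [pow(int.from_bytes(b"\x01" + data[i:i + 16], "big"), e, n)
            for i in range(0, len(data), 16)]


def dec(priv, blocks):
    n, d = priv
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    return out


def sign(name, msg):
    """[msg]_K realized as a signature over SHA-256(msg) under name's private key."""
    n, d = PRIV[name]
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % n, d, n)


def verify(name, msg, sig):
    """YES/NO: data integrity plus source identification under name's public key."""
    n, e = PUB[name]
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def msg1(peer):
    """Step 1, Alice -> peer: {[N_A, Alice]_KA}_K_peer."""
    n_a = secrets.token_hex(16).encode()
    body = n_a + b"|Alice"
    return n_a, enc(PUB[peer], body + b"|" + str(sign("Alice", body)).encode())


def bob_step2(c1):
    """Bob verifies the signature in step 1, then replies {N_A, [N_B]_KB}_KA (None on NO)."""
    n_a, claimed, sig = dec(PRIV["Bob"], c1).split(b"|")
    if not verify(claimed.decode(), n_a + b"|" + claimed, int(sig)):
        return None
    n_b = secrets.token_hex(16).encode()
    return enc(PUB[claimed.decode()], n_a + b"|" + n_b + b"|" + str(sign("Bob", n_b)).encode())


def alice_step3(peer, n_a, c2):
    """Alice, in a run she started with peer: check N_A, verify [N_B] under peer's key."""
    n_a2, n_b, sig = dec(PRIV["Alice"], c2).split(b"|")
    if n_a2 != n_a or not verify(peer, n_b, int(sig)):
        return None                                         # verification NO: abort
    return enc(PUB[peer], n_b + b"|" + str(sign("Alice", n_b)).encode())


def lowe_attack():
    """Attack 2.3 against Prot 17.4: what each honest party concludes."""
    n_a, c1 = msg1("Malice")                                # Alice starts a run with Malice
    relayed = enc(PUB["Bob"], dec(PRIV["Malice"], c1))      # Malice re-encrypts for Bob
    c2 = bob_step2(relayed)                                 # Bob accepts "Alice", signs N_B
    c3 = alice_step3("Malice", n_a, c2) if c2 is not None else None
    return {"bob_accepted_msg1": c2 is not None, "alice_accepted_msg2": c3 is not None}


def honest_run():
    n_a, c1 = msg1("Bob")
    c3 = alice_step3("Bob", n_a, bob_step2(c1))
    n_b_returned, sig = dec(PRIV["Bob"], c3).split(b"|")
    return verify("Alice", n_b_returned, int(sig))
```

lowe_attack() reproduces the text: Bob does accept Malice's relayed first message, because the signature inside really is Alice's, but Alice aborts at step 2 because she verifies Bob's signature on N_B under Malice's public key and gets NO. The identity-in-ciphertext fix from 2.6.6.4 is deliberately absent; the run fails on the signature check alone.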

17.3 A Computational View of Correct Protocols: the Bellare-Rogaway Model

In Chapters 14 and 15 we have become familiar with the idea of provable security under a computational model, which originates from the seminal work of Goldwasser and Micali [125]. There, a security property (one of several confidentiality qualities) is argued under a given attacking scenario (one of several attacking games, each of which models, with sufficient generality and precision, one of several typical behaviors of a real-world attacker against public-key encryption schemes). A proof of security for a public-key encryption scheme with respect to an alleged attack involves demonstrating an efficient transformation (called a polynomial-time reduction) leading from the alleged attack to a major breakthrough on a well-believed hard problem in computational complexity. It is the wide belief in the unlikelihood of the major breakthrough that should refute the existence of the alleged attack; that is, a proof is given by contradiction.

Therefore, a formal proof of security under the computational model consists of the following three steps:

i. Formal modeling of the behavior of protocol participants and that of an attacker: the modeling is usually given in the form of an attacking game played between the attacker and the target.

ii. Formal definition of the security goal: success for the attacker in the attacking game is formulated here, usually in terms of (a non-negligible) probability and (affordable) time complexity.

iii. Formal demonstration of a polynomial-time reduction, leading from an alleged attack on a given target to an unlikely breakthrough in the theory of computational complexity; the formal demonstration of the reduction is a mathematician's proof which shows that a theorem holds.

Bellare and Rogaway are the first researchers to initiate a computational-model approach to proofs of security for authentication and authenticated key establishment protocols [23]. In their seminal work, they model attacks on authentication and authenticated key establishment protocols, design several simple protocols (entity authentication and authenticated key agreement) and then conduct proofs that their protocols are correct. Their proof leads from an alleged successful attack on a protocol to the collapse of pseudo-randomness, i.e., the output of a pseudo-random function can be distinguished from that of a truly random function by a polynomial-time distinguisher; in other words, the existence of pseudo-random functions is denied.

The reader may now like to review our discussions in 4.7 leading to Assumptions 4.1 and 4.2. These assumptions are the foundations for modern cryptography. They imply that the result of the reduction should either be false or be a major breakthrough in the foundations of modern cryptography. As the former is more likely the case, the reduction derives a contradiction as desired.

We shall only introduce the simplest case in the initial work of Bellare and Rogaway: the proof of security for a two-party entity authentication protocol based on a shared symmetric key [23]. Nevertheless, this simple case suffices for us to view the working principle of the computational model for proofs of protocol correctness.

Our introduction to the original work of Bellare and Rogaway on authentication protocols follows the three steps in the computational model for provable security. In §17.3.1 we formally model the behavior of protocol participants and that of Malice. In §17.3.2 we provide a formal definition of the security goal of mutual entity authentication. In §17.3.3 we demonstrate a proof by reduction to contradiction for a mutual entity authentication protocol.

17.3.1 Formal Modeling of the Behavior of Principals
The protocols considered in [23] are two-party ones. Each of the two participants of a protocol has its part as a piece of efficiently executable code with input and output values. A protocol is composed by the communications between these two parts on the input and output values. However, we should notice that "communications" here may go through Malice and may be subject to his manipulation of the communicated values.

Thus, we use two steps to describe an abstract protocol: first, an efficiently executable function owned by a protocol participant; and secondly, the composition via communications.

17.3.1.1 Formalization of the Protocol Part Owned by an Honest Participant
Formally, this part of an abstract protocol is specified by a polynomial-time function Π on the following input values:

1^k: The security parameter k ∈ ℕ (review §4.4.6 and Definition 4.7 for the reason why we write k in the unary representation).

i: The identity of the principal who owns this part of the protocol; let us call this principal "the owner"; i ∈ I where I is a set of principals who share the same long-lived key.

j: The identity of the intended communication partner of the owner; j ∈ I.

K: The long-lived symmetric key (i.e., the secret input) of the owner; in our case of two-party protocols based on a shared symmetric key, K is also the long-lived key for j.

conv: The conversation so far; conv is a bit string; this string grows with the protocol run, each new string being concatenated to it.

r: The random input of the owner; the reader may consider r as a nonce created by the owner.

Since Π(1^k, i, j, K, conv, r) runs in polynomial time in the size of its input values (notice that 1^k is of size k), we may consider K, r of size k, and i, j, conv of size polynomial in k.

An execution of Π(1^k, i, j, K, conv, r) will yield three values:

m: The next message to send out, m ∈ {0,1}* ∪ {"no message output"}; this is the public message to be transmitted over the open network to the intended communication partner.

The decision for the owner, a value in {Accept, Reject, No-decision}; the owner decides whether to accept or reject or remain undecided regarding the claimed identity of the intended communication partner; an acceptance decision usually does not occur until the end of the protocol run, although a rejection decision may occur at any time. Once a decision other than "No-decision" is reached, the decision will no longer change.

The private output to the owner, a value in {0,1}* ∪ {"no private output"}; the reader may consider that an agreed session key resulting from an acceptance run is a private output to the owner.

From this formal modeling of a protocol part, we can see that Bellare and Rogaway model entity authentication protocols using important protocol ingredients: cryptographic operations, participants' identities, freshness identifiers, and the conversed messages (review §11.4 for the meanings of these protocol ingredients).

We sometimes use Π(1^k, I) to denote an abstract protocol for the entities in set I.

For any given pair i, j ∈ I (i.e., for two principals who share a long-lived symmetric key) and for any session label s, we denote by Π^s_{i,j} player i attempting to authenticate player j in a session which i considers as labeled by s. This attempt may be initiated by i, or may be a response to a message from the intended communication peer j. In fact, we shall generally (and conveniently) treat this attempt as always being a response to an oracle query made by Malice. This generalization is formulated by the formalization of communications.

17.3.1.2 Formalization of Communications
Bellare and Rogaway follow the communication model of Dolev and Yao [101] (see §2.3): Malice, the attacker, controls the entire communication network.

Given Malice's network observation capability, which we have become familiar with in Chapters 2 and 11, Malice can observe a series of Π^s_{i,j}, for any given pair i, j ∈ I (i.e., who share a long-lived symmetric key), even if the executions of these functions are not of his own making. However, as an active attacker, Malice can do much more than passive observation. He can conduct as many sessions as he pleases among the honest principals, and he can persuade a principal (e.g., i) to start a protocol run as if it were run with another honest principal (e.g., j).

For the reason that Malice is a powerful active attacker, we conveniently let Malice own Π^s_{i,j} and Π^t_{j,i} as oracles in a black-box style (for i, j ∈ I and session labels s, t). This means Malice can query Π^s_{i,j} by supplying i with input values (i, j, s, conv), and he can query Π^t_{j,i} likewise. When Malice queries oracle Π^s_{i,j} using input (i, j, s, conv), i will add to Malice's input its own secret input K and its random input r, and so Π^s_{i,j}(1^k, i, j, K, conv, r) can be executed. After the execution, i will send out an output message m (if there is one), or "no message output," and the decision, and will keep the private output to itself. The outbound output results will of course be obtained by

Malice, and so he may proceed with his attack further.

Under the Dolev-Yao threat model of communications, before an oracle reaches the "Accept" decision, it always considers that any query it receives is from Malice.

Without loss of generality, it is harmless to consider that there always exists a particularly friendly kind of attacker, called a "benign adversary," who restricts its action to choosing a pair of oracles Π^s_{i,j} and Π^t_{j,i} and then faithfully conveying each flow from one oracle to the other, with Π^s_{i,j} beginning first. In other words, the first query a benign adversary makes is (i, j, s, "") to Π^s_{i,j} (where "" denotes the empty string), generating a response; the second query he makes is to Π^t_{j,i}, carrying that response, and generates the next response; and so forth, until both oracles reach the "Accept" decision and terminate. Therefore, a benign adversary behaves just like a wire linking i and j. We shall later see that for a provably secure protocol, Malice's behavior, if he wishes to have the targeted principals output the "Accept" decision, will be restricted to that of a benign adversary.

In a particular execution of a protocol, Malice's t-th query to an oracle is said to occur at time T = T_t. For t < u, we demand that T_t < T_u.

17.3.2 The Goal of Mutual Authentication: Matching Conversations
Bellare and Rogaway define a notion of matching conversations (notice the plural form) as the security goal of mutual entity authentication.

A conversation of oracle Π^s_{i,j} is a sequence of timely ordered messages which Π^s_{i,j} has sent out (respectively, received), and as consequent responses, received (respectively, sent out). Let T_1 < T_2 < ... < T_R (for some positive integer R) be a time sequence recorded by Π^s_{i,j} when it converses. The conversation can be denoted by a sequence of triples, one per query, each recording the time, the message the oracle was asked and the message it responded with. This sequence encodes that at time T_1 oracle Π^s_{i,j} was asked m_1 and gave its response, and then, at some later time T_2 > T_1, the oracle was asked m_2 and gave its response, and so on, until, finally, at time T_R it was asked m_R and gave its final response.

We should remind the reader that under the Dolev-Yao threat model of communications, oracle Π^s_{i,j} should assume that this conversation has been between it and Malice, unless at time T_R it has reached the "Accept" decision. It is convenient to treat all conversations as if they are started by Malice. So if m_1 = "", then we call Π^s_{i,j} an initiator oracle; otherwise, we call it a responder oracle.

Let conv

be a conversation of oracle Π^s_{i,j}. We say that oracle Π^t_{j,i} has a conversation conv' which matches conv if there exists a time sequence T_0 < T_1 < T_2 < ... < T_R under which conv' answers each message of conv in turn, with the final response being "no message output". These two conversations are called matching conversations.

Given a protocol Π, if Π^s_{i,j} and Π^t_{j,i} both always have matching conversations whenever they are allowed to complete a protocol run (again, we remind the reader that, before reaching the "Accept" decision, each of the oracles thinks it has been running with Malice), then it is clear that Malice has not been able to mount any attack more harmful than being a benign adversary, i.e., acting honestly just like a wire.

Now we are ready to formally pronounce what a secure mutual entity authentication protocol is.

Definition 17.1: We say that Π(1^k, {A, B}) is a secure mutual authentication protocol between A and B if the following statement holds except for a negligible probability in k: oracles Π^s_{A,B} and Π^t_{B,A} both reach the "Accept" decision if and only if they have matching conversations.

When we prove that a protocol is secure using this definition, it is trivial to see that the existence of matching conversations implies acceptance by both oracles, since an oracle accepts upon completing its part of the (matching) conversations.

Protocol 17.6: MAP1

PREMISE: Alice (A) and Bob (B) share a secret symmetric key K of size k; R_A is Alice's nonce, R_B is Bob's nonce, both are of size k; [x]_K denotes the pair (x, prf_K(x)) where x ∈ {0,1}* and prf_K: {0,1}* → {0,1}^k is a pseudo-random function keyed by K.

1. Alice sends to Bob: A||R_A;
2. Bob sends to Alice: [B||A||R_A||R_B]_K;
3. Alice sends to Bob: [A||R_B]_K.


The other direction is the non-trivial step: acceptance by both parties implies the existence of matching conversations. Consequently, the goal for Malice in an attack on a protocol is to have both oracles accept while they do not have matching conversations. Therefore the following definition is more relevant and will be used in our proof of protocol security:

Definition 17.2: We say that Π(1^k, {A, B}) is a secure mutual authentication protocol between A and B if Malice cannot win with a non-negligible probability in k. Here Malice wins if Π^s_{A,B} and Π^t_{B,A} both reach the "Accept" decision while they do not have matching conversations.

17.3.3 Protocol MAP1 and its Proof of Security
Bellare and Rogaway demonstrate their formal proof technique by providing a simple mutual entity authentication protocol named MAP1 (standing for "mutual authentication protocol one") and conducting its proof of security. MAP1 is specified in Prot 17.6.

In this protocol, Alice begins by sending Bob A||R_A where R_A is her random nonce of length k. Bob responds by making up a nonce challenge R_B of length k and sending back [B||A||R_A||R_B]_K. Alice checks whether this message is of the right form and is correctly labeled as coming from Bob. If it is, Alice sends Bob the message [A||R_B]_K and accepts. Bob then checks whether the final message is of the right form and is correctly labeled as coming from Alice, and, if it is, he accepts.

If Alice and Bob are interfaced with a benign adversary, then with T_0 < T_1 < T_2 < T_3, Alice will accept with the following conversation:

conv_A = (T_0, "", A||R_A), (T_2, [B||A||R_A||R_B]_K, [A||R_B]_K)

and Bob will accept with the following conversation:

conv_B = (T_1, A||R_A, [B||A||R_A||R_B]_K), (T_3, [A||R_B]_K, "no message output").

Clearly, conv_A and conv_B are two matching conversations.
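The benign-adversary run above, written out as an added example (not the book's or Bellare and Rogaway's code): each oracle Π^s_{i,j} is a small state machine taking (T, query) and returning the next message while updating its decision, and matching() checks the two recorded conversations against the definition in §17.3.2. Assumptions not in the text: prf_K is HMAC-SHA256 truncated to k = 128 bits (the HMAC realization named in §17.3.3), '||' is rendered as ':', identities are ASCII without ':', and nonces and tags are hex strings.

```python
"""MAP1 (Protocol 17.6) in the Bellare-Rogaway oracle model: an added example,
not code from the book. Assumptions: prf_K is HMAC-SHA256 truncated to k bits,
identities are ASCII without ':', nonces/tags are hex, and '||' is rendered as ':'."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

K_BITS = 128                      # security parameter k: nonce and prf output length
ACCEPT, REJECT, UNDECIDED = "Accept", "Reject", "No-decision"
NO_MSG = "no message output"

def prf(K: bytes, x: str) -> str:
    """prf_K: {0,1}* -> {0,1}^k, realized here by truncated HMAC-SHA256."""
    return hmac.new(K, x.encode(), hashlib.sha256).hexdigest()[: K_BITS // 4]

def bracket(K: bytes, x: str) -> str:
    """[x]_K = (x, prf_K(x)), rendered as x:tag."""
    return f"{x}:{prf(K, x)}"

def unbracket(K: bytes, msg: str):
    """Return x if msg is a well-formed [x]_K under K, else None (constant-time tag check)."""
    x, sep, t = msg.rpartition(":")
    if not sep or not hmac.compare_digest(t.encode(), prf(K, x).encode()):
        return None
    return x

@dataclass
class Oracle:
    """Pi^s_{i,j}: principal i's part of MAP1, intended peer j, long-lived key K.
    Each query appends a (T, message asked, message responded) triple to conv and may
    move the decision from No-decision to Accept or Reject, after which it is final."""
    i: str
    j: str
    K: bytes
    r: str = field(default_factory=lambda: secrets.token_hex(K_BITS // 8))  # random input r
    conv: list = field(default_factory=list)
    decision: str = UNDECIDED

    def query(self, T: int, msg: str) -> str:
        if self.decision != UNDECIDED:
            return NO_MSG
        n, out = len(self.conv), (REJECT, NO_MSG)     # anything unexpected -> Reject
        if n == 0 and msg == "":                      # initiator: send A||R_A
            out = UNDECIDED, f"{self.i}:{self.r}"
        elif n == 0:                                  # responder: got A||R_A, send [B||A||R_A||R_B]_K
            p = msg.split(":")
            if len(p) == 2 and p[0] == self.j:
                out = UNDECIDED, bracket(self.K, f"{self.i}:{self.j}:{p[1]}:{self.r}")
        elif n == 1 and self.conv[0][1] == "":        # initiator: check [B||A||R_A||R_B]_K, send [A||R_B]_K
            x = unbracket(self.K, msg)
            p = x.split(":") if x is not None else []
            if len(p) == 4 and p[:3] == [self.j, self.i, self.r]:
                out = ACCEPT, bracket(self.K, f"{self.i}:{p[3]}")
        elif n == 1:                                  # responder: check [A||R_B]_K
            if unbracket(self.K, msg) == f"{self.j}:{self.r}":
                out = ACCEPT, NO_MSG
        self.decision, m = out
        self.conv.append((T, msg, m))
        return m

def matching(conv_a: list, conv_b: list) -> bool:
    """Matching conversations (17.3.2): responder conv_b answers initiator conv_a flow by
    flow, times strictly interleaved (T_0 < T_1 < T_2 < ...), each message received being
    exactly the one the other oracle sent, and the responder's final response is NO_MSG."""
    if len(conv_a) != len(conv_b):
        return False
    for k, ((Ta, _, ra), (Tb, qb, rb)) in enumerate(zip(conv_a, conv_b)):
        if not (Ta < Tb and qb == ra):
            return False
        if k + 1 == len(conv_a):
            if rb != NO_MSG:
                return False
        elif not (Tb < conv_a[k + 1][0] and conv_a[k + 1][1] == rb):
            return False
    return True

def benign_run(A: Oracle, B: Oracle):
    """The benign adversary: a wire between Pi^s_{A,B} and Pi^t_{B,A}, A's oracle first.
    Returns both decisions and whether the two recorded conversations match."""
    T, msg, cur, nxt = 0, "", A, B
    while msg != NO_MSG and T < 8:
        msg = cur.query(T, msg)
        T, cur, nxt = T + 1, nxt, cur
    return A.decision, B.decision, matching(A.conv, B.conv)

def reflection_run(A: Oracle) -> str:
    """Malice answers A's first flow by reflecting it back instead of relaying to B:
    the reply is not a valid [B||A||R_A||R_B]_K, so A's decision must be Reject."""
    m1 = A.query(0, "")
    A.query(1, m1)
    return A.decision

if __name__ == "__main__":
    K = secrets.token_bytes(K_BITS // 8)            # constructed shared long-lived key
    A, B = Oracle("Alice", "Bob", K), Oracle("Bob", "Alice", K)
    print(benign_run(A, B))                         # ('Accept', 'Accept', True)
    print(reflection_run(Oracle("Alice", "Bob", K)))  # Reject
```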
To prove that MAP1 is secure when Alice and Bob are interfaced with any kind of polynomially bounded attacker (i.e., Malice), Bellare and Rogaway consider two experiments. In the first experiment, prf_K in MAP1 is a truly random function, that is, Π^s_{A,B} and Π^t_{B,A} somehow share the function prf_K; when they apply it to a given input x, the result prf_K(x) is a bit string uniformly distributed in {0,1}^k. Of course, we must admit that there exists no real-world method to implement such a shared function. In the second experiment, MAP1 is realized by a pseudo-random function family, just as happens in the real world.

Now in the first experiment, since prf_K(x) is a k-bit uniform string, when Π^s_{A,B} sees the conversation conv_A, it sees that the uniformly random string [B||A||R_A||R_B]_K is computed using R_A invented by itself; it can therefore conclude that the probability for this bit string not

having been computed by its intended peer (in other words, having been computed by Malice) is at the level of 2^{-k}. This level of probability should hold regardless of how Malice acts, benign or malicious. Consequently, it can conclude that its intended peer has a conversation which is prefixed by (T_1, A||R_A, [B||A||R_A||R_B]_K). This essentially shows to Π^s_{A,B} that there exists a conversation matching conv_A and that this conversation has been computed by the intended peer with an overwhelming probability (in k).

Likewise, when Π^t_{B,A} sees conv_B, it can conclude that a conversation matching conv_B must have been produced by its intended peer except for a probability at the level of 2^{-k}.

So if MAP1 is realized by a truly random and shared function, then Malice cannot win except for a negligible probability in k (review Definition 17.2 for the meaning of "Malice wins").

The remaining part of the proof is an argument by contradiction.

Suppose that in the second experiment, Malice wins with a non-negligible probability (in k). We can construct a polynomial-time test T which distinguishes random functions from pseudo-random functions. T receives a function g which is chosen according to the following experiment:

flip a coin C;
if C = "HEADS" let g be a random function
else pick K at random and let g = prf_K.

T's job is to predict C with some advantage non-negligible in k. T's strategy is to run Malice on MAP1 realized by g.

If Malice wins (note that T can tell whether or not Malice wins since T has in its possession both oracles Π^s_{A,B} and Π^t_{B,A} and hence can see their conversations), then T predicts C = "TAILS" (i.e., g is a pseudo-random function), else T predicts C = "HEADS" (g is truly random). Thus we see that T's advantage in making a distinction between a k-bit-output random function and a k-bit-output pseudo-random function is similar to Malice's advantage in winning, i.e., non-negligible in k. This contradicts the common belief that there exists no polynomial-time (in k) distinguisher to make such a distinction (see Assumption 4.2).

In practice, the pseudo-random function prf_K can be realized by a message authentication code in cipher-block-chaining mode of operation (CBC-MAC, see §10.3.3) or by a keyed cryptographic hash function (HMAC, see §10.3.2). These are practically efficient realizations.

17.3.4 Further Work in Computational Model for Protocols Correctness
In their seminal paper [23], Bellare and Rogaway also consider the correctness of authenticated session key establishment (session key transport) protocols (also for the two-party case). For those protocols, "Malice wins" means either a win under Definition 17.2, or a successful guess of the session key. Since the transported key is encrypted under the shared long-lived key, successfully guessing the key is as hard as making a distinction between a pseudo-random function and a truly random function.

Later, Bellare and Rogaway extend their initial work to the three-party case: also simple protocols, using a trusted third party as an authentication server [25].

Several other authors develop and explore the same approach further: e.g., [37] on key transport protocols, [36, 38] on key agreement protocols, [21, 57] on password-based protocols, [18, 66] on key exchange protocols and design-to-be-correct protocols, and [67] on the Internet Key Exchange (IKE) protocols.

17.3.5 Discussion
Wi t h t he r i gor ous for mul at i on of mat ching conver sat ions, Bel l ar e and Rogaway pr ovi de a useful
for mal i zat i on for prot ocol secur i t y. I mmedi at ely we can see t hat i n or der f or a pr i ncipal t o reach
a meani ngful conver sat i on, some si ll y prot ocol fl aws ( desi gn feat ur es) whi ch cause ref lect i on
at t acks ( see 11.7. 4) and t ype fl aws ( see 11.7. 6) can be easi l y el i mi nat ed fr om prot ocol
desi gn. Al so, t he mat hemat i cal anal ysi s can requi re, t o cer t ai n ext ent , a prot ocol desi gner or
anal y zer t o consi der usi ng cor rect or more pr eci se cr y pt ographi c ser vi ces, and so prot ocol fl aws
due t o mi suse of cry pt ogr aphi c servi ces ( see 11.7. 8) wi l l become l ess fr equent .
I t i s cl ear t hat t hi s proof t echnique should be worki ng t oget her wi t h pr ot ocol desi gn. I t gui des
pr ot ocol desi gn, and i t only wor ks on corr ect l y desi gned prot ocol s.
We should r emark a l i mi t at i on i n t hi s appr oach. Defi nit ion 17. 1, and hence Defi nit ion 17. 2, do
not consi der t he case of accept ance by one oracl e when t wo or acl es do not have mat chi ng
conver sat i ons. I n t hi s case, t hese defi ni t i ons do not j udge whet her or not a pr ot ocol i s secur e
si nce we onl y have one accept ance. However , because t he t he accept ance or acle act ual ly reaches
a wr ong deci sion, t he pr ot ocol shoul d act ual l y be deemed i nsecur e.
Perhaps t he wr ong deci si on in t his case needn't be a concer n at al l . For any secur e pr ot ocol ,
Mal i ce can al way s cut t he f inal message and t hereby pr event t he or acl e whi ch shoul d ot her wi se
r ecei ve t he f inal message f r om r eachi ng an accept ance deci si on. Cl earl y , such a non- accept ance
by one or acl e shoul d not t ur n t he pr ot ocol i nt o an i nsecur e one. However , we shoul d r emi nd
our sel ves t hat t her e exi st s non- t r i vi al aut hent i cat i on fai l ur es ( i . e. , not a resul t of t he non-
i nt er est i ng " droppi ng t he fi nal message at t ack") whi ch cannot be handl ed by Defi nit ions 17.1
and 17.2. The aut hent icat i on- fai l ur e fl aw in t he I KE Pr ot ocol ( Pr ot 12. 1) whi ch we demonst r at ed
i n At t ack 12. 1 i s j ust such an exampl e.
Due to the nature of communication, provable security for authentication protocols is a considerably harder problem than provable security for a cryptographic algorithm. The approach of Bellare and Rogaway sets out a correct direction. Further work extending their initial promising result is currently an active research topic.

17.4 A Symbolic Manipulation View of Correct Protocols
A symbolic manipulation view of correct authentication protocols is based on formal methods research results conducted by theoretic computer scientists. Under this view, security properties are expressed as a set of abstract symbols which can be manipulated, sometimes by a formal logic system, sometimes by a mechanical tool called a theorem prover, toward a YES/NO result.
17.4.1 Theorem Proving
A theorem proving approach can be described as follows:
A set of algebraic or logical formulae are defined for use in system behavior description or in statement construction, where statements can be premises (known formulae) or consequences (formulae to be derived);
A set of axioms are postulated for allowing algebraic or logical ways to derive new formulae from known ones;
Desired behavior or properties of a system being analyzed are specified as a set of theorems that need to be proved;
A proof of a theorem is conducted by using premises and applying axioms or proved theorems to reach desired consequences.
Sometimes, the proof process in a theorem proving approach can be mechanized if there are certain rules for applying axioms or theorems. The proof tool is then called a (mechanical) theorem prover. Applying term rewriting rules to rewrite a formula to a normal form is a standard example for mechanizing a proof. For instance, it is well-known that any boolean expression can be mechanically rewritten to a "conjunctive normal form" (CNF). However, in most cases, a mechanical theorem prover produces long and tedious proofs. It is also a well-known phenomenon that the length of a mechanical proof can be a non-polynomially bounded quantity in the size of the formula being reasoned about (review 4.6 for the meaning of a non-polynomially bounded quantity).
Although a mechanical theorem prover tends to produce impractically large proofs, a theorem proving approach is, nevertheless, capable of dealing with a system whose behavioral description cannot be represented by a finite structure (e.g., a system which has an infinite state space). An induction proof of an integer-based mathematical statement is such an example. However, a short-cut proof usually requires the involvement of human ingenuity.
A necessary property in an algebraic-based theorem proving approach is that the axiom system must preserve a so-called congruence property. This is a generalization of the congruence relation over integers (defined in 4.3.2.5) to an arbitrary algebraic structure. A binary relation R over an algebraic structure is said to be a congruence if for every dyadic operation o of the structure, whenever
then

The congruence property is also referred to as the substitution property or substitutability. With substitutability, a system component can be substituted by another one of a related behavior while the desired system behavior can be consistently maintained according to the relation between the substituted components. A theorem proving system will not be regarded as a sound system if it does not preserve substitutability. Therefore, substitutability is also referred to as the soundness property of a theorem proving system. An unsound "theorem proving" system should be useless because it is capable of producing an inconsistent statement, for example, the nonsense statement "1 = 2."
The completeness property of a theorem proving system refers to a sufficiency status of its axiom system with respect to a notion of "semantic validity." Basically, if a theorem proving system is complete, then any semantically valid statement must be provable, that is, there must exist a sequence of axiom applications which demonstrates syntactically the validity of the statement. The completeness property is desirable but is generally missing from a mechanical theorem prover.
A theorem proving approach aims to demonstrate some desired properties of a system, rather than to find errors in a system. This is because usually an undesirable property cannot be formulated into a theorem. Nevertheless, failure to demonstrate a desired property by a theorem proving system may often result in some insightful ideas leading to a revelation of a hidden error.
Authentication protocols are extremely error-prone systems. In general, it is difficult to come up with a secure protocol in the first place and then to demonstrate its security using a theorem proving approach. Therefore, a theorem proving approach is less useful than one which is capable of finding flaws directly.
17.4.2 A Logic of Authentication
One of the first attempts at formalizing the notion of protocol correctness is the "Logic of Authentication" proposed by Burrows, Abadi and Needham, named the BAN logic [61]. The BAN logic can be viewed as taking the theorem proving approach. It provides a set of logical formulae to model the basic actions of protocol participants and the meanings of the basic protocol components in an intuitive manner:
a principal sees a message;
a principal utters a message;
a principal believes or provides jurisdiction over the truth of a logical statement;
two (or more) principals share a secret (message);
message encryption;
message freshness;
conjunction of logical statements;
a good shared key: it has never been discovered by Malice and it is fresh.

Its axiom system is also postulated on the basis of intuition. For example, the following rule (named "nonce verification") captures the freshness requirement in message authentication precisely:
Equation 17.4.1
Here Q believes X in the consequence should be interpreted to mean that principal Q uttered message X recently. This axiom should be interpreted as saying: if principal P believes that message X is fresh and that principal Q said X, then he should believe that Q has said X recently.
A protocol analysis in the BAN logic starts by formulating a set of premises which are protocol assumptions. Next, the protocol messages are "idealized." This is a process to transform protocol messages into logical formulae. Then, axioms are applied on the logical formulae with an aim of establishing a desired property such as a good-key statement.
As a theorem proving approach, the BAN logic does not have a mechanism for directly finding a flaw in a protocol. However, we should notice that one can conduct a reasoning process in a backward manner: starting from the desired goal and applying the axioms to work out a necessary set of premises. Therefore, the BAN logic has been very successful in uncovering implicit assumptions that were missing from protocol specifications but are actually necessary in order for the statement of the desired goal to hold true. A missing assumption can often lead to a discovery of a flaw. A number of flaws in a number of authentication protocols have been uncovered in the seminal work [61]. However, flaw-finding in this way depends highly on the (human) analyzer's experience, insight or even luck.
The procedure for protocol idealization can be an error-prone process. Protocols in the literature are typically specified as a sequence of principals sending/receiving messages. Use of the BAN logic requires that the analyzer translate a protocol into formulae about the messages transmitted between principals, so that axioms can be applied. For example, if Trent sends a message containing the key K_AB, then the message sending step might need to be converted into
and this means that the key K_AB is a good key for communication between Alice and Bob. This idealization step seems to be quite straightforward. However, protocol idealization is actually a subtle job. Mao observes that the BAN logic provided a context-free procedure for protocol idealization [183]. For example, the idealization step we have illustrated above is done without considering the context of the protocol. This is in fact a dangerous simplification. Mao argues that the protocol idealization in the BAN logic must be a context-sensitive process.
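As an added illustration (not from the book), here is a small Python forward-chaining prover for a fragment of the BAN logic: the nonce-verification rule above (with the book's reading of "Q believes X" as "Q said X recently"), the standard BAN message-meaning and jurisdiction rules (not quoted on this page), and conjunction splitting. It is applied to an idealized Trent-to-Alice key distribution message like the one discussed above; the principal, key and nonce names and the premise set are constructed for the example, and dropping Alice's freshness premise shows the kind of missing assumption that backward reasoning over the axioms uncovers.

```python
"""Forward-chaining prover for a small fragment of the BAN logic (added example)."""

# --- formula constructors (nested tuples) ----------------------------------
def pair(x, y):        return ('pair', x, y)        # conjunction (X, Y)
def believes(p, x):    return ('believes', p, x)    # P believes X
def said(p, x):        return ('said', p, x)        # P once said X
def sees(p, x):        return ('sees', p, x)        # P sees X
def fresh(x):          return ('fresh', x)          # X is fresh
def enc(x, k):         return ('enc', x, k)         # {X}_K
def controls(p, x):    return ('controls', p, x)    # P has jurisdiction over X
def sharekey(p, q, k): return ('sharekey', frozenset((p, q)), k)  # P <-K-> Q (symmetric)


def _split(x):
    """Components of a conjunction; a non-pair formula is its own single component."""
    return [x[1], x[2]] if x[0] == 'pair' else [x]


def _step(facts):
    """One round of rule application; returns the facts newly derivable from `facts`."""
    new = set()
    for p, x in {(f[1], f[2]) for f in facts if f[0] == 'believes'}:
        # conjunction: P believes (X, Y)  =>  P believes X and P believes Y,
        # and the same splitting under "Q said (X, Y)" and "Q believes (X, Y)"
        for c in _split(x):
            new.add(believes(p, c))
        if x[0] in ('said', 'believes'):
            for c in _split(x[2]):
                new.add(believes(p, (x[0], x[1], c)))
        # message meaning: P believes P<-K->Q and P sees {X}_K  =>  P believes Q said X
        if x[0] == 'sharekey' and p in x[1]:
            for f in facts:
                if f[0] == 'sees' and f[1] == p and f[2][0] == 'enc' and f[2][2] == x[2]:
                    for q in x[1] - {p}:
                        new.add(believes(p, said(q, f[2][1])))
        # nonce verification: P believes fresh(X) and P believes Q said X
        #   =>  P believes Q believes X  (read as: Q said X recently);
        # freshness of one component of a conjunction extends to the whole conjunction
        if x[0] == 'said' and any(believes(p, fresh(c)) in facts
                                  for c in _split(x[2]) + [x[2]]):
            new.add(believes(p, believes(x[1], x[2])))
        # jurisdiction: P believes Q controls X and P believes Q believes X  =>  P believes X
        if x[0] == 'controls' and believes(p, believes(x[1], x[2])) in facts:
            new.add(believes(p, x[2]))
    return new - facts


def closure(premises):
    """All formulae derivable from the premises (the rules only shrink or
    re-wrap existing formulae, so the fixpoint is reached after finitely many rounds)."""
    facts = set(premises)
    while True:
        new = _step(facts)
        if not new:
            return facts
        facts |= new


def proves(premises, goal):
    return goal in closure(premises)


def missing_assumptions(premises, goal, candidates):
    """Backward-style search: which candidate premise, added to the given ones,
    makes the goal provable."""
    return [c for c in candidates if proves(set(premises) | {c}, goal)]


# --- constructed example: Trent distributes Kab to Alice -------------------
A, B, T = 'Alice', 'Bob', 'Trent'
K_AT, K_AB, N_A = 'Kat', 'Kab', 'Na'          # constructed key and nonce names
GOOD_KEY = sharekey(A, B, K_AB)               # the good-key statement  A <-Kab-> B
GOAL = believes(A, GOOD_KEY)

PREMISES = {
    believes(A, sharekey(A, T, K_AT)),        # Alice's long-term key with Trent
    believes(A, controls(T, GOOD_KEY)),       # Trent has jurisdiction over session keys
    believes(A, fresh(N_A)),                  # Alice generated Na in this run
    sees(A, enc(pair(N_A, GOOD_KEY), K_AT)),  # idealized  Trent -> Alice: {Na, A<-Kab->B}_Kat
}
# Without the freshness premise the message could be a replay: the goal is unprovable.
WITHOUT_FRESHNESS = PREMISES - {believes(A, fresh(N_A))}

if __name__ == '__main__':
    print('goal provable:', proves(PREMISES, GOAL))                  # True
    print('without freshness:', proves(WITHOUT_FRESHNESS, GOAL))     # False
    print('needed premise:', missing_assumptions(
        WITHOUT_FRESHNESS, GOAL, [believes(B, fresh(N_A)), believes(A, fresh(N_A))]))
```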
Another drawback in the original proposal of the BAN logic is its lack of a formal definition for an underlying semantics upon which the soundness of the axiom system is based. As a result, the logic as a theorem proving system may be considered unsound. As another result, some axioms even lack a meaningful type; for example, in the nonce-verification rule listed in (17.4.1), Q believes X has a type error for most cases of X (a nonce): X is normally not a logical formula even after idealization. (We have made a necessary correction in our interpretation of the meaning of the nonce-verification rule.)

Attempts at providing the underlying semantics and arguing the soundness of the BAN logic have been made [3, 286].
Notable extensions to the BAN logic include the GNY logic of Gong, Needham and Yahalom [131], an extension of van Oorschot [292] and Kailar's accountability logic [156].
The GNY logic extension includes the notion of recognizability, which is based on specifying the type information of protocol messages so as to prevent type flaws, and the notion of a message being possessed by a principal as a result of inventing or recognizing the message.
The extension of van Oorschot is to facilitate examination of public-key based authenticated key establishment protocols. The extended logic is used to analyze three Diffie-Hellman based key agreement protocols which include the STS Protocol (Prot 11.6, which we have examined in 11.6.1).
In Kailar's extension, Kailar convincingly argued that in e-commerce applications it is accountability and not belief that is important, and provided a syntax which allows such properties to be expressed and a set of proof rules for verifying them. Similar to the BAN logic, these three extensions lack a formal semantic model for the soundness of the logics.
Nevertheless, the BAN logic is undoubtedly an important seminal work. It has inspired the start of formal approaches to the analysis of authentication protocols.

17.5 Formal Analysis Techniques: State System Exploration
Another popular approach to formal analysis of complex systems' behavior models a complex system into a (finite) state system. Properties of a state system can be expressed by some state satisfaction relations. The analysis of the behavior of a system usually involves a state space exploration to check whether or not certain properties will or will not be satisfied. The methodology is usually called model checking.
In general, model checking can be a methodology for guarding against certain undesirable properties so that they never occur, or one for making sure that certain desirable properties do eventually occur. The former kind of checking is usually considered for safety of a system, while the latter kind of checking is for liveness of a system.
It seems that checking in the safety direction is more relevant for the model checking technique to be applied to the analysis of authentication protocols.
17.5.1 Model Checking
A model checking approach can be described as follows (we will use some concrete examples in our description):
The operational behavior of a finite state system is modeled by a finite state transition system which can make state transitions by interacting with its environment on a set of events; such a system is called a "labeled transition system" (LTS).
- For example, our single-tape Turing machine Div3 given in Example 4.1 is an LTS which can make state transitions by scanning a bit string on its input tape.
Each state of an LTS is interpreted mechanically into (or assigned with) a logical formula.
- For example, each state of the machine Div3 can be interpreted into a propositional logic statement in {0, 1, 2}, each stating: "the bit string scanned so far represents an integer congruent to 0, 1, or 2 modulo 3," respectively.
A system property which is the target of an analysis is also explicitly interpreted into a logical formula.
- For example, a target statement for the machine Div3 can be "an accepted bit string is an integer divisible by 3."
An LTS is symbolically executed; a symbolic execution produces a "trace"
where f_0, ..., f_n are logical formulae and e_1, ..., e_n are events.

- For example, all bit strings in all traces accepted by the machine Div3 form the language DIV3.
A mechanical procedure can check whether or not a target formula is satisfiable by any formula in any trace; here satisfiability means that the target formula is a logical consequence of a formula in a trace.
- For example, for the machine Div3, it is mechanically checkable that any terminating trace satisfies the target formula "an accepted bit string represents an integer divisible by 3."
We should notice that, unlike in the case of theorem proving where a theorem must be an assertion of a desired goal of a system, in model checking, a target formula can model an undesirable property of the system as well as a desirable one. For example,
"Malice knows the newly distributed session key K"
is a formula modeling an undesirable property for a key distribution protocol specified to run by other principals. In the case of a target formula modeling an undesirable property, the result of a satisfiability check produces a trace which provides an explicit description of a system error. Therefore, a model checking approach can work in the mode for finding an error in a system.
We should emphasize that checking for flaws will be the main working mode for a model checking technique applied to the analysis of authentication protocols.
17.5.1.1 System Composition in Model Checking
When we design a complex system it is usually easier to build it up from simpler components. For example, if we want to design a Turing machine which accepts bit strings divisible by 6 (let's denote the machine by Div6), a simple method for us to do the job can be to design a machine which accepts even numbers (let's denote such a machine by Div2) and Div3 (which has been given in Example 4.1) and then to compose the latter two machines by a "conjunctive composition." It is quite possible that designing Div2 and Div3 is easier than designing Div6 from scratch.
In this conjunctive composition, Div2 and Div3 scan their respective input tapes with the identical content, and the two machines are concurrently synchronized, namely, they make every move at the same time. Let the composed machine accept an input if and only if both component machines accept the input. Now it is obvious that this composition method does arrive at a correct Div6 (a concrete realization of such a "conjunctive composition" will be exemplified in 17.5.3).
For a more convincing example, a "disjunctive composition" of Div2 and Div3 will produce a machine to accept strings divisible by 2 or by 3, i.e., it accepts any number in the following sequence:
0, 2, 3, 4, 6, 8, 9, 10, 12, 14, 15, ...
Here, "disjunctive composition" means that the composed machine should terminate with acceptance whenever either Div2 or Div3 does. Clearly, designing a machine with this rather awkward behavior, if not using our composition method, can be rather an awkward job too.
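As an added example (not from the book), the following Python code realizes the model checking steps of 17.5.1 (LTS, per-state formula, trace, mechanical check of a target formula) and the synchronized conjunctive and disjunctive compositions of Div2 and Div3 just described. The bit order (most-significant bit first, so Div3's state is the residue modulo 3 and Div2's state is the last bit read) and the wording of the state formulae are my assumptions; the bounded exploration enumerates every bit string up to a given length.

```python
"""LTSs for Div2 and Div3, their compositions, and a bounded state-space check (added example)."""
from itertools import product


class LTS:
    """Finite labeled transition system over the events '0' and '1'.
    `formula(state)` is the logical statement assigned to a state."""

    def __init__(self, start, delta, accepting, formula):
        self.start, self.delta, self.accepting, self.formula = start, delta, accepting, formula

    def trace(self, bits):
        """Symbolic execution: the trace f0 -e1-> f1 ... -en-> fn as a flat list
        [f0, e1, f1, ..., en, fn]."""
        s, out = self.start, [self.formula(self.start)]
        for e in bits:
            s = self.delta(s, e)
            out += [e, self.formula(s)]
        return out

    def accepts(self, bits):
        s = self.start
        for e in bits:
            s = self.delta(s, e)
        return self.accepting(s)


def div3():
    # assumption: bits arrive most-significant first, so the state is the value mod 3
    return LTS(0, lambda s, b: (2 * s + int(b)) % 3, lambda s: s == 0,
               lambda s: f"the bit string scanned so far is congruent to {s} modulo 3")


def div2():
    # with the same bit order the last bit read decides parity; the empty string stands for 0
    return LTS(0, lambda s, b: int(b), lambda s: s == 0,
               lambda s: f"the bit string scanned so far is congruent to {s} modulo 2")


def compose(m1, m2, combine, word):
    """Synchronized product: both components consume every event at the same time;
    `combine` decides acceptance from the two component verdicts."""
    return LTS((m1.start, m2.start),
               lambda s, b: (m1.delta(s[0], b), m2.delta(s[1], b)),
               lambda s: combine(m1.accepting(s[0]), m2.accepting(s[1])),
               lambda s: f"({m1.formula(s[0])}) {word} ({m2.formula(s[1])})")


def conjunctive(m1, m2):      # accept iff both accept  -> Div6 from Div2 and Div3
    return compose(m1, m2, lambda a, b: a and b, "and")


def disjunctive(m1, m2):      # accept iff either accepts
    return compose(m1, m2, lambda a, b: a or b, "or")


def all_strings(max_len):
    for n in range(max_len + 1):
        for t in product("01", repeat=n):
            yield "".join(t)


def value(bits):
    return int(bits, 2) if bits else 0


def accepted_values(lts, max_len):
    """Integers (as bit strings of up to max_len bits) the LTS accepts."""
    return {value(w) for w in all_strings(max_len) if lts.accepts(w)}


def check(lts, target, max_len):
    """Bounded model check of the target formula 'every accepted bit string
    satisfies target'. Returns None if it holds on all traces up to max_len
    events, otherwise the offending trace: an explicit description of the error."""
    for w in all_strings(max_len):
        if lts.accepts(w) and not target(value(w)):
            return lts.trace(w)
    return None


if __name__ == "__main__":
    div6 = conjunctive(div2(), div3())
    print(sorted(accepted_values(div6, 5)))                     # [0, 6, 12, 18, 24, 30]
    print(sorted(accepted_values(disjunctive(div2(), div3()), 4)))
    print(check(div6, lambda v: v % 6 == 0, 8))                 # None: property holds
    print(check(div2(), lambda v: v % 4 == 0, 3))               # counterexample trace for "10"
```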
The task for finding flaws in authentication protocols via a model checking approach can also be simplified by a system composition method.
I n fact , t he pr obl em for fi nding fl aws fr om an aut hent i cat i on pr ot ocol i s a process of exami ni ng a
syst em whi ch i s al ways l ar ger t han t he syst em whi ch r epresent s t he speci fi ed par t of t he
pr ot ocol . A pr ot ocol speci fi cat i on, at best , only descr i bes how legi t i mat e prot ocol par t i ci pant s
shoul d act . A successf ul at t ack, however , wi l l al way s descr i be t he behavi or of a lar ger sy st em in
whi ch Mal ice l i ves "in harmony " wit h ( some of ) t he l egit imat e par t i ci pant s ( i . e. , Mal ice
successful l y cheat s a pr i nci pal or uncover s a secret wit hout bei ng det ect ed) .
Ther ef or e, in a model checki ng approach t o aut hent i cat i on pr ot ocols anal ysi s, not onl y wi l l t he
l egi t i mat e par t i ci pant s' r oles speci fi ed i n a pr ot ocol be model ed, but al so wi l l some t y pi cal
behavi or of Mal i ce be model ed ( we wi l l see l at er how t o model t he t y pi cal behavi or of Mal i ce) .
Each of t hese modeled component par t s i s an LTS. They wil l be composed i nt o a l ar ger LTS
whi ch is t hen checked. A composi t i on operat i on i n a model checki ng t ool oft en model s
asynchr onous communi cat i ons bet ween sy st em component s. Here, " asy nchr onous" means t hat
t he composed sy st em may make a move as a r esul t of one of t he component subsy st em maki ng
a move. Thi s model s t he si t uat i on t hat Mal ice's moves may be i ndependent fr om t hose of t he
honest pr ot ocol par t i cipant s.
I n t he very begi nni ng of our i nt r oduct i on t o t he model checki ng appr oach we have emphasi zed
t hat such an appr oach i s sui t abl e t o deal wi t h a fi ni t e st at e sy st ems. I ndeed, a model checki ng
t echni que can only deal wi t h sy st ems whi ch can be model ed i nt o a f i ni t e st at e LTS. I n
aut hent i cat ion prot ocol s anal y si s, t hi s l i mit at ion r equi r es t hat Mal i ce is a comput at ional ly
bounded pr i nci pal : act i ons whi ch r el at e t o unbounded comput at i onal power wi l l not be
consi dered.
Model checking methods frequently face a "state explosion" problem: a system maps to a large LTS of too many states so that the computing resources cannot cope with it. This problem can be particularly acute when the system being analyzed is a large software or hardware system. Such a system tends to be modeled by a huge state space. Fortunately, under the reasonable assumption that Malice is computationally bounded, most authentication protocols can be modeled by rather small LTSs. Therefore, model checking techniques are particularly suitable for the analysis of authentication protocols.
Now let us provide a brief introduction to two model checking techniques for authentication protocols analysis.
17.5.2 The NRL Protocol Analyzer
Meadows developed a PROLOG-based protocol checking tool named the NRL Protocol Analyzer, where "NRL" stands for Naval Research Laboratory of the United States of America [194].
Like other methodologies for authentication protocols analysis, the NRL Protocol Analyzer is also based on the Dolev and Yao threat model of communications [101] (see 2.3). So Malice is able to observe all message traffic over the network, intercept, read, modify or destroy messages, perform transformation operations on the intercepted messages (such as encryption or decryption, as long as he has in his possession the correct keys), and send his messages to other principals by masquerading as some principal. However, Malice's computational capability is polynomially bounded, therefore there is a set of "words" that Malice does not know for granted at the beginning of a protocol run, and these words should remain unknown to him after an execution of the protocol if the protocol is secure. This set of words can be secret messages or cryptographic keys which a protocol is meant to protect. Let us call this set of words "forbidden words."
In addition to being a model checking method, the NRL also has the flavor of a term-rewriting
system. It uses a modified version of the Dolev-Yao threat model which is called the "term-rewriting Dolev-Yao model." We can think of Malice as manipulating a term-rewriting system. If the goal of Malice is to find out a forbidden word, then the problem of proving a protocol secure becomes a word problem in a term-rewriting system: forbidden words should remain forbidden. Equivalently, the problem of showing a protocol insecure becomes to establish a term-rewriting sequence which demonstrates that some "forbidden words" can become available to Malice.
In the NRL Protocol Analyzer, a protocol is modeled by a "global" finite-state system. The global state system is composed of a few "local" state systems together with some state information for Malice. Each local state system describes an honest principal who participates in the protocol. This way of building up the system behavior follows the standard methodology for constructing a complex system from more easily comprehensible components (see 17.5.1.1).
Malice's involvement in the global state system models how he can generate his knowledge as a result of a protocol execution. Malice's goal is to generate a "forbidden word," maybe via his involvement in the global state system which models his attempt to cause honest principals to reach certain states that are incompatible with the aimed function of the protocol. Such a state is called an "insecure state." If a protocol contains a flaw, then an insecure state should be reachable. Under the term-rewriting model, reaching an insecure state is equivalent to establishing a term-rewriting sequence which demonstrates that some words which should not be available to Malice (i.e., "forbidden words") can become available to him.
In the NRL Protocol Analyzer a set of state transition rules are defined. A transition rule can be "fired" when some conditions hold, and after "firing" of a rule some consequence will occur:
Before a rule can be fired:
- Malice must be assigned some words;
- the related local states must be associated with some values;
After a rule is fired:
- some words will be output by an honest principal (and hence learned by Malice);
- the related local states will be associated with some new values.
The words involved in these rules obey a set of term-rewriting rules. Typically, there are three rules used to capture the notion of equality and the fact that encryption and decryption are inverse functions. These rules are:
encrypt(X, decrypt(X, Y)) → Y
decrypt(X, encrypt(X, Y)) → Y
id_check(X, X) → YES
To perform an analysis, the user of the NRL Protocol Analyzer queries it by presenting it with a description of a state in terms of words known by Malice (i.e., a description of an insecure state). The NRL Protocol Analyzer then searches backward in an attempt to find the initial state of the global state system. This is accomplished naturally in PROLOG by attempting to unify the current state against the right hand side of a term-rewriting rule and thus reducing from the left hand side what the state description for the previous state must be. If the initial state is found, then the system is indeed insecure; otherwise an attempt is made to prove that the insecure state is unreachable by showing that any state that leads to this particular state is also unreachable. This kind of search often leads to an infinite trace where in order for Malice to learn a word A, he
must learn word B, and in order to learn word B, he must learn word C, and so on. The Analyzer includes certain features that allow the user to prove lemmas about the unreachability of classes of states. Eventually, the goal is to reduce the state space to one small enough to be examined by exhaustive search to determine whether or not an attack on the protocol is possible.
We should notice that the main algorithm used in the NRL Protocol Analyzer answers a state reachability problem. It is well known that such algorithms are not guaranteed to terminate. Therefore a limit is placed on the number of recursive calls allowed for some of the checking routines. Using the tool seems to require quite a high level of user expertise in accurately coding the transition rules for a protocol and in specifying insecure states. The tool also has an inherent limitation in being particularly applicable to protocols for key establishment.
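As an added illustration of the "forbidden words" word problem and of the backward, goal-directed search with a recursion limit described above (this is example code written for this edition; it is neither the NRL Protocol Analyzer nor code from the book), the following Python models words as terms, applies the three rewriting rules, and asks, for each forbidden word, whether Malice can learn it from his initial knowledge plus the messages of a run. The toy key-distribution run, the names Kas, Kbs, Kab and Nb, and the Dolev-Yao style derivation steps (split a pair, decrypt under a key he can learn, build a pair or ciphertext from parts he can learn) are all assumptions constructed for the example; the recursion limit plays the role of the limit on recursive calls that the text mentions, and a hit on it is reported as "undecided" rather than as "secure".

```python
from typing import Dict, Iterator, List, Optional, Set, Tuple, Union

Term = Union[str, tuple]   # atoms (names, keys, nonces) are strings; compound terms are tagged tuples


def enc(k: Term, m: Term) -> Term:
    return ("enc", k, m)


def dec(k: Term, m: Term) -> Term:
    return ("dec", k, m)


def pair(a: Term, b: Term) -> Term:
    return ("pair", a, b)


def id_check(x: Term, y: Term) -> Term:
    return ("id_check", x, y)


def normalize(t: Term) -> Term:
    """Apply the three term-rewriting rules of the text bottom-up until none fires."""
    if isinstance(t, str):
        return t
    tag, left, right = (normalize(x) for x in t)
    if tag == "enc" and isinstance(right, tuple) and right[0] == "dec" and right[1] == left:
        return right[2]                      # encrypt(X, decrypt(X, Y)) -> Y
    if tag == "dec" and isinstance(right, tuple) and right[0] == "enc" and right[1] == left:
        return right[2]                      # decrypt(X, encrypt(X, Y)) -> Y
    if tag == "id_check" and left == right:
        return "YES"                         # id_check(X, X) -> YES
    return (tag, left, right)


def keys_needed(container: Term, goal: Term, needed: Tuple[Term, ...] = ()) -> Iterator[Tuple[Term, ...]]:
    """Every way `goal` sits inside `container`, as the tuple of keys (outermost first) that
    Malice would have to hold to decrypt his way down to it. Splitting a pair is free."""
    if container == goal:
        yield needed
    elif isinstance(container, tuple) and container[0] == "pair":
        for part in container[1:]:
            yield from keys_needed(part, goal, needed)
    elif isinstance(container, tuple) and container[0] == "enc":
        yield from keys_needed(container[2], goal, needed + (container[1],))


class Analyzer:
    """Backward search from a word Malice wants, in the goal-directed style of the NRL tool:
    to learn A he must learn B, to learn B he must learn C, and so on (assumed rules)."""

    def __init__(self, known: Set[Term], max_depth: int = 8) -> None:
        self.known = {normalize(t) for t in known}
        self.max_depth = max_depth
        self.chain: List[Tuple[Term, Term]] = []     # (word learned, key that unlocked it)

    def learnable(self, goal: Term, depth: int = 0) -> Optional[bool]:
        """True: Malice can derive goal; False: he cannot; None: undecided because the
        recursion limit was hit (the search is not guaranteed to terminate otherwise)."""
        goal = normalize(goal)
        if goal in self.known:
            return True
        if depth >= self.max_depth:
            return None
        undecided = False
        # Malice may build a pair or a ciphertext himself from parts he can learn.
        if isinstance(goal, tuple) and goal[0] in ("pair", "enc"):
            parts = [self.learnable(x, depth + 1) for x in goal[1:]]
            if all(p is True for p in parts):
                return True
            undecided |= any(p is None for p in parts)
        # Or he may dig the goal out of a word he already holds, if he can learn the keys.
        for word in self.known:
            for keys in keys_needed(word, goal):
                results = [self.learnable(k, depth + 1) for k in keys]
                if all(r is True for r in results):
                    if keys:
                        self.chain.append((goal, keys[-1]))
                    return True
                undecided |= any(r is None for r in results)
        return None if undecided else False


# Constructed toy key-distribution run (an illustration, not a real protocol): server S shares
# Kas with A and Kbs with B and hands out a session key Kab; B then protects its nonce Nb under Kab.
RUN = [enc("Kas", pair("Kab", "B")), enc("Kbs", pair("Kab", "A")), enc("Kab", "Nb")]
MALICE_INITIAL: Set[Term] = {"A", "B", "S"}        # public identities only
FORBIDDEN = ["Kab", "Nb"]


def check_forbidden(extra_known: Set[Term]) -> Dict[Term, Optional[bool]]:
    """Query the insecure state 'Malice knows w' for each forbidden word w."""
    an = Analyzer(MALICE_INITIAL | extra_known | set(RUN))
    return {w: an.learnable(w) for w in FORBIDDEN}


def compromise_chain(extra_known: Set[Term]) -> List[Tuple[Term, Term]]:
    """The 'to learn A he must learn B' chain the search followed while going for Nb."""
    an = Analyzer(MALICE_INITIAL | extra_known | set(RUN))
    an.learnable("Nb")
    return an.chain
```

With Malice holding only the identities, `check_forbidden(set())` reports both forbidden words as not learnable. Querying the insecure state in which B's long-term key has leaked, `check_forbidden({"Kbs"})`, reports both as learnable, and `compromise_chain({"Kbs"})` returns the chain Kab unlocked by Kbs, then Nb unlocked by Kab. A self-referential word such as enc("K", "K") drives the search to the depth limit and yields None, which is the situation the recursion limit in the text guards against.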
The NRL Protocol Analyzer has been used to analyze a number of authentication protocols and has successfully found or demonstrated known flaws in some of them. These protocols include the Needham-Schroeder Public-key Authentication Protocol (Prot 2.5) [193] (for the analysis of this protocol Meadows provided a comparison between the analysis using the NRL Protocol Analyzer and Lowe's analysis using the model checker FDR in [181]), a "selective broadcast protocol" of Simmons [192, 274], the Tatebayashi-Matsuzaki-Newman protocol [160], the Internet Key Exchange protocol (IKE, see 12.2.3, a reflection attack is found in the signature based "Phase 2" exchange protocol) [135, 195] and the Secure Electronic Transaction protocols (SET) [259, 196].
17.5.3 The CSP Approach
CSP stands for Communicating Sequential Processes and is mainly the work of Hoare [137]. The name was later changed to TCSP (Theoretical CSP) [60] after a renovation on its semantics. Finally in [138], TCSP was renamed back to CSP.
CSP belongs to a family of systems named process algebra. It follows an algebraic approach to the construction of an abstract computational structure (see Chapter 5). As an algebra, CSP is a language of terms upon which a few operations are defined. These operations obey a "Closure Axiom" which means that the CSP terms form a closure upon these operations (review Definitions 5.1, 5.12 and 5.13 in Chapter 5). Each operation is associated with an operational semantics to provide the meaning for the term constructed. We will see the basic CSP operations and terms in a moment.
17.5.3.1 Actions and Events
In CSP, a system is modeled in terms of the actions that it can perform. An action is a finite sequence of events occurring sequentially, which includes a sequence of zero length which models "doing nothing." The set of all possible events (fixed at the beginning of the analysis) is called the alphabet of a process and is denoted Σ. Thus, for any action a, we have a ∈ Σ*. An example of alphabet for several processes to be given in a moment is Σ = {0, 1}, and an example of an action which can be performed by these processes is a bit string of certain property (to be clear in a moment).
In the case of CSP modeling protocols or communication systems, an action can be an atomic message, or a sequence of messages. If M and N are sequences of messages, then M.N is also a sequence of messages. Sometimes we can omit the symbol "." from a sequence of messages without causing trouble in understanding.
17.5.3.2 Processes
Processes are the components of systems. They are the entities that are described using CSP, and they are described in terms of the possible actions that they may engage in. Fig 17.1 lists the most basic CSP processes and their associated operational semantics.
Figure 17.1. The CSP Language
STOP ("inaction:" do nothing);
a → P ("prefix:" perform action a and then behave like P);
P □ Q ("deterministic choice:" behave like P or Q reactively according to external action occurred in the environment);
P ⊓ Q ("nondeterministic choice:" behave like P or Q with no clear reason, perhaps due to the weather);
P / a ("concealment:" pay no attention to action a);
μX.P(X) ("recursion:" iterate the behavior of P with X being a variable);
P || Q ("concurrency:" P and Q communicate and evolve together when both can perform the same action);
P ||| Q ("interleaving:" P and Q are composed without communication, meaning: they do not have to perform the same action).
The basic operations in Fig 17.1 are the basic building blocks for constructing a CSP process to model and describe the behavior of a finite state system. With these building blocks and the associated operational semantics, the CSP language is powerful enough to describe a complex finite-state system.
For example, our Turing machine Div3 given in Example 4.1, which is a finite-state system, can be re-specified concisely by a CSP process which is given in Example 17.1. This CSP specification only uses "prefix," "deterministic choice" and "recursion" operations.
Example 17.1. CSP Specification of Div3
The process Div3 is defined from a number of sub-processes in a recursive manner. All the sub-processes, except STOP, react on events in Σ = {0, 1};[a] STOP reacts on nothing to mean termination. It is easy to verify that Div3 has the following behavior:
where for the meaning of the language DIV3, see Example 4.1.
[a] In fact, recall our stipulation in 17.5.3.1 on eliding an atomic action {e} into e; these subprocesses, except STOP, react on atomic actions {0} and {1} in Σ*; S0 also reacts on the empty action {} which leads Div3 to termination.
17.5.3.3 Traces
The semantics of a process P is defined as the set of sequences of events, denoted traces(P), that it may possibly perform. Examples of traces include {} (the empty trace) and 1001 (a possible trace of Div3).
An operation "." is defined on two sets of traces T, T' as follows:
where the concatenated sequence tr.tr' has been defined in 17.5.3.1.
17.5.3.4 Analyzing Processes
A process P satisfies a language (e.g., a specification) L, written P sat L, if all of its traces are part of L.
A process P refines a process Q if traces(P) ⊆ traces(Q). This means that if Q satisfies L (i.e., Q sat L) then P will also satisfy it.
For example, Div3 sat DIV3 ∪ {} since traces(Div3) = DIV3 ∪ {}. Moreover, Div3 refines a process which performs all bit strings. Also, we naturally have that STOP refines Div3 (STOP refines any process). In a moment, we shall see a non-trivial process which refines Div3.
Model-checking techniques allow the refinement relation to be checked mechanically for finite-state processes using the tool named Failures Divergences Refinement [248] (FDR, a product of Formal Systems (Europe) Ltd; for details, visit their web site http://www.fsel.com/index.html).
17.5.3.5 System Composition in CSP
In 17.5.1.1 we have argued that system composition plays a crucially important role in a model checking technique. In CSP, system composition is achieved in a mechanical manner by applying "concurrency" and "interleaving" operations (these two operations together form CSP's system composition operation).
We provide here an example to show the power of CSP's composition operation. In 17.5.1.1 we have suggested a method to realize Div6, a machine accepting bit strings which are integers divisible by 6. That method considers Div6 as the joint running of Div2 and Div3, which accepts a string when both sub-machines do. Although the method is not complex, it is only an abstract idea and does not provide a concrete construction for Div6.
Now, if we have constructed Div2 and Div3 in CSP, then Div6 can be built mechanically by composing the CSP specifications of Div2 and Div3, and the result is a concrete CSP specification for Div6. First, Div2 is simple enough to construct directly, and is given in Example 17.2.
Example 17.2. CSP Specification of Div2
Now, the mechanical composition of Div6 is achieved by applying CSP's "concurrency" operation, and is given in Example 17.3.
Example 17.3. CSP Composition Construction of Div6
In Example 17.3,
STOP || STOP = STOP
is a CSP axiom named "absorption axiom" (absorption for ||), which is obviously true since both sides of the equation can perform nothing.
The mechanically composed version of Div6 does realize the machine correctly (the reader may test it with several numerical examples, though such tests do not form a proof of correctness). The mechanical model checker FDR will be able to confirm that Div6 refines Div3, and that it refines Div2. These two confirmations should constitute a proof that Div6 is indeed a correct realization of the aimed machine.
We can also mechanically construct a machine from Div2 and Div3 which accepts integer strings divisible by 2 or 3. This mechanical composition can be achieved by (i) applying the "interleaving" operation where "interleaving" is switched to "concurrency" whenever two terms being composed can perform the same action, and (ii) by applying the following "deadlock axiom" in CSP:
STOP ||| P = STOP || P = P ||| STOP = P || STOP = STOP.
The resultant machine will be rather big (will have many states) and therefore we shall not explicitly provide its specification.
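Examples 17.1 to 17.3 are not reproduced on this page, so the following Python is an added illustration (written for this edition, not the book's own specifications and not FDR) of the trace semantics of 17.5.3.3, the refinement relation of 17.5.3.4, and the mechanical composition of Div6 from Div2 and Div3 just described. It implements only the operations those examples need: STOP, prefix, deterministic choice, recursion via named definitions, and concurrency; nondeterministic choice and concealment are left out. One encoding decision is an assumption of this example: Div_d offers an extra event "done" only in its remainder-zero state, so the bit string before "done" in a trace is exactly a binary integer divisible by d (the book's Example 17.1 encodes termination differently). Traces are enumerated up to a chosen length, which is all a finite check can do, and the Par class synchronizes on a chosen alphabet while interleaving the rest, which is the asynchronous composition of 17.5.1 in miniature.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Event = str
Trace = Tuple[Event, ...]


@dataclass(frozen=True)
class Proc:
    """A CSP term. step(e) returns the processes it may become after performing e."""
    def step(self, e: Event) -> Set["Proc"]:
        return set()


@dataclass(frozen=True)
class Stop(Proc):
    """STOP: inaction, no transitions at all."""


@dataclass(frozen=True)
class Prefix(Proc):
    """a -> P: perform `event`, then behave like `then`."""
    event: Event
    then: Proc

    def step(self, e: Event) -> Set[Proc]:
        return {self.then} if e == self.event else set()


@dataclass(frozen=True)
class Choice(Proc):
    """P [] Q (deterministic choice): the event offered by the environment picks the branch."""
    left: Proc
    right: Proc

    def step(self, e: Event) -> Set[Proc]:
        return self.left.step(e) | self.right.step(e)


@dataclass(frozen=True)
class Ref(Proc):
    """Named process looked up in DEFS; a definition may mention its own Ref (recursion)."""
    name: str

    def step(self, e: Event) -> Set[Proc]:
        return DEFS[self.name].step(e)


@dataclass(frozen=True)
class Par(Proc):
    """P || Q: events in `sync` need both sides to perform them; other events interleave."""
    left: Proc
    right: Proc
    sync: FrozenSet[Event]

    def step(self, e: Event) -> Set[Proc]:
        if e in self.sync:
            return {Par(l, r, self.sync)
                    for l in self.left.step(e) for r in self.right.step(e)}
        return ({Par(l, self.right, self.sync) for l in self.left.step(e)}
                | {Par(self.left, r, self.sync) for r in self.right.step(e)})


DEFS: Dict[str, Proc] = {}
# Sigma = {0, 1} plus "done", this example's (assumed) encoding of the termination step.
ALPHA: FrozenSet[Event] = frozenset({"0", "1", "done"})


def divisor_process(d: int) -> Proc:
    """Div_d: state R_r remembers the bits read so far (most significant first) mod d.
    Reading bit b moves r to (2r + b) mod d; "done" is offered only in R_0, so a trace
    ending in "done" spells out exactly a binary integer divisible by d."""
    for r in range(d):
        bits = Choice(Prefix("0", Ref(f"D{d}R{(2 * r) % d}")),
                      Prefix("1", Ref(f"D{d}R{(2 * r + 1) % d}")))
        DEFS[f"D{d}R{r}"] = Choice(bits, Prefix("done", Stop())) if r == 0 else bits
    return Ref(f"D{d}R0")


def traces(p: Proc, max_len: int) -> Set[Trace]:
    """All traces of p of length at most max_len (the set is prefix-closed)."""
    found: Set[Trace] = set()
    frontier = {((), p)}
    while frontier:
        nxt = set()
        for tr, q in frontier:
            found.add(tr)
            if len(tr) < max_len:
                for e in sorted(ALPHA):
                    nxt.update((tr + (e,), q2) for q2 in q.step(e))
        frontier = nxt
    return found


def refines(p: Proc, q: Proc, max_len: int) -> bool:
    """Trace refinement, traces(P) a subset of traces(Q), checked up to max_len."""
    return traces(p, max_len) <= traces(q, max_len)


def accepted(p: Proc, max_len: int) -> Set[str]:
    """Bit strings of length at most max_len after which p can perform "done"."""
    return {"".join(tr[:-1]) for tr in traces(p, max_len + 1) if tr and tr[-1] == "done"}


def brute_force(d: int, max_len: int) -> Set[str]:
    """Reference answer: bit strings (leading zeros allowed, empty string included to match
    the process's immediate "done") that name a multiple of d."""
    return {""} | {format(v, f"0{n}b") for n in range(1, max_len + 1)
                   for v in range(2 ** n) if v % d == 0}


DIV2 = divisor_process(2)
DIV3 = divisor_process(3)
DIV6 = Par(DIV2, DIV3, ALPHA)      # mechanical composition by concurrency, as in Example 17.3
```

With these definitions, accepted(DIV6, 5) equals brute_force(6, 5), refines(DIV6, DIV3, 6) and refines(DIV6, DIV2, 6) both hold while refines(DIV3, DIV6, 6) does not (the trace 1, 1, done of Div3 names 3), Stop() refines every process, and Par(Stop(), Stop(), ALPHA) has the single trace () just like Stop(), which is the absorption axiom read in the traces model. An FDR-style check differs from this one in that it decides refinement for the whole infinite trace set of a finite-state process rather than for traces up to a length bound.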
17.5.3.6 Analysis of Security Protocols
The usefulness of the composition operation in CSP makes CSP particularly suitable for modeling and describing the behavior of concurrency and communication systems. It is this feature of CSP that has inspired some researchers to argue for its suitability for formal analysis of authentication protocols [249, 253, 250]. In addition, there exists a model checker tool FDR [248] which is tailored to check CSP processes for refinement relations. Lowe applied the FDR model checker and successfully uncovered a previously unknown error in the Needham-Schroeder Public-key Authentication Protocol [181].
Figure 17.2. The CSP Entailment Axioms
When analysing the property of confidentiality of messages, an "entailment" relation I ⊢ m captures how a piece of information can be derived from available information. Fig 17.2 specifies the entailment axioms for information derivation.
For example, we have
and
but not
The entailment axioms intuitively model how Malice derives information. When Malice is trying to defeat the (confidentiality) goal of a protocol, he can use an initial set of information he has in his possession and some protocol messages which have been sent to the network. By way of information derivation, I is in principle an infinite set. However, in reality, given a protocol, we can always limit I to a finite set of "interesting" information. Moreover, researchers have taken advantage of the fact that there is no need to actually construct I. It suffices to check I ⊢ m for some finite number of messages m.
In summary, in the CSP approach, the use of a mechanical tool is an important element for analysis of system behavior. The mechanical tool applies a set of intuitively defined rules. For example, in system construction, a composition tool can build a larger system from composing smaller components by applying the semantic rules given in Fig 17.1; in process refinement checking, a tool can check trace relations by applying the definition for refinement (see 17.5.3.4), and in information derivation, a tool can apply the entailment axioms in Fig 17.2.
The syntax of CSP, in particular the fact that it involves communications among system components, is rather unsuitable for being comfortably comprehended by humans, although it causes no trouble when being dealt with by a mechanical checker. (We should notice that our mechanical construction of Div6 in Example 17.3 using CSP's composition operation is succinct because it does not involve any communications between Div2 and Div3; these two components concurrently communicate with the environment, which need not be specified.) Since authentication protocols involve communications among several principals, it is far from straightforward to present the CSP model for authentication protocols to most readers of this book who are not specialists in the formal methods areas. The interested reader is referred to a textbook by Ryan and Schneider [250].

17.6 Reconciling Two Views of Formal Techniques for Security

Since Chapter 14, we have been seeing two distinct views of formal reasoning about security. One view, named the computational view, which we introduced in Chapter 14 and revisited in 17.3, is based on a detailed computational model. Let us take security for encryption (i.e., confidentiality) for example. The computational view considers confidentiality as the difficulty of distinguishing plaintexts, that is, an attacker, given two plaintexts and a ciphertext which encrypts one of the former, cannot decide which of the two plaintexts has been encrypted. Reasoning about security is usually conducted by constructing a "reduction to contradiction" style of proof where the "contradiction" is an efficient solution to a widely believed difficult problem in the area of computational complexity.

The other view, named the symbolic view, which we introduced in 17.4 and 17.5, relies on simple but effective formal language approaches. Let us, again, take security for encryption for example. The symbolic view considers confidentiality as the difficulty of finding the plaintext by mechanical application of the entailment axioms in Fig 17.2. The mechanical application of the axioms can be based either on theorem proving techniques or on state system exploration techniques.

These two views come from two mostly separate communities. An uncomfortable gap between them and, indeed, between the two communities, has long been noticed. The symbolic view is desirably simple; however, it may sometimes mislead researchers into reaching a wrong conclusion due to oversimplification. For example, it is sometimes seen under the symbolic view that signing and encryption under the same private-public key pair "cancel each other", while in fact few public-key cryptographic algorithms, even textbook versions, do so. More often, encryption under the symbolic view is treated as a deterministic function, which may easily mislead security engineers into realizing it with some textbook encryption algorithm.
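To make the symbolic view concrete, here is an added example (not from the book): a small secrecy checker that closes an eavesdropper's knowledge under Dolev-Yao style entailment rules and asks whether a plaintext is derivable. The rules are an assumption standing in for the axioms of Fig 17.2, which are not reproduced on this page, and the protocol run it analyses is constructed for the illustration; note that the model treats every encryption as one fixed, deterministic term, which is exactly the oversimplification the text warns about.

```python
# Added example: a tiny symbolic (Dolev-Yao style) secrecy checker.
# The entailment rules are an ASSUMPTION standing in for the book's Fig 17.2.
# Encryption is a deterministic black box: {m}_k is one fixed term and the
# only way to recover m from it is to derive k.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Union


@dataclass(frozen=True)
class Atom:            # a nonce, a key, a plaintext, an agent name
    name: str


@dataclass(frozen=True)
class Pair:            # (left, right)
    left: "Term"
    right: "Term"


@dataclass(frozen=True)
class SymEnc:          # {msg}_key under a symmetric key
    msg: "Term"
    key: "Term"


@dataclass(frozen=True)
class PubEnc:          # {msg}_{pk(agent)}, opened only with sk(agent)
    msg: "Term"
    agent: str


@dataclass(frozen=True)
class Pub:             # pk(agent), assumed known to everybody
    agent: str


@dataclass(frozen=True)
class Priv:            # sk(agent)
    agent: str


Term = Union[Atom, Pair, SymEnc, PubEnc, Pub, Priv]


def can_build(t: Term, known: FrozenSet[Term]) -> bool:
    """Synthesis rules: t is derivable if it is known outright or can be
    composed (pairing, encryption) from derivable parts."""
    if t in known:
        return True
    if isinstance(t, Pair):
        return can_build(t.left, known) and can_build(t.right, known)
    if isinstance(t, SymEnc):
        return can_build(t.msg, known) and can_build(t.key, known)
    if isinstance(t, PubEnc):
        return can_build(t.msg, known) and can_build(Pub(t.agent), known)
    return False           # atoms and private keys cannot be manufactured


def analyse(known: Iterable[Term]) -> FrozenSet[Term]:
    """Analysis rules applied to a fixpoint: project pairs, and decrypt any
    ciphertext whose decryption key is itself derivable."""
    acc = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(acc):
            new: set = set()
            if isinstance(t, Pair):
                new = {t.left, t.right}
            elif isinstance(t, SymEnc) and can_build(t.key, frozenset(acc)):
                new = {t.msg}
            elif isinstance(t, PubEnc) and Priv(t.agent) in acc:
                new = {t.msg}
            if not new <= acc:
                acc |= new
                changed = True
    return frozenset(acc)


def derivable(target: Term, observed: Iterable[Term]) -> bool:
    """Can a party holding `observed` mechanically derive `target`?"""
    return can_build(target, analyse(observed))


# Constructed run of a simple key-transport exchange, as seen on the wire:
#   A -> B : {Na, Kab}_{pk(B)}     (session key sent under B's public key)
#   A -> B : {m}_{Kab}              (payload under the session key)
NA, KAB, M = Atom("Na"), Atom("Kab"), Atom("m")
MSG1 = PubEnc(Pair(NA, KAB), "B")
MSG2 = SymEnc(M, KAB)
OBSERVED: FrozenSet[Term] = frozenset({Pub("A"), Pub("B"), MSG1, MSG2})


def secrecy_report() -> dict:
    """Secrecy of m, with and without B's long-term private key exposed."""
    return {
        "m_secret_normally": not derivable(M, OBSERVED),
        "kab_secret_normally": not derivable(KAB, OBSERVED),
        "m_lost_if_skB_leaks": derivable(M, OBSERVED | {Priv("B")}),
    }


if __name__ == "__main__":
    for name, value in secrecy_report().items():
        print(f"{name}: {value}")
```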
Abadi and Rogaway dutifully started a work for bridging the gap [2]. They consider that connections between the symbolic view and the computational view should ultimately benefit one another. They elaborate:

    These connections should strengthen the foundations for formal cryptology, and help in elucidating implicit assumptions and gaps in formal methods. They should confirm or improve the relevance of formal proofs about a protocol to concrete instantiations of the protocol, making explicit requirements on the implementations of cryptographic operations. Methods for high-level reasoning seem necessary for computational cryptology as it treats increasingly complex systems. Symbolic approaches suggest such high-level reasoning principles, and even permit automated proofs. In addition, some symbolic approaches capture naive but powerful intuitions about cryptography; a link with those intuitions should increase the appeal and accessibility of computational cryptology.

The initial gap-bridging work of Abadi and Rogaway provides a computational justification for the symbolic treatment of encryption. The basic idea of their work is to show that these two views are "almost homomorphic." First, under the computational view, two indistinguishable ciphertexts are considered equivalent. Secondly, under the symbolic view, two ciphertexts which cannot be deemed meaningful using the entailment axioms are considered equivalent. They establish that equivalence of ciphertexts under the symbolic view necessarily implies that they are indistinguishable under the computational view. In this way, the computational view of security can be considered as a sound formal basis underpinning security in the symbolic view.

The initial gap-bridging work of Abadi and Rogaway also provides insight for conducting further work on formal treatments of security for other cryptographic primitives such as signatures, hash functions, authentication or authenticated key distribution protocols.

17.7 Chapter Summary

In this chapter we returned to the practically important subject of authentication protocols. However, our study here was on formal techniques for their correctness.

We began by arguing the need for a refined method for protocol specification. We identified that the imprecision of the widely used protocol specification method is responsible for the common pitfalls of misusing cryptographic services in authentication protocols. We then proposed a refined specification method and presented a few refined protocols to show the effectiveness of the refined method proposed.

We then introduced formal protocol analysis methodologies, both under a computational view of proving protocol correctness and under a symbolic manipulation view of model checking for protocol errors.

As both views have their advantages and limitations, we provided a discussion on a recent move for finding relations and reconciling conflict between the two views.

Formal analysis of authentication protocols is still a topic in an early stage of research and investigation. The material covered in this chapter inevitably has this feature too.

Exercises

17.1 The cipher-block chaining (CBC) mode of operation is widely used with block ciphers for producing randomized ciphertexts. Does it provide a confidentiality service under the "fit-for-application" security notion?
Hint: does the CBC mode of operation thwart an active attack?

17.2 In Chapter 2 we conducted a series of steps of attacking-and-fixing authentication protocols. Did our process there end up with any secure protocol? If not, why?

17.3 Use the refined protocol specification method to re-specify various exchanges of Kerberos (in 12.4.2). Provide the correct specifications for "authenticators."
Hint: review 12.4.3.

17.4 Misuse of cryptographic services is a common mistake in the design of authentication protocols and authenticated key exchange protocols. What is the most common form of the misuse?

17.5 The Bellare-Rogaway model for proving the correctness of authentication protocols is based on a "reduction-to-contradiction" approach. What "contradiction" does such a reduction lead to?

17.6 Can the Bellare-Rogaway model for proving the correctness of authentication protocols be applied to arbitrary authentication protocols?

17.7 Apply CSP "interleaving composition" to construct a CSP process which accepts integer strings divisible by 2 or 3.
Hint: review 17.5.3.5; one should use the CSP tool to do this as the resulting process is rather large.

Part VI: Cryptographic Protocols

Nowadays, more and more commerce activities, business transactions and government services are taking place and being offered over the Internet, in particular, via World Wide Web-based tools. Many of these applications require security services. Shopping, billing, banking, administration of job or university applications, and tax assessments are a few such examples. For these applications, authentication, confidentiality and non-repudiation are the most commonly needed security services. These services can be adequately offered by some simple cryptographic protocols, such as TLS (SSL, which we have introduced in Chapter 12).

However, there are many "fancier things" which can also be conducted on-line while the security services they need cannot be met by a simple protocol such as TLS. For example: micro-payments (how to keep transactions at a very low cost), electronic cash (how to offer spenders' anonymity while preventing extortion), auctions (how to separate the winning bid from the losing ones without opening the seals), voting (how to keep voters' anonymity and immunity from coercion), fair exchange (how to preserve fairness in spite of the participants' resource difference), timestamping and notarization (how to maintain a legally binding effect even when the underlying mechanism, e.g., a signature scheme used, breaks down in the future), timed key recovery (is a secret recoverable after exactly t multiplications).

"Fancier" security services are in general offered by "fancier" cryptographic protocols. This part contains two chapters. In Chapter 18 we introduce a class of cryptographic protocols called zero-knowledge protocols which forms a kernel technique underlying "fancier" services: proving a claimed property without disclosing a secret. In Chapter 19, we will conclude our work in this book by providing a concrete realization of our first protocol "Coin Flipping Over Telephone" (Prot 1.1). That realization provides a very strong solution to remote coin flipping where a strong and mutually trusted string of random bits is needed, yet the solution is a practical one in that the protocol uses widely available cryptographic techniques and achieves an efficiency similar to ordinary use of public-key cryptography.

Chapter 18. Zero-Knowledge Protocols

Section 18.1. Introduction
Section 18.2. Basic Definitions
Section 18.3. Zero-knowledge Properties
Section 18.4. Proof or Argument?
Section 18.5. Protocols with Two-sided-error
Section 18.6. Round Efficiency
Section 18.7. Non-interactive Zero-knowledge
Section 18.8. Chapter Summary
Exercises

18.1 Introduction

A basic problem in cryptography is a two-party interactive game in which one party (called the prover) proves to the other party (called the verifier) that a predicate of a statement holds true without letting the latter learn how to conduct the proof as the former does. Here, the verifier on its own cannot verify the predicate due to the lack of some information which is available to the prover. The game has the general name of interactive proof (IP) protocol (system). We can consider a proof conducted by an IP protocol as "proof in the dark." The phrase "in the dark" has two meanings: first, a verifier, after having been convinced of the validity of what is proved, cannot have learned the knowledge possessed by the prover in order to conduct the proof; secondly, after the protocol terminates, any other third party cannot see any meaningful thing which has taken place between the prover and the verifier.

With a bold imagination, a statement which needs a proof "in the dark" can be an affirmative answer to a famous open question in mathematics (e.g., the Goldbach Conjecture[a]). In this case, a prover who worries about the possibility that, were the knowhow technique demonstrated "in the open" to a reviewer, the latter might steal or rob her/his credibility, can conduct the proof "in the dark" by convincing the latter (now the verifier in the IP protocol) of the affirmative answer without providing any additional information about the knowhow.

[a] Every even integer greater than 2 can be represented as the sum of two primes.

In many real applications, there are many more serious reasons for conducting proofs "in the dark." Proof of identity as a means of authentication is a common application of IP protocols. Unlike the conventional way of authentication, e.g., by a subject issuing a digital signature, here a prover as the subject being authenticated does not want the communication transcripts for authentication to be visible to any third party other than the intended verifier, and hence authentication must be conducted "in the dark." Another common case of using IP protocols is to prove that a piece of hidden information has a certain structure; this is necessary in some security applications (e.g., in an auction application) in which a hidden number (a bid) must be in a valid range in order for the application to provide a fancy service (e.g., demonstrating x > y without opening k(x), k(y), which are sealed bids).

For IP protocols we are always concerned with two important questions:

Question I   How much information does a verifier gain during the course of an interactive proof?

Question II  How few interactions are needed for a prover to convince a verifier?

The ideal answer to Question I is none, or zero amount. An IP protocol with this quality is called a zero-knowledge (ZK) protocol. Question II has importance not only in practical applications of IP protocols, but also in the theory of computational complexity, since a quantitative answer to this problem for a given class of problems can mean discovery of a new lower bound of complexity.

In this chapter we shall study ZK protocols. Our study is a systematic introduction to various notions on the subject (including answering the above two questions). These notions are very important; however, many of them are based on background material which has been established and accumulated in many years of research papers but is not available in most textbooks in cryptography. In order to achieve a concrete understanding of them, we shall use many concrete protocols to exemplify these notions when they are introduced. We believe that this way of studying ZK protocols will ease the access to the subject.

18.1.1 Chapter Outline

18.2 introduces the basic concepts of IP systems. 18.3 introduces various ZK properties of IP protocols. 18.4 differentiates the notion of ZK proof from that of ZK argument. 18.5 studies the error-probability characterization of two-sided-error protocols. 18.6 studies the round-efficiency problem. Finally, 18.7 introduces the notion of non-interactive ZK protocols.

18.2 Basic Definitions
Zero- knowl edge pr ot ocols not onl y have a gr eat appli cat i on val ue i n appl i ed cr ypt ogr aphy , t he
subj ect wi t hi n t he f ramewor k of I P pr ot ocol s has been devel oped as an i mpor t ant br anch in t he
t heor y of comput at i onal compl exi t y . As a r esul t , i t has a ri ch set of defi ni t i ons. We shoul d
i nt r oduce some of t he not i ons whi ch ar e r elevant t o appl i ed cr ypt ogr aphy .
18.2.1 Model of Computation
For t he t ime bei ng l et us det ach our sel ves fr om Quest i ons I and I I wi t hout concer ni ng our selves
wi t h t he point s of i nf ormat i on di sclosur e and pr act i cal eff i ci ency .
We i nt roduce t he model of comput at i on of an i n t er act i ve pr oof syst em whi ch i s def ined by
Gol dwasser , Mical i and Rackof f [ 126] . A basi c model of an i nt eract i ve pr oof pr ot ocol can be
denot ed by ( P, V) wher e P i s a pr over and V, a v er i f i er . I n t he general case, t he pr ot ocol ( P, V)
i s f or pr oving a l anguage membershi p st at ement wher e t he l anguage i s over { 0, 1} * . We wil l
pr ovi de a general meani ng f or t he l anguage i n 18.2. 2 and nar row i t down t o a speci al meani ng
of cry pt ogr aphi c i nt er est i n 18.2. 3.
Let L be a language over {0, 1}*. For a membership instance x ∈ L, P and V must share the input x which is therefore called the common input. The proof instance is denoted by (P, V)(x). These two parties are linked by a communication channel, through which they conduct an interaction to exchange a sequence of information denoted by
Equation 18.2.1
This sequence of information exchange is called a proof transcript. The proof transcript interleaves data transmitted by P, which we shall name the prover's transcript, and those by V, which we shall name the verifier's transcript. Here, not only the length of the proof transcript, but also that of each element exchanged in the transcript, i.e., |a_i|, |b_i| (for i = 1, 2, ...), are bounded by a polynomial in |x|. The proof instance (P, V)(x) must terminate in time polynomial in |x|.
Upon completion of the interaction in time bounded by a polynomial in |x|, the output of the protocol should be one of the two values Accept and Reject.
These two output values mean V's acceptance or rejection of P's claim x ∈ L, respectively. Because (P, V) is a probabilistic system, for each x, the output value (P, V)(x) is a random variable of the common input x, a private input value of P, and some random input values of P and V. Moreover, the elements in a proof transcript (18.2.1) are also such random variables.
Since (P, V) is a game between two parties, it is natural to expect that each party will try to gain an advantage which may be more than that to which it is entitled. On the one hand, the prover P
should have an interest in making (P, V)(x) = Accept as often as possible even when in fact x ∉ L. A prover having this behavior (strategy) is called a cheating prover and is usually denoted by . On the other hand, the verifier V should have an interest in discovering some information about P's private input from the interaction. A verifier having this behavior (strategy) is called a dishonest verifier and is usually denoted by .
18.2.2 Formal Definition of Interactive Proof Protocols
Now we are ready to provide the formal definition of an interactive proof system.
Definition 18.1: Let L be a language over {0, 1}*. We say that an IP protocol (P, V) is an interactive proof system for L if
Equation 18.2.2
and
Equation 18.2.3
where the two probability bounds are constants satisfying
Equation 18.2.4
The probability space is all input values to (P, V) and all random input values of P and V.
The probability expression in (18.2.2) characterizes a notion of completeness for (P, V). Its probability bound is called the completeness probability of (P, V). This means that if x ∈ L, then V will accept with probability at least this bound.
The probability expression in (18.2.3) characterizes a notion of soundness for (P, V) run with a cheating prover. Its probability bound is called the soundness probability. This means that if x ∉ L, then V will accept with probability at most this bound.
Comparing Definition 18.1 with Definition 4.5 (in 4.4), in which the complexity class defined there has the error probability characterizations in (4.4.1), (4.4.2) and (4.4.3), we obtain the following
result:
Theorem 18.1
where the class appearing in the theorem is the class of all languages whose membership questions can be answered by IP protocols.
Moreover, from our study in 4.4.1 we know that the completeness (respectively, soundness) probability bound can be enlarged (resp., reduced) to arbitrarily close to 1 (resp., 0) by sequentially and independently repeating (P, V) polynomially many times (in the size of the common input) and by V taking a "majority election" to reach an acceptance/rejection decision.
Now let us review all the notions introduced so far by looking at a concrete example of an IP protocol: Prot 18.1.
Protocol 18.1: An Interactive Proof Protocol for Subgroup Membership (* see Remark 18.1 regarding the name of this protocol *)
COMMON INPUT:
i. f: a one-way function over the integers modulo n satisfying the homomorphic condition;
ii. X = f(z) for some z;
PRIVATE INPUT of Alice: z < n;
OUTPUT TO Bob: Membership X ∈ ⟨f(1)⟩, i.e., X is generated by f(1).
Repeat the following steps m times:
1. Alice picks a uniformly random k, computes Commit ← f(k) and sends Commit to Bob;
2. Bob picks Challenge ∈_U {0, 1} and sends it to Alice;
3. Alice computes Response ← k + z·Challenge (mod n) and sends Response to Bob;
4. Bob checks Alice's response; he rejects and aborts the protocol if the checking shows an error;
Bob accepts.
Example 18.1.
In Prot 18.1, Alice is a prover and Bob is a verifier. The common input to (Alice, Bob) is X = f(z) where f is the one-way and homomorphic function stated in Prot 18.1. The membership claim made by Alice is the subgroup membership X ∈ ⟨f(1)⟩, which holds since X = f(1)^z (see Remark 18.1 for a general condition for this problem to be hard for Bob). Alice's private input is z, the pre-image of X under the one-way and homomorphic function f.
In the protocol the two parties interact m times and produce the following proof transcript:
The protocol outputs Accept if every check conducted by Bob passes, and Reject otherwise.
This protocol is complete. That is, if Alice does have the pre-image z in her possession and follows the protocol instructions, then Bob will always accept.
Completeness
Indeed, the completeness probability expression (18.2.2) is met with probability 1, since Alice's response always satisfies Bob's verification step:
for either case of his random choice of Challenge ∈_U {0, 1}.
This protocol is sound.
Soundness
We need to find the soundness probability.
Bob's checking step (Step 4) depends on his random choice of Challenge which takes place after Alice has sent Commit. The consistent passing of Bob's verification shows him the following two cases:
Case Challenge = 0: Bob sees that Alice knows pre-image(Commit);
Case Challenge = 1: Bob sees
Since Alice cannot anticipate Bob's random choice of the challenge bit after she has sent out the commitment, in the case Challenge = 1 she should also know pre-image(Commit) and hence should know pre-image(X) too.
If Alice does not know pre-image(X), then she has to cheat by guessing the random challenge bit before sending out the commitment. In her cheating "proof," the commitment can be computed as follows:
choosing Response uniformly at random;
guessing Challenge;
Clearly, in this cheating "proof," Bob will have 1/2 odds of rejecting each iteration of the interaction. Therefore, we have 1/2 as the soundness error probability (i.e., the probability of Alice surviving with successful cheating). If m iterations result in no rejection, then the probability of Alice's successful cheating should be bounded by 2^-m. Bob will be sufficiently confident that Alice cannot survive with successful cheating if m is sufficiently large, i.e., 2^-m is sufficiently small. For example, m = 100 provides a sufficiently high confidence for Bob to prevent Alice's cheating. Therefore, Alice's proof is valid upon Bob's acceptance.
Later (in 18.3.1 and Example 18.2) we shall further investigate a property of perfect zero-knowledge-ness: if the function f is indeed one-way, then Bob, as a polynomially bounded verifier, cannot find any information about Alice's private input.
Remark 18.1
By homomorphism, f(x) = f(1)^x for all x. Therefore Prot 18.1 is also (in fact, more often) called a protocol for Alice to prove her possession of the discrete logarithm of X to the base f(1). We have chosen to name the protocol "subgroup membership proof" because the membership problem is a more general one tackled by IP protocols. When using this (more general and appropriate) name, we should emphasize the general case of ord[f(1)] being a proper and secret divisor of n, i.e., the general case where f(1) does not generate a group of n elements. In this general case, Bob cannot directly verify the subgroup membership without Alice's help.
Remark 18.1 actually states that deciding subgroup membership is in general a hard problem. We should provide some further elaboration on the difficulty. Notice that although the set ⟨f(1)⟩ is a cyclic group (since it is generated by f(1), see 5.2.3), Bob cannot easily decide the membership X ∈ ⟨f(1)⟩. He will need to factor n down to individual primes in order to answer this question (i.e., to see
if f(1) is a primitive root or an nth root of 1, see Definition 5.11 in 5.4.4). Only for the case of #L_n = n can Bob answer YES to the subgroup membership problem in Prot 18.1 without actually running the protocol with Alice (since then f(1) must generate all n elements in L_n). The difficulty of the subgroup membership decision then rests on that of factoring n of a large magnitude. Therefore, for Prot 18.1 to tackle the subgroup membership problem, the integer n must be a sufficiently large composite. For this reason, we stipulate log n as the security parameter for Prot 18.1.
In 18.3.1.1 we will see a special case of common input parameter setting which will degeneralize Prot 18.1 into the special case for proving possession of a discrete logarithm.
18.2.3 A Complexity Theoretic Result
The material to be given here (in the scope of 18.2.3) may be skipped without causing any trouble for understanding other notions of ZK protocols to be introduced in the rest of this chapter.
We now derive a fact in the theory of computational complexity. The fact is stated in (4.5.1). In Chapter 4 we were not able to provide evidence for this fact. Now we are.
In applied cryptography, we shall only be interested in IP protocols which answer membership questions for a subclass of the languages answerable by IP protocols. For any L in the subclass, the membership question has the following two characterizations:
i. It is not known whether there exists a polynomial-time (in |x|) algorithm, deterministic or probabilistic, to answer the question. Otherwise, there is no role for P to play in (P, V) since V alone can answer the question.
ii. The question can be answered by a polynomial-time (in |x|) algorithm if the algorithm has a witness for the question in its possession.
Recall our classification for the complexity class NP (4.5): we can see that (i) and (ii) characterize the class NP. Precisely, they characterize NP problems which have sparse witnesses. By Definition 18.1, we have
Therefore for any language L in this subclass, there exists an IP protocol (P, V) for L, that is, for any x ∈ L, (P, V)(x) = Accept terminates in time polynomial in |x|.
In fact, this property has been demonstrated in a constructive manner by several authors. They construct ZK (IP) protocols for some NPC languages (4.5.1), e.g., Graph 3-Colourability by Goldreich, Micali and Wigderson [124], and Boolean Expression Satisfiability by Chaum [71]. Once a ZK protocol (P, V) for an NPC language L has been constructed, it is clear that membership y ∈ L' for L' being an arbitrary NP language can be proved in ZK in the following two steps:
1. P reduces y ∈ L' to x ∈ L where L is an NPC language (e.g., x is an instance of Graph 3-Colourability or one of Boolean Expression Satisfiability). Since P knows y ∈ L', this reduction
transformation can be performed by P in time polynomial in the size of y. P encrypts the transformation and sends the ciphertext to V.
2. P conducts a ZK proof for V to verify the correct encryption of the polynomial reduction transformation. We shall provide a convincing explanation in 18.4.2 that a ZK proof of correct encryption of a string can be easily done if the encryption is in the Goldwasser-Micali probabilistic encryption scheme (Alg 14.1).
Clearly, these two steps, combined with the concrete ZK protocol construction for proving membership x ∈ L, do constitute a valid ZK proof for y ∈ L'. Notice that the method does not put any restriction on the NP language L' other than its membership in NP.
Also clearly, such a general proof method for membership in an arbitrary NP language cannot be efficient enough for practical use. In 18.6 we shall stipulate that a practically efficient ZK (and IP) protocol should have the number of interactions bounded by a linear function in a security parameter. A general proof method can hardly have its number of interactions bounded by a linear polynomial, since at the moment we do not know any linear reduction method to transform an NP problem to an NPC one. Any known reduction is a polynomial of a very high degree. That is why we say that a ZK proof for membership in an arbitrary NP language is only a theoretic result, albeit an important one. It provides constructive evidence for the fact stated in (4.5.1).
The corresponding equation is an open question in the theory of computational complexity.
18.3 Zero-knowledge Properties
Let us now consider the case of Question I (in 18.1) being answered ideally: (P, V) is a ZK protocol, that is, zero amount or no information whatsoever about P's private input is disclosed to V (or to a dishonest verifier) after an execution of the protocol, except the validity of P's claim.
In order for (P, V) to achieve this quality, we must restrict the computational power of V (and of a dishonest verifier) so that it is bounded by a polynomial in the size of the common input. Clearly, without this restriction we needn't talk about zero knowledge since a V with unbounded computational resources can help itself to find P's private input hidden behind the common input.
In the several sections to follow we shall identify several qualities of ZK-ness:
perfect ZK (18.3.1),
honest-verifier ZK (18.3.2),
computational ZK (18.3.3), and
statistical ZK (18.3.4).
18.3.1 Perfect Zero-knowledge
Let (P, V) be an IP protocol for a language L. For any x ∈ L, a proof run (P, V)(x) not only outputs Accept, but also produces a proof transcript which interleaves the prover's transcript and the verifier's transcript. The elements in the proof transcript are random variables of all input values including the random input to (P, V).
Clearly, should (P, V)(x) disclose any information about P's private input, then it can only be the case that it is the proof transcript that has been responsible for the information leakage. However, if the random variables in the proof transcript are uniformly random in their respective probability spaces and are independent of the common input, then it is quite senseless to allege that they can be responsible for any information leakage. We can consider that in such a situation (i.e., when the proof transcript is uniformly random and independent of the common input), the prover speaks to the verifier in a language which contains no redundancy, or contains the highest possible entropy (see Properties of Entropy in 3.7.1). Therefore, no matter how clever (or how powerful) the verifier can be, it cannot learn anything conveyed by this language, even if it spends a very, very long time learning the language!
Now let us show that Prot 18.1 is perfect ZK.
Example 18.2.
Review Prot 18.1. A proof transcript produced from a proof run of (Alice, Bob)(X) is
where (for i = 1, 2, ..., m)
Commit_i = f(k_i) with k_i picked uniformly at random; clearly, since Alice chooses uniform k_i, Commit_i must also be uniform in the range space of the function f and is independent of the common input X;
Challenge_i ∈ {0, 1}; Bob should pick the challenge bit uniformly, but we needn't demand that he do so, see Response below;
Response_i = k_i + z·Challenge_i (mod n); clearly, due to the uniformity of k_i, Response_i must be uniform for either case of Challenge_i ∈ {0, 1} (even if Challenge_i is non-uniform) and is independent of the common input X.
Therefore the data sent from Alice in a run of Prot 18.1 are uniform. They can tell Bob no information whatsoever about Alice's private input. This protocol is a perfect ZK protocol.
From this example we also see that the elements in Alice's transcript are uniform regardless of how Bob chooses his random challenge bits. In other words, Bob can have no strategy to influence the distribution of Alice's transcript. Therefore, Prot 18.1 is perfect ZK even if Bob is dishonest.
For a perfect ZK protocol, we do not have to run the protocol in order to obtain a proof transcript. Such a transcript (which is merely a string) can be produced via random coin flipping in time polynomial in the length of the transcript. Definition 18.2 captures this important notion of perfect ZK-ness.
Definition 18.2: An IP protocol (P, V) for L is said to be perfect zero-knowledge if for any x ∈ L, a proof transcript of (P, V)(x) can be produced, with the same probability distributions, by a polynomial-time (in the size of the input) algorithm on input x.
Conventionally, the efficient algorithm is named a simulator for a ZK protocol, which produces a simulation of a proof transcript. However, in the case of (P, V) being perfect ZK, we do not want to name it a simulator. It is exactly an equator.
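As an added example (not code from the book), the following Python puts the honest run of Prot 18.1, the cheating prover from the soundness argument in 18.2.2 and the equator of Example 18.2 side by side. It assumes constructed toy parameters, f(x) = g^x mod p with p = 10007, n = 5003 = ord[f(1)] and g = f(1) = 4 (the n-prime special case of 18.3.1.1), and takes Bob's Step 4 check to be f(Response) = Commit · X^Challenge (mod p), which follows from the homomorphism f(x) = f(1)^x.

```python
import secrets

# Constructed toy parameters, not from the book. p = 2q + 1 with q prime and
# g = 4 generating the order-q subgroup of Z_p^*, so n = q, f(1) = g and
# f(x) = g^x mod p is one-way (discrete log) and homomorphic:
# f(a + b) = f(a) * f(b) (mod p). This is the n-prime special case of
# Prot 18.1 (Schnorr's setting); real use needs p of cryptographic size.
P = 10007
N = 5003  # ord[f(1)]: the private input z and the nonces k live in Z_n
G = 4     # f(1)


def f(x):
    """The one-way homomorphic function of Prot 18.1, instantiated as g^x mod p."""
    return pow(G, x % N, P)


def verify_round(X, commit, challenge, response):
    """Bob's Step 4 check, assumed here to be f(Response) = Commit * X^Challenge (mod p).

    An honest Alice always passes: f(k + z*c) = f(k) * f(z)^c = Commit * X^c.
    """
    return f(response) == commit * pow(X, challenge, P) % P


def honest_prover(z):
    """Alice holding the pre-image z of X. Each call of the returned function
    performs Step 1 and hands back a closure that performs Step 3."""
    def start_round():
        k = secrets.randbelow(N)                   # Step 1: k uniform in Z_n
        return f(k), (lambda c: (k + z * c) % N)   # Step 3: Response = k + z*c mod n
    return start_round


def cheating_prover(X):
    """Alice WITHOUT z (the cheating 'proof' of the soundness argument): choose
    Response uniformly, guess the challenge bit, and back-compute
    Commit = f(Response) * X^(-guess). Bob's check then passes exactly when the
    guess matches the coin he tosses later."""
    def start_round():
        response = secrets.randbelow(N)
        guess = secrets.randbelow(2)
        commit = f(response) * pow(X, -guess, P) % P
        return commit, (lambda c: response)        # Response cannot adapt to c
    return start_round


def run_protocol(X, m, start_round):
    """Steps 1-4 repeated m times; Bob rejects and aborts at the first failed check."""
    for _ in range(m):
        commit, respond = start_round()            # Step 1 is fixed before...
        challenge = secrets.randbelow(2)           # Step 2: ...Bob's uniform coin
        if not verify_round(X, commit, challenge, respond(challenge)):
            return False
    return True


def cheating_success_rate(X, m, trials):
    """Empirical soundness error: fraction of cheating runs Bob accepts (about 2^-m)."""
    wins = sum(run_protocol(X, m, cheating_prover(X)) for _ in range(trials))
    return wins / trials


def simulate_transcript(X, challenges):
    """Perfect-ZK simulator (the 'equator' of Definition 18.2) for Prot 18.1.

    Knowing only X and the challenge bits, pick Response_i uniformly in Z_n and
    set Commit_i = f(Response_i) * X^(-Challenge_i). As in a real run,
    Response_i is uniform, Commit_i is the unique value passing Bob's check,
    and nothing depends on z, so the two distributions coincide.
    """
    transcript = []
    for c in challenges:
        response = secrets.randbelow(N)
        commit = f(response) * pow(X, -c, P) % P
        transcript.append((commit, c, response))
    return transcript
```

Running cheating_success_rate with m = 1 and m = 10 shows the 1/2 and 2^-m soundness errors of the text empirically, while every transcript from simulate_transcript passes Bob's check without any use of z.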
18.3.1.1 Schnorr's Identification Protocol
In Prot 18.1, Bob uses bit challenges. This results in a large soundness error probability value of 1/2. Therefore the protocol has to be repeated m times in order to reduce the error probability to 2^-m. Typically, m = 100 is required to achieve a high confidence against Alice's cheating. The necessity for a large number of interactions means poor performance both in communication and in computation.
Under certain conditions for setting the security parameter in the common input, it is possible to reduce the soundness error probability value and hence to reduce the number of interactions. The condition is: the verifier Bob should know the factorization of n. The reason why this condition is needed will be revealed in 18.6.1. A special case of Bob knowing the factorization of n is n being a prime number. Let us now see a concrete protocol using this case of parameter setting. The protocol is Schnorr's Identification Protocol which is proposed by Schnorr [256]
for a real-world (smart card-based) identification application.
Schnorr's Identification Protocol is a special case of Prot 18.1 where the function $f(x)$ is realized by $g^x \pmod p$ in the finite field $\mathbb{F}_p$ where the subgroup $\langle g \rangle$ is of a prime order $q \mid p - 1$. It is easy to see that $g^x \pmod p$ is homomorphic. Moreover, for sufficiently large primes $p$ and $q$, e.g., $|p| = 1024$, $|q| = 160$, $g^x \pmod p$ is also one-way due to the DL assumption (Assumption 8.2 in §8.4).
In this parameter setting, Schnorr's Identification Protocol, which we specify in Prot 18.2, permits Bob to use slightly enlarged challenges of up to $\log_2 \log_2 p$ bits.
Remark 18.2
With the prime $q \mid p - 1$ given publicly, Schnorr's Identification Protocol is no longer one for answering a subgroup membership question. Now Bob himself alone can answer the question $y \in \langle g \rangle$ without need of Alice's help by checking: $y^q \equiv g^q \equiv 1 \pmod p$. Therefore, Schnorr's Identification Protocol is for proving a more specific problem: Alice has in her possession the discrete logarithm of $y$ to the base $g$, as her cryptographic credential.
Now let us investigate the security properties of Schnorr's Identification Protocol.
Protocol 18.2: Schnorr's Identification Protocol
COMMON INPUT:
p, q: two primes satisfying $q \mid p - 1$;
(* typical size setting: $|p| = 1024$, $|q| = 160$ *)
g: $\mathrm{ord}_p(g) = q$;
y: $y = g^a \pmod p$;
(* tuple $(p, q, g, y)$ is Alice's public-key material, certified by a CA *)
PRIVATE INPUT of Alice: $a < q$;
OUTPUT TO Bob: Alice knows some $a < q$ such that $y \equiv g^a \pmod p$.
Repeating the following steps $\log_2 \log_2 p$ times:
1. Alice picks $k \in_U \mathbb{Z}_q$ and computes Commit $\leftarrow g^k \pmod p$;
she sends Commit to Bob;
2. Bob picks Challenge $\in_U \{0, 1\}^{\log_2 \log_2 p}$;
he sends Challenge to Alice;

3. Alice computes Response $\leftarrow k + a \cdot \mathit{Challenge} \pmod q$;
she sends Response to Bob;
4. Bob checks Commit $\equiv g^{\mathit{Response}} \, y^{-\mathit{Challenge}} \pmod p$;
he rejects and aborts if the check shows an error;
Bob accepts.
(* Bob's computation of $g^{\mathit{Response}} \, y^{-\mathit{Challenge}} \pmod p$ should apply Alg 15.2 and so the cost is similar to computing a single modulo exponentiation *)
18.3.1.2 Security Properties of Schnorr's Identification Protocol
Completeness
Trivially preserved. In fact, a completeness probability of exactly 1 can be obtained. This is left for the reader as an exercise (Exercise 18.7).
Soundness
Suppose the prover is a cheater, i.e., she does not have the correct discrete logarithm value. For Commit she sent in an iteration, Bob, after picking Challenge $\in_U \{0, 1\}^{\log_2 \log_2 p}$, is waiting for
$\mathit{Response} = \log_g [\mathit{Commit} \cdot y^{\mathit{Challenge}} \pmod p] \pmod q.$
This equation shows that, for fixed Commit and $y$, there will be $\log_2 p$ distinct values for Response which correspond to $\log_2 p$ distinct values for Challenge, respectively. Given the small magnitude of $\log_2 p$, the best strategy for computing the correct response from $\mathit{Commit} \cdot y^{\mathit{Challenge}} \pmod p$ is to guess Challenge before fixing Commit as follows:
1. picking Response $\in_U \mathbb{Z}_q$;
2. guessing Challenge $\in_U \{0, 1\}^{\log_2 \log_2 p}$;
3. computing Commit $\leftarrow g^{\mathit{Response}} \, y^{-\mathit{Challenge}} \pmod p$.
Clearly, the probability of guessing correctly is $1/\log_2 p$ per iteration, that is, we have found $1/\log_2 p$ as the soundness error probability for a single round of message interactions.
The reduced soundness error probability for a single round of message exchange in Schnorr's Identification Protocol means an improved performance over that of Prot 18.1. This is because, for Prot 18.1 running $m$ iterations to achieve a negligibly small soundness error probability $2^{-m}$, Schnorr's Identification Protocol only needs $m / \log_2 \log_2 p$

rounds of iterations while maintaining the soundness error probability unchanged from that of Prot 18.1 using $m$ rounds of interactions.
For $p \approx 2^{1024}$ and $m = 100$, we have $m / \log_2 \log_2 p = 100/10 = 10$. That is, the enlarged challenge reduces the number of interactions from that of Prot 18.1 by 10 fold while keeping the same low soundness error probability.
Perfect ZK-ness
For common input $y$, we can construct a polynomial-time (in $|p|$) equator on input $y$ as follows:
1. initializes Transcript as an empty string;
2. For $i = 1, 2, \ldots, \log_2 \log_2 p$:
   a. picks $\mathit{Response}_i \in_U \langle g \rangle$;
   b. picks $\mathit{Challenge}_i \in_U \{0, 1\}^{\log_2 \log_2 p}$;
   c. computes $\mathit{Commit}_i \leftarrow g^{\mathit{Response}_i} \, y^{-\mathit{Challenge}_i} \pmod p$;
   d. Transcript $\leftarrow$ Transcript $\| \, \mathit{Commit}_i, \mathit{Challenge}_i, \mathit{Response}_i$.
Clearly, Transcript can be produced in polynomial time, and the elements in it have distributions which are the same as those in a real proof transcript.
From our analysis of Schnorr's Identification Protocol we see that enlarging the challenge size reduces the number of interactions while maintaining the soundness error probability unchanged. Then why have we confined the size enlargement to a rather strange and small value $\log_2 \log_2 p$?
Enlarging the challenge size not only improves performance (a positive result); in §18.3.2 we will further see that this also has a negative consequence. Be careful, size matters!
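Prot 18.2 together with the soundness and perfect ZK analyses above, as an added Python example that is not from the book: it runs the protocol on constructed toy parameters (p = 607, q = 101, g = 64, an assumption far below |p| = 1024), measures the cheating prover's per-round success rate, and runs the equator; Response is sampled from Z_q, the exponent space, and all helper names are the example's own.

```python
"""Schnorr's Identification Protocol (Prot 18.2) on toy parameters: an honest run, the cheating
prover's best strategy (guess Challenge, then fix Commit) and the perfect-ZK equator."""
import math
import secrets

# Constructed toy parameters (assumption, far too small for real use): q | p - 1, ord_p(g) = q.
P, Q, G = 607, 101, 64          # 606 = 2 * 3 * 101 and g = 2^(606/101) mod 607


def challenge_bits(p):
    """|Challenge| = log2 log2 p, rounded down (3 bits for p = 607, 10 bits for |p| = 1024)."""
    return int(math.log2(math.log2(p)))


def keygen():
    """Alice's private input a < q and her public y = g^a (mod p)."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def prover_commit():
    """Step 1: fresh k in Z_q and Commit = g^k (mod p)."""
    k = secrets.randbelow(Q)
    return k, pow(G, k, P)


def verifier_challenge():
    """Step 2: Challenge uniform in {0,1}^(log2 log2 p)."""
    return secrets.randbits(challenge_bits(P))


def prover_respond(a, k, challenge):
    """Step 3: Response = k + a * Challenge (mod q)."""
    return (k + a * challenge) % Q


def verify(y, commit, challenge, response):
    """Step 4: Commit == g^Response * y^(-Challenge) (mod p)."""
    return commit == pow(G, response, P) * pow(y, -challenge, P) % P


def run_protocol(a, y, rounds=0):
    """Honest Prot 18.2: log2 log2 p rounds by default; Bob aborts at the first failed check."""
    for _ in range(rounds or challenge_bits(P)):
        k, commit = prover_commit()
        challenge = verifier_challenge()
        if not verify(y, commit, challenge, prover_respond(a, k, challenge)):
            return False
    return True


def cheater_success_rate(y, trials=4000):
    """Soundness: a prover without a picks Response, guesses Challenge and sets
    Commit = g^Response * y^(-guess). She passes a round only when Bob's Challenge equals the
    guess, so the observed rate should be near 2^-(log2 log2 p) = 1/8 for these parameters."""
    wins = 0
    for _ in range(trials):
        response = secrets.randbelow(Q)
        guess = verifier_challenge()
        commit = pow(G, response, P) * pow(y, -guess, P) % P
        wins += verify(y, commit, verifier_challenge(), response)
    return wins / trials


def equate_transcript(y):
    """Perfect ZK equator: Response_i and Challenge_i uniform, Commit_i derived from the
    verification equation. No secret is used, yet every triple passes verify()."""
    transcript = []
    for _ in range(challenge_bits(P)):
        response = secrets.randbelow(Q)
        challenge = verifier_challenge()
        commit = pow(G, response, P) * pow(y, -challenge, P) % P
        transcript.append((commit, challenge, response))
    return transcript


if __name__ == "__main__":
    a, y = keygen()
    print("honest run accepted:", run_protocol(a, y))
    print("cheater per-round success rate:", cheater_success_rate(y))
    print("equated transcript verifies:", all(verify(y, *t) for t in equate_transcript(y)))
```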
18.3.2 Honest-Verifier Zero-knowledge
At first glance of Schnorr's Identification Protocol, it is not very clear why we have restricted the size of the challenge bits to the case $|\mathit{Challenge}| = \log_2 \log_2 p$. It seems that if we use $|\mathit{Challenge}| = \log_2 p$, then the protocol will become even more efficient: it only needs one interaction to achieve the same low soundness probability ($1/p$) against Alice cheating. Moreover, it seems that the equator can be constructed in the same way for Schnorr's Identification Protocol; again, now it only needs one single "loop" to produce Transcript which

contains uniformly distributed elements.
However, there is a subtlety in the problem. Let us examine it now.
18.3.2.1 What a Dishonest Verifier Can Do
Let the verifier be dishonest, that is, he does not follow the protocol instructions and always tries to trick Alice into disclosing some information which may be useful for him. Suppose that the dishonest verifier is allowed to pick a large Challenge so that $2^{|\mathit{Challenge}|}$ is a non-polynomially bounded quantity. Then he may devise a trick to force Alice to produce a transcript which is inequatable (i.e., cannot be equated) or unsimulatable in polynomial time. If he can do this, then by Definition 18.2, the protocol can no longer be perfect ZK.
Let us examine the issue by slightly modifying Schnorr's Identification Protocol so that it allows the dishonest verifier to choose Challenge $\in \mathbb{Z}_q$, i.e., amplifying the challenge space from $\{0, 1\}^{\log_2 \log_2 p}$ to $\mathbb{Z}_q$.
Here is what the dishonest verifier should do in this modified Schnorr's Identification Protocol.
Upon receipt of Commit, he applies a suitable pseudo-random function prf with the large output space $\mathbb{Z}_q$ to create his Challenge as:
Challenge $\leftarrow$ prf("Meaningful transcript, signed Alice" $\|$ Commit).
So created, Challenge is pseudo-random (i.e., not truly random). We shall see in a moment the full meaning of the string "Meaningful transcript, signed Alice."
Poor Alice, due to the general indistinguishability between pseudo-randomness and true randomness (Assumption 4.2), she can have no way to recognize the pseudo-randomness of Challenge, and will have to follow the protocol instruction by sending back Response $= k + a \cdot \mathit{Challenge} \pmod q$.
Remember that Alice's answer satisfies
Equation 18.3.1
since this is exactly the verification procedure conducted by the verifier. Therefore, Alice has helped him to construct the following equation
Equation 18.3.2

Viewed by a third party, (18.3.2) means either of the following two cases:
i. the equation was constructed by Alice using her private input, and hence Alice discloses the fact that she has been in interaction with, and fooled by, the dishonest verifier; or
ii. the dishonest verifier has successfully broken the pseudo-random function prf of the large output space $\mathbb{Z}_q$, because he has constructed the equation himself. This is a well-known hard problem because prf is assumed one-way.
Given that the dishonest verifier is polynomially bounded, the third party will of course believe that (i) is the case. Poor Alice, in the proof transcript (Commit, Challenge, Response) satisfying (18.3.1) and (18.3.2), the pair (Commit, Response) is precisely a signature of the message "Meaningful transcript, signed Alice" under Schnorr's signature scheme (check Alg 10.4 with prf = H)! Since only Alice could have issued the signature (recall, in §16.3.2 we have proved the signature scheme's strong security against forgery under adaptive chosen-message attack), the third party has made a correct judgement!
A small consolation for Alice is that the information disclosure caused by the dishonest verifier is not a too disastrous one (though this assertion has to be based on applications really). As we have analyzed in §7.5.2, if Alice picks $k \in_U \mathbb{Z}_q$ independent of all previous instances, then Response $= k + a \cdot \mathit{Challenge} \pmod q$ forms a one-time pad (shift cipher) encryption of Alice's private input $a$, which provides information-theoretic quality of security. This means that the proof transcript still does not disclose to the verifier or a third party any information about Alice's private input $a$.
However, as an interactive proof degenerates to a signature which needn't be issued in an interactive way, the security service offered by an interactive proof is lost: now any third party can verify the proof result. This means that showing knowledge is no longer conducted "in the dark," it is conducted "in the open." That is why the variant protocol (i.e., Schnorr's Identification Protocol using a large challenge) is no longer ZK any more!
In general, if Schnorr's Identification Protocol uses a large challenge in $\mathbb{Z}_q$, then the protocol has an honest-verifier zero-knowledge property. In an honest-verifier ZK protocol, if the verifier honestly follows the protocol instruction, then the protocol is perfect ZK. This is because, if the verifier picks a truly random challenge, then the proof transcript can be equated efficiently.

For an honest-verifier ZK protocol (P, V), if the behavior of V is fixed into a confined manner so that it cannot force P to produce an inequatable or unsimulatable transcript, then (P, V) can still be a perfect ZK protocol. In §18.3.2.3 we will see that limiting the size of the challenge bits is a solution. There are other ways to impose behavioral confinement on V, e.g.,
- forcing V to demonstrate its honesty in choosing a random challenge; in §18.6.2 we will introduce an extremely efficient perfect ZK proof protocol which uses this idea;
- providing V with an entitlement to simulate a "proof," and hence a dishonest verifier can only show its dishonesty if it tries to trick the prover; in §18.7.1 we will see another extremely efficient protocol which uses this idea.
18.3.2.2 The Fiat-Shamir Heuristic
Fiat and Shamir suggest a general method for transforming a secure honest-verifier ZK protocol into a digital signature scheme [109]. The method uses exactly the same attacking technique of a dishonest verifier which we have seen in §18.3.2.1. In general, let (Commit, Challenge, Response) denote the transcript of an honest-verifier ZK protocol; then the transforming method uses a suitable hash function $H$ to construct a digital signature of message $M \in \{0, 1\}^*$ as
This general method is called the Fiat-Shamir heuristic.
It is easy to see that a triplet ElGamal-family signature scheme (§16.3.1) is a special case of signature schemes generated from the Fiat-Shamir heuristic. In fact, the formal security proof technique on the strong unforgeability of triplet ElGamal-family signature schemes (studied in §16.3.2) applies to any signature scheme which is converted from an honest-verifier ZK protocol by applying the Fiat-Shamir heuristic.
A claim hidden behind a one-way function (e.g., a membership or witness-hiding claim) which is verified in the manner of digital signature verification, as the Fiat-Shamir heuristic makes possible, is clearly publicly verifiable, i.e., it is not a "proof in the dark." Often, a claim shown in this style is called proof-of-knowledge. Because of the strong security result (unforgeability against adaptive chosen-message attack) which we have established in §16.3.2, proof-of-knowledge remains a quality and useful way for demonstrating a claim hidden behind a one-way function.
In some applications, such as proof that a secret has a required structure, "proof in the dark" is not an essential security requirement (i.e., a prover does not feel a need to deny participation in an interaction). In such applications, proof-of-knowledge is a very useful and adequate notion.
18.3.2.3 Returning to Perfect Zero-knowledge
Now let us consider the case of Schnorr's Identification Protocol (note, not the variation using large challenge bits) being run with the dishonest verifier, in which he tries to fool Alice into issuing a signature under Schnorr's signature scheme.
However, now for any pseudo-random function prf of output size $\log_2 \log_2 p$ bits, equation (18.3.2) can be efficiently made up by anybody, that is, a proof transcript can be efficiently

equated. Let us see how to do this and how efficiently this can be done.
Let there be an equator. All the equator has to do is to pick Response at random and test whether (18.3.2) holds for a fixed Challenge $\in \{0, 1\}^{\log_2 \log_2 p}$. If the test fails, it simply tries another Response. The trial-and-error test will be successful before the output space of prf of $\log_2 \log_2 p$ bits is exhausted. Since prf only has output length $\log_2 \log_2 p$, its output space can be exhausted within $\log_2 p$ steps, that is, in time polynomial (linear) in the size of $p$.
Once the equation is found, the equator can set Commit using (18.3.1). Thus,
Transcript = Commit, Challenge, Response
is an equated "proof transcript" imitating a single round of interaction, and is produced in time polynomial in the size of $p$ (i.e., in $\log p$). This equated "proof transcript" satisfies (18.3.1) and (18.3.2). However, it is not a meaningful transcript at all and, as we have seen, it needn't be issued by Alice!
To this end, we know that for challenge bits in a ZK protocol, size does matter!
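The dishonest-verifier trick of 18.3.2.1 and the trial-and-error equator of 18.3.2.3 side by side, as an added Python example that is not the book's code: toy parameters are generated with a Miller-Rabin search (an assumption, not the book's |p| = 1024, |q| = 160), SHA-256 truncated to the challenge width stands in for prf, and third_party_check plays the third party that recomputes (18.3.2) and (18.3.1); all function names are the example's own.

```python
"""Dishonest verifier with a wide prf challenge (the transcript becomes a publicly checkable
Schnorr signature) versus an equator that forges the same kind of transcript when the
challenge has only log2 log2 p bits."""
import hashlib
import secrets

MSG = b"Meaningful transcript, signed Alice"


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test (helper for the toy parameter generation)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits=40):
    """Primes q | p - 1 and g with ord_p(g) = q, as in Prot 18.2 but at toy size (assumption)."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for t in range(2, 200000, 2):          # candidates p = q * t + 1
            p = q * t + 1
            if is_probable_prime(p):
                for h in range(2, p):
                    g = pow(h, t, p)            # order divides q, so order q once g != 1
                    if g != 1:
                        return p, q, g


P, Q, G = gen_params()


def keygen():
    """Alice's private input a < q and her public y = g^a (mod p)."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def prf(commit, bits):
    """Stand-in for the book's prf: SHA-256 of (MSG || Commit) truncated to `bits` bits."""
    digest = hashlib.sha256(MSG + b"||" + commit.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def verify(y, commit, challenge, response):
    """Equation (18.3.1): Commit == g^Response * y^(-Challenge) (mod p)."""
    return commit == pow(G, response, P) * pow(y, -challenge, P) % P


def dishonest_verifier_session(a, y, bits):
    """Alice follows Prot 18.2 honestly; the verifier derives Challenge from prf(MSG || Commit)
    instead of flipping coins, so the transcript also satisfies (18.3.2)."""
    k = secrets.randbelow(Q)
    commit = pow(G, k, P)
    challenge = prf(commit, bits)
    return commit, challenge, (k + a * challenge) % Q


def third_party_check(y, transcript, bits):
    """Anyone can test (18.3.2) and (18.3.1). With a wide prf this is Schnorr signature
    verification of MSG under Alice's key (Alg 10.4 with prf = H): the proof is 'in the open'."""
    commit, challenge, response = transcript
    return challenge == prf(commit, bits) and verify(y, commit, challenge, response)


def equate_signed_transcript(y, bits):
    """The 18.3.2.3 equator, no secret needed: fix Challenge, sample Response, set Commit via
    (18.3.1) and test (18.3.2). Each try succeeds with probability about 2^-bits, so the expected
    cost is 2^bits tries: trivial for log2 log2 p bits, hopeless once 2^bits is not polynomial."""
    challenge = secrets.randbits(bits)
    for tries in range(1, (64 << bits) + 1):
        response = secrets.randbelow(Q)
        commit = pow(G, response, P) * pow(y, -challenge, P) % P
        if prf(commit, bits) == challenge:
            return (commit, challenge, response), tries
    raise RuntimeError("no match within budget (probability about exp(-64))")


def average_tries(y, bits, runs=200):
    """Mean number of tries the equator needs; close to 2^bits."""
    return sum(equate_signed_transcript(y, bits)[1] for _ in range(runs)) / runs


if __name__ == "__main__":
    a, y = keygen()
    signed = dishonest_verifier_session(a, y, 64)
    print("64-bit challenge, transcript verifies as Alice's signature:", third_party_check(y, signed, 64))
    forged, n = equate_signed_transcript(y, 3)
    print("3-bit challenge, equated without a in", n, "tries, verifies:", third_party_check(y, forged, 3))
```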
18.3.3 Computational Zero-knowledge
We have seen that in order to demonstrate that an IP protocol (P, V) is perfect ZK, we must construct an equator: it can efficiently generate a "proof" transcript which has the same probability distribution as that produced by (P, V). This requirement can be relaxed for an IP protocol which is computational zero-knowledge.
Definition 18.3: An IP protocol (P, V) for L is said to be computational ZK if for any $x \in L$, a proof transcript of (P, V)(x) can be simulated by a polynomial-time (in the size of the input) algorithm $S(x)$ with probability distributions which are polynomially indistinguishable from that of the proof transcript.
In this definition, the notion of polynomial indistinguishability is defined in Definition 4.15.
To see a computational ZK protocol, let us modify Prot 18.1 in another way. In this modification, the one-way and homomorphic function $f$ is defined over a space of an unknown magnitude, that is, now $n$ in $\mathbb{Z}_n$ is a secret integer for both P and V. It is possible to construct $f$ over a secret domain. Here is a concrete construction.

18.3.3.1 A Construction of One-way and Homomorphic Function f(x)
Let P and V agr ee on a random and ver y l arge odd composit e int eger N such t hat no one knows
t he fact or i zat i on of N. This is easy i f bot h part i es i nput t hei r own r andomness in t he agr eement
of N, however, we shall omit t he det ai ls for doi ng t hi s. They can si mi l arl y agree on a random
el ement a < N so t hat gcd( a, N) = 1.
Since N is large and random, with an overwhelming probability N has a large prime factor p unknown to both P and V, and moreover, p − 1 should have a large prime factor q, also unknown to both P and V. We shall omit the investigation of how "overwhelming" the probability should be, but remind the reader that for a random and large composite N, the existence of such large primes p and q is the exact reason why a large and random odd composite is hard to factor (the reader can find some insights about this by reviewing §8.8).
Also, since both N and a are randomly agreed upon, with an overwhelming probability the multiplicative order ord_N(a) is a large and secret integer. We are sure of this "overwhelming": the probability for q | ord_N(a) is at least 1 − 1/q because for any prime q | φ(N), in there can be at most a 1/q fraction of elements whose orders are co-prime to q.
Now P and V "define"
Equation 18.3.3
for any integer x. Notice that we have quoted "define" here because the domain of this function cannot be , instead, it is : namely, for any x, it always holds
In other words, the input to f is always from the space which is smaller than .
Still, it is easy to see that f(x) is homomorphic and one-way. The homomorphism is trivially observed as
The one-way property is based on that of the discrete logarithm problem modulo p (recall, an unknown large prime p | N): finding x from f(x) = f(1)^x (mod N) is necessarily harder than finding x (mod p − 1) from f(1)^x (mod p), while the function f(1)^x (mod p) is one-way due to the discrete logarithm assumption (Assumption 8.2).
18.3.3.2 A Computational Zero-knowledge Protocol

Using f(x) constructed in §18.3.3.1, we can construct a computational ZK protocol.
Example 18.3.
Let (Alice, ) be a variation of Prot 18.1 using the one-way and homomorphic function f(x) constructed in §18.3.3.1, i.e., f(x) is defined in (18.3.3).
Now that Alice no longer knows n = ord_N(a), she can no longer sample random numbers in with the uniform distribution. In order for Alice to still be able to conduct a proof (i.e., to preserve the completeness property), the protocol instructions for Alice have to be slightly adjusted, e.g., as follows (let z < N be Alice's private input):
1. Alice picks k ∈_U [0, N^2 − z), computes Commit ← f(k) and sends it to Bob;
2. Bob ... (* no change *)
3. She sends Response to Bob;
4. Bob ... (* no change *)
In this modification, the instructions for Bob are unchanged. However, the instructions for Alice have two changes. In Step 1, the random value k is sampled from [0, N^2 − z). We will explain in a moment why she has to pick k from this rather peculiar space. In Step 3 (in the case of Challenge = 1), she computes Response ← (k + z) using addition in the integer space, i.e., without conducting modulo reduction. She can no longer compute the modulo reduction since she does not have the modulus n = ord_N(a) for the operation.
The completeness and soundness properties of this modification can be reasoned analogously to those we have conducted in Example 18.1.
However, now we can no longer show that this variation is perfect ZK, because we can no longer construct an efficient equator to produce a "proof" transcript which has the same distribution as that produced by (Alice, )(X).
Indeed, a usual simulation technique will produce a transcript of a different distribution. In such a simulation, a simulator S performs the following steps:
1. S picks Response ∈_U [0, N^2);
2. S picks Challenge ∈_U {0, 1};
3. S computes Commit ← f(Response) / X^Challenge (mod N).
Clearly (in the case of Challenge = 1), while Response in the proof transcript is uniform in the interval [z, N^2), that in this simulated transcript is uniform in the interval [0, N^2). They have

distinct distributions. Without z, S just cannot equate Alice's behavior!
Nevertheless, the variation (Alice, ) is computational ZK. This is because the two distributions x ∈_U [z, N^2) and y ∈_U [0, N^2) are computationally indistinguishable for z < N. From
Equation 18.3.4
we have
Following Definition 4.15 (in §4.7), Response in the proof transcript and that in the simulated transcript are computationally indistinguishable. Thereby, we have constructed a polynomial-time simulator S, or (Alice, ) is computational ZK by Definition 18.3.
Now we can explain why Alice has to pick the committal k from the rather peculiar space [0, N^2 − z).
First, the z part in N^2 − z is necessary, or else Response may end up being larger than N^2 due to addition without modulo reduction. If that happens, the protocol can by no means be labelled ZK in any sense!
Secondly, the N^2 part in N^2 − z is in order to obtain the probability bound (18.3.4), and hence the protocol can achieve the computational ZK quality. In fact, N^2 is unnecessarily large. Computational ZK can be achieved by using N^{1+ε} for any constant ε > 0. The reader is encouraged to confirm this (hint: observe that in the right-hand side of (18.3.4) should be replaced with ).
In real-world applications of ZK protocols (e.g., Schnorr's Identification Protocol), most one-way functions are realized by available public-key cryptographic techniques (e.g., as in the case of f(x) being realized in §18.3.3.1, or in Schnorr's Identification Protocol). Therefore computational ZK is the most important and adequate (i.e., fit-for-application) notion in ZK (and IP) protocols.
18.3.4 Statistical Zero-knowledge
Goldwasser, Micali and Rackoff [126] also introduce a notion of statistical zero-knowledge.
An IP protocol is statistical ZK if there exists an efficient simulator to simulate a proof transcript to a precision which cannot be differentiated by any statistical distinguisher. A statistical distinguisher is similar to a polynomial distinguisher defined in Definition 4.14 except that its running time needn't be polynomially bounded. From this difference we know that a statistical ZK protocol has a more stringent ZK quality than a computational one.
As a matter of fact, the computational ZK protocol (Alice, ) in Example 18.3 is statistical ZK.

This is because (18.3.4) states that the following event occurs with probability less than a negligible quantity 1/N:
Thus, with probability at least (N − 1)/N, Response in both transcripts is larger than z and is uniform in both. They cannot be differentiated by any distinguisher even if it runs forever!
Conceptually, statistical ZK and computational ZK have no essential difference. Nevertheless, since the former is a more stringent security notion, in real applications it is more desirable to establish that a protocol is statistical ZK if the protocol designer is able to do so.
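What follows is an added example, not code from the book: the variant of Prot 18.1 in Example 18.3 run by an honest Alice and Bob, the simulator S described above, an unbounded distinguisher that exploits the interval [0, z) which only S can output, and the exact statistical distance between the real and simulated Response, which comes out as z/N^2 < 1/N, consistent with the 1/N bound quoted in §18.3.4. It assumes f(x) = a^x (mod N), consistent with f(1)^x (mod N) above, and that Bob's unchanged check is f(Response) ≡ Commit · X^Challenge (mod N), the relation S inverts in its Step 3; N, a and z are tiny constructed values.

```python
# Added example (not from the book): Example 18.3, its simulator S, and the
# statistical distance behind the computational / statistical ZK claims.
# Assumed (the page elides them): f(x) = a^x (mod N); Bob's check is
# f(Response) == Commit * X^Challenge (mod N).  Toy parameters only.
from fractions import Fraction
import secrets


def f(a, N, x):
    """The one-way homomorphic function of 18.3.3.1 in its assumed form a^x mod N."""
    return pow(a, x, N)


def prover_commit(a, N, z):
    # Step 1: k is sampled from [0, N^2 - z), the "peculiar" space, so that
    # k + z < N^2 always holds; Alice cannot reduce modulo the unknown ord_N(a).
    k = secrets.randbelow(N * N - z)
    return k, f(a, N, k)


def prover_respond(k, z, challenge):
    # Step 3: Response = k + z * Challenge as a plain integer, no modulo reduction.
    return k + z * challenge


def verifier_accepts(a, N, X, commit, challenge, response):
    # Step 4 (assumed form): reject any Response outside [0, N^2), then check
    # f(Response) == Commit * X^Challenge (mod N).
    if not 0 <= response < N * N:
        return False
    return f(a, N, response) == (commit * pow(X, challenge, N)) % N


def run_proof(a, N, z, rounds):
    """Honest (Alice, Bob) run with common input X = f(z); True iff Bob accepts every round."""
    X = f(a, N, z)
    for _ in range(rounds):
        k, commit = prover_commit(a, N, z)
        challenge = secrets.randbelow(2)
        response = prover_respond(k, z, challenge)
        if not verifier_accepts(a, N, X, commit, challenge, response):
            return False
    return True


def simulate(a, N, X, rounds):
    """Simulator S of the text: without z, pick Response and Challenge first,
    then derive Commit = f(Response) / X^Challenge (mod N)."""
    x_inv = pow(X, -1, N)                 # X is a unit mod N because gcd(a, N) = 1
    transcript = []
    for _ in range(rounds):
        response = secrets.randbelow(N * N)      # uniform in [0, N^2)
        challenge = secrets.randbelow(2)
        commit = (f(a, N, response) * pow(x_inv, challenge, N)) % N
        transcript.append((commit, challenge, response))
    return transcript


def distinguisher_guess(response, z):
    """An unbounded distinguisher that knows z: a Response below z can only come
    from S, since a real Response with Challenge = 1 lies in [z, N^2)."""
    return "simulated" if response < z else "undecided"


def statistical_distance(N, z):
    """Exact statistical distance between U[z, N^2) (real, Challenge = 1) and
    U[0, N^2) (simulated).  The sum over |p - q| splits into the z points only
    S can output and the N^2 - z points both can output; the result is z / N^2."""
    n2 = N * N
    only_sim = z * Fraction(1, n2)
    both = (n2 - z) * (Fraction(1, n2 - z) - Fraction(1, n2))
    return (only_sim + both) / 2


if __name__ == "__main__":
    # Constructed toy instance: N = 101 * 103, a = 3, private input z = 1234.
    print("honest proof accepted:", run_proof(3, 10403, 1234, 20))
    print("distance z/N^2 =", statistical_distance(10403, 1234))
```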

18.4 Proof or Argument?
We have reasoned explicitly that in order for an IP protocol (P, V) to have ZK properties (any of the four ZK notions introduced so far), the computing power for V and must be bounded by a polynomial in the size of the common input. However, so far we have not been very explicit about the computing power of P or .
18.4.1 Zero-knowledge Argument
A careful reader may have noticed that for all ZK protocols we have introduced so far, we actually require P or to have a polynomially bounded computing power. Indeed, when we reason about the soundness property for these protocols, we have always begun by saying "if P (or ) does not know the pre-image of X ...."
For a language in , this "if ..." actually implies that P (or ) is polynomially bounded. If we say that an unbounded P is one who can extract the pre-image under the one-way function f, then none of the soundness reasonings for these protocols is valid. Clearly, for any Challenge, an unbounded P or can extract Response as
For this way of pre-image extraction by an unbounded algorithm, we can never estimate the soundness probability for (18.2.3). In each case of our soundness reasoning conducted for the protocols introduced so far, the value has always been obtained under the (implicit) assumption that P (and ) are bounded.
If a ZK protocol (P, V) for a language L requires P (and ) to have a polynomially (in the size of the input) bounded computing power, then (P, V) is called a zero-knowledge argument protocol. Usually, the requirement is needed in order to establish the soundness of the protocol. An argument is not as rigorous as a proof and, in particular, it fails to make good sense when P is an unbounded entity.
Thus, we have so far seen perfect, honest-verifier, computational and statistical ZK argument protocols. Also, Schnorr's Identification Protocol is a ZK argument protocol. We have actually not met any zero-knowledge proof protocol yet.
Before we go ahead and describe ZK proof protocols, we should clarify one important point very clearly. In most real-world applications, i.e., in the usual cases of securing information using complexity-theoretic based modern cryptographic techniques, the principals of a secure system (including a prover of a ZK protocol) will most likely have their computational resources polynomially bounded, and hence they cannot solve NP problems quickly. Therefore ZK argument remains a very useful notion.
18.4.2 Zero-knowledge Proof

In a ZK proof protocol, the soundness property can be established without requiring P or to be polynomially bounded.
Let us now see a ZK proof protocol. Proof of quadratic residuosity provides a good example of a ZK proof protocol. Such a protocol is again for a membership problem: x ∈ QR_N for N being an odd composite number.
18.4.2.1 ZK Proof of Quadratic Residuosity
Let N be a large and odd composite integer which has at least two distinct odd prime factors. In §6.5 we have studied quadratic residues modulo an integer and learned the following number-theoretic facts:
Fact 1 Knowing the factorization of N, for any x ∈ QR_N, a square root y of x modulo N, satisfying y^2 ≡ x (mod N), can be efficiently extracted. This can be done using Alg 6.5.
Fact 2 For any x ∈ QNR_N (quadratic non-residue), in there exists no square root of x (Step 1 of Alg 6.5 won't work).
Fact 3 If x ∈ QNR_N, then xy ∈ QR_N implies y ∈ QNR_N (the reader can confirm this by examining all possible cases of the Jacobi symbols of x, y and xy).
Using these facts we can construct a perfect ZK proof protocol for Alice to prove to Bob that a number is a quadratic residue modulo an odd composite integer. This protocol is due to Goldwasser, Micali and Rackoff [126] and is specified in Prot 18.3.
Let us first analyze the soundness property of Prot 18.3.
Soundness
Suppose x ∈ QNR_N (i.e., the protocol is run with , a cheater). Let us find the soundness error probability. Of course, we now consider being computationally unbounded.
For Challenge = 0, Bob sees that Response is a square root of Commit, so Commit ∈ QR_N.
For Challenge = 1, Bob sees that Response is a square root of Commit·x, so Commit·x ∈ QR_N. By Fact 3, Bob further sees Commit ∈ QNR_N.
So if x ∈ QNR_N, then Bob sees Commit ∈ QR_N or Commit ∈ QNR_N alternatively, depending on his random challenge bit being 0 or 1, respectively. Since has sent Commit before Bob picks the random challenge bit, must have correctly guessed Bob's challenge bit. Clearly, the soundness error probability is 1/2. Hence, Bob's verification passing m times results in the soundness probability being 2^{−m}.
The soundness property holds for an unbounded since, due to Fact 2, even an unbounded cannot compute a square root for x ∈ QNR_N, and hence has to guess Bob's random challenge bit.
Completeness and Perfect Zero-knowledge-ness

The completeness property is immediate from Fact 1.
Protocol 18.3: A Perfect Zero-knowledge Proof Protocol for Quadratic Residuosity
COMMON INPUT:
N: a large and odd composite integer which is not a power of a prime;
x: an element in QR_N.
Alice's PRIVATE INPUT:
y: y^2 ≡ x (mod N);
OUTPUT TO Bob: x ∈ QR_N.
Repeat the following steps m times:
1. Alice picks u ∈_U QR_N, computes Commit ← u^2 (mod N), and sends Commit to Bob;
2. Bob picks Challenge ∈_U {0, 1}, and sends it to Alice;
3. and sends Response to Bob;
4. Bob verifies:
if the verification fails, Bob rejects and aborts the protocol;
Bob accepts.
The perfect ZK property can be demonstrated by constructing an equator which generates an equated proof transcript as follows:
For i = 1, 2, ..., m
1. picks Response_i ∈_U ;

2. picks Challenge_i ∈_U {0, 1};
3.
It is easy to check that the elements in this equated transcript have the same distributions as those in a proof transcript.
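The following is an added example, not code from the book: Prot 18.3 run by an honest Alice holding a square root y of x, the equator just described (which needs no square root because it picks Response_i before Commit_i), and a cheating prover holding a quadratic non-residue, who, unbounded or not, can do nothing better than guess Bob's bit, as the soundness analysis above says. It assumes that Alice's Step 3 computes Response ← u · y^Challenge (mod N) and that Bob's Step 4 checks Response^2 ≡ Commit · x^Challenge (mod N), the relations the soundness argument refers to; u is drawn from Z_N^* here, matching the equator's uniform Response; N = 77 is a constructed toy modulus.

```python
# Added example (not from the book): Prot 18.3 honestly, simulated, and cheated.
# Assumed (the page elides them): Response = u * y^Challenge (mod N) in Step 3,
# Bob checks Response^2 == Commit * x^Challenge (mod N) in Step 4.
import math
import secrets


def random_unit(N):
    """Uniform element of Z_N^* by rejection sampling."""
    while True:
        u = secrets.randbelow(N)
        if u and math.gcd(u, N) == 1:
            return u


def is_qr(x, primes):
    """Euler's criterion: x is in QR_N iff x mod p is in QR_p for every odd
    prime p | N (the membership rule the text restates after Fact 5).
    Used only to label the constructed instance; Bob never needs it."""
    return all(pow(x, (p - 1) // 2, p) == 1 for p in primes)


def prover_commit(N):
    u = random_unit(N)                          # Step 1
    return u, pow(u, 2, N)


def prover_respond(N, u, y, challenge):
    return (u * pow(y, challenge, N)) % N       # Step 3 (assumed form)


def verifier_accepts(N, x, commit, challenge, response):
    # Step 4: with Challenge = 0, Response must be a root of Commit; with
    # Challenge = 1, a root of Commit * x, exactly as the soundness argument says.
    return pow(response, 2, N) == (commit * pow(x, challenge, N)) % N


def run_proof(N, x, y, m):
    """Honest run with y^2 = x (mod N); True iff Bob accepts all m rounds."""
    for _ in range(m):
        u, commit = prover_commit(N)
        challenge = secrets.randbelow(2)        # Step 2
        response = prover_respond(N, u, y, challenge)
        if not verifier_accepts(N, x, commit, challenge, response):
            return False
    return True


def equator(N, x, m):
    """The equator of the text: Response_i and Challenge_i are picked first,
    then Commit_i = Response_i^2 / x^Challenge_i (mod N).  No root of x needed."""
    x_inv = pow(x, -1, N)
    transcript = []
    for _ in range(m):
        response = random_unit(N)
        challenge = secrets.randbelow(2)
        commit = (pow(response, 2, N) * pow(x_inv, challenge, N)) % N
        transcript.append((commit, challenge, response))
    return transcript


def cheating_commit(N, x, guess):
    """A prover with x in QNR_N has no square root to answer with (Fact 2), so
    she guesses Bob's bit in advance: Commit = u^2 * x^(-guess), Response = u.
    The round passes iff Bob's Challenge equals guess, i.e. with probability 1/2."""
    u = random_unit(N)
    commit = (pow(u, 2, N) * pow(pow(x, -1, N), guess, N)) % N
    return commit, u


# Constructed instance for N = 7 * 11 = 77:
#   23 = 10^2 mod 77 is a residue with root y = 10;
#   24 is a non-residue mod 7 and mod 11, so it is in QNR_77 while its Jacobi
#   symbol is (+1)(... ) = (-1)(-1) = +1, which is why Bob cannot spot it himself.
N_TOY, X_QR, Y_ROOT, X_QNR = 77, 23, 10, 24

if __name__ == "__main__":
    print("honest proof accepted:", run_proof(N_TOY, X_QR, Y_ROOT, 10))
    print("equated rounds all verify:",
          all(verifier_accepts(N_TOY, X_QR, c, ch, r) for c, ch, r in equator(N_TOY, X_QR, 10)))
```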
18.4.2.2 ZK Proof of Quadratic Non-residuosity
A protocol for the ZK proof of quadratic non-residuosity can also be constructed using the idea in Prot 18.3. The basic idea is the following.
For common input x ∈ QNR_N, Bob can challenge Alice at random using either Challenge ← r^2 (mod N) or Challenge' ← x·r^2 (mod N), where r is a random element in . Clearly, Challenge ∈ QR_N, and Alice can see this and answer YES. On the other hand, if x is indeed in QNR_N, then by Fact 3, Challenge' ∈ QNR_N; also, Alice can see this and answer NO.
By repeatedly challenging Alice with so-constructed random elements either in QR_N or in QNR_N, Bob can verify x ∈ QNR_N from Alice's consistently correct answers to his random challenges. The detailed formulation of this protocol can be found in [126].
ZK proofs of quadratic residuosity and non-residuosity have a good application in proving correct encryption of an arbitrary bit string where the encryption algorithm is Goldwasser-Micali probabilistic encryption (Alg 14.1). This application is useful for deriving the important theoretic result which we have discussed in §18.2.3.

18.5 Protocols with Two-sided-error
For all ZK (proof or argument) protocols studied so far, we have invariantly seen that their completeness probability expression (18.2.2) is always characterized by the value 1, and their soundness probability expression (18.2.3) is always characterized by a value > 0. With the value 1, these protocols have perfect completeness, that is, if the prover does not cheat, then the verifier will always accept a proof. Using the terminology for the error probability characterization of randomized algorithms which we have studied in §4.4, we can say that all these protocols have one-sided error in the Monte Carlo subclass (i.e., in the "always fast and probably correct" subclass, see §4.4.3). For such a protocol, a one-sided error may occur on the prover's (Alice's) side, that is, may cheat and try to "prove" x ∈ L while in fact x ∉ L, and Bob may be fooled into accepting her "proof" (although the soundness error probability can be made arbitrarily small by sequentially and independently repeating proofs).
Some ZK protocols can have verifier-side (Bob-side) errors too. That is, the completeness probability expression (18.2.2) is characterized by a value < 1. Such protocols are said to have two-sided errors, or are in the Atlantic City subclass (i.e., in the "probably fast and probably correct" subclass, see §4.4.5). Let us now see one such protocol.
18.5.1 Zero-knowledge Proof of Two-prime Integers
A very useful application of the ZK proof of quadratic residuosity is to prove that an odd composite integer N has exactly two prime factors, i.e., N ∈ E_2_Prime, or is a valid RSA modulus.
In §4.7, the language E_2_Prime was called an ensemble. Any element in this language is an odd composite integer which has two distinct prime factors. In §4.7 we regarded this language as indistinguishable from another ensemble (language) E_3_Prime, which is the set of odd composite integers with three distinct prime factors.
Let Alice construct a large N ∈ E_2_Prime such that she knows the factorization (e.g., she constructs it by multiplying two distinct odd primes together). She can prove to Bob in perfect ZK that N ∈ E_2_Prime. Such a proof will make use of the three number-theoretic facts used by Prot 18.3 plus the following two additional facts:
Fact 4 If N ∈ E_2_Prime, then precisely half of the elements in J_N(1) are quadratic residues, i.e., . This is because only half of these elements can have the positive Legendre symbol modulo both prime factors; the other half must have the negative Legendre symbol modulo both prime factors in order to have the positive Jacobi symbol.
Fact 5 If N ∉ E_2_Prime and N is not a prime or prime power, then at most a quarter of the elements in J_N(1) are quadratic residues, i.e., . This is the generalization of Fact 4 to

the cases of N having 3 or more distinct prime factors. Remember, for x to qualify for membership in QR_N, it requires x (mod p) ∈ QR_p for each prime p | N; with r distinct prime factors, only one of the 2^(r−1) sign patterns of Legendre symbols that give Jacobi symbol +1 consists of residues modulo every factor, which is why the fraction drops to 1/2^(r−1) ≤ 1/4.
In Fact 5, we require that N is not a prime power. If N is a prime power, i.e., N = p^i for p an odd prime and i > 1 an integer, then the count fails in a different way: for odd i the Jacobi symbol modulo N equals the Legendre symbol modulo p, so all elements in J_N(1) are quadratic residues, while for even i every element of Z_N^* has Jacobi symbol +1 and exactly half of them are squares, which is indistinguishable from the honest case of Fact 4. Fortunately, a prime power can be factored easily (review the hints in Exercises 8.7 and 8.8), so Bob can rule this case out before the protocol starts.
Prot 18.4 allows Alice to conduct a perfect ZK proof of membership in E_2_Prime.
Let us now investigate the security properties of Prot 18.4.
18.5.1.1 Security Properties
First of all, it is clear that the perfect ZK-ness of Prot 18.4 directly follows from that of Prot 18.3. Below we only analyze the completeness and soundness properties.
Protocol 18.4: ZK Proof that N Has Two Distinct Prime Factors
COMMON INPUT: a composite integer N;
Alice's Private Knowledge: the factorization of N;
OUTPUT TO Bob: N ∈ E_2_Prime.
1. Bob checks that N is not a prime or a prime power (e.g., applying Prime_Test against prime, and using the hint in Exercise 8.7 to factor a prime power);
2. Bob picks a set Challenge of m random numbers in J_N(1), and sends Challenge to Alice;
3. Denote by x_1, x_2, ..., x_k all the squares in Challenge (Alice can identify them because she knows the factorization of N); Alice proves to Bob that these k elements are in QR_N using Prot 18.3;
4. If k ≥ 3m/8, Bob accepts, else he rejects.
(* here 3/8 is a "practical minority election criterion," the midpoint between the honest-case fraction 1/2 of Fact 4 and the cheating-case bound 1/4 of Fact 5; see 4.4.1.2 where we discussed the "majority election criterion"; this protocol cannot use that criterion simply because elements in QR_N are not the majority in J_N(1); we will explain in 18.5.1.2 why we have chosen this "election criterion" *)
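The following Python script is an added example, not code from the book: it brute-forces Facts 4 and 5 on small constructed moduli (N = 7·11, 3·5·7, 7^3 and 7^2, the last two showing the prime-power exceptions) and then simulates a run of Prot 18.4 with Bob's 3/8 criterion, once for an honest N = 1009·1013 and once for a cheating N = 1009·1013·1019 (primes constructed for the example). Alice's step-3 classification uses Euler's criterion modulo each prime factor; the Prot 18.3 sub-proofs for each square are not implemented, since the point here is Bob's counting rule. All function names are ours.

```python
# Added example (not the book's code): Facts 4/5 by brute force, and a run of Prot 18.4.
import math
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for an odd positive n (0 if gcd(a, n) > 1)."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_square_mod(x, primes):
    """Alice's private test: x is in QR_N iff x mod p is in QR_p for every prime p | N
    (Euler's criterion modulo each factor). Only a party knowing the factorization can run it."""
    return all(pow(x % p, (p - 1) // 2, p) == 1 for p in primes)


def qr_count_in_j1(n):
    """Brute force for a small odd n: (#QR_n, #J_n(1)). Every square has Jacobi symbol +1,
    so the first number is also the number of quadratic residues inside J_n(1)."""
    units = [x for x in range(1, n) if math.gcd(x, n) == 1]
    squares = {x * x % n for x in units}
    j1 = [x for x in units if jacobi(x, n) == 1]
    return len(squares), len(j1)


def bob_challenges(n, m, rng):
    """Step 2 of Prot 18.4: m uniformly random elements of J_n(1), by rejection sampling."""
    out = []
    while len(out) < m:
        x = rng.randrange(2, n)
        if math.gcd(x, n) == 1 and jacobi(x, n) == 1:
            out.append(x)
    return out


def run_prot_18_4(primes, m=2000, seed=1):
    """One run of Prot 18.4 for N = product(primes): Alice identifies the squares among Bob's
    challenges (step 3; Prot 18.3 sub-proofs omitted) and Bob accepts iff k >= 3m/8 (step 4).
    Returns (accepted, k)."""
    n = math.prod(primes)
    rng = random.Random(seed)
    k = sum(1 for x in bob_challenges(n, m, rng) if is_square_mod(x, primes))
    return 8 * k >= 3 * m, k


if __name__ == "__main__":
    for n in (7 * 11, 3 * 5 * 7, 7 ** 3, 7 ** 2):
        print(n, qr_count_in_j1(n))        # 77 -> (15, 30), 105 -> (6, 24), 343 -> (147, 147), 49 -> (21, 42)
    print(run_prot_18_4([1009, 1013]))        # honest N in E_2_Prime: accepted, k near 1000
    print(run_prot_18_4([1009, 1013, 1019]))  # three prime factors: rejected, k near 500
```

The honest run lands at about m/2 squares and the three-factor run at about m/4, which is exactly the gap the 3/8 threshold is placed in the middle of.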
Completeness
Consider that Alice has honestly constructed N ∈ E_2_Prime. However, after a run of the protocol Bob may still reject. This is because it just happened that fewer than 3/8 of the random
challenges picked by Bob were squares (bad luck for Alice!). Such a rejection is possible because the completeness probability of this protocol is strictly less than 1.
In the other protocols we have seen so far, the verifier will not tolerate any error, not even a single one in multiple rounds of repetition. Those protocols are all one-sided-error protocols: if the prover does not cheat, then the completeness probability is exactly 1 and therefore the verifier should of course not tolerate even a single error. Here in Prot 18.4, because each challenge is a square with probability exactly 1/2 when Alice does not cheat (see Fact 4), Bob may happen to choose more than half non-residues, so he should tolerate a certain number of errors. However, if the number of errors exceeds a pre-fixed criterion, then Bob should consider that Alice is cheating and reject.
If Alice does not cheat but is rejected, we say an event BadLuckAlice occurs. Given the pre-fixed criterion for Bob to reach a decision, let us estimate the probability of BadLuckAlice. We have chosen 3/8 as the criterion, that is, if Bob sees a fraction of 3/8 or more of the challenges being quadratic residues, he accepts, else he rejects. We will explain why we have chosen this criterion in 18.5.1.2.
After m rounds of repetition, let us estimate the completeness probability. We consider the following equivalent form of the completeness probability bound which manifests the event BadLuckAlice more meaningfully. Under the condition m = #Challenge < #J_N(1), event BadLuckAlice is the outcome of m Bernoulli trials (see 3.5.2) with k "successes" and m − k "failures", summed over all cases of k < 3m/8. Since Alice has constructed N ∈ E_2_Prime, for Challenge containing random elements of J_N(1), in each Bernoulli trial the probabilities of "success" and "failure" are both 1/2. Applying the binomial distribution function for the "left tail" given in 3.5.2 (noticing to sum all possible cases of k which offend Bob, i.e., all k < 3m/8), we obtain the probability of BadLuckAlice as the sum of the binomial terms with k < 3m/8 and success probability 1/2, and the completeness probability as 1 minus that sum.
This is a "left tail" of the binomial distribution function (see 3.5.2.1 for the meaning of a "left tail") because the point 3m/8 is to the left of the central point m/2.
To make BadLuckAlice negligibly small, we have to choose m = 2000 (reason to be provided in 18.5.1.2). For m = 2000 this "left tail" is a negligibly small value, and therefore the completeness probability for m = 2000 is overwhelming. So if Alice does not cheat, Bob will accept with an overwhelming probability.
By the Law of Large Numbers (3.5.3), the larger the number of challenges Bob picks, the larger
the completeness probability value will be. By the way, if Bob picks all #J_N(1) elements of J_N(1) as challenges (though impractical), the completeness probability becomes 1, i.e., no completeness error (BadLuckAlice) can occur, since then exactly half of the challenges are squares.
Soundness
For the other side of the error, let us suppose that Alice has dishonestly constructed N ∉ E_2_Prime (i.e., N has more than two distinct prime factors). Still, Bob may accept Alice's "proof." This is because it just happens that 3/8 or more of the random challenges picked by Bob are quadratic residues (bad luck for Bob!).
Denote by BadLuckBob the conditional event of N ∉ E_2_Prime while Bob accepts. For randomly chosen Challenge, we know from Fact 5 that now a Bernoulli trial has success probability at most 1/4 and failure probability at least 3/4. Applying the binomial distribution formula by summing all cases of k ≥ 3m/8 which cause Bob to accept, we obtain the soundness error probability after m rounds as a "right tail" of the binomial distribution function: the sum of the binomial terms with k ≥ 3m/8 and success probability 1/4 (an upper bound, since the true per-trial probability may be even smaller).
For m = 2000 this right tail is negligibly small. It will be very foolish for Alice to try to cheat and expect not to be caught!
To this end we have completed our investigation of the ZK, completeness and soundness properties of Prot 18.4.
18.5.1.2 The Choice of the "Election Criterion"
When Alice does not cheat, the completeness probability bound for one round is exactly 1/2, i.e., exactly half of the elements in J_N(1) are quadratic residues, so Prot 18.4 cannot use the "majority election criterion" given in 4.4.1.1 to enlarge the completeness probability. Our choice of the criterion 3/8 is the middle point between 1/2 (Alice does not cheat) and 1/4 (Alice cheats). This choice makes the two "bad luck" events roughly equally (im)probable.
This is a "minority election criterion." Thanks to the Law of Large Numbers (3.5.3), as long as the cheating-case probability 1/4 is strictly smaller than the honest-case probability 1/2, we can choose the middle point between them as the criterion and repeat multiple rounds (m) to reduce the soundness error probability and enlarge the completeness probability. So a cheating Alice can be differentiated from an honest
one, with a high confidence of the correct judgement, after repeating sufficiently many rounds.
In order for both "bad luck" events to be negligibly small, which is usually considered, by "rule of thumb," to be 2^-100 (we have been sticking to this rule for all the protocols introduced so far in this chapter), we have to use 2000 as the number of repetitions. If we reduce m down from 2000 significantly, then the two error probability bounds will deteriorate drastically. For example, let m = 100 (which is usually considered an "acceptable" number of repetitions, again according to our "rule of thumb"); then we will have a completeness probability of about 0.993 (so BadLuckAlice occurs with probability about 1 − 0.993 = 0.007) and a soundness error probability of about 0.0052 (the probability of BadLuckBob). These error probability bounds are far from satisfactory since the two "bad luck" events are too probable (i.e., the probabilities for both "bad luck" events are too significant).
In general, when the honest-case and the cheating-case per-round probabilities are close, two-sided-error protocols are not efficient.
Several authors have proposed more efficient, one-sided-error (completeness probability = 1) ZK protocols for showing N having two prime factors, e.g., van de Graaf and Peralta [291], Camenisch and Michels [63], Gennaro, Micciancio and Rabin [120]. The protocol introduced here, which is based on a protocol proposed by Berger, Kannan and Peralta [32], is conceptually the simplest. The other important reason for us to have chosen to introduce this protocol is its two-sided-error feature, which is a rare property in ZK protocols and hence we want the reader to gain some familiarity with it.
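To see where the numbers in the discussion above come from, here is an added Python example (not the book's code) that computes the two binomial tails exactly with rational arithmetic, for the accept rule k ≥ 3m/8 with m = 100 and m = 2000. Function names are ours. For m = 100 it gives a completeness probability of about 0.994 and a soundness bound of a few thousandths, the same order as the figures quoted above (the exact digits depend on how the boundary count is rounded), and for m = 2000 both bad-luck probabilities fall far below 2^-80.

```python
# Added example (not the book's code): exact tails behind the "minority election criterion".
from fractions import Fraction
from math import comb


def bob_accepts(m, k):
    """Step 4 of Prot 18.4: accept iff the number k of squares among m challenges is >= 3m/8."""
    return 8 * k >= 3 * m


def accept_probability(m, p):
    """Exact Pr[Bob accepts] when each of the m challenges is a square independently with
    probability p (a Fraction): the binomial sum over all k with bob_accepts(m, k)."""
    num, den = p.numerator, p.denominator
    total = sum(comb(m, k) * num ** k * (den - num) ** (m - k)
                for k in range(m + 1) if bob_accepts(m, k))
    return Fraction(total, den ** m)


def completeness(m):
    """Honest N in E_2_Prime: exactly half of J_N(1) are squares, so p = 1/2 (Fact 4).
    1 - completeness(m) is Pr[BadLuckAlice], the left tail below 3m/8."""
    return accept_probability(m, Fraction(1, 2))


def soundness_error(m):
    """Cheating N with >= 3 prime factors: at most a quarter of J_N(1) are squares (Fact 5).
    p = 1/4 maximises the right tail, so this is an upper bound on Pr[BadLuckBob]."""
    return accept_probability(m, Fraction(1, 4))


def criterion():
    """The election criterion: the midpoint between the honest (1/2) and cheating (1/4) rates."""
    return (Fraction(1, 2) + Fraction(1, 4)) / 2


if __name__ == "__main__":
    print("criterion =", criterion())
    for m in (100, 2000):
        bad_alice = 1 - completeness(m)
        bad_bob = soundness_error(m)
        print(f"m={m}: Pr[BadLuckAlice]={float(bad_alice):.3e}  Pr[BadLuckBob]<={float(bad_bob):.3e}")
```

Rational arithmetic is used deliberately: at m = 2000 the tails are around 10^-28 and smaller, where a floating-point summation of 2001 terms would lose the answer to rounding.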

18.6 Round Efficiency
Let us now consider Question II listed in 18.1: how few interactions are needed for a prover to convince the verifier? This is the so-called round efficiency question. A round means a complete cycle of message sending and receiving actions. Because many ZK (and IP) protocols generally involve Commit (a first move by P), Challenge (a move by V) and Response (a second move by P), we often refer to such three moves as a round.
As we have seen, in general a ZK protocol can achieve a reduction of an error probability by repeating a plural number of rounds sequentially. For the case of the completeness probability, which bounds the probability in (18.2.2) from below, we consider 1 minus it as an error probability bound from above. As in the case of soundness, such an error probability bound (bounded from above) should be as low as possible. In order to objectively measure the round efficiency of a ZK protocol, we should consider the error probabilities obtained in one single round. The lower a single-round error probability is, the better the round efficiency of the protocol.
Roughly three different magnitudes of single-round error probabilities classify protocols into three different classes of round efficiency.
Logarithmic-round Protocols All ZK protocols we have studied so far, with the exception of Prot 18.4, have constant error probabilities in a single round, e.g., 1/2, or a value expressed in terms of log_2 log_2 n (for log_2 n being a security parameter, such as in the case of Prot 18.1 or Schnorr's Identification Protocol, we equate log log n to a constant). In order to reduce the error probability to a negligibly small quantity, i.e., a quantity bounded by 1/(log n)^c for all constants c, a protocol with a constant error probability must repeat log n rounds. Such a protocol is therefore called a logarithmic-round (log-round) protocol.
Polynomial-round Protocols The round efficiency of a log-round protocol is in fact measured by a linear polynomial in the security parameter. Some ZK protocols have higher-order polynomials for their round-efficiency measures. A ZK protocol for an arbitrary NP language via a general polynomial reduction to an NPC problem (see 18.2.3) is a polynomial-round (poly-round) protocol.
Prot 18.4 is a poly-round protocol. First, it has a larger number of rounds due to its two-sided-error property. Secondly, in each round, Prot 18.4 calls another log-round protocol (Prot 18.3).
Constant-round (or single-round) Protocols If a ZK protocol can achieve a negligibly small error probability in a small constant number of rounds (or in a single round), then there is no need to repeat running log-many rounds. Such a protocol is therefore called a constant-round (or a single-round) protocol.
Much research effort has been focused on improving the round efficiency of ZK protocols, and many results have been obtained. Let us now look at two such results, for subgroup membership and for discrete logarithm problems.
In 18.6.1 we will derive a lower-bound round-efficiency result for ZK arguments of subgroup membership for subgroups of Z_N^* with N an odd composite. This is a negative result in that the lower bound is log-round, i.e., there exists no constant-round protocol for this membership proof.
In 18.6.2 we will study a constant-round protocol for ZK proof of discrete logarithm equality for elements in a finite field. This is a positive result and is a significant round-efficiency improvement over Schnorr's Identification Protocol (Prot 18.2).

18.6.1 Lower-bound Round Efficiency for Subgroup Membership
Let us reconsider the subgroup membership (argument) problem tackled by Prot 18.1. Now it is for the case that f(x) is realized as in 18.3.3.1; that is,
    f(x) = g^x (mod N)
where N is a large odd composite number and g has a large multiplicative order modulo N. In this realization, we know that <g> is a proper subgroup of Z_N^*, that is, the subset <g> has fewer than φ(N) elements. This is because Z_N^* is non-cyclic.
Now, we also let the prover Alice know the factorization of N. (Recall that in 18.3.3 we did not allow Alice to know the factorization of N, and hence the variation of the protocol there was computational ZK.) Knowing the factorization of N permits Alice to conduct a perfect ZK proof of y ∈ <g>.
Now we ask:
    For f(x) = g^x (mod N) with Alice knowing the factorization of the composite integer N, can the round efficiency of Prot 18.1 be improved by enlarging the size of Bob's challenge as we did in Schnorr's Identification Protocol?
Recall that, e.g., in Schnorr's Identification Protocol (Prot 18.2), we made a slight enlargement of the challenges: Challenge ∈ {0, 1}^(log_2 log_2 p). Consequently, the variant protocol achieves an improved performance: fewer rounds suffice than the m rounds needed in Prot 18.1, while maintaining the soundness error probability unchanged.
Unfortunately, if Alice knows the factorization of N, then a round-efficiency improvement using this challenge-enlargement method is no longer possible. The problem is not with the ZK property; it is with the soundness error probability. The protocol has a lower-bound soundness error probability of 1/2, regardless of how large a challenge is used. With this constant and significant soundness error probability, the protocol has to be a log-round one. Galbraith, Mao and Paterson observe this fact [117], which we shall expose now.
To make the exposition explicit, let us investigate the soundness probability of a single-round three-move protocol which uses a large challenge (and hence, as we have studied in 18.3.2, the protocol is honest-verifier ZK). As we shall see, the result of the investigation applies to any size of challenge larger than one bit.
Here we specify an honest-verifier zero-knowledge protocol named "Not To Be Used" (Prot 18.5) for showing subgroup membership where the subgroup is one of Z_N^*. We must warn the reader that Prot 18.5 is not intended for any application use; we specify it only for the purpose of revealing a problem.

At first glance of Prot 18.5 it seems that because Challenge is large, Alice cannot guess it easily and therefore she has to follow the protocol instructions, which would result in a soundness error probability at the level of 1/φ(N). If this were true, then this protocol would indeed be a single-round one. Unfortunately, this soundness probability estimate is incorrect. Example 18.4 demonstrates a cheating method.
Example 18.4.
From now on we refer to the prover as the cheating Alice, since what she does in the following is dishonest.
Knowing the factorization of N, the cheating Alice can easily compute a non-trivial square root of 1, i.e., an element ξ such that ξ ≢ ±1 while ξ^2 ≡ 1 (mod N). Square-root extraction can be done using Alg 6.5. She can choose ξ such that ξ ∉ <g>.
Now, the cheating Alice computes the common input as
    Y ≡ ξ·g^z (mod N).
Clearly, Y ∉ <g>, i.e., Y is in the coset ξ<g>. We explicitly notice that Y ∉ <g> since ξ ∉ <g> (see the properties of cosets in the proof of Definition 5.1, 5.2.1).
Instead of computing Commit by following the protocol instructions, the cheating Alice flips a fair coin b ∈_U {0, 1} as her guess of the parity of Bob's challenge. She then computes Commit as follows:
    Commit ≡ ξ^b · g^k (mod N).
In the remainder of the protocol she proceeds as instructed by the protocol specification, i.e., Response ≡ k + z·Challenge (mod φ(N)).
Clearly, her guess is correct with odds 1/2. When she has correctly guessed an even Challenge = 2u (so b = 0), Bob's verification step is:
    g^Response ≡ g^(k + 2uz) ≡ g^k · (ξ^2)^u · g^(2uz) ≡ Commit · Y^Challenge (mod N),
and hence Bob will accept. When she has correctly guessed an odd Challenge = 2u + 1 (so b = 1), Bob's verification step is:
    g^Response ≡ g^(k + (2u+1)z) ≡ ξ·g^k · ξ^(2u+1) · g^((2u+1)z) ≡ Commit · Y^Challenge (mod N),
since ξ^(2u+2) ≡ 1 (mod N), and hence Bob will accept too.

Therefore, regardless of how large Bob's challenge is, we can only obtain 1/2 as the single-round soundness error probability for Prot 18.5. That is why we have named this protocol "Not To Be Used."
Protocol 18.5: "Not To Be Used"
COMMON INPUT: N: a large odd composite integer;
    g, y: two elements in Z_N^* satisfying
        g has a large order modulo N;
        y ≡ g^z (mod N);
Alice's PRIVATE INPUT: an integer z < φ(N);
OUTPUT TO Bob: y ∈ <g>, i.e., y ≡ g^z (mod N) for some z.
1. Alice picks a random k and computes Commit ≡ g^k (mod N); she sends Commit to Bob;
2. Bob picks a uniformly random Challenge < N and sends it to Alice;
3. Alice computes Response ≡ k + z·Challenge (mod φ(N)); she sends Response to Bob;
4. Bob accepts if g^Response ≡ Commit · y^Challenge (mod N), or rejects otherwise.
Since Bob does not know the factorization of N, he cannot decide subgroup membership by himself alone (see Remark 18.1 and the discussion after it for the difficulty). Hence Bob has no way to prevent the cheating Alice from cheating by the method given in Example 18.4, other than the soundness error probability of 1/2 that her parity guess already leaves her. Enlarging the challenge size does not help at all!
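As an added example (not the book's code), the following Python script carries out Example 18.4 against Prot 18.5 on a constructed toy modulus N = 1009·1013: it builds a non-trivial square root ξ of 1 by the Chinese Remainder Theorem, checks the honest transcript, runs the cheating transcript for a right and a wrong parity guess, and measures the cheating prover's acceptance rate for 1-bit and for full-size challenges. Function and constant names (crt2, cheat_transcript, cheating_success_rate, PHI_N, and so on) are ours. The two primes are chosen ≡ 1 (mod 4) so that ξ has Jacobi symbol +1; the consequence, which is our own observation rather than a claim from the book, is that even a Bob who additionally checks the Jacobi symbol of the common input Y cannot see that Y ∉ <g>.

```python
# Added example (not the book's code): the cheating method of Example 18.4 against Prot 18.5.
import random

# Constructed toy parameters. p, q ≡ 1 (mod 4), so the square root of 1 built below has Jacobi
# symbol +1 modulo N: checking the Jacobi symbol of Y gives Bob nothing.
P, Q = 1009, 1013
N = P * Q
PHI_N = (P - 1) * (Q - 1)


def crt2(r1, p, r2, q):
    """Chinese Remainder Theorem for coprime p, q: the x < pq with x ≡ r1 (mod p), x ≡ r2 (mod q)."""
    return (r1 + p * (((r2 - r1) * pow(p, -1, q)) % q)) % (p * q)


def nontrivial_sqrt_of_one(p, q):
    """xi ≡ 1 (mod p), xi ≡ -1 (mod q): xi^2 ≡ 1 (mod pq) but xi ≢ ±1. Needs the factorization."""
    return crt2(1, p, q - 1, q)


def bob_verifies(n, g, y, commit, challenge, response):
    """Step 4 of Prot 18.5: g^Response ≡ Commit * y^Challenge (mod N)."""
    return pow(g, response, n) == commit * pow(y, challenge, n) % n


def honest_transcript(n, phi_n, g, z, k, challenge):
    """Honest Alice with y = g^z: Commit = g^k, Response = k + z*Challenge mod phi(N)."""
    y = pow(g, z, n)
    return bob_verifies(n, g, y, pow(g, k, n), challenge, (k + z * challenge) % phi_n)


def cheat_transcript(n, phi_n, g, z, xi, k, b, challenge):
    """Cheating Alice of Example 18.4: common input Y = xi*g^z (not in <g>), Commit = xi^b * g^k,
    where b is her guess of the parity of Bob's challenge; Response as in the honest protocol."""
    y_fake = xi * pow(g, z, n) % n
    commit = pow(xi, b, n) * pow(g, k, n) % n
    return bob_verifies(n, g, y_fake, commit, challenge, (k + z * challenge) % phi_n)


def in_subgroup(y, g, n):
    """Brute-force test y ∈ <g>. Feasible only for toy N; Bob cannot do this at real sizes."""
    x = 1
    while True:
        if x == y:
            return True
        x = x * g % n
        if x == 1:
            return False


def cheating_success_rate(trials, challenge_bound, seed=7):
    """Fraction of runs in which Bob accepts the cheating prover, with Bob's challenge drawn
    uniformly from [0, challenge_bound). Bound 2 models a 1-bit challenge; bound N models Prot 18.5."""
    rng = random.Random(seed)
    g = pow(2, 4, N)   # a 4th power, so <g> holds only 4th powers; xi is not one (1013 ≡ 5 mod 8)
    xi = nontrivial_sqrt_of_one(P, Q)
    z = rng.randrange(1, PHI_N)
    wins = 0
    for _ in range(trials):
        k = rng.randrange(1, PHI_N)
        b = rng.randrange(2)
        wins += cheat_transcript(N, PHI_N, g, z, xi, k, b, rng.randrange(challenge_bound))
    return wins / trials


if __name__ == "__main__":
    print("1-bit challenges :", cheating_success_rate(4000, 2))
    print("full challenges  :", cheating_success_rate(4000, N))
```

Both rates come out near 1/2: the challenge size changes nothing about the odds of the parity guess, which is the whole point of the example.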
We notice that the problem in Example 18.4 didn't show up in the (computational ZK) protocol in 18.3.3.2 where we also used a similar way to realize f(x), i.e., f(x) = a^x (mod N) with N being an odd composite. Recall that that protocol uses bit challenges, and hence its soundness error probability is the same value, 1/2. We also notice that Schnorr's Identification Protocol is immune to this problem because the group <g> in that protocol is of prime order q, which does not contain any element of order less than q except for the identity element.
Using a non-trivial square root of 1 modulo N provides the cheating Alice with the maximum probability value, 1/2, for a successful cheating. Using the trivial case ξ = −1 (the other trivial case ξ = 1 does not constitute an attack) seems to allow Bob to obtain a better conviction: either Y or −Y is in <g>. However, because the cheating Alice knows the factorization of N while Bob doesn't, she may also blind g^k using another small-order multiplier, e.g., an order-3 one, which she can compute using
t he Chi nese Remai nder Theor em ( Theor em 6. 7 i n 6. 2. 3, usi ng CRT, can comput e
el ement s of any or der d| ( N) ) . Thus, t he soundness er ror pr obabi l i t y cannot be a negl i gi ble
val ue. Pr ot 18. 1 r emai ns bei ng t he onl y ver si on f or showi ng ( ZK argument ) subgr oup
member shi p pr obl em for t he gener al set t i ng of secur i t y paramet ers, which i ncl ude t he cases of
subgroups of .
To t hi s end, we concl ude t hat , i n gener al , ZK subgr oup membershi p i s a loground pr obl em.
I n an appl i cat ion of ZK pr ot ocol t o be i nt r oduced i n t he next chapt er we wil l need t o show
subgroup member ship i n . However , i n t hat appl i cat i on we cannot aff ord t he cost of usi ng a
l og- r ound pr ot ocol . Ther e we wi l l use a speci al set t i ng f or N t o get around of t he pr obl em.
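The small-order multipliers this passage relies on are cheap to build once the factorization of N is known. The Python below is an added example, not code from the book: it constructs, by CRT, a non-trivial square root of 1 and an element of order 3 modulo N = pq, using toy primes p = 7 and q = 11 chosen here for illustration (any d | p − 1 works for the order-d element).

```python
"""Small-order multipliers modulo N = p*q via the Chinese Remainder Theorem.

Added example, not code from the book: shows how a prover who knows the
factorization of N can produce the blinding elements discussed above.
Toy primes p = 7, q = 11 are constructed here for illustration only.
"""


def crt2(a1, n1, a2, n2):
    """Return x in [0, n1*n2) with x = a1 (mod n1) and x = a2 (mod n2), gcd(n1, n2) = 1."""
    t = ((a2 - a1) * pow(n1, -1, n2)) % n2
    return (a1 + n1 * t) % (n1 * n2)


def mult_order(u, n):
    """Exact multiplicative order of u modulo n by repeated multiplication (toy sizes only)."""
    k, x = 1, u % n
    while x != 1:
        x = (x * u) % n
        k += 1
    return k


def element_of_order(d, p):
    """Return an element of exact order d in Z_p^* for prime p with d | p - 1."""
    if (p - 1) % d != 0:
        raise ValueError("d must divide p - 1")
    for g in range(2, p):
        u = pow(g, (p - 1) // d, p)   # the order of u divides d
        if mult_order(u, p) == d:
            return u
    raise ValueError("no element of that order")


def nontrivial_sqrt_of_one(p, q):
    """x = -1 (mod p), x = 1 (mod q): a square root of 1 modulo N other than +-1."""
    return crt2(p - 1, p, 1, q)


def small_order_multiplier(d, p, q):
    """Element of order d modulo N = p*q: order d modulo p, trivial modulo q."""
    return crt2(element_of_order(d, p), p, 1, q)


def blind(gk, u, n):
    """The cheating prover's move: replace g^k by g^k * u with u of small order."""
    return (gk * u) % n


if __name__ == "__main__":
    p, q = 7, 11
    N = p * q
    s = nontrivial_sqrt_of_one(p, q)
    u3 = small_order_multiplier(3, p, q)
    print(f"N={N}: sqrt(1)={s} ({s}^2 mod N = {pow(s, 2, N)}), "
          f"order-3 element={u3} (order {mult_order(u3, N)})")
```

Running it prints N = 77, the square root 34 (34^2 ≡ 1 mod 77) and the order-3 element 67; multiplying g^k by either of them yields a value outside <g> that Bob, lacking the factorization, has no efficient way to recognise.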
18.6.2 Constant-round Proof for Discrete Logarithm
Schnorr's Identification Protocol (Prot 18.2) allows a ZK argument of possession of the discrete logarithm of an element in the finite field F_p. We have seen that it is a log-round protocol.

Now we show that for the same problem tackled by Schnorr's Identification Protocol, a ZK proof with constant-round efficiency can be achieved. This is due to a protocol of Chaum [72]. Let us name that protocol Chaum's ZK Dis-Log-EQ Proof Protocol. It is for ZK proof of two elements having the same discrete logarithm value.

We shall introduce Chaum's ZK Dis-Log-EQ Proof Protocol using the security parameter setting which is the same as that for Schnorr's Identification Protocol. That is, let element g ∈ F_p with p being an odd prime and ord_p(g) = q with q also being an odd prime (hence q | p − 1). We denote G = <g>.

Chaum's ZK Dis-Log-EQ Proof Protocol uses an additional element h ∈ <g> with h ≠ g and h ≠ 1. Prot 18.6 specifies Chaum's protocol.

From the protocol specification we see that the protocol has four message exchanges and it only needs to be run once. We shall see in the soundness analysis that this single-round protocol achieves 1/q as the soundness error probability. Hence, Chaum's ZK Proof of Dis-Log Protocol is extremely efficient.

Let us now investigate the security properties of this protocol.

18.6.2.1 Security Properties of Chaum's ZK Proof of Dis-Log Protocol

Completeness

By direct observation of the protocol, it is straightforward to obtain 1 as the completeness probability. That is, if Alice has z and follows the protocol instructions, Bob will always accept.

Soundness

We shall see that Chaum's ZK Dis-Log-EQ Protocol is a proof protocol, that is, the prover Alice can be a computationally unbounded party. For this purpose, we will not put any restriction on Alice's computational resources in our analysis of the soundness property.

Suppose that Alice cheats. So the common input values (p, q, g, h, X, Y) satisfy the following condition of discrete logarithm inequality:

Equation 18.6.1

In order to let Bob accept her proof, i.e., let his verification in Step 5 pass, Alice must send to Bob, in Step 2, the value Response satisfying

Equation 18.6.2

In other words, Alice, after having received a, b from Bob, must decommit her committal value c which satisfies (18.6.2). With a, b fixed by Bob in Step 1, and with Commit_A, Response fixed in Step 2, (18.6.2) says that c is also fixed in Step 2. In other words, Alice cannot change c after she has sent out her commitments in Step 2.

With c fixed in Step 2, we have:

Equation 18.6.3
Protocol 18.6: Chaum's ZK Proof of Dis-Log-EQ Protocol

COMMON INPUT:

p, q: two primes satisfying q | p − 1;
(* typical size setting: |p| = 1024, |q| = 160 *)

g, h: ord_p(g) = ord_p(h) = q, g ≠ h;
(* Bob checks: g ≠ 1, h ≠ 1, g ≠ h, g^q ≡ h^q ≡ 1 (mod p) *)

X, Y: X = g^z (mod p), Y = h^z (mod p);

PRIVATE INPUT of Alice: z ∈ Z_q;

OUTPUT TO Bob: Alice knows some z such that X ≡ g^z (mod p) and Y ≡ h^z (mod p), or log_g X ≡ log_h Y (mod q).

1. Bob picks a, b ∈_U Z_q and computes Commit_B ← g^a h^b (mod p); he sends Commit_B to Alice;
(* Commit_B is Bob's challenge *)

2. Alice picks c ∈_U Z_q; she computes Commit_A ← Commit_B · g^c (mod p) and Response ← Commit_A^z (mod p); she sends Commit_A, Response to Bob;

3. Bob discloses to Alice: a, b;
(* Bob decommits his committals in order to show his correct construction of his challenge *)

4. Alice verifies whether Commit_B ≡ g^a h^b (mod p); if the equality holds, she discloses c to Bob, otherwise she aborts;
(* Alice only decommits if Bob has properly constructed his challenge; Bob's correct construction of his challenge implies that he already knows X^a Y^b (mod p), the value to be disclosed by Alice *)

5. Bob verifies Commit_A ≡ Commit_B · g^c (mod p) and Response ≡ X^c X^a Y^b (mod p); if both equalities hold, he accepts, otherwise he rejects.
and from (18.6.2) we also have:

Equation 18.6.4

Since h ∈ <g> (because ord_p(h) = q; Bob can confirm this by checking h ≠ 1 and h^q ≡ 1 (mod p)), we can write h ≡ g^d (mod p) for some d ∈ Z_q, d ≠ 0 (mod q). Consequently, (18.6.3) can be rewritten in the following equivalent form:

Equation 18.6.5

Analogously, using (18.6.1), we can also rewrite (18.6.4) into:

Equation 18.6.6

For z ≠ z' (mod q), (18.6.5) and (18.6.6) form a linear congruence system in the unknowns (a, b). The matrix of this linear congruence system is of full rank (rank = 2). By a simple fact in linear algebra, this system has a unique solution pair (a, b). This solution pair satisfies Bob's construction of Commit_B in Step 1 and his verification in Step 5.

However, in Step 2, when Alice fixed c, she only had one equation, (18.6.5). From that equation she has exactly q distinct pairs (a, b). Each of these q pairs satisfies (18.6.5), but only one of them also satisfies (18.6.6), which is Bob's verification in Step 5. Thus, even computationally unbounded, the probability for Alice to pinpoint the correct pair (a, b) in Step 2 is precisely 1/q.

To this end, we have not only obtained 1/q as the soundness error probability for a single-round run of Chaum's protocol, but also shown that the protocol provides a proof of the discrete logarithm equality (i.e., not an argument).
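The protocol and its soundness argument as runnable code. This is an added example written for this page, not code from the book: it models each step of Prot 18.6 for toy primes p = 1019, q = 509 (the book's setting is |p| = 1024, |q| = 160) and also produces the equator's transcript from the perfect-ZK analysis that follows, so that completeness, the 1/q soundness error and the simulation can each be exercised.

```python
"""Chaum's ZK Dis-Log-EQ Proof Protocol (Prot 18.6) as a runnable model.

Added example, not code from the book. Parameters are toy-sized primes
constructed here (p = 1019, q = 509) instead of the book's |p| = 1024,
|q| = 160, so the run is instant; the step numbering follows Prot 18.6.
"""
import random

P = 1019          # odd prime, P - 1 = 2 * 509
Q = 509           # odd prime dividing P - 1
G = pow(2, 2, P)  # a quadratic residue != 1 has order Q in Z_P^*
H = pow(3, 2, P)  # second element of <G>, H != G


def bob_checks_params(p, q, g, h):
    """Bob's checks on the common input: q | p-1, g != 1, h != 1, g != h, g^q = h^q = 1 (mod p)."""
    return ((p - 1) % q == 0 and g != 1 and h != 1 and g != h
            and pow(g, q, p) == 1 and pow(h, q, p) == 1)


def bob_step1(p, g, h, a, b):
    """Step 1: Bob's challenge Commit_B <- g^a h^b (mod p)."""
    return pow(g, a, p) * pow(h, b, p) % p


def alice_step2(p, g, z, commit_b, c):
    """Step 2: Commit_A <- Commit_B g^c, Response <- Commit_A^z (mod p)."""
    commit_a = commit_b * pow(g, c, p) % p
    response = pow(commit_a, z, p)
    return commit_a, response


def alice_step4(p, g, h, commit_b, a, b):
    """Step 4: Alice discloses c only if Bob's challenge really is g^a h^b (mod p)."""
    return commit_b == bob_step1(p, g, h, a, b)


def bob_step5(p, g, x, y, commit_b, commit_a, response, a, b, c):
    """Step 5: Commit_A = Commit_B g^c and Response = X^c X^a Y^b (mod p)."""
    return (commit_a == commit_b * pow(g, c, p) % p
            and response == pow(x, c, p) * pow(x, a, p) * pow(y, b, p) % p)


def run(p, q, g, h, x, y, z, rng):
    """One full run with fresh a, b, c; returns Bob's verdict (None if Alice aborts)."""
    a, b = rng.randrange(q), rng.randrange(q)
    commit_b = bob_step1(p, g, h, a, b)
    c = rng.randrange(q)
    commit_a, response = alice_step2(p, g, z, commit_b, c)
    if not alice_step4(p, g, h, commit_b, a, b):
        return None
    return bob_step5(p, g, x, y, commit_b, commit_a, response, a, b, c)


def simulate_transcript(p, q, g, h, x, y, rng):
    """The equator of the perfect-ZK argument: a transcript with the real
    distribution, computed from public values only (no z)."""
    a, b, c = rng.randrange(q), rng.randrange(q), rng.randrange(q)
    commit_b = bob_step1(p, g, h, a, b)
    commit_a = commit_b * pow(g, c, p) % p
    response = pow(x, c, p) * pow(x, a, p) * pow(y, b, p) % p
    return commit_b, commit_a, response, a, b, c


def demo(seed=2024):
    """Honest run, a run where log_g X != log_h Y, and a simulated transcript."""
    rng = random.Random(seed)
    z = rng.randrange(1, Q)
    x, y = pow(G, z, P), pow(H, z, P)
    y_bad = pow(H, (z + 1) % Q, P)        # same X, but log_h Y != z
    sim = simulate_transcript(P, Q, G, H, x, y, rng)
    return {
        "params_ok": bob_checks_params(P, Q, G, H),
        "honest": run(P, Q, G, H, x, y, z, rng),
        "cheating": run(P, Q, G, H, x, y_bad, z, rng),
        "simulated_passes": bob_step5(P, G, x, y, *sim),
    }


if __name__ == "__main__":
    print(demo())
```

In demo(), the run with log_h Y ≠ log_g X is rejected unless Bob happened to draw b = 0, which is exactly the 1/q soundness error derived above (with b = 0 the term Y^b drops out of Bob's check); the simulated transcript passes Bob's Step 5 check although it was produced without z.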
Perfect Zero-knowledge-ness
Finally, let us investigate the ZK property for Prot 18.6.

The protocol is in fact perfect ZK. Let us construct an equator (simulator) to create a transcript which has the identical distribution to a proof transcript. For the common input tuple (p, q, g, h, X, Y), the equator performs the following simple and efficient steps:

1. picks a, b ∈_U Z_q and computes Commit_B ← g^a h^b (mod p);

2. picks c ∈_U Z_q; computes Commit_A ← Commit_B · g^c (mod p) and Response ← X^c X^a Y^b (mod p);

3. outputs Transcript = Commit_B, Commit_A, Response, a, b, c.

It is trivial to check that Transcript has the identical distribution as a proof transcript.

There is a different but more convincing way to manifest the perfect ZK-ness of Chaum's protocol. First, if a dishonest Bob fools around by sending out an invalid challenge, i.e., Commit_B is not properly constructed, then he will receive nothing. Secondly, if Bob does send a correctly constructed challenge using (a, b), then he already knows, right at the beginning of Step 1, the value to be "disclosed" by Alice, which is X^a Y^b (mod p). In both cases, Bob gets absolutely no new information about Alice's private input!
18.6.2.2 Discussions
Chaum's ZK Dis-Log-EQ Protocol can be used as an identification protocol. In this application, the pair (g, X) can be a user's public key material which is certified by a key certification authority (CA, see §13.2).

Computing g^a h^b (mod p) and X^c X^a Y^b (mod p) can use Alg 15.2 to achieve a cost similar to computing a single modulo exponentiation. So the cost for Alice and Bob is roughly three modulo exponentiations for each party. At this cost, the proof achieves a negligibly small error probability against Alice's cheating. In comparison, Schnorr's Identification Protocol will require Alice and Bob to compute log_2 log_2 p ≈ 10 (in case of p ≈ 2^1024) modulo exponentiations in order to achieve a similarly low error probability.

The unrestricted computational resource for the prover makes the protocol usable in applications in which the prover is a powerful party, such as a government agency.

Although the soundness proof is a strong one, it does not show that Alice necessarily knows the discrete logarithm value. All it has shown is that she has answered with a correct exponentiation. Maybe she has used somebody else as an exponentiation oracle. In Schnorr's Identification Protocol, two correct answers, even if a prover obtains them from an oracle, form a knowledge extractor to extract the discrete logarithm value, and this is the basis for the forking lemma technique for proving the unforgeability of a triplet ElGamal signature (see §16.3.2). Here in Chaum's protocol, two correct answers do not form a knowledge extractor for the discrete logarithm value.

Chaum proposes this protocol for an undeniable signature scheme [72] (also Chaum and van Antwerpen [74]). An "undeniable signature scheme" provides a proof of authorship of a document using an interactive protocol in place of the signature verification procedure of an ordinary signature scheme. Hence, it enables the signer to choose signature verifiers, and thereby protects the signer's right to the privacy of its signatures. This may be useful in certain applications where a publicly verifiable signature is not desirable. For example, a software vendor puts digital signatures on its products so that it can authenticate its products as genuine copies and virus free, but only wants paying customers to be able to verify the validity of these signatures. Using undeniable signatures the vendor can prevent a pirate from convincing others of the quality of the pirated copies of the software.

18.7 Non-interactive Zero-knowledge
We have seen that ZK protocols, as interactive protocols, generally require interactions. Although in the cases of single-round or constant-round protocols (e.g., Chaum's ZK Proof of Dis-Log-EQ Protocol) the number of interactions is small, the need for interaction means that both prover and verifier must be on-line at the same time. If a ZK proof (or argument) can be achieved without interaction, then a "mono-directional" communication means can be used. Such a communication means can have several advantages.

Consider an imaginary case of P, V being mathematicians (a scenario imagined in [44]). The former may want to travel the world while discovering proofs for new mathematical theorems and may want to prove these new theorems to the latter in ZK. In this scenario, non-interactive proof is necessary because P may have no fixed address and will move away before any mail can reach it. These two fancy users will appreciate non-interactive ZK proof.

In the beginning of Chapter 15 we discussed a more realistic application of non-interactive ZK proof: constructing a public-key encryption scheme provably secure against the CCA2 attacker (although our purpose in introducing it in Chapter 15 was to advise against such an approach to a secure encryption scheme). At any rate, the possibility of conducting a non-interactive ZK proof (or argument) is always a useful add-on feature.

Blum, Feldman and Micali propose a method for achieving non-interactive ZK (NIZK) if P and V share random challenge bits [44]. The shared random challenge bits may be served by a third party who is mutually trusted by P and V (such a mutually trusted random source is called a random beacon by Rabin [239], "randomness from the sky"). It is also possible that the two parties generated them when they were together (e.g., before the fancy mathematician's departure for trotting the world).

In §18.3.2.2 we introduced the Fiat-Shamir heuristic as a general method for constructing a non-interactive "proof of knowledge."[b] However, the non-interaction achieved using the Fiat-Shamir heuristic comes at the cost of losing the ZK property: "proof in the dark" is turned into proof "in the open," i.e., it becomes publicly verifiable.

[b] We will always use the quoted form for the phrase "proof of knowledge" derived from the Fiat-Shamir heuristic because, rigorously speaking, it is an argument of knowledge, see §18.4.1.

Jakobsson, Sako and Impagliazzo devise an interesting technique which uses the Fiat-Shamir heuristic while maintaining the "proof in the dark" property [153]. They name their technique designated verifier proofs: if Alice conducts a proof for Bob to verify, then only Bob can be convinced of the validity of the proof. Anybody else will view the proof as either conducted by Alice, or simulated by Bob.

18.7.1 NIZK Achieved using Designation of Verifier

The NIZK technique of Jakobsson et al. is achieved by Alice constructing a non-interactive "proof of knowledge" from the Fiat-Shamir heuristic for the following logical expression:

"Alice's claim is true" ∨ "Bob has simulated Alice's proof"

Alice is able to construct a "proof" for this logical expression thanks to a primitive called trapdoor commitment (also called simulatable commitment by Brassard, Chaum and Crépeau [59]).

A trapdoor commitment is a special commitment which Alice constructs using a public key of Bob, who is the designated verifier. Let us denote by TC(w, r, y_B) a trapdoor commitment which is constructed using Bob's public key y_B. In this commitment, w is the committal value (committed by the principal who has constructed it) and r is a random input. Property 18.1 specifies two important properties of TC(w, r, y_B).

Property 18.1: Trapdoor Commitment Properties

i. Without the private component of y_B, the commitment is binding, i.e., there exists no efficient algorithm for computing a pair of collision w_1 ≠ w_2 such that TC(w_1, r, y_B) = TC(w_2, r', y_B).

ii. Using the private component of y_B, it is easy to compute any number of pairs of collision.

Example 18.5. A Trapdoor Commitment Scheme

Let (p, q, g) be the numbers in the common input of Schnorr's Identification Protocol. Let y_B = g^{x_B} (mod p) be Bob's public key where x_B ∈ Z_q is his private exponent.

If Alice wants to commit to value w ∈ Z_q, she picks r ∈_U Z_q and computes TC(w, r, y_B) ← g^w y_B^r (mod p). She can open (decommit) TC(w, r, y_B) by revealing the pair (w, r). We now confirm that TC(w, r, y_B) satisfies the two properties of a trapdoor commitment.

Confirming TC Property (i): Without knowing Bob's private key x_B, (w, r) is the only way for Alice to decommit. Suppose on the contrary that she also knows a different pair of decommitment values (w', r') with w' ≠ w (mod q) (hence r' ≠ r (mod q)). Then because

g^w y_B^r ≡ g^{w'} y_B^{r'} (mod p),

we obtain

g^{w − w'} ≡ y_B^{r' − r} ≡ g^{x_B (r' − r)} (mod p),

i.e., Alice knows x_B ≡ (w − w')(r' − r)^{−1} (mod q). This contradicts the assumption that Alice does not know x_B.

Confirming TC Property (ii): Using x_B, Bob can pick w_1, w_2, r_1 ∈_U Z_q with w_1 ≠ w_2 (mod q). Then he sets

r_2 ← r_1 + (w_1 − w_2) x_B^{−1} (mod q).

It is straightforward to check TC(w_1, r_1, y_B) = TC(w_2, r_2, y_B).
I n 18.3. 2. 2 we have seen t hat a "pr oof of knowl edge" obt ai ned fr om t he Fi at - Shami r heur ist i c
i s a t ri plet ( Commi t , Chal lenge, Response) whi ch i s const r uct ed by t he pr over Al i ce. I n t his
t r i pl et , Commi t i s a commi t ment i n which Al i ce commi t s a val ue k whi ch she cannot change once
commi t t ed.
I n t he NI ZK scheme of Jakobsson et al . , a pr oof is t he f ol lowi ng t upl e
Equ at i on 18 . 7. 1
Here t he pr efi x pai r ( w, r ) is Ali ce's decommi t ment f or TC( w, r , y
B
) . Thi s added pai r i s f or t he
purpose of all owi ng t he desi gnat ed ver if i er Bob t o use his t rapdoor i nfor mat i on t o fi nd col l i si ons.
Bob' s abi l i t y t o fi nd col l isi ons wi l l ent i t l e hi m t o si mul at e Al i ce' s pr oof .
Alice's Procedure to Construct Proof
Alice constructs the proof tuple in (18.7.1) as follows:
P.1 picking w, r ∈_U , computing  (mod p);
P.2 Commit is computed in the same way as that in the Fiat-Shamir heuristic: picking k ∈_U  and computing Commit ← g^k (mod p);
P.3 the generation of Challenge is usual: using a hash function (which may also take M as an optional message): Challenge ← h(TC(w, r, y_B) || Commit || [M]);
P.4 the computation of Response now also takes the committal w as input: Response ← k + x_A(Challenge + w) (mod q).
Bob's Verification Procedure

Given the proof tuple in (18.7.1) (maybe including the optional message M), Bob verifies using the following procedure:
V.1 Challenge ← h(TC(w, r, y_B) || Commit || [M]);
V.2 check ; accepts if checking passes, or rejects otherwise.
Now let us consider the security properties of this scheme.
18.7.1.1 Security Properties
Completeness
Alice's proof tuple in (18.7.1) is very similar to the case of (Commit, Challenge, Response) generated from the Fiat-Shamir heuristic. The only element which makes this "designated verifier proof" different from that obtained from the Fiat-Shamir heuristic is the additional value  (mod p): this additional value is multiplied to the right-hand side expression in Bob's verification procedure (step V.2). Thus, the scheme has a straightforward completeness property.
Soundness
Viewed by the designated verifier Bob, the value  (mod p) is fixed since w in it is fixed in TC(w, r, y_B) and, due to the TC property (i), Alice cannot change it unless she knows Bob's private key x_B. Therefore, if Bob is sure that his private key x_B is not known by Alice, then the multiplier  (mod p) is a constant, and consequently the triplet (Commit, Challenge, Response) is a Fiat-Shamir-heuristic based argument which is genuinely constructed by Alice. Thus, the soundness of this scheme is the same as that for an argument generated from the Fiat-Shamir heuristic. We remark that because the computational resource of Alice has to be polynomially bounded (to prevent her from inverting the hash function or Bob's public key), this scheme is an argument.
Perfect ZK-ness
Viewed by any other party, since Bob knows the trapdoor information x_B, the multiplier  (mod p) appearing in the right-hand side of the verification step (step V.2) is no longer a fixed constant. Instead, it can be any value freely manipulated by Bob. Indeed, because Bob can freely simulate TC(w, r, y_B), the proof tuple in (18.7.1) can be simulated perfectly. Let us now see the simulation.

Bob's Simulation Procedure
Bob picks Response, ,  ∈_U , and computes:
S.1 TC(w, r, y_B) ← g^ (mod p)
S.2 Commit ← g^Response  (mod p)
S.3 Challenge ← h(TC(w, r, y_B) || Commit || [M])
S.4 w ←  Challenge (mod q)
S.5 r ← ( w)/x_B (mod q)
S.6 He outputs the tuple (w, r, Commit, Challenge, Response) as the simulated proof.
We can confirm that this simulated proof is perfect.
First of all, due to step S.2, we have
then via step S.3, the right-hand side becomes
that is, we derive
as desired, which agrees with the verification step V.2.
Secondly, from step S.5, we have
Checking the construction of TC(w, r, y_B) in step S.1, the trapdoor commitment indeed has the correct construction.
Finally, it is easy to check that not only do these values have the correct construction as shown, they also have the same distributions as those generated by Alice. Therefore, Bob's simulation algorithm is an equating one. The perfect ZK-ness thus stands.
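The three procedures above (P.1 to P.4, V.1 to V.2 and S.1 to S.6) run end to end, as an added example that is not code from the book or from Jakobsson et al. It assumes TC(w, r, y_B) = g^w · y_B^r (mod p), reads the V.2 check as g^Response = Commit · y_A^(Challenge + w) (mod p) (which is what P.4 implies), names Bob's two extra simulator randomizers alpha and beta, uses SHA-256 reduced mod q as h, and uses a toy group p = 2039, q = 1019, g = 4 so that it runs instantly.

```python
# Added example (not the book's or Jakobsson et al.'s code). Assumptions:
# TC(w, r, y_B) = g^w * y_B^r (mod p); V.2 is g^Response = Commit * y_A^(Challenge + w)
# (mod p), as P.4 implies; simulator randomizers are called alpha and beta;
# h is SHA-256 reduced mod q; toy group p = 2039, q = 1019, g = 4 (toy sizes only).
import hashlib
import secrets

p, q, g = 2039, 1019, 4        # p = 2q + 1, g = 2^2 is a quadratic residue, so ord(g) = q


def h(tc: int, commit: int, msg: bytes = b"") -> int:
    """Hash h(TC || Commit || [M]) taken as an integer mod q."""
    data = f"{tc}||{commit}||".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def TC(w: int, r: int, y_B: int) -> int:
    """Trapdoor commitment: binding without x_B, equivocable with it (property (i))."""
    return pow(g, w, p) * pow(y_B, r, p) % p


def keygen():
    """Private key x in [1, q-1] and public key y = g^x (mod p)."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def alice_prove(x_A: int, y_B: int, msg: bytes = b""):
    """Steps P.1 to P.4: the genuine proof, which needs Alice's private key x_A."""
    w, r = secrets.randbelow(q), secrets.randbelow(q)          # P.1
    tc = TC(w, r, y_B)
    k = secrets.randbelow(q)                                   # P.2
    commit = pow(g, k, p)
    challenge = h(tc, commit, msg)                             # P.3
    response = (k + x_A * (challenge + w)) % q                 # P.4
    return w, r, commit, challenge, response


def bob_verify(proof, y_A: int, y_B: int, msg: bytes = b"") -> bool:
    """Steps V.1 and V.2; anyone can run this, a third party included."""
    w, r, commit, challenge, response = proof
    if not all(0 <= v < q for v in (w, r, challenge, response)):
        return False
    if challenge != h(TC(w, r, y_B), commit, msg):             # V.1
        return False
    lhs = pow(g, response, p)                                  # V.2
    rhs = commit * pow(y_A, (challenge + w) % q, p) % p
    return lhs == rhs


def bob_simulate(x_B: int, y_A: int, msg: bytes = b""):
    """Steps S.1 to S.6: a proof built from Bob's trapdoor x_B alone. Because it
    verifies exactly like Alice's, a verifying tuple convinces nobody but Bob."""
    response, alpha, beta = (secrets.randbelow(q) for _ in range(3))
    tc = pow(g, alpha, p)                                      # S.1
    commit = pow(g, response, p) * pow(y_A, (-beta) % q, p) % p   # S.2
    challenge = h(tc, commit, msg)                             # S.3
    w = (beta - challenge) % q                                 # S.4
    r = (alpha - w) * pow(x_B, -1, q) % q                      # S.5: makes TC(w, r, y_B) = g^alpha
    return w, r, commit, challenge, response                   # S.6
```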
18.7.1.2 Applications
Jakobsson et al. envision interesting applications of their "designated verifier proofs" technique. One is an efficient alternative to "undeniable signatures" (see our discussions in 18.6.2.2 on "undeniable signatures"): the optional message M in our description can be considered as a signature of Alice, but one which is only verifiable by the designated verifier Bob. Consider the application of a software vendor authenticating the genuineness of its product; if the vendor Alice uses a "designated verifier proof" for the buyer Bob to verify, then Bob cannot convince a third party of the genuineness of the copy he has bought, since he could simulate a "designated verifier proof."
The other good application is electronic voting. A voting center, after receiving a voter Carol's vote, must send a receipt to Carol to convince her that her vote has been correctly counted. Here, it is very important for the center to convince Carol of the correctness of the center's proof, while an armed coercer, Malice, must be prevented from coercing Carol to vote for the candidate of his choice. Now if the receipt is constructed using this "designated verifier proof," then Malice cannot check its correctness; clearly, Carol can simulate perfectly a receipt for the candidate of Malice's choice. This security service is called receipt-free electronic voting, which has been studied by Benaloh and Tuinstra [30].

18.8 Chapter Summary
In this chapter we have conducted a study on zero-knowledge protocols.
We began with introducing interactive proof systems, in which we identified that IP protocols are closely related to the complexity class  which we have studied in Chapter 4. This identification leads us to a better understanding of problems in . After our study of Chapter 4 we know that for a language , the question  is easy (hard) if an algorithm does (not) have a witness to work with. Now, after our study of this chapter, we further know in a more intuitive way that the same decision problem is easy (hard) if a verifier does (not) have a prover to work together with.
We then identified several notions of zero-knowledge-ness: perfect, honest-verifier, computational and statistical; differentiated the notions of proof and argument; considered a protocol with a two-sided-error error probability characterization; investigated the round-efficiency problem; and finally, studied non-interactive zero-knowledge protocols. In our introduction of each of these notions, we provided practical protocols for concrete exemplification. In this way of study, we hope that zero-knowledge protocols, though considered an advanced cryptographic topic, become accessible for readers who wish to develop information security systems which provide rather fancy services yet are practical.
Zero-knowledge protocols are an active research area in cryptography (and one connecting it to theoretical computer science). For readers who intend to conduct a further study of the subject, this chapter serves as an elementary introduction to the notions and concepts which are necessary for understanding, yet not introduced in, the advanced research papers.

Exercises
18.1 Explain the following notions in ZK protocols:
i. Common input.
ii. Private input.
iii. Random input.
iv. Completeness.
v. Soundness.
vi. Proof transcript.
vii. Cheating prover.
viii. Dishonest verifier.
ix. Equatability.
x. Simulatability.
18.2 Differentiate the following notions:
i. Perfect ZK.
ii. Honest-verifier ZK.
iii. Computational ZK.
iv. Statistical ZK.
v. ZK proof.
vi. ZK argument.
vii. Proof of knowledge.
18.3 The non-repudiation service provided by a digital signature means a proof of knowledge that a signer owns exclusively a private key (knowledge) which has enabled him/her to issue the signature. What is the difference between this sense of proof of knowledge and that offered by a ZK protocol?
18.4 Can a perfect-ZK protocol be a ZK argument one? Can a computational-ZK protocol be a proof one?
18.5 In a ZK protocol, does a prover have to have a polynomially bounded computing power? Answer the same question for a verifier.

18.6 Why cannot Schnorr's Identification Protocol be a constant-round one?
18.7 Show the completeness property for Schnorr's Identification Protocol (Prot 18.2).
18.8 In the computational ZK protocol described in 18.3.3.2, we have discussed that Alice can choose her committal from the set  for any small and fixed  > 0. Why?
18.9 Prove Fact 3 in 18.4.2.1.
18.10 Some ZK protocols use multiple rounds to reduce the (soundness) error probability. Usually, the verifier will only accept a proof if no error is detected in any round. Can this "election criterion" be used for protocols with two-sided error?
18.11 Why cannot Prot 18.4 use the "majority election criterion?"
18.12 Why is a two-sided-error protocol not efficient, in particular when the behavior of an honest prover and that of a cheating one are similar in a single round of message exchange?
18.13 What is a constant-round (log-round, poly-round) protocol?
18.14 Can Prot 18.6 be simplified to an honest-verifier version with three moves only?
Hint: if Alice performs modulo exponentiation directly on Bob's challenge, then moves 2, 3 and 4 can be compressed into a single message transmission.
18.15 What is the danger in the "honest-verifier" version of Prot 18.6 suggested in the preceding problem?
Hint: review the fourth bullet point discussed in 18.6.2.2.
18.16 What is a trapdoor commitment?
18.17 What are applications of a non-interactive ZK protocol?

Chapter 19. Returning to "Coin Flipping Over Telephone"
The first cryptographic protocol of this book, "Coin Flipping Over Telephone" (Prot 1.1), is specified using a "magic function" f. Let us recap two properties of this function (Property 1.1):
I. For every integer x, it is easy to compute f(x) from x, while given any value f(x) it is impossible to find any information about a pre-image x, e.g., whether x is an odd or even number.
II. It is impossible to find a pair of integers (x, y) satisfying x ≠ y and f(x) = f(y).
So far, this "magic function" remains magic. No supporting evidence for the two uses of the word "impossible" has been provided, let alone the provision of a concrete realization of the function (and hence of Prot 1.1).
In fact, in 1.2.1 we did suggest a practical way to realize Prot 1.1: realizing the function f using a practical hash function such as SHA-1. In the SHA-1 realization, for any integer x, the result f(x) can be coded into 40 hexadecimal characters and so it is practical for Alice to read f(x) to Bob over the phone. We have also mentioned that that realization is good enough for the two friends to decide a recreation venue.
However, there are plenty of cryptographic applications in which two untrusted communication partners need to use mutually trusted random numbers. Such applications will have much more serious security consequences than that of playing a lighthearted game. For example, a standard attacking technique which we have witnessed in numerous attacks throughout this book boils down to tricking a naive user into providing an oracle service in which the user performs a cryptographic operation on an innocent-looking "random" number. If a user knows with high confidence that a random number to be dealt with, whether or not it is from an oracle service request, is a genuine one, then many such attacks will no longer work. Therefore, genuine randomness and the knowledge that a random-looking number is indeed random matter very much for cryptographic systems' security.
To see another reason behind the need for a trustworthy random source, let us recall the preceding chapter, where we have seen that honest-verifier zero-knowledge protocols need mutually trusted random challenges. These random challenges should not be derived from a hash function. A dishonest verifier can attack an honest-verifier ZK protocol precisely because (s)he can use a hash function to generate a "random"-looking challenge (review 18.3.2.1). Therefore a realization of Prot 1.1 (a coin-flipping protocol for generating mutually trusted random numbers, not merely for deciding recreation venues) using a SHA-1-like practical hash function, as we suggested in Chapter 1, is certainly unsuitable for these applications.
Yet another reason behind the unsuitability of a practical hash function for a coin-flipping protocol is the difficulty of conducting a precise security analysis. Such an analysis is necessary if the protocol is for serious applications.
The final protocol for this book is a concrete realization of the first protocol of the book. After our study through the book, we are now technically ready to provide a good realization for Prot 1.1. This realization is the famous "Coin-Flipping-by-Telephone" Protocol of Blum [43].

19.1 Blum's "Coin-Flipping-By-Telephone" Protocol
Blum's remote coin-flipping protocol is specified in Prot 19.1. The protocol runs in parallel, allowing two untrusted parties to agree on a mutually trusted random number m bits long. As in Prot 1.1, in Blum's protocol it is also the case that Alice flips a coin and Bob guesses the sides.
Blum's protocol uses a large composite integer N = PQ where P, Q are two large primes satisfying
After the publication of Blum's protocol [43], such integers are named Blum integers. Blum integers have many useful properties for cryptographic use. In 6.7 we have studied some number theory facts about Blum integers. Some of these facts will be useful here for us to analyze the security properties of Blum's protocol.
Let us first provide a security analysis for Blum's remote coin-flipping protocol. After the security analysis, we shall measure the efficiency of the protocol.
Protocol 19.1: Blum's "Coin-Flipping-by-Telephone" Protocol
(* this protocol lets Alice and Bob agree on a string of mutually trusted random bits of length m; like in the case of Prot 1.1, Alice flips a coin and Bob guesses *)
CONVENTION
Each party digitally signs each message sent to the other party.
Each party aborts a run if any verification (including that for a digital signature) shows inconsistency.
1. Bob generates a large Blum integer N = PQ and sends N to Alice;
2. Alice picks m random numbers: x_1, x_2, ..., x_m ∈_U ; the values  (i = 1, 2, ..., m) are her coin-flipping results; she computes , , ...,  (mod N); she sends y_1, y_2, ..., y_m to Bob;
3. Bob picks random signs b_1, b_2, ..., b_m ∈_U {1, -1} as his guesses on the signs of  for i = 1, 2, ..., m; he sends these signs to Alice;
(* Bob has finished his guessing of Alice's coin flipping *)
4. Alice reveals x_1, x_2, ..., x_m to Bob;
(* Alice has told Bob the correctness of his guessing *)
5. Bob verifies  (mod N) for i = 1, 2, ..., m; he reveals P, Q to Alice;
6. Alice verifies P ≡ Q ≡ 3 (mod 4) and conducts primality tests on P and Q;
7. Both compute the agreed random bits as  (for i = 1, 2, ..., m).
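Prot 19.1 run end to end, together with the point made in 19.2 that a cheating Alice would have to factor N, as an added example that is not code from the book or from Blum. It assumes toy 32-bit primes, takes the agreed bit of step 7 (whose formula did not survive extraction) to be 1 when Bob's guess b_i equals the Jacobi symbol (x_i/N) and 0 otherwise, and leaves out the CONVENTION of signing every message.

```python
# Added example (not code from the book or from Blum): Prot 19.1 run end to end,
# plus the Sec. 19.2 point that a cheating Alice would have to factor N.
# Assumed: toy 32-bit primes; step 7's bit (formula lost in extraction) is 1 when
# Bob's guess b_i equals the Jacobi symbol (x_i/N), else 0; message signing omitted.
import math
import secrets

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                      # factor out 2: (2/n) = -1 iff n = 3, 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                            # reciprocity: swap, flip if both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin; used by Bob in step 1 and by Alice's check in step 6."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def bob_generate_blum_integer(bits: int = 32):
    """Step 1: N = PQ with P, Q distinct primes, both = 3 (mod 4)."""
    primes = []
    while len(primes) < 2:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 3   # top bit set, c = 3 mod 4
        if is_probable_prime(c) and c not in primes:
            primes.append(c)
    P, Q = primes
    return P * Q, P, Q

def alice_flip(N: int, m: int):
    """Step 2: x_i in Z_N^*, coin i is (x_i/N); only y_i = x_i^2 mod N is sent."""
    xs = []
    while len(xs) < m:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:                # an x sharing a factor with N would leak it
            xs.append(x)
    return xs, [x * x % N for x in xs]

def bob_verify_squares(N: int, xs, ys) -> bool:
    """Step 5: each revealed x_i must square to the committed y_i."""
    return len(xs) == len(ys) and all(x * x % N == y for x, y in zip(xs, ys))

def alice_verify_blum(N: int, P: int, Q: int) -> bool:
    """Step 6: the revealed P, Q must make N a genuine Blum integer."""
    return (P * Q == N and P != Q and P % 4 == 3 and Q % 4 == 3
            and is_probable_prime(P) and is_probable_prime(Q))

def agreed_bits(N: int, xs, bs):
    """Step 7 (assumed formula): 1 where Bob's guess matched (x_i/N), else 0."""
    return [1 if b == jacobi(x, N) else 0 for x, b in zip(xs, bs)]

def run_protocol(m: int = 16):
    N, P, Q = bob_generate_blum_integer()                   # 1. Bob -> Alice: N
    xs, ys = alice_flip(N, m)                               # 2. Alice -> Bob: y_1..y_m
    bs = [secrets.choice((1, -1)) for _ in range(m)]        # 3. Bob -> Alice: b_1..b_m
    if not bob_verify_squares(N, xs, ys):                   # 4. Alice -> Bob: x_1..x_m
        raise ValueError("Bob aborts: revealed x_i do not match y_i")
    if not alice_verify_blum(N, P, Q):                      # 5. Bob -> Alice: P, Q
        raise ValueError("Alice aborts: N is not a Blum integer")
    return N, agreed_bits(N, xs, bs)                        # 6./7. both compute the same bits

def collision_with_trapdoor(N: int, P: int, Q: int, x: int) -> int:
    """A root z of x^2 with (z/N) = -(x/N) exists, but building it takes P, Q:
    CRT with z = x mod P and z = -x mod Q, where (-1/Q) = -1 since Q = 3 mod 4."""
    t = (-2 * x * pow(P, -1, Q)) % Q
    return (x + P * t) % N

def factor_from_collision(N: int, z1: int, z2: int) -> int:
    """Sec. 19.2: such a collision forces z1 != +-z2, so gcd(z1 - z2, N) is a proper
    factor; cheating in step 4 is therefore as hard for Alice as factoring N."""
    if z1 * z1 % N != z2 * z2 % N or jacobi(z1, N) == jacobi(z2, N):
        raise ValueError("not a Jacobi-symbol collision")
    return math.gcd(z1 - z2, N)
```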

19.2 Security Analysis
In Blum's remote coin-flipping protocol, Alice flips a coin and Bob guesses the side. Therefore, in the analysis of the protocol's security we need to measure the difficulty for each of the two parties to mount an attack, in the following two possibilities:
Alice's Cheating
Can Alice find a way to flip a coin and later reveal to Bob HEADS or TAILS as she wishes?
Bob's Unfair Guessing Advantage
Can Bob's guessing advantage be different from 1/2?
We are able to answer these two questions quantitatively. First, Alice's cheating is as hard for her as factoring the Blum integer N. Secondly, Bob's guessing advantage is precisely 1/2. These are now analyzed separately.
Security Against Alice's Cheating
In order to cheat, Alice has to find a pair of collisions, i.e., two elements z_1, z_2 in Z_N^* satisfying z_1^2 ≡ z_2^2 (mod N) and (z_1/N) = −(z_2/N): the same committed value could then be opened with either sign of the Jacobi symbol.
Suppose that Alice can indeed find such a pair of collisions. By Theorem 6.18.(i), the two Jacobi symbols can only differ if z_1 ≢ ±z_2 (mod N), i.e., N divides neither z_1 − z_2 nor z_1 + z_2. To see this, suppose on the contrary that, e.g., z_1 ≡ −z_2 (mod N). Since N is a Blum integer, (−1/N) = 1, so (z_1/N) = (−z_2/N) = (z_2/N), which contradicts Alice's collision criterion.
Now from z_1^2 − z_2^2 = (z_1 − z_2)(z_1 + z_2) ≡ 0 (mod N)
and the fact that N divides neither z_1 − z_2 nor z_1 + z_2, we obtain (e.g.) gcd(z_1 + z_2, N) = P. That is, Alice has factored N.
We therefore conclude that Alice's difficulty in finding a pair of collisions is precisely that of factoring N, a reputably hard problem. Here, again, we have conducted a "reduction-to-contradiction" security analysis. We are satisfied to use the difficulty of factorization as our quantitative measure for the difficulty of the second "impossible" in the description of the "magic function" properties. In practice, it is a well-known infeasible problem, especially considering that Alice would have to do the factoring job in real time, during the protocol run. Note also that this argument protects Bob only because of the ordering of the protocol steps: Bob, who knows P and Q, can compute such collisions at will, so he must reveal the factorization only after Alice has opened all of her commitments.
Therefore, viewed by Alice, the function in Blum's protocol for sending the coin-flipping commitment is indeed one-way, with confidence based on a "pedigree" problem.
Bob's Guessing Advantage
We now show that Bob's guessing advantage is precisely 1/2.
For the i-th coin flip, Alice sends to Bob y_i = x_i^2 (mod N). Bob's job is to guess the sign of the Jacobi symbol (x_i/N) after seeing y_i. By Theorem 6.18.(iii), y_i has precisely two square roots with positive Jacobi symbol and precisely two with negative Jacobi symbol. Using Alg 6.5 (he knows P and Q) Bob can compute each of these four square roots, but there is no way whatsoever for him to know which root Alice has chosen, and so he has no way whatsoever to pinpoint the sign of the Jacobi symbol of Alice's chosen root. For Bob, the map from x_i to y_i is precisely a 2-to-1 mapping with respect to the sign of the Jacobi symbol. All he can do is a pure guess, which is correct with probability precisely 1/2.
This is our quantitative measure for the first "impossible" in the description of the "magic function" properties. This impossibility is absolute: it rests on no computational assumption, since, for an x_i chosen at random, y_i carries no information about the sign, even for a computationally unbounded Bob.
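The following Python program is an added example, not code from the book, that runs the protocol above end to end and then exercises both halves of the security analysis in 19.2. It assumes the conventions used in this chapter: Alice's commitment to x_i is y_i = x_i^2 mod N, Bob guesses the sign of the Jacobi symbol (x_i/N), and the i-th agreed bit is taken to be 1 exactly when Bob's guess was right. The digital signatures of the original protocol are omitted and 256-bit moduli are used so that the demonstration runs in well under a second; both are simplifications made here, not in the book. All function names (jacobi, is_probable_prime, gen_blum_modulus, square_roots, root_sign_counts, bob_collision, factor_from_collision, run_protocol) are this example's own.

```python
import math
import secrets

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a, result = a % n, 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity flips the sign iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # n > 1 at the end means gcd(a, n) > 1

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin (Monte-Carlo) primality test; Alice's check in step 6."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in small
    if any(n % sp == 0 for sp in small):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)    # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                                # a witness of compositeness
    return True

def gen_blum_modulus(bits: int) -> tuple:
    """Bob's step 1: N = PQ with distinct probable primes P = Q = 3 (mod 4)."""
    def blum_prime() -> int:
        while True:   # top bit forces the length; low bits 11 force c = 3 (mod 4)
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 3
            if is_probable_prime(c):
                return c
    p = q = blum_prime()
    while q == p:
        q = blum_prime()
    return p * q, p, q

def square_roots(y: int, p: int, q: int) -> list:
    """All four square roots of a residue y mod PQ (Alg 6.5 style; needs P and Q)."""
    n, rp, rq = p * q, pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)
    if rp * rp % p != y % p or rq * rq % q != y % q:
        raise ValueError("y is not a quadratic residue mod N")
    inv_q, inv_p = pow(q, -1, p), pow(p, -1, q)        # CRT recombination coefficients
    return sorted({(sp * q * inv_q + sq * p * inv_p) % n
                   for sp in (rp, p - rp) for sq in (rq, q - rq)})

def root_sign_counts(y: int, p: int, q: int) -> tuple:
    """Bob's view of a commitment: roots of y with Jacobi symbol +1 and -1 (always 2 and 2)."""
    signs = [jacobi(r, p * q) for r in square_roots(y, p, q)]
    return signs.count(1), signs.count(-1)

def bob_collision(y: int, p: int, q: int) -> tuple:
    """Only the holder of P, Q can do this: two roots of y with opposite Jacobi symbols."""
    roots = square_roots(y, p, q)
    return (next(r for r in roots if jacobi(r, p * q) == 1),
            next(r for r in roots if jacobi(r, p * q) == -1))

def factor_from_collision(n: int, z1: int, z2: int) -> int:
    """Section 19.2: a collision z1^2 = z2^2 (mod N) with z1 != +-z2 yields a factor of N."""
    if (z1 * z1 - z2 * z2) % n or (z1 - z2) % n == 0 or (z1 + z2) % n == 0:
        raise ValueError("not a non-trivial collision")
    # N | (z1 - z2)(z1 + z2) but N divides neither factor, so the gcd is P or Q
    return math.gcd(z1 + z2, n)

def run_protocol(m: int, bits: int = 256) -> dict:
    """One full run of the protocol; returns both parties' checks and the m agreed bits."""
    n, p, q = gen_blum_modulus(bits)                         # 1. Bob -> Alice: N
    xs = []
    while len(xs) < m:                                       # 2. Alice picks random x_i in Z_N^*
        x = secrets.randbelow(n - 2) + 2
        if math.gcd(x, n) == 1:
            xs.append(x)
    ys = [x * x % n for x in xs]                             #    Alice -> Bob: y_i = x_i^2 mod N
    guesses = [secrets.choice((1, -1)) for _ in range(m)]    # 3. Bob -> Alice: guessed signs
    bob_ok = all(x * x % n == y for x, y in zip(xs, ys))     # 4./5. Alice opens x_i; Bob checks
    alice_ok = (p * q == n and p % 4 == 3 and q % 4 == 3     # 5./6. Bob reveals P, Q; Alice checks
                and is_probable_prime(p) and is_probable_prime(q))
    bits_out = [int(jacobi(x, n) == g) for x, g in zip(xs, guesses)]   # 7. bit_i = 1 iff guess right
    return {"n": n, "p": p, "q": q, "xs": xs, "ys": ys, "guesses": guesses,
            "bob_ok": bob_ok, "alice_ok": alice_ok, "bits": bits_out}

if __name__ == "__main__":
    run = run_protocol(m=16)
    print("checks:", run["bob_ok"], run["alice_ok"], "bits:", run["bits"])
    z1, z2 = bob_collision(run["ys"][0], run["p"], run["q"])
    print("collision gives a factor of N:", factor_from_collision(run["n"], z1, z2) in (run["p"], run["q"]))
```

root_sign_counts makes the 2-to-1 argument concrete: given P and Q, Bob recovers all four roots of y_i and always finds exactly two of each sign, which is why seeing y_i leaves him with nothing better than an even guess. bob_collision and factor_from_collision make the other direction concrete: a pair of roots with opposite Jacobi symbols is exactly what Alice would need in order to open y_i either way, and gcd(z_1 + z_2, N) immediately returns a prime factor, so anyone who could produce such a pair without P and Q would be factoring N. Bob can produce such pairs, which is the reason the protocol has him reveal P and Q only after Alice has opened her commitments.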
19.3 Efficiency
Observing the protocol, we can measure the two parties' computational costs as follows.
Alice's Cost
Alice's main cost amounts to that of (i) computing m squarings, (ii) evaluating m Jacobi symbols and (iii) conducting two primality tests. Each squaring and each evaluation of a Jacobi symbol costs O_B((log N)^2). A primality test costs O_B((log N)^3). So if we consider m = log N, the total cost for Alice is C(log N)^3, where C is a small constant. This estimate covers the cost of generating and verifying digital signatures. In ordinary words, the total computational cost for Alice is at the level of performing several RSA encryptions.
In communication bandwidth, Alice sends 2(log N)^2 bits (considering m = log N): the m values y_i and then the m opened values x_i, each of log N bits.
Bob's Cost
It is easy to see that Bob's computational cost is Alice's plus that of generating an RSA modulus. So in ordinary words, Bob's computational cost is that of an RSA key generation plus several RSA encryptions. To express it formally, we can replace the constant C in Alice's cost expression with log N to obtain Bob's computational cost expression: O_B((log N)^4).
Bob's communication cost is much lower than Alice's, since he only needs to send the modulus, m random bits (his guesses) and the two prime factors of the modulus, which amounts to 3 log N bits.
Clearly, the costs for both parties are suitable for practical applications.
19.4 Chapter Summary
Our quantitative measures of the performance and security of Blum's "Coin-Flipping-by-Telephone" Protocol identify the following qualities of the protocol:
Strong and measurable security
We have seen from our security analysis in 19.2 that the eventual realization of the one-way function in the coin-flipping protocol is very strong in a measurable sense: one use of the word "impossible" is based on a one-way property from a "pedigree" problem, factorization, and the other "impossible" is in the absolute sense: unconditional.
Practical efficiency
We have also seen from our performance analysis in 19.3 that the protocol allows two parties to agree on a string of mutually trusted random bits of length m at the cost of performing several ordinary public-key cryptographic operations, where the public-key cryptosystem uses m as the security parameter. This efficiency is clearly suitable for practical applications.
Based on practical and available primitives
The protocol can use an ordinary digital signature scheme, and involves computing squarings and Jacobi symbols modulo a large integer and Monte-Carlo primality testing. These algorithms and operations are standard in most cryptographic algorithm libraries and are therefore widely available.
Thus, according to the criteria for good cryptographic algorithms, protocols and systems which we listed in Chapter 1, Blum's "Coin-Flipping-by-Telephone" Protocol is indeed a good protocol.
Chapter 20. Afterremark
Cryptography entered its modern era in the mid-1970s as the result of two events: publication of the US Data Encryption Standard and the discovery of public-key cryptography. The theoretical and practical importance of cryptography has since then successfully stimulated a proliferation of academic research advances and commercial application activities. To this day, modern cryptography has evolved into a vast area of study. With the ceaseless emergence of new ideas and techniques, the area is still on its course of steady growth.
In this book, we have confined ourselves to the study of a chosen small but important part of modern cryptography. The selected part includes techniques, schemes, protocols and systems which either have been playing the roles of the most common building blocks in the construction of information security systems (e.g., cryptographic primitives in Chapters 7–10 and basic authentication protocol constructions in Chapter 11), or have found the widest range of applications (e.g., real-world authentication systems in Chapter 12 and fit-for-application encryption and signature schemes in Chapters 15–16), or are likely to have a great potential and impact in building future and "fancy" applications of electronic business, commerce and services (e.g., identity-based schemes in Chapter 13 and zero-knowledge protocols in Chapter 18).
With this focus, we are able to conduct a systematic and in-depth study of the selected techniques under several aspects which have importance not only for proper uses of the selected techniques in applications but also for the further development of methodologies for information security. These aspects are:
revelations of general weaknesses in "textbook" cryptographic schemes and protocols;
strengthening security notions to fit-for-application versions;
introduction to fit-for-application cryptographic schemes and protocols;
formal methodologies and techniques for security analysis; and
exemplified formal establishment of strong security evidence for some schemes and protocols.
In addition, we have also conducted a study of the theoretical foundations of modern cryptography, with which we intend to provide the reader with introductory material to help her/his further exploration of the vast domain of modern cryptography.
Bibliography
[1] M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. Technical Report DEC SRC Technical Report 125, Digital Equipment Corporation, November 1995.
[2] M. Abadi and P. Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology, 15(2):103–127, Spring 2002.
[3] M. Abadi and M.R. Tuttle. A semantics for a logic of authentication (extended abstract). In Proceedings of Tenth Annual ACM Symposium on Principles of Distributed Computing, pages 201–216, August 1991.
[4] M. Abdalla, M. Bellare, and P. Rogaway. DHAES: an encryption scheme based on the Diffie-Hellman problem. Submission to IEEE P1363: Asymmetric Encryption, 1998. Available at grouper.ieee.org/groups/1363/P1363a/Encryption.html.
[5] C. Abrams and A. Drobik. E-business opportunity index: the EU surges ahead. Research Note, Strategic Planning, SPA-10-7786, GartnerGroup RAS Services, 21 July 2000.
[6] C. Adams, P. Cain, D. Pinkas, and R. Zuccherato. Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP). The Internet Engineering Task Force Request For Comments (IETF RFC) 3161, August 2001. Available at www.ietf.org/rfc/rfc3161.txt.
[7] C. Adams and S. Farrell. Internet X.509 Public Key Infrastructure Certificate Management Protocols. The Internet Engineering Task Force Request For Comments (IETF RFC) 2510, March 1999. Available at www.ietf.org/rfc/rfc2510.txt.
[8] M. Agrawal, N. Kayal, and N. Saxena. PRIMES is in P. Online News, August 2002. www.cse.iitk.ac.in/users/manindra/primality.ps.
[9] A.V. Aho, J.E. Hopcroft, and J.D. Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley Publishing Company, 1974.
[10] W. Aiello, S.M. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A.D. Keromytis, and O. Reingold. Efficient, DoS-resistant, secure key exchange for Internet Protocols. In B. Christianson et al., editor, Proceedings of Security Protocols, Lecture Notes in Computer Science 2467, pages 27–39. Springer-Verlag, 2002.
[11] W. Aiello, S.M. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A.D. Keromytis, and O. Reingold. Efficient, DoS-resistant, secure key exchange for Internet Protocols. In Proceedings of ACM Conference on Computer and Communications Security (ACM-CCS'02), pages 48–58. ACM Press, November 2002.
[12] Alcatel. Understanding the IPSec protocol suite. White Papers Archive, March 2000. Available at www.ind.alcatel.com/library/whitepapers/wp_IPSec.pdf.
[13] W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr. RSA and Rabin functions: certain parts are as hard as the whole. SIAM Journal of Computing, 17(2):194–209, April 1988.
[14] R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc., 2001.
[15] R. Anderson, E. Biham, and L. Knudsen. Serpent: A proposal for the advanced encryption standard. AES proposal: National Institute of Standards and Technology (NIST), 1998. Also available at www.cl.cam.ac.uk/~rja14/serpent.html.
[16] L. Babai. Talk presented at the 21st Annual Symposium on Foundation of Computer Science. San Juan, Puerto Rico, October 1979.
[17] R. Baldwin and R. Rivest. The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS algorithms. The Internet Engineering Task Force Request For Comments (IETF RFC) 2040, October 1996. Available at www.ietf.org/rfc/rfc2040.txt.
[18] M. Bellare, R. Canetti, and H. Krawczyk. A modular approach to the design and analysis of authentication and key-exchange protocols. In Proceedings of the 30th Annual Symposium on the Theory of Computing (STOC'98), pages 419–428. ACM Press, 1998.
[19] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions of security for public-key encryption schemes. In H. Krawczyk, editor, Advances in Cryptology – Proceedings of CRYPTO'98, Lecture Notes in Computer Science 1462, pages 26–45. Springer-Verlag, 1998.
[20] M. Bellare and S. Micali. Non-interactive oblivious transfer and applications. In G. Brassard, editor, Advances in Cryptology – Proceedings of CRYPTO'89, Lecture Notes in Computer Science 435, pages 547–557. Springer-Verlag, 1990.
[21] M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated key exchange secure against dictionary attacks. In B. Preneel, editor, Advances in Cryptology – Proceedings of EUROCRYPT'00, Lecture Notes in Computer Science 1807, pages 139–155. Springer-Verlag, 2000.
[22] M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62–73, New York, 1993. ACM Press.
[23] M. Bellare and P. Rogaway. Entity authentication and key distribution. In D. Stinson, editor, Advances in Cryptology – Proceedings of CRYPTO'93, Lecture Notes in Computer Science 773, pages 232–249. Springer-Verlag, 1994.
[24] M. Bellare and P. Rogaway. Optimal asymmetric encryption. In A. de Santis, editor,
Advances in Cryptology – Proceedings of EUROCRYPT'94, Lecture Notes in Computer Science 950, pages 92–111. Springer-Verlag, 1995.
[25] M. Bellare and P. Rogaway. Provably secure session key distribution: the three party case. In Proceedings of 27th ACM Symposium on the Theory of Computing, pages 57–66. ACM Press, 1995.
[26] M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – Proceedings of EUROCRYPT'96, Lecture Notes in Computer Science 1070, pages 399–416. Springer-Verlag, 1996.
[27] S.M. Bellovin. Problem areas for the IP security protocols. In Proceedings of the Sixth Usenix UNIX Security Symposium, pages 1–16, July 1996.
[28] S.M. Bellovin and M. Merritt. Limitations of the Kerberos authentication system. ACM Computer Communication Review, 20(5):119–132, 1990.
[29] S.M. Bellovin and M. Merritt. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Proceedings of the 1992 IEEE Symposium on Research in Security and Privacy, 1992.
[30] J.C. Benaloh and D. Tuinstra. Receipt-free secret-ballot elections. In Proceedings of the 26th Annual Symposium on the Theory of Computing (STOC'94), pages 544–553, 1994.
[31] C. Bennett and G. Brassard. The dawn of a new era for quantum cryptography: the experimental prototype is working! SIGACT News, 20:78–82, Fall 1989.
[32] R. Berger, S. Kannan, and R. Peralta. A framework for the study of cryptographic protocols. In H.C. Williams, editor, Advances in Cryptology – Proceedings of CRYPTO'85, Lecture Notes in Computer Science 218, pages 87–103. Springer-Verlag, 1986.
[33] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4:3–72, 1991.
[34] R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung. Systematic design of two-party authentication protocols. In J. Feigenbaum, editor, Advances in Cryptology – Proceedings of CRYPTO'91, Lecture Notes in Computer Science 576, pages 44–61. Springer-Verlag, 1992.
[35] I. Blake, G. Seroussi, and N. Smart. Elliptic Curves in Cryptography. Cambridge University Press, 1999. London Mathematical Society Lecture Note Series 265.
[36] S. Blake-Wilson, D. Johnson, and A. Menezes. Key agreement protocols and their security analysis. In Proceedings of the sixth IMA International Conference on Cryptography and Coding, Lecture Notes in Computer Science 1355, pages 30–45. Springer-Verlag, 1997.
[37] S. Blake-Wilson and A. Menezes. Security proofs for entity authentication and authenticated key transport protocols employing asymmetric techniques. In Proceedings of 1997 Security Protocols Workshop, Lecture Notes in Computer Science 1361, pages 137–158. Springer-Verlag, 1998.
[38] S. Blake-Wilson and A. Menezes. Authenticated Diffie-Hellman key agreement protocols. In S. Tavares and H. Meijer, editors, Proceedings of Selected Areas in Cryptography (SAC'98), Lecture Notes in Computer Science 1556, pages 339–361. Springer-Verlag, 1999.
[39] M. Blaze. Efficient, DoS-resistant, secure key exchange for Internet protocols (Transcript of Discussion). In B. Christianson et al., editor, Proceedings of Security Protocols, Lecture Notes in Computer Science 2467, pages 40–48. Springer-Verlag, 2002.
[40] M. Blaze, J. Feigenbaum, and J. Lacy. Distributed trust management. In Proceedings 1996 IEEE Symposium on Security and Privacy, pages 164–173. IEEE Computer Society Press, May 1996.
[41] D. Bleichenbacher. Generating ElGamal signatures without knowing the secret key. In U. Maurer, editor, Advances in Cryptology – Proceedings of EUROCRYPT'96, Lecture Notes in Computer Science 1070, pages 10–18. Springer-Verlag, 1996.
[42] L. Blum, M. Blum, and M. Shub. A simple unpredictable pseudo-random number generator. SIAM Journal of Computing, 15(2):364–383, May 1986.
[43] M. Blum. Coin flipping by telephone: A protocol for solving impossible problems. In Proceedings of the 24th IEEE Computer Conference, pages 133–137, May 1981.
[44] M. Blum, P. Feldman, and S. Micali. Non-interactive zero-knowledge and its applications (extended abstract). In Proceedings of the 20th Annual ACM Symposium on Theory of Computing, pages 103–112, 1988.
[45] M. Blum and S. Goldwasser. An efficient probabilistic public-key encryption scheme which hides all partial information. In G.R. Blakley and D. Chaum, editors, Advances in Cryptology – Proceedings of CRYPTO'84, Lecture Notes in Computer Science 196, pages 289–299. Springer-Verlag, 1985.
[46] M. Blum and S. Micali. How to generate cryptographically strong sequences of pseudo-random bits. In Proceedings of 23rd Annual IEEE Symposium on Foundations of Computer Science, pages 112–117, 1982.
[47] D. Boneh. The decision Diffie-Hellman problem. In Proceedings of 3rd Algorithmic Number Theory Symposium, Lecture Notes in Computer Science 1423, pages 48–63. Springer-Verlag, 1997.
[48] D. Boneh. Twenty years of attacks on the RSA cryptosystem. Notices of the AMS, 46(2):203–213, February 1999.

[49] D. Boneh. Simplified OAEP for the RSA and Rabin functions. In J. Kilian, editor, Advances in Cryptology - Proceedings of CRYPTO'01, Lecture Notes in Computer Science 2139, pages 275-291. Springer-Verlag, 2001.
[50] D. Boneh and G. Durfee. Cryptanalysis of RSA with private key d less than n^0.292. In J. Stern, editor, Advances in Cryptology - Proceedings of EUROCRYPT'99, Lecture Notes in Computer Science 1592, pages 1-11. Springer-Verlag, 1999.
[51] D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. In J. Kilian, editor, Advances in Cryptology - Proceedings of CRYPTO'01, Lecture Notes in Computer Science 2139, pages 213-229. Springer-Verlag, 2001.
[52] D. Boneh, A. Joux, and P. Q. Nguyen. Why textbook ElGamal and RSA encryption are insecure (extended abstract). In T. Okamoto, editor, Advances in Cryptology - Proceedings of ASIACRYPT'00, Lecture Notes in Computer Science 1976, pages 30-43. Springer-Verlag, 2000.
[53] A. Bosselaers, H. Dobbertin, and B. Preneel. The new cryptographic hash function RIPEMD-160. Dr. Dobb's, 22(1):24-28, January 1997.
[54] C. Boyd. Hidden assumptions in cryptographic protocols. IEE Proceedings, Part E, 137(6):433-436, November 1990.
[55] C. Boyd and W. Mao. On a limitation of BAN logic. In T. Helleseth, editor, Advances in Cryptology - Proceedings of EUROCRYPT'93, Lecture Notes in Computer Science 765, pages 240-247. Springer-Verlag, 1993.
[56] C. Boyd, W. Mao, and K. Paterson. Deniable authentication for Internet Protocols. In International Workshop on Security Protocols, Lecture Notes in Computer Science (to appear), pages Preproceedings: 137-150. Springer-Verlag, April 2003. Sidney Sussex College, Cambridge, England.
[57] V. Boyko, P. MacKenzie, and S. Patel. Provably secure password-authenticated key exchange using Diffie-Hellman. In B. Preneel, editor, Advances in Cryptology - Proceedings of EUROCRYPT'00, Lecture Notes in Computer Science 1807, pages 156-171. Springer-Verlag, 2000.
[58] S. Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, CWI Technical Report, 1993.
[59] G. Brassard, D. Chaum, and C. Crépeau. Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences, 37(2):156-189, 1988.
[60] S. C. Brookes, C. A. R. Hoare, and A. W. Roscoe. A theory of communicating sequential processes. Journal of the Association of Computing Machinery, 31(7):560-599, 1984.
[61] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. Technical Report SRC Technical Report 39, Digital Equipment Corporation, February 1989.
[62] C. Burwick, D. Coppersmith, E. D'Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas Jr., L. O'Connor, M. Peyravian, D. Safford, and N. Zunic. MARS - a candidate cipher for AES. AES proposal: National Institute of Standards and Technology (NIST), 1998. Also available at www.research.ibm.com/security/mars.html.
[63] J. Camenisch and M. Michels. Proving in zero-knowledge that a number is the product of two safe primes. In J. Stern, editor, Advances in Cryptology - Proceedings of EUROCRYPT'99, Lecture Notes in Computer Science 1592, pages 106-121. Springer-Verlag, 1999.
[64] R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. In Proceedings of the 30th Annual Symposium on the Theory of Computing (STOC'98), pages 209-218. ACM Press, 1998.
[65] R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. A new version of [64], October 2002. Available at xxx.lanl.gov/ps/cs.CR/0010019.
[66] R. Canetti and H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In B. Pfitzmann, editor, Advances in Cryptology - Proceedings of EUROCRYPT'01, Lecture Notes in Computer Science 2045, pages 453-474. Springer-Verlag, 2001.
[67] R. Canetti and H. Krawczyk. Security analysis of IKE's signature-based key-exchange protocol. In M. Yung, editor, Advances in Cryptology - Proceedings of CRYPTO'02, Lecture Notes in Computer Science 2442, pages 143-161. Springer-Verlag, 2002. Also available at eprint.iacr.org.
[68] B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password interception in a SSL/TLS channel. To appear in CRYPTO'03, March 2003. Available at lasecwww.epfl.ch/memo_ssl.shtml.
[69] U. Carlsen. Cryptographic protocol flaws: know your enemy. In Proceedings of The Computer Security Foundations Workshop VII, pages 192-200. IEEE Computer Society Press, 1994.
[70] S. Cavallar, B. Dodson, A. K. Lenstra, W. Lioen, P. L. Montgomery, B. Murphy, H. te Riele, K. Aardal, J. Gilchrist, G. Guillerm, P. Leyland, J. Marchand, F. Morain, A. Muffett, C. Putnam, C. Putnam, and P. Zimmermann. Factorization of a 512-bit RSA modulus. In B. Preneel, editor, Advances in Cryptology - Proceedings of EUROCRYPT'00, Lecture Notes in Computer Science 1807, pages 1-18. Springer-Verlag, 2000.
[71] D. Chaum. Demonstrating that a public predicate can be satisfied without revealing any information about how. In A. M. Odlyzko, editor, Advances in Cryptology - Proceedings of CRYPTO'86, Lecture Notes in Computer Science 263, pages 195-199. Springer-Verlag, 1987.
[72] D. Chaum. Zero-knowledge undeniable signatures (extended abstract). In I.B. Damgård, editor, Advances in Cryptology - Proceedings of CRYPTO'90, Lecture Notes in Computer Science 473, pages 458-464. Springer-Verlag, 1991.
[73] D. Chaum and T. P. Pedersen. Wallet databases with observers. In E. F. Brickell, editor, Advances in Cryptology - Proceedings of CRYPTO'92, Lecture Notes in Computer Science 740, pages 89-105. Springer-Verlag, 1993.
[74] D. Chaum and H. van Antwerpen. Undeniable signatures. In G. Brassard, editor, Advances in Cryptology - Proceedings of CRYPTO'89, Lecture Notes in Computer Science 435, pages 212-216. Springer-Verlag, 1990.
[75] B. Chor. Two Issues in Public Key Cryptography, RSA Bit Security and a New Knapsack Type System. MIT Press, 1985. An ACM Distinguished Dissertation.
[76] B. Chor and O. Goldreich. RSA/Rabin least significant bits are 1/2 + 1/poly(log N) secure. In G. R. Blakley and D. Chaum, editors, Advances in Cryptology - Proceedings of CRYPTO'84, Lecture Notes in Computer Science 196, pages 303-313. Springer-Verlag, 1985.
[77] J. Clark and J. Jacob. A survey of authentication protocol literature: version 1.0. Online document, November 1997. Available at www.cs.york.ac.uk/jac/papers/drareview.ps.gz.
[78] C. Cocks. An identity-based public-key cryptosystem. In Cryptography and Coding: 8th IMA International Conference, Lecture Notes in Computer Science 2260, pages 360-363. Springer, December 2001.
[79] H. Cohen. A Course in Computational Algebraic Number Theory. Springer, 1996. Graduate Texts in Mathematics 138.
[80] S. A. Cook. The complexity of theorem-proving procedures. In Proceedings of 3rd Annual ACM Symposium on Theory of Computing, pages 151-158, 1971.
[81] D. Coppersmith. The Data Encryption Standard (DES) and its strength against attacks. IBM Journal of Research and Development, 38:243-250, 1994.
[82] D. Coppersmith. Finding a small root of a bivariate integer equation; factoring with high bits known. In U. Maurer, editor, Advances in Cryptology - Proceedings of EUROCRYPT'96, Lecture Notes in Computer Science 1070, pages 178-189. Springer-Verlag, 1996.
[83] J. S. Coron, M. Joye, D. Naccache, and P. Paillier. Universal padding schemes for RSA. In M. Yung, editor, Advances in Cryptology - Proceedings of CRYPTO'02, Lecture Notes in Computer Science 2442, pages 226-241. Springer-Verlag, 2002.
[84] R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In H. Krawczyk, editor, Advances in Cryptology - Proceedings of CRYPTO'98, Lecture Notes in Computer Science 1462, pages 13-25. Springer-Verlag, 1998.
[85] R. Cramer and V. Shoup. Signature schemes based on the strong RSA assumption. In Proceedings of 6th ACM Conference on Computer and Communication Security. ACM Press, November 1999.
[86] J. Daemen and V. Rijmen. AES Proposal: Rijndael. AES proposal: National Institute of Standards and Technology (NIST), October 6 1998. Available at csrc.nist.gov/encryption/aes/.
[87] J. Daemen and V. Rijmen. The Design of Rijndael: AES - the Advanced Encryption Standard. Springer-Verlag, 2002. ISBN: 3540425802.
[88] I. Damgård. Towards practical public key systems secure against chosen ciphertext attacks. In J. Feigenbaum, editor, Advances in Cryptology - Proceedings of CRYPTO'91, Lecture Notes in Computer Science 576, pages 445-456. Springer-Verlag, 1992.
[89] D.W. Davies and W.L. Price. Security for Computer Networks, An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer (second edition). John Wiley & Sons, 1989.
[90] D. Davis and R. Swick. Workstation services and Kerberos authentication at Project Athena. Technical Memorandum TM-424, MIT Laboratory for Computer Science, February 1990.
[91] R.A. DeMillo, G. L. Davida, D. P. Dobkin, M. A. Harrison, and R. J. Lipton. Applied Cryptology, Cryptographic Protocols, and Computer Security Models, volume 29. Providence: American Mathematical Society, 1983. Proceedings of Symposia in Applied Mathematics.
[92] R.A. DeMillo and M. J. Merritt. Protocols for data security. Computer, 16(2):39-50, February 1983.
[93] D. Denning. Cryptography and Data Security. Addison-Wesley Publishing Company, Inc., 1982.
[94] D.E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Communications of the ACM, 24(8):533-536, August 1981.
[95] T. Dierks and C. Allen. The TLS Protocol, Version 1.0. Request for Comments: 2246, January 1999.
[96] W. Diffie. The first ten years of public key cryptology. In G. J. Simmons, editor, Contemporary Cryptology, the Science of Information Integrity, pages 135-175. IEEE Press, 1992.
[97] W. Diffie and M. Hellman. Multiuser cryptographic techniques. In Proceedings of AFIPS 1976 NCC, pages 109-112. AFIPS Press, Montvale, N.J., 1976.
[98] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. Info. Theory, IT-22(6):644-654, 1976.
[99] W. Diffie, P.C. van Oorschot, and M. Wiener. Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 2:107-125, 1992.
[100] D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. In Proceedings of 23rd Annual ACM Symposium on Theory of Computing, pages 542-552, 1991. Journal version in SIAM Journal on Computing, vol 30, no. 2, 391-437, 2000.
[101] D. Dolev and A. C. Yao. On the security of public key protocols. In Proceedings of IEEE 22nd Annual Symposium on Foundations of Computer Science, pages 350-357, 1981.
[102] T. ElGamal. A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, IT-31(4):469-472, July 1985.
[103] C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen. SPKI certificate theory. The Internet Engineering Task Force Request For Comments (IETF RFC) 2693, September 1999. Available at www.ietf.org/rfc/rfc2693.txt.
[104] eMarketer. Security online: Corporate & consumer protection, e-telligence for business. eMarketer Report, February 2003. Available at www.emarketer.com.
[105] A. Evans Jr., W. Kantrowitz, and E. Weiss. A user authentication scheme not requiring secrecy in the computer. Communications of the ACM, 17(8):437-442, 1974.
[106] U. Feige, A. Fiat, and A. Shamir. Zero-knowledge proofs of identity. ACM Special Interest Group on Algorithms and Computation Theory (SIGACT), pages 210-217, 1987.
[107] H. Feistel. Cryptography and computer privacy. Sci. Am., 228(5):15-23, May 1974.
[108] N. Ferguson and B. Schneier. A cryptographic evaluation of IPsec. Counterpane Labs, 2000. Available at www.counterpane.com/ipsec.pdf.
[109] A. Fiat and A. Shamir. How to prove yourself: practical solutions of identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - Proceedings of CRYPTO'86, Lecture Notes in Computer Science 263, pages 186-194. Springer-Verlag, 1987.
[110] Electronic Frontier Foundation. Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design. O'Reilly & Associates, May 1998. ISBN 1-56592-520-3.
[111] A.O. Freier, P. Karlton, and P. C. Kocher. The SSL Protocol, Version 3.0. INTERNET-DRAFT, draft-freier-ssl-version3-02.txt, November 1996.
[112] E. Fujisaki and T. Okamoto. How to enhance the security of public-key encryption at minimum cost. In H. Imai and Y. Zheng, editors, Public Key Cryptography - Proceedings of PKC'99, Lecture Notes in Computer Science 1560, pages 53-68. Springer-Verlag, 1999.
[113] E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In M. Wiener, editor, Advances in Cryptology - Proceedings of CRYPTO'99, Lecture Notes in Computer Science 1666, pages 537-554. Springer-Verlag, 1999.
[114] E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. In J. Kilian, editor, Advances in Cryptology - Proceedings of CRYPTO'01, Lecture Notes in Computer Science 2139, pages 260-274. Springer-Verlag, 2001.
[115] K. Gaarder and E. Snekkenes. Applying a formal analysis technique to the CCITT X.509 strong two-way authentication protocol. Journal of Cryptology, 3(2):81-98, 1991.
[116] S. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Advances in Cryptology - Proceedings of ASIACRYPT'01, Lecture Notes in Computer Science 2248, pages 495-513. Springer-Verlag, 2001.
[117] S.D. Galbraith, W. Mao, and K.G. Paterson. A cautionary note regarding cryptographic protocols based on composite integers. Technical Report HPL-2001-284, HP Laboratories, Bristol, November 2001.
[118] M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman, San Francisco, 1979.
[119] C. F. Gauss. Disquisitiones Arithmeticae. Translated by A. Arthur and S. J. Clark, 1996, Yale University Press, New Haven, 1801.
[120] R. Gennaro, D. Micciancio, and T. Rabin. An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products. In 5th ACM Conference on Computer and Communications Security, Fairfax, Virginia, 1998.
[121] M. Girault. An identity-based identification scheme based on discrete logarithms modulo a composite number. In I.B. Damgård, editor, Advances in Cryptology - Proceedings of EUROCRYPT'90, Lecture Notes in Computer Science 473, pages 481-486. Springer-Verlag, 1991.
[122] M. Girault. Self-certified public keys. In D. W. Davies, editor, Advances in Cryptology - Proceedings of EUROCRYPT'91, Lecture Notes in Computer Science 547, pages 490-497. Springer-Verlag, 1991.
[123] I. Goldberg and D. Wagner. Randomness and the Netscape browser, how secure is the World Wide Web? Dr. Dobb's Journal, pages 66-70, January 1996.
[124] O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design (extended abstract). In A. M. Odlyzko, editor, Advances in Cryptology - Proceedings of CRYPTO'86, Lecture Notes in Computer Science 263, pages 171-185. Springer-Verlag, 1987.
[125] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270-299, 1984.
[126] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof-systems. In Proceedings of 17th Ann. ACM Symp. on Theory of Computing, pages 291-304, 1985. A journal version under the same title appears in: SIAM Journal of Computing vol. 18, pp. 186-208, 1989.
[127] S. Goldwasser, S. Micali, and R.L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, 1988.
[128] S. Goldwasser, S. Micali, and P. Tong. Why and how to establish a private code on a public network. In Proceedings of 23rd Annual IEEE Symposium on Foundations of Computer Science, pages 134–144, 1982.
[129] D. Gollmann. Computer Security. John Wiley & Sons, Inc., 1999. ISBN: 0-471-97884-2.
[130] D. Gollmann. Authentication myths and misconceptions. Progress in Computer Science and Applied Logic, 20:203–225, 2001. Birkhäuser Verlag Basel/Switzerland.
[131] L. Gong, R. Needham, and R. Yahalom. Reasoning about belief in cryptographic protocols. In Proceedings of the 1990 IEEE Symposium on Research in Security and Privacy, pages 234–248. IEEE Computer Society Press, 1990.
[132] F.T. Grampp and R.H. Morris. Unix operating system security. AT&T Bell Laboratories Technical Journal, 63(8):1649–1672, October 1984.
[133] C.G. Günther. An identity-based key-exchange protocol. In J.-J. Quisquater and J. Vandewalle, editors, Advances in Cryptology – Proceedings of EUROCRYPT'89, Lecture Notes in Computer Science 434, pages 29–37. Springer-Verlag, 1990.
[134] N.M. Haller. The S/KEY one-time password system. In Proceedings of the Symposium on Network and Distributed System Security, pages 151–157, 1994.
[135] D. Harkins and D. Carrel. The Internet key exchange protocol (IKE). The Internet Engineering Task Force Request For Comments (IETF RFC) 2409, November 1998. Available at www.ietf.org/rfc/rfc2409.txt.
[136] K.E.B. Hickman. The SSL Protocol. Online document, February 1995. Available at www.netscape.com/eng/security/SSL_2.html.
[137] C.A.R. Hoare. Communicating sequential processes. Communications of the ACM, 21(8), 1978.
[138] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall International, 1985. Series in Computer Science.
[139] P. Hoffman. Features of proposed successors to IKE. INTERNET-DRAFT, draft-ietf-ipsec-soi-features-01.txt, May 2002.
[140] R. Housley and P. Hoffman. Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP. The Internet Engineering Task Force Request For Comments (IETF RFC) 2585, August 2001. Available at www.ietf.org/rfc/rfc2585.txt.
[141] D. Hühnlein, M. Jakobsson, and D. Weber. Towards practical non-interactive public key cryptosystems using non-maximal imaginary quadratic orders. In Proceedings of Selected Areas of Cryptography – SAC 2000, Lecture Notes in Computer Science 2012, pages 275–287. Springer-Verlag, 2000.
[142] ISO/IEC. Information Processing – Modes of operation for an n-bit block cipher algorithm. International Organization for Standardization and International Electro-technical Commission, 1991. 10116.
[143] ISO/IEC. Information Technology – Security Techniques – summary of voting on letter ballot No.6, Document SC27 N277, CD 9798-3.3 "Entity Authentication Mechanisms" Part 3: Entity authentication mechanisms using a public key algorithm. International Organization for Standardization and International Electro-technical Commission, October 1991. ISO/IEC JTC 1/SC27 N313.
[144] ISO/IEC. Information Technology – Security Techniques – Entity Authentication Mechanisms – Part 2: Entity authentication using symmetric techniques. International Organization for Standardization and International Electro-technical Commission, 1992. ISO/IEC JTC 1/SC 27 N489 CD 9798-2, 1992-06-09.
[145] ISO/IEC. Information Technology – Security Techniques – Entity Authentication Mechanisms – Part 2: Entity authentication using symmetric techniques. International Organization for Standardization and International Electro-technical Commission, 1993. ISO/IEC JTC 1/SC 27 N739 DIS 9798-2, 1993-08-13.
[146] ISO/IEC. Information Technology – Security Techniques – Entity Authentication – Part 1: General. International Organization for Standardization and International Electro-technical Commission, 1996. ISO/IEC JTC 1/SC 27 DIS 9798-1:1996 (E).
[147] ISO/IEC. Information Technology – Security Techniques – Entity Authentication – Part 2: Mechanisms using symmetric encipherment algorithms. International Organization for Standardization and International Electro-technical Commission, December 1998. ISO/IEC JTC 1/SC 27 N2145 FDIS 9798-2.
[148] ISO/IEC. Information Technology – Security Techniques – Entity Authentication – Part 3: Mechanisms using digital signature techniques. International Organization for Standardization and International Electro-technical Commission, October 1998. BS ISO/IEC 9798-3.
[149] ISO/IEC. Information Technology – Security Techniques – Entity Authentication – Part 4: Mechanisms using a cryptographic check function. International Organization for Standardization and International Electro-technical Commission, April 1999. ISO/IEC JTC 1/SC 27 N2289 FDIS 9798-4.
[150] ISO/IEC. Information Technology – Security Techniques – Digital signature schemes giving message recovery – Part 3: Discrete logarithm based mechanisms. International Organization for Standardization and International Electro-technical Commission, April 2000. ISO/IEC JTC 1/SC 27 9796-3.

[151] ISO/IEC. Information Technology – Security Techniques – Hash Functions – Part 3: Dedicated hash-functions. International Organization for Standardization and International Electro-technical Commission, November 2001. ISO/IEC JTC1, SC27, WG2, Document 1st CD 10118-3.
[152] ITU-T. Rec. X.509 (revised) the Directory – Authentication Framework, 1993. International Telecommunication Union, Geneva, Switzerland (equivalent to ISO/IEC 9594-8:1995).
[153] M. Jakobsson, K. Sako, and R. Impagliazzo. Designated verifier proofs and their applications. In U. Maurer, editor, Advances in Cryptology – Proceedings of EUROCRYPT'96, Lecture Notes in Computer Science 1070, pages 143–154. Springer-Verlag, 1996.
[154] A. Joux. A one round protocol for tripartite Diffie-Hellman. In W. Bosma, editor, Algorithmic Number Theory, IV-th Symposium (ANTS IV), Lecture Notes in Computer Science 1838, pages 385–394. Springer-Verlag, 2000.
[155] A. Joux and K. Nguyen. Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups. Cryptology ePrint Archive, 2001/003, 2001. Available at http://eprint.iacr.org/.
[156] R. Kailar. Accountability in electronic commerce protocols. IEEE Transactions on Software Engineering, 22(5):313–328, May 1996.
[157] C. Kaufman. Comparison of IKEv2, JFK, and SOI requirements. The Internet Engineering Task Force: online document, April 2002. Available at www.ietf.org/proceedings/02mar/slides/ipsec-1/.
[158] C. Kaufman. Internet Key Exchange (IKEv2) Protocol. The Internet Engineering Task Force: INTERNET-DRAFT, draft-ietf-ipsec-ikev2-03.txt, October 2002. Available at www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-03.txt.
[159] C. Kaufman, R. Perlman, and M. Speciner. Network Security: Private Communication in a Public World, Second Edition. Prentice-Hall PTR, 2002.
[160] R. Kemmerer, C. Meadows, and J. Millen. Three systems for cryptographic protocol analysis. Journal of Cryptology, 7(2):79–130, 1994.
[161] S. Kent and R. Atkinson. IP Authentication Header. The Internet Engineering Task Force Request For Comments (IETF RFC) 2402, November 1998. Available at www.ietf.org/rfc/rfc2402.txt.
[162] S. Kent and R. Atkinson. IP Encapsulating Security Payload (ESP). The Internet Engineering Task Force Request For Comments (IETF RFC) 2406, November 1998. Available at www.ietf.org/rfc/rfc2406.txt.

[163] S. Kent and R. Atkinson. Security Architecture for the Internet Protocol. The Internet Engineering Task Force Request For Comments (IETF RFC) 2401, November 1998. Available at www.ietf.org/rfc/rfc2401.txt.
[164] J. Klensin. Simple mail transfer protocol. The Internet Engineering Task Force Request For Comments (IETF RFC) 2821, April 2001. Available at www.ietf.org/rfc/rfc2821.txt.
[165] L.R. Knudsen. Block Ciphers – Analysis, Design and Applications. Århus University, 1994.
[166] N. Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(5):203–209, 1987.
[167] P.C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In N. Koblitz, editor, Advances in Cryptology – Proceedings of CRYPTO'96, Lecture Notes in Computer Science 1109, pages 104–113. Springer-Verlag, 1996.
[168] J. Kohl and C. Neuman. The Kerberos network authentication service (v5). The Internet Engineering Task Force Request For Comments (IETF RFC) 1510, September 1993. Available at www.ietf.org/rfc/rfc1510.txt.
[169] L.M. Kohnfelder. Towards a Practical Public-key Cryptosystem. MIT B.S. Thesis, MIT Department of Electrical Engineering, May 1978.
[170] E. Kranakis. Primality and Cryptography. John Wiley & Sons, 1986. Wiley-Teubner Series in Computer Science.
[171] H. Krawczyk. SIGMA: the 'SIGn-and-MAc' approach to authenticated Diffie-Hellman protocols. Online document, 1996. Available at www.ee.technion.ac.il/~hugo/sigma.html.
[172] H. Krawczyk. SKEME: a versatile secure key exchange mechanism for Internet. In Proceedings of Network and Distributed System Security Symposium (NDSS), pages 114–127. IEEE Computer Society Press, February 1996.
[173] L. Lamport. Constructing digital signatures from a one way function. SRI International, October 1979. Available at www.csl.sri.com/papers/676/.
[174] L. Lamport. Password authentication with insecure communication. Communications of the ACM, 24(11):770–772, 1981.
[175] A. Lenstra and E. Verheul. The XTR public key system. In M. Bellare, editor, Advances in Cryptology – Proceedings of CRYPTO'00, Lecture Notes in Computer Science 1880, pages 1–19. Springer-Verlag, 2000.
[176] W.J. LeVeque. Fundamentals of Number Theory. Dover Publications, Inc., 1977.
[177] R. Lidl and H. Niederreiter. Finite Fields. Cambridge University Press, 1997. Encyclopedia of Mathematics and its Applications 20.
[178] R.J. Lipton. How to cheat at mental poker. Technical Report, Comp. Sci., Dept. Univ. of Calif., Berkeley, Calif., August 1979. (This is an internal technical report; a simple description of the attack is available on page 174 of [91].)
[179] G. Lowe. Some new attacks upon security protocols. In Proceedings of the 9th IEEE Computer Security Foundations Workshop, pages 162–169. IEEE Computer Society Press, June 1994.
[180] G. Lowe. An attack on the Needham-Schroeder public-key authentication protocol. Information Processing Letters, 56(3):131–133, 1995.
[181] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR. In Proceedings of TACAS, Lecture Notes in Computer Science 1055, pages 147–166. Springer-Verlag, 1996.
[182] J. Malone-Lee and W. Mao. Two birds one stone: Signcryption using RSA. In M. Joye, editor, Topics in Cryptology – the Cryptographers' Track, Proceedings of the RSA Conference 2003 (CT-RSA 2003), Lecture Notes in Computer Science 2612, pages 210–224. Springer-Verlag, April 2003.
[183] W. Mao. An augmentation of BAN-like logics. In Proceedings of Computer Security Foundations Workshop VIII, pages 44–56. IEEE Computer Society Press, June 1995.
[184] W. Mao and C. Boyd. On the use of encryption in cryptographic protocols. In P.G. Farrell, editor, Codes and Cyphers – Proceedings of 4th IMA Conference on Cryptography and Coding, pages 251–262, December 1993. The Institute of Mathematics and Its Applications, 1995.
[185] W. Mao and C. Boyd. On the use of encryption in cryptographic protocols, February 1994. Distributed by International Organization for Standardization (ISO) and International Electro-technical Commission (IEC) JTC1, SC27, WG2, Document N262: "Papers on authentication and key management protocols based on symmetric techniques." This ISO document distributes the paper published in [184].
[186] W. Mao and C. Boyd. Methodical use of cryptographic transformations in authentication protocols. IEE Proceedings, Comput. Digit. Tech., 142(4):272–278, July 1995.
[187] D. Maughan, M. Schertler, M. Schneider, and J. Turner. Internet security association and key management protocol (ISAKMP), version 10. INTERNET-DRAFT: draft-ietf-ipsec-isakmp-10.txt, November 1998. Also available at www.ietf.org/rfc/rfc2408.txt.
[188] U. Maurer. Protocols for secret key agreement by public discussion based on common information. In E.F. Brickell, editor, Advances in Cryptology – Proceedings of CRYPTO'92, Lecture Notes in Computer Science 740, pages 461–470. Springer-Verlag, 1993.
[189] U. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions on Information Theory, IT-39:733–742, 1993.
[190] U. Maurer and S. Wolf. The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms. SIAM Journal of Computing, 28(5):1689–1721, 1999.
[191] U. Maurer and Y. Yacobi. Non-interactive public-key cryptography. In D.W. Davies, editor, Advances in Cryptology – Proceedings of EUROCRYPT'91, Lecture Notes in Computer Science 547, pages 498–507. Springer-Verlag, 1991.
[192] C. Meadows. Applying formal methods to the analysis of a key management protocol. Journal of Computer Security, 1(1):5–53, 1992.
[193] C. Meadows. Analyzing the Needham-Schroeder public key protocol: a comparison of two approaches. In E. Bertino et al., editor, Proceedings of Computer Security, ESORICS'96, Lecture Notes in Computer Science 1146, pages 351–364. Springer-Verlag, February 1996.
[194] C. Meadows. The NRL Protocol Analyzer: an overview. Journal of Logic Programming, 26(2):113–131, February 1996.
[195] C. Meadows. Analysis of the internet key exchange protocol using the NRL Protocol Analyzer. In Proceedings of IEEE Symposium on Security and Privacy, pages 216–231. IEEE Computer Society Press, May 1999.
[196] C. Meadows and P. Syverson. A formal specification of requirements for payment transactions in the SET protocol. In R. Hirschfeld, editor, Proceedings of Financial Cryptography (FC'98), Lecture Notes in Computer Science 1465, pages 122–140. Springer-Verlag, February 1998.
[197] A.J. Menezes, T. Okamoto, and S.A. Vanstone. Reducing elliptic curve logarithms to a finite field. IEEE Trans. Info. Theory, 39:1636–1646, 1983.
[198] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
[199] R.C. Merkle. Secure communications over insecure channels. Communications of the ACM, 21:294–299, 1978.
[200] R.C. Merkle and M.E. Hellman. Hiding information and signatures in trapdoor knapsacks. IEEE Trans. on Info. Theory, 24:525–530, 1978.
[201] S. Micali and R.L. Rivest. Micropayments revisited. In B. Preneel, editor, Topics in Cryptology – the Cryptographers' Track, Proceedings of the RSA Conference 2002 (CT-RSA 2002), Lecture Notes in Computer Science 2271, pages 149–163. Springer-Verlag, 2002.
[202] S.P. Miller, C. Neuman, J.I. Schiller, and J.H. Saltzer. Kerberos authentication and authorization system. Project Athena Technical Plan Section E.2.1, 1987.

[203] V. Miller. Use of elliptic curves in cryptography. In H.C. Williams, editor, Advances in Cryptology – Proceedings of CRYPTO'85, Lecture Notes in Computer Science 218, pages 417–426. Springer-Verlag, 1986.
[204] J.H. Moore. Protocol failures in cryptosystems. Proceedings of the IEEE, 76(5):594–601, 1988.
[205] J.H. Moore. Protocol failures in cryptosystems. In G.J. Simmons, editor, Contemporary Cryptology, the Science of Information Integrity, pages 541–558. IEEE Press, 1992.
[206] R. Morris and K. Thompson. Password security: a case history. Communications of the ACM, 22(5):594–597, 1979.
[207] M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. The Internet Engineering Task Force Request For Comments (IETF RFC) 2560, June 1999. Available at www.ietf.org/rfc/rfc2560.txt.
[208] M. Myers, X. Liu, J. Schaad, and J. Weinstein. Certificate Management Messages over CMS. The Internet Engineering Task Force Request For Comments (IETF RFC) 2797, April 2000. Available at www.ietf.org/rfc/rfc2797.txt.
[209] M. Naor and O. Reingold. Number theoretic constructions of efficient pseudorandom functions. In Proceedings of FOCS'97, pages 458–467, 1997.
[210] M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In Proceedings of 22nd ACM Symposium of Theory of Computing, pages 427–437, 1990.
[211] NBS. Data Encryption Standard. U.S. Department of Commerce, FIPS Publication 46, Washington, D.C., January 1977. National Bureau of Standards.
[212] R. Needham and M. Schroeder. Authentication revisited. Operating Systems Review, 21:7, 1987.
[213] R.M. Needham and M.D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, 1978.
[214] B.C. Neuman and S.G. Stubblebine. A note on the use of timestamps as nonces. ACM Operating Systems Review, 27(2):10–14, April 1993.
[215] NIST. A Proposed Federal Information Processing Standard for Digital Signature Standard (DSS). Federal Register Announcement August 30, 1991. National Institute of Standards and Technology.
[216] NIST. Digital Signature Standard. Federal Information Processing Standards Publication 186, 1994. U.S. Department of Commerce/N.I.S.T.

[217] NIST. Secure Hash Standard. Federal Information Processing Standards Publication (FIPS PUB) 180-1, April 1995. U.S. Department of Commerce/N.I.S.T.
[218] NIST. Recommendation for block cipher modes of operation. NIST Special Publication 800-38A 2001 Edition, December 2001. U.S. Department of Commerce/N.I.S.T.
[219] NIST. Specification for the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication (FIPS PUB) 197, November 2001. U.S. Department of Commerce/N.I.S.T.
[220] K. Nyberg and R. Rueppel. A new signature scheme based on the DSA giving message recovery. In 1st ACM Conference on Computer and Communications Security, pages 58–61. ACM Press, 1993.
[221] A.M. Odlyzko. Discrete logarithms: the past and the future. Designs, Codes and Cryptography, 19:129–154, 2000.
[222] K. Ohta and T. Okamoto. On concrete security treatment of signatures derived from identification. In H. Krawczyk, editor, Advances in Cryptology – Proceedings of CRYPTO'98, Lecture Notes in Computer Science 1462, pages 345–370. Springer-Verlag, 1998.
[223] T. Okamoto and D. Pointcheval. REACT: rapid enhanced-security asymmetric cryptosystem transform. In D. Naccache, editor, Topics in Cryptography, Cryptographers' Track, RSA Conference 2001 – Proceedings of CT-RSA'00, Lecture Notes in Computer Science 2020, pages 159–175. Springer-Verlag, 2001.
[224] T. Okamoto and S. Uchiyama. A new public-key cryptosystem as secure as factoring. In K. Nyberg, editor, Advances in Cryptology – Proceedings of EUROCRYPT'98, Lecture Notes in Computer Science 1403, pages 308–318. Springer-Verlag, 1998.
[225] H. Orman. The Oakley key determination protocol, version 2. draft-ietf-ipsec-oakley-02.txt, 1996.
[226] D. Otway and O. Rees. Efficient and timely mutual authentication. Operating Systems Review, 21(1):8–10, 1987.
[227] Oxford. Oxford Reference, Dictionary of Computing, Third Edition. Oxford University Press, 1991.
[228] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In J. Stern, editor, Advances in Cryptology – Proceedings of EUROCRYPT'99, Lecture Notes in Computer Science 1592, pages 223–238. Springer-Verlag, 1999.
[229] J. Patarin and L. Goubin. Trapdoor one-way permutations and multivariate polynomials. In Y. Han, T. Okamoto, and S. Qing, editors, Information and Communications Security – Proceedings of ICICS'97, Lecture Notes in Computer Science 1334, pages 356–368. Springer-

Table of Cont ent s
Moder n Cr ypt ography : Theor y and Pract i ce
By Wenbo Mao Hewlet t - Packard Company

Publi sher: Prent i ce Hal l PTR


Pub Dat e: Jul y 25, 2003
I SBN: 0- 13-066943-1
Pages: 648

Many cr y pt ographi c schemes and prot ocol s, especi al l y t hose based on publ i c- key cry pt ogr aphy ,
have basi c or so- cal l ed " t ext book cr ypt o" ver si ons, as t hese ver sionsar e usual ly t he subj ect s for
many t ext books on cry pt ogr aphy . Thi s book t akes adi ff er ent appr oach t o i nt roduci ng
cry pt ogr aphy : it pay s much more at t ent i on t ofi t - f or- appl i cat i on aspect s of cr ypt ogr aphy . I t
expl ains why " t ext book cr y pt o" isonl y good in an i deal wor l d wher e dat a ar e r andom and bad
guys behave ni cel y . I t r eveal s t he gener al unf it ness of "t ext book cr y pt o" for t he r eal worl d by
demonst r at i ngnumer ous at t acks on such schemes, pr ot ocol s and syst ems under var i ousr eal -
wor ld appl i cat i on scenari os. Thi s book chooses t o i nt r oduce a set of pract i cal cr y pt ogr aphi c
schemes, pr ot ocol s and syst ems, many of t hem st andar ds or de fact oones, st udies t hem cl osel y,
expl ains t hei r wor ki ng pri nci pl es, di scusses t hei r pr act i cal usages, and exami nes t hei r st r ong
( i . e. , f i t - for - appl i cat i on) securi t y pr opert i es, oft enwi t h securi t y evi dence for mal l y est abl ished.
The book al so i ncl udes self - cont ai nedt heor et i cal backgr ound mat er ial t hat i s t he f oundat i on for
moder n cr ypt ogr aphy.
Verl ag, 1997.
[230] PKCS. Public Key Cryptography Standards, PKCS #1 v2.1. RSA Cryptography Standard, Draft 2, 2001. Available at www.rsasecurity.com/rsalabs/pkcs/.
[231] S.C. Pohlig and M.E. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory, 24:106–110, 1978.
[232] D. Pointcheval. HD-RSA: hybrid dependent RSA, a new public-key encryption scheme. Submission to IEEE P1363: Asymmetric Encryption, 1999. Available at grouper.ieee.org/groups/1363/P1363a/Encryption.html.
[233] D. Pointcheval. New public key cryptosystems based on the dependent-RSA problems. In J. Stern, editor, Advances in Cryptology: Proceedings of EUROCRYPT'99, Lecture Notes in Computer Science 1592, pages 239–254. Springer-Verlag, 1999.
[234] D. Pointcheval. Chosen-ciphertext security for any one-way cryptosystem. In H. Imai and Y. Zheng, editors, Public Key Cryptography: Proceedings of PKC'00, Lecture Notes in Computer Science 1751, pages 129–146. Springer-Verlag, 2000.
[235] D. Pointcheval and J. Stern. Security proofs for signature schemes. In U. Maurer, editor, Advances in Cryptology: Proceedings of EUROCRYPT'96, Lecture Notes in Computer Science 1070, pages 387–398. Springer-Verlag, 1996.
[236] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361–396, 2000.
[237] J.M. Pollard. Theorems on factorization and primality testing. Proceedings of the Cambridge Philosophical Society, 76:521–528, 1974.
[238] J.M. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, 32(143):918–924, 1978.
[239] M. Rabin. Transaction protection by beacons. Technical Report Tech. Rep. 29-81, Aiken Computation Lab., Harvard University, Cambridge, MA, 1981.
[240] M.O. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical Report LCS/TR-212, MIT Laboratory for Computer Science, 1979.
[241] C. Rackoff and D. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In J. Feigenbaum, editor, Advances in Cryptology: Proceedings of CRYPTO'91, Lecture Notes in Computer Science 576, pages 433–444. Springer-Verlag, 1992.
[242] R. Rivest and A. Shamir. PayWord and MicroMint: two simple micropayment schemes. CryptoBytes, RSA Laboratories, 2(1):7–11, Spring 1996.
[243] R.L. Rivest. The MD5 message-digest algorithm. Internet Request for Comments 1321, April 1992.
[244] R.L. Rivest. S-expressions. INTERNET-DRAFT, May 1997. Available at theory.lcs.mit.edu/~rivest/sexp.txt.
[245] R.L. Rivest and B. Lampson. SDSI - A simple distributed security infrastructure. Invited Speech at CRYPTO'96, August 1996. Available at theory.lcs.mit.edu/~cis/sdsi.html.
[246] R.L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
[247] R.L. Rivest, M.J.B. Robshaw, R. Sidney, and Y.L. Yin. The RC6 Block Cipher, v1.1. AES proposal: National Institute of Standards and Technology (NIST), 1998. Available at www.rsa.com/rsalabs/aes/.
[248] A.W. Roscoe. Model checking CSP. In A.W. Roscoe, editor, A Classical Mind: Essays in Honour of C.A.R. Hoare. Prentice-Hall, 1994.
[249] A.W. Roscoe. Modelling and verifying key-exchange protocols using CSP and FDR. In Proceedings of Computer Security Foundations Workshop VIII, pages 98–107. IEEE Computer Society Press, June 1995.
[250] P. Ryan and S. Schneider. The Modelling and Analysis of Security Protocols: the CSP Approach. Addison-Wesley, 2001.
[251] R. Sakai, K. Ohgishi, and M. Kasahara. Cryptosystems based on pairing. In Proceedings of the 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, January 2000.
[252] T. Satoh and K. Araki. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comm. Math. Univ. Sancti Pauli, 47:81–92, Spring 1998.
[253] S. Schneider. Security properties and CSP. In Proceedings of the 1996 IEEE Symposium on Security and Privacy, pages 174–187. IEEE Computer Society Press, 1996.
[254] B. Schneier. Secrets and Lies. John Wiley & Sons, 2001.
[255] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson. Twofish: a 128-bit block cipher, AES proposal. AES proposal: National Institute of Standards and Technology (NIST), 1998. Available at www.counterpane.com/twofish.html.
[256] C.P. Schnorr. Efficient identification and signature for smart cards. In G. Brassard, editor, Advances in Cryptology: Proceedings of CRYPTO'89, Lecture Notes in Computer Science 435, pages 239–252. Springer-Verlag, 1990.
[257] C.P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 4(3):161–174, 1991.
[258] I.A. Semaev. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Math. Comp., 67(221):353–356, 1998.
[259] SET. Secure Electronic Transaction Specification, Version 1.0. Online document, May 1997. Available at www.setco.org/.
[260] A. Shamir. Identity-based cryptosystems and signature schemes. In G.T. Blakley and D. Chaum, editors, Advances in Cryptology: Proceedings of CRYPTO'84, Lecture Notes in Computer Science 196, pages 48–53. Springer-Verlag, 1985.
[261] A. Shamir, R. Rivest, and L. Adleman. Mental poker. In D. Klarner, editor, The Mathematical Gardner, pages 37–43, Boston, Mass, 1980. Prindle, Weber & Schmidt.
[262] C.E. Shannon. A mathematical theory of communication. Bell System Technical Journal, 27(3):379–423, July 1948.
[263] C.E. Shannon. A mathematical theory of communication. Bell System Technical Journal, 27:623–656, October 1948. Continued from the July 1948 issue (i.e., [262]).
[264] C.E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28:656–715, October 1949.
[265] C.E. Shannon. Prediction and entropy of printed English. Bell System Technical Journal, 30:50–64, January 1951.
[266] R. Shirey. Internet Security Glossary. The Internet Engineering Task Force Request For Comments (IETF RFC) 2828, May 2000. Available at www.ietf.org/rfc/rfc2828.txt.
[267] P.W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal of Computing, 26:1484–1509, 1997.
[268] P.W. Shor. Why haven't more quantum algorithms been found? Journal of the ACM, 50(1):87–90, January 2003.
[269] V. Shoup. Using hash functions as a hedge against chosen ciphertext attack. In B. Preneel, editor, Advances in Cryptology: Proceedings of EUROCRYPT'00, Lecture Notes in Computer Science 1807, pages 275–288. Springer-Verlag, 2000.
[270] V. Shoup. OAEP reconsidered. In J. Kilian, editor, Advances in Cryptology: Proceedings of CRYPTO'01, Lecture Notes in Computer Science 2139, pages 239–259. Springer-Verlag, 2001.
[271] V. Shoup. A proposal for an ISO standard for public key encryption (version 2.1). Distributed by International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) JTC1, SC27, WG2, December 2001. An earlier version appeared in ISO/IEC JTC 1/SC 27 N2765 "Editor's contribution on public key encryption" (February 2001).
[272] J.H. Silverman. The Arithmetic of Elliptic Curves. Springer-Verlag, 1986. Graduate Texts in Mathematics.
[273] R.D. Silverman. Fast generation of random, strong RSA primes. CryptoBytes, 3(1):9–13, 1997.
[274] G.J. Simmons. How to (selectively) broadcast a secret. In Proceedings of the IEEE Symposium on Security and Privacy, pages 108–113. IEEE Computer Society Press, 1985.
[275] G.J. Simmons. A survey of information authentication. In G.J. Simmons, editor, Contemporary Cryptology, the Science of Information Integrity, pages 379–419. IEEE Press, 1992.
[276] D. Simon. On the power of quantum computation. In Proceedings of the 35th Annual IEEE Symposium on Foundations of Computer Science, pages 116–123, 1994.
[277] S. Singh. The Code Book. Fourth Estate, 1999.
[278] N.P. Smart. The discrete logarithm problem on elliptic curves of trace one. Journal of Cryptology, 12:193–196, 1999.
[279] M.E. Smid and D.K. Branstad. The Data Encryption Standard, past and future. In G.J. Simmons, editor, Contemporary Cryptology, the Science of Information Integrity, pages 43–46. IEEE Press, 1992.
[280] D. Soldera. SEG - a provably secure variant of El-Gamal. Technical Report HPL-2001-149, Hewlett-Packard Laboratories, Bristol, June 2001.
[281] D. Soldera, J. Seberry, and C. Qu. The analysis of Zheng-Seberry scheme. In L.M. Batten and J. Seberry, editors, 7th Australian Conference in Information Security and Privacy: Proceedings of ACISP'02, Lecture Notes in Computer Science 2384, pages 159–168. Springer-Verlag, 2002.
[282] R. Solovay and V. Strassen. A fast Monte-Carlo test for primality. SIAM Journal of Computing, 6(1):84–85, March 1977.
[283] M. Stadler. Publicly verifiable secret sharing. In U. Maurer, editor, Advances in Cryptology: Proceedings of EUROCRYPT'96, Lecture Notes in Computer Science 1070, pages 190–199. Springer-Verlag, 1996.
[284] D.R. Stinson. Cryptography: Theory and Practice. CRC Press, Inc., 1995.
[285] P. Syverson. On key distribution protocols for repeated authentication. ACM Operating Systems Review, 27(4):24–30, October 1993.
[286] P. Syverson and P.C. van Oorschot. On unifying some cryptographic protocol logics. In Proceedings of 1994 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 1994.
[287] H. Tanaka. A realization scheme for the identity-based cryptosystem. In C. Pomerance, editor, Advances in Cryptology: Proceedings of CRYPTO'87, Lecture Notes in Computer Science 293, pages 340–349. Springer-Verlag, 1988.
[288] G. Tsudik. Message authentication with one-way hash functions. Computer Communication Review, 22:29–38, 1992.
[289] S. Tsujii and T. Itoh. An ID-based cryptosystem based on the discrete logarithm problem. IEEE Journal on Selected Areas in Communications, 7(4):467–473, 1989.
[290] W. Tuchman. Hellman presents no shortcut solutions to the DES. IEEE Spectrum, 16(7):40–41, 1979.
[291] J. van de Graaf and R. Peralta. A simple and secure way to show the validity of your public key. In C. Pomerance, editor, Advances in Cryptology: Proceedings of CRYPTO'87, Lecture Notes in Computer Science 293, pages 128–134. Springer-Verlag, 1988.
[292] P.C. van Oorschot. Extending cryptographic logics of belief to key agreement protocols (extended abstract). In Proceedings of the First ACM Conference on Computer and Communications Security, pages 232–243, 1993.
[293] V. Varadharajan, P. Allen, and S. Black. An analysis of the proxy problem in distributed systems. In Proceedings of the 1991 IEEE Symposium on Security and Privacy, pages 255–275, 1991.
[294] S. Vaudenay. Security flaws induced by CBC padding: applications to SSL, IPSEC, WTLS ... In L.R. Knudsen, editor, Advances in Cryptology: Proceedings of EUROCRYPT'02, Lecture Notes in Computer Science 2332, pages 534–545. Springer-Verlag, 2002.
[295] U. Vazirani and V. Vazirani. Efficient and secure pseudo-random number generation (extended abstract). In G.T. Blakley and D. Chaum, editors, Advances in Cryptology: Proceedings of CRYPTO'84, Lecture Notes in Computer Science 196, pages 193–202. Springer-Verlag, 1985.
[296] E.R. Verheul. Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. In B. Pfitzmann, editor, Advances in Cryptology: Proceedings of EUROCRYPT'01, Lecture Notes in Computer Science 2045, pages 195–210. Springer-Verlag, 2001.
[297] D. Wheeler. Transactions using bets. In M. Lomas, editor, Security Protocols, Lecture Notes in Computer Science 1189, pages 89–92. Springer-Verlag, 1996.
[298] M. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory, 36(3):553–558, 1990.
[299] M. Wiener. Efficient DES key search. Technical report, TR-244, School of Computer Science, Carleton University, Ottawa, May 1994.
[300] C.P. Williams and S.H. Clearwater. Ultimate Zero and One. Copernicus, Springer-Verlag New York, Inc., 2000.
[301] T.Y.C. Woo and S.S. Lam. Authentication for distributed systems. Computer, 25(1):39–52, January 1992.
[302] T.Y.C. Woo and S.S. Lam. A lesson on authentication protocol design. Operating Systems Review, 28(3):24–37, July 1994.
[303] A.C. Yao. Theory and applications of trapdoor functions (extended abstract). In Proceedings of 23rd Annual IEEE Symposium on Foundations of Computer Science, pages 80–91, 1982.
[304] T. Ylonen. The SSH (secure shell) remote login protocol. INTERNET-DRAFT, draft-ylonen-ssh-protocol-00.txt, September 1995.
[305] T. Ylonen. SSH authentication protocol. INTERNET-DRAFT, draft-ietf-secsh-userauth-16.txt, September 2002.
[306] T. Ylonen. SSH connection protocol. INTERNET-DRAFT, draft-ietf-secsh-connect-16.txt, September 2002.
[307] T. Ylonen. SSH protocol architecture. INTERNET-DRAFT, draft-ietf-secsh-architecture-13.txt, September 2002.
[308] T. Ylonen. SSH transport layer protocol. INTERNET-DRAFT, draft-ietf-secsh-transport-15.txt, September 2002.
[309] Y. Zheng. Digital signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption). In B. Kaliski Jr., editor, Advances in Cryptology: Proceedings of CRYPTO'97, Lecture Notes in Computer Science 1294, pages 165–179. Springer-Verlag, 1997.
[310] Y. Zheng and J. Seberry. Immunizing public key cryptosystems against chosen ciphertext attacks. Special Issue on Secure Communications, IEEE Journal on Selected Areas on Communications, 11(5):715–724, June 1993.
[311] Y. Zheng and J. Seberry. Practical approaches to attaining security against adaptively chosen ciphertext attacks (extended abstract). In E.F. Brickell, editor, Advances in Cryptology: Proceedings of CRYPTO'92, Lecture Notes in Computer Science 740, pages 291–304. Springer-Verlag, 1993.
[312] P.R. Zimmermann. The Official PGP User's Guide. MIT Press, Cambridge, Massachusetts, 1995. Second printing.
