Chapter 10
Number-Theoretic Primitives
Number theory is a source of several computational problems that serve as primitives in the design of cryptographic schemes. Asymmetric cryptography in particular relies on these primitives. As with other beasts that we have been calling “primitives,” these computational problems exhibit some intractability features, but by themselves do not solve any cryptographic problem directly relevant to a user security goal. But appropriately applied, they become useful to this end. In order to later effectively exploit them it is useful to first spend some time understanding them. This understanding has two parts. The first is to provide precise definitions of the various problems and their measures of intractability. The second is to look at what is known or conjectured about the computational complexity of these problems.

There are two main classes of primitives. The first class relates to the discrete logarithm problem over appropriate groups, and the second to the factoring of composite integers. We look at them in turn.

This chapter assumes some knowledge of computational number theory as covered in the chapter on Computational Number Theory.
10.1 Discrete logarithm related problems
Let $G$ be a cyclic group and let $g$ be a generator of $G$. Recall this means that

$$G = \{\, g^0, g^1, \ldots, g^{m-1} \,\},$$

where $m = |G|$ is the order of $G$. The discrete logarithm function $\mathrm{DLog}_{G,g} : G \to \mathbb{Z}_m$ takes input a group element $a$ and returns the unique $i \in \mathbb{Z}_m$ such that $a = g^i$. There are several computational problems related to this function that are used as primitives.
10.1.1 Informal descriptions of the problems
The computational problems we consider in this setting are summarized in Fig. 10.1. In all cases, we are considering an attacker that knows the group $G$ and the generator $g$. It is given the quantities listed in the column labeled “given,” and is trying to compute the quantities, or answer the question, listed in the column labeled “figure out.”

The most basic problem is the discrete logarithm (DL) problem. Informally stated, the attacker is given as input some group element $X$, and must compute $\mathrm{DLog}_{G,g}(X)$. This problem is conjectured to be computationally intractable in suitable groups $G$.
Problem                               Given                  Figure out
Discrete logarithm (DL)               $g^x$                  $x$
Computational Diffie-Hellman (CDH)    $g^x, g^y$             $g^{xy}$
Decisional Diffie-Hellman (DDH)       $g^x, g^y, g^z$        Is $z \equiv xy \pmod{|G|}$?

Figure 10.1: An informal description of three discrete logarithm related problems over a cyclic group $G$ with generator $g$. For each problem we indicate the input to the attacker, and what the attacker must figure out to “win.” The formal definitions are in the text.
One might imagine “encrypting” a message $x \in \mathbb{Z}_m$ by letting $g^x$ be the ciphertext. An adversary wanting to recover $x$ is then faced with solving the discrete logarithm problem to do so.
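As an added worked example (not from the lecture notes), the three problems of Fig. 10.1 and the toy “encryption” $g^x$ above are instantiated in a small constructed group, the order-$m$ subgroup of $\mathbb{Z}_p^*$ with $p = 2039$ and $m = 1019$, together with a baby-step giant-step solver that recovers $x$ from $g^x$ in about $\sqrt{m}$ group operations; the parameters and function names are assumptions of this example, chosen to show why a real group must have $|G|$ far too large for such a solver to finish.

```python
# Added example, not part of the original notes: DL, CDH and DDH in a toy
# cyclic group, plus a generic sqrt(m)-time discrete-log solver.
from math import isqrt

# Constructed toy parameters: p = 2q + 1 with q = 1019 prime, and g = 4
# (a square mod p) generates the subgroup of prime order q. Real groups
# use |G| around 2^256, where sqrt(m) steps are hopeless.
P = 2 * 1019 + 1   # 2039, prime
Q = 1019           # m = |G|, the group order
G = 4              # generator g of the order-Q subgroup


def dlog_bsgs(g: int, a: int, m: int, p: int) -> int:
    """DL problem: return the unique i in Z_m with g^i = a (mod p).
    Baby-step giant-step: O(sqrt(m)) time and O(sqrt(m)) memory."""
    t = isqrt(m) + 1                                  # t^2 > m
    baby = {pow(g, j, p): j for j in range(t)}        # g^j for 0 <= j < t
    giant = pow(g, -t, p)                             # g^(-t)
    gamma = a
    for i in range(t):
        if gamma in baby:                             # a * g^(-i t) == g^j
            return (i * t + baby[gamma]) % m          # so a == g^(i t + j)
        gamma = gamma * giant % p
    raise ValueError("a is not in the subgroup generated by g")


def cdh(g: int, gx: int, gy: int, m: int, p: int) -> int:
    """CDH problem: from g^x and g^y compute g^(xy). Here it is solved by
    first solving DL for x; in a large group no such shortcut is known."""
    x = dlog_bsgs(g, gx, m, p)
    return pow(gy, x, p)


def ddh(g: int, gx: int, gy: int, gz: int, m: int, p: int) -> bool:
    """DDH problem: given g^x, g^y, g^z decide whether z = xy (mod m)."""
    return cdh(g, gx, gy, m, p) == gz


def recover_message(ciphertext: int) -> int:
    """The toy 'encryption' of the text: ciphertext is g^x, the adversary
    recovers x by solving DL, which is fast only because Q is tiny."""
    return dlog_bsgs(G, ciphertext, Q, P)
```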
Winter '08
daniele
Cryptography, Computational complexity theory, Prime number, Logarithm, Discrete logarithm