the generic group model and algorithmic randomness
play

The Generic Group Model and Algorithmic Randomness Kohtaro Tadaki - PowerPoint PPT Presentation

Nov 01, 2023 •302 likes •576 views

The Generic Group Model and Algorithmic Randomness Kohtaro Tadaki Doi Norihisa Research and Development Initiative, Chuo University Tokyo, Japan 1 Abstract In modern cryptography, the generic group model (Shoup, 1997) is widely used as an

  1. The Generic Group Model and Algorithmic Randomness Kohtaro Tadaki Doi Norihisa Research and Development Initiative, Chuo University Tokyo, Japan 1

  2. Abstract In modern cryptography, the generic group model (Shoup, 1997) is widely used as an imaginary framework in which the security of a cryptographic scheme is discussed. In particular, the generic group model is often used to discuss the compu- tational hardness of problems, such as the discrete logarithm problem and the Diffie-Hellman problem, which are used as a computational hardness assumption to prove the security of a cryptographic scheme. In this talk, we apply the concepts and methods of algorithmic randomness to the generic group model, and consider the secure instantiation of the generic group, i.e., a random encoding of the group elements. In particular, we show that the generic group can be instantiated by a specific computable function while keeping the computational hardness of the problems originally proved in the generic group model. 2

  3. Discrete Logarithm Problem 3

  4. Experiment for the Discrete Logarithm Problem Let G be a finite cyclic group in a certain class. Consider the following experiment defined for a probabilistic polynomial- time algorithm A and a parameter n : ✓ ✏ The discrete logarithm experiment DLog A ( n ) : 1. Generate ( G, N, g ) , where G is a finite cyclic group of order N repre- sented by n bit strings and g is a generator of G . 2. Generate h ∈ G uniformly. 3. A is given q, g, h and outputs x ∈ Z q 4. The output of the experiment is defined to be 1 if g x = h and 0 otherwise. ✒ ✑ 4

  5. The Hardness of the Discrete Logarithm Problem Definition We say that the discrete logarithm problem is hard (with respect to a cer- tain class of finite cyclic groups) if for all probabilistic polynomial-time algorithms A and all d ∈ N + there exists N ∈ N + such that, for all n > N , Prob[ DLog A ( n ) = 1] ≤ 1 n d . 5

  6. The Generic Group Model 6

  7. Generic Algorithm 7

  8. Encoding Function into n Bitstrings Definition [Encoding Function into n Bitstrings] Let n ∈ N + = { 1 , 2 , 3 , . . . } . An encoding function into n bitstrings is a bijective function mapping { 0 , 1 , . . . , 2 n − 1 } to { 0 , 1 } n . Let N ≤ 2 n . • For every pair of finite cyclic group G of order N and its generator, there is an encoding function σ into n bitstrings such that G is isomorphic to Z N via σ . • Conversely, for every encoding function σ into n bitstrings, by defining the binary operation σ ( x ) ◦ σ ( y ) := σ ( x + y ) on σ ( Z N ), the set σ ( Z N ) becomes a finite cyclic group of order N with generator σ (1) and the set σ ( Z N ) is isomorphic to Z N via σ . In this manner, there is a bijective correspondence between a pair of a finite cyclic group G of order N and its generator, and an encoding function σ into n bitstrings. By choosing σ appropriately, any finite cyclic group G (with its generator) can be obtained. 8

  9. Generic Algorithm Definition [Generic Algorithm, Shoup 97] A generic algorithm is a probabilistic oracle Turing machine A which be- haves as follows: Let n ∈ N + , and let σ be an encoding function into n bitstrings and N a positive integer with N ≤ 2 n . (i) A takes as input a list σ ( x 1 ) , . . . , σ ( x k ) with x 1 , . . . , x k ∈ Z N , as well as (the binary representations of) N and its prime factorization. (ii) As A is executed, it is allowed to make calls to oracles which compute the functions add : σ ( Z N ) × σ ( Z N ) → σ ( Z N ) and inv : σ ( Z N ) → σ ( Z N ) with add ( σ ( x ) , σ ( y )) = σ ( x + y ) and inv ( σ ( x )) = σ ( − x ) . The algorithm A do not perform these operations internally by itself. (iii) Eventually, A halts and outputs a finite binary string, denoted by A ( N ; σ ( x 1 ) , . . . , σ ( x k )) . 9

  10. The Discrete Logarithm Problem in the Generic Group Model 10

  11. Experiment for the Discrete Logarithm Problem A Consider the following experiment defined for a polynomial-time generic algorithm A , a parameter n , and a positive integer N ≤ 2 n : ✓ ✏ The discrete logarithm experiment DLog A ( n, N ) : 1. Generate an encoding function σ into n bitstrings uniformly. 2. Generate x ∈ Z N uniformly. 3. The output of the experiment is defined to be 1 if A ( N ; σ (1) , σ ( x )) = x σ (1) is a generator of the finite cyclic group σ ( Z N ) of order N , and x is the discrete logarithm of σ ( x ) to the base σ (1) . and 0 otherwise. ✒ ✑ 11

  12. The Hardness of the Discrete Logarithm Problem A Theorem [Shoup 97] There exists C ∈ N + such that, for every generic algorithm A , n ∈ N + , and N with N ≤ 2 n , Prob[ DLog A ( n, N ) = 1] ≤ Cm 2 , p where p is the largest prime divisor of N and m is the maximum number of the oracle queries among all the computation paths of A . If we insist that A succeed with probability bounded by a positive constant (e.g., 1 / 2) to the below, this theorem translates into a lower bound Ω( √ p ) of the number of group operations queried by A . 12

  13. Translating Shoup’s result into the form well used as a computational assumption 13

  14. Experiment for the Discrete Logarithm Problem B Consider the following experiment for a polynomial-time generic algorithm A , a parameter n , and an encoding function σ into n bitstrings: ✓ ✏ The discrete logarithm experiment DLog A ( n, σ ) : 1. Generate an n -bit prime p uniformly. 2. Generate x ∈ Z p uniformly. 3. The output of the experiment is defined to be 1 if A ( p ; σ (1) , σ ( x )) = x and 0 otherwise. ✒ ✑ 14

  15. The Hardness of the Discrete Logarithm Problem B The hardness of the discrete logarithm problem in the generic group model is then formulated as follows. Definition We say that the discrete logarithm problem is hard in the generic group model if for all polynomial-time generic algorithms A and all d ∈ N + there exists N ∈ N + such that, for all n > N , 1 Prob[ DLog A ( n, σ ) = 1] ≤ 1 ∑ n d , # Encf n σ ∈ Encf n where Encf n is the set of all encoding functions into n bitstrings. Note that the probability is averaged over all encoding functions into n bit- strings. This results in a random encoding function into n bitstrings, i.e., the generic group. Theorem The discrete logarithm problem is hard in the generic group model. 15

  16. Our aim is the secure instantiation of the generic group. For that purpose, we translate Shoup’s result into a stronger computational hardness. 16

  17. The Effective Hardness of the Discrete Logarithm Problem In this talk we consider a stronger notion of the hardness of the discrete logarithm problem. This stronger notion, called the effective hardness of the discrete logarithm problem, is defined as follows: We first choose a particular recursive enumeration A 1 , A 2 , A 3 , . . . of all polynomial-time generic algorithms. It is easy to show that such an enu- meration exists. The effective hardness of the discrete logarithm problem in the generic group model is then formulated as follows. Definition We say that the discrete logarithm problem is effectively hard in the generic group model if there exists a computable function f : N + × N + → N + such that, for all i, d, n ∈ N + , if n ≥ f ( i, d ) then 1 Prob[ DLog A i ( n, σ ) = 1] ≤ 1 ∑ n d . # Encf n σ ∈ Encf n 17

  18. Effective Hardness ? In the definitions of the (conventional) hardness of the discrete logarithm problem, the number N is only required to exist, depending on an adversary A and a number d , that is, the success probability of the attack by an adversary A on a security parameter n is required to be less than 1 /n d for all sufficiently large n , where the lower bound of such n is not required to be computable from A and d . On the other hand, in the definitions of the effective hardness of the discrete logarithm problem, it is required that the lower bound N of such n can be computed from the code of A and d . Definition [posted again] We say that the discrete logarithm problem is hard in the generic group model if for all polynomial-time generic algorithms A and all d ∈ N + there exists N ∈ N + such that, for all n > N , 1 Prob[ DLog A ( n, σ ) = 1] ≤ 1 ∑ n d . # Encf n σ ∈ Encf n 18

  19. Effective Hardness ? In modern cryptography based on computational security, it is important to choose the security parameter n of a cryptographic scheme as small as possible to the extent that the security requirements are satisfied, in order to make the efficiency of the scheme as high as possible. For that purpose, it is desirable to be able to calculate a concrete value of N , given the code of A and d , since N gives a lower bound of the security parameter for which the security requirements specified by A and d are satisfied. This results in the notion of effective hardness. Definition [posted again] We say that the discrete logarithm problem is hard in the generic group model if for all polynomial-time generic algorithms A and all d ∈ N + there exists N ∈ N + such that, for all n > N , 1 Prob[ DLog A ( n, σ ) = 1] ≤ 1 ∑ n d . # Encf n σ ∈ Encf n 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr

Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr

Algorithmic randomness Beyond arithmetic Higher randomness ITTM and randomness Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr eteil 5 May 2017 Algorithmic randomness Beyond arithmetic Higher

771 views • 64 slides
Algorithmic Randomness Rod Downey Victoria University Wellington New Zealand Udine, 2018

Algorithmic Randomness Rod Downey Victoria University Wellington New Zealand Udine, 2018

Algorithmic Randomness Rod Downey Victoria University Wellington New Zealand Udine, 2018 Lets begin by examining the title: Algorithmic Randomness The idea is to use algorithmic means to ascribe meaning to the apparent

963 views • 50 slides
Randomness in Computing L ECTURE 24 Last time Probabilistic method Algorithmic LLL

Randomness in Computing L ECTURE 24 Last time Probabilistic method Algorithmic LLL

Randomness in Computing L ECTURE 24 Last time Probabilistic method Algorithmic LLL Applications of LLL Today Markov chains 4/21/2020 Sofya Raskhodnikova;Randomness in Computing; based on slides by Baranasuriya et al.

538 views • 24 slides
Multiple recurrence and algorithmic randomness Andr e Nies CCR 2015, Universit at

Multiple recurrence and algorithmic randomness Andr e Nies CCR 2015, Universit at

Multiple recurrence and algorithmic randomness Andr e Nies CCR 2015, Universit at Heidelberg Joint work with Rod Downey and Satyadev Nandakumar Slides are on my web site Andr e Nies Multiple recurrence and algorithmic randomness

642 views • 23 slides
An operational characterization of the notion of probability by algorithmic randomness and its

An operational characterization of the notion of probability by algorithmic randomness and its

An operational characterization of the notion of probability by algorithmic randomness and its applications Kohtaro Tadaki Department of Computer Science, College of Engineering Chubu University Nagoya, Japan CCR 2015, June 24th, 2015,

725 views • 51 slides
Point-free Descriptive Set Theory and Algorithmic Randomness Alex Simpson University of

Point-free Descriptive Set Theory and Algorithmic Randomness Alex Simpson University of

1/24 Point-free Descriptive Set Theory and Algorithmic Randomness Alex Simpson University of Ljubljana, Slovenia incorporating j.w.w. Antonin Delpeuch (Univ. Oxford) CCC, Nancy, June 2017 Point-free Descriptive Set Theory and Algorithmic

538 views • 24 slides
Randomness in Computing L ECTURE 23 Last time Probabilistic method Lovasz Local Lemma

Randomness in Computing L ECTURE 23 Last time Probabilistic method Lovasz Local Lemma

Randomness in Computing L ECTURE 23 Last time Probabilistic method Lovasz Local Lemma (LLL) Algorithmic LLL Today Probabilistic method Algorithmic LLL Applications of LLL 4/16/2020 Sofya Raskhodnikova;Randomness in

449 views • 15 slides
Extending Algorithmic New Definition of . . . Need to Extend . . . Randomness to Natural

Extending Algorithmic New Definition of . . . Need to Extend . . . Randomness to Natural

Physicists Usually . . . Kolmogorovs . . . New Definition of . . . Extending Algorithmic New Definition of . . . Need to Extend . . . Randomness to Natural Extension of . . . the Algebraic Approach Consistency Result: . . . Consistency:

255 views • 24 slides
Higher randomness Benoit Monin - LIAFA - University of Paris VII Victoria university - 16 April

Higher randomness Benoit Monin - LIAFA - University of Paris VII Victoria university - 16 April

Introduction Complexity of sets Algorithmic randomness Beyond arithmetic Higher randomness Topological differences Higher randomness Benoit Monin - LIAFA - University of Paris VII Victoria university - 16 April 2014 Introduction Complexity

767 views • 75 slides
1 Definition of a simple generic class Why generic programming (cont.) class Pair <T> {

1 Definition of a simple generic class Why generic programming (cont.) class Pair <T> {

Topics background and goals of generic programming basics of generic classes = parameterized types generic methods for general algorithms inheritance rules for generic types Generic programming in Java bounded type parameters

261 views • 5 slides
Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick Technische Universitt Darmstadt, Germany ??? 2 How to acquire randomness? A: 42 B: Random

562 views • 32 slides
Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Randomness and Pseudorandomness Review Problem:

1.69k views • 33 slides
On Stability Property of Probability Laws with Respect to Small Violations of Algorithmic

On Stability Property of Probability Laws with Respect to Small Violations of Algorithmic

On Stability Property of Probability Laws with Respect to Small Violations of Algorithmic Randomness Vladimir V. Vyugin Institute for Information Transmission Problems Russian Academy of Sciences logo Martin-L of random sequences

190 views • 17 slides
Effective fractal dimension in the hyperspace and the space of probability distributions

Effective fractal dimension in the hyperspace and the space of probability distributions

Effective fractal dimension in the hyperspace and the space of probability distributions (informal talk) Elvira Mayordomo Universidad de Zaragoza, Iowa State University AIM, August 13th 2020 Why algorithmic randomness? Why algorithmic

401 views • 26 slides
Computably measurable sets and computably measurable functions in terms of algorithmic

Computably measurable sets and computably measurable functions in terms of algorithmic

Computably measurable sets and computably measurable functions in terms of algorithmic randomness Tokyo Institute of Technology 20 Feb 2013 Kenshi Miyabe RIMS, Kyoto University 1 Motivation Measure (Probability) theory everywhere(!)

665 views • 25 slides
Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda Randomness in Private Key Generation Randomness in Election (fraud) Randomness in Coin Flipping What is random? Chosen without method

693 views • 35 slides
Some existence of perpendicular multi-arrays Kazuki Matsubara Chuo Gakuin University (joint work

Some existence of perpendicular multi-arrays Kazuki Matsubara Chuo Gakuin University (joint work

Some existence of perpendicular multi-arrays Kazuki Matsubara Chuo Gakuin University (joint work with Sanpei Kageyama) 2018.5.20-24 JCCA2018 Sendai International Center Kazuki Matsubara (Chuo Gakuin Univ.) Some existence of perpendicular

418 views • 17 slides
Ubiquitous Networking and JGN Ubiquitous Networking and JGN for Future e- -Japan Japan for

Ubiquitous Networking and JGN Ubiquitous Networking and JGN for Future e- -Japan Japan for

Ubiquitous Networking and JGN Ubiquitous Networking and JGN for Future e- -Japan Japan for Future e Tadao SAITO Tadao SAITO Professor Emeritus, The University of Tokyo Professor Emeritus, The University of Tokyo Professor, Chuo University

874 views • 50 slides
A Data-Driven Reflectance Model Matusik, Pfister, Brand, McMillan SIGGRAPH 2003 Bidirectional

A Data-Driven Reflectance Model Matusik, Pfister, Brand, McMillan SIGGRAPH 2003 Bidirectional

A Data-Driven Reflectance Model Matusik, Pfister, Brand, McMillan SIGGRAPH 2003 Bidirectional Reflectance Distribution Functions (BRDF) Models how light reacts to a surface Outogin and incident light directions Light properties

643 views • 10 slides
Progress of Disposal of Disaster Waste Directly Governed by the National Waste Government in

Progress of Disposal of Disaster Waste Directly Governed by the National Waste Government in

Progress of Disposal of Disaster Waste Directly Governed by the National Waste Government in Designated Areas in Fukushima Prefecture Disaster waste has been disposed of based on the Treatment Plan on Waste within the Management Areas Iitate

220 views • 5 slides
An Advance Reservation based Co allocation Algorithm for Distributed Computers and Network

An Advance Reservation based Co allocation Algorithm for Distributed Computers and Network

An Advance Reservation based Co allocation Algorithm for Distributed Computers and Network Bandwidth on QoS guaranteed Grids Atsuko Takefusa, Hidemoto Nakada, Tomohiro Kudoh, and Yoshio Tanaka National Institute of Advanced Industrial

519 views • 30 slides
A computational complexity-theoretic elaboration of weak truth-table reducibility Kohtaro Tadaki

A computational complexity-theoretic elaboration of weak truth-table reducibility Kohtaro Tadaki

A computational complexity-theoretic elaboration of weak truth-table reducibility Kohtaro Tadaki Research and Development Initiative, Chuo University JST CREST Tokyo, Japan Supported by the Ministry of Economy, Trade and Industry of Japan and

464 views • 32 slides
Business Meeting AJBS 2020 The Association of Japanese Business Studies 33rd Annual Conference

Business Meeting AJBS 2020 The Association of Japanese Business Studies 33rd Annual Conference

Business Meeting AJBS 2020 The Association of Japanese Business Studies 33rd Annual Conference ( Cancelled due to COVID-19 ) Business Agenda o Current AJBS Officers o AJBS Activities and Benefits o Special Acknowledgements o New AJBS Role o

413 views • 15 slides
Recovery from the Great Hanshin-Awaji Earthquake and the Development of Safe Cities 24

Recovery from the Great Hanshin-Awaji Earthquake and the Development of Safe Cities 24

Recovery from the Great Hanshin-Awaji Earthquake and the Development of Safe Cities 24 January,2018 Noboru Shimizu Manager , Planning, Crisis Management Office, Kobe City Government The Great Hanshin-Awaji earthquake occurred on January 17,

610 views • 13 slides

More recommend