CPSC 467: Cryptography and Computer Security · CPSC 467: Cryptography and Computer Security...

Outline Legendre/Jacobi BBS Bit commitment Appendix 1: Formalization of Bit Commitment Schemes BBS Security

CPSC 467: Cryptography and Computer Security

Michael J. Fischer

Lecture 21November 18, 2015

CPSC 467, Lecture 21 1/67


The Legendre and Jacobi SymbolsThe Legendre symbolJacobi symbolComputing the Jacobi symbol

BBS Pseudorandom Sequence Generator

Bit Commitment ProblemBit Commitment Using QR CryptosystemBit Commitment Using Symmetric CryptographyBit Commitment Using Hash FunctionsBit Commitment Using Pseudorandom Sequence Generators

Appendix 1: Formalization of Bit Commitment Schemes

Appendix 2: Security of BBS



The Legendre and Jacobi Symbols



Notation for quadratic residues

The Legendre and Jacobi symbols form a kind of calculus forreasoning about quadratic residues and non-residues.

They lead to a feasible algorithm for determining membership inQ01

n ∪ Q10n . Like the Euclidean gcd algorithm, the algorithm does

not require factorization of its arguments.

The existence of this algorithm also explains why theGoldwasser-Micali cryptosystem can’t use all of QNRn in theencryption of “1”, for those elements in Q01

n ∪ Q10n are readily

determined to be in QNRn.



Legendre

Legendre symbol

Let p be an odd prime, a an integer. The Legendre symbol(

ap

)is

a number in {−1, 0,+1}, defined as follows:

(a

p

)=

+1 if a is a non-trivial quadratic residue modulo p

0 if a ≡ 0 (mod p)−1 if a is not a quadratic residue modulo p

By the Euler Criterion, we have

TheoremLet p be an odd prime. Then(

a

p

)≡ a( p−1

2 ) (mod p)

Note that this theorem holds even when p |a.



Legendre

Properties of the Legendre symbol

The Legendre symbol satisfies the following multiplicative property:

FactLet p be an odd prime. Then(

a1a2p

)=

(a1p

) (a2p

)

Not surprisingly, if a1 and a2 are both non-trivial quadraticresidues, then so is a1a2. Hence, the fact holds when(

a1p

)=

(a2p

)= 1.



Legendre

Product of two non-residues

Suppose a1 6∈ QRp, a2 6∈ QRp. The above fact asserts that theproduct a1a2 is a quadratic residue since(

a1a2p

)=

(a1p

) (a2p

)= (−1)(−1) = 1.

Here’s why.

I Let g be a primitive root of p.

I Write a1 ≡ gk1 (mod p) and a2 ≡ gk2 (mod p).

I Both k1 and k2 are odd since a1, a2 6∈ QRp.

I But then k1 + k2 is even.

I Hence, g (k1+k2)/2 is a square root of a1a2 ≡ gk1+k2 (mod p),so a1a2 is a quadratic residue.



Jacobi

The Jacobi symbolThe Jacobi symbol extends the Legendre symbol to the case wherethe “denominator” is an arbitrary odd positive number n.

Let n be an odd positive integer with prime factorization∏k

i=1 piei .

We define the Jacobi symbol by(an

)=

k∏i=1

(a

pi

) ei

(1)

The symbol on the left is the Jacobi symbol, and the symbol onthe right is the Legendre symbol.

(By convention, this product is 1 when k = 0, so(a1

)= 1.)

The Jacobi symbol extends the Legendre symbol since the twodefinitions coincide when n is an odd prime.



Jacobi

Meaning of Jacobi symbol

What does the Jacobi symbol mean when n is not prime?

I If(an

)= +1, a might or might not be a quadratic residue.

I If(an

)= 0, then gcd(a, n) 6= 1.

I If(an

)= −1 then a is definitely not a quadratic residue.



Jacobi

Jacobi symbol = +1 for n = pq

Let n = pq for p, q distinct odd primes. Since(an

)=

(a

p

) (a

q

)(2)

there are two cases that result in(an

)= 1:

1.(

ap

)=(

aq

)= +1, or

2.(

ap

)=(

aq

)= −1.



Jacobi

Case of both Jacobi symbols = +1

If(

ap

)=(

aq

)= +1, then a ∈ QRp ∩QRq = Q11

n .

It follows by the Chinese Remainder Theorem that a ∈ QRn.

This fact was implicitly used in the proof sketch that |√a| = 4.



Jacobi

Case of both Jacobi symbols = −1

If(

ap

)=(

aq

)= −1, then a ∈ QNRp ∩QNRq = Q00

n .

In this case, a is not a quadratic residue modulo n.

Such numbers a are sometimes called “pseudo-squares” since theyhave Jacobi symbol 1 but are not quadratic residues.



Identities

Computing the Jacobi symbol

The Jacobi symbol(an

)is easily computed from its definition

(equation 1) and the Euler Criterion, given the factorization of n.

Similarly, gcd(u, v) is easily computed without resort to theEuclidean algorithm given the factorizations of u and v .

The remarkable fact about the Euclidean algorithm is that it letsus compute gcd(u, v) efficiently, without knowing the factors of uand v .

A similar algorithm allows us to compute the Jacobi symbol(an

)efficiently, without knowing the factorization of a or n.



Identities

Identities involving the Jacobi symbol

The algorithm is based on identities satisfied by the Jacobi symbol:

1.(0n

)=

{1 if n = 10 if n 6= 1;

2.(2n

)=

{1 if n ≡ ±1 (mod 8)−1 if n ≡ ±3 (mod 8);

3.(a1n

)=(a2n

)if a1 ≡ a2 (mod n);

4.(2an

)=(2n

)·(an

);

5.(an

)=

{ (na

)if a, n odd and ¬(a ≡ n ≡ 3 (mod 4))

−(na

)if a, n odd and a ≡ n ≡ 3 (mod 4).



Identities

A recursive algorithm for computing Jacobi symbol

/* Precondition: a, n >= 0; n is odd */

int jacobi(int a, int n) {

if (a == 0) /* identity 1 */

return (n==1) ? 1 : 0;

if (a == 2) /* identity 2 */

switch (n%8) {

case 1: case 7: return 1;

case 3: case 5: return -1;

}

if ( a >= n ) /* identity 3 */

return jacobi(a%n, n);

if (a%2 == 0) /* identity 4 */

return jacobi(2,n)*jacobi(a/2, n);

/* a is odd */ /* identity 5 */

return (a%4 == 3 && n%4 == 3) ? -jacobi(n,a) : jacobi(n,a);

}



BBS Pseudorandom Sequence Generator



Blum primes and integers

A Blum prime is a prime p such that p ≡ 3 (mod 4).

A Blum integer is a number n = pq, where p and q are Blumprimes.

If p is a Blum prime, then −1 ∈ QNRp. This follows from the

Euler criterion, since p−12 is odd. By definition of the Legendre

symbol,(−1p

)= −1.

If n is a Blum integer, then −1 ∈ QNRn, but now(−1

n

)=

(−1

p

) (−1

q

)= (−1)(−1) = 1.



Square roots of Blum primes

TheoremLet p be a Blum prime, a ∈ QRp, and {b,−b} =

√a be the two

square roots of a. Then exactly one of b and −b is itself aquadratic residue.

Proof.(−b)(p−1)/2 6= b(p−1)/2 since

(−b)(p−1)/2 = (−1)(p−1)/2b(p−1)/2 = (−1)b(p−1)/2.

Both (−b)(p−1)/2 and b(p−1)/2 are in√

1 = {±1}, so it followsfrom the Euler criterion that one of b, −b is a quadratic residueand the other is not.



Square roots of Blum integers

Theorem (QR square root)

Let n = pq be a Blum integer and a ∈ QRn. Exactly one of a’sfour square roots modulo n is a quadratic residue.



Proof of QR square root theorem

Consider Z∗p and Z∗q. a ∈ QRp and a ∈ QRq.

Let {b,−b} ∈√a (mod p). By the previous theorem, exactly one

of these numbers is in QRp. Call that number bp.

Similarly, one of the square roots of a (mod q) is in QRq, say bq.

Applying the Chinese Remainder Theorem, it follows that exactlyone of a’s four square roots modulo n is in QRn.



A cryptographically secure PRSG

We present a cryptographically secure pseudorandom sequencegenerator due to Blum, Blum, and Shub (BBS).

BBS is defined by a Blum integer n = pq and an integer `.

It maps strings in Z∗n to strings in {0, 1}`.

Given a seed s0 ∈ Z∗n, we define a sequence s1, s2, s3, . . . , s`, wheresi = s2i−1 mod n for i = 1, . . . , `.

The `-bit output sequence BBS(s0) is b1, b2, b3, . . . , b` , wherebi = lsb(si ) is the least significant bit of si .



QR assumption and Blum integers

The security of BBS is based on the assumed difficulty ofdetermining, for a given a with Jacobi symbol 1, whether or not ais a quadratic residue, i.e., whether or not a ∈ QRn.

We just showed that Blum primes and Blum integers have theimportant property that every quadratic residue a has exactly onesquare root y which is itself a quadratic residue.

Call such a y the principal square root of a and denote it(ambiguously) by

√a (mod n) or simply by

√a when it is clear

that mod n is intended.



Security of BBS

We show in appendix 1 that BBS is cryptographically secure.

The proof reduces the problem of predicting the output of BBS tothe quadratic residuosity problem for numbers with Jacobisymbol 1 over Blum integers.

To do this reduction, we show that if there is a judge J thatsuccessfully distinguishes BBS(S) from U, then there is a feasiblealgorithm A for distinguishing quadratic residues from non-residueswith Jacobi symbol 1, contradicting the above version of the QRhardness assumption.



Bit Commitment Problem



Bit guessing game

Alice and Bob want to play a guessing game over the internet.

Alice says,

“I’m thinking of a bit. If you guess my bit correctly, I’llgive you $10. If you guess wrong, you give me $10.”

Bob says,

“Ok, I guess zero.”

Alice replies,

“Sorry, you lose. I was thinking of one.”



Preventing Alice from changing her mind

While this game may seem fair on the surface, there is nothing toprevent Alice from changing her mind after Bob makes his guess.

Even if Alice and Bob play the game face to face, they still must dosomething to commit Alice to her bit before Bob makes his guess.

For example, Alice might be required to write her bit down on apiece of paper and seal it in an envelope.

After Bob makes his guess, he opens the envelope to knowwhether he won or lost.

Writing down the bit commits Alice to that bit, even though Bobdoesn’t learn its value until later.



Bit commitment

A bit-commitment is an encryption of a bit using a cryptosystemwith a special property.

1. The bit is hidden from anyone not knowing the secret key.

2. There is only one valid way of decrypting the ciphertext, nomatter what key is used.

Thus, if c = Ek(b):

I It is hard to find b from c without knowning k .

I For every k ′, b′, if Ek ′(b′) = c , then b = b′.



Bit commitment intuition

In other words,

I If Alice produces a commitment c to a bit b, then b cannotbe recovered from c without knowing Alice’s secret encodingkey k .

I There is no key k ′ that Alice might release that would make itappear that c is a commitment of the bit 1− b.



Bit-commitments as cryptographic envelopes

More formally, a bit commitment or blob or cryptographic envelopeis an electronic analog of a sealed envelope.

Intuitively, a blob has two properties:

1. The bit inside the blob remains hidden until the blob isopened.

2. The bit inside the blob cannot be changed, that is, the blobcannot be opened in different ways to reveal different bits.



Bit-commitment primitives

A blob is produced by a protocol commit(b) between Alice andBob. We assume initially that only Alice knows b.

At the end of the commit protocol, Bob has a blob c containingAlice’s bit b, but he should have no information about b’s value.

Later, Alice and Bob can run a protocol open(c) to reveal the bitcontained in c to Bob.



Requirements for bit commitment

Alice and Bob do not trust each other, so each wants protectionfrom cheating by the other.

I Alice wants to be sure that Bob cannot learn b after she runscommit(b), even if he cheats.

I Bob wants to be sure that all successful runs of open(c)reveal the same bit b′, no matter what Alice does.

We do not require that Alice tell the truth about her private bit b.A dishonest Alice can always pretend her bit was b′ 6= b whenproducing c . But if she does, c can only be opened to b′, not to b.

These ideas should become clearer in the protocols below.



From QR cryptosystem

Bit Commitment Using QR Cryptosystem




A simple (but inefficient) bit commitment scheme

Here’s a simple way for Alice to commit to a bit b.

1. Create a Goldwasser-Micali public key e = (n, y), wheren = pq.

2. Choose random r ∈ Z∗n, and use it to produce an encryption cof b. (See lecture 19, slide 29.)

3. Send the blob (e, c) to Bob.

To open (e, c), Alice sends b, p, q, r to Bob.

Bob checks that n = pq, p and q are distinct odd primes, y ∈ Q00n ,

and that c is the encryption of b based on r .


http://zoo.cs.yale.edu/classes/cs467/2015f/lectures/ln19.pdf



Security of QR bit commitment

Alice can’t change her mind about b, since c either is or is not aquadratic residue.

Bob cannot determine the value of b before Alice opens c sincethat would amount to violating the quadratic residuosityassumption.



Bit Commitment Using Symmetric Cryptography

Bit Commitment Using Symmetric

Cryptography




A naıve approach for a faster bit-commitment scheme

A naıve way to use a symmetric cryptosystem for bit commitmentis for Alice to encrypt b with a private key k to get blob c = Ek(b).

She opens it by releasing k . Anyone can compute b = Dk(c).

Alice can easily cheat if she can find a colliding triple (c, k0, k1)with the property that Dk0(c) = 0 and Dk1(c) = 1.

She “commits” by sending c to Bob.

Later, she can choose to send Bob either k0 or k1.

This isn’t just a hypothetical problem. Suppose Alice uses themost secure cryptosystem of all, a one-time pad, so Dk(c) = c ⊕ k .

Then (c, c ⊕ 0, c ⊕ 1) is a colliding triple.




Another attemptThe protocol below tries to make it harder for Alice to cheat bymaking it possible for Bob to detect most bad keys.

Alice Bob

To commit(b):

1.r←− Choose random string r .

2. Choose random key k.

Compute c = Ek(r · b).c−→ c is commitment.

To open(c):

3. Send k .k−→ Let r ′ · b′ = Dk(c).

Check r ′ = r .b′ is revealed bit.




Security of second attempt

For many cryptosystems (e.g., DES), this protocol does indeedprevent Alice from cheating, for she will have difficulty finding anytwo keys k0 and k1 such that Ek0(r · 0) = Ek1(r · 1), and r isdifferent for each run of the protocol.

However, for the one-time pad, she can cheat as before: She justtakes c to be random and lets k0 = c ⊕ (r · 0) and k1 = c ⊕ (r · 1).

Then Dkb(c) = r · b for b ∈ {0, 1}, so the revealed bit is 0 or 1depending on whether Alice sends k0 or k1 in step 3.




Need for a different approach

We see that not all secure cryptosystems have the properties weneed in order to make the protocol secure.

We need a property analogous to the strong collision-free propertyfor hash functions (lecture 14).


http://zoo.cs.yale.edu/classes/cs467/2015f/lectures/ln14.pdf


From hash

Bit Commitment Using Hash Functions



From hash

Bit commitment from a hash functionThe analogy between bit commitment and hash functions describedabove suggests a bit commitment scheme based on hash functions.

Alice Bob

To commit(b):1.

r1←− Choose random string r1.2. Choose random string r2.

Compute c = H(r1r2b).c−→ c is commitment.

To open(c):

3. Send r2.r2−→ Find b′ ∈ {0, 1} such that

c = H(r1r2b′).

If no such b′, then fail.Otherwise, b′ is revealed bit.



From hash

Purpose of r2

The purpose of r2 is to protect Alice’s secret bit b.

To find b before Alice opens the commitment, Bob would have tofind r ′2 and b′ such that H(r1r

′2b′) = c .

This is akin to the problem of inverting H and is likely to be hard,although the one-way property for H is not strong enough to implythis.

On the one hand, if Bob succeeds in finding such r ′2 and b′, he hasindeed inverted H, but he does so only with the help of r1 —information that is not generally available when attempting toinvert H.



From hash

Purpose of r1

The purpose of r1 is to strengthen the protection that Bob getsfrom the hash properties of H.

Even without r1, the strong collision-free property of H wouldimply that Alice cannot find c , r2, and r ′2 such thatH(r20) = c = H(r ′21).

But by using r1, Alice would have to find a new colliding pair foreach run of the protocol.

This protects Bob by preventing Alice from exploiting a fewcolliding pairs for H that she might happen to discover.



From PRSG

Bit Commitment Using Pseudorandom

Sequence Generators



From PRSG

Bit commitment using a PRSGLet Gρ(s) be the first ρ bits of G (s). (ρ is a security parameter.)

Alice Bob

To commit(b):1.

r←− Choose random r ∈ {0, 1}ρ.2. Choose random seed s.

Let y = Gρ(s).If b = 0 let c = y .

If b = 1 let c = y ⊕ r .c−→ c is commitment.

To open(c):

3. Send s.s−→ Let y = Gρ(s).

If c = y then reveal 0.If c = y ⊕ r then reveal 1.Otherwise, fail.



From PRSG

Security of PRSG bit commitment

Assuming G is cryptographically strong, then c will look random toBob, regardless of the value of b, so he will be unable to get anyinformation about b.

Why?

Assume Bob has advantage ε at guessing b when he can choose rand is given c . Here’s a judge J for distinguishing G (S) from U.

I Given input y , J chooses random b and simulates Bob’scheating algorithm. J simulates Bob choosing r , computesc = y ⊕ rb, and continues Bob’s algorithm to find a guess bfor b.

I If b = b, J outputs 1.

I If b 6= b, J outputs 0.



From PRSG

The judge’s advantage

If y is drawn at random from U, then c is uniformly distributedand independent of b, so J outputs 1 with probability 1/2.

If y comes from G (S), then J outputs 1 with the same probabilitythat Bob can correctly guess b.

Assuming G is cryptographically strong, then Bob has negligibleadvantage at guessing b.



From PRSG

Purpose of r

The purpose of r is to protect Bob against a cheating Alice.

Alice can cheat if she can find a triple (c, s0, s1) such that s0 opensc to reveal 0 and s1 opens c to reveal 1.

Such a triple must satisfy the following pair of equations:

c = Gρ(s0)c = Gρ(s1)⊕ r .

}It is sufficient for her to solve the equation

r = Gρ(s0)⊕ Gρ(s1)

for s0 and s1 and then choose c = Gρ(s0).



From PRSG

How big does ρ need to be?We now count the number of values of r for which the equation

r = Gρ(s0)⊕ Gρ(s1)has a solution.

Suppose n is the seed length, so the number of seeds is ≤ 2n.Then the right side of the equation can assume at most 22n/2distinct values.

Among the 2ρ possible values for r , only 22n−1 of them have thepossibility of a colliding triple, regardless of whether or not Alicecan feasibly find it.

Hence, by choosing ρ sufficiently much larger than 2n − 1, theprobability of Alice cheating can be made arbitrarily small.

For example, if ρ = 2n + 19 then her probability of successfulcheating is at most 2−20.



From PRSG

Why does Bob need to choose r?

Why can’t Alice choose r , or why can’t r be fixed to someconstant?

If Alice chooses r , then she can easily solve r = Gρ(s0)⊕ Gρ(s1)and cheat.

If r is fixed to a constant, then if Alice ever finds a colliding triple(c , s0, s1), she can fool Bob every time.

While finding such a pair would be difficult if Gρ were a trulyrandom function, any specific PRSG might have special properties,at least for a few seeds, that would make this possible.



From PRSG

Example

For example, suppose r = 1ρ and Gρ(¬s0) = ¬Gρ(s0) for some s0.

Then taking s1 = ¬s0 givesGρ(s0)⊕Gρ(s1) = Gρ(s0)⊕Gρ(¬s0) = Gρ(s0)⊕¬Gρ(s0) = 1ρ = r .

By having Bob choose r at random, r will be different each time(with very high probability).

A successful cheating Alice would be forced to solver = Gρ(s0)⊕ Gρ(s1) in general, not just for one special case.



Appendix 1: Formalization of Bit

Commitment Schemes



Formalization of bit commitment schemes

The above bit commitment protocols all have the same form.

We abstract from them a cryptographic primitive, called a bitcommitment scheme, which consists of a pair of key spaces KAand KB, a blob space B, a commitment function

enclose : KA ×KB × {0, 1} → B,

and an opening function

reveal : KA ×KB × B → {0, 1, φ},

where φ means “failure”.

We say that a blob c ∈ B contains b ∈ {0, 1} ifreveal(kA, kB , c) = b for some kA ∈ KA and kB ∈ KB .



Desired properties

These functions have three properties:

1. ∀kA ∈ KA, ∀kB ∈ KB ,∀b ∈ {0, 1},reveal(kA, kB , enclose(kA, kB , b)) = b;

2. ∀kB ∈ KB ,∀c ∈ B,∃b ∈ {0, 1},∀kA ∈ KA,reveal(kA, kB , c) ∈ {b, φ}.

3. No feasible probabilistic algorithm that attempts to distinguishblobs containing 0 from those containing 1, given kB and c, iscorrect with probability significantly greater than 1/2.



Intuition

The intention is that kA is chosen by Alice and kB by Bob.Intuitively, these conditions say:

1. Any bit b can be committed using any key pair kA, kB , andthe same key pair will open the blob to reveal b.

2. For each kB , all kA that successfully open c reveal the samebit.

3. Without knowing kA, the blob does not reveal any significantamount of information about the bit it contains, even whenkB is known.



Comparison with symmetric cryptosystem

A bit commitment scheme looks a lot like a symmetriccryptosystem, with enclose(kA, kB , b) playing the role of theencryption function and reveal(kA, kB , c) the role of thedecryption function.

However, they differ both in their properties and in theenvironments in which they are used.

Conventional cryptosystems do not require uniqueness condition 2,nor do they necessarily satisfy it.



Comparison with symmetric cryptosystem (cont.)

In a conventional cryptosystem, we assume that Alice and Bobtrust each other and both share a secret key k.

The cryptosystem is designed to protect Alice’s secret messagefrom a passive eavesdropper Eve.

In a bit commitment scheme, Alice and Bob cooperate in theprotocol but do not trust each other to choose the key.

Rather, the key is split into two pieces, kA and kB , with eachparticipant controlling one piece.



A bit-commitment protocol from a bit-commitment schemeA bit commitment scheme can be turned into a bit commitmentprotocol by plugging it into the generic protocol:

Alice Bob

To commit(b):

1.kB←− Choose random kB ∈ KB .

2. Choose random kA ∈ KA.

c = enclose(kA, kB , b).c−→ c is commitment.

To open(c):

3. Send kA.kA−→ Compute b = reveal(kA, kB , c).

If b = φ, then fail.If b 6= φ, then b is revealed bit.



The previous bit commitment protocols we have presented can allbe regarded as instances of the generic protocol.

For example, we get the second protocol based on symmetriccryptography by taking

enclose(kA, kB , b) = EkA(kB · b),

and

reveal(kA, kB , c) =

{b if kB · b = DkA(c)φ otherwise.



Appendix 2: Security of BBS



Blum integers and the Jacobi symbol

FactLet n be a Blum integer and a ∈ QRn. Then

(an

)=(−a

n

)= 1.

Proof.This follows from the fact that if a is a quadratic residue modulo aBlum prime, then −a is a quadratic non-residue. Hence,(

a

p

)= −

(−ap

)and

(a

q

)= −

(−aq

), so

(an

)=

(a

p

)·(a

q

)=

(−(−ap

))·(−(−aq

))=

(−an

).



Blum integers and the least significant bit

The low-order bits of x mod n and (−x) mod n always differ whenn is odd.

Let lsb(x) = (x mod 2) be the least significant bit of integer x .

FactIf n is odd, then lsb(x mod n)⊕ lsb((−x) mod n) = 1.



First-bit prediction

A first-bit predictor with advantage ε is a probabilistic polynomialtime algorithm A that, given b2, . . . , b`, correctly predicts b1 withprobability at least 1/2 + ε.

This is not sufficient to establish that the pseudorandom sequenceBBS(S) is indistinguishable from the uniform random sequence U,but if it did not hold, there certainly would exist a distinguishingjudge.

Namely, the judge that outputs 1 if b1 = A(b2, . . . , b`) and 0otherwise would output 1 with probability greater than 1/2 + ε inthe case that the sequence came from BBS(S) and would output 1with probability exactly 1/2 in the case that the sequence was trulyrandom.



BBS has no first-bit predictor under the QR assumption

If BBS has a first-bit predictor A with advantage ε, then there is aprobabilistic polynomial time algorithm Q for testing quadraticresiduosity with the same accuracy.

Thus, if quadratic-residue-testing is “hard”, then so is first-bitprediction for BBS.

TheoremLet A be a first-bit predictor for BBS(S) with advantage ε. Thenwe can find an algorithm Q for testing whether a number x withJacobi symbol 1 is a quadratic residue, and Q will be correct withprobability at least 1/2 + ε.



Construction of Q

Assume that A predicts b1 given b2, . . . , b`.

Algorithm Q(x) tests whether or not a number x with Jacobisymbol 1 is a quadratic residue modulo n.

It outputs 1 to mean x ∈ QRn and 0 to mean x 6∈ QRn.

To Q(x):1. Let s2 = x2 mod n.2. Let si = s2i−1 mod n, for i = 3, . . . , `.

3. Let b1 = lsb(x).

4. Let bi = lsb(si ), for i = 2, . . . , `.

5. Let c = A(b2, . . . , b`).

6. If c = b1 then output 1; else output 0.



Why Q worksSince

(xn

)= 1, then either x or −x is a quadratic residue. Let s0

be the principal square root of x or −x . Let s1, . . . , s` be the statesequence and b1, . . . , b` the corresponding output bits of BBS(s0).

We have two cases.

Case 1: x ∈ QRn. Then s1 = x , so the state sequence of BBS(s0)is

s1, s2, . . . , s` = x , s2, . . . , s`,

and the corresponding output sequence is

b1, b2, . . . , b` = b1, b2, . . . , b`.

Since b1 = b1, Q(x) correctly outputs 1 whenever A correctlypredicts b1. This happens with probability at least 1/2 + ε.



Why Q works (cont.)

Case 2: x ∈ QNRn, so −x ∈ QRn. Then s1 = −x , so the statesequence of BBS(s0) is

s1, s2, . . . , s` = −x , s2, . . . , s`,

and the corresponding output sequence is

b1, b2, . . . , b` = ¬b1, b2, . . . , b`.

Since b1 = ¬b1, Q(x) correctly outputs 0 whenever A correctlypredicts b1. This happens with probability at least 1/2 + ε.In both cases, Q(x) gives the correct output with probability atleast 1/2 + ε.


CPSC 467: Cryptography and Computer Security · CPSC 467: Cryptography and Computer Security...

Documents

Transcript of CPSC 467: Cryptography and Computer Security · CPSC 467: Cryptography and Computer Security...