
Definition 3.2 (Trapdoor Permutation) A function $f : \{0,1\}^* \to \{0,1\}^*$ with an associated trapdoor information $td \in \{0,1\}^\kappa$, $\kappa \in \mathbb{N}$, is a trapdoor permutation if all of the following hold:

One-way permutation. If $td$ is kept secret then $f$ has the same properties as a one-way permutation from Definition 3.1.

Easy to invert with a trapdoor. There exists a PPT algorithm that for all $x \in \{0,1\}^*$ on input $td$ and $y = f(x)$ outputs $x$.

Note that the easy inversion with the trapdoor does not contradict the function's one-wayness, because the trapdoor is not part of the function's output and is therefore not part of A's input. Obviously, any trapdoor permutation is also a one-way permutation. On the other hand, not every one-way permutation can be associated with a trapdoor. Therefore, the assumption on the existence of trapdoor permutations is strictly stronger than the assumption on the existence of one-way functions. As we will see, existence of trapdoor permutations is likely to be the weakest assumption needed to construct secure group signatures, unlike ordinary signatures that can be constructed from one-way functions. Although existence of trapdoor permutations is an unproven assumption, a well-known candidate for a trapdoor permutation is the permutation used by the RSA cryptosystem (cf. Section 3.2.1).

3.2. Number-Theoretic Hardness Assumptions

While general assumptions are helpful to assess security of cryptographic schemes from the theoretical point of view, many practical cryptographic constructions require assumptions based on number theory. In this section we give an overview of three number-theoretic settings that have been used in the design of modern group signature schemes. These include the RSA setting, the DL setting, and the setting of bilinear maps, which can be seen as a special case of the DL setting with richer algebraic properties. In our description we will assume that the reader is familiar with basic number-theoretic concepts used in cryptography that can be found, for example, in the book of Shoup [171].

3.2.1. Assumptions in the RSA Setting

The RSA setting is based on an algorithm RSAGen that on input a security parameter $1^\kappa$, $\kappa \in \mathbb{N}$, outputs a tuple of integers $(N, p, q)$ such that $N = pq$ is of length $\kappa$, and $p$, $q$ are prime numbers. $N$ is called an RSA modulus. Moreover, if $p$, $q$ are safe primes, i.e. $p = 2p' + 1$ and $q = 2q' + 1$ with $p'$ and $q'$ being primes as well, then the RSA modulus $N$ is called safe. It is widely assumed that factoring $N$, that is computing its prime factors $p$ and $q$, is hard if these factors are sufficiently large. The RSA setting admits further hardness assumptions that we will use in our description of group signatures and introduce in the following.

Definition 3.3 (Strong RSA Assumption (SRSA)) Let RSAGen be an algorithm that outputs $(N, p, q)$ with $N$ being a (safe) RSA modulus and let $G = \langle g \rangle$ denote a cyclic subgroup of $\mathbb{Z}_N^*$ of order $Q$ with length $|Q| = \kappa$. The Strong RSA (SRSA) assumption says that for all PPT algorithms $A$ the following advantage function is negligible in $\kappa$:

$$\mathrm{Adv}^{\mathrm{SRSA}}_{\mathrm{RSAGen},A}(\kappa) = \Pr\left[ (N,p,q) \leftarrow \mathrm{RSAGen}(1^\kappa),\ z \in_R G,\ (u,e) \leftarrow A(N,g,z) \;:\; u \in G,\ e \in \mathbb{Z}_{>1},\ u^e = z \pmod{N} \right].$$

A frequent choice for $G$ in the context of group signatures is the group of quadratic residues modulo $N$, denoted $QR(N)$. This group of order $p'q'$ is generated by an element $g \in \mathbb{Z}_N$. An appropriate generator $g$ can be chosen by picking $a \in \mathbb{Z}_N$ such that $\gcd(a \pm 1, N) = 1$, in which case $g = a^2 \bmod N$. Security of several group signatures, where the $QR(N)$ group is used, relies further on the following assumption.
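The generator selection just described, checked on a toy safe RSA modulus; this is an added example, not code from the original text. `toy_rsagen` is a hypothetical stand-in for RSAGen with insecurely small primes, and the extra test gcd(a, N) = 1 is an assumption that a is a unit modulo N.

```python
import math
import random

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))

def toy_rsagen(start):
    """Toy stand-in for RSAGen (constructed): first two safe primes >= start."""
    found = []
    n = start
    while len(found) < 2:
        if is_prime(n) and is_prime((n - 1) // 2):   # n = 2n' + 1 with n' prime
            found.append(n)
        n += 1
    p, q = found
    return p * q, p, q

def candidate_ok(a, N):
    """The condition gcd(a ± 1, N) = 1, plus a being a unit mod N (assumption)."""
    return all(math.gcd(v, N) == 1 for v in (a - 1, a, a + 1))

def qr_generator(N, rng):
    """Sample a until the condition holds; return g = a^2 mod N."""
    while True:
        a = rng.randrange(2, N - 1)
        if candidate_ok(a, N):
            return pow(a, 2, N)

def generates_qr(g, N, p, q):
    """True iff g has order exactly p'q' modulo N (checked via both prime factors)."""
    pp, qq = (p - 1) // 2, (q - 1) // 2
    return (pow(g, pp * qq, N) == 1
            and pow(g, pp, N) != 1
            and pow(g, qq, N) != 1)

if __name__ == "__main__":
    N, p, q = toy_rsagen(1000)
    g = qr_generator(N, random.Random(7))
    print("N =", N, "g =", g, "generates QR(N):", generates_qr(g, N, p, q))
    bad = p + 1          # a = 1 mod p, so gcd(a - 1, N) = p and the check rejects it
    print("a = p + 1 accepted:", candidate_ok(bad, N),
          "a^2 generates QR(N):", generates_qr(pow(bad, 2, N), N, p, q))
```

The rejected value a = p + 1 shows what the gcd condition prevents: its square is 1 modulo p, so it only generates a subgroup of order dividing q'.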

Definition 3.4 (Decision Diffie-Hellman (DDH) Assumption in QR(N)) Let RSAGen be an algorithm that outputs $(N, p, q)$ with $N$ being a (safe) RSA modulus and let $QR(N) = \langle g \rangle$ denote the group of quadratic residues modulo $N$ of order $p'q'$ of length $\kappa$. The Decision Diffie-Hellman (DDH) assumption in $QR(N)$ says that for all PPT algorithms $A$ the following advantage function is negligible in $\kappa$:

$$\mathrm{Adv}^{\mathrm{DDH}}_{\mathrm{RSAGen},A}(\kappa) = \Pr\left[ (N,p,q) \leftarrow \mathrm{RSAGen}(1^\kappa),\ x, y, z \in_R \mathbb{Z}_{p'q'},\ g_0 = g^{xy},\ g_1 = g^{z},\ b \in_R \{0,1\},\ b^* \leftarrow A(N, g, g^x, g^y, g_b) \;:\; b = b^* \right] - \frac{1}{2}.$$

The DDH assumption in $QR(N)$ groups is a special type of the more general DDH assumption, which can be defined over cyclic groups $G$ of prime order (cf. Definition 3.6). Interestingly, in $QR(N)$ groups the DDH assumption is assumed to hold, irrespective of whether the factors $p$ and $q$ of the RSA modulus $N$ are known or not.

3.2.2. Assumptions in the DL Setting

The Discrete Logarithm (DL) setting is based on an algorithm GenG that on input a security parameter $1^\kappa$, $\kappa \in \mathbb{N}$, outputs the description of a cyclic group $(G, g, Q)$ where $g$ is the generator and the order $Q$ is prime and of length $\kappa$. The DL setting admits the following hardness assumptions that we will refer to in the constructions of group signature schemes.

Definition 3.5 (Discrete Logarithm (DL) Assumption) Let GenG be an algorithm that outputs the description of a cyclic group $(G, g, Q)$ with $Q$ prime and $|Q| = \kappa$. The Discrete Logarithm (DL) assumption says that for all PPT algorithms $A$ the following advantage function is negligible in $\kappa$:

$$\mathrm{Adv}^{\mathrm{DL}}_{\mathrm{GenG},A}(\kappa) = \Pr\left[ (G,g,Q) \leftarrow \mathrm{GenG}(1^\kappa),\ h \in_R G,\ x \leftarrow A(G, g, Q, h) \;:\; x \in \mathbb{Z}_Q,\ g^x = h \right].$$ ♦

A popular example of a suitable group, often used in cryptographic schemes, is a subgroup $G \subset \mathbb{Z}_P$ of a prime order $Q \mid P - 1$ where $P$ is also prime.

Furthermore, the DDH assumption introduced for QR(N) groups in the previous section (cf. Definition 3.4) can be generalized to cyclic groups of prime order. For example, IND-CPA security of the well-known ElGamal encryption scheme [88] relies on the DDH assumption.

Definition 3.6 (Decision Diffie-Hellman (DDH) Assumption in Groups of Prime Order) Let GenG be an algorithm that outputs the description of a cyclic group $(G, g, Q)$ with $Q$ prime and $|Q| = \kappa$. The Decision Diffie-Hellman (DDH) assumption in $G$ says that for all PPT algorithms $A$ the following advantage function is negligible in $\kappa$:

$$\mathrm{Adv}^{\mathrm{DDH}}_{\mathrm{GenG},A}(\kappa) = \Pr\left[ (G,g,Q) \leftarrow \mathrm{GenG}(1^\kappa),\ x, y, z \in_R \mathbb{Z}_Q,\ g_0 = g^{xy},\ g_1 = g^{z},\ b \in_R \{0,1\},\ b^* \leftarrow A(g, g^x, g^y, g_b) \;:\; b = b^* \right] - \frac{1}{2}.$$
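The experiment of Definition 3.6 run empirically, as an added example that is not part of the original text. It goes beyond the text by comparing a generator of all of $\mathbb{Z}_P^*$ (even order) with a generator of the prime-order subgroup, using the standard quadratic-residuosity test as the adversary; the toy values P = 2039, Q = 1019 and all function names are constructed for illustration.

```python
import random

P, Q = 2039, 1019   # constructed toy parameters: P = 2Q + 1, both prime

def is_square(a):
    """Euler's criterion: a is a quadratic residue mod P iff a^((P-1)/2) = 1."""
    return pow(a, (P - 1) // 2, P) == 1

# g_full generates all of Z_P^* (even order 2Q); g_sub generates the
# subgroup of squares, which has prime order Q as Definition 3.6 requires.
g_full = next(g for g in range(2, P) if not is_square(g) and pow(g, 2, P) != 1)
g_sub = pow(g_full, 2, P)

def ddh_instance(g, order, rng):
    """One run of the experiment: ((g^x, g^y, g_b), b)."""
    x, y, z = (rng.randrange(order) for _ in range(3))
    b = rng.randrange(2)
    g_b = pow(g, x * y, P) if b == 0 else pow(g, z, P)
    return (pow(g, x, P), pow(g, y, P), g_b), b

def parity_adversary(gx, gy, gb):
    """Output b* = 1 iff the quadratic character of g_b is impossible for g^(xy).

    When g generates Z_P^*, g^(xy) is a square exactly when x or y is even,
    i.e. when g^x or g^y is a square. In the subgroup every element is a
    square, so the test carries no information and b* is always 0.
    """
    xy_square = is_square(gx) or is_square(gy)
    return 0 if is_square(gb) == xy_square else 1

def advantage(g, order, trials=4000, seed=0):
    """Empirical Pr[b = b*] - 1/2 over seeded runs of the experiment."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        inst, b = ddh_instance(g, order, rng)
        wins += parity_adversary(*inst) == b
    return wins / trials - 0.5

if __name__ == "__main__":
    print("order 2Q (all of Z_P^*):", advantage(g_full, 2 * Q))
    print("prime order Q (squares):", advantage(g_sub, Q))
```

In the even-order group the adversary's advantage is close to 1/4, while in the prime-order subgroup it stays close to 0, which is why the definition is stated for groups of prime order.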

3.2.3. Assumptions in the Setting of Bilinear Maps

The cryptographic setting of bilinear maps, also known as pairings, serves as a basis for many modern group signature schemes as it provides richer algebraic structure in comparison to the DL and RSA settings. The setting of bilinear maps is based on an algorithm GenBG that on input a security parameter $1^\kappa$, $\kappa \in \mathbb{N}$, outputs the description of two cyclic groups $(G_1, g_1, Q)$ and $(G_2, g_2, Q)$ of prime order $Q$ of length $\kappa$ and respective generators $g_1$ and $g_2$ with an associated bilinear map $e : G_1 \times G_2 \to G_T$ where $G_T$ is another cyclic group (called target group) of order $Q$. The corresponding groups $G_1$ and $G_2$ are called bilinear if they satisfy the following definition.

Definition 3.7 (Bilinear Groups) Let GenBG be an algorithm that outputs the description of two cyclic groups $G_1 = \langle g_1 \rangle$ and $G_2 = \langle g_2 \rangle$ of prime order $Q$ with $|Q| = \kappa$, where possibly $G_1 = G_2$, and the description of $e : G_1 \times G_2 \to G_T$ with $G_T$ being another cyclic group of prime order $Q$. The group pair $(G_1, G_2)$ is called bilinear if the following holds:

1. Efficiency: The bilinear map $e : G_1 \times G_2 \to G_T$ can be computed in polynomial time.

2. Bilinearity: For all $u \in G_1$, $v \in G_2$ and $a, b \in \mathbb{Z}_Q$: $e(u^a, v^b) = e(u, v)^{ab}$.

3. Non-degeneracy: $e(g_1, g_2) \neq 1$.

There can further exist an efficiently computable homomorphism $\psi$ from $G_2$ to $G_1$ with $\psi(g_2) = g_1$. ♦

Depending on the choice of the input groups $(G_1, G_2)$ and existence of the homomorphism $\psi$, the associated pairing $e : G_1 \times G_2 \to G_T$ can be classified as follows (see also Galbraith, Paterson, and Smart [95]).

Definition 3.8 (Bilinear Maps: Classification) Let $(G_1, G_2)$ be bilinear groups and $e : G_1 \times G_2 \to G_T$ the associated bilinear map according to Definition 3.7.

Type-1. $e$ is of Type-1 if $G_1 = G_2$.

Type-2. $e$ is of Type-2 if $G_1 \neq G_2$ and there exists an efficiently computable homomorphism $\psi : G_2 \to G_1$.

Type-3. $e$ is of Type-3 if $G_1 \neq G_2$ and there exists no efficiently computable homomorphism $\psi : G_2 \to G_1$.

In general, different pairing types may admit different hardness assumptions and result in more or less efficient implementations. For example, the DDH assumption does not hold in Type-1 pairings. Indeed, if $G_1 = G_2$ and the corresponding generator is $g$ then for a given problem instance $(g, g^x, g^y, g_b)$ one can easily distinguish the corresponding bit $b$ by testing whether $e(g^x, g^y) = e(g_b, g)$. In Type-2 pairings the DDH assumption is assumed to hold only in the input group $G_1$, whereas in Type-3 pairings the DDH assumption is assumed to hold in both input groups $G_1$ and $G_2$. From the efficiency point of view, Type-3 pairings admit the most efficient implementations, considering both bandwidth and computation costs.

In the following we focus on some number-theoretic hardness assumptions, frequently used in the design of group signatures. We start with the q-Strong Diffie-Hellman (q-SDH) assumption, which was introduced by Boneh and Boyen [35]. It is one of the most popular assumptions used to prove security of various signature and group signature schemes.

Definition 3.9 (q-Strong Diffie-Hellman (q-SDH) Assumption) Let GenBG be an algorithm that outputs a pair of bilinear groups $G_1 = \langle g_1 \rangle$ and $G_2 = \langle g_2 \rangle$ of prime order $Q$ with $|Q| = \kappa$, and the associated bilinear map $e : G_1 \times G_2 \to G_T$. The q-Strong Diffie-Hellman (q-SDH) assumption in $(G_1, G_2)$ with $q \in \mathbb{N}$ says that for all PPT algorithms $A$ the following advantage function is negligible in $\kappa$:

$$\mathrm{Adv}^{q\text{-}\mathrm{SDH}}_{\mathrm{GenBG},A}(\kappa) = \Pr\left[ \gamma \in_R \mathbb{Z}_Q,\ (g, x) \leftarrow A\left(g_1, g_2, g_2^{\gamma}, g_2^{(\gamma^2)}, \ldots, g_2^{(\gamma^q)}\right) \;:\; x \in \mathbb{Z}_Q^*,\ g = g_1^{\frac{1}{\gamma + x}} \right].$$

The following Decision Linear (DLIN) assumption was introduced by Boneh, Boyen, and Shacham [36]. It serves as a basis of the Linear Encryption scheme, which can be seen as an analog of the ElGamal encryption scheme in bilinear groups, most frequently in Type-1 pairings, where the original DDH problem is not necessarily hard. We define the DLIN assumption in the setting of bilinear maps, where it is traditionally used. However, we note that the DLIN assumption can also be formulated in the standard DL setting using the corresponding algorithm GenG.

Definition 3.10 (Decision Linear (DLIN) Assumption) Let $G = \langle g \rangle$ be one of the bilinear groups of prime order $Q$ with $|Q| = \kappa$ output by an algorithm GenBG, and $u$, $v$, and $h$ be arbitrary generators of $G$. The Decision Linear (DLIN) assumption in $G$ says that for all PPT algorithms $A$ the following advantage function is negligible in $\kappa$:

$$\mathrm{Adv}^{\mathrm{DLIN}}_{\mathrm{GenBG},A}(\kappa) = \Pr\left[ u, v, h \in_R G,\ \alpha, \beta, \gamma \in_R \mathbb{Z}_Q,\ h_0 = h^{\alpha+\beta},\ h_1 = h^{\gamma},\ b \in_R \{0,1\},\ b^* \leftarrow A(u, v, h, u^{\alpha}, v^{\beta}, h_b) \;:\; b = b^* \right] - \frac{1}{2}.$$ ♦

It can be shown that an algorithm breaking the DLIN Assumption in $G$ can be used to solve the DDH problem in $G$ while the converse is believed to be false.

The following Decision Bilinear Diffie-Hellman (DBDH) assumption was introduced by Boneh and Boyen [34].

Definition 3.11 (Decision Bilinear Diffie-Hellman (DBDH) Assumption) Let $G = \langle g \rangle$ be one of the bilinear groups of prime order $Q$ with $|Q| = \kappa$ output by an algorithm GenBG. The Decision Bilinear Diffie-Hellman (DBDH) assumption in $G$ says that for all PPT algorithms $A$ the following advantage function is negligible in $\kappa$:

$$\mathrm{Adv}^{\mathrm{DBDH}}_{\mathrm{GenBG},A}(\kappa) = \Pr\left[ a, b, c, d \in_R \mathbb{Z}_Q,\ h_0 = e(g,g)^{abc},\ h_1 = e(g,g)^{d},\ b \in_R \{0,1\},\ b^* \leftarrow A(g, g^a, g^b, g^c, h_b) \;:\; b = b^* \right] - \frac{1}{2}.$$ ♦

The following LRSW assumption was introduced by Lysyanskaya et al. [135]. The LRSW assumption is defined for general prime order groups $G$; however, we will use it mostly in the context of bilinear groups with $G$ being one of the input groups (i.e. $G_1$ or $G_2$). Additionally, we mention the asymmetric version of the LRSW assumption, which explicitly takes inputs from both input groups $G_1$ and $G_2$.

Definition 3.12 (LRSW Assumption) Let $G = \langle g \rangle$ be a group of prime order $Q$ with $|Q| = \kappa$ and $X, Y \in G$ with $X = g^x$ and $Y = g^y$. Let $O_{X,Y}(\cdot)$ be an oracle that, on input a value $m \in \mathbb{Z}_Q$, outputs a triple $(a, a^y, a^{x+mxy})$ for a randomly chosen $a \in G$.

The LRSW assumption in $G$ says that for all PPT algorithms $A$ the following advantage function (where $\mathcal{Q}$ is the set of queries $A$ poses to $O_{X,Y}(\cdot)$) is negligible in $\kappa$:

$$\mathrm{Adv}^{\mathrm{LRSW}}_{A}(\kappa) = \Pr\left[ x \in_R \mathbb{Z}_Q,\ y \in_R \mathbb{Z}_Q,\ X = g^x,\ Y = g^y,\ (m, a, b, c) \leftarrow A^{O_{X,Y}(\cdot)}(Q, G, g, X, Y) \;:\; m \notin \mathcal{Q},\ m \in \mathbb{Z}_Q,\ m \neq 0,\ a \in G,\ b = a^{y},\ c = a^{x+mxy} \right].$$

The asymmetric version of the LRSW assumption employs two different groups $G_1 = \langle g_1 \rangle$ and $G_2 = \langle g_2 \rangle$, both of prime order $Q$ with $|Q| = \kappa$, such that $a \in G_1$, whereas $X, Y \in G_2$. ♦

The following SDLP assumption was introduced by Bichsel et al. [31].

Definition 3.13 (SDLP Assumption) Let $G_1 = \langle g_1 \rangle$, $G_2 = \langle g_2 \rangle$ be bilinear groups of prime order $Q$ with $|Q| = \kappa$ with the associated bilinear map $e$.

The SDLP assumption in $(G_1, G_2)$ says that for all PPT algorithms $A$ the following advantage function is negligible in $\kappa$:

$$\mathrm{Adv}^{\mathrm{SDLP}}_{A}(\kappa) = \Pr\left[ \mu \in_R \mathbb{Z}_Q,\ \mu^* \leftarrow A(Q, G_1, G_2, g_1, g_2, e, g_1^{\mu}, g_2^{\mu}) \;:\; \mu = \mu^* \right].$$