
Some Facets of Complexity Theory and Cryptography: A Five-Lecture Tutorial

JÖRG ROTHE

Heinrich-Heine-Universität Düsseldorf

In this tutorial, selected topics of cryptology and of computational complexity theory are presented. We give a brief overview of the history and the foundations of classical cryptography, and then move on to modern public-key cryptography. Particular attention is paid to cryptographic protocols and the problem of constructing key components of protocols such as one-way functions. A function is one-way if it is easy to compute, but hard to invert. We discuss the notion of one-way functions both in a cryptographic and in a complexity-theoretic setting. We also consider interactive proof systems and present some interesting zero-knowledge protocols. In a zero-knowledge protocol, one party can convince the other party of knowing some secret information without disclosing any bit of this information. Motivated by these protocols, we survey some complexity-theoretic results on interactive proof systems and related complexity classes.

Categories and Subject Descriptors: E.3 [Data Encryption]: public-key cryptosystems; F.1.3 [Computation by Abstract Devices]: Complexity Measures and Classes; F.2.2 [Analysis of Algorithms and Problem Complexity]: Nonnumerical Algorithms and Problems

General Terms: Algorithms, Security, Theory

Additional Key Words and Phrases: Complexity theory, interactive proof systems, one-way functions, public-key cryptography, zero-knowledge protocols

OUTLINE OF THE TUTORIAL

This tutorial consists of five lectures on cryptography, based on the lecture notes for a course on this subject given by the author in August, 2001, at the 11th Jyväskylä Summer School in Jyväskylä, Finland. As the title suggests, a particular focus of this tutorial is to emphasize the close relationship between cryptography and complexity theory. The material presented here is not meant to be a comprehensive study or a complete survey of (the intersection of) these fields. Rather, five vivid topics from those fields are chosen for exposition, and from each topic chosen, some gems—some particularly important, central, beautiful results—are presented.

This work was supported in part by grant NSF-INT-9815095/DAAD-315-PPP-gü-ab. Author's address: J. Rothe, Institut für Informatik, Heinrich-Heine-Universität Düsseldorf, 40225 Düsseldorf, Germany; email: [email protected]. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or direct commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 1515 Broadway, New York, NY 10036 USA, fax: +1 (212) 869-0481, or [email protected]. © 2002 ACM 0360-0300/02/1200-0504 $5.00

ACM Computing Surveys, Vol. 34, No. 4, December 2002, pp. 504–549.


Some Facets of Complexity Theory and Cryptography 505

Needless to say, the choice of topics and of results selected for exposition is based on the author's personal tastes and biases.

The first lecture sketches the history and the classical foundations of cryptography, introduces a number of classical, symmetric cryptosystems, and briefly discusses by example the main objectives of the two opposing parts of cryptology: cryptography, which aims at designing secure ways of encryption, versus cryptanalysis, which aims at breaking existing cryptosystems. Then, we introduce the notion of perfect secrecy for cryptosystems, which dates back to Claude Shannon's pioneering work [Shannon 1949] on coding and information theory.

The second lecture presents the public-key cryptosystem RSA, which was invented by Rivest et al. [1978]. RSA is the first public-key cryptosystem developed in the public sector. To describe RSA, some background from number theory is provided in as short a way as possible but to the extent necessary to understand the underlying mathematics. In contrast to the information-theoretical approach of perfect secrecy, the security of RSA is based on the assumption that certain problems from number theory are computationally intractable. Potential attacks on the RSA cryptosystem as well as appropriate countermeasures against them are discussed.

The third lecture introduces a number of cryptographic protocols, including the secret-key agreement protocols of Diffie and Hellman [1976] and of Rivest and Sherman (see Rabi and Sherman [1993, 1997]), ElGamal's public-key cryptosystem [ElGamal 1985], Shamir's no-key protocol, and the digital signature schemes of Rivest et al. [1978], ElGamal [1985], and Rabi and Sherman [1993, 1997], respectively. Again, the underlying mathematics and, relatedly, security issues of these protocols are briefly discussed.

A remark is in order here. The protocols presented here are among the most central and important cryptographic protocols, with perhaps two exceptions: the Rivest–Sherman and the Rabi–Sherman protocols. While the secret-key agreement protocol of Diffie and Hellman [1976] is widely used in practice, that of Rivest and Sherman (see Rabi and Sherman [1993, 1997]) is not (yet) used in applications and, thus, might appear somewhat exotic at first glance. An analogous comment applies to the Rabi–Sherman digital signature protocol. However, from our point of view, there is some hope that this fact, though currently true, might change in the near future. In Section 3.5, we discuss the state of the art on the Diffie–Hellman protocol and the Rivest–Sherman protocol, and we argue that recent progress of results in complexity theory may lead to a significant increase in the cryptographic security and the applicability of the Rivest–Sherman protocol. One line of complexity-theoretic research that is relevant here is presented in Section 5; another line of research is Ajtai's breakthrough result [Ajtai 1996] on the complexity of the shortest lattice vector problem (SVP, for short), which is informally stated in Section 3.5.

The fourth lecture introduces interactive proof systems and zero-knowledge protocols. This area has rapidly developed and flourished in complexity theory and has yielded a number of powerful results. For example, Shamir's famous result [Shamir 1992] characterizes the power of interactive proof systems in terms of classical complexity classes: Interactive proof systems precisely capture the class of problems solvable in polynomial space. Also, the study of interactive proof systems is related to probabilistically checkable proofs, which has yielded novel nonapproximability results for hard optimization problems; see the survey [Goldreich 1997]. Other results about interactive proof systems and the related zero-knowledge protocols have direct applications in cryptography. In particular, zero-knowledge protocols enable one party to convince another party of knowledge of some secret information without conveying any bit of this information. Thus, they are ideal technical tools for authentication purposes. We present two of the classic zero-knowledge protocols: the Goldreich–Micali–Wigderson protocol for graph isomorphism [Goldreich et al. 1986, 1991] and the Fiat–Shamir protocol [Fiat and Shamir 1986] that is based on a number-theoretical problem. For an in-depth treatment of zero-knowledge protocols and many more technical details, the reader is referred to Chapter 4 of Goldreich's book [Goldreich 2001].

The fifth lecture gives an overview on the progress of results that was recently obtained by Hemaspaandra and Rothe [1999] and Hemaspaandra et al. [2001]. Their work, which is motivated by the Rivest–Sherman and the Rabi–Sherman protocols, studies properties of functions that are used in building these two cryptographic protocols. It is results about these functions that may be useful in quantifying the security of these protocols. In particular, the key building block of the Rivest–Sherman protocol is a strongly noninvertible, associative one-way function. Section 5 presents the result [Hemaspaandra and Rothe 1999] on how to construct such a function from the assumption that $\mathrm{P} \neq \mathrm{NP}$. In addition, recent results on strong noninvertibility are surveyed, including the perhaps somewhat surprising result that, if $\mathrm{P} \neq \mathrm{NP}$, then there exist strongly noninvertible functions that in fact are invertible [Hemaspaandra et al. 2001]. These results are obtained in the worst-case complexity model, which is relevant and interesting in a complexity-theoretic setting, but useless in applied cryptography. For cryptographic applications, one would need to construct such functions based on the average-case complexity model, under plausible assumptions. Hence, the most challenging open research question related to strongly noninvertible, associative one-way functions is to find some evidence that they exist even in the average-case model. As noted above, our hope of obtaining such a result is based on recent progress on the shortest lattice vector problem accomplished by Ajtai [1996]. Roughly speaking, Ajtai proved that this problem is as hard in the average-case as it is in the worst-case model. Based on this result, Ajtai and Dwork [1997] designed a public-key cryptosystem whose security is based merely on worst-case assumptions. Ajtai's breakthrough results, his techniques, and their cryptographic applications are not covered in this tutorial. We refer to the nice surveys by Cai [1999] and, more recently, by Kumar and Sivakumar [2001] and Nguyen and Stern [2001] on the complexity of SVP and the use of lattices in cryptography.

The tutorial is suitable for graduate students with some background in computer science and mathematics and may also be accessible to interested undergraduate students. Since it is organized in five essentially independent, self-contained lectures, it is also possible to present only a proper subset of these lectures. The only dependencies occurring between lectures are that some of the number-theoretical background given in Section 2 is also used in Section 3, and that the Rivest–Sherman secret-key agreement protocol and the Rabi–Sherman digital signature protocol presented in Section 3 motivate the investigations in Section 5. This last section contains perhaps the technically most challenging material, which, in part, is presented on an expert level with the intention of guiding the reader towards an active field of current research.

There are a number of textbooks and monographs on cryptography that cover various parts of the field in varying depth, such as the books by Goldreich [1999, 2001], Salomaa [1996], Stinson [1995], and Welsh [1998]. Schneier's book [Schneier 1996] provides a very comprehensive collection of literally all notions and concepts known in cryptography, which naturally means that the single notions and concepts cannot be treated in mathematical detail there, but the interested reader is referred to an extraordinarily large bibliography for such an in-depth treatment. Singh [1999] wrote a very charming, easy-to-read, interesting book about the history of cryptography from its ancient roots to its modern and even futuristic branches such as quantum cryptography. An older but still valuable source is Kahn's book [Kahn 1967]. We conclude this list, without claiming it to be complete, with the books by Bauer [2000], Beutelspacher et al. [2001], Beutelspacher [1994], and Buchmann [2001].

1. CRYPTOSYSTEMS AND PERFECT SECRECY

1.1. Classical Cryptosystems

The notion of a cryptosystem is formally defined as follows:

Definition 1.1 (Cryptosystem)

—A cryptosystem is a quintuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ such that:

(1) $\mathcal{P}$, $\mathcal{C}$, and $\mathcal{K}$ are finite sets, where $\mathcal{P}$ is the plain text space or clear text space; $\mathcal{C}$ is the cipher text space; $\mathcal{K}$ is the key space. Elements of $\mathcal{P}$ are referred to as plain text (or clear text), and elements of $\mathcal{C}$ are referred to as cipher text. A message is a string of plain text symbols.

(2) $\mathcal{E} = \{E_k \mid k \in \mathcal{K}\}$ is a family of functions $E_k : \mathcal{P} \to \mathcal{C}$ that are used for encryption, and $\mathcal{D} = \{D_k \mid k \in \mathcal{K}\}$ is a family of functions $D_k : \mathcal{C} \to \mathcal{P}$ that are used for decryption.

(3) For each key $e \in \mathcal{K}$, there exists a key $d \in \mathcal{K}$ such that for each $p \in \mathcal{P}$:

$$D_d(E_e(p)) = p. \qquad (1.1)$$

—A cryptosystem is called symmetric (or "private-key") if $d = e$, or if $d$ can at least be "easily" computed from $e$.

—A cryptosystem is called asymmetric (or "public-key") if $d \neq e$, and it is "computationally infeasible in practice" to compute $d$ from $e$. Here, $d$ is the private key, and $e$ is the public key.

At times, different key spaces are used for encryption and for decryption, which results in a slight modification of the above definition.

We now present and discuss some examples of classical cryptosystems. Consider the English alphabet $\Sigma = \{A, B, \ldots, Z\}$. To carry out the arithmetic modulo 26 with letters as if they were numbers, we identify $\Sigma$ with $\mathbb{Z}_{26} = \{0, 1, \ldots, 25\}$; thus, 0 represents A and 1 represents B, and so on. This encoding of the plain text alphabet by integers and the decoding of $\mathbb{Z}_{26}$ back to $\Sigma$ is not part of the actual encryption and decryption, respectively. It will be used for the next three examples. Note that messages are elements of $\Sigma^*$, where $\Sigma^*$ denotes the set of strings over $\Sigma$.

Example 1.2 (Caesar Cipher, a Monoalphabetic Symmetric Cryptosystem). Let $\mathcal{K} = \mathbb{Z}_{26}$, and let $\mathcal{P} = \mathcal{C} = \Sigma$. The Caesar cipher encrypts messages by shifting (modulo 26) each character of the plain text by the same number $k$ of letters in the alphabet, where $k$ is the key. Shifting each character of the cipher text back using the same key $k$ reveals the original message:

—For each $e \in \mathbb{Z}_{26}$, define the encryption function $E_e : \Sigma \to \Sigma$ by

$$E_e(p) = (p + e) \bmod 26,$$

where addition with $e$ modulo 26 is carried out characterwise, that is, each character $m_i \in \Sigma$ of a message $m \in \Sigma^*$ is shifted by $e$ positions to $m_i + e \bmod 26$. For example, using the key $e = 11 = \mathrm{L}$, the message "SUMMER" will be encrypted as "DFXXPC."

—For each $d \in \mathbb{Z}_{26}$, define the decryption function $D_d : \Sigma \to \Sigma$ by

$$D_d(c) = (c - d) \bmod 26,$$

where subtraction by $e$ modulo 26 again is carried out characterwise. Hence, $d = e$. For example, decrypting the cipher text "DNSZZW" with the key $d = 11$ reveals the plain text "SCHOOL."

Since the key space is very small, breaking the Caesar cipher is very easy. It is vulnerable even to "cipher-text-only attacks," that is, an attacker given enough cipher text $c$ can easily check the 26 possible keys to see which one yields a meaningful plain text. Note that the given cipher text should contain enough letters to enable a unique decryption.


Table I. An Example of Encryption by the Vigenère Cipher

k  E N G L I S H E N G L I S H E N G L I S H E N G L I
m  F I N N I S H I S A L L G R E E K T O G E R M A N S
c  J V T Y Q K O M F G W T Y Y I R Q E W Y L V Z G Y A

The Caesar cipher is a monoalphabetic cryptosystem, since it replaces each given plain text letter, wherever in the message it occurs, by the same letter of the cipher text alphabet. In contrast, the French cryptographer and diplomat Blaise de Vigenère (1523–1596) proposed a polyalphabetic cryptosystem, which is much harder to break. Vigenère's system builds on earlier work by the Italian mathematician Leon Battista Alberti (born in 1404), the German abbot Johannes Trithemius (born in 1492), and the Italian scientist Giovanni Porta (born in 1535), see Singh [1999]. It works like the Caesar cipher, except that the cipher text letter encrypting any given plain text letter X varies with the position of X in the plain text.

More precisely, one uses for encryption and decryption a Vigenère square, which consists of 26 rows with 26 columns each. Every row contains the 26 letters of the alphabet, shifted by one from row to row, that is, the rows and columns may be viewed as a Caesar encryption of the English alphabet with keys $0, 1, \ldots, 25$. Given a message $m \in \Sigma^*$, one first chooses a key $k \in \Sigma^*$, which is written above the message $m$, symbol by symbol, possibly repeating $k$ if $k$ is shorter than $m$ until every character of $m$ has a symbol above it. Denoting the $i$th letter of any string $w$ by $w_i$, each letter $m_i$ of $m$ is then encrypted as in the Caesar cipher, using the row of the Vigenère square that starts with $k_i$, where $k_i$ is the key letter right above $m_i$. Below, we describe the Vigenère system formally and give an example of a concrete encryption.

Example 1.3 (Vigenère Cipher, a Polyalphabetic Symmetric Cryptosystem). For fixed $n \in \mathbb{N}$, let $\mathcal{K} = \mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}^n$. Messages $m \in \Sigma^*$, where $\Sigma$ again is the English alphabet, are split into blocks of length $n$ and are encrypted block-wise. The Vigenère cipher is defined as follows:

—For each $e \in \mathbb{Z}_{26}^n$, define the encryption function $E_e : \mathbb{Z}_{26}^n \to \mathbb{Z}_{26}^n$ by

$$E_e(p) = (p + e) \bmod 26,$$

where addition with $e$ modulo 26 is carried out characterwise, that is, each character $p_i \in \Sigma$ of a plain text $p \in \mathcal{P}$ is shifted by $e_i$ positions to $p_i + e_i \bmod 26$.

—For each $d \in \mathbb{Z}_{26}^n$, define the decryption function $D_d : \mathbb{Z}_{26}^n \to \mathbb{Z}_{26}^n$ by

$$D_d(c) = (c - d) \bmod 26,$$

where subtraction modulo 26 again is carried out characterwise. As in the Caesar cipher, $d = e$.

For example, choose the word $k = $ ENGLISH to be the key. Suppose we want to encrypt the message $m = $ FINNISHISALLGREEKTOGERMANS,¹ omitting the spaces between words. Table I shows how each plain text letter is encrypted, yielding the cipher text $c$. For instance, the first letter of the message, "F," corresponds to the first letter of the key, "E." Hence, the intersection of the "F"-column with the "E"-row of the Vigenère square gives the first letter, "J," of the cipher text.
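The shift arithmetic of Examples 1.2 and 1.3, as an added Python example that is not code from the tutorial: one characterwise shift over $\mathbb{Z}_{26}$ implements both the Caesar cipher (key length $n = 1$) and the Vigenère cipher (key length $n$), and the table renderer reproduces the three rows of Table I. The function names are the example's own; the letter encoding A = 0, ..., Z = 25 is the one fixed in the text.

```python
# Added example, not code from Rothe's tutorial: the characterwise shift cipher
# of Examples 1.2 (Caesar) and 1.3 (Vigenere).  The Caesar cipher is the
# Vigenere cipher with a key of length n = 1, so one pair of functions covers both.
from __future__ import annotations

import string

ALPHABET = string.ascii_uppercase  # Sigma = {A, ..., Z}, identified with Z_26 (A = 0, ..., Z = 25)


def to_numbers(text: str) -> list[int]:
    """Encode a string over Sigma as elements of Z_26; rejects anything outside A..Z."""
    try:
        return [ALPHABET.index(ch) for ch in text]
    except ValueError as exc:
        raise ValueError("only the letters A..Z are in the alphabet Sigma") from exc


def to_letters(numbers: list[int]) -> str:
    """Decode elements of Z_26 back to a string over Sigma."""
    return "".join(ALPHABET[x % 26] for x in numbers)


def vigenere_encrypt(message: str, key: str) -> str:
    """E_e(p) = (p + e) mod 26 characterwise; the key is repeated until it covers the message."""
    if not key:
        raise ValueError("the key must contain at least one letter")
    m, e = to_numbers(message), to_numbers(key)
    return to_letters([m_i + e[i % len(e)] for i, m_i in enumerate(m)])


def vigenere_decrypt(cipher: str, key: str) -> str:
    """D_d(c) = (c - d) mod 26 characterwise, with d = e (symmetric cryptosystem)."""
    if not key:
        raise ValueError("the key must contain at least one letter")
    c, d = to_numbers(cipher), to_numbers(key)
    return to_letters([c_i - d[i % len(d)] for i, c_i in enumerate(c)])


def caesar_encrypt(message: str, shift: int) -> str:
    """Caesar cipher with key e = shift: the Vigenere cipher under the one-letter key ALPHABET[shift]."""
    return vigenere_encrypt(message, ALPHABET[shift % 26])


def caesar_decrypt(cipher: str, shift: int) -> str:
    """Shift every cipher text letter back by the same key d = shift."""
    return vigenere_decrypt(cipher, ALPHABET[shift % 26])


def vigenere_table(message: str, key: str) -> str:
    """Render the rows k / m / c of Table I: repeated key, message, and cipher text."""
    cipher = vigenere_encrypt(message, key)
    key_row = "".join(key[i % len(key)] for i in range(len(message)))
    rows = (("k", key_row), ("m", message), ("c", cipher))
    return "\n".join(f"{label} {' '.join(row)}" for label, row in rows)


if __name__ == "__main__":
    print(caesar_encrypt("SUMMER", 11), caesar_decrypt("DNSZZW", 11))  # DFXXPC SCHOOL
    print(vigenere_table("FINNISHISALLGREEKTOGERMANS", "ENGLISH"))
```

Run as a script, the last line prints the three rows of Table I for the key ENGLISH; with a one-letter key the same function yields the "SUMMER"/"DFXXPC" and "DNSZZW"/"SCHOOL" pairs of Example 1.2. Characters outside A..Z are rejected rather than silently skipped, since the text's alphabet is exactly $\Sigma$.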

¹ From this example, we not only learn how the Vigenère cipher works, but also that using a language such as Finnish, which is not widely used, often makes illegal decryption harder, and thus results in a higher level of security. This is not a purely theoretical observation. During World War II, the US Navy transmitted important messages using the language of the Navajos, a Native American tribe. The "Navajo Code" was never broken by the Japanese code-breakers, see Singh [1999].

Our last example of a classical, historically important cryptosystem is the Hill cipher, which was invented by Lester Hill in 1929. It is based on linear algebra and, like the Vigenère cipher, is an affine linear block cipher.

Example 1.4 (Hill Cipher, a Symmetric Cryptosystem and a Linear Block Cipher). For fixed $n \in \mathbb{N}$, the key space $\mathcal{K}$ is the set of all invertible $n \times n$ matrices in $\mathbb{Z}_{26}^{n \times n}$. Again, $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}^n$ and messages $m \in \Sigma^*$ are split into blocks of length $n$ and are encrypted block-wise. All arithmetic operations are carried out modulo 26.

The Hill cipher is defined as follows:

—For each $K \in \mathcal{K}$, define the encryption function $E_K : \mathbb{Z}_{26}^n \to \mathbb{Z}_{26}^n$ by

$$E_K(p) = K \cdot p \bmod 26,$$

where $\cdot$ denotes matrix multiplication modulo 26.

—Letting $K^{-1}$ denote the inverse matrix of $K$, the decryption function $D_{K^{-1}} : \mathbb{Z}_{26}^n \to \mathbb{Z}_{26}^n$ is defined by

$$D_{K^{-1}}(c) = K^{-1} \cdot c \bmod 26.$$

Since $K^{-1}$ can easily be computed from $K$, the Hill cipher is a symmetric cryptosystem. It is also the most general linear block cipher.

Concrete examples of messages encrypted by the Hill cipher can be found in, for example, Salomaa [1996].
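The Hill cipher of Example 1.4 as an added Python example (not the tutorial's code, and not the examples from Salomaa [1996]): a general $n \times n$ key over $\mathbb{Z}_{26}$, the inverse $K^{-1}$ computed through the adjugate, and the invertibility check that decides whether a matrix belongs to the key space at all, which is the edge case a careless implementation misses. The key matrix $\begin{pmatrix}3 & 3\\ 2 & 5\end{pmatrix}$, the $3 \times 3$ key in the test, and the messages "HELP" and "ACT" are constructed for this example.

```python
# Added example, not code from the tutorial: the Hill cipher of Example 1.4 with
# a general n x n key over Z_26 and an explicit check that the key is invertible.
from __future__ import annotations

from math import gcd

MOD = 26
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
Matrix = list[list[int]]


def det_mod(m: Matrix) -> int:
    """Determinant modulo 26 by Laplace expansion along the first row (fine for the small n used here)."""
    n = len(m)
    if n == 1:
        return m[0][0] % MOD
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * m[0][j] * det_mod(minor)
    return total % MOD


def inverse_mod(m: Matrix) -> Matrix:
    """K^{-1} mod 26 via the adjugate, K^{-1} = det(K)^{-1} * adj(K).

    A matrix is invertible modulo 26 exactly when gcd(det(K), 26) = 1; otherwise it is not a key."""
    n = len(m)
    d = det_mod(m)
    if gcd(d, MOD) != 1:
        raise ValueError("matrix is not invertible modulo 26, so it is not in the key space")
    d_inv = pow(d, -1, MOD)  # modular inverse of the determinant (Python 3.8+)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for r, row in enumerate(m) if r != i]
            cofactor = (-1) ** (i + j) * (det_mod(minor) if n > 1 else 1)
            adj[j][i] = (cofactor * d_inv) % MOD  # adjugate = transposed cofactor matrix
    return adj


def mat_vec(m: Matrix, v: list[int]) -> list[int]:
    """K * p mod 26 for a column vector p."""
    return [sum(a * b for a, b in zip(row, v)) % MOD for row in m]


def hill_encrypt(key: Matrix, message: str) -> str:
    """E_K(p) = K * p mod 26 on every block of n letters; the message length must be a multiple of n."""
    n = len(key)
    inverse_mod(key)  # raises if the key is not invertible
    if len(message) % n:
        raise ValueError(f"message length must be a multiple of the block length {n}")
    out: list[int] = []
    for i in range(0, len(message), n):
        block = [ALPHABET.index(ch) for ch in message[i:i + n]]
        out.extend(mat_vec(key, block))
    return "".join(ALPHABET[x] for x in out)


def hill_decrypt(key: Matrix, cipher: str) -> str:
    """D_{K^{-1}}(c) = K^{-1} * c mod 26: decryption is encryption under the inverse matrix."""
    return hill_encrypt(inverse_mod(key), cipher)


if __name__ == "__main__":
    K = [[3, 3], [2, 5]]  # constructed key; det = 9, and 9 * 3 = 27 = 1 (mod 26)
    print(inverse_mod(K))          # [[15, 17], [20, 9]]
    print(hill_encrypt(K, "HELP"))  # HIAT
    print(hill_decrypt(K, "HIAT"))  # HELP
```

Because $\det K = 9$ is a unit modulo 26, the key is valid and the round trip HELP, HIAT, HELP goes through; a matrix such as $\begin{pmatrix}2 & 0\\ 0 & 1\end{pmatrix}$ has $\det = 2$, shares a factor with 26, and is rejected before any block is encrypted.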

Affine linear block ciphers are easy to break by "known-plain-text attacks," that is, for an attacker who knows some sample plain texts with the corresponding encryptions, it is not too hard to find the key used to encrypt these plain texts. They are even more vulnerable to "chosen-plain-text attacks," where the attacker can choose some pairs of corresponding plain texts and encryptions, which may be useful if there are reasonable conjectures about the key used.

The method of frequency counts is often useful for decrypting messages. It exploits the redundancy of the natural language used for plain text messages. For example, in many languages the letter "E" occurs, statistically significant, most frequently, with a percentage of 12.31% in English, of 15.87% in French, and even of 18.46% in German, see [Salomaa 1996]. Some languages have other letters that occur with the highest frequency; for example, "A" is the most frequent letter in average Finnish texts, with a percentage of 12.06% [Salomaa 1996].

In 1863, the German cryptanalyst Friedrich Wilhelm Kasiski found a method to break the Vigenère cipher. Singh [1999] attributes this achievement also to an unpublished work, done probably around 1854, by the British genius and eccentric Charles Babbage. The books by Salomaa [1996] and Singh [1999] describe Kasiski's and Babbage's method. It marks a breakthrough in the history of cryptanalysis, because previously the Vigenère cipher was considered unbreakable. In particular, like similar periodic cryptosystems with an unknown period, the Vigenère cipher appeared to resist cryptanalysis by counting and analysing the frequency of letters in the cipher text. Kasiski showed how to determine the period from repetitions of the same substring in the cipher text.
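The two observations above, frequency counts and Kasiski's repetition distances, as an added Python example that is not code from the tutorial. The sample sentence, the 21-letter message with "THE" at positions 0, 6 and 15, and the key "BCD" (period 3) are constructed for this example; the functions show that a monoalphabetic shift leaves the letter-frequency profile intact, only rotated, while the gcd of the distances between repeated cipher text substrings is a multiple of the Vigenère period.

```python
# Added example, not code from the tutorial: letter frequency counts (the
# "method of frequency counts") and the repetition distances that Kasiski's
# method uses to determine the period of a Vigenere cipher.  The sample texts
# and the key "BCD" are constructed for this example.
from __future__ import annotations

from collections import Counter
from functools import reduce
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def letter_frequencies(text: str) -> dict[str, float]:
    """Relative frequency in percent of every letter that occurs; other characters are ignored."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    if not letters:
        raise ValueError("text contains no letters")
    counts = Counter(letters)
    return {ch: 100.0 * n / len(letters) for ch, n in counts.items()}


def most_frequent_letter(text: str) -> str:
    """The letter with the highest count (ties broken alphabetically, so the result is deterministic)."""
    freqs = letter_frequencies(text)
    return max(sorted(freqs), key=freqs.get)


def vigenere_encrypt(message: str, key: str) -> str:
    """Characterwise shift modulo 26 under a repeated key (Example 1.3); the key "D" is a Caesar shift by 3."""
    return "".join(
        ALPHABET[(ALPHABET.index(m) + ALPHABET.index(key[i % len(key)])) % 26]
        for i, m in enumerate(message)
    )


def repeated_substring_distances(cipher: str, length: int = 3) -> dict[str, list[int]]:
    """For each substring of the given length that occurs more than once, the gaps between consecutive occurrences."""
    positions: dict[str, list[int]] = {}
    for i in range(len(cipher) - length + 1):
        positions.setdefault(cipher[i:i + length], []).append(i)
    return {sub: [b - a for a, b in zip(pos, pos[1:])] for sub, pos in positions.items() if len(pos) > 1}


def kasiski_period_estimate(cipher: str, length: int = 3) -> int:
    """gcd of all repetition distances (0 when nothing repeats).

    Equal plain text substrings whose distance is a multiple of the period are encrypted with the
    same key letters and so give equal cipher text substrings; hence, up to chance coincidences,
    the period divides every distance and therefore divides this gcd."""
    distances = [d for gaps in repeated_substring_distances(cipher, length).values() for d in gaps]
    return reduce(gcd, distances, 0)


SAMPLE = "ENCRYPTION IS EASY TO DO BUT SECRECY IS HARD TO KEEP"  # constructed; E occurs 6 of 42 times
PLAIN = "THECATTHEDOGSAWTHEFOX"  # constructed; "THE" at positions 0, 6 and 15

if __name__ == "__main__":
    print(most_frequent_letter(SAMPLE), most_frequent_letter(vigenere_encrypt(SAMPLE.replace(" ", ""), "D")))
    cipher = vigenere_encrypt(PLAIN, "BCD")
    print(cipher, repeated_substring_distances(cipher), kasiski_period_estimate(cipher))
```

The Caesar-shifted sample has the same multiset of frequencies as the plain text, which is why counts alone defeat a monoalphabetic cipher; under the period-3 key the repeated plain text "THE" recurs at distances 6 and 9 in the cipher text, and their gcd, 3, is the period. On real text some repeats are coincidental, so the gcd is best read as a candidate whose divisors are then checked.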

In light of Kasiski's and Babbage's achievement, it is natural to ask whether there exist any cryptosystems that guarantee perfect secrecy. We turn to this question in the next section, which describes some of the pioneering work of Claude Shannon [Shannon 1949], who laid the foundations of modern coding and information theory.

1.2. Conditional Probability and Bayes' Theorem

To discuss perfect secrecy of cryptosystems in mathematical terms, we first need some preliminaries from elementary probability theory.

Definition 1.5. Let $A$ and $B$ be events with $\Pr(B) > 0$.

—The probability that $A$ occurs under the condition that $B$ occurs is defined by

$$\Pr(A \mid B) = \frac{\Pr(A \cap B)}{\Pr(B)}.$$

—$A$ and $B$ are independent if $\Pr(A \cap B) = \Pr(A)\Pr(B)$ (equivalently, if $\Pr(A \mid B) = \Pr(A)$).

LEMMA 1.6 (BAYES' THEOREM). Let $A$ and $B$ be events with $\Pr(A) > 0$ and $\Pr(B) > 0$. Then,

$$\Pr(B)\Pr(A \mid B) = \Pr(A)\Pr(B \mid A).$$


PROOF. By definition,

$$\Pr(B)\Pr(A \mid B) = \Pr(A \cap B) = \Pr(B \cap A) = \Pr(A)\Pr(B \mid A).$$

1.3. Perfect Secrecy: Shannon's Theorem

Consider the following scenario:

Using a cryptosystem $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, Alice and Bob are communicating over an insecure channel in the presence of eavesdropper Erich. Recall that $\mathcal{P}$, $\mathcal{C}$, and $\mathcal{K}$ are finite sets. Erich reads a cipher text, $c \in \mathcal{C}$, and tries to get some information about the corresponding plain text, $p \in \mathcal{P}$. The plain texts are distributed on $\mathcal{P}$ according to a probability distribution $\Pr_{\mathcal{P}}$ that may depend on the language used. For each new plain text, Alice chooses a new key from $\mathcal{K}$ that is independent of the plain text to be encrypted. The keys are distributed according to a probability distribution $\Pr_{\mathcal{K}}$ on $\mathcal{K}$. The distributions $\Pr_{\mathcal{P}}$ and $\Pr_{\mathcal{K}}$ induce a probability distribution $\Pr = \Pr_{\mathcal{P} \times \mathcal{K}}$ on $\mathcal{P} \times \mathcal{K}$. Thus, for each plain text $p$ and each key $k$,

$$\Pr(p, k) = \Pr_{\mathcal{P}}(p)\,\Pr_{\mathcal{K}}(k)$$

is the probability that the plain text $p$ is encrypted with the key $k$, where $p$ and $k$ are independent.

$\Pr(p) = \Pr_{\mathcal{P}}(p)$ is the probability that the plain text $p$ will be encrypted. Similarly, $\Pr(k) = \Pr_{\mathcal{K}}(k)$ is the probability that the key $k$ will be used. Let $c$ be another random variable whose distribution is determined by the system used. Then, $\Pr(p \mid c)$ is the probability that $p$ is encrypted under the condition that $c$ is received. Erich knows the cipher text $c$, and he knows the probability distribution $\Pr_{\mathcal{P}}$, since he knows the language used by Alice and Bob.

Definition 1.7. A cryptosystem $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ provides perfect secrecy if and only if

$$(\forall p \in \mathcal{P})\,(\forall c \in \mathcal{C})\,[\Pr(p \mid c) = \Pr(p)].$$

That is, a cryptosystem achieves perfect secrecy if the event that some plain text $p$ is encrypted and the event that some cipher text $c$ is received are independent: Erich learns nothing about $p$ from knowing $c$. The following example of a cryptosystem that does not provide perfect secrecy is due to Buchmann [2001].

Example 1.8 (Perfect Secrecy). Let $\mathcal{P}$, $\mathcal{C}$, and $\mathcal{K}$ be given such that:

—$\mathcal{P} = \{0, 1\}$, where $\Pr(0) = \frac{1}{4}$ and $\Pr(1) = \frac{3}{4}$;

—$\mathcal{K} = \{A, B\}$, where $\Pr(A) = \frac{1}{4}$ and $\Pr(B) = \frac{3}{4}$;

—$\mathcal{C} = \{a, b\}$.

It follows that, for example, the probability that a "1" occurs and is encrypted with the key $B$ is:

$$\Pr(1, B) = \Pr(1) \cdot \Pr(B) = \frac{3}{4} \cdot \frac{3}{4} = \frac{9}{16}.$$

Let the encryption functions be given by:

$$E_A(0) = a;\quad E_A(1) = b;\quad E_B(0) = b;\quad E_B(1) = a.$$

Hence, the probability that the cipher text $a$ occurs is:

$$\Pr(a) = \Pr(0, A) + \Pr(1, B) = \frac{1}{16} + \frac{9}{16} = \frac{5}{8}.$$

Similarly, the probability that the cipher text $b$ occurs is:

$$\Pr(b) = \Pr(1, A) + \Pr(0, B) = \frac{3}{16} + \frac{3}{16} = \frac{3}{8}.$$


Then, for each pair $(p, c) \in \mathcal{P} \times \mathcal{C}$, the conditional probability $\Pr(p \mid c)$ is:

$$\Pr(0 \mid a) = \frac{\Pr(0, A)}{\Pr(a)} = \frac{1/16}{5/8} = \frac{1}{10};$$

$$\Pr(0 \mid b) = \frac{\Pr(0, B)}{\Pr(b)} = \frac{3/16}{3/8} = \frac{1}{2};$$

$$\Pr(1 \mid a) = \frac{\Pr(1, B)}{\Pr(a)} = \frac{9/16}{5/8} = \frac{9}{10};$$

$$\Pr(1 \mid b) = \frac{\Pr(1, A)}{\Pr(b)} = \frac{3/16}{3/8} = \frac{1}{2}.$$

In particular, it follows that

$$\Pr(0) = \frac{1}{4} \neq \frac{1}{10} = \Pr(0 \mid a),$$

and thus the given cryptosystem does not provide perfect secrecy: If Erich sees the cipher text $a$, he can be pretty sure that the encrypted plain text was a "1."

THEOREM 1.9 (SHANNON [1949]). LetS = (P, C,K, E ,D) be a cryptosystem with‖C‖=‖K‖ and Pr(p) > 0 for each p ∈ P.Then, S provides perfect secrecy if and onlyif

(1) PrK is the uniform distribution, and(2) for each p ∈ P and for each c ∈ C,

there exists a unique key k ∈ K withEk(p) = c.

PROOF. Assume that S provides perfectsecrecy. We show that the conditions (1)and (2) hold.

Condition (2). Fix a plain text p ∈ P.Suppose that there is a cipher text c ∈ Csuch that for all k ∈ K, it holds thatEk(p) 6= c. Thus,

Pr(p) 6= 0 = Pr(p | c),

which implies that S does not provide per-fect secrecy, a contradiction. Hence,

(∀c ∈ C) (∃k ∈ K) [Ek(p) = c].

Now, ‖ C ‖ = ‖K ‖ implies that each ci-pher text c∈ C has a unique key k withEk(p)= c.

Condition (1). Fix a cipher text c ∈ C.For p ∈ P, let k(p) be the unique key kwith Ek(p) = c. By Bayes’ theorem, foreach p ∈ P, we have:

Pr(p | c)= Pr(c | p) Pr(p)Pr(c)

= Pr(k(p)) Pr(p)Pr(c)

.

(1.2)

Since S provides perfect secrecy, we havePr(p | c)=Pr(p). By Eq. (1.2), this impliesPr(k(p))=Pr(c), and this equality holdsindependently of p.

Hence, the probabilities Pr(k) are equalfor all k ∈ K, which implies Pr(k) = 1/‖K‖.Thus, PrK is the uniform distribution.

Conversely, suppose that conditions (1)and (2) hold. We show that S provides per-fect secrecy. Let k = k(p, c) be the uniquekey k with Ek(p) = c. By Bayes’ theorem,it follows that

Pr(p | c) = Pr(p) Pr(c | p)Pr(c)

= Pr(p) Pr(k(p, c))∑q∈P Pr(q) Pr(k(q, c))

. (1.3)

Since all keys are uniformly distributed, it follows that

$$\Pr(k(p, c)) = \frac{1}{\|K\|}.$$

Moreover, we have that

$$\sum_{q \in P} \Pr(q)\,\Pr(k(q, c)) = \frac{\sum_{q \in P} \Pr(q)}{\|K\|} = \frac{1}{\|K\|}.$$

Substituting this equality in Eq. (1.3) gives:

Pr(p | c) = Pr(p).

Hence, S provides perfect secrecy.

1.4. Vernam’s One-Time Pad

The Vernam one-time pad is a symmetric cryptosystem that does provide perfect secrecy. It was invented by Gilbert Vernam

ACM Computing Surveys, Vol. 34, No. 4, December 2002.



in 1917,² and is defined as follows. Let $P = C = K = \{0, 1\}^n$ for some $n \in \mathbb{N}$. For $k \in \{0, 1\}^n$, define

—the encryption function $E_k : \{0, 1\}^n \to \{0, 1\}^n$ by $E_k(p) = p \oplus k \bmod 2$, and

—the decryption function $D_k : \{0, 1\}^n \to \{0, 1\}^n$ by $D_k(c) = c \oplus k \bmod 2$,

where $\oplus$ denotes bit-wise addition modulo 2. The keys are uniformly distributed on $\{0, 1\}^n$. Note that for each plain text p a new key k is chosen from $\{0, 1\}^n$.

By Shannon's Theorem, the one-time pad provides perfect secrecy, since for each plain text $p \in P$ and for each cipher text $c \in C$, there exists a unique key $k \in K$ with $c = p \oplus k$, namely the string $k = c \oplus p$.

However, the one-time pad has major disadvantages that make it impractical to use in most concrete scenarios: To obtain perfect secrecy, every key can be used only once, and it must be at least as long as the plain text to be transmitted. Surely, since for every communication a new secret key at least as long as the plain text must be transmitted, this results in a vicious circle. Despite these drawbacks, for the perfect secrecy it provides, the one-time pad has been used in real-world applications such as, allegedly, the hotline between Moscow and Washington, see [Simmons 1979, p. 316].
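The conditional-probability calculation of the example above and the one-time pad of this section, worked through as an added Python example that is not from the paper: exact fractions compute Pr(p | c) from the plain-text and key distributions, the perfect-secrecy condition is tested directly, and the two conditions of Theorem 1.9 are checked against it. The toy system is reconstructed from the numbers the paper quotes (Pr(0) = 1/4, Pr(A) = 1/4, key A mapping 0 to a and 1 to b, key B swapping them); the skewed plain-text distribution used for the one-time pad is constructed.

```python
from fractions import Fraction
from itertools import product


def conditional_plaintext_probs(pr_p, pr_k, enc):
    """Return Pr(p | c) for every pair (p, c).

    pr_p: plain-text distribution {p: Pr(p)}; pr_k: key distribution {k: Pr(k)};
    enc: encryption table enc[k][p] = E_k(p).  Plain texts and keys are drawn
    independently, so Pr(p, k) = Pr(p) * Pr(k), and Pr(c) sums over all
    (p, k) that produce c.  Exact Fractions avoid rounding artifacts.
    """
    pr_c = {}
    joint = {}  # (p, c) -> Pr(p and c)
    for p, k in product(pr_p, pr_k):
        c = enc[k][p]
        w = pr_p[p] * pr_k[k]
        pr_c[c] = pr_c.get(c, Fraction(0)) + w
        joint[(p, c)] = joint.get((p, c), Fraction(0)) + w
    return {(p, c): joint.get((p, c), Fraction(0)) / pr_c[c]
            for p in pr_p for c in pr_c}


def has_perfect_secrecy(pr_p, pr_k, enc):
    """Definition of perfect secrecy: Pr(p | c) = Pr(p) for all p and c."""
    cond = conditional_plaintext_probs(pr_p, pr_k, enc)
    return all(cond[(p, c)] == pr_p[p] for (p, c) in cond)


def shannon_conditions(pr_k, enc):
    """Conditions (1) and (2) of Theorem 1.9: uniform keys, and for every
    (p, c) exactly one key k with E_k(p) = c.  The theorem also assumes
    |C| = |K| and Pr(p) > 0 for all p, which the caller must ensure."""
    keys = list(pr_k)
    uniform = all(pr_k[k] == Fraction(1, len(keys)) for k in keys)
    plaintexts = list(next(iter(enc.values())))
    ciphertexts = {enc[k][p] for k in keys for p in plaintexts}
    unique = all(sum(1 for k in keys if enc[k][p] == c) == 1
                 for p in plaintexts for c in ciphertexts)
    return uniform and unique


# Toy system reconstructed from the numbers in the paper's example
# (P = {0, 1}, K = {A, B}, C = {a, b}; key A maps 0->a, 1->b, key B swaps).
PAPER_PR_P = {0: Fraction(1, 4), 1: Fraction(3, 4)}
PAPER_PR_K = {"A": Fraction(1, 4), "B": Fraction(3, 4)}
PAPER_ENC = {"A": {0: "a", 1: "b"}, "B": {0: "b", 1: "a"}}


def one_time_pad(n):
    """Vernam's one-time pad on {0,1}^n: uniform keys, E_k(p) = p XOR k."""
    words = list(product((0, 1), repeat=n))
    pr_k = {k: Fraction(1, len(words)) for k in words}
    enc = {k: {p: tuple(a ^ b for a, b in zip(p, k)) for p in words}
           for k in words}
    return pr_k, enc


def skewed_plaintexts(n):
    """A deliberately non-uniform plain-text distribution on {0,1}^n
    (constructed): each word is weighted by 2 to the number of its 1-bits."""
    words = list(product((0, 1), repeat=n))
    weights = [Fraction(2 ** sum(w)) for w in words]
    total = sum(weights)
    return {w: wt / total for w, wt in zip(words, weights)}


if __name__ == "__main__":
    cond = conditional_plaintext_probs(PAPER_PR_P, PAPER_PR_K, PAPER_ENC)
    for (p, c), pr in sorted(cond.items(), key=str):
        print(f"Pr({p} | {c}) = {pr}")
    print("paper example perfect?",
          has_perfect_secrecy(PAPER_PR_P, PAPER_PR_K, PAPER_ENC))
    otp_pr_k, otp_enc = one_time_pad(3)
    print("one-time pad perfect?",
          has_perfect_secrecy(skewed_plaintexts(3), otp_pr_k, otp_enc))
```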

2. RSA CRYPTOSYSTEM

The RSA cryptosystem, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is the first public-key cryptosystem [Rivest et al. 1978]. It is still widely used in cryptographic applications today. Again, the scenario is that Alice and Bob want to exchange messages over an insecure channel on which Erich is an eavesdropper:

² Slightly differing from the system described here, Vernam's actual invention was a system with a finite period and hence did not provide perfect secrecy; see Kahn [1967] on this point.

In order to describe how the RSA cryptosystem works, we first need some preliminaries from elementary number theory.

2.1. Euler and Fermat’s Theorems

The greatest common divisor of two integers a and b is denoted by gcd(a, b). For $n \in \mathbb{N}$, define the set

$$\mathbb{Z}_n^* = \{\, i \mid 1 \le i \le n - 1 \text{ and } \gcd(i, n) = 1 \,\}.$$

The Euler function $\varphi$ is defined by $\varphi(n) = \|\mathbb{Z}_n^*\|$. Note that $\mathbb{Z}_n^*$ is a group (with respect to multiplication) of order $\varphi(n)$. The following useful properties of $\varphi$ follow from the definition:

—$\varphi(m \cdot n) = \varphi(m) \cdot \varphi(n)$ for all $m, n \in \mathbb{N}$ with $\gcd(m, n) = 1$, and

—$\varphi(p) = p - 1$ for all primes p.

We will specifically use that $\varphi(n) = (p - 1)(q - 1)$, where p and q are primes and $n = pq$.

Euler's Theorem below is a special case (for the group $\mathbb{Z}_n^*$) of Lagrange's Theorem, which states that for each element g of a finite multiplicative group G having order |G| and the neutral element 1, it holds that $g^{|G|} = 1$.

THEOREM 2.1 (EULER). For each $a \in \mathbb{Z}_n^*$, $a^{\varphi(n)} \equiv 1 \bmod n$.

The special case of Euler's Theorem with n being a prime not dividing a is known as Fermat's Little Theorem.

THEOREM 2.2 (FERMAT'S LITTLE THEOREM). If p is a prime and $a \in \mathbb{Z}_p^*$, then $a^{p-1} \equiv 1 \bmod p$.


2.2. RSA

(1) Key Generation

(1) Bob chooses randomly two large primes p and q with $p \neq q$, and computes their product $n = pq$.

(2) Bob chooses a number $e \in \mathbb{N}$ with
$$1 < e < \varphi(n) = (p - 1)(q - 1) \text{ and } \gcd(e, \varphi(n)) = 1. \tag{2.4}$$

(3) Bob computes the unique number d satisfying
$$1 < d < \varphi(n) \text{ and } e \cdot d \equiv 1 \bmod \varphi(n). \tag{2.5}$$
That is, d is the inverse of e modulo $\varphi(n)$.

(4) The pair (n, e) is Bob's public key, and d is Bob's private key.

In order to generate two large primes (e.g., primes with 80 digits each) efficiently, one can choose large numbers at random and test them for primality. Since by the Prime Number Theorem, the number of primes not exceeding N is approximately $N / \ln N$, the odds of hitting a prime are good after a reasonably small number of trials. To verify the primality of the number picked, one usually makes use of a randomized polynomial-time primality test such as the Monte Carlo³ algorithm of Rabin [1980] that is related to a deterministic algorithm due to Miller [1976]; their primality test is known as the Miller–Rabin test. An alternative, though less popular Monte Carlo algorithm was proposed by Solovay and Strassen [1977]. The reason why the Solovay–Strassen test is less popular than the Miller–Rabin test is that it is less efficient and less accurate. These two primality tests, along with a careful complexity analysis and the required number-theoretical background,

³ A Monte Carlo algorithm is a randomized algorithm whose "yes" answers are reliable, while its "no" answers may be erroneous with a certain error probability, or vice-versa. The corresponding complexity classes are called R and coR, respectively, see Gill [1977]. In contrast, a Las Vegas algorithm may for certain sequences of coin flips halt without giving an answer at all, but whenever it gives an answer, this answer is correct. The corresponding class, ZPP = R ∩ coR, was also defined by Gill [1977].

can be found in, for example, the books by Stinson [1995] and Salomaa [1996]. Additional primality tests are contained in Goldreich [2001] and Buchmann [2001].

Note Added in Proof: Quite recently, Agrawal et al. [2002] designed a deterministic polynomial-time algorithm for primality. Their breakthrough result is a milestone in complexity theory and solves a long-standing open problem. It is unlikely, though, that this algorithm will have immediate consequences for cryptographic applications, since Agrawal et al. [2002] note that their algorithm has a running time of roughly $n^{12}$, and thus is much less efficient than the probabilistic primality tests currently in use.

We now argue that the keys can be computed efficiently. In particular, the inverse d of e modulo $\varphi(n)$ can be computed efficiently via the extended algorithm of Euclid; see Figure 1.

LEMMA 2.3. On input $b_0 = \varphi(n)$ and $b_1 = e$, the extended algorithm of Euclid computes in polynomial time integers x and y such that
$$x \cdot \varphi(n) + y \cdot e \equiv 1 \bmod \varphi(n).$$

Thus, y is the inverse of e modulo $\varphi(n)$, and Bob chooses $d \equiv y \bmod \varphi(n)$ as his private key.

Example 2.4. Bob chooses the primes $p = 11$ and $q = 23$, and computes their product $n = 253$ and $\varphi(253) = 10 \cdot 22 = 220$. The smallest possible e satisfying Eq. (2.4) is $e = 3$. The extended algorithm of Euclid yields the following sequence of $b_i$, $x_i$, and $y_i$:

    i    b_i    x_i    y_i    q_i
    0    220    1      0      –
    1    3      0      1      73
    2    1      1      −73    –

Since $1 \cdot 220 + (-73) \cdot 3 = 220 - 219 \equiv 1 \bmod 220$, the unique value $d = -73 + 220 = 147$ computed by Bob satisfies Eq. (2.5) and is the inverse of $e = 3$ modulo 220.

(2) Encryption. We assume that messages over some alphabet Σ are block-wise


Euclid's Algorithm (extended)

Input: Two integers, b_0 and b_1.
begin
    x_0 := 1; y_0 := 0; x_1 := 0; y_1 := 1; i := 1;
    while b_i does not divide b_{i−1} do
    begin
        q_i := ⌊ b_{i−1} / b_i ⌋;
        b_{i+1} := b_{i−1} − q_i · b_i;
        x_{i+1} := x_{i−1} − q_i · x_i;
        y_{i+1} := y_{i−1} − q_i · y_i;
        i := i + 1
    end
    begin output
        b := b_i;    (∗ b = gcd(b_0, b_1) = 1 ∗)
        x := x_i;
        y := y_i     (∗ y is the inverse of b_1 mod b_0 ∗)
    end output
end

Fig. 1. The extended algorithm of Euclid.

encoded as positive integers with a fixed block length. Suppose that $m < n$ is the message Alice wants to send to Bob. Alice knows Bob's public key (n, e) and computes the encryption $c = E_{(n,e)}(m)$ of m, where the encryption function is defined by

$$E_{(n,e)}(m) = m^e \bmod n.$$

Performed naively, this computation may require a large number of multiplications, depending on the choice of e. To ensure efficient encryption, we will employ a "fast exponentiation" algorithm called "square-and-multiply," see Figure 2.

Equation (2.6) in Step 3 of Figure 2 is correct, since

$$m^e = m^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} \left(m^{2^i}\right)^{e_i} = \prod_{\substack{i = 0 \\ e_i = 1}}^{k} m^{2^i}.$$

Hence, instead of e multiplications, Alice need compute no more than $2 \log e$ multiplications. Thus, the square-and-multiply method speeds up the encryption exponentially.

Example 2.5. Suppose Alice wants to compute $c = 6^{17} \bmod 100$. The binary expansion of the exponent is $17 = 1 + 16 = 2^0 + 2^4$.

(1) Alice successively computes:

$$6^{2^0} = 6^1 = 6;\quad 6^{2^1} = 6^2 = 36;\quad 6^{2^2} = 36^2 \equiv -4 \bmod 100;\quad 6^{2^3} \equiv (-4)^2 \equiv 16 \bmod 100;\quad 6^{2^4} \equiv 16^2 \equiv 56 \bmod 100.$$

(2) Alice computes her cipher text

$$c = 6^{17} \bmod 100 \equiv 6 \cdot 6^{2^4} \bmod 100 \equiv 6 \cdot 56 \bmod 100 \equiv 36 \bmod 100.$$

Note that only four squarings and one multiplication are needed for her to compute the cipher text.

(3) Decryption. Let c, $0 \le c < n$, be the cipher text sent to Bob; c is subject to eavesdropping by Erich. Bob decrypts c using his private key d and the following decryption function:

$$D_d(c) = c^d \bmod n.$$

Again, the fast exponentiation algorithm described in Figure 2 ensures that the legal recipient Bob can decrypt the cipher text efficiently. Thus, the RSA protocol is


Square-and-Multiply Algorithm

Input: $m, n, e \in \mathbb{N}$, where $m < n$.

Step 1. Let the binary expansion of the exponent e be given by
$$e = \sum_{i=0}^{k} e_i 2^i, \text{ where } e_i \in \{0, 1\}.$$

Step 2. Successively compute $m^{2^i}$, where $0 \le i \le k$, using the equality
$$m^{2^{i+1}} = \left(m^{2^i}\right)^2.$$
It is not necessary to store the intermediate values of $m^{2^i}$.

Step 3. In the arithmetic modulo n, compute
$$m^e = \prod_{\substack{i = 0 \\ e_i = 1}}^{k} m^{2^i}. \tag{2.6}$$

Output: $m^e$.

Fig. 2. The square-and-multiply algorithm.

feasible. To prove that it is correct, we show that Eq. (1.1) is satisfied.

Figure 3 summarizes the single steps of the RSA protocol and displays the information communicated by Alice and Bob that is subject to eavesdropping by Erich.

THEOREM 2.6. Let (n, e) and d be Bob's public and private key in the RSA protocol. Then, for each message m with $0 \le m < n$,

$$m = (m^e)^d \bmod n.$$

That is, RSA is a public-key cryptosystem.

PROOF. Since $e \cdot d \equiv 1 \bmod \varphi(n)$ by Eq. (2.5), there exists an integer t such that

$$e \cdot d = 1 + t(p - 1)(q - 1),$$

where $n = pq$. It follows that

$$(m^e)^d = m^{e \cdot d} = m^{1 + t(p-1)(q-1)} = m\left(m^{t(p-1)(q-1)}\right) = m\left(m^{p-1}\right)^{t(q-1)}.$$

Hence, we have

$$(m^e)^d \equiv m \bmod p, \tag{2.7}$$

since if p divides m then both sides of Eq. (2.7) are 0 mod p, and if p does not divide m (i.e., $\gcd(p, m) = 1$), then, by Fermat's Little Theorem, we have

$$m^{p-1} \equiv 1 \bmod p.$$

By a symmetric argument, it holds that

$$(m^e)^d \equiv m \bmod q.$$

Since p and q are primes with $p \neq q$, it follows from the Chinese Remainder Theorem (see, e.g., Knuth [1981] or Stinson [1995]) that

$$(m^e)^d \equiv m \bmod n.$$

Since m < n, the claim follows.
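The three steps of the RSA protocol in Section 2.2, key generation with Figure 1's extended Euclid, encryption with Figure 2's square-and-multiply, and decryption, as one added Python example that is not the paper's code. The operation count returned by square-and-multiply lets Example 2.5's "four squarings and one multiplication" be checked, and the key of Example 2.4 ($p = 11$, $q = 23$, $e = 3$, $d = 147$) is used as the test case; the round trip of Theorem 2.6 is verified for every block $0 \le m < n$.

```python
def extended_euclid(b0, b1):
    """Extended Euclid as in Figure 1: returns (b, x, y) with
    b = gcd(b0, b1) = x*b0 + y*b1.  Loop invariant: b_i = x_i*b0 + y_i*b1."""
    b_prev, b = b0, b1
    x_prev, x = 1, 0
    y_prev, y = 0, 1
    while b_prev % b != 0:           # while b_i does not divide b_{i-1}
        q = b_prev // b
        b_prev, b = b, b_prev - q * b
        x_prev, x = x, x_prev - q * x
        y_prev, y = y, y_prev - q * y
    return b, x, y


def square_and_multiply(m, e, n):
    """Figure 2, scanning the bits of e from least significant upwards.
    Returns (m^e mod n, squarings, multiplications) so that the operation
    count of Example 2.5 can be checked.  Requires e >= 1."""
    if e < 1:
        raise ValueError("exponent must be at least 1")
    power = m % n            # m^(2^i) mod n, starting at i = 0
    result = None            # running product of the powers with e_i = 1
    squarings = multiplications = 0
    while True:
        if e & 1:
            if result is None:
                result = power
            else:
                result = result * power % n
                multiplications += 1
        e >>= 1
        if e == 0:
            return result, squarings, multiplications
        power = power * power % n    # m^(2^(i+1)) = (m^(2^i))^2
        squarings += 1


def rsa_keygen(p, q, e):
    """Steps (1)-(4) of Section 2.2 for given primes p, q and exponent e.
    Returns ((n, e), d) or raises if e violates Eq. (2.4).  Primality of
    p and q is assumed, not checked."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("e must satisfy 1 < e < phi(n)")
    g, _x, y = extended_euclid(phi, e)   # x*phi + y*e = g  (Lemma 2.3)
    if g != 1:
        raise ValueError("gcd(e, phi(n)) must be 1")
    d = y % phi                          # the inverse of e modulo phi(n)
    return (n, e), d


def rsa_encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= m < n")
    return square_and_multiply(m, e, n)[0]


def rsa_decrypt(d, n, c):
    return square_and_multiply(c, d, n)[0]


if __name__ == "__main__":
    public, d = rsa_keygen(11, 23, 3)                      # Example 2.4
    print("public key", public, "private key d =", d)      # d = 147
    print("6^17 mod 100, squarings, multiplications:",
          square_and_multiply(6, 17, 100))                 # (36, 4, 1)
    c = rsa_encrypt(public, 42)                            # constructed block
    print("c =", c, "decrypts to", rsa_decrypt(d, public[0], c))
```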

2.3. RSA Digital Signature Protocol

The RSA public-key cryptosystem described in Section 2.2 can be modified


Fig. 3 . The RSA protocol.

Fig. 4 . The RSA digital signature protocol.

so as to yield a digital signature protocol. Figure 4 shows how the RSA digital signature protocol works. A chosen-plain-text attack on the RSA digital signature scheme, and countermeasures to avoid it, are described in Section 2.4.

2.4. Security of RSA and Possible Attacks on RSA

The security of the RSA cryptosystem strongly depends on whether factoring large integers is intractable. It is widely


believed that there is no efficient factoring algorithm, since no such algorithm could be designed as yet, despite considerable efforts in the past. However, it is not known whether the problem of factoring large integers is as hard as the problem of cracking the RSA system.

Here is a list of potential attacks on the RSA system. To preclude these direct attacks, some care must be taken in choosing the primes p and q, the modulus n, the exponent e, and the private key d. For further background on the security of the RSA system and on proposed attacks to break it, the reader is referred to Boneh [1999], Shamir [1995], Kaliski and Robshaw [1995], and Moore [1992]. For each attack on RSA that has been proposed in the literature to date, some practical countermeasures are known, rules of thumb that prevent the success of those attacks or, at least, that make their likelihood of success negligibly small.

Factoring attacks. The aim of the attacker Erich is to use the public key (n, e) to recover the private key d by factoring n, that is, by computing the primes p and q with $n = pq$. Knowing p and q, he can just like Bob compute $\varphi(n) = (p - 1)(q - 1)$ and thus the inverse d of e modulo $\varphi(n)$, using the extended algorithm of Euclid; see Figure 1 and Lemma 2.3. There are various ways in which Erich might mount this type of attack on RSA.

—Brute-Force Attack. Erich might try to factor the modulus n simply by exhaustive search of the complete key space. Choosing n sufficiently large will prevent this type of attack. Currently, it is recommended to use moduli n with at least 768 bits, that is, the size of 512 bits formerly in use no longer provides adequate protection today. Of course, the time complexity of modular exponentiation grows rapidly with the modulus size, and thus there is a trade-off between increasing the security of RSA and decreasing its efficiency.

It is also generally accepted that those moduli n consisting of prime factors p and q of roughly the same size are the hardest to factor.

—General-Purpose Factoring Methods. Examples of such general factoring algorithms are the general number field sieve (see, e.g., Lenstra and Lenstra [1993]) or the older quadratic sieve (see, e.g., Buchmann [2001] and Stinson [1995]). They are based on the following simple idea. Suppose n is the number to be factorized. Using the respective "sieve," one determines integers a and b such that

$$a^2 \equiv b^2 \bmod n \text{ and } a \not\equiv \pm b \bmod n. \tag{2.8}$$

Thus, n divides $a^2 - b^2 = (a - b)(a + b)$, but neither $a - b$ nor $a + b$. Hence, $\gcd(a - b, n)$ is a nontrivial factor of n. The general number field sieve and the quadratic sieve differ in the specific way the integers a and b satisfying Eq. (2.8) are found.

—Special-Purpose Factoring Methods. Depending on the form of the primes p and q, it might be argued that using special-purpose factoring methods such as Pollard's [1974] "$p - 1$ method" may be more effective and more successful than using general-purpose factoring methods. This potential threat led to the introduction of strong primes that resist such special-purpose factoring methods. A strong prime p is required to satisfy certain conditions such as that $p - 1$ has a large factor r and $r - 1$, in turn, has a large factor, etc.

—Elliptic Curve Method. This factoring method was introduced by Lenstra [1987], and it has some success probability regardless of the form of the primes chosen. Consequently, the most effective countermeasure against the elliptic curve method is to use primes of very large size. This countermeasure simultaneously provides, with a very high probability, protection against all known types of special-purpose factoring methods. In short, randomly chosen large primes are more important than strong primes. Note that weak primes are believed to be rare; Pomerance and Sorenson [1995] study the density of weak primes.


—Factoring on a Quantum Computer. Last, we mention that Shor's [1997] algorithm for factoring large numbers on a quantum computer poses a potential threat to the security of RSA and other cryptosystems whose security relies on the hardness of the factoring problem. More precisely, Shor's efficient quantum algorithm determines the order of a given group element, a problem closely related to the factoring problem. Using Miller's [1976] randomized reduction, if one can efficiently compute the order of group elements, then one can efficiently solve the factoring problem. However, the quantum computer is a theoretical construct currently. Whether or not Shor's quantum factoring algorithm will be a practical threat remains to be seen in the future.

Superencryption. Early on, Simmons and Norris [1977] proposed an attack on RSA called superencryption. This attack is based on the observation that a sufficient number of encryptions will eventually recover the original message, since the RSA encryption function is an injective mapping onto a finite set, which makes the graph of the function a union of disjoint cycles. This attack is a threat to the security of RSA, provided that the number of encryptions required is small. Luckily, superencryption is not a practical attack if the primes are large and are chosen at random.

Wiener's Attack. Wiener [1990] proposed an attack on the RSA system by a continued fraction approximation, using the public key (n, e) to provide sufficient information to recover the private key d. More precisely, Wiener proved that if the keys in the RSA system are chosen such that $n = pq$, where $q < p < 2q$, and $d < \frac{1}{3}\sqrt[4]{n}$, then given the public key (n, e) with $ed \equiv 1 \bmod \varphi(n)$ the private key d can be computed in linear time.

Here is a proof sketch of Wiener's result (see Boneh [1999]). Since $ed \equiv 1 \bmod \varphi(n)$, there exists a k such that $ed - k\varphi(n) = 1$, which implies that $k/d$ is an approximation of $e/\varphi(n)$:

$$\left|\frac{e}{\varphi(n)} - \frac{k}{d}\right| = \left|\frac{1}{d\,\varphi(n)}\right|. \tag{2.9}$$

Erich does not know $\varphi(n)$, but he can use n in place of $\varphi(n)$. Using $ed - k\varphi(n) = 1$ and the easily verified fact that $|n - \varphi(n)| < 3\sqrt{n}$, in place of Eq. (2.9) we now have

$$\left|\frac{e}{n} - \frac{k}{d}\right| = \left|\frac{1 - k(n - \varphi(n))}{dn}\right| \le \left|\frac{3k\sqrt{n}}{dn}\right| = \frac{3k}{d\sqrt{n}}.$$

Since $k\varphi(n) = ed - 1 < ed$ and $e < \varphi(n)$, we have $k < d < \frac{1}{3}\sqrt[4]{n}$. Hence,

$$\left|\frac{e}{n} - \frac{k}{d}\right| < \frac{1}{d\sqrt[4]{n}} < \frac{1}{2d^2}.$$

There are at most $\log n$ fractions $k/d$ with $d < n$ approximating $e/n$ so tightly, and they can be obtained by computing the $\log n$ convergents of the continued fraction expansion of $e/n$ (see Hardy and Wright [1979, Thm. 177]). Since $ed - k\varphi(n) = 1$, we have $\gcd(k, d) = 1$, so $k/d$ is a reduced fraction.

Note that this attack is efficient and practical, and thus is a concern, only if the private key d is chosen to be small relative to n. For example, if n is a 1024-bit number, then d must be at least 256 bits long in order to prevent Wiener's attack. A small value of d, however, enables fast decryption and in particular is desirable for low-power devices such as "smartcards." Therefore, Wiener proposed certain techniques that avoid his attack.

The first technique is to use a large encryption exponent, say $e' = e + \ell\varphi(n)$ for some large $\ell$. For a large enough $e'$, the factor k in the above proof is so large that Wiener's attack cannot be mounted, regardless of how small d is.

The second technique uses the Chinese Remainder Theorem to speed up decryption, even if d is not small. Let d be a large decryption exponent such that both $d_p \equiv d \bmod (p - 1)$ and $d_q \equiv d \bmod (q - 1)$ are small. Then, one can decrypt a given


cipher text c as follows. Compute $m_p = c^{d_p} \bmod p$ and $m_q = c^{d_q} \bmod q$, and use the Chinese Remainder Theorem to obtain the unique solution m modulo $n = pq$ of the two equations $m = m_p \bmod p$ and $m = m_q \bmod q$. The point is that although $d_p$ and $d_q$ are small, d can be chosen large enough to resist Wiener's attack.

Boneh and Durfee [2000] recently improved Wiener's result: Erich can efficiently compute d from (n, e) provided that $d < n^{0.292}$.
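The Wiener bound and the Chinese-Remainder decryption technique above, as an added Python example that is not from the paper: a parameter check that returns the rules of thumb of this section a candidate key violates (distinct primes of roughly equal size, Eqs. (2.4) and (2.5), and $d$ outside Wiener's range; primality of p and q is assumed, not tested), and decryption with the small exponents $d_p$ and $d_q$ recombined by the Chinese Remainder Theorem. The key of Example 2.4 and the modulus $10^{12} + 1$ used to exercise the bound are the test values; `pow(p, -1, q)` needs Python 3.8 or later.

```python
from math import gcd, isqrt


def int_fourth_root(n):
    """Largest integer r with r**4 <= n (exact, no floating point)."""
    return isqrt(isqrt(n))


def resists_wiener(n, d):
    """Wiener's attack applies when d < n^(1/4)/3, i.e. 3d < n^(1/4).
    Since 3d is an integer this forces 3d <= floor(n^(1/4)), so a key with
    3d > floor(n^(1/4)) lies outside the bound.  (The Boneh-Durfee bound
    d < n^0.292 is stricter and is not checked here.)"""
    return 3 * d > int_fourth_root(n)


def check_rsa_parameters(p, q, e, d):
    """Rule-of-thumb checks from Section 2.4 on a candidate key.
    Returns the list of violated rules (empty means none found); p and q are
    assumed to be primes, primality itself is not tested."""
    problems = []
    n, phi = p * q, (p - 1) * (q - 1)
    if p == q:
        problems.append("p and q must be distinct")
    if abs(p.bit_length() - q.bit_length()) > 1:
        problems.append("p and q should be of roughly the same size")
    if not 1 < e < phi or gcd(e, phi) != 1:
        problems.append("e violates Eq. (2.4): 1 < e < phi(n), gcd(e, phi(n)) = 1")
    if not 1 < d < phi or (e * d) % phi != 1:
        problems.append("d violates Eq. (2.5): d is not the inverse of e mod phi(n)")
    if not resists_wiener(n, d):
        problems.append("d < n^(1/4)/3: within reach of Wiener's attack")
    return problems


def crt_decrypt(c, p, q, d):
    """Decrypt with d_p = d mod (p-1) and d_q = d mod (q-1), then recombine
    m_p and m_q with the Chinese Remainder Theorem.  The result equals
    c^d mod n, but each exponentiation runs modulo one prime factor only."""
    d_p, d_q = d % (p - 1), d % (q - 1)
    m_p, m_q = pow(c, d_p, p), pow(c, d_q, q)
    # Unique m mod pq with m = m_p (mod p) and m = m_q (mod q):
    # m = m_p + p*h, where h = (m_q - m_p) * p^{-1} mod q.
    h = ((m_q - m_p) * pow(p, -1, q)) % q
    return m_p + p * h


if __name__ == "__main__":
    p, q, e, d = 11, 23, 3, 147                          # key of Example 2.4
    print("violations:", check_rsa_parameters(p, q, e, d) or "none")
    c = pow(42, e, p * q)                                # constructed block
    print("CRT decryption of", c, "->", crt_decrypt(c, p, q, d))
    # constructed modulus of about 2^40 with a tiny d: flagged by the bound
    print("small d flagged:", not resists_wiener(2 ** 40 + 15, 21))
```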

Small-Message Attack. RSA encryption is not effective if both the message m to be encrypted and the exponent e to be used for encryption are small relative to the modulus n. In particular, if $c = m^e < n$ is the cipher text, then m can be recovered from c by ordinary root extraction. Thus, either the public exponent should be large or the messages should always be large. It is this latter suggestion that is more useful, for a small public exponent is often preferred in order to speed up the encryption and to preclude Wiener's attack.

Low-Exponent Attack. One should take precautions, though, not to choose the public exponent too small. A preferred value of e that has been used often in the past is $e = 3$. However, if three parties participating in the same system encrypt the same message m using the same public exponent 3, although perhaps different moduli $n_1$, $n_2$, and $n_3$, then one can easily compute m from the three cipher texts:

$$c_1 = m^3 \bmod n_1,\qquad c_2 = m^3 \bmod n_2,\qquad c_3 = m^3 \bmod n_3.$$

In particular, the message m must be smaller than the moduli, and so $m^3$ will be smaller than $n_1 n_2 n_3$. Using the Chinese Remainder Theorem (see, e.g., Knuth [1981] and Stinson [1995]), one can compute the unique solution

$$c = m^3 \bmod n_1 n_2 n_3 = m^3.$$

Hence, one can compute m from c by ordinary root extraction.

More generally, suppose that k related plain texts are encrypted with the same exponent e:

$$c_1 = (a_1 m + b_1)^e \bmod n_1,\qquad c_2 = (a_2 m + b_2)^e \bmod n_2,\qquad \ldots,\qquad c_k = (a_k m + b_k)^e \bmod n_k,$$

where $a_i$ and $b_i$, $1 \le i \le k$, are known and $k > e(e + 1)/2$ and $\min(n_i) > 2^{e^2}$. Then, an attacker can solve for m in polynomial time using lattice reduction techniques. This observation is due to Johan Håstad [1988], and his "broadcast attack" has been strengthened by Don Coppersmith [1997]. This attack is a concern if the messages are related in a known way. Padding the messages with pseudorandom strings prior to encryption prevents mounting this attack in practice (see, e.g., Kaliski and Robshaw [1995]). If the messages are related in a known way, they should not be encrypted with many RSA keys.

A recommended value of e that is commonly used today is $e = 2^{16} + 1$. One advantage of this value for e is that its binary expansion has only two ones, which implies that the square-and-multiply algorithm of Figure 2 requires very few operations,⁴ and so is very efficient.

Forging RSA Signatures. This attack is based on the fact that the RSA encryption function is a homomorphism: if (n, e) is the public key and $m_1$ and $m_2$ are two messages, then

$$m_1^e \cdot m_2^e \equiv (m_1 \cdot m_2)^e \bmod n. \tag{2.10}$$

Another identity that can easily be verified is:

$$(m \cdot r^e)^d \equiv m^d \cdot r \bmod n. \tag{2.11}$$

In particular, these identities can be used to mount an attack on the digital

⁴ How many exactly?


signature scheme based on the RSA algorithm, see Figure 4 and Section 2.3. Given previous message-signature pairs $(m_1, \mathrm{sig}_A(m_1)), \ldots, (m_k, \mathrm{sig}_A(m_k))$, Erich can use the congruences (2.10) and (2.11) to compute a new message-signature pair $(m, \mathrm{sig}_A(m))$ by

$$m = r^e \prod_{i=1}^{k} m_i^{e_i} \bmod n; \qquad \mathrm{sig}_A(m) = r \prod_{i=1}^{k} \left(\mathrm{sig}_A(m_i)\right)^{e_i} \bmod n,$$

where r and the $e_i$ are arbitrary. Hence, Erich can forge Alice's signature without knowing her private key, and Bob will not detect the forgery, since $m \equiv (\mathrm{sig}_A(m))^e \bmod n$. Note that, in Eq. (2.10), even if $m_1$ and $m_2$ are meaningful plain texts, $m_1 \cdot m_2$ usually is not. Thus, Erich can forge Alice's signature only for messages that may or may not be useful. However, he might choose the messages $m_i$ so as to generate a meaningful message m with a forged digital signature. This chosen-plain-text attack can again be avoided by pseudorandom padding techniques that destroy the algebraic relations between messages. Pseudorandom padding is also a useful countermeasure against the following chosen-cipher-text attack: Erich intercepts some cipher text c, chooses $r \in \mathbb{N}$ at random, and computes $c \cdot r^e \bmod n$, which he sends to the legitimate receiver Bob. By Eq. (2.11), Bob will decrypt this string to $c^d \cdot r \bmod n$, which is likely to look like a random string. Erich, however, if he were to get his hands on it, could obtain the original message m by multiplying by $r^{-1}$, the inverse of r modulo n, that is, by computing $m = r^{-1} \cdot c^d \cdot r \bmod n$.

3. PROTOCOLS FOR SECRET-KEY AGREEMENT, PUBLIC-KEY ENCRYPTION, AND DIGITAL SIGNATURES

Consider again a scenario where Alice and Bob want to exchange messages over an insecure channel such as a public telephone line, and where Erich is an eavesdropper:

This is why Alice and Bob want to encrypt their messages. For efficiency purposes, they decide to use a symmetric cryptosystem in which they both possess the same key for encryption and for decryption; recall Definition 1.1. But then, how can they agree on a joint secret key when they can communicate only over an insecure channel? If they were to send an encrypted message containing the key to be used in subsequent communications, which key should they use to encrypt this message?

This paradoxical situation is known as the secret-key agreement problem, and it was considered to be unsolvable since the beginning of cryptography. It was quite a surprise when, in 1976, Whitfield Diffie and Martin Hellman [1976] did solve this long-standing, seemingly paradoxical problem by proposing the first secret-key agreement protocol. We describe their protocol in Section 3.1. Interestingly, it was the Diffie–Hellman protocol that inspired Rivest, Shamir, and Adleman to invent the RSA system. That is, Diffie and Hellman's key idea to solve the secret-key agreement problem opened the door to modern public-key cryptography, which no longer requires sending secret keys over insecure channels.

Strangely enough, the reverse happened in the nonpublic sector. The Communications Electronics Security Group (CESG) of the British Government Communications Headquarters (GCHQ) claims to have invented the RSA public-key cryptosystem prior to Rivest, Shamir, and Adleman and the Diffie–Hellman secret-key agreement scheme independently of Diffie and Hellman. And they did so in reverse order. James Ellis


Fig. 5 . The Diffie–Hellman secret-key agreement protocol.

first discovered the possibility, in principle, of public-key cryptography in the late sixties. In 1973, Clifford Cocks developed the mathematics necessary to realize Ellis's ideas and formulated what four years later became known as the RSA system. Soon thereafter, inspired by Ellis' and Cocks' work, Malcolm Williamson invented what became known as the Diffie–Hellman secret-key agreement scheme, around the same time Diffie and Hellman succeeded. None of the results of Ellis, Cocks, and Williamson became known to the public then. The full story—or what of it is publicly known by now—is told in Singh's [1999] book.

Section 3.2 shows how to modify the Diffie–Hellman protocol in order to obtain a public-key cryptosystem. This protocol is due to Taher ElGamal [1985]. Just like the Diffie–Hellman protocol, ElGamal's cryptosystem is based on the difficulty of computing discrete logarithms.

Section 3.3 gives an interesting protocol due to an unpublished work of Adi Shamir. In this protocol, keys do not need to be agreed upon prior to exchanging encrypted messages.

Another cryptographic task is the generation of digital signatures: Alice wants to sign her encrypted messages to Bob in a way that allows Bob to verify that Alice was indeed the sender of the message. Digital signature protocols are used for the authentication of documents such as email messages. The goal is to preclude Erich from forging Alice's messages and her signature. Digital signature protocols are described in Section 2.3 (RSA digital signatures), in Section 3.2 (ElGamal digital signatures) and in Section 3.4 (Rabi and Sherman digital signatures).

3.1. Diffie and Hellman's Secret-Key Agreement Protocol

Figure 5 shows how the Diffie–Hellman secret-key agreement protocol works. It is based on the modular exponential function with base g and modulus p, where p is a prime and g is a primitive root of p in $\mathbb{Z}_p^*$, the cyclic group of prime residues modulo p; recall that $\mathbb{Z}_p^*$ has order $\varphi(p) = p - 1$. The formal definition is as follows:

Definition 3.1

—For $n \in \mathbb{N}$, a primitive root of n is any element $a \in \mathbb{Z}_n^*$ satisfying that, for each d with $1 \le d < \varphi(n)$, it holds that
$$a^d \not\equiv 1 \bmod n.$$
Equivalently, a primitive root of n is a generator of $\mathbb{Z}_n^*$.

—Let p be a prime, and let g be a primitive root of p. The function $\alpha(g, p) : \mathbb{Z}_{p-1} \to \mathbb{Z}_p^*$


that is defined by
$$\alpha(g, p)(a) = g^a \bmod p$$
is called the modular exponential function with base g and modulus p. Its inverse function, which for fixed p and g maps $\alpha(g, p)(a)$ to $a = \log_g \alpha \bmod p$, is called the discrete logarithm.

As noted above, every primitive root of p generates the entire group $\mathbb{Z}_p^*$. Moreover, $\mathbb{Z}_p^*$ has precisely $\varphi(p - 1)$ primitive roots. For example, $\mathbb{Z}_5^* = \{1, 2, 3, 4\}$ and $\mathbb{Z}_4^* = \{1, 3\}$, so $\varphi(4) = 2$, and the two primitive roots of 5 in $\mathbb{Z}_5^*$ are 2 and 3, since

$$2^1 = 2;\quad 2^2 = 4;\quad 2^3 \equiv 3 \bmod 5;\quad 2^4 \equiv 1 \bmod 5;$$
$$3^1 = 3;\quad 3^2 \equiv 4 \bmod 5;\quad 3^3 \equiv 2 \bmod 5;\quad 3^4 \equiv 1 \bmod 5.$$

Not every integer has a primitive root: 8 is the smallest such example. It is known from elementary number theory that an integer n has a primitive root if and only if n is 1 or 2 or 4, or is of the form $q^k$ or $2q^k$ for some odd prime q.

The protocol from Figure 5 works, since

$$k_A = \beta^a = g^{ba} = g^{ab} = \alpha^b = k_B.$$

Thus, the keys computed by Alice and Bob indeed are the same.
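Definition 3.1, the primitive roots of 5 and 8 worked out above, and the key check $k_A = k_B$ of Figure 5, as an added Python example that is not from the paper. The Diffie–Hellman parameters $p = 23$, $g = 5$ and the secrets $a = 6$, $b = 15$ are constructed toy values; the brute-force counting is fine for such small moduli only.

```python
from math import gcd


def euler_phi(n):
    """phi(n) = |Z_n^*| by direct count (fine for the small moduli used here)."""
    return sum(1 for i in range(1, n) if gcd(i, n) == 1)


def is_primitive_root(a, n):
    """Definition 3.1: a in Z_n^* with a^d != 1 (mod n) for all 1 <= d < phi(n)."""
    if not 1 <= a < n or gcd(a, n) != 1:
        return False
    return all(pow(a, d, n) != 1 for d in range(1, euler_phi(n)))


def primitive_roots(n):
    """All primitive roots of n; empty when n has none (e.g. n = 8)."""
    return [a for a in range(1, n) if is_primitive_root(a, n)]


def generated_subgroup(a, n):
    """The set {a, a^2, a^3, ...} mod n; a generates Z_n^* iff this is all of it."""
    seen, x = set(), 1
    while True:
        x = x * a % n
        if x in seen:
            return seen
        seen.add(x)


def diffie_hellman(p, g, a, b):
    """The exchange of Figure 5 with Alice's secret a and Bob's secret b.
    Returns (alpha, beta, k_A, k_B); alpha and beta are what Erich sees."""
    alpha = pow(g, a, p)          # Alice sends alpha = g^a mod p
    beta = pow(g, b, p)           # Bob sends beta = g^b mod p
    k_a = pow(beta, a, p)         # Alice computes beta^a = g^(ba)
    k_b = pow(alpha, b, p)        # Bob computes alpha^b = g^(ab)
    return alpha, beta, k_a, k_b


if __name__ == "__main__":
    print("primitive roots of 5:", primitive_roots(5), "phi(4) =", euler_phi(4))
    print("primitive roots of 8:", primitive_roots(8))
    p, g = 23, 5                  # constructed toy parameters; 5 generates Z_23^*
    print("5 generates Z_23^*:", generated_subgroup(g, p) == set(range(1, p)))
    alpha, beta, k_a, k_b = diffie_hellman(p, g, a=6, b=15)
    print(f"alpha={alpha} beta={beta} k_A={k_a} k_B={k_b}")
```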

Computing discrete logarithms is considered to be a very hard problem: no efficient algorithms are known for solving it. In contrast, the modular exponential function can be computed efficiently, using the fast exponentiation algorithm "square-and-multiply" described as Figure 2. That is why modular exponentiation is considered to be a candidate for a "one-way function," that is, a function that is easy to compute but hard to invert. Things are bad. It is currently not known whether or not one-way functions exist. Things are worse. Although they are not known to exist, one-way functions play a key role in cryptography, and the security of many cryptosystems is based on the assumption that one-way functions do exist. We discuss the notion of one-way functions in more detail in Section 5.

If Erich is listening carefully to Alice and Bob's communication in the Diffie–Hellman protocol (see Figure 5), he knows p, g, $\alpha$, and $\beta$. He wants to compute their joint secret key, $k_A = k_B$. This problem is known as the Diffie–Hellman problem. If Erich could solve the discrete logarithm problem efficiently, he could easily compute $a = \log_g \alpha \bmod p$ and $b = \log_g \beta \bmod p$ and, thus, $k_A = \beta^a \bmod p$ and $k_B = \alpha^b \bmod p$. That is, the Diffie–Hellman problem is no more difficult than the discrete logarithm problem. The converse question—of whether the Diffie–Hellman problem is as hard as the discrete logarithm problem—is still an unproven conjecture. Fortunately, as noted above, the discrete logarithm problem is viewed as being intractable, so this attack is very unlikely to be a practical threat. On the other hand, it is the only known attack for computing the keys directly from $\alpha$ and $\beta$ in the Diffie–Hellman protocol. Note, however, that no proof of security for this protocol has been established until now.

Note also that computing the keys k_A = k_B directly from α and β is not the only possible attack on the Diffie–Hellman protocol. For example, it is vulnerable to the Man-in-the-middle attack. Unlike passive attacks against the underlying mathematics of a cryptosystem, in which an eavesdropper tries to gain information without affecting the protocol, the Man-in-the-middle attack is an active attack, in which an eavesdropper attempts to alter the protocol to his own advantage. That is, Erich, as the “man in the middle,” might pretend to be Alice when communicating with Bob, and he might pretend to be Bob when communicating with Alice. He could intercept α = g^a mod p that Alice sends to Bob and he could also intercept β = g^b mod p that Bob sends to Alice, passing on his own values α_E in place of α to Bob and β_E in place of β to Alice. That way, Erich could compute two (possibly distinct) keys, one for communicating with Alice, the other one for communicating with Bob, without them having any clue that they in fact are communicating with him. Thus,

ACM Computing Surveys, Vol. 34, No. 4, December 2002.


Fig. 6. A public-key cryptosystem based on the Diffie–Hellman protocol, which uses the encryption and decryption algorithms E_k and D_k of a given symmetric cryptosystem.

Alice and Bob cannot be certain of the authenticity of their respective partners in the communication. In Section 4, we introduce zero-knowledge protocols, which can be used to ensure proper authentication.
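As an added illustration (not code from the tutorial), the following Python runs the Diffie–Hellman exchange of Figure 5 and the man-in-the-middle scenario just described on constructed toy parameters p = 23, g = 5 (real deployments use primes of hundreds of digits), and includes the primitive-root test from the beginning of this section.

```python
"""Diffie–Hellman (Figure 5) and the man-in-the-middle scenario on toy parameters.

Added example, not code from the tutorial. p = 23 and g = 5 are constructed sample
parameters small enough to follow by hand; the key derivation is the same at real sizes.
"""

def prime_factors(n):
    """Set of prime factors of n by trial division (adequate for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(g, p):
    """g generates Z_p^* (p prime) iff g^((p-1)/q) != 1 mod p for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def dh_exchange(p, g, a, b):
    """Honest run: Alice sends alpha = g^a, Bob sends beta = g^b.
    Returns (alpha, beta, k_A, k_B); k_A = beta^a and k_B = alpha^b coincide."""
    alpha, beta = pow(g, a, p), pow(g, b, p)
    return alpha, beta, pow(beta, a, p), pow(alpha, b, p)

def dh_man_in_the_middle(p, g, a, b, e1, e2):
    """Erich intercepts alpha and beta and forwards his own alpha_E = g^e1 to Bob and
    beta_E = g^e2 to Alice. Returns (k_Alice, k_Bob, k_Erich_with_Alice, k_Erich_with_Bob):
    Alice and Bob hold two different keys, and Erich knows both."""
    alpha, beta = pow(g, a, p), pow(g, b, p)          # what Alice and Bob actually send
    alpha_E, beta_E = pow(g, e1, p), pow(g, e2, p)    # what Erich forwards instead
    k_alice = pow(beta_E, a, p)        # Alice believes she shares this with Bob
    k_bob = pow(alpha_E, b, p)         # Bob believes he shares this with Alice
    k_erich_alice = pow(alpha, e2, p)  # g^(a*e2), equal to k_alice
    k_erich_bob = pow(beta, e1, p)     # g^(b*e1), equal to k_bob
    return k_alice, k_bob, k_erich_alice, k_erich_bob

if __name__ == "__main__":
    p, g = 23, 5
    assert is_primitive_root(g, p)
    print(dh_exchange(p, g, 6, 15))                  # (8, 19, 2, 2): shared key 2
    print(dh_man_in_the_middle(p, g, 6, 15, 3, 7))   # (12, 5, 12, 5): keys differ, Erich knows both
```

The authenticity gap the text points to is visible in the last call: nothing in the exchanged values lets Alice or Bob tell α_E, β_E from α, β, which is what Section 4's authentication protocols address.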

By slightly modifying the Diffie–Hellman protocol, it is possible to obtain a public-key cryptosystem. The variant of the Diffie–Hellman protocol presented here in fact is a “hybrid cryptosystem,” a public-key cryptosystem making use of a given symmetric cryptosystem. Such hybrid systems are often useful in practice, for they combine the advantages of asymmetric and symmetric cryptosystems. Symmetric systems are usually more efficient than public-key systems.

The protocol works as follows. Alice and Bob agree on a large prime p and a primitive root g of p, which are public. They also agree on some symmetric cryptosystem S = (P, C, K, E, D) with encryption functions E = {E_k | k ∈ K} and decryption functions D = {D_k | k ∈ K}. The subsequent steps of the protocol are shown in Figure 6. The message to be sent is encrypted using the symmetric system S, and the symmetric key k used in this encryption is transmitted in a Diffie–Hellman-like fashion. This modification of the original Diffie–Hellman protocol is the standard usage of Diffie–Hellman.

The system in Figure 6 modifies the original Diffie–Hellman protocol in the following way. While in the Diffie–Hellman scheme Alice and Bob simultaneously compute and send their “partial keys” α and β, respectively, they do so sequentially in the protocol in Figure 6. That is, Alice must wait for Bob’s value β, his public key, to be able to compute the key k with which she then encrypts her message m via the symmetric cryptosystem S. Moreover, Bob generates, once and for all, his public β for possibly several communications with Alice, and also for possibly several users other than Alice who might want to communicate with him. In contrast, Alice has to generate her α anew again and again every time she communicates with Bob, just like in the original Diffie–Hellman protocol. This modification of Diffie–Hellman is usually referred to as Predistributed Diffie–Hellman. In a key


Fig. 7. The ElGamal public-key cryptosystem.

distribution scheme, one party chooses a key and then transmits it to another party or parties over an insecure channel. In contrast, in a secret-key agreement scheme such as the original Diffie–Hellman protocol from Figure 5, two or more parties jointly compute, by communicating over an insecure channel, a shared secret key, which depends on inputs from both or all parties.

3.2. ElGamal’s Public-Key Cryptosystem and Digital Signature Protocol

Taher ElGamal [1985] developed a public-key cryptosystem and a digital signature protocol that are based on the Diffie–Hellman protocol. In fact, the variant of Diffie–Hellman presented in Figure 6 is somewhat reminiscent of the original ElGamal public-key cryptosystem, which we will now describe.

Figure 7 shows ElGamal’s public-key cryptosystem. After Alice and Bob have agreed on a prime p and a primitive root g of p, Bob picks a random value b ∈ Z_{p−1}^* and computes his public key β = g^b mod p. If Alice wants to send him a message m ∈ Z_p^*, she looks up β and “disguises” m by multiplying it with β^a modulo p, where a ∈ Z_{p−1}^* is a random number she has picked. This yields the first part c of the cipher text; the second part is α = g^a mod p. She sends both c and α to Bob. To decrypt, Bob first computes x = p − 1 − b. Since 1 ≤ b ≤ p − 2, it follows that 1 ≤ x ≤ p − 2. Bob then can recover the original plain text m by computing:

c·α^x ≡ m·β^a·g^{a(p−1−b)} ≡ m·g^{ba + a(p−1) − ab} ≡ m·(g^{p−1})^a ≡ m mod p.
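The encryption and the decryption derivation above, as an added Python example (not code from the tutorial), on constructed toy values p = 23, g = 5, Bob's secret b = 6, message m = 7 and Alice's random a = 3; the generalization over all plaintexts is checked in the round-trip helper.

```python
"""ElGamal public-key cryptosystem (Figure 7) on toy parameters.

Added example, not code from the tutorial. p = 23, g = 5, b = 6, m = 7, a = 3 are
constructed sample values; in practice a is drawn fresh and at random for every message.
"""
import secrets

def elgamal_keygen(p, g, b):
    """Bob's public key beta = g^b mod p for a secret b with 1 <= b <= p-2."""
    if not 1 <= b <= p - 2:
        raise ValueError("b must lie in 1..p-2")
    return pow(g, b, p)

def elgamal_encrypt(p, g, beta, m, a):
    """Alice: c = m * beta^a mod p disguises m, alpha = g^a mod p lets Bob undo it."""
    if not 1 <= m <= p - 1:
        raise ValueError("m must lie in Z_p^*")
    c = (m * pow(beta, a, p)) % p
    alpha = pow(g, a, p)
    return c, alpha

def elgamal_encrypt_random(p, g, beta, m):
    """Same as elgamal_encrypt, but picks a in 1..p-2 with a cryptographic RNG."""
    a = 1 + secrets.randbelow(p - 2)
    return elgamal_encrypt(p, g, beta, m, a)

def elgamal_decrypt(p, b, c, alpha):
    """Bob: with x = p-1-b, c * alpha^x = m * g^(ab) * g^(a(p-1-b)) = m * (g^(p-1))^a = m mod p,
    so the multiplicative mask is removed without ever computing an inverse of beta^a."""
    x = p - 1 - b                       # 1 <= x <= p-2 because 1 <= b <= p-2
    return (c * pow(alpha, x, p)) % p

def roundtrip_all_plaintexts(p, g, b, a):
    """Check the correctness argument for every m in Z_p^* (same a for a fixed test)."""
    beta = elgamal_keygen(p, g, b)
    return all(elgamal_decrypt(p, b, *elgamal_encrypt(p, g, beta, m, a)) == m
               for m in range(1, p))

if __name__ == "__main__":
    p, g, b = 23, 5, 6
    beta = elgamal_keygen(p, g, b)          # 8
    c, alpha = elgamal_encrypt(p, g, beta, 7, 3)
    print(beta, (c, alpha), elgamal_decrypt(p, b, c, alpha))   # 8 (19, 10) 7
```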

Just as in the Diffie–Hellman protocol, the security of the ElGamal protocol is based on the difficulty of computing discrete logarithms. Although it is not known whether breaking the ElGamal protocol is as hard as solving the discrete logarithm problem, it can be shown that breaking the ElGamal protocol is precisely as hard as solving the Diffie–Hellman problem. To prevent known attacks on the ElGamal cryptosystem, the prime p should be chosen large enough (at least 150 digits long)


Fig. 8. The ElGamal digital signature protocol.

and such that p − 1 has at least one large prime factor.

ElGamal’s system can be modified so as to yield a digital signature protocol. A particularly efficient variant of this protocol that is due to an idea of Schnorr [1990] is now the United States “Digital Signature Standard” [NIST 1991, 1992].

The ElGamal digital signature protocol is presented in Figure 8. Suppose that Bob wants to send a message m to Alice. To prove that he indeed is the sender, he wants to sign the message in a way that Alice can verify. Let a large prime p and a primitive root g of p be given as in the ElGamal public-key cryptosystem, see Figure 7. As in that protocol, Bob chooses his private b and computes β = g^b mod p. In addition, he now chooses a number r coprime with p − 1, and he computes ρ = g^r mod p and a solution s to the congruence

b · ρ + r · s ≡ m mod (p − 1)   (3.12)

using the extended algorithm of Euclid, see Figure 1 and Lemma 2.3.

Bob keeps b and r secret, and he sends along with his message m his digital signature sig_B(m) = (ρ, s) and the value β to Alice.

Alice checks the validity of the signature by verifying the congruence

g^m ≡ β^ρ · ρ^s mod p.   (3.13)

The protocol is correct, since by Fermat’s Little Theorem (see Theorem 2.2) and by Equation (3.12), it holds that

g^m ≡ g^{b·ρ + r·s} ≡ β^ρ · ρ^s mod p.

Note that the public verification key, which consists of the values p, g, and β, is computed just once and can be used to verify any message that is signed with p, g, b, and β. However, a new value of r is chosen every time a message is signed.
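Signing and verifying per Figure 8, as an added Python example (not code from the tutorial): s is obtained from congruence (3.12) with the extended Euclidean algorithm, and verification checks (3.13). The values p = 23, g = 5, b = 6, r = 7 and m = 10 are constructed toy inputs.

```python
"""ElGamal digital signatures (Figure 8) on toy parameters.

Added example, not code from the tutorial. p = 23, g = 5, Bob's b = 6, per-message
r = 7 and message m = 10 are constructed sample values.
"""
from math import gcd

def ext_gcd(a, b):
    """Extended Euclid: returns (d, u, v) with d = gcd(a, b) = u*a + v*b."""
    if b == 0:
        return a, 1, 0
    d, u, v = ext_gcd(b, a % b)
    return d, v, u - (a // b) * v

def mod_inverse(a, n):
    """Inverse of a modulo n, which exists iff gcd(a, n) = 1."""
    d, u, _ = ext_gcd(a, n)
    if d != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return u % n

def elgamal_sign(p, g, b, m, r):
    """Bob: rho = g^r mod p and s solving b*rho + r*s = m (mod p-1), see (3.12).
    r must be coprime with p-1 so that r has an inverse modulo p-1."""
    if gcd(r, p - 1) != 1:
        raise ValueError("r must be coprime with p-1")
    rho = pow(g, r, p)
    s = ((m - b * rho) * mod_inverse(r, p - 1)) % (p - 1)
    return rho, s

def elgamal_verify(p, g, beta, m, signature):
    """Alice: accept iff g^m = beta^rho * rho^s (mod p), see (3.13).
    The range check on rho is a standard sanity test that Figure 8 does not spell out."""
    rho, s = signature
    if not 1 <= rho <= p - 1:
        return False
    return pow(g, m, p) == (pow(beta, rho, p) * pow(rho, s, p)) % p

if __name__ == "__main__":
    p, g, b = 23, 5, 6
    beta = pow(g, b, p)                         # public verification key, computed once
    sig = elgamal_sign(p, g, b, 10, 7)          # (17, 12)
    print(sig, elgamal_verify(p, g, beta, 10, sig))          # (17, 12) True
    print(elgamal_verify(p, g, beta, 11, sig))               # False: message altered
```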

3.3. Shamir’s No-Key Protocol

Adi Shamir proposed a cryptosystem by which Alice and Bob can exchange messages that are encrypted by Alice’s and Bob’s individual secret keys, yet in which there is no need for Alice and Bob to previously agree on a joint secret key. This clever idea is described


Fig. 9. Shamir’s no-key protocol.

in an unpublished paper of Shamir, and it is again based on the modular exponentiation function and the difficulty of efficiently computing discrete logarithms that was useful for the Diffie–Hellman secret-key agreement protocol described in Section 3.1. The Shamir protocol is often called Massey–Omura in the literature. Both inventors were preceded by Malcolm Williamson from GCHQ who developed the same protocol in the nonpublic sector around 1974.

Figure 9 shows how Shamir’s no-key protocol works. In this protocol, let m be the message that Alice wants to send to Bob. First, Alice and Bob agree on a large prime p. Alice generates a pair (a, a^{−1}) satisfying

a·a^{−1} ≡ 1 mod (p − 1),

where a^{−1} is the inverse of a modulo p − 1. Recall from Section 2.2 that, given a prime p and an integer a ∈ Z_p^*, the inverse a^{−1} of a modulo p − 1 can easily be computed. Similarly, Bob generates a pair (b, b^{−1}) satisfying

b·b^{−1} ≡ 1 mod (p − 1),

where b^{−1} is the inverse of b modulo p − 1. See Figure 9 for the rest of the steps.

The protocol is correct, since for all messages m, 1 ≤ m ≤ p, it holds that:

m ≡ m^{a·a^{−1}} mod p   and   m ≡ m^{b·b^{−1}} mod p.

Hence, looking at Figure 9, we obtain

z^{b^{−1}} ≡ y^{a^{−1}·b^{−1}} ≡ x^{b·a^{−1}·b^{−1}} ≡ m^{a·b·a^{−1}·b^{−1}} ≡ m mod p,

so Step 8 of Figure 9 is correct.

Note that modular exponentiation is used here both for encryption and decryption. The key property for this protocol to work is that modular exponentiation is symmetric in the exponents, that is, for all a and b, it holds that

α(g, p)(a · b) ≡ g^{a·b} ≡ g^{b·a} mod p.
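The three passes x, y, z of Figure 9 and the correctness argument above, as an added Python example (not code from the tutorial) on constructed toy values p = 23, m = 7, a = 3 and b = 5; the helper also enforces the precondition that the exponents be invertible modulo p − 1.

```python
"""Shamir's no-key (Massey–Omura) protocol, Figure 9, on toy parameters.

Added example, not code from the tutorial. p = 23, m = 7, Alice's a = 3 and Bob's b = 5
are constructed sample values; each party's exponent and its inverse stay private.
"""
from math import gcd

def valid_exponent(p, e):
    """e is usable iff it has an inverse modulo p-1, i.e. gcd(e, p-1) = 1."""
    return 1 <= e <= p - 2 and gcd(e, p - 1) == 1

def keypair(p, e):
    """(e, e^{-1} mod p-1), the pair (a, a^{-1}) resp. (b, b^{-1}) of the text."""
    if not valid_exponent(p, e):
        raise ValueError("exponent must be coprime with p-1")
    return e, pow(e, -1, p - 1)      # Python 3.8+: modular inverse via pow

def no_key_transfer(p, m, a, b):
    """Run the three passes and Bob's final step; returns (x, y, z, m_recovered).
    x, y, z are the only values that travel over the channel."""
    a, a_inv = keypair(p, a)
    b, b_inv = keypair(p, b)
    x = pow(m, a, p)          # Alice -> Bob:   x = m^a
    y = pow(x, b, p)          # Bob -> Alice:   y = x^b = m^(ab)
    z = pow(y, a_inv, p)      # Alice -> Bob:   z = y^(a^-1) = m^b, since m^(a a^-1) = m
    m_rec = pow(z, b_inv, p)  # Bob (Step 8):   z^(b^-1) = m^(b b^-1) = m
    return x, y, z, m_rec

if __name__ == "__main__":
    print(no_key_transfer(23, 7, 3, 5))   # (21, 14, 17, 7)
```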

3.4. Rivest, Rabi, and Sherman’s Secret-Key Agreement and Digital Signature Protocols

Ron Rivest, Muhammad Rabi, and Alan Sherman developed secret-key agreement and digital signature protocols. The secret-key agreement protocol from Figure 10 is attributed to Rivest and Sherman in Rabi and Sherman [1993, 1997]. The digital signature protocol from


Fig. 10. The Rivest–Sherman secret-key agreement protocol, which uses a strongly noninvertible, associative one-way function σ.

Figure 11 is due to Rabi and Sherman [1993, 1997].

Here is a brief, intuitive explanation of how these protocols work. The key building block of both protocols is a total, strongly noninvertible, associative one-way function. As mentioned earlier, one-way functions are theoretical constructs not known to exist. However, there are plausible assumptions under which one-way functions of various types can be constructed. In Section 5, under a quite plausible complexity-theoretic assumption, we will see how to construct a concrete candidate for a total, strongly noninvertible, associative one-way function. For now, assume that σ is such a function. That is, σ is a total two-ary (i.e., two-argument) function mapping pairs of positive integers to positive integers such that:

—σ is associative, that is, the equation σ(x, σ(y, z)) = σ(σ(x, y), z) holds for all x, y, z ∈ N.

—σ is strongly noninvertible, that is, σ is hard to invert even if in addition to the function value one of the arguments is given.

Look at Rivest and Sherman’s secret-key agreement protocol in Figure 10. Since σ is associative, we have:

k_A = σ(x, σ(y, z)) = σ(σ(x, y), z) = k_B,

and thus the keys computed by Alice and Bob indeed are the same. On the other hand, if Erich was listening carefully, he knows not only two function values, σ(x, y) and σ(y, z), but he also knows y, the first argument of σ(y, z) and the second argument of σ(x, y). That is why σ must be strongly noninvertible, in order to prevent the direct attack that Erich computes Alice’s secret number x from σ(x, y) and y or Bob’s secret number z from σ(y, z) and y, in which case he could easily obtain their joint secret key, k_A = k_B. Analogous comments apply to Rabi and Sherman’s digital signature protocol presented in Figure 11.

3.5. Discussion of Diffie–Hellman versus Rivest–Sherman

While the secret-key agreement protocol of Diffie and Hellman [1976] is widely used in practice, that of Rivest and Sherman (see Rabi and Sherman [1993, 1997]) is not (yet) used in applications and, thus, might appear somewhat exotic at first glance. Note, however, that neither the Diffie–Hellman nor the Rivest–Sherman protocol


Fig. 11. The Rabi–Sherman digital signature protocol, which uses a strongly noninvertible, associative one-way function σ.

has a proof of security up to date. So, let us digress for a moment to compare the state of the art on these two protocols.

—While the Diffie–Hellman protocol uses a concrete function, the Rivest–Sherman protocol is based on an unspecified, “abstract” function that is described only by listing the properties it should satisfy. That is not to say that Rivest–Sherman is an abstract version of Diffie–Hellman. Rather, the Rivest–Sherman protocol may be seen as an alternative to the Diffie–Hellman protocol. The advantage of Rivest and Sherman’s approach is that it is more flexible, as it does not depend on a single function.

—The security of the Diffie–Hellman scheme is based on the (unproven, yet plausible) assumption that computing discrete logarithms is a computationally intractable task.

In contrast, the Rivest–Sherman scheme uses a candidate for a strongly noninvertible, associative one-way function (see Section 5.1 for the formal definition) as its key building block. Although it is not known whether such functions exist, it has been shown recently by Hemaspaandra and this author [1999] that they do exist in the worst-case model under the (unproven, yet plausible) assumption that P ≠ NP, where P denotes the class of polynomial-time solvable problems, and NP denotes the class of problems that can be solved nondeterministically in polynomial time. Section 5 presents this result and a sketch of its proof.

—Breaking Diffie–Hellman is not even known to be as hard as computing discrete logarithms, even though some nice progress in this direction has been made recently by Maurer and Wolf [1999], who established conditions for relating the hardness of breaking Diffie–Hellman to that of computing discrete logarithms. Again, their results rest on unproven, yet plausible assumptions. In particular, let ν(p) denote the minimum, taken over all numbers d in the interval [p − 2√p + 1, p + 2√p + 1], of the largest prime factors of d. The “smoothness assumption” says that


ν(p) is polynomial in log p. Why is this assumption plausible? The idea is that numbers in the Hasse–Weil interval (which are sizes of elliptic curves) are smooth with the same probability as random numbers of the same length, and these probabilities are independent. Under this smoothness assumption, Maurer and Wolf [1999] proved that breaking Diffie–Hellman and computing the discrete logarithm are polynomial-time equivalent tasks in the underlying cyclic group, where the equivalence is nonuniform.

Similarly, even if strongly noninvertible, associative one-way functions were known to exist, one could not conclude that the Rivest–Sherman protocol is secure; rather, strong noninvertibility merely precludes certain types of direct attacks [Rabi and Sherman 1997; Hemaspaandra and Rothe 1999]. Moreover, strongly noninvertible, associative one-way functions could be constructed so far only in the worst-case complexity model, assuming P ≠ NP. Although this result is relevant and interesting in a complexity-theoretic setting, it has no direct implications in applied cryptography. For cryptographic applications, one would need to construct such functions based on the average-case complexity model, under plausible assumptions.

As noted in the outline of the tutorial, there is some hope for obtaining such a strong result by combining Hemaspaandra and Rothe’s [1999] technique on constructing strongly noninvertible, associative one-way functions in the worst case with Ajtai’s [1996] techniques on constructing hard instances of lattice problems. The shortest lattice vector problem, denoted by SVP, is the problem of finding a shortest lattice vector in the lattice generated by a given lattice basis. Roughly speaking, Ajtai [1996] proved that the problem SVP is as hard in the average-case as it is in the worst-case complexity model.

More precisely, Ajtai constructed an infinite family {Λ_n}_{n≥1} of lattices, where each Λ_n is represented by a basis as an instance of SVP, and he showed the following result: Suppose one can compute in polynomial time, for each n, an approximately shortest vector in a lattice Λ_i randomly chosen from {Λ_n}_{n≥1}, with nonnegligible probability. Then, the length of a shortest vector in every lattice from {Λ_n}_{n≥1} can be estimated to within a fixed polynomial factor in polynomial time with probability close to one. However, since the best approximation factor known to be achieved by polynomial-time algorithms is essentially exponential, and since the best algorithms known to achieve polynomial-factor approximations run in exponential time, it follows that, as mentioned above, “SVP is as hard in the average-case as it is in the worst-case model.” In this regard, the SVP is a unique problem; for no other problem in NP that is believed to be outside P is such a strong connection known to hold.

Based on the worst-case/average-case equivalence of SVP, Ajtai and Dwork [1997] designed a public-key cryptosystem whose cryptographic security depends only on worst-case complexity assumptions. However, the worst-case hardness of SVP (in the Euclidean norm) had remained an open problem for a long time. Solving this problem, Ajtai [1998] established the NP-hardness of SVP under randomized reductions. His result was strengthened by Micciancio [2001], who also simplified Ajtai’s proof. Since the construction of strongly noninvertible, associative one-way functions in Hemaspaandra and Rothe [1999] is based on the assumption P ≠ NP, it seems reasonable to consider the NP-hard problem SVP to be a good candidate for achieving strongly noninvertible, associative one-way functions even in the technically more demanding average-case model.

The complexity of SVP and the use of lattices in cryptography are covered in the surveys by Cai [1999], Kumar and Sivakumar [2001], and Nguyen and Stern [2001]. Interestingly, lattices are useful both in breaking existing cryptosystems like RSA (e.g., the low-exponent attacks of Håstad [1988] and Coppersmith [1997], see Section 2.4) and in designing


secure cryptosystems (e.g., the Ajtai–Dwork public-key cryptosystem).

4. INTERACTIVE PROOF SYSTEMS AND ZERO-KNOWLEDGE PROTOCOLS

In Section 3.1, we mentioned the Man-in-the-middle attack on the Diffie–Hellman secret-key agreement protocol. Imagine that Bob has just agreed with his partner on a joint secret key via a public telephone line. Of course, he assumes it was Alice he was talking to. Bob was so clever to use the Diffie–Hellman protocol, and so he thinks that Erich does not have a clue about what secret key they have chosen:

But Erich was even smarter. Here is what really happened:

This situation raises the issue of authentication: How can Bob be certain that it in fact was Alice he was communicating with, and not Erich pretending to be Alice? In other words, how can Alice prove her identity to Bob beyond any doubt?

In Section 3, we have seen how to use digital signatures for the authentication of documents such as e-mail messages. In this section, our goal is to achieve authentication of an individual rather than a document. One way to achieve this goal is to assign to Alice’s identity some secret information such as her PIN (“Personal Identification Number”) or any other private information that nobody else knows. We refer to the information proving Alice’s identity as Alice’s secret.

But here’s another catch. Alice would like to convince Bob of her identity by proving that she knows her secret. Ideally, however, she should not disclose her secret because then it wouldn’t be a secret anymore: If Bob, for example, knew Alice’s secret, he could pretend to be Alice when communicating with somebody else. So the question is:

How can one prove the knowledge of a secret without telling the secret?

That is precisely what zero-knowledge protocols are all about.

4.1. Interactive Proof Systems

Zero-knowledge protocols are a special form of interactive proof systems, which we will describe first. Interactive proof systems were introduced by Shafi Goldwasser, Silvio Micali, and Charles Rackoff [Goldwasser et al. 1985, 1989]. Independently, Babai and Moran [1988] and Babai [1985] developed the essentially equivalent notion of Arthur–Merlin games.

As in the previous protocols, we consider the communication between two parties, the “prover” Alice and the “verifier” Bob:

For now, we are not interested in the security aspects that may arise when the communication is eavesdropped; rather, we are concerned with the following communication problem: Alice and Bob want to jointly solve a given problem L, that is, they want to decide whether or not any given instance belongs to L. For concreteness, consider the graph isomorphism problem.

Definition 4.1. The vertex set of any graph G is denoted by V(G), and the edge set of G is denoted by E(G). Let G and


H be undirected, simple graphs, that is, graphs with no reflexive or multiple edges.

An isomorphism between G and H is a bijective mapping π from V(G) onto V(H) such that, for all i, j ∈ V(G),

{i, j} ∈ E(G) ⇔ {π(i), π(j)} ∈ E(H).

Graph-Isomorphism denotes the set of all pairs of isomorphic graphs.

The graph isomorphism problem is to determine whether or not any two given graphs are isomorphic. This problem belongs to NP, and since there is no efficient algorithm known for solving it, it is widely considered to be a hard, intractable problem. However, it is not known to be complete for NP, that is, it is not known whether this problem belongs to the hardest NP problems. In fact, due to its “lowness” properties, it is doubted that the graph isomorphism problem is NP-complete. A set A is low for a complexity class C if it does not yield any additional computational power when used as an oracle by the machines representing the class C, that is, if C^A = C. Schöning [1987] showed that Graph-Isomorphism is in the second level of the low hierarchy within NP, that is, it is low for NP^NP, the second level of the polynomial hierarchy. It follows that if Graph-Isomorphism were NP-complete then the polynomial hierarchy would collapse, which is considered unlikely. Moreover, Köbler et al. [1992] proved Graph-Isomorphism low for PP, probabilistic polynomial time.

Therefore, it is conjectured that the graph isomorphism problem might be neither in P nor NP-complete, and this is what makes this problem so interesting for complexity theoreticians. Of course, proving this conjecture would immediately prove P different from NP; so, such a proof seems beyond current techniques. For more complexity-theoretic background on the graph isomorphism problem, we refer to the book by Köbler et al. [1993].

We mention in passing that (language versions of) the factoring problem and the discrete logarithm problem are not known to be NP-complete either. Unlike the graph isomorphism problem, however, no lowness properties are known for these two problems. Grollmann and Selman [1988] have shown that a language version of the discrete logarithm problem is contained in UP, which denotes Valiant’s [1976] class “unambiguous polynomial time.” NP-complete problems are very unlikely to belong to UP, so this result gives some evidence against the NP-completeness of the discrete logarithm problem.

Returning to Alice and Bob’s communication problem, their task is to decide whether or not any given pair (G, H) of graphs is isomorphic. Alice, the prover, tries to prove them isomorphic by providing Bob with an isomorphism π between G and H. She intends to convince Bob no matter whether or not G and H in fact are isomorphic. But Bob is impatient. To accept the input, he wants to be convinced with overwhelming probability that the proof provided by Alice indeed is correct. Even worse, he is convinced only if every potential prover strategy Alice might come up with yields an overwhelming success probability. If Alice can accomplish this then Bob accepts the input, otherwise he rejects it.

To formalize this intuition, imagine Alice and Bob to be Turing machines. Alice, the prover, is an all-powerful Turing machine with no computational limitation whatsoever. Bob, the verifier, is a randomized Turing machine working in polynomial time, but capable of making random moves by flipping an unbiased coin. In Definition 4.2 below, in case of acceptance, it is enough that Alice finds one sufficient strategy to convince Bob. In case of rejection, however, rather than considering every potential prover strategy of Alice, it is useful to quantify over all possible provers that may replace Alice.

For the definition of randomized Turing machines, we refer to any textbook on complexity theory such as Balcázar et al. [1995], Bovet and Crescenzi [1993], Hemaspaandra and Ogihara [2001], and Papadimitriou [1994]. Essentially, every nondeterministic Turing machine can be viewed as a randomized Turing machine


by defining a suitable probability measure on the computation trees of the machine.

Definition 4.2 (Interactive Proof System)[Goldwasser et al. 1985, 1988]

(1) An interactive proof system (or “IP protocol”) (A, B) is a protocol between Alice, the prover, and Bob, the verifier. Alice runs a Turing machine A with no limit on its resources, while Bob runs a polynomial-time randomized Turing machine B. Both access the same input on a joint input tape, and they are equipped with private work tapes for internal computations. They also share a read-write communication tape to exchange messages. Alice does not see Bob’s random choices. Let Pr((A, B)(x) = 1) denote the probability (according to the random choices made in the communication) that Bob accepts the input x; that is, for a particular sequence of random bits, “(A, B)(x) = 1” denotes the event that Bob is convinced by Alice’s proof for x and accepts.

(2) An interactive proof system (A, B) accepts a set L if and only if for each x:

x ∈ L ⇒ (∃A)[Pr((A, B)(x) = 1) ≥ 3/4];   (4.14)

x ∉ L ⇒ (∀A)[Pr((A, B)(x) = 1) ≤ 1/4],   (4.15)

where in (4.14) we quantify over the prover strategies (or “proofs”) for x of the prescribed Turing machine A, whereas in (4.15) we quantify over the proofs A for x of any prover (i.e., any Turing machine of unlimited computational power) that may replace the fixed Turing machine A.

(3) IP denotes the class of all sets that can be accepted by an interactive proof system.

Note that the acceptance probabilities of at least 3/4 if x ∈ L (respectively, of at most 1/4 if x ∉ L) are chosen at will. By probability amplification techniques [Papadimitriou 1994; Balcázar et al. 1995; Bovet and Crescenzi 1993], one can use any constants 1/2 + ε and 1/2 − ε, respectively, where ε > 0. It is even possible to make the error probability as small as 2^{−p(|x|)}, for any fixed polynomial p. Better yet, Goldreich et al. [1987] have shown that one can even require the acceptance probability of exactly 1 if x ∈ L, without changing the class IP.

In the literature, verifier and prover are sometimes referred to as Arthur and Merlin. In fact, the Arthur–Merlin games introduced by Babai and Moran [1988] and Babai [1985] are nothing else than the interactive proof systems of Goldwasser et al. [1985, 1989]. One difference between Definition 4.2 and the definition of Arthur–Merlin games is that the random bits chosen by Arthur are public (i.e., they are known to Merlin), while they are private to Bob in Definition 4.2. However, Goldwasser and Sipser [1989] have shown that the privacy of the verifier’s random bits does not matter: Arthur–Merlin games are equivalent to interactive proof systems.

What if Bob has run out of coins? That is, what if he behaves deterministically when verifying Alice’s proof for “x ∈ L”? Due to her unlimited computational power, Alice can provide proofs of unlimited length, that is, of length not bounded by any function in the length of x. However, since Bob is a polynomial-time Turing machine, it is clear that he can check only proofs of length polynomial in |x|. It follows that IP, when restricted to deterministic polynomial-time verifiers, is just a cumbersome way of defining the class NP. Hence, since Graph-Isomorphism belongs to NP, it must also belong to the (unrestricted) class IP. We omit presenting an explicit IP protocol for Graph-Isomorphism here, but we refer to Section 4.3, where in Figure 13 an IP protocol for Graph-Isomorphism with an additional property is given: it is a zero-knowledge protocol.

But what about the complement of Graph-Isomorphism? Does there exist an interactive proof system that decides whether or not two given graphs are nonisomorphic? Note that even though Alice


Fig. 12. The Goldreich–Micali–Wigderson IP protocol for the complement of Graph-Isomorphism (graph nonisomorphism).

is all-powerful computationally, she may run into difficulties when she is trying to prove that the graphs are nonisomorphic. Consider, for example, two nonisomorphic graphs with 1000 vertices each. A proof of that fact seems to require Alice to show that none of the 1000! possible permutations is an isomorphism between the graphs. Not only would it be impossible for Bob to check such a long proof in polynomial time, also for Alice it would be literally impossible to write this proof down. After all, 1000! is approximately 4 · 10^{2567}. This number exceeds the number of atoms in the entire visible universe,[5] which is currently estimated to be around 10^{77}, by a truly astronomical factor.

That is why the following result ofGoldreich et al. [1986, 1991] was a bit of asurprise.

THEOREM 4.3 (GOLDREICH ET AL. 1986,1991). Graph-Isomorphism is in IP.

PROOF. Figure 12 shows the interac-tive proof system for the graph nonisomor-phism problem.

Let us check that the implications (4.14)and (4.15) from Definition 4.2 do hold.Suppose that G1 and G2 are nonisomor-phic. Then, it is easy for Alice to determine

5 Dark matter excluded.

that graph Gb, b ∈ {1, 2}, to which H isisomorphic. So she sends a = b, and Bobaccepts with probability 1. That is,

(G1, G2) ∉ Graph-Isomorphism ⇒ (∃A)[Pr((A, B)(G1, G2) = 1) = 1].

Now suppose that G1 and G2 are isomorphic. Then, no matter what clever strategy Alice applies, her chance of answering correctly (i.e., with a = b) is no better than 1/2 because she does not see Bob’s random bit b and so can do no better than guessing. That is,

(G1, G2) ∈ Graph-Isomorphism ⇒ (∀A)[Pr((A, B)(G1, G2) = 1) ≤ 1/2].

Note that the acceptance probability of ≤ 1/2 above is not yet the acceptance probability of ≤ 1/4 required in (4.15) of Definition 4.2. However, as mentioned above, standard probability amplification techniques yield an error probability as close to zero as one desires. We leave the details to the reader.

By definition, IP contains all of NP. The above result shows that IP also contains a problem from coNP, the class of complements of NP problems, which is unlikely to be contained in NP. So, the question arises of how big the class IP actually is. A famous result of Shamir [1992] settled this question: IP equals PSPACE, the class of problems that can be decided in polynomial space.

4.2. Zero-Knowledge Protocols

Recalling the issue of authentication mentioned at the beginning of this section, we are now ready to define zero-knowledge protocols.

As mentioned above, Graph-Isomorphism is in IP. To prove that the two given graphs are isomorphic, Alice simply sends an isomorphism π to Bob, which he then checks deterministically in polynomial time. Suppose, however, that Alice wants to keep the isomorphism π secret. On the one hand, she does not want to disclose her secret; on the other hand, she wants to prove to Bob that she knows it. What she needs is a very special IP protocol that conveys nothing about her secret isomorphism, and yet proves that the graphs are isomorphic. The next section will present such a zero-knowledge protocol for Graph-Isomorphism.

But what is a zero-knowledge protocol and how can one formalize it? The intuition is this. Imagine that Alice has a twin sister named Malice who looks just like her. However, Malice does not know Alice’s secret. Moreover, Malice does not have Alice’s unlimited computational power; rather, just as the verifier Bob, she only operates like a randomized polynomial-time Turing machine. Still, she tries to simulate Alice’s communication with Bob. An IP protocol has the zero-knowledge property if the information communicated in Malice’s simulated protocol cannot be distinguished from the information communicated in Alice’s original protocol. Malice, not knowing the secret, cannot put any information about the secret into her simulated protocol, and yet she is able to generate that clone of the original protocol that looks just like the original to an independent observer. Consequently, the verifier Bob (or any other party such as Erich) cannot extract any information from the original protocol. In short, if there’s nothing in there, you can’t get anything out of it.

Definition 4.4 (Zero-Knowledge Protocols) [Goldwasser et al. 1985, 1989]. Let (A, B) be an interactive proof system accepting a problem L. We say (A, B) is a zero-knowledge protocol for L if and only if there exists a simulator Malice such that the following holds:

—Malice runs a randomized polynomial-time Turing machine M to simulate the prover Alice in her communication with Bob, thus yielding a simulated protocol (M, B);

—for each x ∈ L, the tuples (a1, a2, . . . , ak) and (m1, m2, . . . , mk) representing the communication in (A, B) and in (M, B), respectively, are identically distributed over the coin tosses of A and B in (A, B) and of M and B in (M, B), respectively.

The above definition is called “honest-verifier perfect zero-knowledge” in the literature. That is, (a) one assumes that the verifier is honest, and (b) one requires that the information communicated in the simulated protocol perfectly coincides with the information communicated in the original protocol.

Assumption (a) is not quite realistic for most cryptographic applications. A dishonest verifier might alter the protocol to his own advantage. Therefore, one should modify the definition above to require that for each verifier B* there exists a simulator M* generating a simulated protocol not distinguishable from the original one. However, honest-verifier zero-knowledge protocols with public random bits can always be transformed to protocols that have the zero-knowledge property also in the presence of dishonest verifiers.

Regarding assumption (b), there are several other notions of zero-knowledge that are weaker than perfect zero-knowledge, such as “statistical zero-knowledge” and “computational zero-knowledge.” In a statistical zero-knowledge protocol (also known as almost-perfect zero-knowledge protocol), one requires that the information communicated in the original and in the simulated protocol be indistinguishable by certain statistical tests. In a computational zero-knowledge protocol, one merely requires that the information communicated in the original and in the simulated protocol be computationally indistinguishable, that is, for each randomized polynomial-time Turing machine, the probability of detecting differences in the corresponding distributions is negligibly small.

In the latter model, Goldreich et al. [1986, 1991] showed what is considered by far the most important result on zero-knowledge: Every problem in NP has a computational zero-knowledge protocol under the plausible assumption that there exist cryptographically secure bit-commitment schemes. The key idea is a computational zero-knowledge protocol for Graph-Three-Colorability, a well-known NP-complete problem. In contrast, it seems unlikely [Brassard and Crépeau 1989] that such a strong claim can be proven for the perfect zero-knowledge model presented in Definition 4.4.

For more information about interactive proof systems and zero-knowledge, we refer to the books by Goldreich [2001, Chap. 4], Köbler et al. [1993, Chap. 2], Papadimitriou [1994, Chap. 12.2], Balcázar et al. [1990, Chap. 11], and Bovet and Crescenzi [1993, Chap. 10] and to the surveys by Oded Goldreich [1988], Shafi Goldwasser [1989], and Joan Feigenbaum [1992].

4.3. Zero-Knowledge Protocol for the Graph Isomorphism Problem

Goldreich et al. [1986, 1991] proposed a zero-knowledge protocol for the graph isomorphism problem. This result was quite a surprise, since previously zero-knowledge protocols were known only for problems contained both in NP and coNP. It is considered to be unlikely that NP equals coNP; in particular, it is considered to be unlikely that Graph-Isomorphism is in coNP.

THEOREM 4.5 [GOLDREICH ET AL. 1986, 1991]. Graph-Isomorphism has a zero-knowledge protocol.

PROOF. Figure 13 shows the Goldreich–Micali–Wigderson protocol. One difference to the protocol for the graph nonisomorphism problem in Figure 12 is that now Alice too makes random choices.

Alice’s secret is the isomorphism π she has chosen. The protocol is correct, since Alice knows her secret π and also her random permutation ρ. Hence, she can easily compute the isomorphism σ with σ(Gb) = H to prove her identity to Bob. When doing so, she does not have to disclose her secret π to Bob in order to convince him of her identity. In particular,

(G1, G2) ∈ Graph-Isomorphism ⇒ (∃A)[Pr((A, B)(G1, G2) = 1) = 1],

so the implication (4.14) from Definition 4.2 holds. Since Alice herself has chosen two isomorphic graphs, the case (G1, G2) ∉ Graph-Isomorphism does not occur, so the implication (4.15) from Definition 4.2 trivially holds if the protocol is implemented properly. Thus, the protocol is an interactive proof system for Graph-Isomorphism.

Recall that Alice wants to prove her identity via this protocol. Suppose that Erich or Malice want to cheat by pretending to be Alice. They do not know her secret isomorphism π, but they do know the public isomorphic graphs G1 and G2. They want to convince Bob that they know Alice’s secret, which corresponds to (G1, G2). If, by coincidence, Bob’s bit b equals their previously chosen bit a, they win. However, if b ≠ a, computing σ = ρ ∘ π or σ = ρ ∘ π⁻¹ requires knowledge of π. Without knowing π, computing π from the public graphs G1 and G2 seems to be impossible for them, since Graph-Isomorphism is a hard problem, too hard even for randomized polynomial-time Turing machines. Thus, they will fail provided that the graphs are chosen large enough.

Since they cannot do better than guessing the bit b, they can cheat with probability at most 1/2. Of course, they can always guess the bit b, which implies that their chance of cheating successfully is exactly 1/2. Hence, if Bob demands, say, k independent rounds of the protocol to be executed, he can make the cheating probability as small as 2⁻ᵏ, and thus is very likely to detect any cheater. Note that after only 20 rounds the odds of malicious Malice getting away with it undetected are less than one to one million. Hence, the protocol is correct.

Fig. 13. The Goldreich–Micali–Wigderson zero-knowledge protocol for graph isomorphism.

It remains to show that the protocol in Figure 13 is zero-knowledge. Figure 14 shows a simulated protocol with Malice, who does not know the secret π, replacing Alice. The information communicated in one round of the protocol is given by a triple of the form (H, b, σ). Whenever Malice chooses a bit a with a = b, she simply sends σ = ρ and wins: Bob, or any independent observer, will not detect that she in fact is Malice. Otherwise, whenever a ≠ b, Malice fails. However, that’s no problem at all: She simply deletes this round from the simulated protocol and repeats. Thus, she can produce a sequence of triples of the form (H, b, σ) that is indistinguishable from the corresponding sequence of triples in the original protocol between Alice and Bob. It follows that the Goldreich–Micali–Wigderson protocol is zero-knowledge.
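As an added example (not code from the tutorial or from Goldreich, Micali and Wigderson), the following Python models one round of each protocol discussed in this section: the nonisomorphism protocol of Figure 12, the zero-knowledge isomorphism protocol of Figure 13, a prover who lacks π, and the Figure 14 simulator. The sample graphs and the brute-force isomorphism search that plays the part of the all-powerful prover are constructions for this example.

```python
"""Added model of one round of each Goldreich-Micali-Wigderson protocol in
this section (Figures 12, 13, 14); not code from the tutorial or its sources.
A graph is a frozenset of 2-element frozensets (edges) on vertices 0..n-1.
The sample graphs and the brute-force search standing in for the
all-powerful prover are constructed for this example."""
import itertools
import secrets

def graph(pairs):
    return frozenset(frozenset(e) for e in pairs)

def apply_perm(edges, perm):
    """Relabel every edge {u, v} as {perm[u], perm[v]}."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

def random_perm(n):
    """Uniformly random permutation of 0..n-1 (Fisher-Yates)."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def find_isomorphism(n, g1, g2):
    """Exhaustive search over all n! relabelings, standing in for the
    unlimited computational power the text grants Alice. Returns pi with
    pi(G1) = G2, or None if the graphs are nonisomorphic."""
    for perm in itertools.permutations(range(n)):
        if apply_perm(g1, perm) == g2:
            return list(perm)
    return None

def compose(outer, inner):
    """(outer ∘ inner)(v) = outer[inner[v]]."""
    return [outer[v] for v in inner]

def invert(perm):
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv

def gni_round(n, g1, g2):
    """Figure 12 (graph nonisomorphism): Bob tosses b in {1, 2}, sends
    H = rho(G_b) for a random rho, and accepts iff Alice names b. If the
    graphs are nonisomorphic Alice is always right; if they are isomorphic,
    H is consistent with both and she can only guess."""
    b = 1 + secrets.randbelow(2)                 # Bob's private coin
    h = apply_perm((g1, g2)[b - 1], random_perm(n))
    a = 1 if find_isomorphism(n, g1, h) is not None else 2
    return a == b

def gi_zk_round(n, g1, g2, pi, b=None):
    """Figure 13 (zero-knowledge graph isomorphism). Alice's secret is pi with
    pi(G1) = G2. She tosses a, picks rho, sends H = rho(G_a); Bob sends b;
    she answers sigma with sigma(G_b) = H: rho if a == b, otherwise
    rho ∘ pi^-1 or rho ∘ pi. Returns the transcript (H, b, sigma) and verdict."""
    a = 1 + secrets.randbelow(2)
    rho = random_perm(n)
    h = apply_perm((g1, g2)[a - 1], rho)
    if b is None:
        b = 1 + secrets.randbelow(2)
    if a == b:
        sigma = rho
    elif a == 1:                 # H = rho(G1) = rho(pi^-1(G2))
        sigma = compose(rho, invert(pi))
    else:                        # H = rho(G2) = rho(pi(G1))
        sigma = compose(rho, pi)
    accepted = apply_perm((g1, g2)[b - 1], sigma) == h
    return (h, b, tuple(sigma)), accepted

def impostor_round(n, g1, g2, a=None, b=None):
    """A prover who lacks pi can only answer sigma = rho, which verifies
    exactly when the guessed a equals Bob's b: probability 1/2 per round,
    2^-k over k independent rounds."""
    a = 1 + secrets.randbelow(2) if a is None else a
    b = 1 + secrets.randbelow(2) if b is None else b
    rho = random_perm(n)
    h = apply_perm((g1, g2)[a - 1], rho)
    return apply_perm((g1, g2)[b - 1], rho) == h

def simulate_gi_round(n, g1, g2):
    """Figure 14: Malice, without pi, keeps a round only when her guess a
    equals Bob's coin b, so every emitted (H, b, sigma) verifies and is
    distributed exactly like Alice's."""
    while True:
        a = 1 + secrets.randbelow(2)
        rho = random_perm(n)
        h = apply_perm((g1, g2)[a - 1], rho)
        b = 1 + secrets.randbelow(2)             # honest Bob's fresh coin
        if a == b:
            return (h, b, tuple(rho))

# Constructed instance: the path P4 (G1), its image under the secret pi (G2),
# and the star K_{1,3} (G3), which has 3 edges like P4 but is not isomorphic.
N = 4
G1 = graph([(0, 1), (1, 2), (2, 3)])
PI = [2, 0, 3, 1]
G2 = apply_perm(G1, PI)
G3 = graph([(0, 1), (0, 2), (0, 3)])
```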

4.4. Fiat and Shamir’s Zero-Knowledge Protocol

Fig. 14. How to simulate the Goldreich–Micali–Wigderson protocol without knowing the secret π.

Based on a similar protocol by Goldwasser et al. [1989], Fiat and Shamir [1986] proposed a zero-knowledge protocol for a number-theoretical problem. It is based on the assumption that computing square roots in Z_n^* is infeasible in practice. Due to its properties, the Fiat–Shamir protocol is particularly suitable for authentication of individuals in large computer networks. It is a public-key protocol, it is more efficient than other public-key protocols such as the RSA algorithm, it can be implemented on a chip card, and it is zero-knowledge. These advantages resulted in a rapid deployment of the protocol in practical applications. The Fiat–Shamir protocol is integrated in the “Videocrypt” Pay-TV system [Cohen and Hashkes 1991]. The original Fiat–Shamir identification scheme has later been improved by Feige et al. [1988] to a zero-knowledge protocol in which not only the secret square roots modulo n are not revealed, but also the information of whether or not there exists a square root modulo n is not leaked.

The theory of zero-knowledge may also become important in future internet technologies. To prevent confusion, we note that Zero-Knowledge Systems, Inc., a Montreal-based company that was founded in 1997 and provides products and services enabling users to protect their privacy on-line on the World Wide Web, is not a commercial fielding of zero-knowledge protocols (I. Goldberg, personal communication).

THEOREM 4.6 [FIAT AND SHAMIR 1986]. The Fiat–Shamir procedure given in Figure 15 is a zero-knowledge protocol.

Fig. 15. The Fiat–Shamir zero-knowledge protocol.

PROOF. Look at Figure 15. The protocol is correct, since Alice knows the secret s ∈ Z_n^* that she has chosen, and thus she can compute y = r · sᵇ, where b is the bit that Bob has chosen at random. Hence, it holds in Z_n^* that

y² ≡ (r · sᵇ)² ≡ r² · s²ᵇ ≡ r² · vᵇ ≡ x · vᵇ mod n,

so Bob accepts Alice’s identity.

Suppose now that Erich or Malice want to cheat by pretending to be Alice. They do not know her secret s, nor do they know the primes p and q, but they do know the public n = pq and v = s² mod n. They want to convince Bob that they know Alice’s secret s, the square root of v modulo n. If, by coincidence, Bob’s bit b equals zero then y = r · s⁰ = r and they win. However, if b = 1, computing a y that satisfies y² ≡ x · vᵇ mod n requires knowledge of the secret s, assuming that computing square roots modulo n is hard. Without knowing s, if Malice or Erich were able to compute the correct answer for both b = 0 and b = 1, say y_b with y_b² ≡ x · vᵇ mod n, they could efficiently compute square roots modulo n as follows: y₀² ≡ x mod n and y₁² ≡ x · v mod n implies (y₁/y₀)² ≡ v mod n; hence, y₁/y₀ is a square root of v modulo n.

It follows that they can cheat with probability at most 1/2. Of course, they can always guess the bit b in advance and prepare the answer accordingly. Choosing x = r² · v⁻ᵇ mod n and y = r implies that

y² ≡ r² ≡ r² · v⁻ᵇ · vᵇ ≡ x · vᵇ mod n.    (4.16)

Thus, Bob will not detect any irregularities and will accept. Hence, their chance to cheat successfully is exactly 1/2. Again, if Bob demands, say, k independent rounds of the protocol to be executed, he can make the cheating probability as small as desired and is very likely to detect any cheater.

Fig. 16. How to simulate the Fiat–Shamir protocol without knowing the secret s.

It remains to show that the Fiat–Shamir protocol in Figure 15 is zero-knowledge. Figure 16 shows a simulated protocol with Malice, who does not know the secret s, replacing Alice. The information communicated in one round of the protocol is given by a triple of the form (x, b, y). In addition to the randomly chosen r ∈ Z_n^*, Malice guesses a bit c ∈ {0, 1} and computes x = r² · v⁻ᶜ mod n, which she sends to Bob. Whenever c happens to be equal to Bob’s bit b, Malice simply sends y = r and wins. By an argument analogous to Eq. (4.16) above, neither Bob nor any independent observer will detect that she actually is Malice:

y² ≡ r² ≡ r² · v⁻ᶜ · vᵇ ≡ x · vᵇ mod n.

Otherwise, whenever c ≠ b, Malice fails. However, that’s no problem at all: She simply deletes this round from the simulated protocol and repeats. Thus, she can produce a sequence of triples of the form (x, b, y) that is indistinguishable from the corresponding sequence of triples in the original protocol between Alice and Bob. It follows that the Fiat–Shamir protocol is zero-knowledge.

We have chosen to give here the original Fiat–Shamir identification scheme as presented in most books (see, e.g., Goldreich [2001] and Beutelspacher et al. [2001]). Note, however, that quite a number of modifications and improvements of the Fiat–Shamir protocol have been proposed, including the “zero-knowledge proof of knowledge” protocol of Feige et al. [1988]. We also note in passing that we omitted many formal details in our arguments in this section. A rigid formalism (see Goldreich [2001]) is helpful in discussing many subtleties that can arise in zero-knowledge protocols. For example, looking at Figure 15, Alice could be impersonated by anyone who picks the value r = 0 without Bob detecting this fraud. We refer to Burmester and Desmedt [1989] for appropriate modifications of the scheme. Moreover, Burmester et al. [1989, 1992] proposed efficient zero-knowledge protocols in a general algebraic setting.
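The following Python is an added example, not code from the tutorial or from Fiat and Shamir: it runs the round as the proof of Theorem 4.6 describes it (commit x = r² mod n, challenge bit b, answer y = r · sᵇ mod n, check y² ≡ x · vᵇ), the guessing cheater of Eq. (4.16), the Figure 16 simulator, the square-root extractor from the proof, and a unit check on x that rejects the r = 0 impersonation from the remark above. The primes are constructed toy values and the gcd check is this example's addition, not part of the original scheme.

```python
"""Added model of the Fiat-Shamir round as the text describes it, the
Figure 16 simulator, the square-root extractor from the proof of
Theorem 4.6, and a check against the r = 0 impersonation from the closing
remark. Not code from the tutorial or the Fiat-Shamir paper; the primes are
constructed toy values and the gcd check is our addition."""
import math
import secrets

P, Q = 1009, 1013          # constructed toy primes; real ones have hundreds of digits
N = P * Q

def random_unit(n):
    """Uniform element of Z_n^* (retry until coprime to n)."""
    while True:
        r = 2 + secrets.randbelow(n - 2)
        if math.gcd(r, n) == 1:
            return r

def keygen(n, s=None):
    """Alice's secret s in Z_n^* and her public v = s^2 mod n."""
    s = random_unit(n) if s is None else s
    return s, pow(s, 2, n)

def prover_commit(n):
    """Alice picks r in Z_n^* and sends x = r^2 mod n."""
    r = random_unit(n)
    return r, pow(r, 2, n)

def prover_respond(n, s, r, b):
    """Alice answers Bob's bit b with y = r * s^b mod n."""
    return r * pow(s, b, n) % n

def verifier_check(n, v, x, b, y, reject_degenerate=True):
    """Bob accepts iff y^2 = x * v^b (mod n). With reject_degenerate he also
    demands that x be a unit mod n, which closes the r = 0 impersonation
    noted in the text: x = y = 0 satisfies the bare congruence for any b."""
    if reject_degenerate and math.gcd(x, n) != 1:
        return False
    return pow(y, 2, n) == x * pow(v, b, n) % n

def honest_round(n, s, v, b=None):
    """One round between Alice and Bob; returns the triple (x, b, y) and verdict."""
    r, x = prover_commit(n)
    b = secrets.randbelow(2) if b is None else b
    y = prover_respond(n, s, r, b)
    return (x, b, y), verifier_check(n, v, x, b, y)

def zero_impersonation(n, v, b):
    """The r = 0 fraud: (bare verdict, verdict with the unit check)."""
    return (verifier_check(n, v, 0, b, 0, reject_degenerate=False),
            verifier_check(n, v, 0, b, 0))

def guessing_cheater(n, v, c, b):
    """Erich guesses Bob's bit c, commits x = r^2 * v^-c and answers y = r
    (Eq. 4.16). He passes iff c == b, so with probability exactly 1/2."""
    r, r2 = prover_commit(n)
    x = r2 * pow(v, -c, n) % n     # negative exponent = modular inverse (Python 3.8+)
    return verifier_check(n, v, x, b, r)

def simulate_round(n, v):
    """Figure 16: Malice runs the guessing strategy against honest Bob and
    keeps only rounds with c == b, so each emitted (x, b, y) verifies and is
    distributed like Alice's."""
    while True:
        r, r2 = prover_commit(n)
        c = secrets.randbelow(2)
        x = r2 * pow(v, -c, n) % n
        b = secrets.randbelow(2)               # honest Bob's fresh coin
        if c == b:
            return (x, b, r)

def extract_root(n, v, x, y0, y1):
    """Proof of Theorem 4.6: answers to both challenges for one x give
    (y1/y0)^2 = v, i.e. a square root of v mod n."""
    if pow(y0, 2, n) != x % n or pow(y1, 2, n) != x * v % n:
        raise ValueError("not a pair of valid answers for the same x")
    return y1 * pow(y0, -1, n) % n
```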

5. STRONGLY NONINVERTIBLE ASSOCIATIVE ONE-WAY FUNCTIONS

Recall Rivest and Sherman’s secret-key agreement protocol (Figure 10) and Rabi and Sherman’s digital signature protocol (Figure 11) presented in Section 3.4. Both of these protocols use a candidate for a strongly noninvertible, associative one-way function. Are these protocols secure? This question has two aspects: (1) Are they secure under the assumption that strongly noninvertible, associative one-way functions indeed exist? (2) What evidence do we have for the existence of such functions?

The first question is an open problem. Security here depends on precisely how “strong noninvertibility” is defined, and in which model. Traditional complexity theory is concerned with the worst-case model and has identified a large number of problems that are hard in the worst case. Cryptographic applications, however, require the more demanding average-case model (see, e.g., Goldreich [1999, 2001] and Luby [1996]) for which much less is known. As noted by Rabi and Sherman [1997], no proof of security for the Rivest–Sherman and Rabi–Sherman protocols is currently known, and even assuming the existence of associative one-way functions that are strongly noninvertible in the weaker worst-case model would not imply that the protocols are secure. In that regard, however, the Rivest–Sherman and Rabi–Sherman protocols are just like many other protocols currently used in practical applications. For example, neither the Diffie–Hellman protocol nor the RSA protocol currently has a proof of security. There are merely heuristic, intuitive arguments about how to avoid certain direct attacks. The “security” of the Diffie–Hellman protocol draws on the assumption that computing discrete logarithms is hard, and the “security” of the RSA protocol draws on the assumption that factoring large integers is hard. Breaking Diffie–Hellman is not even known to be as hard as the discrete logarithm problem, and breaking RSA is not even known to be as hard as the factoring problem. In a similar vein, Rabi and Sherman [1993, 1997] only give intuitive arguments for the security of their protocols, explaining how to employ the strong noninvertibility of associative one-way functions to preclude certain direct attacks.

Turning to the second question raised above: What evidence do we have that strongly noninvertible, associative one-way functions exist? Assuming P ≠ NP, we will show how to construct total, strongly noninvertible, commutative,⁶ associative one-way functions [Hemaspaandra and Rothe 1999]. The question of whether or not P equals NP is perhaps the most important question in theoretical computer science. It is widely believed that P differs from NP, although this question has remained open for more than thirty years now. For more background on complexity theory, we refer to the textbooks [Balcázar et al. 1995; Bovet and Crescenzi 1993; Hemaspaandra and Ogihara 2001; Papadimitriou 1994].

⁶ Commutativity is needed to extend the Rivest–Sherman and Rabi–Sherman protocols from two parties to m > 2 parties.


5.1. Definitions and Progress of Results

From now on, we adopt the worst-case notion of one-way functions that is due to Grollmann and Selman [1988], see also the papers by Ko [1985], Berman [1977], and Allender [1985, 1986], and the surveys [Selman 1992; Beygelzimer et al. 1999]. Recall that one-way functions are easy to compute but hard to invert. To prevent the notion of noninvertibility from being trivialized, one-way functions are required to be “honest,” that is, to not shrink their inputs too much. Formal definitions of various types of honesty can be found in Grollmann and Selman [1988], Hemaspaandra et al. [1997, 2001], Hema­spaandra and Rothe [2000], Rothe and Hemaspaandra [2002], Homan [2000], and Homan and Thakur [2002].

One-way functions are often considered to be one-argument functions. Since the protocols from Section 3.4 require two-argument functions, the original definition is here tailored to the case of two-ary functions. Let ρ : N × N → N be any two-ary function; ρ may be nontotal and it may be many-to-one. We say that ρ is (polynomial-time) invertible if there exists a polynomial-time computable function g such that for all z ∈ image(ρ), it holds that ρ(g(z)) = z; otherwise, we call ρ not polynomial-time invertible, or noninvertible for short. We say that ρ is a one-way function if and only if ρ is honest, polynomial-time computable, and noninvertible. One-argument one-way functions are well-known to exist if and only if P ≠ NP (see, e.g., Selman [1992] and Balcázar et al. [1995]). It is easy to prove the analogous result for two-argument one-way functions, see Hemaspaandra and Rothe [1999] and Rabi and Sherman [1997].

We now define strong noninvertibility (strongness, for short). As with noninvertibility, strongness requires an appropriate notion of honesty so as to not be trivial. This notion is called “s-honesty” in Hemaspaandra et al. [2001], and since it is merely a technical requirement, we omit a formal definition here. Intuitively, “s-honesty” fits the notion of strong noninvertibility in that it is measured not only in the length of the function value but also in the length of the corresponding given argument.

Definition 5.1 (see Rabi and Sherman [1997] and Hemaspaandra and Rothe [1999]). Let σ : N × N → N be any two-ary function; σ may be nontotal and it may be many-to-one. Let 〈·, ·〉 : N × N → N be some standard pairing function.

(1) We say that σ is (polynomial-time) invertible with respect to its first argument if and only if there exists a polynomial-time computable function g1 such that for all z ∈ image(σ) and for all a and b with (a, b) ∈ domain(σ) and σ(a, b) = z, it holds that σ(a, g1(〈a, z〉)) = z.

(2) We say that σ is (polynomial-time) invertible with respect to its second argument if and only if there exists a polynomial-time computable function g2 such that for all z ∈ image(σ) and for all a and b with (a, b) ∈ domain(σ) and σ(a, b) = z, it holds that σ(g2(〈b, z〉), b) = z.

(3) We say that σ is strongly noninvertible if and only if σ is neither invertible with respect to its first argument nor invertible with respect to its second argument.

(4) We say that σ is a strong one-way function if and only if σ is s-honest, polynomial-time computable, and strongly noninvertible.

Below, we define Rabi and Sherman’s notion of associativity, which henceforth will be called “weak associativity.”

Definition 5.2 [Rabi and Sherman 1993, 1997]. A two-ary function σ : N × N → N is said to be weakly associative if and only if σ(a, σ(b, c)) = σ(σ(a, b), c) holds for all a, b, c ∈ N for which each of (a, b), (b, c), (a, σ(b, c)), and (σ(a, b), c) belongs to the domain of σ.

Although this notion is suitable for total functions, weak associativity does not adequately fit the nontotal function case. More precisely, weak associativity fails to preclude, for nontotal functions, equations from having a defined value to the left, while being undefined to the right of their equality sign. Therefore, we present, in Definition 5.3, another notion of associativity for two-ary functions that is suitable both for total and for nontotal two-ary functions. This definition is due to Hemaspaandra and Rothe [1999] who note that the two notions of associativity are provably distinct (see Proposition 5.4), and this distinction can be explained (see Hemaspaandra and Rothe [1999]) via Kleene’s careful discussion [Kleene 1952, pp. 327–328] of two distinct notions of equality for partial functions in recursion theory: “Weak equality” between two partial functions explicitly allows “specific, defined function values being equal to undefined” as long as the functions take the same values on their joint domain. In contrast, “complete equality” precludes this unnatural behavior by additionally requiring that two given partial functions be equal only if their domains coincide; that is, whenever one is undefined, so is the other. Weak associativity from Definition 5.2 is based on Kleene’s weak equality between partial functions, whereas associativity from Definition 5.3 is based on Kleene’s complete equality.

Definition 5.3 [Hemaspaandra and Rothe 1999]. Let σ : N × N → N be any two-ary function; σ may be nontotal. Define N⊥ = N ∪ {⊥}, and define an extension ⊥σ : N⊥ × N⊥ → N⊥ of σ as follows:

⊥σ(a, b) = σ(a, b)   if a ≠ ⊥ and b ≠ ⊥ and (a, b) ∈ domain(σ),
⊥σ(a, b) = ⊥         otherwise.

We say that σ is associative if and only if, for all a, b, c ∈ N, it holds that

⊥σ(⊥σ(a, b), c) = ⊥σ(a, ⊥σ(b, c)).

We say that σ is commutative if and only if, for all a, b ∈ N, it holds that

⊥σ(a, b) = ⊥σ(b, a).

The following proposition explores the relation between the two associativity notions presented respectively in Definition 5.2 and in Definition 5.3. In particular, these are indeed different notions.

PROPOSITION 5.4 [HEMASPAANDRA AND ROTHE 1999].

(1) Every associative two-ary function is weakly associative.

(2) Every total two-ary function is associative exactly if it is weakly associative.

(3) There exist two-ary functions that are weakly associative, yet not associative.

Rabi and Sherman [1993, 1997] showed that P ≠ NP if and only if commutative, weakly associative one-way functions exist. However, they did not achieve strong noninvertibility. They did not achieve totality of their weakly associative one-way functions, although they presented a construction that they claimed achieves totality of any weakly associative one-way function. Hemaspaandra and Rothe [1999] showed that Rabi and Sherman’s claim is unlikely to be true: Any proof of this claim would imply that NP = UP, which is considered to be unlikely. Intuitively, the reason that Rabi and Sherman’s construction is unlikely to work is that the functions constructed in Rabi and Sherman [1993, 1997] are not associative in the sense of Definition 5.3. In contrast, the Rabi–Sherman construction indeed is useful to achieve totality of the associative, strongly noninvertible one-way functions constructed in Hemaspaandra and Rothe [1999].

Thus, Rabi and Sherman [1993, 1997] left open the question of whether there are plausible complexity-theoretic conditions sufficient to ensure the existence of total, strongly noninvertible, commutative, associative one-way functions. They also asked whether such functions could be constructed from any given one-way function. Section 5.2 presents the answers to these questions.


Fig. 17. The three-coloring ψ of graph G.

5.2. Creating Strongly Noninvertible, Total, Commutative, Associative One-Way Functions from Any One-Way Function

Theorem 5.5 is the main result of this section. Since P ≠ NP is equivalent to the existence of one-way functions with no additional properties required, the converse of the implication stated in Theorem 5.5 is clearly also true. However, we focus on only the interesting implication directions in Theorem 5.5 and in the upcoming Theorem 5.7 and Theorem 5.9.

THEOREM 5.5 [HEMASPAANDRA AND ROTHE 1999]. If P ≠ NP, then there exist total, strongly noninvertible, commutative, associative one-way functions.

A detailed proof of Theorem 5.5 can be found in Hemaspaandra and Rothe [1999], see also the survey [Beygelzimer et al. 1999]. Here, we briefly sketch the proof idea.

Assume P ≠ NP. Let A be a set in NP − P, and let M be a fixed NP machine accepting A. Let x ∈ A be an input accepted by M in time p(|x|), where p is some polynomial. A useful property of NP sets is that they have polynomial-time checkable certificates.⁷ That is, for each certificate z for “x ∈ A,” it holds that: (a) the length of z is polynomially bounded in the length of x, and (b) z certifies membership of x in A in a way that can be verified deterministically in polynomial time. Certificates_M(x) denotes the set of all certificates of M on input x. Note that Certificates_M(x) is nonempty exactly if x ∈ A.

⁷ Other common names for “certificate” are “witness” and “proof” and “solution.”

Example 5.6. For concreteness, consider Graph-Three-Colorability, a well-known NP-complete problem that asks whether the vertices of a given graph can be colored with three colors such that no two adjacent vertices receive the same color. Such a coloring is called a legal three-coloring. In other words, a legal three-coloring is a mapping ψ from the vertex set of G to the set of colors {RED, GREEN, BLUE} such that the resulting color classes are independent sets. Figure 17 gives an example.

The standard NP machine for Graph-Three-Colorability works as follows: Given a graph G, nondeterministically guess a three-coloring ψ of G (i.e., a partition of the vertex set of G into three color classes) and check deterministically whether ψ is legal.

Any legal three-coloring of G is a certificate for the three-colorability of G (with respect to the above NP machine). For the specific graph from Figure 17, one certificate ψ is specified by the three color classes ψ⁻¹(GREEN) = {a, g}, ψ⁻¹(RED) = {c, f, h}, and ψ⁻¹(BLUE) = {b, d, e}.

As is standard, graphs as well as three-colorings can be encoded as binary strings that represent nonnegative integers.


Suppose that for each x ∈ A and for each certificate z for “x ∈ A,” it holds that |z| = p(|x|) > |x|. This is only a technical requirement that makes it easy to tell input strings apart from their certificates. For any integers u, v, w ∈ N, let min(u, v) denote the minimum of u and v, and let min(u, v, w) denote the minimum of u, v, and w. Define a two-ary function σ : N × N → N as follows:

—If a = 〈x, z1〉 and b = 〈x, z2〉 for some x ∈ A with certificates z1, z2 ∈ Certificates_M(x) (where, possibly, z1 = z2), then define σ(a, b) = 〈x, min(z1, z2)〉;

—if there exists some x ∈ A with certificate z ∈ Certificates_M(x) such that either a = 〈x, x〉 and b = 〈x, z〉, or a = 〈x, z〉 and b = 〈x, x〉, then define σ(a, b) = 〈x, x〉;

—otherwise, σ(a, b) is undefined.

What is the intuition behind the definition of σ? The number of certificates contained in the arguments of σ is decreased by one in a way that ensures the associativity of σ. Moreover, σ is noninvertible, and it is also strongly noninvertible. Why? The intuition here is that, regardless of whether none or either one of its arguments is given in addition to σ’s function value, the inversion of σ requires information about the certificates for elements of A. However, our assumption that A ∉ P guarantees that this information cannot efficiently be extracted.

One can show that σ is a commutative, associative one-way function that is strongly noninvertible. We will show associativity and strongness below. Note that σ is not a total function. However, σ can be extended to a total function without losing any of its other properties already established [Hemaspaandra and Rothe 1999].

We now show that σ is strongly noninvertible. For a contradiction, suppose there is a polynomial-time computable inverter, g2, for a fixed second argument. Hence, for each w ∈ image(σ) and for each second argument b for which there is an a ∈ N with σ(a, b) = w, it holds that

σ(g2(〈b, w〉), b) = w.

Then, contradicting our assumption that A ∉ P, one could decide A in polynomial time as follows:

On input x, compute g2(〈〈x, x〉, 〈x, x〉〉), compute the integers d and e for which 〈d, e〉 equals g2(〈〈x, x〉, 〈x, x〉〉), and accept x if and only if d = x and e ∈ Certificates_M(x).

Hence, σ is not invertible with respect to its second argument. An analogous argument shows that σ is not invertible with respect to its first argument. Thus, σ is strongly noninvertible.

Next, we prove that σ is associative. Let ⊥σ be the total extension of σ as in Definition 5.1. Fix any three elements of N, say a = 〈a1, a2〉, b = 〈b1, b2〉, and c = 〈c1, c2〉. To show that

$${}^{\bot}\sigma\bigl({}^{\bot}\sigma(a, b), c\bigr) = {}^{\bot}\sigma\bigl(a, {}^{\bot}\sigma(b, c)\bigr) \qquad (5.17)$$

holds, distinguish two cases.

Case 1. a1 = b1 = c1 and {a2, b2, c2} ⊆ {a1} ∪ Certificates_M(a1).

Let x, y ∈ {a, b, c} be any two fixed arguments of σ. As noted above, if x and y together contain i certificates for “a1 ∈ A,” where i ∈ {1, 2}, then σ(x, y)—and thus also ⊥σ(x, y)—contains exactly max{0, i − 1} certificates for “a1 ∈ A.” In particular, ⊥σ(x, y) preserves the minimum certificate if both x and y contain a certificate for “a1 ∈ A.”

If exactly one of x and y contains a certificate for “a1 ∈ A,” then ⊥σ(x, y) = 〈a1, a1〉. If none of x and y contains a certificate for “a1 ∈ A,” then σ(x, y) is undefined, so ⊥σ(x, y) = ⊥.

Let k ≤ 3 be a number telling us how many of a2, b2, and c2 belong to Certificates_M(a1). For example, if a2 = b2 = c2 ∈ Certificates_M(a1), then k = 3. Consequently:

—If k ≤ 1, then both ⊥σ(⊥σ(a, b), c) and ⊥σ(a, ⊥σ(b, c)) equal ⊥.


—If k = 2, then both ⊥σ(⊥σ(a, b), c) and ⊥σ(a, ⊥σ(b, c)) equal 〈a1, a1〉.

—If k = 3, then both ⊥σ(⊥σ(a, b), c) and ⊥σ(a, ⊥σ(b, c)) equal 〈a1, min(a2, b2, c2)〉.

In each of these three cases, Eq. (5.17) is satisfied.

Case 2. Suppose Case 1 is not true. Then, either it holds that a1 ≠ b1 or a1 ≠ c1 or b1 ≠ c1, or it holds that a1 = b1 = c1 and {a2, b2, c2} is not contained in {a1} ∪ Certificates_M(a1). By the definition of σ, in both cases it follows that

$${}^{\bot}\sigma\bigl({}^{\bot}\sigma(a, b), c\bigr) = \bot = {}^{\bot}\sigma\bigl(a, {}^{\bot}\sigma(b, c)\bigr),$$

which satisfies Eq. (5.17) and concludes the proof that σ is associative.
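A constructed toy implementation of the construction just analyzed (added here as an example; it is not the paper's code): A is Graph-Three-Colorability on eight vertices, graphs and colorings are encoded as integers and paired with a Cantor pairing, σ is defined exactly as above with None standing for ⊥, and the block checks the three Case 1 outcomes, Eq. (5.17) over a sample of triples, and the inverter-to-decider reduction from the strong-noninvertibility proof. The graph, the edge and color encodings, and the exponential stand-in inverter are assumptions of the example; the graph is chosen to be consistent with the coloring stated for Figure 17, not to reproduce the figure.

```python
from functools import lru_cache
from itertools import product
from math import isqrt
# Constructed toy instance of the Section 5.2 construction (added example, not the paper's code):
# A = Graph-Three-Colorability on N vertices, x = a graph encoded as an integer,
# z = a colouring encoded as an integer, and sigma(<x, z1>, <x, z2>) as defined in the text.
N = 8                                                        # vertices a..h are 0..7
EDGES = [(i, j) for i in range(N) for j in range(i + 1, N)]  # bit k of x is set iff EDGES[k] is an edge
def pair(x, y):
    """Cantor pairing <x, y>: a polynomial-time bijection N x N -> N."""
    return (x + y) * (x + y + 1) // 2 + y
def unpair(n):
    """Exact inverse of pair() (integer square root, so no floating-point error)."""
    w = (isqrt(8 * n + 1) - 1) // 2
    y = n - w * (w + 1) // 2
    return w - y, y
def encode_graph(edges):
    return sum(1 << EDGES.index(tuple(sorted(e))) for e in edges)
def encode_colouring(colours):
    """One base-3 digit per vertex: 0 = RED, 1 = GREEN, 2 = BLUE."""
    return sum(c * 3 ** v for v, c in enumerate(colours))
def is_legal(x, z):
    """The NP machine's polynomial-time check: z encodes a colouring and no edge of x is monochromatic."""
    col = [(z // 3 ** v) % 3 for v in range(N)]
    return z < 3 ** N and all(col[i] != col[j] for k, (i, j) in enumerate(EDGES) if (x >> k) & 1)
@lru_cache(maxsize=None)
def certificates(x):
    """Certificates_M(x), found by brute force over all 3^N colourings (exponential: toy sizes only)."""
    return frozenset(z for z in range(3 ** N) if is_legal(x, z))

def sigma(a, b):
    """sigma of Section 5.2; None plays the role of 'undefined'."""
    (a1, a2), (b1, b2) = unpair(a), unpair(b)
    if a1 != b1:
        return None
    x, certs = a1, certificates(a1)
    if a2 in certs and b2 in certs:                              # two certificates: keep the minimum
        return pair(x, min(a2, b2))
    if (a2 == x and b2 in certs) or (a2 in certs and b2 == x):  # one certificate: it is consumed
        return pair(x, x)
    return None

def sigma_total(a, b):
    """Total extension of sigma: bottom (None) if either argument is bottom or sigma is undefined."""
    return None if a is None or b is None else sigma(a, b)

# Constructed graph consistent with the colouring stated for Figure 17 (the figure itself is not reproduced).
X = encode_graph([(0, 1), (0, 2), (1, 2), (1, 5), (2, 3), (2, 4), (3, 5), (4, 7), (5, 6), (6, 7), (0, 7)])
PSI = encode_colouring((1, 2, 0, 2, 2, 0, 1, 0))              # a, g GREEN; c, f, h RED; b, d, e BLUE
OTHER = encode_graph([(6, 7)])                                # a second, unrelated input
assert PSI in certificates(X) and X not in certificates(X)  # the |z| > |x| technicality: x is never a certificate

def case_values():
    """Case 1 of the associativity proof with k = 3, k = 2 and k <= 1 certificates among a, b, c."""
    z1, z2, z3 = sorted(certificates(X))[:3]
    k3 = sigma_total(sigma_total(pair(X, z1), pair(X, z2)), pair(X, z3))
    k2 = sigma_total(sigma_total(pair(X, X), pair(X, z2)), pair(X, z3))
    k1 = sigma_total(sigma_total(pair(X, X), pair(X, X)), pair(X, z3))
    return k3 == pair(X, z1), k2 == pair(X, X), k1 is None

def sample_pool():
    z1, z2 = sorted(certificates(X))[:2]
    return [pair(X, X), pair(X, z1), pair(X, z2), pair(X, PSI), pair(X, 3 ** N),
            pair(OTHER, X), pair(OTHER, z1), pair(X + 1, z1)]

def associative_on(pool):
    """Checks Eq. (5.17) for every triple drawn from pool; returns the number of triples checked."""
    for a, b, c in product(pool, repeat=3):
        assert sigma_total(sigma_total(a, b), c) == sigma_total(a, sigma_total(b, c))
    return len(pool) ** 3

def decide_with_inverter(x, g2):
    """The reduction in the strong-noninvertibility proof: any second-argument inverter g2 decides A."""
    d, e = unpair(g2(pair(pair(x, x), pair(x, x))))
    return d == x and is_legal(x, e)

def brute_force_g2(bw):
    """Exponential stand-in for g2 (constructed; no polynomial-time g2 exists unless A is in P)."""
    b, w = unpair(bw)
    x = unpair(b)[0]
    for z in [x] + sorted(certificates(x)):
        if sigma(pair(x, z), b) == w:
            return pair(x, z)
    return 0
```

Feeding a non-three-colorable graph such as K4 to decide_with_inverter makes it reject, since no certificate can be recovered from any inverter.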

Finally, we mention some related results of Chris Homan [Homan 2000], who studied upper and lower bounds on the ambiguity of associative one-way functions. In particular, extending Rabi and Sherman’s [1997] result that no total, associative one-way function is injective, he proved that no total, associative one-way function can be constant-to-one. He also showed that, under the plausible assumption that P ≠ UP, there exist linear-to-one, total, strongly noninvertible, associative one-way functions.

On a slightly less related note, Homan and Thakur [2002] recently proved that one-way permutations (i.e., one-way functions that are total, one-to-one, and onto) exist if and only if P ≠ UP ∩ coUP. This result gives a characterization of one-way permutations in terms of a complexity class separation, and thus the ultimate answer to a question studied in Grollmann and Selman [1988], Hemaspaandra et al. [1997], Hemaspaandra and Rothe [2000], and Rothe and Hemaspaandra [2002].

5.3. If P ≠ NP, then Some Strongly Noninvertible Functions Are Invertible

Is every strongly noninvertible function noninvertible? Hemaspaandra et al. [2001] obtained the surprising result that if P ≠ NP then this is not necessarily the case. This result shows that the term “strong noninvertibility” introduced in Rabi and Sherman [1993, 1997] actually is a misnomer, since it seems to suggest that strong noninvertibility always implies noninvertibility, which is not true.

THEOREM 5.7 [HEMASPAANDRA ET AL. 2001]. If P ≠ NP, then there exists a total, honest two-ary function that is strongly one-way but not a one-way function.

We give a brief sketch of the proof. Assume P ≠ NP. Then, there exists a total two-ary one-way function, call it ρ. For any integer n ∈ N, define the notation

odd(n) = 2n + 1 and even(n) = 2n.

Define a function σ : N × N → N as follows. Let a, b ∈ N be any two arguments of σ.

—If a ≠ 0 ≠ b, a = 〈x, y〉 is odd, and b is even, then define σ(a, b) = even(ρ(x, y)).

—If a ≠ 0 ≠ b, a is even, and b = 〈x, y〉 is odd, then define σ(a, b) = even(ρ(x, y)).

—If a ≠ 0 ≠ b, and a is odd if and only if b is odd, then define σ(a, b) = odd(a + b).

—If a = 0 or b = 0, then define σ(a, b) = a + b.

We claim that σ is strongly noninvertible. For a contradiction, suppose σ were invertible with respect to its first argument via an inverter, g1. By the definition of σ, for any z ∈ image(ρ) with z ≠ 0, the function g1 on input 〈2, even(z)〉 yields an odd integer b from which we can read the pair 〈x, y〉 with ρ(x, y) = z. Hence, using g1, one could invert ρ in polynomial time, a contradiction. Thus, σ is not invertible with respect to its first argument. Analogously, one can show that σ is not invertible with respect to its second argument. So, σ indeed is strongly noninvertible.

But σ is invertible! By the fourth item in the definition of σ, every z in the image of σ has a preimage of the form (0, z). Thus, the function g defined by g(z) = (0, z) inverts σ in polynomial time. Hence, σ is not a one-way function.

Why don’t we use a different notion of strongness that automatically implies noninvertibility? Here is an attempt to redefine the notion of strongness accordingly, which yields a new notion that we will call “overstrongness.”

Definition 5.8 [Hemaspaandra et al. 2001]. Let σ : N × N → N be any two-ary function; σ may be nontotal and it may be many-to-one. We say that σ is overstrong if and only if no polynomial-time computable function f with f : {1, 2} × N × N → N × N satisfies that for each i ∈ {1, 2} and for each z, a ∈ N:

((∃b ∈ N)[(σ(a, b) = z ∧ i = 1) ∨ (σ(b, a) = z ∧ i = 2)]) ⇒ σ(f(i, z, a)) = z.

Note that overstrongness implies both noninvertibility and strong noninvertibility. However, the problem with this new definition is that it completely loses the core of why strongness precludes direct attacks on the Rivest–Sherman and Rabi–Sherman protocols. To see why, look at Figure 10 and Figure 11, which give the protocols of Rabi, Rivest, and Sherman. In contrast to overstrongness, Rabi, Rivest, and Sherman’s original definition of strong noninvertibility (see Definition 5.1) respects the argument given. It is this feature that precludes Erich from being able to compute Alice’s secret x from the transmitted values σ(x, y) and y, which he knows. In short, overstrongness is not well-motivated by the protocols of Rabi, Rivest, and Sherman.

We mention without proof some further results of Hemaspaandra et al. [2001].

THEOREM 5.9 [HEMASPAANDRA ET AL. 2001].

(1) If P ≠ NP, then there exists a total, honest, s-honest, two-ary overstrong function. Consequently, if P ≠ NP, then there exists a total two-ary function that is both one-way and strongly one-way.

(2) If P ≠ NP, then there exists a total, s-honest two-ary one-way function σ such that σ is invertible with respect to its first argument and σ is invertible with respect to its second argument.

(3) If P ≠ NP, then there exists a total, s-honest two-ary one-way function that is invertible with respect to either one of its arguments (thus, it is not strongly one-way), yet that is not invertible with respect to its other argument.

(4) If P ≠ NP, then there exists a total, honest, s-honest two-ary function that is noninvertible and strongly noninvertible but that is not overstrong.

ACKNOWLEDGMENTS

I am grateful to Pekka Orponen for inviting me to be a lecturer of the 11th Jyväskylä Summer School that was held in August, 2001, at the University of Jyväskylä. I thank Kari Pasanen for being a great tutor of this tutorial, for carefully proofreading a preliminary draft of this article, and in particular for subletting his summer house on an island of scenic Lake Keitele to me and my family during the summer school. I am grateful to Pekka and Kari for their hospitality, and I thank my 33 summer school students from 16 countries for making this course so much fun and pleasure. I also thank Eric Allender, Godmar Back, Harald Baier, Lane Hemaspaandra, Eike Kiltz, Alan Selman, Holger Spakowski, Gerd Wechsung, and Peter Widmayer for their insightful advice and helpful comments and for their interest in this paper. Last but not least, I thank the anonymous ACM Computing Surveys referees whose detailed comments very much helped to fix errors in an earlier version and to improve the presentation, and the editor, Paul Purdom, for his guidance during the editorial process.

REFERENCES

AGRAWAL, M., KAYAL, N., AND SAXENA, N. 2002. PRIMES is in P. Unpublished manuscript.

AJTAI, M. 1996. Generating hard instances of lattice problems. In Proceedings of the 28th ACM Symposium on Theory of Computing. ACM, New York, pp. 99–108.

AJTAI, M. 1998. The shortest vector problem in L2 is NP-hard for randomized reductions. In Proceedings of the 30th ACM Symposium on Theory of Computing. ACM, New York, pp. 10–19. Full version available on-line as ECCC TR97-047 at ftp://ftp.eccc.uni-trier.de/pub/eccc/reports/1997/TR97-047/index.html.

AJTAI, M. AND DWORK, C. 1997. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the 29th ACM Symposium on Theory of Computing. ACM, New York, pp. 284–293.


ALLENDER, E. 1985. Invertible functions. Ph.D. dissertation, Georgia Institute of Technology.

ALLENDER, E. 1986. The complexity of sparse sets in P. In Proceedings of the 1st Structure in Complexity Theory Conference. Lecture Notes in Computer Science, vol. 223. Springer-Verlag, New York, pp. 1–11.

BABAI, L. 1985. Trading group theory for randomness. In Proceedings of the 17th ACM Symposium on Theory of Computing (Apr.). ACM, New York, pp. 421–429.

BABAI, L. AND MORAN, S. 1988. Arthur-Merlin games: A randomized proof system, and a hierarchy of complexity classes. J. Comput. Syst. Sci. 36, 2, 254–276.

BALCÁZAR, J., DÍAZ, J., AND GABARRÓ, J. 1990. Structural Complexity II. EATCS Monographs on Theoretical Computer Science. Springer-Verlag, New York.

BALCÁZAR, J., DÍAZ, J., AND GABARRÓ, J. 1995. Structural Complexity I. EATCS Monographs on Theoretical Computer Science. 2nd ed. Springer-Verlag, New York.

BAUER, F. 2000. Decrypted Secrets: Methods and Maxims of Cryptology. 2nd ed. Springer-Verlag.

BERMAN, L. 1977. Polynomial Reducibilities and Complete Sets. Ph.D. dissertation, Cornell Univ., Ithaca, N.Y.

BEUTELSPACHER, A. 1994. Cryptology. Spectrum series. Mathematical Association of America.

BEUTELSPACHER, A., SCHWENK, J., AND WOLFENSTETTER, K. 2001. Moderne Verfahren der Kryptographie. 4th ed. Vieweg. (In German.)

BEYGELZIMER, A., HEMASPAANDRA, L., HOMAN, C., AND ROTHE, J. 1999. One-way functions in worst-case cryptography: Algebraic and security properties are on the house. SIGACT News 30, 4 (Dec.), 25–40.

BONEH, D. 1999. Twenty years of attacks on the RSA cryptosystem. Notices AMS 46, 2 (Feb.), 203–213.

BONEH, D. AND DURFEE, G. 2000. Cryptanalysis of RSA with private key d less than N^0.292. IEEE Trans. Inf. Theory IT-46.

BOVET, D. AND CRESCENZI, P. 1993. Introduction to the Theory of Complexity. Prentice-Hall, Englewood Cliffs, N.J.

BRASSARD, G. AND CRÉPEAU, C. 1989. Sorting out zero-knowledge. In Advances in Cryptology—EUROCRYPT 89. Lecture Notes in Computer Science, vol. 434. Springer-Verlag, New York, pp. 181–191.

BUCHMANN, J. 2001. Introduction to Cryptography. Undergraduate Texts in Mathematics. Springer-Verlag, New York.

BURMESTER, M. AND DESMEDT, Y. 1989. Remarks on the soundness of proofs. Elec. Lett. 25, 1509–1511.

BURMESTER, M., DESMEDT, Y., AND BETH, T. 1992. Efficient zero-knowledge identification schemes for smart cards. Comput. J. 35, 1 (Feb.), 21–29.

BURMESTER, M., DESMEDT, Y., PIPER, F., AND WALKER, M. 1989. A general zero-knowledge scheme. In Advances in Cryptology—EUROCRYPT 89. Lecture Notes in Computer Science, vol. 434. Springer-Verlag, New York, pp. 122–133.

CAI, J. 1999. Some recent progress on the complexity of lattice problems. In Proceedings of the 14th Annual IEEE Conference on Computational Complexity (May). IEEE Computer Society Press, Los Alamitos, Calif., pp. 158–179.

COHEN, M. AND HASHKES, J. 1991. A system for controlling access to broadcast transmissions. European Patent Application 0 428252 A2. May.

COPPERSMITH, D. 1997. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Crypt. 10, 4, 233–260.

DIFFIE, W. AND HELLMAN, M. 1976. New directions in cryptography. IEEE Trans. Inf. Theory IT-22, 6, 644–654.

ELGAMAL, T. 1985. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory IT-31, 4, 469–472.

FEIGE, U., FIAT, A., AND SHAMIR, A. 1988. Zero-knowledge proofs of identity. J. Crypt. 1, 2, 77–94.

FEIGENBAUM, J. 1992. Overview of interactive proof systems and zero-knowledge. In Contemporary Cryptology: The Science of Information Integrity, G. Simmons, Ed. IEEE Computer Society Press, Los Alamitos, Calif., pp. 423–439.

FIAT, A. AND SHAMIR, A. 1986. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology—CRYPTO ’86. Lecture Notes in Computer Science, vol. 263. Springer-Verlag, New York, pp. 186–194.

GILL, J. 1977. Computational complexity of probabilistic Turing machines. SIAM J. Comput. 6, 4, 675–695.

GOLDREICH, O. 1988. Randomness, interactive proofs, and zero-knowledge—A survey. In The Universal Turing Machine: A Half-Century Survey, R. Herken, Ed. Oxford University Press, Oxford, England, pp. 377–405.

GOLDREICH, O. 1997. A taxonomy of proof systems. In Complexity Theory Retrospective II, L. Hemaspaandra and A. Selman, Eds. Springer-Verlag, New York, pp. 109–134.

GOLDREICH, O. 1999. Modern Cryptography, Probabilistic Proofs, and Pseudorandomness. Algorithms and Combinatorics, vol. 17. Springer-Verlag, New York.

GOLDREICH, O. 2001. Foundations of Cryptography. Cambridge University Press, Cambridge, England.

GOLDREICH, O., MANSOUR, Y., AND SIPSER, M. 1987. Interactive proof systems: Provers that never fail and random selection. In Proceedings of the 28th IEEE Symposium on Foundations of Computer Science. IEEE Computer Society Press, Los Alamitos, Calif., pp. 449–461.

GOLDREICH, O., MICALI, S., AND WIGDERSON, A. 1986. Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. In Proceedings of the 27th IEEE Symposium on Foundations of Computer Science. IEEE Computer Society Press, Los Alamitos, Calif., pp. 174–187.

GOLDREICH, O., MICALI, S., AND WIGDERSON, A. 1991. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38, 3 (July), 691–729.

GOLDWASSER, S. 1989. Interactive proof systems. In Computational Complexity Theory, J. Hartmanis, Ed. AMS Short Course Lecture Notes: Introductory Survey Lectures. Proceedings of Symposia in Applied Mathematics, vol. 38. American Mathematical Society, Providence, R.I., pp. 108–128.

GOLDWASSER, S., MICALI, S., AND RACKOFF, C. 1985. The knowledge complexity of interactive proof systems. In Proceedings of the 17th ACM Symposium on Theory of Computing (Apr.). ACM, New York, pp. 291–304.

GOLDWASSER, S., MICALI, S., AND RACKOFF, C. 1989. The knowledge complexity of interactive proof systems. SIAM J. Comput. 18, 1 (Feb.), 186–208.

GOLDWASSER, S. AND SIPSER, M. 1989. Private coins versus public coins in interactive proof systems. In Randomness and Computation, S. Micali, Ed. Advances in Computing Research, vol. 5. JAI Press, Greenwich, England, pp. 73–90.

GROLLMANN, J. AND SELMAN, A. 1988. Complexity measures for public-key cryptosystems. SIAM J. Comput. 17, 2, 309–335.

HARDY, G. AND WRIGHT, E. 1979. An Introduction to the Theory of Numbers. 5th ed. Clarendon Press, Oxford, England.

HÅSTAD, J. 1988. Solving simultaneous modular equations of low degree. SIAM J. Comput. 17, 2, 336–341. (Special issue on cryptography.)

HEMASPAANDRA, L. AND OGIHARA, M. 2002. The Complexity Theory Companion. Springer-Verlag, New York.

HEMASPAANDRA, L., PASANEN, K., AND ROTHE, J. 2001. If P ≠ NP then some strongly noninvertible functions are invertible. In Proceedings of the 13th International Symposium on Fundamentals of Computation Theory (Aug.). Lecture Notes in Computer Science, vol. 2138. Springer-Verlag, New York, pp. 162–171.

HEMASPAANDRA, L. AND ROTHE, J. 1999. Creating strong, total, commutative, associative one-way functions from any one-way function in complexity theory. J. Comput. Syst. Sci. 58, 3, 648–659.

HEMASPAANDRA, L. AND ROTHE, J. 2000. Characterizing the existence of one-way permutations. Theoret. Comput. Sci. 244, 1–2, 257–261.

HEMASPAANDRA, L., ROTHE, J., AND WECHSUNG, G. 1997. On sets with easy certificates and the existence of one-way permutations. In Proceedings of the 3rd Italian Conference on Algorithms and Complexity (Mar.). Lecture Notes in Computer Science, vol. 1203. Springer-Verlag, New York, pp. 264–275.

HOMAN, C. 2000. Low ambiguity in strong, total, associative, one-way functions. Tech. Rep. TR-734. Dept. Computer Science, Univ. Rochester, Rochester, N.Y. Aug.

HOMAN, C. AND THAKUR, M. 2002. One-way permutations and self-witnessing languages. In Proceedings of the 2nd IFIP International Conference on Theoretical Computer Science, Stream 1 of the 17th IFIP World Computer Congress. Kluwer Academic Publishers, Aug.

KAHN, D. 1967. The Codebreakers: The Story of Secret Writing. MacMillan, New York.

KALISKI, JR., B. AND ROBSHAW, M. 1995. The secure use of RSA. CryptoBytes 1, 3, 7–13.

KLEENE, S. 1952. Introduction to Metamathematics. van Nostrand, New York and Toronto.

KNUTH, D. 1981. The Art of Computer Programming: Seminumerical Algorithms, vol. 2 of Computer Science and Information. Addison-Wesley, Reading, Mass.

KO, K. 1985. On some natural complete operators. Theoret. Comput. Sci. 37, 1, 1–30.

KÖBLER, J., SCHÖNING, U., AND TORÁN, J. 1992. Graph isomorphism is low for PP. Computat. Complex. 2, 301–330.

KÖBLER, J., SCHÖNING, U., AND TORÁN, J. 1993. The Graph Isomorphism Problem: Its Structural Complexity. Birkhäuser.

KUMAR, R. AND SIVAKUMAR, D. 2001. Complexity of SVP—A reader’s digest. SIGACT News 32, 3 (June), 40–52.

LENSTRA, JR., H. 1987. Factoring integers with elliptic curves. Ann. Math. 126, 649–673.

LENSTRA, A. AND LENSTRA, JR., H. 1993. The Development of the Number Field Sieve. Lecture Notes in Mathematics, vol. 1554. Springer-Verlag, New York.

LUBY, M. 1996. Pseudorandomness and Cryptographic Applications. Princeton Computer Science Notes. Princeton University Press, Princeton, N.J.

MAURER, U. AND WOLF, S. 1999. The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms. SIAM J. Comput. 28, 5, 1689–1721.

MICCIANCIO, D. 2001. The shortest vector in a lattice is hard to approximate to within some constant. SIAM J. Comput. 30, 6 (Mar.), 2008–2035.

MILLER, G. 1976. Riemann’s hypothesis and tests for primality. J. Comput. Syst. Sci. 13, 300–317.

MOORE, J. 1992. Protocol failures in cryptosystems. In Contemporary Cryptology: The Science of Information Integrity, G. Simmons, Ed. IEEE Computer Society Press, Los Alamitos, Calif., pp. 541–558.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST). 1991. Digital signature standard (DSS). Fed. Reg. 56, 169 (Aug.).

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST). 1992. The Digital Signature Standard, proposed by NIST. Commun. ACM 35, 7 (July), 36–40.

NGUYEN, P. AND STERN, J. 2001. The two faces of lattices in cryptology. In Proceedings of the International Conference on Cryptography and Lattices. Lecture Notes in Computer Science, vol. 2146. Springer-Verlag, New York, pp. 146–180.

PAPADIMITRIOU, C. 1994. Computational Complexity. Addison-Wesley, Reading, Mass.

POMERANCE, C. AND SORENSON, J. 1995. Counting the integers factorable via cyclotomic methods. J. Alg. 19, 2 (Sept.), 250–265.

POLLARD, J. 1974. Theorems on factorization and primality testing. Proc. Cambridge Philos. Soc. 76, 521–528.

RABI, M. AND SHERMAN, A. 1993. Associative one-way functions: A new paradigm for secret-key agreement and digital signatures. Tech. Rep. CS-TR-3183/UMIACS-TR-93-124. Dept. Computer Science, Univ. Maryland, College Park, Md.

RABI, M. AND SHERMAN, A. 1997. An observation on associative one-way functions in complexity theory. Inf. Proc. Lett. 64, 5, 239–244.

RABIN, M. 1980. Probabilistic algorithms for testing primality. J. Numb. Theory 12, 128–138.

RIVEST, R., SHAMIR, A., AND ADLEMAN, L. 1978. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 2 (Feb.), 120–126.

ROTHE, J. AND HEMASPAANDRA, L. 2002. On characterizing the existence of partial one-way permutations. Inf. Proc. Lett. 82, 3 (May), 165–171.

SALOMAA, A. 1996. Public-Key Cryptography. EATCS Monographs on Theoretical Computer Science, vol. 23. Springer-Verlag, New York.

SCHÖNING, U. 1987. Graph isomorphism is in the low hierarchy. J. Comput. Syst. Sci. 37, 312–323.

SCHNEIER, B. 1996. Applied Cryptography: Protocols, Algorithms, and Source Code in C. J. Wiley, New York.

SCHNORR, C. 1990. Efficient identification and signature schemes for smart cards. In Advances in Cryptology—CRYPTO ’89. Lecture Notes in Computer Science, vol. 435. Springer-Verlag, New York, pp. 239–251.

SELMAN, A. 1992. A survey of one-way functions in complexity theory. Math. Syst. Theory 25, 3, 203–221.

SHAMIR, A. 1992. IP = PSPACE. J. ACM 39, 4, 869–877.

SHAMIR, A. 1995. RSA for paranoids. CryptoBytes 1, 3, 1–4.

SHANNON, C. 1949. Communication theory of secrecy systems. Bell System Tech. J. 28, 4, 657–715.

SHOR, P. 1997. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26, 5, 1484–1509.

SIMMONS, G. 1979. Symmetric and asymmetric encryption. ACM Comput. Surv. 11, 4, 305–330.

SIMMONS, G. AND NORRIS, M. 1977. Preliminary comments on the MIT public-key cryptosystem. Cryptologia 1, 4, 406–414.

SINGH, S. 1999. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Fourth Estate, London, England.

SOLOVAY, R. AND STRASSEN, V. 1977. A fast Monte Carlo test for primality. SIAM J. Comput. 6, 84–85. (Erratum appears in the same journal 7, 1, 118, 1978.)

STINSON, D. 1995. Cryptography: Theory and Practice. CRC Press, Boca Raton, Fla.

VALIANT, L. 1976. The relative complexity of checking and evaluating. Inf. Proc. Lett. 5, 1, 20–23.

WELSH, D. 1998. Codes and Cryptography. Oxford Science Publications. 6th ed. Clarendon Press, Oxford, England. (Reprinted with corrections.)

WIENER, M. 1990. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory IT-36, 3, 553–558.

Received November 2001; revised July 2002; accepted August 2002
