Lecture 4: Crypto from the Discrete Logarithm Assumption

Announcements

  • Reading: NBFMG, chapter 1
  • Homework 1 and Lab 1 make-ups are due on Friday at 10pm on Gradescope
  • Office hours: TF Tejovan Parker’s office hours are now:
    • Wednesday 3:15-4:45pm
    • Friday 12:00-1:30pm (both in CDS room 1325 or 1324)
  • Homework 2 will be released tomorrow, and due on 2/7 at 10pm

Learning outcomes

By the end of today’s lecture, you will learn:

  • How to construct Schnorr signatures, based on the hardness of finding discrete logarithms.
  • How two people on the Internet, who have never physically met, can produce a shared secret.
  • How it is possible to compute and verify properties of data that you cannot see.

Review from last lecture

Last time, we constructed a Merkle tree, which allows a cloud provider to prove to Alice that it is providing the correct file in response to a query.

This is our first example of a proof system, which allows a prover who knows why a claim is true to convince a verifier of this fact. We will see more proof systems throughout this course.

Prover Verifier
\(\quad \longrightarrow \quad\)

We also began our exploration into digital signatures, which allow the recipient Bob of a message to check that the sender is who they claim to be (entity authentication) and that the data hasn’t been tampered in transit (data authentication).

Alice Mallory Bob
\(\longrightarrow\) \(\longrightarrow\)

Formally, a digital signature contains three algorithms:

  • KeyGen: takes no input, produces a secret key \(sk\) and a public key \(pk\)
  • Sign\((sk, M)\): produces a signature \(\sigma\)
  • Verify\((pk, M, \sigma)\): returns true or false

All three algorithms should be efficiently computable. Moreover, the digital signature must satisfy two requirements: correctness (Alice’s honest signatures should pass the verification check) and unforgeability (formalized with the EU-CMA game).

A digital signature scheme needs to be based on a math problem that is difficult to solve but easy to verify. Unfortunately, we do not know for certain whether any such problems exist! As a result, in cryptography we make conjectures about the difficulty of time-tested math problems, such as factoring.

If factoring large integers is computationally infeasible, then the RSA digital signature scheme is unforgeable (i.e., no adversary Mallory can win the EU-CMA game).

RSA is used in practice today, but not always. Let’s look at the digital certificate for the website bu.edu as an example.

  • Note that RSA keys and signatures are small, but not that small: they are 2048 bits (or 256 bytes) long. This is because factoring is a hard problem, but it’s not a really hard problem, so we have to choose very large numbers for it to be infeasible by modern computers.

  • As a result: RSA is fast, but not that fast. Signing and verification take around 1 millisecond on a modern laptop or phone, give or take.

These costs may not sound significant, and indeed a single signature is small and quick to compute on your phone or laptop. But:

  • If you run a web server and calculate RSA for every client that visits your website, then the computational costs add up quickly.
  • As we will see next week when we discuss Bitcoin, there are more than 1 billion transactions made on the Bitcoin blockchain so far, and each one includes a digital signature. As a result, using a large signature can waste many gigabytes of storage space.

Instead, the most common standard is called the digital signature algorithm, or DSA. We will discuss it today.

4.1 The Discrete Logarithm Assumption

Recall that digital signature schemes have a tricky property: from the public key it is impossible to create a digital signature but easy to verify if someone else has done so. As a result, we must build signature schemes from math problems that we believe to have this property of “difficult to solve but easy to verify.”

Here is another hard math problem: taking logarithms.

…Wait, hang on, this doesn’t sound right. Let’s check whether this is actually a hard math problem.

Question. If I tell you that I have taken the number \(5\) to some power \(x\) and the result is \(125\), can you determine the power \(x\) such that \(5^x = 125\)?

Taking logarithms to find \(x = \log_5(125)\) is easy over the real numbers \(\mathbb{R}\).

But: it turns out though that if you ask this question together with modular arithmetic, then it is believed to be practically infeasible to compute discrete logarithms. For instance, consider the following function: \(f(x) = 5^x \bmod{7}\).

Question. Can you find an integer \(x\) such that \(5^x \bmod{7} = 2\)?

This does not seem as simple to calculate. The good news is that calculating this function in the forward direction is easy: all we have to do is multiply. So, here is the truth table of the function \(f\). (Remember that this took a decent amount of computational effort to build.)

Truth table for \(f(x) = 5^x \bmod{7}\)
x f(x)
1 5
2 4
3 6
4 2
5 3
6 1
7 5

With this table, now can you solve the question from above?

It turns out the act of exponentiation modulo a prime number is:

  • Invertible. In fact it is a permutation over the inputs from \(1\) to \(6\), because each number between \(1\) and \(6\) occurs exactly once as a possible output. (And the function cycles after that, so we’ll ignore any larger inputs.) And this idea generalizes to larger primes besides \(p = 7\). The function is a permutation over the integers from \(1\) to \(p-1\).

  • Computationally difficult to invert… at least if we choose a prime modulus that is large enough.

    (There is one additional caveat: for some technical reasons that I will skip, we must take only the subgroup of quadratic residues, i.e., only half of the truth table for even values of \(x\).)

There is another way to make “exponentiation” easy but “logarithms” hard. It uses another kind of math object called an elliptic curve, which is just a cubic equation \(y^2 = x^3 + ax + b \bmod{p}\).

Rather than multiplying numbers, we’re going to make a new kind of arithmetic where we can “multiply” points in space. I’ll skip the math details since they are strange, but the punchline is the same: it is another math problem where exponentiating is easy but the inverse is practically impossible.

Elliptic curve discrete logarithm assumption: Given two points \(P\) and \(Q\) such that \(P^x = Q\), it is computationally infeasible for anyone to find the discrete logarithm \(x\).

(Note: all of the exponentiations and logarithms in today’s lecture are done modulo a prime number, but I’m going to stop writing that explicitly from now onward.)

In fact, this problem is really hard to solve, even harder than factoring (as far as we know). As a result:

  • The act of computing a digital signature is faster: closer to microseconds (\(10^{-6}\) seconds) than milliseconds (\(10^{-3}\) seconds).
  • We can get away with smaller keys and signatures: they can be 256 bits/32 bytes in size (just like SHA-256) rather than 2048 bits/256 bytes in size.

4.2 Diffie-Hellman Key Exchange

We have a new tool in our crypto toolbox. What can we do with this?

Here’s one option: we can use the assumption that discrete logarithms are hard as the basis for another type of public key cryptography.

Taking a slight detour from digital signatures, let’s go back to a question I raised in the first lecture. Suppose Alice wants to send data back and forth to a public website, like kaggle.com, in such a way that nobody else can read or tamper with the contents that Alice sends or receives from the server.

We already know that digital signatures can provide evidence of tampering. But what about message confidentiality?

Lock icon on kaggle.com

To solve this problem, Alice needs symmetric key encryption. (We will build it in Unit 3 of this course.)

  • This is the digital equivalent to a combination safe – it allows for two computers to exchange messages confidentially, as long as they have a shared secret that the two of them know but nobody else in the world does.
  • It is the basis for end-to-end encrypted secure messaging systems like Signal and WhatsApp.

In order to encrypt data, Alice’s computer and the kaggle.com server both need to have a secret key that nobody else in the world does.

Alice kaggle.com
\(\quad \Longleftrightarrow \quad\)

But how can they do that? If Alice and the web server could physically meet, then they could exchange secrets. But we want to enable secure communication over the Internet, which is a public network where most pairs of people (and companies) have never met before.

In the digital world, they need a secure way to exchange secrets in plain view.

“The Internet is just the world passing notes in a classroom.”

– Jon Stewart

Amazingly, this can be done! This ingenious protocol was discovered in the late 1970s by Whitfield Diffie and Martin Hellman, and it is named Diffie-Hellman key exchange in their honor. It was based on concepts developed earlier by Ralph Merkle… the same person who invented Merkle trees.

Based on the hardness of the discrete logarithm problem, here is an approach that Alice and the kaggle.com server can take.

  • Alice can choose a secret \(a\) that she keeps to herself, and send \(A = g^a\) to the server. (Remember, nobody can take \(A\) and reconstruct \(a\)… not the server, or anyone else!)
  • The kaggle.com server can choose a secret exponent \(b\) and send \(B = g^b\) to Alice.

Now, there is a shared secret that both of them can compute: \(s = g^{ab}\).

  • Alice can take the public value \(B\) and raise it to her secret exponent \(a\) to compute \(B^a = (g^b)^a = s\)
  • The server can do the opposite: \(A^b = (g^a)^b = s\)

Moreover, nobody else can compute this secret! Other people hear \(A\) and \(B\). But they don’t know – and cannot compute – either secret exponent. So as far as we know, they have no way to compute \(s\).

One caveat: the last sentence does not actually follow from the one before it. (That is, it might be possible to compute the shared secret \(s\) without ever learning the other secret exponent \(a\) or \(b\).) Nevertheless, cryptographers do believe that the final sentence is true too. This stronger claim is, appropriately enough, called the Diffie-Hellman assumption.

4.3 A Zero-Knowledge Proof

Here is another application of the math of discrete logarithms: we can build an amazing new kind of proof.

A zero knowledge proof allows a prover to convince a verifier that a particular claim is true, but without revealing the evidence for this claim!

Prover Verifier
\(\quad \longrightarrow \quad\)

Let’s see how this works in the case of discrete logarithms. Suppose that:

  • The prover chooses a secret exponent \(x\), and reveals \(g^x\) to the world
  • The prover now wants to show that she knows the discrete log of \(g^x\)… but without revealing \(x\)!

How can we do this?

The key idea is that the prover can show only discrete logarithms of values of her own choosing, and not \(g^x\) specifically. Here’s how the prover and verifier can interact.

Construction of a zero-knowledge proof that the prover knows the discrete logarithm of \(g^x\).

  1. Prover chooses a random exponent \(k\) and sends \(g^k\) to the verifier.
  2. Verifier chooses one of two challenges: it requests either
    • The discrete log of \(g^k\), or
    • The discrete log of \(g^k \cdot g^x = g^{k+x}\).
  3. Prover responds to the challenge by sending either \(k\) or \(k+x\), as appropriate.

The verifier accepts this proof only if \(g\) raised to the power of the final message equals the challenge.

We will provide a formal definition of zero knowledge proofs in a future lecture. At a high level:

  • Confidentiality holds because the prover only responded to one challenge. Either \(k\) or \(k+x\) on its own reveals nothing about \(x\).
  • Integrity holds because if the prover knows how to respond to both requests, then it knows both \(k\) and \(k+x\), and as a result must also know \(x\).

One downside of this protocol is that the prover can cheat with probability \(\frac{1}{2}\). A malicious prover Mallory can potentially know the response to one of the two requests.

  • For instance, even if she has no idea what \(x\) is, she can run the first part of the protocol honestly and she will be able to respond to a challenge to produce \(k\).
  • Then, Mallory will fool Bob if he is unlucky enough to request the discrete logarithm of \(g^k\).
  • Similarly, there is a way for Mallory to be able to produce the discrete log of only \(g^{k+x}\). (Try for yourself to see how Mallory could do this.)

To fix this problem, the prover and verifier can repeat the protocol many times until the verifier is convinced that the prover isn’t cheating.

A faster approach is to introduce more challenges that the verifier can ask.

Construction of a better zero-knowledge proof that the prover knows the discrete logarithm of \(g^x\).

  1. Prover chooses a random exponent \(k\) and sends \(g^k\) to the verifier.
  2. Verifier chooses a number \(e\) at random, and challenges the verifier to find the discrete log of \(g^k \cdot (g^x)^e = g^{k+xe}\).
  3. Prover responds to the challenge by sending \(k+xe\).

As before, the verifier accepts this proof only if \(g\) raised to the power of the final message equals the challenge.

This time, it turns out that the prover can only cheat with probability \(1/p\), where \(p\) is the modulus used for all of this arithmetic. (Remember my note from earlier: all of the exponentiations and logarithms in today’s lecture are done modulo a prime number.)

If we use a really large prime, say \(p \approx 2^{128}\), then cheating becomes practically infeasible.

4.4 Constructing a Digital Signature Algorithm

Returning back to our goal: how can we form a digital signature algorithm based on the fact that discrete logarithms are hard?

Remember that a signature scheme needs a secret key and public key, such that it is easy to go from the secret to the public key, but hard to go in the other direction.

Based on the zero knowledge proof, here’s an idea for KeyGen.

  • Secret key: sample an exponent \(x\) uniformly at random.
  • Public key: choose a base \(g\), and publish \(y = g^{x}\) as the public key.

This satisfies our criteria.

  • Starting from the secret key, we can calculate the public key through exponentiation, which is simple to do.
  • But going in the other direction requires taking a discrete logarithm, which is believed to be hard.

There are a few digital signature schemes that can be designed using keys of this form.

One of them is a NIST standard called the digital signature algorithm, or DSA. If you use an elliptic curve group to build it, then we refer to the construction as ECDSA. (Note: you will explore ECDSA signatures in Homework 2.)

Another scheme, which is related to but slightly simpler than ECDSA, is called Schnorr signatures.

I reproduce the construction of Schnorr signatures below; it is adapted from the presentation on Wikipedia. Don’t worry too much on the math details; the main ideas are the same as the zero knowledge proof we constructed earlier.

Construction of Schnorr signatures.

KeyGen works as stated above: the signer creates a secret exponent \(x\) and publishes the corresponding public key \(y = g^x\).

The signer should Sign a message \(M\) as follows:

  • Choose a random exponent \(k\) from the allowed set.
  • Let \(r=g^{k}\).
  • Let \(e = H(r, M)\), where \(H\) denotes a cryptographic hash function.
  • Let \(s = k − x e\).

The signature is the pair \(\sigma = (s, e)\).

The receiver should Verify the claimed signature \(\sigma = (s, e)\) of a message \(M\) as follows:

  1. Let \(r^* = g^{s}y^{e}\).
  2. Let \(e^* = H(r^*, M)\).

If \(e^* = e\), then accept the signature as valid. Otherwise, reject the signature as a forgery.

An observation: this signature scheme is randomized. If you request to sign the same message twice, you will likely get two different signatures back in response.

Nevertheless, all possible signatures will correctly be accepted by Verify.

Security of Schnorr signatures

Why does this construction work?

  • Correctness: if all parties are honest, it is a straightforward math calculation to check that the Sign algorithm produces a signature that passes the Verify algorithm. Try writing it out to convince yourself of this fact!
  • Unforgeability: the Schnorr signature algorithm has cleverly interwoven two hard problems here – the difficulty of solving discrete logarithms and the random oracle property of the cryptographic hash function \(H\). I will only give some intuition about the unforgeability argument here.

Put yourself in the shoes of Mallory. How would you forge a signature of a message \(M\)?

  • If Mallory picks \(s\) and \(e\) first, then that determines the value of \(r^*\) in step 1. But the cryptographic hash function “acts randomly” and it is extremely unlikely that \(H(r^*, M)\) happens to return Mallory’s chosen \(e\).
  • If Mallory picks \(r^*\) first, that determines the value of \(e = H(r^*, M)\) in step 2. Returning to step 1, you need to solve the equation \(g^{s} = r^*/y^e\) for the only remaining unknown value: \(s\). But that requires solving a discrete logarithm problem!

(Importantly: please note that there is a formal math proof that Schnorr signatures achieve EU-CMA, even though I am not showing it here.)

Size of Schnorr signatures

Finally, let’s talk about the size of Schnorr digital signatures (since this was part of the motivation of moving away from RSA signatures).

  • Using elliptic curve groups, the discrete logarithm problem is hard if the secret key \(x\) is be 256 bits, or 32 bytes, in length.
  • The two values \(s\) and \(e\) in the signature are each of length 32 bytes as well. Hence, the overall size of a Schnorr signature is 64 bytes.

By comparison: ECDSA signatures are 72 bytes long, and RSA signatures are a few hundred bytes in size.

Summary

At this point, we have two cryptographic tools at our disposal:

  • Hash functions SHA-2 and SHA-3 that satisfy collision resistance and act like a random oracle, as best as we can tell after decades of cryptanalysis and NIST certification.
  • Digital signatures like RSA, ECDSA, and Schnorr signatures that satisfy existential unforgeability under a chosen message attack if it is difficult to factor large numbers or find discrete logarithms… which we also believe to be hard math problems due to decades (or more) of cryptanalysis.

These two cryptographic tools are all we need to build a cryptocurrency – a system for digital money. We will explore cryptocurrencies next week

4.5 Group signatures

But for the rest of today, let’s discuss one nice extension of Schnorr signatures. Rather than having a single signer, suppose we want to demonstrate that a group of \(n\) people have all agreed to sign a common message \(M\).

Declaration of Independence

It’s perfectly fine for each member of the group to produce their own digital signature, and to show all \(n\) of them to the world. EU-CMA guarantees that no individual’s signature within the group can be forged.

With Schnorr signatures, there’s another way for everyone to collaborate in order to produce a single signature for the entire group.

To see how this works, let’s revisit the signing protocol Sign\((x, M)\) for Schnorr signatures, given a secret key \(x\).

  1. Choose a random exponent \(k\) from the allowed set.
  2. Let \(r=g^{k}\).
  3. Let \(e = H(r, M)\), where \(H\) denotes a cryptographic hash function.
  4. Let \(s = k − x e\).
  5. Output the pair \(\sigma = (s, e)\).

The signer must hide their long-term secret key \(x\) and one-time randomness \(k\). But the other variables can be public: \(s\) and \(e\) are part of the signature and \(r\) can be derived from them.

There are two important observations to make here.

  • Steps 2 and 4 of the protocol are linear, in the algebraic sense.
  • It is okay to post \(r\) publicly, because \(k\) is still hidden due to the discrete logarithm assumption.

Suppose that \(n\) signers each have secret keys \(x_1, x_2, \ldots, x_n\) with corresponding public keys \(y_1, y_2, \ldots, y_n\). They refuse to share their secret keys with each other. Even so, they can work together to produce a single Schnorr signature corresponding to a common public key \(y = \prod y_i = g^{x_1 + x_2 + \cdots + x_n}\).

Here’s how it works.

  • Each signer runs step 1 on their own to sample their own secret exponent \(k_i\). Then they run step 2 to compute \(r_i = g^{k_i}\).
  • The signers can share the results of step 2 and use them to produce a combined \(r = g^{\sum k_i} = \prod r_i\).
  • Everyone can run step 3, since \(r\) and \(M\) are known to everyone.
  • Each signer can compute \(s_i = k_i - x_i \cdot e\), share only \(s_i\) with the other signers, and use them to produce a combined \(s = \sum s_i\).

You can check for yourself that this exactly matches the Schnorr signature protocol, thanks to linearity!

This is one instance of a very powerful phenomenon:

Many people, each with their own private data that they do not wish to share, can still perform data analysis collaboratively and only reveal the result!

We will study this idea in far more detail in Unit 4 of this course.