More Efficient DDH Pseudorandom Generators Hongsong Shi1,2 , Shaoquan Jiang1,2 , and Zhiguang Qin1 [email protected], [email protected], [email protected] 1

School of Computer Science & Engineering University of Electronic Science and Technology of China, ChengDu, China 610054 2 Center for Information Security and Cryptography (CISaC) University of Calgary, Calgary, Canada T2N 1N4

Abstract. In this paper, we first show a DDH Lemma, which states that a multi-variable version of the decisional Diffie-Hellman problem is hard under the standard DDH assumption, where the group size is not necessarily known. Our proof, based on a self-reducibility technique, has a small reduction complexity. Using DDH Lemma, we extend the FSS pseudorandom generator of Farashahi et al. to a new one. The new generator is almost twice faster than FSS while still provably secure under the DDH assumption. Using the similar technique for the RSA modulus, we improve the Goldreich-Rosen generator. The new generator is provably secure under the factoring assumption and DDH assumption over Z∗N . Evidently, to achieve the same security level, different generators may have different security parameters (e.g., distinct length of modulus). We compare our generators with other generators under the same security level. For simplicity, we make comparisons without any pre-computation. As a result, our first generator is the most efficient among all generators that are provably secure under standard assumptions. It has the similar efficiency as Gennaro generator, where the latter is proven secure under a non-standard assumption. Our second generator is more efficient than Goldreich-Rosen generator.

1

Introduction

A pseudorandom generator (PRG) is an easy-to-compute function that stretches a short random string into a long string that “looks” like a random string to any probabilistic polynomial time adversary. Pseudorandom generators have many applications in cryptography. For example, it itself is a symmetric cryptosystem, and can be used to construct pseudorandom functions and permutations [14, 26], statistically binding bit commitment protocols [27], and more. In the following, we mainly review the literature of number-theoretic PRGs, and refer the reader to [4, 8, 18, 19, 37] for others. Related works. Blum and Micali [6] constructed the first provably secure pseudorandom generator assuming the hardness of the discrete-log problem in Z∗p (p is an n-bit large prime). In each iteration i, the generator outputs the most significant (hard-core) bit of xi , and iterates xi+1 = g xi (mod p) with seed x1 ← {0, 1}n . Although very inefficient, the construction method provides an iterationbased paradigm for studying pseudorandom generators. Later, Long and Wigderson [25] and Peralta [29] improved it to output O(log n) most significant bits of xi in each iteration. By basing on Discrete Log with Short Exponents(c-DLSE) assumption [28], Gennaro [13] improved the PS generator [28] to extract almost n − c − 1 bits per modular exponentiation with only c-bit length exponent, where c = ω(log n) as mentioned in [34]. Asymptotically, it can output Θ(n) bits per multiplication, and is the most efficient PRG based on the variant of discrete-log problem while its security assumption c-DLSE is not well studied. RSA composite based pseudorandom generators have been extensively studied in the literature. Blum, Blum and Shub [5] constructed the first one called BBS generator, which is proven secure under the intractability assumption of deciding the quadratic residuosity in Z∗N (N is an n-bit

Blum integer). This generator outputs the least significant bit of xi in each iteration i, and iterates xi+1 = x2i (mod N ) with x1 ← {0, 1}n . By proving that the O(log n) least significant bits of Rabin (and RSA) function are simultaneously secure, [1, 11, 33] improved it to produce O(log n) bits per iteration. The improved scheme is among the most efficient constructions based on standard number-theoretic assumptions and with the same length of modulus. By introducing a non-standard assumption (the (δ, ²)-Small Solution RSA Problem), Steinfeld et al. [34] simplified the proof of [11] and proposed a generator which outputs cn bits per multiplication for some c < 1/6. This construction is asymptotically more efficient than Gennaro’s scheme [13]. The decisional Diffie-Hellman (DDH) assumption has already been used in constructing PRGs in recent years. Jiang [20] presented the first efficient and explicit generator based on DDH assumption in the subgroup of quadratic residue of Z∗p (p is an n-bit large prime). The generator can asymptotically output almost n bits per 2 exponentiations. Farashahi, Schoenmakers and Sidorenko [12] later independently presented a DDH generator in Z∗p with a similar performance. Our approach. We investigate how to design efficient pseudorandom generators based on standard number-theoretic assumptions. Our approach is based on the following observations. (1) The FSS generator [12] reuses the exponent to produce pseudorandom bits, such that every two exponentiations can output almost n bits. We notice the same exponent can be reused many times (instead of two) such that on average one exponentiation can produce almost n bits. (2) Based on factoring assumption for n bits RSA modulus N , Goldreich and Rosen [15] proved that (N, g, g x ) for x ∈R {0, 1}n/2 is indistinguishable from (N, g, g x ) for x ∈R {0, 1}ord(g) . From this, they proposed a generator (Goldreich-Rosen generator) that extracts almost n/2 pseudorandom bits per modular exponentiation of n/2-bit exponent. We then show that our randomness reuse technique can improve this generator to be twice faster. Randomness reuse was considered by [3] to improve the efficiency of multi-recipient public key cryptosystem. One of their concrete scheme is to extend ElGamal encryption with randomness reuse to the multi-recipient setting. The technique in this extension implies a proof of our DDH Lemma mentioned below for the case the group order is known. Main results. Our results can be described as follows. 1. We first show a DDH Lemma which states that a multi-variable decisional Diffie-Hellman problem is hard under the standard DDH assumption (see Section 3 for detail), where the group size is not necessarily known. This lemma plays a key role in constructing our generators. We point out that the proof of this lemma for the case the group size is known can be extracted from the proof of Theorem 7.3 in [3]. 2. Using the DDH Lemma, we construct a generator E(NGp ) in the quadratic residue group of Z∗p . Our generator is to extend FSS generator through randomness reuse. It can output about n − 3 bits per exponentiation of exponent length n. It is about twice faster than FSS generator. Using DDH Lemma, we construct the second generator PRGN based on the factoring assumption and DDH assumption in Z∗N , which is an improvement on Goldreich-Rosen generator [15]. PRGN can produce about n bits per exponentiation of exponent length n/2. 3. We notice that, to achieve the same security level, different generators may have different security parameters (e.g., distinct length of modulus). We thus compare our generators with other generators under the same security level. As a result, our first generator E(NGp ) is the most efficient among all generators that are provably secure under standard assumptions. For generators under non-standard assumptions, E(NGp ) has the similar efficiency as the Gennaro generator 2

but is less efficient than SPW generator [34]. However, since non-standard assumptions are not well studied, security parameters chosen according to the said assumption are not necessarily accurate. Our second generator is twice more efficient than Goldreich-Rosen generator [15]. 1.1

Organization

The paper is organized as follows. In Section 2 we introduce notations and definitions. Section 3 extends the standard DDH problem to an m-variable form and prove the fundamental DDH Lemma. Section 4 proposes two constructions based on the DDH Lemma and proves their security. In Section 5 we analyze the concrete performance of the proposed schemes.

2

Definitions

For any integer n > 0, we denote by Un a random variable that is uniformly distributed over {0, 1}n , and by x ← S the value x randomly chosen from a set S. We use |x| to denote the binary length of integer x. The notation log x means log2 (x), and ln x means the natural logarithm of x. For any n set Ω, define Ω ∗ = ∪∞ n=0 Ω to be the set of all possible strings over Ω. For two random variables X, Y over a finite set V , we define the probability distance between X and Y as def

∆(X, Y ) =

1X | Pr[X = v] − Pr[Y = v]|. 2

(1)

v∈V

It is easy to show that Eq.(1) is equivalent to ∆(X, Y ) = maxS⊆V {Pr[X ∈ S] − Pr[Y ∈ S]} .

(2)

We denote by Zn = {0, . . . , n − 1} the additive group modulo n, and by Z∗n = {m | m ∈ Zn ∧ m is relatively prime to n} the multiplicative group modulo n. In this paper, unless otherwise specified, the runtime of an algorithm always means its worst-case running time. 2.1

Indistinguishability

Indistinguishability for ensembles in the case of encryption first appeared in Goldwasser and Micali [17]. The general notion (including pseudorandomness) was first due to Yao [37]. Intuitively, two objects are indistinguishable if no efficient algorithm tells them apart. In our work, we need to argue the concrete security. Thus, we specify the concrete running time of the algorithm and its concrete advantage of distinguishability. Specifically, Definition 1. Let X and Y be two random variables over a finite alphabet V . X and Y are said to be (T, ²)-indistinguishable, if for any ( probabilistic) algorithm D with runtime bounded by T , |Pr[D(X) = 1] − Pr[D(Y ) = 1]| ≤ ². In this paper, we use Adv(D) = | Pr[D(X) = 1] − Pr[D(Y ) = 1]| to denote the advantage of D in distinguishing X and Y . Indistinguishability and probability distance have the following simple relation. Lemma 1. Let X and Y be two random variables over a finite alphabet V . Then X and Y are (T, ∆(X, Y ))-indistinguishable for any T > 0. 3

P Proof. For any random variable Z over V , Pr[D(Z) = 1] = v∈V Pr[Z = v] Pr[D(v) = 1], where Pr[D(Z) = 1] is calculated over coins of D and the distribution of Z while Pr[D(v) = 1] only depends on coins of D. The calculation can be done since the number of coins used by D is finite (recall that its runtime is bounded by T ). Let V + = {v | Pr[X = v] ≥ Pr[Y = v], v ∈ V }. We have |P Pr[D(X) = 1] − Pr[D(Y ) = 1]| P = | v∈V Pr[X = v] Pr[D(v) = 1] − v∈V Pr[Y = v] Pr[D(v) = 1]| ≤ max {A, B} (∗) P ≤ v∈V + (Pr[X = v] − Pr[Y = v]) ≤ maxS⊆V (Pr[X ∈ S] − Pr[Y ∈ S]) = ∆(X, Y ), P P where A = v∈V + Pr[D(v) = 1](Pr[X = v] − Pr[Y = v]) and B = v∈V P \V + Pr[D(v) = 1](Pr[Y = v] − Pr[X = v]). Inequality (∗) uses the fact that Pr[D(v) = 1] ≤ 1 and v∈V + (Pr[X = v] − Pr[Y = P v]) = v∈V \V + (Pr[Y = v] − Pr[X = v]). ¥ 2.2

Pseudorandom Generator

Essentially, a pseudorandom bit generator is a primitive that maps a short secret to a long binary string such that no efficient algorithm can tell it apart from a uniformly random string of the same length. In this paper, pseudorandom bit generator is called pseudorandom generator (PRG) for short. Formally, Definition 2. Let D ⊆ {0, 1}n . Let X be a random variable uniformly distributed over D. An efficiently computable deterministic algorithm G : D → {0, 1}∗ is said to be a (T, ²)-pseudorandom generator (PRG) if G(X) and U` are (T, ²)-indistinguishable for X ← D, where ` = |G(X)|. X is called the seed of the generator G. A PRG is only interesting if |G(X)| > n since in this case it generates new “randomness”. A similar notion of PRG is pseudorandom number generator. Let Q be a set and W` be a random variable uniformly distributed over Q` . An efficiently computable deterministic algorithm G : D → Q∗ is said to be a (T, ²)-pseudorandom number generator (PRNG) over Q if G(X) and W` are (T, ²)-indistinguishable for X ← D, where ` is the integer such that G(X) ∈ Q` . 2.3

Randomness Extractor

In this paper, we use randomness extractor to transform pseudorandom number generators into pseudorandom generators. Intuitively, a randomness extractor is a function that extracts almost truly random bits from a weakly random source. The randomness of a weakly random distribution is quantified by its min-entropy, where a random variable X over set V has min-entropy at least κ if for any x ∈ V , Pr[X = x] ≤ 2−κ . Definition 3. A (κ, ²)-randomness extractor is a function E : V ×{0, 1}r → {0, 1}` such that for every random variable X over finite alphabet V with min-entropy ≥ κ it holds that ∆(E(X, Ur ), U` ) ≤ ². An extractor E is deterministic if r = 0, that is, it uses no any extra randomness. Recent developments on randomness extractor have presented many explicit constructions; See [22, 16, 31]. In this paper, we will use only deterministic randomness extractors. 4

2.4

Decisional Diffie-Hellman Assumption

Let G be a large finite cyclic group and let g be a random generator for it (i.e., hgi = G). Let ord(g) denote the order of g and thus ord(g) = |G|. Here |G| might be known, or unknown (e.g., G = Z∗N when N is a RSA number with unknown factorization). Consider two random variables DH = (g, g x , g y , g xy ) for x, y ← Zord(g) and Rand = (g, g x , g y , g z ) for x, y, z ← Zord(g) . The former is called Diffie-Hellman tuple and the latter is called a random tuple. They are related by the famous decisional Diffie-Hellman assumption, which essentially says that no efficient algorithm can tell them apart. Formally, Definition 4. The decisional Diffie-Hellman (DDH) assumption is said to hold on G with parameter (T, ²) (or (T, ²)-DDH, for short) if DH and Rand are (T, ²)-indistinguishable. Now we recall two important classes of group, over which DDH assumption is believed to hold. DDH in Z∗p . Let p, q be two large primes and p = dq + 1, where d ∈ N is small. Let G be the subgroup of Z∗p of order q. Let g be a generator of G. DDH problem over G is believed to be hard. The security of Diffie-Hellman key exchange protocol [10] is based on this. DDH in Z∗N . Let N = pq be a RSA composite, where p = 2p0 + 1, q = 2q 0 + 1, p0 , q 0 are large 0 0 primes, and p 6= q . Let G be the quadratic residue subgroup of Z∗N . The order of G is p0 q 0 . Let g be a random generator of G. DDH problem over G is believed to be hard [7] too.

3

DDH Lemma

DDH assumption states that (g, g x , g y , g xy ) is indistinguishable from (g, g x , g y , g z ) for random x, y, z. In this section, we consider a natural extension of this problem to the multi-variable setting. Roughly, given random generators g, h1 , . . . , hm in G, we show (g, {hi }, g x , hx1 , . . . , hxm ) is indistinguishable from (g, {hi }, g x , hx1 1 , . . . , hxmm ), for x, x1 , . . . , xm random in Zord(g) , where the order of G (or ord(g)) is not necessarily known. We first prove a lemma. Lemma 2. Assume n, A ∈ N and A ≤ 2n . Let x, x0 be two random variables uniformly distributed over {0, 1, . . . , A − 1} and {0, 1, . . . , 22n − 1}, respectively. Let (x0 )A be the residue of x0 modulo A. Then ∆(x, (x0 )A ) ≤ 2−n . Proof. Let 22n = Q · A + r for 0 ≤ r < A and Q ∈ Z. Then for any z ∈ {0, 1, . . . , r − 1}, there are Q+1 numbers in {0, 1, . . . , 22n −1} with residue z modulus A (that is, i·A+z, for i = 0, . . . , Q). For any z ∈ {r, . . . , A−1}, there are Q numbers in {0, 1, . . . , 22n −1} that have residue z modulus A (that 2n −r+A is, i · A + z, for i = 0, . . . , Q − 1). Thus, for 0 ≤ z < r, (x0 )A = z with probability Q+1 = 2 A·2 ; for 2n 22n Q 22n −r 0 0 r ≤ z ≤ A − 1, (x )A = z with probability 22n = 22n ·A . Note in any case, (x )A = z with probability PA−1 −2n 1 −2n for some −1 < δ ≤ 1. Thus, ∆(x, (x0 ) ) ≤ = 2A2n ≤ 2−n . ¥ A z=0 2 A +δ·2 In proving the lemma below, we need a self-reduction algorithm Rud∗x (g, g a , g b , g c ) for x = 0, 1 (See Appendix A for details). Essentially, given (g, g a , g b , g c ), this algorithm outputs a tuple 0 0 0 (g a , g b , g c ) with the following property. For x = 0, if (g, g a , g b , g c ) is Diffie-Hellman tuple, then 0 0 0 (g, g a , g b , g c ) is a random Diffie-Hellman tuple with a0 = a; conversely, if (g, g a , g b , g c ) is random 0 0 0 tuple, then (g, g a , g b , g c ) is a random tuple with a0 = a. For x = 1, if (g, g a , g b , g c ) is Diffie0 0 0 Hellman tuple, then (g, g a , g b , g c ) is a random Diffie-Hellman tuple; conversely, if (g, g a , g b , g c ) is 0 0 0 random tuple, then (g, g a , g b , g c ) is a random tuple. When |G| is known, Rud∗x degenerates into 5

an algorithm Rudx that was proposed in [2, 32]. Our Rud∗x is obtained by generalizing Rudx to the setting where |G| is not necessarily known. We achieve this using Lemma 2. Lemma 3. [DDH Lemma] Let g, h1 , . . . , hm be random generators of G. |G| ≤ 2n for some known n ∈ N (|G| might be unknown). Then under (T, ²)-DDH assumption, (g, {hi }, g x , hy11 , . . . , hymm ) is (T 0 , ²0 )-indistinguishable from (g, {hi }, g x , hx1 , . . . , hxm ), where x, y1 , . . . , ym are uniformly random in Zord(g) , T 0 = T − 8mte , ²0 = ² + 3m2−n and te is the running time of exponentiation in G with exponent length n. Proof. Assume A can violate the lemma. We construct an adversary D to break (T, ²)-DDH assumption. Given parameters g and challenge (α, β, γ), D does the following. For j = 1, . . . , m, D runs (α, µj , νj ) ← Rud∗0 (g, α, β, γ) and define hj = µj , γj = νj . Finally, he feeds (g, h1 , . . . , hm ) and challenge (α, γ1 , . . . , γm ) to A, and outputs whatever A does. From Lemma 8 in Appendix A, except for probability 3m2−n , the following holds. When (g, α, β, γ) is a DH tuple, the challenge tuple is distributed as (g, {hi }, g x , hx1 , . . . , hxm ); when (g, α, β, γ) is a random tuple, the challenge tuple is distributed as (g, {hi }, g x , hy11 , . . . , hymm ) for x, y1 , . . . , ym uniform in Zord(g) . Therefore, when A has a success advantage ²0 , D has advantage at least ²0 − 3m2−n . Since each execution of Rud∗0 needs 8 exponentiations with n-bit exponent by the square-multiply method (See Appendix A for details about Rud∗x ), it follows that the running time of D is T = T 0 + 8mte . This contradicts the assumption of (T, ²)-DDH. ¥ Remark. Observe that in proving the above lemma we omit the costs of selecting random group elements, computing constant number of modular multiplications, and the costs of reading inputs and outputs, etc, since these costs are inessential in comparison with modular exponentiations with large size exponents. This convention will also be adopted later in this paper. We remark that a proof of our DDH Lemma for the case that ord(g) is known (or simply Corollary 1 below) can be extracted from the proof of Theorem 7.3 in [3], where they showed that (g x , hx1 M1 , · · · , hxm Mm ) is a multi-recipient public key cryptosystem. When |G| is known, the algorithm Rud0 in Appendix A has the property that the output (g, α, µ, ν) has exactly the same distribution as (g, α, β, γ). Also Rud0 needs only 4 exponentiations. By a similar argument as Lemma 3, we have the following. Corollary 1. Keep the notions in Lemma 3. Assume |G| is known. Then under (T, ²)-DDH assumption, (g, {hi }, g x , h1y1 , . . . , hymm ) is (T 0 , ²)-indistinguishable from (g, {hi }, g x , hx1 , . . . , hxm ), where x, y1 , . . . , ym are uniformly random in Zord(g) , T 0 = T −4mte and te is the runtime of exponentiation in G with exponent length log |G|.

4

Our Pseudorandom Generators

In this section, we propose two pseudorandom generators provably secure under the DDH assumption. The first one is an improved generator of [12] and based on the exponentiation technique in Z∗p . It is nearly twice faster than [12]. The second is an improved generator of [15] and is based on exponentiation technique modulo a RSA composite N . It is about twice faster than [15]. 4.1

Pseudorandom Generator from Z∗p

Let p, q be primes satisfying p = 2q + 1, |p| = n. Let G be the subgroup of Z∗p of order q. In this subsection, we are going to construct an efficient pseudorandom generator over G. We first 6

introduce the function | · |p : G → Zq , defined as for any x ∈ G (especially, x is not from Z∗p ),  if 1 ≤ x < q, x |x|p = p − x if q + 2 ≤ x < p,  0 otherwise. From [21, 9], it is a one-one and onto mapping. Farashahi et al. [12] proposed a decisional Diffie-Hellman assumption based pseudorandom generator (or FSS, for short). This generator is obtained by applying randomness extraction [22] to their proposed pseudorandom number generator (or FSS-PRNG, for short) below. Let s ∈ Zq be the secret seed. Let g, h be two random generators in G. Set s0 = s. For j > 0, define sj = |g sj−1 |p and σj = |hsj−1 |p . The output sequence is defined as σ1 , σ2 , . . . . A related DDH generator was previously proposed by Jiang [20] and FSS generator has a similar performance as [20]. We mainly refer [12] here since our generator is to improve it. Notice that the FSS-PRNG generator can output one field element for every two modular exponentiations. The idea in this generator is that since σj is computationally independent of sj , it follows that outputting σj does not leak any information about sj . However, one update of sj only permits to output one element σj . This seems to waste the updating cost of sj . Regarding DDH Lemma, we actually can introduce many independent and uniformly random generators (of G) h1 , . . . , hm (instead of one s s h) and output all |h1j−1 |p , . . . , |hmj−1 |p . In this way, one update of sj admits to output m elements and thus improves the efficiency. The formal description follows. Construction 1. Let s ∈ Zq be the secret seed. g, h1 , . . . , hm are independent uniformly random s generators from G. Set s0 = s. For j > 0, define sj = |g sj−1 |p and σ(j−1)m+i = |hi j−1 |p , i = 1, . . . , m. The output is defined as σ1 , σ2 , . . . . We denote this generator by NGp . Using Corollary 1, we now show that NGp is a PRNG. Theorem 1. Let m, ` > 0, |p| = n. Let R be uniformly random in Zm` q . Then, under (T, ²)-DDH assumption, σ1 , . . . , σm` generated by NGp is (T 0 , ²0 )-indistinguishable from R, where T 0 = T − ((3 + `)m + ` − 1)te and ²0 = `², where te is the runtime of exponentiation in G with an n-bit exponent. In addition, NGp outputs one element in Zq for every (1 + 1/m) modular exponentiations in Z∗p . Proof. If an adversary A of runtime T 0 can distinguish NGp with probability `², we construct a (T − 4mte , ²)-distinguisher D to violate Corollary 1. To do this, for each u = 0, . . . , `, we define a (u) variant NGp of NGp , where σ1 , . . . , σmu are taken uniformly random in Zq while σmu+1 , . . . , σm` (0) are generated using NGp starting with su ← Zq . It is immediate that NGp is distributed according (`) to NGp while NGp is uniformly random in Zm` q . Given generators (g, h1 , . . . , hm ) and challenge (α, γ1 , . . . , γm ), D normally takes u ← {1, . . . , `}, then takes σ1 , . . . , σm(u−1) uniformly random from Zq , define σm(u−1)+i = |γi |p for i = 1, . . . , m. Let su = |α|p . σmu+1 , . . . , σm` are computed normally as in NGp from su . Finally, D feeds (σ1 , . . . , σm` ) to A and outputs whatever A does. It is immediate that when the input is a random tuple, then (u) (u−1) the view by A is distributed as NGp ; otherwise it is distributed as NGp . Therefore, we have ¯P ³ ´¯ ¯ ¯ (u−1) (u) Adv(D) = 1` ¯ 1≤u≤` Pr[A(NGp ) = 1] − Pr[A(NGp ) = 1] ¯ ¯ ¯ ¯ ¯ (0) (`) = 1` ¯Pr[A(NGp ) = 1] − Pr[A(NGp ) = 1]¯ = Adv(A)/` = ². 7

Now since sampling an element in Zq and computing | · |p are much cheaper than exponentiation in Z∗p , the runtime of D is dominated by running A and (m + 1)(` − 1) exponentiations. That is, D has a runtime T 0 + (m + 1)(` − 1)te < T − 4mte . This contradicts Corollary 1. ¥ We have shown that NGp is a pseudorandom number generator, where each element σi is in Zq . But what we need is to have a pseudorandom bit generator. To do this, we adopt the deterministic randomness extractor [22] to convert NGp into a pseudorandom bit generator. This algorithm has also been adopted in [12]. Observe that the original extractor is to extract random bits from a biased die by first converting the biased die into an unbiased one and then extracting randomness from the unbiased one. In our case, we only need the second part which is introduced as follows. E : Zq → {0, 1}∗ . sκ−1

Let q be presented in a binary as sκ−1 · · · s0 , where hP stringP i si ∈ {0, 1} and i−1 i−1 j j i = 1 is the most significant bit. Define Ai = j=0 sj 2 , j=0 sj 2 + si 2 − 1 , i = 0, . . . , κ−1.

That is, {0, 1, . . . , q − 1} is decomposed into subsets A0 ∪ A1 ∪ · · · ∪ Aκ−1 suchPthat |Ai | = si 2i . i−1 Especially, if si = 0, then Ai = ∅; otherwise, |Ai | = 2i . For any x ∈ Ai , let x = j=0 sj 2j + x0 for 0 ≤ x0 ≤ si 2i − 1 = 2i − 1. Then define E(x) = x0 in the i-bit binary representation. Lemma 4. [22] Let U be uniformly random in Zq , q be a κ-bit number. Then E(U ) is uniform random in {0, 1}|E(U )| and on average |E(U )| ≥ κ − 2. With E, our actual pseudorandom generator from Z∗p is as follows. Construction 10 . Let s ∈ Zq be the secret. Run NGp (s) to generate σ1 , σ2 , . . . . Then the generator’s output is defined to be E(σ1 )E(σ2 ) · · · . Denote this generator by E(NGp ). Note from Lemma 4, when the input sequence to E is uniform in Zq , then the output is uniformly random bits string. Thus, the extraction process does not cause any bias. Based on this fact, the following is easy. Theorem 2. Keep m, `, n as in Theorem 1. Then under (T, ²)-DDH assumption, E(NGp ) is (T 0 , ²0 )pseudorandom generator, where T 0 = T − ((3 + `)m + ` − 1)te and ²0 = `². In addition, E(NGp ) outputs on average (n − 3)m/(m + 1) bits per modular exponentiation in Z∗p . Proof. The proof is the same as in Theorem 1, except that the input to the distinguisher is E(σ1 ) · · · E(σm` ) (instead of σ1 , σ2 , . . . , σm` ). The cost to compute E is negligible (compared with te ) and ignored. ¥ Remark. Although precomputation can make the generator faster, for simplicity, we only consider the efficiency without precomputation. In this setting, one exponentiation (by a square-and-multiply method) on average needs n squarings and n/2 multiplications. Assuming one squaring costs 0.8 multiplication, our generator can generate ((n − 3)m/(m + 1))/(0.8n + 0.5n) ≈ 0.73 bit per multiplication for m = 20 and n ≥ 1024. Here we choose m = 20 since m/(m + 1) = 0.95 is close to 1 while the storage for g, p, h1 , . . . , hm is just a few KBytes (e.g., 4.98KBytes is required when n = 1810, See Section 5.2). It is twice faster than FSS generator [12] and that of Jiang [20]. Detailed discussions about the selection of n and comparisons with other generators can be found in Section 5.2. 8

4.2

Pseudorandom Generator from Z∗N

Let N = p · q be an n-bit RSA number, where p, q be large primes. Blum et al. [5] constructed a pseudorandom generator by iterating x2 mod N and extracting the least significant bit of x. Thus, this generator outputs one bit for each squaring. Let g be a random element in Z∗N . Goldreich and def

def

Rosen [15] showed that Full0n = (N, g, g R ) for R ← Zord(g) and Half0n = (N, g, g r ) for r ← {0, 1}n/2 are indistinguishable. Based on this result, they proposed a pseudorandom generator under the standard factoring assumption which can output n/2 − O(log2 n) bits per modular exponentiation with n/2-bit exponent. In the following, we show how to improve the efficiency using the technique in the last subsection. We first introduce the Goldreich-Rosen’s main theorem in [15]. Lemma 5. [15] Assume no adversary can break the factoring assumption in time T with probability ². Let N = p · q be a randomly selected n bits RSA modulus and g is randomly taken from Z∗N . |p| = |q|. Then Half0n = (N, g, g x ) for x ← {0, 1}n/2 and Full0n = (N, g, g y ) for y ← Zord(g) is (T 0 , ²0 )-indistinguishable, where T 0 = 23 n−7 ²4 T − 2ntm , ²0 = 8n², and tm is the running time of multiplication modulo N. In this paper, we are more interested in the case that g is a random quadratic residue. Lemma 5 simply implies the following Corollary. Corollary 2. Let p = 2p0 + 1, q = 2q 0 + 1 and p0 6= q 0 . Let N, T, T 0 , ², ²0 , n and relations be defined as in Lemma 5, except ²0 = 8n² + 2−n/2+4 . Let G be the quadratic residue subgroup of Z∗N . g is a random generator of G. Halfn (resp. Fulln ) is Half0n (resp. Full0n ) under the revised g. Then, Halfn and Fulln are (T 0 , ²0 )-indistinguishable. Proof. Let A violate the corollary. Then an adversary A0 can violate Lemma 5 as follows. Upon receiving (N, g 0 , α), A0 invokes A with (N, g 0 2 , α2 ) and outputs whatever A does. Since g 0 is uniform in Z∗N , g 0 2 is a random quadratic residue in Z∗N and its does not have order p0 q 0 with probability at most 1/p0 + 1/q 0 < 2−n/2+3 . Therefore, the difference between the success advantages of A0 and A is at most 2−n/2+4 . Ignoring two squarings, they have the same runtime. ¥ When N = pq and p, q are primes, we can extend the above result to the multiple bases case. Lemma 6. Assume no adversary can break the factoring assumption in time T with probability ². Let N = p · q be a randomly selected n-bit RSA modulus. p = 2p0 + 1, q = 2q 0 + 1, p0 6= q 0 are primes. |p| = |q|. Let G be the quadratic residue subgroup of Z∗N . Let g, h1 , . . . , hm be unidef

n

def

m x x x 2 formly random generators of G. Let DHm 1/2 = (g, {hi }, g , h1 , . . . , hm ) for x ← {0, 1} , DH1 = m m (g, {hi }, g x , hx1 , . . . , hxm ) for x ← Zord(g) . Then, DH1/2 and DH1 are (T 00 , ²00 )-indistinguishable, where ²00 = 8n² + m2−n+1 + (m + 1)2−n/2+4 and T 00 = 23 n−7 ²4 T − 2ntm − 4mte , te is the runtime of exponentiation with n-bit exponent and tm is the runtime of multiplication modulo N . m 00 00 Proof. If DHm 1/2 and DH1 can be distinguished by A in time T with probability ² , then we can construct algorithm B to distinguish Halfn and Fulln as follows. When provided with (N, g, α), B does the following. He takes x1 , . . . , xm ← {0, 1}2n , computes hi = g xi , βi = αxi . Finally he provides (α, β1 , . . . , βm ) together with (N, g, h1 , . . . , hm ) to A and outputs whatever A does. Note 0 0m to be the input to A when α = g r for some r ← {0, 1}n/2 ; DH1m to hi = g (xi )ord(g) . Denote DH1/2

9

be the input to A when α = g r for r ← Zord(g) . Then, the advantage of B is 0

0

m | Pr[A(DH1/2 ) = 1] − Pr[A(DH1m ) = 1]| 0m m m ≥ | Pr[A(DHm 1/2 ) = 1] − Pr[A(DH1 ) = 1]| − | Pr[A(DH1/2 ) = 1] − Pr[A(DH1/2 ) = 1]| 0m −| Pr[A(DH1 ) = 1] − Pr[A(DHm 1 ) = 1]| (∗)

≥ Adv(A) − 2m(2−n + 2−n/2+3 ) = ²00 − m(2−n+1 + 2−n/2+4 ) = 8n² + 2−n/2+4 .

Inequality (∗) is justified as follows. For each 1 ≤ i ≤ m, g xi has a probability distance less than 2−n from a random element in G from Lemma 2, while it is not a generator of G with probability 0m 0m m bounded by 2−n/2+3 . By Lemma 1, | Pr[A(DH1/2 ) = 1] − Pr[A(DHm 1/2 ) = 1]| ≤ ∆(DH1/2 , DH1/2 ), 0

which is thus bounded by m(2−n + 2−n/2+3 ). Similarly, we have | Pr[A(DH1m ) = 1] − Pr[A(DHm 1 )= 1]| ≤ m(2−n + 2−n/2+3 ). B has a runtime T 0 = T 00 + 4mte ≤ 23 n−7 ²4 T − 2ntm , where te is the runtime to exponentiation modulus N with n-bit exponent (exponentiation of 2n-bit exponent is twice time-consuming as one of n-bit exponent). This contradicts Corollary 2. ¥ From Lemma 6 and Lemma 3, we have the following. Corollary 3. Let N be defined in Lemma 6 and G be the quadratic residue group of Z∗N . g is a random generator of G. Assume (T ∗ , ²)-DDH assumption holds in G and no adversary of m x x1 xm time T can factor N with probability ². Then, DHm 1/2 and Rand1 = (g, {hi }, g , h1 , . . . , hm ) for x, x1 , . . . , xm ← Zord(g) are (T 000 , ²000 )-indistinguishable, where ²000 = (8n + 1)² + 5m2−n + (m + 1)2−n/2+4 and ½ ¾ 2 −7 4 000 ∗ T = min n ² T − 2ntm − 4mte , T − 8mte . 3 In fact, we also prove the following interesting result although we will not use it in this paper. Lemma 7. Let N, G and g be defined above. Assume no adversary of time T can factor N with n def def probability ². Let DH1/2×1/2 = (g, g x , g y , g xy ) with x, y ← {0, 1} 2 and DH1 = (g, g x , g y , g xy ) for x, y ← Zord(g) . Then DH1/2×1/2 and DH1 are (T 0 , 16n² + 3 · 2−n/2+4 + 2−n+1 )-indistinguishable, where T 0 = 23 n−7 ²4 T − 2ntm − 4te . Proof. Toward contradiction, suppose A is an adversary distinguishing DH1/2×1/2 and DH1 in runtime T 0 . We first show that | Pr[A(DH1/2×1/2 ) = 1] − Pr[A(DH1/2 ) = 1]| ≤ 8n² + 2−n/2+4 . Otherwise, adversary B can be constructed to distinguish Halfn and Fulln as follows. When provided with (N, g, α), it simply takes x ← {0, 1}n/2 and feeds A with (g, g x , α, αx ) and N . Finally, he outputs whatever A does. When Halfn = (N, g, α), the input is DH1/2×1/2 ; when Fulln = (N, g, α), the input is DH1/2 . Thus, the advantage of B is | Pr[A(DH1/2×1/2 ) = 1]−Pr[A(DH1/2 ) = 1]| > 8n²+ 2−n/2+4 . Further, the runtime of B is T 0 + te ≤ 32 n−7 ²4 T − 2ntm , where notice two exponentiations with an n/2-bit exponent has time te . This contradicts Corollary 2. From Lemma 6, | Pr[A(DH1/2 ) = 1] − Pr[A(DH1 ) = 1]| ≤ 8n² + 2−n/2+5 + 2−n+1 for A with time bound T 0 = 23 n−7 ²4 T − 2ntm − 4te . | Pr[A(DH1/2×1/2 ) = 1] − Pr[A(DH1 ) = 1]| ≤ | Pr[A(DH1/2×1/2 ) = 1] − Pr[A(DH1/2 ) = 1]| +| Pr[A(DH1/2 ) = 1] − Pr[A(DH1 ) = 1]| ≤ 16n² + 3 · 2−n/2+4 + 2−n+1 . ¥ 10

With the preparation above, we are now ready to introduce our new construction of pseudorandom generator. The basic idea is to apply the strategy in Construction 1 to Goldreich-Rosen generator [15] and then pass it through a Goldreich-Wigderson randomness extractor [16]. As our presentation does not need the details of Goldreich-Wigderson extractor, we will not introduce it for simplicity. We refer interested readers to [16]. The formal description follows. Construction 2. Let N = pq, where p = 2p0 + 1, q = 2q 0 + 1, p0 6= q 0 are primes. Let m ∈ N. Assume |N | = n. Take s ← {0, 1}n/2 . Let G be the quadratic residue subgroup of Z∗N . Take 2 independent and uniformly random generators g, h1 , . . . , hm from G. Let £ : G → {0, 1}n−log n be a Goldreich-Wigderson extractor over G (it is a (n − log2 n, n− log n )-randomness extractor; See [16]). Initially, s0 = s. For i = 0, 1, . . . , the generator works as follows. Parse £(g si ) = ai ||si+1 , 2 where si , si+1 ∈ {0, 1}n/2 , ai ∈ {0, 1}n/2−log n , and notation “||” denotes the concatenation of two bit strings. Iteration i outputs ai , £(hs1i ), £(hs2i ), . . . , £(hsmi ). That is, the generator outputs a0 , £(hs10 ), £(hs20 ), . . . , £(hsm0 ), a1 , £(hs11 ), £(hs21 ), . . . , £(hsm1 ), . . . ,

(3)

Denote this generator by PRGN . Remark. Observe that Fulln has min-entropy blog p0 q 0 c > n − 4 > n − log2 n (for n > 4), then £ can be used to extract random bits contained in g si and {hsj i }, j = 1, · · · , m. Theorem 3. Let N, G be defined before. Assume no adversary factors N in time T with probability ². Assume (T ∗ , ²)-DDH assumption holds over G. £ is a Goldreich-Wigderson randomness extractor (i.e., (n − log2 n, n− log n )-extractor). Then the output by the first ` iterations in PRGN is (T 0 , ²0 )indistinguishable, where ²0 = (8n + 1)`² + 5m`2−n + (m + 1)`(n− log n + 2−n/2+4 ) and ½ 0

T = min

¾ 2 −7 4 1 1 ∗ n ² T − 2ntm − (7m + `m + ` − 1)te , T − (15m + m` + ` − 1)te , 3 2 2

(4)

where te is the running time of exponentiation modulo N with n-bit exponent and tm is the running time of multiplication modulo N . In addition, the generator outputs n(m + 0.5)/(m + 1) − log2 n bits for each modular exponentiation in Z∗N with n/2-bit exponent. Proof. Let the output of Construction 2 be S ` = (ai , £(hs1i ), . . . , £(hsmi ))`−1 i=0 . Consider a variant si1 `−1 ` ` s im of S : W = (ai , £(h1 ), . . . , £(hm ))i=0 , where the difference is that si1 , . . . , sim ← Zord(g) while ai is the most n2 − log2 n significant bits of £(g si0 ) for si0 ← Zorg(g) . We first show that S ` and W ` are indistinguishable. For j = 0, . . . , `, we first define a variant Sj` of S ` : si1 sim Sj` = (ai , £(hs1i1 ), . . . , £(hsmim ))`−1 i=0 , where for i < j, (ai , £(h1 ), . . . , £(hm )) is computed ac` cording to W ` ; (ai , £(hs1i1 ), . . . , £(hsmim ))`−1 i=j is computed according to S by starting from sj ← {0, 1}n/2 and defining si0 = si1 = · · · = sim = si for i ≥ j. Obviously S0` = S ` and S`` = W ` . Now we show if S ` and W ` are (T 0 , ²0 − n− log n (m + 1)`)-distinguishable by an adversary A, (m+1)(`−1)te ²0 −n− log n (m+1)` m 0 then DHm , )-distinguishable by an algorithm D. 1/2 and Rand1 are (T + 2 ` Given input (g, α, β1 , . . . , βm ) and (h1 , . . . , hm ), D takes j ← {0, . . . , ` − 1}, simulates Sj` , except s

s

def

def

(aj , £(h1j1 ), . . . , £(hmjm )) = (aj , £(β1 ), . . . , £(βm )) and aj |sj+1 = £(α). Finally, he feeds the simulated transcript tr to A and outputs whatever he does. Note if the input to D is DHm 1/2 , then 11

` . Thus, the advantage of D is the input tr to A is Sj` ; otherwise, it is Sj+1 ¯ ¯ ¯X ¯ `−1 ³ ´ ¯ 1 ¯¯ ` ` Pr[A(Sj ) = 1] − Pr[A(Sj+1 ) = 1] ¯¯ = Adv(A)/` ≥ (8n+1)²+5m2−n +(m+1)2−n/2+4 . (5) ¯ `¯ ¯ j=0

In addition, the runtime of D is bounded by T 0 + (m + 1)(` − 1)te /2, contradicting Corollary 3. Finally, by property of £, a simple calculation shows that ∆(W ` , UM ) ≤ (m + 1)`n− log n , where M = `(m + 21 )n − (m + 1)` log2 n. Using Lemma 1, we have that any adversary in distinguishing W ` and UM with time T 0 must have an advantage ≤ (m + 1)`n− log n . For any adversary A of time T 0 , the advantage to distinguish S ` and UM is bounded by ³ ´ ` · (8n + 1)² + 5m2−n + (m + 1)2−n/2+4 + (m + 1)`n− log n = ²0 . (6) The efficiency argument follows since PRGN can output (m + 0.5)n − (m + 1) log2 n bits for every m + 1 exponentiations in Z∗N with exponent length n/2. ¥ Remark. Our generator can output n(m + 0.5)/(m + 1) − log2 n bits for one exponentiation with an n/2-bit exponent. For simplicity, we still use the square-multiply method for exponentiation and assume one squaring costs 0.8 multiplication. Then, this scheme can generate (n(m + 0.5)/(m + 1) − log2 n)/(0.8 × 0.5n + 0.25n) per multiplication. If we take m = 20 and n ≥ 40000, it is approximately 1.49 bits. It is almost twice faster than Goldreich-Rosen generator [15] (Note: [15] states the efficiency using precomputation while we do not use here). Here we take m = 20 since (m + 0.5)/(m + 1) = 0.97619 ≈ 1 and the storage is 110KByts (if n = 40000) which is affordable in many applications. The selection of n and comparison with other generators can be found in Section 5.3.

5

Performance

We know the asymptotic efficiency of our generators per multiplication. In this section, we show the efficiency in some concrete security parameters and compare with other generators in the literature. Here we mainly compare our generators with those secure under the standard assumptions since non-standard assumptions usually still need extensive study in order to well estimate its complexity. 5.1

Basic Options for Analysis

Following the analysis method in [34, 12], we measure the running time of algorithms using time unit. One time unit equals to the time of executing one DES encryption. Recall that the security of our generators relies on DDH assumption and/or factoring assumption. For n-bit modulus, according to the current state of arts, the best algorithms for the factoring problem and discrete logarithm problem have the same heuristic running time: 1/3 2/3 L(n) = c · e1.9229(n ln 2) (ln(n ln 2)) time units, where c = 4.7 · 10−5 as in [12]. Since currently no efficient algorithm separates the DDH problem and discrete logarithm problem [30], in this paper we also use L(n) to denote the best record for solving the DDH problem of n-bit modulus. In this paper, the modular exponentiation for our generators and other generators in comparison all uses the naive square-and-multiply method. That is, we do not apply any pre-computation. Thus, on average, one exponentiation of a random exponent of binary length t will cost t/2 multiplications 12

and t squarings. One squaring costs about 0.8 multiplication. Thus, such an exponentiation costs about 1.3t multiplications on average. Observe that if one multiplication costs n2 /(24 · 360) time units [24, 35], the average computational cost of one t-bit exponentiation is thus about 1.3×tn2 /(24· 360) time units. We use the basic observation in [18, 12] for complexity analysis: if a hard problem can be solved with probability ² in time T , then it can be solved with high probability in time Q = T /². In our analysis, we take T = 275 , ² = 0.01 and so Q is around 280 time units, which is assumed to be the time limit for classical computers today. We will use it as the time bound to choose system parameters (e.g. modulus length n). Moreover, for each of the pseudorandom generators, assume we want to generate M = 230 stream bits. When T, ² and M are fixed, we select the smallest n satisfying the pre-defined security level to analyze the concrete efficiency of our generators, which n2 is measured by the number of time units to generate one output bit. It is computed as µ · 24∗360 n2 is the time units, where µ is the number of multiplications needed for generating one bit and 24∗360 number of time units for one multiplication of a n-bit modulus [24, 35] as shown above. 5.2

Performance of E(NGp )

In this subsection, we compare E(NGp ) with other generators over Z∗p : FSS and Gennaro schemes. By Theorem 2, if E(NGp ) is not (T, ²)-secure, the DDH problem can be solved in time TDDH = (T + ((3 + `)m + ` − 1)te )`/². Currently, the best algorithm for solving DDH problem has a runtime L(n). The generator needs to iterate ` = M/(m(n − 3)) times in order to output M bits. If n is selected such that TDDH < L(n), then DDH problem in this case can be solved in time less than L(n), contradicting to DDH assumption. Thus the generator is (T, ²)-secure if TDDH < L(n). Specifically, take M = 230 and m = 20. For NGp to be (275 , 0.01)-secure, we need to take n ≥ 1810 (so that TDDH < L(n)). By Theorem 2, the generator can produce (n − 3)m/(m + 1) bits per modular exponentiation (n−3)m or 1.3n(m+1) bits per multiplication without any pre-computation. As an example, it is about 0.73 bits per multiplication for m = 20 and n = 1810. Under these parameters, the generator will run 1.3n3 (m+1) (n−3)m·24·360 ≈ 519 time units to output one bit. For other choices of n, m and their corresponding performance of time units per bit, see Figure 1. Since the public parameters (p, g, h1 , h2 , . . . , hm ) is needed to initialize the generator, it requires storage; See Fig. 1. Obviously, it is a tradeoff between the value of m and the efficiency and storage of the generator. We note it is enough to select m = 20 in practice, since it is fast and the storage 4.98KBytes is small. m 1 10 20 n (Bits) 2000 1850 1810 Time Units/Bit 1206 568 519 Para Size(KBytes) 0.75 2.78 4.98

50 1770 482 11.51

100 1730 456 22.06

200 1690 433 42.67

300 1670 422 63.04

Fig. 1. Performance of (T = 275 , ² = 0.01)-secure E(NGp ) generator for M = 230 varies with m and minimum n

For FSS generator [12], we restate its reduction complexity as: if the generator is not (T, ²)secure, the DDH problem can be solved in time T 0 = T + 2`te with probability ²0 = ²/` . For outputting M bits key stream, we need to take ` = M/(n − 3). By this reduction complexity, 13

n ≥ 2000 is required to guarantee T 0 /²0 < L(n) for T = 275 , ² = 0.01 and M = 230 . Since the FSS generator is a special case of E(NGp ) with m = 1, it can output (n − 3)/2.6n ≈ 0.38 bit per multiplication, and each output bit costs n2 /(0.38 · 24 · 360) ≈ 1206 time units. In [12], n ≥ 1600 is enough for M = 220 bits to guarantee T 0 /²0 < L(n) (thus the security against the best algorithm). Here we take M = 230 bits and it is required that n ≥ 2000 for FSS to guarantee the same security.

Scheme Gennaro∗ [13] FSS [12] E(NGp ), m = 20 (this work) SPW∗ [34], e = 8 BBS-ACGS [1] BBS-FS [11] BBS-SS [33] Goldreich-Rosen [15] PRGN , m = 20 (this work)

Min n Seed Length Para Size Bits Time Units (Bits) (Bits) (KBytes) (per Mult) (per Bit) 5600 c = 520 1.4 7.5 484 2000 2000 0.75 0.38 1206 1810

1810

7000 82000 8000 43000 42000

7000 82000 8000 43000 21236

40000

20000

4.98

0.73

519

0.88 1000 10.25 log n = 16.32 1.0 1 5.38 log n = 15.39 10.5 0.76

6 47677 7410 13903 268432

110.03

1.49

124049

Fig. 2. Comparison of (T = 275 , ² = 0.01)-secure generators of minimum n with M = 230 bits output ∗ the generator is proven secure under non-standard assumption

The comparison of our E(NGp ) with FSS is shown in Figure 2. In this table, we also list Gennaro generator and RSA based generators (to be addressed in the next subsection). Our table lists the minimum n for each generator to be (T, ²)-secure with parameters M = 230 , T = 275 , ² = 0.01. From this table, we can see that our generator is not the best generator in the number of generated bits per multiplication. However, since different generators have different length of modulus in order to achieve the same security level, the multiplication for each generator has a different time cost. Thus, an absolute measure, time units per bit, is adopted here for evaluating the efficiency. In this case, our generator E(NGp ) is the best among all generators secure under standard assumptions. The storage for public parameters is just about 4.98KBytes and thus small. E(NGp ) also has a similar performance as Gennaro generator while the latter is secure under a non-standard assumption. SPW generator [34] is the most efficient one among all generators but it is again secure under a non-standard assumption, which needs extensive study in order to obtain a tight estimation on the hardness complexity of its security assumption.

5.3

Performance of PRGN

As for E(NGp ), we analyze the efficiency of PRGN and compare it with other RSA based generators. 2

n bits per multiplication. That is about 1.49 By Theorem 3, PRGN can output n(m+0.5)/(m+1)−log n×0.65 bits when m = 20 and n = 40000, for instance. The selection of m is reasonable since the size of public parameters in this case is about 110 KBytes. For many applications, it is affordable. By Theorem 3 and the fact that the currently best algorithms for DDH and factoring have the runtime

14

L(n), the generator is (T, ²)-secure if and only if ½ ¾ 1 7 05 0 min 1.5n (T + 2ntm + (m` + 7m + ` − 1)te )/² , (T + (15m + m` + ` − 1)mte /2)/² < L(n), 2 (7) ²−5m`2−n −(m+1)`(n− log n +2−n/2+4 ) . Since we assume the output is of `(8n+1) 2 2 n to take ` = M/(( 2 − log n) + m(n − log n)) iterations. Taking m = 20, M requires n ≥ 40000 to achieve (275 , 0.01)-secure (i.e., satisfying equation (7)).

where ²0 =

length M , we need

= 230 , ² = 0.01, it Taking n = 40000, n2 0.65×n the generator will run n(m+0.5)/(m+1)−log2 n · 24·360 ≈ 124049 time units to output 1 bit. Goldreich-Rosen generator can output n/2 bits per exponentiation of exponent length n/2 while ours can output almost n bits per such an exponentiation. In order for it to be (275 , 0.01)-secure, their generator needs to take n ≥ 42000. When n = 42000, it requires almost 268432 time units to produce one bit. Thus, from the previous analysis, our generator is at least twice faster than theirs. The main reason for both generators to take a large n is that the reduction complexity contains a heavy term which comes from the indistinguishability between Full0n and Half0n (see Lemma 5). It would be an interesting question to provide a proof with a tighter reduction. Now we consider BBS generator and its variants. BBS is to output the least significant bit of xi and iterates xi+1 = x2i (mod N ) for RSA composite N . Fischlin and Schnorr [11] gave the best reduction: BBS is (T, ²)-secure if 6n(log n)M 2 · (T + 27 n²−2 M 2 log(8n²−1 M ))/²2 ≤ L(n).

(8)

We denote BBS generator with this tighter bound by BBS-FS. As an example, BBS-FS is (275 , 0.01)secure if n ≥ 8000. Alexi et al. [1] proved that the BBS generator can output O(log n) bits per iterations. More precisely, BBS variant that outputs I bits per iteration is (T, ²) secure if (227+4I n3 M 8 )T /²8 ≤ L(n).

(9)

Denote this BBS variant by BBS-ACGS. As an example, BBS-ACGS is (275 , 0.01)-secure for I = log n, if n ≥ 82000. Recently, Sidorenko and Schoenmakers [33] improved the result as: 36n(log n)(T + 22I+9 nδ −4 )/δ 2 ≤ L(n),

(10)

where δ = (2I − 1)−1 M −1 ². Denote this variant by BBS-SS. As an example, BBS-SS is (275 , 0.01)secure for I = log n, if n ≥ 43000. The detailed comparisons of these generators are shown in Fig. 2. The figure also lists SPW generator [34] which is the most efficient generator among them but its security is proven under a non-standard assumption. Our generator PRGN is not the most efficient of them but it is more efficient than Goldreich-Rosen generator, while we remark that our generator NGp is the most efficient among all generators that are proven secure under standard assumptions. 5.4

On the Efficiency with Pre-computation

Pre-computation is a very effective approach to improve the efficiency of pseudorandom generators. t−1 To compute g x for x = x0 · · · xt−1 ∈ {0, 1}t , we can first pre-compute g, g 2 , . . . , g 2 and multiply 15

i

g 2 for all i such that xi = 1. Comparing with the naive square-and-multiply approach, this approach does not need on-line squaring any more. As a squaring is 0.8 multiplication, the cost for g x is now 0.5t ≈ 38.46%. Applying this pre-computation, the time unit cost per bit in Fig. 2 reduced by 0.8t+0.5t will be updated in order as h186; 464; 200; 6; 47677; 7410; 13903; 103243; 47710i. Note that one does not necessarily always store the pre-computed data. It can be generated for each initialization of the generator. The time-unit efficiency standing for all generators there remains unchanged. The efficiency can be further improved by more advanced pre-computation; See [23]. We will not discuss here. Acknowledgements. The authors would like to thank the anonymous referees for intensive invaluable comments that significantly improve our paper. Jiang’s work was mainly done under the support of research excellence grants on Algorithmic Number Theory and Cryptography, and Information Security, at the University of Calgary. All authors are now supported by National 863 High Tech Plan (No. 2006AA01Z428), NSFC (No. 60673075) and (for Jiang only) UESTC Young Faculty Plans.

References 1. W. Alexi, B. Chor, O. Goldreich and C. Schnorr. RSA and Rabin Functions: Certain Parts are as Hard as the Whole. SIAM J. Computing, 17(2), pp.194-209, 1988. 2. M. Bellare, A. Boldyreva, S. Micali. Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements. Advances in Cryptology-EUROCRYPT’00, LNCS 1807, pp.259-274, 2000. 3. M. Bellare, A. Boldyreva, K. Kurosawa, J. Staddon. Multi-Recipient Encryption Schemes: Efficient Constructions and their Security. IEEE Transactions on Information Theory, 53(11), pp.3927-3943, 2007. 4. C. Berbain, H. Gilbert, and J. Patarin. QUAD: a Practical Stream Cipher with Provable Security. Advances in Cryptology-EUROCRYPT 2006, LNCS 4004, pp.109-128, 2006. 5. L. Blum, M. Blum and M. Shub. A Simple Unpredictable Pseudorandom Number Generator. SIAM J.Computing, 15(2), pp.364-383, 1986. 6. M. Blum and S. Micali. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. SIAM Journal on Computing, 13(4), pp.850-864, 1984. 7. D. Boneh. The Decision Diffie-Hellman Problem. The Third Algorithmic Number Theory Symposium, LNCS 1423, pp.48-63, 1998. 8. D. Boneh, S. Halevi, and N.A. Howgrave-Graham. The Modular Inversion Hidden Number Problem. Advances in Cryptology-ASIACRYPT 2001, LNCS 2248, pp.36-51, 2001. 9. O. Chevassut, P. A. Fouque, P. Gaudry, and D. Pointcheval. Key derivation and randomness extraction. Cryptology ePrint Archive, Report 2005/061, 2005. Available at http://eprint.iacr.org/2005/061.pdf 10. W. Diffie, M. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 22(6), pp.644-654, 1976. 11. R. Fischlin and C. Schnorr. Stronger Security Proofs for RSA and Rabin Bits. Journal of Cryptology, 13(2), pp. 221-244, 2000. 12. R. R. Farashahi, B. Schoenmakers, and A. Sidorenko. Efficient pseudo-random Generators Based on the DDH assumption. PKC 2007, LNCS 4450, pp.426-441, 2007. 13. R. Gennaro. An improved pseudo-random generator based on the discrete logarithm problem. Journal of Cryptology, 18(2), pp.91-110, 2006. 14. O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. Journal of the ACM, 33(4), pp.792-807, 1986. 15. O. Goldreich, V. Rosen. On the Security of Modular Exponentiation with Applica- tion to the Construction of Pseudorandom Generators. Journal of Cryptology, 16(2), pp.71-93, 2003. 16. O. Goldreich and A. Wigderson, Tiny Family of Functions with Random Properties: A Quality-size Tradeoff for Hashing, ACM STOC’94, pp.574-584, 1994. 17. S. Goldwasser and S. Micali, probabilistic encryptions, Journal of Computer and System Science, 28(2), pp.270299, 1984. Priliminary version appears in STOC’82.

16

18. J. H˚ astad, R. Impagliazzo, L. Levin and M. Luby. A Pseudo-Random Generator from any One-Way Function. SIAM J. Comput., 28(4), pp.1364-1396, 1999. 19. R. Impagliazzo and M. Naor. Efficient Cryptographic Schemes Provably as Secure as Subset Sum. Journal of Cryptology, 9(4), pp.199-216, 1996. 20. S. Jiang. Efficient Primitives from Exponentiation in Zp. Information Security and Privacy: 11th Australasian Conference - ACISP 2006, LNCS 4058, pp.259-270, 2006. 21. S. Jiang, G. Gong, Security of a Server-Assisted Group Password-Authenticated Key Exchange Protocol. Technical Report CACR 2005-17, 2005. Available at http://www.cacr.math.uwaterloo.ca 22. A. Juels, M. Jakobsson, E. Shriver, and B. K. Hillyer. How to turn loaded dice into fair coins, IEEE Transactions on Information Theory, 46(3), pp.911-921, 2000. 23. C. Lim, P. Lee, More Flexible Exponentiation with Precomputation, Advances in Cryptology-CRYPTO 1994, LNCS 839, pp.95-107, 1994. 24. A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology. 14(4), pp.255-293, 2001. 25. D. L. Long, A. Wigderson. How Discreet is the Discrete Log. ACM STOC 1983, pp.413-420, 1983. 26. M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput., 17(2), pp.373-386, 1988. 27. M. Naor. Bit commitment using pseudorandomness. Journal of Cryptology, 4(2), pp.151-158, 1991. 28. S. Patel and G. S. Sundaram, An Efficient Discrete Log Pseudo Random Generator. Advances in CryptologyCRYPTO 1998, LNCS 1462, pp.304-317, 1998. 29. R. Peralta. Simultaneous Security of Bits in the Discrete Log. Advances in Cryptology-EUROCRYPT 1985, LNCS 219, pp.62-72, 1986. 30. V. Shoup. Lower Bounds for Discrete Logarithms and Related Problems. Advances in Cryptology-EUROCRYPT 1997, LNCS 1233, pp.256-266, 1997. 31. R. Shaltiel, Recent developments in explicit constructions of extractors, Bull. Eu. Assoc. Theor. Comput. Sci., (2002), pp.67-95, 2002. 32. V. Shoup. On Formal Models for Secure Key Exchange. Available at http://philby.ucsd.edu/cryptolib/ 1999.html. 33. A. Sidorenko and B. Schoenmakers. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator. Cryptography and Coding 2005, LNCS 3796, pp.355-375, 2005. 34. R. Steinfeld, J. Pieprzyk, H. Wang. On the Provable Security of an Efficient RSA-Based Pseudorandom Generator. Advances in Cryptology-ASIACRYPT 2006, LNCS 4284, pp.194-209, 2006. 35. M. I. Gonzalez Vasco, M. Naslund, and I. E. Shparlinski. New results on the hardness of Diffie-Hellman bits. PKC 2004, LNCS 2947, pp.159-172, 2004. 36. J. Wullschleger, Oblivious Transfer Amplification, PhD Thesis, ETH, 2006. http://arxiv.org/abs/cs/0608076. 37. A. Yao. Theory and Applications of Trapdoor Functions. IEEE FOCS 1982, pp.80-91, 1982.

A

Diffie-Hellman Self-reduction.

Now we introduce a self-reduction technique [2, 32]. Let G be a multiplicative cyclic group ([2] states |G| is a prime and in fact their algorithm works without it) and g be a random generator of G (i.e., ord(g) = |G|). Given a triple (g, g a , g b , g c ) and a bit x, Bellare et al. [2] proposed an 0 0 0 algorithm to compute (g, g a , g b , g c ) that satisfies the properties in Figure 3.

c = ab c 6= ab

x=0 a0 = a & b0 random in Zord(g) & c0 = a0 b0 a0 = a & b0 , c0 random in Zord(g)

x=1 a0 , b0 random in Zord(g) & c0 = a0 b0 a0 , b0 , c0 random in Zord(g) 0

0

0

Fig. 3. Properties of (g a , g b , g c )

0

0

For example, given the input x = 0 and a tuple (g, g a , g b , g ab ), the output is (g, g a , g b , g ab ), where b0 is uniformly random in Zord(g) (especially, independent of (a, b, c)). For input x = 1 and 17

0

0

0 0

(g, g a , g b , g ab ), the output will be (g, g a , g b , g a b ), where (a0 , b0 ) is independent of (a, b). We use 0 0 0 Rudx (g, g a , g b , g c ) to denote their algorithm and use (g a , g b , g c ) ← Rudx (g, g a , g b , g c ) to denote a random output of Rud with input x and (g, g a , g b , g c ). The code of Rudx (g, g a , g b , g c ) is presented as follows. Algorithm Rudx (g, g a , g b , g c ), parameterized by G and ord(g) (known). 1. If x = 0, set s1 = 0; otherwise s1 ← Zord(g) . 2. s2 , r ← Zord(g) 0 3. g a ← g a · g s1 0 4. g b ← (g b )r · g s2 0 5. g c ← (g c )r · (g a )s2 · (g b )r·s1 · g s1 s2 . 0 0 0 Return (g a , g b , g c )

Algorithm Rudx (·) requires the knowledge of |G|. However, in some settings, |G| is unknown. For example, when G is the group of quadratic residue in Z∗N for a RSA composite N , |G| is unknown unless the factorization of N is known. We now modify Rudx such that it works for G with an unknown order. Denote the modified algorithm by Rud∗x . We require |G| < 2n for some known n. Rud∗x differs from Rudx only in lines 1 and 2, where we take s1 ← {0, 1}2n (in case x = 1) and s2 , r ← {0, 1}2n (instead of s1 , s2 , r ← Zord(g) there). Computational cost. Note modular exponentiation is computed using the naive square-andmultiply method in this analysis. By this method, one exponentiation with 2n-bit exponents is equivalent to two exponentiations with n-bit exponents. The cost for Rud1 is dominated by 7 exponentiations in G while Rud0 is dominated by 4 exponentiations, where the exponent length is n-bit as (g b )r·s1 is computed as (g b )(r·s1 )ord(g) , and g s1 ·s2 is similar. For Rud∗x , since we cannot compute (r · s1 )ord(g) and (s1 · s2 )ord(g) , it follows that in terms of exponentiation of exponent length n in G, the cost of Rud∗1 is dominated by 18 exponentiations while Rud∗0 has 8 exponentiations. The following lemma shows that the statistical distance between the outputs of Rudx and Rud∗x are exponentially decreasing in the length of the modulus. Lemma 8. For x ∈ {0, 1} and fixed (g a , g b , g c ), ∆(Rudx (g, g a , g b , g c ), Rud∗x (g, g a , g b , g c )) ≤ 3 · 2−n , 0

0

0

where the probability is taken over random coins of Rudx and Rud∗x . I.e., (g a , g b , g c ) output by 0 0 0 Rud∗x (g, g a , g b , g c ) is close within statistical distance 3 · 2−n to (g a , g b , g c ) that satisfies Fig. 3. Proof. For fixed x and (g, g a , g b , g c ), the output for both Rud and Rud∗ can be expressed as a deterministic function of randomness (s1 , s2 , r). We denote this function by F (s1 , s2 , r). The output by Rudx (g, g a , g b , g c ) is distributed as F (s1 , s2 , r) for s2 , r ← Zord(g) , and s1 ← Zord(g) (case x = 1) and s1 = 0 (case x = 0). The output by Rud∗x (g, g a , g b , g c ) is distributed as F (s1 , s2 , r) for s2 , r ← {0, 1}2n , and s1 ← {0, 1}2n (case x = 1) and s1 = 0 (case x = 0). Note that F (s1 , s2 , r) = F ((s1 )ord(g) , (s2 )ord(g) , (r)ord(g) ). For simplicity, we use s∗1 , s∗2 , r∗ to denote the randomness in Rud∗x . 18

We have

∆(Rudx (g, g a , g b , g c ), Rud∗x (g, g a , g b , g c )) = ∆(F (s1 , s2 , r), F ((s∗1 )ord(g) , (s∗2 )ord(g) , (r∗ )ord(g) )) (1)

≤ ∆((s1 , s2 , r), ((s∗1 )ord(g) , (s∗2 )ord(g) , (r∗ )ord(g) ))

(2)

≤ 3 · 2−n .

Here (1) holds by Claim 1 below (See also [36]), and (2) holds by Claim 2 below and Lemma 2. ¥ Claim 1. Let Ω and Q be two sets. Let X and Y be two random variables over Ω. F : Ω → Q be a deterministic function. Then ∆(F (X), F (Y )) ≤ ∆(X, Y ). (11) Proof. We have P ∆(F (X), F (Y )) = 12 v∈Q | Pr[F (X) = v] − Pr[F (Y ) = v]| P P = 12 v∈Q | u:F (u)=v (Pr[X = u] − Pr[Y = u])| P P ≤ 12 v∈Q u:F (u)=v | Pr[X = u] − Pr[Y = u]| = ∆(X, Y ).

¤

Claim 2. Let s ∈ N. Let (X1 , . . . , Xs ) and (Y1 , . . . , Ys ) be two independent vector random variables over set Ω. For each i, Xi is independent of {Xj : j = 1, . . . , s, j 6= i} and Yi is independent of {Yj : j = 1, . . . , s, j 6= i}. Then ∆((X1 , . . . , Xs ), (Y1 , . . . , Ys )) ≤

s X

∆(Xi , Yi ).

(12)

i=1

Proof. Let W i = (X1 , . . . , Xi , Yi+1 , . . . , Ys ). Then W s = (X1 , . . . , Xs ) and W 0 = (Y1 , . . . , Ys ). Thus, by triangle inequality, Ps−1 ∆(W i , W i+1 ) ∆(W s , W 0 ) ≤ P i=0P 1 = 2 i v1 ,v2 ,...,vs | Pr[W i = (v1 , . . . , vs )] − Pr[W i+1 = (v1 , . . . , vs )]| (∗) 1 Ps−1 P = 2 i=0 vi+1 | Pr[Xi+1 = vi+1 ] − Pr[Yi+1 = vi+1 ]| Ps−1 = i=0 ∆(Xi+1 , Yi+1 ), where (∗) holds since Yi+1 (resp. Xi+1 ) is independent of X1 , . . . , Xi , Yi+2 , . . . , Ys in W i (resp. in W i+1 ). ¤

19