x - Faculty of Computer Science - Technische Universität Dresden


PBG Security

Security of the s²-mod-n generator (1)    (slide 189)

The s²-mod-n generator is cryptographically strong:

  $\forall P \in \mathrm{PPA}$          (predictor for $b_0$: P sees $b_1 b_2 \ldots b_k$ and guesses $b_0$; unpredictability to the left suffices)
  $\forall$ constants $\varepsilon$, $0 \le \varepsilon \le 1$    (frequency of the "bad" n)
  $\forall t \in \mathbb{N}$             (degree of the polynomial)

if $l$ (= |n|) is sufficiently large, then for all keys n except at most an $\varepsilon$-fraction:

  $W\big(b_0 = P(n, b_1 b_2 \ldots b_k) \;\big|\; s \in \mathbb{Z}_n^* \text{ random}\big) < \dfrac{1}{2} + \dfrac{1}{l^{t}}$

Security of the s²-mod-n generator (2)    (slide 190)

Proof: contradiction to the QRA (quadratic residuosity assumption), in 2 steps.

Assumption: the s²-mod-n generator is weak, i.e. there is a predictor P that, given $b_1 b_2 b_3 \ldots$, guesses $b_0$ with $\varepsilon$-advantage (success probability at least $1/2 + \varepsilon$; this $\varepsilon$ is the predictor's advantage, not the fraction of bad keys above).

Step 1: Transform P into P*, which for a given $s_1 \in QR_n$ guesses the last bit of $s_0$ with $\varepsilon$-advantage.
  Given $s_1$: generate $b_1 b_2 b_3 \ldots$ with the s²-mod-n generator (these bits depend only on $s_1$) and apply P to that stream. P guesses $b_0$, the last bit of $s_0$, with $\varepsilon$-advantage. That is exactly the output of P*.

Step 2: Using P*, construct a method R that guesses with $\varepsilon$-advantage whether a given $s^*$ with Jacobi symbol +1 is a square.
  Given $s^*$: set $s_1 := (s^*)^2 \bmod n$ and apply P* to $s_1$. P* guesses the last bit of $s_0$ with $\varepsilon$-advantage, where $s^*$ and $s_0$ are both roots of $s_1$ with Jacobi symbol +1 and $s_0 \in QR_n$. Therefore
    $s^* \in QR_n \iff s^* = s_0$.
  The only other root of $s_1$ with Jacobi symbol +1 is $n - s_0$ (n = pq with p ≡ q ≡ 3 mod 4, so −1 has Jacobi symbol +1), and since n is odd it has the opposite last bit. So R outputs "square" iff the bit guessed by P* equals the last bit of $s^*$, and R is right exactly when P* is. □
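The two-step reduction above, carried out in code as an added example (this is not code from the lecture slides). It uses a constructed toy Blum modulus n = 47·59 and the usual convention $s_0 := s^2 \bmod n$, $s_{i+1} := s_i^2 \bmod n$, $b_i := s_i \bmod 2$ (the slide only states that $s_0 \in QR_n$). Because n is tiny, a genuine predictor P exists: it enumerates every $s_0 \in QR_n$ consistent with the observed bits. The functions `p_star` and `qr_decider` are the P* and R of the proof, and `success_rate` measures R against the trapdoor ground truth. All names are assumptions of this example.

```python
# Added example (not from the lecture slides): the s^2-mod-n generator and the
# reduction predictor P -> P* -> QR decider R, on a constructed toy Blum modulus.
# Conventions assumed: s_0 := s^2 mod n (so s_0 is in QR_n), s_{i+1} := s_i^2 mod n,
# b_i := s_i mod 2.
import random
from functools import lru_cache
from math import gcd

P_PRIME, Q_PRIME = 47, 59          # constructed toy Blum primes, both = 3 mod 4
N = P_PRIME * Q_PRIME              # 2773


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr(a, p=P_PRIME, q=Q_PRIME):
    """Ground truth, available only with the trapdoor (the factors of n)."""
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1


def bbs_bits(s1, n, k):
    """b_1 ... b_k of the s^2-mod-n generator; determined by s_1 alone."""
    bits, s = [], s1
    for _ in range(k):
        bits.append(s & 1)
        s = s * s % n
    return bits


@lru_cache(maxsize=None)
def qr_elements(n):
    """All quadratic residues in Z_n^*; feasible only for a toy n."""
    return tuple(sorted({x * x % n for x in range(1, n) if gcd(x, n) == 1}))


def brute_force_predictor(n, bits):
    """A genuine predictor P(n, b_1..b_k) -> guess for b_0: enumerate every s_0 in
    QR_n whose stream matches the observed bits, majority vote on s_0 mod 2.
    Exactly this enumeration is infeasible for a real-sized n."""
    votes = [0, 0]
    for c in qr_elements(n):
        if bbs_bits(c * c % n, n, len(bits)) == bits:
            votes[c & 1] += 1
    return int(votes[1] > votes[0])       # ties resolve to 0


_COIN = random.Random(0)


def coin_predictor(n, bits):
    """A predictor with no advantage, for comparison."""
    return _COIN.randrange(2)


def p_star(predictor, n, s1, k):
    """Step 1: P*(s_1) guesses the last bit of the QR root s_0 of s_1 by running
    the generator from s_1 and handing the stream to P."""
    return predictor(n, bbs_bits(s1, n, k))


def qr_decider(predictor, n, s_star, k):
    """Step 2: R(s*) for s* with Jacobi symbol +1.  s_1 = s*^2 has two roots with
    Jacobi symbol +1, s_0 (the square) and n - s_0; n is odd, so their last bits
    differ.  Hence s* is a square iff P*'s guessed bit equals the last bit of s*."""
    assert jacobi(s_star, n) == 1
    s1 = s_star * s_star % n
    return p_star(predictor, n, s1, k) == (s_star & 1)


def roots_with_jacobi_one(s1, n):
    """Brute-force check of the fact R relies on (toy n only)."""
    return [r for r in range(1, n) if r * r % n == s1 and jacobi(r, n) == 1]


def success_rate(predictor, n, k, trials, seed=1):
    """Fraction of random Jacobi-(+1) elements that R classifies correctly."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        x = rng.randrange(2, n)
        while gcd(x, n) != 1 or jacobi(x, n) != 1:
            x = rng.randrange(2, n)
        correct += qr_decider(predictor, n, x, k) == is_qr(x)
    return correct / trials


if __name__ == "__main__":
    print("R with brute-force P :", success_rate(brute_force_predictor, N, 20, 100))
    print("R with coin-flip P   :", success_rate(coin_predictor, N, 20, 200))
```

With the brute-force P, R decides quadratic residuosity for Jacobi-(+1) elements almost perfectly; with the coin-flip P it sits at 1/2. Nothing in `p_star` or `qr_decider` uses the factors of n, which is the point of the proof: any predictor with advantage ε for a real-sized n would, through exactly these two wrappers, break the QRA with the same advantage.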

