Table Of ContentComplexityandCryptography
AnIntroduction
Cryptographyplaysacrucialroleinmanyaspectsoftoday’sworld,frominternetbank-
ing and ecommerce to email and web-based business processes. Understanding the
principlesonwhichitisbasedisanimportanttopicthatrequiresaknowledgeofboth
computationalcomplexityandarangeoftopicsinpuremathematics.Thisbookprovides
thatknowledge,combininganinformalstylewithrigorousproofsofthekeyresultsto
giveanaccessibleintroduction.Itcomeswithplentyofexamplesandexercises(many
with hints and solutions), and is based on a highly successful course developed and
taught over many years to undergraduate and graduate students in mathematics and
computerscience.
Theopeningchaptersareabasicintroductiontothetheoryofalgorithms:fundamental
topicssuchasNP-completeness,Cook’stheorem,thePvs.NPquestion,probabilistic
computationandprimalitytestinggiveatasteofthebeautyanddiversityofthesubject.
Afterbrieflyconsideringsymmetriccryptographyandperfectsecrecy,theauthorsintro-
ducepublickeycryptosystems.Themathematicsrequiredtoexplainhowthesework
andwhyorwhynottheymightbesecureispresentedasandwhenrequired,though
appendicescontainsupplementarymaterialtofillanygapsinthereader’sbackground.
Standardtopics,suchastheRSAandElGamalcryptosystems,aretreated.Morerecent
ideas,suchasprobabilisticcryptosystems(andthepseudorandomgeneratorsonwhich
theyarebased),digitalsignatures,keyestablishmentandidentificationschemesarealso
covered.
john talbot hasbeenalecturerinmathematics,UniversityCollegeLondonsince
2003.BeforethathewasGCHQResearchFellowinOxford.
dominic welsh isafellowofMertonCollege,OxfordwherehewasProfessorof
Mathematics.HehasheldnumerousvisitingpositionsincludingtheJohnvonNeumann
Professor,UniversityofBonn.Thisishisfifthbook.
Complexity and Cryptography
An Introduction
JOHN TALBOT
DOMINIC WELSH
cambridge university press
Cambridge, New York, Melbourne, Madrid, Cape Town, Singapore, São Paulo
Cambridge University Press
TheEdinburghBuilding,Cambridgecb22ru,UK
Published in the United States of America by Cambridge University Press, New York
www.cambridge.org
Informationonthistitle:www.cambrid ge.org/9780521852319
© Cambridge University Press 2006
Thispublicationisincopyright.Subjecttostatutoryexceptionandtotheprovisionof
relevantcollectivelicensingagreements,noreproductionofanypartmaytakeplace
withoutthewrittenpermissionofCambridgeUniversityPress.
Firstpublishedinprintformat 2006
isbn-13 978-0-511-14070-9 eBook (NetLibrary)
isbn-10 0-511-14070-3
eBook (NetLibrary)
isbn-13 978-0-521-85231-9 hardback
isbn-10 0-521-85231-5 hardback
isbn-13 978-0-521-61771-0 paperback
isbn-10 0-521-61771-5 paperback
CambridgeUniversityPresshasnoresponsibilityforthepersistenceoraccuracyofurls
forexternalorthird-partyinternetwebsitesreferredtointhispublication,anddoesnot
guaranteethatanycontentonsuchwebsitesis,orwillremain,accurateorappropriate.
Contents
Preface pageix
Notation xi
1 Basicsofcryptography 1
1.1 Cryptographicmodels 2
1.2 Abasicscenario:cryptosystems 3
1.3 Classicalcryptography 7
1.4 Moderncryptography 8
2 Complexitytheory 10
2.1 Whatiscomplexitytheory? 10
2.2 DeterministicTuringmachines 16
2.3 Decisionproblemsandlanguages 22
2.4 Complexityoffunctions 30
2.5 Spacecomplexity 33
3 Non-deterministiccomputation 39
3.1 Non-deterministicpolynomialtime–NP 39
3.2 Polynomialtimereductions 43
3.3 NP-completeness 45
3.4 TuringreductionsandNP-hardness 54
3.5 ComplementsoflanguagesinNP 56
3.6 Containmentsbetweencomplexityclasses 60
3.7 NPrevisited–non-deterministicTuringmachines 62
4 Probabilisticcomputation 67
4.1 Cantossingcoinshelp? 67
4.2 ProbabilisticTuringmachinesandRP 71
v
vi Contents
4.3 Primalitytesting 74
4.4 Zero-errorprobabilisticpolynomialtime 80
4.5 Bounded-errorprobabilisticpolynomialtime 81
4.6 Non-uniformpolynomialtime 83
4.7 Circuits 86
4.8 Probabilisticcircuits 92
4.9 Thecircuitcomplexityofmostfunctions 93
4.10 Hardnessresults 94
5 Symmetriccryptosystems 99
5.1 Introduction 99
5.2 Theonetimepad:Vernam’scryptosystem 101
5.3 Perfectsecrecy 102
5.4 Linearshift-registersequences 106
5.5 Linearcomplexity 111
5.6 Non-linearcombinationgenerators 113
5.7 BlockciphersandDES 115
5.8 RijndaelandtheAES 118
5.9 ThePohlig–Hellmancryptosystem 119
6 Onewayfunctions 125
6.1 Insearchofadefinition 125
6.2 Strongone-wayfunctions 129
6.3 Onewayfunctionsandcomplexitytheory 132
6.4 Weakone-wayfunctions 135
7 Publickeycryptography 141
7.1 Non-secretencryption 141
7.2 TheCocks–Ellisnon-secretcryptosystem 142
7.3 TheRSAcryptosystem 145
7.4 TheElgamalpublickeycryptosystem 147
7.5 Publickeycryptosystemsastrapdoorfunctions 150
7.6 InsecuritiesinRSA 153
7.7 FindingtheRSAprivatekeyandfactoring 155
7.8 Rabin’spublickeycryptosystem 158
7.9 PublickeysystemsbasedonNP-hardproblems 161
7.10 Problemswithtrapdoorsystems 164
8 Digitalsignatures 170
8.1 Introduction 170
8.2 Publickey-basedsignatureschemes 171
Contents vii
8.3 Attacksandsecurityofsignature
schemes 172
8.4 Signatureswithprivacy 176
8.5 Theimportanceofhashing 178
8.6 Thebirthdayattack 180
9 Keyestablishmentprotocols 187
9.1 Thebasicproblems 187
9.2 Keydistributionwithsecurechannels 188
9.3 Diffie–Hellmankeyestablishment 190
9.4 Authenticatedkeydistribution 193
9.5 Secretsharing 196
9.6 Shamir’ssecretsharingscheme 197
10 Secureencryption 203
10.1 Introduction 203
10.2 Pseudorandomgenerators 204
10.3 Hardandeasybitsofone-wayfunctions 207
10.4 Pseudorandomgeneratorsfromhard-core
predicates 211
10.5 Probabilisticencryption 216
10.6 Efficientprobabilisticencryption 221
11 Identificationschemes 229
11.1 Introduction 229
11.2 Interactiveproofs 231
11.3 Zeroknowledge 235
11.4 Perfectzero-knowledgeproofs 236
11.5 Computationalzeroknowledge 240
11.6 TheFiat–Shamiridentificationscheme 246
Appendix1 Basicmathematicalbackground 250
A1.1 Ordernotation 250
A1.2 Inequalities 250
Appendix2 Graphtheorydefinitions 252
Appendix3 Algebraandnumbertheory 253
A3.1 Polynomials 253
A3.2 Groups 253
A3.3 Numbertheory 254
viii Contents
Appendix4 Probabilitytheory 257
Appendix5 Hintstoselectedexercisesandproblems 261
Appendix6 Answerstoselectedexercisesandproblems 268
Bibliography 278
Index 287
Preface
This book originated in a well-established yet constantly evolving course on
ComplexityandCryptographywhichwehavebothgiventofinalyearMathe-
maticsundergraduatesatOxfordformanyyears.Ithasalsoformedpartofan
M.Sc.courseonMathematicsandtheFoundationsofComputerScience,and
has been the basis for a more recent course on Randomness and Complexity
forthesamegroupsofstudents.
One of the main motivations for setting up the course was to give mathe-
maticians,whotraditionallymeetlittleinthewayofalgorithms,atasteforthe
beautyandimportanceofthesubject.Earlyoninthebookthereaderwillhave
gainedsufficientbackgroundtounderstandwhatisnowregardedasoneofthe
toptenmajoropenquestionsofthiscentury,namelytheP=NPquestion.At
thesametimethestudentisexposedtothemathematicsunderlyingthesecurity
ofcryptosystemswhicharenowanintegralpartofthemodern‘emailage’.
Although this book provides an introduction to many of the key topics in
complexitytheoryandcryptography,wehavenotattemptedtowriteacompre-
hensivetext.Obviousomissionsincludecryptanalysis,ellipticcurvecryptog-
raphy,quantumcryptographyandquantumcomputing.Theseomissionshave
allowedustokeepthemathematicalprerequisitestoaminimum.
Throughoutthetexttheemphasisisonexplainingthemainideasandproving
the mathematical results rigorously. Thus we have not given every result in
completegenerality.
Theexercisesattheendofmanysectionsofthebookareingeneralmeantto
beroutineandaretobeusedasacheckontheunderstandingofthepreceding
principle;theproblemsattheendofeachchapterareoftenharder.
We have given hints and answers to many of the problems and exercises,
marking the question numbers as appropriate. For example 1a,2h,3b would
indicatethatananswerisprovidedforquestion1,ahintforquestion2andboth
forquestion3.
ix
