Your SlideShare is downloading. ×
0
Upcoming SlideShare
Loading in...5
×

# Lecture 6 Public-Key Encryption

419

Published on

0 Comments
0 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
Your message goes here
• Be the first to comment

• Be the first to like this

No Downloads
Views
Total Views
419
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

### Transcript of "Lecture 6 Public-Key Encryption"

1. 1. Modern Cryptography www.dziembowski.net/Studenti/BISS09<br />Lecture 6 Public-Key Encryption<br />StefanDziembowski<br />UniversityofRome<br />La Sapienza<br />BiSS 2009Bertinoro International Spring School 2-6 March 2009<br />
2. 2. Plan<br />Problems with the handbook RSA encryption<br />Security definitions<br />How to encrypt with RSA?<br />Encryption based on discrete-log<br />first step: Diffie-Hellman key exchange<br />ElGamal encryption<br />Public-key vs. private key encryption<br />
3. 3. The “handbook RSA encryption”<br />N = pq- RSAmodulus<br />eis such thatgcd(e, φ(N)) = 1,<br />d is such thated = 1 (mod φ(N))<br />Enc(e,N) (m) = me mod N, <br />and Dec(d,N) (c) = cd mod N.<br />
4. 4. Problems<br />Encpkis deterministic, so:<br />if one encrypts twice the same message then the ciphertexts are the same<br />Therefore if the message spaceM is small, the adversary can check all possible messages:<br />given a ciphertextc do:<br /> for every m є Mcheck if Encpk(m) = c<br />for example if M={yes,no}, then the encryption is not secure.<br />RSAhas some “algebraic properties”.<br />
5. 5. Algebraic properties of RSA<br />RSA is homorphic:<br />Enc(e,N)(m0· m1) = (m0· m1)e<br /> = m0e· m1e<br /> = Enc(e,N )(m0) · Enc(e,N )(m1)<br /> why is it bad?<br />By checking if<br />c0· c1 =c<br /> the adversary can detect if<br />Dec(d,N)(c0) ·Dec(d,N)(c1) = Decd(c)<br />The Jacobi symbol leaks.<br />
6. 6. JacobiSymbol<br />+ 1 ifx ЄQRp<br />forany prime p defineJp(x) := <br /> - 1 otherwise<br />forN=pqdefineJN(x) := Jp(x) ·Jq(x)<br />mod p<br />JN(x) := <br />QR(p)<br />QR(q)<br />QR(n)<br />mod q<br />Itis a subgroupofZN*<br />ZN+ := {x : JN(x) = +1}<br />Jacobisymbol can becomputedefficiently! (even in p and q are unknown)<br />
7. 7. Fact<br />Enc(N,e) – encryption function of RSA<br />Then:<br />Jn(Enc(N,e)(m)) = Jn(m)<br />Proof<br />Left-hand-side:<br />Jn(Enc(N,e)(m)) = Jp(Enc(N,e) (m)) · Jq(Enc(N,e) (m)) <br />Right-hand-side:<br />Jn(m) = Jp(m) · Jq(m)<br />Therefore it is enough to prove that:<br />Jp(Enc(N,e)(m)) = Jp(m) <br />and <br />Jq(Enc (N,e)(m)) = Jq(m).<br />Sincep andqare symmetric we can just prove it forp.<br />
8. 8. We have to show that<br />Jp(Ence(m)) = Jp(m)<br />In other words:<br />Enc(N,e)(m) is aQRpiffm is aQRp<br />Now observe that e is always odd <br />(because gcd(e,(p-1)(q-1)) = 1).<br />To finish the proof we need to show that for every odd e:<br />me mod p is aQRpiffm mod p is aQRp<br />This is equal to<br />me mod p<br />
9. 9. Fact<br />For an odd e:<br />me mod p is aQRpiffm mod p is aQRp<br />Proof<br />Let g be the generator of Zp*. Write m = gx.<br />Recall that mis a QRpiffx is an even.<br />It is easy to see that <br />me mod p is aQRp<br />iff<br />(gx)e mod p is aQRp<br />iff<br />x · e mod (p-1) is even<br />iff<br />x mod (p-1) is even<br />iff<br />m mod p is aQRp<br />Hence we are done.<br />
10. 10. Conclusion<br />The Jacobi symbol “leaks”, i.e.:<br />fromc<br />one can compute Jn(Dec(N,d)(c))<br />(without knowing the factorization of N)<br />Is it a big problem?<br />Depends on the application...<br />
11. 11. Question: Is RSA secure?<br />Looks like it has some weaknesses...<br />Plan:<br />Provide a formal security definition.<br />Modify RSA so that it is secure according to this definition.<br />
12. 12. Plan<br />Problems with the handbook RSA encryption<br />Security definitions<br />How to encrypt with RSA?<br />Encryption based on discrete-log<br />first step: Diffie-Hellman key exchange<br />ElGamal encryption<br />Public-key vs. private key encryption<br />
13. 13. A mathematical view<br />A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec)of poly-time algorithms, where<br /><ul><li>Genis a key-generationrandomizedalgorithmthattakesas input a security parameter1n and outputs a key pair(pk,sk).
14. 14. Enc is an encryptionalgorithmthattakesas input the public keypkand a messagem, and outputs a ciphertextc,
15. 15. Decis an decryptionalgorithmthattakesas input the private key pkand the ciphertextc,and outputs a messagem’.</li></ul>We will sometimes write Encpk(m)and Decsk(c)instead of Enc(pk,m) and Dec(sk,c).<br />Correctness<br />P(Decsk(Encpk(m)) ≠ m)isnegligible in n<br />
16. 16. The security definition<br />Remember the symmetric-key case?<br />We considered a chosen-plaintext attack.<br />How would it look in the case of the public-key encryption?<br />
17. 17. A chosen-plaintext attack (CPA)<br />security parameter<br />1n<br />selects random(pk,sk) = Gen(1n)<br />chooses a random b = 0,1<br />pk<br />choosesm’1<br />m’1<br />oracle<br />c1 = Enc(pk,m’1)<br />This is notneeded.<br />Why?Because if Eve knows pk she can compute all these ciphertexts herself!<br />. . .<br />chooses m’t<br />m’t<br />ct = Enc(pk,m’t)<br />challenge phase:<br />m0,m1<br />chooses m0,m1<br />c = Enc(pk,mb)<br />the interaction continues . . .<br />has to guess b<br />
18. 18. A simplified view<br />security parameter<br />1n<br />selects random(pk,sk) = Gen(1n)<br />chooses a random b = 0,1<br />pk<br />oracle<br />challenge phase:<br />m0,m1<br />chooses m0,m1<br />c = Enc(pk,mb)<br />has to guess b<br />
19. 19. CPA-security<br />Alternative name:CPA-secure<br />Security definition:<br />We say that (Gen,Enc,Dec)hasindistinguishable encryptions under a chosen-plaintext attack (CPA)if any <br />randomized polynomial timeadversary <br />guesses b correctly <br />with probability at most 0.5 +ε(n), whereεis negligible.<br />
20. 20. Plan<br />Problems with the handbook RSA encryption<br />Security definitions<br />How to encrypt with RSA?<br />Encryption based on discrete-log<br />first step: Diffie-Hellman key exchange<br />ElGamal encryption<br />Public-key vs. private key encryption<br />
21. 21. Is the “handbook RSA” secure?<br />the “handbook RSA”<br />N = pq- RSA modulus<br />eis such thatgcd(e,d) = 1,d is such thated = 1 (mod φ(N))<br />Enc(N,e)(m) = me mod N, and Dec(d,N)(c) = cd mod N.<br />Not secure!<br />In fact:<br />No deterministic encryption scheme is secure.<br />How can the adversary win the game?<br />he just chooses any m0,m1, <br />computes c0=Enc(pk,m0) himself<br />compares the result.<br />Moral: encryption has to be randomized.<br />
22. 22. Encoding<br />Therefore, before encrypting a message we usually encode it (adding some randomness).<br />This has the following advantages:<br />makes the encryption non-deterministic<br />breaks the “algebraic properties” of encryption.<br />
23. 23. How is it done in real-life?<br />PKCS #1: RSA Encryption Standard Version 1.5:<br />public-key: (N,e)<br />let k := length on N in bytes.<br />let D := length of the plaintext<br />requirement: D ≤ k - 11.<br />Enc((N,e), m) := xe mod N, where x is equal to:<br />k bytes<br />(k - D - 3)random non-zero bytes<br />D bytes<br />
24. 24. Security of the PKCS #1: RSA Encryption Standard Version 1.5.<br />It is believed to be CPA-secure.<br />It has however some weaknesses (it is not “chosen-ciphertext secure”).<br />Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding.<br />(we will discuss it later)<br />
25. 25. Plan<br />Problems with the handbook RSA encryption<br />Security definitions<br />How to encrypt with RSA?<br />Encryption based on discrete-log<br />first step: Diffie-Hellman key exchange<br />ElGamal encryption<br />Public-key vs. private key encryption<br />
26. 26. How to construct PKE based on the hardness of discrete log?<br />RSA was a trapdoor permutation, so the construction was quite easy...<br />In case of the discrete log, we just have a one-way function.<br />Diffie and Hellman constructed something weaker than PKE: a key exchange protocol (also called key agreement protocol).<br />We’ll not describe it. Then, we’ll show how to “convert it” into a PKE.<br />
27. 27. Key exchange<br />initially they share no secret<br />listens<br />Alice<br />Bob<br />key k<br />key k<br />Eve should have no information about k<br />We will formalize it later.Let’s first show the protocol.<br />
28. 28. The Diffie-Hellman Key exchange<br />h1 = gx<br />h2 = gy<br />G – a group, where discrete log is believed to be hard<br />q = |G|<br />g – a generator of G<br />x ← Zq<br />y ← Zq<br />Bob<br />Alice<br />output:kA=(h2)x<br />output:kB=(h1)y<br />equal to:gyx<br />equal to:gxy<br />equal!<br />
29. 29. Security of the Diffie-Hellman exchange<br />h1 = gx<br />h2 = gy<br />G,g<br />knows<br />gyx?<br />Eve<br />Eve should have no information about gyx<br />
30. 30. Is it secure?<br />If the discrete log in G is easy then the DH key exchange is not secure.<br />(because the adversary can compute x and y from<br />gxand gy)<br />If the discrete log in G is hard, then...<br />it may also not be secure<br />
31. 31. Example: G = Zp*<br />x is even iff h1is a QR<br />x ← Zq<br />h1 = gx<br />y ← Zq<br />h2 = gy<br />Bob<br />Alice<br />y is even iffh2 is a QR<br /> Therefore:<br />gyxis a QRiff (h1 is a QR) or (h2is a QR)<br />So, Eve can compute some information aboutgyx(namely: if it is a QR, or not).<br />gyx ?<br />
32. 32. Is it a problem, or not?<br />We need to<br />formalize what we mean by secure key exchange,<br />identify the assumptions needed to prove the security.<br />
33. 33. interactive<br />probabilisticTuring machine A<br />interactiveprobabilistic<br />Turing machine B<br />“transcript” T: the sequence of exchanged messages:<br />Alice<br />Bob<br />key k<br />key k<br />Informal definition:(A,B)issecureif no “efficient adversary” can distinguish kfrom random, givenT,<br />with a “non-negligible advantage”.<br />key k<br />?<br />T<br />random string of the same length<br />
34. 34. How to formalize it?<br />security parameter 1n<br />T<br />A<br />B<br />key k є {0,1}n<br />key k є {0,1}n<br />We say (A,B) is secure a secure key-exchange protocol if:the output of A and B is always the same, and<br />A<br />|Prob [M(1n,T,k) = 1] - Prob [M(1n,T,r) = 1] |is negligible in n<br />polynomial-time Mthat outputs 0 or 1<br />r is random and |r| = n<br />
35. 35. Remember the algorithm H?<br />Algorithm H:<br />on input 1n<br />outputs:<br />a description of G of order q, such that |q| = n,<br />a generator g of G.<br />
36. 36. How does the protocol look now?<br />security parameter 1n<br />(G,g) ← H(1n)<br />x ← Zq<br />(G,g),q, h1 = gx<br />y ← Zq<br />h2 = gy<br />Bob<br />Alice<br />output:kA=(h2)x<br />output:kB=(h1)y<br />(Note that we cheat a bit because k is a “pseudorandom” group element, not a string of bits.)<br />If such a key exchange protocol is secure, we say that: the Decisional Diffie-Hellman (DDH) problem is hard with respect toH)<br />
37. 37. An example of H where DDH is believed to be hard<br />QR(p)<br />H(1n):<br />generate a random strong prime p of length n+1.<br />set q := (p-1)/2.<br />choose any x єZp* such that x ≠ ±1 (mod p).<br />set g := x2 mod p.<br />output (p,g).<br />Other groups are also used (e.g. groups based on the elliptic curves).<br />
38. 38. How does DDH compare to the discrete log assumption<br />DDH is hard w.r.t. H<br />discrete log is hard w.r.t. H<br />implies<br />The opposite implication is unknown in most of the cases<br />
39. 39. A problem<br />The protocols that we discussed are secure only against a passive adversary(that only eavesdrop).<br />What if the adversary is active?<br />She can launch a man-in-the-middle attack.<br />
40. 40. Man in the middle attack<br />I am Bob<br />I am Alice<br />Alice<br />Bob<br />key k<br />key k’<br />key k<br />key k’<br />A very realistic attack!<br />So, is this thing totally useless?No! (it is useful as a building block)<br />
41. 41. Plan<br />Problems with the handbook RSA encryption<br />Security definitions<br />How to encrypt with RSA?<br />Encryption based on discrete-log<br />first step: Diffie-Hellman key exchange<br />ElGamal encryption<br />Public-key vs. private key encryption<br />
42. 42. El Gamal encryption<br />El Gamal is another popular public-key encryption scheme.<br />It is based on the Diffie-Hellman key-exchange.<br />
43. 43. First observation<br />Remember that the one-time pad scheme can be generalized to any group?<br />E.g.: K = M = C =G.<br />Enc(k,m) = m · k<br />Dec(k,m) = m · k-1<br />So, if k is the key agreed in the DH key exchange, then <br />Alice can send a message m Є Gto Bob “encryptingitwithk” bysetting:<br />c := m · k<br />
44. 44. How does it look now?<br />security parameter 1n<br />(G,g) ← H(1n)<br />x ← Zq<br />y ← Zq<br />(G,g,q,h1)<br />h1= gx<br />plaintextm<br />h2 = gy<br />Alice<br />Bob<br />c := m · (h1)y<br />output:m’ := c · (h2)-x<br />since (h2)x = (h1)y<br />we get: m = m’<br />
45. 45. The last two messages can be sent together<br />security parameter 1n<br />(G,g) ← H(1n)<br />x ← Zq<br />y ← Zq<br />(G,g,q,h1)<br />h1= gx<br />plaintextm<br />(c, h2) := <br />(m · (h1)y, gy)<br />Alice<br />Bob<br />output:m’ := c · (h2)-x<br />
46. 46. ElGamal encryption<br />key generation<br />encryption<br />private key<br />security parameter 1n<br />public key<br />(G,g) ← H(1n)<br />x ← Zq<br />y ← Zq<br />(G,g,q,h1)<br />h1= gx<br />plaintextm<br />(c, h2) := <br />(m · (h1)y, gy)<br />Alice<br />Bob<br />output:m’ := c · (h2)-x<br />ciphertext<br />decryption<br />
47. 47. El Gamal encryption<br />Let H be such that DDH is hard with respect to H.<br />Gen(1n) first runs H to obtain (G,q)and q. Then, it chooses x ← Zqand computes h := gx. (note: it is randomized by definition)<br />The public key is (G,g,q,h).<br />The private key is (G,g,q,x).<br />Enc((G,g,q,h), m) := (m · hy, gy) , <br />where m ЄG and y is a random element of G<br />Dec((G,g,q,x), (c1,c2)) := c1 · c2-x<br />
48. 48. Correctness<br />h = gx<br />Enc((G,g,q,h), m) = (m · hy, gy) <br />Dec((G,g,q,x), (c1,c2)) = c1 · c2-x<br />= m · hy · (gy)-x<br />= m · (gx)y · (gy)-x<br />= m · gxy · g-yx<br />= m<br />
49. 49. El Gamal encryption – implementation issues<br />Which group to choose?<br />E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime.<br />Plaintext space is a set of integers {1,...,q}.<br />How to map an integer i є {1,...,q} to QR(p)?<br />Just square: <br />f(i) = i2 mod p.<br />Why is it one-to-one?<br />
50. 50. Remember this picture?<br />Z7*:<br />QR7:<br />f(x) = x2<br />1<br />2<br />3<br />1<br />2<br />4<br />4<br />5<br />6<br />
51. 51. Observation<br />In Zp* the function f “glues” only the elementsi and p-i<br />f(x) = x2<br />we take only this<br />
52. 52. The mapping<br />So<br />f(i) = i2 mod p<br />isone-to-one(on {1,...,q}).<br />Is it also efficiently invertible?<br />Yes(this was discussed on the previous lecture)<br />
53. 53. Plan<br />Problems with the handbook RSA encryption<br />Security definitions<br />How to encrypt with RSA?<br />Encryption based on discrete-log<br />first step: Diffie-Hellman key exchange<br />ElGamal encryption<br />Public-key vs. private key encryption<br />
54. 54. Public key vs. private key encryption<br />Private-key encryption has a following advantage:<br />it is much more efficient.<br />Practical solution: <br />combine both!<br />It is called: the hybrid encryption.<br />
55. 55. Hybrid encryption<br />Encrypt the symmetric key with a public-key encryption scheme.<br />k<br />m<br />random<br />private key enc.<br />Encpk<br />Enc’k<br />pk<br />public key enc.<br />ciphertext<br />c1 := Encpk(k)<br />c2 =Enc’k(m)<br />
56. 56. How to decrypt?<br />ciphertext<br />c1<br />c2<br />Decpk<br />Dec’k<br />pk<br />k<br />m<br />
57. 57. Is the public-key encryption in Minicrypt?<br />As far as we know: no!<br />cryptomania<br />trap-door permutations exist<br />???<br />???<br />public-key encryption exists<br />key exchange protocols exist<br />???<br />???<br />???<br />one way functionsexist<br />minicrypt<br />
58. 58. ©2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.<br />
1. #### A particular slide catching your eye?

Clipping is a handy way to collect important slides you want to go back to later.