Lecture 6 Public-Key Encryption
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Lecture 6 Public-Key Encryption

on

  • 597 views

 

Statistics

Views

Total Views
597
Views on SlideShare
571
Embed Views
26

Actions

Likes
1
Downloads
6
Comments
0

2 Embeds 26

https://bb.csueastbay.edu 25
http://www.slideshare.net 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Lecture 6 Public-Key Encryption Presentation Transcript

  • 1. Modern Cryptography www.dziembowski.net/Studenti/BISS09
    Lecture 6 Public-Key Encryption
    StefanDziembowski
    UniversityofRome
    La Sapienza
    BiSS 2009Bertinoro International Spring School 2-6 March 2009
  • 2. Plan
    Problems with the handbook RSA encryption
    Security definitions
    How to encrypt with RSA?
    Encryption based on discrete-log
    first step: Diffie-Hellman key exchange
    ElGamal encryption
    Public-key vs. private key encryption
  • 3. The “handbook RSA encryption”
    N = pq- RSAmodulus
    eis such thatgcd(e, φ(N)) = 1,
    d is such thated = 1 (mod φ(N))
    Enc(e,N) (m) = me mod N,
    and Dec(d,N) (c) = cd mod N.
  • 4. Problems
    Encpkis deterministic, so:
    if one encrypts twice the same message then the ciphertexts are the same
    Therefore if the message spaceM is small, the adversary can check all possible messages:
    given a ciphertextc do:
    for every m є Mcheck if Encpk(m) = c
    for example if M={yes,no}, then the encryption is not secure.
    RSAhas some “algebraic properties”.
  • 5. Algebraic properties of RSA
    RSA is homorphic:
    Enc(e,N)(m0· m1) = (m0· m1)e
    = m0e· m1e
    = Enc(e,N )(m0) · Enc(e,N )(m1)
    why is it bad?
    By checking if
    c0· c1 =c
    the adversary can detect if
    Dec(d,N)(c0) ·Dec(d,N)(c1) = Decd(c)
    The Jacobi symbol leaks.
  • 6. JacobiSymbol
    + 1 ifx ЄQRp
    forany prime p defineJp(x) :=
    - 1 otherwise
    forN=pqdefineJN(x) := Jp(x) ·Jq(x)
    mod p
    JN(x) :=
    QR(p)
    QR(q)
    QR(n)
    mod q
    Itis a subgroupofZN*
    ZN+ := {x : JN(x) = +1}
    Jacobisymbol can becomputedefficiently! (even in p and q are unknown)
  • 7. Fact
    Enc(N,e) – encryption function of RSA
    Then:
    Jn(Enc(N,e)(m)) = Jn(m)
    Proof
    Left-hand-side:
    Jn(Enc(N,e)(m)) = Jp(Enc(N,e) (m)) · Jq(Enc(N,e) (m))
    Right-hand-side:
    Jn(m) = Jp(m) · Jq(m)
    Therefore it is enough to prove that:
    Jp(Enc(N,e)(m)) = Jp(m)
    and
    Jq(Enc (N,e)(m)) = Jq(m).
    Sincep andqare symmetric we can just prove it forp.
  • 8. We have to show that
    Jp(Ence(m)) = Jp(m)
    In other words:
    Enc(N,e)(m) is aQRpiffm is aQRp
    Now observe that e is always odd
    (because gcd(e,(p-1)(q-1)) = 1).
    To finish the proof we need to show that for every odd e:
    me mod p is aQRpiffm mod p is aQRp
    This is equal to
    me mod p
  • 9. Fact
    For an odd e:
    me mod p is aQRpiffm mod p is aQRp
    Proof
    Let g be the generator of Zp*. Write m = gx.
    Recall that mis a QRpiffx is an even.
    It is easy to see that
    me mod p is aQRp
    iff
    (gx)e mod p is aQRp
    iff
    x · e mod (p-1) is even
    iff
    x mod (p-1) is even
    iff
    m mod p is aQRp
    Hence we are done.
  • 10. Conclusion
    The Jacobi symbol “leaks”, i.e.:
    fromc
    one can compute Jn(Dec(N,d)(c))
    (without knowing the factorization of N)
    Is it a big problem?
    Depends on the application...
  • 11. Question: Is RSA secure?
    Looks like it has some weaknesses...
    Plan:
    Provide a formal security definition.
    Modify RSA so that it is secure according to this definition.
  • 12. Plan
    Problems with the handbook RSA encryption
    Security definitions
    How to encrypt with RSA?
    Encryption based on discrete-log
    first step: Diffie-Hellman key exchange
    ElGamal encryption
    Public-key vs. private key encryption
  • 13. A mathematical view
    A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec)of poly-time algorithms, where
    • Genis a key-generationrandomizedalgorithmthattakesas input a security parameter1n and outputs a key pair(pk,sk).
    • 14. Enc is an encryptionalgorithmthattakesas input the public keypkand a messagem, and outputs a ciphertextc,
    • 15. Decis an decryptionalgorithmthattakesas input the private key pkand the ciphertextc,and outputs a messagem’.
    We will sometimes write Encpk(m)and Decsk(c)instead of Enc(pk,m) and Dec(sk,c).
    Correctness
    P(Decsk(Encpk(m)) ≠ m)isnegligible in n
  • 16. The security definition
    Remember the symmetric-key case?
    We considered a chosen-plaintext attack.
    How would it look in the case of the public-key encryption?
  • 17. A chosen-plaintext attack (CPA)
    security parameter
    1n
    selects random(pk,sk) = Gen(1n)
    chooses a random b = 0,1
    pk
    choosesm’1
    m’1
    oracle
    c1 = Enc(pk,m’1)
    This is notneeded.
    Why?Because if Eve knows pk she can compute all these ciphertexts herself!
    . . .
    chooses m’t
    m’t
    ct = Enc(pk,m’t)
    challenge phase:
    m0,m1
    chooses m0,m1
    c = Enc(pk,mb)
    the interaction continues . . .
    has to guess b
  • 18. A simplified view
    security parameter
    1n
    selects random(pk,sk) = Gen(1n)
    chooses a random b = 0,1
    pk
    oracle
    challenge phase:
    m0,m1
    chooses m0,m1
    c = Enc(pk,mb)
    has to guess b
  • 19. CPA-security
    Alternative name:CPA-secure
    Security definition:
    We say that (Gen,Enc,Dec)hasindistinguishable encryptions under a chosen-plaintext attack (CPA)if any
    randomized polynomial timeadversary
    guesses b correctly
    with probability at most 0.5 +ε(n), whereεis negligible.
  • 20. Plan
    Problems with the handbook RSA encryption
    Security definitions
    How to encrypt with RSA?
    Encryption based on discrete-log
    first step: Diffie-Hellman key exchange
    ElGamal encryption
    Public-key vs. private key encryption
  • 21. Is the “handbook RSA” secure?
    the “handbook RSA”
    N = pq- RSA modulus
    eis such thatgcd(e,d) = 1,d is such thated = 1 (mod φ(N))
    Enc(N,e)(m) = me mod N, and Dec(d,N)(c) = cd mod N.
    Not secure!
    In fact:
    No deterministic encryption scheme is secure.
    How can the adversary win the game?
    he just chooses any m0,m1,
    computes c0=Enc(pk,m0) himself
    compares the result.
    Moral: encryption has to be randomized.
  • 22. Encoding
    Therefore, before encrypting a message we usually encode it (adding some randomness).
    This has the following advantages:
    makes the encryption non-deterministic
    breaks the “algebraic properties” of encryption.
  • 23. How is it done in real-life?
    PKCS #1: RSA Encryption Standard Version 1.5:
    public-key: (N,e)
    let k := length on N in bytes.
    let D := length of the plaintext
    requirement: D ≤ k - 11.
    Enc((N,e), m) := xe mod N, where x is equal to:
    k bytes
    (k - D - 3)random non-zero bytes
    D bytes
  • 24. Security of the PKCS #1: RSA Encryption Standard Version 1.5.
    It is believed to be CPA-secure.
    It has however some weaknesses (it is not “chosen-ciphertext secure”).
    Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding.
    (we will discuss it later)
  • 25. Plan
    Problems with the handbook RSA encryption
    Security definitions
    How to encrypt with RSA?
    Encryption based on discrete-log
    first step: Diffie-Hellman key exchange
    ElGamal encryption
    Public-key vs. private key encryption
  • 26. How to construct PKE based on the hardness of discrete log?
    RSA was a trapdoor permutation, so the construction was quite easy...
    In case of the discrete log, we just have a one-way function.
    Diffie and Hellman constructed something weaker than PKE: a key exchange protocol (also called key agreement protocol).
    We’ll not describe it. Then, we’ll show how to “convert it” into a PKE.
  • 27. Key exchange
    initially they share no secret
    listens
    Alice
    Bob
    key k
    key k
    Eve should have no information about k
    We will formalize it later.Let’s first show the protocol.
  • 28. The Diffie-Hellman Key exchange
    h1 = gx
    h2 = gy
    G – a group, where discrete log is believed to be hard
    q = |G|
    g – a generator of G
    x ← Zq
    y ← Zq
    Bob
    Alice
    output:kA=(h2)x
    output:kB=(h1)y
    equal to:gyx
    equal to:gxy
    equal!
  • 29. Security of the Diffie-Hellman exchange
    h1 = gx
    h2 = gy
    G,g
    knows
    gyx?
    Eve
    Eve should have no information about gyx
  • 30. Is it secure?
    If the discrete log in G is easy then the DH key exchange is not secure.
    (because the adversary can compute x and y from
    gxand gy)
    If the discrete log in G is hard, then...
    it may also not be secure
  • 31. Example: G = Zp*
    x is even iff h1is a QR
    x ← Zq
    h1 = gx
    y ← Zq
    h2 = gy
    Bob
    Alice
    y is even iffh2 is a QR
    Therefore:
    gyxis a QRiff (h1 is a QR) or (h2is a QR)
    So, Eve can compute some information aboutgyx(namely: if it is a QR, or not).
    gyx ?
  • 32. Is it a problem, or not?
    We need to
    formalize what we mean by secure key exchange,
    identify the assumptions needed to prove the security.
  • 33. interactive
    probabilisticTuring machine A
    interactiveprobabilistic
    Turing machine B
    “transcript” T: the sequence of exchanged messages:
    Alice
    Bob
    key k
    key k
    Informal definition:(A,B)issecureif no “efficient adversary” can distinguish kfrom random, givenT,
    with a “non-negligible advantage”.
    key k
    ?
    T
    random string of the same length
  • 34. How to formalize it?
    security parameter 1n
    T
    A
    B
    key k є {0,1}n
    key k є {0,1}n
    We say (A,B) is secure a secure key-exchange protocol if:the output of A and B is always the same, and
    A
    |Prob [M(1n,T,k) = 1] - Prob [M(1n,T,r) = 1] |is negligible in n
    polynomial-time Mthat outputs 0 or 1
    r is random and |r| = n
  • 35. Remember the algorithm H?
    Algorithm H:
    on input 1n
    outputs:
    a description of G of order q, such that |q| = n,
    a generator g of G.
  • 36. How does the protocol look now?
    security parameter 1n
    (G,g) ← H(1n)
    x ← Zq
    (G,g),q, h1 = gx
    y ← Zq
    h2 = gy
    Bob
    Alice
    output:kA=(h2)x
    output:kB=(h1)y
    (Note that we cheat a bit because k is a “pseudorandom” group element, not a string of bits.)
    If such a key exchange protocol is secure, we say that: the Decisional Diffie-Hellman (DDH) problem is hard with respect toH)
  • 37. An example of H where DDH is believed to be hard
    QR(p)
    H(1n):
    generate a random strong prime p of length n+1.
    set q := (p-1)/2.
    choose any x єZp* such that x ≠ ±1 (mod p).
    set g := x2 mod p.
    output (p,g).
    Other groups are also used (e.g. groups based on the elliptic curves).
  • 38. How does DDH compare to the discrete log assumption
    DDH is hard w.r.t. H
    discrete log is hard w.r.t. H
    implies
    The opposite implication is unknown in most of the cases
  • 39. A problem
    The protocols that we discussed are secure only against a passive adversary(that only eavesdrop).
    What if the adversary is active?
    She can launch a man-in-the-middle attack.
  • 40. Man in the middle attack
    I am Bob
    I am Alice
    Alice
    Bob
    key k
    key k’
    key k
    key k’
    A very realistic attack!
    So, is this thing totally useless?No! (it is useful as a building block)
  • 41. Plan
    Problems with the handbook RSA encryption
    Security definitions
    How to encrypt with RSA?
    Encryption based on discrete-log
    first step: Diffie-Hellman key exchange
    ElGamal encryption
    Public-key vs. private key encryption
  • 42. El Gamal encryption
    El Gamal is another popular public-key encryption scheme.
    It is based on the Diffie-Hellman key-exchange.
  • 43. First observation
    Remember that the one-time pad scheme can be generalized to any group?
    E.g.: K = M = C =G.
    Enc(k,m) = m · k
    Dec(k,m) = m · k-1
    So, if k is the key agreed in the DH key exchange, then
    Alice can send a message m Є Gto Bob “encryptingitwithk” bysetting:
    c := m · k
  • 44. How does it look now?
    security parameter 1n
    (G,g) ← H(1n)
    x ← Zq
    y ← Zq
    (G,g,q,h1)
    h1= gx
    plaintextm
    h2 = gy
    Alice
    Bob
    c := m · (h1)y
    output:m’ := c · (h2)-x
    since (h2)x = (h1)y
    we get: m = m’
  • 45. The last two messages can be sent together
    security parameter 1n
    (G,g) ← H(1n)
    x ← Zq
    y ← Zq
    (G,g,q,h1)
    h1= gx
    plaintextm
    (c, h2) :=
    (m · (h1)y, gy)
    Alice
    Bob
    output:m’ := c · (h2)-x
  • 46. ElGamal encryption
    key generation
    encryption
    private key
    security parameter 1n
    public key
    (G,g) ← H(1n)
    x ← Zq
    y ← Zq
    (G,g,q,h1)
    h1= gx
    plaintextm
    (c, h2) :=
    (m · (h1)y, gy)
    Alice
    Bob
    output:m’ := c · (h2)-x
    ciphertext
    decryption
  • 47. El Gamal encryption
    Let H be such that DDH is hard with respect to H.
    Gen(1n) first runs H to obtain (G,q)and q. Then, it chooses x ← Zqand computes h := gx. (note: it is randomized by definition)
    The public key is (G,g,q,h).
    The private key is (G,g,q,x).
    Enc((G,g,q,h), m) := (m · hy, gy) ,
    where m ЄG and y is a random element of G
    Dec((G,g,q,x), (c1,c2)) := c1 · c2-x
  • 48. Correctness
    h = gx
    Enc((G,g,q,h), m) = (m · hy, gy)
    Dec((G,g,q,x), (c1,c2)) = c1 · c2-x
    = m · hy · (gy)-x
    = m · (gx)y · (gy)-x
    = m · gxy · g-yx
    = m
  • 49. El Gamal encryption – implementation issues
    Which group to choose?
    E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime.
    Plaintext space is a set of integers {1,...,q}.
    How to map an integer i є {1,...,q} to QR(p)?
    Just square:
    f(i) = i2 mod p.
    Why is it one-to-one?
  • 50. Remember this picture?
    Z7*:
    QR7:
    f(x) = x2
    1
    2
    3
    1
    2
    4
    4
    5
    6
  • 51. Observation
    In Zp* the function f “glues” only the elementsi and p-i
    f(x) = x2
    we take only this
  • 52. The mapping
    So
    f(i) = i2 mod p
    isone-to-one(on {1,...,q}).
    Is it also efficiently invertible?
    Yes(this was discussed on the previous lecture)
  • 53. Plan
    Problems with the handbook RSA encryption
    Security definitions
    How to encrypt with RSA?
    Encryption based on discrete-log
    first step: Diffie-Hellman key exchange
    ElGamal encryption
    Public-key vs. private key encryption
  • 54. Public key vs. private key encryption
    Private-key encryption has a following advantage:
    it is much more efficient.
    Practical solution:
    combine both!
    It is called: the hybrid encryption.
  • 55. Hybrid encryption
    Encrypt the symmetric key with a public-key encryption scheme.
    k
    m
    random
    private key enc.
    Encpk
    Enc’k
    pk
    public key enc.
    ciphertext
    c1 := Encpk(k)
    c2 =Enc’k(m)
  • 56. How to decrypt?
    ciphertext
    c1
    c2
    Decpk
    Dec’k
    pk
    k
    m
  • 57. Is the public-key encryption in Minicrypt?
    As far as we know: no!
    cryptomania
    trap-door permutations exist
    ???
    ???
    public-key encryption exists
    key exchange protocols exist
    ???
    ???
    ???
    one way functionsexist
    minicrypt
  • 58. ©2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.