On October 23rd, 2014, we updated our
Privacy Policy
and
User Agreement.
By continuing to use LinkedIn’s SlideShare service, you agree to the revised terms, so please take a few minutes to review them.
1.
Modern Cryptography www.dziembowski.net/Studenti/BISS09 Lecture 6 Public-Key Encryption StefanDziembowski UniversityofRome La Sapienza BiSS 2009Bertinoro International Spring School 2-6 March 2009
2.
Plan Problems with the handbook RSA encryption Security definitions How to encrypt with RSA? Encryption based on discrete-log first step: Diffie-Hellman key exchange ElGamal encryption Public-key vs. private key encryption
3.
The “handbook RSA encryption” N = pq- RSAmodulus eis such thatgcd(e, φ(N)) = 1, d is such thated = 1 (mod φ(N)) Enc(e,N) (m) = me mod N, and Dec(d,N) (c) = cd mod N.
4.
Problems Encpkis deterministic, so: if one encrypts twice the same message then the ciphertexts are the same Therefore if the message spaceM is small, the adversary can check all possible messages: given a ciphertextc do: for every m є Mcheck if Encpk(m) = c for example if M={yes,no}, then the encryption is not secure. RSAhas some “algebraic properties”.
5.
Algebraic properties of RSA RSA is homorphic: Enc(e,N)(m0· m1) = (m0· m1)e = m0e· m1e = Enc(e,N )(m0) · Enc(e,N )(m1) why is it bad? By checking if c0· c1 =c the adversary can detect if Dec(d,N)(c0) ·Dec(d,N)(c1) = Decd(c) The Jacobi symbol leaks.
6.
JacobiSymbol + 1 ifx ЄQRp forany prime p defineJp(x) := - 1 otherwise forN=pqdefineJN(x) := Jp(x) ·Jq(x) mod p JN(x) := QR(p) QR(q) QR(n) mod q Itis a subgroupofZN* ZN+ := {x : JN(x) = +1} Jacobisymbol can becomputedefficiently! (even in p and q are unknown)
7.
Fact Enc(N,e) – encryption function of RSA Then: Jn(Enc(N,e)(m)) = Jn(m) Proof Left-hand-side: Jn(Enc(N,e)(m)) = Jp(Enc(N,e) (m)) · Jq(Enc(N,e) (m)) Right-hand-side: Jn(m) = Jp(m) · Jq(m) Therefore it is enough to prove that: Jp(Enc(N,e)(m)) = Jp(m) and Jq(Enc (N,e)(m)) = Jq(m). Sincep andqare symmetric we can just prove it forp.
8.
We have to show that Jp(Ence(m)) = Jp(m) In other words: Enc(N,e)(m) is aQRpiffm is aQRp Now observe that e is always odd (because gcd(e,(p-1)(q-1)) = 1). To finish the proof we need to show that for every odd e: me mod p is aQRpiffm mod p is aQRp This is equal to me mod p
9.
Fact For an odd e: me mod p is aQRpiffm mod p is aQRp Proof Let g be the generator of Zp*. Write m = gx. Recall that mis a QRpiffx is an even. It is easy to see that me mod p is aQRp iff (gx)e mod p is aQRp iff x · e mod (p-1) is even iff x mod (p-1) is even iff m mod p is aQRp Hence we are done.
10.
Conclusion The Jacobi symbol “leaks”, i.e.: fromc one can compute Jn(Dec(N,d)(c)) (without knowing the factorization of N) Is it a big problem? Depends on the application...
11.
Question: Is RSA secure? Looks like it has some weaknesses... Plan: Provide a formal security definition. Modify RSA so that it is secure according to this definition.
12.
Plan Problems with the handbook RSA encryption Security definitions How to encrypt with RSA? Encryption based on discrete-log first step: Diffie-Hellman key exchange ElGamal encryption Public-key vs. private key encryption
13.
A mathematical view A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec)of poly-time algorithms, where
Genis a key-generationrandomizedalgorithmthattakesas input a security parameter1n and outputs a key pair(pk,sk).
14.
Enc is an encryptionalgorithmthattakesas input the public keypkand a messagem, and outputs a ciphertextc,
15.
Decis an decryptionalgorithmthattakesas input the private key pkand the ciphertextc,and outputs a messagem’.
We will sometimes write Encpk(m)and Decsk(c)instead of Enc(pk,m) and Dec(sk,c). Correctness P(Decsk(Encpk(m)) ≠ m)isnegligible in n
16.
The security definition Remember the symmetric-key case? We considered a chosen-plaintext attack. How would it look in the case of the public-key encryption?
17.
A chosen-plaintext attack (CPA) security parameter 1n selects random(pk,sk) = Gen(1n) chooses a random b = 0,1 pk choosesm’1 m’1 oracle c1 = Enc(pk,m’1) This is notneeded. Why?Because if Eve knows pk she can compute all these ciphertexts herself! . . . chooses m’t m’t ct = Enc(pk,m’t) challenge phase: m0,m1 chooses m0,m1 c = Enc(pk,mb) the interaction continues . . . has to guess b
18.
A simplified view security parameter 1n selects random(pk,sk) = Gen(1n) chooses a random b = 0,1 pk oracle challenge phase: m0,m1 chooses m0,m1 c = Enc(pk,mb) has to guess b
19.
CPA-security Alternative name:CPA-secure Security definition: We say that (Gen,Enc,Dec)hasindistinguishable encryptions under a chosen-plaintext attack (CPA)if any randomized polynomial timeadversary guesses b correctly with probability at most 0.5 +ε(n), whereεis negligible.
20.
Plan Problems with the handbook RSA encryption Security definitions How to encrypt with RSA? Encryption based on discrete-log first step: Diffie-Hellman key exchange ElGamal encryption Public-key vs. private key encryption
21.
Is the “handbook RSA” secure? the “handbook RSA” N = pq- RSA modulus eis such thatgcd(e,d) = 1,d is such thated = 1 (mod φ(N)) Enc(N,e)(m) = me mod N, and Dec(d,N)(c) = cd mod N. Not secure! In fact: No deterministic encryption scheme is secure. How can the adversary win the game? he just chooses any m0,m1, computes c0=Enc(pk,m0) himself compares the result. Moral: encryption has to be randomized.
22.
Encoding Therefore, before encrypting a message we usually encode it (adding some randomness). This has the following advantages: makes the encryption non-deterministic breaks the “algebraic properties” of encryption.
23.
How is it done in real-life? PKCS #1: RSA Encryption Standard Version 1.5: public-key: (N,e) let k := length on N in bytes. let D := length of the plaintext requirement: D ≤ k - 11. Enc((N,e), m) := xe mod N, where x is equal to: k bytes (k - D - 3)random non-zero bytes D bytes
24.
Security of the PKCS #1: RSA Encryption Standard Version 1.5. It is believed to be CPA-secure. It has however some weaknesses (it is not “chosen-ciphertext secure”). Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding. (we will discuss it later)
25.
Plan Problems with the handbook RSA encryption Security definitions How to encrypt with RSA? Encryption based on discrete-log first step: Diffie-Hellman key exchange ElGamal encryption Public-key vs. private key encryption
26.
How to construct PKE based on the hardness of discrete log? RSA was a trapdoor permutation, so the construction was quite easy... In case of the discrete log, we just have a one-way function. Diffie and Hellman constructed something weaker than PKE: a key exchange protocol (also called key agreement protocol). We’ll not describe it. Then, we’ll show how to “convert it” into a PKE.
27.
Key exchange initially they share no secret listens Alice Bob key k key k Eve should have no information about k We will formalize it later.Let’s first show the protocol.
28.
The Diffie-Hellman Key exchange h1 = gx h2 = gy G – a group, where discrete log is believed to be hard q = |G| g – a generator of G x ← Zq y ← Zq Bob Alice output:kA=(h2)x output:kB=(h1)y equal to:gyx equal to:gxy equal!
29.
Security of the Diffie-Hellman exchange h1 = gx h2 = gy G,g knows gyx? Eve Eve should have no information about gyx
30.
Is it secure? If the discrete log in G is easy then the DH key exchange is not secure. (because the adversary can compute x and y from gxand gy) If the discrete log in G is hard, then... it may also not be secure
31.
Example: G = Zp* x is even iff h1is a QR x ← Zq h1 = gx y ← Zq h2 = gy Bob Alice y is even iffh2 is a QR Therefore: gyxis a QRiff (h1 is a QR) or (h2is a QR) So, Eve can compute some information aboutgyx(namely: if it is a QR, or not). gyx ?
32.
Is it a problem, or not? We need to formalize what we mean by secure key exchange, identify the assumptions needed to prove the security.
33.
interactive probabilisticTuring machine A interactiveprobabilistic Turing machine B “transcript” T: the sequence of exchanged messages: Alice Bob key k key k Informal definition:(A,B)issecureif no “efficient adversary” can distinguish kfrom random, givenT, with a “non-negligible advantage”. key k ? T random string of the same length
34.
How to formalize it? security parameter 1n T A B key k є {0,1}n key k є {0,1}n We say (A,B) is secure a secure key-exchange protocol if:the output of A and B is always the same, and A |Prob [M(1n,T,k) = 1] - Prob [M(1n,T,r) = 1] |is negligible in n polynomial-time Mthat outputs 0 or 1 r is random and |r| = n
35.
Remember the algorithm H? Algorithm H: on input 1n outputs: a description of G of order q, such that |q| = n, a generator g of G.
36.
How does the protocol look now? security parameter 1n (G,g) ← H(1n) x ← Zq (G,g),q, h1 = gx y ← Zq h2 = gy Bob Alice output:kA=(h2)x output:kB=(h1)y (Note that we cheat a bit because k is a “pseudorandom” group element, not a string of bits.) If such a key exchange protocol is secure, we say that: the Decisional Diffie-Hellman (DDH) problem is hard with respect toH)
37.
An example of H where DDH is believed to be hard QR(p) H(1n): generate a random strong prime p of length n+1. set q := (p-1)/2. choose any x єZp* such that x ≠ ±1 (mod p). set g := x2 mod p. output (p,g). Other groups are also used (e.g. groups based on the elliptic curves).
38.
How does DDH compare to the discrete log assumption DDH is hard w.r.t. H discrete log is hard w.r.t. H implies The opposite implication is unknown in most of the cases
39.
A problem The protocols that we discussed are secure only against a passive adversary(that only eavesdrop). What if the adversary is active? She can launch a man-in-the-middle attack.
40.
Man in the middle attack I am Bob I am Alice Alice Bob key k key k’ key k key k’ A very realistic attack! So, is this thing totally useless?No! (it is useful as a building block)
41.
Plan Problems with the handbook RSA encryption Security definitions How to encrypt with RSA? Encryption based on discrete-log first step: Diffie-Hellman key exchange ElGamal encryption Public-key vs. private key encryption
42.
El Gamal encryption El Gamal is another popular public-key encryption scheme. It is based on the Diffie-Hellman key-exchange.
43.
First observation Remember that the one-time pad scheme can be generalized to any group? E.g.: K = M = C =G. Enc(k,m) = m · k Dec(k,m) = m · k-1 So, if k is the key agreed in the DH key exchange, then Alice can send a message m Є Gto Bob “encryptingitwithk” bysetting: c := m · k
44.
How does it look now? security parameter 1n (G,g) ← H(1n) x ← Zq y ← Zq (G,g,q,h1) h1= gx plaintextm h2 = gy Alice Bob c := m · (h1)y output:m’ := c · (h2)-x since (h2)x = (h1)y we get: m = m’
45.
The last two messages can be sent together security parameter 1n (G,g) ← H(1n) x ← Zq y ← Zq (G,g,q,h1) h1= gx plaintextm (c, h2) := (m · (h1)y, gy) Alice Bob output:m’ := c · (h2)-x
46.
ElGamal encryption key generation encryption private key security parameter 1n public key (G,g) ← H(1n) x ← Zq y ← Zq (G,g,q,h1) h1= gx plaintextm (c, h2) := (m · (h1)y, gy) Alice Bob output:m’ := c · (h2)-x ciphertext decryption
47.
El Gamal encryption Let H be such that DDH is hard with respect to H. Gen(1n) first runs H to obtain (G,q)and q. Then, it chooses x ← Zqand computes h := gx. (note: it is randomized by definition) The public key is (G,g,q,h). The private key is (G,g,q,x). Enc((G,g,q,h), m) := (m · hy, gy) , where m ЄG and y is a random element of G Dec((G,g,q,x), (c1,c2)) := c1 · c2-x
48.
Correctness h = gx Enc((G,g,q,h), m) = (m · hy, gy) Dec((G,g,q,x), (c1,c2)) = c1 · c2-x = m · hy · (gy)-x = m · (gx)y · (gy)-x = m · gxy · g-yx = m
49.
El Gamal encryption – implementation issues Which group to choose? E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime. Plaintext space is a set of integers {1,...,q}. How to map an integer i є {1,...,q} to QR(p)? Just square: f(i) = i2 mod p. Why is it one-to-one?
51.
Observation In Zp* the function f “glues” only the elementsi and p-i f(x) = x2 we take only this
52.
The mapping So f(i) = i2 mod p isone-to-one(on {1,...,q}). Is it also efficiently invertible? Yes(this was discussed on the previous lecture)
53.
Plan Problems with the handbook RSA encryption Security definitions How to encrypt with RSA? Encryption based on discrete-log first step: Diffie-Hellman key exchange ElGamal encryption Public-key vs. private key encryption
54.
Public key vs. private key encryption Private-key encryption has a following advantage: it is much more efficient. Practical solution: combine both! It is called: the hybrid encryption.
55.
Hybrid encryption Encrypt the symmetric key with a public-key encryption scheme. k m random private key enc. Encpk Enc’k pk public key enc. ciphertext c1 := Encpk(k) c2 =Enc’k(m)
56.
How to decrypt? ciphertext c1 c2 Decpk Dec’k pk k m
57.
Is the public-key encryption in Minicrypt? As far as we know: no! cryptomania trap-door permutations exist ??? ??? public-key encryption exists key exchange protocols exist ??? ??? ??? one way functionsexist minicrypt