SlideShare a Scribd company logo

lecture-10---public-key-encryption-ind-cpa-ind-cca-elgamal-rsa.pptx

Download as PPTX, PDF
A
AliAshraf68199

Public key and private key

Internet
1 of 41
Lecture 10 – Public-key encryption, IND-CPA/CCA, ElGamal, RSA TEK4500 27.10.2020 Håkon Jacobsen hakon.jacobsen@its.uio.no
Basic goals of cryptography 2 Message privacy Message integrity / authentication Symmetric keys Symmetric encryption Message authentication codes (MAC) Asymmetric keys Asymmetric encryption (a.k.a. public-key encryption) Digital signatures
Basic goals of cryptography 3 Message privacy Message integrity / authentication Symmetric keys Symmetric encryption Message authentication codes (MAC) Asymmetric keys Asymmetric encryption (a.k.a. public-key encryption) Digital signatures
Creating secure channels: encryption schemes 4 Internet Alice Bob Adversary K K ℰ C 𝒟 M / ⊥ 𝓔 : encryption algorithm (public) 𝓓 : decryption algorithm (public) K: encryption /decryption key (secret) M
Creating secure channels: encryption schemes 5 Internet Alice Bob Adversary Ke Kd ℰ C 𝒟 M M / ⊥ 𝓔 : encryption algorithm (public) 𝓓 : decryption algorithm (public) Ke : encryption key (public) Kd : decryption key (private)
Public-key encryption 6
Public-key encryption – syntax 7 A public-key encryption scheme is a tuple Σ = KeyGen, Enc, Dec of algorithms 𝑠𝑘, 𝑝𝑘 $ KeyGen Enc ∶ 𝒫𝒦 × ℳ → 𝒞 Enc 𝑝𝑘, 𝑀 = Enc𝑝𝑘 𝑀 = 𝐶 Dec ∶ 𝒮𝒦 × 𝒞 → ℳ ∪ ⊥ Dec 𝑠𝑘, 𝐶 = Dec𝑆𝐾 𝐶 = 𝑀/⊥ Correctness: for all 𝑠𝑘, 𝑝𝑘 KeyGen: Dec 𝑠𝑘, Enc 𝑝𝑘, 𝑀 = 𝑀 • 𝒮𝒦 – private key space • 𝒫𝒦 – public key space • ℳ – message space • 𝒞 – ciphertext space Adversary Enc 𝐶 𝑀 𝑀 / ⊥ Dec $ 𝑠𝑘, 𝑝𝑘 $ 𝑝𝑘 𝑠𝑘 KeyGen
Public-key encryption – security: IND-CPA 8 𝐄𝐱𝐩Σ ind–cpa 𝐴 1. 𝑏 $ 0,1 2. 𝑠𝑘, 𝑝𝑘 $ Σ. KeyGen 3. 𝑀0 ∗ , 𝑀1 ∗ 𝐴(𝑝𝑘) // find stage 4. if 𝑀0 ∗ ≠ 𝑀1 ∗ then 5. return ⊥ 6. 𝐶∗ Σ. Enc 𝑝𝑘, 𝑀𝑏 ∗ 7. 𝑏′ 𝐴 𝑝𝑘, 𝐶∗ // guess stage 8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ = ? 𝑏 Definition: The IND-CPA-advantage of an adversary 𝐴 is 𝐀𝐝𝐯Σ ind–cpa 𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σ ind–cpa 𝐴 ⇒ true − 1 Test me on 𝑀0 ∗ , 𝑀1 ∗ 𝑝𝑘 𝑠𝑘, 𝑝𝑘 KeyGen 𝐶∗ was an encryption of 𝑀1 Challenger
Public-key encryption – security: IND-CCA 10 𝐄𝐱𝐩Σ ind–cca 𝐴 1. 𝑏 $ 0,1 2. 𝑠𝑘, 𝑝𝑘 $ Σ. KeyGen 3. 𝑀0 ∗ , 𝑀1 ∗ 𝐴𝒟𝑠𝑘 ⋅ (𝑝𝑘) // find stage 4. if 𝑀0 ∗ ≠ 𝑀1 ∗ then 5. return ⊥ 6. 𝐶∗ Σ. Enc 𝑝𝑘, 𝑀𝑏 ∗ 7. 𝑏′ 𝐴𝒟𝑠𝑘 ⋅ 𝑝𝑘, 𝐶∗ // guess stage 8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ = ? 𝑏 𝒟𝑠𝑘 𝐶 --------------------------------- 1. if 𝐶 = 𝐶∗ the // cheating! 2. return ⊥ 3. return Σ. Dec 𝑠𝑘, 𝐶 Test me on 𝑀0 ∗ , 𝑀1 ∗ 𝑝𝑘 𝑠𝑘, 𝑝𝑘 KeyGen 𝐶∗ was an encryption of 𝑀1 𝐶1, 𝐶2, … 𝑀1, 𝑀2, … 𝐶1, 𝐶2, … 𝑀1, 𝑀2, … Dec(𝑠𝑘,⋅) Dec(𝑠𝑘,⋅) Definition: The IND-CCA-advantage of an adversary 𝐴 is 𝐀𝐝𝐯Σ ind–cca 𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σ ind–cca 𝐴 ⇒ true − 1 Challenger
Diffie-Hellman key exchange • Discovered in the 1970's • Allows two parties to establish a shared secret without ever having met • Diffie & Hellman paper also introduced the idea of: • Public-key encryption • But didn't figure out how to do it • 1978: ElGamal encryption scheme • Digital signatures • But didn't figure out how to do it 11 Whitfield Diffie Martin Hellman Ralph Merkle
ElGamal 12 𝑏 $ 1, … , 𝐺 𝐺 = 〈𝑔〉 𝐵 𝑔𝑏 𝐴 𝐵 𝑎 $ 1, … , 𝐺 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐴 𝑔𝑎 𝑍 𝐴𝑏 = 𝑔𝑎𝑏
ElGamal 13 𝐵 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐴 𝑔𝑎 𝐴 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 𝑏 $ 1, … , 𝐺 𝐵 𝑔𝑏 𝑎 $ 1, … , 𝐺
ElGamal 14 𝐺 = 〈𝑔〉 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 𝑏 $ 1, … , 𝐺 𝐵 𝑔𝑏 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺
ElGamal 15 𝐺 = 〈𝑔〉 𝑀 Σ. Dec 𝑍, 𝐶 𝐵 𝐴 𝑔𝑎 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 𝐴, 𝐶 𝑏 $ 1, … , 𝐺 𝐵 𝑔𝑏 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺
𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. ElGamal 16 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 𝐵 𝑔𝑏 return 𝑠𝑘, 𝑝𝑘 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺
𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐄𝐧𝐜 𝒑𝒌, 𝑴 1. 2. 3. 4. 5. ElGamal 17 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝐵 𝑔𝑏 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺
𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝒔𝒌, 𝑪 1. 2. 3. 𝐄𝐧𝐜 𝒑𝒌, 𝑴 1. 2. 3. 4. 5. ElGamal 18 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 return 𝑀 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝐵 𝑔𝑏 ElGamal. Enc ∶ ElGamal. Dec ∶ 𝐺 × ℳ → 𝐺 × 𝒞 𝒁𝑝 × 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ
ElGamal – IND-CPA security • Clearly DLOG and DH must be hard • Clearly Σ must be secure (IND-CPA? IND-CCA?) • But is this enough? • No: Σ only guarantees security if its keys are independent and uniformly distributed (in the group 𝐺) 19 but 𝑔𝑎𝑏 isn't uniformly distributed in 𝐺!
Decisional Diffie-Hellman (DDH) problem 20 𝐄𝐱𝐩𝐺,𝑔 ddh 𝐴 1. 𝑏 $ 0,1 2. 𝑥, 𝑦, 𝑧 $ 1,2, … , 𝐺 3. 𝑋 𝑔𝑥 𝑌 𝑔𝑦 4. 𝑍1 𝑔𝑥𝑦 5. 𝑍0 𝑔𝑧 6. 𝑏′ 𝐴 𝑋, 𝑌, 𝑍𝑏 7. return 𝑏′ = ? 𝑏 Challenger 𝑥, 𝑦, 𝑧 $ 1,2, … , 𝐺 𝑋 𝑔𝑥 𝑋, 𝑌, 𝑍𝑏 I think 𝑍𝑏 was a real DH value Adversary wins if it can distinguish a real DH value 𝑔𝑥𝑦 from a random group element 𝑔𝑧 Public: 𝐺 = 𝑔 Definition: The DDH-advantage of an adversary 𝐴 is 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩𝐺,𝑔 ddh 𝐴 ⇒ true − 1 𝑌 𝑔𝑦 𝑍1 𝑔𝑥𝑦 𝑍0 𝑔𝑧
DLOG vs. DH vs. DDH 21 𝐄𝐱𝐩𝐺,𝑔 dlog 𝐴 1. 𝑥 $ 1,2, … , 𝐺 2. 𝑋 𝑔𝑥 3. 𝑥′ 𝐴 𝑋 4. return 𝑥 = ? 𝑥 𝐄𝐱𝐩𝐺,𝑔 dh 𝐴 1. 𝑥, 𝑦 $ 1,2, … , 𝐺 2. 𝑋 𝑔𝑥 3. 𝑌 𝑔𝑦 4. 𝑧 𝐴 𝑋, 𝑌 5. return 𝑔𝑧 = ? 𝑔𝑥𝑦 DLOG security ⟸ DH security DLOG security ⟹ ? DH security 𝐄𝐱𝐩𝐺,𝑔 ddh 𝐴 1. 𝑏 $ 0,1 2. 𝑥, 𝑦, 𝑧 $ 1,2, … , 𝐺 3. 𝑋 𝑔𝑥 𝑌 𝑔𝑦 4. 𝑍1 𝑔𝑥𝑦 5. 𝑍0 𝑔𝑧 6. 𝑏′ 𝐴 𝑋, 𝑌, 𝑍𝑏 7. return 𝑏′ = ? 𝑏 ⟸ DDH security ⟹ DDH security
ElGamal – IND-CPA security: proof idea 22 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 return 𝑀 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ
ElGamal – IND-CPA security: proof idea 23 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝑔𝒛 return 𝑀 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 𝑍 𝑔𝒛 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ can't tell due to DDH-security
ElGamal – IND-CPA security: proof idea 24 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝑔𝒛 return 𝑀 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 𝑍 𝑔𝒛 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ can't tell due to DDH-security
ElGamal – IND-CPA security: proof idea 25 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 $ 𝐺 return 𝑀 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 𝑍 $ 𝐺 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ
ElGamal – IND-CPA security: proof idea 26 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ secure by IND-CPA 𝑍 $ 𝐺 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 $ 𝐺 return 𝑀
ElGamal – IND-CPA security: proof idea 27 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ secure by IND-CPA 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 $ 𝐺 return 𝑀 𝑍 $ 𝐺 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺
𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝒔𝒌, 𝑪 1. 2. 3. 𝐄𝐧𝐜 𝒑𝒌, 𝑴 1. 2. 3. 4. 5. Hashed ElGamal 28 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 return 𝑀 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝐵 𝑔𝑏 ElGamal. Enc ∶ ElGamal. Dec ∶ 𝐺 × ℳ → 𝐺 × 𝒞 𝒁𝑝 × 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ
𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝒔𝒌, 𝑪 1. 2. 3. 𝐄𝐧𝐜 𝒑𝒌, 𝑴 1. 2. 3. 4. 5. Hashed ElGamal 29 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 return 𝑀 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝐵 𝑔𝑏 ElGamal. Enc ∶ ElGamal. Dec ∶ 𝐺 × ℳ → 𝐺 × 𝒞 𝒁𝑝 × 𝐺 × 𝒞 → ℳ 𝐻: 𝐺 → 0,1 𝑘 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 0,1 𝑘 × ℳ → 𝒞 Σ. Dec ∶ 0,1 𝑘 × 𝒞 → ℳ
𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝒔𝒌, 𝑪 1. 2. 3. 𝐄𝐧𝐜 𝒑𝒌, 𝑴 1. 2. 3. 4. 5. Hashed ElGamal 30 𝐺 = 〈𝑔〉 𝐾 𝐻 𝐵𝑎 = 𝐻 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝐾 𝐻 𝐴𝑏 = 𝐻 𝑔𝑎𝑏 return 𝑀 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝐵 𝑔𝑏 ElGamal. Enc ∶ ElGamal. Dec ∶ 𝐺 × ℳ → 𝐺 × 𝒞 𝒁𝑝 × 𝐺 × 𝒞 → ℳ 𝐻: 𝐺 → 0,1 𝑘 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 0,1 𝑘 × ℳ → 𝒞 Σ. Dec ∶ 0,1 𝑘 × 𝒞 → ℳ
The RSA encryption scheme 31 𝐶 = 𝑀𝑒 mod 𝑛
RSA • Designed by Rivest, Shamir and Adleman in 1977 • One year before ElGamal • Used both for public key encryption and digital signatures Ron Rivest Leonard Adleman Adi Shamir
The group 𝒁𝑛 ∗ ,⋅ 33 𝒁𝑝 = 0, 1, … , 𝑝 − 1 𝒁𝑝 ∗ = 1, … , 𝑝 − 1 𝒁𝑝,⋅ is not a group! 𝒁𝑝 ∗ ,⋅ is a group! 𝒁𝑛 = 0, 1, … , 𝑛 − 1 𝒁𝑛 ∗ ≠ 1, … , 𝑛 − 1 𝒁𝑛,⋅ is not a group! 𝒁𝑛 +,⋅ is also not a group! 𝒁𝑛 ∗ = invertible elements in 𝒁𝑛 = 𝐭𝐡𝐞𝐨𝐫𝐞𝐦 𝑎 ∈ 𝒁𝑛 gcd 𝑎, 𝑛 = 1 𝒁𝑛 ∗ ,⋅ is a group! 𝒁10 + = 1, 2, 3, 4, 5, 6, 7, 8, 9 𝒁𝑛 + 2 ⋅ 1 = 2 mod 10 2 ⋅ 2 = 4 mod 10 2 ⋅ 3 = 6 mod 10 2 ⋅ 4 = 8 mod 10 2 ⋅ 5 = 0 mod 10 2 ⋅ 6 = 2 mod 10 2 ⋅ 7 = 4 mod 10 2 ⋅ 8 = 6 mod 10 2 ⋅ 9 = 8 mod 10 Not invertible Invertible 2, 4, 5, 6, 8 1, 3, 7, 9 3 ⋅ 7 = 21 = 1 mod 10 9 ⋅ 9 = 81 = 1 mod 10 1 ⋅ 1 = 1 mod 10 10 = 2 ⋅ 5 2 = 2 4 = 2 ⋅ 2 5 = 5 6 = 2 ⋅ 3 8 = 2 ⋅ 2 ⋅ 2 Proof: let 𝑑 = gcd 𝑎, 𝑛 • 𝑎 invertible • 𝑑 = 1 ⟹ ∃𝑘: 𝑎𝑏 = 1 + 𝑘𝑛 ⟹ 𝑎𝑏 − 𝑘𝑛 = 1 ⟹ 𝑑 𝑎′ 𝑏 − 𝑘𝑛′ = 1 ⟹ 𝑑 = 1 ⟹ Claim: ∃𝑠, 𝑡 ∈ 𝒁 such that 𝑠𝑎 + 𝑡𝑛 = 𝑑 = 1 ⟹ 𝑠𝑎 = 1 − 𝑡𝑛 ⟹ 𝑠𝑎 = 1 mod 𝑛 ⟹ 𝑎 is invertible ⟹ ∃𝑏 ∈ 𝒁𝑛 such that 𝑎𝑏 = 1 mod 𝑛
Euler's 𝜙 𝑛 function • 𝜙 𝑛 = def 𝒁𝑛 ∗ • 𝜙 𝑝 = 𝑝 − 1 • 𝜙 𝑝 ⋅ 𝑞 = • Note: 𝜙 𝑛 ≈ 𝑛 − 2 𝑛 ≈ 𝑛 • i.e.: almost all integers are invertible for large 𝑝, 𝑞 34 1 ⋅ 𝑝, 2 ⋅ 𝑝, 3 ⋅ 𝑝, ⋯ (𝑞 − 1) ⋅ 𝑝 1 ⋅ 𝑞, 2 ⋅ 𝑞, 3 ⋅ 𝑞, ⋯ (𝑝 − 1) ⋅ 𝑞 𝑞 − 1 𝑝 − 1 = (𝑝𝑞 − 1) − (𝑞 − 1 + 𝑝 − 1) = 𝑝𝑞 − 𝑞 − 𝑝 + 1 = 𝑝 − 1 ⋅ 𝑞 − 1 = 𝑎 ∈ 𝒁𝑛 gcd 𝑎, 𝑛 = 1 𝑝 − 1 ⋅ 𝑞 − 1 𝜙 𝑝𝑞 = #numbers less than 𝑝𝑞 − #numbers less than 𝑝𝑞 with gcd 𝑥, 𝑝𝑞 ≠ 1 𝑛 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 𝜙 𝑛 𝟏 1 2 2 4 2 6 4 6 4 10 4 12 6 8 𝑝 ⋅ 𝑞
Euler’s Theorem • 𝒁𝑝 ∗ ,⋅ : 𝒁𝑝 ∗ = 𝑝 − 1 𝑒 = 1 • 𝒁𝑛 ∗ ,⋅ : 𝒁𝑛 ∗ = 𝜙 𝑛 𝑒 = 1 35 Theorem: if 𝐺,∘ is a finite group, then for all 𝑔 ∈ 𝐺: 𝑔 𝐺 = 𝑒 Fermat’s theorem: if 𝑝 is prime, then for all 𝑎 ≠ 0 mod 𝑝 : 𝑎𝑝−1 ≡ 1 mod 𝑝 Euler’s theorem: for all positive integers 𝑛, if gcd 𝑎, 𝑛 = 1 then 𝑎𝜙 𝑛 ≡ 1 mod 𝑛
𝐊𝐞𝐲𝐆𝐞𝐧 1. 𝑝, 𝑞 $ two random prime numbers 2. 𝑛 𝑝 ⋅ 𝑞 3. 𝜙 𝑛 = 𝑝 − 1 𝑞 − 1 4. choose 𝑒 such that gcd 𝑒, 𝜙 𝑛 = 1 5. 𝑑 𝑒−1 mod 𝜙 𝑛 6. 𝑠𝑘 𝑑 𝑝𝑘 𝑛, 𝑒 7. return (𝑠𝑘, 𝑝𝑘) 𝐃𝐞𝐜 𝑠𝑘 = 𝑑, 𝐶 ∈ 𝒁𝑛 ∗ 1. 𝑀 𝐶𝑑 mod 𝑛 2. return 𝑀 𝐄𝐧𝐜 𝑝𝑘 = 𝑛, 𝑒 , 𝑀 ∈ 𝒁𝑛 ∗ 1. 𝐶 𝑀𝑒 mod 𝑛 2. return 𝐶 Textbook RSA 36 𝐶 𝑝𝑘 RSA. Enc ∶ 𝒁+ × 𝒁𝜙 𝑛 ∗ × 𝒁𝑛 ∗ → 𝒁𝑛 ∗ RSA. Dec: 𝒁𝜙 𝑛 ∗ × 𝒁𝑛 ∗ → 𝒁𝑛 ∗ 𝒫𝒦 ℳ 𝒞 𝒮𝒦 𝒞 ℳ Common choices of 𝑒: 3, 17, 65 537 112 100012 1 0000 0000 0000 00012
Textbook RSA – correctness 37 Euler’s theorem: for all 𝑎 ∈ 𝒁𝑛 ∗ 𝑎𝜙 𝑛 ≡ 1 mod 𝑛 𝐶𝑑 = 𝑀𝑒𝑑 Dec 𝑠𝑘, Enc 𝑝𝑘, 𝑀 = 𝑀 𝐊𝐞𝐲𝐆𝐞𝐧 1. 𝑝, 𝑞 $ two random prime numbers 2. 𝑛 𝑝 ⋅ 𝑞 3. 𝜙 𝑛 = 𝑝 − 1 𝑞 − 1 4. choose 𝑒 such that gcd 𝑒, 𝜙 𝑛 = 1 5. 𝑑 𝑒−1 mod 𝜙 𝑛 6. 𝑠𝑘 𝑑 𝑝𝑘 𝑛, 𝑒 7. return (𝑠𝑘, 𝑝𝑘) 𝐃𝐞𝐜 𝑠𝑘 = 𝑑, 𝐶 ∈ 𝒁𝑛 ∗ 1. 𝑀 𝐶𝑑 mod 𝑛 2. return 𝑀 𝐄𝐧𝐜 𝑝𝑘 = 𝑛, 𝑒 , 𝑀 ∈ 𝒁𝑛 ∗ 1. 𝐶 𝑀𝑒 mod 𝑛 2. return 𝐶 = 𝑀𝑒𝑑 mod 𝜙 𝑛 = 𝑀 mod 𝑛 Fact: RSA also works for 𝑀 ∈ 𝒁𝑛 Theorem: if 𝐺,∘ is a finite group, then for all 𝑔 ∈ 𝐺: 𝑔 𝐺 = 𝑒 Corollary I: 𝑔𝑖 = 𝑔𝑖 mod 𝐺 = 𝑎𝑖 mod 𝜙 𝑛 = 𝑀1 𝑑 = 𝑒−1 mod 𝜙 𝑛 ⟺ 𝑒𝑑 = 1 mod 𝜙 𝑛
Textbook RSA – security • Textbook RSA is not IND-CPA secure! • Deterministic • Malleable • Many other attacks as well* • Textbook RSA is not an encryption scheme! • So what is it? Answer: a one-way (trapdoor) permutation * https://crypto.stackexchange.com/questions/20085/which-attacks-are-possible-against-raw-textbook-rsa 38
The RSA-problem • RSA-problem: given 𝑝𝑘 = (𝑒, 𝑛) and 𝐶 = 𝑀𝑒 mod 𝑛 find 𝑀 • RSA-assumption: the RSA-problem is hard for large random primes 𝑝, 𝑞 (≈ 1024 bits each) • Easy is 𝑑 is known: simply compute 𝐶𝑑 mod 𝑛 • Easy if 𝜙 𝑛 is known: simply compute 1/𝑒 = 𝑒−1 = 𝑑 mod 𝜙 𝑛 and do the above • Easy if 𝑝 and 𝑞 are known: compute 𝜙 𝑛 = 𝑝 − 1 ⋅ (𝑞 − 1) and do the above • Hence: RSA-assumption ⟹ must be hard to find 𝑑, 𝜙 𝑛 and 𝑝, 𝑞 given 𝑒, 𝑛 (factoring problem) • What about the converse: factoring is hard ⟹ RSA-problem is hard? Open problem! • Note: given 𝜙(𝑛) and 𝑛 ⟹ easy to find 𝑝 and 𝑞 (exercise) 39 RSA. Enc𝑝𝑘 ∶ 𝒁𝑛 ∗ → 𝒁𝑛 ∗ RSA. Enc𝑝𝑘 ∶ 𝑀 ↦ 𝑀𝑒 mod 𝑛
How hard is factoring? • In practice factoring is only known way to break RSA • Factoring 𝑛 = 𝑝𝑞 believed to be hard for large 𝑝 and 𝑞 • Naïve Factor 𝑛 : • 3 divides 𝑛? return 3 ⋅ Factor 𝑛/3 • 5 divides 𝑛? return 5 ⋅ Factor 𝑛/5 • 7 divides 𝑛? return 7 ⋅ Factor 𝑛/7 ⋮ • 𝑛 divides 𝑛? return 𝑛 ⋅ Factor 𝑛/ 𝑛 • Return 𝑛 • Very inefficient: 𝑛 ≈ 2𝑘 ⟹ 𝜋 𝑛 ≈ 2𝑘 ln 2𝑘 ≈ 2𝑘 𝑘 • Much faster factoring algorithms known: current record 829-bit number (Heninger et al.'20) 40 Algorithm Time to factor 𝑛 ≈ 2𝑘 Naive ≈ 𝒪 2𝑘 Quadratic sieve ≈ 𝒪 𝑒𝑐 𝑘 ln 𝑘 Number field sieve ≈ 𝒪 𝑒1.92 3 𝑘⋅ 1.5 ln 𝑘
RSA in practice • Textbook RSA is deterministic ⟹ cannot be IND-CPA secure • How to achieve IND-CPA? • pad message with random data before applying RSA function • PKCS#1v1.5 • RSA-OAEP • RSA encryption not used much in practice anymore • Mostly key transport: message is a random 256-bit key used in a subsequent symmetric encryption scheme • RSA digital signatures still very common 41 𝑀 𝑟 || 𝑀 𝐶 Pad 𝑋 ↦ 𝑋𝑒 mod 𝑛 256 bits 2048 bits
Summary • Public-key encryption security goals: IND-CPA and IND-CCA • ElGamal • Public-key encryption from Diffie-Hellman key exchange • IND-CPA secure if the DDH assumption holds in the group and the symmetric encryption scheme is (one-time) IND-CPA secure • Hashed-ElGamal: hash the derived Diffie-Hellman key to obtain a symmetric key 𝐾 ∈ 0,1 𝑘 • DDH assumption can be weakened to DH assumption (but stronger requirement on hash function) • RSA • Not a public-key encryption scheme directly • Can (with random padding) be used to create a IND-CPA secure public-key encryption scheme • Must be hard: RSA-problem and factoring problem 42

Recommended

What is Digital Forensics.docx
What is Digital Forensics.docxWhat is Digital Forensics.docx
What is Digital Forensics.docxAliAshraf68199
 
Week1_2.ppt
Week1_2.pptWeek1_2.ppt
Week1_2.pptAliAshraf68199
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.pptAliAshraf68199
 
digital Information BD.pptx
digital Information BD.pptxdigital Information BD.pptx
digital Information BD.pptxAliAshraf68199
 
digital Information.pptx
digital Information.pptxdigital Information.pptx
digital Information.pptxAliAshraf68199
 
digital10.pptx
digital10.pptxdigital10.pptx
digital10.pptxAliAshraf68199
 
digital signatures10.pptx
digital signatures10.pptxdigital signatures10.pptx
digital signatures10.pptxAliAshraf68199
 
digital signatures1.pptx
digital signatures1.pptxdigital signatures1.pptx
digital signatures1.pptxAliAshraf68199
 

Recommended

What is Digital Forensics.docx
What is Digital Forensics.docxWhat is Digital Forensics.docx
What is Digital Forensics.docxAliAshraf68199
 
Week1_2.ppt
Week1_2.pptWeek1_2.ppt
Week1_2.pptAliAshraf68199
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.pptAliAshraf68199
 
digital Information BD.pptx
digital Information BD.pptxdigital Information BD.pptx
digital Information BD.pptxAliAshraf68199
 
digital Information.pptx
digital Information.pptxdigital Information.pptx
digital Information.pptxAliAshraf68199
 
digital10.pptx
digital10.pptxdigital10.pptx
digital10.pptxAliAshraf68199
 
digital signatures10.pptx
digital signatures10.pptxdigital signatures10.pptx
digital signatures10.pptxAliAshraf68199
 
digital signatures1.pptx
digital signatures1.pptxdigital signatures1.pptx
digital signatures1.pptxAliAshraf68199
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture CodeSkeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations Rajiv Jayarajah, MAppComm, ACC
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data ScienceChristy Abraham Joy
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

More Related Content

Featured

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

lecture-10---public-key-encryption-ind-cpa-ind-cca-elgamal-rsa.pptx

  • 1. Lecture 10 – Public-key encryption, IND-CPA/CCA, ElGamal, RSA TEK4500 27.10.2020 Håkon Jacobsen hakon.jacobsen@its.uio.no
  • 2. Basic goals of cryptography 2 Message privacy Message integrity / authentication Symmetric keys Symmetric encryption Message authentication codes (MAC) Asymmetric keys Asymmetric encryption (a.k.a. public-key encryption) Digital signatures
  • 3. Basic goals of cryptography 3 Message privacy Message integrity / authentication Symmetric keys Symmetric encryption Message authentication codes (MAC) Asymmetric keys Asymmetric encryption (a.k.a. public-key encryption) Digital signatures
  • 4. Creating secure channels: encryption schemes 4 Internet Alice Bob Adversary K K ℰ C 𝒟 M / ⊥ 𝓔 : encryption algorithm (public) 𝓓 : decryption algorithm (public) K: encryption /decryption key (secret) M
  • 5. Creating secure channels: encryption schemes 5 Internet Alice Bob Adversary Ke Kd ℰ C 𝒟 M M / ⊥ 𝓔 : encryption algorithm (public) 𝓓 : decryption algorithm (public) Ke : encryption key (public) Kd : decryption key (private)
  • 7. Public-key encryption – syntax 7 A public-key encryption scheme is a tuple Σ = KeyGen, Enc, Dec of algorithms 𝑠𝑘, 𝑝𝑘 $ KeyGen Enc ∶ 𝒫𝒦 × ℳ → 𝒞 Enc 𝑝𝑘, 𝑀 = Enc𝑝𝑘 𝑀 = 𝐶 Dec ∶ 𝒮𝒦 × 𝒞 → ℳ ∪ ⊥ Dec 𝑠𝑘, 𝐶 = Dec𝑆𝐾 𝐶 = 𝑀/⊥ Correctness: for all 𝑠𝑘, 𝑝𝑘 KeyGen: Dec 𝑠𝑘, Enc 𝑝𝑘, 𝑀 = 𝑀 • 𝒮𝒦 – private key space • 𝒫𝒦 – public key space • ℳ – message space • 𝒞 – ciphertext space Adversary Enc 𝐶 𝑀 𝑀 / ⊥ Dec $ 𝑠𝑘, 𝑝𝑘 $ 𝑝𝑘 𝑠𝑘 KeyGen
  • 8. Public-key encryption – security: IND-CPA 8 𝐄𝐱𝐩Σ ind–cpa 𝐴 1. 𝑏 $ 0,1 2. 𝑠𝑘, 𝑝𝑘 $ Σ. KeyGen 3. 𝑀0 ∗ , 𝑀1 ∗ 𝐴(𝑝𝑘) // find stage 4. if 𝑀0 ∗ ≠ 𝑀1 ∗ then 5. return ⊥ 6. 𝐶∗ Σ. Enc 𝑝𝑘, 𝑀𝑏 ∗ 7. 𝑏′ 𝐴 𝑝𝑘, 𝐶∗ // guess stage 8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ = ? 𝑏 Definition: The IND-CPA-advantage of an adversary 𝐴 is 𝐀𝐝𝐯Σ ind–cpa 𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σ ind–cpa 𝐴 ⇒ true − 1 Test me on 𝑀0 ∗ , 𝑀1 ∗ 𝑝𝑘 𝑠𝑘, 𝑝𝑘 KeyGen 𝐶∗ was an encryption of 𝑀1 Challenger
  • 9. Public-key encryption – security: IND-CCA 10 𝐄𝐱𝐩Σ ind–cca 𝐴 1. 𝑏 $ 0,1 2. 𝑠𝑘, 𝑝𝑘 $ Σ. KeyGen 3. 𝑀0 ∗ , 𝑀1 ∗ 𝐴𝒟𝑠𝑘 ⋅ (𝑝𝑘) // find stage 4. if 𝑀0 ∗ ≠ 𝑀1 ∗ then 5. return ⊥ 6. 𝐶∗ Σ. Enc 𝑝𝑘, 𝑀𝑏 ∗ 7. 𝑏′ 𝐴𝒟𝑠𝑘 ⋅ 𝑝𝑘, 𝐶∗ // guess stage 8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ = ? 𝑏 𝒟𝑠𝑘 𝐶 --------------------------------- 1. if 𝐶 = 𝐶∗ the // cheating! 2. return ⊥ 3. return Σ. Dec 𝑠𝑘, 𝐶 Test me on 𝑀0 ∗ , 𝑀1 ∗ 𝑝𝑘 𝑠𝑘, 𝑝𝑘 KeyGen 𝐶∗ was an encryption of 𝑀1 𝐶1, 𝐶2, … 𝑀1, 𝑀2, … 𝐶1, 𝐶2, … 𝑀1, 𝑀2, … Dec(𝑠𝑘,⋅) Dec(𝑠𝑘,⋅) Definition: The IND-CCA-advantage of an adversary 𝐴 is 𝐀𝐝𝐯Σ ind–cca 𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σ ind–cca 𝐴 ⇒ true − 1 Challenger
  • 10. Diffie-Hellman key exchange • Discovered in the 1970's • Allows two parties to establish a shared secret without ever having met • Diffie & Hellman paper also introduced the idea of: • Public-key encryption • But didn't figure out how to do it • 1978: ElGamal encryption scheme • Digital signatures • But didn't figure out how to do it 11 Whitfield Diffie Martin Hellman Ralph Merkle
  • 11. ElGamal 12 𝑏 $ 1, … , 𝐺 𝐺 = 〈𝑔〉 𝐵 𝑔𝑏 𝐴 𝐵 𝑎 $ 1, … , 𝐺 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐴 𝑔𝑎 𝑍 𝐴𝑏 = 𝑔𝑎𝑏
  • 12. ElGamal 13 𝐵 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐴 𝑔𝑎 𝐴 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 𝑏 $ 1, … , 𝐺 𝐵 𝑔𝑏 𝑎 $ 1, … , 𝐺
  • 13. ElGamal 14 𝐺 = 〈𝑔〉 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 𝑏 $ 1, … , 𝐺 𝐵 𝑔𝑏 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺
  • 14. ElGamal 15 𝐺 = 〈𝑔〉 𝑀 Σ. Dec 𝑍, 𝐶 𝐵 𝐴 𝑔𝑎 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 𝐴, 𝐶 𝑏 $ 1, … , 𝐺 𝐵 𝑔𝑏 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺
  • 15. 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. ElGamal 16 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 𝐵 𝑔𝑏 return 𝑠𝑘, 𝑝𝑘 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺
  • 16. 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐄𝐧𝐜 𝒑𝒌, 𝑴 1. 2. 3. 4. 5. ElGamal 17 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝐵 𝑔𝑏 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺
  • 17. 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝒔𝒌, 𝑪 1. 2. 3. 𝐄𝐧𝐜 𝒑𝒌, 𝑴 1. 2. 3. 4. 5. ElGamal 18 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 return 𝑀 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝐵 𝑔𝑏 ElGamal. Enc ∶ ElGamal. Dec ∶ 𝐺 × ℳ → 𝐺 × 𝒞 𝒁𝑝 × 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ
  • 18. ElGamal – IND-CPA security • Clearly DLOG and DH must be hard • Clearly Σ must be secure (IND-CPA? IND-CCA?) • But is this enough? • No: Σ only guarantees security if its keys are independent and uniformly distributed (in the group 𝐺) 19 but 𝑔𝑎𝑏 isn't uniformly distributed in 𝐺!
  • 19. Decisional Diffie-Hellman (DDH) problem 20 𝐄𝐱𝐩𝐺,𝑔 ddh 𝐴 1. 𝑏 $ 0,1 2. 𝑥, 𝑦, 𝑧 $ 1,2, … , 𝐺 3. 𝑋 𝑔𝑥 𝑌 𝑔𝑦 4. 𝑍1 𝑔𝑥𝑦 5. 𝑍0 𝑔𝑧 6. 𝑏′ 𝐴 𝑋, 𝑌, 𝑍𝑏 7. return 𝑏′ = ? 𝑏 Challenger 𝑥, 𝑦, 𝑧 $ 1,2, … , 𝐺 𝑋 𝑔𝑥 𝑋, 𝑌, 𝑍𝑏 I think 𝑍𝑏 was a real DH value Adversary wins if it can distinguish a real DH value 𝑔𝑥𝑦 from a random group element 𝑔𝑧 Public: 𝐺 = 𝑔 Definition: The DDH-advantage of an adversary 𝐴 is 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩𝐺,𝑔 ddh 𝐴 ⇒ true − 1 𝑌 𝑔𝑦 𝑍1 𝑔𝑥𝑦 𝑍0 𝑔𝑧
  • 20. DLOG vs. DH vs. DDH 21 𝐄𝐱𝐩𝐺,𝑔 dlog 𝐴 1. 𝑥 $ 1,2, … , 𝐺 2. 𝑋 𝑔𝑥 3. 𝑥′ 𝐴 𝑋 4. return 𝑥 = ? 𝑥 𝐄𝐱𝐩𝐺,𝑔 dh 𝐴 1. 𝑥, 𝑦 $ 1,2, … , 𝐺 2. 𝑋 𝑔𝑥 3. 𝑌 𝑔𝑦 4. 𝑧 𝐴 𝑋, 𝑌 5. return 𝑔𝑧 = ? 𝑔𝑥𝑦 DLOG security ⟸ DH security DLOG security ⟹ ? DH security 𝐄𝐱𝐩𝐺,𝑔 ddh 𝐴 1. 𝑏 $ 0,1 2. 𝑥, 𝑦, 𝑧 $ 1,2, … , 𝐺 3. 𝑋 𝑔𝑥 𝑌 𝑔𝑦 4. 𝑍1 𝑔𝑥𝑦 5. 𝑍0 𝑔𝑧 6. 𝑏′ 𝐴 𝑋, 𝑌, 𝑍𝑏 7. return 𝑏′ = ? 𝑏 ⟸ DDH security ⟹ DDH security
  • 21. ElGamal – IND-CPA security: proof idea 22 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 return 𝑀 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ
  • 22. ElGamal – IND-CPA security: proof idea 23 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝑔𝒛 return 𝑀 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 𝑍 𝑔𝒛 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ can't tell due to DDH-security
  • 23. ElGamal – IND-CPA security: proof idea 24 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝑔𝒛 return 𝑀 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 𝑍 𝑔𝒛 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ can't tell due to DDH-security
  • 24. ElGamal – IND-CPA security: proof idea 25 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 $ 𝐺 return 𝑀 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 𝑍 $ 𝐺 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ
  • 25. ElGamal – IND-CPA security: proof idea 26 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ secure by IND-CPA 𝑍 $ 𝐺 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 $ 𝐺 return 𝑀
  • 26. ElGamal – IND-CPA security: proof idea 27 Theorem: For any IND-CPA adversy 𝐴 against ElGamal, there are adversaries 𝐵 and 𝐶such that 𝐀𝐝𝐯ElGamal ind–cpa 𝐴 ≤ 2 ⋅ 𝐀𝐝𝐯𝐺,𝑔 ddh 𝐵 + 𝐀𝐝𝐯Σ ind–cpa 𝐶 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝑠𝑘, 𝐶 1. 2. 3. 𝐄𝐧𝐜 𝑝𝑘, 𝑀 1. 2. 3. 4. 5. 𝐴, 𝐶 𝐵 𝑠𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝑝𝑘 = 𝐵 𝑔𝑏 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ secure by IND-CPA 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 $ 𝐺 return 𝑀 𝑍 $ 𝐺 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝑎 $ 1, … , 𝐺
  • 27. 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝒔𝒌, 𝑪 1. 2. 3. 𝐄𝐧𝐜 𝒑𝒌, 𝑴 1. 2. 3. 4. 5. Hashed ElGamal 28 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 return 𝑀 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝐵 𝑔𝑏 ElGamal. Enc ∶ ElGamal. Dec ∶ 𝐺 × ℳ → 𝐺 × 𝒞 𝒁𝑝 × 𝐺 × 𝒞 → ℳ 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 𝐺 × ℳ → 𝒞 Σ. Dec ∶ 𝐺 × 𝒞 → ℳ
  • 28. 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝒔𝒌, 𝑪 1. 2. 3. 𝐄𝐧𝐜 𝒑𝒌, 𝑴 1. 2. 3. 4. 5. Hashed ElGamal 29 𝐺 = 〈𝑔〉 𝑍 𝐵𝑎 = 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝑍 𝐴𝑏 = 𝑔𝑎𝑏 return 𝑀 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝐵 𝑔𝑏 ElGamal. Enc ∶ ElGamal. Dec ∶ 𝐺 × ℳ → 𝐺 × 𝒞 𝒁𝑝 × 𝐺 × 𝒞 → ℳ 𝐻: 𝐺 → 0,1 𝑘 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 0,1 𝑘 × ℳ → 𝒞 Σ. Dec ∶ 0,1 𝑘 × 𝒞 → ℳ
  • 29. 𝐊𝐞𝐲𝐆𝐞𝐧 1. 2. 3. 𝐃𝐞𝐜 𝒔𝒌, 𝑪 1. 2. 3. 𝐄𝐧𝐜 𝒑𝒌, 𝑴 1. 2. 3. 4. 5. Hashed ElGamal 30 𝐺 = 〈𝑔〉 𝐾 𝐻 𝐵𝑎 = 𝐻 𝑔𝑎𝑏 𝐶 Σ. Enc 𝑍, 𝑀 return 𝐴, 𝐶 𝐴 𝑔𝑎 𝐴, 𝐶 𝐵 𝑀 Σ. Dec 𝑍, 𝐶 𝐾 𝐻 𝐴𝑏 = 𝐻 𝑔𝑎𝑏 return 𝑀 𝑠𝑘 = 𝑝𝑘 = 𝑏 $ 1, … , 𝐺 return 𝑠𝑘, 𝑝𝑘 𝐵 𝑔𝑏 ElGamal. Enc ∶ ElGamal. Dec ∶ 𝐺 × ℳ → 𝐺 × 𝒞 𝒁𝑝 × 𝐺 × 𝒞 → ℳ 𝐻: 𝐺 → 0,1 𝑘 𝑎 $ 1, … , 𝐺 Σ = KeyGen, Enc, Dec Σ. Enc ∶ 0,1 𝑘 × ℳ → 𝒞 Σ. Dec ∶ 0,1 𝑘 × 𝒞 → ℳ
  • 30. The RSA encryption scheme 31 𝐶 = 𝑀𝑒 mod 𝑛
  • 31. RSA • Designed by Rivest, Shamir and Adleman in 1977 • One year before ElGamal • Used both for public key encryption and digital signatures Ron Rivest Leonard Adleman Adi Shamir
  • 32. The group 𝒁𝑛 ∗ ,⋅ 33 𝒁𝑝 = 0, 1, … , 𝑝 − 1 𝒁𝑝 ∗ = 1, … , 𝑝 − 1 𝒁𝑝,⋅ is not a group! 𝒁𝑝 ∗ ,⋅ is a group! 𝒁𝑛 = 0, 1, … , 𝑛 − 1 𝒁𝑛 ∗ ≠ 1, … , 𝑛 − 1 𝒁𝑛,⋅ is not a group! 𝒁𝑛 +,⋅ is also not a group! 𝒁𝑛 ∗ = invertible elements in 𝒁𝑛 = 𝐭𝐡𝐞𝐨𝐫𝐞𝐦 𝑎 ∈ 𝒁𝑛 gcd 𝑎, 𝑛 = 1 𝒁𝑛 ∗ ,⋅ is a group! 𝒁10 + = 1, 2, 3, 4, 5, 6, 7, 8, 9 𝒁𝑛 + 2 ⋅ 1 = 2 mod 10 2 ⋅ 2 = 4 mod 10 2 ⋅ 3 = 6 mod 10 2 ⋅ 4 = 8 mod 10 2 ⋅ 5 = 0 mod 10 2 ⋅ 6 = 2 mod 10 2 ⋅ 7 = 4 mod 10 2 ⋅ 8 = 6 mod 10 2 ⋅ 9 = 8 mod 10 Not invertible Invertible 2, 4, 5, 6, 8 1, 3, 7, 9 3 ⋅ 7 = 21 = 1 mod 10 9 ⋅ 9 = 81 = 1 mod 10 1 ⋅ 1 = 1 mod 10 10 = 2 ⋅ 5 2 = 2 4 = 2 ⋅ 2 5 = 5 6 = 2 ⋅ 3 8 = 2 ⋅ 2 ⋅ 2 Proof: let 𝑑 = gcd 𝑎, 𝑛 • 𝑎 invertible • 𝑑 = 1 ⟹ ∃𝑘: 𝑎𝑏 = 1 + 𝑘𝑛 ⟹ 𝑎𝑏 − 𝑘𝑛 = 1 ⟹ 𝑑 𝑎′ 𝑏 − 𝑘𝑛′ = 1 ⟹ 𝑑 = 1 ⟹ Claim: ∃𝑠, 𝑡 ∈ 𝒁 such that 𝑠𝑎 + 𝑡𝑛 = 𝑑 = 1 ⟹ 𝑠𝑎 = 1 − 𝑡𝑛 ⟹ 𝑠𝑎 = 1 mod 𝑛 ⟹ 𝑎 is invertible ⟹ ∃𝑏 ∈ 𝒁𝑛 such that 𝑎𝑏 = 1 mod 𝑛
  • 33. Euler's 𝜙 𝑛 function • 𝜙 𝑛 = def 𝒁𝑛 ∗ • 𝜙 𝑝 = 𝑝 − 1 • 𝜙 𝑝 ⋅ 𝑞 = • Note: 𝜙 𝑛 ≈ 𝑛 − 2 𝑛 ≈ 𝑛 • i.e.: almost all integers are invertible for large 𝑝, 𝑞 34 1 ⋅ 𝑝, 2 ⋅ 𝑝, 3 ⋅ 𝑝, ⋯ (𝑞 − 1) ⋅ 𝑝 1 ⋅ 𝑞, 2 ⋅ 𝑞, 3 ⋅ 𝑞, ⋯ (𝑝 − 1) ⋅ 𝑞 𝑞 − 1 𝑝 − 1 = (𝑝𝑞 − 1) − (𝑞 − 1 + 𝑝 − 1) = 𝑝𝑞 − 𝑞 − 𝑝 + 1 = 𝑝 − 1 ⋅ 𝑞 − 1 = 𝑎 ∈ 𝒁𝑛 gcd 𝑎, 𝑛 = 1 𝑝 − 1 ⋅ 𝑞 − 1 𝜙 𝑝𝑞 = #numbers less than 𝑝𝑞 − #numbers less than 𝑝𝑞 with gcd 𝑥, 𝑝𝑞 ≠ 1 𝑛 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 𝜙 𝑛 𝟏 1 2 2 4 2 6 4 6 4 10 4 12 6 8 𝑝 ⋅ 𝑞
  • 34. Euler’s Theorem • 𝒁𝑝 ∗ ,⋅ : 𝒁𝑝 ∗ = 𝑝 − 1 𝑒 = 1 • 𝒁𝑛 ∗ ,⋅ : 𝒁𝑛 ∗ = 𝜙 𝑛 𝑒 = 1 35 Theorem: if 𝐺,∘ is a finite group, then for all 𝑔 ∈ 𝐺: 𝑔 𝐺 = 𝑒 Fermat’s theorem: if 𝑝 is prime, then for all 𝑎 ≠ 0 mod 𝑝 : 𝑎𝑝−1 ≡ 1 mod 𝑝 Euler’s theorem: for all positive integers 𝑛, if gcd 𝑎, 𝑛 = 1 then 𝑎𝜙 𝑛 ≡ 1 mod 𝑛
  • 35. 𝐊𝐞𝐲𝐆𝐞𝐧 1. 𝑝, 𝑞 $ two random prime numbers 2. 𝑛 𝑝 ⋅ 𝑞 3. 𝜙 𝑛 = 𝑝 − 1 𝑞 − 1 4. choose 𝑒 such that gcd 𝑒, 𝜙 𝑛 = 1 5. 𝑑 𝑒−1 mod 𝜙 𝑛 6. 𝑠𝑘 𝑑 𝑝𝑘 𝑛, 𝑒 7. return (𝑠𝑘, 𝑝𝑘) 𝐃𝐞𝐜 𝑠𝑘 = 𝑑, 𝐶 ∈ 𝒁𝑛 ∗ 1. 𝑀 𝐶𝑑 mod 𝑛 2. return 𝑀 𝐄𝐧𝐜 𝑝𝑘 = 𝑛, 𝑒 , 𝑀 ∈ 𝒁𝑛 ∗ 1. 𝐶 𝑀𝑒 mod 𝑛 2. return 𝐶 Textbook RSA 36 𝐶 𝑝𝑘 RSA. Enc ∶ 𝒁+ × 𝒁𝜙 𝑛 ∗ × 𝒁𝑛 ∗ → 𝒁𝑛 ∗ RSA. Dec: 𝒁𝜙 𝑛 ∗ × 𝒁𝑛 ∗ → 𝒁𝑛 ∗ 𝒫𝒦 ℳ 𝒞 𝒮𝒦 𝒞 ℳ Common choices of 𝑒: 3, 17, 65 537 112 100012 1 0000 0000 0000 00012
  • 36. Textbook RSA – correctness 37 Euler’s theorem: for all 𝑎 ∈ 𝒁𝑛 ∗ 𝑎𝜙 𝑛 ≡ 1 mod 𝑛 𝐶𝑑 = 𝑀𝑒𝑑 Dec 𝑠𝑘, Enc 𝑝𝑘, 𝑀 = 𝑀 𝐊𝐞𝐲𝐆𝐞𝐧 1. 𝑝, 𝑞 $ two random prime numbers 2. 𝑛 𝑝 ⋅ 𝑞 3. 𝜙 𝑛 = 𝑝 − 1 𝑞 − 1 4. choose 𝑒 such that gcd 𝑒, 𝜙 𝑛 = 1 5. 𝑑 𝑒−1 mod 𝜙 𝑛 6. 𝑠𝑘 𝑑 𝑝𝑘 𝑛, 𝑒 7. return (𝑠𝑘, 𝑝𝑘) 𝐃𝐞𝐜 𝑠𝑘 = 𝑑, 𝐶 ∈ 𝒁𝑛 ∗ 1. 𝑀 𝐶𝑑 mod 𝑛 2. return 𝑀 𝐄𝐧𝐜 𝑝𝑘 = 𝑛, 𝑒 , 𝑀 ∈ 𝒁𝑛 ∗ 1. 𝐶 𝑀𝑒 mod 𝑛 2. return 𝐶 = 𝑀𝑒𝑑 mod 𝜙 𝑛 = 𝑀 mod 𝑛 Fact: RSA also works for 𝑀 ∈ 𝒁𝑛 Theorem: if 𝐺,∘ is a finite group, then for all 𝑔 ∈ 𝐺: 𝑔 𝐺 = 𝑒 Corollary I: 𝑔𝑖 = 𝑔𝑖 mod 𝐺 = 𝑎𝑖 mod 𝜙 𝑛 = 𝑀1 𝑑 = 𝑒−1 mod 𝜙 𝑛 ⟺ 𝑒𝑑 = 1 mod 𝜙 𝑛
  • 37. Textbook RSA – security • Textbook RSA is not IND-CPA secure! • Deterministic • Malleable • Many other attacks as well* • Textbook RSA is not an encryption scheme! • So what is it? Answer: a one-way (trapdoor) permutation * https://crypto.stackexchange.com/questions/20085/which-attacks-are-possible-against-raw-textbook-rsa 38
  • 38. The RSA-problem • RSA-problem: given 𝑝𝑘 = (𝑒, 𝑛) and 𝐶 = 𝑀𝑒 mod 𝑛 find 𝑀 • RSA-assumption: the RSA-problem is hard for large random primes 𝑝, 𝑞 (≈ 1024 bits each) • Easy is 𝑑 is known: simply compute 𝐶𝑑 mod 𝑛 • Easy if 𝜙 𝑛 is known: simply compute 1/𝑒 = 𝑒−1 = 𝑑 mod 𝜙 𝑛 and do the above • Easy if 𝑝 and 𝑞 are known: compute 𝜙 𝑛 = 𝑝 − 1 ⋅ (𝑞 − 1) and do the above • Hence: RSA-assumption ⟹ must be hard to find 𝑑, 𝜙 𝑛 and 𝑝, 𝑞 given 𝑒, 𝑛 (factoring problem) • What about the converse: factoring is hard ⟹ RSA-problem is hard? Open problem! • Note: given 𝜙(𝑛) and 𝑛 ⟹ easy to find 𝑝 and 𝑞 (exercise) 39 RSA. Enc𝑝𝑘 ∶ 𝒁𝑛 ∗ → 𝒁𝑛 ∗ RSA. Enc𝑝𝑘 ∶ 𝑀 ↦ 𝑀𝑒 mod 𝑛
  • 39. How hard is factoring? • In practice factoring is only known way to break RSA • Factoring 𝑛 = 𝑝𝑞 believed to be hard for large 𝑝 and 𝑞 • Naïve Factor 𝑛 : • 3 divides 𝑛? return 3 ⋅ Factor 𝑛/3 • 5 divides 𝑛? return 5 ⋅ Factor 𝑛/5 • 7 divides 𝑛? return 7 ⋅ Factor 𝑛/7 ⋮ • 𝑛 divides 𝑛? return 𝑛 ⋅ Factor 𝑛/ 𝑛 • Return 𝑛 • Very inefficient: 𝑛 ≈ 2𝑘 ⟹ 𝜋 𝑛 ≈ 2𝑘 ln 2𝑘 ≈ 2𝑘 𝑘 • Much faster factoring algorithms known: current record 829-bit number (Heninger et al.'20) 40 Algorithm Time to factor 𝑛 ≈ 2𝑘 Naive ≈ 𝒪 2𝑘 Quadratic sieve ≈ 𝒪 𝑒𝑐 𝑘 ln 𝑘 Number field sieve ≈ 𝒪 𝑒1.92 3 𝑘⋅ 1.5 ln 𝑘
  • 40. RSA in practice • Textbook RSA is deterministic ⟹ cannot be IND-CPA secure • How to achieve IND-CPA? • pad message with random data before applying RSA function • PKCS#1v1.5 • RSA-OAEP • RSA encryption not used much in practice anymore • Mostly key transport: message is a random 256-bit key used in a subsequent symmetric encryption scheme • RSA digital signatures still very common 41 𝑀 𝑟 || 𝑀 𝐶 Pad 𝑋 ↦ 𝑋𝑒 mod 𝑛 256 bits 2048 bits
  • 41. Summary • Public-key encryption security goals: IND-CPA and IND-CCA • ElGamal • Public-key encryption from Diffie-Hellman key exchange • IND-CPA secure if the DDH assumption holds in the group and the symmetric encryption scheme is (one-time) IND-CPA secure • Hashed-ElGamal: hash the derived Diffie-Hellman key to obtain a symmetric key 𝐾 ∈ 0,1 𝑘 • DDH assumption can be weakened to DH assumption (but stronger requirement on hash function) • RSA • Not a public-key encryption scheme directly • Can (with random padding) be used to create a IND-CPA secure public-key encryption scheme • Must be hard: RSA-problem and factoring problem 42

Editor's Notes

  1. p = 11 q = 17 n = p * q Zn = Integers(n) phi = euler_phi(n) Zphi = Integers(phi) e = Zphi(3) d = e^-1 mod(e * d, phi) M = Zn(123) C = M^e C^d