COMP547
Claude Crépeau
INTRODUCTION TO MODERN CRYPTOGRAPHY, Second Edition
Jonathan Katz • Yehuda Lindell
Chapter 11: Public-Key Encryption
Chapter 11 Public-Key Encryption
Apologies: all numbering still refers to the first edition of the book.
10.1 Public-Key Encryption – An Overview
10.2 Definitions
10.2.1 Security against Chosen-Plaintext Attacks
10.2.2 Multiple Encryptions
10.3 Hybrid Encryption
10.4 RSA Encryption
10.4.1 “Plain RSA” and its Insecurity
10.4.2 Attacks on Plain RSA
10.4.3 Padded RSA
10.5 The El Gamal Encryption Scheme
10.6 Security Against Chosen-Ciphertext Attacks
10.7 * Trapdoor Permutations
Asymmetric Encryption (Public-Key Cryptography)
[Figure: plaintext P is encrypted under the encryption key K_e into ciphertext C, and C is decrypted under the decryption key K_d back to P.]
Complexity Theoretical Security
10.2 Definitions
DEFINITION 10.1 A public-key encryption scheme is a tuple of PPT algorithms (Gen, Enc, Dec) such that:
1. The key generation algorithm Gen takes as input the security parameter 1^n and outputs a pair of keys (pk, sk). We refer to the first of these as the public key and the second as the private key. We assume for convenience that pk and sk each have length at least n, and that n can be determined from pk, sk.
2. The encryption algorithm Enc takes as input a public key pk and a message m from some underlying plaintext space. It outputs a ciphertext c, and we write this as c ← Enc_pk(m).
3. The decryption algorithm Dec takes as input a private key sk and a ciphertext c, and outputs a message m or a special symbol ⊥ denoting failure. We assume without loss of generality that Dec is deterministic, and write this as m := Dec_sk(c).
It is required that there exists a negligible function negl such that for every n, every (pk, sk) output by Gen(1^n), and every message m in the appropriate underlying plaintext space, it holds that
Pr[ Dec_sk(Enc_pk(m)) ≠ m ] ≤ negl(n).
10.2.1 Security against Chosen-Plaintext Attacks
The eavesdropping indistinguishability experiment PubK^eav_{A,Π}(n):
1. Gen(1^n) is run to obtain keys (pk, sk).
2. Adversary A is given pk, and outputs a pair of messages m_0, m_1 of the same length. (These messages must be in the plaintext space associated with pk.)
3. A random bit b ← {0,1} is chosen, and then a ciphertext c ← Enc_pk(m_b) is computed and given to A. We call c the challenge ciphertext.
4. A outputs a bit b′.
5. The output of the experiment is defined to be 1 if b′ = b, and 0 otherwise.
DEFINITION 10.3 A public-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that
Pr[ PubK^eav_{A,Π}(n) = 1 ] ≤ ½ + negl(n).
CPA indistinguishability experiment PubK^cpa_{A,Π}(n):
1. Gen(1^n) is run to obtain keys (pk, sk).
2. Adversary A is given pk as well as oracle access to Enc_pk(·). The adversary outputs a pair of messages m_0, m_1 of the same length. (These messages must be in the plaintext space associated with pk.)
3. A random bit b ← {0,1} is chosen, and then a ciphertext c ← Enc_pk(m_b) is computed and given to A. We call c the challenge ciphertext.
4. A continues to have access to Enc_pk(·), and outputs a bit b′.
5. The output of the experiment is defined to be 1 if b′ = b, and 0 otherwise.
DEFINITION 10.4 A public-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-plaintext attack (or is CPA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that
Pr[ PubK^cpa_{A,Π}(n) = 1 ] ≤ ½ + negl(n).
PROPOSITION 10.5 If a public-key encryption scheme Π has indistinguishable encryptions in the presence of an eavesdropper, then Π also has indistinguishable encryptions under a chosen-plaintext attack.
Insecurity of Deterministic Public-Key Encryption
THEOREM 10.6 No deterministic public-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper.
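The experiment of Definition 10.3 run against a deterministic scheme, as an added example that is not from the slides: plain RSA with constructed toy primes 61, 53 and e = 17 plays Π, and the adversary is the one from the proof of Theorem 10.6, which re-encrypts m_0 under pk and compares it with the challenge. The toy key and all function names are constructed for illustration.

```python
import random

def gen_plain_rsa():
    """Gen: constructed toy key (NOT a secure modulus); pk = (N, e), sk = (N, d)."""
    p, q, e = 61, 53, 17                      # constructed toy parameters
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def enc_plain_rsa(pk, m):
    """Enc_pk(m) = m^e mod N. No randomness: the same m always gives the same c."""
    n, e = pk
    return pow(m, e, n)

def dec_plain_rsa(sk, c):
    """Dec_sk(c) = c^d mod N."""
    n, d = sk
    return pow(c, d, n)

def adversary_choose(pk):
    """Step 2: A outputs two distinct messages of the same (bit) length."""
    return 2, 3

def adversary_guess(pk, c, m0, m1):
    """Step 4: A recomputes Enc_pk(m0) with the public key and compares."""
    return 0 if enc_plain_rsa(pk, m0) == c else 1

def pubk_eav(rng, gen, enc, choose, guess):
    """One run of PubK^eav_{A,Pi}(n): returns 1 iff the guess b' equals b."""
    pk, _sk = gen()
    m0, m1 = choose(pk)
    b = rng.randrange(2)                      # step 3: random bit b
    c = enc(pk, m1 if b else m0)              # challenge ciphertext
    return 1 if guess(pk, c, m0, m1) == b else 0

def success_rate(trials=200, seed=1):
    """Fraction of runs the adversary wins; 1.0 for any deterministic scheme."""
    rng = random.Random(seed)
    wins = sum(pubk_eav(rng, gen_plain_rsa, enc_plain_rsa,
                        adversary_choose, adversary_guess)
               for _ in range(trials))
    return wins / trials
```

Because Enc is deterministic the adversary is right in every run, so Pr[PubK^eav = 1] = 1, far above ½ + negl(n).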
10.2.2 Multiple Encryptions
THEOREM 10.10 If a public-key encryption scheme Π has indistinguishable encryptions in the presence of an eavesdropper, then Π has indistinguishable multiple encryptions in the presence of an eavesdropper.
Encrypting Arbitrary-Length Messages
Say Π = (Gen, Enc, Dec) is an encryption scheme where the plaintext space is {0,1}. We can construct a new scheme Π′ = (Gen, Enc′, Dec′) with plaintext space {0,1}^* by defining Enc′ as follows:
Enc′_pk(m) = Enc_pk(m_1), ..., Enc_pk(m_t),
where m = m_1 ... m_t. The decryption algorithm Dec′ is modified in the obvious way.
PROPOSITION 10.11 Let Π and Π′ be as above. If Π has indistinguishable encryptions in the presence of an eavesdropper, then so does Π′.
10.3 Hybrid Encryption
To encrypt a message m:
1. The sender first chooses a random secret key k, and encrypts k using the public key of the receiver. Call the resulting ciphertext c_1. The receiver will be able to recover k by decrypting c_1, yet k will remain unknown to an eavesdropper (by security of the public-key encryption scheme), and so this has the effect of establishing a shared secret between the sender and the receiver.
2. The sender then encrypts the message m using a private-key encryption scheme (Gen′, Enc′, Dec′) and the secret key k that has just been shared. This results in a ciphertext c_2 that can be decrypted by the receiver using k.
[Hybrid Encryption: two slides shown as images; no text extracted.]
THEOREM 10.13 If Π is a CPA-secure public-key encryption scheme and Π′ is a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper, then Π^hy as in Construction 10.12 is a CPA-secure public-key encryption scheme.
10.4 RSA Encryption
Public inventors: Ron Rivest, Adi Shamir and Len Adleman.
Private inventors: Ellis, Cocks, Williamson.
[RSA Encryption: slides shown as images; no text extracted.]
In Cocks’ variation, e = N and therefore d = N^{-1} mod φ(N).
7.2.4 The RSA Assumption
The RSA problem can be described informally as follows: given a modulus N, an integer (exponent) e > 0 that is relatively prime to φ(N), and an element y ∈ Z_N^*, compute the e-th root of y modulo N; that is, given N, e, y find x such that x^e = y mod N.
The RSA experiment RSA-inv_{A,GenRSA}(n):
1. Run GenRSA(1^n) to obtain (N, e, d).
2. Choose y ← Z_N^*.
3. A is given N, e, y, and outputs x ∈ Z_N^*.
4. The output of the experiment is defined to be 1 if y = x^e mod N, and 0 otherwise.
DEFINITION 7.46 We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that
Pr[ RSA-inv_{A,GenRSA}(n) = 1 ] ≤ negl(n).
RSA vs Factoring
The RSA assumption implies that φ(N) is unknown.
Theorem: Knowledge of N and φ(N) factors N.
Proof: N = pq, φ(N) = (p−1)(q−1) = N − p − q + 1, so p + q = N − φ(N) + 1. Substituting q = N/p gives p + N/p = N − φ(N) + 1, or
p^2 − (N − φ(N) + 1) p + N = 0.
p and q are the two solutions of this quadratic equation.
The RSA assumption implies that d is unknown.
Knowledge of N, e, d factors N.
Proof: use the algorithm from the next slide: RSA-FACTOR(N, e, d). Success probability ≥ ½.
[RSA-FACTOR(N, e, d): slide shown as an image; no text extracted.]
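The two reductions above in code, as an added example that is not the course's or the book's code: factor_from_phi solves the slide's quadratic, and factor_from_d is the standard randomized RSA-FACTOR; the slide carrying that algorithm is missing here, so its exact form is an assumption. The toy values N = 3233 = 53·61, e = 17, d = 2753 are constructed for illustration.

```python
import math
import random

def _ordered(p, n):
    """Return the factor pair (p, N/p) with the smaller factor first."""
    return (min(p, n // p), max(p, n // p))

def factor_from_phi(n, phi):
    """Return (p, q), p <= q, from p + q = N - phi(N) + 1 and p*q = N."""
    s = n - phi + 1                          # s = p + q
    disc = s * s - 4 * n                     # discriminant of p^2 - s p + N
    r = math.isqrt(disc) if disc >= 0 else -1
    if r < 0 or r * r != disc or ((s - r) // 2) * ((s + r) // 2) != n:
        raise ValueError("phi(N) is inconsistent with N = pq")
    return (s - r) // 2, (s + r) // 2

def factor_from_d(n, e, d, rng=None, tries=50):
    """Randomized RSA-FACTOR (assumed form): write e*d - 1 = 2^v * t, t odd.
    For random g, some g^(2^i t) is a square root of 1 mod N; when it is neither
    1 nor N-1, gcd(x - 1, N) is a proper factor. Each try succeeds w.p. >= 1/2."""
    rng = rng or random.Random(0)
    v, t = 0, e * d - 1
    while t % 2 == 0:
        v += 1
        t //= 2
    for _ in range(tries):
        g = rng.randrange(2, n - 1)
        if math.gcd(g, n) != 1:              # g itself already shares a factor
            return _ordered(math.gcd(g, n), n)
        x = pow(g, t, n)
        for _ in range(v):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                return _ordered(math.gcd(x - 1, n), n)
            x = y
    raise RuntimeError("no factor found; increase tries")
```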
RSA Implementation Issues
Encoding binary strings as elements of Z_N^*. Let ℓ = ∥N∥. Any binary string m of length ℓ−1 can be viewed as an element of Z_N in the natural way. It is also possible to encode strings of varying lengths as elements of Z_N by padding using some unambiguous padding scheme.
RSA Implementation Issues: Choice of e
There does not appear to be any difference in the hardness of the RSA problem for different exponents e and, as such, different methods have been suggested for selecting e.
One popular choice is to set e = 3, since then computing e-th powers modulo N (as done when encrypting in the plain RSA scheme) requires only two multiplications.
If e is to be set equal to 3, then p and q must be chosen to satisfy p, q ≠ 1 mod 3 so that gcd(e, φ(N)) = 1.
RSA Implementation Issues: Choice of d
Note that choosing d to be small in order to speed up decryption (that is, changing GenRSA so that a small d is chosen first and then computing e) is a bad idea. If d is chosen in a small range (say, d < 2^16) then a brute-force search for d is easy to carry out. Even if d is chosen so that d ≈ N^{1/4} (and so brute-force attacks are ruled out), there are other attacks that can be used to recover d from the public key.
10.4.2 Attacks on Plain RSA
Encrypting short messages using small e. If e is small then the encryption of “small” messages is insecure when using plain RSA encryption.
For example, say e = 3 and the message m is such that m < N^{1/3} (or |m| < |N|/3) but m is otherwise unknown to an attacker. In this case, encryption of m does not involve any modular reduction since the integer m^3 is less than N. This means that given the ciphertext c = m^3 mod N an attacker can determine m by computing m := c^{1/3} over the integers, a computation that can be easily carried out.
The above attack shows that short messages can be recovered easily from their encryption if plain RSA with small e is used. Here, we extend the attack to the case of arbitrary-length messages as long as the same message is sent to multiple receivers.
Let e = 3 as before, and say the same message m is sent to three different parties holding public keys pk_1 = (N_1, 3), pk_2 = (N_2, 3), and pk_3 = (N_3, 3), respectively. Then an eavesdropper sees c_1 = m^3 mod N_1, c_2 = m^3 mod N_2 and c_3 = m^3 mod N_3.
Let N^* = N_1 N_2 N_3. An extended version of the Chinese remainder theorem says that there exists a unique non-negative value c^* < N^* such that:
c^* ≡ c_1 mod N_1,
c^* ≡ c_2 mod N_2 and
c^* ≡ c_3 mod N_3.
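Both weaknesses above on constructed toy moduli, as an added example that is not from the slides or the textbook: the integer cube root recovers a short m, and the CRT value c^* recovers a broadcast m (the slide stops at the CRT statement; that c^* equals the integer m^3, so its cube root is m, is the standard completion assumed here). Moduli, messages and function names are constructed for illustration; padded RSA (10.4.3) is the remedy.

```python
import math

def icbrt(x: int) -> int:
    """Smallest integer r with r^3 >= x (binary search, no floating point);
    for a perfect cube x this is its exact cube root."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo

def plain_rsa_encrypt(n: int, m: int, e: int = 3) -> int:
    """Plain RSA: c = m^e mod N, no padding."""
    return pow(m, e, n)

def recover_short_message(c: int) -> int:
    """If m^3 < N no reduction happened, so the cube root over the integers is m."""
    return icbrt(c)

def crt(residues, moduli) -> int:
    """Unique c* < N1 N2 N3 with c* = c_i (mod N_i), for pairwise coprime moduli."""
    n_star = math.prod(moduli)
    total = 0
    for ci, ni in zip(residues, moduli):
        mi = n_star // ni
        total += ci * mi * pow(mi, -1, ni)
    return total % n_star

def recover_broadcast_message(cs, ns) -> int:
    """Same m, e = 3, three moduli: m^3 < N1 N2 N3, so c* is exactly m^3."""
    return icbrt(crt(cs, ns))

# constructed toy moduli: products of primes that are 2 mod 3, so gcd(3, phi(N)) = 1
TOY_NS = [53 * 59, 71 * 83, 89 * 101]
```

Once m^3 exceeds N (m = 15 with N = 3127 below) the single-ciphertext root is no longer m, which is exactly what the three-receiver CRT step restores.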
10.4.3 Padded RSA
THEOREM 10.19 If the RSA problem is hard relative to GenRSA then Construction 10.18 with ℓ(n) = O(log n) has indistinguishable encryptions under a chosen-plaintext attack.
PKCS #1 v1.5
A widely-used and standardized encryption scheme, RSA Laboratories Public-Key Cryptography Standard (PKCS) #1 version 1.5, utilizes what is essentially padded RSA encryption.
For a public key pk = [N, e] of the usual form, let k denote the length of N in bytes; i.e., k is the integer satisfying 2^{8(k−1)} ≤ N < 2^{8k}.
Messages m to be encrypted are assumed to be a multiple of 8 bits long, and can have length up to k − 11 bytes. Encryption of a message m that is D bytes long is computed as
(00000000 ∥ 00000010 ∥ r ∥ 00000000 ∥ m)^e mod N,
where r is a randomly-generated string of (k − D − 3) bytes, with none of these bytes equal to 0.
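The PKCS #1 v1.5 encoding described above as an added example that is not from the slides or from any standard's reference code: the padding layer only, with a constructed k = 32 and the length and non-zero-byte rules enforced on both encode and decode. The modular exponentiation is left out; block_to_int gives the integer that would be raised to e.

```python
import secrets

def pkcs1_v15_pad(m: bytes, k: int, rng=secrets.token_bytes) -> bytes:
    """Return the k-byte block 00 || 02 || r || 00 || m; r has k-D-3 non-zero bytes."""
    d = len(m)
    if d > k - 11:
        raise ValueError("message too long: at most k-11 bytes")
    pad_len = k - d - 3                          # >= 8 because D <= k-11
    r = bytearray()
    while len(r) < pad_len:                      # draw random bytes, discard 0x00
        r.extend(b for b in rng(pad_len - len(r)) if b != 0)
    return b"\x00\x02" + bytes(r) + b"\x00" + m

def pkcs1_v15_unpad(eb: bytes, k: int) -> bytes:
    """Inverse of pkcs1_v15_pad. Every malformed block raises the same error:
    whether the receiver accepts a block is the signal the chosen-ciphertext
    attack on PKCS #1 v1.5 uses, so never report which check failed."""
    if len(eb) != k or eb[0] != 0 or eb[1] != 2:
        raise ValueError("decryption error")
    sep = eb.find(b"\x00", 2)                    # end of r
    if sep < 10:                                 # missing, or fewer than 8 pad bytes
        raise ValueError("decryption error")
    return eb[sep + 1:]

def block_to_int(eb: bytes) -> int:
    """The integer raised to the e-th power; the leading 0x00 byte keeps it < N."""
    return int.from_bytes(eb, "big")

def unpad_ok(eb: bytes, k: int) -> bool:
    """True iff the block parses: the accept/reject oracle a receiver must keep silent."""
    try:
        pkcs1_v15_unpad(eb, k)
        return True
    except ValueError:
        return False
```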
PKCS #1 v1.5 is believed to be CPA-secure, although no proof solely based on the RSA assumption has ever been shown.
Subsequent to the introduction of PKCS #1 v1.5, a chosen-ciphertext attack on this scheme was demonstrated. This motivated a change in the standard to a newer scheme called OAEP (for Optimal Asymmetric Encryption Padding).
10.5 The Elgamal Encryption Scheme
Taher Elgamal
[The Elgamal Encryption Scheme: slides shown as images; no text extracted.]
THEOREM 10.22 If the DDH problem is hard relative to G, then the Elgamal encryption scheme has indistinguishable encryptions under a chosen-plaintext attack.
Elgamal Implementation Issues
Encoding binary strings. Let p be a strong prime, i.e., q = (p − 1)/2 is also prime.
• Then the set of quadratic residues modulo p forms a group G of order q = (p − 1)/2 under multiplication modulo p.
• We can map the integers {1, ..., (p − 1)/2} to the set of quadratic residues modulo p by squaring: that is, the integer ṁ is mapped to the quadratic residue m = ṁ^2 mod p. This encoding is one-to-one and efficiently reversible. (When extracting square roots mod p, take the smaller square root x ≤ (p − 1)/2.)
Given the above, we can map a string w of length ∥q∥−1 to an element m ∈ G in the following way: given a string w ∈ {0,1}^{∥q∥−1}, interpret it as an integer in the natural way and add 1 to obtain an integer ṁ with 1 ≤ ṁ ≤ q. Then take m = ṁ^2 mod p.
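The encoding above and its inverse, as an added example that is not from the slides. It assumes constructed toy strong primes (p = 23 with q = 11, and p = 107 with q = 53); because q is an odd prime, p ≡ 3 mod 4, so a square root of a residue m is m^{(p+1)/4} mod p, and the smaller root is returned as the slide prescribes.

```python
def _is_prime(n: int) -> bool:
    """Trial division; fine for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def is_strong_prime(p: int) -> bool:
    """p is a strong prime if p and q = (p-1)/2 are both prime."""
    return p % 2 == 1 and _is_prime(p) and _is_prime((p - 1) // 2)

def encode_to_qr(w: str, p: int) -> int:
    """Map a bit string w of length ||q||-1 to m = (w + 1)^2 mod p, a residue in G."""
    q = (p - 1) // 2
    if len(w) != q.bit_length() - 1 or set(w) - {"0", "1"}:
        raise ValueError("w must be a bit string of length ||q||-1")
    m_dot = int(w, 2) + 1                  # 1 <= m_dot <= 2^(||q||-1) <= q
    return pow(m_dot, 2, p)

def decode_from_qr(m: int, p: int) -> str:
    """Inverse: take the smaller square root x <= (p-1)/2, subtract 1, write bits."""
    if p % 4 != 3:
        raise ValueError("the root formula below needs p = 3 mod 4")
    q = (p - 1) // 2
    x = pow(m, (p + 1) // 4, p)            # a square root of m when m is a residue
    if pow(x, 2, p) != m:
        raise ValueError("m is not a quadratic residue mod p")
    x = min(x, p - x)                      # the root in {1, ..., (p-1)/2}
    return format(x - 1, "0{}b".format(q.bit_length() - 1))
```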
10.6 Security vs Chosen-Ciphertext Attacks
DEFINITION 10.24 A public-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that
Pr[ PubK^cca_{A,Π}(n) = 1 ] ≤ ½ + negl(n).
Examples of Chosen-Ciphertext Attacks
Plain RSA encryption. Say an adversary A intercepts the ciphertext c = m^e mod N. Then the adversary can choose a random r ← Z_N^* and compute the ciphertext c′ := r^e · c mod N. Given the decryption m′ of this ciphertext, A can recover m := m′ · r^{−1} mod N.
Elgamal encryption. Say an adversary A intercepts a ciphertext c := ⟨c_1, c_2⟩ that is an encryption of the (encoded) message m with respect to the public key pk = ⟨G, q, g, h⟩. This means that c_1 = g^y and c_2 = h^y · m for some y ∈ Z_q unknown to A. Nevertheless, if the adversary computes c_2′ := c_2 · m′ then it is easy to see that the ciphertext c′ := ⟨c_1, c_2′⟩ is an encryption of the message m · m′.
One might object that the receiver will become suspicious if it receives two ciphertexts c, c′ that share the same first component. However, this is easy for the adversary to avoid. Letting c_1, c_2, m, m′ be as above, A can choose a random y″ ← Z_q and set c_1″ := c_1 · g^{y″} and c_2″ := c_2 · h^{y″} · m′. Then c_1″ = g^y · g^{y″} = g^{y+y″} and c_2″ = h^y m · h^{y″} m′ = h^{y+y″} m m′, and so the ciphertext c″ = ⟨c_1″, c_2″⟩ is an encryption of m · m′ but with a completely random first component.
Blum-Goldwasser Encryption
NIB
[Six slides shown as images; no text extracted.]
Approximate Integer GCD based crypto
NIB
Approximate Integer GCD
[Figure: a number line marked 0, p, 2p, 3p, 4p, 5p; exact multiples x_i = q_i p and near-multiples z_i = q_i p ± 2e_i are placed on it.]
x_1 = q_1 p, x_2 = q_2 p, x_3 = q_3 p, x_4 = q_4 p: GCD(q_1 p, q_2 p, q_3 p, q_4 p) = GCD(x_1, x_2, x_3, x_4) = p.
z_1 = q_1 p ± 2e_1, z_2 = q_2 p ± 2e_2, z_3 = q_3 p ± 2e_3, z_4 = q_4 p ± 2e_4: GCD(z_1, z_2, z_3, z_4) = 1.
AIGCD: find p from z_1, z_2, z_3, z_4?
[Figure: the same number line with z_0, z_1, z_2, z_3, ..., z_{k−1}, z_k placed near the multiples of p.]
Consider Σ_{1≤i≤k} s_i z_i mod z_0 with s_i ∈ {0,1}.
Σ_{1≤i≤k} s_i z_i mod z_0 ≈ Σ_{1≤i≤k} s_i x_i mod x_0, up to an error of ±2(k e_0 + Σ_{1≤i≤k} e_i).
| Σ_{1≤i≤k} s_i z_i mod z_0 − (Σ_{1≤i≤k} s_i q_i mod q_0) × p | ≤ 4k |e_max|, for s_i ∈ {0,1}.
Ω(s) = Σ_{1≤i≤k} s_i z_i mod z_0, for s ∈ {0,1}^n.
If |e_max| ≤ ∂ ≪ p/8k, then Ω(s) − p[Ω(s)/p] = small even error (here [x] denotes the integer nearest to x).
AIGCD encryption
SK: p
PK: z_0, z_1, z_2, ..., z_k, with ∂ ≪ p/8k ≪ ∂′ ≪ p/2 and e_i ∈_U [−∂, +∂]
enc(b) = Ω(s) + 2e + b, where s ∈_U {0,1}^n and e ∈_U [−∂′, +∂′]
dec(c) = (c − p[c/p]) mod 2 = parity of error
NIB
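The AIGCD bit-encryption scheme above, as an added example that is not from the slides: constructed parameters k = 10, ∂ = 2^8, ∂′ = 2^56 with a 60-bit odd p, and n is taken to be k so that s is a k-bit selector. Function names and the integer rounding helper are mine; [c/p] is implemented as rounding to the nearest integer.

```python
import random

K, D, D2 = 10, 2 ** 8, 2 ** 56     # k, ∂, ∂′: ∂ << p/8k << ∂′ << p/2 for p ~ 2^60

def nearest_quotient(c: int, p: int) -> int:
    """Integer [c/p]: the integer nearest to c/p (no floats, so no precision loss)."""
    return (2 * c + p) // (2 * p)

def keygen(seed=0, pbits=60):
    """SK: odd p.  PK: z_i = q_i p + 2 e_i with |e_i| <= ∂; z_0 gets the largest q."""
    rng = random.Random(seed)
    p = rng.getrandbits(pbits) | (1 << (pbits - 1)) | 1
    q = [rng.randrange(2 ** 31, 2 ** 32)] + [rng.randrange(1, 2 ** 30) for _ in range(K)]
    e = [rng.randint(-D, D) for _ in range(K + 1)]
    z = [qi * p + 2 * ei for qi, ei in zip(q, e)]
    return p, z

def omega(pk, s):
    """Omega(s) = sum_{1<=i<=k} s_i z_i mod z_0; pk[0] is z_0, pk[1:] is z_1..z_k."""
    return sum(si * zi for si, zi in zip(s, pk[1:])) % pk[0]

def encrypt(pk, b: int, rng) -> int:
    """enc(b) = Omega(s) + 2e + b with s uniform in {0,1}^k and |e| <= ∂′."""
    s = tuple(rng.randrange(2) for _ in range(K))
    e = rng.randint(-D2, D2)
    return omega(pk, s) + 2 * e + b

def noise(sk: int, c: int) -> int:
    """c - p[c/p]: the signed distance from c to the nearest multiple of p."""
    return c - sk * nearest_quotient(c, sk)

def decrypt(sk: int, c: int) -> int:
    """dec(c) = (c - p[c/p]) mod 2: the parity of the error is the bit."""
    return noise(sk, c) % 2

def roundtrip_ok(seed=7, trials=100) -> bool:
    """Self-test: dec(enc(b)) == b, and the noise stays strictly below p/2,
    which is what makes the nearest multiple of p the right one."""
    sk, pk = keygen(seed)
    rng = random.Random(seed + 1)
    for b in (0, 1):
        for _ in range(trials):
            c = encrypt(pk, b, rng)
            if decrypt(sk, c) != b or abs(noise(sk, c)) >= sk // 2:
                return False
    return True
```

Each public element z_i is itself a valid encryption of 0 (its noise 2e_i is even), which is why the selector sum Ω(s) hides nothing about the bit and the parity of the added error carries it.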