COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz • Yehuda Lindell Chapter 11 : Private-Key Encryption

Chapter 11 Public-Key Encryption

Apologies: all numbering still refers to the first edition of the book.

10.1 Public-Key Encryption – An Overview
10.2 Definitions
10.2.1 Security against Chosen-Plaintext Attacks
10.2.2 Multiple Encryptions
10.3 Hybrid Encryption
10.4 RSA Encryption
10.4.1 “Plain RSA” and its Insecurity
10.4.2 Attacks on Plain RSA
10.4.3 Padded RSA
10.5 The El Gamal Encryption Scheme
10.6 Security Against Chosen-Ciphertext Attacks
10.7 * Trapdoor Permutations

Asymmetric Encryption (Public-Key Cryptography)
[Figure: plaintext P is encrypted under the encryption key Ke into ciphertext C, which is decrypted under the decryption key Kd; labelled "Complexity Theoretical Security".]

10.2 Definitions

DEFINITION 10.1 A public-key encryption scheme is a tuple of PPT algorithms (Gen, Enc, Dec) such that:
1. The key generation algorithm Gen takes as input the security parameter 1^n and outputs a pair of keys (pk, sk). We refer to the first of these as the public key and the second as the private key. We assume for convenience that pk and sk each have length at least n, and that n can be determined from pk, sk.
2. The encryption algorithm Enc takes as input a public key pk and a message m from some underlying plaintext space. It outputs a ciphertext c, and we write this as c ← Enc_pk(m).
3. The decryption algorithm Dec takes as input a private key sk and a ciphertext c, and outputs a message m or a special symbol ⊥ denoting failure. We assume without loss of generality that Dec is deterministic, and write this as m ≔ Dec_sk(c).
It is required that there exists a negligible function negl such that for every n, every (pk, sk) output by Gen(1^n), and every message m in the appropriate underlying plaintext space, it holds that Pr[ Dec_sk(Enc_pk(m)) ≠ m ] ≤ negl(n).

10.2.1 Security against Chosen-Plaintext Attacks

The eavesdropping indistinguishability experiment PubK^eav_{A,Π}(n):
1. Gen(1^n) is run to obtain keys (pk, sk).
2. Adversary A is given pk, and outputs a pair of messages m_0, m_1 of the same length. (These messages must be in the plaintext space associated with pk.)
3. A random bit b ← {0,1} is chosen, and then a ciphertext c ← Enc_pk(m_b) is computed and given to A. We call c the challenge ciphertext.
4. A outputs a bit b′.
5. The output of the experiment is defined to be 1 if b′ = b, and 0 otherwise.

DEFINITION 10.3 A public-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[ PubK^eav_{A,Π}(n) = 1 ] ≤ ½ + negl(n).

CPA indistinguishability experiment PubK^cpa_{A,Π}(n):
1. Gen(1^n) is run to obtain keys (pk, sk).
2. Adversary A is given pk as well as oracle access to Enc_pk(·). The adversary outputs a pair of messages m_0, m_1 of the same length. (These messages must be in the plaintext space associated with pk.)
3. A random bit b ← {0,1} is chosen, and then a ciphertext c ← Enc_pk(m_b) is computed and given to A. We call c the challenge ciphertext.
4. A continues to have access to Enc_pk(·), and outputs a bit b′.
5. The output of the experiment is defined to be 1 if b′ = b, and 0 otherwise.

DEFINITION 10.4 A public-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-plaintext attack (or is CPA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[ PubK^cpa_{A,Π}(n) = 1 ] ≤ ½ + negl(n).

PROPOSITION 10.5 If a public-key encryption scheme Π has indistinguishable encryptions in the presence of an eavesdropper, then Π also has indistinguishable encryptions under a chosen-plaintext attack.
Insecurity of Deterministic Public-Key Encryption

THEOREM 10.6 No deterministic public-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper.

10.2.2 Multiple Encryptions

THEOREM 10.10 If a public-key encryption scheme Π has indistinguishable encryptions in the presence of an eavesdropper, then Π has indistinguishable multiple encryptions in the presence of an eavesdropper.

Encrypting Arbitrary-Length Messages

Say Π = (Gen, Enc, Dec) is an encryption scheme where the plaintext space is {0,1}. We can construct a new scheme Π′ = (Gen, Enc′, Dec′) with plaintext space {0,1}^* by defining Enc′ as follows:
Enc′_pk(m) = Enc_pk(m_1), ..., Enc_pk(m_t), where m = m_1 ... m_t.
The decryption algorithm Dec′ is modified in the obvious way.

PROPOSITION 10.11 Let Π and Π′ be as above. If Π has indistinguishable encryptions in the presence of an eavesdropper, then so does Π′.

10.3 Hybrid Encryption

To encrypt a message m:
1. The sender first chooses a random secret key k, and encrypts k using the public key of the receiver. Call the resulting ciphertext c_1. The receiver will be able to recover k by decrypting c_1, yet k will remain unknown to an eavesdropper (by security of the public-key encryption scheme), and so this has the effect of establishing a shared secret between the sender and the receiver.
2. The sender then encrypts the message m using a private-key encryption scheme (Gen′, Enc′, Dec′) and the secret key k that has just been shared. This results in a ciphertext c_2 that can be decrypted by the receiver using k.
[Hybrid Encryption: figure slide, diagram not extracted.]

THEOREM 10.13 If Π is a CPA-secure public-key encryption scheme and Π′ is a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper, then Π^hy as in Construction 10.12 is a CPA-secure public-key encryption scheme.
10.4 RSA Encryption

Public inventors: Ron Rivest, Adi Shamir and Len Adleman. Private inventors: Ellis, Cocks, Williamson.
[RSA Encryption: two figure slides, not extracted.]
In Cocks’ variation, e = N and therefore d = N^{-1} mod φ(N).

7.2.4 The RSA Assumption

The RSA problem can be described informally as follows: given a modulus N, an integer (exponent) e > 0 that is relatively prime to φ(N), and an element y ∈ Z_N^*, compute the e-th root of y modulo N; that is, given N, e, y find x such that x^e = y mod N.

The RSA experiment RSA-inv_{A,GenRSA}(n):
1. Run GenRSA(1^n) to obtain (N, e, d).
2. Choose y ← Z_N^*.
3. A is given N, e, y, and outputs x ∈ Z_N^*.
4. The output of the experiment is defined to be 1 if y = x^e mod N, and 0 otherwise.

DEFINITION 7.46 We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that Pr[ RSA-inv_{A,GenRSA}(n) = 1 ] ≤ negl(n).

RSA vs Factoring

The RSA assumption implies that φ(N) is unknown.
Theorem: Knowledge of N and φ(N) factors N.
Proof: N = pq, φ(N) = (p−1)(q−1) = N − p − q + 1, so p + q = N − φ(N) + 1. Substituting q = N/p gives p + N/p = N − φ(N) + 1, or p^2 − (N − φ(N) + 1)p + N = 0. p and q are the two solutions of this quadratic equation.

The RSA assumption implies that d is unknown.
Knowledge of N, e, d factors N.
Proof: use the algorithm RSA-FACTOR(N, e, d) from the next slide. Success probability ≥ ½.
[RSA vs Factoring: slide giving RSA-FACTOR(N, e, d); listing not extracted.]

RSA Implementation Issues

Encoding binary strings as elements of Z_N^*. Let ℓ = ∥N∥. Any binary string m of length ℓ−1 can be viewed as an element of Z_N in the natural way. It is also possible to encode strings of varying lengths as elements of Z_N by padding using some unambiguous padding scheme.

RSA Implementation Issues: Choice of e

There does not appear to be any difference in the hardness of the RSA problem for different exponents e and, as such, different methods have been suggested for selecting e.
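The two "RSA vs Factoring" facts above, as an added example that is not the slides' own RSA-FACTOR listing: factoring N from φ(N) via the quadratic, and from (N, e, d) via the standard randomized method that finds a square root of 1 other than ±1 (assumed here to be what RSA-FACTOR does; the slide's listing is absent from this extraction). The key p = 61, q = 53, e = 17 is a constructed toy.

```python
import math
import random

def factor_from_phi(N, phi):
    """Solve p^2 - (N - phi(N) + 1) p + N = 0; its two roots are p and q."""
    s = N - phi + 1                      # s = p + q
    disc = s * s - 4 * N                 # (p + q)^2 - 4pq = (p - q)^2
    if disc < 0:
        return None                      # inconsistent (N, phi) input
    r = math.isqrt(disc)
    if r * r != disc:
        return None
    p, q = (s + r) // 2, (s - r) // 2
    return (p, q) if p * q == N else None

def factor_from_d(N, e, d, trials=32, seed=1):
    """Factor N from a valid exponent pair (e, d).

    e*d - 1 is a multiple of phi(N), so a^(e*d-1) = 1 mod N for any a coprime
    to N.  Write e*d - 1 = 2^t * r with r odd and square a^r repeatedly: with
    probability >= 1/2 per random a, some intermediate value x is a square root
    of 1 other than +-1, and gcd(x - 1, N) is then a nontrivial factor.
    """
    rng = random.Random(seed)            # fixed seed only for reproducibility
    t, r = 0, e * d - 1
    while r % 2 == 0:
        t, r = t + 1, r // 2
    for _ in range(trials):
        a = rng.randrange(2, N - 1)
        g = math.gcd(a, N)
        if g > 1:                        # a already shares a factor with N
            return (g, N // g)
        x = pow(a, r, N)
        for _ in range(t):
            y = pow(x, 2, N)
            if y == 1 and x not in (1, N - 1):
                g = math.gcd(x - 1, N)
                return (g, N // g)
            x = y
    return None                          # probability <= 2^-trials of reaching this

# Constructed toy key: p = 61, q = 53 (never use keys this small in practice).
N, PHI, E, D = 61 * 53, 60 * 52, 17, 2753
```

Operationally this is why a leaked private exponent is a leaked factorization: the key pair must be retired, not just the exponent rotated under the same modulus.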
One popular choice is to set e = 3, since then computing e-th powers modulo N (as done when encrypting in the plain RSA scheme) requires only two multiplications. If e is to be set equal to 3, then p and q must be chosen to satisfy p, q ≠ 1 mod 3 so that gcd(e, φ(N)) = 1.

RSA Implementation Issues: Choice of d

Note that choosing d to be small in order to speed up decryption (that is, changing GenRSA so that a small d is chosen first and then computing e) is a bad idea. If d is chosen in a small range (say, d < 2^16) then a brute-force search for d is easy to carry out. Even if d is chosen so that d ≈ N^{1/4} (and so brute-force attacks are ruled out), there are other attacks that can be used to recover d from the public key.

10.4.2 Attacks on Plain RSA

Encrypting short messages using small e. If e is small then the encryption of “small” messages is insecure when using plain RSA encryption. For example, say e = 3 and the message m is such that m < N^{1/3} (or |m| < |N|/3) but m is otherwise unknown to an attacker. In this case, encryption of m does not involve any modular reduction since the integer m^3 is less than N. This means that given the ciphertext c = m^3 mod N an attacker can determine m by computing m ≔ c^{1/3} over the integers, a computation that can be easily carried out.

Attacks on Plain RSA

The above attack shows that short messages can be recovered easily from their encryption if plain RSA with small e is used. Here, we extend the attack to the case of arbitrary-length messages as long as the same message is sent to multiple receivers.

Let e = 3 as before, and say the same message m is sent to three different parties holding public keys pk_1 = (N_1, 3), pk_2 = (N_2, 3), and pk_3 = (N_3, 3), respectively. Then an eavesdropper sees c_1 = m^3 mod N_1, c_2 = m^3 mod N_2 and c_3 = m^3 mod N_3.
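The two small-e failures of plain RSA described in 10.4.2, as an added example that is not from the slides: the short-message case, and the three-recipient case, which combines c_1, c_2, c_3 by the extended Chinese remainder theorem (the c* of the next slide) and takes an integer cube root. The moduli are constructed toy values; both recoveries depend on m^3 never wrapping modulo the relevant modulus, which is exactly the condition that the random padding of 10.4.3 removes.

```python
def icbrt(n):
    """Exact integer cube root of n >= 0, or None if n is not a perfect cube."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)   # hi**3 > n
    while lo < hi:                                     # binary search
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == n else None

def recover_short_message(c):
    """Plain RSA, e = 3: if m < N^(1/3) then c = m^3 mod N is m^3 as an integer."""
    return icbrt(c)

def crt(residues, moduli):
    """Garner-style CRT: the unique 0 <= x < N_1*...*N_t with x = r_i mod N_i
    (moduli pairwise coprime, as honestly generated RSA moduli are)."""
    x, M = 0, 1
    for r, n in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, n)) % n)
        M *= n
    return x

def recover_broadcast_message(cts, moduli):
    """Same m under three e = 3 keys: c* = CRT(c_1, c_2, c_3) equals m^3 because
    m < each N_i gives m^3 < N_1*N_2*N_3, so m is the integer cube root of c*."""
    return icbrt(crt(cts, moduli))

# Constructed toy moduli (products of distinct small primes); real moduli are
# 2048+ bits, but the algebra, and the failure, are identical.
MODULI = [101 * 103, 107 * 109, 113 * 127]
```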
Attacks on Plain RSA

Let N* = N_1 N_2 N_3. An extended version of the Chinese remainder theorem says that there exists a unique non-negative value c* < N* such that c* ≡ c_1 mod N_1, c* ≡ c_2 mod N_2 and c* ≡ c_3 mod N_3.

10.4.3 Padded RSA

THEOREM 10.19 If the RSA problem is hard relative to GenRSA then Construction 10.18 with ℓ(n) = O(log n) has indistinguishable encryptions under a chosen-plaintext attack.

PKCS #1 v1.5

A widely-used and standardized encryption scheme, RSA Laboratories Public-Key Cryptography Standard (PKCS) #1 version 1.5, utilizes what is essentially padded RSA encryption. For a public key pk = [N, e] of the usual form, let k denote the length of N in bytes; i.e., k is the integer satisfying 2^{8(k−1)} ≤ N < 2^{8k}.

Messages m to be encrypted are assumed to be a multiple of 8 bits long, and can have length up to k − 11 bytes. Encryption of a message m that is D bytes long is computed as (00000000 ∥ 00000010 ∥ r ∥ 00000000 ∥ m)^e mod N, where r is a randomly-generated string of (k − D − 3) bytes, with none of these bytes equal to 0.

PKCS #1 v1.5 is believed to be CPA-secure, although no proof based solely on the RSA assumption has ever been shown. Subsequent to the introduction of PKCS #1 v1.5, a chosen-ciphertext attack on this scheme was demonstrated. This motivated a change in the standard to a newer scheme called OAEP (for Optimal Asymmetric Encryption Padding).

10.5 The Elgamal Encryption Scheme

Taher Elgamal
[The Elgamal Encryption Scheme: two figure slides, not extracted.]

THEOREM 10.22 If the DDH problem is hard relative to G, then the Elgamal encryption scheme has indistinguishable encryptions under a chosen-plaintext attack.

Elgamal Implementation Issues

Encoding binary strings. Let p be a strong prime, i.e., q = (p − 1)/2 is also prime.
• Then the set of quadratic residues modulo p forms a group G of order q = (p − 1)/2 under multiplication modulo p.
Elgamal Implementation Issues

• We can map the integers {1, ..., (p − 1)/2} to the set of quadratic residues modulo p by squaring: that is, the integer ṁ is mapped to the quadratic residue m = ṁ^2 mod p. This encoding is one-to-one and efficiently reversible. (When extracting square roots mod p take the smaller square root x ≤ (p − 1)/2.)

Given the above, we can map a string w of length ∥q∥−1 to an element m ∈ G in the following way: given a string w ∈ {0,1}^{∥q∥−1}, interpret it as an integer in the natural way and add 1 to obtain an integer ṁ with 1 ≤ ṁ ≤ q. Then take m = ṁ^2 mod p.

10.6 Security vs Chosen-Ciphertext Attacks

DEFINITION 10.24 A public-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[ PubK^cca_{A,Π}(n) = 1 ] ≤ ½ + negl(n).

Examples of Chosen-Ciphertext Attacks

Plain RSA encryption. Say an adversary A intercepts the ciphertext c = m^e mod N. Then the adversary can choose a random r ← Z_N^* and compute the ciphertext c′ ≔ r^e · c mod N. Given the decryption m′ of this ciphertext, A can recover m ≔ m′ · r^{-1} mod N.

Elgamal encryption. Say an adversary A intercepts a ciphertext c ≔ ⟨c_1, c_2⟩ that is an encryption of the (encoded) message m with respect to the public key pk = ⟨G, q, g, h⟩. This means that c_1 = g^y and c_2 = h^y · m for some y ∈ Z_q unknown to A. Nevertheless, if the adversary computes c_2′ ≔ c_2 · m′ then it is easy to see that the ciphertext c′ ≔ ⟨c_1, c_2′⟩ is an encryption of the message m · m′.

One might object that the receiver will become suspicious if it receives two ciphertexts c, c′ that share the same first component. However, this is easy for the adversary to avoid.
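The quadratic-residue encoding from the Elgamal implementation slides, together with the Elgamal ciphertext manipulation of 10.6 (in the variant with a fresh first component), as an added example that is not part of the slides. The group p = 1019 = 2·509 + 1 with generator g = 4, and every exponent used, are constructed toy values; the square-root formula relies on p ≡ 3 (mod 4), which holds for every strong prime with q odd.

```python
def encode(w, p):
    """w in {0, ..., q-1} (the integer value of a (||q||-1)-bit string) -> QR m = (w+1)^2 mod p."""
    q = (p - 1) // 2
    if not 0 <= w < q:
        raise ValueError("w must be below q = (p-1)/2")
    return pow(w + 1, 2, p)

def decode(m, p):
    """Inverse of encode: the square root x <= (p-1)/2, minus 1."""
    x = pow(m, (p + 1) // 4, p)          # valid since p = 2q+1 with q odd gives p = 3 mod 4
    if x > (p - 1) // 2:
        x = p - x                        # pick the smaller of the two roots
    return x - 1

def keygen(p, g, x):
    """g generates the order-q subgroup of quadratic residues; x in Z_q is the secret key."""
    return (p, g, pow(g, x, p)), x

def enc(pk, m, y):
    p, g, h = pk
    return (pow(g, y, p), pow(h, y, p) * m % p)

def dec(pk, sk, c):
    p, _, _ = pk
    c1, c2 = c
    return c2 * pow(pow(c1, sk, p), -1, p) % p

def maul(pk, c, m_prime, y2):
    """Manipulation from 10.6: c'' = (c1*g^y'', c2*h^y''*m') decrypts to m*m' and its
    first component is fresh, so the receiver cannot link c'' to c."""
    p, g, h = pk
    c1, c2 = c
    return (c1 * pow(g, y2, p) % p, c2 * pow(h, y2, p) * m_prime % p)

# Constructed toy group: p = 1019 = 2*509 + 1 is a strong prime and 4 = 2^2 generates
# the quadratic-residue subgroup (its order divides the prime 509 and 4 != 1).
P, G = 1019, 4

def demo(w=37, w_prime=5, x=123, y=77, y2=400):
    """Encode w, encrypt, maul with encode(w'), decrypt.  Returns (decoded plaintext,
    whether the mauled ciphertext decrypts to m*m', whether its first component changed)."""
    pk, sk = keygen(P, G, x)
    m, m_prime = encode(w, P), encode(w_prime, P)
    c = enc(pk, m, y)
    c_mauled = maul(pk, c, m_prime, y2)
    return (decode(dec(pk, sk, c), P),
            dec(pk, sk, c_mauled) == m * m_prime % P,
            c_mauled[0] != c[0])
```

The malleability shown by `maul` is the property a CCA-secure scheme must rule out; it is why Elgamal is deployed only inside a construction that authenticates the ciphertext.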
Examples of Chosen-Ciphertext Attacks

Letting c_1, c_2, m, m′ be as above, A can choose a random y′′ ← Z_q and set c_1′′ ≔ c_1 · g^{y′′} and c_2′′ ≔ c_2 · h^{y′′} · m′. Then c_1′′ = g^y · g^{y′′} = g^{y+y′′} and c_2′′ = h^y m · h^{y′′} m′ = h^{y+y′′} m m′, and so the ciphertext c′′ = ⟨c_1′′, c_2′′⟩ is an encryption of m · m′ but with a completely random first component.

Blum-Goldwasser Encryption (NIB)
[Six figure slides; content not extracted.]

Approximate Integer GCD based crypto (NIB)

Approximate Integer GCD
[Figure: a number line marked 0, p, 2p, 3p, 4p, 5p. The exact multiples x_1 = q_1 p, x_2 = q_2 p, x_3 = q_3 p, x_4 = q_4 p satisfy GCD(x_1, x_2, x_3, x_4) = p. The near-multiples z_1 = q_1 p ± 2e_1, z_2 = q_2 p ± 2e_2, z_3 = q_3 p ± 2e_3, z_4 = q_4 p ± 2e_4 satisfy GCD(z_1, z_2, z_3, z_4) = 1.]
AIGCD: find p from z_1, z_2, z_3, z_4?

Approximate Integer GCD
[Figure: number line marked 0, p, 2p, 3p, 4p, 5p with near-multiples z_0, z_1, z_2, z_3, ..., z_{k−1}, z_k.]
Σ_{1≤i≤k} s_i z_i mod z_0, with s_i ∈ {0,1}.
Σ_{1≤i≤k} s_i z_i mod z_0 ≈ Σ_{1≤i≤k} s_i x_i mod x_0, up to an error of ±2(k e_0 + Σ_{1≤i≤k} e_i).
| (Σ_{1≤i≤k} s_i z_i mod z_0) − (Σ_{1≤i≤k} s_i q_i mod q_0) × p | ≤ 4k |e_max|, for s_i ∈ {0,1}.

Approximate Integer GCD
Ω(s) = Σ_{1≤i≤k} s_i z_i mod z_0, for s = (s_1, ..., s_k) ∈ {0,1}^k.
|e_max| ≤ ∂ ≪ p/8k.
Ω(s) − p[Ω(s)/p] = small even error.

AIGCD encryption
SK: p
PK: z_0, z_1, z_2, ..., z_k, with ∂ ≪ p/8k ≪ ∂′ ≪ p/2
e_i ∈_U [−∂ ... +∂]
enc(b) = Ω(s) + 2e + b, with s ∈_U {0,1}^k and e ∈_U [−∂′ ... +∂′]
dec(c) = (c − p[c/p]) mod 2 = parity of error
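The AIGCD bit-encryption of the slides above, as an added toy implementation that is not the course's code: z_i = q_i p + 2e_i, Ω(s) = Σ s_i z_i mod z_0, enc(b) = Ω(s) + 2e + b and dec(c) = (c − p[c/p]) mod 2, with [·] the nearest integer. The slides' ∂ and ∂′ are `delta` and `delta_prime`; all parameter sizes are constructed so the arithmetic is visible and are far too small to be secure.

```python
import random

def keygen(k=10, p_bits=40, q_bits=60, delta=2**5, delta_prime=2**20, seed=1):
    """SK is an odd p; PK is z_0..z_k with z_i = q_i*p + 2*e_i, |e_i| <= delta.
    q_0 is forced to be the largest so that z_0 is the modulus used in Omega(s)."""
    rng = random.Random(seed)                    # fixed seed: reproducible toy key
    p = rng.getrandbits(p_bits) | (1 << (p_bits - 1)) | 1
    qs = [rng.getrandbits(q_bits) for _ in range(k + 1)]
    qs[0] = max(qs) + 1
    es = [rng.randint(-delta, delta) for _ in range(k + 1)]
    z = [q * p + 2 * e for q, e in zip(qs, es)]
    return p, {"z": z, "delta": delta, "delta_prime": delta_prime}

def omega(pk, s):
    """Omega(s) = sum_{1<=i<=k} s_i z_i mod z_0 for s in {0,1}^k."""
    z = pk["z"]
    return sum(si * zi for si, zi in zip(s, z[1:])) % z[0]

def centred_mod(c, p):
    """c - p*[c/p] with [.] = nearest integer: the representative in (-p/2, p/2]."""
    return c - p * ((2 * c + p) // (2 * p))

def enc(pk, b, rng):
    """enc(b) = Omega(s) + 2e + b, s uniform in {0,1}^k, e uniform in [-delta', delta']."""
    k = len(pk["z"]) - 1
    s = [rng.randrange(2) for _ in range(k)]
    e = rng.randint(-pk["delta_prime"], pk["delta_prime"])
    return omega(pk, s) + 2 * e + b

def dec(p, c):
    """dec(c) = (c - p*[c/p]) mod 2: the parity of the small error, which is b."""
    return centred_mod(c, p) % 2

def omega_error_is_small_and_even(seed=3, samples=50):
    """Checks the slide's claim that Omega(s) - p*[Omega(s)/p] is even and at most 4k*delta."""
    p, pk = keygen()
    k, rng = len(pk["z"]) - 1, random.Random(seed)
    for _ in range(samples):
        err = centred_mod(omega(pk, [rng.randrange(2) for _ in range(k)]), p)
        if err % 2 != 0 or abs(err) > 4 * k * pk["delta"]:
            return False
    return True

def roundtrip_ok(seed=7, samples=50):
    """Encrypt each bit `samples` times with fresh randomness and check decryption."""
    p, pk = keygen()
    rng = random.Random(seed)
    return all(dec(p, enc(pk, b, rng)) == b for b in (0, 1) for _ in range(samples))
```

Decryption is correct only while the accumulated error stays below p/2; the ordering ∂ ≪ p/8k ≪ ∂′ ≪ p/2 on the slide is what keeps the Ω(s) error (at most 4k∂) plus 2e + b inside that window.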
© Copyright 2024