Introduction Cryptography and Security Fall 2009 Steve Lai


1 Introduction: Cryptography and Security, Fall 2009, Steve Lai

2 Outline. Basics of encryption. Homomorphic encryption.

3 Basics of Encryption. For more information, see my CSE 651 or 794Q notes.

4 Summary. Symmetric encryption: stream ciphers (e.g., RC4), block ciphers (e.g., DES, AES). Asymmetric encryption: RSA, ElGamal (based on Diffie-Hellman). Performance issues. Security issues.

5 Symmetric-Key Encryption. Stream ciphers (e.g., Vernam's one-time pad, RC4). Block ciphers (e.g., DES, AES).

6 Stream ciphers

7 Stream ciphers. Stream ciphers typically process the plaintext byte by byte, so the plaintext is a stream of bytes $P_1, P_2, P_3, \ldots$ A key $K$ is used as the seed to generate a sequence of pseudorandom bytes (the key-stream) $K_1, K_2, K_3, \ldots$ The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$. Various stream ciphers differ in their key-stream generators. Stream ciphers require that a new key be used for each plaintext (otherwise the scheme is not secure).

8 In practice, Alice and Bob wish to share a permanent key $K$ and use it to encrypt many messages. One possible strategy: suppose Bob and Alice share a secret key $K$. Each time Bob (or Alice) wants to send a message, he randomly generates a string $IV$, uses $K \,\|\, IV$ as the key (seed) to the pseudorandom generator, and sends $IV$ along with the ciphertext. Unfortunately, the resulting scheme is not necessarily secure.

9 Example: WEP's use of RC4. WEP is a protocol using RC4 to encrypt packets for transmission over IEEE wireless LAN. Each packet is encrypted with a separate key equal to the concatenation of a 24-bit IV (initialization vector) and a 40- or 104-bit permanent key. Not secure; see "Breaking 104 bit WEP in less than 60 seconds". RC4 key: IV (24 bits) $\|$ permanent key (40 or 104 bits).

10 Block Ciphers. Block ciphers are encryption schemes that use pseudorandom functions or pseudorandom permutations.

11 Traditional view of block ciphers. A block cipher is a symmetric-key encryption scheme that maps a block of $n$ bits to a block of $n$ bits: $M = C = \{0,1\}^n$ and $K = \{0,1\}^r$. Block length: $n$. Key length: $r$. For a fixed key $k \in K$, $E_k : \{0,1\}^n \to \{0,1\}^n$ is a permutation.

12 Practical Block Ciphers: DES and AES. DES: Data Encryption Standard. AES: Advanced Encryption Standard.

13 Public Key Cryptography and RSA

14 Public-Key Cryptography. Also known as asymmetric-key cryptography. Each user has a pair of keys: a public key and a private key. The public key is used for encryption; it is known to the public. The private key is used for decryption; it is known only to the owner.

15 Public-Key Cryptosystem (PKC). Each user $u$ has a pair of keys $(PK_u, SK_u)$. $PK_u$ is the public key, available in a public directory. $SK_u$ is the private key, known to $u$ only. Key-generation algorithm: to generate keys. Encryption algorithm $E$: to send message $M$ to user $u$, compute $C = E(PK_u, M)$. Decryption algorithm $D$: upon receiving $C$, user $u$ computes $D(SK_u, C)$. Requirement: $D(SK_u, E(PK_u, M)) = M$.

16 Why Public-Key Cryptography? Developed to address two main issues: key distribution and digital signatures. Invented by Diffie & Hellman in 1976.

17 One-way function with trapdoor. Easy: $x \mapsto f(x) = y$. Hard: $y \mapsto f^{-1}(y) = x$. Easy with the trapdoor: $y \mapsto f^{-1}(y) = x$. Use the trapdoor as the private key. Most (believed) one-way functions come from number theory.

18 The RSA Cryptosystem. RSA encryption. RSA digital signature.

19 The RSA Cryptosystem. By Rivest, Shamir & Adleman of MIT. Best known and most widely used public-key scheme. Based on the assumed one-way property of modular powering: $f : x \mapsto x^e \bmod n$ (easy); $f^{-1} : x^e \bmod n \mapsto x$ (hard).

20 Idea behind RSA. It works in the group $\mathbb{Z}_n^*$. Encryption (easy): $x \mapsto x^e$. Decryption (hard): $x^e \mapsto x$. Looking for a trapdoor: a $d$ with $(x^e)^d = x$. If $d$ is a number such that $ed \equiv 1 \pmod{\varphi(n)}$, then $ed = k\varphi(n) + 1$ for some $k$, and $(x^e)^d = x^{ed} = x^{k\varphi(n)+1} = (x^{\varphi(n)})^k \cdot x = 1^k \cdot x = x$.

21 RSA Cryptosystem. Key generation: (a) Choose large primes $p$ and $q$, and let $n := pq$. (b) Choose $e$ ($1 < e < \varphi(n)$) coprime to $\varphi(n)$, and compute $d := e^{-1} \bmod \varphi(n)$ (i.e., $ed \equiv 1 \pmod{\varphi(n)}$). (c) Public key: $pk = (n, e)$. Secret key: $sk = (d, n)$. Encryption: $E_{pk}(x) := x^e \bmod n$, where $x \in \mathbb{Z}_n^*$. Decryption: $D_{sk}(y) := y^d \bmod n$, where $y \in \mathbb{Z}_n^*$. ($E_{pk}$ and $D_{sk}$ also work for $x, y \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$, but not securely.)

22 Mathematical Attacks. Factor $n$ into $pq$: then $\varphi(n) = (p-1)(q-1)$ and $d = e^{-1} \bmod \varphi(n)$ can be calculated easily. Determine $\varphi(n)$ directly: equivalent to factoring $n$, since knowing $\varphi(n)$ enables us to factor $n$ by solving $n = pq$, $\varphi(n) = (p-1)(q-1)$. Determine $d$ directly: the best known algorithms are not faster than those for factoring $n$; also, if $d$ is known, $n$ can be factored with high probability.

23 Remarks. In light of current factorization technologies, RSA recommends that $n$ be of … bits. If a message $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$, RSA works, but since $\gcd(m, n) > 1$, the sender can factor $n$. Also, since $\gcd(m^e, n) > 1$, the adversary can factor $n$, too. Question: how likely is $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?

24 Security of RSA. We have seen many attacks on RSA. Also, RSA is deterministic and, therefore, not CPA-secure (i.e., not ciphertext-indistinguishable against CPA). We wish to make RSA secure against CPA and the aforementioned attacks. RSA primitive: the RSA we have described, also called plain RSA or textbook RSA.
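The following is an added example, not code from the slides: textbook RSA with the key generation, encryption and decryption of slide 21, followed by two checks the slides make about it, that a deterministic scheme loses the indistinguishability game of slide 52 in every round (slide 24), and that plain RSA is multiplicatively homomorphic (slide 64). The toy primes 61 and 53 are constructed values.

```python
# Added example (not from the slides): textbook RSA plus the two checks
# described in the lead-in. Toy primes; real moduli are far larger.
from math import gcd
from random import Random


def rsa_keygen(p, q, e):
    """n = pq, e coprime to phi(n), d = e^(-1) mod phi(n); pk = (n, e), sk = (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)
    return (n, e), (d, n)


def rsa_encrypt(pk, x):
    """E_pk(x) = x^e mod n."""
    n, e = pk
    return pow(x, e, n)


def rsa_decrypt(sk, y):
    """D_sk(y) = y^d mod n."""
    d, n = sk
    return pow(y, d, n)


def indistinguishability_game(encrypt, guess, m0, m1, rng):
    """One round of slide 52's game: the challenger encrypts a uniformly chosen
    m_b and the adversary's guess is compared with b."""
    b = rng.randrange(2)
    return guess(encrypt((m0, m1)[b])) == b


def textbook_rsa_guesser(pk, m0, m1):
    """Plain RSA has no randomness, so the eavesdropper re-encrypts m0 under the
    public key and compares the result with the challenge ciphertext."""
    def guess(c):
        return 0 if rsa_encrypt(pk, m0) == c else 1
    return guess


def adversary_win_rate(pk, m0, m1, rounds=200, seed=7):
    """Fraction of rounds won; an indistinguishable scheme keeps this at 1/2 + negl(n)."""
    rng = Random(seed)
    guess = textbook_rsa_guesser(pk, m0, m1)
    wins = sum(indistinguishability_game(lambda m: rsa_encrypt(pk, m), guess, m0, m1, rng)
               for _ in range(rounds))
    return wins / rounds


def multiplicatively_homomorphic(pk, m1, m2):
    """RSA(m1 * m2) == RSA(m1) * RSA(m2) mod n, the property that makes plain RSA malleable."""
    n, _ = pk
    return rsa_encrypt(pk, (m1 * m2) % n) == (rsa_encrypt(pk, m1) * rsa_encrypt(pk, m2)) % n


if __name__ == "__main__":
    pk, sk = rsa_keygen(61, 53, 17)
    print(rsa_decrypt(sk, rsa_encrypt(pk, 65)) == 65)
    print(adversary_win_rate(pk, 65, 66))           # 1.0: the adversary always wins
    print(multiplicatively_homomorphic(pk, 65, 66))
```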

25 Padded RSA. Encryption: $E_{pk}(m) = \mathrm{RSA}(r \,\|\, m) = (r \,\|\, m)^e \bmod n$, where $r$ is a random string. Thus, $\text{Padded-RSA}(m) = \mathrm{RSA}(r \,\|\, m)$ for some random $r$. Secure against many of the aforementioned attacks. Theorem: Padded RSA is CPA-secure if $|m| = O(\log n)$. Padded RSA is adopted in PKCS #1 v1.5.

26 Padded RSA in PKCS #1 v1.5. PKCS: Public Key Cryptography Standard. Let $(e, d, n)$ be a pair of RSA keys. Say $|n| = k$ bytes (e.g., $k = 216$). The first byte is 00. To encrypt a message $m$: pad $m$ so that $m' = r \,\|\, 00 \,\|\, m$ is $k$ bytes, where $r$ consists of 8 or more random bytes $\neq 00$; the original message $m$ must be at most $k - 11$ bytes. The ciphertext is $c := \mathrm{RSA}(m') = (m')^e \bmod n$. In 1998, Bleichenbacher published a chosen-ciphertext attack, forcing RSA to upgrade its PKCS #1, now using OAEP.
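An added example, not from the slides: the PKCS #1 v1.5 encryption padding of slide 26 as a strict encoder and decoder. The encoded block is 00 ‖ 02 ‖ r ‖ 00 ‖ m with r at least 8 nonzero random bytes, which is where the k − 11 limit comes from; the block-type byte 02 is taken from the standard itself, since the slide shows only the leading 00 and the r ‖ 00 ‖ m layout.

```python
# Added example (not from the slides): PKCS #1 v1.5 type-2 padding.
# Block layout: 00 || 02 || PS (>= 8 nonzero random bytes) || 00 || m, k bytes total.
import secrets


def pkcs1_v15_pad(m, k):
    """Return the k-byte block for m, or raise ValueError if m is too long."""
    if len(m) > k - 11:
        raise ValueError("message must be at most k - 11 bytes")
    ps_len = k - 3 - len(m)                          # always >= 8 here
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + m


def pkcs1_v15_unpad(block, k):
    """Recover m, or return None if the block is malformed. A decryptor that tells
    the sender *which* check failed provides exactly the oracle behind the 1998
    chosen-ciphertext attack mentioned on the slide, so failures must look uniform."""
    if len(block) != k or block[:2] != b"\x00\x02":
        return None
    sep = block.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8:                     # padding string too short
        return None
    return block[sep + 1:]


def roundtrip_ok(m, k=64):
    return pkcs1_v15_unpad(pkcs1_v15_pad(m, k), k) == m
```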

27 OAEP: basic idea. Message padding: instead of encrypting $m$ directly, we encrypt $(m \oplus r) \,\|\, r$, where $r$ is a random bit string. As such, however, there is a 50% overhead, so we wish to use a shorter bit string $r$. Besides, $r$ should be protected, too. This leads to a scheme called Optimal Asymmetric Encryption Padding (OAEP). It can be applied not only to RSA but to other trapdoor functions.

28 OAEP. Choose $k, l$ ($k \le l$) such that $k + l = n$ ($n$: the length of the RSA modulus). $G : \{0,1\}^k \to \{0,1\}^l$, a pseudorandom generator. $h : \{0,1\}^l \to \{0,1\}^k$, a hash function. Encryption, to encrypt a block $m$ of $l$ bits: 1. choose a random bit string $r \in \{0,1\}^k$; 2. encode $m$ as $x := (m \oplus G(r)) \,\|\, (r \oplus h(m \oplus G(r)))$ (if $x \notin \mathbb{Z}_n$, the message space of RSA, return to step 1); 3. compute the ciphertext $y := E_{pk}(x)$. Decryption: $x := D_{sk}(y) = a \,\|\, b$; $m = a \oplus G(b \oplus h(a))$.
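An added example, not from the slides: the OAEP encoding of slide 28 written in bytes (a k-byte random r, an l-byte message, k + l the length of the encoded block). Both G and h are built here from SHA-256 with a counter, which is an assumption, since the slides only say that hash functions are used for them; the RSA step E_pk / D_sk around the encoded block is left out so the padding can be checked on its own.

```python
# Added example (not from the slides): OAEP encode/decode over bytes.
import hashlib
import secrets


def expand(seed, length):
    """Hash-with-counter stretch used for G (k -> l bytes) and h (l -> k bytes)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    if len(a) != len(b):
        raise ValueError("xor of unequal lengths")
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m, k, r=None):
    """x = (m xor G(r)) || (r xor h(m xor G(r))); r is k fresh random bytes unless given."""
    r = secrets.token_bytes(k) if r is None else r
    if len(r) != k:
        raise ValueError("r must be exactly k bytes")
    a = xor(m, expand(r, len(m)))    # a = m xor G(r)
    b = xor(r, expand(a, k))         # b = r xor h(a)
    return a + b


def oaep_decode(x, k):
    """Split x = a || b, recover r = b xor h(a), then m = a xor G(r)."""
    if len(x) <= k:
        raise ValueError("encoded block must be longer than k bytes")
    a, b = x[:-k], x[-k:]
    r = xor(b, expand(a, k))
    return xor(a, expand(r, len(a)))


def roundtrip_ok(m, k=16, r=None):
    return oaep_decode(oaep_encode(m, k, r), k) == m


def one_bit_change_scrambles(m, k, r):
    """Flipping one bit anywhere in x changes r or h(a), hence G(r), so the
    recovered m changes completely: the slide's point that r must be protected."""
    x = bytearray(oaep_encode(m, k, r))
    x[0] ^= 0x01
    return oaep_decode(bytes(x), k) != m
```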

29 Remarks on OAEP. OAEP is adopted in the current RSA PKCS #1 (v2.1). It is a padding scheme, not an encryption scheme. Intuitively, with OAEP, the ciphertext should not reveal any information about the plaintext if RSA is one-way and $h$ and $G$ are truly random (random oracles). A slightly more complicated version of OAEP, in which $x = ((m \,\|\, 0^k) \oplus G(r)) \,\|\, (r \oplus h((m \,\|\, 0^k) \oplus G(r)))$, has been proved CCA-secure in the random oracle model (i.e., if $G, h$ are random oracles). In practice, hash functions such as SHA-1 are used for $G, h$.

30 Random Oracle. A random oracle is a random function $f : \{0,1\}^n \to \{0,1\}^{l(n)}$. Recall: there are $2^{l(n) 2^n}$ such functions. Each random oracle is a black box that implements one of the $2^{l(n) 2^n}$ random functions, say $f_0$. The $2^n$ values of $f_0$ are totally independent and random. The only way to know the value of $f_0(x)$ is to explicitly evaluate $f_0$ at $x$ (i.e., to ask the oracle). There is no practical/feasible way to implement a random oracle. Infeasible: use a trusted authority. Infeasible: use an $l(n) 2^n$-bit disk.

31 Cryptosystems Based on Discrete Logarithms

32 Outline. Discrete Logarithm Problem. Diffie-Hellman key agreement. ElGamal encryption.

33 Discrete logarithm problem (DLP). A group $G$ is cyclic if there is an element $\alpha \in G$ of order $|G|$. In this case, $G = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{|G|-1}\}$; $\alpha$ is called a generator. If $(G, \cdot)$ is a finite group (not necessarily cyclic) and $\alpha \in G$ an element of order $n$, then $\langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{n-1}\}$ is a cyclic (sub)group of order $n$. For any $y \in \langle \alpha \rangle$, there is a unique $x \in \mathbb{Z}_n$ such that $\alpha^x = y$. This integer $x$ is called the discrete logarithm (or index) of $y$ with respect to base $\alpha$. We write $\log_\alpha y = x$. The DLP is to compute $\log_\alpha y$ for a given $y$.

34 Frequently used settings. $G = \mathbb{Z}_p^*$, $\langle \alpha \rangle = \{\alpha^0, \alpha^1, \ldots, \alpha^{p-2}\} = G$, where $p$ is a large prime and $\alpha$ is a generator of $G$ ($\mathbb{Z}_p^*$ is cyclic when $p$ is prime). $G = \mathbb{Z}_p^*$, $\langle \alpha \rangle = \{\alpha^0, \alpha^1, \ldots, \alpha^{q-1}\} \subseteq \mathbb{Z}_p^*$, where $\alpha \in \mathbb{Z}_p^*$ is an element of prime order $q$. For these settings, there is no known polynomial-time algorithm for DLP.

35 Example 1. $G = \mathbb{Z}_{19}^* = \{1, 2, \ldots, 18\}$. 2 is a generator, that is, $\mathbb{Z}_{19}^* = \langle 2 \rangle$: $2^0 = 1$, $2^1 = 2$, $2^2 = 4$, $2^3 = 8$, $2^4 = 16$, $2^5 = 13$, $2^6 = 7$, $2^7 = 14$, … $\log_2 7 = 6$; $\log_2 14 = 7$; $\log_2 12 = ?$

36 Example 2. $G = \langle 3 \rangle = \{1, 3, 9, 5, 4\} \subset \mathbb{Z}_{11}^* = \{1, 2, \ldots, 10\}$. 3 is a generator of $G$, but not a generator of $\mathbb{Z}_{11}^*$. $\log_3 5 = 3$; $\log_3 10$ is not defined.

37 DLP in $\mathbb{Z}_p^*$. Let $\alpha$ be a generator of $\mathbb{Z}_p^*$ (a primitive root of unity modulo $p$). $\mathbb{Z}_p^* = \{1, 2, \ldots, p-1\} = \{\alpha^0, \alpha^1, \ldots, \alpha^{p-2}\}$; $\mathbb{Z}_{p-1} = \{0, 1, 2, \ldots, p-2\}$. Given $y \in \mathbb{Z}_p^*$, find the unique $x \in \mathbb{Z}_{p-1}$ such that $y = \alpha^x \bmod p$. That is, given $\alpha^x \in \mathbb{Z}_p^*$, find $x$. There is a subexponential-time algorithm for DLP in $\mathbb{Z}_p^*$, Index Calculus, running in time $2^{O(\sqrt{n \log n})}$, where $n = \log p$.

38 RSA vs. Discrete Logarithm. RSA is a one-way trapdoor function: $\mathrm{RSA} : x \mapsto x^e$ (easy); $\mathrm{RSA}^{-1} : x^e \mapsto x$ (difficult); with the trapdoor: $x^e \mapsto (x^e)^d = x$ ($d$ is a trapdoor). Logarithm is the inverse of exponentiation: $\exp_\alpha : x \mapsto \alpha^x$ (easy); $\log_\alpha : \alpha^x \mapsto x$ (difficult). $\log$ is hard to compute, so $\exp$ is a one-way function, but without a trapdoor. An encryption scheme based on the difficulty of $\log$ will not simply encrypt $x$ as $\alpha^x$.

39 Diffie-Hellman key agreement. $\mathbb{Z}_p^* = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$; $\mathbb{Z}_{p-1} = \{0, 1, 2, \ldots, p-2\}$. Alice and Bob wish to set up a secret key. 1. Alice and Bob agree on a large prime $p$ and a primitive root (generator) $\alpha \in \mathbb{Z}_p^*$ ($p$, $\alpha$ not secret). 2. Alice $\to$ Bob: $\alpha^a \bmod p$, where $a \leftarrow_R \mathbb{Z}_{p-1}$. 3. Alice $\leftarrow$ Bob: $\alpha^b \bmod p$, where $b \leftarrow_R \mathbb{Z}_{p-1}$. 4. They agree on the key $\alpha^{ab} \bmod p$. Diffie-Hellman problem: given $\alpha^a, \alpha^b \in \mathbb{Z}_p^*$, compute $\alpha^{ab}$. Diffie-Hellman assumption: the Diffie-Hellman problem is intractable.

40 Ideas behind ElGamal encryption. 0. Bob is to send a message $m$ to Alice, who has private key $x$ and public key $y := \alpha^x$. 1. Regard $m$ as an element in $\mathbb{Z}_p^*$. 2. Use Diffie-Hellman to set up a temporary key: Bob generates $k$ and computes $y^k$ ($= \alpha^{xk}$). 3. Bob uses this key to encrypt $m$ as $m \cdot y^k$. 4. Bob sends $\alpha^k$ along with $m \cdot y^k$ so that Alice can compute $\alpha^{xk}$. That is, $E(m) = (\alpha^k, m \cdot y^k)$.

41 ElGamal encryption. 1. Key generation (e.g., for Alice): choose a large prime $p$ and a primitive root $\alpha \in \mathbb{Z}_p^*$, where $p-1$ has a large prime factor; randomly choose a number $x \in \mathbb{Z}_{p-1}$ and compute $y = \alpha^x$; set $sk = (p, \alpha, x)$ and $pk = (p, \alpha, y)$. 2. Encryption: $E_{pk}(m) = (\alpha^k, m \cdot y^k)$, where $m \in \mathbb{Z}_p^*$ and $k \leftarrow_R \mathbb{Z}_{p-1}$. 3. Decryption: $D_{sk}(a, b) = b \cdot a^{-x}$. 4. Remarks: all operations are done in $\mathbb{Z}_p^*$, i.e., modulo $p$. The encryption scheme is non-deterministic.

42 Security of ElGamal encryption against CPA. Based on the Diffie-Hellman assumption. The Diffie-Hellman problem reduces to the discrete logarithm problem. Open problem: does the discrete logarithm problem reduce to the Diffie-Hellman problem? Theorem: If the Diffie-Hellman assumption is true, then the ElGamal encryption scheme is CPA-secure.

43 Security of ElGamal encryption against CCA. A function $f : G \to G$ is homomorphic if $f(xy) = f(x) f(y)$. ElGamal encryption is homomorphic, $E(m \cdot m') = E(m) \cdot E(m')$, in the following sense: if $E(m) = (\alpha^k, m \cdot y^k)$ and $E(m') = (\alpha^{k'}, m' \cdot y^{k'})$, then $E(m) \cdot E(m') = (\alpha^k, m y^k) \cdot (\alpha^{k'}, m' y^{k'}) = (\alpha^k \alpha^{k'}, m y^k m' y^{k'}) = (\alpha^{k+k'}, m m' y^{k+k'})$ is a valid encryption of $m \cdot m'$. As such, ElGamal encryption is not CCA-secure (i.e., not indistinguishable against CCA).
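An added example, not from the slides, covering slides 35 to 43: the discrete-log table of Examples 1 and 2, the Diffie-Hellman exchange of slide 39, ElGamal key generation, encryption and decryption as on slide 41, and the multiplicative homomorphism of slide 43. All arithmetic is in the toy group Z_19^* with generator 2; the exponents used are constructed values.

```python
# Added example (not from the slides): DLP table, Diffie-Hellman, ElGamal and
# its homomorphism over a toy prime field.


def powers_table(alpha, p):
    """[alpha^0, alpha^1, ..., alpha^(p-2)] mod p; alpha generates Z_p^* iff all are distinct."""
    return [pow(alpha, i, p) for i in range(p - 1)]


def discrete_log(alpha, y, p):
    """Brute-force log_alpha(y) in Z_p^*, or None if y is not in <alpha>. Feasible
    only because p is tiny; for real parameters this is the assumed-hard DLP."""
    table = powers_table(alpha, p)
    return table.index(y) if y in table else None


def diffie_hellman(p, alpha, a, b):
    """Alice sends alpha^a, Bob sends alpha^b; each raises the other's value to
    its own exponent and both obtain alpha^(ab) mod p."""
    A, B = pow(alpha, a, p), pow(alpha, b, p)      # the two public values
    k_alice, k_bob = pow(B, a, p), pow(A, b, p)
    assert k_alice == k_bob
    return k_alice


def elgamal_keygen(p, alpha, x):
    """sk = (p, alpha, x), pk = (p, alpha, y) with y = alpha^x mod p."""
    return (p, alpha, x), (p, alpha, pow(alpha, x, p))


def elgamal_encrypt(pk, m, k):
    """E_pk(m) = (alpha^k, m * y^k) mod p; k is the per-message randomness."""
    p, alpha, y = pk
    return pow(alpha, k, p), (m * pow(y, k, p)) % p


def elgamal_decrypt(sk, ct):
    """D_sk(a, b) = b * a^(-x); a^(-x) is computed as a^(p-1-x) by Fermat."""
    p, _, x = sk
    a, b = ct
    return (b * pow(a, p - 1 - x, p)) % p


def multiply_ciphertexts(p, c1, c2):
    """Componentwise product: (alpha^(k1+k2), m1*m2*y^(k1+k2)), an encryption of m1*m2."""
    return (c1[0] * c2[0]) % p, (c1[1] * c2[1]) % p


def homomorphism_holds(sk, pk, m1, m2, k1, k2):
    """Slide 43: decrypting E(m1)*E(m2) yields m1*m2, which is why ElGamal is malleable."""
    p = pk[0]
    c = multiply_ciphertexts(p, elgamal_encrypt(pk, m1, k1), elgamal_encrypt(pk, m2, k2))
    return elgamal_decrypt(sk, c) == (m1 * m2) % p
```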

44 Symmetric vs. Asymmetric. Symmetric encryptions are much faster than asymmetric ones. AES is typically 100 times faster than RSA encryption, and 1000 times faster than RSA decryption. Use an asymmetric cipher to set up a session key and then use a symmetric cipher to encrypt data.

45 Security Issues. What does it mean that an encryption scheme is secure (or insecure)? Semantic security. Ciphertext-indistinguishability. Non-malleability.

46 Different levels of security. Consider ciphertext-only attacks, i.e., the adversary is an eavesdropper. How to define security? Several options: an encryption scheme is secure if, given a ciphertext $c = E_k(m)$, no adversary can (1) find the secret key $k$; (2) find the plaintext $m$; (3) find any character of the plaintext; (4) find any meaningful information about the plaintext; (5) find any information about the plaintext. We will adopt (and formalize) #5, which is called semantic security and seems to indicate the highest level of security.

47 Different types of attackers. Different types of attacks (classified by the amount of information that may be obtained by the attacker): ciphertext-only attack; known-plaintext attack; chosen-plaintext attack (CPA); chosen-ciphertext attack (CCA).

48 Security Parameter. The security of an encryption scheme typically depends on its key length. Is RSA secure if $|n| = 216$, 512, or 1024? In general, an encryption scheme is associated with an integer called its security parameter. (For now, you may think of it as key length.) When we say that the probability $\Pr(\cdot)$ of an encryption scheme being broken is negligible, it is w.r.t. the encryption scheme's security parameter.

49 Negligible functions. A nonnegative function $f : \mathbb{N} \to \mathbb{R}$ is said to be negligible if for every positive polynomial $P(n)$ there is an integer $n_0$ such that $f(n) < 1/P(n)$ for all $n > n_0$ (i.e., for sufficiently large $n$). Examples: $2^{-n}$, $2^{-\sqrt{n}}$, $n^{-\log n}$ are negligible functions. Negligible functions approach zero faster than the reciprocal of every polynomial. We write $\mathrm{negl}(n)$ to denote an unspecified negligible function.

50 Symmetric-key encryption scheme. Message space: $M \subseteq \{0,1\}^*$. Key generation algorithm $G$: on input $1^n$, $G(1^n)$ outputs a key $k \in \{0,1\}^n$ ($K = \{0,1\}^n$; $n$ is the security parameter). Encryption algorithm $E$: on input a key $k$ and a plaintext $m \in M$, $E$ outputs a ciphertext $c$. We write $c \leftarrow E(k, m)$ or $c \leftarrow E_k(m)$. Decryption algorithm $D$: on input a key $k$ and a ciphertext $c$, $D$ outputs a message $m$. We write $m := D(k, c)$ or $m := D_k(c)$. Correctness requirement: for each $k \in K$ and $m \in M$, $D_k(E_k(m)) = m$. $G$, $E$ are polynomial-time probabilistic algorithms; $D$ is deterministic.

51 Semantic Security. Informally, an encryption scheme is semantically secure if whatever an adversary with $c = E(m)$ can learn about $m$, one can learn equally well without $c$. A private-key encryption scheme $(G, E, D)$ with security parameter $n$ is semantically secure against an eavesdropper if for every probabilistic polynomial-time (PPT) algorithm $A$ there exists a PPT $A'$ such that for all polynomial-time computable functions $f$ and $h$ there exists a negligible function $\mathrm{negl}$ such that $\bigl| \Pr[A(1^n, E_k(m), h(m)) = f(m) : k \leftarrow G(1^n),\ m \leftarrow \{0,1\}^n] - \Pr[A'(1^n, h(m)) = f(m) : m \leftarrow \{0,1\}^n] \bigr| \le \mathrm{negl}(n)$.

52 Ciphertext-Indistinguishability. Adversary: a polynomial-time eavesdropper. $(G, E, D)$: an encryption scheme with security parameter $n$. Imagine a game played by Bob and Eve (the adversary): Eve is given input $1^n$ and outputs a pair of messages $m_0, m_1$ of the same length. Bob chooses a key $k \leftarrow G(1^n)$ and $m \leftarrow_u \{m_0, m_1\}$. He computes $c \leftarrow E_k(m)$ and gives $c$ to Eve. Eve tries to determine whether $c$ is the encryption of $m_0$ or of $m_1$. An encryption scheme is ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than $1/2$.

53 Definition: An encryption scheme is ciphertext-indistinguishable against eavesdroppers if for every PPT algorithm $A$ and all $m_0, m_1 \in M$ with $|m_0| = |m_1|$ it holds that $\Pr[A(1^n, m_0, m_1, E_k(m)) = m : m \leftarrow_u \{m_0, m_1\},\ k \leftarrow G(1^n)] \le \tfrac{1}{2} + \mathrm{negl}(n)$.

54 Equivalence of semantic security and ciphertext-indistinguishability. Theorem: Against an eavesdropper, an encryption scheme is semantically secure iff it is ciphertext-indistinguishable. Theorem: Under CPA, CCA1 or CCA2, an encryption scheme is semantically secure if and only if it is ciphertext-indistinguishable.

55 Chosen-plaintext attacks (CPA). In CSE 651 we described CPA as follows. Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $m_1, m_2, \ldots, m_t$ are chosen by the adversary, and a new ciphertext $c$. Q: what is the plaintext of $c$? Adaptively-chosen-plaintext attack: $m_1, m_2, \ldots, m_t$ are chosen adaptively. Now we describe CPA in terms of an oracle.

56 Chosen-plaintext attacks (CPA). A CPA on an encryption scheme $(G, E, D)$ is modeled as follows. 1. A key $k \leftarrow G(1^n)$ is generated. 2. The adversary is given input $1^n$ and oracle access to $E_k$. She may request the oracle to encrypt plaintexts of her choice. 3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$ and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$. 4. The adversary continues to have oracle access and may request the encryptions of additional plaintexts of her choice, even $m_0$ and $m_1$. 5. The adversary finally answers 0 or 1. Note: the CPA here actually refers to an adaptive CPA.

57 Ciphertext-indistinguishability against CPA. An encryption scheme $(G, E, D)$ is IND-CPA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$. Definition: an encryption scheme $(G, E, D)$ is IND-CPA if for every polynomial-time adversary $A$ it holds that $\Pr[A^{E_k}(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ m_0, m_1 \leftarrow A^{E_k}(1^n),\ m \leftarrow_u \{m_0, m_1\}] \le \tfrac{1}{2} + \mathrm{negl}(n)$, where $m_0, m_1 \in M$.

58 Chosen-ciphertext attacks (CCA). In CSE 651 we also described CCA as follows. Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $c_1, c_2, \ldots, c_t$ are chosen by the adversary, and a new ciphertext $c$. Q: what is the plaintext of $c$?  Adaptively-chosen-ciphertext attack: $c_1, c_2, \ldots, c_t$ are chosen adaptively. Now we describe CCA in terms of oracles. We will allow a CCA adversary to also have CPA capability (so, combined CCA+CPA rather than pure CCA).

59 Chosen-ciphertext attacks (CCA). A CCA on an encryption scheme $(G, E, D)$ is modeled as follows. 1. A key $k \leftarrow G(1^n)$ is generated. 2. The adversary is given input $1^n$ and oracle access to $E_k$ and $D_k$. She may request the oracles to perform encryptions and/or decryptions for her. 3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$ and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$. 4. The adversary continues to have oracle access to $E_k$ and $D_k$, but is not allowed to request the decryption of $c$. 5. The adversary finally answers 0 or 1.

60 CCA1 vs. CCA2. The CCA described above is also called CCA2. If in item #4 the adversary has no access to the decryption oracle, the CCA is called CCA1.

61 Ciphertext-indistinguishability against CCA. An encryption scheme $(G, E, D)$ is IND-CCA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$. Definition: an encryption scheme $(G, E, D)$ is IND-CCA if for every polynomial-time adversary $A$ it holds that $\Pr[A^{E_k, D_k}(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ m_0, m_1 \leftarrow A^{E_k, D_k}(1^n),\ m \leftarrow_u \{m_0, m_1\}] \le \tfrac{1}{2} + \mathrm{negl}(n)$, where $m_0, m_1 \in M$.

62 Non-malleability. An encryption scheme $(G, E, D)$ is non-malleable if, given a ciphertext $c = E(m)$, it is computationally infeasible for an adversary to produce a ciphertext $c'$ such that $m' = D(c')$ has some known relation with $m$. RSA is malleable. IND-CCA2 $\Longleftrightarrow$ non-malleable. Later we will see that every homomorphic encryption scheme is malleable, and hence cannot be IND-CCA2. Highest security level possible for such schemes: IND-CCA1. (?)

63 Homomorphic Encryption. Fontaine and Galand, "A survey of homomorphic encryption for nonspecialists", EURASIP Journal on Information Security, 2007.

64 RSA is homomorphic. $\mathrm{RSA}(m_1 \cdot m_2) = \mathrm{RSA}(m_1) \cdot \mathrm{RSA}(m_2)$, where $\cdot$ is the multiplication in $\mathbb{Z}_n^*$ (i.e., modulo $n$). Easy to verify: $\mathrm{RSA}(m_1 \cdot m_2) = (m_1 \cdot m_2)^e$; $\mathrm{RSA}(m_1) = m_1^e$; $\mathrm{RSA}(m_2) = m_2^e$; $\mathrm{RSA}(m_1) \cdot \mathrm{RSA}(m_2) = m_1^e \cdot m_2^e = (m_1 \cdot m_2)^e$.

65 Homomorphic encryption. $M$: message space; $C$: ciphertext space; $\odot_M$: some binary operation on $M$; $\odot_C$: some binary operation on $C$. Definition: An encryption scheme is homomorphic if for any encryption key $k$ the encryption function $E$ satisfies $E(m_1 \odot_M m_2) = E(m_1) \odot_C E(m_2)$ for all messages $m_1, m_2 \in M$. Comment: applicable only to deterministic encryption schemes.

66 ElGamal encryption is homomorphic. $E(m_1 \cdot m_2) \approx E(m_1) \cdot E(m_2)$, in the following sense: $E(m_1) \cdot E(m_2)$ is a valid encryption of $m_1 \cdot m_2$. Verification: if $E(m_1) = (g^{k_1}, m_1 y^{k_1})$ and $E(m_2) = (g^{k_2}, m_2 y^{k_2})$, then $E(m_1) \cdot E(m_2) = (g^{k_1}, m_1 y^{k_1}) \cdot (g^{k_2}, m_2 y^{k_2}) = (g^{k_1 + k_2}, m_1 m_2 y^{k_1 + k_2})$, which is an encryption of $m_1 \cdot m_2$.

67 Homomorphic encryption redefined. $M$: message space; $C$: ciphertext space; $\odot_M$: some binary operation on $M$; $\odot_C$: some binary operation on $C$. Definition: An encryption scheme is homomorphic if for any encryption key $k$ the encryption function $E$ satisfies $E(m_1 \odot_M m_2) \approx E(m_1) \odot_C E(m_2)$ for all messages $m_1, m_2 \in M$. Comment: $\approx$ means "an encryption (of the left-hand side) can be computed from (the right-hand side)".

68 An equivalent definition. Definition: An encryption scheme is homomorphic if its encryption $E$ and decryption $D$ satisfy $m_1 \odot_M m_2 = D(E(m_1) \odot_C E(m_2))$ for all messages $m_1, m_2 \in M$ and all encryption/decryption key pairs.

69 A generalized definition. Definition: An encryption scheme is homomorphic w.r.t. $\odot_M$ if there is a polynomial-time algorithm $A$ such that $m_1 \odot_M m_2 = D(A(E(m_1), E(m_2)))$, or equivalently $E(m_1 \odot_M m_2) \approx A(E(m_1), E(m_2))$, for all messages $m_1, m_2 \in M$ and all encryption/decryption key pairs. Question: How to further generalize it?

70 Various homomorphic encryptions. An encryption scheme is additively homomorphic if it is homomorphic w.r.t. $+_M$; multiplicatively homomorphic if it is homomorphic w.r.t. $\times_M$; algebraically homomorphic if it is homomorphic w.r.t. both $+_M$ and $\times_M$. RSA and ElGamal are multiplicatively homomorphic. Padded RSA and OAEP-RSA are not homomorphic. RSA is not IND-CPA secure; ElGamal is.

71 Additively homomorphic ElGamal encryption. ElGamal encryption can be made additively homomorphic. Original ElGamal: $E(m) = (g^k, m y^k)$. Now encrypt $m$ as $c = E(m) = (g^k, h^m y^k)$, where $g, h$ are generators of $\mathbb{Z}_p^*$. Decrypting $c$ takes two steps: $c \to h^m$ (ElGamal decryption), then $h^m \to m$ (a discrete logarithm). $E(m + m') \approx E(m) \cdot E(m')$.

72 A simple application. To vote yes or no, encode a yes-vote as $m = 1$ and a no-vote as $m = -1$. Encrypt $m$ as $c = (g^k, h^m y^k)$. Send the encrypted vote $c$ to a trusted party. All votes: $\{c_1, c_2, \ldots, c_k\}$, where $c_i = (g^{k_i}, h^{m_i} y^{k_i})$. $\prod_{i=1}^{k} c_i = E\bigl(\sum_{i=1}^{k} m_i \bmod (p-1)\bigr)$, so $D\bigl(\prod_{i=1}^{k} c_i\bigr) = \sum_{i=1}^{k} m_i \bmod (p-1) = \sum_{i=1}^{k} m_i$ (why?).
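An added example, not from the slides: the additively homomorphic ElGamal variant of slides 71 and 72. A vote m in {+1, −1} is encrypted as (g^k, h^m y^k); multiplying all ballots gives an encryption of the sum, and decryption follows the two steps of slide 71, ordinary ElGamal decryption yielding h^(sum) and then a brute-force discrete logarithm that is feasible only because the tally is small. The parameters p = 23, g = 5, h = 7 and the private key are constructed toy values.

```python
# Added example (not from the slides): exponential ElGamal and a vote tally.
from random import Random


def add_elgamal_encrypt(pk, m, k):
    """c = (g^k, h^m y^k) mod p; a negative m is reduced mod p-1, the exponent group."""
    p, g, h, y = pk
    return pow(g, k, p), (pow(h, m % (p - 1), p) * pow(y, k, p)) % p


def add_elgamal_decrypt(sk, ct, n_votes):
    """Step 1: h^t = b * a^(-x). Step 2: search t in [-n_votes, n_votes].
    The answer to slide 72's 'why?': the true sum has absolute value at most
    n_votes, which is far below p-1, so reducing mod p-1 loses nothing, and the
    search is unambiguous as long as the order of h exceeds 2 * n_votes."""
    p, g, h, x = sk
    a, b = ct
    h_t = (b * pow(a, p - 1 - x, p)) % p
    for t in range(-n_votes, n_votes + 1):
        if pow(h, t % (p - 1), p) == h_t:
            return t
    return None


def tally(pk, sk, votes, seed=1):
    """Encrypt each vote with fresh randomness k, multiply the ciphertexts
    componentwise, and decrypt once: the tallier never decrypts a single ballot."""
    p = pk[0]
    rng = Random(seed)
    acc = (1, 1)                                   # encryption of 0 with k = 0
    for m in votes:
        c = add_elgamal_encrypt(pk, m, rng.randrange(1, p - 1))
        acc = ((acc[0] * c[0]) % p, (acc[1] * c[1]) % p)
    return add_elgamal_decrypt(sk, acc, len(votes))
```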

73 Yao's Millionaire Problem. Two millionaires, Alice and Bob, want to know who is richer without revealing their actual wealth. Alice is worth $a$ millions, and Bob $b$ millions. Q: $a < b$? Initially suggested and solved by Andrew Yao. Later generalized to a problem called Multiparty Computation. Would be trivial if there were a secure encryption scheme that is homomorphic w.r.t. "$<$", namely $(m_1 < m_2) = D(A(E(m_1), E(m_2)))$.

74 Quadratic Residues. Let $n \ge 2$ be any number. Quadratic residues: elements in $\mathbb{Z}_n^*$ which are a square. $QR_n$ = the subgroup of quadratic residues in $\mathbb{Z}_n^*$. $QNR_n = \mathbb{Z}_n^* \setminus QR_n$ = quadratic non-residues. Legendre symbol: $\left(\frac{x}{p}\right) = +1$ if $[x] \in QR_p$ ($x$ is a square); $-1$ if $[x] \in QNR_p$ (not a square); $0$ if $[x] = 0$. Euler's criterion: $\left(\frac{x}{p}\right) = x^{(p-1)/2} \bmod p$. Jacobi symbol: $\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right)$, assuming $n = pq$.

75 Quadratic Residues (cont'd). Thus, $\left(\frac{x}{n}\right) = 1$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = \pm 1$. $x$ is a quadratic residue in $\mathbb{Z}_n^*$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$. $\mathbb{Z}_n^* = QR_n \cup QNR_n = QR_n \cup QNR_n^+ \cup QNR_n^-$. If $\left(\frac{x}{n}\right) = -1$, then $x \in QNR_n^-$. If $\left(\frac{x}{n}\right) = 1$, then $x \in QR_n \cup QNR_n^+$. Quadratic residuosity assumption: given $x \in \mathbb{Z}_n^*$ with $\left(\frac{x}{n}\right) = 1$, it is intractable to determine whether $x \in QR_n$ or $x \in QNR_n^+$ without knowing $n = pq$. Knowing $n = pq$, it is easy to determine whether $x \in QR_n$ or $x \in QNR_n^+$.

76 Goldwasser-Micali encryption scheme (idea). First probabilistic encryption scheme. Encrypt one bit $b \in \{0,1\}$ at a time. Encrypt $b = 0$ as a random number in $QR_n$. Encrypt $b = 1$ as a random number in $QNR_n^+$. To decrypt $c = E(b)$, simply determine whether $c \in QR_n$ (i.e., whether $\left(\frac{c}{p}\right) = \left(\frac{c}{q}\right) = 1$).

77 Goldwasser-Micali encryption scheme. Public key: $(g, n)$. Private key: $(p, q)$. System setup: Alice chooses $n = pq$ and $g \leftarrow_R QNR_n^+$. Encryption: $E(b) = g^b r^2$, where $r \leftarrow_R \mathbb{Z}_n^*$. Note: $E(b)$ is a quadratic residue iff $b = 0$. To decrypt $c = E(b)$, simply determine whether $c \in QR_n$. Drawback: it takes $|n| = 1024$ bits to encrypt a single bit. This scheme has an expansion of 1024.
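An added example, not from the slides: Legendre and Jacobi symbols via Euler's criterion (slide 74), the QR / QNR⁺ split of slide 75, and Goldwasser-Micali bit encryption as on slide 77. The toy primes p = 11 and q = 19 are constructed values; the real scheme uses a modulus of about 1024 bits, which is the source of the 1024-fold expansion.

```python
# Added example (not from the slides): quadratic residues and Goldwasser-Micali.
from math import gcd
from random import Random


def legendre(x, p):
    """Euler's criterion: (x/p) = x^((p-1)/2) mod p, reported as +1, -1 or 0."""
    s = pow(x % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def jacobi(x, p, q):
    """(x/n) = (x/p)(x/q) for n = pq. Computable without the factors in general;
    written through them here for clarity."""
    return legendre(x, p) * legendre(x, q)


def is_qr(x, p, q):
    """x is a square mod n = pq iff it is a square mod p and mod q (slide 75)."""
    return legendre(x, p) == 1 and legendre(x, q) == 1


def in_qnr_plus(x, p, q):
    """QNR^+: Jacobi symbol +1 but not a square, i.e. (x/p) = (x/q) = -1."""
    return legendre(x, p) == -1 and legendre(x, q) == -1


def gm_setup(p, q, rng):
    """Public key (g, n) with g drawn from QNR^+_n; private key (p, q)."""
    n = p * q
    while True:
        g = rng.randrange(2, n)
        if in_qnr_plus(g, p, q):
            return (g, n), (p, q)


def gm_encrypt(pk, b, rng):
    """E(b) = g^b r^2 mod n with r a random unit: a random QR for b = 0, a random
    element of QNR^+ for b = 1. The same bit with fresh r gives a different ciphertext."""
    g, n = pk
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return (pow(g, b, n) * r * r) % n


def gm_decrypt(sk, c):
    """Decide c in QR_n using the factorisation; QNR^+ means the bit was 1."""
    p, q = sk
    return 0 if is_qr(c, p, q) else 1


def gm_roundtrip(bits, p=11, q=19, seed=3):
    rng = Random(seed)
    pk, sk = gm_setup(p, q, rng)
    return [gm_decrypt(sk, gm_encrypt(pk, b, rng)) for b in bits]
```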

78 Reducing the expansion. Idea of Goldwasser-Micali: take a group $G$ and a subgroup $H$. Partition $G$ into two parts, $M_0 = H$ and $M_1 = G \setminus H$. Randomly select an element in $M_b$ to encrypt $b$. To generalize, choose $G$ and $H$ such that $G$ can be split into more parts. Benaloh: $k$ = small prime; $E(m) = g^m r^k$, $m \in \{0, \ldots, k-1\}$; expansion: depends on $k$. Okamoto & Uchiyama: reduced the expansion to 3. Paillier: reduced the expansion to 2 using the group $\mathbb{Z}_{n^2}^*$. Damgård & Jurik: generalized Paillier's scheme using the group $\mathbb{Z}_{n^{s+1}}^*$, with expansion $1 + 1/s$.

79 Paillier's encryption scheme. One of the most well-known homomorphic encryptions. $G = \mathbb{Z}_{n^2}^*$, where $n = pq$. $|G| = \varphi(n^2) = n\varphi(n)$. $H = \{z \in G : z \text{ is an } n\text{-th residue mod } n^2\}$, i.e., $z = y^n \bmod n^2$ for some $y \in G$. $H$ is a subgroup and $|H| = \varphi(n)$. Use $H$ to divide $G$ into $n$ classes. Let $g \in G$ be any element with order a multiple of $n$.

80 Define $f : \mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{Z}_{n^2}^*$, $(x, y) \mapsto g^x y^n \bmod n^2$. Theorem: $f$ is bijective. Each $x \in \mathbb{Z}_n$ defines a class in $\mathbb{Z}_{n^2}^*$, namely $f(x, \mathbb{Z}_n^*) = \{f(x, y) : y \in \mathbb{Z}_n^*\}$. Encryption: plaintext $m \in \mathbb{Z}_n$; select a random $r \in \mathbb{Z}_n^*$; ciphertext $c = g^m r^n \bmod n^2$. Additively homomorphic.

81 Decryption (private key: $n = pq$, or $\lambda(n)$). Ciphertext $c \in \mathbb{Z}_{n^2}^*$; plaintext $m = \dfrac{L(c^{\lambda(n)} \bmod n^2)}{L(g^{\lambda(n)} \bmod n^2)} \bmod n$, where $L(u) = (u-1)/n$. $\lambda(n)$ is the Carmichael function, i.e., the smallest integer such that $a^{\lambda(n)} \equiv 1 \pmod n$ for all $a \in \mathbb{Z}_n^*$. For $n = pq$, $\lambda(n) = \mathrm{lcm}(p-1, q-1)$. (In RSA, $\lambda(n)$ can be used in place of $\varphi(n)$.)

82 Security. Assumption: without knowing $n = pq$, it is intractable to determine whether an element $z \in \mathbb{Z}_{n^2}^*$ is an $n$-th residue modulo $n^2$. If this assumption holds, Paillier's encryption scheme is semantically secure under CPA. Let $c$ be the ciphertext of either $m_0$ or $m_1$. So either $c = g^{m_0} r^n \bmod n^2$ or $c = g^{m_1} r^n \bmod n^2$, and hence $c \cdot g^{-m_0} = r^n \bmod n^2$ or $c \cdot g^{-m_0} = g^{m_1 - m_0} r^n \bmod n^2$. Thus $c$ is the ciphertext of $m_0$ iff $c \cdot g^{-m_0}$ is an $n$-th residue modulo $n^2$.

83 Question: In the above argument, which problem is reduced to which problem?

84 Additively homomorphic on $\mathbb{Z}_n$. Recall: $E(m) = g^m r^n \bmod n^2$, $m \in \mathbb{Z}_n$, $r \leftarrow_R \mathbb{Z}_n^*$. $D(E(m_1) \cdot E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$. $D(E(m)^k \bmod n^2) = k m \bmod n$. $D(E(m_1) \cdot g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n$.

85 A simple application. To vote yes or no, encode a yes-vote as $m = 1$ and a no-vote as $m = -1$. Encrypt $m$ as $c = g^m r^n \bmod n^2$. Send the encrypted vote $c$ to a trusted party. All votes: $\{c_1, c_2, \ldots, c_k\}$. $D\bigl(\prod_{i=1}^{k} c_i \bmod n^2\bigr) = \sum_{i=1}^{k} m_i \bmod n = \sum_{i=1}^{k} m_i$ (why?).
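An added example, not from the slides, covering slides 79 to 85: Paillier encryption c = g^m r^n mod n² with g = n + 1 (a convenient element whose order is a multiple of n), decryption through L(u) = (u − 1)/n and the Carmichael function λ(n), the additive homomorphism of slide 84, the ±1 voting tally of slide 85, and the residuosity argument of slide 82. The primes 11 and 13 and all randomness are constructed toy values.

```python
# Added example (not from the slides): Paillier's scheme on toy parameters.
from math import gcd
from random import Random


def lcm(a, b):
    return a * b // gcd(a, b)


def paillier_keygen(p, q):
    """n = pq, lambda(n) = lcm(p-1, q-1), g = n + 1. Public (n, g); private adds lambda."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1
    return (n, g), (n, g, lam)


def paillier_encrypt(pk, m, r):
    """c = g^m r^n mod n^2 for m in Z_n and a unit r mod n (slide 80)."""
    n, g = pk
    if gcd(r, n) != 1:
        raise ValueError("r must be a unit mod n")
    n2 = n * n
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def L(u, n):
    """L(u) = (u - 1)/n; u is 1 mod n wherever this is applied below."""
    return (u - 1) // n


def paillier_decrypt(sk, c):
    """m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n (slide 81)."""
    n, g, lam = sk
    n2 = n * n
    num = L(pow(c, lam, n2), n)
    den = L(pow(g, lam, n2), n)
    return (num * pow(den, -1, n)) % n


def paillier_add(pk, c1, c2):
    """Multiplying ciphertexts adds plaintexts mod n (slide 84)."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def is_nth_residue(sk, z):
    """Private-key stand-in for the oracle assumed hard on slide 82: when
    gcd(n, lambda) = 1 (true for the toy primes), z is an n-th residue mod n^2
    iff z^lambda = 1 mod n^2."""
    n, _, lam = sk
    return pow(z, lam, n * n) == 1


def distinguish(pk, c, m0, m1, residuosity_oracle):
    """Slide 82's reduction: c encrypts m0 iff c * g^(-m0) is an n-th residue, so
    anyone who can decide n-th residuosity tells the two messages apart."""
    n, g = pk
    n2 = n * n
    z = (c * pow(pow(g, m0 % n, n2), -1, n2)) % n2
    return m0 if residuosity_oracle(z) else m1


def tally_votes(pk, sk, votes, seed=5):
    """Slide 85: votes are +1/-1, their ciphertexts are multiplied, and a single
    decryption gives the sum mod n. A negative sum appears as n - |sum|, so the
    result is re-centred; valid because the number of votes is far below n/2."""
    n, _ = pk
    rng = Random(seed)
    acc = 1                                   # the neutral ciphertext: E(0) with r = 1
    for m in votes:
        r = rng.randrange(1, n)
        while gcd(r, n) != 1:
            r = rng.randrange(1, n)
        acc = paillier_add(pk, acc, paillier_encrypt(pk, m, r))
    t = paillier_decrypt(sk, acc)
    return t - n if t > n // 2 else t
```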

86 Fully homomorphic encryption. At STOC'09, Craig Gentry presented a fully homomorphic encryption scheme. A homomorphic public-key encryption scheme $S$ has four algorithms: KeyGen, Encrypt, Decrypt, Evaluate. $C$: a circuit. $S$ is homomorphic for $C$ if for any key pair $(sk, pk)$ output by KeyGen, any plaintexts $\pi_1, \ldots, \pi_t$, and any ciphertexts $\psi_1, \ldots, \psi_t$ with $\psi_i = \mathrm{Encrypt}(\pi_i)$, it holds that $C(\pi_1, \ldots, \pi_t) = \mathrm{Decrypt}(\mathrm{Evaluate}(C, \psi_1, \ldots, \psi_t))$. $S$ is fully homomorphic if it is homomorphic for all circuits.

87 Applications. Protection of mobile agents. Watermarking/fingerprinting protocols. Electronic auction and lottery protocols. Multiparty computation. Oblivious transfer. Privacy-preserving data mining. Others.


More information

Introduction to local (nonparametric) density estimation. methods

Introduction to local (nonparametric) density estimation. methods Itroducto to local (oparametrc) desty estmato methods A slecture by Yu Lu for ECE 66 Sprg 014 1. Itroducto Ths slecture troduces two local desty estmato methods whch are Parze desty estmato ad k-earest

More information

Exercises for Square-Congruence Modulo n ver 11

Exercises for Square-Congruence Modulo n ver 11 Exercses for Square-Cogruece Modulo ver Let ad ab,.. Mark True or False. a. 3S 30 b. 3S 90 c. 3S 3 d. 3S 4 e. 4S f. 5S g. 0S 55 h. 8S 57. 9S 58 j. S 76 k. 6S 304 l. 47S 5347. Fd the equvalece classes duced

More information

Assignment 5/MATH 247/Winter Due: Friday, February 19 in class (!) (answers will be posted right after class)

Assignment 5/MATH 247/Winter Due: Friday, February 19 in class (!) (answers will be posted right after class) Assgmet 5/MATH 7/Wter 00 Due: Frday, February 9 class (!) (aswers wll be posted rght after class) As usual, there are peces of text, before the questos [], [], themselves. Recall: For the quadratc form

More information

Algorithms Design & Analysis. Hash Tables

Algorithms Design & Analysis. Hash Tables Algorthms Desg & Aalyss Hash Tables Recap Lower boud Order statstcs 2 Today s topcs Drect-accessble table Hash tables Hash fuctos Uversal hashg Perfect Hashg Ope addressg 3 Symbol-table problem Symbol

More information

Evaluating Polynomials

Evaluating Polynomials Uverst of Nebraska - Lcol DgtalCommos@Uverst of Nebraska - Lcol MAT Exam Expostor Papers Math the Mddle Isttute Partershp 7-7 Evaluatg Polomals Thomas J. Harrgto Uverst of Nebraska-Lcol Follow ths ad addtoal

More information

(b) By independence, the probability that the string 1011 is received correctly is

(b) By independence, the probability that the string 1011 is received correctly is Soluto to Problem 1.31. (a) Let A be the evet that a 0 s trasmtted. Usg the total probablty theorem, the desred probablty s P(A)(1 ɛ ( 0)+ 1 P(A) ) (1 ɛ 1)=p(1 ɛ 0)+(1 p)(1 ɛ 1). (b) By depedece, the probablty

More information

TESTS BASED ON MAXIMUM LIKELIHOOD

TESTS BASED ON MAXIMUM LIKELIHOOD ESE 5 Toy E. Smth. The Basc Example. TESTS BASED ON MAXIMUM LIKELIHOOD To llustrate the propertes of maxmum lkelhood estmates ad tests, we cosder the smplest possble case of estmatg the mea of the ormal

More information

MA 524 Homework 6 Solutions

MA 524 Homework 6 Solutions MA 524 Homework 6 Solutos. Sce S(, s the umber of ways to partto [] to k oempty blocks, ad c(, s the umber of ways to partto to k oempty blocks ad also the arrage each block to a cycle, we must have S(,

More information

1 Mixed Quantum State. 2 Density Matrix. CS Density Matrices, von Neumann Entropy 3/7/07 Spring 2007 Lecture 13. ψ = α x x. ρ = p i ψ i ψ i.

1 Mixed Quantum State. 2 Density Matrix. CS Density Matrices, von Neumann Entropy 3/7/07 Spring 2007 Lecture 13. ψ = α x x. ρ = p i ψ i ψ i. CS 94- Desty Matrces, vo Neuma Etropy 3/7/07 Sprg 007 Lecture 3 I ths lecture, we wll dscuss the bascs of quatum formato theory I partcular, we wll dscuss mxed quatum states, desty matrces, vo Neuma etropy

More information

Non-uniform Turán-type problems

Non-uniform Turán-type problems Joural of Combatoral Theory, Seres A 111 2005 106 110 wwwelsevercomlocatecta No-uform Turá-type problems DhruvMubay 1, Y Zhao 2 Departmet of Mathematcs, Statstcs, ad Computer Scece, Uversty of Illos at

More information

å 1 13 Practice Final Examination Solutions - = CS109 Dec 5, 2018

å 1 13 Practice Final Examination Solutions - = CS109 Dec 5, 2018 Chrs Pech Fal Practce CS09 Dec 5, 08 Practce Fal Examato Solutos. Aswer: 4/5 8/7. There are multle ways to obta ths aswer; here are two: The frst commo method s to sum over all ossbltes for the rak of

More information

CHAPTER VI Statistical Analysis of Experimental Data

CHAPTER VI Statistical Analysis of Experimental Data Chapter VI Statstcal Aalyss of Expermetal Data CHAPTER VI Statstcal Aalyss of Expermetal Data Measuremets do ot lead to a uque value. Ths s a result of the multtude of errors (maly radom errors) that ca

More information

Mu Sequences/Series Solutions National Convention 2014

Mu Sequences/Series Solutions National Convention 2014 Mu Sequeces/Seres Solutos Natoal Coveto 04 C 6 E A 6C A 6 B B 7 A D 7 D C 7 A B 8 A B 8 A C 8 E 4 B 9 B 4 E 9 B 4 C 9 E C 0 A A 0 D B 0 C C Usg basc propertes of arthmetc sequeces, we fd a ad bm m We eed

More information

Wireless Link Properties

Wireless Link Properties Opportustc Ecrypto for Robust Wreless Securty R. Chadramoul ( Moul ) moul@steves.edu Multmeda System, Networkg, ad Commucatos (MSyNC) Laboratory, Departmet of Electrcal ad Computer Egeerg, Steves Isttute

More information

ECONOMETRIC THEORY. MODULE VIII Lecture - 26 Heteroskedasticity

ECONOMETRIC THEORY. MODULE VIII Lecture - 26 Heteroskedasticity ECONOMETRIC THEORY MODULE VIII Lecture - 6 Heteroskedastcty Dr. Shalabh Departmet of Mathematcs ad Statstcs Ida Isttute of Techology Kapur . Breusch Paga test Ths test ca be appled whe the replcated data

More information

X X X E[ ] E X E X. is the ()m n where the ( i,)th. j element is the mean of the ( i,)th., then

X X X E[ ] E X E X. is the ()m n where the ( i,)th. j element is the mean of the ( i,)th., then Secto 5 Vectors of Radom Varables Whe workg wth several radom varables,,..., to arrage them vector form x, t s ofte coveet We ca the make use of matrx algebra to help us orgaze ad mapulate large umbers

More information

Homework 1: Solutions Sid Banerjee Problem 1: (Practice with Asymptotic Notation) ORIE 4520: Stochastics at Scale Fall 2015

Homework 1: Solutions Sid Banerjee Problem 1: (Practice with Asymptotic Notation) ORIE 4520: Stochastics at Scale Fall 2015 Fall 05 Homework : Solutos Problem : (Practce wth Asymptotc Notato) A essetal requremet for uderstadg scalg behavor s comfort wth asymptotc (or bg-o ) otato. I ths problem, you wll prove some basc facts

More information

Analysis of Lagrange Interpolation Formula

Analysis of Lagrange Interpolation Formula P IJISET - Iteratoal Joural of Iovatve Scece, Egeerg & Techology, Vol. Issue, December 4. www.jset.com ISS 348 7968 Aalyss of Lagrage Iterpolato Formula Vjay Dahya PDepartmet of MathematcsMaharaja Surajmal

More information

Parameter, Statistic and Random Samples

Parameter, Statistic and Random Samples Parameter, Statstc ad Radom Samples A parameter s a umber that descrbes the populato. It s a fxed umber, but practce we do ot kow ts value. A statstc s a fucto of the sample data,.e., t s a quatty whose

More information

Chapter 5 Properties of a Random Sample

Chapter 5 Properties of a Random Sample Lecture 6 o BST 63: Statstcal Theory I Ku Zhag, /0/008 Revew for the prevous lecture Cocepts: t-dstrbuto, F-dstrbuto Theorems: Dstrbutos of sample mea ad sample varace, relatoshp betwee sample mea ad sample

More information

NP!= P. By Liu Ran. Table of Contents. The P vs. NP problem is a major unsolved problem in computer

NP!= P. By Liu Ran. Table of Contents. The P vs. NP problem is a major unsolved problem in computer NP!= P By Lu Ra Table of Cotets. Itroduce 2. Strategy 3. Prelmary theorem 4. Proof 5. Expla 6. Cocluso. Itroduce The P vs. NP problem s a major usolved problem computer scece. Iformally, t asks whether

More information

A tighter lower bound on the circuit size of the hardest Boolean functions

A tighter lower bound on the circuit size of the hardest Boolean functions Electroc Colloquum o Computatoal Complexty, Report No. 86 2011) A tghter lower boud o the crcut sze of the hardest Boolea fuctos Masak Yamamoto Abstract I [IPL2005], Fradse ad Mlterse mproved bouds o the

More information

Feature Selection: Part 2. 1 Greedy Algorithms (continued from the last lecture)

Feature Selection: Part 2. 1 Greedy Algorithms (continued from the last lecture) CSE 546: Mache Learg Lecture 6 Feature Selecto: Part 2 Istructor: Sham Kakade Greedy Algorthms (cotued from the last lecture) There are varety of greedy algorthms ad umerous amg covetos for these algorthms.

More information

UNIVERSITY OF OSLO DEPARTMENT OF ECONOMICS

UNIVERSITY OF OSLO DEPARTMENT OF ECONOMICS UNIVERSITY OF OSLO DEPARTMENT OF ECONOMICS Exam: ECON430 Statstcs Date of exam: Frday, December 8, 07 Grades are gve: Jauary 4, 08 Tme for exam: 0900 am 00 oo The problem set covers 5 pages Resources allowed:

More information

For combinatorial problems we might need to generate all permutations, combinations, or subsets of a set.

For combinatorial problems we might need to generate all permutations, combinations, or subsets of a set. Addtoal Decrease ad Coquer Algorthms For combatoral problems we mght eed to geerate all permutatos, combatos, or subsets of a set. Geeratg Permutatos If we have a set f elemets: { a 1, a 2, a 3, a } the

More information

Knowledge-Proof Based Versatile Smart Card Verification Protocol

Knowledge-Proof Based Versatile Smart Card Verification Protocol Kowledge-Proof Based Versatle Smart Card Verfcato Protocol DaeHu Nyag ad JooSeok Sog Departmet of Computer Scece Departmet, Yose Uversty SeodaemuGu ShchoDog 34, Seoul 20-749, Korea fyag, jssogg@emerald.yose.ac.kr

More information

Lecture 1. (Part II) The number of ways of partitioning n distinct objects into k distinct groups containing n 1,

Lecture 1. (Part II) The number of ways of partitioning n distinct objects into k distinct groups containing n 1, Lecture (Part II) Materals Covered Ths Lecture: Chapter 2 (2.6 --- 2.0) The umber of ways of parttog dstct obects to dstct groups cotag, 2,, obects, respectvely, where each obect appears exactly oe group

More information

Lecture 7. Confidence Intervals and Hypothesis Tests in the Simple CLR Model

Lecture 7. Confidence Intervals and Hypothesis Tests in the Simple CLR Model Lecture 7. Cofdece Itervals ad Hypothess Tests the Smple CLR Model I lecture 6 we troduced the Classcal Lear Regresso (CLR) model that s the radom expermet of whch the data Y,,, K, are the outcomes. The

More information

1. A real number x is represented approximately by , and we are told that the relative error is 0.1 %. What is x? Note: There are two answers.

1. A real number x is represented approximately by , and we are told that the relative error is 0.1 %. What is x? Note: There are two answers. PROBLEMS A real umber s represeted appromately by 63, ad we are told that the relatve error s % What s? Note: There are two aswers Ht : Recall that % relatve error s What s the relatve error volved roudg

More information

A BASIS OF THE GROUP OF PRIMITIVE ALMOST PYTHAGOREAN TRIPLES

A BASIS OF THE GROUP OF PRIMITIVE ALMOST PYTHAGOREAN TRIPLES Joural of Algebra Number Theory: Advaces ad Applcatos Volume 6 Number 6 Pages 5-7 Avalable at http://scetfcadvaces.co. DOI: http://dx.do.org/.864/ataa_77 A BASIS OF THE GROUP OF PRIMITIVE ALMOST PYTHAGOREAN

More information

5 Short Proofs of Simplified Stirling s Approximation

5 Short Proofs of Simplified Stirling s Approximation 5 Short Proofs of Smplfed Strlg s Approxmato Ofr Gorodetsky, drtymaths.wordpress.com Jue, 20 0 Itroducto Strlg s approxmato s the followg (somewhat surprsg) approxmato of the factoral,, usg elemetary fuctos:

More information

AN UPPER BOUND FOR THE PERMANENT VERSUS DETERMINANT PROBLEM BRUNO GRENET

AN UPPER BOUND FOR THE PERMANENT VERSUS DETERMINANT PROBLEM BRUNO GRENET AN UPPER BOUND FOR THE PERMANENT VERSUS DETERMINANT PROBLEM BRUNO GRENET Abstract. The Permaet versus Determat problem s the followg: Gve a matrx X of determates over a feld of characterstc dfferet from

More information

Lecture 3. Sampling, sampling distributions, and parameter estimation

Lecture 3. Sampling, sampling distributions, and parameter estimation Lecture 3 Samplg, samplg dstrbutos, ad parameter estmato Samplg Defto Populato s defed as the collecto of all the possble observatos of terest. The collecto of observatos we take from the populato s called

More information

L5 Polynomial / Spline Curves

L5 Polynomial / Spline Curves L5 Polyomal / Sple Curves Cotets Coc sectos Polyomal Curves Hermte Curves Bezer Curves B-Sples No-Uform Ratoal B-Sples (NURBS) Mapulato ad Represetato of Curves Types of Curve Equatos Implct: Descrbe a

More information

Chapter 4 (Part 1): Non-Parametric Classification (Sections ) Pattern Classification 4.3) Announcements

Chapter 4 (Part 1): Non-Parametric Classification (Sections ) Pattern Classification 4.3) Announcements Aoucemets No-Parametrc Desty Estmato Techques HW assged Most of ths lecture was o the blacboard. These sldes cover the same materal as preseted DHS Bometrcs CSE 90-a Lecture 7 CSE90a Fall 06 CSE90a Fall

More information

A New Measure of Probabilistic Entropy. and its Properties

A New Measure of Probabilistic Entropy. and its Properties Appled Mathematcal Sceces, Vol. 4, 200, o. 28, 387-394 A New Measure of Probablstc Etropy ad ts Propertes Rajeesh Kumar Departmet of Mathematcs Kurukshetra Uversty Kurukshetra, Ida rajeesh_kuk@redffmal.com

More information

Investigation of Partially Conditional RP Model with Response Error. Ed Stanek

Investigation of Partially Conditional RP Model with Response Error. Ed Stanek Partally Codtoal Radom Permutato Model 7- vestgato of Partally Codtoal RP Model wth Respose Error TRODUCTO Ed Staek We explore the predctor that wll result a smple radom sample wth respose error whe a

More information

Multiple Regression. More than 2 variables! Grade on Final. Multiple Regression 11/21/2012. Exam 2 Grades. Exam 2 Re-grades

Multiple Regression. More than 2 variables! Grade on Final. Multiple Regression 11/21/2012. Exam 2 Grades. Exam 2 Re-grades STAT 101 Dr. Kar Lock Morga 11/20/12 Exam 2 Grades Multple Regresso SECTIONS 9.2, 10.1, 10.2 Multple explaatory varables (10.1) Parttog varablty R 2, ANOVA (9.2) Codtos resdual plot (10.2) Trasformatos

More information

MA/CSSE 473 Day 27. Dynamic programming

MA/CSSE 473 Day 27. Dynamic programming MA/CSSE 473 Day 7 Dyamc Programmg Bomal Coeffcets Warshall's algorthm (Optmal BSTs) Studet questos? Dyamc programmg Used for problems wth recursve solutos ad overlappg subproblems Typcally, we save (memoze)

More information

Entropy ISSN by MDPI

Entropy ISSN by MDPI Etropy 2003, 5, 233-238 Etropy ISSN 1099-4300 2003 by MDPI www.mdp.org/etropy O the Measure Etropy of Addtve Cellular Automata Hasa Aı Arts ad Sceces Faculty, Departmet of Mathematcs, Harra Uversty; 63100,

More information

9 U-STATISTICS. Eh =(m!) 1 Eh(X (1),..., X (m ) ) i.i.d

9 U-STATISTICS. Eh =(m!) 1 Eh(X (1),..., X (m ) ) i.i.d 9 U-STATISTICS Suppose,,..., are P P..d. wth CDF F. Our goal s to estmate the expectato t (P)=Eh(,,..., m ). Note that ths expectato requres more tha oe cotrast to E, E, or Eh( ). Oe example s E or P((,

More information

Attribute-Based Key-Insulated Encryption *

Attribute-Based Key-Insulated Encryption * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 7 437-449 (0) Attrbute-Based Key-Isulated Ecrypto JIAN-HONG CHEN YONG-TAO WANG AND KE-FEI CHEN 3 Departmet of Computer Scece ad Egeerg Shagha Jao Tog Uversty

More information

Department of Agricultural Economics. PhD Qualifier Examination. August 2011

Department of Agricultural Economics. PhD Qualifier Examination. August 2011 Departmet of Agrcultural Ecoomcs PhD Qualfer Examato August 0 Istructos: The exam cossts of sx questos You must aswer all questos If you eed a assumpto to complete a questo, state the assumpto clearly

More information

QR Factorization and Singular Value Decomposition COS 323

QR Factorization and Singular Value Decomposition COS 323 QR Factorzato ad Sgular Value Decomposto COS 33 Why Yet Aother Method? How do we solve least-squares wthout currg codto-squarg effect of ormal equatos (A T A A T b) whe A s sgular, fat, or otherwse poorly-specfed?

More information

Chapter 4 Multiple Random Variables

Chapter 4 Multiple Random Variables Revew for the prevous lecture: Theorems ad Examples: How to obta the pmf (pdf) of U = g (, Y) ad V = g (, Y) Chapter 4 Multple Radom Varables Chapter 44 Herarchcal Models ad Mxture Dstrbutos Examples:

More information

hp calculators HP 30S Statistics Averages and Standard Deviations Average and Standard Deviation Practice Finding Averages and Standard Deviations

hp calculators HP 30S Statistics Averages and Standard Deviations Average and Standard Deviation Practice Finding Averages and Standard Deviations HP 30S Statstcs Averages ad Stadard Devatos Average ad Stadard Devato Practce Fdg Averages ad Stadard Devatos HP 30S Statstcs Averages ad Stadard Devatos Average ad stadard devato The HP 30S provdes several

More information

Econometric Methods. Review of Estimation

Econometric Methods. Review of Estimation Ecoometrc Methods Revew of Estmato Estmatg the populato mea Radom samplg Pot ad terval estmators Lear estmators Ubased estmators Lear Ubased Estmators (LUEs) Effcecy (mmum varace) ad Best Lear Ubased Estmators

More information

ρ < 1 be five real numbers. The

ρ < 1 be five real numbers. The Lecture o BST 63: Statstcal Theory I Ku Zhag, /0/006 Revew for the prevous lecture Deftos: covarace, correlato Examples: How to calculate covarace ad correlato Theorems: propertes of correlato ad covarace

More information

This lecture and the next. Why Sorting? Sorting Algorithms so far. Why Sorting? (2) Selection Sort. Heap Sort. Heapsort

This lecture and the next. Why Sorting? Sorting Algorithms so far. Why Sorting? (2) Selection Sort. Heap Sort. Heapsort Ths lecture ad the ext Heapsort Heap data structure ad prorty queue ADT Qucksort a popular algorthm, very fast o average Why Sortg? Whe doubt, sort oe of the prcples of algorthm desg. Sortg used as a subroute

More information

Qualifying Exam Statistical Theory Problem Solutions August 2005

Qualifying Exam Statistical Theory Problem Solutions August 2005 Qualfyg Exam Statstcal Theory Problem Solutos August 5. Let X, X,..., X be d uform U(,),

More information

UNIVERSITY OF OSLO DEPARTMENT OF ECONOMICS

UNIVERSITY OF OSLO DEPARTMENT OF ECONOMICS UNIVERSITY OF OSLO DEPARTMENT OF ECONOMICS Postpoed exam: ECON430 Statstcs Date of exam: Jauary 0, 0 Tme for exam: 09:00 a.m. :00 oo The problem set covers 5 pages Resources allowed: All wrtte ad prted

More information

Likewise, properties of the optimal policy for equipment replacement & maintenance problems can be used to reduce the computation.

Likewise, properties of the optimal policy for equipment replacement & maintenance problems can be used to reduce the computation. Whe solvg a vetory repleshmet problem usg a MDP model, kowg that the optmal polcy s of the form (s,s) ca reduce the computatoal burde. That s, f t s optmal to replesh the vetory whe the vetory level s,

More information

The internal structure of natural numbers, one method for the definition of large prime numbers, and a factorization test

The internal structure of natural numbers, one method for the definition of large prime numbers, and a factorization test Fal verso The teral structure of atural umbers oe method for the defto of large prme umbers ad a factorzato test Emmaul Maousos APM Isttute for the Advacemet of Physcs ad Mathematcs 3 Poulou str. 53 Athes

More information

Arithmetic Mean and Geometric Mean

Arithmetic Mean and Geometric Mean Acta Mathematca Ntresa Vol, No, p 43 48 ISSN 453-6083 Arthmetc Mea ad Geometrc Mea Mare Varga a * Peter Mchalča b a Departmet of Mathematcs, Faculty of Natural Sceces, Costate the Phlosopher Uversty Ntra,

More information

Random Variables and Probability Distributions

Random Variables and Probability Distributions Radom Varables ad Probablty Dstrbutos * If X : S R s a dscrete radom varable wth rage {x, x, x 3,. } the r = P (X = xr ) = * Let X : S R be a dscrete radom varable wth rage {x, x, x 3,.}.If x r P(X = x

More information

Bayes (Naïve or not) Classifiers: Generative Approach

Bayes (Naïve or not) Classifiers: Generative Approach Logstc regresso Bayes (Naïve or ot) Classfers: Geeratve Approach What do we mea by Geeratve approach: Lear p(y), p(x y) ad the apply bayes rule to compute p(y x) for makg predctos Ths s essetally makg

More information

Linear Approximating to Integer Addition

Linear Approximating to Integer Addition Lear Approxmatg to Iteger Addto L A-Pg Bejg 00085, P.R. Cha apl000@a.com Abtract The teger addto ofte appled cpher a a cryptographc mea. I th paper we wll preet ome reult about the lear approxmatg for

More information

STATISTICAL PROPERTIES OF LEAST SQUARES ESTIMATORS. x, where. = y - ˆ " 1

STATISTICAL PROPERTIES OF LEAST SQUARES ESTIMATORS. x, where. = y - ˆ  1 STATISTICAL PROPERTIES OF LEAST SQUARES ESTIMATORS Recall Assumpto E(Y x) η 0 + η x (lear codtoal mea fucto) Data (x, y ), (x 2, y 2 ),, (x, y ) Least squares estmator ˆ E (Y x) ˆ " 0 + ˆ " x, where ˆ

More information

Chapter 3 Sampling For Proportions and Percentages

Chapter 3 Sampling For Proportions and Percentages Chapter 3 Samplg For Proportos ad Percetages I may stuatos, the characterstc uder study o whch the observatos are collected are qualtatve ature For example, the resposes of customers may marketg surveys

More information

Ideal multigrades with trigonometric coefficients

Ideal multigrades with trigonometric coefficients Ideal multgrades wth trgoometrc coeffcets Zarathustra Brady December 13, 010 1 The problem A (, k) multgrade s defed as a par of dstct sets of tegers such that (a 1,..., a ; b 1,..., b ) a j = =1 for all

More information

Given a table of data poins of an unknown or complicated function f : we want to find a (simpler) function p s.t. px (

Given a table of data poins of an unknown or complicated function f : we want to find a (simpler) function p s.t. px ( Iterpolato 1 Iterpolato Gve a table of data pos of a ukow or complcated fucto f : y 0 1 2 y y y y 0 1 2 we wat to fd a (smpler) fucto p s.t. p ( ) = y for = 0... p s sad to terpolate the table or terpolate

More information

CS286.2 Lecture 4: Dinur s Proof of the PCP Theorem

CS286.2 Lecture 4: Dinur s Proof of the PCP Theorem CS86. Lecture 4: Dur s Proof of the PCP Theorem Scrbe: Thom Bohdaowcz Prevously, we have prove a weak verso of the PCP theorem: NP PCP 1,1/ (r = poly, q = O(1)). Wth ths result we have the desred costat

More information

Class 13,14 June 17, 19, 2015

Class 13,14 June 17, 19, 2015 Class 3,4 Jue 7, 9, 05 Pla for Class3,4:. Samplg dstrbuto of sample mea. The Cetral Lmt Theorem (CLT). Cofdece terval for ukow mea.. Samplg Dstrbuto for Sample mea. Methods used are based o CLT ( Cetral

More information

MATH 247/Winter Notes on the adjoint and on normal operators.

MATH 247/Winter Notes on the adjoint and on normal operators. MATH 47/Wter 00 Notes o the adjot ad o ormal operators I these otes, V s a fte dmesoal er product space over, wth gve er * product uv, T, S, T, are lear operators o V U, W are subspaces of V Whe we say

More information

ENGI 4421 Joint Probability Distributions Page Joint Probability Distributions [Navidi sections 2.5 and 2.6; Devore sections

ENGI 4421 Joint Probability Distributions Page Joint Probability Distributions [Navidi sections 2.5 and 2.6; Devore sections ENGI 441 Jot Probablty Dstrbutos Page 7-01 Jot Probablty Dstrbutos [Navd sectos.5 ad.6; Devore sectos 5.1-5.] The jot probablty mass fucto of two dscrete radom quattes, s, P ad p x y x y The margal probablty

More information

Median as a Weighted Arithmetic Mean of All Sample Observations

Median as a Weighted Arithmetic Mean of All Sample Observations Meda as a Weghted Arthmetc Mea of All Sample Observatos SK Mshra Dept. of Ecoomcs NEHU, Shllog (Ida). Itroducto: Iumerably may textbooks Statstcs explctly meto that oe of the weakesses (or propertes) of

More information

d dt d d dt dt Also recall that by Taylor series, / 2 (enables use of sin instead of cos-see p.27 of A&F) dsin

d dt d d dt dt Also recall that by Taylor series, / 2 (enables use of sin instead of cos-see p.27 of A&F) dsin Learzato of the Swg Equato We wll cover sectos.5.-.6 ad begg of Secto 3.3 these otes. 1. Sgle mache-fte bus case Cosder a sgle mache coected to a fte bus, as show Fg. 1 below. E y1 V=1./_ Fg. 1 The admttace

More information

Simulation Output Analysis

Simulation Output Analysis Smulato Output Aalyss Summary Examples Parameter Estmato Sample Mea ad Varace Pot ad Iterval Estmato ermatg ad o-ermatg Smulato Mea Square Errors Example: Sgle Server Queueg System x(t) S 4 S 4 S 3 S 5

More information

Multiple Choice Test. Chapter Adequacy of Models for Regression

Multiple Choice Test. Chapter Adequacy of Models for Regression Multple Choce Test Chapter 06.0 Adequac of Models for Regresso. For a lear regresso model to be cosdered adequate, the percetage of scaled resduals that eed to be the rage [-,] s greater tha or equal to

More information

Introduction to Matrices and Matrix Approach to Simple Linear Regression

Introduction to Matrices and Matrix Approach to Simple Linear Regression Itroducto to Matrces ad Matrx Approach to Smple Lear Regresso Matrces Defto: A matrx s a rectagular array of umbers or symbolc elemets I may applcatos, the rows of a matrx wll represet dvduals cases (people,

More information

III-16 G. Brief Review of Grand Orthogonality Theorem and impact on Representations (Γ i ) l i = h n = number of irreducible representations.

III-16 G. Brief Review of Grand Orthogonality Theorem and impact on Representations (Γ i ) l i = h n = number of irreducible representations. III- G. Bref evew of Grad Orthogoalty Theorem ad mpact o epresetatos ( ) GOT: h [ () m ] [ () m ] δδ δmm ll GOT puts great restrcto o form of rreducble represetato also o umber: l h umber of rreducble

More information

Ordinary Least Squares Regression. Simple Regression. Algebra and Assumptions.

Ordinary Least Squares Regression. Simple Regression. Algebra and Assumptions. Ordary Least Squares egresso. Smple egresso. Algebra ad Assumptos. I ths part of the course we are gog to study a techque for aalysg the lear relatoshp betwee two varables Y ad X. We have pars of observatos

More information

( ) 2 2. Multi-Layer Refraction Problem Rafael Espericueta, Bakersfield College, November, 2006

( ) 2 2. Multi-Layer Refraction Problem Rafael Espericueta, Bakersfield College, November, 2006 Mult-Layer Refracto Problem Rafael Espercueta, Bakersfeld College, November, 006 Lght travels at dfferet speeds through dfferet meda, but refracts at layer boudares order to traverse the least-tme path.

More information