Review of Elementary Cryptography. For more material, see my notes of CSE 5351, available on my webpage

Transcription

1 Review of Elemetary Cryptography For more material, see my otes of CSE 5351, available o my webpage

2 Outlie Security (CPA, CCA, sematic security, idistiguishability) RSA ElGamal Homomorphic ecryptio 2

3 Two types of ecryptio schemes Private-key ecryptio schemes Also called symmetric-key ecryptio schemes Public-key ecryptio schemes Also called asymmetric-key ecryptio schemes We are more iterested i the latter. 3

4 Symmetric-key ecryptio scheme * Message space: M {0,1}. Key geeratio algorithm G: O iput 1, G(1 ) outputs a key k {0,1}. ( K = {0,1} ; ad is the security parameter.) Ecryptio algorithm E : O iput a key k ad a plaitext m M, Eoutputs a ciphertext c. We write c Ekm (, ) or c E ( m). k Decryptio algorithm D outputs a message ( ) D : O iput a key k ad a ciphertext c, m. We write m: = D( k, c) or m: = D ( c). Correctess requiremet: for each k K ad m M, D E ( m) = m. k k G, E, probabilistic algorithms. D, determiistic. All poly-time. k 4

5 Public-key ecryptio scheme Key geeratio algorithm ( pk sk ) G: O iput 1, G(1 ) outputs a pair of keys,,, each of legth at least Ecryptio algorithm E : O iput a public key pk ad a plaitext m M, E outputs a ciphertext c. We write c E ( m). pk (The message space may deped o pk.) Decryptio algorithm c, D outputs a message Correctess requiremet: ( ). D : O iput a secret key sk ad a ciphertext m. We write m: = D ( c). Pr Dsk Ep k( m) m: m M = pk = 1 except for a egligible portio of key pairs output by G( 1 ). sk pk

6 Symmetric vs. Asymmetric Symmetric ecryptios are much faster tha asymmetric oes. AES is typically 100 times faster tha RSA ecryptio ad 1000 times faster tha RSA decryptio. Use asymmetric cipher to set up a sessio key ad the use symmetric cipher to ecrypt data.

7 Security Issues What does it mea that a ecryptio scheme is secure (or isecure)? Sematic security Ciphertext-idistiguishability No-malleability

8 Differet types of attacks Differet types of attacks (classified by the amout of iformatio available to the attacker): Ciphertext-oly attack (eavesdropper) Kow-plaitext attack Chose-plaitext attack (CPA) Chose-ciphertext attack (CCA) 8

9 Negligible fuctios A oegative fuctio f : N R is said to be egligible if for every positive polyomial P ( ), there is a iteger 0 such that 1 f( ) < for all > 0 (i. e., for sufficietly large ). P ( ) log Examples: 2, 2, are egligible fuctios. Negligible fuctios approach zero faster tha the reciprocal of every polyomial. We write egl( ) to deote a uspecified egligible fuctio. 9

10 Security Parameter The security of a ecryptio scheme typically depeds o its key legth. Is RSA secure if N = 216, 512, or 1024? I geeral, a ecryptio scheme is associated with a iteger called its thik of it as key legth.) Whe we say that the beig broke security parameter λ. security parameter. (For ow, you may probability Pr( λ) of a ecryptio scheme is egligible, it is w. r.t. the ecryptio scheme's 10

11 Sematic Security (simplified) A private-key ecryptio scheme ( GED,, ) with sesutiry parameter is sematically secure agaist a eavesdropper if for every probabilistic polyomial-time (PPT) algorithm A there exists a PPT A such that for all polyomial-time computable fuctios f ad h: Pr ( ) A1, Ek ( m), hm ( ) f( m) : k G(1 ), m {0,1} = egl( ). ( 1, h( m ) Pr A ) = f( m) : m { 0,1} 11

12 Ciphertext-Idistiguishability Adversary: a polyomial-time eavesdropper. ( GED,, ) : a ecryptio scheme with security parameter. Imagie a game played by Bob ad Eve (adversary): Eve is give iput 1 ad outputs a pair of messages m, m of the same legth. 0 1 Bob chooses a key k G(1 ) ad m u { m0, m1}. He computes c Ek ( m) ad gives c to Eve. Eve tries to determie whether c is the ecryptio of m or m. 0 1 A ecryptio scheme is ciphertext-idistiguishable agaist eavesdroppers if o adversary ca succeed with probability o-egligibly greater tha

13 Defiitio: A ecryptio scheme is ciphertext-idistiguishable agaist eavesdroppers if for every PPT algorithm it holds: A ad all m, m M, m = m, Pr A(1, m0, m1, Ek( m)) = m: m u { m0, m1}, k G(1 ) 1 + egl( ) 2 13

14 Equivalece of sematic security ad ciphertext-idistiguishability Theorem: Agaist a eavesdropper, a ecryptio scheme is sematically secure iff it is ciphertext-idistiguishable. Theorem: Uder CPA, CCA1 or CCA2, a ecryptio scheme is sematically secure if ad oly if it is ciphertext-idistiguisha ble. 14

15 Chose-plaitext attacks (CPA) Iformally, we may describe CPA as follows: Give: ( m, c ), ( m, c ),, ( m, c ), where m, m,, m t t 1 2 t are chose by the adversary; ad a ew ciphertext c. Q : what is the plaitext of c? Adaptively-chose-plaitext attack : m, m,, m are chose adaptively. 1 2 Now we describe CPA i terms of oracle. t 15

16 Chose-plaitext attacks (CPA) A CPA o a ecryptio scheme ( GED,, ) is modeled as follows. 1. A key k G(1 ) is geerated. 2. The adversary is give iput 1 ad oracle access to E. She may request the oracle to ecrypt plaitexts of her choice. 3. The adversary chooses two message m, m with m = m ; ad is give a challege ciphertext c E ( m ), where b {0,1}. k b u 4. The adversary cotiues to have oracle access ad may request the ecryptios of additioal plaitexts of her choice, eve m ad m. 5. The adversary fially aswers 0 or 1. k 0 1 Note: The CPA here actually refers to a adaptive CPA. 16

17 Ciphertext-idistiguishability agaist CPA A ecryptio scheme ( GED,, ) is IND-CPA if o polyomial-time adversary ca aswer correctly with probability o-egligibly greater tha 1 2. Defiitio: a ecryptio scheme ( GED,, ) is IND-CPA if for ever polyomial adversary A it holds that: k ( ) k m E Pr A 1, m0, m1, E ( ) = m: k G(1 ), m u { m0, m1}, m, m 0 1 A M ] 1 + egl( ) 2 17

18 Chose-ciphertext attacks (CCA) Iformally we may describe CCA as follows: Give: ( m, c ), ( m, c ),, ( m, c ), where c, c,, c t t 1 2 t are chose by the adversary; ad a ew ciphertext c. Q : what is the plaitext of c? Adaptively-chose-plaitext attack : c, c,, c are chose adaptively. 1 2 Now we describe CCA i terms of oracle. We will allow a CCA adversary to also have CPA capability. (So, by CCA we mea CCA+CPA, rather tha pure CCA.) t 18

19 Chose-ciphertext attacks (CCA) A CCA o a ecryptio scheme ( GED,, ) is modeled as follow s. 1. A key k G(1 ) is geerated. 2. The adversary is give iput 1 ad oracle access to E ad D. She may request the oracles to perform ecryptios ad/or decryptios for her. 3. The adversary chooses two message m, m with m = m ; ad is give a challege ciphertext c E ( m ), where b {0,1}. 4. The k b u adversary cotiues to have oracle access to E ad D, but is ot allowed to request the decryptio of c. 5. The adversary fially aswers 0 or 1. k k k k 19

20 Ciphertext-idistiguishability agaist CCA A ecryptio scheme ( GED,, ) is IND-CCA if o polyomial-time adversary ca aswer correctly with probability o-egligibly greater tha 1 2. Defiitio: a ecryptio scheme ( GED,, ) is IND-CCA if for ever polyomial-time adversary A, it holds that: k ( ) k m E, Dk Pr A 1, m0, m1, E ( ) = m: k G(1 ), m u { m0, m1}, m, m 0 1 A M ] 1 + egl( ) 2 20

21 CCA1 vs. CCA2 The CCA described above is also called CCA2. If i item #4 the adversary has o access to the decryptio oracle, the CCA is called CCA1. 21

22 No-malleability A ecryptio scheme ( GED,, ) is o-malleable if give a ciphertext c= Em ( ), it is computatioally ifeasible for a adversary to produce a ciphertext c such that m = Dc ( ) has some kow relatio with m. RSA is malleable. malleable ot IND-CCA2. Every homomorphic ecryptio scheme is malleable, ad hece caot be IND-CCA2. Highest security level possible for homomorphic ecryptio scheme: IND-CCA1. 22

23 Homomorphic Ecryptio

24 RSA is homomorphic RSA( m m ) = RSA( m ) RSA( m ) * where is the multiplicatio i Z (i.e., modulo ). Easy to verify: ( ) RSA( m m ) = m m RSA( m ) = RSA( m ) e 1 1 e 2 = m2 e e RSA( m ) RSA( m ) = m m = ( m m ) 1 m e e

25 Homomorphic ecryptio M : message space C : ciphertext space M C : some biary operatio i M : some biary operatio i C Defiitio : A ecryptio scheme is if the ecryptio fuctio E satisfies E ( m m ) = E ( m ) E ( m ) pk 1 M 2 pk 1 C k 2 for all keys pk ad messages m, m M. 1 2 M -homomorphic Comm et: does't work for probabilistic ecryptios.

26 ElGamal ecryptio is homomorphic Em ( m) Em ( ) Em ( ), i the followig sese: Em ( ) Em ( ) is a valid ecryptio of mm. 1 2 Verificatio: ( k ) ( ) 1 k1 k2 k If Em ( ) = g, my ad Em ( ) = g, my, the ( k ) ( ) 1 k1 k2 k2 Em ( ) Em ( ) = g, my g, my = ( k ) 1+ k2 k1+ k2 g, m1m 2y is a valid ecryptio of m m

27 Homomorphic ecryptio redefied M : message space C : ciphertext space M C : some biary operatio i M : some biary operatio i C Defiitio : A ecryptio scheme is -homomorphic if the ecryptio fuctio E satisfies ( ( ) ( )) C m m = D E m Em 1 M 2 sk pk 1 2 for all messages m, m M ad all ecryptio/decryptio key pairs ( pk, sk). 1 2 M

28 A geeralized defiitio Defiiti o: A ecryptio scheme is homomorphic if there is a polyomial time algorithm A such that w.r.t M m m = D 1 M 2 sk ( ( ), ( )) ( A Em Em ) pk 1 2 for all messages m, m M ad all key pairs. 1 2 ecryptio/decryptio Questio: How to further geeralize it?

29 Various homomorphic ecryptios A ecryptio scheme is additively homomorphic if it is homomorphic w.r.t multiplicatively homomorphic if it is homomorphic w.r.t algebraicly + M ad M homomorphic if it is homomorphic w.r.t both + M M RSA (1977) ad ElGamal (1984) are homomorphic. multiplicatively Padded RSA is ot homomorphic. Goldwasser-Micali (1982): additively homomorphic

30 Fully homomorphic ecryptio I 2009, Craig Getry proposed a fully homomorphic ecryptio scheme. Iformally: A ecryptio scheme is homomorphic w. r.t if there is a polyomial time algorithm A such that C A M (, ( ) ( )) ( ) A ( m,, m ) = D A pk E m,, E m M 1 t pk C 1 t Iformally: A ecryptio scheme is fully homomorphic if it is homomorphic w.r.t. ay algorithm A M.