Public Key Cryptography

Transcription

1 Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60

2 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 2 of 60

3 Course main reference 3 of 60

4 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 4 of 60

5 RSA Encryption Scheme Designed by Rivest-Shamir-Adleman in 1977 One of the most widely used algorithms today, for both signatures and public key encryption Security requires hardness of integer factorization 5 of 60

6 Pseudorandom Permutations from One Way Functions Informally speaking, one-way functions are easy to compute, hard to invert! We don t know how to prove that one-way functions exist! Assuming the hardness of some problems, we can build one-way functions. Corollary Let n > 1, and for e > 0 define f e : Z n Z n by f e (x) = x e mod n. If GCD(e, φ(n)) = 1, then f e is a permutation. The inverse of f e is f d where d = e 1 mod φ(n) 6 of 60

7 Plain RSA encryption algorithm Let p, q two distinct odd primes, and let n = pq Compute φ(n) = (p 1)(q 1), and choose e > 1 s.t. gcd(e, φ(n)) = 1 Public key is (n, e) and private key is (p, q) Given private key, can also compute d := e 1 mod φ(n) Encryption of m Z n: c = m e mod n Decryption of c Z n: m = c d mod n Correctness follows from by Euler s theorem m = (m e ) d = m ed mod φ(n) = m mod n 7 of 60

8 RSA security Solving the factorization problem is sufficient and necessary to reconstruct the private key Solving the factorization problem might not be necessary for other goals, such as decrypting without the private key In fact, Plain RSA is insecure! What if m is not chosen uniformly from Z n? Plain RSA is deterministic! Therefore, it is not CPA-secure! 8 of 60

9 Relationship between RSA and Factoring Assumptions Theorem Given as input a composite integer n and integers e, d such that ed = 1 mod φ(n), there is a PPT algorithm that can output a factor of n except with negligible probability (in n ). 9 of 60

10 Padded RSA: RSA#1 v1.5 Idea: To encrypt a message m, first map it to an element m Z n. The sender can choose a uniform bit-string r {0, 1} l, and sets m = r m (it is a reversible operation). The security of the padded scheme depends on the length of l. The cost of a brute-force attack is O (2 ) l For instance, l(n) = O(log n) is a bad choice, the scheme is not secure in this case. This scheme is provably secure based on the RSA problem in one case: l is very large, and m is just a single bit! For other cases, no security proofs based on RSA problem, BUT no known attacks are known either! 10 of 60

11 RSA-OAEP It is a construction that is based on RSA problem and CCA-secure using optimal asymmetric encryption padding OAEP. Already standardized as a part of RSA PKCS#1 since version 2.0 It uses three integer-valued functions l(n), k 0 (n), k 1 (n) with k 0 (n), k 1 (n) = Θ(n). There is also a condition on l(n) + k 0 (n) + k 1 (n), it has to be smaller than the minimum bit-length of RSA moduli. We need two hash functions H and G that are modelled as Random Oracles OAEP is therefore a two-round Feistel network. G and H are the round functions. 11 of 60

12 RSA-OAEP Source: Wikipedia 12 of 60

13 RSA-OAEP Fix n and let l = l(n), k 0 = k 0 (n), k 1 = k 1 (n). Given H : {0, 1} l+k 1 {0, 1} k 0 and G : {0, 1} k 0 {0, 1} l+k 1. How to pad a message m {0, 1} l? Set m m 0 k 1 Choose a random r {0, 1} k 0 Compute s m G(r) {0, 1} l+k 1 Compute t r H(s) {0, 1} k 0 Finally, set m s t. 13 of 60

14 RSA-OAEP How does it work? KeyGen(n) : output the public key (n, e) and private key (p, q). Enc(m, N, e) : pad m to get m. The ciphertext will be c m e mod n. Dec(c, n, d) : compute m c d mod n. If m > l + k 0 + k 1, output, otherwise; parse m as s t, s {0, 1} l+k1, t {0, 1} k0 compute r H(s) t compute m G(r) s if the least-significant k 1 bits of m are not all 0, output otherwise, output the l most-significant bits of m. 14 of 60

15 A CCA secure KEM in the ROM The KEM scheme consists of the following algorithms: KeyGen(1 n ): it generates the RSA modulus (N, e, d), where PK = (N, e) and SK = (N, d). it also generates a hash function H : Z N {0, 1} n. Encaps(PK, 1 n ): it picks a random r Z N and outputs c r e mod N and the key k H(r). Decaps(SK, c Z N): it first computes r c d mod N and then outputs k H(r). This is a part of ISO/IEC standard for public-key encryption. 15 of 60

16 Security of RSA-OAEP It is CCA-secure assuming that G and H are modelled as random oracles. There were some attacks on PKCS# v2.0 in 2001 by James Manger that exploits its implementation- it is a side channel attack! The receiver receives the error message in two different cases! The time to return the message errors was not identical. The attacker can recover a message m using ONLY N queries. Lesson: side channels attacks are nasty! Implementations should take into consideration every possibility of information leakage! 16 of 60

17 RSA weak key generator attack Suppose Alice uses private key (p, q a ) and Bob uses private key (p, q b ). Is it safe? 17 of 60

18 RSA weak key generator attack Suppose Alice uses private key (p, q a ) and Bob uses private key (p, q b ). Is it safe? Everybody sees n a := pq a and n b := pq b 17 of 60

19 RSA weak key generator attack Suppose Alice uses private key (p, q a ) and Bob uses private key (p, q b ). Is it safe? Everybody sees n a := pq a and n b := pq b Alice can compute q b = n b /p Bob can compute q a = n a /p 17 of 60

20 RSA weak key generator attack Suppose Alice uses private key (p, q a ) and Bob uses private key (p, q b ). Is it safe? Everybody sees n a := pq a and n b := pq b Alice can compute q b = n b /p Bob can compute q a = n a /p Anyone can compute gcd(n a, n b ) = p and then q a and q b Attack demonstrated in practice Lenstra et al. Ron was wrong, Whit is right Show that 2/1000 RSA keys are insecure 17 of 60

21 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 18 of 60

22 The Discrete Logarithm Problem (Dlog) Let p be a prime and let K := F p = Z/pZ Exponentiation in K in O(n) = O(log p) multiplications What about the inverse operation? Discrete logarithm problem: Given g and h = g k mod p, compute k Believed to be very hard: subexponential complexity L p (1/3, c) More generally: given G, g G and h = g k, compute k Can be harder or easier depending on the group 19 of 60

23 Diffie-Hellman Key Exchange Algorithm Designed by Diffie and Hellman in Widely used today, e.g. in SSL/TLS. Allows two parties to set up a common private key over a public channel. Security requires hardness of discrete logarithm problem. 20 of 60

24 Diffie-Hellman Key Exchange Algorithm Public elements: G cyclic, g G a generator Alice chooses random a and sends g a to Bob Bob chooses random b and sends g b to Alice Alice computes (g b ) a = g ab Bob computes (g a ) b = g ab 21 of 60

25 Variants of Diffie-Hellman Problem Computational Diffie-Hellman (CDH): Given g, g a, g b G, compute g ab. Decisional Diffie-Hellman (DDH): Given g, h, g a, g b G, decide if h = g ab. There is a huge list of members in the DH family of problems! 22 of 60

26 Diffie-Hellman security Solving discrete logarithm problem is sufficient to break Diffie-Hellman key exchange Solving discrete logarithm problem might not be necessary to break Diffie-Hellman key exchange Additional stuff is required for authentication, for example certificates 23 of 60

27 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 24 of 60

28 ElGamal Encryption Scheme Main idea: Given a finite group G, let m be an arbitrary element of G. Lemma: if we multiply m by an uniform group element of G, say k, the result k m is a uniform group element. Proof: Let g be an arbitrary element of G, And because k is uniform Pr[k m = g] = Pr[k = g m 1 ]. Pr[k = g m 1 ] = 1/ G. 25 of 60

29 ElGamal Scheme- Construction We define ElGamal public key encryption scheme as follows: KeyGen(n) : first, it outputs a description of a cyclic group G with order q, where q = n and a generator g, i.e (G, q, g). Then, it picks a uniform x Z q to compute h g x. the public key is PK = (G, g, q, h) and the private/secret key is SK = x. The messages are elements of G. Enc(PK, m G) : it chooses a uniform y Z q, and output the following ciphertext Dec(SK, c) : it outputs Check its correctness! 26 of 60 c = (c 1, c 2 ) (g y, h y m). m = c 2 /c x 1

30 ElGamal scheme- Example Example [Katz-Lindell book] Let q = 83 and p = 2q + 1 = 167. Let G denote the group of quadratic residues mod p. As both p and q are primes, then G is a subgroup of Z p with order q. Note that G is prime, so any element 1 g G is a generator. Take g = 2 2 = 4 mod 167, pick x = 37 Z 83, compute h = g x = 4 37 mod 167 = 76 The public becomes PK = (p, q, g, h) = (167, 83, 4, 76) Enc(PK, m = 65 G): a it picks y = 71 and compute the ciphertext, c = (c 1, c 2 ) = (4 71, ) = (132, 44) mod 167 a 65 is indeed in G as 65 = 30 2 mod of 60

31 ElGamal Scheme-Example Example Dec(SK, c): m =c 2 /c x 1 =44/ mod 167 =44/124 mod 167 = mod 167 =44 66 mod 167 =65 28 of 60

32 Security of ElGamal Scheme Theorem If the DDH problem is hard, then the ElGamal encryption scheme is CPA-secure. Sketch Proof. Idea: we consider a PPT algorithm D that wants to solve DDH, and PPT algorithm A (the adversary) who is attacking ELGamal scheme S. the algorithm D first receives an instance of the DDH problem, i.e (G, q, g, h 1 = g x 1, h 2 = g x 2, h 3 ),and his challenge is to figure out whether or not h 3 is equal to g xy. 29 of 60

33 Security of ElGamal Scheme Sketch Proof. Algorithm D will simulate the ElGamal scheme to A as follows: On input (G, q, g, h 1, h 2, h 3 ), it sets PK = (G, q, g, h 1 ). On input (m 0, m 1 ) received from A, it picks b {0, 1}, and sets c 1 = h 2 and c 2 = h 3 m b and sends them over to A It receives the bit b from A, it then outputs 1 if b = b and 0 otherwise. Now, let S be a modified version of ElGamal, works as follows: Same key generation algorithm Encryption algorithm: it chooses a uniform y, z Z q, and output the following ciphertext (g y, g z m). Note that the decryption algorithm doesn t work here, but we don t actually need it in the experiment. 30 of 60

34 Security of ElGamal Scheme Sketch Proof. For the modified encryption scheme, since c 2 is a uniformly distributed group element, we have And if DDH holds, then Pr[PubK CPA A,S (n) = 1] = 1/2 Pr[D(G, q, g, g x, g y, g z ) = 1] Pr[D(G, q, g, g x, g y, g xy ) = 1] < negl(n) (1) Case 1 random tuple: We can easily see that the View A when run as a subroutine by D is distributed identically to its view in experiment PubK cpa A,S. Therefore 31 of 60 Pr[D(G, q, g, g x, g y, g z ) = 1] = Pr[PubK CPA A,S (n) = 1] = 1/2 (2)

35 Security of ElGamal Scheme Sketch Proof. Case 2 DH tuple: We can also see that the View A when run as a subroutine by D is distributed identically to its view in experiment PubK cpa A,S. Therefore Pr[PubK CPA A,S (n) = 1] = Pr[D(G, q, g, gx, g y, g xy ) = 1] (3) Equations (1), (2) and (3) give us Pr[PubK CPA A,S (n)] < 1/2 + negl(n) 32 of 60

36 ElGamal Scheme- CCA secure? Is ElGamal encryption scheme CCA-secure? Why? 33 of 60

37 ElGamal Scheme- CCA secure? Is ElGamal encryption scheme CCA-secure? Why? NO, because it is malleable! 33 of 60

38 A CPA-secure KEM Scheme based on DDH The scheme consists of the following algorithms: KeyGen(1 n ): it generates (G, q, g). It then chooses x Z q and computes h = g x. It also specifies a hash function H : G {0, 1} l(n) The public key PK = (G, q, g, h, H) and the private key is x. Encaps(PK): it chooses a uniform y Z q and outputs the ciphertext c g y and the key H(h y ). Decaps(SK, c): it outputs H(c x ). If H is modelled as a random oracle model, then the scheme is CPA-secure based on (the weaker assumption) CDH 34 of 60

39 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 35 of 60

40 Cramer-Shoup cryptosystem The first public key encryption scheme that is CCA-secure without random oracles. It is based on ElGamal. Its CCA-security relies on the hardness of DDH. 36 of 60

41 Cramer-Shoup Cryptosystem KeyGen(n) : first, it outputs a description of a cyclic group G with prime order q, s.t. q = n and a couple of generators g 1, g 2, i.e (G, q, g 1, g 2 ). Then, it picks a uniform x 1, x 2, y 1, y 2, z 1, z 2 Z q, it computes c g x1 1 gx2 2 d g y1 1 gy2 2 h g z1 1 gz2 2 The public key is PK = (G, q, g 1, g 2, c, d, h, H) where H() is a collision-resistant hash function. The private/secret key is SK = (x 1, x 2, y 1, y 2, z 1, z 2 ). The messages are elements of G. 37 of 60

42 Cramer-Shoup Cryptosystem Enc(PK, m G) : it chooses a uniform k Z q, and output the following ciphertext: u 1 = g k 1, u 2 = g k 2 e = h k m α = H(u 1, u 2, e) v = c k d kα The ciphertext is CT = (u 1, u 2, e, v) 38 of 60

43 Cramer-Shoup Cryptosystem Dec(CT, SK) : It computes α = H(u 1, u 2, e), If u x1 1 ux2 2 (uy1 1 uy2 2 )α v, output It outputs m = e/(u z1 1 uz2 2 ) Correctness: m = e/(u z 1 1 uz 2 2 ) = hk m/g kz 1 1 gkz 2 2 = h k m/h k = m 39 of 60

44 Cramer-Shoup: Security Proof Let A be the adversary attacking the Cramer-Shoup scheme and D the distinguisher that wants to distinguish a DH tuple from a random tuple. Proof. Distinguisher D(g 1, g 2, g 3, g 4 ) x 1, x 2, y 1, y 2, z 1, z 2 Z q. PK = (g 1, g 2, c := g x 1 1 gx 2 2, d := gy 1 (m 0, m 1 ) A(PK, Dec(SK, )). b {0, 1}. 1 gy 2 2, h := gz 1 CT = (g 3, g 4, g z 1 3 gz 2 4 m b, g x 1+αy 1 3 g x 2+αy 2 4 ). b A(PK, CT, Dec(SK, ) CT ), Output 1 iff b = b 1 gz 2 2, H). 40 of 60

45 Cramer-Shoup: Security Proof Proof. Claim 1: Pr[D = 1 DH] Pr[D = 1 Random] = negl(n) [It follows from the DDH assumption] Claim 2: Pr[D outputs 1 DH] = Pr[b = b A attacks S directly] Claim 3: Pr[D = 1 Random] 1 = negl(n) 2 41 of 60

46 Cramer-Shoup: Security Proof Proof. When D gets a DH tuple, then there exist γ, r s.t.: (g 1, g 2 = g γ 1, g 3 = g r 1, g 4 = g r 2) It is easy to verify that the distribution of PK and CT are exactly the same of those obtained from a real world Cramer-Shoup challenger (and not from the distinguisher who is simulating the game). Therefore, i.e. Pr[D outputs 1 DH tuple] = Pr[b = b A attacks S directly] Pr[D outputs 1 DH tuple] = Pr[PubK cca A,CS(n) = 1] 42 of 60

47 Cramer-Shoup: Security Proof Proof. When D gets a random tuple, it will look like (g 1, g 2 = g γ 1, g 3 = g r 1, g 4 = g r 2 ), where γ 0 and r r. Getting information about z 1, z 2 : From the PK, A learns log g1 h = z 1 + γz 2. (4) From the decryption oracle on CT = (u 1, u 2, e, v), we distinguish between two cases, valid and invalid ciphertexts. We will prove that he learns nothing from valid ciphertexts and that the probability that it accepts invalid ciphertexts is negligible. CT is invalid if log g1 u 1 log g2 u 2 and Dec(SK, ) doesn t return, it is valid otherwise. 43 of 60

48 Cramer-Shoup: Security Proof Proof. no extra information from valid ciphertexts, why? When Dec() returns, it means that v is not in the right format, but z 1, z 2 are not involved in this check, so no information about them in this case. On the other hand, if then what A can learn from m is log g1 u 1 = log g2 u 2 = r log g1 m = log g1 e r z 1 r γz 2 (5) But equation (5) is linearly dependent on equation (4), so no extra information about z 1, z 2 from this case. 44 of 60

49 Cramer-Shoup: Security Proof During the course of the experiment, A learns the following about x 1, x 2, y 1, y 2 : Proof. From the public key, A learns the following: From the challenge ciphertext, A learns: log g1 c = x 1 + x 2 γ (6) log g1 d = y 1 + y 2 γ (7) log g1 v = (x 1 + αy 1 )r + (x 2 + αy 2 )γr (8) 45 of 60

50 Cramer-Shoup: Security Proof Proof. Now the idea is to prove that the probability that A submits the previous type of bad decryption queries is negligible. Let CT = (u 1, u 2, e, v ) be the challenge ciphertext, we have three possible types of bad decryption queries: (u 1, u 2, e) = (u 1, u 2, e ) with v v. Since we will have same hash values but with v v, the decryption oracle will reject it. (u 1, u 2, e) (u 1, u 2, e ) and α = α. It means that we found a collision in H, but H is collision-resistant, so this happens only with negligible probability. 46 of 60

51 Cramer-Shoup: Security Proof Proof. (u 1, u 2, e) (u 1, u 2, e ) and α α. The decryption oracle will accept the query only if log g1 v = (x 1 + α y 1 ) r + (x 2 + α y 2 )γ r (9) where r r, is linearly dependent with (6),(7),(8). BUT, we can show that in this case, the equations (6),(7),(8) and (9) are linearly independent because 1 γ 0 0 det γ r r γ rα r αγ = (γ2 )(r r)( r r)(α α ) 0 r r γ rα r α γ 47 of 60

52 Cramer-Shoup: Security Proof Proof. In the third case, the decryption query is rejected except with probability 1/q, which is the probability to have v in the right format (from A s point of view, v is uniformly distributed in G), this v has to use the same values for x 1, x 2, y 1, y 2 that are used in (6),(7),(8) (remember that these values are unknown to A). If the adversary makes η queries, then the probability that one of these queries is η not rejected is at most which is negligible as q is q η + 1 exponential in the security parameter whereas the number of queries η is polynomial in it. We deduce that the hidden bit b is independent from A s view except when either a collision is found in H or the decryption oracle accepts an invalid ciphertext. Claim 3 follows. 48 of 60

53 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4 Cramer-Shoup Encryption Scheme 5 Rabin Encryption Scheme 49 of 60

54 Quadratic Residues Definition For any positive integer m, we define the set of quadratic residues modulo m as QR(m) := {x Z m y Z m such that y 2 = x mod m}. Theorem Given a prime p > 2. Every quadratic residue in Z p has exactly two square roots. 50 of 60

55 Quadratic Residues Definition We define the Jacobi symbol of x modulo p as follows: For a prime p > 2 and x Z p, we have J p (x) = { +1 if x QR(p) 1 if x QR(p). Theorem Given a prime p > 2. Then J p (x) = x p of 60

56 Quadratic Residues Definition Let N = pq, with p, q are distinct primes, and y Z N. Then y is a quadratic residue modulo N iff y p = [y mod p] is a quadratic residue modulo p and y q = [y mod q] is a quadratic residue modulo q, i.e. y p QR(p) and y q QR(q). Theorem Let N = pq with p, q distinct odd primes. Given x, x s.t. x 2 = y = x 2 mod N but with x ± x mod N, it is possible to factor N in time polynomial in N. 52 of 60

57 Rabin Encryption Scheme The encryption scheme consists of the following algorithms: KeyGen(1 n ): it outputs (N, p, q) where N = pq, p and q are n-bit primes with p = q = 3 mod 4. The public key is N and the private key is (p, q). Enc(PK, m {0, 1}): it chooses a uniform x QR(N) where lsb(x) = m. It outputs the ciphertext c [x 2 mod N]. Dec(SK, c): it computes a unique x QR(N) s.t. x 2 = c mod N, and outputs lsb(x). Theorem If Factoring is hard, then this encryption scheme is CPA-secure. 53 of 60

58 Collision-Resistant Hash Functions based on Dlog Theorem If the discrete logarithm is hard, then collision-resistant hash functions exist. We define a fixed-length hash function based on Dlog that consists of the algorithms (KeyGen, H) as follows: KeyGen(1 n ): It outputs a description of a cyclic group G of prime order q s.t. q = n and a generator g. It then selects a uniform h G. It outputs the key s = (G, q, g, h). H(s, (x 1, x 2 ) Z q Z q ): It outputs H s (x 1, x 2 ) := g x 1 h x 2 G. 54 of 60

59 Collision-Resistant Hash Functions based on Dlog Can you solve the Dlog problem if a collision in H s is found? 55 of 60

60 Collision-Resistant Hash Functions based on Dlog Can you solve the Dlog problem if a collision in H s is found? H s (x 1, x 2 ) = H s (x 1, x 2), with x x = log g h = [(x x 1) (x 2 x 2 ) 1 mod q]. Note that x 2 x 2 0 mod q, otherwise we will have x 1 = x 1 mod q and therefore no collision is found. As q is prime, the inverse of (x 2 x 2 ) exists. 55 of 60

61 Gap Diffie-Hellman Assumption Definition We call a group G a gap-dh group if the DDH problem in G is easy but the CDH problem is still hard. 56 of 60

62 Further Reading (1) Mihir Bellare, Alexandra Boldyreva, and Silvio Micali. Public-key encryption in a multi-user setting: Security proofs and improvements. In Bart Preneel, editor, Advances in Cryptology EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages Springer Berlin Heidelberg, Dan Boneh. Simplified OAEP for the RSA and Rabin Functions. In Joe Kilian, editor, Advances in Cryptology CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages Springer Berlin Heidelberg, of 60

63 Further Reading (2) Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1): , Whitfield Diffie and Martin E Hellman. New directions in cryptography. Information Theory, IEEE Transactions on, 22(6): , of 60

64 Further Reading (3) 59 of 60 Itai Dinur, Orr Dunkelman, Nathan Keller, and Adi Shamir. New attacks on feistel structures with improved memory complexities. In Advances in Cryptology - CRYPTO th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pages , Naofumi Homma, Atsushi Miyamoto, Takafumi Aoki, Akashi Satoh, and Adi Shamir. Collision-based power analysis of modular exponentiation using chosen-message pairs. In Cryptographic Hardware and Embedded Systems - CHES 2008, 10th International Workshop, Washington, D.C., USA, August 10-13, Proceedings, pages 15 29, 2008.