Introduction. 788.11 Cryptography and Security, Fall 2009. Steve Lai.


Outline: basics of encryption; homomorphic encryption.

Basics of Encryption. For more information, see my CSE 651 or 794Q notes.

Summary. Symmetric encryption: stream ciphers (e.g., RC4) and block ciphers (e.g., DES, AES). Asymmetric encryption: RSA and ElGamal (based on Diffie-Hellman). Performance issues. Security issues.

Symmetric-Key Encryption. Stream ciphers (e.g., Vernam's one-time pad, RC4). Block ciphers (e.g., DES, AES).

Stream ciphers

Stream ciphers. Stream ciphers typically process the plaintext byte by byte, so the plaintext is a stream of bytes $P_1, P_2, P_3, \ldots$. A key $K$ is used as the seed to generate a sequence of pseudorandom bytes (the key-stream) $K_1, K_2, K_3, \ldots$. The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$. Various stream ciphers differ in their key-stream generators. Stream ciphers require that a new key be used for each plaintext, or the scheme is insecure: if two plaintexts are encrypted under the same key-stream, then $C_i \oplus C_i' = P_i \oplus P_i'$, which leaks the XOR of the two plaintexts.

In practice, Alice and Bob wish to share a permanent key $K$ and use it to encrypt many messages. One possible strategy: suppose Alice and Bob share a secret key $K$. Each time Bob (or Alice) wants to send a message, he randomly generates a string $IV$, uses $K \| IV$ as the key (seed) to the pseudorandom generator, and sends $IV$ along with the ciphertext. Unfortunately, the resulting scheme is not necessarily secure.

Example: WEP's use of RC4. WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802.11 wireless LANs. Each packet is encrypted with a separate key equal to the concatenation of a 24-bit IV (initialization vector) and a 40- or 104-bit permanent key. Not secure; see "Breaking 104 bit WEP in less than 60 seconds". RC4 key: IV (24 bits) $\|$ permanent key (40 or 104 bits).
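The key-stream reuse problem behind the two slides above, as an added example (not from the slides): a toy stream cipher seeded WEP-style with IV || key, two packets encrypted under the same (key, IV), and the recovery of the second plaintext from the XOR of the ciphertexts plus one known plaintext. The key-stream generator is a SHA-256 counter, a stand-in for RC4 chosen so the block runs offline; the key, IV and packet contents are constructed values. The last function puts a number on how soon a 24-bit IV repeats under random selection (birthday bound); note that the cited 60-second attack exploits weaknesses in RC4's key scheduling, not just IV repetition.

```python
import hashlib
import math


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy key-stream generator (a stand-in for RC4, not RC4 itself):
    SHA-256 in counter mode, seeded with IV || key the way WEP seeds RC4."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = P_i xor K_i; decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same (key, IV) share a key-stream, so
    C1 xor C2 = (P1 xor K) xor (P2 xor K) = P1 xor P2: the key-stream cancels."""
    return xor_bytes(c1, c2)


def recover_second_plaintext(c1: bytes, c2: bytes, p1_known: bytes) -> bytes:
    """Known plaintext on a reused key-stream: P2 = (C1 xor C2) xor P1."""
    return xor_bytes(keystream_reuse_leak(c1, c2), p1_known)


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `packets` uniformly
    random IVs of `iv_bits` bits coincide, i.e. that a key-stream repeats."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


# Constructed sample data (hypothetical values, not from the slides).
KEY = bytes.fromhex("0f1e2d3c4b")   # a 40-bit "permanent" WEP-style key
IV = bytes.fromhex("a1b2c3")         # a 24-bit IV, reused for both packets below
P1 = b"GET /index.html "
P2 = b"POST /login.php "

if __name__ == "__main__":
    c1 = stream_encrypt(KEY, IV, P1)
    c2 = stream_encrypt(KEY, IV, P2)
    print(recover_second_plaintext(c1, c2, P1))   # P2, recovered without the key
    print(round(iv_collision_probability(5000), 3))
```

With 2^24 possible IVs, a few thousand packets already give better-than-even odds of a repeated key-stream, and a single known packet (e.g. a predictable header) then exposes the other one.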

Block Ciphers. Block ciphers are encryption schemes that use pseudorandom functions or pseudorandom permutations.

Traditional view of block ciphers. A block cipher is a symmetric-key encryption scheme that maps a block of $n$ bits to a block of $n$ bits: $M = C = \{0,1\}^n$ and $K = \{0,1\}^r$. Block length: $n$. Key length: $r$. For a fixed key $k \in K$, $E_k : \{0,1\}^n \to \{0,1\}^n$ is a permutation.

Practical Block Ciphers: DES and AES. DES: Data Encryption Standard. AES: Advanced Encryption Standard.

Public Key Cryptography and RSA

Public-Key Cryptography. Also known as asymmetric-key cryptography. Each user has a pair of keys: a public key and a private key. The public key is used for encryption and is known to the public. The private key is used for decryption and is known only to its owner.

Public-Key Cryptosystem (PKC). Each user $u$ has a pair of keys $(PK_u, SK_u)$. $PK_u$ is the public key, available in a public directory. $SK_u$ is the private key, known to $u$ only. Key-generation algorithm: generates the keys. Encryption algorithm $E$: to send message $M$ to user $u$, compute $C = E(PK_u, M)$. Decryption algorithm $D$: upon receiving $C$, user $u$ computes $D(SK_u, C)$. Requirement: $D(SK_u, E(PK_u, M)) = M$.

Why Public-Key Cryptography? Developed to address two main issues: key distribution and digital signatures. Invented by Diffie & Hellman in 1976.

One-way function with trapdoor. Easy: $x \mapsto f(x) = y$. Hard: $y \mapsto f^{-1}(y) = x$. Easy with the trapdoor: $y \mapsto f^{-1}(y) = x$. Use the trapdoor as the private key. Most (believed) one-way functions come from number theory.

The RSA Cryptosystem: RSA encryption; RSA digital signature.

The RSA Cryptosystem. By Rivest, Shamir & Adleman of MIT in 1977. Best known and most widely used public-key scheme. Based on the assumed one-way property of modular powering: $f : x \mapsto x^e \bmod n$ (easy); $f^{-1} : x^e \bmod n \mapsto x$ (hard).

Idea behind RSA. It works in the group $\mathbb{Z}_n^*$. Encryption (easy): $x \mapsto x^e$. Decryption (hard): $x^e \mapsto x$. Looking for a trapdoor $d$ with $(x^e)^d = x$: if $d$ is a number such that $ed \equiv 1 \pmod{\varphi(n)}$, then $ed = k\varphi(n) + 1$ for some $k$, and $(x^e)^d = x^{ed} = x^{k\varphi(n)+1} = (x^{\varphi(n)})^k \cdot x = 1^k \cdot x = x$.

RSA Cryptosystem. Key generation: (a) Choose large primes $p$ and $q$, and let $n := pq$. (b) Choose $e$ ($1 < e < \varphi(n)$) coprime to $\varphi(n)$, and compute $d := e^{-1} \bmod \varphi(n)$ (i.e., $ed \equiv 1 \pmod{\varphi(n)}$). (c) Public key: $pk = (n, e)$. Secret key: $sk = (d, n)$. Encryption: $E_{pk}(x) := x^e \bmod n$, where $x \in \mathbb{Z}_n^*$. Decryption: $D_{sk}(y) := y^d \bmod n$, where $y \in \mathbb{Z}_n^*$. ($E_{pk}$ and $D_{sk}$ also work for $x, y \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$, but not securely.)

Mathematical Attacks. Factor $n$ into $pq$: then $\varphi(n) = (p-1)(q-1)$ and $d = e^{-1} \bmod \varphi(n)$ can be calculated easily. Determine $\varphi(n)$ directly: equivalent to factoring, since knowing $\varphi(n)$ enables us to factor $n$ by solving $n = pq$, $\varphi(n) = (p-1)(q-1)$. Determine $d$ directly: the best known algorithms are not faster than those for factoring; also, if $d$ is known, $n$ can be factored with high probability.

Remarks. In light of current factorization technologies, RSA recommends that $n$ be of 1024 to 2048 bits. If a message $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$, RSA still works, but since $\gcd(m, n) > 1$, the sender can factor $n$. Also, since $\gcd(c, n) = \gcd(m, n) > 1$ for the ciphertext $c = m^e \bmod n$, the adversary can factor $n$, too. Question: how likely is $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?
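The RSA key generation and the three mathematical attacks from the preceding slides, worked through as an added example (not from the slides) on a toy key: $p = 53$, $q = 61$, $e = 17$, so $n = 3233$ and $d = 2753$. The block recovers $p, q$ from $\varphi(n)$ by solving the quadratic, recovers them from $d$ by finding a non-trivial square root of 1 (the "with high probability" attack), and factors $n$ from a ciphertext whose plaintext was not coprime to $n$ (the gcd remark). The primes and messages are constructed values; real moduli are 2048 bits or more.

```python
import math
import random


def rsa_keygen(p: int, q: int, e: int):
    """Textbook RSA key generation from two primes: n = pq, phi = (p-1)(q-1),
    d = e^{-1} mod phi.  Returns (pk, sk) = ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python >= 3.8)
    assert (e * d) % phi == 1
    return (n, e), (n, d)


def rsa_encrypt(pk, x: int) -> int:
    n, e = pk
    return pow(x, e, n)            # x -> x^e mod n: the easy direction


def rsa_decrypt(sk, y: int) -> int:
    n, d = sk
    return pow(y, d, n)            # (x^e)^d = x^{k phi + 1} = x mod n


def factor_from_phi(n: int, phi: int):
    """phi(n) is as good as the factorization: p + q = n - phi + 1, and p, q
    are the roots of t^2 - (p + q) t + n = 0."""
    s = n - phi + 1
    disc = s * s - 4 * n
    r = math.isqrt(disc)
    if r * r != disc:
        raise ValueError("not a valid phi for this n")
    return (s - r) // 2, (s + r) // 2


def factor_from_d(n: int, e: int, d: int, rng=random.Random(1)):
    """Knowing d factors n with high probability: e*d - 1 = 2^s * t is a
    multiple of the group order, so for a random g the chain g^t, g^(2t), ...
    reaches 1; a square root of 1 other than +-1 gives gcd(x - 1, n) = p or q."""
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        t //= 2
        s += 1
    while True:
        g = rng.randrange(2, n - 1)
        x = pow(g, t, n)
        if x in (1, n - 1):
            continue                       # this g only yields trivial roots
        for _ in range(s):
            y = x * x % n
            if y == 1:                     # x is a non-trivial square root of 1
                p = math.gcd(x - 1, n)
                return min(p, n // p), max(p, n // p)
            if y == n - 1:
                break                      # trivial root reached; try another g
            x = y


def gcd_leak(pk, c: int):
    """If the sender encrypts m with gcd(m, n) > 1 then gcd(c, n) = gcd(m, n)
    too, so anyone who sees the ciphertext factors n.  Returns (p, q) or None."""
    n, _ = pk
    g = math.gcd(c, n)
    if g in (1, n):
        return None
    return min(g, n // g), max(g, n // g)


# Toy parameters (constructed for illustration only).
P, Q, E = 53, 61, 17
PK, SK = rsa_keygen(P, Q, E)

if __name__ == "__main__":
    c = rsa_encrypt(PK, 65)
    print(c, rsa_decrypt(SK, c))                      # 2790 65
    print(factor_from_phi(PK[0], (P - 1) * (Q - 1)))  # (53, 61)
    print(factor_from_d(PK[0], E, SK[1]))             # (53, 61)
    print(gcd_leak(PK, rsa_encrypt(PK, 2 * P)))       # (53, 61)
```

The answer to the slide's question is that for a properly generated $n$ the event $m \notin \mathbb{Z}_n^*$ has probability $(p + q - 1)/n \approx 2^{-|n|/2}$, which is negligible; the gcd check in the block matters only if a small factor was planted or the primes are tiny, as here.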

Security of RSA. We have seen many attacks on RSA. Also, RSA is deterministic and therefore not CPA-secure (i.e., not ciphertext-indistinguishable against CPA). We wish to make RSA secure against CPA and the aforementioned attacks. RSA primitive: the RSA we have described, also called plain RSA or textbook RSA.

Padded RSA. Encryption: $E_{pk}(m) = \mathrm{RSA}(r \| m) = (r \| m)^e \bmod n$, where $r$ is a random string. Thus $\text{Padded-RSA}(m) = \mathrm{RSA}(r \| m)$ for some random $r$. Secure against many of the aforementioned attacks. Theorem: Padded RSA is CPA-secure if $|m| = O(\log n)$. Padded RSA is adopted in PKCS #1 v1.5.

Padded RSA in PKCS #1 v1.5. PKCS: Public Key Cryptography Standards. Let $(e, d, n)$ be a pair of RSA keys. Say $n$ is $k$ bytes long (e.g., $k = 216$). The first byte of the padded block is 00 (so that the block is smaller than $n$). To encrypt a message $m$, pad $m$ as $m' = 00 \| 02 \| r \| 00 \| m$ ($k$ bytes), where $r$ is 8 or more random bytes, each $\neq 00$. The original message $m$ must be at most $k - 11$ bytes. The ciphertext is $c := \mathrm{RSA}(m') = (m')^e \bmod n$. In 1998, Bleichenbacher published a chosen-ciphertext attack, forcing RSA to upgrade its PKCS #1, now using OAEP.
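The PKCS #1 v1.5 encryption block layout from the slide, as an added example (not from the slides or the standard's reference code): a padding routine that enforces the $k - 11$ bound and the non-zero padding string, and a strict parser that rejects anything malformed. The parser deliberately returns the same `None` for every failure: an implementation that lets the caller see which check failed (or that fails fast on the `00 02` prefix) exposes the "conforming / not conforming" predicate that Bleichenbacher's attack queries.

```python
import secrets
from typing import Optional


def pkcs1_v15_pad(m: bytes, k: int) -> bytes:
    """Type-2 encryption block: 00 || 02 || PS || 00 || m, |EM| = k bytes, where
    PS is at least 8 random non-zero bytes.  Hence |m| <= k - 11."""
    if len(m) > k - 11:
        raise ValueError("message too long for modulus size")
    ps_len = k - 3 - len(m)                               # >= 8 by the check above
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))   # bytes in 1..255
    return b"\x00\x02" + ps + b"\x00" + m


def pkcs1_v15_unpad(em: bytes, k: int) -> Optional[bytes]:
    """Strict parse of the encryption block.  Every failure yields the same None:
    a decryptor that reveals *which* check failed hands the attacker the oracle
    the Bleichenbacher (1998) attack needs."""
    if len(em) != k or em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)                             # end of the padding string
    if sep == -1 or sep - 2 < 8:
        return None
    return em[sep + 1:]


def is_pkcs_conforming(em: bytes, k: int) -> bool:
    """The 'conforming' bit.  Leaking it per ciphertext (via an error code, a
    different error message or a timing difference) is the whole attack surface."""
    return pkcs1_v15_unpad(em, k) is not None


if __name__ == "__main__":
    k = 128                                               # a 1024-bit modulus is 128 bytes
    em = pkcs1_v15_pad(b"session-key-0123", k)            # constructed sample message
    print(em[:2].hex(), len(em), pkcs1_v15_unpad(em, k))
```

In a real decryptor the parse runs on $c^d \bmod n$ and the result (or the failure) must be handled in constant time and surfaced as a single generic error; that is the mitigation the standard adopted before moving to OAEP.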

OAEP: basic idea. Message padding: instead of encrypting $m$ directly, we encrypt $(m \oplus r) \| r$, where $r$ is a random bit string. As such, however, there is a 50% overhead, so we wish to use a shorter bit string $r$. Besides, $r$ should be protected, too. This leads to a scheme called Optimal Asymmetric Encryption Padding (OAEP). It can be applied not only to RSA but to other trapdoor functions.

OAEP. Choose $k, l$ ($k < l$) such that $k + l = n$ ($n$ is the bit length of the RSA modulus). $G : \{0,1\}^k \to \{0,1\}^l$, a pseudorandom generator. $h : \{0,1\}^l \to \{0,1\}^k$, a hash function. Encryption, to encrypt a block $m$ of $l$ bits: 1. choose a random bit string $r \in \{0,1\}^k$; 2. encode $m$ as $x := (m \oplus G(r)) \| (r \oplus h(m \oplus G(r)))$ (if $x \notin \mathbb{Z}_n$, the message space of RSA, return to step 1); 3. compute the ciphertext $y := E_{pk}(x)$. Decryption: $x := D_{sk}(y) = a \| b$, $m = a \oplus G(b \oplus h(a))$.

Remarks on OAEP. OAEP is adopted in the current RSA PKCS #1 (v2.1). It is a padding scheme, not an encryption scheme. Intuitively, with OAEP the ciphertext should not reveal any information about the plaintext if RSA is one-way and $h$ and $G$ are truly random (random oracles). A slightly more complicated version of OAEP, in which $x = ((m \| 0^k) \oplus G(r)) \| (r \oplus h((m \| 0^k) \oplus G(r)))$, has been proved CCA-secure in the random oracle model (i.e., if $G, h$ are random oracles). In practice, hash functions such as SHA-1 are used for $G, h$.
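The OAEP encoding and decoding of the two preceding slides, byte-oriented, as an added example (not from the slides and not the PKCS #1 v2.1 encoding, which adds a label hash and a fixed-length seed): $G$ is SHA-256 in counter mode, $h$ is truncated SHA-256, and the encoder appends $k$ zero bytes of redundancy as in the CCA-proved variant, so that the decoder can reject a tampered block. The parameters $k = 16$, $l = 48$ bytes and the message are constructed; the RSA step ($x \mapsto x^e \bmod n$) is left out so the padding itself can be tested in isolation.

```python
import hashlib
import secrets
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def G(r: bytes, out_len: int) -> bytes:
    """Pseudorandom generator {0,1}^k -> {0,1}^l: SHA-256 in counter mode
    (MGF1-style), standing in for the random oracle G."""
    out = bytearray()
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(r + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:out_len])


def h(a: bytes, out_len: int) -> bytes:
    """Hash {0,1}^l -> {0,1}^k: SHA-256 truncated to k bytes (k <= 32 here)."""
    return hashlib.sha256(a).digest()[:out_len]


def oaep_encode(m: bytes, k: int, l: int, r: Optional[bytes] = None) -> bytes:
    """x = ((m || 0^k) xor G(r)) || (r xor h((m || 0^k) xor G(r))),  |x| = k + l.
    The k zero bytes are the redundancy checked on decoding."""
    if len(m) != l - k:
        raise ValueError("message must be l - k bytes")
    if r is None:
        r = secrets.token_bytes(k)            # fresh random seed, k bytes
    m0 = m + bytes(k)                         # m || 0^k, l bytes
    a = xor_bytes(m0, G(r, l))                # left half, l bytes
    b = xor_bytes(r, h(a, k))                 # right half, k bytes: r is masked too
    return a + b


def oaep_decode(x: bytes, k: int, l: int) -> Optional[bytes]:
    """Invert: r = b xor h(a); m0 = a xor G(r).  Accept only if the 0^k
    redundancy is intact; otherwise reject with no further detail."""
    if len(x) != k + l:
        return None
    a, b = x[:l], x[l:]
    r = xor_bytes(b, h(a, k))
    m0 = xor_bytes(a, G(r, l))
    if m0[l - k:] != bytes(k):
        return None
    return m0[:l - k]


if __name__ == "__main__":
    k, l = 16, 48
    m = b"32-byte message for OAEP demo!!!"   # constructed sample, l - k bytes
    x = oaep_encode(m, k, l)
    print(oaep_decode(x, k, l) == m)
```

Flipping a single bit of $a$ changes $h(a)$, hence the recovered $r$, hence all of $G(r)$, so the zero redundancy fails with overwhelming probability; that all-or-nothing effect is what distinguishes OAEP from the malleable padding of v1.5.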

Random Oracle. A random oracle is a random function $f : \{0,1\}^n \to \{0,1\}^{l(n)}$. Recall: there are $2^{l(n) 2^n}$ such functions. Each random oracle is a black box that implements one of the $2^{l(n) 2^n}$ random functions, say $f_0$. The $2^n$ values of $f_0$ are totally independent and random. The only way to know the value of $f_0(x)$ is to explicitly evaluate $f_0$ at $x$ (i.e., to ask the oracle). There is no practical/feasible way to implement a random oracle. Infeasible: use a trusted authority. Infeasible: use an $l(n) 2^n$-bit disk.

Cryptosystems Based on Discrete Logarithms

Outline: Discrete Logarithm Problem; Diffie-Hellman key agreement; ElGamal encryption.

Discrete logarithm problem (DLP). A group $G$ is cyclic if there is an element $\alpha \in G$ of order $|G|$. In this case, $G = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{|G|-1}\}$; $\alpha$ is called a generator. If $(G, \cdot)$ is a finite group (not necessarily cyclic) and $\alpha \in G$ an element of order $n$, then $\langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{n-1}\}$ is a cyclic (sub)group of order $n$. For any $y \in \langle \alpha \rangle$, there is a unique $x \in \mathbb{Z}_n$ such that $\alpha^x = y$. This integer $x$ is called the discrete logarithm (or index) of $y$ with respect to base $\alpha$. We write $\log_\alpha y = x$. The DLP is to compute $\log_\alpha y$ for a given $y$.

Frequently used settings. $G = \mathbb{Z}_p^* = \langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$, where $p$ is a large prime and $\alpha$ is a generator of $G$ ($\mathbb{Z}_p^*$ is cyclic when $p$ is prime). $G = \langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{q-1}\} \subseteq \mathbb{Z}_p^*$, where $\alpha \in \mathbb{Z}_p^*$ is an element of prime order $q$. For these settings, there is no known polynomial-time algorithm for DLP.

Example 1. $G = \mathbb{Z}_{19}^* = \{1, 2, \ldots, 18\}$. 2 is a generator; that is, $\mathbb{Z}_{19}^* = \langle 2 \rangle$. $2^0 = 1$, $2^1 = 2$, $2^2 = 4$, $2^3 = 8$, $2^4 = 16$, $2^5 = 13$, $2^6 = 7$, $2^7 = 14$, $\ldots$ So $\log_2 7 = 6$, $\log_2 14 = 7$, $\log_2 12 = {?}$

Example 2. $G = \langle 3 \rangle \subseteq \mathbb{Z}_{11}^* = \{1, 2, \ldots, 10\}$, with $\langle 3 \rangle = \{1, 3, 9, 5, 4\}$. 3 is a generator of $G$, but not a generator of $\mathbb{Z}_{11}^*$. $\log_3 5 = 3$; $\log_3 10$ is not defined.

DLP in $\mathbb{Z}_p^*$. Let $\alpha$ be a generator of $\mathbb{Z}_p^*$ (a primitive root modulo $p$). $\mathbb{Z}_p^* = \{1, 2, \ldots, p-1\} = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$ and $\mathbb{Z}_{p-1} = \{0, 1, 2, \ldots, p-2\}$. Given $y \in \mathbb{Z}_p^*$, find the unique $x \in \mathbb{Z}_{p-1}$ such that $y = \alpha^x \bmod p$. That is, given $\alpha^x \in \mathbb{Z}_p^*$, find $x$. There is a subexponential-time algorithm for DLP in $\mathbb{Z}_p^*$ (Index Calculus, running time $2^{O(\sqrt{n \log n})}$, where $n = \log p$).
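Examples 1 and 2 and the primitive-root test of the slide above, computed rather than tabulated, as an added example (not from the slides). Besides the brute-force scan the block includes Shanks' baby-step giant-step algorithm, a generic $O(\sqrt{n})$ discrete-log method that goes beyond what the slides show and works in any cyclic subgroup $\langle \alpha \rangle$; it returns `None` when $y \notin \langle \alpha \rangle$, which is exactly the "not defined" case of Example 2. The generator test uses the standard criterion $\alpha^{(p-1)/q} \neq 1$ for every prime $q \mid p-1$.

```python
import math
from typing import Dict, List, Optional


def cyclic_subgroup(alpha: int, p: int) -> List[int]:
    """<alpha> = {alpha^0, alpha^1, ...} in Z_p^*, listed until the powers return to 1."""
    elems, x = [], 1
    while True:
        elems.append(x)
        x = x * alpha % p
        if x == 1:
            return elems


def order(alpha: int, p: int) -> int:
    return len(cyclic_subgroup(alpha, p))


def prime_factors(n: int) -> List[int]:
    """Distinct prime factors by trial division (fine for the toy sizes here)."""
    fs, d = [], 2
    while d * d <= n:
        if n % d == 0:
            fs.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        fs.append(n)
    return fs


def is_generator(alpha: int, p: int) -> bool:
    """alpha is a primitive root mod p iff alpha^((p-1)/q) != 1 for every prime
    q dividing p - 1, i.e. no proper divisor of p - 1 is the order of alpha."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def dlog_bruteforce(alpha: int, y: int, p: int) -> Optional[int]:
    """log_alpha(y): the unique x in Z_n with alpha^x = y, or None if y not in <alpha>."""
    for x, v in enumerate(cyclic_subgroup(alpha, p)):
        if v == y % p:
            return x
    return None


def dlog_bsgs(alpha: int, y: int, p: int) -> Optional[int]:
    """Baby-step giant-step: O(sqrt(n)) time and memory for a subgroup of order n.
    Write x = i*m + j with m = ceil(sqrt(n)); tabulate baby steps alpha^j, then
    walk giant steps y * alpha^(-m*i) until one lands in the table."""
    n = order(alpha, p)
    m = math.isqrt(n) + 1
    baby: Dict[int, int] = {}
    v = 1
    for j in range(m):
        baby.setdefault(v, j)
        v = v * alpha % p
    giant_step = pow(alpha, -m, p)            # alpha^(-m) mod p
    gamma = y % p
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = gamma * giant_step % p
    return None                               # y is outside <alpha>


if __name__ == "__main__":
    print(cyclic_subgroup(2, 19), is_generator(2, 19))
    print(dlog_bruteforce(2, 12, 19), dlog_bsgs(2, 12, 19))   # answer to "log_2 12 = ?"
    print(cyclic_subgroup(3, 11), is_generator(3, 11), dlog_bsgs(3, 10, 11))
```

For the 19-element group the two methods cost about the same; for a 160-bit prime-order subgroup the scan is hopeless while baby-step giant-step needs about $2^{80}$ steps, which is why group orders are chosen so that even $\sqrt{n}$ is out of reach.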

RSA vs. Discrete Logarithm. RSA is a one-way trapdoor function: $\mathrm{RSA} : x \mapsto x^e$ (easy); $\mathrm{RSA}^{-1} : x^e \mapsto x$ (difficult); $\mathrm{RSA}^{-1} : x^e \mapsto (x^e)^d = x$ ($d$ is a trapdoor). Logarithm is the inverse of exponentiation: $\exp_\alpha : x \mapsto \alpha^x$ (easy); $\log_\alpha : \alpha^x \mapsto x$ (difficult). $\log$ is hard to compute, so $\exp$ is a one-way function, but without a trapdoor. An encryption scheme based on the difficulty of $\log$ will not simply encrypt $x$ as $\alpha^x$.

Diffie-Hellman key agreement. $\mathbb{Z}_p^* = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$, $\mathbb{Z}_{p-1} = \{0, 1, 2, \ldots, p-2\}$. Alice and Bob wish to set up a secret key. 1. Alice and Bob agree on a large prime $p$ and a primitive root (generator) $\alpha \in \mathbb{Z}_p^*$ ($p, \alpha$ not secret). 2. Alice $\to$ Bob: $\alpha^a \bmod p$, where $a \in_R \mathbb{Z}_{p-1}$. 3. Bob $\to$ Alice: $\alpha^b \bmod p$, where $b \in_R \mathbb{Z}_{p-1}$. 4. They agree on the key $\alpha^{ab} \bmod p$. Diffie-Hellman problem: given $\alpha^a, \alpha^b \in \mathbb{Z}_p^*$, compute $\alpha^{ab}$. Diffie-Hellman assumption: the Diffie-Hellman problem is intractable.

Ideas behind ElGamal encryption (in $\mathbb{Z}_p^*$). 0. Bob is to send a message $m$ to Alice, who has private key $x$ and public key $y := \alpha^x$. 1. Regard $m$ as an element in $\mathbb{Z}_p^*$. 2. Use Diffie-Hellman to set up a temporary key: Bob generates $k$ and computes $y^k$ ($= \alpha^{xk}$). 3. Bob uses this key to encrypt $m$ as $m \cdot y^k$. 4. Bob sends $\alpha^k$ along with $m \cdot y^k$ so that Alice can compute $\alpha^{xk}$. That is, $E(m) = (\alpha^k, m \cdot y^k)$.

ElGamal encryption. 1. Key generation (e.g., for Alice): choose a large prime $p$ and a primitive root $\alpha \in \mathbb{Z}_p^*$, where $p-1$ has a large prime factor; randomly choose a number $x \in \mathbb{Z}_{p-1}$ and compute $y = \alpha^x$; set $sk = (p, \alpha, x)$ and $pk = (p, \alpha, y)$. 2. Encryption: $E_{pk}(m) = (\alpha^k, m \cdot y^k)$, where $m \in \mathbb{Z}_p^*$ and $k \in_R \mathbb{Z}_{p-1}$. 3. Decryption: $D_{sk}(a, b) = b \cdot a^{-x}$. 4. Remarks: all operations are done in $\mathbb{Z}_p^*$, i.e., modulo $p$. The encryption scheme is non-deterministic.

Security of ElGamal encryption against CPA. Based on the Diffie-Hellman assumption. The Diffie-Hellman problem reduces to the discrete logarithm problem (an algorithm for DLP solves it). Open problem: does the discrete logarithm problem reduce to the Diffie-Hellman problem? Theorem: if the Diffie-Hellman assumption is true (more precisely, its decisional form, DDH), then the ElGamal encryption scheme is CPA-secure.

Security of ElGamal encryption against CCA. A function $f : G \to G$ is homomorphic if $f(xy) = f(x) f(y)$. ElGamal encryption is homomorphic, $E(m m') = E(m) E(m')$, in the following sense: if $E(m) = (\alpha^k, m y^k)$ and $E(m') = (\alpha^{k'}, m' y^{k'})$, then $E(m) \cdot E(m') = (\alpha^k, m y^k) \cdot (\alpha^{k'}, m' y^{k'}) = (\alpha^k \alpha^{k'}, m y^k m' y^{k'}) = (\alpha^{k+k'}, m m' y^{k+k'})$ is a valid encryption of $m m'$. As such, ElGamal encryption is not CCA-secure (i.e., not indistinguishable against CCA).
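The Diffie-Hellman exchange, ElGamal key generation, encryption and decryption, and the homomorphic product of the last four slides, as an added example (not from the slides), ending with the chosen-ciphertext attack the homomorphism permits: the adversary may not ask for $D(c)$, but $(a, b \cdot t)$ is a different ciphertext that decrypts to $m t$, and dividing by $t$ recovers $m$. The modulus $p = 2579$ with generator $\alpha = 2$ is a toy parameter (constructed; $p-1 = 2 \cdot 1289$ with 1289 prime, so 2 is a primitive root), and the decryption oracle is a stand-in for whatever decrypts attacker-supplied ciphertexts in a real system.

```python
import random
from typing import Callable, Tuple

# Toy public parameters (constructed; real p is 2048+ bits).
P = 2579
ALPHA = 2
Cipher = Tuple[int, int]


def dh_shared_key(p: int, alpha: int, a: int, b: int) -> Tuple[int, int, int]:
    """Diffie-Hellman: Alice sends alpha^a, Bob sends alpha^b, both derive alpha^(ab).
    Returns (Alice's message, Bob's message, shared key)."""
    A, B = pow(alpha, a, p), pow(alpha, b, p)
    k_alice, k_bob = pow(B, a, p), pow(A, b, p)
    assert k_alice == k_bob
    return A, B, k_alice


def elgamal_keygen(p: int, alpha: int, rng: random.Random):
    x = rng.randrange(1, p - 1)           # private key x in Z_{p-1}
    y = pow(alpha, x, p)                  # public key y = alpha^x
    return (p, alpha, y), (p, alpha, x)


def elgamal_encrypt(pk, m: int, rng: random.Random) -> Cipher:
    """E(m) = (alpha^k, m * y^k): a fresh DH exchange per message, masked by y^k."""
    p, alpha, y = pk
    k = rng.randrange(1, p - 1)
    return pow(alpha, k, p), m * pow(y, k, p) % p


def elgamal_decrypt(sk, c: Cipher) -> int:
    """D(a, b) = b * a^(-x): a^x = alpha^(kx) = y^k is the mask Bob used."""
    p, _, x = sk
    a, b = c
    return b * pow(a, -x, p) % p          # a^(-x) via the modular inverse


def elgamal_multiply(pk, c1: Cipher, c2: Cipher) -> Cipher:
    """(a1*a2, b1*b2) = (alpha^(k1+k2), m1*m2 * y^(k1+k2)): an encryption of m1*m2."""
    p = pk[0]
    return c1[0] * c2[0] % p, c1[1] * c2[1] % p


def cca_recover(pk, c: Cipher, t: int, decrypt_oracle: Callable[[Cipher], int]) -> int:
    """CCA2 break through malleability: (a, b*t) != c decrypts to m*t; divide by t."""
    p = pk[0]
    a, b = c
    m_times_t = decrypt_oracle((a, b * t % p))
    return m_times_t * pow(t, -1, p) % p


if __name__ == "__main__":
    rng = random.Random(7)                # seeded for a repeatable demo, not for real keys
    print(dh_shared_key(P, ALPHA, 765, 853))
    pk, sk = elgamal_keygen(P, ALPHA, rng)
    c = elgamal_encrypt(pk, 1299, rng)
    print(c, elgamal_decrypt(sk, c))
    oracle = lambda cc: elgamal_decrypt(sk, cc) if cc != c else None   # refuses c itself
    print(cca_recover(pk, c, 2, oracle))  # 1299, obtained without ever decrypting c
```

Nothing in the decryption oracle's refusal to decrypt $c$ helps: the attack only ever submits ciphertexts that differ from $c$, which is why CCA2 security requires the scheme to reject related ciphertexts rather than merely the challenge.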

Symmetric vs. Asymmetric. Symmetric encryption is much faster than asymmetric encryption: AES is typically 100 times faster than RSA encryption and 1000 times faster than RSA decryption. Use an asymmetric cipher to set up a session key and then use a symmetric cipher to encrypt data.

Security Issues. What does it mean that an encryption scheme is secure (or insecure)? Semantic security. Ciphertext-indistinguishability. Non-malleability.

Different levels of security. Consider ciphertext-only attacks; i.e., the adversary is an eavesdropper. How to define security? Several options: an encryption scheme is secure if, given a ciphertext $c = E_k(m)$, no adversary can (1) find the secret key $k$; (2) find the plaintext $m$; (3) find any character of the plaintext; (4) find any meaningful information about the plaintext; (5) find any information about the plaintext. We will adopt (and formalize) #5, which is called semantic security and seems to indicate the highest level of security.

Different types of attackers. Different types of attacks (classified by the amount of information that may be obtained by the attacker): ciphertext-only attack; known-plaintext attack; chosen-plaintext attack (CPA); chosen-ciphertext attack (CCA).

Security Parameter. The security of an encryption scheme typically depends on its key length. Is RSA secure if $|n| = 216$, 512, or 1024? In general, an encryption scheme is associated with an integer $n$ called its security parameter (for now, you may think of it as the key length). When we say that the probability $\Pr(\cdot)$ of an encryption scheme being broken is negligible, it is w.r.t. the encryption scheme's security parameter.

Negligible functions. A nonnegative function $f : \mathbb{N} \to \mathbb{R}$ is said to be negligible if for every positive polynomial $P(n)$ there is an integer $n_0$ such that $f(n) < 1/P(n)$ for all $n > n_0$ (i.e., for sufficiently large $n$). Examples: $2^{-n}$, $2^{-\sqrt{n}}$, $n^{-\log n}$ are negligible functions. Negligible functions approach zero faster than the reciprocal of every polynomial. We write $\mathrm{negl}(n)$ to denote an unspecified negligible function.

Symmetric-key encryption scheme. Message space: $M \subseteq \{0,1\}^*$. Key generation algorithm $G$: on input $1^n$, $G(1^n)$ outputs a key $k \in \{0,1\}^n$ ($K = \{0,1\}^n$; $n$ is the security parameter). Encryption algorithm $E$: on input a key $k$ and a plaintext $m \in M$, $E$ outputs a ciphertext $c$. We write $c \leftarrow E(k, m)$ or $c \leftarrow E_k(m)$. Decryption algorithm $D$: on input a key $k$ and a ciphertext $c$, $D$ outputs a message $m$. We write $m := D(k, c)$ or $m := D_k(c)$. Correctness requirement: for each $k \in K$ and $m \in M$, $D_k(E_k(m)) = m$. $G, E$ are probabilistic polynomial-time algorithms; $D$ is deterministic.

Semantic Security. Informally, an encryption scheme is semantically secure if whatever an adversary with $c = E(m)$ can learn about $m$, one can learn equally well without $c$. A private-key encryption scheme $(G, E, D)$ with security parameter $n$ is semantically secure against an eavesdropper if for every probabilistic polynomial-time (PPT) algorithm $A$ there exists a PPT $A'$ such that for all polynomial-time computable functions $f$ and $h$ there exists a negligible function $\mathrm{negl}$ such that $\left| \Pr[A(1^n, E_k(m), h(m)) = f(m) : k \leftarrow G(1^n),\ m \leftarrow \{0,1\}^n] - \Pr[A'(1^n, h(m)) = f(m) : m \leftarrow \{0,1\}^n] \right| \le \mathrm{negl}(n)$.

Ciphertext-Indistinguishability. Adversary: a polynomial-time eavesdropper. $(G, E, D)$: an encryption scheme with security parameter $n$. Imagine a game played by Bob and Eve (the adversary): Eve is given input $1^n$ and outputs a pair of messages $m_0, m_1$ of the same length. Bob chooses a key $k \leftarrow G(1^n)$ and $m \leftarrow_u \{m_0, m_1\}$. He computes $c \leftarrow E_k(m)$ and gives $c$ to Eve. Eve tries to determine whether $c$ is the encryption of $m_0$ or of $m_1$. An encryption scheme is ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than $1/2$.

Definition: An encryption scheme is ciphertext-indistinguishable against eavesdroppers if for every PPT algorithm $A$ and all $m_0, m_1 \in M$ with $|m_0| = |m_1|$ it holds that $\Pr[A(1^n, m_0, m_1, E_k(m)) = m : m \leftarrow_u \{m_0, m_1\},\ k \leftarrow G(1^n)] \le \tfrac{1}{2} + \mathrm{negl}(n)$.

Equivalence of semantic security and ciphertext-indistinguishability. Theorem: against an eavesdropper, an encryption scheme is semantically secure iff it is ciphertext-indistinguishable. Theorem: under CPA, CCA1 or CCA2, an encryption scheme is semantically secure if and only if it is ciphertext-indistinguishable.

Chosen-plaintext attacks (CPA). In CSE 651 we described CPA as follows. Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $m_1, m_2, \ldots, m_t$ are chosen by the adversary, and a new ciphertext $c$. Q: what is the plaintext of $c$? Adaptively-chosen-plaintext attack: $m_1, m_2, \ldots, m_t$ are chosen adaptively. Now we describe CPA in terms of oracles.

Chosen-plaintext attacks (CPA). A CPA on an encryption scheme $(G, E, D)$ is modeled as follows. 1. A key $k \leftarrow G(1^n)$ is generated. 2. The adversary is given input $1^n$ and oracle access to $E_k$; she may request the oracle to encrypt plaintexts of her choice. 3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$ and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$. 4. The adversary continues to have oracle access and may request the encryptions of additional plaintexts of her choice, even $m_0$ and $m_1$. 5. The adversary finally answers 0 or 1. Note: the CPA here actually refers to an adaptive CPA.

Ciphertext-indistinguishability against CPA. An encryption scheme $(G, E, D)$ is IND-CPA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$. Definition: an encryption scheme $(G, E, D)$ is IND-CPA if for every polynomial-time adversary $A$ it holds that $\Pr[A^{E_k(\cdot)}(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k(\cdot)}(1^n),\ m \leftarrow_u \{m_0, m_1\}] \le \tfrac{1}{2} + \mathrm{negl}(n)$.
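The five-step IND-CPA game of the two slides above as a runnable experiment, added here as an example (not from the slides): a challenger that plays the game many times against a scheme and an adversary, and one concrete adversary, which asks the encryption oracle for $E_k(m_0)$ and compares it with the challenge. Against a deterministic scheme (a fixed key-stream, the same situation as textbook RSA) this adversary wins every round; against a scheme that re-seeds the key-stream with a fresh IV per message it is reduced to guessing. Both toy schemes and the messages are constructed for the demonstration; the seeded PRNG makes the simulation repeatable and must not be mistaken for a source of real keys.

```python
import hashlib
import random
from typing import Callable, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DeterministicStream:
    """Toy scheme: E_k(m) = m xor SHA-256(k).  Stateless and deterministic,
    so equal plaintexts under one key give equal ciphertexts (like textbook RSA)."""
    @staticmethod
    def keygen(rng: random.Random) -> bytes:
        return rng.randbytes(32)

    @staticmethod
    def encrypt(k: bytes, m: bytes, rng: random.Random) -> bytes:
        return xor_bytes(m, hashlib.sha256(k).digest()[:len(m)])


class RandomizedStream:
    """Toy scheme: E_k(m) = iv || (m xor SHA-256(k || iv)) with a fresh 16-byte iv,
    i.e. the key-stream is re-seeded for every message."""
    @staticmethod
    def keygen(rng: random.Random) -> bytes:
        return rng.randbytes(32)

    @staticmethod
    def encrypt(k: bytes, m: bytes, rng: random.Random) -> bytes:
        iv = rng.randbytes(16)
        return iv + xor_bytes(m, hashlib.sha256(k + iv).digest()[:len(m)])


class ReplayAdversary:
    """Chooses two equal-length messages, then asks the oracle for E_k(m0) and
    answers 0 if it matches the challenge, else 1."""
    def choose(self, oracle: Callable[[bytes], bytes]) -> Tuple[bytes, bytes]:
        return b"attack at dawn!!", b"attack at dusk!!"     # constructed, same length

    def guess(self, oracle, m0: bytes, m1: bytes, challenge: bytes) -> int:
        return 0 if oracle(m0) == challenge else 1


def ind_cpa_advantage(scheme, adversary, trials: int, rng: random.Random) -> float:
    """Plays the IND-CPA game `trials` times and returns the adversary's empirical
    success rate; a rate near 1/2 means no advantage."""
    wins = 0
    for _ in range(trials):
        k = scheme.keygen(rng)                                        # 1. key generated
        oracle = lambda m, k=k: scheme.encrypt(k, m, rng)             # 2. oracle access to E_k
        m0, m1 = adversary.choose(oracle)                             # 3. m0, m1 with |m0| = |m1|
        assert len(m0) == len(m1)
        b = rng.randrange(2)
        challenge = scheme.encrypt(k, (m0, m1)[b], rng)
        if adversary.guess(oracle, m0, m1, challenge) == b:           # 4-5. more queries, answer
            wins += 1
    return wins / trials


if __name__ == "__main__":
    rng = random.Random(2009)
    print(ind_cpa_advantage(DeterministicStream, ReplayAdversary(), 200, rng))  # 1.0
    print(ind_cpa_advantage(RandomizedStream, ReplayAdversary(), 400, rng))     # about 0.5
```

The experiment shows why determinism alone rules out IND-CPA: the adversary needs no weakness in the key-stream, only the ability to replay a query, which the game grants in step 2.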

Chosen-ciphertext attacks (CCA). In CSE 651 we also described CCA as follows. Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $c_1, c_2, \ldots, c_t$ are chosen by the adversary, and a new ciphertext $c$. Q: what is the plaintext of $c$? Adaptively-chosen-ciphertext attack: $c_1, c_2, \ldots, c_t$ are chosen adaptively. Now we describe CCA in terms of oracles. We will allow a CCA adversary to also have CPA capability (so, combined CCA+CPA rather than pure CCA).

Chosen-ciphertext attacks (CCA). A CCA on an encryption scheme $(G, E, D)$ is modeled as follows. 1. A key $k \leftarrow G(1^n)$ is generated. 2. The adversary is given input $1^n$ and oracle access to $E_k$ and $D_k$; she may request the oracles to perform encryptions and/or decryptions for her. 3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$ and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$. 4. The adversary continues to have oracle access to $E_k$ and $D_k$, but is not allowed to request the decryption of $c$. 5. The adversary finally answers 0 or 1.

CCA1 vs. CCA2. The CCA described above is also called CCA2. If in item #4 the adversary has no access to the decryption oracle, the CCA is called CCA1.

Ciphertext-indistinguishability against CCA. An encryption scheme $(G, E, D)$ is IND-CCA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$. Definition: an encryption scheme $(G, E, D)$ is IND-CCA if for every polynomial-time adversary $A$ it holds that $\Pr[A^{E_k(\cdot), D_k(\cdot)}(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k(\cdot), D_k(\cdot)}(1^n),\ m \leftarrow_u \{m_0, m_1\}] \le \tfrac{1}{2} + \mathrm{negl}(n)$.

Non-malleability. An encryption scheme $(G, E, D)$ is non-malleable if, given a ciphertext $c = E(m)$, it is computationally infeasible for an adversary to produce a ciphertext $c'$ such that $m' = D(c')$ has some known relation with $m$. RSA is malleable. Under CCA2, IND-CCA2 and non-malleability are equivalent. Later we will see that every homomorphic encryption scheme is malleable, and hence cannot be IND-CCA2. Highest security level possible for such schemes: IND-CCA1 (?)

Homomorphic Encryption. Fontaine and Galand, "A survey of homomorphic encryption for nonspecialists", EURASIP Journal on Information Security, 2007.

RSA is homomorphic: $\mathrm{RSA}(m_1 \cdot m_2) = \mathrm{RSA}(m_1) \cdot \mathrm{RSA}(m_2)$, where $\cdot$ is the multiplication in $\mathbb{Z}_n^*$ (i.e., modulo $n$). Easy to verify: $\mathrm{RSA}(m_1 m_2) = (m_1 m_2)^e$, $\mathrm{RSA}(m_1) = m_1^e$, $\mathrm{RSA}(m_2) = m_2^e$, so $\mathrm{RSA}(m_1) \cdot \mathrm{RSA}(m_2) = m_1^e m_2^e = (m_1 m_2)^e$.
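The multiplicative homomorphism of textbook RSA, checked on the toy key $n = 3233$, $e = 17$ (constructed parameters), and the malleability it implies, as an added example (not from the slides): from $c = \mathrm{RSA}(m)$ alone, $c \cdot \mathrm{RSA}(t) = \mathrm{RSA}(mt)$ is a ciphertext of a known multiple of $m$, and a decryption oracle that refuses only $c$ itself will decrypt it, after which dividing by $t$ modulo $n$ gives $m$. The oracle is a stand-in for any system that decrypts attacker-chosen ciphertexts.

```python
# Toy key (constructed): p = 53, q = 61, n = 3233, phi = 3120, e = 17, d = 2753.
P, Q, E = 53, 61, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa(m: int) -> int:
    """Textbook RSA encryption with the public key (N, E)."""
    return pow(m, E, N)


def rsa_inv(c: int) -> int:
    """Decryption with the private exponent D (the trapdoor)."""
    return pow(c, D, N)


def homomorphic_check(m1: int, m2: int) -> bool:
    """RSA(m1 * m2) == RSA(m1) * RSA(m2) in Z_n^*."""
    return rsa(m1 * m2 % N) == rsa(m1) * rsa(m2) % N


def malleate(c: int, t: int) -> int:
    """From c = RSA(m) alone, build c' = c * RSA(t) = RSA(m * t): a ciphertext
    of a message with a known relation to m, without knowing m."""
    return c * rsa(t) % N


def cca_recover(c: int, t: int, decrypt_oracle) -> int:
    """CCA2 break: the oracle refuses c itself but answers for c' = RSA(m*t) != c;
    dividing by t (mod n) recovers m.  Requires gcd(t, n) = 1."""
    m_t = decrypt_oracle(malleate(c, t))
    return m_t * pow(t, -1, N) % N


if __name__ == "__main__":
    c = rsa(65)
    print(homomorphic_check(65, 17))
    oracle = lambda cc: rsa_inv(cc) if cc != c else None    # decrypts anything except c
    print(cca_recover(c, 2, oracle))                        # 65
```

The same blinding trick is what makes textbook RSA signatures forgeable by chosen message: the homomorphism is a property of the primitive, and only the padding layer (PKCS #1 v1.5 or OAEP/PSS) breaks it.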

Homomorphic encryption. $M$: message space; $C$: ciphertext space; $\odot_M$: some binary operation on $M$; $\odot_C$: some binary operation on $C$. Definition: an encryption scheme is homomorphic if for any encryption key $k$ the encryption function $E$ satisfies $E(m_1 \odot_M m_2) = E(m_1) \odot_C E(m_2)$ for all messages $m_1, m_2 \in M$. Comment: applicable only to deterministic encryption schemes.

ElGamal encryption is homomorphic, $E(m_1 m_2) \approx E(m_1) E(m_2)$, in the following sense: $E(m_1) E(m_2)$ is a valid encryption of $m_1 m_2$. Verification: if $E(m_1) = (g^{k_1}, m_1 y^{k_1})$ and $E(m_2) = (g^{k_2}, m_2 y^{k_2})$, then $E(m_1) E(m_2) = (g^{k_1}, m_1 y^{k_1}) (g^{k_2}, m_2 y^{k_2}) = (g^{k_1+k_2}, m_1 m_2 y^{k_1+k_2})$ is an encryption of $m_1 m_2$.

Homomorphic encryption redefined. $M$: message space; $C$: ciphertext space; $\odot_M$: some binary operation on $M$; $\odot_C$: some binary operation on $C$. Definition: an encryption scheme is homomorphic if for any encryption key $k$ the encryption function $E$ satisfies $E(m_1 \odot_M m_2) \Leftarrow E(m_1) \odot_C E(m_2)$ for all messages $m_1, m_2 \in M$. Comment: $\Leftarrow$ means "an encryption of the left side can be computed from the right side".

An equivalent definition. Definition: an encryption scheme is homomorphic if its encryption $E$ and decryption $D$ satisfy $m_1 \odot_M m_2 = D(E(m_1) \odot_C E(m_2))$ for all messages $m_1, m_2 \in M$ and all encryption/decryption key pairs.

A generalized definition. Definition: an encryption scheme is homomorphic w.r.t. $\odot_M$ if there is a polynomial-time algorithm $A$ such that $m_1 \odot_M m_2 = D(A(E(m_1), E(m_2)))$, or equivalently $E(m_1 \odot_M m_2) \Leftarrow A(E(m_1), E(m_2))$, for all messages $m_1, m_2 \in M$ and all encryption/decryption key pairs. Question: how to further generalize it?

Various homomorphic encryptions. An encryption scheme is additively homomorphic if it is homomorphic w.r.t. $+_M$; multiplicatively homomorphic if it is homomorphic w.r.t. $\times_M$; algebraically homomorphic if it is homomorphic w.r.t. both $+_M$ and $\times_M$. RSA and ElGamal are multiplicatively homomorphic. Padded RSA and OAEP-RSA are not homomorphic. RSA is not IND-CPA secure; ElGamal is.

Additively homomorphic ElGamal encryption. ElGamal encryption can be made additively homomorphic. Original ElGamal: $E(m) = (g^k, m y^k)$. Now encrypt $m$ as $c = E(m) = (g^k, h^m y^k)$, where $g, h$ are generators of $\mathbb{Z}_p^*$. Decrypting $c$ takes two steps: $c \xrightarrow{\text{ElGamal decryption}} h^m \xrightarrow{\text{DL}} m$. Then $E(m_1 + m_2) \Leftarrow E(m_1) E(m_2)$.

A simple application. To vote yes or no, encode a yes-vote as $m = 1$ and a no-vote as $m = -1$. Encrypt $m$ as $c = (g^k, h^m y^k)$ and send the encrypted vote $c$ to a trusted party. All votes: $\{c_1, c_2, c_3, \ldots, c_k\}$, $c_i = (g^{k_i}, h^{m_i} y^{k_i})$. Then $\prod_{i=1}^k c_i = (g^{\sum k_i}, h^{\sum m_i} y^{\sum k_i}) = E(\sum_{i=1}^k m_i \bmod (p-1))$ and $D(\prod_{i=1}^k c_i) = \sum_{i=1}^k m_i \bmod (p-1) = \sum_{i=1}^k m_i$ (why?).
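The exponential ElGamal variant and the yes/no tally of the two slides above, as an added example (not from the slides): votes $\pm 1$ are encoded as exponents of a second generator $h$, the trusted party multiplies all ballots and decrypts once, and the final discrete logarithm is found by trial over the only values the tally can take. That small search also answers the slide's "why?": the sum lies in $[-k, k]$ with $k$ far below $(p-1)/2$, so its residue modulo $p-1$ determines it. Parameters ($p = 2579$, $g = 2$, $h = g^3 = 8$, which is a generator since $\gcd(3, p-1) = 1$) are constructed toy values.

```python
import random
from typing import List, Tuple

# Toy parameters (constructed): p prime with p - 1 = 2 * 1289; g and h primitive roots.
P, G, H = 2579, 2, 8
Cipher = Tuple[int, int]


def keygen(rng: random.Random) -> Tuple[int, int]:
    x = rng.randrange(1, P - 1)
    return pow(G, x, P), x                       # (public y, private x)


def encrypt_exp(y: int, m: int, rng: random.Random) -> Cipher:
    """Exponential ElGamal: E(m) = (g^k, h^m * y^k).  m lives in Z_{p-1}, so a
    'no' vote m = -1 is the exponent p - 2."""
    k = rng.randrange(1, P - 1)
    return pow(G, k, P), pow(H, m % (P - 1), P) * pow(y, k, P) % P


def multiply(c1: Cipher, c2: Cipher) -> Cipher:
    """E(m1) * E(m2) = (g^(k1+k2), h^(m1+m2) * y^(k1+k2)) encrypts m1 + m2."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P


def decrypt_exp(x: int, c: Cipher, bound: int) -> int:
    """Step 1: ordinary ElGamal decryption yields h^m.  Step 2: a discrete log
    over the small known range [-bound, bound] (a tally of `bound` votes), by trial."""
    a, b = c
    hm = b * pow(a, -x, P) % P
    for m in range(-bound, bound + 1):
        if pow(H, m % (P - 1), P) == hm:
            return m
    raise ValueError("tally outside the expected range")


def tally(votes: List[int], y: int, x: int, rng: random.Random) -> int:
    """Each voter encrypts +1 (yes) or -1 (no); the trusted party multiplies the
    ballots and decrypts once, learning the sum but never an individual vote."""
    assert all(v in (1, -1) for v in votes)
    ballots = [encrypt_exp(y, v, rng) for v in votes]
    product = ballots[0]
    for c in ballots[1:]:
        product = multiply(product, c)
    return decrypt_exp(x, product, bound=len(votes))


if __name__ == "__main__":
    rng = random.Random(3)                        # repeatable demo randomness, not real keys
    y, x = keygen(rng)
    print(tally([1, 1, -1, 1, -1, -1, 1], y, x, rng))   # 1: four yes, three no
```

The search in `decrypt_exp` is the price of additive homomorphism in ElGamal: the plaintext sits in an exponent, so decryption only ever recovers $h^m$ and the range of $m$ must be small enough to enumerate.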

Yao's Millionaire Problem. Two millionaires, Alice and Bob, want to know who is richer without revealing their actual wealth. Alice is worth $a$ millions, and Bob $b$ millions. Q: $a < b$? Initially suggested and solved by Andrew Yao in 1982; later generalized to a problem called Multiparty Computation. It would be trivial if there were a secure encryption scheme that is homomorphic w.r.t. "$<$", namely, $(m_1 < m_2) = D(A(E(m_1), E(m_2)))$.

Quadratic Residues. Let $n \ge 2$ be any number. Quadratic residues: elements in $\mathbb{Z}_n^*$ which are a square. $QR_n$ = the subgroup of quadratic residues in $\mathbb{Z}_n^*$. $QNR_n = \mathbb{Z}_n^* \setminus QR_n$ = quadratic non-residues. Legendre symbol (for a prime $p$): $\left(\frac{x}{p}\right) = +1$ if $[x] \in QR_p$ ($x$ is a square); $-1$ if $[x] \in QNR_p$ (not a square); $0$ if $[x] = 0$. Euler's criterion: $\left(\frac{x}{p}\right) = x^{(p-1)/2} \bmod p$. Jacobi symbol: $\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right)$, assuming $n = pq$.

Quadratic Residues (cont'd). Thus $\left(\frac{x}{n}\right) = 1$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = \pm 1$, whereas $x$ is a quadratic residue in $\mathbb{Z}_n^*$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$. $\mathbb{Z}_n^* = QR_n \cup QNR_n = QR_n \cup QNR_n^+ \cup QNR_n^-$. If $\left(\frac{x}{n}\right) = -1$, then $x \in QNR_n^-$. If $\left(\frac{x}{n}\right) = 1$, then $x \in QR_n \cup QNR_n^+$. Quadratic residuosity assumption: given $x \in \mathbb{Z}_n^*$ with $\left(\frac{x}{n}\right) = 1$, it is intractable to determine whether $x \in QR_n$ or $x \in QNR_n^+$ without knowing $n = pq$. Knowing $n = pq$, it is easy to determine whether $x \in QR_n$ or $x \in QNR_n^+$.

Goldwasser-Micali encryption scheme (idea). First probabilistic encryption scheme. Encrypt one bit $b \in \{0,1\}$ at a time. Encrypt $b = 0$ as a random number in $QR_n$. Encrypt $b = 1$ as a random number in $QNR_n^+$. To decrypt $c = E(b)$, simply determine whether $c \in QR_n$ (i.e., whether $\left(\frac{c}{p}\right) = \left(\frac{c}{q}\right) = 1$).

Goldwasser-Micali encryption scheme. Public key: $(g, n)$. Private key: $(p, q)$. System setup: Alice chooses $n = pq$ and $g \in_R QNR_n^+$. Encryption: $E(b) = g^b r^2 \bmod n$, where $r \in_R \mathbb{Z}_n^*$. Note: $E(b)$ is a quadratic residue iff $b = 0$. To decrypt $c = E(b)$, simply determine whether $c \in QR_n$. Drawback: it takes $|n| = 1024$ bits to encrypt a single bit, so this scheme has an expansion of 1024.
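The Legendre symbol by Euler's criterion, the Jacobi symbol computed without the factorization (the public party's view), and the Goldwasser-Micali scheme from the preceding slides, as an added example (not from the slides). Every ciphertext has Jacobi symbol $+1$, which is why the public view cannot separate $QR_n$ from $QNR_n^+$, while the key owner decides with two Legendre symbols. The block also shows the XOR homomorphism of the scheme (a product of two ciphertexts encrypts $b_1 \oplus b_2$), which the slides do not mention. The primes $p = 1019$, $q = 1031$ are constructed toy values.

```python
import math
import random
from typing import Tuple


def legendre(x: int, p: int) -> int:
    """Euler's criterion: (x/p) = x^((p-1)/2) mod p, mapped to {0, +1, -1}."""
    v = pow(x % p, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity and without
    factoring n: this is what anyone who knows only n can compute."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                 # factor out 2: (2/n) = -1 iff n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # reciprocity: sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr(x: int, p: int, q: int) -> bool:
    """With the factorization, QR_n membership is two Legendre symbols."""
    return legendre(x, p) == 1 and legendre(x, q) == 1


def gm_keygen(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """n = pq; g = smallest element of QNR_n^+: (g/p) = (g/q) = -1, hence (g/n) = +1
    although g is not a square."""
    n = p * q
    g = next(g for g in range(2, n) if legendre(g, p) == -1 and legendre(g, q) == -1)
    return (g, n), (p, q)


def gm_encrypt(pk, bit: int, rng: random.Random) -> int:
    """E(b) = g^b * r^2 mod n with r random in Z_n^*: a random square for b = 0,
    a random element of QNR_n^+ for b = 1."""
    g, n = pk
    while True:
        r = rng.randrange(2, n)
        if math.gcd(r, n) == 1:
            break
    return pow(g, bit, n) * r * r % n


def gm_decrypt(sk, c: int) -> int:
    p, q = sk
    return 0 if is_qr(c, p, q) else 1


def gm_xor(pk, c1: int, c2: int) -> int:
    """GM is homomorphic for XOR: square * square and QNR^+ * QNR^+ are squares,
    square * QNR^+ is not, so E(b1) * E(b2) encrypts b1 xor b2."""
    return c1 * c2 % pk[1]


if __name__ == "__main__":
    rng = random.Random(5)                # repeatable demo randomness, not for real keys
    pk, sk = gm_keygen(1019, 1031)
    c = gm_encrypt(pk, 1, rng)
    print(pk[0], jacobi(c, pk[1]), gm_decrypt(sk, c))   # g, +1, 1
```

The Jacobi computation never touches $p$ or $q$, and for a ciphertext it always returns $+1$; the quadratic residuosity assumption says that is all an outsider learns.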

Reducing the expansion. Idea of Goldwasser-Micali: take a group $G$ and a subgroup $H$. Partition $G$ into two parts: $M_0 = H$ and $M_1 = G \setminus H$. Randomly select an element in $M_b$ to encrypt $b$. To generalize, choose $G$ and $H$ such that $G$ can be split into more parts. Benaloh: $k$ = a small prime; $E(m) = g^m r^k$, $m \in \{0, \ldots, k-1\}$; expansion $|n| / \log k$. Okamoto & Uchiyama: reduced the expansion to 3. Paillier: reduced the expansion to 2 using the group $\mathbb{Z}_{n^2}^*$. Damgård & Jurik: generalized Paillier's scheme using the group $\mathbb{Z}_{n^{s+1}}^*$, with expansion $1 + 1/s$.

Paillier's encryption scheme. One of the most well-known homomorphic encryptions. $G = \mathbb{Z}_{n^2}^*$, where $n = pq$. $|G| = \varphi(n^2) = n\varphi(n)$. $H = \{z \in G : z \text{ is an } n\text{-th residue mod } n^2\} = \{z : z = y^n \bmod n^2 \text{ for some } y \in G\}$. $H$ is a subgroup and $|H| = \varphi(n)$. Use $H$ to divide $G$ into $n$ classes. Let $g \in G$ be any element with order a multiple of $n$.

Define $f : \mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{Z}_{n^2}^*$, $(x, y) \mapsto g^x y^n \bmod n^2$. Theorem: $f$ is bijective. Each $x \in \mathbb{Z}_n$ defines a class in $\mathbb{Z}_{n^2}^*$, namely $f(x, \mathbb{Z}_n^*) = \{f(x, y) : y \in \mathbb{Z}_n^*\}$. Encryption: plaintext $m \in \mathbb{Z}_n$; select a random $r \in \mathbb{Z}_n^*$; ciphertext $c = g^m r^n \bmod n^2$ (additively homomorphic).

Decryption (private key: $n = pq$, or $\lambda(n)$). Ciphertext $c \in \mathbb{Z}_{n^2}^*$; plaintext $m = \dfrac{L(c^{\lambda(n)} \bmod n^2)}{L(g^{\lambda(n)} \bmod n^2)} \bmod n$, where $L(u) = (u - 1)/n$. $\lambda(n)$ is the Carmichael function, i.e., the smallest integer $a$ such that $z^a \equiv 1 \pmod n$ for all $z \in \mathbb{Z}_n^*$. For $n = pq$, $\lambda(n) = \mathrm{lcm}(p-1, q-1)$. (In RSA, $\lambda(n)$ can be used in place of $\varphi(n)$.)

Security. Assumption: without knowing $n = pq$, it is intractable to determine whether an element $z \in \mathbb{Z}_{n^2}^*$ is an $n$-th residue modulo $n^2$. If this assumption holds, Paillier's encryption scheme is semantically secure under CPA. Let $c$ be the ciphertext of either $m_0$ or $m_1$, so either $c = g^{m_0} r_0^n \bmod n^2$ or $c = g^{m_1} r_1^n \bmod n^2$. Then $c g^{-m_0} = r_0^n \bmod n^2$ or $c g^{-m_0} = g^{m_1 - m_0} r_1^n \bmod n^2$; that is, $c$ is the ciphertext of $m_0$ iff $c g^{-m_0}$ is an $n$-th residue modulo $n^2$.

Question: in the above argument, which problem is reduced to which problem?

Additively homomorphic on $\mathbb{Z}_n$. Recall: $E(m) = g^m r^n \bmod n^2$, $m \in \mathbb{Z}_n$, $r \in_R \mathbb{Z}_n^*$. $D(E(m_1) E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$. $D(E(m)^k \bmod n^2) = km \bmod n$. $D(E(m_1)^{m_2} \bmod n^2) = m_1 m_2 \bmod n$.

A simple application. To vote yes or no, encode a yes-vote as $m = 1$ and a no-vote as $m = -1$. Encrypt $m$ as $c = g^m r^n \bmod n^2$ and send the encrypted vote $c$ to a trusted party. All votes: $\{c_1, c_2, c_3, \ldots, c_k\}$. $D(\prod_{i=1}^k c_i \bmod n^2) = \sum_{i=1}^k m_i \bmod n = \sum_{i=1}^k m_i$ (why?).
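Paillier key generation, encryption, decryption, the three homomorphic identities of the previous slide and the yes/no tally, as an added example (not from the slides). It uses $g = n + 1$, a common choice of an element whose order is a multiple of $n$ (any such $g$ works with the same decryption formula), and interprets the decrypted residue as a signed integer, which is the answer to the slide's "why?": the tally lies in $[-k, k]$ with $k \ll n/2$, so its residue modulo $n$ identifies it. The primes $p = 1019$, $q = 1031$ and the votes are constructed toy values.

```python
import math
import random
from typing import List, Tuple


def lcm(a: int, b: int) -> int:
    return a * b // math.gcd(a, b)


def L(u: int, n: int) -> int:
    """L(u) = (u - 1) / n, defined for u = 1 mod n."""
    assert (u - 1) % n == 0
    return (u - 1) // n


def paillier_keygen(p: int, q: int):
    """n = pq, g = n + 1 (order n in Z_{n^2}^*), lambda = lcm(p-1, q-1) (Carmichael
    function), and mu = L(g^lambda mod n^2)^(-1) mod n precomputed for decryption."""
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("need gcd(n, phi(n)) = 1")
    n2 = n * n
    g = n + 1
    lam = lcm(p - 1, q - 1)
    mu = pow(L(pow(g, lam, n2), n), -1, n)
    return (n, g), (n, lam, mu)


def paillier_encrypt(pk, m: int, rng: random.Random) -> int:
    """E(m) = g^m * r^n mod n^2 with r random in Z_n^*."""
    n, g = pk
    n2 = n * n
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def paillier_decrypt(sk, c: int) -> int:
    """m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    n, lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n


def add(pk, c1: int, c2: int) -> int:
    """E(m1) * E(m2) mod n^2 encrypts m1 + m2 mod n."""
    return c1 * c2 % (pk[0] ** 2)


def scalar_mul(pk, c: int, k: int) -> int:
    """E(m)^k mod n^2 encrypts k * m mod n (and E(m1)^(m2) encrypts m1 * m2)."""
    return pow(c, k, pk[0] ** 2)


def signed(m: int, n: int) -> int:
    """Read a residue in Z_n as a signed integer in (-n/2, n/2]."""
    return m - n if m > n // 2 else m


def tally(pk, sk, votes: List[int], rng: random.Random) -> int:
    """Votes are +1 or -1 (encoded as n - 1).  Multiply all ciphertexts, decrypt
    once; the sum is in [-k, k] with k << n/2, so the residue mod n pins it down."""
    n, _ = pk
    product = 1                                   # 1 = E(0) with r = 1
    for v in votes:
        product = add(pk, product, paillier_encrypt(pk, v % n, rng))
    return signed(paillier_decrypt(sk, product), n)


if __name__ == "__main__":
    rng = random.Random(11)                       # repeatable demo randomness, not real keys
    pk, sk = paillier_keygen(1019, 1031)
    c = paillier_encrypt(pk, 42, rng)
    print(paillier_decrypt(sk, c), paillier_decrypt(sk, scalar_mul(pk, c, 3)))   # 42 126
    print(tally(pk, sk, [1, 1, -1, 1, -1, -1, 1], rng))                           # 1
```

Unlike the exponential-ElGamal tally, no discrete logarithm is needed at the end: Paillier decrypts directly to the sum in $\mathbb{Z}_n$, which is why it is the usual choice for additive counting.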

Fully homomorphic encryption. At STOC '09, Craig Gentry presented a fully homomorphic encryption scheme. A homomorphic public-key encryption scheme $S$ has four algorithms: KeyGen, Encrypt, Decrypt, Evaluate. Let $C$ be a circuit. $S$ is homomorphic for $C$ if for any key pair $(sk, pk)$ output by KeyGen, any plaintexts $\pi_1, \ldots, \pi_t$, and any ciphertexts $\psi_1, \ldots, \psi_t$ with $\psi_i = \mathrm{Encrypt}(\pi_i)$, it holds that $C(\pi_1, \ldots, \pi_t) = \mathrm{Decrypt}(\mathrm{Evaluate}(C, \psi_1, \ldots, \psi_t))$. $S$ is fully homomorphic if it is homomorphic for all circuits.

Applications: protection of mobile agents; watermarking/fingerprinting protocols; electronic auction and lottery protocols; multiparty computation; oblivious transfer; privacy-preserving data mining; others.