CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Similar documents
Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 17: Constructions of Public-Key Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Advanced Topics in Cryptography

Notes for Lecture 17

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Introduction to Cryptography. Lecture 8

Lecture 28: Public-key Cryptography. Public-key Cryptography

CPA-Security. Definition: A private-key encryption scheme

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

El Gamal A DDH based encryption scheme. Table of contents

Introduction to Elliptic Curve Cryptography

Solutions to homework 2

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Adaptive Security of Compositions

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

G Advanced Cryptography April 10th, Lecture 11

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Advanced Cryptography 03/06/2007. Lecture 8

Lecture Note 3 Date:

Modern symmetric-key Encryption

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Lecture 5, CPA Secure Encryption from PRFs

CS 395T. Probabilistic Polynomial-Time Calculus

Short Exponent Diffie-Hellman Problems

Computational security & Private key encryption

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

CTR mode of operation

Multiparty Computation

Provable security. Michel Abdalla

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

General Impossibility of Group Homomorphic Encryption in the Quantum World

5.4 ElGamal - definition

1 Number Theory Basics

Lecture 7: CPA Security, MACs, OWFs

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

CPSC 467b: Cryptography and Computer Security

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Advanced Cryptography 1st Semester Public Encryption

Public-Key Encryption: ElGamal, RSA, Rabin

Lecture 7: ElGamal and Discrete Logarithms

Lecture 7: Boneh-Boyen Proof & Waters IBE System

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Public-Key Encryption

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Computer Science A Cryptography and Data Security. Claude Crépeau

Introduction to Cybersecurity Cryptography (Part 4)

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

CPSC 467b: Cryptography and Computer Security

An Introduction to Probabilistic Encryption

Cryptography and Security Midterm Exam

Introduction to Cybersecurity Cryptography (Part 4)

Chapter 11 : Private-Key Encryption

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Public Key Cryptography

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Lecture 13: Private Key Encryption

CPSC 467b: Cryptography and Computer Security

Lecture 2: Perfect Secrecy and its Limitations

The Cramer-Shoup Cryptosystem

Lecture 1: Introduction to Public key cryptography

Introduction to Cybersecurity Cryptography (Part 5)

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Lecture Notes, Week 6

Applied cryptography

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Lecture 11: Key Agreement

Lecture 4: Computationally secure cryptography

Discrete logarithm and related schemes

Scribe for Lecture #5

Cryptography IV: Asymmetric Ciphers

RSA-OAEP and Cramer-Shoup

Public-Key Cryptosystems CHAPTER 4

CIS 551 / TCOM 401 Computer and Network Security

Lossy Trapdoor Functions and Their Applications

Public Key Cryptography

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

15 Public-Key Encryption

Modern Cryptography Lecture 4

RSA RSA public key cryptosystem

CPSC 467: Cryptography and Computer Security

Lecture 2: Program Obfuscation - II April 1, 2009

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Transcription:

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a oneway function, f, is easy to compute, but hard to invert. Formally, for all PPT adversaries A, there is a c such that or eventually all n, Pr [ A(f(x)) f 1 f(x) ] < 1 n c with the probability taken over x = n and coin flips of A. A oneway, trapdoor function is a oneway function f, which becomes easy to invert when given some extra information, t, called a trapdoor. We formalize this as follows. easy x f(x) hard easy, given t Definition 1 A oneway trapdoor function is a parameterized family of functions {f k : D k R k } k K, with K, D k, and R k {0,1}. 1. Key, trapdoor pairs are PPT sampleable: there is a polynomial p and PPT algorithm GEN such that GEN(1 n ) = (k,t k ), with k K {0,1} n, and t k p(n). Call k a key, and t k the trapdoor for f k. 2. Given k, the domain D k is PPT sampleable. 3. f 1 k is computable, given a trapdoor t k : there is an algorithm I, such that I(k,t k,f k (x)) = x, for x D k. 4. For all PPT A, the following is negligible: Pr [ A(k,f k (x)) f 1 k f k(x) ] where k is sampled by GEN, and the asymptotics are relative to the security parameter. 7-1

In this definition, (1) is saying that we can randomly generate a function from the family, and its trapdoor. The the size of the trapdoor information must be polynomial in the size of the key. (3) says that an instance f k is invertible, given its description k, and its trapdoor t k. (4) says that {f k } is a oneway family. For clarity, we will often let the k be implied, and write (f,f 1 ), instead of (k,t k ). Note that it is important to use a family of functions. If we try to make the above definition for a single function, (4) will fail. There is always some adversary A, with a description of the trapdoor t, and the inverter I, hard-wired into its description. This adversary will always be able to invert. 2 Public Key Encryption A public key encryption scheme (say, for entity A) consists of three algorithms, KEYGEN for key generation, and ENC and DEC, for encryption and decryption, respectively. Given a security parameter, 1 n, KEYGEN should return two keys, PK and SK. The idea is that PK is made public, and is used by any other entity B, as input to ENC, to encrypt a message for A. SK is kept secret by A, and is used in DEC to decrypt a ciphertext, and recover the original message. We will define the semantic security of this system so that no adversary E can recover the message, even with knowledge of the public key PK. (PK,SK) KEYGEN(1 n,r) c ENC(PK,m,r) m DEC(PK,SK,c) Of course, in the above procedure, we want m = m, so that we recover the original message m. We demand that the scheme be correct: if (PK,SK) is generated by KEYGEN, then for all messages m, DEC ( PK,SK,ENC(PK,m,r) ) = m. (1) To define semantic security, consider the following game. Challenger uses KEYGEN to generate a key pair (PK,SK) and publishes PK. Adversary, given PK, picks distinct messages m 0 and m 1, of equal length, and sends them to Challenger. Challenger picks a random bit b, and then sends to Adversary the ciphertext c = ENC(PK,m b ). 7-2

Challenger Adversary (PK,SK) = PK KEYGEN(1 n,r) m 0, m 1 Pick m 0 m 1 of equal length b random ENC(PK,m b,r) c Guess b We say that the cryptosystem is secure if Adversary can then guess b with probability which deviates only negligibly from 1 2. Remark For this definition to work, we needed ENC to be probabilistic. Otherwise, Adversary could simply compute ENC(m 0 ) and ENC(m 1 ), and compare them to c, thus determining b. 2.1 Example: PK Cryptosystem from Oneway Trapdoor Permutations A semantically secure, public key cryptosystem can be constructed from a oneway, trapdoor permutation. The algorithms are as follows 1. KEYGEN(1 n,r): 1. compute (f,f 1 ) := GEN(1 n ). 2. Pick a string p, uniformly at random, for computing hard-core bits. 3. return PK = (f,p), SK = f 1. Encryption and decryption are done bit-wise on the plaintext and ciphertext. ENC((f,p),m,r): 1. Pick x at random from the domain of f. 2. compute c := (p x) m. 3. compute d := f(x). 4. return ciphertext (c, d). 1 Recall that p x = 1 i n p[i]x[i], where p = x = n. 7-3

DEC((f,p),f 1,(c,d)): 1. compute x := f 1 (d). 2. compute m := (p x) c. 3. return m. Clearly this cryptosystem is correct; it is also semantically secure. If an adversary could distinguish two messages m 0 and m 1, then by a hybrid argument, it could distinguish two messages m 0 and m 1, which differ in only one bit. We could then use this adversary to compute hard-core bit, p x, knowing only f s (x). 3 Some Cryptographic Assumptions 3.1 Finite, Abelian Groups Recall that an abelian group is a collection of elements G, with a binary operation on G, satisfying: ( a,b,c G) (a b) c = a (b c) ( a,b G) a b = b a ( 1 G)( a G) 1 a = a ( a G)( a 1 G) a a 1 = e (Associativity) (Commutativity) Call 1 the identity element of G, and a 1 the inverse of a. The order of a finite group G is the number of elements in the group, denoted G. A useful fact is that if G = n then for any element a, a n = 1. We will usually be concerned with a specific type of abelian group: Call g G a generator iff G = {g n 0 n < G }. In case G has a generator, say that G is cyclic, and write G = g. We wish to generate finite, cyclic groups randomly. Fix a PPT algorithm GROUP, which samples a finite, cyclic group, given a security parameter 1 n. In other words, if (G,p,g) GROUP(1 n ), then G is a (binary description of a) finite group, p = G, and g is a generator. 3.2 Discrete Logarithm Problem Suppose we are given a cyclic group G, of order p, with generator g, and a group element a G. The Discrete Logarithm Problem is to find an integer k, such that g k = a. In 7-4

other words, to compute k = log g (a). The Discrete Logarithm Assumption say that this is computationally hard. Assumption 2 (DLA) For any PPT algorithm A [ ] Pr g k = a : (G,p,g) GROUP(1 n );a R G;k A(G,p,g,a) is negligible in n. Many financial transactions are done using a GROUP which returns G = Z p for p a prime. 3.3 Decisional Diffie-Hellman Problem The Decisional Diffie-Hellman Problem is similar to the Discrete Log Problem, except that one tries to distinguish to powers of a generator, rather than trying to compute a log. Suppose we are given a group G, of order p, with generator g. Then integers x,y,z Z p are selected randomly. From this, two sequences are computed: G,p,g,g x,g y,g z G,p,g,g x,g y,g xy (Random sequence) (DDH sequence) The DDH problem is to determine which sequence, Random or DDH, we have been given. The DDH Assumption is that the DDH Problem is hard. Assumption 3 (Decisional Diffie-Hellman) Let G be a sampled group of order p, with generator g. Pick x,y,z Z p uniformly at random. Then it is asymptotically difficult (with respect to the security parameter), for a PPT adversary A to distinguish (G,p,g,g x,g y,g xy ) from (G,p,g,g x,g y,g z ). Remark The DDH assumption is stronger than the DLP assumption. Computing discrete logarithms would allow one to trivially distinguish g xy from g z, for a random z. 4 The ElGamal Public Key Cryptosystem The security of the ElGamal cryptosystem is based on the difficulty of DDH and DLP. The algorithms are: 7-5

KEY(1 n ): 1. compute (G,p,g) := GROUP(1 n ). 2. Sample x Z p, uniformly at random. 3. compute w := g x. 4. return PK = (G,p,g,w), SK = x. ENC((G,p,g,y),m) (for m G): 1. Sample r R Z p. 2. compute c := w r m,d := g r. 3. return ciphertext (c, d). DEC((G,p,g,y),x,(c,d)): 1. compute m := c d x. 2. return m. To see that the cryptosystem is correct, compute cd x = w r mg rx = g xr mg rx = m. It is also secure, assuming the DDH assumption holds. Theorem 4 ElGamal is semantically secure, if the DDH assumption holds. Proof Suppose we have a PPT adversary A, which breaks ElGamal s semantic security. We can use it to construct an algorithm A, which solves the DDH problem. A is given a sequence G,p,g,g 1,g 2,g 3 and must decide whether this is a Random Sequence or a DDH Sequence. A will play the semantic security game, using A s responses to identify the sequence, thus solving the DDH problem. A (G,p,g,g 1,g 2,g 3 ) : 1. compute messages (m 0,m 1 ) := A(G,p,g,g 1 ). 2. Pick b {0, 1} uniformly at random. 3. compute A s guess b := A(g 2,g 3 m b ). 4. if b = b then return 1 else return 0. A takes an input (G,p,g,g 1,g 2,g 3 ) (with G,p,g sampled). (G,p,g,g 1 ) is used as an El- Gamal public-key, which is given to A. The adversary returns a pair of messages m 0,m 1, 7-6

which it can distinguish. After selecting a random bit b, (g 2,g 3 m b ) is returned to A, as a potential cipher-text. Then A returns b, its guess for b. If b = b we return 1, which we interpret as identifying the DDH sequence. Otherwise, we return 0, identifying the Random sequence. Note that if we give A the input (G,p,g,g x,g y,g xy ), then (g 2,g 3 m b ) = (g y,(g x ) y m b ). This is a valid ciphertext encryption of m b, with public key (G,p,g,g x ), and secret key x. Since A can distinguish m 0 from m 1, it will guess b = b correctly. In this case A will output 1 with as high a probability as A can distinguish the messages. On the other hand, if we give input (G,p,g,g x,g y,g z ) for independently chosen z, g 3 m b = g z m b will just be a random element of G. Thus g z m 0 and g z m 1 will have equal probability of appearing in the ciphertext. So A will not be able to guess b, and A will output 0 with high probability (and output 1 with low probability). Thus A can solve the DDH problem with non-negligible probability, assuming that A can break the semantic security of ElGamal. 7-7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback