Advanced Cryptography 03/06/2007. Lecture 8

Similar documents
Lecture 17: Constructions of Public-Key Encryption

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Advanced Topics in Cryptography

G Advanced Cryptography April 10th, Lecture 11

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

Provable security. Michel Abdalla

Notes for Lecture 17

Advanced Cryptography 1st Semester Public Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Encryption: ElGamal, RSA, Rabin

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Introduction to Cryptography. Lecture 8

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

Introduction to Elliptic Curve Cryptography

Public Key Cryptography

Lecture Notes, Week 6

Introduction to Cybersecurity Cryptography (Part 4)

Short Exponent Diffie-Hellman Problems

Introduction to Cybersecurity Cryptography (Part 4)

An Introduction to Probabilistic Encryption

2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

El Gamal A DDH based encryption scheme. Table of contents

CPSC 467b: Cryptography and Computer Security

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Discrete Logarithm Problem

Lossy Trapdoor Functions and Their Applications

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

5.4 ElGamal - definition

14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University

1 Number Theory Basics

14 Diffie-Hellman Key Agreement

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Chapter 11 : Private-Key Encryption

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

A New Paradigm of Hybrid Encryption Scheme

Lecture 16: Public Key Encryption:II

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Practice Assignment 2 Discussion 24/02/ /02/2018

CS 395T. Probabilistic Polynomial-Time Calculus

Lecture 11: Key Agreement

Lecture Note 3 Date:

ASYMMETRIC ENCRYPTION

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Math/Mthe 418/818. Review Questions

Public-Key Cryptosystems CHAPTER 4

CTR mode of operation

Adaptive Security of Compositions

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

4-3 A Survey on Oblivious Transfer Protocols

Public Key Cryptography

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

RSA-OAEP and Cramer-Shoup

The Theory and Applications of Homomorphic Cryptography

Lecture 7: CPA Security, MACs, OWFs

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Chapter 8 Public-key Cryptography and Digital Signatures

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Lecture 2: Perfect Secrecy and its Limitations

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

1 Public-key encryption

Simple SK-ID-KEM 1. 1 Introduction

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Lecture 7: ElGamal and Discrete Logarithms

Introduction to Modern Cryptography. Benny Chor

Efficient and Secure Delegation of Linear Algebra

A new security notion for asymmetric encryption Draft #10

CS 355: Topics in Cryptography Spring Problem Set 5.

A Generalization of Paillier s Public-Key System with Applications to Electronic Voting

KDM-CCA Security from RKA Secure Authenticated Encryption

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

A new security notion for asymmetric encryption Draft #12

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

Cryptography and Security Final Exam

Public Key Cryptography

Lecture 11: Number Theoretic Assumptions

Public Key Cryptography

CIS 551 / TCOM 401 Computer and Network Security

Lecture Notes on Secret Sharing

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

6.892 Computing on Encrypted Data September 16, Lecture 2

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

A Novel Strong Designated Verifier Signature Scheme without Random Oracles

Transcription:

Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion of security for this primitive, i.e. Semantic Security. We will discuss an alternative formulation of the semantic security definition that is sometimes more intuitive to work with. Finally, we will give two examples of semantically-secure public-key encryption schemes, namely the El-Gamal Encryption and the Paillier Encryption schemes. Throughout the sequel, we denote the security parameter by λ. Public-Key Encryption A public-key encryption (PKE) scheme E = (G, E, D) consists of three algorithms. The key generation algorithm G takes as input the security parameter λ in unary form and outputs a pair (P K, SK), the public key and secret key for E. That is (P K, SK) G(1 λ ). The encryption algorithm E takes as input a public key P K and a message m and outputs a ciphertext c. That is, c E(P K, m). The decryption algorithm D takes as input a secret key SK and a ciphertext c and outputs a message m. That is m D(SK, m). Usually, the key generation and encryption algorithms are probabilistic while the decryption algorithm is deterministic 1. The correctness property of the PKE scheme E is defined as: (P K, SK) G(1 λ ) m : D(SK, E(P K, m)) = m The most basic notion of security for a PKE encryption scheme E is Semantic Security or Indistinguishability. As usual, we define this notion in terms of a game between a challenger 1 The encryption algorithm must be probabilistic, even to satisfy the most basic notion of security for PKE schemes. The decryption algorithm may be probabilistic, but for most PKE schemes it is possible to derandomize the L8-1

C and an attacker A which proceeds as follows: Challenger C Attacker A (P K, SK) G(1 λ ) b $ {0, 1}; c E(P K, m b ) P K (m 0,m 1 ) c ˆb {0,1} The advantage of the adversary A against an encryption scheme E in the above game is defined as follows: AdvDist A [E] def = Pr[ˆb = b] 1 The encryption scheme E is said to be semantically secure if for all probabilistic polynomial time adversaries A, the advantage AdvDist A [E] is negligible. Alternative Definition We will now give an alternative way to define the security of a public-key encryption scheme that will be more useful when analyzing the encryption scheme as a part of a large cryptosystem. In this alternative definition, we define two games between the challenger and the adversary as follows: Challenger C (P K, SK) G(1 λ ) c E(P K, m i ) Game i(=0 or 1) P K (m 0,m 1 ) c ˆb {0,1} Attacker A The task of the adversary A in this definition is to distinguish between these two games and its advantage against the encryption scheme E is defined as: AdvDist def A [E] = Pr[ˆb = 1 game 0] Pr[ˆb = 1 game 1] A public-key encryption scheme E is said to be secure under this definition is the advantage AdvDist A is negligible for any probabilistic polynomial-time adversary A. We will now show L8-

that this alternative definition is essentially the same as the semantic security definition given above. Claim 1. For any public-key encryption scheme E = (G, E, D) and any adversary A, Proof. AdvDist A [E] = AdvDist A[E] 1 AdvDist A [E] = 1 P r[ˆb = 1 b = 0 in 1 st definition] P r[ˆb = 1 b = 1 in 1 st definition] = 1 (1 P r[ˆb = b b = 0 in 1 st defn.]) P r[ˆb = b b = 1 in 1 st defn.] = 1 ( P r[ˆb = b (b = 0 in 1 st defn.)] + P r[ˆb = b (b = 1 in 1 defn.)]) st = 1 P r[ˆb = b in 1 st definition] AdvDist A[E] = AdvDist A [E] When analyzing the security of a larger system which makes use of the encryption scheme, this alternative definition turns out to be more natural to use than the semantic security definition. Multi-message security We can modify the definition of semantic security to define the notion of multi-message security for public-key encryption schemes. This definition is again given as a game between the challenger C and the adversary A. Challenger C Attacker A b $ {0, 1} (P K, SK) G(1 λ ) P K. (mi 0,mi 1 ) c E(P K, m i b ) c. ˆb {0,1} L8-3

As before, the task of the adversary is to predict the value of b used by the challenger. AdvDistM A [E] = 1/ Pr[b = ˆb It seems as though the adversary should have a better chance of guessing the challenger s bit b, since it gets to send more than one challenge message pairs. However, it can be shown that the a semantically-secure public-key encryption scheme is also multi-message semantically secure. Claim. If an encryption scheme E is semantically-secure then it is also multi-message semantically-secure. Proof. Let us assume that the multi-message adversary A sends q challenge message pairs, (m j 0, m j 1) j=1...q. Then we construct (q + 1) hybrid games between the challenger and the adversary, game 0 to game q. In game i, the challenger encrypts the message m j 0 for j i, and m j 1 for j > i. Thus in game 0 the challenger encrypts the message mj 0 for all j and in game q it encrypts the message m j 1 for all j. If the multi-message adversary A has nonnegligible advantage, then the probability that it outputs 1 in game 0 and in game q differs by a non-negligible amount. Thus, we can deduce that there is an i {0... (q 1)} such that the probability that the adversary A outputs 1 in game i and in game (i + 1) differs by a non-negligible amount. We construct the semantic-security adversary A using the multi-message adversary A as a subroutine. The adversary A chooses a random i {0... (q 1)} and encrypts the message m j 0 for j i for the first i message pairs given by A. It sends the (i + 1) th message pair sent by A to the semantic security challenger C and sends the response of C to the multi-message adversary A. For the remaining (q i 1) message pairs sent by A, the adversary A always encrypts the message m j 1. Finally it outputs the bit ˆb output by A. We can extend the above claim and define the notion of multi-key multi-message semanticsecurity for public-key encryption schemes. However, a hybrid argument, slightly more involved than the one above, can be used to show that any semantically-secure encryption scheme satisfies this notion as well. Examples of Semantically-secure Encryption Schemes We will discuss two examples of semantically secure encryption schemes, the El-Gamal Encryption scheme and the Paillier Encryption scheme. El-Gamal Encryption The El-Gamal encryption scheme is defined over a group G of order q. The encryption scheme E El Gamal = (KeyGen, E, D) consists of the following three algorithms. L8-4

KeyGen(sysP arams, 1 k ): g $ G\{1 G }; x $ Z q ; h g x ; P K (g, h); SK x; output (P K, SK) E(P K, m), m G: r $ Z q ; u g r ; v h r ; w v m; output c (u, w); D(SK, (u, w)): output m w/u x ; We shall prove the semantic security of this scheme based on the Diffie-Hellman assumption. We define two variations of the Diffie-Hellman assumption next. Assumption 3 (Computational Diffie-Hellman (CDH) assumption). For a generator g of the group G of order q, and for x, r $ Z q, it is hard to compute g xr given (g, g x, g r ). Assumption 4 (Decisional Diffie-Hellman (DDH) assumption). For a generator g of the group G of order q, and for x, r, y $ Z q, (g, g x, g r, g xr ) comp (g, g x, g r, g y ) Here comp denotes computational indistinguishability. It is easy to see that the CDH assumption is a weaker assumption than the DDH assumption. We will base the security of the El-Gamal encryption scheme on the DDH assumption for the underlying group G. Theorem 5. The El-Gamal encryption scheme is semantically-secure, provided the DDH assumption holds for the underlying group G. Proof. We will prove this theorem via a hybrid argument. Let us describe the sequence of hybrid games. Game 0. This is the semantic security game between the challenger C and the adversary L8-5

A defined for the El-Gamal encryption scheme. Challenger C Attacker A g $ G\{1 G } x $ Z q h g x (g,h) (m 0,m 1 ) b $ {0, 1} r $ Z q u g r v h r w v m b c=(u,w) ˆb {0,1} In the next game, we will modify the underlined text in the description of the challenger. We will define an event associated with this game: W 0 def = {(b = ˆb) in game 0} Game 1. Now we will modify game 0 so that the ciphertext c sent by the challenger looks like a random group element to the adversary. Challenger C Attacker A g $ G\{1 G }.. u g r y Z q v g y w v m b (g,h) (m 0,m 1 ) c=(u,w) ˆb {0,1} L8-6

Let us define a similar event associated with the adversary in this game. W 1 def = {(b = ˆb) in game 1} We will first show that if the DDH assumption holds for the underlying group G, then games 0 and 1 look similar to the adversary A. Let us start by defining what we mean by the advantage of a DDH adversary B, i.e. AdvDDH B. The DDH attacker B gets a tuple (g, h, u, v) from the DDH challenger, and outputs either 1 or 0. The advantage AdvDDH B is defined as the difference in the probability that B outputs 1 when it gets a valid DDH tuple and when v is a random group element. Claim 6. There is a DDH adversary B for the group G that has advantage AdvDDH B = Pr[W 0 ] Pr[W 1 ] Proof. The DDH adversary B uses the El-Gamal adversary A as follows: DDH Challenger B A (g,h,u,v) b b $ {0, 1} w v m b b { 1; b = ˆb 0; o/w P K=(g,h) (m 0,m 1 ) c (u,w) ˆb If (g, h, u, v) is a DDH tuple, then the attacker B acts as the challenger of game 0, otherwise it acts as the challenger in game 1. Next we show that from the attacker A cannot do better than guess the bit b at random in game 1. Claim 7. Pr[W 1 ] = 1/ Proof. This is clearly true since w sent by the challenger is simply a random group element and in particular, it is independent of the choice of bit b. Finally we can combine the above claims to deduce that Pr[W 0 ] 1/ = AdvDDH B L8-7

Paillier Encryption Scheme Let us start by describing the mathematical set-up for the Paillier encryption scheme. Let N = P Q be a product of two large prime numbers P and Q, so that φ(n) = (P 1)(Q 1). We additionally assume that gcd(φ(n), N) = 1. The Paillier encryption scheme works over the multiplicative subgroup Z N. Using Chinese remainder theorem, we can show that Z N is isomorphic to Z N Z N as follows: Z N = ZP Z Q Z N = Z P Z Q = ZP (P 1) Z Q(Q 1) = ZP Z Q Z (P 1) Z (Q 1) = ZP Q Z (P 1) Z (Q 1) = ZN Z N In fact, we can make this isomorphism explicit by providing a representation of any element of Z N in terms of an element each from Z N and Z N. We denote by [k] N, the residue class corresponding to k in the ring Z N. Now let α def = [1 + N] N. Then we can deduce that, α k = [(1 + N) k ] N = [1 + Nk] N Also, we can represent any element β Z N as [b + Nc] N, for 0 b, c < N. Moreover, elements β Z N are of the form [b + Nc] N, where 0 b, c < N and gcd(b, N) = 1. From these observations, we can deduce that α is an element of Z N of order N. Additionally, it is easy to compute k given α k. We can set up a homomorphism from Z N to Z N using α as follows: ρ 1 : Z N Z N [k] N α k = [1 + Nk] N We can also set up a homomorphism from Z N to Z N as follows: ρ : Z N Z N [b] N [b N ] N In order to see that this map is well defined, consider b 1 b that mod N. Then we can deduce b 1 = b + Nc b N 1 = b N + ( N 1 b N 1 b N mod N ) b N 1 Nc + terms with N L8-8

Moreover, this homomorphism is also one-to-one which can be seen by computing the kernel of ρ. b N 1 mod N b N 1 mod N b 1 mod N {because gcd(n, φ(n)) = 1} Hence we can deduce that Im(ρ 1 ) is a subgroup of Z N of order N. On the other hand Im(ρ ) has an exponent dividing φ N. Since we know that gcd(n, φ(n)) = 1, we can deduce that Im(ρ 1 ) Im(ρ ) = {[1] N } Thus, we can combine the above homomorphisms to get an isomorphism between Z N Z N and Z N as follows: ρ : Z N Z N Z N ([k] N, [b] N ) α k [b N ] N This map ρ is one-to-one because kernel(ρ) = {[1] N }. This is because no element in Im(ρ 1 ) has a multiplicative inverse in Im(ρ ) except [1] N. And since the cardinalities of the sets Z N Z N and Z N are the same, we can also deduce that ρ is onto. Hence ρ defines an explicit isomorphism between Z N Z N and Z N. Now we are ready to describe the Paillier encryption scheme. The encryption scheme is E P aillier = (KeyGen, E, D), with the following algorithms: KeyGen(sysP arams, 1 k ): generate N = P Q with gcd(n, φ(n)) = 1 P K N; SK (P, Q) output (P K, SK) E(P K, k), k Z N : b $ Z N c ρ(k, b) (= α k [b N ] N ) output c; D(SK, c): compute c φ(n) = α kφ(n) compute (α kφ(n) ) φ(n) 1 mod N = α k output k from α k The semantic security of Paillier encryption scheme is based on a slightly non-standard assumption. L8-9

Assumption 8 (Decisional Composite Residuosity (DCR) assumption). For N chosen as described above, it is the case that Z N comp (Z N )N The DCR assumption essentially says that a random element of the group Z N is computationally indistinguishable from a random element of Z N of order φ(n). Given this assumption, it is easy to see that the adversary gets essentially no information regarding the message from the ciphertext c. c = α k [b N ] N for random b Z N comp α k α r [b N 1 ] N for random r Z N and b Z N = α k+r [b N 1 ] N The Paillier encryption scheme is especially interesting because it is a Homomorphic PKE scheme. That is, given a ciphertext for two messages k 1 and k, one can compute the ciphertext for k 1 + k without knowing the secret key. c 1 = α k1 [b 1 ] N and c = α k [b ] N c 1 c = α k 1+k [b 1 b ] N D(SK, c 1 c ) = k 1 + k L8-10

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback