Lecture 16: Public Key Encryption:II

Similar documents
Public-Key Encryption

Lecture 14: Hardness Assumptions

Chosen-Ciphertext Security (I)

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Lecture 17: Constructions of Public-Key Encryption

Lecture 22: RSA Encryption. RSA Encryption

Introduction to Cybersecurity Cryptography (Part 5)

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

5199/IOC5063 Theory of Cryptology, 2014 Fall

Lecture 5: Hard Core Predicates

Lecture 11: Key Agreement

ASYMMETRIC ENCRYPTION

Digital Signatures. Adam O Neill based on

Introduction to Cryptography. Lecture 8

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Digital Signatures. p1.

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

1 Number Theory Basics

Public-Key Encryption: ElGamal, RSA, Rabin

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lecture Notes, Week 6

Introduction to Cybersecurity Cryptography (Part 4)

Advanced Cryptography 03/06/2007. Lecture 8

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

5.4 ElGamal - definition

Introduction to Elliptic Curve Cryptography

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Advanced Topics in Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

Chapter 11 : Private-Key Encryption

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Introduction to Modern Cryptography. Benny Chor

Solutions to homework 2

Lecture 7: ElGamal and Discrete Logarithms

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Provable security. Michel Abdalla

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

10 Concrete candidates for public key crypto

RSA-OAEP and Cramer-Shoup

The Cramer-Shoup Cryptosystem

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Introduction to Modern Cryptography. Benny Chor

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

Notes for Lecture 16

ECS 189A Final Cryptography Spring 2011

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

RSA and Rabin Signatures Signcryption

RSA. Ramki Thurimella

Lecture V : Public Key Cryptography

Algorithmic Number Theory and Public-key Cryptography

El Gamal A DDH based encryption scheme. Table of contents

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

CPSC 467: Cryptography and Computer Security

CS 355: Topics in Cryptography Spring Problem Set 5.

Lattice Cryptography

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

G Advanced Cryptography April 10th, Lecture 11

Cryptography IV: Asymmetric Ciphers

DATA PRIVACY AND SECURITY

Mathematics of Cryptography

Lecture 1: Introduction to Public key cryptography

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

1 Public-key encryption

Exam 2 Solutions. In class questions

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Classical hardness of Learning with Errors

MATH 158 FINAL EXAM 20 DECEMBER 2016

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lecture Note 3 Date:

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Lecture 13: Private Key Encryption

Chapter 8 Public-key Cryptography and Digital Signatures

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

The security of RSA (part 1) The security of RSA (part 1)

Public Key Algorithms

Week : Public Key Cryptosystem and Digital Signatures

Number theory (Chapter 4)

14 Diffie-Hellman Key Agreement

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Public Key Cryptography

Mathematical Foundations of Public-Key Cryptography

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

Encryption: The RSA Public Key Cipher

Introduction to Cryptography. Susan Hohenberger

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Notes for Lecture 17

Transcription:

Lecture 16: Public Key Encryption:II Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 1 / 17

Last time PKE from ANY trapdoor permutation RSA-based trapdoor permutation Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 2 / 17

Today ElGamal Public-Key Encryption Some Comments about Textbook RSA Some attacks on RSA LWE based Public-Key Encryption Scribe notes volunteeer? Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 3 / 17

(Weak) Indistinguishability Security for PKE Definition (Secure Public-Key Encryption) A public-key encryption scheme tgen, Enc, Decu is said to be secure if for all non-uniform PPT D there exists a negligible function µ such that for all n P N, for all pair of messages m 0, m 1 P M such that m 0 m 1, D distinguishes between the following distributions with at most νpnq advantage: tppk, skq Ð Genp1 n q : ppk, Encppk, m 0 qqu tppk, skq Ð Genp1 n q : ppk, Encppk, m 1 qqu I.e., the distributions above are computationally indistinguishable. Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 4 / 17

Recall: DDH Problem Recall the DDH Problem: for a large prime p, and a generator g for the group Z p:!x Ð Z p, y Ð Z p : `g x, g y, g xy ) «c! x Ð Z p, y Ð Z p, z Ð Z p : `g x, g y, g z ) Recall: Z p p 1 is not prime! (This makes the problem easier in some special cases) Recall: we work with a prime order subgroup of Z p by picking a safe prime p 2q ` 1 and g x 2 for a random x P Z p. G q = group generated by g = tg 0, g 1,..., g q 1 u. G q q. There are other ways as well to obtain prime order groups G where DDH is conjectured to be hard. Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 5 / 17

Recall: DDH Problem DDH Assumption: Let G be a group of prime order q and g P G be a generator of G!x Ð Z q, y Ð Z q : `g x, g y, g xy ) «c! x Ð Z q, y Ð Z q, z Ð Z q : `g x, g y, g z ) Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 6 / 17

ElGamal Public-Key Encryption ElGamal Scheme: Let G be a prime order group where DDH Assumption holds. The description of G and its order q are publicly known. Messages are group elements and the message space is M G. Genp1 n q: sample g Ð G, x Ð Z q and set h g x P G. Output ppk, skq where: pk pg, hq sk x Encppk, mq for m P G: choose a random r Ð Z q and output: pg r, m h r q Decpsk, cq where c pc 1, c 2 q: output Correctness: m c 2 c x 1 m c 2 c x 1 m hr g rx c 2 ˆ pinverse of c x 1q m pgx q r g m. rx Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 7 / 17

Security of ElGamal Scheme Proof based on DDH Assumption: We now prove that ElGamal scheme is secure assuming that the DDH assumption holds. We have to show that for all m 0, m 1 P G these two distributions are indistinguishable: tppk, skq Ð Genp1 n q : ppk, Encppk, m 0 qqu tppk, skq Ð Genp1 n q : ppk, Encppk, m 1 qqu Let D be a PPT algorithm. Start with the first distribution, and slowly go to the second distribution. Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 8 / 17

Security of ElGamal Scheme Game-0: tppk, skq Ð Genp1 n q : ppk, Encppk, m 0 qqu = g, h, g r, m 0 h r( = g, g x, g r, m 0 g xr( Game-1: Use g z for a random z instead of g xr. We get: = g, g x, g r, m 0 g z( Claim: Game-0 and Game-1 are indistinguishable. Proof: Suppose that D can distinguish Game-0 and Game-1. We construct D 1 which can break DDH Assumption D 1 gets as input pg, g x, g y, g α q where α xy or α z. D 1 sends pg, g x, g y, m 0 g α q to D, D 1 outputs whatever D outputs. If α xy, D is in Game-0. If α z, D is in Game-1. If D tells Game-0, Game-1 apart, D 1 tells DDH tuples apart! Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 9 / 17

Textbook RSA-Encryption Public-Key Encryption: Genp1 n q: Sample p, q Ð Π n and set N Ð pq. Sample e Ð Z φpnq and compute d s.t. ed 1 mod φpnq. Output pk pn, eq and sk pn, dq. Message space M Z N Encppk, mq for pk pn, eq outputs f N,e pmq m e mod N. Decpsk, cq for sk pn, dq outputs c d mod N. The correct way to encrypt: construction from previous class. More efficient way to encrypt: RSA-OAEP+ Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 10 / 17

Textbook RSA-Signature RSA can be used as a signature as well! Simply use e to verify and d to sign instead of decrypt! Signature scheme: Genp1 n q: Sample p, q Ð Π n and set N Ð pq. Sample e Ð Z φpnq and compute d s.t. ed 1 mod φpnq. Output vk pn, eq and sk pn, dq. Message space M Z N Signpsk, mq for sk pn, dq outputs σ m d mod N. Verifypvk, m, σq for vk pn, eq outputs 1 iff σ e m mod N. Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 11 / 17

Remarks on Textbook RSA-Signature Signature function Signpsk, mq for sk pn, dq: f N,d pmq m d mod N. Verification checks m σ e mod N. Signature is deterministic but that is not a problem! Can you forge a signature? Not if someone gives you a random challenge (RSA Assumption). However: what if you select your own messages? Forgery: Choose a random α Ð Z N. Adversary knows the verification key vk pn, eq. It can compute: β α e mod N. Notice that pβ, αq is a valid (message, signature) pair! Read: how to sign from any trapdoor permutation. Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 12 / 17

Attacks on the RSA Function To speed up encryption, choose a short e: e.g., e 3. This is often a big problem! A Simple Example (Coppersmith, Hastad, and Boneh): Suppose Alice broadcasts m to 3 people with keys pn 1, 3q, pn 2, 3q, pn 3, 3q. c 1 m 3 mod N 1, c 2 m 3 mod N 2 and c 3 m 3 mod N 3 Suppose that N 1, N 2, N 3 are co-primes (no common factors, otherwise easy to get m). You can compute (by Chinese Remainder Theorem): C 1 m 3 mod N 1 N 2 N 3. m is less than N 1, N 2, N 3 ñ m 3 ă N 1 N 2 N 3. Therefore, m 3? C 1 on integers (modulus plays no role)! Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 13 / 17

Attacks on the RSA Function How often can you apply this attack? When same e is used by at least k ě e parties This takes modulus out of the equation and you can solve over integers (easy) If e is large enough, attack is not practical. Current wisdom: low exponent RSA when used carefully with appropriate padding is still secure. You can use e of special form, e.g., e 2 16 ` 1 to speed up exponentiation and use appropriate padding. (M. Weiner): If d ă 1 3 N 0.25, easy to get d from pn, eq. (Boneh-Durfee): If d ă N 0.292, east to get d from pn, eq. Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 14 / 17

LWE-based Public Key Encryption Let q ě 2 be a modulus, n the security parameter (a.k.a dimension), and α! 1 an erroer parameter such that αq ą? n. LWE Instance: choose a random (column) vector s $ Ð Z n q (secret) choose a random matrix of coefficients A $ Ð Z mˆn q choose a Gaussian error vector e χ Ð Z m (column) where χ is a Gaussian distribution over Z with parameter αq Let b A s ` e The LWE instance is: pa, bq Decisional LWE Assumption: hard to distinguish an LWE pair from a random instance. pa, bq «c pa, uq where u P Z m q is a random column vector. Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 15 / 17

LWE-based Public Key Encryption Regev s scheme based on LWE. Key Generation: choose s Ð $ Z n q, A Ð $ Z mˆn q, e Ð χ Z m, b A s ` e (as before). the keys are: pk pa, bq, sk s Encryption (for a bit): pick a row-vector of bits x $ Ð t0, 1u m, output: Decryption: pc xa, c 1 xb ` bit q 2 q c 1 c s pxb ` bit q q q q xas pxb ` bit q xb ` xe «bit 2 2 2. Parameters: n 2 ď q ď 2n 2, m 1.1n log q, α 1{p? n log 2 nq. Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 16 / 17

LWE-based Public Key Encryption Correctness: if not for the error term, the value would be either 0 or q{2. The error is adding at most m independent normally distributed variables whose standard deviation is? mαq ă q{ log n. The probability that it goes over q{4 is negligible. Security: (LWE + LHL) Game 0: Real pk = LWE instance = pa, bq Game 1: change pk to a random instance = pa, uq Game 2: change bit from 0 to 1 (one-time pad, due to LHL) Game 3: change pk back to LWE instance Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 17 / 17

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback