Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Similar documents
Notes for Lecture 17

Lecture 17: Constructions of Public-Key Encryption

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Notes for Lecture 25

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

5.4 ElGamal - definition

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4)

ECS 189A Final Cryptography Spring 2011

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

El Gamal A DDH based encryption scheme. Table of contents

1 Number Theory Basics

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Introduction to Cryptography. Lecture 8

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Notes for Lecture 9. 1 Combining Encryption and Authentication

CPSC 467b: Cryptography and Computer Security

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Introduction to Cryptology. Lecture 20

Public Key Cryptography

CS294: Pseudorandomness and Combinatorial Constructions September 13, Notes for Lecture 5

Introduction to Cybersecurity Cryptography (Part 5)

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

CIS 551 / TCOM 401 Computer and Network Security

Lecture 1: Introduction to Public key cryptography

Public-Key Encryption: ElGamal, RSA, Rabin

Lecture Notes, Week 6

Notes on Zero Knowledge

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

An Introduction to Probabilistic Encryption

10 Concrete candidates for public key crypto

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Exercise Sheet Cryptography 1, 2011

Pseudorandom Generators

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

ASYMMETRIC ENCRYPTION

Cryptography IV: Asymmetric Ciphers

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

CPSC 467b: Cryptography and Computer Security

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Digital Signatures. Adam O Neill based on

14 Diffie-Hellman Key Agreement

Lecture Note 3 Date:

Lecture 7: ElGamal and Discrete Logarithms

Lecture 14: Hardness Assumptions

Cryptography and Security Final Exam

Introduction to Elliptic Curve Cryptography

Provable security. Michel Abdalla

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lattice Cryptography

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Cryptographic Hardness Assumptions

Lecture 11: Key Agreement

Public-Key Encryption

Notes for Lecture 27

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Pseudo-random Number Generation. Qiuliang Tang

Notes for Lecture 7. 1 Increasing the Stretch of Pseudorandom Generators

1 Public-key encryption

CPA-Security. Definition: A private-key encryption scheme

Cryptography and Security Midterm Exam

Advanced Cryptography 03/06/2007. Lecture 8

Introduction to Modern Cryptography. Benny Chor

Pseudorandom Generators

Notes for Lecture 14 v0.9

Introduction to Modern Cryptography. Benny Chor

G Advanced Cryptography April 10th, Lecture 11

Chapter 11 : Private-Key Encryption

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Lecture 22: RSA Encryption. RSA Encryption

Elliptic Curve Cryptography

1 Rabin Squaring Function and the Factoring Assumption

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Advanced Cryptography 1st Semester Public Encryption

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

CPSC 467: Cryptography and Computer Security

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

8.1 Principles of Public-Key Cryptosystems

Computer Science A Cryptography and Data Security. Claude Crépeau

Transcription:

U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions of CPA-secure encryption schemes. First, we return to the Decision Diffie Hellman assumption (the one under which we proved the security of the El Gamal encryption scheme) and we show that it fails for Z p, although it is conjectured to hold in the subgroup of quadratic residues of Z p. Then we introduce the notion of trapdoor permutation and show how to construct CPA-secure public-key encryption from any family of trapdoor permutations. Since RSA is conjectured to provide a family of trapdoor permutations, this gives a way to achieve CPA-secure encryption from RSA. 1 Decision Diffie Hellman and Quadratic Residues Recall that if D is a distribution over triples (G, g, q), in which G is a cyclic group of q elements and g is a generator, then D satisfies the (t, ɛ) Decision Diffie Hellman Assumption if for every algorithm A of complexity t we have P[A(G, g, q, g x, g y, g z ) = 1] P[A(G, g, q, g x, g y, g x y ) = 1] ɛ (1) where G, g, q are distributed as in D, and x, y, z are integers uniformly distributed in {0,..., q 1}. In Lecture 17, we gave the group Z p, p prime, as an example of cyclic group for which the discrete logarithm problem is conjectured to be hard. The Decision Diffie Hellman assumption, however, is always false for groups of the type Z p. To see why, we need to consider the notion of quadratic residue in Z p. An integer a {1,..., p 1} is a quadratic residue if there exists r {1,..., p 1} such that a = r 2 mod p. (In such a case, we say that r is a square root of a.) As an example, let p = 11. The elements of Z p are, Z p = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} 1

The squares of the elements, mod p: The quadratic residues of Z p: 1, 4, 9, 5, 3, 3, 5, 9, 4, 1 Q p = {1, 4, 9, 5, 3} For every odd primes p, exactly (p 1)/2 of the elements of Z p are quadratic residues, and each has two square roots. Furthermore, there is an efficient algorithm (polynomial in the number of digits of a) to check whether a is a quadratic residue. This fact immediately gives an algorithm that contradicts (1) if we take G to be Z p, when ɛ < 1/4. To see why this is so, first consider g, a generator in Z p. Then g x mod p is a quadratic residue if and only if x is even: Since g is a generator, Z p can be written as, Z p = {g 0, g 1,..., g p 2 } Squaring every element in Z p gives the quadratic residues: Q p = {g 0, g 2,..., g 2(p 2) } When x is even, g x is the square of g x/2 Z p. All the quadratic residues can be written as g x, x = 2i so x must be even. In (1) g z is a random element in Z p so it is a quadratic residue with probability 1/2. But g x y is a quadratic residue with probability 3/4 (if x, y, or x and y are even). Since there is an efficient algorithm to check if a value is a quadratic residue, the algorithm A can easily distinguish between (G, g, q, g x, g y, g z ) and (G, g, q, g x, g y, g x y with probability > 1/4 by outputting 1 when it finds that the final input parameter (either g z or g x y ) is a quadratic residue. Note, however, that the set Q p of quadratic residues of Z p is itself a cyclic group, and that if g is a generator of Z p then g 2 mod p is a generator of Q p. Q p is a cyclic group: 1 is a quadratic residue if r 1 = x 2 1, r 2 = x 2 2 are quadratic residues, then r 1 r 2 = (x 1 x 2 ) 2 is a quadratic residue. if r = x 2 is a quadratic residue then r 1 = (x 1 ) 2 is a quadratic residue If g is a generator of Z p then g 2 mod p is a generator of Q p : Q p = {g 0, g 2,... g 2(p 2) } 2

Which is exactly Q p = {(g 2 ) 0, (g 2 ) 1,... (g 2 ) (p 2) } It is believed that if p is a prime of the form 2q +1, where q is again prime then taking G = Q p and letting g be any generator of G satisfies (1), with t and 1/ɛ exponentially large in the number of digits of q. 2 Trapdoor Permutations and Encryption A family of trapdoor permutations is a triple of algorithms (G, E, D) such that: 1. G() is a randomized algorithm that takes no input and generates a pair (pk, sk), where pk is a public key and sk is a secret key; 2. E is a deterministic algorithm such that, for every fixed public key pk, the mapping x E(pk, x) is a bijection; 3. D is a deterministic algorithm such that for every possible pair of keys (pk, sk) generated by G() and for every x we have D(sk, E(pk, x)) = x That is, syntactically, a family of trapdoor permutations is like an encryption scheme except that the encryption algorithm is deterministic. A family of trapdoor permutations is secure if inverting E() for a random x is hard for an adversary that knows the public key but not the secret key. Formally, Definition 1 A family of trapdoor permutations (G, E, D) is (t, ɛ)-secure if for every algorithm A of complexity t P [A(pk, (E(pk, x))) = x] ɛ (pk,sk) G(),x It is believed that RSA defines a family of trapdoor permutations with security parameters t and 1/ɛ that grow exponentially with the number of digits of the key. Right now the fastest factoring algorithm is believed to run in time roughly 2 O(k1/3), where k is the number of digits, and so RSA with k-bit key can also be broken in that much time. In 2005, an RSA key of 663 bits was factored, with a computation that used about 2 62 elementary operations. RSA with keys of 2048 bits may plausibly be (2 60, 2 30 )-secure as a family of trapdoor permutations. In order to turn a family of trapdoor permutations into a public-key encryption scheme, we use the notion of a trapdoor predicate. 3

Definition 2 Let (G, E, D) be a family of trapdoor permutations, where E takes plaintexts of length m. A boolean function P : {0, 1} m {0, 1} is a (t, ɛ)-secure trapdoor predicate for (G, E, D) if for every algorithm A of complexity t we have P [A(pk, E(pk, x)) = P (x)] 1 (pk,sk) G(), x 2 + ɛ Remark 3 The standard definition is a bit different. This simplified definition will suffice for the purpose of this section, which is to show how to turn RSA into a public-key encryption scheme. Essentially, P is a trapdoor predicate if it is a hard-core predicate for the bijection x E(pk, x). If (G, E, D) is a secure family of trapdoor permutations, then x E(pk, x) is one-way, and so we can use Goldreich-Levin to show that x, r is a trapdoor predicate for the permutation E (pk, (x, r)) = E(pk, x), r. Suppose now that we have a family of trapdoor permutations (G, E, D) and a trapdoor predicate P. We define the following encryption scheme (G, E, D ) which works with one-bit messages: G (): same as G() E (pk, b): pick random x, output E(pk, x), P (x) b D (pk, (C, c)) := P (D(pk, C)) c Theorem 4 Suppose that P is (t, ɛ)-secure trapdoor predicate for (G, E, D), then (G, E, D ) as defined above is (t O(1), 2ɛ)-CPA secure public-key encryption scheme. Proof: In Theorem 2 of Lecture 13 we proved that if f is a permutation and P is a (t, ɛ) hard-core predicate for f, then for every algorithm A of complexity t O(1) we have P[A(f(x), P (x)) = 1] P[A(f(x)), r) = 1] ɛ (2) where r is a random bit. Since P[A(f(x)), r) = 1] = 1 2 P [A(f(x), P (x)) = 1] + 1 2 P [A(f(x), 1 P (x)) = 1] we can rewrite (2) as P[A(f(x), P (x)) = 1] P[A(f(x)), P (x) 1) = 1] 2ɛ And taking f to be our trapdoor permutation, 4

that is, P[A(E(pk, x), P (x) 0) = 1] P[A(E(pk, x), P (x) 1) = 1] 2ɛ P[A(E (pk, 0)) = 1] P[A(E (pk, 1)) = 1] 2ɛ showing that E is (t O(1), 2ɛ) CPA secure. The encryption scheme described above is only able to encrypt a one-bit message. Longer messages can be encrypted by encrypting each bit separately. Doing so, however, has the undesirable property that an l bit message becomes an l m bit ciphertext, if m is the input length of P and E(pk, ). A cascading construction similar to the one we saw for pseudorandom generators yields a secure encryption scheme in which an l-bit message is encrypted as a cyphertext of length only l + m. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback