Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64
Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability definition Hybrid argument Remarks, questions, comments? 2 / 64
Last Time (II) Exercises done 1) Negligible functions 2) Probabilities 3 5) Indistinguishability 3 / 64
Outline of Today: Security Notions 1 Cyclic Groups 4 / 64
Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 4 / 64
Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 / 64
Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 4 / 64
Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 4 / 64
Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 4 / 64
Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 4 / 64
Cyclic Groups Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 5 / 64
Cyclic Groups Definitions (I) A group (G, ) is composed of a set G and a binary operator on G which satisfy the three following axioms: a, b, c G, a (b c) = (a b) c e G, a G, e a = a e = a a G, b G, a b = b a = e Associativity Neutral Element Inverse Element b is called the inverse of a and is denoted by a 1. Example (Z, +), (Z/nZ, +), permutation group, (M (n,n), +). Counter-Example (N, +), (M (n,n), ) 6 / 64
Cyclic Groups Definitions (II) Cyclic Group A group G is cyclic if G is finite and there exists an element g of G such that: a G, n N, a = g n Element g is called a generator of group G. Example If p is a prime number, then Z/pZ is a cyclic group. 7 / 64
Hard Problems Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 8 / 64
Hard Problems Integer Factoring and RSA Use of algorithmically hard problems. Factorization p, q n = p.q n = p.q p, q easy (quadratic) difficult RSA function n = pq, p and q primes. e: public exponent x x e mod n easy (cubic) y = x e x mod n difficult x = y d where d = e 1 mod φ(n) 9 / 64
Hard Problems Complexity Estimates Estimates for integer factoring Lenstra-Verheul 2000 Modulus Operations (bits) (log 2 ) 512 58 1024 80 2048 111 4096 149 8192 156 2 60 years Can be used for RSA too. 10 / 64
Hard Problems The Diffie-Hellman Key Exchange Protocol Let g be a generator of a cyclic group of prime order q. A B : g a B A : g b A B : {N} g ab 11 / 64
Hard Problems Hard Problems Most cryptographic constructions are based on hard problems. Their security is proved by reduction to these problems: Discrete Logarithm problem, DL. Given a group g and g x, compute x. Computational Diffie-Hellman, CDH Given a group g, g x and g y, compute g xy. Decisional Diffie-Hellman, DDH Given a group g, distinguish between the distributions (g x, g y, g xy ) and (g x, g y, g r ). RSA. Given N = pq and e Z ϕ(n), compute the inverse of e modulo ϕ(n) = (p 1)(q 1). Factorization 12 / 64
Hard Problems Relation between the problems Prop DL CDH DDH. Prop (Moaurer & Wolf) For many groups, DL CDH Prop (Joux & Wolf) There are groups for which DDH is easier than CDH. 13 / 64
Hard Problems Usage of DH assumption The Diffie-Hellman problems are widely used in cryptography: Public key cryptosystems [ElGamal, Cramer& Shoup] Pseudo-random functions [Noar& Reingold, Canetti] Pseudo-random generators [Blum& Micali] (Group) key exchange protocols [many] 14 / 64
Hard Problems Example: ElGamal Encryption Scheme Key generation: Alice chooses a prime number p and a group generator g of (Z/pZ) and a (Z/(p 1)Z). Public key: (p, g, h), where h = g a mod p. Private key: a Encryption: Bob chooses r R (Z/(p 1)Z) and computes (u, v) = (g r, Mh r ) Decryption: Given (u, v), Alice computes M p v u a Justification: v u a = Mh r g ra p M Remarque: re-usage of the same random r leads to a security flaw: M 1 h r M 2 h r p M 1 M 2 Practical Inconvenience: Cipher is twice as long as plain text. 15 / 64
Ideas of Security Notions Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 16 / 64
Ideas of Security Notions Adversary Model Qualities of the adversary: Clever: Can perform all operations he wants Limited time: Do not consider attack in 2 60. Otherwise a Brute force by enumeration is always possible. Model used: Any Turing Machine. Represents all possible algorithms. Probabilistic: adversary can generates keys, random number... 17 / 64
Ideas of Security Notions One-Wayness (OW) Without the private key, it is computationally impossible to recover the plain-text. (Near of Perfect Security of Shannon) 18 / 64
Ideas of Security Notions Not enough Does not exclude to recover half of the plain-text Even worse if one has already partial information of the message: Subject: XXXX From: XXXX 19 / 64
Ideas of Security Notions Indistinguishability (IND) The adversary is not able to guess in polynomial-time even a bit of the plain-text knowing the cipher-text, notion introduced by S. Goldwasser and S.Micali ([GM84]). 20 / 64
Ideas of Security Notions Non Malleability (NM) The adversary should not be able to produce a new cipher-text such that the plain-texts are meaningfully related, notion introduced by D. Dolev, C. Dwork and M. Naor in 1991 ([DDN91,BDPR98,BS99]). 21 / 64
Ideas of Security Notions Relations Non Malleability Indistinguishability One-Wayness 22 / 64
Ideas of Security Notions Adversary Models The adversary is given access to oracles : encryption of all messages of his choice decryption of all messages of his choice Three classical security levels: Chosen-Plain-text Attacks (CPA) Non adaptive Chosen-Cipher-text Attacks (CCA1) only before the challenge Adaptive Chosen-Cipher-text Attacks (CCA2) unlimited access to the oracle (except for the challenge) 23 / 64
Ideas of Security Notions Chosen-Plain-text Attacks (CPA) Adversary can obtain all cipher-texts from any plain-texts. It is always the case with a scheme. 24 / 64
Ideas of Security Notions Non adaptive Chosen-Cipher-text Attacks (CCA1) Adversary knows the public key, has access to a decryption oracle multiple times before to get the challenge (cipher-text), also called Lunchtime Attack introduced by M. Naor and M. Yung ([NY90]). 25 / 64
Ideas of Security Notions Adaptive Chosen-Cipher-text Attacks (CCA2) Adversary knows the public key, has access to a decryption oracle multiple times before and AFTER to get the challenge, but of course cannot decrypt the challenge (cipher-text) introduced by C. Rackoff and D. Simon ([RS92]). 26 / 64
Ideas of Security Notions Parallels Attacks (PA0, PA1) Introduced by M. Bellare and A. Sahai ([BS99]) to prove the link between NM and IND. PA0 = Chosen Cipher-text Parallel Attack, after getting the challenge the adversary can ask for decrypting a finite number of cipher-text all AT THE SAME TIME which can be dependent of the challenge, but not of responses to decryption oracle. PA1 = CCA1 followed by PA0. 27 / 64
Definitions of Security Notions Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 28 / 64
Definitions of Security Notions Asymmetric Encryption An asymmetric encryption scheme S = (K, E, D) is defined by K: key generation E: encryption D: decryption K(η) = (k e, k d ) E ke (m, r) = c D(c, k d ) = m 29 / 64
Definitions of Security Notions One-Wayness (OW) AdversaryA: any polynomial time Turing Machine (PPTM) Basic security notion: One-Wayness (OW) Without the private key, it is computationally impossible to recover the plain text: Pr m,r [A(c) = m c = E(m, r)] is negligible. 30 / 64
Definitions of Security Notions Indistinguishability (IND) Game Adversary: A = (A 1, A 2 ) 1 The adversary A 1 is given the public key pk. 2 The adversary A 1 chooses two messages m 0, m 1. 3 b = 0, 1 is chosen at random and c = E(m b ) is given to the adversary. 4 The adversary A 2 answers b. The probability Pr[b = b ] 1 2 sould be negligible. 31 / 64
Definitions of Security Notions The IND-CPA Games Given an encryption scheme S = (K, E, D). An adversary is a pair A = (A 1, A 2 ) of polynomial-time probabilistic algorithms, b {0, 1}. Let Ind b CPA (A) be the following algorithm: Generate (pk, sk) R K(η). (s, m 0, m 1 ) R A 1 (η,pk) b R A2 (η,pk, s, E(pk, m b )) return b. Then, we define the advantage against the IND-CPA game by: Adv Ind CPA S,A (η) = Pr[b R Ind 1 CPA (A) : b = 1] Pr[b R Ind 0 CPA (A) : b = 1] 32 / 64
Definitions of Security Notions The IND-CCA1 Games Given an encryption scheme S = (K, E, D). An adversary is a pair A = (A 1, A 2 ) of polynomial-time probabilistic algorithms, b {0, 1}. Let Ind b CCA1 (A) be the following algorithm: Generate (pk, sk) R K(η). (s, m 0, m 1 ) R A O 1 1 (η,pk) where O 1 = D b R A2 (η,pk, s, E(pk, m b )) return b. Then, we define the advantage against the IND-CCA1 game by: Adv Ind CCA1 S,A (η) = Pr[b R Ind 1 CCA1 (A) : b = 1] Pr[b R Ind 0 CCA1 (A) : b = 1] 33 / 64
Definitions of Security Notions The IND-CCA2 Games Given an encryption scheme S = (K, E, D). An adversary is a pair A = (A 1, A 2 ) of polynomial-time probabilistic algorithms, b {0, 1}. Let Ind b CCA2 (A) be the following algorithm: Generate (pk, sk) R K(η). (s, m 0, m 1 ) R A O 1 1 (η,pk) where O 1 = D b R A O 2 2 (η,pk, s, E(pk, m b)) where O 2 = D return b. Then, we define the advantage against the IND-CCA2 game by: Adv Ind CCA2 S,A (η) = Pr[b R Ind 1 CCA2 (A) : b = 1] Pr[b R Ind 0 CCA2 (A) : b = 1] 34 / 64
Definitions of Security Notions IND-XXX Security Definition An encryption scheme is IND-XXX secure, if for any adversary A the function Adv IND XXX S,A is negligible. Exercice Prove that Adv Ind XXX S,A (η) = Pr[b R Ind 1 (A) : b = 1] Pr[b R Ind 0 (A) : b = 1] = 2Pr[b R Ind b (A) : b = b] 1 35 / 64
Definitions of Security Notions Summery of IND-XXX Games Given S = (K, E, D), A = (A 1, A 2 ) of polynomial-time probabilistic algorithms. Ind b XXX (A) follows: Generate (pk, sk) R K(η). (s, m 0, m 1 ) R A O 1 1 (η,pk) b R A O 2 2 (η,pk, s, E(pk, m b)) return b. Adv Ind XXX S,A (η) = Pr[b R Ind 1 XXX (A) : b = 1] Pr[b R Ind 0 XXX (A) : b = 1] IND-CPA, IND-CCA1, IND-CCA2 IND-CPA: O 1 = O 2 = Chosen Plain text Attack IND-CCA1: O 1 = {D}, O 2 = Non-adaptive Chosen Cipher text Attack IND-CCA2: O 1 = O 2 = {D} Adaptive Chosen Cipher text Attack. 36 / 64
Definitions of Security Notions Non Malleability Game Adversary: A = (A 1, A 2 ) 1 The adversary A 1 is given the public key pk. 2 The adversary A 1 chooses a message space M. 3 Two messages m and m are chosen at random in M and c = E(m; r) is given to the adversary. 4 The adversary A 2 outputs a binary relation R and a cipher-text c. Probability Pr[R(m, m )] Pr[R(m, m )] is negligible, where m = D(c ) 37 / 64
Definitions of Security Notions The NM-XXX Games Given S = (K, E, D). An adversary A = (A 1, A 2 ) of polynomial-time probabilistic algorithms, m,m,m M. Let NM b XXX (A): Generate (pk,sk) R K(η). (s,m) R A O1 1 (η,pk),m 0,m 1, M (R,C ) R A O2 2 (η,pk,s,m, E(pk,m b)),m D(C ) return R(m b,m ) Then, we define the advantage against the IND-CCA2 game by: Adv NM XXX S,A (η) = Pr[R(m,M ) R NMXXX 1 (A) : R(m,M ) = 1] Pr[R(m,M ) R NMXXX 0 (A) : R(m,M ) = 1] NM-CPA: O 1 = O 2 = Chosen Plain text Attack NM-CCA1: O 1 = {D}, O 2 = Non-adaptive Chosen Cipher text Attack NM-CCA2: O 1 = O 2 = {D} Adaptive Chosen Cipher text Attack. 38 / 64
Definitions of Security Notions Relations NM-CPA NM-CCA1 NM-CCA2 IND-CPA IND-CCA1 IND-CCA2 OW-CPA Relations Among Notions of Security for Public-Key Encryption Schemes, Crypto 98, by Mihir Bellare, Anand Desai, David Pointcheval and Phillip Rogaway [BDPR 98] 39 / 64
Definitions of Security Notions Relations NM-CPA NM-CCA1 NM-CCA2 IND-CPA IND-CCA1 IND-CCA2 minimal security OW-CPA weak security strong security Relations Among Notions of Security for Public-Key Encryption Schemes, Crypto 98, by Mihir Bellare, Anand Desai, David Pointcheval and Phillip Rogaway [BDPR 98] 39 / 64
Examples Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 40 / 64
Examples RSA Example: RSA public n = pq e (public key) private d = e 1 mod φ(n) (private key) RSA Encryption E(m) = m e mod n D(c) = c d mod n OW-CPA = RSA problem by definition! 41 / 64
Examples RSA IND-XXX and the Determinism Prop The encryption algorithm of an IND-XXX scheme must probabilistic, if it is stateless. Proof. An exercise. 42 / 64
Examples Diffie-Hellman The Discret Logarithm (DL) Let G = ( g, ) be any finite cyclic group of prime order. Idea: it is hard for any adversary to produce x if he only knows g x. For any adversary A, [ ] Adv DL (A) = Pr A(g x ) x x, y R [1, q] is negligible. 43 / 64
Examples Diffie-Hellman Computational Diffie-Hellman (CDH) Idea: it is hard for any adversary to produce g xy if he only knows g x and g y. For any adversary A, ] Adv CDH (A) = Pr [A(g x, g y ) g xy x, R y [1, q] is negligible. 44 / 64
Examples Diffie-Hellman Decisional Diffie-Hellman (DDH) Idea: Knowing g x and g y, it should be hard for any adversary to distinguish between g xy and g r for some random value r. For any adversary A, the advantage of A [ ] Adv DDH (A) = Pr A(g x, g y, g xy ) 1 x, y R [1, q] [ ] Pr A(g x, g y, g r ) 1 x, y, r R [1, q] is negligible. This means that an adversary cannot extract a single bit of information on g xy from g x and g y. 45 / 64
Examples Diffie-Hellman DDH CDH DL Exercice DDH CDH DL 46 / 64
Examples ElGamal Recall Elgamal G = ( g, ) finite cyclic group of prime order q. x: private key. y = g x : public key. E(m; r) = (g r, y r m) (c, d) and D(c, d) = d c x OW = CDH Assumption IND-CPA= DDH Assumption 47 / 64
Examples ElGamal OW-CPA for Elgamal Exercice Prove that under CDH assumption El-Gamal is OW-CPA. 48 / 64
Examples ElGamal IND-CPA for Elgamal Exercice Prove that under DDH assumption El-Gamal is IND-CPA. 49 / 64
Proofs Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 50 / 64
Proofs IND-CCA2 NM-CCA2 Intuition for IND-CCA2 NM-CCA2 Non-malleability deals with the ability to output ciphertexts. As the adversary is granted access to the decryption oracle during its whole attack, it can decrypt any ciphertext it outputs. The ability to output ciphertexts is thus not likely to increase the power of the adversary. 51 / 64
Proofs IND-CCA2 NM-CCA2 Main Idea We assume the scheme PE is secure in the IND-CCA2 sense. We let B = (B 1, B 2 ) be an NM-CCA2 adversary attacking PE. We must show that Adv NM CCA2 PE,B (k) is negligible. We construct an IND-CCA2 adversary A attacking the scheme, using B. Comparing these two advesaries, we show the advantages are such that : Adv NM CCA2 PE,B (k) = 2 Adv IND CCA2 PE,A (k) 52 / 64
Proofs IND-CCA2 NM-CCA2 Algorithm of Attack Algorithm A D sk 1 (pk) (s, M) R B D sk 1 (pk); (m 0, m 1 ) R M; s (m 0, m 1, M, s); Return (m 0, m 1, s ). Algorithm A D sk 2 (s, y) (R, C ) R B D sk 2 (M, s, y); M D sk ( C ); if R(m 0, M ) then d 0 else d R {0, 1}. Return d. 53 / 64
Proofs IND-CCA2 NM-CCA2 Notation Adv IND CCA2 PE,A (k) = pk(0) pk(1) p k (b) = Pr[(pk,sk) K(η);(s,m 0,m 1 ) A D sk 1 (pk) : A D sk 2 (s, E(pk,m b )) = 0] Adv NM CCA2 PE,B (k) = pk (0) pk (1) p k(b) = Pr[(pk,sk) K(η);(s,M) R B D sk 1 (pk);(m 0,m 1 ) R M; (R, C ) R B D sk 2 (M,s, E(pk,m b )) M D sk ( C ); R(m b, M )] 54 / 64
Proofs IND-CCA2 NM-CCA2 End of the Proof p k (0) = p k (0).Pr[d = 0 R(m 0, M)] + (1 p k (0)).Pr[d = 0 coinflip] = p k (0) + 1 2 1 2 p k (0) = 1 2 (1 + p k (0)) p k (1) = 1 2 (1 + p k (1)) Adv IND CCA2 PE,A (k) = pk(0) pk(1) = 1 2 (1 + p k (0)) 1 2 (1 + p k (1)) = 1 2 (p k (0) p k (1)) = 1 2 AdvNM CCA2 PE,B (k) 55 / 64
Proofs IND-CCA1 NM-CPA Idea:IND-CCA1 NM-CPA Assume there exists some IND-CCA1 secure encryption PE. We modifiy PE to build PE which is also IND-CCA1 secure but not NM-CPA secure. 56 / 64
Proofs IND-CCA1 NM-CPA Algorithm PE : Algorithm E pk (x) y 1 R Epk (x); y 2 R Epk (x); Return y 1 y 2 Where y 1 y 2 is a pair, and x us the bitwise complement of x. Algorithm D sk (y 1 y 2 ) Return D sk (y 1 ). 57 / 64
Proofs IND-CCA1 NM-CPA PE is not NM-CPA: Idea Given a cipher text y 1 y 2 of a messge x it is easy to create a cipher of x: just output y 2 y 1.Thus the scheme is malleable. Formally: A = (A 1, A 2 ) breaks PE in the sense of NM-CPA. (, M) R A 1 (pk), where M puts unforms distribution on {0, 1} k (R, y 2 y 1 ) R A 2 (, M, y 1 y 2 ), where R(m 1, m 2 ) = 1 if m 1 = m 2 Adv NM CPA PE,B (k) = 1 2 k 58 / 64
Proofs IND-CCA1 NM-CPA PE is IND-CPA: Idea Let B = (B 1, B 2 ) be some polynomial time adversary attacking PE in the IND-CCA1 sense. Show that Adv IND CCA1 PE,B (k) is negligible, using an hybrid argument. p k (i, j) = Pr[(s, m 0, m 1 ) R B D sk 1 ; y 1 R Epk (x i ); y 2 R Epk (x j ) : B 2 (s, m 0, m 1, y 1 y 2 ) = 1] Adv IND CCA1 PE,B (k) = p k (1, 1) p k (0, 0) Adv IND CCA1 PE,B (k) = p k (1, 1) p k (1, 0) + p k (1, 0) p k (0, 0) 59 / 64
Proofs IND-CCA1 NM-CPA Claim 1: p k (1, 1) p k (1, 0) is negligible Algorithm A D sk 1 (pk) (s,m 0,m 1 ) R B D sk 1 (pk); Return (m 0,m 1,s). Algorithm A 2 (s,m 0,m 1,y) (R, C ) R B D sk 2 (M,s,y); d R B 2 (m 0,m 1,s, E pk (m 1 ) y); Return d. Pr[(m 0,m 1,s) R A D sk 1 (pk) : A 2 (m 0,m 1,s, E pk (m 1 )] = p k (1,1) Pr[(m 0,m 1,s) R A D sk 1 (pk) : A 2 (m 0,m 1,s, E pk (m 0 )] = p k (1,0) Adv IND CCA1 PE,A (k) = p k (1,1) p k (0,0) is negligible, assumng security of PE in the IND-CCA1 sense. 60 / 64
Proofs IND-CCA1 NM-CPA Claim 2: p k (1, 0) p k (0, 0) is negligible Algorithm A D sk 1 (pk) (x 0,x 1,s) R B D sk 1 (pk); Return (x 0,x 1,s). Algorithm A 2 (x 0,x 1,s,y) (R, C ) R B D sk 2 (M,s,y); d R B 2 (x 0,x 1,s,y E pk (x 0 )); Return d. Pr[(x 0,x 1,s) R A D sk 1 (pk) : A 2 (x 0,x 1,s, E pk (x 1 )] = p k (1,0) Pr[(x 0,x 1,s) R A D sk 1 (pk) : A 2 (x 0,x 1,s, E pk (x 0 )] = p k (0,0) Adv IND CCA1 PE,A (k) = p k (1,0) p k (0,0) is negligible, assumng security of PE in the IND-CCA1 sense. 61 / 64
Conclusion Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 62 / 64
Conclusion Summary Today Cyclic Groups Hard Problems One-way IND-CPA, IND-CCA1, IND-CCA2 NM-CPA, NM-CCA1, NM-CCA2 Examples RSA ElGamal IND-CCA2 NM-CCA2 NM-CCA1 NM-CPA 63 / 64
Conclusion Thank you for your attention. Questions? 64 / 64