Introduction to Cybersecurity Cryptography (Part 4)
Review of Last Lecture
- Blockciphers: review of DES, attacks on blockciphers, Advanced Encryption Standard (AES), modes of operation
- MACs and hashes: message authentication codes, hash functions, compression functions, Merkle-Damgård construction, MACs from hashes
Introduction to Cybersecurity 2016/17

Review: Attack by Meet-in-the-Middle
Double encryption: $DE((K_1, K_2), m) := E(K_2, E(K_1, m))$
Attack by meet-in-the-middle (diagram): $m \to E(K_1, \cdot) \to E(K_2, \cdot) \to c$

Review: Modes of Operation
Cipher Block Chaining (CBC)
Encryption (diagram): $c_1 = E(K, m_1 \oplus IV)$, $c_2 = E(K, m_2 \oplus c_1)$
Decryption (diagram): $m_1 = D(K, c_1) \oplus IV$, $m_2 = D(K, c_2) \oplus c_1$

Review: Message Integrity
Goal of message integrity (diagram): Alice generates a tag t for message m under the shared key and sends the plaintext together with the MAC; Bob verifies the tag under the same key.
Goal: the attacker cannot change the message, i.e., the attacker cannot generate any valid pair (m, t).

Review: Hash Function
Let $H: M \to T$ be a hash function (non-keyed); often $H: \{0,1\}^* \to \{0,1\}^n$.
A collision for H is a tuple $(m_1, m_2)$ with $H(m_1) = H(m_2)$ and $m_1 \neq m_2$.
Definition: Collision Resistant Hash Function (CRHF)
A hash function H is collision resistant if no efficient algorithm is known that finds a collision for H in suitable time.
Remark: Defining that no efficient adversary exists that finds a collision cannot be fulfilled (for a fixed H a collision exists, and the algorithm that simply outputs it is efficient).

Review: Merkle-Damgård Construction
Merkle-Damgård (iterated construction), diagram: message m → padding pad → blocks $b_0, b_1, b_2, b_3, b_4$; chaining $h_0 = IV$, $h_{i+1} = f(h_i, b_i)$; the last chaining variable is the hash h.
- pad is the padding function (injective)
- $f: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is the compression function
- $h_i$ are called chaining variables
- IV is the initial value
This Lecture's Summary
- Asymmetric encryption
- Number theory for ElGamal
- ElGamal encryption scheme
- Number theory for RSA
- RSA encryption schemes
Foundations of Cybersecurity 2016

Symmetric vs. Asymmetric (Public-key) Encryption
Symmetric                              | Asymmetric (public-key)
Fast                                   | Slow
Based on heuristics                    | Based on security proofs with well-defined assumptions
One key for every pair of users        | One key for every user
Two parties need to protect the secret | Everyone is responsible for his/her own secret key

Public-key Encryption
Now public-key encryption schemes (K, E, D), diagram: key generation K outputs (pk, sk); $m \to E(pk, \cdot) \to c := E(pk, m) \to D(sk, \cdot) \to m$.
Legend (box styles): randomized, stateful, deterministic.

Definition of Public-Key Encryption
Definition: Public-key Encryption Scheme
A public-key encryption scheme is a triple of algorithms (K, E, D):
- The randomized key generation algorithm K takes no input and returns a key pair (pk, sk).
- The (often randomized) encryption algorithm E takes a public key pk and a message m and returns a ciphertext c.
- The deterministic decryption algorithm D takes a secret key sk and a ciphertext c and returns a plaintext $m \in M$ or a distinguished error symbol.
Correctness: the above algorithms have to satisfy the following property. For any key pair $(pk, sk) \in [K]$, any message $m \in M$, and any $c \in [E(pk, m)]$, we have $D(sk, c) = m$ (where $[K]$ and $[E(pk, m)]$ denote the sets of possible outputs of the randomized algorithms).
Number Theory Basics for the El-Gamal Encryption Scheme
Notation
From here on: N denotes a positive integer, p denotes a prime.
Notation: $\mathbb{Z}_N = \{0, 1, 2, \dots, N-1\}$
We can do addition and multiplication modulo N.

Modular Arithmetic
Examples: let N = 12.
$9 + 8 = 5$ in $\mathbb{Z}_{12}$
$5 \cdot 7 = 11$ in $\mathbb{Z}_{12}$
$5 - 7 = 10$ in $\mathbb{Z}_{12}$
Arithmetic in $\mathbb{Z}_N$ works as you expect, e.g. $x \cdot (y + z) = x \cdot y + x \cdot z$ in $\mathbb{Z}_N$.
Greatest Common Divisor (GCD)
Definition: GCD. For integers x, y, gcd(x, y) is the greatest common divisor of x and y.
Example: gcd(12, 18) = 6
Fact: GCD. For all integers x, y there exist integers a, b such that $a \cdot x + b \cdot y = \gcd(x, y)$; a and b can be found efficiently using the extended Euclidean algorithm.
If gcd(x, y) = 1 we say that x and y are relatively prime.

How to Compute gcd? The Extended Euclidean Algorithm
Example: gcd(240, 46)
Euclid's remainder steps:
$240 = 5 \cdot 46 + 10$, i.e. $240 - 5 \cdot 46 = 10$
$46 = 4 \cdot 10 + 6$, i.e. $46 - 4 \cdot 10 = 6$
$10 = 6 + 4$, i.e. $10 - 6 = 4$
$6 = 4 + 2$, i.e. $6 - 4 = 2$
$4 = 2 \cdot 2$, so gcd(240, 46) = 2
Back-substitution to write 2 as $a \cdot 240 + b \cdot 46$:
$6 - 4 = 2$
$6 - (10 - 6) = 2 \cdot 6 - 10 = 2$
$2 \cdot (46 - 4 \cdot 10) - 10 = 2 \cdot 46 - 9 \cdot 10 = 2$
$2 \cdot 46 - 9 \cdot (240 - 5 \cdot 46) = 2$
$-9 \cdot 240 + 47 \cdot 46 = 2$

Modular Inversion
Over the rationals, the inverse of 2 is 1/2. What about $\mathbb{Z}_N$?
Definition: Inverse. The inverse of x in $\mathbb{Z}_N$ is an element y in $\mathbb{Z}_N$ such that $x \cdot y = 1$ in $\mathbb{Z}_N$; y is denoted by $x^{-1}$.
Example: let N be an odd integer. The inverse of 2 in $\mathbb{Z}_N$ is $\frac{N+1}{2}$, since $2 \cdot \frac{N+1}{2} = N + 1 = 1$ in $\mathbb{Z}_N$.

Modular Inversion
Which elements have an inverse in $\mathbb{Z}_N$?
Lemma: x in $\mathbb{Z}_N$ has an inverse if and only if gcd(x, N) = 1.
Proof:
$\gcd(x, N) = 1 \Rightarrow \exists a, b: a \cdot x + b \cdot N = 1 \Rightarrow a \cdot x = 1$ in $\mathbb{Z}_N$ $\Rightarrow x = a^{-1}$ in $\mathbb{Z}_N$
$\gcd(x, N) > 1 \Rightarrow \forall a: \gcd(a \cdot x, N) > 1 \Rightarrow a \cdot x \neq 1$ in $\mathbb{Z}_N$

More Notation
Definition: Set of invertible elements in $\mathbb{Z}_N$: $\mathbb{Z}_N^* = \{ x \in \mathbb{Z}_N : \gcd(x, N) = 1 \}$
Examples: for a prime p, $\mathbb{Z}_p^* = \mathbb{Z}_p \setminus \{0\} = \{1, 2, \dots, p-1\}$; $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$
For x in $\mathbb{Z}_N^*$, we can find $x^{-1}$ using the extended Euclidean algorithm.

Solving Modular Linear Equations
Solve: $a \cdot x + b = 0$ in $\mathbb{Z}_N$
Solution: $x = -b \cdot a^{-1}$ in $\mathbb{Z}_N$. Find $a^{-1}$ in $\mathbb{Z}_N$ using the extended Euclidean algorithm. Run time: $O(\log^2 N)$.
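The extended Euclidean algorithm, modular inversion (including the lemma's "no inverse when gcd > 1" case) and the linear-equation solver from the slides above, as an added Python example that is not the lecture's own code; function names are my own:

```python
# Added example (not from the lecture slides): extended Euclid, modular
# inversion and solving a*x + b = 0 in Z_N, on the slides' own numbers.

def egcd(x, y):
    """Return (g, a, b) with a*x + b*y = g = gcd(x, y) (extended Euclid)."""
    # Invariant kept by the loop: r0 = a0*x + b0*y and r1 = a1*x + b1*y.
    r0, a0, b0 = x, 1, 0
    r1, a1, b1 = y, 0, 1
    while r1 != 0:
        q = r0 // r1                 # e.g. 240 = 5*46 + 10 gives q = 5
        r0, r1 = r1, r0 - q * r1     # Euclid's remainder step
        a0, a1 = a1, a0 - q * a1     # carry the Bezout coefficients along
        b0, b1 = b1, b0 - q * b1
    return r0, a0, b0

def mod_inverse(x, n):
    """x^{-1} in Z_N, or None when gcd(x, N) != 1 (the lemma on the slide)."""
    g, a, _ = egcd(x % n, n)
    if g != 1:
        return None
    return a % n                     # a*x + b*N = 1  =>  a*x = 1 in Z_N

def invertible_elements(n):
    """Z_N^* = { x in Z_N : gcd(x, N) = 1 }."""
    return [x for x in range(n) if egcd(x, n)[0] == 1]

def solve_linear(a, b, n):
    """Solve a*x + b = 0 in Z_N as x = -b * a^{-1}; None if a is not invertible."""
    inv = mod_inverse(a, n)
    if inv is None:
        return None
    return (-b * inv) % n

if __name__ == "__main__":
    print(egcd(240, 46))            # (2, -9, 47): -9*240 + 47*46 = 2
    print(mod_inverse(2, 13))       # 7 = (13 + 1) / 2
    print(mod_inverse(4, 12))       # None: gcd(4, 12) = 4
    print(invertible_elements(12))  # [1, 5, 7, 11]
    print(solve_linear(5, 3, 12))   # 9, since 5*9 + 3 = 48 = 0 in Z_12
```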
The Structure of $\mathbb{Z}_p^*$
Theorem (Euler): $\mathbb{Z}_p^*$ is a cyclic group, that is, there exists $g \in \mathbb{Z}_p^*$ such that $\{1, g, g^2, g^3, \dots\} = \mathbb{Z}_p^*$. Such a g is called a generator of $\mathbb{Z}_p^*$.
Example: p = 7. g = 3 is a generator: $\{1, 3, 3^2, 3^3, 3^4, 3^5\} = \{1, 3, 2, 6, 4, 5\} = \mathbb{Z}_7^*$
Not every element is a generator: $\{1, 2, 2^2, 2^3, 2^4, 2^5\} = \{1, 2, 4\}$

Order
For g, the set $\{1, g, g^2, g^3, \dots\}$ is called the group generated by g, denoted by $\langle g \rangle$.
Definition: Order of g. The order of $g \in \mathbb{Z}_p^*$ is the size of $\langle g \rangle$, denoted by $\mathrm{ord}_p(g) = |\langle g \rangle|$. It is the smallest a > 0 s.t. $g^a = 1$ in $\mathbb{Z}_p^*$.
Examples: $\mathrm{ord}_7(3) = 6$; $\mathrm{ord}_7(2) = 3$; $\mathrm{ord}_7(1) = 1$.
Theorem (Lagrange): $\forall g \in \mathbb{Z}_p^*$: $\mathrm{ord}_p(g)$ divides $p - 1$.

Fermat's Little Theorem
Theorem: Fermat's little theorem. For every prime p and every $x \in \mathbb{Z}_p^*$ it holds that $x^{p-1} = 1 \bmod p$.
Follows from Lagrange's theorem and the fact that $x^{\mathrm{ord}_p(x)} = 1 \bmod p$.

Easy Problems
- Given composite N and x in $\mathbb{Z}_N$, find $x^{-1}$ in $\mathbb{Z}_N$.
- Given prime p and a polynomial f(x), find x in $\mathbb{Z}_p$ s.t. f(x) = 0 in $\mathbb{Z}_p$ (if one exists). Running time is linear in deg f.
But many problems are difficult.

Intractable Problems with Primes: Discrete Logarithm
Fix a prime p > 2 and g in $\mathbb{Z}_p^*$ of order q. Consider the function $x \mapsto g^x$ in $\mathbb{Z}_p^*$.
Now consider the inverse function: $\mathrm{Dlog}_g(g^x) = x$ where $x \in \{0, \dots, q-2\}$.
Example in $\mathbb{Z}_{11}^*$ with g = 2:
h           : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
$\mathrm{Dlog}_2(h)$ : 0, 1, 8, 2, 4, 9, 7, 3, 6, 5
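Orders, generators, the Lagrange and Fermat checks, and the discrete-log table from the slides above, as an added Python example that is not the lecture's own code; the exhaustive-search Dlog is only meaningful for the toy primes used here:

```python
# Added example (not from the lecture slides): orders, generators and the
# discrete-log table of Z_p^* by brute force; only feasible for tiny p.

def order(g, p):
    """ord_p(g): the smallest a > 0 with g^a = 1 in Z_p^* (p prime, 0 < g < p)."""
    a, acc = 1, g % p
    while acc != 1:
        acc = (acc * g) % p
        a += 1
    return a

def generated_subgroup(g, p):
    """<g> = {1, g, g^2, ...}, returned as a sorted list."""
    return sorted(pow(g, i, p) for i in range(order(g, p)))

def generators(p):
    """Generators of Z_p^*: the elements whose order is the group size p - 1."""
    return [g for g in range(1, p) if order(g, p) == p - 1]

def dlog(g, p, h):
    """Dlog_g(h) in Z_p^* by exhaustive search over the exponent (toy sizes only)."""
    for x in range(order(g, p)):
        if pow(g, x, p) == h:
            return x
    return None                      # h does not lie in <g>

def dlog_table(g, p):
    """Dlog_g(h) for h = 1, ..., p-1, laid out like the table on the slide."""
    return [dlog(g, p, h) for h in range(1, p)]

def lagrange_and_fermat_hold(p):
    """Check ord_p(g) | p-1 and g^(p-1) = 1 mod p for every g in Z_p^*."""
    return all((p - 1) % order(g, p) == 0 and pow(g, p - 1, p) == 1
               for g in range(1, p))

if __name__ == "__main__":
    print(order(3, 7), order(2, 7), order(1, 7))  # 6 3 1
    print(generated_subgroup(2, 7))               # [1, 2, 4]
    print(generators(7))                          # [3, 5]
    print(dlog_table(2, 11))                      # [0, 1, 8, 2, 4, 9, 7, 3, 6, 5]
    print(lagrange_and_fermat_hold(97))           # True
```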
Computing Dlog in $\mathbb{Z}_p^*$ (n-bit prime p)
Best known algorithm (GNFS): run time $\exp(\tilde{O}(\sqrt[3]{n}))$
Cipher key size | Modulus size | Elliptic curve group size
80 bits         | 1024 bits    | 160 bits
128 bits        | 3072 bits    | 256 bits
256 bits (AES)  | 15360 bits   | 512 bits
As a result: slow transition away from (mod p) groups to elliptic curves.
El-Gamal Encryption Scheme
ElGamal Encryption System (1984)
Key generation K(n) for security parameter n:
- Pick a random n-bit prime p                       } can be publicly known
- Pick a random generator g for $\mathbb{Z}_p^*$    }
- Pick random $x \in \{1, \dots, p-1\}$
- Set $pk = (p, g, h := g^x)$
- Set $sk = (p, g, x)$
- Output (pk, sk)

ElGamal Encryption System (1984)
Encryption Enc(pk, m); pk = (p, g, h), $m \in \mathbb{Z}_p$:
- Pick random $y \in \{1, \dots, p-1\}$
- Set $i = g^y$, $k = h^y$
- Set $c := (i, m \cdot k)$
- Output c
Decryption Dec(sk, c); sk = (p, g, x) and c = (A, B):
- Set $d = B / A^x$
- Output d
Correctness of ElGamal: $B / A^x = B / (g^y)^x = B / (g^x)^y = B / h^y = (m \cdot h^y) / h^y = m$

ElGamal Encryption System (cont'd)
Security intuition: $B = m \cdot g^{xy}$ is similar to the OTP: $g^{xy}$ is the key and multiplication plays the role of XOR. But: why is this secure?
Goals:
- Define security of public-key encryption schemes. (Yes, we do that!)
- Prove that ElGamal is secure. (Core lecture)
Indistinguishable Ciphertexts under CPA
Let PE = (K, E, D) be a public-key encryption scheme and A an adversary. Define $\mathrm{Exp}^{CPA}_{PE,A}(b)$ as the following experiment between Challenger(b, n), $b \in \{0,1\}$, and Adversary(n):
1. Challenger: generate keys $(pk, sk) \leftarrow K(n)$; send pk to the adversary.
2. Adversary: choose $m_0, m_1$; send them to the challenger.
3. Challenger: $c \leftarrow \mathrm{Encrypt}(pk, m_b)$; send c to the adversary.
4. Adversary: output a bit, which is the output of the experiment.
Definition: Indistinguishability of Ciphertexts under CPA
A sequence of public-key encryption schemes PE has indistinguishable ciphertexts under chosen-plaintext attack (CPA) if for all efficient adversaries $A = (A_n)_{n \in \mathbb{N}}$:
$\mathrm{Adv}^{CPA}_{PE,A} = \left|\Pr[\mathrm{Exp}^{CPA}_{PE,A_n}(0) = 1] - \Pr[\mathrm{Exp}^{CPA}_{PE,A_n}(1) = 1]\right|$ is negligible.

Only a 1-CPA Variant?
Does the following extended experiment strengthen the definition? Between Challenger(b, n), $b \in \{0,1\}$, and Adversary(n):
1. Challenger: generate keys $(pk, sk) \leftarrow K(n)$; send pk to the adversary.
2. Adversary: may repeatedly send a message m and receive E(pk, m) from the challenger.
3. Adversary: choose $m_0, m_1$; Challenger: $c \leftarrow \mathrm{Encrypt}(pk, m_b)$; send c to the adversary.
4. Adversary: output a bit.
No, since A can compute E(pk, m) itself for messages of its choice!

CPA-Security of ElGamal
Theorem: IND-CPA of ElGamal. ElGamal has indistinguishable ciphertexts under CPA if the following Decisional Diffie-Hellman assumption holds in G:
Definition: Decisional Diffie-Hellman Assumption (DDH). Given a group G with $\approx 2^n$ elements and a random $g \in G$, no efficient adversary (in n) can distinguish $(g^x, g^y, g^{xy})$ from $(g^x, g^y, g^z)$ for x, y, z random in $\{1, \dots, |G|\}$.
Why decisional? CPA-security says it must be hard to distinguish; CDH says it is hard to compute. But distinguishing might be easier than computing...
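The ElGamal scheme from the slides above together with the IND-CPA experiment, as an added Python example that is not the lecture's own code. It assumes a constructed toy group (p = 467, g = 2, far too small to be secure) and uses the adversary from the "1-CPA variant" slide, which encrypts m_0 itself and compares; against properly randomized ElGamal its advantage is tiny, against a variant with the randomness y fixed it is exactly 1:

```python
import secrets

# Added example, not the lecture's own code: textbook ElGamal over Z_p^* on a
# constructed toy group (p = 467, g = 2) plus the IND-CPA experiment.
TOY_P, TOY_G = 467, 2

def keygen(p=TOY_P, g=TOY_G, x=None):
    """K: x in {1,...,p-1}; pk = (p, g, h = g^x), sk = (p, g, x)."""
    if x is None:
        x = secrets.randbelow(p - 1) + 1
    return (p, g, pow(g, x, p)), (p, g, x)

def encrypt(pk, m, y=None):
    """Enc: c = (g^y, m * h^y) with fresh y in {1,...,p-1}; fix y only for tests."""
    p, g, h = pk
    if y is None:
        y = secrets.randbelow(p - 1) + 1
    return pow(g, y, p), (m * pow(h, y, p)) % p

def decrypt(sk, c):
    """Dec: m = B / A^x, computed as B * A^(p-1-x) since A^(p-1) = 1 (Fermat)."""
    p, _, x = sk
    A, B = c
    return (B * pow(A, p - 1 - x, p)) % p

def compare_adversary(pk, enc):
    """Chooses (m0, m1), encrypts m0 itself (allowed under CPA), and later
    outputs 0 iff the challenge ciphertext equals that trial encryption."""
    m0, m1 = 2, 3
    trial = enc(pk, m0)
    return m0, m1, (lambda c: 0 if c == trial else 1)

def cpa_experiment(enc, adversary, b):
    """Exp^CPA(b): challenger runs K and sends pk; adversary picks (m0, m1);
    challenger returns enc(pk, m_b); the adversary's guess bit is the output."""
    pk, _ = keygen()
    m0, m1, guess = adversary(pk, enc)
    return guess(enc(pk, (m0, m1)[b]))

def advantage(enc, adversary, trials=200):
    """Estimate |Pr[Exp(0) = 1] - Pr[Exp(1) = 1]| over 'trials' runs per bit."""
    freq = [sum(cpa_experiment(enc, adversary, b) for _ in range(trials)) / trials
            for b in (0, 1)]
    return abs(freq[0] - freq[1])

if __name__ == "__main__":
    det_encrypt = lambda pk, m: encrypt(pk, m, y=1)   # randomness removed
    print(advantage(encrypt, compare_adversary))       # close to 0
    print(advantage(det_encrypt, compare_adversary))   # 1.0: the variant is broken
```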
Problem of Information Secrecy Solved?
We need alternative schemes based on different assumptions!
RSA-based ciphers (origin in 1977)