Introduction to Cybersecurity Cryptography (Part 4)

Review of Last Lecture
Blockciphers
- Review of DES
- Attacks on Blockciphers
- Advanced Encryption Standard (AES)
- Modes of Operation
MACs and Hashes
- Message Authentication Codes
- Hash Functions
- Compression Functions
- Merkle-Damgård Construction
- MACs from Hashes
Introduction to Cybersecurity 2016/17

Review: Attack by Meet-in-the-Middle
$DE((K_1, K_2), m) := E(K_2, E(K_1, m))$
Attack by meet-in-the-middle:
[Figure: $m \to E(K_1, \cdot) \to E(K_2, \cdot) \to c$]

Review: Modes of Operation
Cipherblock Chaining (CBC)
[Figure: CBC encryption and decryption of message blocks $m_1, m_2$ and ciphertext blocks $c_1, c_2$, using the IV, $E(K, \cdot)$ and $D(K, \cdot)$]

Review: Message Integrity
Goal of message integrity:
[Figure: Alice adds a MAC to the plaintext using the key; Bob verifies the plaintext with MAC using the key]
Alice generates tag t for message m, Bob verifies tag.
Goal: Attacker cannot change message, i.e., attacker cannot generate any valid pair (m, t).

Review: Hash Function
Let $H: M \to T$ be a hash function (non-keyed) (often $H: \{0,1\}^* \to \{0,1\}^n$).
A collision for H is a tuple $(m_1, m_2)$ with $H(m_1) = H(m_2)$ and $m_1 \neq m_2$.
Definition: Collision Resistant Hash Function (CRHF)
A hash function H is collision resistant if no efficient algorithm is known that finds a collision for H in suitable time.
Remark: Defining that no efficient adversary exists that finds a collision cannot be fulfilled

Review: Merkle-Damgård Construction
Merkle-Damgård (iterated construction)
[Figure: message m is padded with pad and split into blocks $b_0, \ldots, b_4$; starting from the IV ($h_0$), the compression function f is applied block by block, giving $h_1, \ldots, h_4$ and the hash h]
- pad is the padding function (injective)
- $f: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is the compression function
- $h_i$ are called chaining variables
- IV is the initial value

This Lecture's Summary
- Asymmetric encryption
- Number theory for El-Gamal
- El-Gamal Encryption Scheme
- Number theory for RSA
- RSA Encryption Schemes
Foundations of Cybersecurity 2016

Symmetric vs. Asymmetric (Public-key) Encryptions
Symmetric:
- Fast
- Based on Heuristics
- One key for every pair of users
- Two parties need to protect the secret
Asymmetric (public-key):
- Slow
- Based on Security Proofs with well-defined assumptions
- One key for every user
- Everyone is responsible for his/her own secret key

Public-key Encryption
Now public-key encryption schemes (K, E, D):
[Figure: K outputs pk and sk; E takes pk and m and outputs c := E(pk, m); D takes sk and c and outputs m. Legend: Randomized, Stateful, Deterministic]

Definition of Public-Key Encryption
Definition: Public-key Encryption Scheme
A public-key encryption scheme is a triple of algorithms (K, E, D):
- The randomized key generation algorithm K takes no input and returns a key pair (pk, sk).
- The (often randomized) encryption algorithm E takes a public key pk and a message m and returns a ciphertext c.
- The deterministic decryption algorithm D takes a secret key sk, a ciphertext c and returns a plaintext $m \in M$ or a distinguished error symbol.
Correctness: The above algorithms have to satisfy the following property: For any key pair $(pk, sk) \in [K]$, any message $m \in M$, and any $c \in [E(pk, m)]$, we have that $D(sk, c) = m$.

Number Theory Basics for the El-Gamal Encryption Scheme

Notation
From here on:
- N denotes a positive integer.
- p denotes a prime.
Notation: $\mathbb{Z}_N = \{0, 1, 2, \ldots, N-1\}$
Can do addition and multiplication modulo N.

Modular Arithmetic
Examples: let N = 12
$9 + 8 = 5$ in $\mathbb{Z}_{12}$
$5 \times 7 = 11$ in $\mathbb{Z}_{12}$
$5 - 7 = 10$ in $\mathbb{Z}_{12}$
Arithmetic in $\mathbb{Z}_N$ works as you expect, e.g. $x \cdot (y + z) = x \cdot y + x \cdot z$ in $\mathbb{Z}_N$.

Greatest Common Divisor (GCD)
Definition: GCD
For integers x, y we define $\gcd(x, y)$ as the greatest common divisor of x, y.
Example: $\gcd(12, 18) = 6$
Fact: GCD
For all integers x, y there exist integers a, b such that $a \cdot x + b \cdot y = \gcd(x, y)$.
a, b can be found efficiently using the extended Euclidean algorithm.
If $\gcd(x, y) = 1$ we say that x and y are relatively prime.

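How to compute gcd? The Extended Euclid Algorithm
Example: $\gcd(240, 46)$
Division steps:
$240 = 5 \cdot 46 + 10$
$46 = 4 \cdot 10 + 6$
$10 = 6 + 4$
$6 = 4 + 2$
$4 = 2 \cdot 2$
Rearranged for the remainders:
$240 - 5 \cdot 46 = 10$
$46 - 4 \cdot 10 = 6$
$10 - 6 = 4$
$6 - 4 = 2$
Back-substitution:
$240 - 5 \cdot 46 = 10$, $46 - 4 \cdot 10 = 6$, $2 \cdot 6 - 10 = 2$
$240 - 5 \cdot 46 = 10$, $2 \cdot (46 - 4 \cdot 10) - 10 = 2$
$240 - 5 \cdot 46 = 10$, $2 \cdot 46 - 9 \cdot 10 = 2$
$2 \cdot 46 - 9 \cdot (240 - 5 \cdot 46) = 2$
$-9 \cdot 240 + 47 \cdot 46 = 2$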

Modular Inversion
Over rationals, inverse of 2 is $\frac{1}{2}$. What about $\mathbb{Z}_N$?
Definition: Inverse
The inverse of x in $\mathbb{Z}_N$ is an element y in $\mathbb{Z}_N$ such that $x \cdot y = 1$ in $\mathbb{Z}_N$. y is denoted by $x^{-1}$.
Example: let N be an odd integer. The inverse of 2 in $\mathbb{Z}_N$ is $\frac{N+1}{2}$, since $2 \cdot \frac{N+1}{2} = N + 1 = 1$ in $\mathbb{Z}_N$.

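Modular Inversion
Which elements have an inverse in $\mathbb{Z}_N$?
Lemma: x in $\mathbb{Z}_N$ has an inverse if and only if $\gcd(x, N) = 1$.
Proof:
$\gcd(x, N) = 1 \Rightarrow \exists a, b: a \cdot x + b \cdot N = 1 \Rightarrow a \cdot x = 1$ in $\mathbb{Z}_N \Rightarrow x = a^{-1}$ in $\mathbb{Z}_N$
$\gcd(x, N) > 1 \Rightarrow \forall a: \gcd(a \cdot x, N) > 1 \Rightarrow a \cdot x \neq 1$ in $\mathbb{Z}_N$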

More notation
Definition: Set of invertible Elements in $\mathbb{Z}_N$
$\mathbb{Z}_N^* := \{ x \in \mathbb{Z}_N : \gcd(x, N) = 1 \}$
Examples:
- For a prime p: $\mathbb{Z}_p^* = \mathbb{Z}_p \setminus \{0\} = \{1, 2, \ldots, p-1\}$
- $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$
For x in $\mathbb{Z}_N^*$, we can find $x^{-1}$ using the extended Euclid algorithm.

Solving modular linear equations
Solve: $a \cdot x + b = 0$ in $\mathbb{Z}_N$
Solution: $x = -b \cdot a^{-1}$ in $\mathbb{Z}_N$
Find $a^{-1}$ in $\mathbb{Z}_N$ using the extended Euclid. Run time: $O(\log^2 N)$
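
The extended Euclid steps, the inversion lemma and the linear-equation rule above, as runnable Python. This is an added example, not code from the lecture; the function names (egcd, modinv, solve_linear, invertible_elements) are this example's own.

```python
# Added example (not from the lecture): extended Euclid, modular inverse,
# and solving a*x + b = 0 in Z_N. All names are this example's own.

def egcd(x, y):
    """Return (g, a, b) with a*x + b*y == g == gcd(x, y)."""
    # Invariant: r0 == a0*x + b0*y and r1 == a1*x + b1*y.
    r0, a0, b0 = x, 1, 0
    r1, a1, b1 = y, 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return r0, a0, b0


def modinv(x, n):
    """Inverse of x in Z_N; it exists iff gcd(x, N) == 1 (the lemma)."""
    g, a, _ = egcd(x % n, n)
    if g != 1:
        raise ValueError(f"{x} has no inverse in Z_{n}: gcd is {g}")
    return a % n


def solve_linear(a, b, n):
    """Solve a*x + b = 0 in Z_N as x = -b * a^(-1)."""
    return (-b * modinv(a, n)) % n


def invertible_elements(n):
    """Z_N^*: the elements of Z_N that are relatively prime to N."""
    return [x for x in range(n) if egcd(x, n)[0] == 1]
```

For the slide's example, egcd(240, 46) yields the same coefficients as the back-substitution, -9 and 47.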

The structure of $\mathbb{Z}_p^*$
Theorem (Euler): $\mathbb{Z}_p^*$ is a cyclic group, that is $\exists g \in \mathbb{Z}_p^*$ such that $\{1, g, g^2, g^3, \ldots, g^{p-2}\} = \mathbb{Z}_p^*$.
g is called a generator of $\mathbb{Z}_p^*$.
Example: p = 7. g = 3 is a generator: $\{1, 3, 3^2, 3^3, 3^4, 3^5\} = \{1, 3, 2, 6, 4, 5\} = \mathbb{Z}_7^*$
Not every element is a generator: $\{1, 2, 2^2, 2^3, 2^4, 2^5\} = \{1, 2, 4\}$

Order
For $g \in \mathbb{Z}_p^*$ the set $\{1, g, g^2, g^3, \ldots\}$ is called the group generated by g, denoted by $\langle g \rangle$.
Definition: Order of g
The order of $g \in \mathbb{Z}_p^*$ is the size of $\langle g \rangle$, denoted by $\mathrm{ord}_p(g) = |\langle g \rangle|$. It is the smallest $a > 0$ s.t. $g^a = 1$ in $\mathbb{Z}_p$.
Examples: $\mathrm{ord}_7(3) = 6$; $\mathrm{ord}_7(2) = 3$; $\mathrm{ord}_7(1) = 1$.
Theorem (Lagrange): $\forall g \in \mathbb{Z}_p^*$: $\mathrm{ord}_p(g)$ divides $p - 1$

Fermat's little Theorem
Theorem: Fermat's little Theorem
For every prime p and every $x \in \mathbb{Z}_p^*$ it holds that $x^{p-1} = 1 \bmod p$.
Follows from Lagrange's Theorem and the fact that $x^{\mathrm{ord}_p(x)} = 1 \bmod p$.

Easy problems
- Given composite N and x in $\mathbb{Z}_N$, find $x^{-1}$ in $\mathbb{Z}_N$.
- Given prime p and polynomial $f(x)$, find x in $\mathbb{Z}_p$ s.t. $f(x) = 0$ in $\mathbb{Z}_p$ (if one exists). Running time is linear in $\deg(f)$.
... but many problems are difficult.

Intractable problems with primes: discrete logarithm
Fix a prime $p > 2$ and g in $\mathbb{Z}_p^*$ of order q.
Consider the function $x \mapsto g^x$ in $\mathbb{Z}_p$.
Now, consider the inverse function: $\mathrm{Dlog}_g(g^x) = x$ where $x \in \{0, \ldots, q-2\}$
Example:
in $\mathbb{Z}_{11}$:      1, 2, 3, 4, 5, 6, 7, 8, 9, 10
$\mathrm{Dlog}_2(\cdot)$:  0, 1, 8, 2, 4, 9, 7, 3, 6, 5

Computing Dlog in $\mathbb{Z}_p^*$ (n-bit prime p)
Best known algorithm (GNFS): run time $\exp(O(\sqrt[3]{n}))$

Cipher key size     Modulus size     Elliptic curve group size
80 bits             1024 bits        160 bits
128 bits            3072 bits        256 bits
256 bits (AES)      15360 bits       512 bits

As a result: slow transition away from (mod p) to elliptic curves

El-Gamal Encryption Scheme

ElGamal Encryption System (1984)
Key Generation K(n) for security parameter n
- Pick random n-bit prime p
- Pick random generator g for $\mathbb{Z}_p^*$
  (p and g can be publicly known)
- Pick random $x \in \{1, \ldots, p-1\}$
- Set $pk = (p, g, h := g^x)$
- Set $sk = (p, g, x)$
- Output (pk, sk)

ElGamal Encryption System (1984)
Encryption Enc(pk, m); $pk = (p, g, h)$, $m \in \mathbb{Z}_p^*$
- Pick random $y \in \{1, \ldots, p-1\}$
- Set $i = g^y$, $k = h^y$
- Set $c := (i, m \cdot k)$
- Output c
Decryption Dec(sk, c); $sk = (p, g, x)$ and $c = (A, B)$
- Set $d = B / A^x$
- Output d
Correctness (El-Gamal):
$B / A^x = B / (g^y)^x = B / (g^x)^y = B / h^y = (m \cdot h^y) / h^y = m$
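
Key generation, encryption and decryption as listed on the two ElGamal slides, together with the generator test that follows from Lagrange's theorem; an added example, not code from the lecture. The toy prime 2579 (far too small for real use) and all function names are assumptions of this example.

```python
# Added example (not from the lecture): toy ElGamal over Z_p^* following the
# slides' K / Enc / Dec. The prime below is constructed for illustration.
import secrets

P = 2579                          # toy prime; p - 1 = 2 * 1289
P_MINUS_1_FACTORS = (2, 1289)     # prime factors of p - 1


def is_generator(g, p, factors):
    """g generates Z_p^* iff g^((p-1)/f) != 1 for every prime f | p-1.

    By Lagrange ord_p(g) divides p-1, so a proper order would divide one
    of the (p-1)/f and force that power to equal 1.
    """
    return all(pow(g, (p - 1) // f, p) != 1 for f in factors)


def keygen(p=P, factors=P_MINUS_1_FACTORS):
    while True:                                   # pick a random generator
        g = 2 + secrets.randbelow(p - 3)          # g in {2, ..., p-2}
        if is_generator(g, p, factors):
            break
    x = 1 + secrets.randbelow(p - 1)              # x in {1, ..., p-1}
    return (p, g, pow(g, x, p)), (p, g, x)        # pk = (p,g,h), sk = (p,g,x)


def encrypt(pk, m, y=None):
    p, g, h = pk
    if not 1 <= m < p:
        raise ValueError("message must lie in Z_p^*")
    if y is None:
        y = 1 + secrets.randbelow(p - 1)          # fresh y per ciphertext
    return pow(g, y, p), (m * pow(h, y, p)) % p   # (A, B) = (g^y, m * h^y)


def decrypt(sk, c):
    p, _, x = sk
    a, b = c
    # B / A^x, with 1 / A^x computed as A^(p-1-x) (Fermat: A^(p-1) = 1).
    return (b * pow(a, p - 1 - x, p)) % p
```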

ElGamal Encryption System (cont'd)
Security intuition: $B = m \cdot g^{xy}$ is similar to the OTP: $g^{xy}$ is the key and $\cdot$ the XOR.
But: why is this secure?
Goals:
- Define security of public key encryption schemes. (yes, we do that!)
- Prove that ElGamal is secure. (core lecture)

Indist. Ciphertexts under CPA
Let PE = (K, E, D) be a public-key encryption scheme and A an adversary. Define $\mathrm{Exp}^{\mathrm{CPA}}_{PE,A}(b)$ as the following exchange between Challenger(b, n), $b \in \{0,1\}$, and Adversary(n):
1. Challenger: Generate Keys $K(n) \to (pk, sk)$; sends pk.
2. Adversary: sends $m_0, m_1$.
3. Challenger: Encrypt(pk, $m_b$); sends c.
4. Adversary: Output $b'$.
Definition: Indistinguishability of Ciphertexts under CPA
A sequence of public-key encryption schemes PE has indistinguishable ciphertexts under chosen-plaintext attack (CPA) if for all efficient adversaries $A = (A_n)_{n \in \mathbb{N}}$:
$\mathrm{Adv}^{\mathrm{CPA}}_{PE,A} = \left| \Pr[\mathrm{Exp}^{\mathrm{CPA}}_{PE,A_n}(0) = 1] - \Pr[\mathrm{Exp}^{\mathrm{CPA}}_{PE,A_n}(1) = 1] \right|$ is negligible.

Only a 1-CPA Variant?
Does the following extended experiment strengthen the definition?
Challenger(b, n), $b \in \{0,1\}$, and Adversary(n):
1. Challenger: Generate Keys $K(n) \to (pk, sk)$; sends pk.
2. Adversary: sends m; Challenger returns E(pk, m).
3. Adversary: sends $m_0, m_1$.
4. Challenger: Encrypt(pk, $m_b$); sends c.
5. Adversary: Output $b'$.
No, since A can compute E(pk, m) itself for messages of its choice!
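
The CPA experiment above as code, with an adversary that encrypts m_0 itself under pk, as the last line of the slide observes it can. This is an added example, not code from the lecture, and it goes beyond the slide by also running a variant that reuses one fixed y; the toy group (p = 2579, g = 2), the challenge messages and the function names are assumptions of this example.

```python
# Added example (not from the lecture): the CPA experiment with an adversary
# that re-encrypts m_0 itself. Toy parameters are constructed.
import secrets

P, G = 2579, 2           # toy prime and a generator of Z_p^* (constructed)


def keygen():
    x = 1 + secrets.randbelow(P - 1)
    return (P, G, pow(G, x, P)), x


def enc_randomized(pk, m):
    p, g, h = pk
    y = 1 + secrets.randbelow(p - 1)              # fresh randomness per call
    return pow(g, y, p), (m * pow(h, y, p)) % p


def enc_fixed_y(pk, m, y=853):
    p, g, h = pk                                  # broken variant: y is reused
    return pow(g, y, p), (m * pow(h, y, p)) % p


def exp_cpa(encrypt, b):
    """One run of Exp^CPA(b); returns the adversary's output bit."""
    pk, _sk = keygen()                            # challenger sends pk
    m0, m1 = 1, 2                                 # adversary's challenge pair
    c = encrypt(pk, (m0, m1)[b])                  # challenger: c = E(pk, m_b)
    # The adversary needs no encryption oracle: it holds pk and runs E itself.
    return 0 if encrypt(pk, m0) == c else 1


def advantage(encrypt, trials=400):
    """Estimate |Pr[Exp(0) = 1] - Pr[Exp(1) = 1]| by sampling."""
    p0 = sum(exp_cpa(encrypt, 0) for _ in range(trials)) / trials
    p1 = sum(exp_cpa(encrypt, 1) for _ in range(trials)) / trials
    return abs(p0 - p1)
```

The fixed-y variant is distinguished with advantage 1, while this particular adversary gains essentially nothing when y is fresh; the latter is a sanity check, not a proof of CPA security.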

CPA-security of ElGamal
Theorem: IND-CPA of ElGamal
ElGamal has indistinguishable ciphertexts under CPA if the following Decisional Diffie-Hellman assumption holds in G:
Definition: Decisional Diffie-Hellman Assumption (DDH)
Given a group G with ~$2^n$ elements and a random $g \in G$, no efficient adversary (in n) can distinguish $(g^x, g^y, g^{xy})$ and $(g^x, g^y, g^z)$ for x, y, z random in $\{1, \ldots, |G|\}$.
Why decisional? CPA-security says it must be hard to distinguish, CDH that it is hard to compute. But distinguishing might be easier...

Problem of information secrecy solved?
We need alternative schemes based on different assumptions!
RSA based ciphers (origin in 1977)