Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Similar documents
Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Introduction to Cryptography. Lecture 8

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Lecture 17: Constructions of Public-Key Encryption

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

El Gamal A DDH based encryption scheme. Table of contents

Introduction to Cybersecurity Cryptography (Part 5)

ASYMMETRIC ENCRYPTION

Public-Key Encryption: ElGamal, RSA, Rabin

14 Diffie-Hellman Key Agreement

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Lecture 11: Key Agreement

Introduction to Cybersecurity Cryptography (Part 4)

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Introduction to Cybersecurity Cryptography (Part 4)

1 Number Theory Basics

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Public-Key Encryption

basics of security/cryptography

Chapter 11 : Private-Key Encryption

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture Notes, Week 6

Lecture 14: Hardness Assumptions

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Lecture 28: Public-key Cryptography. Public-key Cryptography

Introduction to Modern Cryptography. Benny Chor

CIS 551 / TCOM 401 Computer and Network Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Topics in Cryptography. Lecture 5: Basic Number Theory

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Provable security. Michel Abdalla

CS 290G (Fall 2014) Introduction to Cryptography Oct 21st, Lecture 5: RSA OWFs

Lecture 22: RSA Encryption. RSA Encryption

Public Key Cryptography

Lecture 16: Public Key Encryption:II

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Advanced Cryptography 03/06/2007. Lecture 8

Public Key Cryptography

5.4 ElGamal - definition

Advanced Cryptography 1st Semester Public Encryption

Mathematics of Cryptography

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Lecture Note 3 Date:

Lecture 7: ElGamal and Discrete Logarithms

Digital Signatures. Adam O Neill based on

10 Concrete candidates for public key crypto

Introduction to Cryptology. Lecture 20

1 Public-key encryption

Advanced Topics in Cryptography

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

1 Rabin Squaring Function and the Factoring Assumption

Chapter 8 Public-key Cryptography and Digital Signatures

Notes for Lecture 17

RSA-OAEP and Cramer-Shoup

ECE596C: Handout #11

Public-Key Cryptosystems CHAPTER 4

Introduction to Cryptography. Lecture 6

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Introduction to Cryptography. Susan Hohenberger

Introduction to Modern Cryptography. Benny Chor

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CPSC 467b: Cryptography and Computer Security

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Introduction to Elliptic Curve Cryptography. Anupam Datta

Pseudorandom Generators

Public Key Cryptography

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Math/Mthe 418/818. Review Questions

DATA PRIVACY AND SECURITY

Cryptography IV: Asymmetric Ciphers

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

ECS 189A Final Cryptography Spring 2011

Katz, Lindell Introduction to Modern Cryptrography

General Impossibility of Group Homomorphic Encryption in the Quantum World

By the way, = = 693 (mod 1823) and ord(3) = 911. I list the commands I used in Mathematica to solve this problem here.

1 Basic Number Theory

G Advanced Cryptography April 10th, Lecture 11

Public Key Cryptography

Cryptography and Security Midterm Exam

5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA

10 Modular Arithmetic and Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Lecture 1: Introduction to Public key cryptography

Discrete Logarithm Problem

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Security II: Cryptography exercises

Transcription:

Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,.., G -1} X=g x Output Y x X Y Random y {0,.., G -1} Y=g y Output X y g x, g y g xy??

Decisional Diffie-Hellman (DDH) Assumption {(g x, g y, g xy )} (G,g) GroupGen; x,y [ G ] {(g x, g y, g r )} (G,g) GroupGen; x,y,r [ G ] At least as strong as Discrete Log Assumption (DLA) DLA: Raise(x; G,g) = (g x ; G,g) is a OWF collection If DDH assumption holds, then DLA holds [Why?] But possible that DLA holds and DDH assumption doesn t e.g.: DLA is widely assumed to hold in Z p (p prime), but DDH assumption doesn t hold there! Do we have a candidate group for DDH?

A Candidate DDH Group Consider QR P : subgroup of Quadratic Residues ( even power elements) of Z P 9 8 1 7 5 Easy to check if an element is a QR or not: check if raising to G /2 gives 1 (identity element) 6 4 10 3 2 DDH does not hold in Z P : g xy is a QR w/ prob. 3/4; g z is QR only w/ prob. 1/2. How about in QR P? Could check if cubic residue in Z P! But if (P-1) is not divisible by 3, all elements in Z P are cubic residues! DDH Candidate: QR P where P is a safe-prime Safe if (P-1)/2 is also prime: P called a safe-prime

El Gamal Encryption Based on DH key-exchange Alice, Bob generate a key using DH key-exchange Then use it as a one-time pad Bob s message in the keyexchange is his PK Alice s message in the keyexchange and the ciphertext of the one-time pad together form a single ciphertext Random x X=g x K=Y x C=MK Y X C Random y Y=g y K=X y M=CK -1 KeyGen: PK=(G,g,Y), SK=(G,g,y) Enc (G,g,Y) (M) = (X=g x, C=MY x ) Dec (G,g,y) (X,C) = CX -y KeyGen uses GroupGen to get (G,g) x, y uniform from Z G Message encoded into group element, and decoded

Security of El Gamal El Gamal IND-CPA secure if DDH holds (for the collection of groups used) Construct a DDH adversary A given an IND-CPA adversary A A(G,g; g x,g y,g z ) (where (G,g) GroupGen, x,y random and z=xy or random) plays the IND-CPA experiment with A: But sets PK=(G,g,g y ) and Enc(M b )=(g x,m b g z ) Outputs 1 if experiment outputs 1 (i.e. if b=b ) When z=random, A outputs 1 with probability = 1/2 When z=xy, exactly IND-CPA experiment: A outputs 1 with probability = 1/2 + advantage of A.

Trapdoor PRG: Abstracting El Gamal KeyGen: a pair (PK,SK) Three functions: G PK (.) (a PRG) and T PK (.) (make trapdoor info) and R SK (.) (opening the trapdoor) Random x C=MK G PK (x) is pseudorandom even given T PK (x) and PK KeyGen: PK=(G,g,Y), SK=(G,g,y) Enc (G,g,Y) (M) = (X=g x, C=MY x ) (PK,T PK (x),g PK (x)) (PK,T PK (x),r) Dec (G,g,y) (X,C) = CX -y T PK (x) hides G PK (x). SK opens it. R SK (T PK (x)) = G PK (x) KeyGen: (PK,SK) Enc PK (M) = (X=T PK (x), C=M.G PK (x)) Enough for an IND-CPA secure PKE scheme (e.g., Security of El Gamal) Dec SK (X,C) = C/R SK (T PK (x)) X=g x K=Y x Y X C Random y Y=g y K=X y M=CK -1

Trapdoor PRG from Generic Assumption? PRG constructed from OWP (or OWF) Allows us to instantiate the construction with several candidates Is there a similar construction for TPRG from OWP? Trapdoor property seems fundamentally different: generic OWP does not suffice Will start with Trapdoor OWP x T G z PK KeyGen SK (PK,T PK (x),g PK (x)) (PK,T PK (x),r) R z

Trapdoor OWP (KeyGen,f,f ) (all PPT) is a trapdoor oneway permutation if For all (PK,SK) KeyGen f PK a permutation f SK is the inverse of f PK For all PPT adversary, probability of success in the Trapdoor OWP experiment is negligible f PK (x),pk x (PK,SK) KeyGen x {0,1} k x = x? Yes/No

Trapdoor OWP (KeyGen,f,f ) (all PPT) is a trapdoor oneway permutation if For all (PK,SK) KeyGen f PK a permutation f SK is the inverse of f PK For all PPT adversary, probability of success in the Trapdoor OWP experiment is negligible Hardcore predicate: B PK s.t. (PK,f PK (x),b PK (x)) (PK,f PK (x),r) f PK (x),pk b (PK,SK) KeyGen x {0,1} k b = B PK (x)? Yes/No

Trapdoor PRG from Trapdoor OWP KeyGen Same construction as PRG from OWP One bit Trapdoor PRG KeyGen same as Trapdoor OWP s KeyGen G PK (x) := B PK (x). T PK (x) := f PK (x). R sk (y) := G PK (f SK (y)) (SK assumed to contain PK) More generally, last permutation output serves as T PK x x (PK,T PK (x),g PK (x)) (PK,T PK (x),r) (PK,f PK (x),b PK (x)) (PK,f PK (x),r) f PK B PK T G G PK (x) z PK f PK T PK (x) B PK... G PK (x) SK R z f PK B PK T PK (x)

Candidate Trapdoor OWPs From some (candidate) OWP collections, with index as public-key Recall candidate OWF collections Rabin OWF: f Rabin (x; N) = x 2 mod N, where N = PQ, and P, Q are k-bit primes (and x uniform from {0 N-1}) Fact: f Rabin (.; N) is a permutation among quadratic residues, when P, Q are 3 (mod 4) Fact: Can invert f Rabin (.; N) given factorization of N Coming up RSA function: f RSA (x; N,e) = x e mod N where N=PQ, P,Q k-bit primes, e s.t. gcd(e,φ(n)) = 1 (and x uniform from {0 N-1}) Fact: f RSA (.; N,e) is a permutation Fact: While picking (N,e), can also pick d s.t. x ed = x

Z N Group operation: multiplication modulo N Has identity, is associative Group elements: all numbers (mod N) which have a multiplicative inverse modulo N e.g.: Z 6 has elements {1,5}, Z 7 has {1,2,3,4,5,6} a has a multiplicative inverse modulo N integers b, c s.t. ab = 1+cN gcd(a,n)=1 ( ) gcd(a,n) (ab-cn) Extended Euclidean algorithm to find (b,d) given (a,n). Used to efficiently invert elements in Z N ( ) from Euclid s algorithm: b, d s.t. gcd(a,n) = ab+dn Z N = #integers in [1,N-1] co-prime with N = φ(n)

Z P, P prime 8 1 7 Recall Z P 9 6 Z 11 5 2 Z P =: φ(p) = P-1 (all of them co-prime with P) 4 10 3 Cyclic: Isomorphic to Z P-1 Has φ(p-1) = Z P-1 different generators Discrete Log assumed to be hard Quadratic Residues form a subgroup QR P Candidate group for DDH assumption

Z N, N=PQ, two primes e.g. Z 15 = {1,2,4,7,8,11,13,14} φ(15) = 8 Also works with P, Q co-primes Group operation and inverse efficiently computable Cyclic? No! In Z 15, 2 4 = 4 2 = 7 4 = 8 4 = 11 2 = 13 4 = 14 2 = 1 (i.e., each generates at most 4 elements, out of 8) Product of two cycles : Z 3 and Z 5 Chinese Remainder Theorem

Chinese Remainder Theorem Consider mapping elements in Z 15 (all 15 of them) to Z 3 and Z 5 a (a mod 3, a mod 5) CRT says that the pair (a mod 3, a mod 5) uniquely determines a (mod 15)! All 15 possible pairs occur, once each In general for N=PQ (P, Q relatively prime), a (a mod P, a mod Q) maps the N elements to the N distinct pairs In fact extends to product of more than two (relatively prime) numbers Z 15 Z 3 Z 5 0 0 0 1 1 1 2 2 2 3 0 3 4 1 4 5 2 0 6 0 1 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4

Chinese Remainder Theorem and Z N CRT representation of Z N : every element of Z N can be written as a unique element of Z P Z Q Addition can be done coordinate-wise (a,b) + (mod N) (a,b ) = (a + (mod P) a,b + (mod Q) b ) CRT: Z N Z P Z Q (group isomorphism) Z 15 Z 3 Z 5 0 0 0 1 1 1 2 2 2 3 0 3 4 1 4 5 2 0 6 0 1 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4

Chinese Remainder Theorem Elements in Z N and Z N Multiplication (and identity, and inverse) also coordinate-wise No multiplicative inverse iff (0,b) or (a,0) Else in Z N : i.e., (a,b) s.t. a Z P, b Z Q Z N Z P Z Q φ(n) = Z N = (P-1)(Q-1) (P Q, primes) Can efficiently compute the isomorphism (in both directions) if P, Q known [Exercise] Z 15 Z 3 Z 5 0 0 0 1 1 1 2 2 2 3 0 3 4 1 4 5 2 0 6 0 1 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4

RSA Function f RSA[N,e] (x) = x e mod N Where N=PQ, and gcd(e,φ(n)) = 1 (i.e., e Zφ(N) ) f RSA[N,e] : Z N Z N Alternately, f RSA[N,e] : Z N Z N f RSA[N,e] is a permutation with a trapdoor (namely (N,d)) In fact, there exists d s.t. f RSA[N,d] is the inverse of f RSA[N,e] d s.t. ed=1 (mod φ(n)), x ed = x (mod N) For Z N because order is φ(n) For Z N? By CRT, and because multiplication is coordinate-wise (and it holds in Z P and Z Q. note: 0 ed = 0) [Exercise]

RSA Function f RSA[N,e] (x) = x e mod N Where N=PQ, and gcd(e,φ(n)) = 1 (i.e., e Zφ(N) ) f RSA[N,e] : Z N Z N Alternately, f RSA[N,e] : Z N Z N f RSA[N,e] is a permutation with a trapdoor (namely (N,d)) RSA Assumption: f RSA[N,e] is a OWF collection, when P, Q random k-bit primes and e < N random number s.t. gcd(e,φ(n))=1 (with inputs uniformly from Z N or Z N ) Alternate version: e=3, P, Q restricted so that gcd(3,φ(n))=1 RSA Assumption will be false if one can factorize N Then knows φ(n) and can find d=e -1 in Zφ(N) Converse not known to hold Trapdoor OWP Candidate

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback