CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Similar documents
ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Introduction to Cybersecurity Cryptography (Part 4)

1 Number Theory Basics

Introduction to Cybersecurity Cryptography (Part 4)

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Chapter 11 : Private-Key Encryption

Introduction to Cybersecurity Cryptography (Part 5)

El Gamal A DDH based encryption scheme. Table of contents

Digital Signatures. Adam O Neill based on

ASYMMETRIC ENCRYPTION

Lecture 17: Constructions of Public-Key Encryption

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

The Cramer-Shoup Cryptosystem

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

RSA-OAEP and Cramer-Shoup

Lecture 28: Public-key Cryptography. Public-key Cryptography

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

ECS 189A Final Cryptography Spring 2011

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Lecture Note 3 Date:

Public-Key Encryption

Public Key Cryptography

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Introduction to Cryptography. Lecture 8

Public Key Cryptography

5.4 ElGamal - definition

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Advanced Topics in Cryptography

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Public-Key Encryption: ElGamal, RSA, Rabin

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 11: Key Agreement

Lecture 22: RSA Encryption. RSA Encryption

Modern Cryptography Lecture 4

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Cryptography and Security Midterm Exam

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

CPA-Security. Definition: A private-key encryption scheme

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Lecture 16: Public Key Encryption:II

14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

1 Basic Number Theory

Notes for Lecture 17

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Cryptography IV: Asymmetric Ciphers

Applied cryptography

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Public Key Cryptography

Public Key Cryptography

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Introduction to Cryptography. Susan Hohenberger

Lecture 7: CPA Security, MACs, OWFs

Advanced Cryptography 1st Semester Public Encryption

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Provable security. Michel Abdalla

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Lecture 14 - CCA Security

Introduction to Modern Cryptography. Benny Chor

CS 395T. Probabilistic Polynomial-Time Calculus

G Advanced Cryptography April 10th, Lecture 11

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

5199/IOC5063 Theory of Cryptology, 2014 Fall

Lecture V : Public Key Cryptography

Week : Public Key Cryptosystem and Digital Signatures

CPSC 467: Cryptography and Computer Security

10 Concrete candidates for public key crypto

Practice Assignment 2 Discussion 24/02/ /02/2018

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Cryptography and Security Final Exam

Lecture 1: Introduction to Public key cryptography

CTR mode of operation

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

RSA RSA public key cryptosystem

5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Lossy Trapdoor Functions and Their Applications

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Public Key Algorithms

General Impossibility of Group Homomorphic Encryption in the Quantum World

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

15 Public-Key Encryption

Question: Total Points: Score:

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Introduction to Elliptic Curve Cryptography

Identity-based encryption

Transcription:

CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017

Outline RSA encryption in practice Transform RSA trapdoor into CCA secure encryption PKCS standard and attacks OAEP standard ElGamal encryption Based on Diffie-Hellman key exchange Proof of security based on DDH assumption Digital signatures Integrity in public-key world Equivalent of MACs Public verifiability 2

Trapdoor functions Def: a trapdoor function X Y is a triple of efficient algorithms (Gen, F, F -1 ) Gen(): randomized alg. outputs a key pair (pk, sk) F(pk, ): deterministic alg. that defines a function X Y F -1 (sk, ): defines a function Y X that inverts F(pk, ) Correctness: (pk, sk) output by G x X: Trapdoor permutation F: X X, F -1 : X X F -1 (sk, F(pk, x) ) = x 3

The RSA trapdoor permutation Gen(): Choose random primes p,q 1024 bits. Set N=pq. RSA modulus Choose integers e, d s.t. e d = 1 (mod (N) ) Output pk = (N, e), sk = (d) F( pk, x ): ; F(pk, x) = x e mod N F -1 ( sk, y) = y d mod N y d = RSA(x) d = x ed = x k (N)+ 1 = (x (N) ) k x = x 4

The RSA assumption RSA assumption: RSA is trapdoor permutation For all PPT algorithms A: Pr[ A(N,e,y) = y 1/e ] < negligible R R where p,q n-bit primes, N pq, y Z * N 5

RSA public-key encryption (E, D): authenticated encryption scheme H: Z N K where K is key space of (E s,d s ) Gen(): generate RSA parameters: pk = (N,e), sk = (d) Enc(pk, m): (1) choose random x in Z N (2) y RSA(x) = x e, k H(x) (3) output (y, E(k,m) ) Randomized Dec(sk, (y, c) ): output D( H(RSA -1 (y)), c) CCA secure ISO Standard 6

RSA encryption in practice Never use textbook RSA. RSA in practice (since ISO standard is not often used) : msg key Preprocessing RSA ciphertext Main questions: How should the preprocessing be done? Can we argue about security of resulting system? 7

PKCS1 v1.5 PKCS1 mode 2: (encryption) 16 bits 02 random pad FF msg RSA modulus size (e.g. 2048 bits) Resulting value is RSA encrypted Widely deployed, e.g. in HTTPS 8

Attack on PKCS1 v1.5 (Bleichenbacher 1998) PKCS1 used in HTTPS: Is this PKCS1? 02 d Web Server c yes: continue no: error c= Attacker ciphertext attacker can test if 16 MSBs of plaintext = 02 Chosen-ciphertext attack: to decrypt a given ciphertext c do: Choose r Z N. Compute c r e c = (r PKCS1(m)) e Send c to web server and use response 9

Simple example - Bleichenbacher compute x c d in Z N is msb=1? 1 d Web Server c yes: continue no: error c= Attacker ciphertext Suppose N is N = 2 n (an invalid RSA modulus). Then: Sending c reveals msb( x ) Sending 2 e c = (2x) e in Z N reveals msb(2x mod N) = msb 2 (x) Sending 4 e c = (4x) e in Z N reveals msb(4x mod N) = msb 3 (x) and so on to reveal all of x 10

HTTPS Defense (RFC 5246) Attacks discovered by Bleichenbacher resulted in the following change: 1. Decrypt the message to recover plaintext m 2. If the PKCS#1 padding is not correct 3. Generate a string R of 46 random bytes 4. pre_master_secret = R Still no proof of security 11

PKCS1 v2.0: OAEP New preprocessing function: OAEP [BR94] check pad on decryption. reject CT if invalid. msg 01 00..0 rand. + H G + plaintext to encrypt with RSA {0,1} n-1 Theorem [FOPS 01] : RSA is a trapdoor permutation RSA-OAEP is CCA secure when H,G are random functions in practice: use SHA-256 for H and G 12

Review: the Diffie-Hellman protocol (1977) Fix a finite cyclic group G (e.g G = (Z p ) * ) of order q Fix a generator g in G (i.e. G = {1, g, g 2, g 3,, g q-1 } ) Alice choose random x in {1,,q} A = g x B x = (g y ) x = B = g y Bob choose random y in {1,,q} k AB = g xy = (g x ) y = A y 13

ElGamal: converting to pub-key enc. (1984) Fix a finite cyclic group G (e.g G = (Z p ) * ) of order q Fix a generator g in G (i.e. G = {1, g, g 2, g 3,, g q-1 } ) Alice choose random x in {1,,q} h = g x Bob choose random y in {1,,q} compute k=g xy = h y Enc(m) = [ u=g y, c=k m ] 14

ElGamal: converting to pub-key enc. (1984) Fix a finite cyclic group G (e.g G = (Z p ) * ) of order q Fix a generator g in G (i.e. G = {1, g, g 2, g 3,, g q-1 } ) Alice choose random x in {1,,q} h = g x To decrypt (u,c): Bob choose random y in {1,,q} compute k=g xy = h y Enc(m) = [ u=g y,c= k m ] compute k = u x and decrypt m = k -1 c 15

The ElGamal system (a modern view) G: finite cyclic group of order q We construct a pub-key enc. system (Gen, Enc, Dec): Key generation Gen: choose random generator g in G and random x in Z q output sk = x, pk = (g, h=g x ) Enc( pk=(g,h), m) : y Z q, u g y, k h y c k m output (u, c) Dec( sk=x, (u,c) ) : k u x m k -1 c output m 16

ElGamal performance Enc( pk=(g,h), m) : y Z q, u g y, v h y Dec( sk=x, (u,c) ) : k u x Encryption: 2 exp. (fixed basis) Can pre-compute [ g (2^i), h (2^i) for i=1,,log 2 n ] 3x speed-up (or more) Decryption: 1 exp. (variable basis) 17

Decisional Diffie-Hellman Let G be a finite cyclic group and g generator of G G = { 1, g, g 2, g 3,, g q-1 } q is the order of G Definition: We say that DDH is hard in G if for all PPT adversaries D: Pr[ D( g x,g y,g xy ) = 1 ] - Pr[ D( g x,g y,g z ) = 1 ] < negligible G, q and g are public and known to D x, y, z are chosen uniformly at random in {1, q-1} 18

Security Theorem: Let G be a cyclic group of order q. Assuming that the DDH problem is hard, then El-Gamal encryption is CPA secure. In particular, for every PPT adversary A attacking the CPA security of El-Gamal: Pr[Exp CPA Π,A n = 1] = 1/2 + negligible(n) 19

Proof of security - Intuition Π Enc(pk=(g,h), m) y Z q, u g y c h y m (= g xy m) output (u, c) 1. Success of adversary to break Π and Π in CPA game is similar Under the assumption that DDH is hard! Π Enc (pk=(g,h), m) y Z q, u g y, z Z q c g z m output (u, c) 2. Success of adversary to break Π in CPA game is negligible 20

Proof of security step 1 1. Success of adversary to break Π and Π in CPA game is similar Assume that DDH is hard. For any PPT adversary A: Pr[Exp CPA Π,A n = 1] Pr[Exp CPA Π,A n = 1] negl(n) Let A be a PPT adversary in CPA game We build D a distinguisher for DDH D knows (G, q, g) and is given input (g x,g y, w) World 1: w = g xy World 0: w = g z 21

Proof of security step 1 1. Success of adversary to break Π and Π in CPA game is similar Assume that DDH is hard. Then for any PPT adversary A: Pr[Exp CPA Π,A n = 1] Pr[Exp CPA Π,A n = 1] negl(n) D runs A. A chooses two messages m 0 and m 1 D picks a bit b at random and send c = w m b World 1: c = g xy m ; D simulates exactly scheme Π World 0: c = g z m ; D simulates exactly scheme Π D outputs what A outputs 22

Proof of security step 1 1. Success of adversary to break Π and Π in CPA game is similar Assume that DDH is hard. Then for any PPT adversary A: Pr[Exp CPA Π,A n = 1] Pr[Exp CPA Π,A n = 1] negl(n) D runs A. D outputs what A outputs Pr[Exp CPA Π,A n = 1] Pr[Exp CPA Π,A n = 1] = Pr[ D( g x,g y,g xy ) = 1 ] - Pr[ D( g x,g y,g z ) = 1 ], which is negligible(n) 23

Proof of security step 2 2. Success of adversary to break Π in CPA game is negligible For any PPT adversary A: Compute Pr[Exp CPA Π,A n = 1] Let A be an adversary in CPA game for Π A chooses two messages m 0 and m 1 A receives (g y, g z m b ) First part is independent on message If z is random, then g z is random in G For any v in G, Pr[g z m b = v] = Pr[g z = (m b ) -1 v] = 1/q g z m b does not reveal any information about m b 24

Conclusion For any PPT adversary A: Pr[Exp CPA Π,A n = 1] Pr[Exp CPA Π,A n = 1] Pr[Exp CPA Π, A n = 1] +Pr[Exp CPA Π, A n = 1] = ½ + negligible(n) El-Gamal encryption is CPA secure under DDH assumption 25

Key insights Trapdoor permutations (e.g., RSA) are not a secure encryption method They are deterministic Secure public-key encryption can be constructed from trapdoor permutations ISO standard CCA secure PKCS1 v1.5 (susceptible to padding oracles) OAEP CCA secure Discrete log based schemes El Gamal encryption constructed from Diffie-Hellman CPA security based on hardness of DDH 26

Acknowledgement Some of the slides and slide contents are taken from http://www.crypto.edu.pl/dziembowski/teaching and fall under the following: 2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation. We have also used slides from Prof. Dan Boneh online cryptography course at Stanford University: http://crypto.stanford.edu/~dabo/courses/onlinecrypto/ 27

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback