Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message Authentication Codes Hash Functions Compression Functions Merkle-Damgård Construction MACs from Hashes Introduction to Cybersecurity 2016/17 1 Review: Attack by Meet-in-the-Middle DE((K 1,K 2 ), m) := E(K 2, E(K 1, m)) Attack by meet-in-the-middle m E(K 1, ) E(K 2, ) c Introduction to Cybersecurity 2016/17 2 1
Review: Modes of Operation Cipherblock Chaining (CBC) m1 m2 c1 c2 IV + + D(K, ) D(K, ) E(K, ) E(K, ) IV + + c1 c2 m1 m2 Introduction to Cybersecurity 2016/17 3 Review: Message Integrity Goal of message integrity: Add MAC Key Plaintext with MAC Verify Key Plaintext Plaintext Alice Alice generates tag t for message m, Bob verifies tag Bob Goal: Attacker cannot change message, i.e., attacker cannot generate any valid pair (m, t) Introduction to Cybersecurity 2016/17 41 Review: Hash Function Let H: M T be a hash function (non-keyed) (often H: 0,1 0,1 n ) A collision for H is a tuple (m 1, m 2 ) with H m 1 = H m 2 m 1 m 2 Definition: Collision Resistant Hash Function (CRHF) A hash function H is collision resistant if no efficient algorithm is known that finds a collision for H in suitable time. Remark: Defining that no efficient adversary exists that finds a collision cannot be fulfilled Introduction to Cybersecurity 2016/17 48 2
Review: Merkle-Damgard Construction Merkle-Damgård (iterated construction) Message m Padding pad Block b 0 Block b 1 Block b 2 Block b 3 Block b 4 IV h 0 f f f f f h 1 h 2 h 3 h 4 Hash h pad is the padding function (injective) f: 0,1 k 0,1 n 0,1 n is the compression function. h i are called chaining variables IV is the initial value Introduction to Cybersecurity 2016/17 53 This Lecture s Summary Asymmetric encryption Number theory for El-Gamal El-Gamal Encryption Scheme Number theory for RSA RSA Encryption Schemes 7 Symmetric vs. Asymmetric (Public-key) Encryptions Fast Based on Heuristics One key for every pair of user Two parties need to protect the secret Slow Based on Security Proofs with welldefined assumptions One key for every user Everyone is responsible for his/her own secret key 8 3
Public-key Encryption Now public-key encryption schemes (K,E,D): m E c:= E(pk,m) c m D pk K sk Legend Randomized Stateful Deterministic 9 Definition of Public-Key Encryption Definition: Public-key Encryption Scheme A public-key encryption scheme is a triple of algorithms (K, E, D): The randomized key generation algorithm K takes no input and returns a key pair (pk, sk). The (often randomized) encryption algorithm E takes a public key pk and a message m and returns a ciphertext c. The deterministic decryption algorithm D takes a secret key sk, a ciphertext c and returns a plaintext m M or a distinguished error symbol. Correctness: The above algorithms have to satisfy the following property: For any key pair (pk, sk) [K], any message m M, and any c [E(pk, m)], we have that D(sk, c) = m. 10 Number Theory Basics for the El-Gamal Encryption Scheme 4
Notation From here on: N denotes a positive integer. p denote a prime. Notation: Z N = 0,1,2,, N 1 Can do addition and multiplication modulo N 12 Modular Arithmetic Examples: let N = 12 9 + 8 = 5 in Z 12 5 7 = 11 in Z 12 5 7 = 10 in Z 12 Arithmetic in Z N works as you expect, e.g. x y + z = x y + x z in Z N. 13 Greatest Common Divisor (GCD) Definition: GCD For integers x, y we define gcd x, y is the greatest common divisor of x, y. Example: gcd 12, 18 = 6 Fact: GCD For all integers x, y there exist integers a, b such that a x + b y = gcd x, y a, b can be found efficiently using the extended Euclidean algorithm. If gcd x, y = 1 we say that x and y are relatively prime. 14 5
How to compute gcd? The Extended Euclid Algorithm Example: gcd 240,46 240 = 5 46 + 10 46 = 4 10 + 6 10 = 6 + 4 6 = 4 + 2 4 = 2 2 240 5 46 = 10 46 4 10 = 6 10 6 = 4 6 4 = 2 240 5 46 = 10 46 4 10 = 6 2 6 10 = 2 240 5 46 = 10 2 (46 4 10) 10 = 2 240 5 46 = 10 2 46 9 10 = 2 2 46 9 (240 5 46) = 2 9 240 + 47 46 = 2 15 Modular Inversion Over rationals, inverse of 2 is 1 2. What about Z N? Definition: Inverse The inverse of x in Z N is an element y in Z N such that x y = 1 in Z N. y is denoted by x 1. Example: let N be an odd integer. The inverse of 2 in Z N is N+1 2 = N + 1 = 1 in Z 2 N 16 Modular Inversion Which elements have an inverse in Z N? Lemma: x in Z N has an inverse if and only if gcd(x, N) = 1 Proof: gcd x, N = 1 a, b: a x + b N = 1 a x = 1 in Z N x = a 1 in Z N gcd x, N > 1 a: gcd a x, N > 1 a x 1 in Z N 17 6
More notation Definition: Set of invertible Elements in Z N Z N { x Z N gcd x, N = 1} Examples: For a prime p: Z p = Z p \{0} = 1,2,, p 1 Z 12 = {1,5,7,11} For x in Z N, we can find x 1 using the extended Euclid algorithm. 18 Solving modular linear equations Solve: Solution: a x + b = 0 in Z N x = b a 1 in Z N Find a 1 in Z N using the extended Euclid. Run time: O(log 2 N) 19 The structure ofz p Theorem (Euler): Z p is a cyclic group, that is g Z p such that 1, g, g 2, g 3, g is called a generator of Z p. = Z p Example: p = 7. g = 3 is a generator: 1, 3, 3 2, 3 3, 3 4, 3 5 = 1, 3, 2, 6, 4, 5 = Z 7 Not every element is a generator: 1, 2, 2 2, 2 3, 2 4, 2 5 = {1, 2, 4} 20 7
Order For g the set {1, g, g 2, g 3, } is called the group generated by g, denoted by <g>. Definition: Order of g The order of g Z p is the size of <g>, denoted by ord p g = <g>. It is the smallest a > 0 s.t. g a = 1 in Z p. Examples: ord 7 3 = 6; ord 7 2 = 3; ord 7 1 = 1. Theorem (Lagrange): g Z p : ord p g divides p 1 21 Fermat s little Theorem Theorem: Fermat s little Theorem For every prime p and every x Z p it holds that x p 1 = 1 mod p. Follows from Langrange s Theorem and the fact that x ord p x = 1 mod p. 22 Easy problems Given composite N and x in Z N find x 1 in Z N. Given prime p and polynomial f x find x in Z p s.t. f x = 0 in Z p Running time is linear in deg f. (if one exists) but many problems are difficult. 23 8
Intractable problems with primes discrete logarithm Fix a prime p > 2 and g in Z p of order q. Consider the function x g x in Z p Now, consider the inverse function: Dlog g g x = x where x {0,, q 2} Example: in : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 Dlog 2 ( ) : 0, 1, 8, 2, 4, 9, 7, 3, 6, 5 24 Computing Dlog in Z p (n-bit prime p) Best known algorithm (GNFS): run time exp(o 3 n ) Cipher key size Modulus Size Elliptic curve group size 80 bits 1024 bits 160 bits 128 bits 3072 bits 256 bits 256 bits (AES) 15360 bits 512 bits As a result: slow transition away from (mod p) to elliptic curves 25 El-Gamal Encryption Scheme 9
ElGamal Encryption System (1984) Key Generation K(n) for security parameter n Pick random n-bit prime p Pick random generator g for Z p } Can be publicly known Pick random x {1,, p 1} Set pk = (p, g, h: = g x ) Set sk = (p, g, x) Output (pk, sk) 27 ElGamal Encryption System (1984) Encryption Enc(pk, m); pk = (p, g, h), m Z p Pick random y {1,, p 1} Set i = g y, k = h y Set c: = (i, m k) Output c Decryption Dec sk, c ; sk = (p, g, x) and c = (A, B) Set d = B A x Output d Correctness: El-Gamal B A x = B gy x = B gx y = B h y = (m hy) h y = m 28 ElGamal Encryption System (cont d) Security intuition: B = m g xy is similar to the OTP: g xy is the key and the XOR. but: why is this secure? Goals: Define security of public key encryption schemes. (yes, we do that!) Prove that ElGamal is secure. (core lecture) 29 10
Indist. Ciphertexts under CPA Let PE = (K, E, D) be a public-key encryption scheme and A an adversary. Define Exp CPA PE,A (b) as: Challenger(b, n),b {0,1} Adversary(n) Generate Keys K(n) (pk, sk) Encrypt(pk, m b ) pk m 0, m 1 c Output b Definition: Indistinguishability of Ciphertexts under CPA A sequence of public-key encryption schemes PE has indistinguishable ciphertexts under chosen-plaintext attack (CPA) if for all efficient adversaries A = A n n N : Adv CPA PE,A = Pr[Exp CPA PE,An (0) = 1] Pr[Exp CPA PE,An (1) = 1] is negligible. 30 Only a 1-CPA Variant? Does the following extended experiment strengthen the definition? Challenger(b, n),b {0,1} Adversary(n) Generate Keys K(n) (pk, sk) Encrypt(pk, m b ) pk m E(pk, m) m 0, m 1 c Output b No, since A can compute E(pk,m) itself for messages of its choice! 31 CPA-security of ElGamal Theorem: IND-CPA of ElGamal ElGamal has indistinguishable ciphertexts under CPA if the following Decisional Diffie-Hellman assumption holds in G: Definition: Decisional Diffie-Hellman Assumption (DDH) Given a group G with ~2 n elements and a random g G, no efficient adversary (in n) can distinguish (g x, g y, g xy ) and (g x, g y, g z ) for x, y, z random in {1,, G }. Why decisional? CPA-security says it must be hard to distinguish, CDH that it is hard to compute. But distinguishing might be easier... 32 11
Problem of information secrecy solved? We need alternative schemes based on different assumptions! RSA based ciphers (origin in 1977) 23 12