Introduction to Cybersecurity Cryptography (Part 4)


Introduction to Cybersecurity 2016/17

Review of Last Lecture
- Blockciphers
- Review of DES
- Attacks on Blockciphers
- Advanced Encryption Standard (AES)
- Modes of Operation
- MACs and Hashes
- Message Authentication Codes
- Hash Functions
- Compression Functions
- Merkle-Damgård Construction
- MACs from Hashes

Review: Attack by Meet-in-the-Middle

$DE((K_1, K_2), m) := E(K_2, E(K_1, m))$

[Figure: attack by meet-in-the-middle; $m$ passes through $E(K_1, \cdot)$ and $E(K_2, \cdot)$ to give $c$.]

Review: Modes of Operation

Cipherblock Chaining (CBC)

[Figure: CBC encryption of the blocks $m_1, m_2$ into $c_1, c_2$ using IV and $E(K, \cdot)$, and CBC decryption of $c_1, c_2$ into $m_1, m_2$ using IV and $D(K, \cdot)$.]

Review: Message Integrity

Goal of message integrity: Alice generates a tag $t$ for message $m$, Bob verifies the tag.

[Figure: Alice adds a MAC to the plaintext using the key; Bob verifies the plaintext with MAC using the key.]

Goal: The attacker cannot change the message, i.e., the attacker cannot generate any valid pair $(m, t)$.

Review: Hash Function

Let $H: M \to T$ be a hash function (non-keyed) (often $H: \{0,1\}^* \to \{0,1\}^n$).
A collision for $H$ is a tuple $(m_1, m_2)$ with $H(m_1) = H(m_2)$ and $m_1 \neq m_2$.

Definition: Collision Resistant Hash Function (CRHF)
A hash function $H$ is collision resistant if no efficient algorithm is known that finds a collision for $H$ in suitable time.

Remark: Defining that no efficient adversary exists that finds a collision cannot be fulfilled.

Review: Merkle-Damgård Construction

Merkle-Damgård (iterated construction)

[Figure: the message $m$ is padded with pad and split into blocks $b_0, \ldots, b_4$; starting from IV $= h_0$, the compression function $f$ is applied block by block, producing $h_1, \ldots, h_4$ and finally the hash $h$.]

- pad is the padding function (injective).
- $f: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is the compression function.
- $h_i$ are called chaining variables.
- IV is the initial value.

This Lecture's Summary
- Asymmetric encryption
- Number theory for El-Gamal
- El-Gamal Encryption Scheme
- Number theory for RSA
- RSA Encryption Schemes

Symmetric vs. Asymmetric (Public-key) Encryptions

Symmetric:
- Fast
- Based on heuristics
- One key for every pair of users
- Two parties need to protect the secret

Asymmetric (public-key):
- Slow
- Based on security proofs with well-defined assumptions
- One key for every user
- Everyone is responsible for his/her own secret key

Public-key Encryption

Now public-key encryption schemes $(K, E, D)$:

[Figure: $K$ outputs $pk$ and $sk$; $E$ takes $m$ and $pk$ and outputs $c := E(pk, m)$; $D$ takes $c$ and $sk$ and outputs $m$. Legend: randomized, stateful, deterministic.]

Definition of Public-Key Encryption

Definition: Public-key Encryption Scheme
A public-key encryption scheme is a triple of algorithms $(K, E, D)$:
- The randomized key generation algorithm $K$ takes no input and returns a key pair $(pk, sk)$.
- The (often randomized) encryption algorithm $E$ takes a public key $pk$ and a message $m$ and returns a ciphertext $c$.
- The deterministic decryption algorithm $D$ takes a secret key $sk$ and a ciphertext $c$ and returns a plaintext $m \in M$ or a distinguished error symbol $\bot$.

Correctness: The above algorithms have to satisfy the following property: for any key pair $(pk, sk) \in [K]$, any message $m \in M$, and any $c \in [E(pk, m)]$, we have that $D(sk, c) = m$.

Number Theory Basics for the El-Gamal Encryption Scheme

Notation

From here on:
- $N$ denotes a positive integer.
- $p$ denotes a prime.

Notation: $Z_N = \{0, 1, 2, \ldots, N-1\}$

Can do addition and multiplication modulo $N$.

Modular Arithmetic

Examples: let $N = 12$
- $9 + 8 = 5$ in $Z_{12}$
- $5 \times 7 = 11$ in $Z_{12}$
- $5 - 7 = 10$ in $Z_{12}$

Arithmetic in $Z_N$ works as you expect, e.g. $x \cdot (y + z) = x \cdot y + x \cdot z$ in $Z_N$.

Greatest Common Divisor (GCD)

Definition: GCD
For integers $x, y$ we define $\gcd(x, y)$ as the greatest common divisor of $x, y$.

Example: $\gcd(12, 18) = 6$

Fact: GCD
For all integers $x, y$ there exist integers $a, b$ such that $a \cdot x + b \cdot y = \gcd(x, y)$.

$a, b$ can be found efficiently using the extended Euclidean algorithm.

If $\gcd(x, y) = 1$ we say that $x$ and $y$ are relatively prime.

How to compute gcd? The Extended Euclid Algorithm

Example: $\gcd(240, 46)$

Division steps:
$240 = 5 \cdot 46 + 10$
$46 = 4 \cdot 10 + 6$
$10 = 6 + 4$
$6 = 4 + 2$
$4 = 2 \cdot 2$

Rewritten as remainders:
$240 - 5 \cdot 46 = 10$
$46 - 4 \cdot 10 = 6$
$10 - 6 = 4$
$6 - 4 = 2$

Back substitution:
$2 \cdot 6 - 10 = 2$
$2 \cdot (46 - 4 \cdot 10) - 10 = 2$
$2 \cdot 46 - 9 \cdot 10 = 2$
$2 \cdot 46 - 9 \cdot (240 - 5 \cdot 46) = 2$
$-9 \cdot 240 + 47 \cdot 46 = 2$

Modular Inversion

Over the rationals, the inverse of $2$ is $\frac{1}{2}$. What about $Z_N$?

Definition: Inverse
The inverse of $x$ in $Z_N$ is an element $y$ in $Z_N$ such that $x \cdot y = 1$ in $Z_N$. $y$ is denoted by $x^{-1}$.

Example: let $N$ be an odd integer. The inverse of $2$ in $Z_N$ is $\frac{N+1}{2}$, since $2 \cdot \frac{N+1}{2} = N + 1 = 1$ in $Z_N$.

Modular Inversion

Which elements have an inverse in $Z_N$?

Lemma: $x$ in $Z_N$ has an inverse if and only if $\gcd(x, N) = 1$.

Proof:
$\gcd(x, N) = 1 \Rightarrow \exists a, b: a \cdot x + b \cdot N = 1 \Rightarrow a \cdot x = 1$ in $Z_N \Rightarrow x = a^{-1}$ in $Z_N$
$\gcd(x, N) > 1 \Rightarrow \forall a: \gcd(a \cdot x, N) > 1 \Rightarrow a \cdot x \neq 1$ in $Z_N$
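The extended Euclid computation and the inversion lemma above, as an added Python example that is not part of the lecture slides. The function names `egcd`, `inverse` and `invertible_elements` are chosen here for illustration.

```python
def egcd(x, y):
    """Extended Euclid: return (g, a, b) with a*x + b*y == g == gcd(x, y)."""
    a0, b0, a1, b1 = 1, 0, 0, 1
    while y:
        q, r = divmod(x, y)          # one division step: x = q*y + r
        x, y = y, r
        a0, a1 = a1, a0 - q * a1     # keep the invariant a0*x0 + b0*y0 == x
        b0, b1 = b1, b0 - q * b1
    return x, a0, b0


def inverse(x, N):
    """Inverse of x in Z_N, or None when gcd(x, N) > 1 (then no inverse exists)."""
    g, a, _ = egcd(x % N, N)
    return a % N if g == 1 else None


def invertible_elements(N):
    """All x in Z_N that have an inverse, i.e. all x with gcd(x, N) == 1."""
    return [x for x in range(N) if inverse(x, N) is not None]


if __name__ == "__main__":
    print(egcd(240, 46))             # coefficients from the worked example
    print(inverse(2, 15))            # (N + 1) / 2 for odd N
    print(inverse(8, 12))            # gcd(8, 12) = 4, so there is no inverse
    print(invertible_elements(12))
```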

More notation

Definition: Set of invertible Elements in $Z_N$
$Z_N^* := \{ x \in Z_N : \gcd(x, N) = 1 \}$

Examples:
- For a prime $p$: $Z_p^* = Z_p \setminus \{0\} = \{1, 2, \ldots, p-1\}$
- $Z_{12}^* = \{1, 5, 7, 11\}$

For $x$ in $Z_N^*$, we can find $x^{-1}$ using the extended Euclid algorithm.

Solving modular linear equations

Solve: $a \cdot x + b = 0$ in $Z_N$
Solution: $x = -b \cdot a^{-1}$ in $Z_N$

Find $a^{-1}$ in $Z_N$ using the extended Euclid algorithm. Run time: $O(\log^2 N)$

The structure of $Z_p^*$

Theorem (Euler): $Z_p^*$ is a cyclic group, that is, $\exists g \in Z_p^*$ such that $\{1, g, g^2, g^3, \ldots\} = Z_p^*$.

$g$ is called a generator of $Z_p^*$.

Example: $p = 7$. $g = 3$ is a generator: $\{1, 3, 3^2, 3^3, 3^4, 3^5\} = \{1, 3, 2, 6, 4, 5\} = Z_7^*$

Not every element is a generator: $\{1, 2, 2^2, 2^3, 2^4, 2^5\} = \{1, 2, 4\}$

Order

For $g \in Z_p^*$ the set $\{1, g, g^2, g^3, \ldots\}$ is called the group generated by $g$, denoted by $\langle g \rangle$.

Definition: Order of $g$
The order of $g \in Z_p^*$ is the size of $\langle g \rangle$, denoted by $\mathrm{ord}_p(g) = |\langle g \rangle|$. It is the smallest $a > 0$ s.t. $g^a = 1$ in $Z_p$.

Examples: $\mathrm{ord}_7(3) = 6$; $\mathrm{ord}_7(2) = 3$; $\mathrm{ord}_7(1) = 1$.

Theorem (Lagrange): $\forall g \in Z_p^*$: $\mathrm{ord}_p(g)$ divides $p - 1$.

Fermat's little Theorem

Theorem: Fermat's little Theorem
For every prime $p$ and every $x \in Z_p^*$ it holds that $x^{p-1} = 1 \bmod p$.

Follows from Lagrange's Theorem and the fact that $x^{\mathrm{ord}_p(x)} = 1 \bmod p$.

Easy problems

- Given composite $N$ and $x$ in $Z_N$, find $x^{-1}$ in $Z_N$.
- Given prime $p$ and polynomial $f(x)$, find $x$ in $Z_p$ s.t. $f(x) = 0$ in $Z_p$ (if one exists). Running time is linear in $\deg(f)$.

... but many problems are difficult.

Intractable problems with primes: discrete logarithm

Fix a prime $p > 2$ and $g$ in $Z_p^*$ of order $q$.

Consider the function $x \mapsto g^x$ in $Z_p$.

Now, consider the inverse function: $\mathrm{Dlog}_g(g^x) = x$ where $x \in \{0, \ldots, q-2\}$.

Example in $Z_{11}$:

in $Z_{11}$:            1, 2, 3, 4, 5, 6, 7, 8, 9, 10
$\mathrm{Dlog}_2(\cdot)$:  0, 1, 8, 2, 4, 9, 7, 3, 6, 5

Computing Dlog in $Z_p^*$ ($n$-bit prime $p$)

Best known algorithm (GNFS): run time $\exp(\tilde{O}(\sqrt[3]{n}))$

Cipher key size    Modulus size    Elliptic curve group size
80 bits            1024 bits       160 bits
128 bits           3072 bits       256 bits
256 bits (AES)     15360 bits      512 bits

As a result: slow transition away from (mod $p$) to elliptic curves.

El-Gamal Encryption Scheme

ElGamal Encryption System (1984)

Key Generation $K(n)$ for security parameter $n$
- Pick a random $n$-bit prime $p$.
- Pick a random generator $g$ for $Z_p^*$. ($p$ and $g$ can be publicly known.)
- Pick a random $x \in \{1, \ldots, p-1\}$.
- Set $pk = (p, g, h := g^x)$.
- Set $sk = (p, g, x)$.
- Output $(pk, sk)$.

ElGamal Encryption System (1984)

Encryption $\mathrm{Enc}(pk, m)$; $pk = (p, g, h)$, $m \in Z_p^*$
- Pick a random $y \in \{1, \ldots, p-1\}$.
- Set $i = g^y$, $k = h^y$.
- Set $c := (i, m \cdot k)$.
- Output $c$.

Decryption $\mathrm{Dec}(sk, c)$; $sk = (p, g, x)$ and $c = (A, B)$
- Set $d = B / A^x$.
- Output $d$.

Correctness of El-Gamal:

$\frac{B}{A^x} = \frac{B}{(g^y)^x} = \frac{B}{(g^x)^y} = \frac{B}{h^y} = \frac{m \cdot h^y}{h^y} = m$

ElGamal Encryption System (cont'd)

Security intuition: $B = m \cdot g^{xy}$ is similar to the OTP: $g^{xy}$ is the key and $\cdot$ the XOR.

... but: why is this secure?

Goals:
- Define security of public key encryption schemes. (yes, we do that!)
- Prove that ElGamal is secure. (core lecture)
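The key generation, encryption and decryption steps above, as an added Python example that is not part of the lecture slides. The parameters $p = 2579$, $g = 2$ are toy values constructed for illustration (far too small for real use), the function names are chosen here, and division by $A^x$ is carried out as multiplication by $A^{p-1-x}$, which is valid by Fermat's little theorem.

```python
import secrets

# Toy public parameters, constructed for this example only.
P = 2579   # prime, with P - 1 = 2 * 1289
G = 2      # generator of Z_P^*


def is_generator(g, p, prime_factors):
    """g generates Z_p^* iff g^((p-1)/r) != 1 for every prime factor r of p-1."""
    return all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors)


def keygen(p=P, g=G):
    """Return (pk, sk) with pk = (p, g, h = g^x) and sk = (p, g, x)."""
    x = secrets.randbelow(p - 1) + 1            # x in {1, ..., p-1}
    return (p, g, pow(g, x, p)), (p, g, x)


def encrypt(pk, m, y=None):
    """Return c = (g^y, m * h^y); y is drawn fresh unless given (for testing)."""
    p, g, h = pk
    if not 1 <= m < p:
        raise ValueError("message must be an element of Z_p^*")
    if y is None:
        y = secrets.randbelow(p - 1) + 1        # y in {1, ..., p-1}
    return pow(g, y, p), (m * pow(h, y, p)) % p


def decrypt(sk, c):
    """Return d = B / A^x, computed as B * A^(p-1-x) since A^(p-1) = 1 in Z_p."""
    p, _, x = sk
    A, B = c
    return (B * pow(A, p - 1 - x, p)) % p


if __name__ == "__main__":
    pk, sk = keygen()
    c1, c2 = encrypt(pk, 1299), encrypt(pk, 1299)
    print(c1, c2)                               # same message, usually different ciphertexts
    print(decrypt(sk, c1), decrypt(sk, c2))     # both decrypt to 1299
```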

Indist. Ciphertexts under CPA

Let $PE = (K, E, D)$ be a public-key encryption scheme and $A$ an adversary. Define $\mathrm{Exp}^{CPA}_{PE,A}(b)$ as the following interaction between Challenger$(b, n)$, $b \in \{0,1\}$, and Adversary$(n)$:
1. Challenger: generate keys $(pk, sk) \leftarrow K(n)$ and send $pk$.
2. Adversary: send $m_0, m_1$.
3. Challenger: send $c \leftarrow \mathrm{Encrypt}(pk, m_b)$.
4. Adversary: output a bit $b'$.

Definition: Indistinguishability of Ciphertexts under CPA
A sequence of public-key encryption schemes $PE$ has indistinguishable ciphertexts under chosen-plaintext attack (CPA) if for all efficient adversaries $A = (A_n)_{n \in \mathbb{N}}$:

$\mathrm{Adv}^{CPA}_{PE,A} = \left| \Pr[\mathrm{Exp}^{CPA}_{PE,A_n}(0) = 1] - \Pr[\mathrm{Exp}^{CPA}_{PE,A_n}(1) = 1] \right|$

is negligible.

Only a 1-CPA Variant?

Does the following extended experiment strengthen the definition?
1. Challenger: generate keys $(pk, sk) \leftarrow K(n)$ and send $pk$.
2. Adversary: send messages $m$ of its choice; the challenger answers each with $E(pk, m)$.
3. Adversary: send $m_0, m_1$.
4. Challenger: send $c \leftarrow \mathrm{Encrypt}(pk, m_b)$.
5. Adversary: output a bit $b'$.

No, since $A$ can compute $E(pk, m)$ itself for messages of its choice!

CPA-security of ElGamal

Theorem: IND-CPA of ElGamal
ElGamal has indistinguishable ciphertexts under CPA if the following Decisional Diffie-Hellman assumption holds in $G$:

Definition: Decisional Diffie-Hellman Assumption (DDH)
Given a group $G$ with $\sim 2^n$ elements and a random $g \in G$, no efficient adversary (in $n$) can distinguish $(g^x, g^y, g^{xy})$ and $(g^x, g^y, g^z)$ for $x, y, z$ random in $\{1, \ldots, |G|\}$.

Why decisional? CPA-security says it must be hard to distinguish, CDH that it is hard to compute. But distinguishing might be easier...
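The remark that distinguishing might be easier than computing, as an added Python example that is not part of the lecture slides: when $g$ generates all of $Z_p^*$, Euler's criterion tells squares from non-squares, and that alone separates $(g^x, g^y, g^{xy})$ from $(g^x, g^y, g^z)$ about half the time, while in the prime-order subgroup of squares the same test sees nothing. The toy safe prime $P = 2 \cdot 1289 + 1$ and all names are constructed for illustration.

```python
import secrets

# Toy parameters, constructed for this example only.
P = 2579          # safe prime: P = 2*Q + 1
Q = 1289          # prime
G_FULL = 2        # generates all of Z_P^* (order P - 1)
G_SUB = 4         # generates the subgroup of squares (prime order Q)


def is_square(a, p=P):
    """Euler's criterion: a is a square in Z_p^* iff a^((p-1)/2) == 1."""
    return pow(a, (p - 1) // 2, p) == 1


def ddh_sample(g, order, real):
    """Return (g^x, g^y, g^xy) if real, else (g^x, g^y, g^z), exponents random."""
    x, y, z = (secrets.randbelow(order) + 1 for _ in range(3))
    return pow(g, x, P), pow(g, y, P), pow(g, x * y if real else z, P)


def looks_real(gx, gy, gz):
    """g^xy is a square exactly when g^x or g^y is; a random g^z need not agree."""
    return is_square(gz) == (is_square(gx) or is_square(gy))


def advantage(g, order, trials=2000):
    """Estimate |Pr[test accepts a real tuple] - Pr[test accepts a random tuple]|."""
    hit_real = sum(looks_real(*ddh_sample(g, order, True)) for _ in range(trials))
    hit_rand = sum(looks_real(*ddh_sample(g, order, False)) for _ in range(trials))
    return abs(hit_real - hit_rand) / trials


if __name__ == "__main__":
    print("full group Z_P^*:  ", advantage(G_FULL, P - 1))   # about 0.5
    print("subgroup of squares:", advantage(G_SUB, Q))        # 0.0
```

This is why the assumption is stated for a group $G$ rather than for $Z_p^*$ itself: the choice of group decides whether the square test gives any advantage.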

Problem of information secrecy solved?

We need alternative schemes based on different assumptions!

RSA based ciphers (origin in 1977)