If DDH is secure then ElGamal is also secure w.r.t IND-CPA

Transcription

1 CS 6903 Modern Cryptography May 5th, 2011 Lecture 12 Instructor:Nitesh Saxena Recap of the previous lecture Scribe:Orcun Berkem, Turki Turki, Preetham Deshikachar Shrinivas The ElGamal encryption scheme is an encryption scheme in the DL setting, and its security is based on the hardness of the Decisional Die-Hellman (DDH) problem. If DDH is secure then ElGamal is also secure w.r.t IND-CPA RSA 1

2 Theorem: Elgamal is not IND-CCA2 proof: we would create an attacker who can break El Gamal w.r.t IND-CCA2 2

3 Steps as numbered on the above gure: it to Adversary them to A Dec oracle 1&2-Challenger picks random x, which is hidden from anyone except challenger. and computes y and send 3-Adversary picks two messages m 0,m 1 and send them to challenger. 4&5- challenger picks randomly one valuse of two to assign to b and random and computing k,c and send 6-Adversary changes (k,c) received from Challenger by(doing a message) to get (k',c') and send them to 7&8-Decryption oracle decrypts and send mb to Adversary 9-Adversary gives b' to challenger. Construction for IND-CCA2 asymmetric key encryption Given an IND-CPA Secure encryption scheme Enc P K B (m):c=enc P KB (m); S=Sig SKA (c) (c,s) Dec SK B (m):verify P KA (c,s)? = 1 m Dec SKB (c) Cramer-Shoup IND-CCA2 scheme in DL setting 3

4 It is an asymmetric key encryption algorithm, and is proven to be secure against adaptive chosen ciphertext attack (IND-CCA2) using standard cryptographic assumptions 1-Key Gen: (sk)[z,x 1,x 2,y 1,y 2 ] $ z m G={(g 1.g 2 ):g 1.g 2 are generators} Public PK 2-Enc P K (m): c=g1 x1.gx2 2 d=g y1 1.gy2 2 h=g1 z r $ z m u 1 = g r 1 u 2 = g r 1 e= m.h r α=h(u 1,u 2,e) v = c r.d rα output (u 1,u 2,e,v) 3-Dec SK (u 1,u 2,e,v): compute α =H(u 1,u 2,e) v=c r.d rα v=(g1 x1.gx2 2 )r.(g y1 1.gy2 2 )rα x v=u 1 x 1.u 2 y 2 u 1α y 1.u 2α 2 v? = u(x 1+y 1 α) 1.u (x 2+y 2 α) 2 (this step is checking if true we decrypt) m=e.h r m=e(g z 1) r m=e.u z 1 = m Theorem: Cramer-Shoup encryption is IND-CCA2 given DDH in DL setting assumption holds and H() is collision Resistant The system is IND-CCA2 secure if DDH assumption holds in G, and H is collision resistant. α = H(u 1, u 2, e ) Construction encryption scheme in the RSA settingtextbook RSA N=pq Φ(N) = (p 1)(q 1) e gcd(e, Φ(N)) = 1 d = e 1 modφ(n) x $ z N y = x e modn y,e,n 1 KeyGen(e, N) : P K 2 Enc P K (m) : 3 Dec SK (c) : d : SK Delete(p, q) c = m e modn m = c d modn =[m ed modn] ed = 1modΦ(N) m = m Is texbook RSA Secure w.r.t IND-CPA? 4

5 No because it is not IND-CPA since it is not randomized. Therefore, we can query the Encryption oracle to get the corresponding challenge ciphertext and comparison would be easy. 1-challenger send e,n to Adversary 2- Adversary sends m 0,m 1 to challenger 3- challenger gives c=(m b ) e mod N to adversary 4- Adversary sends m 0 to Enc oracle 5- Encryption oracle gives c'=m e 0mod N to Adversary 6-Adversary gives b' to challener IS textbook RSA IND-CCA2? Since it is not secure against IND-CPA, it will be not secure against IND-CCA2 5

6 1-challenger sends e,n to Adversary. 2-Adversary picks two messages m0,m1and sending them to the challenger 3-challenger sends c to Adversary. 4- Adversary multiplies c by (M) e. and send c'=(m) e c mod N to Dec oracle 5-oracle return decrypted message to Adversary, which will know the message since Adversary embedded the message M inside c' 6- Adversary sends b' to the challenger RSA optimal Asymmetric Encryption Padding(RSA-OAEP) 1 key Gen:N=pq Φ(N) = (p 1)(q 1) e s.t gcd(e, Φ(N)) = 1 d = e 1 modφ(n) P K : e, N SK : d K = N Pick two valuesk 0,k 1 s.t k 0 +k 1 < k G : {0, 1} k 1+n {0, 1} k 0 2-Enc P K (m): H : {0, 1} k 0 {0, 1} k 1+n n = k (k 0 + k 1 ) pick r $ {0,1}k 0 s = H(r) [m 0 k 1 ] T = G(s) r w = (s T ) e modn output w 6

7 3-Dec d (w) : S T = (w) d modn r = T G(s) m 0 k 1 = s H(r) Theorem: RSA: OAEP is IND-CCA2 given RSA assumption holds and G,H behave as random functions(random oracle) Digital Signatures 1-Alice picks message m, and sigining is done on message m by his own secret key sk A and send m,s to B 2-Bob veries message m and s by Alices's public keyp K A this gives autthentication since Alice signed by his own secret key sk A, which is knows only to Alice,and it gives non repudiation. 1-KeyGen:(SK,PK) 2-Sign SK (m): s sign sk (m) output is (m, s) 3-verify P K (s, m):outpur 0/1 based on weather (m, s)is a valid message/sign Chosen Message attack(cma) on the previous digital signature scheme 1- Alice sends message m i to signature oracle. 2- signature oracles signs on message m i and sends S i to Alice 3- Alice creates forgery M s.t M! =m i, and she sends (M,S) to the vericaton oracle 7

8 4- verication oracle will respond based on (M,S) that is received from Alice as valid or invalid RSA based Signatures Textbook RSASign 1-KeyGen: it is as in RSA SK:d PK:(e,N) 2-Sign d (m) : s = m d modn (m,s) 3-verify e,n (m, s): (s) e modn $ = m RSA Textbook is not Secure Textbook RSA is homomorphic. That is, if we multiply the signatures on two dierent messages m 1 and m 2 as shown in the gure below, we can get a corresponding signature on a new message m 1 m 2 sincs s 1 =m d 1 modn s 2 =m d 2 modn s 1.s 2 =(m 1.m 2 ) d mod N CMA secure RSA signatures: Full domain Hash RSA A randomized version of the textbook RSA signatures known as the Full Domain Hash (FDH) RSA signatures. It works as follows: 1-KeyGen : (N, e) p K d s K 2-Sign d (m) :s = (H(m)) d mod N m,s Verify e,n (m, s) : S e mod N? H(m) mod N homomorphic property does not hold (as shown below) and FDH RSA signatures remain secure under the RSA assumotion given that H() behaves asarandom function. s 1 = (H(m 1 )) d mod N s 2 = (H(m 2 )) d mod N s 1 s 2 = [H(m 1 ).H(m 2 )] d mod N [H(m 1.m 2 )] d mod N 8