Lecture 3.4: Public Key Cryptography IV

Transcription

1 Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena

2 Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon We are starting to grade it today

3 Outline of Today s Lecture Discrete Logarithm System El Gamal Encryption Digital Signatures

4 Discrete Logarithm Assumption Work with a cyclic group G with generator g Let G = m G = {g 0, g 1, g 2,,g m-1 } Given any y = g x in G (where x belongs to Z m ), g and and m, it is not possible to compute x This is known as the DL assumption Of course, x should be fairly large at least 160-bits in length This suggests that one can possibly use x as the secret key, and y (and other parameters) as the public key

5 El Gamal Encryption --KeyGen p, q primes such that q p-1 g is an element of order q and generates a group G q of order q g = g (p-1)/q (were g is the generator of Z p *) x in Z q, y = g x mod p DL assumption --given (p, q, g, y), it is computationally hard to compute x No polynomial time algorithm known p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key

6 ElGamal Encryption/Decryption Encryption (of m in G q ): Choose random r in Z q k = g r mod p c = my r mod p Output (k,c) Decryption of (k,c) M = ck -x mod p Secure under (a variant of) the discrete logarithm assumption

7 ElGamal Example: dummy Let s construct an example KeyGen: p = 11, q = 2 or 5; let s say q = 5 g = 2 is a generator of Z 11 * g = 2 2 = 4 x = 2; y = 4 2 mod 11 = 5 Enc(3): r = 4 k = 4 4 mod 11 = 3 c = 3*5 4 mod 11 = 5 Dec(3,5): m = 5*3-2 mod 11 = 3

8 El Gamal Security Secure against CPA attacks assuming that discrete logarithm is hard Not secure against CCA attacks; why? It is possible to massage the ciphertextin a meaningful way Given a ciphertext(k, c), compute k = kg r andc = cy r (r is picked by the adversary) Query the decryption oracle on (k,c ); it decrypts and returns the response --m

9 CCA Security Like in the case of symmetric key encryption, we can derive CCA secure encryption using CPA secure encryption Just prevent any massaging of the ciphertext Integrity protection mechanism is needed But, now a public-key based mechanism is needed Digital signatures -- next

10 Digital Signatures Message Integrity Detect if message is tampered with while in the transit Source/Sender Authentication No forgery possible Non-repudiation If I sign something, I can not deny later A trusted third party (court) can resolve dispute Many applications signed , e-contracts, e-transactions

11 Public Key Signatures Signer has public key, private key pair Signer signs using its private key Verifier verifies using public key of the signer

12 Security Notion/Model for Signatures Existential Forgery under (adaptively) chosen message attack (CMA) Adversary (adaptively) chooses messages m i of its choice Obtains the signature s i on each m i Outputs any message m ( mi) and a signature s on m

13 RSA Signatures Key Generation: same as in encryption Sign(m): s = m d mod N Verify(m,s): (s e == m mod N) The above text-book version is insecure In practice, we use a randomized version of RSA (implemented in PKCS#1) Hash the message and then sign the hash

14 Digital Signature Standard (DSS) Adopted as standard in 1994 Security based on hardness of the discrete logarithm problem

15 DSS KeyGen; Signing; Verification KeyGen: the same way as El Gamal p, q primes such that q p-1 g is an element of order q and generates a group G q of order q g = g (p-1)/q (were g is the generator of Z p *) x in Z q, y = g x mod p Sign: Pick random r from Z* q k = (g r mod p) mod q; c = (m + xk)r -1 mod q Output (k,c) and also the message m Verify: k c == g m.y k mod p

16 DSS Example Refer to of HAC

17 Some Questions I encrypt m with Alice s ElGamalPK, I get c I encrypt m again, I get --? What does this mean? Is RSA-OAEP IND-CCA? Is El GamalIND-CCA?

18 Further Reading Stalling Chapter 10 HAC Chapter 8 and Chapter 11