Public-Key Encryption

Size: px

Start display at page:

Download "Public-Key Encryption"

Rebecca Robertson
5 years ago
Views:

1 Public-Key Encryption Glorianna Jagfeld & Rahiel Kasim University of Amsterdam 10 March 2016 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

2 Warmup: crossword puzzle! Please solve the puzzle on our own. After you are done, check your solutions with your neighbor. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

3 Warmup: crossword puzzle! Please solve the puzzle on our own. After you are done, check your solutions with your neighbor. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

4 Outline 1 Definitions of Security for Public-Key Encryption 2 Hybrid Encryption and KEM/DEM 3 CDH/DDH-Based Encryption: ElGamal 4 RSA Encryption Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

5 Table of Contents 1 Definitions of Security for Public-Key Encryption 2 Hybrid Encryption and KEM/DEM 3 CDH/DDH-Based Encryption: ElGamal 4 RSA Encryption Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

6 Definitions of Security for Public-Key Encryption True or False? There are perfectly secure public-key encryption schemes. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

7 Definitions of Security for Public-Key Encryption True or False? There are perfectly secure public-key encryption schemes. False! An unbounded adversary given the public key and a ciphertext c Enc pk (m) can always determine m Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

8 Definitions of Security for Public-Key Encryption ˆ Public-key encryption scheme Π = (Gen, Enc, Dec): Algorithm Input Output Gen 1 n (pk, sk) Enc pk, m c Enc pk (m) Dec sk, c m := Dec sk (c) (pk, sk) : Pr[Dec sk (Enc pk (m)) = m] = 1 negl(n) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

9 Definitions of Security for Public-Key Encryption ˆ Public-key encryption scheme Π = (Gen, Enc, Dec): Algorithm Input Output Gen 1 n (pk, sk) Enc pk, m c Enc pk (m) Dec sk, c m := Dec sk (c) (pk, sk) : Pr[Dec sk (Enc pk (m)) = m] = 1 negl(n) ˆ For any public-key encryption scheme Π these three definitions of security are equivalent: Π is EAV-secure (1) Π is CPA-secure (2) Π has indistinguishable multiple encryptions Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

10 Definitions of Security for Public-Key Encryption ˆ Public-key encryption scheme Π = (Gen, Enc, Dec): Algorithm Input Output Gen 1 n (pk, sk) Enc pk, m c Enc pk (m) Dec sk, c m := Dec sk (c) (pk, sk) : Pr[Dec sk (Enc pk (m)) = m] = 1 negl(n) ˆ For any public-key encryption scheme Π these three definitions of security are equivalent: Π is EAV-secure (1) Π is CPA-secure (2) Π has indistinguishable multiple encryptions ˆ Why is (1) the case? Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

11 Definitions of Security for Public-Key Encryption ˆ Public-key encryption scheme Π = (Gen, Enc, Dec): Algorithm Input Output Gen 1 n (pk, sk) Enc pk, m c Enc pk (m) Dec sk, c m := Dec sk (c) (pk, sk) : Pr[Dec sk (Enc pk (m)) = m] = 1 negl(n) ˆ For any public-key encryption scheme Π these three definitions of security are equivalent: Π is EAV-secure (1) Π is CPA-secure (2) Π has indistinguishable multiple encryptions ˆ Why is (1) the case? ˆ The proof of (2) is in the book, it uses a hybrid argument Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

12 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

13 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 ˆ Actual proof generalizes on this idea: A makes t=t(n) queries Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

14 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 ˆ Actual proof generalizes on this idea: A makes t=t(n) queries ˆ Define LRpk i : returns m 0 for 0 i, m 1 for i + 1 t Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

15 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 ˆ Actual proof generalizes on this idea: A makes t=t(n) queries ˆ Define LRpk i : returns m 0 for 0 i, m 1 for i + 1 t Show that P r[a LRt pk(pk) = 1] P r[a LR0 pk(pk) = 1] negl(n) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

16 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 ˆ Actual proof generalizes on this idea: A makes t=t(n) queries ˆ Define LR i pk : returns m 0 for 0 i, m 1 for i + 1 t Show that P r[a LRt pk(pk) = 1] P r[a LR0 pk(pk) = 1] negl(n) ˆ Create a telescoping sum: Pr[A LRt pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] = Pr[A LRt pk (pk) = 1] Pr[A LR t 1 pk (pk) = 1] + Pr[A LR t 1 pk (pk) = 1]... Pr[A LR1 pk (pk) = 1] + Pr[A LR 1 pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

17 CPA-secure Π has indistinguishable mult. encryptions ˆ Intuition before the proof shows that Π has indistinguishable two encryptions by going from C 0 to C 1 via C 01 ˆ Actual proof generalizes on this idea: A makes t=t(n) queries ˆ Define LR i pk : returns m 0 for 0 i, m 1 for i + 1 t Show that P r[a LRt pk(pk) = 1] P r[a LR0 pk(pk) = 1] negl(n) ˆ Create a telescoping sum: Pr[A LRt pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] = Pr[A LRt pk (pk) = 1] Pr[A LR t 1 pk (pk) = 1] + Pr[A LR t 1 pk (pk) = 1]... Pr[A LR1 pk (pk) = 1] + Pr[A LR 1 pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] ˆ Now show that Pr[A LRi pk(pk) = 1] Pr[A LRi 1 pk (pk) = 1] negl(n) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

18 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

19 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] = Pr[A(pk, Enc pk (m i,0 )) = 1] Pr[A(pk, Enc pk (m i,1 )) = 1] Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

20 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] = Pr[A(pk, Enc pk (m i,0 )) = 1] Pr[A(pk, Enc pk (m i,1 )) = 1] negl(n) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

21 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] = Pr[A(pk, Enc pk (m i,0 )) = 1] Pr[A(pk, Enc pk (m i,1 )) = 1] negl(n) ˆ Thus we have that Pr[A LRt pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] = Pr[A LRt pk (pk) = 1] Pr[A LR t 1 pk (pk) = 1] + Pr[A LR t 1 pk (pk) = 1]... Pr[A LR1 pk (pk) = 1] + Pr[A LR 1 pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

22 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] = Pr[A(pk, Enc pk (m i,0 )) = 1] Pr[A(pk, Enc pk (m i,1 )) = 1] negl(n) ˆ Thus we have that Pr[A LRt pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] = Pr[A LRt pk (pk) = 1] Pr[A LR t 1 pk (pk) = 1] + Pr[A LR t 1 pk (pk) = 1]... Pr[A LR1 pk (pk) = 1] + Pr[A LR 1 pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] t(n) negl(n) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

23 CPA-secure Π has indistinguishable mult. encryptions Pr[A LRi pk (pk) = 1] Pr[A LR i 1 pk (pk) = 1] = Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,0 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] Pr[A(pk, Enc pk (m 1,0 ),..., Enc pk (m i,1 ), Enc pk (m i+1,1 ),..., Enc pk (m t,1 )) = 1] = Pr[A(pk, Enc pk (m i,0 )) = 1] Pr[A(pk, Enc pk (m i,1 )) = 1] negl(n) ˆ Thus we have that Pr[A LRt pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] = Pr[A LRt pk (pk) = 1] Pr[A LR t 1 pk (pk) = 1] + Pr[A LR t 1 pk (pk) = 1]... Pr[A LR1 pk (pk) = 1] + Pr[A LR 1 pk (pk) = 1] Pr[A LR 0 pk (pk) = 1] t(n) negl(n) ˆ Where s the hybrid argument? Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

24 Table of Contents 1 Definitions of Security for Public-Key Encryption 2 Hybrid Encryption and KEM/DEM 3 CDH/DDH-Based Encryption: ElGamal 4 RSA Encryption Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

25 Hybrid Encryption and KEM/DEM True or False? To yield a CPA-secure hybrid encryption scheme, one must combine a CCA-secure KEM with a private-key encryption scheme that is at least CPA-secure. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

26 Hybrid Encryption and KEM/DEM True or False? To yield a CPA-secure hybrid encryption scheme, one must combine a CCA-secure KEM with a private-key encryption scheme that is at least CPA-secure. False! The KEM needs only to be CPA-secure and the private-key encryption scheme even only EAV-secure. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

27 Hybrid Encryption and KEM/DEM Please find a general outline for a proof of the following theorem: If Π is a CPA-secure KEM and Π is an EAV-secure private-key encryption scheme, then Π hy as in the construction below is a CPA-secure public-key encryption scheme. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

28 Hybrid Encryption and KEM/DEM: Solution ˆ We need to prove (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

29 Hybrid Encryption and KEM/DEM: Solution ˆ We need to prove (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) ˆ CPA-security of Π gives us and (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 0)) (1) (pk, c, Enc k (m 1)) c (pk, c, Enc k (m 1)) (2) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

30 Hybrid Encryption and KEM/DEM: Solution ˆ We need to prove (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) ˆ CPA-security of Π gives us and (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 0)) (1) (pk, c, Enc k (m 1)) c (pk, c, Enc k (m 1)) (2) ˆ By EAV-security of Π we know Enc k (m 0) c Enc k (m 1) for a uniform k, so (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) (3) Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

31 Hybrid Encryption and KEM/DEM: Solution ˆ We need to prove (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) ˆ CPA-security of Π gives us and (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 0)) (1) (pk, c, Enc k (m 1)) c (pk, c, Enc k (m 1)) (2) ˆ By EAV-security of Π we know Enc k (m 0) c Enc k (m 1) for a uniform k, so ˆ Combining (1-3) we get (pk, c, Enc k (m 0)) c (pk, c, Enc k (m 1)) (3) (pk, c, Enc k (m 0)) security of Π by transitivity (pk, c, Enc k (m 1)) security of Π (pk, c, Enc k (m 0)) (pk, c, Enc k (m 1)) security of Π Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

32 Table of Contents 1 Definitions of Security for Public-Key Encryption 2 Hybrid Encryption and KEM/DEM 3 CDH/DDH-Based Encryption: ElGamal 4 RSA Encryption Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

33 CDH/DDH-Based Encryption True or False? It is more likely that the DDH assumption is true than the CDH. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

34 CDH/DDH-Based Encryption True or False? It is more likely that the DDH assumption is true than the CDH. True! The DDH is a strictly weaker assumption than the CDH. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

35 CDH/DDH-Based Encryption: ElGamal Encryption Lemma (11.15) Let G be a finite group, and let m G be arbitrary. Then choosing uniform k G and setting k := k m gives the same distribution for k as choosing uniform k G. Put differently, for any ĝ G we have P r[k m = ĝ] = 1/ G, where the probability is taken over uniform choice of k G. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

36 CDH/DDH-Based Encryption: ElGamal Encryption Lemma (11.15) Let G be a finite group, and let m G be arbitrary. Then choosing uniform k G and setting k := k m gives the same distribution for k as choosing uniform k G. Put differently, for any ĝ G we have P r[k m = ĝ] = 1/ G, where the probability is taken over uniform choice of k G. Proof. P r[k m = ĝ] = P r[k = ĝ m 1 ] = 1/ G Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

37 CDH/DDH-Based Encryption: ElGamal Encryption Construction (11.16, page 401) ˆ Gen: on input 1 n run G(1 n ) to obtain (G, q, g). Then choose a uniform x Z q and compute h := g x. The public key is G, q, g, h and the private key is G, q, g, x. The message space is G. ˆ Enc: on input a public key pk = G, q, g, h and a message m G, choose a uniform y Z q and output the ciphertext: g y, h y m. ˆ Dec: on input a private key sk = G, q, g, x and a ciphertext c 1, c 2, output ˆm := c 2 /c x 1 Show that decryption succeeds. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

38 Elgamal Encryption Gone Wrong Bob uses ElGamal encryption to communicate with Eve in some group g, i.e. he encrypts m as r = g y, c = h y a m. Eve s public parameters are: q = 8237, g = 3, and h a = He didn t pass the introduction to cryptology course and doesn t understand public-key crypto, so he uses the same nonce y for all his messages m 1, m 2, m 3,... You happen to know that he is kind of predictable and always sends Hi in his first message, which gets represented as m 1 = = 190. You observe the following ciphertexts: (r 1, c 1 ) = (7830, 4537), (r 2, c 2 ) = (7830, 361). Recover m Adapted from exam Introduction to Cryptology exercise 6 TU/e, Tanja Lange. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

39 Solution: Elgamal Encryption Gone Wrong ˆ c 1 = h y a m 1 = h y a 190 = 4537 mod 8237 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

40 Solution: Elgamal Encryption Gone Wrong ˆ c 1 = h y a m 1 = h y a 190 = 4537 mod 8237 ˆ Inverse of 190 mod q: 1 = ˆ h y a = = 7784 mod 8237 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

41 Solution: Elgamal Encryption Gone Wrong ˆ c 1 = h y a m 1 = h y a 190 = 4537 mod 8237 ˆ Inverse of 190 mod q: 1 = ˆ h y a = = 7784 mod 8237 ˆ Inverse of h a : 1 = ˆ m 2 = = 2342 mod 8237 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

42 Solution: Elgamal Encryption Gone Wrong ˆ c 1 = h y a m 1 = h y a 190 = 4537 mod 8237 ˆ Inverse of 190 mod q: 1 = ˆ h y a = = 7784 mod 8237 ˆ Inverse of h a : 1 = ˆ m 2 = = 2342 mod 8237 ˆ 2342 = EVE Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

43 CPA-Security of ElGamal and the DDH Let G be an algorithm generating a cyclic group G of known order q and a generator g for G. It is shown in Theorem that ElGamal with G is CPA-secure if the DDH problem is hard with respect to G. Show that this assumption is also necessary: ElGamal is CPA-secure w.r.t. G = The DDH-problem is hard w.r.t. G Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

44 Solution: CPA-Security of ElGamal and the DDH Show the contrapositive: If the DDH is not hard then ElGamal cannot be CPA secure Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

45 Solution: CPA-Security of ElGamal and the DDH Show the contrapositive: If the DDH is not hard then ElGamal cannot be CPA secure ˆ Construct an adversary A winning PubK eav A,ElGamal with probability greater negligible who uses A as subroutine who can distinguish between h log g gx log g g y = h xy given g x, g y. ˆ A submits m 0 = 1 (the neutral element of G) and m 1 = h z for some uniform z ˆ A gets g y, c, where c = h xy m 0 = h xy 1 = h xy or c = h xy m 1 = h xy h z = h xyz ˆ Note: h xyz = h xy h z is uniform (Lemma 11.15) ˆ A gives G, q, g, h = g x, g y, c to A ˆ If A tells A that c = h xy, A outputs 0, else 1 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

46 Solution: CPA-Security of ElGamal and the DDH Show the contrapositive: If the DDH is not hard then ElGamal cannot be CPA secure ˆ Construct an adversary A winning PubK eav A,ElGamal with probability greater negligible who uses A as subroutine who can distinguish between h log g gx log g g y = h xy given g x, g y. ˆ A submits m 0 = 1 (the neutral element of G) and m 1 = h z for some uniform z ˆ A gets g y, c, where c = h xy m 0 = h xy 1 = h xy or c = h xy m 1 = h xy h z = h xyz ˆ Note: h xyz = h xy h z is uniform (Lemma 11.15) ˆ A gives G, q, g, h = g x, g y, c to A ˆ If A tells A that c = h xy, A outputs 0, else 1 ˆ Analysis: Probability that A succeeds is greater negligible, probability that h z = h xy is negligible = probability that A wins is greater negligible Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

47 Table of Contents 1 Definitions of Security for Public-Key Encryption 2 Hybrid Encryption and KEM/DEM 3 CDH/DDH-Based Encryption: ElGamal 4 RSA Encryption Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

48 Plain RSA Encryption True or False? The following states the RSA assumption: Given (N, e, y ZN ), where N = p q for p, q prime, e > 1 and gcd(e, φ(n)) = 1, the probability that any probabilistic polynomial-time algorithm finds x ZN such that x = y mod N is negligible. True! Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

49 Plain RSA Encryption True or False? The following states the RSA assumption: Given (N, e, y ZN ), where N = p q for p, q prime, e > 1 and gcd(e, φ(n)) = 1, the probability that any probabilistic polynomial-time algorithm finds x ZN such that x = y mod N is negligible. True! Does this imply that using plain RSA to encrypt messages ZN is secure? Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

50 Plain RSA Encryption True or False? The following states the RSA assumption: Given (N, e, y ZN ), where N = p q for p, q prime, e > 1 and gcd(e, φ(n)) = 1, the probability that any probabilistic polynomial-time algorithm finds x ZN such that x = y mod N is negligible. True! Does this imply that using plain RSA to encrypt messages ZN is secure? No! It only means that it is hard to fully recover a uniform m Z N. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

51 Plain RSA Encryption Algorithm Input Output Gen 1 n (N, e, d) = GenRSA(1 n ), pk = N, e, sk = N, d Enc pk = N, e, m ZN c := [me mod N] Dec sk = N, d, c ZN m := [c d mod N] ˆ You are given the RSA public key (N, e), where e = 23. ˆ In addition you have the message ciphertext pairs ( , c 1 ) and ( , c 2 ). ˆ You can find N, c 1, c 2 and C on the Crypto Wiki (Moodle). ˆ Recover M such that Enc(M) = C. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

52 Malleability ˆ A scheme is malleable if, given the encryption c of some message m, it is possible to construct a ciphertext c that decrypts to an m which has a known relation to m. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

53 Malleability ˆ A scheme is malleable if, given the encryption c of some message m, it is possible to construct a ciphertext c that decrypts to an m which has a known relation to m. ˆ So what does non-malleability imply? Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

54 Malleability ˆ A scheme is malleable if, given the encryption c of some message m, it is possible to construct a ciphertext c that decrypts to an m which has a known relation to m. ˆ So what does non-malleability imply? ˆ Plain RSA is not CPA-secure, but ensures that a uniform m Z N cannot be recovered given c = [me mod N] and N, e. Show that not even this holds if an attacker can perform a CCA. Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

55 Malleability ˆ A scheme is malleable if, given the encryption c of some message m, it is possible to construct a ciphertext c that decrypts to an m which has a known relation to m. ˆ So what does non-malleability imply? ˆ Plain RSA is not CPA-secure, but ensures that a uniform m Z N cannot be recovered given c = [me mod N] and N, e. Show that not even this holds if an attacker can perform a CCA. ˆ Solution: Given c = [m e mod N], construct c := [2 e c mod N] = [2 e m e mod N] = [(2m) e mod N] Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March / 24

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA