Chapter 11 : Private-Key Encryption

Transcription

1 COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1

2 Chapter 11 Public-Key Encryption Apologies: all numbering still refers to first edition of book Public-Key Encryption An Overview 10.2 Definitions Security against Chosen-Plaintext Attacks Multiple Encryptions 10.3 Hybrid Encryption 10.4 RSA Encryption Plain RSA and its Insecurity Attacks on Plain RSA Padded RSA 10.5 The El Gamal Encryption Scheme 10.6 Security Against Chosen-Ciphertext Attacks 10.7 * Trapdoor Permutations

3 Asymmetric Encryption (Public-Key Cryptography) Encryption K e P C K d Decryption Complexity Theoretical Security

4 10.2 Definitions DEFINITION 10.1 A public-key encryption scheme is a tuple of PPT algorithms (Gen,Enc,Dec) s.t. : 1. The key generation algorithm Gen takes as input the security parameter 1 n and outputs a pair of keys (pk,sk). We refer to the first of these as the public key and the second as the private key. We assume for convenience that pk and sk each have length at least n, and that n can be determined from pk, sk.

5 Definitions 2. The encryption algorithm Enc takes as input a public key pk and a message m from some underlying plaintext space. It outputs a ciphertext c, and we write this as c Encpk(m). 3. The decryption algorithm Dec takes as input a private key sk and a ciphertext c, and outputs a message m or a special symbol denoting failure. We assume without loss of generality that Dec is deterministic, and write this as m Decsk(c).

6 Definitions It is required that there exists a negligible function negl such that for every n, every (pk,sk) output by Gen(1 n ), and every message m in the appropriate underlying plaintext space, it holds that Pr[ Decsk(Encpk(m)) m ] negl(n).

7 Security against Chosen-Plaintext Attacks The eavesdropping indistinguishability experiment PubK e A a, v Π(n): 1. Gen(1 n ) is run to obtain keys (pk,sk). 2. Adversary A is given pk, and outputs a pair of messages m0,m1 of the same length. (These messages must be in the plaintext space associated with pk.)

8 Security against Chosen-Plaintext Attacks 3. A random bit b {0,1} is chosen, and then a ciphertext c Encpk(mb) is computed and given to A. We call c the challenge ciphertext. 4. A outputs a bit b. 5. The output of the experiment is defined to be 1 if b = b, and 0 otherwise.

9 Security against Chosen-Plaintext Attacks DEFINITION 10.3 A public-key encryption scheme Π = (Gen,Enc,Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[ PubK e A a, v Π(n) = 1 ] ½ + negl(n).

10 Security against Chosen-Plaintext Attacks CPA indistinguishability experiment PubK c A p, a Π(n): 1. Gen(1 n ) is run to obtain keys (pk,sk). 2. Adversary A is given pk as well as oracle access to Encpk( ). The adversary outputs a pair of messages m0,m1 of the same length. (These messages must be in the plaintext space associated with pk.)

11 Security against Chosen-Plaintext Attacks 3. A random bit b {0,1} is chosen, and then a ciphertext c Encpk(mb) is computed and given to A. We call c the challenge ciphertext. 4. A continues to have access to Encpk( ), and outputs a bit b. 5. The output of the experiment is defined to be 1 if b = b, and 0 otherwise.

12 Security against Chosen-Plaintext Attacks DEFINITION 10.4 A public-key encryption scheme Π = (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (or is CPA secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that: Pr[ PubK c A p, a Π(n) = 1 ] ½ + negl(n).

13 Security against Chosen-Plaintext Attacks PROPOSITION 10.5 If a public-key encryption scheme Π has indistinguishable encryptions in the presence of an eavesdropper, then Π also has indistinguishable encryptions under a chosen-plaintext attack.

14 Insecurity of Deterministic Public-Key Encryption THEOREM 10.6 No deterministic public-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper.

15 Multiple Encryptions THEOREM If a public-key encryption scheme Π has indistinguishable encryptions in the presence of an eavesdropper, then Π has indistinguishable multiple encryptions in the presence of an eavesdropper.

16 Encrypting Arbitrary- Length Messages Say Π = (Gen,Enc,Dec) is an encryption scheme where the plaintext space is {0,1}. We can construct a new scheme Π = (Gen,Enc,Dec ) with plaintext space {0,1} by defining Enc as follows: Enc pk(m) = Encpk(m1),...,Encpk(mt), where m = m1... mt. The decryption algorithm Dec is modified in the obvious way.

17 Encrypting Arbitrary- Length Messages PROPOSITION Let Π and Π be as above. If Π has indistinguishable encryptions in the presence of an eavesdropper, then so does Π.

18 10.3 Hybrid Encryption

19 Hybrid Encryption To encrypt a message m: 1. The sender first chooses a random secret key k, and encrypts k using the public key of the receiver. Call the resulting ciphertext c1. The receiver will be able to recover k by decrypting c1, yet k will remain unknown to an eavesdropper (by security of the public-key encryption scheme), and so this has the effect of establishing a shared secret between the sender and the receiver.

20 Hybrid Encryption 2. The sender then encrypts the message m using a private-key encryption scheme (Gen,Enc,Dec ) and the secret key k that has just been shared. This results in a ciphertext c2 that can be decrypted by the receiver using k.

21 Hybrid Encryption

22 Hybrid Encryption THEOREM If Π is a CPA-secure public-key encryption scheme and Π is a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper, then Π hy as in Construction is a CPA-secure public-key encryption scheme.

23 10.4 RSA Encryption Public inventors Private inventors Ellis, Cocks, Williamson

24 RSA Encryption Ron Rivest, Adi Shamir and Len Adleman

25 RSA Encryption

26 RSA Encryption In Cocks variation, e=n and therefore d=n -1 mod φ(n).

27 7.2.4 The RSA Assumption The RSA problem can be described informally as follows: given a modulus N, an integer (exponent) e > 0 that is relatively prime to φ(n), and an element y Z * N, compute e y mod N; Given N,e,y find x such that x e = y mod N.

28 7.2.4 The RSA Assumption The RSA experiment RSA-invA,GenRSA(n): 1. Run GenRSA(1 n ) to obtain (N,e,d). 2. Choose y Z * N. 3. A is given N,e,y, and outputs x Z * N. 4. The output of the experiment is defined to be 1 if y = x e mod N, and 0 otherwise.

29 7.2.4 The RSA Assumption DEFINITION 7.46 We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that Pr[ RSA-invA,GenRSA(n) = 1 ] negl(n).

30 RSA vs Factoring The RSA assumption implies that φ(n) is unknown. Theorem: Knowledge of N and φ(n) factors N. Proof: N=pq, φ(n)=(p-1)(q-1)=n-p-q+1. p+q=n-φ(n)+1 p+n/p=n-φ(n)+1 or p 2 -(N-φ(N)+1)p+N=0. p and q are the two solutions of this quadratic equation.

31 RSA vs Factoring The RSA assumption implies that d is unknown. Knowledge of N,e,d factors N. Proof: use algorithm from next slide: RSA-FACTOR(N,e,d). Success probability ½.

32 RSA vs Factoring

33 RSA Implementation Issues Encoding binary strings as elements of Z * N. Let l = N. Any binary string m of length l 1 can be viewed as an element of ZN in the natural way. It is also possible to encode strings of varying lengths as elements of ZN by padding using some unambiguous padding scheme.

34 RSA Implementation Issues: Choice of e There does not appear to be any difference in the hardness of the RSA problem for different exponents e and, as such, different methods have been suggested for selecting e. One popular choice is to set e = 3, since then computing e th powers modulo N (as done when encrypting in the Plain RSA scheme) requires only two multiplications. If e is to be set equal to 3, then p and q must be chosen to satisfy p,q 1 mod 3 so that gcd(e,φ(n )) = 1.

35 RSA Implementation Issues: Choice of d Note that choosing d to be small in order to speed up decryption (that is, changing GenRSA so that a small d is chosen first and then computing e) is a bad idea. If d is chosen in a small range (say, d < 2 16 ) then a brute-force search for d is easy to carry out. Even if d is chosen so that d N ¼, (and so bruteforce attacks are ruled out) there are other attacks that can be used to recover d from the public key.

36 Attacks on Plain RSA Encrypting short messages using small e. If e is small then the encryption of small messages is insecure when using plain RSA encryption. For example, say e = 3 and the message m is such that m < N ⅓ ( or m < N /3 ) but m is otherwise unknown to an attacker. In this case, encryption of m does not involve any modular reduction since the integer m 3 is less than N.

37 Attacks on Plain RSA Encrypting short messages using small e. If e is small then the encryption of small messages is insecure when using plain RSA encryption. This means that given the ciphertext c = m 3 mod N an attacker can determine m by computing m c ⅓ over the integers, a computation that can be easily carried out.

38 Attacks on Plain RSA The above attack shows that short messages can be recovered easily from their encryption if plain RSA with small e is used. Here, we extend the attack to the case of arbitrarylength messages as long as the same message is sent to multiple receivers.

39 Attacks on Plain RSA Let e = 3 as before, and say the same message m is sent to three different parties holding public keys pk1 = (N1,3), pk2 = (N2,3), and pk3 = (N3,3), resp.. Then an eavesdropper sees c1 = m 3 mod N1 and c2 = m 3 mod N2 and c3 = m 3 mod N3.

40 Attacks on Plain RSA Let N = N1 N2 N3. An extended version of the Chinese remainder theorem says that there exists a unique non-negative value c < N such that: c c1 mod N1, c c2 mod N2 and c c3 mod N3.

41 Padded RSA

42 Padded RSA THEOREM If the RSA problem is hard relative to GenRSA then Construction with l(n) is O(log n) has indistinguishable encryptions under a chosen-plaintext attack.

43 PKCS #1 v1.5 A widely-used and standardized encryption scheme, RSA Laboratories Public-Key Cryptography Standard (PKCS) #1 version 1.5, utilizes what is essentially padded RSA encryption. For a public key pk = [N,e] of the usual form, let k denote the length of N in bytes; i.e., k is the integer satisfying 2 8(k 1) N < 2 8k.

44 PKCS #1 v1.5 Messages m to be encrypted are assumed to be a multiple of 8 bits long, and can have length up to k 11 bytes. Encryption of a message m that is D-bytes long is computed as ( r m) e mod N, where r is a randomly-generated string of (k D 3) bytes, with none of these bytes equal to 0.

45 PKCS #1 v1.5 PKCS #1 v1.5 is believed to be CPA-secure, although no proof solely based on the RSA assumption has ever been shown. Subsequent to the introduction of PKCS #1 v1.5, a chosen-ciphertext attack on this scheme was demonstrated. This motivated a change in the standard to a newer scheme called OAEP (for Optimal Asymmetric Encryption Padding).

46 10.5 The Elgamal Encryption Scheme Taher Elgamal

47 The Elgamal Encryption Scheme

48 The Elgamal Encryption Scheme THEOREM If the DDH problem is hard relative to G, then the Elgamal encryption scheme has indistinguishable encryptions under a chosenplaintext attack.

49 Elgamal Implementation Issues Encoding binary strings. Let p be a strong (or Sophie Germain) prime, i.e., q = (p 1)/2 is also prime. Then the set of quadratic residues modulo p forms a group G of order q = (p 1)/2 under x modulo p.

50 Elgamal Implementation Issues We can map the integers ṁ {1,...,(p 1)/2} to the set of quadratic residues modulo p by squaring: that is, the integer ṁ is mapped to the quadratic residue m = ṁ 2 mod p. This encoding is one-to-one and efficiently reversible. ( When extracting square roots mod p take the smaller square root x (p 1)/2. )

51 Elgamal Implementation Issues Given the above, we can map a string w of length q 1 to an element m G in the following way: given a string w {0,1} q 1, interpret it as an integer in the natural way and add 1 to obtain an integer ṁ with 1 ṁ q. Then take m = ṁ 2 mod p.

52 10.6 Security vs Chosen- Ciphertext Attacks

53 Security vs Chosen- Ciphertext Attacks DEFINITION A public-key encryption scheme Π = (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[ PubK cc A, a Π(n) = 1 ] ½ + negl(n).

54 Examples of Chosen- Ciphertext Attacks Plain RSA encryption. Say an adversary A intercepts the ciphertext c = m e mod N. Then the adversary can choose a random r Z * N and compute the ciphertext c r e c mod N. Given the decryption m of this ciphertext, A can recover m m r 1 mod N.

55 Examples of Chosen- Ciphertext Attacks Elgamal encryption. Say an adversary A intercepts a ciphertext c c1,c2 that is an encryption of the (encoded) message m with respect to the public key pk = G,q,g,h. This means that c1 = g y and c2 = h y m for some y Zq unknown to A. Nevertheless, if the adversary computes c2 c2 m then it is easy to see that the ciphertext c c1,c2 is an encryption of the message m m.

56 Examples of Chosen- Ciphertext Attacks One might object that the receiver will become suspicious if it receives two ciphertexts c,c that share the same first component. However, this is easy for the adversary to avoid.

57 Examples of Chosen- Ciphertext Attacks Letting c1,c2,m,m be as above, A can choose a random y Zq and set c1 c1 g y and c2 c2 h y m. Then c1 = g y g y = g y+y and c2 = h y m h y m = h y+y mm, and so the ciphertext c = c1,c2 is an encryption of m m but with a completely random first component.

58 COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 58

59 NIB Approximate Integer GCD based crypto

60 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p 0 p 2p 3p 4p 5p q 1 p q 2 p q 3 p q 4 p GCD(q1p,q2p,q3p,q4p) = p

61 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p z1 q 1 p±2e 1 z2 q 2 p±2e 2 z3 q 3 p±2e 3 z4 q 4 p±2e 4 GCD(x1,x2,x3,x4) = p AIGCD : find p from z1,z2,z3,z4?

62 Approximate Integer GCD z1 z2 z3... zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 1 i k si {0,1} NIB

63 Approximate Integer GCD z1... z2 z3 zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 sixi mod x0 1 i k 1 i k si {0,1} ±2(ke0+ ei) 1 i k NIB

64 Approximate Integer GCD z1... z2 z3 zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 - ( siqi mod q0) p 1 i k 1 i k si {0,1} 4k emax NIB

65 NIB Approximate Integer GCD Ω(s)= sizi mod z0 1 i k s {0,1} n emax p/8k Ω(s)-p[Ω(s)/p] = small even error

66 NIB AIGCD encryption SK : p (x0, x1, x2,..., xk) PK : z0, z1, z2,..., zk,, enc(b) = sizi mod z0+2e+b where p/8k p/2 and ei U [-...+ ] s U {0,1} n e U [-...+ ] dec(c) = c-p[c/p] mod 2 = parity of error

67 NIB AIGCD encryption SK : p (x0, x1, x2,..., xk) PK : z0, z1, z2,..., zk,, enc(b) = sizi mod z0+2e+b where p/8k p/2 and ei U [-...+ ] s U {0,1} n e U [-...+ ] enc(a) + enc(b) mod z0 = enc(a(+)b) enc(a) * enc(b) mod z 0 = enc(a/\b)

68 COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 68