Introduction to Cryptography Lecture 7

Similar documents
Introduction to Cryptography Lecture 7

RSA. Public Key CryptoSystem

Applied Cryptography and Computer Security CSE 664 Spring 2018

CS408 Cryptography & Internet Security

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

Chapter 9. Public Key Cryptography, RSA And Key Management

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Public Key Cryptography and the RSA Cryptosystem

Chapter 11 : Private-Key Encryption

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Public Key Algorithms

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

CS 161 Computer Security

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Advanced Topics in Cryptography

Public Key Algorithms

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Chapter 9 Public Key Cryptography. WANG YANG

Overview. Public Key Algorithms I

CSC 474/574 Information Systems Security

If DDH is secure then ElGamal is also secure w.r.t IND-CPA

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Public Key Cryptography

Security of Cryptosystems

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Lecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption

Lecture 2 Applied Cryptography (Part 2)

Lecture 15: Public Key Encryption: I

CS 161 Computer Security

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Public Key Cryptography

Public key encryption: definitions and security

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Tuesday, January 17, 17. Crypto - mini lecture 1

Part VI. Public-key cryptography

Chapter 7 Public Key Cryptography and Digital Signatures

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Secure Multiparty Computation

Homomorphic Encryption

Introduction to Cryptography. Lecture 3

Public-key encipherment concept

Algorithms (III) Yijia Chen Shanghai Jiaotong University

CS 161 Computer Security

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Key Establishment and Authentication Protocols EECE 412

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Other Topics in Cryptography. Truong Tuan Anh

Public Key Cryptography and RSA

Number Theory and RSA Public-Key Encryption

Public-Key Cryptography

1. Diffie-Hellman Key Exchange

PUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Public Key Algorithms

Chapter 3 Public Key Cryptography

Senior Math Circles Cryptography and Number Theory Week 1

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Oblivious Transfer(OT)

Public-Key Cryptography

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Uzzah and the Ark of the Covenant

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Key Exchange. Secure Software Systems

Public Key (asymmetric) Cryptography

Blum-Blum-Shub cryptosystem and generator. Blum-Blum-Shub cryptosystem and generator

Introduction to Cryptography. Lecture 6

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Channel Coding and Cryptography Part II: Introduction to Cryptography

Lecture 3 Algorithms with numbers (cont.)

Lecture 6: Overview of Public-Key Cryptography and RSA

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Lecture 6 - Cryptography

The ElGamal Public- key System

CS Network Security. Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA.

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Introduction to Public-Key Cryptography

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Introduction to Cryptography Lecture 10

Provable Partial Key Escrow

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

CS 161 Computer Security

Study Guide to Mideterm Exam

CPSC 467b: Cryptography and Computer Security

1 A Tale of Two Lovers

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

0x1A Great Papers in Computer Security

Lecture 3.4: Public Key Cryptography IV

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)

Transcription:

Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1

Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing PK Alice can encrypt messages using it. Message decryption is possible only if SK Alice is known. Compared to symmetric encryption: Easier key management: n users need n keys, rather than O(n 2 ) keys, to communicate securely. Compared to Diffie-Hellman key agreement: No need for an interactive key agreement protocol. (Think about sending email ) Secure as long as we can trust the association of keys with users. page 2 2

Public key encryption Must have different keys for encryption and decryption. Public key encryption cannot provide perfect secrecy: Suppose E pk () is an algorithm that encrypts m=0/1, and uses r random bits in operation. An adversary is given E pk (m). It can compare it to all possible 2 r encryptions of 0 Efficiency is the main drawback of public key encryption. page 3 3

Defining a public key encryption The definition must include the following algorithms; Key generation: KeyGen(1 k ) (PK,SK) (where k is a security parameter, e.g. k=1000). Encryption: C = E PK (m) algorithm) (E might be a randomized Decryption: M= D SK (C) page 4 4

The El Gamal public key encryption system Public information (can be common to different public keys): A group in which the DDH assumption holds. Usually start with a prime p=2q+1, and use H Z p* of order q. Define a generator g of H. Key generation: pick a random private key a in [1, H ] (e.g. 0<a<q). Define the public key h=g a (h=g a mod p). Encryption of a message m H Z p * Pick a random 0 < r < q. The ciphertext is (g r, h r m). Decryption of (s,t) Compute t /s a (m= h r m / (g r ) a ) Using public key alone Using private key page 5 5

El Gamal and Diffie-Hellman ElGamal encryption is similar to DH key exchange DH key exchange: Adversary sees g a, g b. Cannot distinguish the key g ab from random. El Gamal: A fixed public key g a. Sender picks a random g r. Sender encrypts message using g ar. Known to the adversary Used as a key El Gamal is like DH where The same g a is used for all communication There is no need to explicitly send this g a (it is already known as the public key of Alice) page 6 6

The El Gamal public key encryption system Encoding the message: m must be in the subgroup H generated by g. If p=2q+1, and H is the subgroup of quadratic residues, we can map each message m {1,,(p-1)/2} to the value m 2 mod p, which is in H. Alternatively, encrypt m using (g r, H(h r ) m). Decryption is done by computing H( (g r ) a ). (H is a hash function that preserves the pseudo-randomness of h r.) page 7 7

The El Gamal public key encryption system Overhead: Encryption: two exponentiations; preprocessing possible. Decryption: one exponentiation. message expansion: m (g r, h r m). Randomized encryption Must use fresh randomness r for every message. Two different encryptions of the same message are different! (provides semantic security) page 8 8

The Decisional Diffie-Hellman assumption (DDH) Recall the Decisional Diffie-Hellman assumption: Given random x,y Z p*, such that x=g a and y=g b ; and a pair (g ab,g c ) (in random order, for a random c), it is hard to tell which is g ab. page 9 9

The El Gamal public key encryption system Public information (can be common to different public keys): A group in which the DDH assumption holds. Usually start with a prime p=2q+1, and use H Z p* of order q. Define a generator g of H. Key generation: pick a random private key a in [1, H ] (e.g. 0<a<q). Define the public key h=g a (h=g a mod p). Encryption of a message m H Z p * Pick a random 0 < r < q. The ciphertext is (g r, h r m). Decryption of (s,t) Compute t /s a (m= h r m / (g r ) a ) Using public key alone Using private key page 10 10

Security reductions Security by reduction Define what it means for the system to be secure (chosen plaintext/ciphertext attacks, etc.) State a hardness assumption (e.g., that it is hard to extract discrete logarithms in a certain group). Show that if the hardness assumption holds then the cryptosystem is secure. Usually prove security by showing that breaking the cryptosystem means that the hardness assumption is false. Benefits: To examine the security of the system it is sufficient to check whether the assumption holds Similarly, for setting parameters (e.g. group size). page 11 11

Semantic security Semantic Security: knowing that an encryption is either E(m 0 ) or E(m 1 ), (where m 0,m 1 are known) an adversary cannot decide with probability better than ½ which is the case. This is a very strong security property. Suppose that a public key encryption system is deterministic., then it cannot have semantic security. In this case, E(m) is a deterministic function of m and P. Therefore, if Eve suspects that Bob might encrypt either m 0 or m 1, she can compute (by herself) E(m 0 ) and E(m 1 ) and compare them to the encryption that Bob sends. page 12 12

Goal and method Goal Show that if the DDH assumption holds Then the El Gamal cryptosystem is semantically secure Method: Show that if the El Gamal cryptosystem is not semantically secure Then the DDH assumption does not hold page 13 13

El Gamal encryption: breaking semantic security implies breaking DDH Proof by reduction: We can use an adversay that breaks El Gamal. We are given a DDH challenge: (g,g a,g r, (D 0,D 1 ) ) where one of D 0,D 1 is g ar, and the other is g c. We need to identify g ar. We give the adversay g and a public key: h=g a. The adversary chooses m 0,m 1. We give the adversay (g r,d e m b ), using random b,e {0,1}. (That is, choose m b randomly from {m 0,m 1 }, choose D e randomly from {D 0,D 1 }. The result is a valid El Gamal encryption if D e =g ar.) If the adversay guesses b correctly, we decide that D e =g ar. Otherwise we decide that D e =g c. page 14 14

El Gamal encryption: breaking semantic security implies breaking DDH Analysis: Suppose that the adversary can break the El Gamal encryption with prob 1. If D e =g ar then the adversary finds c with probability 1, otherwise it finds c with probability ½. Our success probability ½ 1 + ½ ½ = 3/4. Suppose now that the adversary can break the El Gamal encryption with prob ½+p. If D e =g ar then the adversary finds c with probability ½+p, otherwise it finds c with probability ½. Our success probability ½ (½+p) + ½ ½ = ½+½p. QED page 15 15

Chosen ciphertext attacks In a chosen ciphertext attack, the adversary is allowed to obtain decryptions of arbitrary ciphertexts of its choice (except for the specific message it needs to decrypt). El Gamal encryption is insecure against chosen ciphertext attacks: Suppose the adversary wants to decrypt <c 1,c 2 > which is an ElGamal encryption of the form (g r,h r m). The adversary computes c 1 =c 1 g r, c 2 =c 2 h r m, where it chooses r,m at random. It asks for the decryption of <c 1,c 2 >. It multiplies the plaintext by (m ) -1 and obtains m. page 16 16

Homomorphic property The attack on chosen ciphertext security is based on the homomorphic property of the encryption Homomorphic property: Given encryptions of x,y, it is easy to generate an encryption of x y (g r, h r x) (g r, h r y) (g r, h r x y) page 17 17

Homomorphic encryption Homomorphic encryption is useful for performing operations over encrypted data. Given E(m 1 ) and E(m 2 ) it is easy to compute E(m 1 m 2 ), even if you don t know how to decrypt. For example, an election procedure: A Yes is E(2). A No vote is E(1). Take all the votes and multiply them. Obtain E(2 j ), where j is the number of Yes votes. Decrypt only the result and find out how many Yes votes there are, without identifying how each person voted. page 18 18

Integer Multiplication & Factoring as a One Way Function. easy p,q N=pq hard Can a public key system be based on this observation????? page 19 19

Excerpts from RSA paper (CACM, 1978) The era of electronic mail may soon be upon us; we must ensure that two important properties of the current paper mail system are preserved: (a) messages are private, and (b) messages can be signed. We demonstrate in this paper how to build these capabilities into an electronic mail system. At the heart of our proposal is a new encryption method. This method provides an implementation of a public-key cryptosystem, an elegant concept invented by Diffie and Hellman. Their article motivated our research, since they presented the concept but not any practical implementation of such system. page 20 20

The Multiplicative Group Z pq * p and q denote two large primes (e.g. 512 bits long). Denote their product as N = pq. The multiplicative group Z N* =Z pq* contains all integers in the range [1,pq-1] that are relatively prime to both p and q. The size of the group is φ(n) = φ(pq) = (p-1) (q-1) = N - (p+q) + 1 For every x Z N*, x φ(n) =x (p-1)(q-1) = 1 mod N. page 21 21

Exponentiation in Z N * Motivation: use exponentiation for encryption. Let e be an integer, 1 < e < φ(n) = (p-1)(q-1). Question: When is exponentiation to the e th power, (x x e ), a one-toone operation in Z N *? Claim: If e is relatively prime to (p-1)(q-1) (namely gcd(e, (p-1)(q- 1))=1) then x x e is a one-to-one operation in Z N *. Constructive proof: Since gcd(e, (p-1)(q-1) )=1, e has a multiplicative inverse modulo (p- 1)(q-1). Denote it by d, then ed=1+c(p-1)(q-1)=1+cφ(n). Let y=x e, then y d = (x e ) d = x 1+cφ(N) = x. I.e., y y d is the inverse of x x e. page 22 22

The RSA Public Key Cryptosystem Public key: N=pq the product of two primes (we assume that factoring N is hard) e such that gcd(e,φ(n))=1 (are these hard to find?) Private key: d such that de 1 mod φ(n) Encryption of M Z N * C=E(M)=M e mod N Decryption of C Z N * M=D(C)=C d mod N (why does it work?) page 23 23

Constructing an instance of the RSA PKC Alice picks at random two large primes, p and q. picks (uniformly at random) a (large) d that is relatively prime to (p-1)(q-1) (namely, gcd(d,φ(n))=1 ). Alice computes e such that de 1 mod φ(n) Let N=pq be the product of p and q. Alice publishes the public key (N,e). Alice keeps the private key d, as well as the primes p, q and the number φ(n), in a safe place. page 24 24

Efficiency The public exponent e may be small. It is common to choose its value to be either 3 or 2 16 +1. The private key d must be long. Each encryption involves only a few modular multiplications. Decryption requires a full exponentiation. Usage of a small e Encryption is more efficient than a full blown exponentiation. Decryption requires a full exponentiation (M=C d mod N) Can this be improved? page 25 25

The Chinese Remainder Theorem (CRT) Thm: Let N=pq with gcd(p,q)=1. Then for every pair (y,z) Z p Z q there exists a unique x Z n, s.t. x=y mod p x=z mod q Proof: The extended Euclidian algorithm finds a,b s.t. ap+bq=1. Define c=bq. Therefore c=1 mod p. c=0 mod q. Define d=ap. Therefore d=0 mod p. d=1 mod q. Let x=cy+dz mod N. cy+dz = 1y + 0 = y mod p. cy+dz = 0 + 1z = z mod q. (How efficient is this?) (The inverse operation, finding (y,z) from x, is easy.) page 26 26

More efficient RSA decryption CRT: Given p,q compute a,b s.t. ap+bq=1. c=bq; d=ap Once for all messages Decryption, given C: Compute y =C d mod p. (instead of d can use d =d mod p-1) Compute z =C d mod q. (instead of d can use d =d mod q-1) Compute M=cy +dz mod N. Overhead: Two exponentiations modulo p,q, instead of one exponentiation modulo N. Overhead of exponentiation is cubic in length of modulus. I.e., save a factor of 2 3 /2. page 27 27

RSA as a One Way Trapdoor Permutation easy x x e mod N hard Easy with trapdoor info ( d ) page 28 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback