ENGG 5383 Applied Cryptography, Fall 2018
Lecture 3: Public-Key Encryption and Signatures
Sherman Chow, Chinese University of Hong Kong
18th September 2018
Last Lecture
§ PRG: Generates a pseudorandom sequence
§ PRF: A function “pseudorandomly” drawn from a family
  § Building stateful SKE
§ OWF/P: Easy to compute & Difficult to invert
  § E.g., Integer multiplication (F), Modular Exponentiation (P)
§ TOWF/P: Easy to invert with the trapdoor, e.g., RSA
§ Cyclic Group, Multiplicative Group, Order
§ RSA (Exponentiating with a public exponent in Z_N^*)
§ One-Wayness and Semantic Security of PKE
Facts in Z or Z^+, the set of (positive) integers
§ What can be done in poly. time (w.r.t. the operands' length)?
  § Addition, Multiplication
  § ∀ a > b > 0, find the unique r and 0 ≤ q < b s.t. a = rb + q (division with remainder)
§ How about exponentiation? The answer is no! (a^b has about b·log a bits, i.e., exponentially many in the length of b)
§ Greatest common divisor: gcd(a, b) := max{d ≥ 1 : d|a and d|b}
  § For a, b ∈ Z^+, d|a means d divides a
Extended Euclidean Algorithm
§ Theorem: gcd(a, b), together with u, v such that gcd(a, b) = au + bv, can be computed in poly. time.
  § 1) Division: a = b r_1 + q_1, 0 ≤ q_1 < b =: q_0
  § 2) Repeat: q_0 = q_1 r_2 + q_2, 0 ≤ q_2 < q_1
  § 3) Keep repeating until q_{s+1} = 0
  § We have gcd(a, b) = gcd(b, q_1) = … = gcd(q_{s-1}, q_s) = q_s
§ [Exercise] q_i ≥ 2 q_{i+2}.
  § Consider the two cases q_i ≥ 2 q_{i+1} and q_i < 2 q_{i+1}
  § Note that q_i ≡ q_{i+2} (mod q_{i+1}) (and q_i > q_{i+1} > q_{i+2})
§ Every two iterations, q_i decreases by a factor > 1 (so the number of iterations is O(log b))
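The algorithm of this slide, written out as an added example (this is not code from the lecture): the loop follows the slide's recurrence with quotient r and remainder q, tracks the Bézout coefficients u, v, and counts the division steps so the "halves every two steps" bound can be checked. The inputs 240, 46 and 17, 3120 are constructed sample values.

```python
# Added example (not from the lecture slides): the extended Euclidean algorithm
# written to mirror the slide's recurrence q_0 = b, q_i = q_{i+1} r_{i+2} + q_{i+2}.
# It returns the Bezout coefficients u, v with gcd(a, b) = a*u + b*v and the
# number of division steps, so the "halves every two steps" bound can be checked.

def extended_gcd(a: int, b: int):
    """For a > b > 0 return (g, u, v, steps) with g = gcd(a, b) = a*u + b*v."""
    if not a > b > 0:
        raise ValueError("need a > b > 0")
    old, new = a, b                 # current pair (q_{i-1}, q_i), starting at (a, q_0 = b)
    u0, v0, u1, v1 = 1, 0, 0, 1     # invariants: old = a*u0 + b*v0, new = a*u1 + b*v1
    steps = 0
    while new != 0:
        r, q = divmod(old, new)     # old = new*r + q, 0 <= q < new (slide: quotient r, remainder q)
        old, new = new, q
        u0, v0, u1, v1 = u1, v1, u0 - r * u1, v0 - r * v1
        steps += 1
    return old, u0, v0, steps

def step_bound(b: int) -> int:
    """Since q_i >= 2 q_{i+2}, the remainder halves every two steps, so the
    number of division steps is at most about 2 log2(b)."""
    return 2 * b.bit_length() + 1

def mod_inverse(x: int, n: int) -> int:
    """Inverse of x modulo n (n > x > 0), read off the Bezout coefficients."""
    g, _, v, _ = extended_gcd(n, x % n)   # g = n*u + x*v, so x*v ≡ g (mod n)
    if g != 1:
        raise ValueError("x is not invertible modulo n")
    return v % n

if __name__ == "__main__":
    print(extended_gcd(240, 46))   # gcd 2 = 240*(-9) + 46*47, reached after 5 steps
    print(mod_inverse(17, 3120))   # 2753
```

The step count stays within `step_bound` even for consecutive Fibonacci numbers, the worst case for Euclid's algorithm; `mod_inverse` is the routine that later turns an RSA public exponent into the trapdoor exponent.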
Prime, Group, Ring, Field
§ Prime Number Theorem: π(x) ~ x / ln(x)
  § π(x) denotes the number of primes less than x
  § Pr[random k-bit integer is prime] ≈ c/k where c is a constant
  § so we can sample prime numbers efficiently by trial and error
  § or use the AKS deterministic primality test (arxiv.org/abs/1311.3785)
§ Group op is closed, associative, invertible (& commutative)
§ Ring, “like a group”, but with two operations (+, ×)
  § and two identities (correspondingly denoted by 0 and 1)
  § Multiplication distributes over addition: a × (b + c) = ab + ac.
§ If ∃ multiplicative inverse for every nonzero element => Field
Generator for Modular Exponentiation
§ How many generators does Z_p^* have?
§ Theorem: It is φ(p − 1) ≥ p / log(log(p))
§ How to sample a generator?
  § Test if an element is a generator with the factorization of (p − 1)
§ [Proofs and details are omitted]
Modular Exponentiation is a OWP
§ How to do modular exponentiation?
§ Example: $x^{277} = x^{(00100010101)_2} = \prod_{i=0}^{10} x^{b_i \cdot 2^i}$, where $b_i$ is the $i$-th bit of the exponent
§ f_{g,p}(x) := g^x mod p is believed to be a OWP
  § from Z_{p−1} to Z_p^*
  § Why are they different? They are actually equivalent
  § Even given the factorization of (p − 1) [details omitted]
§ [Exercise] Can we solve x^2 = a mod p? (for non-zero a)
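Square-and-multiply as the slide writes it, plus the generator test from the previous slide (g generates Z_p^* iff g^((p−1)/q) ≠ 1 for every prime q | p−1) and an exhaustive check that x ↦ g^x mod p really permutes the nonzero residues when g is a generator. This is an added example, not code from the lecture; p = 23 and p = 1019 are toy primes chosen for it.

```python
# Added example (not from the slides): square-and-multiply exactly as the slide
# writes it, x^e = prod_i x^(b_i * 2^i) over the bits b_i of e, plus the generator
# test that uses the factorization of p - 1 and a check that x -> g^x mod p really
# permutes the nonzero residues when g generates Z_p^*.

def mod_exp(x: int, e: int, p: int) -> int:
    """Right-to-left square-and-multiply: after i iterations `square` holds x^(2^i)."""
    result, square = 1, x % p
    while e > 0:
        if e & 1:                       # bit b_i = 1: multiply x^(2^i) into the result
            result = (result * square) % p
        square = (square * square) % p  # x^(2^i) -> x^(2^(i+1))
        e >>= 1
    return result

def exponent_bits(e: int, width: int) -> str:
    """The binary expansion the slide writes, e.g. 277 = (00100010101)_2."""
    return format(e, "0%db" % width)

def is_generator(g: int, p: int, prime_factors_of_p_minus_1) -> bool:
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p - 1."""
    return all(mod_exp(g, (p - 1) // q, p) != 1 for q in prime_factors_of_p_minus_1)

def is_permutation(g: int, p: int) -> bool:
    """Check by exhaustion that x -> g^x mod p maps Z_{p-1} = {0,...,p-2} onto Z_p^*."""
    image = {mod_exp(g, x, p) for x in range(p - 1)}
    return image == set(range(1, p))

if __name__ == "__main__":
    print(exponent_bits(277, 11), mod_exp(3, 277, 1019) == pow(3, 277, 1019))
    print(is_generator(5, 23, [2, 11]), is_generator(2, 23, [2, 11]))   # True False
```

The number of loop iterations equals the bit length of the exponent, which is why exponentiation modulo p is polynomial time even though computing x^e over the integers is not; for 23, the element 2 only generates the subgroup of order 11, so the map x ↦ 2^x is not onto Z_23^*.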
Chinese Remainder Theorem
§ Let m_1, ..., m_k be pairwise relatively prime, m = m_1 m_2 ... m_k
§ ∀ a_1 ∈ Z_{m_1}, ..., ∀ a_k ∈ Z_{m_k}, we can compute a unique a ∈ Z_m
  § s.t. a ≡ a_i mod m_i, ∀ i = 1, ..., k.
§ We thus have a 1-1 correspondence Z_m = Z_{m_1} × … × Z_{m_k}
§ + and × are preserved (and hence so is exponentiation)
§ So Z_m^* = Z_{m_1}^* × … × Z_{m_k}^*
§ Fermat's Little Theorem generalizes to Euler’s Theorem
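The correspondence Z_m ↔ Z_{m_1} × … × Z_{m_k} in both directions, with a check that + and × are preserved componentwise, as an added example (not from the lecture). The moduli 3, 5, 7 are sample values.

```python
# Added example (not from the slides): the CRT map Z_m -> Z_{m_1} x ... x Z_{m_k}
# and its inverse, plus a check that + and x are preserved componentwise.
from functools import reduce
from math import gcd

def product(xs):
    return reduce(lambda x, y: x * y, xs, 1)

def pairwise_coprime(moduli) -> bool:
    n = len(moduli)
    return all(gcd(moduli[i], moduli[j]) == 1 for i in range(n) for j in range(i + 1, n))

def to_components(a: int, moduli):
    """Z_m -> Z_{m_1} x ... x Z_{m_k}: reduce a modulo each m_i."""
    return tuple(a % m_i for m_i in moduli)

def crt(residues, moduli) -> int:
    """Inverse map: the unique a in Z_m with a ≡ a_i (mod m_i) for all i."""
    if not pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise coprime")
    m = product(moduli)
    a = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = m // m_i                        # M_i ≡ 0 modulo every other m_j ...
        a += a_i * M_i * pow(M_i, -1, m_i)    # ... and M_i * M_i^{-1} ≡ 1 (mod m_i)
    return a % m

def operations_preserved(a: int, b: int, moduli) -> bool:
    """The correspondence is a ring isomorphism: componentwise + and x agree
    with + and x in Z_m (so exponentiation is preserved as well)."""
    m = product(moduli)
    ca, cb = to_components(a, moduli), to_components(b, moduli)
    sum_ok = to_components((a + b) % m, moduli) == tuple((x + y) % mi for x, y, mi in zip(ca, cb, moduli))
    prod_ok = to_components((a * b) % m, moduli) == tuple((x * y) % mi for x, y, mi in zip(ca, cb, moduli))
    return sum_ok and prod_ok

if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))          # 23
    print(to_components(23, [3, 5, 7]))       # (2, 3, 2)
```

Because the map preserves ×, it also preserves exponentiation, which is the fact behind Z_m^* = Z_{m_1}^* × … × Z_{m_k}^* and behind the CRT trick used to speed up RSA decryption modulo N = pq.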
Pseudo Random Generator (PRG)
§ G: {0, 1}^k → {0, 1}^{p(k)}
§ Stretching: p(k) > k
§ |Pr[D(G(x)) = 1 | x ←_R {0, 1}^k] − Pr[D(R) = 1 | R ←_R {0, 1}^{p(k)}]| < negl(k)
§ How to construct a PRG?
  § will show an OWF-based construction (stay tuned)
§ Can we use OWP directly as a PRG?
  § With trapdoor, TOWP suggests OW-PKE, but not CPA-PKE
  § But PRG gives us pseudorandomness, “TPRG” => PKE? (stay tuned)
TDP → OW-PKE
§ Trapdoor is the secret key
§ Enc is c := f(m)
§ Dec is to compute f^{−1}(c)
§ But it is not CPA secure
  § Every deterministic PKE cannot be CPA-secure
§ Can we use TDP to build a CPA-secure scheme?
  § Looking ahead: we need a “hardcore bit”
This Lecture
§ Encryption
  § Chosen-Ciphertext Attack
  § Key-Exchange
  § Decisional Diffie-Hellman Assumption
  § ElGamal Encryption
§ Authentication
  § Hash Function
  § Message Authentication Code
  § Signatures
Chosen-Ciphertext Attack (CCA)
§ Indistinguishability (IND)
§ Provide training on top of chosen-plaintext attack (CPA)
  § Training: decryption oracle
  § Winning condition: the adversary cannot ask for help from the decryption oracle to decrypt the challenge ctxt.
§ The game, as an exchange between the challenger and the adversary:
  Challenger: Here is my public key, I will keep my private key from you
  Adversary: I somehow get a ciphertext for you, can you decrypt it?
  Challenger: Sure, I can decrypt many of them for you
  Adversary: I want to be challenged with these 2 messages: m_0, m_1
  Challenger: Now I encrypt a random 1 of them, make your guess
More Thoughts on Decryption Oracle
§ There is a decryption oracle; how about an encryption oracle?
  § Encryption is a public algorithm in public-key encryption.
  § Encryption in secret-key encryption requires secret knowledge.
  § It makes sense to consider an encryption oracle for SKE but not for PKE.
§ Can I prepare all possible ciphertexts for decryption?
  § Only a polynomial number of queries are allowed.
§ Why do I still need to “attack” if I have access to an oracle?
  § “Lunch time” attack: you may not be able to decrypt all possible ciphertexts you want, e.g., the one which you have yet to see
PRF → CPA-SKE
§ Secret key: a random key from the key space of the PRF
§ Message space: the range of the PRF
§ To encrypt:
  § Pick a random r in the domain of the PRF
  § Output ciphertext <r, f_k(r) ⊕ m>
§ The ciphertext is longer than the plaintext (“redundancy”)
§ How to establish the symmetric secret key?
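The scheme of this slide as an added example (not the lecture's own code): HMAC-SHA256 stands in for the PRF f_k, which is an assumption of the example, and the message space is one 32-byte PRF output. The `r` parameter of `encrypt` exists only so a test can fix the randomness; callers never pass it.

```python
# Added example (not from the slides): the PRF-based CPA-secure SKE <r, f_k(r) XOR m>,
# with HMAC-SHA256 standing in for the PRF f_k (an assumption of this example);
# messages are 32-byte strings, the PRF's output length.
import hashlib
import hmac
import os

BLOCK = 32   # bytes: the PRF range, hence the message space

def prf(k: bytes, r: bytes) -> bytes:
    return hmac.new(k, r, hashlib.sha256).digest()

def keygen() -> bytes:
    return os.urandom(BLOCK)          # a random key from the PRF key space

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(k: bytes, m: bytes, r: bytes = None):
    """Fresh random r per encryption; r is exposed only for deterministic testing."""
    if len(m) != BLOCK:
        raise ValueError("message must be exactly one PRF output long")
    r = os.urandom(BLOCK) if r is None else r
    return r, xor(prf(k, r), m)       # ciphertext <r, f_k(r) XOR m>, twice the plaintext length

def decrypt(k: bytes, ct) -> bytes:
    r, c = ct
    return xor(prf(k, r), c)          # recompute the pad f_k(r) with the key

def ciphertext_len(ct) -> int:
    return len(ct[0]) + len(ct[1])

if __name__ == "__main__":
    k = keygen()
    ct = encrypt(k, b"x" * BLOCK)
    print(decrypt(k, ct) == b"x" * BLOCK, ciphertext_len(ct))   # True 64
```

The redundancy the slide mentions is visible in `ciphertext_len`: the random r must travel with the ciphertext so the receiver can recompute the pad, and reusing an r with the same key would reuse the pad.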
Diffie-Hellman Key-Exchange
§ If interaction is allowed, how to ensure confidentiality?
§ Each party contributes some randomness?
§ Exchange in G = <g>: one party picks x and sends X = g^x; the other picks y and sends Y = g^y; they compute K = Y^x and K = X^y respectively.
§ The eavesdropper sees G = <g>, g^x, g^y: is g^{xy} distinguishable from a random group element?
Decisional Diffie-Hellman Problem
§ Does the Discrete Logarithm (DL) assumption suffice?
  § It only rules out the ephemeral key recovery attack
  § Nothing about the pseudorandomness of the session key
§ Decisional Diffie-Hellman (DDH) assumption
  § One of the most widely-used assumptions
  § Which group is expected to have this assumption hold?
§ Go back to Number Theory!
Quadratic Residues
§ Proposition: x^2 = a mod p has either 0 or 2 solutions
§ If it has 2 solutions, a is called a Quadratic Residue (QR)
§ Lemma: Suppose g is a generator of Z_p^*, a ∈ Z_p^*, a = g^z.
  § Then a is QR ⇔ z is even ⇔ a^{(p−1)/2} ≡ 1 mod p
§ Corollary: Exactly half of the Z_p^* elements are QR
§ Define the Legendre symbol of a: $\left(\frac{a}{p}\right) := a^{(p-1)/2} \bmod p$
  § a is QR iff a’s Legendre symbol is +1
A Candidate DDH(-hard) Group
§ DDH does not hold in Z_p^*
  § Why? The answer is in the previous slide
§ How about QR_p?
§ How about cubic residues?
§ Let’s play “safe”
  § A prime p is called a safe prime if (p−1)/2 is also prime
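The three preceding slides worked through in code, as an added example that is not part of the lecture: Euler's criterion as the Legendre symbol, the 0-or-2-solutions proposition, the reason DDH fails in Z_p^* (the Legendre symbol of g^{xy} is fixed by those of g^x and g^y, while a random element is a QR only half the time), and the fact that this leak disappears in the prime-order subgroup QR_p of a safe prime. The primes 23 and 1019 (= 2·509 + 1) are toy values chosen for the example.

```python
# Added example (not from the slides): Euler's criterion as the Legendre symbol,
# the 0-or-2-solutions fact, why the DDH problem is easy in Z_p^* (the Legendre
# symbol of g^xy is determined by those of g^x and g^y), and why moving to the
# prime-order subgroup QR_p of a safe prime removes that leak.  Toy primes only.
import random

def legendre(a: int, p: int) -> int:
    """Euler's criterion: a^((p-1)/2) mod p is +1 for a QR and -1 (= p-1) otherwise."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def is_qr(a: int, p: int) -> bool:
    return legendre(a, p) == 1

def square_roots(a: int, p: int):
    """Brute-force solutions of x^2 = a mod p: the slide's proposition says 0 or 2."""
    return [x for x in range(1, p) if (x * x) % p == a % p]

def count_qr(p: int) -> int:
    return sum(1 for a in range(1, p) if is_qr(a, p))      # exactly (p-1)/2

def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def is_safe_prime(p: int) -> bool:
    return is_prime(p) and is_prime((p - 1) // 2)

def ddh_guess(p: int, gx: int, gy: int, gz: int) -> bool:
    """Guess 'gz = g^(xy)'.  For a generator g of Z_p^* (never a QR), g^x is a QR iff
    x is even, so g^(xy) is a QR iff g^x or g^y is.  A random gz satisfies this
    relation only half of the time, so the guess has advantage 1/2."""
    return is_qr(gz, p) == (is_qr(gx, p) or is_qr(gy, p))

def ddh_hit_rates(p: int, g: int, order: int, trials: int, seed: int = 0):
    """(fraction of correct 'real' guesses, fraction of 'real' guesses on random
    triples); exponents are drawn from Z_order, the order of g."""
    rng = random.Random(seed)
    real_hits = rand_hits = 0
    for _ in range(trials):
        x, y, z = (rng.randrange(order) for _ in range(3))
        gx, gy = pow(g, x, p), pow(g, y, p)
        real_hits += ddh_guess(p, gx, gy, pow(g, x * y, p))
        rand_hits += ddh_guess(p, gx, gy, pow(g, z, p))
    return real_hits / trials, rand_hits / trials

if __name__ == "__main__":
    print(ddh_hit_rates(1019, 2, 1018, 400))   # generator of Z_1019^*: (1.0, about 0.5)
    print(ddh_hit_rates(1019, 4, 509, 100))    # generator of QR_1019: (1.0, 1.0), no advantage
```

With g = 2 (a non-residue, hence a generator of Z_1019^*) the guess is always right on real triples and right half the time on random ones. With g = 4 = 2^2 every element in play is a QR, so the Legendre symbol carries no information and the same guess is right on both distributions equally; that is the point of restricting Diffie-Hellman and ElGamal to QR_p for a safe prime p.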
ElGamal Encryption
§ Bob “contributes” his Public-Key Y = g^y
§ Alice “completes” the key-agreement and uses the session key as a “one-time pad” of the message: C_0 = g^r, C_1 = M·Y^r
§ Bob then derives the session key and unwraps the padding
Properties of ElGamal
§ Homomorphic: E(m_0; r_0) × E(m_1; r_1) = E(m_0 m_1; r_0 + r_1)
§ Blindable
§ Re-randomizable: E(m; r) × E(1; r’) = E(m; r + r’)
§ Key is not a “bit-string”
§ Message is not a QR?
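Diffie-Hellman and ElGamal in the QR subgroup of a safe prime, with the homomorphic and re-randomization properties of this slide checked, as an added example (not the lecture's code). The parameters P = 1019, Q = 509, generator 4 are toy values; the encoding of messages into QR_P (when P ≡ 3 mod 4 exactly one of m and P − m is a QR) is a standard trick used here to answer the slide's "Message is not a QR?" question and is an assumption of the example.

```python
# Added example (not from the slides): Diffie-Hellman and ElGamal in the QR
# subgroup of a toy safe prime, with the homomorphic and re-randomization
# properties checked.  P, Q, GEN and the QR message encoding are constructed
# for the example.
import random

P = 1019                  # safe prime: P = 2Q + 1 with Q prime (toy size)
Q = (P - 1) // 2          # 509, the order of the group G = QR_P = <GEN>
GEN = 4                   # 4 = 2^2 is a QR, hence generates the subgroup of order Q

def dh_exchange(rng):
    """Alice sends X = g^x, Bob sends Y = g^y; both derive K = g^(xy)."""
    x, y = rng.randrange(1, Q), rng.randrange(1, Q)
    X, Y = pow(GEN, x, P), pow(GEN, y, P)           # what an eavesdropper sees
    return pow(Y, x, P), pow(X, y, P)               # (Alice's K, Bob's K)

def keygen(rng):
    y = rng.randrange(1, Q)
    return pow(GEN, y, P), y                        # (public Y, secret y)

def encode(m: int) -> int:
    """Map m in {1..Q} into QR_P: P ≡ 3 (mod 4), so -1 is a non-residue and
    exactly one of m and P - m is a QR."""
    if not 1 <= m <= Q:
        raise ValueError("m must be in 1..Q")
    return m if pow(m, Q, P) == 1 else P - m

def decode(M: int) -> int:
    return M if M <= Q else P - M

def encapsulate(Y: int, rng):
    """KEM view: output (g^r, Y^r); the pad Y^r is the encapsulated key."""
    r = rng.randrange(1, Q)
    return pow(GEN, r, P), pow(Y, r, P)

def encrypt_element(Y: int, M: int, rng):
    C0, pad = encapsulate(Y, rng)
    return C0, (M * pad) % P

def decrypt_element(y: int, ct) -> int:
    C0, C1 = ct
    pad = pow(C0, y, P)                             # = Y^r, recovered with the secret key
    return (C1 * pow(pad, -1, P)) % P

def encrypt(Y: int, m: int, rng):
    return encrypt_element(Y, encode(m), rng)

def decrypt(y: int, ct) -> int:
    return decode(decrypt_element(y, ct))

def multiply(ct_a, ct_b):
    """E(M0; r0) x E(M1; r1) = E(M0*M1; r0 + r1): componentwise product."""
    return (ct_a[0] * ct_b[0]) % P, (ct_a[1] * ct_b[1]) % P

def rerandomize(Y: int, ct, rng):
    """E(M; r) x E(1; r') = E(M; r + r'): a fresh-looking ciphertext of the same M."""
    return multiply(ct, encrypt_element(Y, 1, rng))

def check_properties(seed: int = 7):
    """(DH keys agree, every m in 1..Q round-trips, homomorphic, re-randomization ok)."""
    rng = random.Random(seed)
    k_alice, k_bob = dh_exchange(rng)
    Y, y = keygen(rng)
    round_trip = all(decrypt(y, encrypt(Y, m, rng)) == m for m in range(1, Q + 1))
    homomorphic = decrypt_element(y, multiply(encrypt_element(Y, 4, rng),
                                              encrypt_element(Y, 16, rng))) == 64
    ct1 = encrypt_element(Y, 9, rng)
    ct2 = rerandomize(Y, ct1, rng)
    rerand = ct2 != ct1 and decrypt_element(y, ct2) == 9
    return k_alice == k_bob, round_trip, homomorphic, rerand

if __name__ == "__main__":
    print(check_properties())   # (True, True, True, True)
```

The shared K and the pad Y^r are group elements, not bit-strings, which is the slide's "Key is not a bit-string" remark: before K can key a symmetric cipher it has to pass through a key-derivation step. The `multiply` and `rerandomize` functions make the malleability of the scheme concrete: anyone holding only the public key can produce a new valid ciphertext of a related (or the same) plaintext.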
Security of ElGamal
§ If the DDH assumption holds, ElGamal is IND-CPA secure
§ Reductionist proof: ElGamal is insecure ⇒ DDH solver
  § Given (G, g, g^x, g^y, g^z)
  § Set pk = (G, g, g^y), and Enc(M_b) = (g^x, M_b g^z)
  § Simulator S outputs 1 if the adversary A returns 1
  § z is random: S outputs 1 with prob. ½
  § z = xy, i.e., the IND-CPA game: S outputs 1 with prob. ½ + advantage of A
Key Encapsulation and Key Exchange
§ Key encapsulation mechanism (KEM)
  § only output the encapsulated key, i.e., the pad
    § E.g., Y^r in ElGamal
  § but not encrypting the plaintext
§ Any 2-round key exchange which is secure against a passive attacker yields a secure KEM, and vice versa.
§ CPA-security of KEM? There is no plaintext!
  § I actually mean indistinguishability.
Another Abstraction of ElGamal
§ Recall the PRF-based CPA-SKE: <r, f_k(r) ⊕ m>
§ ElGamal: (Y = g^x, x) ← KG; (C_0 = g^r, C_1 = M Y^r) ← E(M); C_1 / C_0^x ← D(C)
§ Trapdoor PseudoRandom numbers Generator (TPRG):
  § Key gen algo: KG(), and 3 functions G_pk(x), T_pk(x), R_sk(x)
  § G_pk(x) is pseudorandom even given T_pk(x) and pk
  § R_sk(T_pk(x)) = G_pk(x)
§ (pk, sk) ← TPRG.KG; (C_0 = T_pk(r), C_1 = M × G_pk(r)) ← E(M); C_1 / R_sk(C_0) ← D(C)
Hardcore Bit of a OWF
§ Hardcore bit h(x) for a given (T)OWF f:
  § h(x) is easy to compute from x
  § but almost impossible to even guess well from f(x)
§ Construction strategy:
  § Taking as hypothesis that a concrete function is OWF, exhibit a hardcore bit for that function
  § Taking as hypothesis that an arbitrary function is OWF, exhibit a hardcore bit for that (e.g., Goldreich-Levin Construction[*])
§ PRG from OWP: G(x) = f^n(x) ◦ h(f^{n−1}(x)) ◦ h(f^{n−2}(x)) ◦ … ◦ h(x)
RSA Assumption, Trapdoor Predicate
§ Does the factoring assumption suffice for the one-wayness of RSA?
§ RSA Assumption: Let N = pq, where p, q are k-bit primes. Then for every PPT algo. A and negligible function negl():
  § Pr[A(N, e, RSA_{N,e}(x)) = x] < negl(k)
  § where RSA_{N,e}(x) is x^e mod N
§ Let’s assume LSB(RSA_{N,e}(x)) is a hardcore bit.
§ Exercises:
  § Write down the definition of trapdoor predicate
  § How to construct a 1-bit CPA-secure PKE from RSA?
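One toy RSA permutation used three ways, as an added example serving the TDP → OW-PKE slide, the hardcore-bit slide and this one (none of it is the lecture's code): the deterministic encryption Enc(m) = f(m) together with the trivial IND-CPA adversary that defeats every deterministic PKE; a randomized 1-bit scheme built on the hardcore bit; and the PRG G(x) = f^n(x) ◦ h(f^{n−1}(x)) ◦ … ◦ h(x). The slide's assumption that LSB is hardcore for RSA is taken as given, and the key (61, 53, 17) is a textbook toy, not a usable key.

```python
# Added example (not from the slides): one toy RSA permutation used three ways.
# (1) TDP -> OW-PKE: deterministic Enc(m) = f(m), and the IND-CPA adversary that
#     defeats every deterministic PKE; (2) the 1-bit randomized scheme built from a
#     hardcore bit (the slide's assumption that LSB is hardcore for RSA is taken as
#     given); (3) the PRG G(x) = f^n(x) || h(f^(n-1)(x)) || ... || h(x).
# The key (61, 53, 17) is a textbook toy, not a real key.
import random

p, q, e = 61, 53, 17
N = p * q                            # 3233
d = pow(e, -1, (p - 1) * (q - 1))    # 2753: the trapdoor

def f(x: int) -> int:
    return pow(x, e, N)              # RSA_{N,e}: a permutation of Z_N, public

def f_inv(y: int) -> int:
    return pow(y, d, N)              # needs the trapdoor d

# (1) deterministic PKE from the TDP
def det_encrypt(m: int) -> int:
    return f(m)

def det_decrypt(c: int) -> int:
    return f_inv(c)

def cpa_adversary(m0: int, m1: int, challenge: int) -> int:
    """Encryption is public and deterministic: re-encrypt both candidates and compare."""
    return 0 if det_encrypt(m0) == challenge else 1

# (2) hardcore bit h(x) = LSB(x) -> 1-bit randomized encryption
def h(x: int) -> int:
    return x & 1

def bit_encrypt(b: int, x: int):
    """x is fresh randomness from Z_N, drawn by the caller (e.g. rng.randrange(N));
    the ciphertext is (f(x), h(x) XOR b)."""
    return f(x), h(x) ^ b

def bit_decrypt(ct) -> int:
    y, c = ct
    return h(f_inv(y)) ^ c           # invert with the trapdoor, recompute the pad bit

# (3) PRG from the OWP and its hardcore bit
def prg(x: int, n: int):
    """Return (f^n(x), [h(f^(n-1)(x)), ..., h(f(x)), h(x)]): |x| + n bits from |x| bits."""
    bits, cur = [], x
    for _ in range(n):
        bits.append(h(cur))
        cur = f(cur)
    return cur, bits[::-1]

if __name__ == "__main__":
    rng = random.Random(3)
    print(cpa_adversary(5, 6, det_encrypt(6)))                   # 1: always right
    print(bit_decrypt(bit_encrypt(1, rng.randrange(N))))         # 1
    print(prg(123, 8))
```

Two encryptions of the same bit under `bit_encrypt` differ whenever the randomness x differs, which is exactly what the deterministic scheme lacks; the PRG returns f^n(x) as an integer modulo N followed by the n extracted bits, in the order the slide writes them.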
Using OWF/P for Authentication
§ Password Authentication from OWF
  § Server stores OWF(password) but not the password itself
  § To authenticate, the user sends the candidate password
  § “Static” authentication
§ S/Key System from OWP
  § Server stores y_0 = OWF(OWF(OWF(… (pw)))) // T times
  § T times authentication with “changing” token
  § To authenticate at the i-th time, the user sends y_i = OWF^{T−i}(pw)
  § The server updates what it stores to y_i too.
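Both schemes of this slide as an added example (not from the lecture): static password authentication storing OWF(pw), and the S/Key chain where the server stores y_0 = OWF^T(pw) and the i-th login presents OWF^{T−i}(pw). SHA-256 stands in for the OWF, an assumption of the example, and the password is a constructed sample value.

```python
# Added example (not from the slides): static password authentication storing
# OWF(pw), and the S/Key chain where the server stores y_0 = OWF^T(pw) and the
# i-th login presents OWF^(T-i)(pw).  SHA-256 stands in for the OWF (an
# assumption of this example); the password is a constructed sample value.
import hashlib
import hmac

def owf(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def iterate(x: bytes, n: int) -> bytes:
    """OWF^n(x): apply the one-way function n times."""
    for _ in range(n):
        x = owf(x)
    return x

# "Static" authentication: the same secret is presented every time
def static_register(pw: bytes) -> bytes:
    return owf(pw)

def static_login(stored: bytes, candidate: bytes) -> bool:
    return hmac.compare_digest(stored, owf(candidate))

class SKeyServer:
    def __init__(self, pw: bytes, T: int):
        self.stored, self.T, self.used = iterate(pw, T), T, 0   # y_0 = OWF^T(pw)

    def login(self, token: bytes) -> bool:
        """Accept iff OWF(token) equals the stored value, then store the token."""
        if self.used >= self.T:            # chain exhausted: a new chain must be set up
            return False
        if not hmac.compare_digest(owf(token), self.stored):
            return False
        self.stored, self.used = token, self.used + 1
        return True

class SKeyClient:
    def __init__(self, pw: bytes, T: int):
        self.pw, self.T, self.i = pw, T, 0

    def next_token(self) -> bytes:
        self.i += 1
        return iterate(self.pw, self.T - self.i)   # y_i = OWF^(T-i)(pw)

def run_chain(pw: bytes = b"constructed-sample-password", T: int = 5):
    """(accepted logins, replay of the latest token rejected, login after T rejected)."""
    server, client = SKeyServer(pw, T), SKeyClient(pw, T)
    tokens = [client.next_token() for _ in range(T)]
    accepted = sum(server.login(t) for t in tokens[:-1])   # T - 1 fresh logins
    replay_rejected = not server.login(tokens[-2])         # re-using the token just accepted
    accepted += server.login(tokens[-1])                   # the T-th login
    extra_rejected = not server.login(client.next_token())
    return accepted, replay_rejected, extra_rejected

if __name__ == "__main__":
    print(run_chain())   # (5, True, True)
```

A captured token is useless for the next login because the server now stores it and expects its preimage, which only the holder of pw can produce. Note that the T-th token is OWF^0(pw) = pw itself, so a deployment re-initialises the chain before it is exhausted.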
Message Authentication Code & Signatures
§ KeyGen() → k
§ MAC_k(m) → t
§ Verify_k(t, m) → True/False
§ PRF → Deterministic MAC
§ Security definition of MAC/(One-Time) Signature?
§ KeyGen() → (vk, sk)
§ Sign_sk(m) → σ
§ Verify_vk(σ, m) → True/False
§ OWF → One-Time Signature
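The two constructions named on this slide as an added example (not the lecture's code): a deterministic MAC from a PRF, with HMAC-SHA256 standing in for the PRF, and a one-time signature from a OWF in the Lamport style, with SHA-256 as the OWF. Hashing the message to 256 bits before signing, so that one key covers any message length, is an addition of this example.

```python
# Added example (not from the slides): a deterministic MAC from a PRF (HMAC-SHA256
# standing in for the PRF) and a one-time signature from a OWF (Lamport's scheme,
# SHA-256 as the OWF).  The message is first hashed to 256 bits so that the
# one-time key covers any message length; that step is an addition of this example.
import hashlib
import hmac
import os

# PRF -> deterministic MAC
def mac_keygen() -> bytes:
    return os.urandom(32)

def mac(k: bytes, m: bytes) -> bytes:
    return hmac.new(k, m, hashlib.sha256).digest()       # t = f_k(m)

def mac_verify(k: bytes, t: bytes, m: bytes) -> bool:
    return hmac.compare_digest(t, mac(k, m))            # recompute and compare

# OWF -> one-time signature
N_BITS = 256

def owf(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def ots_keygen():
    """sk: 2 * N_BITS random preimages; vk: their images under the OWF."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    vk = [(owf(x0), owf(x1)) for x0, x1 in sk]
    return vk, sk

def message_bits(m: bytes):
    digest = int.from_bytes(owf(m), "big")
    return [(digest >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]

def ots_sign(sk, m: bytes):
    """Reveal, for each message bit b_i, the preimage sk[i][b_i]."""
    return [sk[i][b] for i, b in enumerate(message_bits(m))]

def ots_verify(vk, sig, m: bytes) -> bool:
    if len(sig) != N_BITS:
        return False
    return all(owf(s) == vk[i][b] for i, (s, b) in enumerate(zip(sig, message_bits(m))))

def demo(m: bytes = b"constructed sample message"):
    """(mac ok, mac on altered message ok, sig ok, sig on altered message ok)."""
    k = mac_keygen()
    t = mac(k, m)
    vk, sk = ots_keygen()
    sig = ots_sign(sk, m)
    return (mac_verify(k, t, m), mac_verify(k, t, m + b"!"),
            ots_verify(vk, sig, m), ots_verify(vk, sig, m + b"!"))

if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

Verifying the signature only applies the OWF in the forward direction, so the public vk can be handed to anyone; the "one-time" in the name is essential, since a second signature under the same sk reveals preimages for both values of any bit position where the two messages differ.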
Hash Function Family
§ “Random-looking” mapping of inputs to shorter hash-values
§ H: {0, 1}^k → {0, 1}^{s(k)} which is shrinking: s(k) < k
§ Yes, that is the hash you learn in your data structure course
  § Removes worst-case effects for higher efficiency
§ In cryptography, we use it for “integrity”
  § So we ask for more: “collision resistance”
§ Family: takes “2” inputs
  § the index of the member (function) of the family
    § can be considered as a “secret key” (Weak vs. Strong in next slide)
  § and the real input (of the function)
Degree of Collision-Resistance
§ ∀ PPT algo. A, Pr[x ≠ y and h(x) = h(y)] is negl.
  § What is the probability space?
  § Who decides which h? What knowledge does algo. A have?
§ Combinatorial Hash: (x, y) ← A; h ← H
§ Universal One-Way Hash (UOWHF): x ← A; h ← H; y ← A(h)
§ Collision-Resistant Hash (CRHF): h ← H; (x, y) ← A(h)
§ Variation: A() gets only oracle access to h()
  § vs. A() gets any (secret) coins used for sampling h()
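A concrete family that separates the three games on this slide, as an added example (not from the lecture): h_{a,b}(x) = ((ax + b) mod P) mod M with the toy parameters P = 101, M = 10 is a perfectly good combinatorial hash (for any pair fixed in advance, fewer than 1/M of the indices collide on it), but once the index is revealed a collision, and even a second preimage for a pre-committed x, is found in constant time, so it is neither a UOWHF nor a CRHF.

```python
# Added example (not from the slides): h_{a,b}(x) = ((ax + b) mod P) mod M, a toy
# family with constructed parameters that is a fine combinatorial hash but neither
# a UOWHF nor a CRHF; who chooses what, and when, decides the outcome.
P, M = 101, 10          # P prime, outputs in {0, ..., M-1}; requires P >= 2M below

def h(index, x: int) -> int:
    a, b = index
    return ((a * x + b) % P) % M

def family_size() -> int:
    return (P - 1) * P   # a in {1..P-1}, b in {0..P-1}

def combinatorial_collisions(x: int, y: int) -> int:
    """Combinatorial game: the adversary fixes (x, y) first, then h is sampled.
    Count the indices (a, b) that collide on the committed pair."""
    return sum(1 for a in range(1, P) for b in range(P) if h((a, b), x) == h((a, b), y))

def target_collision(index, x: int) -> int:
    """UOWHF game (x fixed, then h revealed) and CRHF game (h revealed first):
    once (a, b) is known, y = x +/- M * a^{-1} shifts a*y + b by exactly +/-M mod P,
    which leaves the residue mod M unchanged unless the shift wraps around P;
    one of the two signs never wraps, so a collision is always found."""
    a, b = index
    step = (M * pow(a, -1, P)) % P
    for y in ((x + step) % P, (x - step) % P):
        if y != x and h(index, y) == h(index, x):
            return y
    raise AssertionError("unreachable for P >= 2M")

if __name__ == "__main__":
    print(combinatorial_collisions(3, 58), family_size())   # 920 10100
    print(target_collision((7, 3), 0), h((7, 3), 0), h((7, 3), 88))   # 88 3 3
```

The count 920/10100 < 1/10 holds for every pair x ≠ y, which is the guarantee the data-structure use of hashing needs; a cryptographic use, where the index is public and the input is adversarial, is exactly the CRHF game the family loses.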
Weaker CRHFs
§ Pre-image CR: h ← H, x ← X; y ← A(h, h(x))
  § y allowed to be x
§ Second Pre-image CR: h ← H, x ← X; y ← A(h, x)
  § y ≠ x
§ [Ex. 1] They are incomparable (neither implies the other)
§ [Ex. 2] CRHF ⇒ 2nd pre-image CR
§ [Ex. 3] If “sufficiently compressing” ⇒ pre-image CR
Hash Function in Practice
§ A single fixed function
  § not a family
  § no security level “knob”
  § not formally collision-resistant (!)
§ E.g., SHA-1, MD4, MD5
  § All broken
§ SHA-2 and SHA-3
  § (SHA-224, SHA-256, SHA-512, SHA-512/224, SHA-512/256)
  § have an initial vector (I.V., like a key) built into the standard
  § considered as having been randomly chosen from a family
Next Lecture
§ More Efficient Signature Schemes:
  § Full-domain hash + TOWF
  § Schnorr Signature (discrete logarithm based)
§ Unforgeability of MAC and Signature
  § Definitions
  § Proof Techniques
  § The above 2 schemes are provably secure in the random oracle model