ENGG 5383 Applied Cryptography (smchow/5383/5383-18F-3-PKC.pdf)

Page 1: Lecture 3: Public-Key Encryption and Signatures
Sherman Chow, Chinese University of Hong Kong, Fall 2018
ENGG 5383 Applied Cryptography, 18th September 2018


Page 2: Last Lecture

§ PRG: Generates a pseudorandom sequence
§ PRF: A function “pseudorandomly” drawn from a family
§ Building stateful SKE
§ OWF/P: Easy to compute & difficult to invert
  § E.g., integer multiplication (F), modular exponentiation (P)
  § TOWF/P: Easy to invert with the trapdoor, e.g., RSA
§ Cyclic group, multiplicative group, order
§ RSA (exponentiating with a public exponent in Z_N*)
§ One-wayness and semantic security of PKE

Page 3: Facts in Z or Z+, the set of (positive) integers

§ What can be done in poly. time (w.r.t. the operands' length)?
§ Addition, multiplication
§ Division with remainder: ∀ a > b > 0, find the unique r and 0 ≤ q < b s.t. a = rb + q
§ How about exponentiation? The answer is no: the result a^b alone has about b·log₂(a) bits, exponential in the length of b
§ Greatest common divisor: gcd(a, b) := max{d ≥ 1 : d|a and d|b}
  § a, b ∈ Z+, d|a means d divides a

Page 4: Extended Euclidean Algorithm

§ Theorem: gcd(a, b), together with u, v such that gcd(a, b) = au + bv, is computable in poly. time
§ 1) Division: a = b·r_1 + q_1, 0 ≤ q_1 < b =: q_0
§ 2) Repeat: q_0 = q_1·r_2 + q_2, 0 ≤ q_2 < q_1
§ 3) Keep repeating until q_{s+1} = 0
§ We have gcd(a, b) = gcd(b, q_1) = … = gcd(q_{s−1}, q_s) = q_s
§ [Exercise] q_i ≥ 2·q_{i+2}. Consider the cases q_i ≥ 2·q_{i+1} and q_i < 2·q_{i+1}
§ Note that q_{i+2} = q_i mod q_{i+1} (and q_i > q_{i+1} > q_{i+2})
§ Every two iterations, q_i decreases by a factor > 1
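As an added worked example (not part of the lecture slides), the extended Euclidean algorithm of this slide in Python: each loop iteration is one division step, the Bezout coefficients u, v are carried along, and the number of divisions is checked against the bound that follows from q_i ≥ 2·q_{i+2}. The modular-inverse use is the one RSA key generation needs.

```python
# Added example, not from the lecture slides: extended Euclidean algorithm.
# Each iteration is one division "old = cur*quot + rem" of the slide; the invariant
# gcd(a, b) = gcd(old, cur) holds throughout, and (u0, v0), (u1, v1) are maintained
# so that old = a*u0 + b*v0 and cur = a*u1 + b*v1.

def egcd(a, b):
    """Return (d, u, v, steps): d = gcd(a, b) = a*u + b*v, steps = number of divisions."""
    old, cur = a, b
    u0, v0, u1, v1 = 1, 0, 0, 1
    steps = 0
    while cur != 0:
        quot, rem = divmod(old, cur)        # old = cur*quot + rem, 0 <= rem < cur
        old, cur = cur, rem                  # gcd(old, cur) = gcd(cur, rem)
        u0, u1 = u1, u0 - quot * u1          # keep old = a*u0 + b*v0
        v0, v1 = v1, v0 - quot * v1          # keep cur = a*u1 + b*v1
        steps += 1
    return old, u0, v0, steps


def mod_inverse(a, m):
    """a^{-1} mod m from Bezout: a*u + m*v = 1 implies a*u = 1 (mod m)."""
    d, u, _, _ = egcd(a, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd = {d}")
    return u % m


def steps_within_bound(a, b):
    """Remainders drop by a factor >= 2 every two steps (q_i >= 2 q_{i+2}), so the
    number of divisions is at most about 2*log2(b) + 2: linear in the operand length."""
    return egcd(a, b)[3] <= 2 * b.bit_length() + 2


def demo():
    """gcd(240, 46) = 2 = 240*(-9) + 46*47, and 17^{-1} mod 3120 = 2753 (the RSA toy key)."""
    d, u, v, steps = egcd(240, 46)
    return d, u, v, 240 * u + 46 * v, steps, mod_inverse(17, 3120)
```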

Page 5: Prime, Group, Ring, Field

§ Prime Number Theorem: π(x) ~ x / ln(x)
  § π(x) denotes the number of primes less than x
  § Pr[random k-bit integer is prime] ≈ c/k where c is a constant
  § so we can sample prime numbers efficiently by trial and error
  § or use the AKS deterministic primality test (arxiv.org/abs/1311.3785)
§ Group: the operation is closed, associative, invertible (& commutative)
§ Ring: “like a group”, but with two operations (+, ×)
  § and two identities (correspondingly denoted 0 and 1)
  § Multiplication distributes over addition: a × (b + c) = ab + ac
  § If ∃ a multiplicative inverse for every nonzero element ⇒ Field
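An added example (not from the slides) of the trial-and-error prime sampling this slide mentions: a Miller-Rabin test (probabilistic, unlike AKS) and an empirical check that the expected number of trials grows linearly in k, as Pr[prime] ≈ c/k predicts. Parameters such as the number of rounds and samples are my own choices.

```python
# Added example, not from the lecture slides: sample a k-bit prime by trial and error.
import random


def is_probable_prime(n, rounds=20, rng=random):
    """Miller-Rabin: False is certain (a witness was found); True is correct with
    probability at least 1 - 4^(-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                # n - 1 = d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False             # witness found: n is composite
    return True


def sample_prime(k, rng=random):
    """Draw random odd k-bit integers until one passes; return (prime, trials)."""
    trials = 0
    while True:
        trials += 1
        n = rng.getrandbits(k) | (1 << (k - 1)) | 1    # force exactly k bits and oddness
        if is_probable_prime(n, rng=rng):
            return n, trials


def mean_trials(k, samples=200, seed=1):
    """Average number of draws until a prime. Restricting to odd candidates, the
    success probability per draw is about 2/(k ln 2), so the mean is about 0.35*k:
    the c/k behaviour of the prime number theorem."""
    rng = random.Random(seed)
    return sum(sample_prime(k, rng)[1] for _ in range(samples)) / samples
```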

Page 6: Generator for Modular Exponentiation

§ How many generators does Z_p* have?
§ Theorem: It is φ(p − 1) ≥ p / log(log(p))
§ How to sample a generator?
  § Test whether an element is a generator, using the factorization of (p − 1)
§ [Proofs and details are omitted]

Page 7: Modular Exponentiation is a OWP

§ How to do modular exponentiation?
§ Example: $x^{277} = x^{(00100010101)_2} = \prod_{i=0}^{10} x^{b_i \cdot 2^i}$
§ f_{g,p}(x) := g^x mod p is believed to be a OWP
  § from Z_{p−1} to Z_p*
§ Why are domain and range different sets? They are actually equivalent: both have p − 1 elements, and f_{g,p} is a bijection between them
§ It is believed one-way even given the factorization of (p − 1) [details omitted]
§ [Exercise] Can we solve x^2 = a mod p? (for non-zero a)
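An added example (not from the slides) covering this slide and the previous one: the square-and-multiply evaluation of x^e mod p from the binary expansion of e, checked against the product form of the slide's x^277 identity, and the generator test that uses the factorization of p − 1 (an element is a generator iff g^((p−1)/q) ≠ 1 for every prime q dividing p − 1). The small primes used are constructed.

```python
# Added example, not from the lecture slides: square-and-multiply and generator test.

def mod_pow(x, e, p):
    """x^e mod p scanning the bits b_i of e from the least significant one:
    the result is the product of x^(2^i) over those i with b_i = 1."""
    result, power = 1, x % p          # power holds x^(2^i) mod p at round i
    while e > 0:
        if e & 1:                     # b_i = 1: multiply in x^(2^i)
            result = result * power % p
        power = power * power % p     # x^(2^(i+1)) = (x^(2^i))^2
        e >>= 1
    return result


def binary_expansion_matches(x, e, p):
    """The slide's identity: x^e = prod over i of x^(b_i * 2^i), taken mod p."""
    bits = [int(b) for b in bin(e)[2:][::-1]]          # b_0 first
    prod = 1
    for i, b in enumerate(bits):
        prod = prod * pow(x, b << i, p) % p            # b << i is b_i * 2^i
    return prod == mod_pow(x, e, p) == pow(x, e, p)


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for the toy sizes here)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_generator(g, p):
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q | p - 1;
    otherwise the order of g divides (p-1)/q and g spans a proper subgroup."""
    g %= p
    return g != 0 and all(mod_pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def count_generators(p):
    """By the theorem on slide 6 this equals Euler's phi(p - 1)."""
    return sum(1 for g in range(1, p) if is_generator(g, p))
```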

Page 8: Chinese Remainder Theorem

§ Let m_1, ..., m_k be pairwise relatively prime, m = m_1·m_2·...·m_k
§ ∀ a_1 ∈ Z_{m_1}, ..., ∀ a_k ∈ Z_{m_k}, we can compute a unique a ∈ Z_m
  § s.t. a ≡ a_i mod m_i, ∀ i = 1, ..., k
§ We thus have a 1-1 correspondence Z_m = Z_{m_1} × … × Z_{m_k}
§ + and × are preserved (and hence so is exponentiation)
§ So Z_m* = Z_{m_1}* × … × Z_{m_k}*
§ Fermat's Little Theorem generalizes to Euler's Theorem
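An added example (not from the slides) of the CRT correspondence on this slide: the map Z_m → Z_{m_1} × … × Z_{m_k} and its inverse, a check that × and exponentiation are preserved componentwise, and the unit-group statement Z_m* = Z_{m_1}* × … × Z_{m_k}*. The moduli used are constructed; `pow(x, -1, m)` needs Python 3.8+.

```python
# Added example, not from the lecture slides: Chinese Remainder Theorem.
from math import gcd, prod


def crt_split(a, moduli):
    """Z_m -> Z_{m_1} x ... x Z_{m_k}: a |-> (a mod m_1, ..., a mod m_k)."""
    return tuple(a % mi for mi in moduli)


def crt_combine(residues, moduli):
    """The unique a in Z_m (m = prod m_i) with a = a_i mod m_i for every i."""
    assert all(gcd(x, y) == 1 for i, x in enumerate(moduli) for y in moduli[i + 1:]), \
        "moduli must be pairwise coprime"
    m = prod(moduli)
    a = 0
    for ai, mi in zip(residues, moduli):
        Mi = m // mi                 # product of the other moduli: 0 mod m_j for j != i
        inv = pow(Mi, -1, mi)        # M_i^{-1} mod m_i, exists since gcd(M_i, m_i) = 1
        a += ai * Mi * inv           # contributes a_i mod m_i and 0 mod every other m_j
    return a % m


def preserves_mul_and_exp(x, y, e, moduli):
    """x*y and x^e computed in Z_m agree with computing them componentwise."""
    m = prod(moduli)
    xs, ys = crt_split(x, moduli), crt_split(y, moduli)
    comp_prod = [xi * yi % mi for xi, yi, mi in zip(xs, ys, moduli)]
    comp_exp = [pow(xi, e, mi) for xi, mi in zip(xs, moduli)]
    return (crt_combine(comp_prod, moduli) == x * y % m
            and crt_combine(comp_exp, moduli) == pow(x, e, m))


def is_unit(a, moduli):
    """a in Z_m^* iff every component a mod m_i is in Z_{m_i}^*."""
    return all(gcd(ai, mi) == 1 for ai, mi in zip(crt_split(a, moduli), moduli))


def count_units(moduli):
    """Should equal the product of phi(m_i), i.e. phi(m)."""
    return sum(1 for a in range(prod(moduli)) if is_unit(a, moduli))
```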

Page 9: Pseudo Random Generator (PRG)

§ G: {0, 1}^k → {0, 1}^{p(k)}
§ Stretching: p(k) > k
§ |Pr[D(G(x)) = 1 | x ←_r {0, 1}^k] − Pr[D(R) = 1 | R ←_r {0, 1}^{p(k)}]| < negl(k)
§ How to construct a PRG?
  § We will show an OWF-based construction (stay tuned)
§ Can we use an OWP directly as a PRG?
  § With a trapdoor, a TOWP suggests OW-PKE, but not CPA-PKE
  § But a PRG gives us pseudorandomness; “TPRG” ⇒ PKE? (stay tuned)

Page 10: TDP → OW-PKE

§ Trapdoor is the secret key
§ Enc is c := f(m)
§ Dec is to compute f^{−1}(c)
§ But it is not CPA secure
§ No deterministic PKE can be CPA-secure
§ Can we use a TDP to build a CPA-secure scheme?
  § Looking ahead: we need a “hardcore bit”

Page 11: This Lecture

§ Encryption
  § Chosen-Ciphertext Attack
  § Key-Exchange
  § Decisional Diffie-Hellman Assumption
  § ElGamal Encryption
§ Authentication
  § Hash Function
  § Message Authentication Code
  § Signatures

Page 12: Chosen-Ciphertext Attack (CCA)

§ Indistinguishability (IND)
§ Provides training on top of the chosen-plaintext attack (CPA)
§ Training: decryption oracle
§ Winning condition: the adversary cannot ask the decryption oracle for help to decrypt the challenge ctxt.

The game as a dialogue between challenger and adversary:

Challenger: Here is my public key, I will keep my private key from you
Adversary: I somehow got a ciphertext for you, can you decrypt it?
Challenger: Sure, I can decrypt many of them for you
Adversary: I want to be challenged with these 2 messages: m0, m1
Challenger: Now I encrypt a random one of them, make your guess

Page 13: More Thoughts on the Decryption Oracle

§ There is a decryption oracle; how about an encryption oracle?
  § Encryption is a public algorithm in public-key encryption.
  § Encryption in secret-key encryption requires secret knowledge.
  § It makes sense to consider an encryption oracle for SKE but not for PKE.
§ Can I prepare all possible ciphertexts for decryption?
  § Only a polynomial number of queries are allowed.
§ Why do I still need to “attack” if I have access to an oracle?
  § “Lunch time” attack: you may not be able to decrypt all the ciphertexts you want, e.g., the one which you have yet to see

Page 14: PRF → CPA-SKE

§ Secret key: a random key from the key space of the PRF
§ Message space: the range of the PRF
§ To encrypt:
  § Pick a random r in the domain of the PRF
  § Output ciphertext <r, f_k(r) ⊕ m>
§ The ciphertext is longer than the plaintext (“redundancy”)
§ How to establish the symmetric secret key?
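An added example (not from the slides) of the PRF-based SKE on this slide, with HMAC-SHA256 standing in for the PRF f_k: 32-byte keys, 16-byte random r as the domain, and the 32-byte PRF output as the message space. Key, nonce length and the sample message are my constructed choices.

```python
# Added example, not from the lecture slides: CPA-secure SKE <r, f_k(r) XOR m> from a PRF.
import hashlib
import hmac
import os

BLOCK = 32   # bytes: length of one PRF output = length of one message


def prf(k, r):
    """f_k(r): keyed pseudorandom function (HMAC-SHA256 as a stand-in)."""
    return hmac.new(k, r, hashlib.sha256).digest()


def keygen():
    """A random key from the key space of the PRF."""
    return os.urandom(BLOCK)


def encrypt(k, m, r=None):
    """Return the pair <r, f_k(r) XOR m>. r is fresh per encryption (fixed only for
    tests): the pad f_k(r) acts as a one-time pad, and reusing r would reuse the pad."""
    if len(m) != BLOCK:
        raise ValueError("message must be exactly one PRF output long")
    r = os.urandom(16) if r is None else r
    pad = prf(k, r)
    return r, bytes(p ^ x for p, x in zip(pad, m))


def decrypt(k, ct):
    """Recompute the pad from the transmitted r and strip it."""
    r, c = ct
    pad = prf(k, r)
    return bytes(p ^ x for p, x in zip(pad, c))


def ciphertext_overhead(ct):
    """The redundancy the slide mentions: ciphertext bytes beyond the plaintext length."""
    r, c = ct
    return len(r) + len(c) - BLOCK


def demo():
    """Two encryptions of one message decrypt correctly yet differ (fresh r each time)."""
    k, m = keygen(), bytes(range(BLOCK))               # constructed sample message
    ct1, ct2 = encrypt(k, m), encrypt(k, m)
    return decrypt(k, ct1) == m and decrypt(k, ct2) == m and ct1 != ct2, ciphertext_overhead(ct1)
```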

Page 15: Diffie-Hellman Key-Exchange

§ If interaction is allowed, how to ensure confidentiality?
§ Each party contributes some randomness?

Alice → Bob: X = g^x
Bob → Alice: Y = g^y
Alice computes K = Y^x; Bob computes K = X^y
In G = <g>: given g^x and g^y, is g^{xy} distinguishable from random?

Page 16: Decisional Diffie-Hellman Problem

§ Does the Discrete Logarithm (DL) assumption suffice?
  § It only rules out the ephemeral key recovery attack (computing x from g^x)
§ It says nothing about the pseudorandomness of the session key
§ Decisional Diffie-Hellman (DDH) assumption
§ One of the most widely-used assumptions
§ In which group is this assumption expected to hold?
§ Go back to Number Theory!

Page 17: Quadratic Residues

§ Proposition: x^2 = a mod p has either 0 or 2 solutions (for non-zero a)
§ If it has 2 solutions, a is called a Quadratic Residue (QR)
§ Lemma: Suppose g is a generator of Z_p*, a ∈ Z_p*, a = g^z.
  § Then a is a QR ⇔ z is even ⇔ a^{(p−1)/2} ≡ 1 mod p
§ Corollary: Exactly half of the elements of Z_p* are QRs
§ Define the Legendre symbol of a: $\left(\frac{a}{p}\right) := a^{(p-1)/2} \bmod p$
§ a is a QR iff a’s Legendre symbol is +1

Page 18: A Candidate DDH(-hard) Group

§ DDH does not hold in Z_p*
§ Why? The answer is in the previous slide
§ How about QR_p, the subgroup of quadratic residues?
§ How about cubic residues?
  § Let’s play “safe”
§ A prime p is called a safe prime if (p − 1)/2 is also prime
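An added example (not from the slides) for this slide and the previous one: Euler's criterion for the Legendre symbol, the QR facts of slide 17 checked on a small prime, and the reason DDH fails in Z_p* (the symbol of g^{xy} is fixed by those of g^x and g^y) together with why the same check is vacuous inside QR_p of a safe prime. p = 23, the generator g = 5 of Z_23*, and h = 4 generating QR_23 are constructed toy values.

```python
# Added example, not from the lecture slides: quadratic residues and DDH in Z_p^* vs QR_p.

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_safe_prime(p):
    return is_prime(p) and is_prime((p - 1) // 2)


def legendre(a, p):
    """(a/p) = a^((p-1)/2) mod p, reported as +1, -1 or 0 (Euler's criterion)."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def is_qr(a, p):
    return legendre(a, p) == 1


def count_qrs(p):
    """Corollary on slide 17: exactly (p-1)/2 elements of Z_p^* are QRs."""
    return sum(1 for a in range(1, p) if is_qr(a, p))


def qr_iff_even_exponent(g, p):
    """Lemma on slide 17: with g a generator of Z_p^*, g^z is a QR iff z is even."""
    return all(is_qr(pow(g, z, p), p) == (z % 2 == 0) for z in range(p - 1))


def symbols_consistent(X, Y, Z, p):
    """In Z_p^*: (g^xy/p) = +1 iff xy even iff x even or y even iff (X/p) = +1 or (Y/p) = +1.
    A real (g^x, g^y, g^xy) always passes; a random Z passes only half the time, so the
    Legendre symbol alone separates real triples from random ones and DDH cannot hold."""
    xy_even = is_qr(X, p) or is_qr(Y, p)
    return is_qr(Z, p) == xy_even


def random_z_consistent_count(g, x, y, p):
    """How many Z in Z_p^* pass the symbol check against the fixed real (g^x, g^y)."""
    X, Y = pow(g, x, p), pow(g, y, p)
    return sum(symbols_consistent(X, Y, Z, p) for Z in range(1, p))


def subgroup_all_qr(h, p):
    """Inside QR_p = <h> (prime order (p-1)/2 for a safe prime) every element has
    symbol +1, so the check above carries no information there."""
    return all(is_qr(pow(h, i, p), p) for i in range((p - 1) // 2))
```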

Page 19: ElGamal Encryption

§ Bob “contributes” his public key: Y = g^y
§ Alice “completes” the key agreement and uses the session key as a “one-time pad” of the message: C0 = g^r, C1 = M·Y^r
§ Bob then derives the session key and unwraps the padding

Page 20: Properties of ElGamal

§ Homomorphic: E(m0; r0) × E(m1; r1) = E(m0·m1; r0 + r1)
§ Blindable
§ Re-randomizable: E(m; r) × E(1; r’) = E(m; r + r’)
§ Key is not a “bit-string”
§ Message is not a QR?

Page 21: Security of ElGamal

§ If the DDH assumption holds, ElGamal is IND-CPA secure
§ Reductionist proof: ElGamal insecure ⇒ DDH solver
§ Given (G, g, g^x, g^y, g^z)
§ Set pk = (G, g, g^y), and Enc(M_b) = (g^x, M_b·g^z)
§ Simulator S outputs 1 if the adversary A returns 1
§ If z is random, S outputs 1 with prob. ½
§ If z = xy, i.e., the real IND-CPA game, S outputs 1 with prob. ½ + advantage of A

Page 22: Key Encapsulation and Key Exchange

§ Key encapsulation mechanism (KEM)
  § only outputs the encapsulated key, i.e., the pad
  § E.g., Y^r in ElGamal
  § but does not encrypt the plaintext
§ Any 2-round key exchange which is secure against a passive attacker yields a secure KEM, and vice versa.
§ CPA-security of a KEM? There is no plaintext!
  § I actually mean indistinguishability (of the encapsulated key from random).

Page 23: Another Abstraction of ElGamal

§ Recall the PRF-based CPA-SKE: <r, f_k(r) ⊕ m>
§ ElGamal: (Y = g^x, x) ← KG; (C0 = g^r, C1 = M·Y^r) ← E(M); C1 / C0^x ← D(C)
§ Trapdoor PseudoRandom number Generator (TPRG):
  § Key gen algo. KG(), and 3 functions G_pk(x), T_pk(x), R_sk(x)
  § G_pk(x) is pseudorandom even given T_pk(x) and pk
  § R_sk(T_pk(x)) = G_pk(x)
§ (pk, sk) ← TPRG.KG; (C0 = T_pk(r), C1 = M × G_pk(r)) ← E(M); C1 / R_sk(C0) ← D(C)
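An added example (not from the slides) serving slides 19 to 23: ElGamal written through the TPRG abstraction of this slide (KG, T_pk, G_pk, R_sk) over the subgroup QR_p of a safe prime, with the homomorphic and re-randomisation identities of slide 20 and the "message is not a QR?" caveat made checkable. P = 23 and G = 4 are constructed toy parameters; the function names T, Gen and R follow the slide's T_pk, G_pk and R_sk.

```python
# Added example, not from the lecture slides: ElGamal as a trapdoor PRG (TPRG).
import secrets

P = 23                         # safe prime: (23 - 1) / 2 = 11 is prime
Q = (P - 1) // 2               # order of QR_p
G = 4                          # 4 = 2^2 is a QR, hence a generator of the order-11 group QR_23


def kg():
    """TPRG.KG: pk = (p, g, y = g^x), sk = x with x random in Z_q."""
    x = secrets.randbelow(Q - 1) + 1
    return (P, G, pow(G, x, P)), x


def T(pk, r):
    """T_pk(r) = g^r: the hint that travels in the clear as C0."""
    return pow(pk[1], r, pk[0])


def Gen(pk, r):
    """G_pk(r) = y^r: the pad, pseudorandom given T_pk(r) and pk under DDH."""
    return pow(pk[2], r, pk[0])


def R(sk, c0):
    """R_sk(T_pk(r)) = (g^r)^x = y^r = G_pk(r): the trapdoor recovers the pad."""
    return pow(c0, sk, P)


def enc(pk, m, r=None):
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return T(pk, r), m * Gen(pk, r) % P


def dec(sk, ct):
    c0, c1 = ct
    return c1 * pow(R(sk, c0), -1, P) % P      # C1 / R_sk(C0), Python 3.8+ for pow(.., -1, P)


def mul(ct_a, ct_b):
    """E(m0; r0) x E(m1; r1) = E(m0*m1; r0 + r1): componentwise product of ciphertexts."""
    return ct_a[0] * ct_b[0] % P, ct_a[1] * ct_b[1] % P


def rerandomize(pk, ct, r2=None):
    """E(m; r) x E(1; r') = E(m; r + r'): same plaintext, fresh-looking ciphertext."""
    return mul(ct, enc(pk, 1, r2))


def symbol(a):
    """a^((p-1)/2) mod p: 1 for a QR, p - 1 otherwise."""
    return pow(a, Q, P)


def c1_symbol(pk, m, r):
    """y^r is always a QR, so the symbol of C1 = m*y^r equals the symbol of m: a message
    outside QR_p reveals that fact to anyone, which is the slide-20 caveat."""
    return symbol(enc(pk, m, r)[1])
```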

Page 24: Hardcore Bit of a OWF

§ Hardcore bit h(x) for a given (T)OWF f:
  § h(x) is easy to compute from x
  § but almost impossible to even guess well from f(x)
§ Construction strategy:
  § Taking as hypothesis that a concrete function is a OWF, exhibit a hardcore bit for that function
  § Taking as hypothesis that an arbitrary function is a OWF, exhibit a hardcore bit for it (e.g., the Goldreich-Levin construction [*])
§ PRG from OWP: G(x) = f^n(x) ◦ h(f^{n−1}(x)) ◦ h(f^{n−2}(x)) ◦ … ◦ h(x)

Page 25: RSA Assumption, Trapdoor Predicate

§ Does the factoring assumption suffice for the one-wayness of RSA?
§ RSA Assumption: Let N = pq, where p, q are k-bit primes. Then for every PPT algo. A and negligible function negl():
  § Pr[A(N, e, RSA_{N,e}(x)) = x] < negl(k)
  § where RSA_{N,e}(x) is x^e mod N
§ Let’s assume LSB(RSA_{N,e}(x)) is a hardcore bit.
§ Exercises:
  § Write down the definition of a trapdoor predicate
  § How to construct a 1-bit CPA-secure PKE from RSA?
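An added example (not from the slides) of the OWP-to-PRG construction of slide 24, G(x) = f^n(x) ◦ h(f^{n−1}(x)) ◦ … ◦ h(x), instantiated with the RSA permutation of this slide and h(x) = LSB(x) as the assumed hardcore bit (read as: the least significant bit of x is hard to guess from x^e mod N). The toy parameters N = 53·61 = 3233, e = 17, d = 2753 are constructed and give no security at all; the trapdoor d walking the chain backwards is the TPRG view of slide 23.

```python
# Added example, not from the lecture slides: PRG from the RSA permutation and an assumed hardcore bit.
from math import gcd

N, E, D = 53 * 61, 17, 2753              # e*d = 1 mod phi(N), phi(N) = 52*60 = 3120


def rsa(x):
    """f(x) = x^e mod N: a permutation of Z_N^* (one-way under the RSA assumption)."""
    return pow(x, E, N)


def rsa_inv(y):
    """f^{-1} with the trapdoor: y^d mod N."""
    return pow(y, D, N)


def lsb(x):
    """Assumed hardcore bit h(x): trivial from x, assumed hard to guess from f(x)."""
    return x & 1


def prg(x, n, f=rsa, h=lsb):
    """Iterate f n times, emitting one hardcore bit per step (slide 24's G).
    Returns (f^n(x), [h(x), h(f(x)), ..., h(f^(n-1)(x))]); output is |N| + n bits
    from a seed of |N| bits, i.e. it stretches by n bits."""
    bits = []
    for _ in range(n):
        bits.append(h(x))
        x = f(x)
    return x, bits


def recover_bits(y, n):
    """TPRG view: with the trapdoor, walk back from y = f^n(x) and recompute every bit."""
    bits = []
    for _ in range(n):
        y = rsa_inv(y)
        bits.append(lsb(y))
    return bits[::-1]


def is_permutation_on_units():
    """Sanity check that f really permutes Z_N^*, which the construction requires."""
    units = {x for x in range(1, N) if gcd(x, N) == 1}
    return {rsa(x) for x in units} == units
```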

Page 26: Using OWF/P for Authentication

§ Password Authentication from OWF
  § Server stores OWF(password) but not the password itself
  § To authenticate, the user sends the candidate password
  § “Static” authentication
§ S/Key System from OWP
  § Server stores y_0 = OWF(OWF(OWF(… (pw)))) // T times
  § T times authentication with a “changing” token
  § To authenticate at the i-th time, the user sends y_i = OWF^{T−i}(pw), the pre-image of the stored y_{i−1}
  § The server updates what it stores to y_i too.
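An added example (not from the slides) of the S/Key chain on this slide with SHA-256 as the OWF: the chain is indexed from the password end, so the i-th token is OWF^{T−i}(pw), the server checks it with one OWF evaluation against what it stored and then stores the token. The password and T are constructed values.

```python
# Added example, not from the lecture slides: S/Key one-time tokens from an iterated OWF.
import hashlib


def owf(x):
    return hashlib.sha256(x).digest()


def owf_iter(x, n):
    for _ in range(n):
        x = owf(x)
    return x


class SKeyServer:
    def __init__(self, y0):
        self.stored = y0              # y_0 = OWF^T(pw); the password itself is never stored
        self.logins = 0

    def authenticate(self, token):
        """Accept iff OWF(token) == stored value (one OWF evaluation), then store token.
        A replayed or otherwise stale token fails: its image is not the current value."""
        if owf(token) != self.stored:
            return False
        self.stored = token
        self.logins += 1
        return True


class SKeyClient:
    def __init__(self, pw, T):
        self.pw, self.T, self.i = pw, T, 0

    def enroll(self):
        """What the server receives at setup: y_0 = OWF^T(pw)."""
        return owf_iter(self.pw, self.T)

    def next_token(self):
        """The i-th login sends y_i = OWF^(T-i)(pw); after T logins the chain is used up."""
        self.i += 1
        if self.i > self.T:
            raise RuntimeError("chain exhausted: enroll a fresh chain")
        return owf_iter(self.pw, self.T - self.i)


def run_chain(pw=b"constructed-password", T=5):
    """Run T logins, then replay the first token; returns (accept list, replay accepted?)."""
    client = SKeyClient(pw, T)
    server = SKeyServer(client.enroll())
    first = client.next_token()
    accepts = [server.authenticate(first)]
    accepts += [server.authenticate(client.next_token()) for _ in range(T - 1)]
    return accepts, server.authenticate(first)
```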

Page 27: Message Authentication Code & Signatures

§ MAC: KeyGen() → k; MAC_k(m) → t; Verify_k(t, m) → True/False
§ PRF → deterministic MAC
§ Signature: KeyGen() → (vk, sk); Sign_sk(m) → σ; Verify_vk(σ, m) → True/False
§ OWF → one-time signature
§ Security definition of MAC/(one-time) signature?
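An added example (not from the slides) of the two arrows on this slide: a Lamport one-time signature built from a OWF (SHA-256 standing in for the OWF) and a deterministic MAC built from a PRF (HMAC-SHA256 standing in for the PRF). Keys come from os.urandom and the messages are constructed; the count of secrets exposed by signing a second message shows why the signature is strictly one-time.

```python
# Added example, not from the lecture slides: OWF -> one-time signature, PRF -> MAC.
import hashlib
import hmac
import os

BITS = 256


def owf(x):
    return hashlib.sha256(x).digest()


def msg_bits(m):
    """Sign the 256-bit hash of m; bit i selects which secret of pair i is revealed."""
    d = hashlib.sha256(m).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def ots_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(BITS)]   # (x_{i,0}, x_{i,1})
    vk = [(owf(x0), owf(x1)) for x0, x1 in sk]                     # (f(x_{i,0}), f(x_{i,1}))
    return vk, sk


def ots_sign(sk, m):
    """sigma = one pre-image per bit: x_{i, b_i}."""
    return [sk[i][b] for i, b in enumerate(msg_bits(m))]


def ots_verify(vk, sig, m):
    """Check f(sigma_i) == vk_{i, b_i} for every bit position of H(m)."""
    return len(sig) == BITS and all(owf(s) == vk[i][b]
                                    for i, (s, b) in enumerate(zip(sig, msg_bits(m))))


def positions_exposed(m1, m2):
    """Signing m1 and m2 under one key reveals both secrets of pair i wherever the hash
    bits differ, which lets a third party sign further messages: hence one-time only."""
    return sum(1 for b1, b2 in zip(msg_bits(m1), msg_bits(m2)) if b1 != b2)


def mac_keygen():
    return os.urandom(32)


def mac(k, m):
    """PRF -> deterministic MAC: t = f_k(m)."""
    return hmac.new(k, m, hashlib.sha256).digest()


def mac_verify(k, t, m):
    return hmac.compare_digest(t, mac(k, m))
```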

Page 28: Hash Function Family

§ “Random-looking” mapping of inputs to shorter hash values
§ H: {0, 1}^k → {0, 1}^{s(k)} which is shrinking: s(k) < k
§ Yes, that is the hash you learn in your data structures course
  § It removes worst-case effects for higher efficiency
  § In cryptography, we use it for “integrity”
  § So we ask for more: “collision resistance”
§ Family: takes “2” inputs
  § the index of the member (function) of the family
    § can be considered as a “secret key” (weak vs. strong in the next slide)
  § and the real input (of the function)

Page 29: Degree of Collision-Resistance

§ ∀ PPT algo. A, Pr[x ≠ y and h(x) = h(y)] is negl.
§ What is the probability space?
§ Who decides which h? What knowledge does algo. A have?
§ Combinatorial hash: (x, y) ← A; h ← H
§ Universal One-Way Hash (UOWHF): x ← A; h ← H; y ← A(h)
§ Collision-Resistant Hash (CRHF): h ← H; (x, y) ← A(h)
§ Variation: A() gets only oracle access to h()
  § vs. A() gets any (secret) coins used for sampling h()

Page 30: Weaker CRHFs

§ Pre-image CR: h ← H, x ← X; y ← A(h, h(x))
  § y is allowed to be x
§ Second pre-image CR: h ← H, x ← X; y ← A(h, x)
  § y ≠ x
§ [Ex. 1] They are incomparable (neither implies the other)
§ [Ex. 2] CRHF ⇒ 2nd pre-image CR
§ [Ex. 3] If “sufficiently compressing” ⇒ pre-image CR

Page 31: Hash Function in Practice

§ A single fixed function
  § not a family
  § no security level “knob”
  § not formally collision-resistant (!)
§ E.g., SHA-1, MD4, MD5
  § All broken
§ SHA-2 and SHA-3
  § (SHA-224, SHA-256, SHA-512, SHA-512/224, SHA-512/256)
§ has an initial vector (I.V., like a key) built into the standard
  § considered as having been randomly chosen from a family

Page 32: Next Lecture

§ More Efficient Signature Schemes:
  § Full-domain hash + TOWF
  § Schnorr Signature (discrete logarithm based)
§ Unforgeability of MAC and Signature
  § Definitions
  § Proof Techniques
  § The above 2 schemes are provably secure in the random oracle model