Public Key Cryptography: Encryption, Signatures, FDH - PowerPoint Presentation

sherrill-nordquist

Uploaded On 2016-11-03




Presentation Transcript

Slide1

Public Key Cryptography: Encryption, Signatures, FDH

The ROM, FDH, using the ROM

Slide2

From previous lecture

Ciphers

Stream ciphers: many follow OTP + PRG strategy

Block ciphers: work on plaintext of limited size = block; output ciphertexts of same size

Modes of operation: used to encrypt longer messages

Hash functions

Basic properties: first/second preimage resistance, collision resistance

Can be used to construct primitives like HMACs

Slide3

Part I: Background

Slide4

Divisors, Primes, GCD

Assume: positive integers

Division: “ divides ” iff s.t. . We write and say is a divisor of . Examples: , , etc.

Prime numbers: positive integers greater than only divisible by and themselves. 1 is not a prime number. Nor is 0.

Modular arithmetic: remainder of division s.t. with and . E.g.

Slide5

Equivalence Classes, GCD

Equivalence: iff .

Equivalence classes: For instance

Common divisor: is common divisor of iff. and

Greatest common divisor: largest such

Slide6

Finding GCD

If it holds that:

This is because if and , then

Why? Write , . Then , so and . For any : if then

Hence Euclid’s algorithm, input :

1. if , then output

2. else, repeat procedure on input ( )

Total complexity:
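Euclid’s recursion above, carried through to the extended GCD (Bezout coefficients) of the next slide and the modular inverse it yields, as an added Python example that is not part of the lecture; the function names and the sample values are constructed for illustration.

```python
# Added example (not from the lecture): Euclid's algorithm, the extended GCD and
# the modular inverse it yields. Function names and sample values are constructed.


def gcd(a, b):
    """Euclid: gcd(a, b) = gcd(b, a mod b); when the second argument reaches 0 the first is the answer."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a


def euclid_steps(a, b):
    """Number of division steps Euclid takes on (a, b). The worst case is a pair of
    consecutive Fibonacci numbers, which gives the O(log min(a, b)) bound."""
    steps = 0
    while b:
        a, b = b, a % b
        steps += 1
    return steps


def extended_gcd(a, b):
    """Return (g, u, v) with g = gcd(a, b) = u*a + v*b.
    The pair (u, v) is carried along the same remainder sequence Euclid produces."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_u, u = u, old_u - quotient * u
        old_v, v = v, old_v - quotient * v
    return old_r, old_u, old_v


def mod_inverse(a, n):
    """Inverse of a modulo n, or None when gcd(a, n) != 1 (a and n not co-prime).
    From u*a + v*n = 1 we read off u*a = 1 (mod n); this is how RSA's d is found from e."""
    g, u, _ = extended_gcd(a % n, n)
    if g != 1:
        return None
    return u % n


if __name__ == "__main__":
    print(gcd(1071, 462))          # 21
    print(extended_gcd(240, 46))   # (2, -9, 47): 240*(-9) + 46*47 = 2
    print(mod_inverse(3, 11))      # 4
```

The inverse is exactly what RSA key generation needs later in the lecture (d = e^-1 modulo phi(N)); mod_inverse returning None is the co-primality check of the next slide failing.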

Slide7

Extended GCD

Theorem: If , then is the smallest positive integer for which there exist integers such that:

If = 1, are called co-prime

Extended GCD: Input Output:

Slide8

Groups

Set , operator such that:

Closure: it holds

Associativity: it holds

Identity element: s.t.:

Inverse element: s.t. :

( ) is an Abelian group iff: is a group

Example:

Another example:

Slide9

Subgroups and Orders

Order of group : # elements in

Subgroup of : is a group

Theorem [Lagrange]: If is finite and subgroup of , then divides

Slide10

Cyclic Groups

Cyclic groups: of order is cyclic iff . : We call a generator of this group. Any element can be a generator.

Theorem [Fermat’s little theorem]: If is a finite subgroup, then it holds that (n times)

Slide11

Groups and subgroups we use

For a prime :

Integers modulo a prime, under multiplication mod p

Abelian (multiplication is commutative)

Variation: sometimes in ECC we use

For primes : ( ) with

Cardinality: # of numbers co-prime with . Usually denoted by Euler’s function: E.g.:

Slide12

Part II: Encryption Schemes

Slide13

Public-Key Encryption

Syntax: algorithms ( ) such that:

: given security parameters, outputs tuple consisting of a private/public key

: given plaintext and public key, outputs ciphertext

: given ciphertext and secret key, outputs plaintext or error symbol

Diagram: KGen outputs pk, sk; Enc(pk; m) outputs c; Dec(sk; c) outputs m

Slide14

Public-Key Encryption

Correctness: For all tuples and for all plaintexts , it must hold that

Sometimes we degrade it to -correctness in which the decryption fails with probability

IND-CPA: eavesdropper can’t tell even 1 bit of p-text

A wins iff.

Slide15

El-Gamal Encryption

Before key-generation: setup

Pick primes such that

Group and cyclic subgroup of of prime order under the same operation

Generator of

Key generation: Secret key ; public key

Encryption of message : Pick , set

Decryption of : Set

Slide16

Generic Messages

Message has to be in

What happens otherwise?

Could use , for (if , then the order of is not ; yet, the order of is ). Proof in TD

Encrypt instead of , take at decryption

Could also modify scheme a little bit, using a hash function: Encryption: Decryption:

We can prove security as long as the hash function preserves the pseudorandomness of

Slide17

El-Gamal Security

Theorem: If there exists an adversary A who can break the IND-CPA security of the El Gamal scheme with probability ...

... then there exists an adversary B who can break the DDH assumption in group with probability such that:

Slide18

Reminder: Hard problems based on DLog

Setup: Cyclic group of prime order , generator

DLog: Given , find ( and fully define )

CDH: Given find

DDH: Given find out whether or not

Note: If DLog is solved, then we can solve CDH. If we can solve CDH, then we can solve DDH.

Slide19

Proof

What does breaking DDH mean?

B plays a game against a challenger

Depending on a bit , B receives (if ) or , for

B must output a bit and wins iff.

Constructing B that uses A

Upon receiving tuple with or , B gives A:

A chooses and sends B messages

B chooses a bit , outputs , sends to A

A outputs and wins iff

B outputs

Slide20

Analysis

Constructing B that uses A

Upon receiving tuple with or , B gives A:

A chooses and sends B messages

B chooses a bit , outputs , sends to A

A outputs and wins iff

B outputs

Analysis:

If b = 1, B got , which means A plays the true game: so A wins w.p. .

If b = 0, B got , so A wins w.p. .

Slide21

Malleability

Malleability, to maul: Informally: ability to “re-shape” things

Not always bad – crucial in homomorphic crypto

Bad for IND-CCA

ElGamal is malleable: Say we encrypt message with randomness . Now pick random . Maul ciphertext: , . Then is an encryption of
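ElGamal in a prime-order subgroup (the setup of Slide15) together with the mauling described on this slide, as an added Python example that is not the lecture’s own code. It assumes the standard choice p = 2q + 1 (so q divides p − 1), a generator obtained by squaring an element of Z_p^*, and the standard maul (multiply the second component by m′ and re-randomize both components); the exact form the slide uses is not recoverable from the transcript, so this one is assumed. Parameters are toy-sized and constructed.

```python
# Added example (not from the lecture): ElGamal over the order-q subgroup G of Z_p^*
# and the mauling that shows it is malleable. Parameters are toy-sized and constructed.
import secrets


def is_prime(n):
    """Trial division; fine for the toy sizes used here, not for real parameters."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def setup(start=1000):
    """Pick primes p, q with p = 2q + 1 (so q | p - 1) and a generator g of the
    subgroup G of Z_p^* of prime order q. Assumed structure: squaring any element
    of Z_p^* lands it in G, and any element of G other than 1 generates G."""
    q = start
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    p = 2 * q + 1
    h = 2
    g = pow(h, (p - 1) // q, p)
    while g == 1:
        h += 1
        g = pow(h, (p - 1) // q, p)
    return p, q, g


def in_group(x, p, q):
    """Membership test for G: x in Z_p^* has order dividing q iff x^q = 1 mod p."""
    return 0 < x < p and pow(x, q, p) == 1


def keygen(p, q, g):
    """Secret key x in [1, q-1]; public key h = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return (p, q, g, pow(g, x, p)), x


def encrypt(pk, m):
    """Requires m in G (Slide16 discusses what to do otherwise)."""
    p, q, g, h = pk
    if not in_group(m, p, q):
        raise ValueError("message is not in the subgroup G")
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), m * pow(h, r, p) % p


def decrypt(pk, x, ct):
    """c2 * c1^{-x} = m * h^r * g^{-rx} = m."""
    p, q, g, h = pk
    c1, c2 = ct
    return c2 * pow(c1, -x, p) % p


def maul(pk, ct, m_prime):
    """Without the secret key, turn an encryption of m into a fresh-looking
    encryption of m * m_prime: multiply c2 by m_prime and re-randomize both parts."""
    p, q, g, h = pk
    c1, c2 = ct
    r2 = secrets.randbelow(q - 1) + 1
    return c1 * pow(g, r2, p) % p, c2 * pow(h, r2, p) * m_prime % p


if __name__ == "__main__":
    p, q, g = setup()
    pk, sk = keygen(p, q, g)
    m, m_prime = pow(g, 7, p), pow(g, 11, p)
    ct = encrypt(pk, m)
    assert decrypt(pk, sk, ct) == m
    assert decrypt(pk, sk, maul(pk, ct, m_prime)) == m * m_prime % p
    print("decrypt(maul(Enc(m), m')) == m * m' mod p")
```

The mauled ciphertext decrypts to m · m′ and, because of the re-randomization, is not recognisable as derived from the original; this is the relation-on-input-to-relation-on-output property that the IND-CCA discussion on the following slides turns into an attack on the decryption oracle.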

Slide22

IND-CPA vs IND-CCA

IND-CPA: eavesdropper can’t tell even 1 bit of p-text

A wins iff.

IND-CCA: even if we have power of decryption, can’t learn even 1 bit of fresh message

Same as before, but include Dec. oracle

A must not query challenge ciphertext to Dec.

Slide23

Malleability and IND-CCA

Malleability informally means that one can use a relation on the input to induce a relation on the output.

Malleability usually implies encryption scheme is not IND-CCA

Why?

Key to IND-CCA success: A cannot query the challenge ciphertext

Maul challenge ciphertext, then query it to Dec

Perform inverse transformation

Slide24

IND-CCA encryption

Much harder to get than IND-CPA encryption

Must prevent malleability, so usually we would use something to verify the integrity of the message

Would using a hash function help? : doesn’t work.

Why not?

How about ? Could we use a PRF instead? : security is ok, but why would we do PKE if we already had a shared key?

Slide25

Part III: Signature Schemes

Slide26

Digital signatures

Syntax: algorithms ( ) such that:

: given security parameters, outputs tuple consisting of a private/public key

: given plaintext and secret key, outputs signature

: given message, signature and public key, outputs a bit if checks for , 0 otherwise

Diagram: KGen outputs pk, sk; Sign(sk, m) outputs a signature; Vf(pk; m, signature) outputs 0/1

Slide27

Signature security

Correctness: For all tuples and for all messages , it must hold that

Sometimes we degrade it to -correctness in which the verification of a signed message fails with probability

EUF-CMA: adversary can’t forge fresh signature

Store list of queries to Sign

A wins iff. and

Slide28

RSA Signatures

RSA setup: Large primes , let

Subgroup of co-primes with , size

Work in subgroup

RSA signatures:

KGen: Find such that and its inverse such that . Public key ; Secret key

Sign message :

Verify signature for message : Output 1 iff. and output 0 otherwise

Slide29

Not EUF-CMA

No queries: Pick random string . Compute . Output as forgery

Forgery with 2 queries: Want to forge signature for given message . Pick at random, ask signature: . Compute s.t. , get . Output

RSA Signature reminder: Key Generation: Sign: Verify: ?

Slide30

How to Get EUF-CMA

Use Hash functions, and sign hash of message

The Probabilistic Full-Domain-Hash RSA scheme:

Use a hash function

KGen: Obtain , set: ;

Sign: Choose random , compute , output signature:

Verification: receive , output iff.
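Textbook RSA signatures (Slide28), the two forgeries of Slide29, and the hash-then-sign PFDH scheme of this slide, as an added Python example that is not the lecture’s own code. It uses toy primes, models the hash as a lazily sampled random oracle with outputs uniform in Z_N (the idealization the next slide introduces; a deployed full-domain hash is built from a real hash function instead), and assumes the PFDH details the transcript leaves unrecoverable: the signature is the pair (r, s) with s = H(m || r)^d mod N. Function names and sample values are constructed.

```python
# Added example (not from the lecture): textbook RSA signatures, why they are not
# EUF-CMA, and hash-then-sign in PFDH style. Keys are toy-sized and constructed.
import secrets
from math import gcd


def rsa_keygen(p=1000003, q=1000033, e=65537):
    """Toy RSA key: N = pq, d = e^-1 mod phi(N) with phi(N) = (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def textbook_sign(sk, m):
    n, d = sk
    return pow(m, d, n)


def textbook_verify(pk, m, s):
    n, e = pk
    return pow(s, e, n) == m % n


def forge_no_queries(pk):
    """Slide29, no queries: pick s at random, declare m = s^e mod N; (m, s) verifies."""
    n, e = pk
    s = secrets.randbelow(n - 2) + 2
    return pow(s, e, n), s


def forge_two_queries(pk, sign_oracle, m):
    """Slide29, two queries: split m = m1 * m2 mod N, ask for both signatures,
    multiply them. Works because textbook RSA signing is multiplicative."""
    n, e = pk
    while True:
        m1 = secrets.randbelow(n - 2) + 2
        if gcd(m1, n) == 1:
            break
    m2 = m * pow(m1, -1, n) % n
    return sign_oracle(m1) * sign_oracle(m2) % n


class RandomOracle:
    """Lazily sampled random function with outputs uniform in Z_N (full domain).
    First query on x draws a fresh value; later queries on x return the stored one."""

    def __init__(self, n):
        self.n = n
        self.table = {}

    def query(self, x):
        if x not in self.table:
            self.table[x] = secrets.randbelow(self.n)
        return self.table[x]


def pfdh_sign(sk, H, m, salt_len=16):
    """PFDH (assumed form): pick random r, sign H(m || r). Signature is (r, s)."""
    n, d = sk
    r = secrets.token_bytes(salt_len)
    return r, pow(H.query(m + r), d, n)


def pfdh_verify(pk, H, m, sig):
    n, e = pk
    r, s = sig
    return pow(s, e, n) == H.query(m + r)


def hash_is_multiplicative(pk, H, m, m1, m2):
    """The relation the two-query forgery needs, H(m) = H(m1) * H(m2) mod N, holds for a
    random oracle only with probability 1/N, so the forgery does not carry over."""
    n, _ = pk
    return H.query(m) == H.query(m1) * H.query(m2) % n


if __name__ == "__main__":
    pk, sk = rsa_keygen()
    m, s = forge_no_queries(pk)
    print("no-query forgery verifies:", textbook_verify(pk, m, s))
    forged = forge_two_queries(pk, lambda x: textbook_sign(sk, x), 4242)
    print("two-query forgery verifies:", textbook_verify(pk, 4242, forged))
    H = RandomOracle(pk[0])
    sig = pfdh_sign(sk, H, b"pay 10")
    print("PFDH verify:", pfdh_verify(pk, H, b"pay 10", sig),
          "after tampering:", pfdh_verify(pk, H, b"pay 99", sig))
```

Both textbook forgeries succeed because signing is a homomorphism of Z_N^*; once the message goes through the random oracle first, the signer only ever exponentiates independent uniform values, which is the fact the reduction on the later slides exploits when it programs the oracle.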

Slide31

Security of PFDH-RSA

Assumptions on hash functions:

Collision-resistance sometimes suffices

However, proofs for signatures are hard to do relying just on collision resistance

Need a stronger assumption

Random oracles, the ROM: Imagine an idealization of a hash function

Every time we query the idealization on a value , check RO has not been queried with before:

If so, output new uniformly random value of good length

Else output previously seen value for

Slide32

RSA assumption

The RSA problem: Given an RSA instance, with public key . Given “ciphertext”: . Compute

The RSA assumption: The RSA problem is hard to solve for a PPT adversary

The strong RSA assumption: Allow Adversary to choose exponent . Given , hard to output s.t.

Slide33

Security of PFDH

Theorem: Take . In the random oracle model: If there exists an adversary A against the EUF-CMA of the PFDH scheme, making at most queries to and at most queries to , winning with probability … Then there exists an adversary B that solves the RSA problem with probability

Slide34

Programming a RO

Key observations:

A does not have much use submitting messages to Sign oracle without submitting them to Hashing RO first

Not entirely true, we would lose a guessing term here

A cannot output a meaningful forgery for a message without submitting it to Hashing RO first

Again, not entirely true, same considerations as before

A has no use querying the same message twice to the random oracle (since the RO always returns the same thing)

Slide35

Security Proof for PFDH-RSA

Proof intuition: The random oracle randomizes the messages to be signed; in fact, by choosing different values of we get different values of

Multiple related signatures per message: Because of the RO, all hashes are different

Slide36

Constructing the Reduction

Adversary B plays the RSA problem

It needs to simulate the EUF-CMA game to adversary A, and use its output

Setup: Adversary B receives tuple and for some

B must then answer queries from A for signatures

B prepares for each a list of values like this: Choose random . Choose random . Given calculate: . Store tuple ; all tuples with same make up

Slide37

The Reduction

Every time A queries the RO , B responds as follows:

Create initially empty table with entries

If is queried for the first time, B first makes up . Else, assume is already created

If there exists in an entry , return

If from list , then output and insert in an entry

Else, if not used in , choose random and output to A the value and store in

Remember A has signature queries

Slide38

Finishing the Reduction

Apart from RO queries, A can ask signature queries to the signing oracle

B has to respond to these queries

When A queries :

If does not have a corresponding , generate it

Else, pick the next value of in that list, see if there is a related entry in , output

If there is no such related entry, create one, and output the same thing

Slide39

Winning or Losing

Finally A outputs a forgery of the type:

If , abort

Else, if , find corresponding entry in and output (to B’s challenger):

Note: A outputs forgery on message not queried to signature oracle before. But he could have input to RO instead, got . Only way to get from is by guessing it: . Total probability it doesn’t happen:

Slide40

Random Oracles

Idealising hash function in a very useful way

Can get nice properties for key-exchange, encryption, signatures, and many other primitives

However, random oracles are a bit too ideal

We know that some primitives that are “secure” in the presence of random oracles are insecure no matter which hash function we use for our RO

Proofs in ROM:

Tricky bit is to program the RO: store queries, know what to answer

Alternative to ROM: standard model

Slide41

Full-Domain Hashing

Generalized beyond RSA by trapdoor permutations

Trapdoor permutations: Family of 1-way permutations with , such that are binary sets of arbitrary length. Includes algorithms such that:

: on input outputs tuple and trapdoor

: on input the key , this algorithm efficiently samples input

: on input and any , efficiently outputs

: on input , trapdoor and any , efficiently outputs inverse such that

Security: without trapdoor , hard to invert

Slide42

PKE as Trapdoor Permutation

Correspondence between a trapdoor permutation and PKE:

Algorithm (trapdoor permutation) corresponds to Algorithm (PKE)

Function (efficient to get ) corresponds to the Encryption algorithm

Inverse (easy with ) corresponds to the Decryption algorithm

Slide43

Generalized FDH

Take Trapdoor permutation

Take hash function

Key Generation: Run . Set: and

Signing: Compute , then do: . Signature is:

Verification: Do , then: . Output 1 iff.