Public Key Cryptography: Encryption, Signatures, FDH
The ROM, FDH, using the ROM
From previous lecture
Ciphers
Stream ciphers : many follow OTP + PRG strategy
Block ciphers : work on plaintext of limited size = block
output ciphertexts of same size
Modes of operation : used to encrypt longer messages
Hash functions
Basic properties : first/second preimage resistance, collision resistance
Can be used to construct primitives like
HMACs
Part I: Background
Divisors, Primes, GCD
Assume: positive integers
Division: “ divides ” iff . s.t. We write and say is a divisor of . Examples: , , etc.
Prime numbers: positive integers greater than only divisible by and themselves. 1 is not a prime number. Nor is 0.
Modular arithmetic: remainder of division s.t. with and . E.g.
Equivalence Classes, GCD
Equivalence: iff .
Equivalence classes: For instance
Common divisor: is common divisor of iff. and
Greatest common divisor: largest such
Finding GCD
If it holds that:
This is because if and , then
Why? Write , Then , so and
For any : if then
Hence Euclid’s algorithm, input :
1. if , then output
2. else, repeat procedure on input ()
Total complexity:
Extended GCD
Theorem: If , then is the smallest positive integer for which there exist integers such that:
If = 1, are called co-prime.
Extended GCD: Input Output:
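The two slides above (Euclid's algorithm and the extended GCD) as working code. This is an added example, not code from the lecture: it implements the recursion gcd(a, b) = gcd(b, a mod b), counts the division steps to make the logarithmic complexity visible, returns the Bezout coefficients u, v with d = u*a + v*b, and derives the modular inverse that exists exactly when the two inputs are co-prime. Function names are this example's own.

```python
# Added example: Euclid, extended Euclid and the modular inverse built from it.
# Plain integers only; no external libraries.

def gcd(a, b):
    """Euclid: gcd(a, b) = gcd(b, a mod b) until the remainder is 0."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a

def euclid_steps(a, b):
    """Number of division steps Euclid takes; it grows like log(min(a, b)).
    Consecutive Fibonacci numbers are the worst case."""
    steps = 0
    while b:
        a, b = b, a % b
        steps += 1
    return steps

def egcd(a, b):
    """Extended Euclid: returns (d, u, v) with d = gcd(a, b) = u*a + v*b.
    Iterative version: carry the coefficients of a and b along with the remainders."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v

def modinv(a, n):
    """Inverse of a modulo n; it exists iff gcd(a, n) == 1, i.e. a and n are co-prime.
    This is the step RSA key generation uses to get d from e."""
    d, u, _ = egcd(a, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {d}")
    return u % n
```

A useful check on the theorem: any positive integer of the form u*a + v*b is a multiple of gcd(a, b), so the gcd is the smallest such value.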
Groups
Set , operator such that:
Closure: it holds
Associativity: it holds
Identity element: s.t.:
Inverse element: s.t. :
( ) is an Abelian group iff: is a group
Example:
Another example:
Subgroups and Orders
Order of group : # elements in
Subgroup of : is a group
Theorem [Lagrange]: If is finite and subgroup of then divides
Cyclic Groups
Cyclic groups: of order is cyclic iff .
We call a generator of this group
Any element can be a generator
Theorem [Fermat’s little theorem]: If is a finite subgroup then it holds that ( n times)
Groups and subgroups we use
For a prime :
Integers modulo a prime, under multiplication mod p
Abelian (multiplication is commutative)
Variation: sometimes in ECC we use
For primes : () with
Cardinality: # of numbers co-prime with
Usually denoted by Euler’s function:
E.g.:
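The group facts from the last four slides (orders, subgroups, Lagrange, cyclic groups and generators, Fermat's little theorem, Euler's function) exercised on the multiplicative group of integers modulo a prime. This is an added example, not from the lecture; it uses p = 23 so that every claim can be checked by hand, and brute force for Euler's function, which is fine at toy size. Function names are this example's own.

```python
# Added example: the multiplicative group Z_p^* for a prime p, by brute force.
from math import gcd

def group_elements(p):
    """Z_p^* = {1, ..., p-1}; its order is p - 1."""
    return list(range(1, p))

def element_order(a, p):
    """Smallest k >= 1 with a^k = 1 mod p, i.e. the order of the subgroup <a>."""
    k, x = 1, a % p
    while x != 1:
        x = x * a % p
        k += 1
    return k

def generated_subgroup(a, p):
    """The cyclic subgroup <a> = {a, a^2, ..., 1} as a sorted list."""
    sub, x = set(), a % p
    while x not in sub:
        sub.add(x)
        x = x * a % p
    return sorted(sub)

def is_generator(a, p):
    """a generates all of Z_p^* iff its order equals the group order p - 1."""
    return element_order(a, p) == p - 1

def generators(p):
    """All generators of Z_p^*; there are phi(p - 1) of them."""
    return [a for a in group_elements(p) if is_generator(a, p)]

def lagrange_holds(p):
    """Lagrange: the order of every subgroup <a> divides the group order p - 1."""
    return all((p - 1) % element_order(a, p) == 0 for a in group_elements(p))

def fermat_holds(p):
    """Fermat's little theorem: a^(p-1) = 1 mod p for every a in Z_p^*."""
    return all(pow(a, p - 1, p) == 1 for a in group_elements(p))

def euler_phi(n):
    """Euler's function: how many integers in [1, n) are co-prime with n.
    For n = p*q with distinct primes this equals (p-1)*(q-1)."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)
```

For p = 23 the element 2 has order 11, so the squares form the subgroup of prime order 11 (the kind of subgroup El Gamal works in later), while 5 has order 22 and generates the whole group.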
Part II: Encryption Schemes
Public-Key Encryption
Syntax: algorithms ( ) such that:
: given security parameters, outputs tuple consisting of a private/public key
: given plaintext and public key, outputs ciphertext
: given ciphertext and secret key, outputs plaintext or error symbol
Diagram: KGen outputs pk and sk; Enc(pk; m) outputs c; Dec(sk; c) outputs m.
Public-Key Encryption
Correctness: For all tuples and for all plaintexts , it must hold that
Sometimes we degrade it to -correctness, in which the decryption fails with probability
IND-CPA: eavesdropper can’t tell even 1 bit of p-text
A wins iff.
El-Gamal Encryption
Before key-generation: setup
Pick primes such that
Group and cyclic subgroup of of prime order under the same operation
Generator of
Key generation: Secret key ; public key
Encryption of message : Pick , set
Decryption of : Set
Generic Messages
Message has to be in
What happens otherwise?
Could use , for (if , then the order of is not ; yet, the order of is ). Proof in TD
Encrypt instead of , take at decryption
Could also modify scheme a little bit, using a hash function:
Encryption:
Decryption:
We can prove security as long as the hash function preserves the pseudorandomness of
El-Gamal Security
Theorem: If there exists an adversary A who can break the IND-CPA security of the El Gamal scheme with probability ...
... then there exists an adversary B who can break the DDH assumption in group with probability such that:
Reminder: Hard problems based on DLog
Setup: Cyclic group of prime order , generator
DLog: Given , find ( and fully define )
CDH: Given find
DDH: Given find out whether or not
Note: If DLog is solved, then we can solve CDH
If we can solve CDH, then we can solve DDH
Proof
What does breaking DDH mean?
B plays a game against a challenger
Depending on a bit , B receives (if ) or , for
B must output a bit and wins iff.
Constructing B that uses A
Upon receiving tuple with or
B gives A:
A chooses and sends B messages
B chooses a bit , outputs , sends to A
A outputs and wins iff
B outputs
Analysis
Constructing B that uses A
Upon receiving tuple with or
B gives A:
A chooses and sends B messages
B chooses a bit , outputs , sends to A
A outputs and wins iff
B outputs
Analysis:
If b = 1, B got , which means A plays the true game: so A wins w.p.
If b = 0, B got , so A wins w.p.
Malleability
Malleability, to maul: Informally: ability to “re-shape” things
Not always bad – crucial in homomorphic crypto
Bad for IND-CCA
ElGamal is malleable:
Say we encrypt message with randomness
Now pick random
Maul ciphertext: ,
Then is an encryption of
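El Gamal as described on the setup, key generation, encryption and decryption slides, together with the "generic messages" problem and the malleability shown just above, all in one runnable example. This is added code, not from the lecture. It assumes the standard choices the slides only sketch: a safe prime p = 2q + 1 with the order-q subgroup of squares, a generator obtained by squaring a random element, and an encoding of messages in [1, q] into that subgroup (m if m is a square mod p, otherwise p - m; which of the two the slide intends is not stated, so treat the encoding as this example's assumption). The Miller-Rabin test and the safe-prime search are this example's own helpers; parameters are toy-sized so the search finishes quickly.

```python
# Added example: El Gamal in the prime-order subgroup of Z_p^*, p = 2q + 1,
# with message encoding and a demonstration of malleability.
import random

def is_probable_prime(n, rounds=16, rng=random.Random(1)):
    """Miller-Rabin; the rng is fixed so that runs are repeatable."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=48, seed=7):
    """Safe prime p = 2q + 1 and a generator g of the subgroup of order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), 2, p)   # squares mod p form the order-q subgroup
        if g != 1:
            return p, q, g

def keygen(p, q, g, rng):
    x = rng.randrange(1, q)              # secret key
    return x, pow(g, x, p)               # (sk, pk = g^x)

def encode(m, p, q):
    """Map m in [1, q] into the subgroup: m if m is a square mod p, else p - m.
    Exactly one of them is a square because p = 3 mod 4, so -1 is a non-square."""
    if not 1 <= m <= q:
        raise ValueError("message must lie in [1, q]")
    return m if pow(m, q, p) == 1 else p - m

def decode(e, p, q):
    return e if e <= q else p - e

def encrypt(m, pk, p, q, g, rng):
    r = rng.randrange(1, q)
    return pow(g, r, p), encode(m, p, q) * pow(pk, r, p) % p   # (g^r, M * pk^r)

def decrypt_raw(c, sk, p):
    c1, c2 = c
    return c2 * pow(c1, -sk, p) % p      # the group element, still encoded

def decrypt(c, sk, p, q):
    return decode(decrypt_raw(c, sk, p), p, q)

def maul(c, k, p):
    """Without any key, turn an encryption of M into an encryption of M * k."""
    c1, c2 = c
    return c1, c2 * k % p

def demo():
    p, q, g = setup()
    rng = random.Random(99)
    sk, pk = keygen(p, q, g, rng)
    m = 123456
    c = encrypt(m, pk, p, q, g, rng)
    k = pow(g, 5, p)                     # any subgroup element serves as the mauling factor
    mauled_is_scaled = decrypt_raw(maul(c, k, p), sk, p) == encode(m, p, q) * k % p
    return pow(g, q, p) == 1, decrypt(c, sk, p, q) == m, mauled_is_scaled
```

The last check in demo is the slide's point: the mauled ciphertext decrypts to a value related to the original message by a relation the mauler chose, which is exactly what an IND-CCA adversary exploits on the next slides. The decryption uses Python's negative modular exponent (3.8+) for the inverse of c1^x.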
IND-CPA vs IND-CCA
IND-CPA: eavesdropper can’t tell even 1 bit of p-text
A wins iff.
IND-CCA: even if we have power of decryption, can’t learn even 1 bit of fresh message
Same as before, but include Dec. oracle
A must not query challenge ciphertext to Dec.
Malleability and IND-CCA
Malleability informally means that one can use a relation on the input to induce a relation on the output.
Malleability usually implies the encryption scheme is not IND-CCA
Why?
Key to IND-CCA success: A cannot query the challenge ciphertext
Maul challenge ciphertext, then query it to Dec
Perform inverse transformation
IND-CCA encryption
Much harder to get than IND-CPA encryption
Must prevent malleability, so usually we would use something to verify the integrity of the message
Would using a hash function help?
: doesn’t work. Why not?
How about ? Could we use a PRF instead?
: security is ok, but why would we do PKE if we already had a shared key?
Part III: Signature Schemes
Digital signatures
Syntax: algorithms ( ) such that:
: given security parameters, outputs tuple consisting of a private/public key
: given plaintext and secret key, outputs signature
: given message, signature and public key, outputs a bit: if checks for , 0 otherwise
Diagram: KGen outputs pk and sk; Sign(sk; m) outputs s; Vf(pk; m, s) outputs 0/1.
Signature security
Correctness: For all tuples and for all messages , it must hold that
Sometimes we degrade it to -correctness, in which the verification of a signed message fails with probability
EUF-CMA: adversary can’t forge fresh signature
Store list of queries to Sign
A wins iff. and
RSA Signatures
RSA setup: Large primes , let
Subgroup of co-primes with , size
Work in subgroup
RSA signatures: KGen: Find such that and its inverse such that
Public key ; Secret key
Sign message :
Verify signature for message : Output 1 iff. and output 0 otherwise
Not EUF-CMA
No queries:
Pick random string
Compute
Output as forgery
Forgery with 2 queries: Want to forge signature for given message
Pick at random, ask signature:
Compute s.t. , get
Output
RSA Signature
Key Generation:
Sign:
Verify: ?
How to Get EUF-CMA
Use Hash functions, and sign hash of message
The Probabilistic Full-Domain-Hash RSA scheme:
Use a hash function
KGen: Obtain , set: ;
Sign: Choose random , compute , output signature:
Verification: receive , output iff.
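The three slides above (textbook RSA signatures, why they are not EUF-CMA, and hashing before signing) as one runnable example. This is added code, not from the lecture. It shows the zero-query existential forgery and the two-query forgery of a chosen message, both of which rely on the multiplicative structure of textbook RSA, and then that the same product of two hashed signatures is no longer a signature on any chosen message, because the hash breaks the relation between digests. The hash-into-Z_N step is SHA-256 reduced mod N, a simplification that stands in for a true full-domain hash; the salt of PFDH is omitted here. The primes are the Mersenne primes 2^31-1 and 2^61-1 (toy size); function names are this example's own.

```python
# Added example: textbook RSA signatures, the two forgeries from the slides,
# and the hash-then-sign variant that removes the algebraic structure they use.
import hashlib
import math

def rsa_keygen(p, q, e=65537):
    """Toy RSA key from two given primes: pk = (N, e), sk = (N, d), d = e^-1 mod phi(N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))

def sign_textbook(sk, m):
    n, d = sk
    return pow(m, d, n)                  # sigma = m^d mod N

def verify_textbook(pk, m, sigma):
    n, e = pk
    return pow(sigma, e, n) == m         # sigma^e == m mod N

def no_query_forgery(pk, sigma):
    """Any sigma is a valid signature on m = sigma^e mod N; no oracle needed,
    but the forger does not control which message m comes out."""
    n, e = pk
    return pow(sigma, e, n), sigma

def two_query_forgery(pk, sign_oracle, m, m1):
    """Forge a chosen m from signatures on m1 and m2 = m * m1^-1, because
    (m1 * m2)^d = m1^d * m2^d: the signing map is multiplicative."""
    n, _ = pk
    m2 = m * pow(m1, -1, n) % n
    return sign_oracle(m1) * sign_oracle(m2) % n

def hash_to_zn(m: bytes, n: int) -> int:
    """Toy full-domain hash: SHA-256 reduced mod N (a real FDH must cover Z_N)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sign_hashed(sk, m: bytes):
    return sign_textbook(sk, hash_to_zn(m, sk[0]))   # sign H(m) instead of m

def verify_hashed(pk, m: bytes, sigma):
    return verify_textbook(pk, hash_to_zn(m, pk[0]), sigma)

def demo():
    pk, sk = rsa_keygen(2**31 - 1, 2**61 - 1)   # Mersenne primes: toy size, real structure
    n, _ = pk
    oracle = lambda x: sign_textbook(sk, x)       # stand-in for the signing oracle
    # 1. no queries: any sigma is a valid signature on sigma^e
    m_forged, s = no_query_forgery(pk, 1234567)
    forgery_1 = verify_textbook(pk, m_forged, s)
    # 2. two queries: forge a chosen message via the multiplicative structure
    forgery_2 = verify_textbook(pk, 42, two_query_forgery(pk, oracle, 42, 99))
    # 3. hash-then-sign: the product of two signatures is a signature only on the
    #    digest H(m1)*H(m2), which (with overwhelming probability) is not H(target);
    #    to reuse the trick the forger would need a preimage of that product.
    target, m1, m2 = b"pay 1000", b"pay 10", b"pay 11"
    sigma = sign_hashed(sk, m1) * sign_hashed(sk, m2) % n
    return (forgery_1, forgery_2,
            verify_hashed(pk, m1, sign_hashed(sk, m1)),
            verify_hashed(pk, target, sigma))
```

The no-query forgery also goes through against the hashed scheme in the sense that (H, sigma) with H = sigma^e is a valid pair, but turning it into a forgery on an actual message requires a preimage of H under the hash, which is what the next slides' assumptions on the hash rule out.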
Security of PFDH-RSA
Assumptions on hash functions:
Collision-resistance sometimes suffices
However, proofs for signatures are hard to do relying just on collision resistance
Need a stronger assumption
Random oracles, the ROM:
Imagine an idealization of a hash function
Every time we query the idealization on a value , check RO has not been queried with before:
If so, output new uniformly random value of good length
Else output previously seen value for
RSA assumption
The RSA problem: Given an RSA instance, with public key , and given “ciphertext” , compute
The RSA assumption: The RSA problem is hard to solve for a PPT adversary
The strong RSA assumption: Allow adversary to choose exponent . Given , hard to output s.t.
Security of PFDH
Theorem: Take
In the random oracle model, if there exists an adversary A against the EUF-CMA of the PFDH scheme, making at most queries to and at most queries to , winning with probability …
Then there exists an adversary B that solves the RSA problem with probability
Programming a RO
Key observations:
A does not have much use submitting messages to Sign oracle without submitting them to Hashing RO first
Not entirely true, we would lose a guessing term here
A cannot output a meaningful forgery for a message without submitting it to Hashing RO first
Again, not entirely true, same considerations as before
A has no use querying the same message twice to the random oracle (since the RO always returns the same thing)
Security Proof for PFDH-RSA
Proof intuition:
The random oracle randomizes the messages to be signed; in fact, by choosing different values of we get different values of
Multiple related signatures per message: because of the RO, all hashes are different
Constructing the Reduction
Adversary B plays the RSA problem
It needs to simulate the EUF-CMA game to adversary A, and use its output
Setup: Adversary B receives tuple and for some
B must then answer queries from A for signatures
B prepares for each a list of values like this:
Choose random
Choose random
Given calculate:
Store tuple ; all tuples with same make up
The Reduction
Every time A queries the RO , B responds as follows:
Create initially empty table with entries
If is queried for the first time, B first makes up
Else, assume is already created
If there exists in an entry , return
If from list , then output and insert in an entry
Else, if not used in , choose random and output to A the value and store in
Remember A has signature queries
Finishing the Reduction
Apart from RO queries, A can ask signature queries to the signing oracle
B has to respond to these queries
When A queries :
If does not have a corresponding , generate it
Else, pick the next value of in that list, see if there is a related entry in , output
If there is no such related entry, create one, and output the same thing
Winning or Losing
Finally A outputs a forgery of the type:
If , abort
Else, if , find corresponding entry in and output (to B’s challenger):
Note: A outputs forgery on message not queried to signature oracle before
But he could have input to RO instead, got
Only way to get from is by guessing it:
Total probability it doesn’t happen:
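The random-oracle table from the "Security of PFDH-RSA" slide and the programmed oracle of the reduction (slides "Programming a RO" through "Winning or Losing") as one runnable simulation. This is added code, not from the lecture. B holds an RSA challenge (N, e, y) and no secret exponent; it answers each fresh hash query (m, r) with s^e mod N for an s it chooses, so that later it can hand s out as a valid signature, and it plants y at one guessed query so that a forgery on that entry is y^d. The scripted adversary in run_reduction computes its forgery with d, which exists here only because the example generated the key itself; its purpose is to exercise B's extraction step, not to model a real forger. Class and method names and the toy RSA parameters (Mersenne primes) are this example's own; the slides' per-message lists are collapsed into one table keyed by (m, r).

```python
# Added example: B simulates the EUF-CMA game for A by programming the random
# oracle, signs without d, and extracts an RSA inverse from A's forgery.
import random

P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # held by the challenger; B never reads it

class ReductionB:
    def __init__(self, n, e, y, target_index, rng):
        self.n, self.e, self.y = n, e, y
        self.target = target_index      # B's guess: which fresh H-query the forgery will use
        self.rng = rng
        self.table = {}                 # (m, r) -> (h, s); s is None for the planted entry
        self.fresh = 0                  # number of distinct (m, r) queried so far

    def hash_query(self, m, r):
        """The random oracle H(m, r) as A sees it: same input, same answer."""
        if (m, r) not in self.table:
            if self.fresh == self.target:
                self.table[(m, r)] = (self.y, None)                    # plant the challenge
            else:
                s = self.rng.randrange(1, self.n)
                self.table[(m, r)] = (pow(s, self.e, self.n), s)       # h = s^e, so s = h^d
            self.fresh += 1
        return self.table[(m, r)][0]

    def sign_query(self, m):
        """The signing oracle: B picks a fresh salt and returns the s it programmed.
        Uniform s gives uniform h = s^e, so A cannot tell this from a real oracle."""
        r = self.rng.getrandbits(64)
        self.hash_query(m, r)
        h, s = self.table[(m, r)]
        if s is None:
            raise RuntimeError("abort: A asked B to sign the planted entry")
        return r, s

    def extract(self, m, r, sigma):
        """Given a forgery (m, r, sigma) on the planted entry, return the e-th root of y."""
        h, _ = self.table.get((m, r), (None, None))
        if h != self.y or pow(sigma, self.e, self.n) != h:
            return None                 # not a valid forgery on the planted query
        return sigma

def pfdh_verify(n, e, h, sigma):
    return pow(sigma, e, n) == h

def run_reduction(seed=5):
    """Scripted adversary: two H-queries, two signing queries, then a forgery
    on the third fresh H-query, which B guessed and programmed to y."""
    rng = random.Random(seed)
    x = rng.randrange(1, N)
    y = pow(x, E, N)                    # the challenger's RSA instance: recover x from y
    b = ReductionB(N, E, y, target_index=2, rng=rng)
    b.hash_query("m1", 11)              # fresh query 0
    r1, s1 = b.sign_query("m1")         # fresh query 1 (B's own salt)
    h_star = b.hash_query("m*", 22)     # fresh query 2: programmed to y
    r2, s2 = b.sign_query("m2")         # fresh query 3
    sigs_verify = (pfdh_verify(N, E, b.hash_query("m1", r1), s1)
                   and pfdh_verify(N, E, b.hash_query("m2", r2), s2))
    sigma_star = pow(h_star, D, N)      # stand-in for A's forgery on ("m*", 22)
    return sigs_verify, b.extract("m*", 22, sigma_star) == x
```

The guess in target_index is where the probability loss in the theorem comes from: B only wins when the forgery lands on the planted entry and no signing query hits it, which is why the slides have B prepare more tuples per message than A has signature queries.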
Random Oracles
Idealising hash function in a very useful way
Can get nice properties for key-exchange, encryption, signatures, and many other primitives
However, random oracles are a bit too ideal
We know that some primitives that are “secure” in the presence of random oracles are insecure no matter which hash function we use for our RO
Proofs in ROM: Tricky bit is to program the RO: store queries, know what to answer
Alternative to ROM: standard model
Full-Domain Hashing
Generalized beyond RSA by trapdoor permutations
Trapdoor permutations: Family of 1-way permutations with , such that are binary sets of arbitrary length. Includes algorithms such that:
: on input outputs tuple and trapdoor
: on input the key , this algorithm efficiently samples input
: on input and any , efficiently outputs
: on input , trapdoor and any , efficiently outputs inverse such that
Security: without trapdoor , hard to invert
PKE as Trapdoor Permutation
Trapdoor permutation | PKE
Algorithm | Algorithm
Function : efficient to get | Encryption algorithm
Inverse easy with | Decryption algorithm
Generalized FDH
Take Trapdoor permutation
Take hash function
Key Generation: Run . Set: and
Signing: Compute , then do: Signature is:
Verification: Do , then: . Output 1 iff.
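The generalized FDH of the last three slides as code: an abstract trapdoor permutation exposing the four algorithms listed on the "Full-Domain Hashing" slide, the RSA instance, and FDH sign/verify written only against the interface. This is an added example, not from the lecture. The interface names, the extra to_domain method (which maps a hash digest into the permutation's domain; SHA-256 reduced mod N is a toy stand-in for a full-domain hash), and the toy Mersenne-prime parameters are this example's own.

```python
# Added example: generalized FDH over an abstract trapdoor permutation,
# instantiated with RSA.
import hashlib
import random

class TrapdoorPermutation:
    """Interface; a concrete subclass fills in the four algorithms plus to_domain."""
    def gen(self):
        """-> (key, trapdoor)"""
        raise NotImplementedError
    def sample(self, key, rng):
        """-> a uniformly random element of the domain of f_key"""
        raise NotImplementedError
    def evaluate(self, key, x):
        """-> f_key(x); easy with the key alone (this is Enc in the PKE view)"""
        raise NotImplementedError
    def invert(self, key, trapdoor, y):
        """-> x with f_key(x) == y; easy only with the trapdoor (Dec in the PKE view)"""
        raise NotImplementedError
    def to_domain(self, key, digest):
        """-> a domain element derived from a hash digest (bytes)"""
        raise NotImplementedError

class RSAPermutation(TrapdoorPermutation):
    """x -> x^e mod N on Z_N; the trapdoor is d = e^-1 mod phi(N)."""
    def __init__(self, p, q, e=65537):
        self.p, self.q, self.e = p, q, e
    def gen(self):
        n, phi = self.p * self.q, (self.p - 1) * (self.q - 1)
        return (n, self.e), pow(self.e, -1, phi)
    def sample(self, key, rng):
        return rng.randrange(1, key[0])
    def evaluate(self, key, x):
        n, e = key
        return pow(x, e, n)
    def invert(self, key, trapdoor, y):
        n, _ = key
        return pow(y, trapdoor, n)
    def to_domain(self, key, digest):
        return int.from_bytes(digest, "big") % key[0]   # toy full-domain hash

def fdh_keygen(tdp):
    key, trapdoor = tdp.gen()
    return key, (key, trapdoor)                    # pk, sk

def fdh_sign(tdp, sk, m: bytes):
    key, trapdoor = sk
    h = tdp.to_domain(key, hashlib.sha256(m).digest())
    return tdp.invert(key, trapdoor, h)            # sigma = f^-1(H(m))

def fdh_verify(tdp, pk, m: bytes, sigma):
    h = tdp.to_domain(pk, hashlib.sha256(m).digest())
    return tdp.evaluate(pk, sigma) == h            # f(sigma) == H(m)

def permutation_roundtrip(tdp, seed=3):
    """Sanity check on the instance: invert really undoes evaluate on a sampled element."""
    pk, sk = fdh_keygen(tdp)
    x = tdp.sample(pk, random.Random(seed))
    return tdp.invert(pk, sk[1], tdp.evaluate(pk, x)) == x
```

Swapping in another trapdoor permutation changes only the subclass; the signing and verification code is untouched, which is what "generalized beyond RSA" means on the slide.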