Slide 1
Public key encryption from Diffie-Hellman
The ElGamal Public-key System
Online Cryptography Course    Dan Boneh

Slide 2
Recap: public key encryption: (Gen, E, D)
  (figure) Gen outputs the key pair (pk, sk); E(pk, m) = c; D(sk, c) = m

Slide 3
Recap: public-key encryption applications
  Key exchange (e.g. in HTTPS)
  Encryption in non-interactive settings:
    Secure Email: Bob has Alice's pub-key and sends her an email
    Encrypted File Systems
  (figure) Bob writes the file as E(k_F, File) and stores the file key encrypted under each reader's public key: E(pk_A, K_F), E(pk_B, K_F). Alice reads the File by recovering K_F with sk_A.

Slide 4
Recap: public-key encryption applications
  Key exchange (e.g. in HTTPS)
  Encryption in non-interactive settings:
    Secure Email: Bob has Alice's pub-key and sends her an email
    Encrypted File Systems
    Key escrow: data recovery without Bob's key
  (figure) Bob writes E(k_F, File) together with E(pk_escrow, K_F) and E(pk_B, K_F). The Escrow Service can recover K_F, and hence the File, with sk_escrow.

Slide 5
Constructions
  This week: two families of public-key encryption schemes
    Previous lecture: based on trapdoor functions (such as RSA)
      Schemes: ISO standard, OAEP+, ...
    This lecture: based on the Diffie-Hellman protocol
      Schemes: ElGamal encryption and variants (e.g. used in GPG)
  Security goals: chosen ciphertext security

Slide 6
Review: the Diffie-Hellman protocol (1977)
  Fix a finite cyclic group G (e.g. G = (Z_p)^*) of order n
  Fix a generator g in G (i.e. G = {1, g, g^2, g^3, ..., g^(n-1)})
  Alice: choose random a in {1,...,n}; send A = g^a
  Bob:   choose random b in {1,...,n}; send B = g^b
  k_AB = g^(ab) = (g^a)^b = A^b = B^a = (g^b)^a

Slide 7
ElGamal: converting to pub-key enc. (1984)
  Fix a finite cyclic group G (e.g. G = (Z_p)^*) of order n
  Fix a generator g in G (i.e. G = {1, g, g^2, g^3, ..., g^(n-1)})
  Alice: choose random a in {1,...,n}; A = g^a, treated as a public key
  Bob:   choose random b in {1,...,n}; B = g^b
         compute g^(ab) = A^b, derive symmetric key k, encrypt message m with k
         ct = [ B , (m encrypted under k) ]

Slide 8
ElGamal: converting to pub-key enc. (1984)
  (same setup as Slide 7: A = g^a is Alice's public key; Bob picks b, sends B = g^b, computes g^(ab) = A^b, derives k and encrypts m with k; ct = [ B , (m encrypted under k) ])
  To decrypt: compute g^(ab) = B^a, derive k, and decrypt

Slide 9
The ElGamal system (a modern view)
  G: finite cyclic group of order n
  (E_s, D_s): symmetric auth. encryption defined over (K, M, C)
  H: G^2 ⟶ K a hash function
  We construct a pub-key enc. system (Gen, E, D):
  Key generation Gen:
    choose random generator g in G and random a in Z_n
    output sk = a, pk = (g, h = g^a)

Slide 10
The ElGamal system (a modern view)
  G: finite cyclic group of order n
  (E_s, D_s): symmetric auth. encryption defined over (K, M, C)
  H: G^2 ⟶ K a hash function
  E(pk = (g, h), m):
    b ⟵ Z_n, u ⟵ g^b, v ⟵ h^b
    k ⟵ H(u, v), c ⟵ E_s(k, m)
    output (u, c)
  D(sk = a, (u, c)):
    v ⟵ u^a
    k ⟵ H(u, v), m ⟵ D_s(k, c)
    output m
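The following is an added worked example, not code from the course: it implements the (Gen, E, D) of Slides 9-10 on top of the Diffie-Hellman exchange of Slide 6, using only the Python standard library. Everything concrete in it is an assumption chosen for the example: the group is the order-q subgroup of (Z_p)^* for the tiny safe prime p = 1019 (q = 509), H is SHA-256 over the encoding of (u, v), and (E_s, D_s) is an encrypt-then-MAC stand-in (SHA-256 keystream plus HMAC-SHA256) for a real authenticated cipher; the function names gen, encrypt, decrypt, Es, Ds and H are mine.

```python
# Added example (not from the lecture): hashed ElGamal in the "modern view" of
# Slides 9-10. All parameters below are constructed toy values, not a real
# parameter set: p = 2q + 1 with p = 1019, q = 509 (real deployments use a
# 2048-bit+ group or an elliptic curve).
import hashlib
import hmac
import secrets

P, Q = 1019, 509          # p = 2q + 1, both prime (constructed toy parameters)


def _enc(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element for hashing."""
    return x.to_bytes((P.bit_length() + 7) // 8, "big")


def H(u: int, v: int) -> bytes:
    """H: G^2 -> K, instantiated here as SHA-256 over (u, v); K = 32-byte keys."""
    return hashlib.sha256(b"elgamal-kdf|" + _enc(u) + _enc(v)).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: the toy stream cipher inside Es/Ds."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def Es(k: bytes, m: bytes) -> bytes:
    """Stand-in for authenticated encryption: XOR keystream, then HMAC tag (encrypt-then-MAC)."""
    k_enc, k_mac = k[:16], k[16:]
    ct = bytes(a ^ b for a, b in zip(m, _keystream(k_enc, len(m))))
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()


def Ds(k: bytes, c: bytes):
    """Returns the plaintext, or None when the tag does not verify (ciphertext integrity)."""
    k_enc, k_mac = k[:16], k[16:]
    ct, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, len(ct))))


def gen():
    """Gen: random generator g of the order-q subgroup, random a; pk = (g, h = g^a), sk = a."""
    r = secrets.randbelow(P - 3) + 2   # r in [2, p-2], so r^2 != 1
    g = pow(r, 2, P)                   # a square of (Z_p)^* lies in the prime-order-q subgroup
    a = secrets.randbelow(Q - 1) + 1   # a in [1, q-1]; the slides allow 0, skipped here as degenerate
    return (g, pow(g, a, P)), a


def encrypt(pk, m: bytes):
    """E(pk, m): b <- Z_q, u <- g^b, v <- h^b, k <- H(u, v), c <- Es(k, m); output (u, c)."""
    g, h = pk
    b = secrets.randbelow(Q - 1) + 1
    u = pow(g, b, P)                   # the sender's Diffie-Hellman message g^b
    v = pow(h, b, P)                   # the shared DH value g^(ab), never transmitted
    return u, Es(H(u, v), m)


def decrypt(sk, ct):
    """D(sk, (u, c)): v <- u^a, k <- H(u, v), m <- Ds(k, c)."""
    u, c = ct
    v = pow(u, sk, P)                  # recovers g^(ab) from the other side's u
    return Ds(H(u, v), c)


if __name__ == "__main__":
    pk, sk = gen()
    u, c = encrypt(pk, b"attack at dawn")
    print(decrypt(sk, (u, c)))         # b'attack at dawn'
```

The ciphertext (u, c) is exactly Slide 7's [B, encrypted m] with B renamed u; the rejection path in Ds (returning None on a bad tag) is the authenticated-encryption property the later CCA theorems rely on, and it is why a receiver must never act on the output before the tag check passes.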

Slide 11
ElGamal performance
  E(pk = (g, h), m):  b ⟵ Z_n, u ⟵ g^b, v ⟵ h^b
    Encryption: 2 exp. (fixed basis)
    Can pre-compute [ g^(2^i), h^(2^i) for i = 1, ..., log2 n ]
    3x speed-up (or more)
  D(sk = a, (u, c)):  v ⟵ u^a
    Decryption: 1 exp. (variable basis)
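As an added example (mine, not the course's code) of the fixed-base trick on this slide: the tables [g^(2^i)] and [h^(2^i)] are built once per public key, after which g^b costs one multiplication per set bit of b and no squarings, while decryption's u^a has a fresh base and must run ordinary square-and-multiply. The group constants P, Q, G and the function names are constructed for the example; both exponentiation routines return an operation count so the difference is measurable.

```python
# Added example (not from the lecture): fixed-base exponentiation with the
# precomputed tables of Slide 11. Toy group constructed for the example:
# p = 1019, q = 509, g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def precompute(base: int, n: int, p: int) -> list:
    """One-time table T[i] = base^(2^i) mod p for i = 0 .. bit_length(n)-1."""
    table, x = [], base % p
    for _ in range(n.bit_length()):
        table.append(x)
        x = x * x % p                  # next power of two in the exponent
    return table


def fixed_base_pow(table: list, e: int, p: int) -> tuple:
    """base^e mod p from the table: multiply T[i] for each set bit i of e.
    Returns (value, number of modular multiplications)."""
    result, ops, i = 1, 0, 0
    while e:
        if e & 1:
            result = result * table[i] % p
            ops += 1
        e >>= 1
        i += 1
    return result, ops


def square_and_multiply(base: int, e: int, p: int) -> tuple:
    """Variable-base left-to-right square-and-multiply (what decryption must do).
    Returns (value, number of modular multiplications including squarings)."""
    result, ops = 1, 0
    for bit in bin(e)[2:]:
        result = result * result % p
        ops += 1
        if bit == "1":
            result = result * base % p
            ops += 1
    return result, ops


def make_tables(g: int, h: int) -> dict:
    """Per-public-key tables for the two fixed bases g and h = g^a."""
    return {"g": precompute(g, Q, P), "h": precompute(h, Q, P)}


def elgamal_encrypt_core(tables: dict, b: int) -> tuple:
    """(u, v) = (g^b, h^b) as computed inside E(pk, m); returns ((u, v), total multiplications)."""
    u, ops_u = fixed_base_pow(tables["g"], b, P)
    v, ops_v = fixed_base_pow(tables["h"], b, P)
    return (u, v), ops_u + ops_v


if __name__ == "__main__":
    h = pow(G, 7, P)                   # some public key h = g^a with a = 7
    (u, v), ops = elgamal_encrypt_core(make_tables(G, h), 300)
    print(u, v, ops, square_and_multiply(G, 300, P)[1])
```

For a random b roughly half the bits are set, so the table method averages about 0.5·log2(n) multiplications against about 1.5·log2(n) for square-and-multiply, which is the 3x figure on the slide; the table itself costs log2(n) squarings but is amortised over every encryption under that key.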

Slide 12
End of Segment
  Next step: why is this system chosen ciphertext secure? under what assumptions?

Slide 13
Public key encryption from Diffie-Hellman
ElGamal Security
Online Cryptography Course    Dan Boneh

Slide 14
Computational Diffie-Hellman Assumption
  G: finite cyclic group of order n
  Comp. DH (CDH) assumption holds in G if:  g, g^a, g^b ⇏ g^(ab)
  for all efficient algs. A:
    Pr[ A(g, g^a, g^b) = g^(ab) ] < negligible
  where g ⟵ {generators of G}, a, b ⟵ Z_n

Slide 15
Hash Diffie-Hellman Assumption
  G: finite cyclic group of order n, H: G^2 ⟶ K a hash function
  Def: Hash-DH (HDH) assumption holds for (G, H) if:
    (g, g^a, g^b, H(g^b, g^(ab))) ≈p (g, g^a, g^b, R)
  where g ⟵ {generators of G}, a, b ⟵ Z_n, R ⟵ K
  H acts as an extractor: strange distribution on G^2 ⇒ uniform on K

Slide 16
Suppose K = {0,1}^128 and H: G^2 ⟶ K only outputs strings in K that begin with 0 (i.e. for all x, y: msb(H(x,y)) = 0)
  Can Hash-DH hold for (G, H)?
    Yes, for some groups G
    No, Hash-DH is easy to break in this case
    Yes, Hash-DH is always true for such H

Slide 17
ElGamal is sem. secure under Hash-DH
  KeyGen: g ⟵ {generators of G}, a ⟵ Z_n
    output pk = (g, h = g^a), sk = a
  E(pk = (g, h), m):
    b ⟵ Z_n
    k ⟵ H(g^b, h^b), c ⟵ E_s(k, m)
    output (g^b, c)
  D(sk = a, (u, c)):
    k ⟵ H(u, u^a), m ⟵ D_s(k, c)
    output m

Slide 18
ElGamal is sem. secure under Hash-DH
  (figure: four challenger/adversary games; in every game chal. runs KeyGen, sends pk = (g, g^a) to adv. A, A sends m_0, m_1, receives the challenge ciphertext and outputs b' ≟ 1)
  Game 1: challenge = ( g^b, E_s(H(g^b, g^(ab)), m_0) )
    ≈p  by Hash-DH: H(g^b, g^(ab)) is replaced by k ⟵ K
  Game 2: challenge = ( g^b, E_s(k, m_0) ) with k ⟵ K
    ≈p  the symmetric key k is now independent of the public values
  Game 3: challenge = ( g^b, E_s(k, m_1) ) with k ⟵ K
    ≈p  by Hash-DH: k ⟵ K is replaced back by H(g^b, g^(ab))
  Game 4: challenge = ( g^b, E_s(H(g^b, g^(ab)), m_1) )
  Hence Game 1 ≈p Game 4, i.e. encryptions of m_0 and m_1 are indistinguishable.

Slide 19
ElGamal chosen ciphertext security?
  To prove chosen ciphertext security need stronger assumption
  Interactive Diffie-Hellman (IDH) in group G:
    Chal.: g ⟵ {gen}, a, b ⟵ Z_n; sends g, h = g^a, u = g^b to Adv. A
    Adv. A may query (u_1, v_1); Chal. answers 1 if (u_1)^a = v_1, 0 otherwise
    Adv. A outputs v; wins if v = g^(ab)
  IDH holds in G if:
    ∀ efficient A: Pr[ A outputs g^(ab) ] < negligible

Slide 20
ElGamal chosen ciphertext security?
  Security Theorem: If IDH holds in the group G, (E_s, D_s) provides auth. enc. and H: G^2 ⟶ K is a "random oracle" then ElGamal is CCA_ro secure.
  Questions:
    (1) can we prove CCA security based on CDH?
    (2) can we prove CCA security without random oracles?

Slide 21
End of Segment

Slide 22
Public key encryption from Diffie-Hellman
ElGamal Variants With Better Security
Online Cryptography Course    Dan Boneh

Slide 23
Review: ElGamal encryption
  KeyGen: g ⟵ {generators of G}, a ⟵ Z_n
    output pk = (g, h = g^a), sk = a
  E(pk = (g, h), m):
    b ⟵ Z_n
    k ⟵ H(g^b, h^b), c ⟵ E_s(k, m)
    output (g^b, c)
  D(sk = a, (u, c)):
    k ⟵ H(u, u^a), m ⟵ D_s(k, c)
    output m

Slide 24
ElGamal chosen ciphertext security
  Security Theorem: If IDH holds in the group G, (E_s, D_s) provides auth. enc. and H: G^2 ⟶ K is a "random oracle" then ElGamal is CCA_ro secure.
  Can we prove CCA security based on CDH (g, g^a, g^b ↛ g^(ab))?
    Option 1: use group G where CDH = IDH (a.k.a. bilinear group)
    Option 2: change the ElGamal system

Slide 25
Variants: twin ElGamal [CKS'08]
  KeyGen: g ⟵ {generators of G}, a_1, a_2 ⟵ Z_n
    output pk = (g, h_1 = g^(a_1), h_2 = g^(a_2)), sk = (a_1, a_2)
  E(pk = (g, h_1, h_2), m):
    b ⟵ Z_n
    k ⟵ H(g^b, h_1^b, h_2^b)
    c ⟵ E_s(k, m)
    output (g^b, c)
  D(sk = (a_1, a_2), (u, c)):
    k ⟵ H(u, u^(a_1), u^(a_2))
    m ⟵ D_s(k, c)
    output m
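As an added example (written for these notes, not taken from [CKS'08] or the course), here is the key-derivation half of twin ElGamal from this slide as an encapsulation/decapsulation pair, so the extra exponentiation on each side is visible. The symmetric part (E_s, D_s) is unchanged from plain ElGamal and is left out; the toy group p = 1019, q = 509, the hash H: G^3 ⟶ K as SHA-256 over (u, v_1, v_2), and the names keygen, encaps, decaps and H3 are all assumptions of the example.

```python
# Added example (not from the lecture): twin ElGamal key derivation, Slide 25.
# Toy parameters constructed for the example: p = 2q + 1 = 1019, q = 509.
import hashlib
import secrets

P, Q = 1019, 509


def _enc(x: int) -> bytes:
    """Fixed-width encoding of a group element for hashing."""
    return x.to_bytes((P.bit_length() + 7) // 8, "big")


def H3(u: int, v1: int, v2: int) -> bytes:
    """H: G^3 -> K, instantiated as SHA-256 over the three group elements."""
    return hashlib.sha256(b"twin-elgamal-kdf|" + _enc(u) + _enc(v1) + _enc(v2)).digest()


def keygen():
    """pk = (g, h1 = g^a1, h2 = g^a2), sk = (a1, a2)."""
    g = pow(secrets.randbelow(P - 3) + 2, 2, P)     # random generator of the order-q subgroup
    a1 = secrets.randbelow(Q - 1) + 1
    a2 = secrets.randbelow(Q - 1) + 1
    return (g, pow(g, a1, P), pow(g, a2, P)), (a1, a2)


def encaps(pk, b: int = None) -> tuple:
    """Sender side of E: b <- Z_q, u = g^b, k = H(u, h1^b, h2^b).
    Returns (u, k, number of exponentiations)."""
    g, h1, h2 = pk
    if b is None:
        b = secrets.randbelow(Q - 1) + 1
    u = pow(g, b, P)
    k = H3(u, pow(h1, b, P), pow(h2, b, P))
    return u, k, 3                    # plain ElGamal needs 2 here


def decaps(sk, u: int) -> tuple:
    """Receiver side of D: k = H(u, u^a1, u^a2). Returns (k, number of exponentiations)."""
    a1, a2 = sk
    return H3(u, pow(u, a1, P), pow(u, a2, P)), 2   # plain ElGamal needs 1 here


if __name__ == "__main__":
    pk, sk = keygen()
    u, k, _ = encaps(pk)
    print(k == decaps(sk, u)[0])      # True
```

The receiver derives k from u alone; because H also binds u^(a_1) and u^(a_2) into the key, any change to u by a third party yields an unrelated k, so the subsequent D_s fails on the tag. This is the behaviour the CDH-based theorem on the next slide depends on.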

Slide 26
Chosen ciphertext security
  Security Theorem: If CDH holds in the group G, (E_s, D_s) provides auth. enc. and H: G^3 ⟶ K is a "random oracle" then twin ElGamal is CCA_ro secure.
  Cost: one more exponentiation during enc/dec
  Is it worth it? No one knows ...

Slide 27
ElGamal security w/o random oracles?
  Can we prove CCA security without random oracles?
    Option 1: use Hash-DH assumption in "bilinear groups"
      Special elliptic curve with more structure [CHK'04 + BB'04]
    Option 2: use Decision-DH assumption in any group [CS'98]

Slide 28
Further Reading
  The Decision Diffie-Hellman problem. D. Boneh, ANTS 3, 1998
  Universal hash proofs and a paradigm for chosen ciphertext secure public key encryption. R. Cramer and V. Shoup, Eurocrypt 2002
  Chosen-ciphertext security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi, and J. Katz, SICOMP 2007
  The Twin Diffie-Hellman problem and applications. D. Cash, E. Kiltz, V. Shoup, Eurocrypt 2008
  Efficient chosen-ciphertext security via extractable hash proofs. H. Wee, Crypto 2010

Slide 29
Public key encryption from Diffie-Hellman
A Unifying Theme
Online Cryptography Course    Dan Boneh

Slide 30
One-way functions (informal)
  A function f: X ⟶ Y is one-way if
    There is an efficient algorithm to evaluate f(⋅), but
    Inverting f is hard: for all efficient A and x ⟵ X: Pr[ A(f(x)) ] < negligible
  Functions that are not one-way: f(x) = x, f(x) = 0

Slide 31
Ex. 1: generic one-way functions
  Let f: X ⟶ Y be a secure PRG (where |Y| ≫ |X|) (e.g. f built using det. counter mode)
  Lemma: f a secure PRG ⇒ f is one-way
  Proof sketch: A inverts f ⇒ B(y) = is a distinguisher
  Generic: no special properties. Difficult to use for key exchange.

Slide 32
Ex. 2: The DLOG one-way function
  Fix a finite cyclic group G (e.g. G = (Z_p)^*) of order n
  g: a random generator in G (i.e. G = {1, g, g^2, g^3, ..., g^(n-1)})
  Define: f: Z_n ⟶ G as f(x) = g^x ∈ G
  Lemma: Dlog hard in G ⇒ f is one-way
  Properties: f(x), f(y) ⇒ f(x+y) = f(x) ⋅ f(y) ⇒ key-exchange and public-key encryption

Slide 33
Ex. 3: The RSA one-way function
  choose random primes p, q 1024 bits. Set N = pq.
  choose integers e, d s.t. e⋅d = 1 (mod (N))
  Define: f: as f(x) = x^e in
  Lemma: f is one-way under the RSA assumption
  Properties: f(x⋅y) = f(x) ⋅ f(y) and f has a trapdoor
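An added example (mine, not the course's) that exercises the two structured one-way functions of Slides 32 and 33 and the properties listed for them: the additive homomorphism of f(x) = g^x and the way Diffie-Hellman uses it, and the multiplicative homomorphism plus trapdoor of f(x) = x^e mod N. Every parameter is a toy value constructed for the example (a 10-bit prime p for the DLOG group and the textbook RSA modulus N = 61·53), so nothing here is a secure size; the function names are also mine.

```python
# Added example (not from the lecture): DLOG and RSA one-way functions with
# their homomorphic properties. Constructed toy parameters only.
P, Q, G = 1019, 509, 4                   # G = <4> has prime order q in (Z_p)^*


def f_dlog(x: int) -> int:
    """f: Z_q -> G, f(x) = g^x. One-way if discrete log is hard in G."""
    return pow(G, x % Q, P)


def dlog_is_homomorphic(x: int, y: int) -> bool:
    """Slide 32: f(x + y) = f(x) * f(y)."""
    return f_dlog(x + y) == f_dlog(x) * f_dlog(y) % P


def dlog_key_exchange(a: int, b: int) -> int:
    """The homomorphism is what Diffie-Hellman uses: f(a)^b = f(ab) = f(b)^a."""
    k_alice = pow(f_dlog(b), a, P)       # Alice holds a and receives f(b) = g^b
    k_bob = pow(f_dlog(a), b, P)         # Bob holds b and receives f(a) = g^a
    assert k_alice == k_bob == f_dlog(a * b)
    return k_alice


# Textbook RSA parameters (constructed): p = 61, q = 53, N = 3233, phi(N) = 3120, e = 17.
RSA_P, RSA_Q, RSA_E = 61, 53, 17
RSA_N = RSA_P * RSA_Q
RSA_PHI = (RSA_P - 1) * (RSA_Q - 1)
RSA_D = pow(RSA_E, -1, RSA_PHI)          # the trapdoor: d = e^-1 mod phi(N) (Python >= 3.8)


def f_rsa(x: int) -> int:
    """f: Z_N -> Z_N, f(x) = x^e mod N. One-way under the RSA assumption."""
    return pow(x, RSA_E, RSA_N)


def rsa_is_homomorphic(x: int, y: int) -> bool:
    """Slide 33: f(x * y) = f(x) * f(y) (mod N)."""
    return f_rsa(x * y % RSA_N) == f_rsa(x) * f_rsa(y) % RSA_N


def rsa_invert(y: int) -> int:
    """Inverting f is easy only with the trapdoor d: (x^e)^d = x mod N."""
    return pow(y, RSA_D, RSA_N)


if __name__ == "__main__":
    print(dlog_is_homomorphic(123, 456), dlog_key_exchange(12, 34))
    print(f_rsa(65), rsa_invert(f_rsa(65)))   # 2790 65
```

The asymmetry the Summary slide points to is visible in the last two functions: f_rsa needs only the public (e, N), while rsa_invert needs d, which is computable only from phi(N), i.e. from the factorisation. The DLOG function has no such trapdoor, which is why it yields key exchange and ElGamal-style encryption rather than an RSA-style trapdoor scheme.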

Slide 34
Summary
  Public key encryption: made possible by one-way functions with special properties
    homomorphic properties and trapdoors

Slide 35
End of Segment

Slide 36
Farewell (for now)
Online Cryptography Course    Dan Boneh

Slide 37
Quick Review: primitives
  (diagram of the course's primitives and the constructions between them)
  PRG; PRF, PRP; MAC
  GGM; CTR; CMAC, HMAC; PMAC
  Collision resistance
  Key exchange; Trapdoor Functions; Public key encryption; Diffie-Hellman groups

Slide 38
Quick Review: primitives
  To protect non-secret data (data integrity):
    using small read-only storage: use collision resistant hash
    no read-only space: use MAC ... requires secret key
  To protect sensitive data: only use authenticated encryption
    (eavesdropping security by itself is insufficient)
  Session setup:
    Interactive settings: use authenticated key-exchange protocol
    When no interaction allowed: use public-key encryption

Slide 39
Remaining Core Topics (part II)
  Digital signatures and certificates
  Authenticated key exchange
  User authentication: passwords, one-time passwords, challenge-response
  Privacy mechanisms
  Zero-knowledge protocols

Slide 40
Many more topics to cover ...
  Elliptic Curve Crypto
  Quantum computing
  New key management paradigms: identity based encryption and functional encryption
  Anonymous digital cash
  Private voting and auction systems
  Computing on ciphertexts: fully homomorphic encryption
  Lattice-based crypto
  Two party and multi-party computation

Slide 41
Final Words
  Be careful when using crypto:
    A tremendous tool, but if incorrectly implemented: system will work, but may be easily attacked
    Make sure to have others review your designs and code
    Don't invent your own ciphers or modes

Slide 42
End of part I