Slide 1: Public key encryption from Diffie-Hellman
The ElGamal Public-key System
Online Cryptography Course, Dan Boneh

Slide 2: Recap: public key encryption: (Gen, E, D)

Gen ⟶ (pk, sk)
E(pk, m) ⟶ c
D(sk, c) ⟶ m

Slide 3: Recap: public-key encryption applications
- Key exchange (e.g. in HTTPS)
- Encryption in non-interactive settings:
  - Secure Email: Bob has Alice’s pub-key and sends her an email
  - Encrypted File Systems

Encrypted file system: Bob writes E(kF, File) together with E(pkA, kF) and E(pkB, kF); Alice reads File using skA.

Slide 4: Recap: public-key encryption applications
- Key exchange (e.g. in HTTPS)
- Encryption in non-interactive settings:
  - Secure Email: Bob has Alice’s pub-key and sends her an email
  - Encrypted File Systems
  - Key escrow: data recovery without Bob’s key

Key escrow: Bob writes E(kF, File) together with E(pkescrow, kF) and E(pkB, kF); the Escrow Service recovers kF, and hence File, using skescrow.

Slide 5: Constructions
This week: two families of public-key encryption schemes
- Previous lecture: based on trapdoor functions (such as RSA). Schemes: ISO standard, OAEP+, …
- This lecture: based on the Diffie-Hellman protocol. Schemes: ElGamal encryption and variants (e.g. used in GPG)

Security goals: chosen ciphertext security

Slide 6: Review: the Diffie-Hellman protocol (1977)
Fix a finite cyclic group G (e.g. G = (Zp)*) of order n
Fix a generator g in G (i.e. G = {1, g, g^2, g^3, …, g^(n-1)})

Alice: choose random a in {1,…,n}; send A = g^a to Bob
Bob: choose random b in {1,…,n}; send B = g^b to Alice
Shared key: kAB = g^(ab) = (g^a)^b = A^b = B^a = (g^b)^a

Slide 7: ElGamal: converting to pub-key enc. (1984)
Fix a finite cyclic group G (e.g. G = (Zp)*) of order n
Fix a generator g in G (i.e. G = {1, g, g^2, g^3, …, g^(n-1)})

Alice: choose random a in {1,…,n}; A = g^a. Treat A as a public key.
Bob: choose random b in {1,…,n}; B = g^b;
  compute g^(ab) = A^b, derive symmetric key k, encrypt message m with k;
  ciphertext ct = [B, c], where c is the encryption of m under k

Slide 8: ElGamal: converting to pub-key enc. (1984)
Fix a finite cyclic group G (e.g. G = (Zp)*) of order n
Fix a generator g in G (i.e. G = {1, g, g^2, g^3, …, g^(n-1)})

Alice: choose random a in {1,…,n}; A = g^a. Treat A as a public key.
Bob: choose random b in {1,…,n}; B = g^b;
  compute g^(ab) = A^b, derive symmetric key k, encrypt message m with k;
  ciphertext ct = [B, c], where c is the encryption of m under k

To decrypt: compute g^(ab) = B^a, derive k, and decrypt

Slide 9: The ElGamal system (a modern view)
G: finite cyclic group of order n
(Es, Ds): symmetric auth. encryption defined over (K, M, C)
H: G^2 ⟶ K a hash function

We construct a pub-key enc. system (Gen, E, D):
Key generation Gen: choose random generator g in G and random a in Zn; output sk = a, pk = (g, h = g^a)

Slide 10: The ElGamal system (a modern view)
E(pk = (g, h), m):  b ⟵ Zn, u ⟵ g^b, v ⟵ h^b;  k ⟵ H(u, v), c ⟵ Es(k, m);  output (u, c)
D(sk = a, (u, c)):  v ⟵ u^a;  k ⟵ H(u, v), m ⟵ Ds(k, c);  output m

G: finite cyclic group of order n
(Es, Ds): symmetric auth. encryption defined over (K, M, C)
H: G^2 ⟶ K a hash function
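The (Gen, E, D) system just described, and the Diffie-Hellman value g^(ab) that both sides compute, as a runnable example. This is added code, not the course's: the group G is the order-q subgroup of (Zp)* for a toy safe prime p = 2q + 1 (far too small for real use), H is SHA-256 over the encoded pair (u, v), and (Es, Ds) is a toy encrypt-then-MAC scheme (SHA-256 keystream plus HMAC-SHA256 tag) standing in for a real authenticated cipher such as AES-GCM. All of those choices are assumptions of this example.

```python
# Added example, not the course's code: the ElGamal system (Gen, E, D) of the
# "modern view". The toy group, the choice of SHA-256 as H and the toy
# encrypt-then-MAC (Es, Ds) are all assumptions of this example.
import hashlib
import hmac
import secrets

P = 1019            # toy safe prime p = 2q + 1 (constructed for this example)
Q = (P - 1) // 2    # q = 509, prime; this is the order n of the subgroup G

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

assert _is_prime(P) and _is_prime(Q)

def _enc(x):
    """Fixed-width encoding of a group element, so H(u, v) is unambiguous."""
    return x.to_bytes(2, "big")

def H(u, v):
    """H: G^2 -> K, with K = 32-byte keys."""
    return hashlib.sha256(b"elgamal-kdf" + _enc(u) + _enc(v)).digest()

# --- toy symmetric authenticated encryption (Es, Ds): encrypt-then-MAC ---
def _keystream(k, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(k + b"stream" + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def Es(k, m):
    ct = bytes(x ^ y for x, y in zip(m, _keystream(k, len(m))))
    tag = hmac.new(k, b"mac" + ct, hashlib.sha256).digest()
    return ct + tag

def Ds(k, c):
    """Returns m, or None when the tag fails: rejecting modified ciphertexts is
    what makes (Es, Ds) authenticated encryption rather than plain encryption."""
    ct, tag = c[:-32], c[-32:]
    expected = hmac.new(k, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(x ^ y for x, y in zip(ct, _keystream(k, len(ct))))

# --- the public-key system (Gen, E, D) ---
def Gen():
    """Random generator g of G and random a; sk = a, pk = (g, h = g^a)."""
    g = pow(secrets.randbelow(P - 3) + 2, 2, P)   # square of an element in [2, p-2]: order q, never 1
    a = secrets.randbelow(Q - 1) + 1               # a in [1, q-1]; a = 0 would give h = 1
    return (g, pow(g, a, P)), a

def E(pk, m):
    g, h = pk
    b = secrets.randbelow(Q - 1) + 1   # fresh b for every encryption
    u = pow(g, b, P)                   # u = g^b
    v = pow(h, b, P)                   # v = h^b = g^(ab), the Diffie-Hellman value
    return u, Es(H(u, v), m)           # ciphertext (u, c)

def D(sk, ct):
    u, c = ct
    v = pow(u, sk, P)                  # v = u^a = g^(ab), the same value from the other side
    return Ds(H(u, v), c)

def roundtrip(m):
    pk, sk = Gen()
    return D(sk, E(pk, m))

def tamper_detected(m):
    """Flip one bit of c: Ds must reject, so D returns None."""
    pk, sk = Gen()
    u, c = E(pk, m)
    return D(sk, (u, bytes([c[0] ^ 1]) + c[1:])) is None
```

Encryption computes g^(ab) as h^b and decryption computes it as u^a; the two meet only through H, which is why the later security slides reason about H(g^b, g^(ab)) rather than about g^(ab) itself.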

Slide 11: ElGamal performance
Encryption: 2 exp. (fixed basis)
  Can pre-compute [g^(2^i), h^(2^i) for i = 1,…,log2 n]
  3x speed-up (or more)
Decryption: 1 exp. (variable basis)

E(pk = (g, h), m):  b ⟵ Zn, u ⟵ g^b, v ⟵ h^b
D(sk = a, (u, c)):  v ⟵ u^a
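The fixed-base trick behind the pre-computation line above, as an added example that is not part of the course material. The table base^(2^i) is built once per public key; afterwards each g^b or h^b is a product of the table entries selected by the bits of b, with no squarings at encryption time, whereas the decryptor's u^a has a fresh base every time and must square-and-multiply. The toy group (p, q, g) and the multiplication counters are assumptions of this example.

```python
# Added example, not from the course: fixed-base exponentiation from a
# precomputed table versus variable-base square-and-multiply.
P, Q, G = 1019, 509, 4   # toy safe prime p = 2q + 1 and a generator of the order-q subgroup (constructed)

def precompute(base, p, nbits):
    """table[i] = base^(2^i) mod p for i = 0..nbits-1, built once with nbits-1 squarings."""
    table = [base % p]
    for _ in range(nbits - 1):
        table.append(table[-1] * table[-1] % p)
    return table

def fixed_base_pow(table, b, p):
    """base^b from the table: one multiplication per set bit of b. Returns (value, mults)."""
    acc, mults = 1, 0
    for i, bit in enumerate(reversed(bin(b)[2:])):   # least significant bit first
        if bit == "1":
            acc = acc * table[i] % p
            mults += 1
    return acc, mults

def square_and_multiply(base, b, p):
    """Variable-base exponentiation, as decryption must do for u^a. Returns (value, mults)."""
    acc, mults = 1, 0
    for bit in bin(b)[2:]:           # most significant bit first
        acc = acc * acc % p
        mults += 1
        if bit == "1":
            acc = acc * base % p
            mults += 1
    return acc, mults

def elgamal_encrypt_exponents(table_g, table_h, b, p):
    """The two fixed-base exponentiations of E: u = g^b and v = h^b from the tables."""
    return fixed_base_pow(table_g, b, p)[0], fixed_base_pow(table_h, b, p)[0]

def compare_costs(base, b, p):
    """Multiplications for one exponentiation with and without the precomputed table."""
    table = precompute(base, p, Q.bit_length())
    return fixed_base_pow(table, b, p)[1], square_and_multiply(base, b, p)[1]
```

With b = 300 (binary 100101100) the table route costs 4 multiplications against 13 for square-and-multiply; the exact ratio depends on the weight of b, which is why the slide says "3x (or more)".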

Slide 12: End of Segment
Next step: why is this system chosen ciphertext secure? Under what assumptions?

Slide 13: Public key encryption from Diffie-Hellman
ElGamal Security
Online Cryptography Course, Dan Boneh

Slide 14: Computational Diffie-Hellman Assumption
G: finite cyclic group of order n
Comp. DH (CDH) assumption holds in G if:  g, g^a, g^b ⇏ g^(ab)
  for all efficient algs. A:  Pr[ A(g, g^a, g^b) = g^(ab) ] < negligible
  where g ⟵ {generators of G}, a, b ⟵ Zn

Slide 15: Hash Diffie-Hellman Assumption
G: finite cyclic group of order n, H: G^2 ⟶ K a hash function
Def: Hash-DH (HDH) assumption holds for (G, H) if:
  (g, g^a, g^b, H(g^b, g^(ab)))  ≈p  (g, g^a, g^b, R)
  where g ⟵ {generators of G}, a, b ⟵ Zn, R ⟵ K
H acts as an extractor: strange distribution on G^2 ⇒ uniform on K

Slide 16: Suppose K = {0,1}^128 and H: G^2 ⟶ K only outputs strings in K that begin with 0 (i.e. for all x, y: msb(H(x,y)) = 0)

Can Hash-DH hold for (G, H)?
- Yes, for some groups G
- No, Hash-DH is easy to break in this case
- Yes, Hash-DH is always true for such H

Slide 17: ElGamal is sem. secure under Hash-DH
KeyGen: g ⟵ {generators of G}, a ⟵ Zn;  output pk = (g, h = g^a), sk = a
E(pk = (g, h), m):  b ⟵ Zn;  k ⟵ H(g^b, h^b), c ⟵ Es(k, m);  output (g^b, c)
D(sk = a, (u, c)):  k ⟵ H(u, u^a), m ⟵ Ds(k, c);  output m

Slide 18: ElGamal is sem. secure under Hash-DH

Each game: chal. runs KeyGen and holds pk = (g, g^a), sk; adv. A sends m0, m1; chal. replies (g^b, c); A outputs b' ≟ 1.

Game 1 (real encryption of m0):  c = Es( H(g^b, g^(ab)), m0 )
  ≈p  by Hash-DH: H(g^b, g^(ab)) is replaced by k ⟵ K
Game 2:  c = Es( k, m0 ),  k ⟵ K
  ≈p  by security of (Es, Ds): under a random key, m0 and m1 are indistinguishable
Game 3:  c = Es( k, m1 ),  k ⟵ K
  ≈p  by Hash-DH again: k ⟵ K is replaced by H(g^b, g^(ab))
Game 4 (real encryption of m1):  c = Es( H(g^b, g^(ab)), m1 )

Chaining the three steps gives Game 1 ≈p Game 4, i.e. encryptions of m0 and m1 are indistinguishable.

Slide 19: ElGamal chosen ciphertext security?
To prove chosen ciphertext security need stronger assumption
Interactive Diffie-Hellman (IDH) in group G:
  Chal.: g ⟵ {gen}, a, b ⟵ Zn;  sends g, h = g^a, u = g^b to Adv. A
  Adv. A may query pairs (u1, v1);  Chal. answers 1 if (u1)^a = v1, 0 otherwise
  Adv. A outputs v;  wins if v = g^(ab)
IDH holds in G if:  ∀ efficient A:  Pr[ A outputs g^(ab) ] < negligible

Slide 20: ElGamal chosen ciphertext security?
Security Theorem: If IDH holds in the group G, (Es, Ds) provides auth. enc. and H: G^2 ⟶ K is a “random oracle” then ElGamal is CCAro secure.
Questions: (1) can we prove CCA security based on CDH? (2) can we prove CCA security without random oracles?

Slide 21: End of Segment

Slide 22: Public key encryption from Diffie-Hellman
ElGamal Variants With Better Security
Online Cryptography Course, Dan Boneh

Slide 23: Review: ElGamal encryption
KeyGen: g ⟵ {generators of G}, a ⟵ Zn;  output pk = (g, h = g^a), sk = a
E(pk = (g, h), m):  b ⟵ Zn;  k ⟵ H(g^b, h^b), c ⟵ Es(k, m);  output (g^b, c)
D(sk = a, (u, c)):  k ⟵ H(u, u^a), m ⟵ Ds(k, c);  output m

Slide 24: ElGamal chosen ciphertext security
Security Theorem: If IDH holds in the group G, (Es, Ds) provides auth. enc. and H: G^2 ⟶ K is a “random oracle” then ElGamal is CCAro secure.
Can we prove CCA security based on CDH (g, g^a, g^b ↛ g^(ab))?
- Option 1: use group G where CDH = IDH (a.k.a. bilinear group)
- Option 2: change the ElGamal system

Slide 25: Variants: twin ElGamal [CKS’08]
KeyGen: g ⟵ {generators of G}, a1, a2 ⟵ Zn;  output pk = (g, h1 = g^a1, h2 = g^a2), sk = (a1, a2)
E(pk = (g, h1, h2), m):  b ⟵ Zn;  k ⟵ H(g^b, h1^b, h2^b);  c ⟵ Es(k, m);  output (g^b, c)
D(sk = (a1, a2), (u, c)):  k ⟵ H(u, u^a1, u^a2);  m ⟵ Ds(k, c);  output m
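The key-derivation half of twin ElGamal beside that of plain ElGamal, as an added example that is not the course's code. Both are written as one encapsulate/decapsulate pair parameterised by the number t of secret exponents: t = 1 is the ElGamal of the review slide, t = 2 is twin ElGamal, and the generalisation to any t goes beyond the slides. The symmetric (Es, Ds) step is unchanged between the two schemes and is left out. The toy group (p, q, g), SHA-256 as H, and the exponentiation counters are assumptions of this example.

```python
# Added example, not from the course: twin ElGamal key derivation (t = 2)
# next to plain ElGamal (t = 1), showing the extra exponentiation on each side.
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # toy safe prime p = 2q + 1, g of order q (constructed)

def _enc(x):
    return x.to_bytes(2, "big")

def _H(u, shares):
    """H: G^(t+1) -> K over the fixed-width encodings of (u, share_1, ..., share_t)."""
    return hashlib.sha256(b"twin-kdf" + _enc(u) + b"".join(_enc(s) for s in shares)).digest()

def keygen(t):
    """t = 1: pk = (g, h), sk = (a,).   t = 2: pk = (g, h1, h2), sk = (a1, a2)."""
    sk = tuple(secrets.randbelow(Q - 1) + 1 for _ in range(t))
    pk = (G,) + tuple(pow(G, a, P) for a in sk)
    return pk, sk

def encaps(pk):
    """Sender: b <- Z_q, u = g^b, k = H(u, h1^b, ..., ht^b). Returns (u, k, exponentiations used)."""
    g, hs = pk[0], pk[1:]
    b = secrets.randbelow(Q - 1) + 1
    u = pow(g, b, P)
    k = _H(u, [pow(h, b, P) for h in hs])
    return u, k, 1 + len(hs)          # 2 exponentiations for ElGamal, 3 for twin ElGamal

def decaps(sk, u):
    """Receiver: k = H(u, u^a1, ..., u^at). Returns (k, exponentiations used)."""
    k = _H(u, [pow(u, a, P) for a in sk])
    return k, len(sk)                 # 1 exponentiation for ElGamal, 2 for twin ElGamal

def agree(t):
    """Sender and receiver derive the same k; returns (keys match, enc exps, dec exps)."""
    pk, sk = keygen(t)
    u, k_enc, n_enc = encaps(pk)
    k_dec, n_dec = decaps(sk, u)
    return k_enc == k_dec, n_enc, n_dec
```

The counters make the "one more exponentiation during enc/dec" cost of the next slide concrete: 2 and 1 for ElGamal become 3 and 2 for twin ElGamal, and a receiver holding only one of the two secrets cannot reproduce k.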

Slide 26: Chosen ciphertext security
Security Theorem: If CDH holds in the group G, (Es, Ds) provides auth. enc. and H: G^3 ⟶ K is a “random oracle” then twin ElGamal is CCAro secure.
Cost: one more exponentiation during enc/dec
Is it worth it? No one knows …

Slide 27: ElGamal security w/o random oracles?
Can we prove CCA security without random oracles?
- Option 1: use Hash-DH assumption in “bilinear groups”: special elliptic curves with more structure [CHK’04 + BB’04]
- Option 2: use Decision-DH assumption in any group [CS’98]

Slide 28: Further Reading
- The Decision Diffie-Hellman problem. D. Boneh, ANTS 3, 1998
- Universal hash proofs and a paradigm for chosen ciphertext secure public key encryption. R. Cramer and V. Shoup, Eurocrypt 2002
- Chosen-ciphertext security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi, and J. Katz, SICOMP 2007
- The Twin Diffie-Hellman problem and applications. D. Cash, E. Kiltz, V. Shoup, Eurocrypt 2008
- Efficient chosen-ciphertext security via extractable hash proofs. H. Wee, Crypto 2010

Slide 29: Public key encryption from Diffie-Hellman
A Unifying Theme
Online Cryptography Course, Dan Boneh

Slide 30: One-way functions (informal)
A function f: X ⟶ Y is one-way if
- there is an efficient algorithm to evaluate f(⋅), but
- inverting f is hard: for all efficient A and x ⟵ X:  Pr[ A(f(x)) ] < negligible

Functions that are not one-way: f(x) = x, f(x) = 0

Slide 31: Ex. 1: generic one-way functions
Let f: X ⟶ Y be a secure PRG (where |Y| ≫ |X|) (e.g. f built using det. counter mode)
Lemma: f a secure PRG ⇒ f is one-way
Proof sketch: A inverts f ⇒ B(y) = is a distinguisher
Generic: no special properties. Difficult to use for key exchange.

Slide 32: Ex 2: The DLOG one-way function
Fix a finite cyclic group G (e.g. G = (Zp)*) of order n
g: a random generator in G (i.e. G = {1, g, g^2, g^3, …, g^(n-1)})
Define f: Zn ⟶ G as f(x) = g^x ∈ G
Lemma: Dlog hard in G ⇒ f is one-way
Properties: f(x), f(y) ⇒ f(x+y) = f(x) ⋅ f(y)  ⇒ key-exchange and public-key encryption

Slide 33: Ex. 3: The RSA one-way function
Choose random primes p, q of 1024 bits. Set N = pq.
Choose integers e, d s.t. e⋅d = 1 (mod φ(N))
Define f(x) = x^e in Z_N
Lemma: f is one-way under the RSA assumption
Properties: f(x⋅y) = f(x) ⋅ f(y) and f has a trapdoor
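The "special properties" of Ex. 2 and Ex. 3 checked in code, as an added example that is not part of the course. f_dlog(x) = g^x turns addition in Zn into multiplication in G; f_rsa(x) = x^e in Z_N is multiplicatively homomorphic and, unlike f_dlog, has a trapdoor d that inverts it. All parameters are toy values chosen for this example (a 10-bit group and a 12-bit RSA modulus rather than 1024-bit primes), small enough that inverting f_dlog by exhaustive search also runs instantly; with real parameters that search is the hard problem.

```python
# Added example, not from the course: homomorphic property of the DLOG function,
# homomorphic property and trapdoor of the RSA function. All parameters are toy
# values constructed for this example.
P, Q, G = 1019, 509, 4   # toy safe prime p = 2q + 1, g of order q (constructed)

def f_dlog(x):
    """Ex. 2: f: Z_n -> G, f(x) = g^x."""
    return pow(G, x % Q, P)

def dlog_homomorphic(x, y):
    """Property: f(x + y) = f(x) * f(y)."""
    return f_dlog(x + y) == f_dlog(x) * f_dlog(y) % P

def invert_dlog_by_search(h):
    """Without a trapdoor, inverting f_dlog means searching Z_n (feasible only because n = 509)."""
    for x in range(Q):
        if f_dlog(x) == h:
            return x
    return None

# Ex. 3 with toy primes instead of 1024-bit ones: N = 61 * 53 (constructed)
RSA_P, RSA_Q = 61, 53
N = RSA_P * RSA_Q
PHI_N = (RSA_P - 1) * (RSA_Q - 1)
E_EXP = 17
D_EXP = pow(E_EXP, -1, PHI_N)   # the trapdoor d with e*d = 1 (mod phi(N)); needs Python 3.8+

def f_rsa(x):
    """Ex. 3: f(x) = x^e in Z_N."""
    return pow(x % N, E_EXP, N)

def rsa_homomorphic(x, y):
    """Property: f(x * y) = f(x) * f(y)."""
    return f_rsa(x * y) == f_rsa(x) * f_rsa(y) % N

def invert_rsa_with_trapdoor(y):
    """Whoever holds d inverts f with a single exponentiation."""
    return pow(y, D_EXP, N)
```

The contrast is the point of the summary slide: both functions are homomorphic, which is what key exchange and public-key encryption build on, but only the RSA function comes with a trapdoor, so only it is inverted efficiently by the key holder.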

Slide 34: Summary
Public key encryption: made possible by one-way functions with special properties (homomorphic properties and trapdoors)

Slide 35: End of Segment

Slide 36: Farewell (for now)
Online Cryptography Course, Dan Boneh

Slide 37: Quick Review: primitives
Diagram of the primitives covered and the constructions linking them:
- PRG ⟶ PRF, PRP (via GGM)
- PRF, PRP ⟶ CTR mode; MAC (CMAC, HMAC, PMAC)
- Collision resistance
- Diffie-Hellman groups ⟶ key exchange
- Trapdoor Functions ⟶ public key encryption

Slide 38: Quick Review: primitives
To protect non-secret data (data integrity):
- using small read-only storage: use collision resistant hash
- no read-only space: use MAC … requires secret key
To protect sensitive data: only use authenticated encryption (eavesdropping security by itself is insufficient)
Session setup:
- Interactive settings: use authenticated key-exchange protocol
- When no interaction allowed: use public-key encryption

Slide 39: Remaining Core Topics (part II)
- Digital signatures and certificates
- Authenticated key exchange
- User authentication: passwords, one-time passwords, challenge-response
- Privacy mechanisms
- Zero-knowledge protocols

Slide 40: Many more topics to cover …
- Elliptic Curve Crypto
- Quantum computing
- New key management paradigms: identity based encryption and functional encryption
- Anonymous digital cash
- Private voting and auction systems
- Computing on ciphertexts: fully homomorphic encryption
- Lattice-based crypto
- Two party and multi-party computation

Slide 41: Final Words
Be careful when using crypto:
- A tremendous tool, but if incorrectly implemented: system will work, but may be easily attacked
- Make sure to have others review your designs and code
- Don’t invent your own ciphers or modes

Slide 42: End of part I
