Slide 1

Spring 2017 • Lecture 23
B504/I538: Introduction to Cryptography
(2017-04-04)
Slide 2: Recall: Diffie-Hellman key exchange

Suppose (G,q,g)←G(1^s) for some group generating algorithm G.

Alice chooses a∊ℤq and sends g^a to Bob; Bob chooses b∊ℤq and sends g^b to Alice.
Alice derives the shared key ≔ h((g^b)^a); Bob derives the shared key ≔ h((g^a)^b). Alice then sends Enc(m) under that key.
Eve observes g^a, g^b and Enc(m), but for Eve: key = ???, m = ???
Slide 3: Recall: CDH assumption

Defn: Let G be a group generating algorithm. The (computational) Diffie-Hellman (CDH) assumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ+ such that Adv_{CDH,G}(A)≤ε(s).

CDH game between Challenger (C) and Attacker (A): both receive 1^s. The challenger runs (G,q,g)←G(1^s), chooses a,b∊ℤq, sets h1≔g^a and h2≔g^b, and sends (G,q,g,h1,h2) to A. A outputs h.

Let E be the event that h=g^{ab}. Define A's advantage to be Adv_{CDH,G}(A)≔Pr[E].
Slide 4: Recall: DDH assumption

Defn: Let (G,q,g)←G(1^s). Then (G,q,g,g^a,g^b,h) is a DH tuple if and only if h=g^{ab}.

Game 0 (input to D is a DH tuple): on input 1^s∈1^ℕ, the Challenger runs (G,q,g)←G(1^s), chooses a,b∊ℤq, and sends (G,q,g,g^a,g^b,g^{ab}) to the Distinguisher (D), which also receives 1^s∈1^ℕ. D outputs b'∈{0,1}.

Game 1 (input to D is not a DH tuple): on input 1^s∈1^ℕ, the Challenger runs (G,q,g)←G(1^s), chooses a,b,c∊ℤq, and sends (G,q,g,g^a,g^b,g^c) to the Distinguisher (D), which also receives 1^s∈1^ℕ. D outputs b'∈{0,1}.

Let E be the event that b'=0 in Game 0 or b'=1 in Game 1.
Defn: Adv_{DDH,G}(D)≔|Pr[E] - ½|
Slide 5: El Gamal encryption

Intuitively, El Gamal encryption is the result of converting Diffie-Hellman key exchange into a public-key encryption scheme.

Fact 1: Let (G,•) be a group with prime order q and g∈G be a generator. Then exponentiation with base g is a uniform random variable on G; that is, if r∊ℤq, then g^r is distributed uniformly at random in G.

Fact 2: Let (G,•) be a group, let m∈G. Then multiplication with m is a uniform random variable on G; that is, if h∊G, then m•h is distributed uniformly at random in G.

(Slide callouts: "choosing random OTP", "OTP in G".)
Slide 6: El Gamal encryption

Let G be a group-generating algorithm. The El Gamal encryption scheme is the following (M=C=G):

Gen(1^s) invokes (G,q,g)←G(1^s), chooses a∊ℤq, and computes h≔g^a. The public key is ke≔(G,q,g,h); the private key is kd≔a.
Enc(ke,m) chooses r∊ℤq and computes c1≔g^r and c2≔h^r•m. The ciphertext is c≔(c1,c2).
Dec(ke,kd,c) outputs m'≔c2•c1^{-a}.
Slide 7: El Gamal encryption

Thm: El Gamal encryption is correct.

Proof: Let c≔(c1,c2)=(g^r,h^r•m) with ke≔(G,q,g,h) and kd=a. Then
Dec(ke,kd,c) = c2•c1^{-a}
 = (h^r•m)•c1^{-a}
 = (h^r•m)•(g^r)^{-a}
 = ((g^a)^r•m)•(g^r)^{-a}
 = m•(g^{ar}•g^{-ar})
 = m ☐
Slide 8: El Gamal encryption

Thm: El Gamal encryption is IND-CPA secure whenever the DDH assumption holds with respect to G.

Proof (sketch): Consider a "modified" El Gamal in which "encryption" is done by choosing r,s∊ℤq and outputting c≔(c1,c2) for c1≔g^r and c2≔g^s•m. By Facts 1 and 2, c1 and c2 are independent uniform random variables on G, so decryption is impossible.
Slide 9: El Gamal encryption

Thm: El Gamal encryption is IND-CPA secure whenever the DDH assumption holds with respect to G.

Proof (sketch): Assume attacker A can break IND-CPA security of El Gamal with advantage μ(s). We construct a DDH distinguisher D for G from A as follows:
Given a DDH instance (G,q,g,h1,h2,h3), send ke≔(G,q,g,h1) to A to get (m0,m1).
Choose b∊{0,1} and send c≔(h2,h3•mb) to A.
Obtain b''∈{0,1} from A and output b'≔b⊕b''.
Note that Adv_{DDH,G}(D)=Adv_{CPA}(A)=μ(s) ☐
Slide 10: Multiplicative homomorphism

Thm: El Gamal encryption is multiplicatively homomorphic; that is, if (c1,c2)←Enc(ke,m) and (c′1,c′2)←Enc(ke,m'), then Dec(kd,(c1•c′1,c2•c′2))=m•m'.

In other words, by taking the component-wise product of two ciphertexts (encrypted under the same key), we obtain an encryption of the product of the two messages.

Proof: Let (c1,c2)=(g^r,h^r•m) and (c′1,c′2)≔(g^s,h^s•m'). Then c1•c′1=g^r•g^s=g^{r+s} and c2•c′2=(h^r•m)•(h^s•m')=h^{r+s}•(m•m'); hence, Dec(ke,kd,(c1•c′1,c2•c′2))=(g^{r+s})^{-a}•h^{r+s}•(m•m')=m•m' ☐
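The El Gamal scheme of Slides 6 and 7, the way the distinguisher of Slide 9 builds the attacker's view from a DDH instance, and the component-wise product of Slide 10, worked in Python as an added example (this is not code from the lecture). It assumes a constructed toy group: the order-q subgroup of squares in ℤp* with p=2q+1 (p=1019, q=509, generator g=4); messages must be elements of that subgroup. The function names (gen, enc, dec, mul_ciphertexts, reduction_view, reduction_is_faithful) are this example's own.

```python
# Added example, not code from the lecture: textbook El Gamal in a constructed
# toy group, the DDH-distinguisher view of Slide 9, and the component-wise
# product of Slide 10.  All names and parameters below are this example's own.
import secrets

# Constructed toy parameters: p = 2q + 1 with q prime, so the squares mod p form
# a subgroup G of prime order q.  g = 4 = 2^2 is a square and g != 1, so it
# generates G.  Real deployments use ~2048-bit p or an elliptic-curve group.
P = 1019
Q = 509
G_GEN = 4


def in_group(x):
    """True iff x lies in the order-q subgroup G (x^q = 1 mod p)."""
    return pow(x, Q, P) == 1


def gen():
    """Gen(1^s): a <- Z_q, h = g^a.  Returns (ke, kd) = ((p,q,g,h), a)."""
    a = secrets.randbelow(Q)
    return (P, Q, G_GEN, pow(G_GEN, a, P)), a


def enc(ke, m, r=None):
    """Enc(ke, m): c = (g^r, h^r * m) for r <- Z_q.  m must be an element of G,
    otherwise Fact 2 does not apply and c2 reveals which coset m lies in."""
    p, q, g, h = ke
    if not in_group(m):
        raise ValueError("message must be an element of the order-q subgroup")
    if r is None:
        r = secrets.randbelow(q)
    return pow(g, r, p), (pow(h, r, p) * m) % p


def dec(ke, kd, c):
    """Dec(ke, kd, c): m' = c2 * c1^{-a}, with c1^{-a} = (c1^a)^{-1} mod p."""
    p, q, g, h = ke
    c1, c2 = c
    return (c2 * pow(pow(c1, kd, p), -1, p)) % p


def mul_ciphertexts(ke, c, cprime):
    """Component-wise product (c1*c1', c2*c2') of two ciphertexts under ke."""
    p = ke[0]
    return (c[0] * cprime[0]) % p, (c[1] * cprime[1]) % p


def homomorphic_product(m, mprime):
    """Slide 10: decrypting the product ciphertext yields m * m' in G."""
    ke, kd = gen()
    c, cp = enc(ke, m), enc(ke, mprime)
    return dec(ke, kd, mul_ciphertexts(ke, c, cp))


def reduction_view(h1, h2, h3, m0, m1, b):
    """Slide 9: D embeds its DDH instance (G,q,g,h1,h2,h3) into A's view as the
    public key (G,q,g,h1) and the challenge ciphertext (h2, h3 * m_b)."""
    ke = (P, Q, G_GEN, h1)
    return ke, (h2, (h3 * (m1 if b else m0)) % P)


def reduction_is_faithful(is_dh_tuple, m0=9, m1=16, b=1):
    """Challenger-side check (it knows a): for a DH tuple the simulated challenge
    is a genuine El Gamal encryption of m_b; for a non-DH tuple it is a
    'modified El Gamal' ciphertext (Slide 8) and decrypts to something else."""
    a, r = secrets.randbelow(Q), secrets.randbelow(Q)
    h1, h2 = pow(G_GEN, a, P), pow(G_GEN, r, P)
    if is_dh_tuple:
        exp = (a * r) % Q
    else:  # any exponent other than a*r, uniform among the q-1 alternatives
        exp = (a * r + 1 + secrets.randbelow(Q - 1)) % Q
    ke, c = reduction_view(h1, h2, pow(G_GEN, exp, P), m0, m1, b)
    return dec(ke, a, c) == (m1 if b else m0)


if __name__ == "__main__":
    ke, kd = gen()
    print("Dec(Enc(9)) =", dec(ke, kd, enc(ke, 9)))
    print("Dec(Enc(9) * Enc(16)) =", homomorphic_product(9, 16))
    print("DH tuple faithful:", reduction_is_faithful(True),
          "| random tuple faithful:", reduction_is_faithful(False))
```

The subgroup check in enc is the practical counterpart of Fact 2: if a message outside G were encrypted, h^r•m would no longer be uniform on G, and an observer could tell which coset of G the message sits in. The reduction_is_faithful check is the reason the proof on Slide 9 goes through: with a DH tuple, A sees exactly the real IND-CPA game; with a random tuple, A sees the modified scheme of Slide 8, in which b is information-theoretically hidden.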
Slide 11: Recall: Quadratic residues

Defn: An element a∈ℤn is a quadratic residue modulo n if and only if it has a square root modulo n.
At most half of elements in ℤn can be quadratic residues modulo n!
The set of quadratic residues modulo n is denoted QRn.
Fact 3: (QRn,⊡) is a group, where ⊡ is multiplication modulo n!
More generally, a is an eth residue modulo n if it has an eth root modulo n.
Slide 12: Recall: Legendre symbols

Defn: If p>2 is prime, then (a⁄p)≔a^{(p-1)⁄2} (mod p) is called the Legendre Symbol of a modulo p.
Q: What makes (a⁄p) worthy of special consideration?
A: Fermat's Little Theorem implies that (a⁄p)^2≡1 (mod p) whenever a∈ℤp! (Note: (a⁄p)∈{-1,0,1}.)
Thm (Euler's Criterion): a∈ℤp is a quadratic residue modulo p if and only if (a⁄p)=1; that is, if and only if a^{(p-1)⁄2}≡1 (mod p).
Slide 13: Recall: Jacobi Symbols

The Legendre Symbol generalizes to composite moduli, but the properties are slightly trickier:
If (a⁄N)=-1, then a is definitely not a quadratic residue modulo N.
If a is a quadratic residue modulo N, then (a⁄N) is definitely equal to 1.
However, if (a⁄N)=1, then a may or may not be a quadratic residue modulo N!
Fact 4: Let N=pq be the product of two distinct primes. Then a∈QRN if and only if a∈QRp and a∈QRq.
It is easy to tell if a∈QRN if you know p and q!
Fact 5: If a∈QRN and b∉QRN, then a·b∉QRN.
Fact 6: For all a,b∈ℤN, (a⁄N)·(b⁄N)=(ab⁄N).
Slide 14: Quadratic residuosity

Q: If p and q are not known, how easy is it to determine if a∈QRN?
A: Sometimes it is easy, sometimes it appears hard!
If a∈QRp but a∉QRq, or a∉QRp but a∈QRq, it is easy (because the Jacobi symbol is -1).
If a∉QRp and a∉QRq, then the Jacobi symbol is +1 and it appears difficult to distinguish this from the case where a∈QRN.
Define QNRN+ = {a∉QRN | (a⁄N)=1}.
Slide 15: Quadratic residuosity assumption

Let G be a PPT algorithm that, on input a security parameter 1^s∈1^ℕ, outputs a pair of distinct s-bit primes (p,q). We call such a G a QR instance generator.

Defn: The quadratic residuosity assumption holds with respect to a QR instance generator G if, for every PPT attacker A, there exists a negligible function ε:ℕ→ℝ+ such that
∣ Pr[A(pq,a)=1 | (p,q)←G(1^s) ∧ a∊QNRN+] - Pr[A(pq,a)=1 | (p,q)←G(1^s) ∧ a∈QRN] ∣ ≤ ε(s).
Slide 16: Goldwasser-Micali bit encryption

Let G be a QR instance generator. The Goldwasser-Micali bit encryption scheme is the following (M={0,1}; C=ℤN):

Gen(1^s) invokes (p,q)←G(1^s) and chooses z∊QNRN+. The public key is ke≔(pq,z); the private key is kd≔(p,q).
Enc(ke,b) does the following: if b≟0, it chooses a∊ℤN and outputs c≔a^2 mod N; if b≟1, it chooses a∊ℤN and outputs c≔z·a^2 mod N.
Dec(ke,kd,c) outputs b'=0 if c∈QRN and b'=1 otherwise.
Slide 17: Goldwasser-Micali bit encryption

Thm: Goldwasser-Micali encryption is correct.

Proof: If b=0, then c≔a^2 mod N for some a∈ℤN. Hence, c∈QRN and Dec(ke,kd,c)=0. If b=1, then c≔a^2·z mod N for some a∈ℤN. Since a^2∈QRN and z∉QRN, by Fact 5 we have c∉QRN and Dec(ke,kd,c)=1 ☐
Slide 18: Goldwasser-Micali bit encryption

Thm: Goldwasser-Micali encryption is IND-CPA secure whenever the quadratic residuosity assumption holds with respect to G.

Proof (sketch): If b=0, then c∊QRN; on the other hand, if b=1, then, by Fact 6, c∊QNRN+. Hence, distinguishing encryptions of 0 from encryptions of 1 is directly equivalent to winning in the quadratic residuosity game.
Slide 19: XOR homomorphism

Thm: Goldwasser-Micali encryption is XOR-homomorphic; that is, if c←Enc(ke,b) and c'←Enc(ke,b'), then Dec(ke,kd,c•c')=b⊕b'.

In other words, by taking the product of two ciphertexts (encrypted under the same key), we obtain an encryption of the XOR of the two messages!

Proof:
If (b,b')=(0,0), then (c,c')≔(a^2,a'^2) ⇒ c·c'=(a·a')^2∈QRN.
If (b,b')=(1,1), then (c,c')≔(a^2·z,a'^2·z) ⇒ c·c'=(a·a'·z)^2∈QRN.
If (b,b')=(0,1), then (c,c')=(a^2,a'^2·z) ⇒ c·c'=(a·a')^2·z∈QNRN+.
If (b,b')=(1,0), then (c,c')=(a^2·z,a'^2) ⇒ c·c'=(a·a')^2·z∈QNRN+.
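The Legendre and Jacobi symbols of Slides 12 to 14, the Goldwasser-Micali scheme of Slides 16 and 17, and the XOR homomorphism of Slide 19, as an added Python example that is not code from the lecture. It assumes constructed toy primes p=11 and q=19 (so N=209); the names jacobi, legendre_euler, is_qr_mod_n, gm_gen, gm_enc, gm_dec and xor_homomorphism_holds are this example's own. Enc draws a from the units of ℤN rather than all of ℤN as on Slide 16, so that every ciphertext is invertible.

```python
# Added example, not code from the lecture: Legendre/Jacobi symbols, the
# Goldwasser-Micali bit encryption scheme, and its XOR homomorphism.
# Toy primes are constructed below; real instances use s-bit primes.
import secrets


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 via quadratic reciprocity.  For prime n
    it is the Legendre symbol; for n = pq it equals (a/p)*(a/q) (Fact 6)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: flip sign if both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # n > 1 here means gcd(a, n) > 1


def legendre_euler(a, p):
    """Euler's criterion (Slide 12): a^((p-1)/2) mod p, reported as -1, 0 or 1."""
    e = pow(a % p, (p - 1) // 2, p)
    return -1 if e == p - 1 else e


def is_qr_mod_n(a, p, q):
    """Fact 4: a in QR_N iff a in QR_p and a in QR_q; easy once p, q are known."""
    return legendre_euler(a, p) == 1 and legendre_euler(a, q) == 1


def gm_gen(p, q):
    """Gen: N = pq and z in QNR_N^+, i.e. Jacobi symbol +1 but not a square mod N
    (equivalently a non-residue mod both p and q).  Returns (ke, kd)."""
    n = p * q
    while True:
        z = secrets.randbelow(n - 2) + 2
        if jacobi(z, n) == 1 and not is_qr_mod_n(z, p, q):
            return (n, z), (p, q)


def gm_enc(ke, b, a=None):
    """Enc: c = a^2 mod N encrypts 0, c = z * a^2 mod N encrypts 1.  The slides
    draw a from Z_N; here a is restricted to units so that c is invertible."""
    n, z = ke
    if a is None:
        while True:
            a = secrets.randbelow(n - 1) + 1
            if jacobi(a, n) != 0:        # Jacobi symbol 0 <=> gcd(a, N) > 1
                break
    c = (a * a) % n
    return c if b == 0 else (z * c) % n


def gm_dec(ke, kd, c):
    """Dec: 0 if c in QR_N, else 1, decided with the factorisation (Fact 4)."""
    p, q = kd
    return 0 if is_qr_mod_n(c, p, q) else 1


def xor_homomorphism_holds(p, q, b, bprime):
    """Slide 19: Dec(c * c' mod N) == b XOR b'."""
    ke, kd = gm_gen(p, q)
    c, cp = gm_enc(ke, b), gm_enc(ke, bprime)
    return gm_dec(ke, kd, (c * cp) % ke[0]) == (b ^ bprime)


if __name__ == "__main__":
    # Constructed toy primes p = 11, q = 19, N = 209.
    ke, kd = gm_gen(11, 19)
    print("public key (N, z) =", ke)
    print("2 has Jacobi symbol", jacobi(2, 209), "mod 209; is it a QR?",
          is_qr_mod_n(2, 11, 19))
    for b in (0, 1):
        for bp in (0, 1):
            print(f"Dec(Enc({b}) * Enc({bp})) == {b} xor {bp}:",
                  xor_homomorphism_holds(11, 19, b, bp))
```

The element 2 illustrates Slide 14: its Jacobi symbol modulo 209 is +1 because it is a non-residue modulo both 11 and 19, yet it is not a square modulo 209, so it lies in QNRN+. Without p and q the jacobi function cannot separate it from a genuine residue, which is exactly the gap the quadratic residuosity assumption relies on; with the private key, gm_dec settles the question by two Legendre computations.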
Slide 20: Paillier encryption

Paillier encryption is based on some fairly advanced algebra, which we won't discuss here.
It is IND-CPA secure under the composite residuosity assumption, which posits that it is infeasible to distinguish a uniform random Nth residue modulo N^2 from a uniform random number modulo N^2.
It is noteworthy due to the following theorem:

Thm: Paillier encryption is additively homomorphic; that is, if c←Enc(ke,m) and c'←Enc(ke,m'), then Dec(ke,kd,c•c')=m+m' mod N^2.
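The additive homomorphism of Slide 20, as an added Python example (not code from the lecture) of textbook Paillier with the common parameter choice g=N+1. It assumes constructed toy primes p=17 and q=23 (N=391), requires gcd(N,(p-1)(q-1))=1, and names its functions (L, paillier_gen, paillier_enc, paillier_dec, add_ciphertexts, homomorphic_sum) for illustration only. In this example plaintexts live in ℤN, so the value recovered from c•c' is m+m' reduced modulo N, while ciphertexts are multiplied modulo N^2.

```python
# Added example, not code from the lecture: textbook Paillier with the usual
# parameter choice g = N + 1, to exhibit the additive homomorphism of Slide 20.
# Toy primes are constructed below; real instances use large primes.
import math
import secrets


def L(u, n):
    """Paillier's L function: L(u) = (u - 1) / N for u = 1 (mod N)."""
    return (u - 1) // n


def paillier_gen(p, q):
    """Gen: N = pq, lambda = lcm(p-1, q-1), g = N+1, mu = L(g^lambda mod N^2)^-1 mod N.
    Requires gcd(N, (p-1)(q-1)) = 1, which holds for distinct primes of equal size."""
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("primes must satisfy gcd(N, (p-1)(q-1)) = 1")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    n2 = n * n
    g = n + 1
    mu = pow(L(pow(g, lam, n2), n), -1, n)
    return (n, g), (lam, mu)


def paillier_enc(ke, m, r=None):
    """Enc: c = g^m * r^N mod N^2 with r a uniform unit mod N.  Plaintexts m in Z_N."""
    n, g = ke
    n2 = n * n
    if r is None:
        while True:
            r = secrets.randbelow(n - 1) + 1
            if math.gcd(r, n) == 1:
                break
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def paillier_dec(ke, kd, c):
    """Dec: m = L(c^lambda mod N^2) * mu mod N."""
    n, _ = ke
    lam, mu = kd
    return (L(pow(c, lam, n * n), n) * mu) % n


def add_ciphertexts(ke, c, cprime):
    """Ciphertext 'addition' is multiplication modulo N^2."""
    n = ke[0]
    return (c * cprime) % (n * n)


def homomorphic_sum(p, q, m, mprime):
    """Decrypting Enc(m) * Enc(m') gives m + m' mod N."""
    ke, kd = paillier_gen(p, q)
    c, cp = paillier_enc(ke, m), paillier_enc(ke, mprime)
    return paillier_dec(ke, kd, add_ciphertexts(ke, c, cp))


if __name__ == "__main__":
    # Constructed toy primes p = 17, q = 23, N = 391.
    print("Dec(Enc(120) * Enc(300)) =", homomorphic_sum(17, 23, 120, 300),
          "(expected 420 mod 391 = 29)")
```

The wrap-around in the usage line (120+300 exceeds N=391) is the practical caveat for anyone relying on the homomorphism, for example in an additively homomorphic tally: sums must stay below N, or the modular reduction silently corrupts the result.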
Slide 21: That's all for today, folks!