Spring 2017 • Lecture 23 - PowerPoint Presentation

Slide1

Spring 2017 • Lecture 23

B504/I538: Introduction to Cryptography

(2017—04—04)

Recall: Diffie-Hellman key exchange

1

Alice

Bob

Eve

g

a

g

b

a∊℥

q

b∊℥

q

≔h

(

(

g

b

)

a

)

≔h

(

(

g

a

)

b

)

Enc

(m)

Suppose

(

G，q，g

)←Ｇ(1

s

)

for some group generating algorithm

Ｇ

=???

m=???

Recall: CDH assumption

Defn: Let Ｇ be a group generating algorithm. The (computational) Diffie-Hellman (CDH) assumption holds with respect to Ｇ if, for every PPT algorithm A, there exists a negligible function ε：ℕ→ℝ+ such that AdvCDH,Ｇ(A)≤ε(s).

2

Challenger (C)

Attacker (A)

(

G，q，g

)←Ｇ(1

s)a,b∊℥qh1≔ga, h2≔gb

h

1

s

(G，q，g，h

1

，h2)

Let E be the event that h=gab Define A’s advantage to be AdvCDH,Ｇ(A)≔Pr[E]

1

s

Recall: DDH assumption

3

3

1

s

∈1

ℕ

b’∈{0，1}

b’∈{0，1}

1

s

∈1

ℕ

Game 0:

(input to A is a DH tuple)

Game 1:

(input to A is not a DH tuple)

Distinguisher (D)

Distinguisher (D)

Challenger

Challenger

1

s

∈1

ℕ

1

s

∈1

ℕ

Def

n

:

Let

(

G，q，g

)←Ｇ(1

s

)

. Then (G，q，g，ga，gb，h) is a DH tuple if and only if h=gab.

(G，q，g)←Ｇ(1 s)a，b∊℥q

(G，q，g)←Ｇ(1 s)a，b，c∊℥q

(

G，q，g，ga，gb，gab)

(

G，q，g，ga，gb，gc)

Let E be the event that b’=0 in Game 0 or b’=1 in Game 1

Defn: AdvDDH,Ｇ(D)≔|Pr[E]- ½|

El Gamal encryption

Intuitively, El Gamal encryption is the result of converting Diffie-Hellman key exchange into a public-key encryption schemeFact 1: Let (G，•) be a group with prime order q and g∈G be a generator. Then exponentiation with base g is a uniform random variable on G; that is, if r∊℥q, then gr is distributed uniformly at random in G.Fact 2: Let (G，•) be a group, let m∈G. Then multiplication with m is a uniform random variable on G; that is, if h∊G, then m•h is distributed uniformly at random in G.

4

OTP

in G

choosing

random

OTP

El Gamal encryption

Let Ｇ be a group-generating algorithm. The El Gamal encryption scheme is the following:Gen(1s) invokes (G，q，g)←Ｇ(1s), chooses a∊℥q, and computes h≔gaThe public key is ke≔(G，q，g，h)The private key is kd≔aEnc(ke，m) chooses r∊℥q and computes c1≔gr and c2≔hr•mThe ciphertext is c≔(c1，c2)Dec(ke，kd，c) outputs m’≔c2•c1-a

5

(

Ｍ=Ｃ=G

)

El Gamal encryption

Thm: El Gamal encryption is correct.

6

Proof:

Let

c≔(c

1

，c

2)=(gr，hr•m) with ke≔(G，q，g，h) and kd=a Then Dec(ke，kd，m)

=c2•c1-a

=(hr•m)•c1-a

=(hr•m)•(gr)-a

=((ga)r•m)•(gr)-a

=m•(gar•g-ar)

=m ☐

El Gamal encryption

Thm: El Gamal encryption is IND-CPA secure whenever the DDH assumption holds with respect to Ｇ.

7

Proof (sketch):

Consider a “modified” El

Gamal in which

“encryption” is done by choosing

r，s

∊℥

q

and outputting

c≔(c

1

,c

2

)

for

c

1

≔g

r

and

c

2

≔g

s

•m

By

Facts 1

and

2

,

c

1

and

c

2

are independent uniform random variables on

G

—

decryption is impossible

.

8

El Gamal encryption

Thm: El Gamal encryption is IND-CPA secure whenever the DDH assumption holds with respect to Ｇ.

Proof (sketch):

Assume attacker

A

can break IND-CPA security of El

Gamal with advantage

μ

(s)

We construct a DDH distinguisher

D

for

Ｇ

from

A

as follows:

Given a DDH instance (

G，q，g，h

1

，h

2

，h

3

)

, send

k

e

≔(G，q，g，h

1

)

to

A

to get

(m

0

，m

1

)

Choose

b∊{0，1}

and set

c≔(h

2

，h

3

•m

b

)

to

A

Obtain

b’’∈{0，1}

from

A

and output

b’≔

b⊕b

’’

Note that

Adv

DDH,Ｇ

(D)=

Adv

CPA

(A)=

μ

(s) ☐

Multiplicative homomorphism

Thm: El Gamal encryption is multiplicatively homormorphic; that is, if (c1，c2)←Enc(ke，m) and (c′1，c′2)←Enc(ke，m’), then Dec(kd，(c1•c′1，c2•c′2))=m•m’.

9

In other words, by taking the component-wise product of two

ciphertexts

(encrypted under the same key), we obtain an encryption of the product of the two messages

Proof:

Let

(c

1

，c

2

)=(

g

r

，h

r

•m

)

and

(c′

1

，c′

2

)≔(

g

s

，h

s

•m

’)

.

Then

c

1

•c′

1

=

g

r

•g

s

=

g

r+s

and

c

2

•c′

2

=(

h

r

•m

)•(

h

s

•m

’)=

h

r+s

•(

m•m

’)

;

hence,

Dec

(

k

e

，k

d

，(c

1

•c′

1

，c

2

•c′

2

)

)=(

g

r+s

)

a

•h

r+s

•(

m•m

’)=

m•m

’

☐

Recall: Quadratic residues

Defn: An element a∈ℤn is a quadratic residue modulo n if and only if it has a square root modulo n.At most half of elements in ℤn can be quadratic residues modulo n!The set of quadratic residues modulo n is denoted QRn.Fact 3: (QRn,⊡) is a group, where ⊡ is multiplication modulo n!More generally, a is an eth residue modulo n if it has an eth root modulo n.

10

Recall: Legendre symbols

Defn: If p>2 is prime, then ()≔a(p-1)⁄2 is called the Legendre Symbol of a modulo p.

Q: What makes () worthy of special consideration?A: Fermat’s Little Theorem implies that ()2≡1 whenever a∈℥p!(Note: ()∈{-1,0,1})

Thm (Euler’s Criterion): a∈℥p is a quadratic residue modulo p if and only if ()=1; that is, if and only if ()≡1.

11

Recall: Jacobi Symbols

The Legendre Symbol generalizes to composite moduli, but the properties are slightly trickier:If ()=-1, then a is definitely not a quadratic residue modulo nIf a is a quadratic residue modulo N, then () is definitely equal to 1However, if ()=1, then a may or may not be a quadratic residue modulo N!Fact 4: Let N=pq be the product of two distinct primes. Then a∈QRN ifand only if it is a∈QRp and a∈QRqIt is easy to tell if a∈QRN if you know p and q!Fact 5: If a∈QRN and b∉QRN, then a·b∉QRN.Fact 6: For all a，b∈ℤN, ()·()=()

12

Quadratic residuosity

Q: If p and q are not known, how easy is it to determine if a∈QRN?A: Sometimes it is easy, sometimes it appears hard!If a∈QRp but a∉QRq or a∉QRp but a∈QRq, it is easy (because Jacobi symbol is -1)If a∉QRp and a∉QRq, then Jacobi symbol is +1 and it appears difficult to distinguish this from case wheren a∈QRNDefine QNRN+={a∉QRN｜()=1}

13

Quadratic residuosity assumption

Let Ｇ be a PPT algorithm that, on input a security parameter 1s∈1ℕ, outputs a pair of distinct s-bit primes (p，q). We call such a Ｇ a QR instance generator.Defn: The quadratic residuosity assumption holds with respect to a QR instance generator Ｇ if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that ∣ Pr[A(pq，a)=1｜(p，q)←Ｇ(1s)∧a∊QNRN+] - Pr[A(pq，a)=1｜(p，q)←Ｇ(1s)∧a∈QRN] ∣≤ε(s)

14

Goldwasser-Micali bit encryption

15

Let Ｇ be a QR instance generator. The Goldwasser-Micali bit encryption scheme is the following:Gen(1s) invokes (p，q)←Ｇ(1s) and chooses z∊QNRN+The public key is ke≔(pq，z)The private key is kd≔(p，q)Enc(ke，b) does the following:If b≟0, it chooses a∊ℤN and outputs c≔a2 mod NIf b≟0, it chooses a∊ℤN and outputs c≔za2 mod NDec(ke，kd，c) outputs b’=0 if c∈QRN and b’=1 otherwise

(

Ｍ={0，1}; Ｃ=ℤ

N

)

El Gamal encryption

Thm: Goldwasser-Micali encryption is correct.

16

Proof:

If

b=0

, then

c≔a

2

mod N

for some

a∈ℤ

N

.

Hence,

c∈QR

N

and

Dec(

k

e

，k

d

，c

)=0

.

If

b=1

, then

c≔a

2

·z mod N

for some

a∈ℤ

N

.

Since

a

2

∈QR

N

and

z∉QR

N

,

by

Fact 5

we have

c∉QR

N

and

Dec(

k

e

，k

d

，c

)=1 ☐

El Gamal encryption

Thm: Goldwasser-Micali encryption is IND-CPA secure whenever the quadratic residuosity assumption holds with respect to Ｇ.

17

Proof (sketch):

If

b=0

, then

c∊QR

N

; on the other hand, if

b=1

, then, by

Fact 6

,

c∊QNR

N

+

.

Hence, distinguishing encryptions of

0

from encryptions of

1

is directly equivalent to winning in the quadratic

residuosity

game.

XOR homomorphism

Thm: Goldwasser-Micali encryption is XOR-homormorphic; that is, if c←Enc(ke，b) and c’←Enc(ke，b’), thenDec(ke，kd，c•c’)=b⊕b’.

18

In other words, by taking the product of two

ciphertexts

(encrypted under the same key), we obtain an encryption of the XOR of the two messages!

Proof:

If

(

b，b

’)=(0，0)

, then

(

c，c

’)≔(a

2

,a’

2

)⇒

c·c

’=(

a·a

’)

2

∈QR

N

If

(

b，b

’)=(1，1)

, then

(

c，c

’)≔(a

2

z，a’

2

z)⇒c·c’=(

a·a

’·z)

2

∈QR

N

If

(

b，b

’)=(0，1)

, then

(

c，c

’)=(a

2

,a’

2

z)⇒

c·c

’=(

a·a

’)

2

z∈QNR

N

+

If

(

b，b

’)=(1，0)

, then

(

c，c

’)=(a

2

z,a’

2

)⇒

c·c

’=(

a·a

’)

2

z∈QNR

N

+

Paillier encryption

Paillier encryption is based on some fairly advanced algebra, which we won’t discuss hereIt is IND-CPA secure under the composite residuosity assumption, which posits that it is infeasible to distinguish a uniform random Nth residue modulo N2 from uniform random number modulo N2It is noteworthy due to the following theorem:

19

Thm

:

Paillier

encryption is

additively

homormorphic

; that is, if

c←Enc

(

k

e

，m

)

and

c’←

Enc

(

k

e

，m

’)

, then

Dec(

k

e

，k

d

，c•c

’)=

m+m

’ mod N

2

.

That’s all for today, folks!

20