Cryptography
Lecture 8
Stefan Dziembowski
www.dziembowski.net
[email protected]
Plan
1. Insecurity of the “handbook RSA”
2. Formal security definitions
3. Improved version of RSA
4. El Gamal encryption
5. Hybrid encryption
The “handbook” RSA function
N = pq, such that p and q are large distinct primes
φ(N) = (p-1)(q-1)
e is such that gcd(e, φ(N)) = 1
d is such that ed ≡ 1 (mod φ(N))
E_e: Z_N^* → Z_N^* is defined as E_e(m) = m^e mod N.
D_d: Z_N^* → Z_N^* is defined as D_d(c) = c^d mod N.
Correctness: D_d(E_e(m)) = (m^e)^d = m^(ed) = m (mod N)
public key: (N,e)
private key: (N,d)
Problems
1. E_e is deterministic, so:
   – if one encrypts the same message twice then the ciphertexts are the same,
   – therefore it is completely insecure if the message space M is small, because the adversary can check all possible messages: given a ciphertext c, for every m ∈ M check if E_e(m) = c.
   For example, if M = {yes, no}, then the encryption is not secure.
2. RSA has some “algebraic properties”.
Algebraic properties of RSA
1. RSA is homomorphic:
   E_e(m0 · m1) = (m0 · m1)^e = m0^e · m1^e = E_e(m0) · E_e(m1)
   Why is it bad? By checking if c0 · c1 = c the adversary can detect if D_d(c0) · D_d(c1) = D_d(c).
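The two problems listed above, checked on toy parameters, as an added example that is not part of the lecture. The primes p = 61, q = 53 and the encoding of M = {yes, no} as two integers are constructed values; everything else is the handbook RSA function defined earlier, so the code shows that the re-encryption check and the product relation really do hold.

```python
from math import gcd

# Constructed toy parameters (far too small for any real use): p = 61, q = 53.
P, Q = 61, 53
N = P * Q                  # 3233
PHI = (P - 1) * (Q - 1)    # 3120
E = 17
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)        # 2753, since 17 * 2753 = 1 (mod 3120)


def enc(m, e=E, n=N):
    """E_e(m) = m^e mod N; no randomness is involved, so equal inputs give equal outputs."""
    return pow(m, e, n)


def dec(c, d=D, n=N):
    """D_d(c) = c^d mod N."""
    return pow(c, d, n)


def is_homomorphic(m0, m1):
    """E_e(m0) * E_e(m1) = E_e(m0 * m1) in Z_N^*."""
    return (enc(m0) * enc(m1)) % N == enc((m0 * m1) % N)


def product_relation_holds(c0, c1, c):
    """Decide, without d, whether D_d(c0) * D_d(c1) = D_d(c): compare c0 * c1 with c."""
    return (c0 * c1) % N == c


def match_small_message_space(c, message_space):
    """Problem 1: for a small M, re-encrypt every candidate and compare with c."""
    for m in message_space:
        if enc(m) == c:
            return m
    return None


MESSAGES = {"yes": 1234, "no": 2345}   # constructed encoding of M = {yes, no}
```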
2. The “Jacobi symbol” leaks.
What is the “Jacobi symbol”?
If p is prime then J_p(x) = +1 if x is a quadratic residue modulo p, and -1 otherwise.
If n = pq (where p and q are prime) then J_n(x) = J_p(x) · J_q(x).
The Jacobi symbol
n = pq. From the CRT, Z_n^* can be depicted as a 2×2 grid; each cell shows J_n(x):

                QR_q      not QR_q
   QR_p         +1        -1
   not QR_p     -1        +1

By the way: only the elements in the (QR_p, QR_q) cell are quadratic residues modulo n.
How to compute the Jacobi symbol
The Jacobi symbol (in Z_n^*) can be efficiently computed if the factorization of n is known (this is easy).
What if the factorization is unknown?
It can also be efficiently computed (but the algorithm is not that trivial).
Fact
Let E_e be the encryption function of RSA with modulus n = pq. Then:
J_n(E_e(m)) = J_n(m)
Proof
Left-hand side: J_n(E_e(m)) = J_p(E_e(m)) · J_q(E_e(m))
Right-hand side: J_n(m) = J_p(m) · J_q(m)
Therefore it is enough to prove that J_p(E_e(m)) = J_p(m) and J_q(E_e(m)) = J_q(m).
Since p and q are symmetric, we can just prove it for p.
We have to show that J_p(E_e(m)) = J_p(m). In other words:
E_e(m) is a QR_p iff m is a QR_p.
Note that E_e(m) mod p is equal to m^e mod p.
Now observe that e is always odd (because gcd(e, (p-1)(q-1)) = 1 and (p-1)(q-1) is even).
To finish the proof we need to show that for an odd e:
m^e mod p is a QR_p iff m mod p is a QR_p.
Let g be a generator of Z_p^*. Recall that x is a QR_p iff x is an even power of g.
It is easy to see that m^e mod p is an even power of g iff m mod p is an even power of g: writing m = g^a gives m^e = g^(ae), and for odd e the exponent ae is even iff a is even (reducing exponents modulo the even number p-1 preserves parity).
Hence we are done.
Conclusion
The Jacobi symbol “leaks”, i.e.: from c one can compute J_n(D_d(c)) (without knowing the factorization of n).
Is it a big problem? Depends on the application...
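The three claims of this section, verified exhaustively on toy parameters, as an added example that is not part of the lecture: the Jacobi symbol computed without the factorization (the standard reciprocity algorithm), the CRT product J_n(x) = J_p(x) · J_q(x) checked against Euler's criterion, the Fact J_n(E_e(m)) = J_n(m), and the grid's point that J_n(x) = +1 does not imply x is a quadratic residue modulo n. The primes p = 61, q = 53 and e = 17 are constructed toy values.

```python
from math import gcd

# Constructed toy RSA parameters, far too small for real use.
P, Q, E = 61, 53, 17
N = P * Q


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without the factorization of n
    (quadratic reciprocity plus the rule for factors of 2)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:          # (2/n) = -1 iff n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # reciprocity: sign flips when both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def legendre(a, p):
    """J_p(a) for a known prime p, via Euler's criterion a^((p-1)/2) mod p."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi_matches_crt_product():
    """J_n(x) = J_p(x) * J_q(x) for every x in Z_n^*."""
    return all(jacobi(x, N) == legendre(x, P) * legendre(x, Q)
               for x in range(1, N) if gcd(x, N) == 1)


def rsa_preserves_jacobi():
    """The Fact: J_n(E_e(m)) = J_n(m) for every m in Z_n^*."""
    return all(jacobi(pow(m, E, N), N) == jacobi(m, N)
               for m in range(1, N) if gcd(m, N) == 1)


def plus_one_but_not_qr_exists():
    """The grid: J_n(x) = +1 also when x is a non-residue modulo both p and q."""
    return any(jacobi(x, N) == 1 and legendre(x, P) == -1
               for x in range(1, N) if gcd(x, N) == 1)


def leaked_from_ciphertext(c):
    """What an eavesdropper computes from c alone: J_n(D_d(c)), which equals J_n(c)."""
    return jacobi(c, N)
```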
Question: Is RSA secure?
Looks like it has some weaknesses...
Plan:
1. Provide a formal security definition.
2. Modify RSA so that it is secure according
to this definition.
A public-key encryption scheme
The security definition
Remember the symmetric-key case? We considered a chosen-plaintext attack.
How would it look in the case of public-key encryption?
A chosen-plaintext attack (CPA)
Oracle, on security parameter 1^n:
1. selects random (pk,sk) = Gen(1^n),
2. chooses a random b ∈ {0,1},
and sends pk to the adversary.
The adversary chooses m’_1 and receives c_1 = Enc(pk,m’_1), ..., chooses m’_t and receives c_t = Enc(pk,m’_t).
Challenge phase: the adversary chooses m_0, m_1 and receives c = Enc(pk,m_b).
The interaction continues . . . and the adversary has to guess b.
The encryption queries m’_1, ..., m’_t are not needed. Why? Because if Eve knows pk she can compute all these ciphertexts herself!
A simplified view
Oracle, on security parameter 1^n:
1. selects random (pk,sk) = Gen(1^n),
2. chooses a random b ∈ {0,1},
and sends pk to the adversary.
Challenge phase: the adversary chooses m_0, m_1 and receives c = Enc(pk,m_b).
The adversary has to guess b.
CPA-security
Alternative name: CPA-secure.
Security definition: we say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) if any randomized polynomial-time adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is negligible.
What about multiple encryptions?
What if the users use the same public key several times?
The game between the adversary and the oracle needs to be modified:
We will allow the adversary to choose vectors of messages
• M_0 = (m_0^1, ..., m_0^t),
• M_1 = (m_1^1, ..., m_1^t)
such that for each i we have |m_1^i| = |m_0^i|.
Then the oracle will output (c_1, ..., c_t) := (Enc(pk,m_b^1), ..., Enc(pk,m_b^t)).
Multiple messages experiment
Oracle, on security parameter 1^n:
1. selects random (pk,sk) = Gen(1^n),
2. chooses a random b ∈ {0,1},
and sends pk to the adversary.
Challenge phase: the adversary sends (m_0^1, ..., m_0^t) and (m_1^1, ..., m_1^t) and receives Enc(pk,m_b^1), ..., Enc(pk,m_b^t).
The adversary has to guess b.
CPA-security with multiple encryptions
Security definition: we say that (Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA) if any randomized polynomial-time adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is negligible.
Fact
It can be proven that these two notions are equivalent, i.e.:
(Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA)
iff
(Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA).
Is the “handbook RSA” secure?
No! In fact: no deterministic encryption scheme is secure.
How can the adversary win the game? Trivial attack:
1. he just chooses any m_0, m_1,
2. computes c_0 = Enc(pk,m_0) himself,
3. compares the result with c.
Moral: encryption has to be randomized.
Encoding
Therefore, before encrypting a message we
usually encode it (adding some
randomness).
This has the following advantages:
• makes the encryption non-deterministic
• breaks the “algebraic properties” of
encryption.
How is it done in real life?
PKCS #1: RSA Encryption Standard Version 1.5:
public key: (N,e)
let k := length of N in bytes,
let D := length of the plaintext in bytes;
requirement: D ≤ k - 11.
Enc((N,e), m) := x^e mod N, where x is the following k-byte string:
   00000000 | 00000001 | r | 00000000 | m
with r consisting of (k - D - 3) random bytes and m being D bytes long.
Security of the PKCS #1: RSA Encryption Standard Version 1.5
It is believed to be CPA-secure.
It has however some weaknesses (it is not “chosen-ciphertext secure”).
Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding (we will discuss it later).
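The CPA game and the trivial attack, as an added example that is not part of the lecture: a harness runs the simplified game against the deterministic handbook RSA and against RSA with a PKCS #1 v1.5-style randomized encoding, with the adversary from the slide re-encrypting m_0 and comparing. Assumptions: the primes are the Mersenne primes 2^89 - 1 and 2^127 - 1 (constructed, a special form never used in practice, chosen only so the modulus is long enough for the k - 11 rule); the encoding follows the standard's encryption block type 02 with nonzero random padding bytes (the figure above draws the layout with the byte 01); and the random source is seeded so the run is reproducible offline.

```python
import random

rng = random.Random(2024)   # seeded, so the game is reproducible offline

# Constructed toy key: Mersenne primes, far too special for real use.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537
D_PRIV = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # k = length of N in bytes (27 here)


def handbook_enc(pk, m):
    """Deterministic E_e: the message bytes, as an integer, raised to e."""
    n, e = pk
    return pow(int.from_bytes(m, "big"), e, n)


def pkcs1_encode(m, k):
    """EB = 00 || 02 || PS || 00 || M, |EB| = k, PS = k - |M| - 3 >= 8 nonzero random bytes."""
    if len(m) > k - 11:
        raise ValueError("message too long: need |M| <= k - 11")
    ps = bytes(rng.randrange(1, 256) for _ in range(k - len(m) - 3))
    return b"\x00\x02" + ps + b"\x00" + m


def pkcs1_decode(eb):
    """Strip the encoding; the first zero byte after PS marks where M starts."""
    if eb[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = eb.index(b"\x00", 2)
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return eb[sep + 1:]


def padded_enc(pk, m):
    """Randomized encryption: fresh padding makes every ciphertext of m different."""
    n, e = pk
    return pow(int.from_bytes(pkcs1_encode(m, K), "big"), e, n)


def padded_dec(sk, c):
    n, d = sk
    return pkcs1_decode(pow(c, d, n).to_bytes(K, "big"))


def cpa_game(enc, adversary, trials=200):
    """Simplified CPA game: oracle picks b and returns c = Enc(pk, m_b); the
    adversary guesses b. Returns the fraction of correct guesses."""
    pk = (N, E)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        m0, m1 = b"yes", b"no!"          # equal length, as the game requires
        c = enc(pk, (m0, m1)[b])
        wins += adversary(pk, m0, m1, c, enc) == b
    return wins / trials


def trivial_adversary(pk, m0, m1, c, enc):
    """The slide's attack: encrypt m_0 with pk and compare; decisive only when Enc is deterministic."""
    return 0 if enc(pk, m0) == c else 1
```

Against handbook RSA the adversary is right in every trial; against the randomized encoding its re-encryption never matches, so it always guesses 1 and is right about half the time, which is what the definition demands of a CPA-secure scheme.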
El Gamal encryption
El Gamal is another popular public-key encryption scheme.
It is based on the Diffie-Hellman key exchange. Let us look at it again now.
The Diffie-Hellman key exchange
G – a group where the discrete log is hard, q = |G|, g – a generator of G.
On security parameter 1^n: (G,g) ← H(1^n).
Alice: x ← Z_q, sends (G,g), q, h_1 = g^x to Bob.
Bob: y ← Z_q, sends h_2 = g^y to Alice.
Alice outputs k_A = (h_2)^x; Bob outputs k_B = (h_1)^y.
Idea
Let (G,g,q,g^x) be the public key of Alice, where (G,g) ← H(1^n) and x ← Z_q.
To encrypt a message m with the key of Alice “play the role of Bob”, i.e.:
1. select y ← Z_q and send h_2 = g^y to Alice,
2. calculate k = (h_1)^y,
3. we somehow have to encrypt m....
4. “encrypt it with k” and send it to Alice.
How to do it?
Simply set c := k · m.
Alice will also calculate k = (h_2)^x, and then calculate m := c · k^(-1).
El Gamal encryption - formally
Correctness of El Gamal encryption
El Gamal encryption – implementation issues
Which group to choose?
E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime.
The plaintext space is the set of integers {1,...,q}.
How to map an integer i ∈ {1,...,q} to QR(p)?
Just square: f(i) = i^2 mod p.
Why is it one-to-one? Remember this picture?
Z_7^* → QR_7 under f(x) = x^2 mod 7:
   1 → 1,  6 → 1
   2 → 4,  5 → 4
   3 → 2,  4 → 2
Observation
In Z_p^* the function f(x) = x^2 “glues” only the elements i and p-i:
   1 ... q | q+1 ... 2q
We take only the left half {1,...,q} (since p = 2q+1, for i ∈ {1,...,q} the partner p-i lies in {q+1,...,2q}).
The mapping
So f(i) = i^2 mod p is one-to-one (on {1,...,q}).
Is it also efficiently invertible?
Yes (but this fact is not trivial).
Public-key vs. private-key encryption
Private-key encryption has the following advantage: it is much more efficient.
Practical solution: combine both!
This is called hybrid encryption.
Hybrid encryption
Encrypt the symmetric key with a public-key encryption scheme:
   c_1 = Enc_pk(k), c_2 = Enc’_k(m); the ciphertext is (c_1, c_2).
How to decrypt?
   k = Dec_sk(c_1), then m = Dec’_k(c_2).
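El Gamal over QR(p) with the squaring map from the implementation-issues slides, followed by the hybrid construction above, as one added example that is not part of the lecture. Assumptions: the strong prime is found at run time by a seeded Miller-Rabin search so the script runs offline; the generator is g = 4 (any element other than 1 generates the prime-order group QR(p)); f is inverted with the square-root formula y^((p+1)/4), which applies because p = 2q+1 with q odd gives p ≡ 3 (mod 4); and Enc’ is a toy SHA-256 keystream XOR standing in for a real symmetric cipher (it is not a secure construction in itself). The key k carried by El Gamal is a 128-bit integer, which lies in the plaintext space {1,...,q} because q > 2^129.

```python
import hashlib
import random

rng = random.Random(8)  # seeded so the example is reproducible offline

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; probabilistic, fine for an example."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def strong_prime(bits):
    """Return (p, q) with q and p = 2q+1 both prime; q odd gives p = 3 (mod 4)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q

def encode(i, p, q):
    """f(i) = i^2 mod p, one-to-one from {1,...,q} onto QR(p): squaring glues only
    i and p-i, and exactly one of the pair lies in {1,...,q}."""
    if not 1 <= i <= q:
        raise ValueError("plaintext must lie in {1,...,q}")
    return pow(i, 2, p)

def decode(y, p, q):
    """Invert f: for p = 3 (mod 4), y^((p+1)/4) is a square root of y in QR(p);
    of the two roots r and p-r, return the one in {1,...,q}."""
    r = pow(y, (p + 1) // 4, p)
    return r if r <= q else p - r

def keygen(bits=131):
    """Alice's key: group QR(p) of prime order q, g = 4 = 2^2, h = g^x."""
    p, q = strong_prime(bits)
    g, x = 4, rng.randrange(1, q)
    return (p, q, g, pow(g, x, p)), x

def elgamal_enc(pk, m):
    """Play the role of Bob: fresh y, send g^y, mask f(m) with k = h^y."""
    p, q, g, h = pk
    y = rng.randrange(1, q)
    return pow(g, y, p), (encode(m, p, q) * pow(h, y, p)) % p

def elgamal_dec(pk, x, c):
    """Alice recomputes k = (g^y)^x and removes the mask: m = f^-1(c_2 * k^-1)."""
    p, q, _, _ = pk
    c1, c2 = c
    k = pow(c1, x, p)
    return decode((c2 * pow(k, -1, p)) % p, p, q)

def sym_xor(k, data):
    """Toy Enc'_k / Dec'_k (assumption: SHA-256 keystream XOR, not a real cipher)."""
    kb = k.to_bytes(16, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(kb + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def hybrid_enc(pk, message):
    """c_1 = Enc_pk(k) for a fresh 128-bit k, c_2 = Enc'_k(m)."""
    k = rng.getrandbits(128) | 1
    return elgamal_enc(pk, k), sym_xor(k, message)

def hybrid_dec(pk, x, ct):
    """k = Dec_sk(c_1), then m = Dec'_k(c_2)."""
    c1, c2 = ct
    return sym_xor(elgamal_dec(pk, x, c1), c2)
```

With p = 23 (q = 11) the squaring map can be checked by hand against the {1,...,q} picture above; the same encode/decode functions then serve the full-size group that keygen produces.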