Lecture 9
Public-Key Encryption II
Stefan Dziembowski www.dziembowski.net
MIM UW
30.11.12
ver 1.0

Plan
1. Discrete-log – a revision
2. Diffie-Hellman key exchange
3. ElGamal encryption
4. Practical considerations
Remember the exponentiation modulo a prime?

x:          0  1  2  3  4  5  6  7  8  9
2^x mod 11: 1  2  4  8  5 10  9  7  3  6

2 is a generator of Z_11^*.
Plan
1. Discrete-log – a revision
2. Diffie-Hellman key exchange
3. ElGamal encryption
4. Practical considerations

Discrete log

x:   0  1  2  3  4  5  6  7  8  9
g^x: 1  2  4  8  5 10  9  7  3  6

The function f(x) = g^x mod p is easy to compute. Its inverse f^-1 is believed to be hard to compute for large p; f^-1 is also denoted log_g and called the discrete logarithm.

Discrete log is hard in many other groups!
How to construct PKE based on the hardness of discrete log?

RSA was a trapdoor permutation, so the construction was quite easy...
In case of the discrete log, we just have a one-way function.

Diffie and Hellman constructed something weaker than PKE: a key exchange protocol (also called key agreement protocol).
We’ll now describe it. Then, we’ll show how to “convert it” into a PKE.
Key exchange

Alice and Bob initially share no secret. At the end Alice holds key k and Bob holds the same key k.
Eve listens. Eve should have no information about k.

We will formalize it later. Let’s first show the protocol.
The Diffie-Hellman Key exchange

G – a group, where discrete log is believed to be hard
q = |G|
g – a generator of G

Alice: x ← Z_q, sends h_1 = g^x to Bob.
Bob: y ← Z_q, sends h_2 = g^y to Alice.

Alice outputs k_A = (h_2)^x, equal to g^yx.
Bob outputs k_B = (h_1)^y, equal to g^xy.
Equal!
Security of the Diffie-Hellman exchange

Eve knows G, g, h_1 = g^x and h_2 = g^y.
Eve should have no information about g^yx.

Is it secure?

If the discrete log in G is easy then the DH key exchange is not secure (because the adversary can compute x from g^x and y from g^y).

If the discrete log in G is hard, then... it may also not be secure.
Quadratic Residues

Definition: a is a quadratic residue modulo p if there exists b such that a = b^2 mod p.
QR_p – the set of quadratic residues modulo p.
QR_p is a subgroup of Z_p^*.
QNR_p := Z_p^* \ QR_p

Observation
Let g be a generator of Z_p^*. Then QR_p = {g^2, g^4, ..., g^(p-1)}.

Example: QR_11 = {1,4,5,9,3}
1 = 1^2 = 10^2 (mod 11)
4 = 2^2 = 9^2 (mod 11)
9 = 3^2 = 8^2 (mod 11)
5 = 4^2 = 7^2 (mod 11)
3 = 5^2 = 6^2 (mod 11)
Another fact

Testing if x ∈ QR_p is easy even for large p.

Example: G = Z_p^*.
Alice: x ← Z_q, h_1 = g^x. Bob: y ← Z_q, h_2 = g^y. Key: g^yx.
x is even iff h_1 is a QR.
y is even iff h_2 is a QR.
Therefore: g^yx is a QR iff (h_1 is a QR) or (h_2 is a QR).
So, Eve can compute some information about g^yx (namely: if it is a QR, or not).

Is it a problem, or not?
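Added example, not from the lecture slides: the QR test from this slide, run over a toy Diffie-Hellman exchange in Z_11^* with g = 2 and then in the subgroup QR(11) with g = 4 = 2^2 (the toy values from the slides; function names are my own). It checks Eve's rule on every (x, y) pair and counts how many values the QR bit of the key takes: in Z_11^* the rule is always right and the bit varies, in QR(11) the bit is constant, so the QR test tells Eve nothing there.

```python
def is_qr(a, p):
    """Euler's criterion: a is a quadratic residue mod an odd prime p
    iff a^((p-1)/2) = 1 (mod p). Cheap even for large p."""
    return pow(a, (p - 1) // 2, p) == 1


def dh_run(p, g, x, y):
    """One run of Diffie-Hellman in the subgroup of Z_p^* generated by g.
    Eve sees (h1, h2); Alice and Bob both end up with the key g^(xy)."""
    h1, h2 = pow(g, x, p), pow(g, y, p)
    k_alice, k_bob = pow(h2, x, p), pow(h1, y, p)
    assert k_alice == k_bob  # (h2)^x = g^(yx) = g^(xy) = (h1)^y
    return h1, h2, k_alice


def eve_qr_guess(h1, h2, p):
    """Eve's rule from the slide: g^(xy) is a QR iff h1 is a QR or h2 is a QR."""
    return is_qr(h1, p) or is_qr(h2, p)


def qr_leak_survey(p, g, q):
    """Exhaustively run the protocol for every (x, y) in Z_q x Z_q.
    Returns (number of (x, y) pairs where Eve's rule is wrong,
             number of distinct values the QR bit of the key takes).
    A constant QR bit means Eve's test reveals nothing about the key."""
    wrong = 0
    key_bits = set()
    for x in range(q):
        for y in range(q):
            h1, h2, k = dh_run(p, g, x, y)
            k_is_qr = is_qr(k, p)
            wrong += eve_qr_guess(h1, h2, p) != k_is_qr
            key_bits.add(k_is_qr)
    return wrong, len(key_bits)


if __name__ == "__main__":
    # Toy parameters from the slides: 2 generates Z_11^* (order 10),
    # and 4 = 2^2 generates QR(11) = {1, 3, 4, 5, 9} (order 5).
    print("Z_11^*, g=2 :", qr_leak_survey(11, 2, 10))  # (0, 2): rule always right, bit varies
    print("QR(11), g=4 :", qr_leak_survey(11, 4, 5))   # (0, 1): bit constant, nothing leaked
```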
We need to
1. formalize what we mean by secure key exchange,
2. identify the assumptions needed to prove the security.
A, B – interactive probabilistic Turing machines (Alice and Bob). Both output key k.
“transcript” T: the sequence of exchanged messages.

Informal definition: (A,B) is secure if no “efficient adversary” can distinguish k from a random string of the same length, given T, with a “non-negligible advantage”.
How to formalize it?

Security parameter 1^n. A and B output keys k ∈ {0,1}^n, and T is the transcript.

We say (A,B) is a secure key-exchange protocol if:
the output of A and B is always the same, and
for every polynomial-time M that outputs 0 or 1,
| Prob[M(1^n,T,k) = 1] - Prob[M(1^n,T,r) = 1] |
is negligible in n, where r is random and |r| = n.
Problem

In practice often a fixed group is used.
In theory we need to have a new group G for every value of 1^n.
So, we need to define an algorithm that generates G and its generator g.

Remember the algorithm H?

Algorithm H: on input 1^n outputs:
– a description of G,
– order q of G such that |q| = n,
– a generator g of G.
How does the protocol look now?

Security parameter 1^n.
Alice: (G,g,q) ← H(1^n), x ← Z_q, sends (G,g,q,h_1 = g^x) to Bob.
Bob: y ← Z_q, sends h_2 = g^y to Alice.
Alice outputs k_A = (h_2)^x. Bob outputs k_B = (h_1)^y.

(Note that we cheat a bit because k is a “pseudorandom” group element, not a string of bits.)

If such a key exchange protocol is secure, we say that the Decisional Diffie-Hellman (DDH) problem is hard with respect to H.
An example of H where DDH is believed to be hard: QR(p)

H(1^n):
1. generate a random strong prime p of length n+1.
2. set q := (p-1)/2.
3. choose any x ∈ Z_p^* such that x ≠ ±1 (mod p).
4. set g := x^2 mod p.
5. output (p,g).

Other groups are also used (e.g. groups based on the elliptic curves).
How does DDH compare to the discrete log assumption?

DDH is hard w.r.t. H implies discrete log is hard w.r.t. H.
The opposite implication is unknown in most of the cases.
A problem

The protocols that we discussed are secure only against a passive adversary (that only eavesdrops).
What if the adversary is active?
She can launch a man-in-the-middle attack.

Man in the middle attack

Eve sits between Alice and Bob, telling Alice “I am Bob” and telling Bob “I am Alice”.
Alice ends up with key k (shared with Eve) and Bob with key k’ (shared with Eve).

A very realistic attack!

So, is this thing totally useless?
No! (it is useful as a building block)
Plan
1. Discrete-log – a revision
2. Diffie-Hellman key exchange
3. ElGamal encryption
4. Practical considerations
El Gamal encryption

El Gamal is another popular public-key encryption scheme.
It is based on the Diffie-Hellman key-exchange.

First observation

Remember that the one-time pad scheme can be generalized to any group?
E.g.: K = M = C = G, Enc(k,m) = m · k, Dec(k,m) = m · k^-1.

So, if k is the key agreed in the DH key exchange, then Alice can send a message m ∈ G to Bob “encrypting it with k” by setting:
c := m · k
How does it look now?

Security parameter 1^n.
Alice: (G,g,q) ← H(1^n), x ← Z_q, h_1 = g^x; sends (G,g,q,h_1) to Bob.
Bob (holding plaintext m): y ← Z_q, h_2 = g^y, c := m · (h_1)^y; sends h_2 and c to Alice.
Alice outputs m’ := c · (h_2)^-x.

Since (h_2)^x = (h_1)^y we get: m = m’.

The last two messages can be sent together:
Bob sends (c, h_2) := (m · (h_1)^y, g^y), and Alice outputs m’ := c · (h_2)^-x.
Remember the definition of the public key encryption?

A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec) of poly-time algorithms, where
Gen is a randomized key-generation algorithm that takes as input a security parameter 1^n and outputs a key pair (pk,sk),
Enc is an encryption algorithm that takes as input the public key pk and a message m, and outputs a ciphertext c,
Dec is a decryption algorithm that takes as input the private key sk and the ciphertext c, and outputs a message m’.
ElGamal encryption

In the protocol above: (G,g,q) ← H(1^n), x ← Z_q, h_1 = g^x is the key generation; (G,g,q,h_1) is the public key and x is the private key; y ← Z_q, (c, h_2) := (m · (h_1)^y, g^y) is the encryption of plaintext m; (c, h_2) is the ciphertext; m’ := c · (h_2)^-x is the decryption.
El Gamal encryption

Let H be such that DDH is hard with respect to H.

Gen(1^n) first runs H to obtain G, g and q. Then, it chooses x ← Z_q and computes h := g^x. (note: it is randomized by definition)
The public key is (G,g,q,h).
The private key is (G,g,q,x).

Enc((G,g,q,h), m) := (m · h^y, g^y), where m ∈ G and y is a random element of G.
Dec((G,g,q,x), (c_1,c_2)) := c_1 · c_2^-x
Correctness

h = g^x
Enc((G,g,q,h), m) = (m · h^y, g^y)
Dec((G,g,q,x), (c_1,c_2)) = c_1 · c_2^-x
                          = m · h^y · (g^y)^-x
                          = m · (g^x)^y · (g^y)^-x
                          = m · g^xy · g^-yx
                          = m
El Gamal encryption – implementation issues

Which group to choose?
E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime.

Plaintext space is a set of integers {1,...,q}.
How to map an integer i ∈ {1,...,q} to QR(p)?
Just square: f(i) = i^2 mod p.

Why is it one-to-one?

Remember this picture? Z_7^* = {1,...,6}, QR_7 = {1,2,4}, and f(x) = x^2 sends 1 and 6 to 1, 2 and 5 to 4, 3 and 4 to 2.

Observation
In Z_p^* the function f(x) = x^2 “glues” only the elements i and p-i.
Of 1 ... q, q+1 ... 2q we take only the first half, 1 ... q.

The mapping
So f(i) = i^2 mod p is one-to-one (on {1,...,q}).

Is it also efficiently invertible?
Yes (this was discussed on the previous lecture)
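The scheme of this section put together as an added example (my code, not the lecture's): algorithm H for QR(p) with a trial-division primality test (toy sizes only), the plaintext mapping i -> i^2 mod p and its inverse via the square root a^((p+1)/4) mod p (valid because a strong prime p is 3 mod 4), and Gen/Enc/Dec. The function names and toy key sizes are my own, and y is drawn from Z_q as in the protocol diagrams.

```python
import random
from math import isqrt

def is_prime(n):  # trial division: fine for toy sizes, not for real key sizes
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))

def H(n):
    """Algorithm H for QR(p): random strong prime p of n+1 bits, q = (p-1)/2,
    g = x^2 mod p for some x != +-1 (mod p), so g generates QR(p)."""
    while True:
        p = random.getrandbits(n + 1) | (1 << n) | 1   # odd, exactly n+1 bits
        q = (p - 1) // 2
        if q > 2 and is_prime(p) and is_prime(q):
            break
    x = random.randrange(2, p - 1)                     # x in Z_p^*, x != +-1
    return p, pow(x, 2, p), q

def encode(i, p):
    """Plaintext integer i in {1,...,q} -> QR(p), by squaring."""
    return pow(i, 2, p)

def decode(a, p, q):
    """Inverse of encode on {1,...,q}: p = 2q+1 with q odd is 3 (mod 4), so
    a^((p+1)/4) is a square root of a; of the roots r and p-r exactly one is <= q."""
    r = pow(a, (p + 1) // 4, p)
    return r if r <= q else p - r

def gen(n):
    p, g, q = H(n)
    x = random.randrange(q)        # x <- Z_q (toy: real keys need secrets.SystemRandom)
    return (p, g, q, pow(g, x, p)), (p, g, q, x)       # (public key, private key)

def enc(pk, m):
    p, g, q, h = pk
    y = random.randrange(q)                            # fresh y <- Z_q per message
    return m * pow(h, y, p) % p, pow(g, y, p)          # (m * h^y, g^y)

def dec(sk, c):
    p, g, q, x = sk
    c1, c2 = c
    return c1 * pow(c2, -x, p) % p                     # c1 * c2^(-x) (pow with -x needs Python 3.8+)

def roundtrip(n, i):
    """Keys for security parameter n, then encrypt and decrypt the integer i <= q."""
    pk, sk = gen(n)
    p, q = pk[0], pk[2]
    return decode(dec(sk, enc(pk, encode(i, p))), p, q)
```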
Plan
1. Discrete-log – a revision
2. Diffie-Hellman key exchange
3. ElGamal encryption
4. Practical considerations
El Gamal vs. RSA

• In practice RSA and ElGamal (in Z_p^*) have similar security for equivalent key lengths.
• RSA is slightly more efficient.
• ElGamal has a ciphertext twice as long as the plaintext. But ElGamal can be generalized to other groups (e.g. the elliptic curves) where it is much more efficient!
Recommended key length

From the web-page of the RSA laboratories:

“RSA Laboratories currently recommends key sizes of 1024 bits for corporate use and 2048 bits for extremely valuable keys like the root key pair used by a certifying authority. Several recent standards specify a 1024-bit minimum for corporate use.”
How to encrypt longer messages?

Two methods:
1. divide the message in blocks and encrypt each block separately.
2. combine the public-key encryption with the private-key encryption.

Public key vs. private key encryption

Private-key encryption has the following advantage: it is much more efficient.
Practical solution: combine both!
It is called: the hybrid encryption.

Hybrid encryption

Encrypt the symmetric key with a public-key encryption scheme.
Inputs: message m, symmetric key k, public key pk.
c_1 := Enc_pk(k)
c_2 := Enc’_k(m)
ciphertext: (c_1, c_2)

How to decrypt?
Given the ciphertext (c_1, c_2) and sk:
k := Dec_sk(c_1)
m := Dec’_k(c_2)
© 2011 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.