Lecture 9 Public-Key Encryption II Stefan Dziembowski www.dziembowski.net MIM UW 30.11.12 ver 1.0 Plan: 1. Discrete-log – a revision 2. Diffie-Hellman key exchange 3. ElGamal encryption 4. Practical considerations.



30.11.12

Lecture 9

Public-Key Encryption II

Stefan Dziembowski www.dziembowski.net

MIM UW

ver 1.0

Plan

1. Discrete-log – a revision 2. Diffie-Hellman key exchange 3. ElGamal encryption 4. Practical considerations

Remember the exponentiation modulo a prime?

[Figure: the ten elements of Z_11^* arranged in a circle in the order 2^0, 2^1, ..., 2^9 mod 11]

x          | 0 | 1 | 2 | 3 | 4 | 5  | 6 | 7 | 8 | 9
2^x mod 11 | 1 | 2 | 4 | 8 | 5 | 10 | 9 | 7 | 3 | 6

2 is a generator of Z_11^*

Plan

1. Discrete-log – a revision 2. Diffie-Hellman key exchange 3. ElGamal encryption 4. Practical considerations

x   | 0 | 1 | 2 | 3 | 4 | 5  | 6 | 7 | 8 | 9
g^x | 1 | 2 | 4 | 8 | 5 | 10 | 9 | 7 | 3 | 6

Discrete log is hard in many other groups!

Discrete log

Function f(x) = g^x mod p is easy to compute.

f^-1 is believed to be hard to compute for large p.

f^-1 is also denoted log_g and called the discrete logarithm.

How to construct PKE based on the hardness of discrete log?

RSA was a trapdoor permutation, so the construction was quite easy...

In case of the discrete log, we just have a one-way function.

Diffie and Hellman constructed something weaker than PKE: a key exchange protocol (also called key agreement protocol).

We’ll now describe it. Then, we’ll show how to “convert it” into a PKE.

Key exchange

Alice                                          Bob
(initially they share no secret)
output: key k                                  output: key k

Eve listens.

Eve should have no information about k.

We will formalize it later. Let’s first show the protocol.

The Diffie-Hellman Key exchange

G – a group, where discrete log is believed to be hard
q = |G|
g – a generator of G

Alice                                          Bob
x ← Z_q                                        y ← Z_q
                 h_1 = g^x  →
                 ←  h_2 = g^y
output: k_A = (h_2)^x                          output: k_B = (h_1)^y
equal to: g^yx                                 equal to: g^xy

equal!

Security of the Diffie-Hellman exchange

Eve knows G, g, h_1 = g^x and h_2 = g^y.

Eve should have no information about g^yx.

Is it secure?

If the discrete log in G is easy then the DH key exchange is not secure (because the adversary can compute x from g^x and y from g^y).

If the discrete log in G is hard, then... it may also not be secure!

Quadratic Residues

Definition: a is a quadratic residue modulo p if there exists b such that a = b^2 mod p.

QR_p – the set of quadratic residues modulo p. QR_p is a subgroup of Z_p^*.

QNR_p := Z_p^* \ QR_p

Observation: Let g be a generator of Z_p^*. Then QR_p = {g^2, g^4, ..., g^(p-1)}.

Example: QR_11 = {1, 4, 5, 9, 3}

square roots modulo 11:
  1 = 1^2 = 10^2
  4 = 2^2 = 9^2
  9 = 3^2 = 8^2
  5 = 4^2 = 7^2
  3 = 5^2 = 6^2

Another fact

Testing if x ∈ QR_p is easy even for large p.

Example: G = Z_p^*

Alice                                          Bob
x ← Z_q                                        y ← Z_q
                 h_1 = g^x  →
                 ←  h_2 = g^y
                    g^yx ?

x is even iff h_1 is a QR
y is even iff h_2 is a QR

Therefore: g^yx is a QR iff (h_1 is a QR) or (h_2 is a QR).

So, Eve can compute some information about g^yx (namely: if it is a QR, or not).

Is it a problem, or not?

We need to
1. formalize what we mean by secure key exchange,
2. identify the assumptions needed to prove the security.

A – interactive probabilistic Turing machine (Alice, outputs key k)
B – interactive probabilistic Turing machine (Bob, outputs key k)

“transcript” T: the sequence of exchanged messages

Informal definition: (A,B) is secure if no “efficient adversary” can distinguish, with a “non-negligible advantage”, k from random, given T.

Given T: key k, or a random string of the same length?

How to formalize it?

security parameter 1^n

A  ←T→  B
key k ∈ {0,1}^n                key k ∈ {0,1}^n

We say (A,B) is a secure key-exchange protocol if:
– the output of A and B is always the same, and
– for every polynomial-time M that outputs 0 or 1,
  | Prob[M(1^n, T, k) = 1] - Prob[M(1^n, T, r) = 1] |
  is negligible in n, where r is random and |r| = n.

Problem

In practice often a fixed group is used.

In theory we need to have a new group G for every value of 1^n.

So, we need to define an algorithm that generates G and its generator g.

Remember the algorithm H?

Algorithm H: on input 1^n outputs:
– a description of G,
– order q of G such that |q| = n,
– a generator g of G.

How does the protocol look now?

security parameter 1^n

Alice                                          Bob
(G,g,q) ← H(1^n)
x ← Z_q
                 G, g, q, h_1 = g^x  →         y ← Z_q
                 ←  h_2 = g^y
output: k_A = (h_2)^x                          output: k_B = (h_1)^y

(Note that we cheat a bit because k is a “pseudorandom” group element, not a string of bits.)

If such a key exchange protocol is secure, we say that: the Decisional Diffie-Hellman (DDH) problem is hard with respect to H.

An example of H where DDH is believed to be hard: QR(p)

H(1^n):
1. generate a random strong prime p of length n+1.
2. set q := (p-1)/2.
3. choose any x ∈ Z_p^* such that x ≠ ±1 (mod p).
4. set g := x^2 mod p.
5. output (p,g).
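A toy implementation of the generator H above, added here as an example; it is not the lecture's code. Step 1 is realised by sampling an n-bit candidate q and testing whether p = 2q+1 is prime (a strong prime found this way automatically satisfies step 2), primality is decided with Miller-Rabin, and the output also returns q for convenience. `check_group` is the sanity check a verifier would run on published (p, q, g). The bit lengths used below are far too small for real use and exist only so the example runs instantly; `is_probable_prime`, `check_group` and the `rng` parameter are this example's own.

```python
import random


def is_probable_prime(n: int, rounds: int = 32, rng=random) -> bool:
    """Miller-Rabin primality test: a composite n passes all rounds with probability < 4^-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):   # trial division first
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:                                         # write n-1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                                      # a is a witness of compositeness
    return True


def H(n: int, rng=random.SystemRandom()):
    """H(1^n): (p, q, g) with p a strong prime of n+1 bits, q = (p-1)/2 an n-bit prime,
    and g = x^2 mod p for some x != ±1, so g generates QR(p), the subgroup of order q."""
    if n < 2:
        raise ValueError("need n >= 2")
    while True:
        # steps 1-2: pick an n-bit odd q and keep it only if both q and p = 2q+1 are prime
        q = rng.getrandbits(n) | (1 << (n - 1)) | 1
        if not is_probable_prime(q, rng=rng):
            continue
        p = 2 * q + 1
        if is_probable_prime(p, rng=rng):
            break
    # steps 3-4: any x in Z_p^* with x != ±1 (mod p) gives a generator g = x^2 of QR(p)
    x = rng.randrange(2, p - 1)
    g = x * x % p
    return p, q, g                                            # step 5 (q added for convenience)


def check_group(p: int, q: int, g: int) -> bool:
    """Checks on received parameters: p = 2q+1 with p and q prime, 1 < g < p, and g^q = 1 (mod p),
    i.e. g lies in QR(p); as q is prime, a non-identity element of QR(p) has order exactly q."""
    return (p == 2 * q + 1 and is_probable_prime(p) and is_probable_prime(q)
            and 1 < g < p and pow(g, q, p) == 1)


if __name__ == "__main__":
    p, q, g = H(32)
    print(f"p = {p} ({p.bit_length()} bits), q = {q} ({q.bit_length()} bits), g = {g}")
    print("parameters pass check_group:", check_group(p, q, g))
```

The order check in `check_group` is what protects the protocol from parameters that look right but generate a different (or much smaller) group: g^q = 1 together with q prime pins the order of g to q, which is the precondition for the DDH assumption on QR(p) to mean anything.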

Other groups are also used (e.g. groups based on the elliptic curves).

How does DDH compare to the discrete log assumption?

DDH is hard w.r.t. H  ⟹  discrete log is hard w.r.t. H

The opposite implication is unknown in most cases.

A problem

The protocols that we discussed are secure only against a passive adversary (that only eavesdrops).

What if the adversary is active? She can launch a man-in-the-middle attack.

Man in the middle attack

Alice              Eve (“I am Bob” to Alice, “I am Alice” to Bob)              Bob
key k              key k                key k’                                 key k’

A very realistic attack!

So, is this thing totally useless? No! (it is useful as a building block)

Plan

1. Discrete-log – a revision 2. Diffie-Hellman key exchange 3. ElGamal encryption 4. Practical considerations

El Gamal encryption

El Gamal is another popular public-key encryption scheme.

It is based on the Diffie-Hellman key-exchange.

First observation

Remember that the one-time pad scheme can be generalized to any group?

E.g.: K = M = C = G
• Enc(k,m) = m · k
• Dec(k,c) = c · k^-1

So, if k is the key agreed in the DH key exchange, then Alice can send a message m ∈ G to Bob “encrypting it with k” by setting: c := m · k

How does it look now?

security parameter 1^n

Alice                                          Bob
(G,g,q) ← H(1^n)
x ← Z_q
                 (G, g, q, h_1 = g^x)  →       y ← Z_q
                                               plaintext m
                 ←  h_2 = g^y
                 ←  c := m · (h_1)^y
output: m’ := c · (h_2)^-x

since (h_2)^x = (h_1)^y we get: m = m’

The last two messages can be sent together

Alice                                          Bob
(G,g,q) ← H(1^n)
x ← Z_q
                 (G, g, q, h_1 = g^x)  →       y ← Z_q
                                               plaintext m
                 ←  (c, h_2) := (m · (h_1)^y, g^y)
output: m’ := c · (h_2)^-x

Remember the definition of the public key encryption?

A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec) of poly-time algorithms, where
• Gen is a randomized key-generation algorithm that takes as input a security parameter 1^n and outputs a key pair (pk,sk),
• Enc is an encryption algorithm that takes as input the public key pk and a message m, and outputs a ciphertext c,
• Dec is a decryption algorithm that takes as input the private key sk and the ciphertext c, and outputs a message m’.

ElGamal encryption

security parameter 1^n

Alice                                          Bob
key generation: (G,g,q) ← H(1^n), x ← Z_q
private key: x
                 public key (G, g, q, h_1 = g^x)  →
                                               encryption: y ← Z_q, plaintext m
                 ←  ciphertext (c, h_2) := (m · (h_1)^y, g^y)
decryption: output m’ := c · (h_2)^-x

El Gamal encryption

Let H be such that DDH is hard with respect to H.

Gen(1^n) first runs H to obtain G, g and q. Then, it chooses x ← Z_q and computes h := g^x. (note: it is randomized by definition)
The public key is (G,g,q,h). The private key is (G,g,q,x).

Enc((G,g,q,h), m) := (m · h^y, g^y), where m ∈ G and y is a random element of G.

Dec((G,g,q,x), (c_1,c_2)) := c_1 · c_2^-x

Correctness

h = g^x
Enc((G,g,q,h), m) = (m · h^y, g^y)
Dec((G,g,q,x), (c_1,c_2)) = c_1 · c_2^-x
  = m · h^y · (g^y)^-x
  = m · (g^x)^y · (g^y)^-x
  = m · g^xy · g^-yx
  = m

El Gamal encryption – implementation issues

Which group to choose? E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime.

Plaintext space is a set of integers {1,...,q}.

How to map an integer i ∈ {1,...,q} to QR(p)? Just square: f(i) = i^2 mod p.

Why is it one-to-one?

Remember this picture?

Z_7^*: 1 2 3 4 5 6   --f(x) = x^2-->   QR_7: 1 2 4
(1 and 6 map to 1, 2 and 5 map to 4, 3 and 4 map to 2)

Observation: In Z_p^* the function f(x) = x^2 “glues” only the elements i and p-i.

1 ... q | q+1 ... 2q        we take only this (the left half, {1,...,q})

The mapping: So f(i) = i^2 mod p is one-to-one (on {1,...,q}).

Is it also efficiently invertible? Yes (this was discussed on the previous lecture).
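ElGamal over QR(p) with the squaring map of the last slides, as an added example that is not the lecture's code. It covers Gen, Enc and Dec as defined above (y is drawn from Z_q, as in the protocol diagrams), the encoding f(i) = i^2 mod p of a plaintext integer i ∈ {1,...,q}, and its inverse. The strong prime p = 1019 (q = 509) and g = 2^2 are constructed toy parameters; the square root is computed as a^((p+1)/4), which is this example's own choice and relies on p ≡ 3 (mod 4), a condition the slides do not state. Decryption uses c_2^(q-x) in place of c_2^-x, valid because every element of QR(p) has order dividing q.

```python
import random

P, Q = 1019, 509          # constructed toy strong prime p = 2q + 1
G = pow(2, 2, P)          # g = x^2 mod p with x = 2 != ±1, so g generates QR(p)
assert P == 2 * Q + 1 and P % 4 == 3


def gen(rng=random.SystemRandom()):
    """Gen: x ← Z_q, h := g^x. Returns pk = (p, g, q, h) and sk = (p, g, q, x)."""
    x = rng.randrange(Q)
    return (P, G, Q, pow(G, x, P)), (P, G, Q, x)


def enc(pk, m: int, rng=random.SystemRandom()):
    """Enc(pk, m) = (m · h^y, g^y) for m in QR(p) and a fresh y ← Z_q per message."""
    p, g, q, h = pk
    y = rng.randrange(q)
    return m * pow(h, y, p) % p, pow(g, y, p)


def dec(sk, ct) -> int:
    """Dec(sk, (c1, c2)) = c1 · c2^-x.  c2 = g^y lies in QR(p), whose order is q, so c2^-x = c2^(q-x)."""
    p, g, q, x = sk
    c1, c2 = ct
    return c1 * pow(c2, q - x, p) % p


def encode(i: int) -> int:
    """f(i) = i^2 mod p maps the plaintext space {1,...,q} into QR(p); one-to-one on that range."""
    if not 1 <= i <= Q:
        raise ValueError("plaintext must lie in {1,...,q}")
    return i * i % P


def decode(a: int) -> int:
    """Invert f. For p ≡ 3 (mod 4), a^((p+1)/4) is a square root of a in QR(p);
    of the two roots r and p-r exactly one lies in {1,...,q} (the 'left half' of the picture)."""
    r = pow(a, (P + 1) // 4, P)
    if r * r % P != a:
        raise ValueError("not a quadratic residue modulo p")
    return r if r <= Q else P - r


def roundtrip(i: int, seed: int = 7) -> int:
    """Encode, encrypt, decrypt and decode a plaintext integer; returns i again when everything is consistent."""
    rng = random.Random(seed)          # seeded only so the demo is reproducible
    pk, sk = gen(rng)
    return decode(dec(sk, enc(pk, encode(i), rng)))


if __name__ == "__main__":
    pk, sk = gen()
    c = enc(pk, encode(42))
    print("ciphertext (two group elements, twice the plaintext size):", c)
    print("decrypted plaintext:", decode(dec(sk, c)))
    print("f is one-to-one on {1,...,q}:", len({encode(i) for i in range(1, Q + 1)}) == Q)
```

The ciphertext is a pair of group elements while the plaintext is a single one, which is the "twice as long" cost noted in the ElGamal vs. RSA comparison later in the lecture.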

Plan

1. Discrete-log – a revision 2. Diffie-Hellman key exchange 3. ElGamal encryption 4. Practical considerations

El Gamal vs. RSA

• In practice RSA and ElGamal (in Z_p^*) have similar security for equivalent key lengths.
• RSA is slightly more efficient: ElGamal has a ciphertext twice as long as the plaintext.
• But ElGamal can be generalized to other groups (e.g. the elliptic curves) where it is much more efficient!

Recommended key length

From the web-page of the RSA laboratories:

RSA Laboratories currently recommends key sizes of 1024 bits for corporate use and 2048 bits for extremely valuable keys like the root key pair used by a certifying authority. Several recent standards specify a 1024-bit minimum for corporate use.

How to encrypt longer messages?

Two methods:
1. divide the message in blocks and encrypt each block separately.
2. combine the public-key encryption with the private-key encryption.

Public key vs. private key encryption

Private-key encryption has the following advantage: it is much more efficient.

Practical solution: combine both!

It is called: the hybrid encryption.

Hybrid encryption

Encrypt the symmetric key with a public-key encryption scheme.

k, pk  →  Enc_pk   →  c_1 := Enc_pk(k)
m, k   →  Enc’_k   →  c_2 := Enc’_k(m)
ciphertext: (c_1, c_2)

How to decrypt?

c_1, sk  →  Dec_sk  →  k
c_2, k   →  Dec’_k  →  m
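The hybrid scheme of the diagram above, as an added example that is not the lecture's code. Enc_pk is ElGamal over QR(p) with the same constructed toy parameters as before (p = 1019, q = 509, g = 4); the symmetric key k is a fresh random element of QR(p), so it needs no integer encoding. Enc’_k is a constructed symmetric scheme chosen for this example: a SHA-256 keystream XORed into the message, followed by an HMAC-SHA256 tag (encrypt-then-MAC), with both symmetric keys derived from k by hashing. Decryption rejects any ciphertext whose tag does not verify. All function names and the key-derivation labels are this example's own.

```python
import hashlib
import hmac
import random

P, Q, G = 1019, 509, 4        # constructed toy strong prime p = 2q+1 and generator g = 2^2 of QR(p)


def elgamal_gen(rng):
    x = rng.randrange(Q)
    return (P, G, Q, pow(G, x, P)), (P, G, Q, x)


def elgamal_enc(pk, m: int, rng):
    p, g, q, h = pk
    y = rng.randrange(q)
    return m * pow(h, y, p) % p, pow(g, y, p)


def elgamal_dec(sk, ct) -> int:
    p, g, q, x = sk
    c1, c2 = ct
    return c1 * pow(c2, q - x, p) % p        # c2 has order dividing q, so c2^-x = c2^(q-x)


def derive_keys(k: int):
    """Turn the group element k into separate encryption and MAC keys (32 bytes each)."""
    kb = k.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"enc|" + kb).digest(), hashlib.sha256(b"mac|" + kb).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-style stream: block i = SHA-256(key || i), truncated to the requested length."""
    out = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range((length + 31) // 32))
    return out[:length]


def sym_enc(k: int, m: bytes) -> bytes:
    """Enc'_k(m): XOR with the keystream, then append an HMAC tag over the ciphertext body."""
    enc_key, mac_key = derive_keys(k)
    body = bytes(a ^ b for a, b in zip(m, keystream(enc_key, len(m))))
    return body + hmac.new(mac_key, body, "sha256").digest()


def sym_dec(k: int, c: bytes) -> bytes:
    """Dec'_k(c): verify the tag in constant time before touching the body."""
    enc_key, mac_key = derive_keys(k)
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, "sha256").digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(body, keystream(enc_key, len(body))))


def hybrid_enc(pk, m: bytes, rng):
    """(c_1, c_2) := (Enc_pk(k), Enc'_k(m)) for a fresh random k in QR(p)."""
    r = rng.randrange(2, P - 1)
    k = r * r % P                             # random quadratic residue, r != ±1
    return elgamal_enc(pk, k, rng), sym_enc(k, m)


def hybrid_dec(sk, ct) -> bytes:
    """k := Dec_sk(c_1), then m := Dec'_k(c_2)."""
    c1, c2 = ct
    return sym_dec(elgamal_dec(sk, c1), c2)


def detects_tampering(sk, ct) -> bool:
    """True iff flipping one bit of c_2 makes decryption fail, as the tag is meant to guarantee."""
    c1, c2 = ct
    try:
        hybrid_dec(sk, (c1, bytes([c2[0] ^ 1]) + c2[1:]))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rng = random.SystemRandom()
    pk, sk = elgamal_gen(rng)
    ct = hybrid_enc(pk, b"a long message costs two group elements plus its own length", rng)
    print(hybrid_dec(sk, ct), detects_tampering(sk, ct))
```

Only c_1 grows with the public-key scheme's parameters; c_2 is the message length plus a fixed tag, so the expensive ElGamal operation is paid once per message regardless of how long the message is.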

© 2011 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for

personal or classroom use, are not distributed for profit or commercial advantage, and

that new copies bear this notice and the full citation.