Cryptography

Lecture 8

Stefan Dziembowskiwww.dziembowski.net

stefan@dziembowski.net

Plan

1. Insecurity of the “handbook RSA”

2. Formal security definitions

3. Improved version of RSA

4. El Gamal encryption

5. Hybrid encryption

The “handbook” RSA function

N = pq, such that p and q are large distinct primes

e is such that gcd(e, φ(N)) = 1

d is such that ed = 1 (mod φ(N))

Ee: ZN* → ZN

* is defined as:

E(m) = me mod N.

Dd: ZN* → ZN

* is defined as:

D(c) = cd mod N.

Correctness:

Dd(Ee(m)) = (me)d = med = m

φ(N)) = (p-1)(q-1).

public key:(N,e)

private key:(N,d)

Problems

1. Ee is deterministic, so:– if one encrypts twice the same message then the

ciphertexts are the same– therefore it is completely insecure if the message

space M is small,because the adversary can check all possible messages:given a ciphertext c do:

for every m є M check if Ee (m) = c

for example if M={yes,no}, then the encryption is not secure.

2. RSA has some “algebraic properties”.

Algebraic properties of RSA

1. RSA is homorphic:Ee(m0 · m1) = (m0 · m1)e

= m0e · m1

e

= Ee(m0) · Ee(m1)why is it bad?

By checking ifc0 · c1 = c

the adversary can detect ifDd(c0) · Dd(c1) = Dd(c).

2. The “Jacobi symbol” leaks.

What is “Jacobi symbol”

If p is prime then

Jp(x) = +1 if x is a quadratic residue modulo p -1 otherwise

If n = pq (where p and q are prime) then

Jn(x) = Jp(x) · Jq(x)

The Jacobi symbol

n = pq

From CRT Zn* can be depicted as follows:

+1 -1

-1 +1

QRpnot QRp

not QRq

QRq

By the way:

only these are quadratic residues

modulo n

How to compute the Jacobi symbol

Jacobi symbol (in Zn*) can be efficiently computed if the factorization of n is known (this is easy).

What if the factorization is unknown?

It can also be efficiently computed (but the algorithm is not that trivial).

Fact Ee – encryption function of the RSAThen:

Jn(Ee(m)) = Jn(m)

ProofLeft-hand-side:

Jn(Ee(m)) = Jp(Ee(m)) · Jq(Ee(m)) Right-hand-side:

Jn(m) = Jp(m) · Jq(m)

Therefore it is enough to prove that:

Jp(Ee(m)) = Jp(m) and

Jq(Ee(m)) = Jq(m).

Since p and q are symmetric we can just prove it for p.

We have to show thatJp(Ee(m)) = Jp(m)

In other words:Ee(m) is a QRp

iff m is a QRp

Now observe that e is always odd (because gcd(e,(p-1)(q-1)) = 1).

To finish the proof we need to show that for an odd e:

me mod p is a QRp iff

m mod p is a QRp

This is equal tome mod p

For an odd e:me mod p is a QRp

iff m mod p is a QRp

Let g be the generator of Zp*.Recall that x is a QRp iff x is an even power of gIt is easy to see that

me mod p is an even power of g iff

m mod p is an even power of g.

Hence we are done.

Conclusion

The Jacoby symbol “leaks”, i.e.:from c

one can compute Jn(Dd(c))(without knowing the factorization of n)

Is it a big problem?

Depends on the application...

Question: Is RSA secure?

Looks like it has some weaknesses...

Plan:

1. Provide a formal security definition.

2. Modify RSA so that it is secure according to this definition.

A public-key encryption scheme

The security definition

Remember the symmetric-key case?

We considered a chosen-plaintext attack.

How would it look in the case of the public-key encryption?

A chosen-plaintext attack (CPA)

oracle

chooses m’1 m’1

c1 = Enc(pk,m’1)

has to guess b

chooses m’t m’t

ct = Enc(pk,m’t)

m0,m1

c = Enc(pk,mb)

chooses m0,m1

the interaction continues . . .

security parameter1n

1. selects random (pk,sk) = Gen(1n)

2. chooses a random b = 0,1

. . .challenge phase:

pk

This is notneeded.

Why?Because if Eve knows pk she can compute all these ciphertexts herself!

A simplified view

oracle

has to guess b

m0,m1

c = Enc(pk,mb)

chooses m0,m1

security parameter1n

1. selects random (pk,sk) = Gen(1n)

2. chooses a random b = 0,1

challenge phase:

pk

CPA-security

Security definition:

We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) if any

randomized polynomial time adversary

guesses b correctly

with probability at most 0.5 + ε(n), where ε is negligible.

Alternative name: CPA-secure

What about the multiple encryptions?

What if the users use several times the same public key?

The game between the adversary and the oracle needs to be modified:

We will allow the adversary to choose vectors if messages• M0 = (m0

1,..., m0t),

• M1 = (m11,..., m1

t)such that for each i we have

|m1i| = |m0

i|.Then the oracle will output

(c1,...,ct) := Enc(pk,mb1),..., Enc(pk,mb

t)

Multiple messages experiment

oracle

has to guess b

(m01,..., m0

t),(m1

1,..., m1t)

Enc(pk,mb1),...,Enc(pk,mb

t)

security parameter1n

1. selects random (pk,sk) = Gen(1n)

2. chooses a random b = 0,1

challenge phase:

pk

CPA-security with multiple encryptions

Security definition:

We say that (Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA) if any

randomized polynomial time adversary

guesses b correctly

with probability at most 0.5 + ε(n), where ε is negligible.

Fact

It can be proven that these two notions are equivalent, i.e.:

(Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA)

iff

(Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA).

Is the “handbook RSA” secure?

No!In fact:No deterministic encryption scheme is secure.

How can the adversary win the game?

Trivial attack: 1. he just chooses any m0,m1 , 2. computes c0=Enc(pk,m0) himself3. compares the result.

Moral: encryption has to be randomized.

Encoding

Therefore, before encrypting a message we usually encode it (adding some randomness).

This has the following advantages:

• makes the encryption non-deterministic

• breaks the “algebraic properties” of encryption.

How is it done in real-life?PKCS #1: RSA Encryption Standard Version 1.5:

public-key: (N,e)let k := length on N in bytes.let D := length of the plaintextrequirement: D ≤ k - 11.

Enc((N,e), m) := xe mod N, where x is equal to

00000000 00000001 r 00000000 m

(k - D - 3) random bytes D bytes

k bytes

Security of the PKCS #1: RSA Encryption Standard Version 1.5.

It is believed to be CPA-secure.

It has however some weaknesses (it is not “chosen-ciphertext secure”).

Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding.

(we will discuss it later)

El Gamal encryption

El Gamal is another popular public-key encryption scheme.

It is based on the Diffie-Hellman key-exchange.

Let us look at it again now.

The Diffie-Hellman Key exchangeG – a group, where discrete log is hardq = |G|g – a generator of G

Alice Bob

x ← Zq

y ← Zq

h2 = gy

security parameter 1n

(G,g),q, h1 = gx

(G,g) ← H(1n)

output:kA=(h2)x

output:kB=(h1)y

Idea

x ← Zq

security parameter 1n

(G,g,q,gx)

(G,g) ← H(1n)

Let this be the public key of Alice

To encrypt a message m with the key of Alice “play the role of Bob”, i.e.:

1. select y ← Zq and send h2 = gy to Alice2. calculate k = (h1)y

3. we have somehow to encrypt m....4. “encrypt it with k” and send to Alice.How to do it? Simply set c := k · m.Alice will also calculate k = (h2)x, and calculate m := c · k-1.

El Gamal encryption - formally

Correctness of El Gamal encryption

El Gamal encryption – implementation issues

Which group to choose?

E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime.

Plaintext space is a set of integers {1,...,q}.

How to map an integer i є {1,...,q} to QR(p)?

Just square: f(i) = i2 mod p.

Why is it one-to-one?

Remember this picture?

1

2

3

4

5

6

1

Z7*:

QR7:

2 4

f(x) = x2

Observation

In Zp* the function f “glues” only the elements i and p-i

f(x) = x21

...

q

q+1

...

2q

we take only this

The mapping

Sof(i) = i2 mod p

is one-to-one (on {1,...,q}).

Is it also efficiently invertible?

Yes (but this fact is not trivial)

Public key vs. private key encryption

Private-key encryption has a following advantage:

it is much more efficient.

Practical solution:

combine both!

It is called: the hybrid encryption.

Hybrid encryption

Encrypt the symmetric key with a public-key encryption scheme.

EncpkEnc’k

k m

pk

c1 c2

random

private key enc.

public key enc.

ciphertext

How to decrypt?

EncpkEnc’k

k

m

pk

c1 c2ciphertext