Lecture 15 Private Information Retrieval Stefan Dziembowski MIM UW 25.01.13ver 1.0.
Cryptography Lecture 8 Stefan Dziembowski [email protected].
-
Upload
joseph-kelly -
Category
Documents
-
view
227 -
download
2
Transcript of Cryptography Lecture 8 Stefan Dziembowski [email protected].
Plan
1. Insecurity of the “handbook RSA”
2. Formal security definitions
3. Improved version of RSA
4. El Gamal encryption
5. Hybrid encryption
The “handbook” RSA function
N = pq, such that p and q are large distinct primes
e is such that gcd(e, φ(N)) = 1
d is such that ed = 1 (mod φ(N))
Ee: ZN* → ZN
* is defined as:
E(m) = me mod N.
Dd: ZN* → ZN
* is defined as:
D(c) = cd mod N.
Correctness:
Dd(Ee(m)) = (me)d = med = m
φ(N)) = (p-1)(q-1).
public key:(N,e)
private key:(N,d)
Problems
1. Ee is deterministic, so:– if one encrypts twice the same message then the
ciphertexts are the same– therefore it is completely insecure if the message
space M is small,because the adversary can check all possible messages:given a ciphertext c do:
for every m є M check if Ee (m) = c
for example if M={yes,no}, then the encryption is not secure.
2. RSA has some “algebraic properties”.
Algebraic properties of RSA
1. RSA is homorphic:Ee(m0 · m1) = (m0 · m1)e
= m0e · m1
e
= Ee(m0) · Ee(m1)why is it bad?
By checking ifc0 · c1 = c
the adversary can detect ifDd(c0) · Dd(c1) = Dd(c).
2. The “Jacobi symbol” leaks.
What is “Jacobi symbol”
If p is prime then
Jp(x) = +1 if x is a quadratic residue modulo p -1 otherwise
If n = pq (where p and q are prime) then
Jn(x) = Jp(x) · Jq(x)
The Jacobi symbol
n = pq
From CRT Zn* can be depicted as follows:
+1 -1
-1 +1
QRpnot QRp
not QRq
QRq
By the way:
only these are quadratic residues
modulo n
How to compute the Jacobi symbol
Jacobi symbol (in Zn*) can be efficiently computed if the factorization of n is known (this is easy).
What if the factorization is unknown?
It can also be efficiently computed (but the algorithm is not that trivial).
Fact Ee – encryption function of the RSAThen:
Jn(Ee(m)) = Jn(m)
ProofLeft-hand-side:
Jn(Ee(m)) = Jp(Ee(m)) · Jq(Ee(m)) Right-hand-side:
Jn(m) = Jp(m) · Jq(m)
Therefore it is enough to prove that:
Jp(Ee(m)) = Jp(m) and
Jq(Ee(m)) = Jq(m).
Since p and q are symmetric we can just prove it for p.
We have to show thatJp(Ee(m)) = Jp(m)
In other words:Ee(m) is a QRp
iff m is a QRp
Now observe that e is always odd (because gcd(e,(p-1)(q-1)) = 1).
To finish the proof we need to show that for an odd e:
me mod p is a QRp iff
m mod p is a QRp
This is equal tome mod p
For an odd e:me mod p is a QRp
iff m mod p is a QRp
Let g be the generator of Zp*.Recall that x is a QRp iff x is an even power of gIt is easy to see that
me mod p is an even power of g iff
m mod p is an even power of g.
Hence we are done.
Conclusion
The Jacoby symbol “leaks”, i.e.:from c
one can compute Jn(Dd(c))(without knowing the factorization of n)
Is it a big problem?
Depends on the application...
Question: Is RSA secure?
Looks like it has some weaknesses...
Plan:
1. Provide a formal security definition.
2. Modify RSA so that it is secure according to this definition.
The security definition
Remember the symmetric-key case?
We considered a chosen-plaintext attack.
How would it look in the case of the public-key encryption?
A chosen-plaintext attack (CPA)
oracle
chooses m’1 m’1
c1 = Enc(pk,m’1)
has to guess b
chooses m’t m’t
ct = Enc(pk,m’t)
m0,m1
c = Enc(pk,mb)
chooses m0,m1
the interaction continues . . .
security parameter1n
1. selects random (pk,sk) = Gen(1n)
2. chooses a random b = 0,1
. . .challenge phase:
pk
This is notneeded.
Why?Because if Eve knows pk she can compute all these ciphertexts herself!
A simplified view
oracle
has to guess b
m0,m1
c = Enc(pk,mb)
chooses m0,m1
security parameter1n
1. selects random (pk,sk) = Gen(1n)
2. chooses a random b = 0,1
challenge phase:
pk
CPA-security
Security definition:
We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) if any
randomized polynomial time adversary
guesses b correctly
with probability at most 0.5 + ε(n), where ε is negligible.
Alternative name: CPA-secure
What about the multiple encryptions?
What if the users use several times the same public key?
The game between the adversary and the oracle needs to be modified:
We will allow the adversary to choose vectors if messages• M0 = (m0
1,..., m0t),
• M1 = (m11,..., m1
t)such that for each i we have
|m1i| = |m0
i|.Then the oracle will output
(c1,...,ct) := Enc(pk,mb1),..., Enc(pk,mb
t)
Multiple messages experiment
oracle
has to guess b
(m01,..., m0
t),(m1
1,..., m1t)
Enc(pk,mb1),...,Enc(pk,mb
t)
security parameter1n
1. selects random (pk,sk) = Gen(1n)
2. chooses a random b = 0,1
challenge phase:
pk
CPA-security with multiple encryptions
Security definition:
We say that (Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA) if any
randomized polynomial time adversary
guesses b correctly
with probability at most 0.5 + ε(n), where ε is negligible.
Fact
It can be proven that these two notions are equivalent, i.e.:
(Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA)
iff
(Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA).
Is the “handbook RSA” secure?
No!In fact:No deterministic encryption scheme is secure.
How can the adversary win the game?
Trivial attack: 1. he just chooses any m0,m1 , 2. computes c0=Enc(pk,m0) himself3. compares the result.
Moral: encryption has to be randomized.
Encoding
Therefore, before encrypting a message we usually encode it (adding some randomness).
This has the following advantages:
• makes the encryption non-deterministic
• breaks the “algebraic properties” of encryption.
How is it done in real-life?PKCS #1: RSA Encryption Standard Version 1.5:
public-key: (N,e)let k := length on N in bytes.let D := length of the plaintextrequirement: D ≤ k - 11.
Enc((N,e), m) := xe mod N, where x is equal to
00000000 00000001 r 00000000 m
(k - D - 3) random bytes D bytes
k bytes
Security of the PKCS #1: RSA Encryption Standard Version 1.5.
It is believed to be CPA-secure.
It has however some weaknesses (it is not “chosen-ciphertext secure”).
Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding.
(we will discuss it later)
El Gamal encryption
El Gamal is another popular public-key encryption scheme.
It is based on the Diffie-Hellman key-exchange.
Let us look at it again now.
The Diffie-Hellman Key exchangeG – a group, where discrete log is hardq = |G|g – a generator of G
Alice Bob
x ← Zq
y ← Zq
h2 = gy
security parameter 1n
(G,g),q, h1 = gx
(G,g) ← H(1n)
output:kA=(h2)x
output:kB=(h1)y
Idea
x ← Zq
security parameter 1n
(G,g,q,gx)
(G,g) ← H(1n)
Let this be the public key of Alice
To encrypt a message m with the key of Alice “play the role of Bob”, i.e.:
1. select y ← Zq and send h2 = gy to Alice2. calculate k = (h1)y
3. we have somehow to encrypt m....4. “encrypt it with k” and send to Alice.How to do it? Simply set c := k · m.Alice will also calculate k = (h2)x, and calculate m := c · k-1.
El Gamal encryption – implementation issues
Which group to choose?
E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime.
Plaintext space is a set of integers {1,...,q}.
How to map an integer i є {1,...,q} to QR(p)?
Just square: f(i) = i2 mod p.
Why is it one-to-one?
Observation
In Zp* the function f “glues” only the elements i and p-i
f(x) = x21
...
q
q+1
...
2q
we take only this
The mapping
Sof(i) = i2 mod p
is one-to-one (on {1,...,q}).
Is it also efficiently invertible?
Yes (but this fact is not trivial)
Public key vs. private key encryption
Private-key encryption has a following advantage:
it is much more efficient.
Practical solution:
combine both!
It is called: the hybrid encryption.
Hybrid encryption
Encrypt the symmetric key with a public-key encryption scheme.
EncpkEnc’k
k m
pk
c1 c2
random
private key enc.
public key enc.
ciphertext