Cryptography Lecture 8 Stefan Dziembowski

Plan 1.Insecurity of the “handbook RSA” 2.Formal security definitions 3.Improved version of RSA 4.El Gamal encryption 5.Hybrid encryption

The “handbook” RSA function N = pq, such that p and q are large distinct primes e is such that gcd(e, φ(N)) = 1 d is such that ed = 1 (mod φ(N)) E e : Z N * → Z N * is defined as: E(m) = m e mod N. D d : Z N * → Z N * is defined as: D(c) = c d mod N. Correctness: D d (E e (m)) = ( m e ) d = m ed = m φ(N)) = (p-1)(q-1). public key: (N,e) private key: (N,d)

Problems 1.E e is deterministic, so: –if one encrypts twice the same message then the ciphertexts are the same –therefore it is completely insecure if the message space M is small, because the adversary can check all possible messages: given a ciphertext c do: for every m є M check if E e (m) = c for example if M={yes,no}, then the encryption is not secure. 2.RSA has some “algebraic properties”.

Algebraic properties of RSA 1.RSA is homorphic: E e (m 0 · m 1 ) = (m 0 · m 1 ) e = m 0 e · m 1 e = E e (m 0 ) · E e (m 1 ) why is it bad? By checking if c 0 · c 1 = c the adversary can detect if D d (c 0 ) · D d (c 1 ) = D d (c). 2.The “Jacobi symbol” leaks.

What is “Jacobi symbol” If p is prime then J p (x) = +1 if x is a quadratic residue modulo p -1 otherwise If n = pq (where p and q are prime) then J n (x) = J p (x) · J q (x)

The Jacobi symbol n = pq From CRT Z n * can be depicted as follows: QR p not QR p not QR q QR q By the way: only these are quadratic residues modulo n

How to compute the Jacobi symbol Jacobi symbol (in Z n *) can be efficiently computed if the factorization of n is known (this is easy). What if the factorization is unknown? It can also be efficiently computed (but the algorithm is not that trivial).

Fact E e – encryption function of the RSA Then: J n (E e (m)) = J n (m) Proof Left-hand-side: J n (E e (m)) = J p (E e (m)) · J q (E e (m)) Right-hand-side: J n (m) = J p (m) · J q (m) Therefore it is enough to prove that: J p (E e (m)) = J p (m) and J q (E e (m)) = J q (m). Since p and q are symmetric we can just prove it for p.

We have to show that J p (E e (m)) = J p (m) In other words: E e (m) is a QR p iff m is a QR p Now observe that e is always odd (because gcd(e,(p-1)(q-1)) = 1). To finish the proof we need to show that for an odd e: m e mod p is a QR p iff m mod p is a QR p This is equal to m e mod p

For an odd e: m e mod p is a QR p iff m mod p is a QR p Let g be the generator of Z p *. Recall that x is a QR p iff x is an even power of g It is easy to see that m e mod p is an even power of g iff m mod p is an even power of g. Hence we are done.

Conclusion The Jacoby symbol “leaks”, i.e.: from c one can compute J n (D d (c)) (without knowing the factorization of n) Is it a big problem? Depends on the application...

Question: Is RSA secure? Looks like it has some weaknesses... Plan: 1.Provide a formal security definition. 2.Modify RSA so that it is secure according to this definition.

A public-key encryption scheme

The security definition Remember the symmetric-key case? We considered a chosen-plaintext attack. How would it look in the case of the public- key encryption?

A chosen-plaintext attack (CPA) oracle chooses m’ 1 m’ 1 c 1 = Enc(pk,m’ 1 ) has to guess b chooses m’ t m’tm’t c t = Enc(pk,m’ t ) m 0,m 1 c = Enc(pk,m b ) chooses m 0,m 1 the interaction continues... security parameter 1 n 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1... challenge phase: pk This is not needed. Why? Because if Eve knows pk she can compute all these ciphertexts herself!

A simplified view oracle has to guess b m 0,m 1 c = Enc(pk,m b ) chooses m 0,m 1 security parameter 1 n 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1 challenge phase: pk

CPA-security Security definition: We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) if any randomized polynomial time adversary guesses b correctly with probability at most ε(n), where ε is negligible. Alternative name: CPA-secure

What about the multiple encryptions? What if the users use several times the same public key? The game between the adversary and the oracle needs to be modified: We will allow the adversary to choose vectors if messages M 0 = (m 0 1,..., m 0 t ), M 1 = (m 1 1,..., m 1 t ) such that for each i we have |m 1 i | = |m 0 i |. Then the oracle will output (c 1,...,c t ) := Enc(pk,m b 1 ),..., Enc(pk,m b t )

Multiple messages experiment oracle has to guess b (m 0 1,..., m 0 t ), (m 1 1,..., m 1 t ) Enc(pk,m b 1 ),...,Enc(pk,m b t ) security parameter 1 n 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1 challenge phase: pk

CPA-security with multiple encryptions Security definition: We say that (Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA) if any randomized polynomial time adversary guesses b correctly with probability at most ε(n), where ε is negligible.

Fact It can be proven that these two notions are equivalent, i.e.: (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) iff (Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA).

Is the “handbook RSA” secure? No! In fact: No deterministic encryption scheme is secure. How can the adversary win the game? Trivial attack: 1.he just chooses any m 0,m 1, 2.computes c 0 =Enc(pk,m 0 ) himself 3.compares the result. Moral: encryption has to be randomized.

Encoding Therefore, before encrypting a message we usually encode it (adding some randomness). This has the following advantages: makes the encryption non-deterministic breaks the “algebraic properties” of encryption.

How is it done in real-life? PKCS #1: RSA Encryption Standard Version 1.5: public-key: (N,e) let k := length on N in bytes. let D := length of the plaintext requirement: D ≤ k Enc((N,e), m) := x e mod N, where x is equal to r m (k - D - 3) random bytes D bytes k bytes

Security of the PKCS #1: RSA Encryption Standard Version 1.5. It is believed to be CPA-secure. It has however some weaknesses (it is not “chosen-ciphertext secure”). Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding. (we will discuss it later)

El Gamal encryption El Gamal is another popular public-key encryption scheme. It is based on the Diffie-Hellman key- exchange. Let us look at it again now.

The Diffie-Hellman Key exchange G – a group, where discrete log is hard q = |G| g – a generator of G Alice Bob x ← Z q y ← Z q h 2 = g y security parameter 1 n (G,g),q, h 1 = g x (G,g) ← H(1 n ) output: k A =(h 2 ) x output: k B =(h 1 ) y

Idea x ← Z q security parameter 1 n (G,g,q,g x ) (G,g) ← H(1 n ) Let this be the public key of Alice To encrypt a message m with the key of Alice “play the role of Bob”, i.e.: 1.select y ← Z q and send h 2 = g y to Alice 2.calculate k = (h 1 ) y 3.we have somehow to encrypt m “encrypt it with k” and send to Alice. How to do it? Simply set c := k · m. Alice will also calculate k = (h 2 ) x, and calculate m := c · k -1.

El Gamal encryption - formally

Correctness of El Gamal encryption

El Gamal encryption – implementation issues Which group to choose? E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime. Plaintext space is a set of integers {1,...,q}. How to map an integer i є {1,...,q} to QR(p)? Just square: f(i) = i 2 mod p. Why is it one-to-one?

Remember this picture? Z7*:Z7*: QR 7 : 24 f(x) = x 2

Observation In Z p * the function f “glues” only the elements i and p-i f(x) = x q q q we take only this

The mapping So f(i) = i 2 mod p is one-to-one (on {1,...,q}). Is it also efficiently invertible? Yes (but this fact is not trivial)

Public key vs. private key encryption Private-key encryption has a following advantage: it is much more efficient. Practical solution: combine both! It is called: the hybrid encryption.

Hybrid encryption Encrypt the symmetric key with a public-key encryption scheme. Enc pk Enc’ k km pk c1c1 c2c2 random private key enc. public key enc. ciphertext

How to decrypt? Enc pk Enc’ k k m pk c1c1 c2c2 ciphertext