Ryan Henry I 538 /B 609 : Introduction to Cryptography

Ryan Henry The goal of secure program obfuscation is to make a program ``unintelligible'' while preserving its functionality. For decades, program obfuscation for general programs has remained an art, with all public general-purpose obfuscation methods known to be broken. In this talk, we will describe new developments that for the first time provide a mathematical approach to the problem of general-purpose program obfuscation, where extracting secrets from the obfuscated program requires solving mathematical problems that currently take hundreds of years to solve on the world's fastest computing systems. We will also discuss the implications of these developments. Friday, November 13 at 3:00pm in LH 102: Amit Sahai, UCLA Software with Secrets

Ryan Henry Last Thursday’s lecture: Public key encryption IND-CPA / IND-CCA for public key schemes Trapdoor functions and permutations Today’s lecture: Public key encryption from TDPs The RSA cryptosystem 2

Ryan Henry Assignment 5 is TODAY! Assignment 6 has been posted! 3

Ryan Henry Recall: Trapdoor permutations (TDPs) 4 ▪ Intuitively, a trapdoor permutation family is an OWP family with the additional property that each OWP in the family is easy to invert when given some special information called the trapdoor

Ryan Henry Trapdoor permutation (TDP) families Def n : A trapdoor permutation (TDP) family is an infinite set {π k } k∈Ｋ e, in which each π k ：D k →D k is a permutation, equipped with a quadruple of PPT algorithms (Gen，Samp，Eval，Inv) such that –E–Easy to sample from family: Gen：1 ℕ →Ｋ e ×Ｋ d is a randomized algorithm that, on input 1 s, outputs (k，t k ) where t k is the trapdoor for π k. –E–Easy to sample from domains: Samp：Ｋ e →⋃ D k is a randomized algorithm that, on input k∈Ｋ e, outputs x∊D k. –E–Easy to evaluate: Eval：Ｋ e ×⋃ D k is a deterministic algorithm that, on input k∈Ｋ e and x∈D k, outputs y=π k (x). –E–East to invert with trapdoor: Inv：Ｋ e ×Ｋ d ×⋃ D k is a deterministic algorithm that, on input any (k，t k )←Gen(1 s ) and y∈D k, outputs x∈D k such that y=π k (x). –H–Hard to invert without trapdoor: For every PPT attacker A, there exists a negligible function ε：ℕ→ℝ + such that Pr[x←A(k,y)｜(k，t k )←Gen(1 s )∧x←Samp(k)∧y←Eval(k，x)]≤ε(s). 5

Ryan Henry Public-key bit encryption from TDPs ▪L▪Let {π k } k∈Ｋ e be a trapdoor permutation family with algorithms (Gen，Samp，Eval，Inv) such that each π k has a corresponding hard-core predicate h k. Q: Does such TDP family even exist? A: Probably!? Or, at least, hopefully! (Why should we think it does?) –G–Goldreich-Levin implies that if any TDP family exists, then there exists a TDP family in which each TDP has a hardcore predicate. 6

Ryan Henry Public-key bit encryption from TDPs ▪L▪Let {π k } k∈Ｋ e be a trapdoor permutation family with algorithms (Gen，Samp，Eval，Inv) such that each π k has a corresponding hard-core predicate h k. Define (Gen，Enc，Dec) as follows: –G–Gen：1 ℕ →Ｋ e ×Ｋ d is just the Gen algorithm for the TDP family –E–Enc：Ｋ e ×{0，1}→D k takes (k,m)∈Ｋ e ×{0，1} as input, chooses r←Samp(k) such that h k (r)=m, and outputs c≔Eval(k，r) –D–Dec：Ｋ e ×Ｋ d ×D k →{0，1} takes (k，t k ，c) as input and outputs h k ( Inv(k，t k ，c) ) 7 requires 2 samples on average

Ryan Henry Public-key bit encryption from TDPs ▪L▪Let {π k } k∈Ｋ e be a trapdoor permutation family with algorithms (Gen，Samp，Eval，Inv) such that each π k has a corresponding hard-core predicate h k. Thm: The tuple (Gen，Enc，Dec) just described is an IND- CCA2 secure public key encryption scheme with message space Ｍ={0，1}. 8

Ryan Henry Encryption for longer messages Q: How do we extend bit encryption to longer messages? A: Encrypt message bit-by-bit using the bit encryption scheme –B–But this is outrageously inefficient… Q: How do we extend bit encryption to longer messages efficiently? A: Very carefully… ▪A▪A candidate approach (with Ｍ=D k ): –G–Gen：1 ℕ →Ｋ e ×Ｋ d is the Gen algorithm for the TDP family –E–Enc：Ｋ e ×D k →D k maps (k,m) to c≔Eval(k，m) –D–Dec： Ｋ e ×Ｋ d ×D k →D k maps (k，t k ，c) to m≔Inv(k，t k ，c) 9 N o t o b t a i n e d f r o m S a m p ! Not randomized!

Ryan Henry Hybrid encryption from TDPs ▪ Let {π k } k∈Ｋ e be a trapdoor permutation family with algorithms (Gen，Samp，Eval，Inv); ▪ Let (Gen’，Enc’，Dec’) be an IND-CCA2 secure symmetric-key encryption scheme; and ▪ Let H：{0，1} * →{0，1} * be a cryptographic hash function 10 Define (Gen，Enc，Dec) as follows: –G–Gen：1 ℕ →Ｋ e ×Ｋ d is just the Gen algorithm for the TDP family; –E–Enc：Ｋ e ×{0，1} * →D k ×{0，1} * takes (k,m)∈Ｋ e ×{0，1} * as input, chooses r←Samp(k) and outputs c≔(y，C), where y≔Eval(k，r) and C≔Enc’ H(r) (m); –D–Dec：Ｋ e ×Ｋ d ×(D k ×{0，1} * )→{0，1} * takes ( k，t k ，(y，C) ) as input, computes r≔Inv(k，t k ，y), and outputs m≔Dec’ H(r) (C). (modeled as a random oracle)

Ryan Henry Hybrid encryption from TDPs 11 Define (Gen，Enc，Dec) as follows: – Gen：1 ℕ →Ｋ e ×Ｋ d is just the Gen algorithm for the TDP family; – Enc：Ｋ e ×{0，1} * →D k ×{0，1} * takes (k,m)∈Ｋ e ×{0，1} * as input, chooses r←Samp(k) and outputs c≔(y，C), where y≔Eval(k，r) and C≔Enc’ H(r) (m); – Dec：Ｋ e ×Ｋ d ×(D k ×{0，1} * )→{0，1} * takes ( k，t k ，(y，C) ) as input, computes r≔Inv(k，t k ，y), and outputs m≔Dec’ H(r) (C) y≔Eval(k，r) C≔Enc’ H(r) (m) c≔

Ryan Henry Hybrid encryption from TDPs 12 Define (Gen，Enc，Dec) as follows: – Gen：1 ℕ →Ｋ e ×Ｋ d is just the Gen algorithm for the TDP family; – Enc：Ｋ e ×{0，1} * →D k ×{0，1} * takes (k,m)∈Ｋ e ×{0，1} * as input, chooses r←Samp(k) and outputs c≔(y，C), where y≔Eval(k，r) and C≔Enc’ H(r) (m); – Dec：Ｋ e ×Ｋ d ×(D k ×{0，1} * )→{0，1} * takes ( k，t k ，(y，C) ) as input, computes r≔Inv(k，t k ，y), and outputs m≔Dec’ H(r) (C) Thm: The tuple (Gen，Enc，Dec) described below is an IND- CCA2 secure public key encryption scheme with message space Ｍ={0，1} * in the random oracle model.

Ryan Henry Recall: The e th root problem 13 Def n : The eth root problem (aka the RSA problem) is: Given (n，e，a) such that 1. n=pq for distinct s-bit primes p and q, 2. a∈℥ n, and 3. gcd(e，φ(n))=1, compute a 1/e mod n. One possible solution: compute d≔e -1 mod φ(n) and output a d mod n

Ryan Henry Recall: RSA instance generator Def n : An RSA instance generating algorithm Ｇ is a PPT algorithm that, on input a security parameter 1 s ∈1 ℕ, outputs a pair of distinct s-bit primes (p，q) and e∊℥ φ(pq). We write (p，q，e)← Ｇ(1 s ) to indicate that s-bit primes (p，q) and e∈℥ φ(pq) are sampled from the output of Ｇ. 14 We define hardness assumption for the e th root problem with respect to a particular fixed instance generator

Ryan Henry Recall: The e th root (RSA) assumption 15 Def n : Let Ｇ be a fixed RSA instance generating algorithm. The e th root (RSA) assumption holds with respect to Ｇ if, for every PPT algorithm A, there exists a negligible function ε：ℕ→ℝ + such that Adv RSA，Ｇ (A)≤ε(s). Challenger (C) Attacker (A) (p，q，e)←Ｇ(1 s ) N≔p·q a∊℥ N b≔a e mod N a’ 1 s1 s (N，e，b) Let E be the event that a≡a’ mod N Define A’s advantage to be Adv RSA,Ｇ (A)≔Pr[E] 1 s1 s

Ryan Henry The Strong RSA assumption 16 Def n : Let Ｇ be a fixed RSA instance generating algorithm. The strong RSA ssumption holds with respect to Ｇ if, for every PPT algorithm A, there exists a negligible function ε： ℕ→ℝ + such that Adv StrongRSA，Ｇ (A)≤ε(s). Challenger (C) Attacker (A) (p，q，e)←Ｇ(1 s ) (if gcd(e’，φ(n))≠1, choose again) N≔p·q a∊℥ N b≔a e’ mod N a’ 1 s1 s (N，b) Let E be the event that a≡a’ mod N Define A’s advantage to be Adv StrongRSA,Ｇ (A)≔Pr[E] 1 s1 s e' e'∈Primes[s]

Ryan Henry The RSA trapdoor permutation family 17 ▪T▪The RSA assumption is equivalent to the assumption that the e th root problem induces a trapdoor permutation family Ｋ e ≔{(pq，e)｜p，q∈Primes[s] with p≠q and gcd(φ(pq)，e)=1}; Ｋ d ≔ℕ; and D k ≔℥ pq ▪G▪Gen(1 s ) chooses distinct primes p,q∊Primes[s] and e∊ℤ φ(pq). It outputs k≔(pq,e) and t k ≔e -1 mod φ(pq) ▪S▪Samp(k) outputs x∊℥ pq ▪E▪Eval(k，x) outputs y≔x e mod pq ▪I▪Inv(k，t k ，y) outputs x≔y d mod pq

Ryan Henry “Textbook” (a.k.a. naïve) RSA 18 ▪M▪Many textbooks (and courses) describe RSA encryption as a direct application of the RSA trapdoor permutation to a “message” (usually a symmetric key) Q: Is this a secure public-key encryption scheme? A: NO! NO! NO! Don’t ever do this! (Seriously, don’t do it!) (If you do this and I find out, I will retroactive fail you in this course!) –M–Meet-in-the-middle attacks –S–Short message—small exponent attacks –C–CRT-based attacks –R–Related message attacks

Ryan Henry Meet-in-the-middle attack ▪ Suppose k∊{0，1} 128 is a random 128-bit symmetric key Q: Given (N，e) and c≔k e mod N, how hard is it to recover k? A: It is sometimes very easy! – If k≡k 1 ·k 2 mod N where lg k 1 ≈lg k 2 ≈2 64, then k 2 e ≡c·m 2 -e mod N Idea: Precompute a lookup table L≔{1 e ，2 e ，3 e ，…，(2 64 ) e } mod N For each a∈L, compute b≔c·a -1 mod N and check if b∈L; if so, then k≡a·b mod N! 19

Ryan Henry Meet-in-the-middle attack 20

Ryan Henry Meet-in-the-middle attack ▪ Toy example: N=282,943=523·541 and e=3 ▪ Message k is an 8-bit symmetric key ▪ Ciphertext is c=k e ≡206,824 mod N ,0001,3311,7282,1972,7443,3754, ,824 25,823 60, ,071 74,088 42,875 27, , ,853 9, , ,463 1,328 3,375 2, ,232 ⇒ k≡14·15=210 mod N (indeed, ≡206,824 mod N)

Ryan Henry Short message—small exponent attack ▪ Alice wishes to encrypt a short message, say m=100, under Bob’s public key k=(N，e) ▪ If N>m e, then no modular reduction occurs! ▪ In this case, given c≔m e mod n, it is easy to compute m=c 1/e in ℤ! 22

Ryan Henry Recall: Chinese Remainder Theorem (CRT) Chinese Remainder Theorem: Let n 1, n 2, …, n k be positive integers with gcd(n i, n j )=1 whenever i≠j, and let N=n 1 ·n 2 ⋯n k. Then the system of congruence relations x≡ c 1 mod n 1 ⋮ x≡ c k mod n k has a unique solution in ℤ N. For each i=1,…,k, set y i ≡ (N/n i ) -1 mod n i and z i ≡(N/n i )·y i mod N The unique solution is x≡∑z i ·c i mod N 23 z i ≡1 mod n i z i ≡0 mod n j when i≠j

Ryan Henry CRT-based attack ▪ Suppose Bob, Carol, and David have distinct public keys (N B ，3), (N C ，3), and (N D ，3) ▪ Alice wishes to encrypt the same message m for each of them – c B ≔m 3 mod N B – c C ≔m 3 mod N C – c D ≔m 3 mod N D ▪ If gcd(N B ，N C )=gcd(N B,N D )=gcd(N C,N D )=1, then by CRT there exists unique c∈ℤ N such that c≡c i mod N i for i∈{B,C,D} ▪ Solving for c, we get m=c 1/3 in ℤ (Why?) ▪ If N A ，N B ，N C aren’t pairwise relatively prime, attacker still learns m (How?) 24

Ryan Henry That’s all for today, folks! 25