1. B504/I538: Introduction to Cryptography
Spring • Lecture 22
(2017—03—30)

2. Recall: Trapdoor permutations (TDPs)
Intuitively, a trapdoor permutation family is an OWP family with the additional property that each OWP in the family is easy to invert when given some special information called the trapdoor

3. Trapdoor permutation (TDP) families
Defn: A trapdoor permutation (TDP) family is an infinite set {πk}k∈Ｋe, in which each πk：Dk→Dk is a permutation, equipped with a quadruple of PPT algorithms (Gen，Samp，Eval，Inv) such that
Easy to sample from family: Gen：1ℕ→Ｋe×Ｋd is a randomized algorithm that, on input 1s, outputs (k，tk) where tk is the trapdoor for πk.
Easy to sample from domains: Samp：Ｋe→⋃Dk is a randomized algorithm that, on input k∈Ｋe, outputs x∊Dk.
Easy to evaluate: Eval：Ｋe×⋃Dk is a deterministic algorithm that, on input k∈Ｋe and x∈Dk, outputs y=πk(x).
East to invert with trapdoor: Inv：Ｋe×Ｋd×⋃Dk is a deterministic algorithm that, on input any (k，tk)←Gen(1s) and y∈Dk, outputs x∈Dk such that y=πk(x).
Hard to invert without trapdoor: For every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that
Pr[x←A(k,y)｜(k，tk)←Gen(1s)∧x←Samp(k)∧y←Eval(k，x)]≤ε(s).

4. Public-key bit encryption from TDPs
Let {πk}k∈Ｋe be a trapdoor permutation family with algorithms (Gen，Samp，Eval，Inv) such that each πk has a corresponding hard-core predicate hk.
Q: Does such TDP family even exist?
A: Probably!? Or, at least, hopefully! (Why should we think it does?)
Goldreich-Levin implies that if any TDP family exists, then there exists a TDP family in which each TDP has a hardcore predicate.

5. Public-key bit encryption from TDPs
Let {πk}k∈Ｋe be a trapdoor permutation family with algorithms (Gen，Samp，Eval，Inv) such that each πk has a corresponding hard-core predicate hk.
Define (Gen，Enc，Dec) as follows:
Gen：1ℕ→Ｋe×Ｋd is just the Gen algorithm for the TDP family
Enc：Ｋe×{0，1}→Dk takes (k,m)∈Ｋe×{0，1} as input, chooses r←Samp(k) such that hk(r)=m, and outputs c≔Eval(k，r)
Dec：Ｋe×Ｋd×Dk→{0，1} takes (k，tk，c) as input and outputs hk(Inv(k，tk，c))
requires 2 samples on average

6. Public-key bit encryption from TDPs
Let {πk}k∈Ｋe be a trapdoor permutation family with algorithms (Gen，Samp，Eval，Inv) such that each πk has a corresponding hard-core predicate hk.
Thm: The tuple (Gen，Enc，Dec) just described is an IND- CCA2 secure public key encryption scheme with message space Ｍ={0，1}.

7. Encryption for longer messages
Q: How do we extend bit encryption to longer messages?
A: Encrypt message bit-by-bit using the bit encryption scheme
But this is outrageously inefficient…
Q: How do we extend bit encryption to longer messages efficiently?
A: Very carefully…
A candidate approach (with Ｍ=Dk):
Gen：1ℕ→Ｋe×Ｋd is the Gen algorithm for the TDP family
Enc：Ｋe×Dk→Dk maps (k,m) to c≔Eval(k，m)
Dec： Ｋe×Ｋd×Dk→Dk maps (k，tk，c) to m≔Inv(k，tk，c)
Not randomized!
Not obtained
from Samp!

8. Hybrid encryption from TDPs
Let {πk}k∈Ｋe be a trapdoor permutation family with algorithms (Gen，Samp，Eval，Inv);
Let (Gen’，Enc’，Dec’) be an IND-CCA2 secure symmetric-key encryption scheme; and
Let H：{0，1}*→{0，1}* be a cryptographic hash function
(modeled as a random oracle)
Define (Gen，Enc，Dec) as follows:
Gen：1ℕ→Ｋe×Ｋd is just the Gen algorithm for the TDP family;
Enc：Ｋe×{0，1}*→Dk×{0，1}* takes (k,m)∈Ｋe×{0，1}* as input, chooses r←Samp(k) and outputs c≔(y，C), where y≔Eval(k，r) and C≔Enc’H(r)(m);
Dec：Ｋe×Ｋd×(Dk×{0，1}*)→{0，1}* takes (k，tk，(y，C)) as input, computes r≔Inv(k，tk，y), and outputs m≔Dec’H(r)(C).

9. Hybrid encryption from TDPs
y≔Eval(k，r)
C≔Enc’H(r)(m)
Define (Gen，Enc，Dec) as follows:
Gen：1ℕ→Ｋe×Ｋd is just the Gen algorithm for the TDP family;
Enc：Ｋe×{0，1}*→Dk×{0，1}* takes (k,m)∈Ｋe×{0，1}* as input, chooses r←Samp(k) and outputs c≔(y，C), where y≔Eval(k，r) and C≔Enc’H(r)(m);
Dec：Ｋe×Ｋd×(Dk×{0，1}*)→{0，1}* takes (k，tk，(y，C)) as input, computes r≔Inv(k，tk，y), and outputs m≔Dec’H(r)(C)

10. Hybrid encryption from TDPs
Thm: The tuple (Gen，Enc，Dec) described below is an IND- CCA2 secure public key encryption scheme with message space Ｍ={0，1}* in the random oracle model.
Define (Gen，Enc，Dec) as follows:
Gen：1ℕ→Ｋe×Ｋd is just the Gen algorithm for the TDP family;
Enc：Ｋe×{0，1}*→Dk×{0，1}* takes (k,m)∈Ｋe×{0，1}* as input, chooses r←Samp(k) and outputs c≔(y，C), where y≔Eval(k，r) and C≔Enc’H(r)(m);
Dec：Ｋe×Ｋd×(Dk×{0，1}*)→{0，1}* takes (k，tk，(y，C)) as input, computes r≔Inv(k，tk，y), and outputs m≔Dec’H(r)(C)

11. Recall: The eth root problem
Defn: The eth root problem (aka the RSA problem) is: Given (n，e，a) such that
n=pq for distinct s-bit primes p and q,
a∈℥n, and
gcd(e，φ(n))=1,
compute a1/e mod n.
One possible solution: compute d≔e-1 mod φ(n) and output ad mod n

12. Recall: RSA instance generator
Defn: An RSA instance generating algorithm Ｇ is a PPT algorithm that, on input a security parameter 1s∈1ℕ, outputs a pair of distinct s-bit primes (p，q) and e∊℥φ(pq). We write (p，q，e)← Ｇ(1s) to indicate that s-bit primes (p，q) and e∈℥φ(pq) are sampled from the output of Ｇ.
We define hardness assumption for the eth root problem with respect to a particular fixed instance generator

13. Recall: The eth root (RSA) assumption
Challenger (C)
Attacker (A)
1 s
(p，q，e)←Ｇ(1 s) N≔p·q
a∊℥N b≔ae mod N
1 s
(N，e，b) a’
Let E be the event that a≡a’ mod N
Define A’s advantage to be AdvRSA,Ｇ(A)≔Pr[E]
Defn: Let Ｇ be a fixed RSA instance generating algorithm. The eth root (RSA) assumption holds with respect to Ｇ if, for every PPT algorithm A, there exists a negligible function ε：ℕ→ℝ+ such that AdvRSA，Ｇ(A)≤ε(s).

14. The Strong RSA assumption
Challenger (C)
Attacker (A)
1 s
(p，q，e)←Ｇ(1 s)
(if gcd(e’，φ(n))≠1, choose again)
N≔p·q
a∊℥N
b≔ae’ mod N e'
1 s
e'∈Primes[s]
(N，b) a’
Let E be the event that a≡a’ mod N
Define A’s advantage to be AdvStrongRSA,Ｇ(A)≔Pr[E]
Defn: Let Ｇ be a fixed RSA instance generating algorithm. The strong RSA ssumption holds with respect to Ｇ if, for every PPT algorithm A, there exists a negligible function ε： ℕ→ℝ+ such that AdvStrongRSA，Ｇ(A)≤ε(s).

15. The RSA trapdoor permutation family
The RSA assumption is equivalent to the assumption that the eth root problem induces a trapdoor permutation family
Ｋe≔{(pq，e)｜p，q∈Primes[s] with p≠q and gcd(φ(pq)，e)=1}; Ｋd≔ℕ; and Dk≔℥pq
Gen(1s) chooses distinct primes p,q∊Primes[s] and e∊ℤφ(pq). It outputs k≔(pq,e) and tk≔e-1 mod φ(pq)
Samp(k) outputs x∊℥pq
Eval(k，x) outputs y≔xe mod pq
Inv(k，tk，y) outputs x≔yd mod pq

16. “Textbook” (a.k.a. naïve) RSA
Many textbooks (and courses) describe RSA encryption as a direct application of the RSA trapdoor permutation to a “message” (usually a symmetric key)
Q: Is this a secure public-key encryption scheme?
A: NO! NO! NO! Don’t ever do this! (Seriously, don’t do it!)
(If you do this and I find out, I will retroactive fail you in this course!)
Meet-in-the-middle attacks
Short message—small exponent attacks
CRT-based attacks
Related message attacks

17. Meet-in-the-middle attack
Suppose k∊{0，1}128 is a random 128-bit symmetric key
Q: Given (N，e) and c≔ke mod N, how hard is it to recover k?
A: It is sometimes very easy!
If k≡k1·k2 mod N where lg k1≈lg k2≈264, then k2e≡c·m2-e mod N
Idea: Precompute a lookup table L≔{1e，2e，3e，…，(264)e} mod N
For each a∈L, compute b≔c·a-1 mod N and check if b∈L;
if so, then k≡a·b mod N!

18. Meet-in-the-middle attack
Computing L≔{1e，2e，3e，…，(264)e} requires about 264= exponentiations to power e modulo N
A brute-force attack would have required about 2128/2=2127 exponentiations to power e modulo N

19. Meet-in-the-middle attack
Toy example: N=282,943=523·541 and e=3
Message k is an 8-bit symmetric key
Ciphertext is c=ke≡206,824 mod N 13 23 33 43 53 63 73 83 93
103
113
123
133
143
153
163 1 8 27 64
125
216
343
512
729
1,000
1,331
1,728
2,197
2,744
3,375
4,096
206,824
25,823
60,057
180,071
74,088
42,875
27,000
270,853
190,853
9,261
268,643
111,463
1,328
175,232
⇒ k≡14·15=210 mod N (indeed, 2103≡206,824 mod N)

20. Short message—small exponent attack
Alice wishes to encrypt a short message, say m=100, under Bob’s public key k=(N，e)
If N>me, then no modular reduction occurs!
In this case, given c≔me mod n, it is easy to compute m=c1/e in ℤ!

21. Recall: Chinese Remainder Theorem (CRT)
Chinese Remainder Theorem: Let n1, n2, …, nk be positive integers with gcd(ni, nj)=1 whenever i≠j, and let N=n1·n2⋯nk.
Then the system of congruence relations
x≡ c1 mod n1 ⋮
x≡ ck mod nk
has a unique solution in ℤN.
zi≡1 mod ni
zi≡0 mod nj when i≠j
For each i=1,…,k, set yi ≡ (N/ni)-1 mod ni and zi≡(N/ni)·yi mod N
The unique solution is x≡∑zi·ci mod N

22. CRT-based attack
Suppose Bob, Carol, and David have distinct public keys (NB，3), (NC，3), and (ND，3)
Alice wishes to encrypt the same message m for each of them
cB≔m3 mod NB
cC≔m3 mod NC
cD≔m3 mod ND
If gcd(NB，NC)=gcd(NB,ND)=gcd(NC,ND)=1, then by CRT there exists unique c∈ℤN such that c≡ci mod Ni for i∈{B,C,D}
Solving for c, we get m=c1/3 in ℤ (Why?)
If NA，NB，NC aren’t pairwise relatively prime, attacker still learns m (How?)

23. That’s all for today, folks!