Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 8 Stefan Dziembowski

Published byJoseph Kelly Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 8 Stefan Dziembowski"— Presentation transcript:

1 Cryptography Lecture 8 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net

2 Plan 1.Insecurity of the “handbook RSA” 2.Formal security definitions 3.Improved version of RSA 4.El Gamal encryption 5.Hybrid encryption

3 The “handbook” RSA function N = pq, such that p and q are large distinct primes e is such that gcd(e, φ(N)) = 1 d is such that ed = 1 (mod φ(N)) E e : Z N * → Z N * is defined as: E(m) = m e mod N. D d : Z N * → Z N * is defined as: D(c) = c d mod N. Correctness: D d (E e (m)) = ( m e ) d = m ed = m φ(N)) = (p-1)(q-1). public key: (N,e) private key: (N,d)

4 Problems 1.E e is deterministic, so: –if one encrypts twice the same message then the ciphertexts are the same –therefore it is completely insecure if the message space M is small, because the adversary can check all possible messages: given a ciphertext c do: for every m є M check if E e (m) = c for example if M={yes,no}, then the encryption is not secure. 2.RSA has some “algebraic properties”.

5 Algebraic properties of RSA 1.RSA is homorphic: E e (m 0 · m 1 ) = (m 0 · m 1 ) e = m 0 e · m 1 e = E e (m 0 ) · E e (m 1 ) why is it bad? By checking if c 0 · c 1 = c the adversary can detect if D d (c 0 ) · D d (c 1 ) = D d (c). 2.The “Jacobi symbol” leaks.

6 What is “Jacobi symbol” If p is prime then J p (x) = +1 if x is a quadratic residue modulo p -1 otherwise If n = pq (where p and q are prime) then J n (x) = J p (x) · J q (x)

7 The Jacobi symbol n = pq From CRT Z n * can be depicted as follows: +1 +1 QR p not QR p not QR q QR q By the way: only these are quadratic residues modulo n

8 How to compute the Jacobi symbol Jacobi symbol (in Z n *) can be efficiently computed if the factorization of n is known (this is easy). What if the factorization is unknown? It can also be efficiently computed (but the algorithm is not that trivial).

9 Fact E e – encryption function of the RSA Then: J n (E e (m)) = J n (m) Proof Left-hand-side: J n (E e (m)) = J p (E e (m)) · J q (E e (m)) Right-hand-side: J n (m) = J p (m) · J q (m) Therefore it is enough to prove that: J p (E e (m)) = J p (m) and J q (E e (m)) = J q (m). Since p and q are symmetric we can just prove it for p.

10 We have to show that J p (E e (m)) = J p (m) In other words: E e (m) is a QR p iff m is a QR p Now observe that e is always odd (because gcd(e,(p-1)(q-1)) = 1). To finish the proof we need to show that for an odd e: m e mod p is a QR p iff m mod p is a QR p This is equal to m e mod p

11 For an odd e: m e mod p is a QR p iff m mod p is a QR p Let g be the generator of Z p *. Recall that x is a QR p iff x is an even power of g It is easy to see that m e mod p is an even power of g iff m mod p is an even power of g. Hence we are done.

12 Conclusion The Jacoby symbol “leaks”, i.e.: from c one can compute J n (D d (c)) (without knowing the factorization of n) Is it a big problem? Depends on the application...

13 Question: Is RSA secure? Looks like it has some weaknesses... Plan: 1.Provide a formal security definition. 2.Modify RSA so that it is secure according to this definition.

14 A public-key encryption scheme

15 The security definition Remember the symmetric-key case? We considered a chosen-plaintext attack. How would it look in the case of the public- key encryption?

16 A chosen-plaintext attack (CPA) oracle chooses m’ 1 m’ 1 c 1 = Enc(pk,m’ 1 ) has to guess b chooses m’ t m’tm’t c t = Enc(pk,m’ t ) m 0,m 1 c = Enc(pk,m b ) chooses m 0,m 1 the interaction continues... security parameter 1 n 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1... challenge phase: pk This is not needed. Why? Because if Eve knows pk she can compute all these ciphertexts herself!

17 A simplified view oracle has to guess b m 0,m 1 c = Enc(pk,m b ) chooses m 0,m 1 security parameter 1 n 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1 challenge phase: pk

18 CPA-security Security definition: We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) if any randomized polynomial time adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is negligible. Alternative name: CPA-secure

19 What about the multiple encryptions? What if the users use several times the same public key? The game between the adversary and the oracle needs to be modified: We will allow the adversary to choose vectors if messages M 0 = (m 0 1,..., m 0 t ), M 1 = (m 1 1,..., m 1 t ) such that for each i we have |m 1 i | = |m 0 i |. Then the oracle will output (c 1,...,c t ) := Enc(pk,m b 1 ),..., Enc(pk,m b t )

20 Multiple messages experiment oracle has to guess b (m 0 1,..., m 0 t ), (m 1 1,..., m 1 t ) Enc(pk,m b 1 ),...,Enc(pk,m b t ) security parameter 1 n 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1 challenge phase: pk

21 CPA-security with multiple encryptions Security definition: We say that (Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA) if any randomized polynomial time adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is negligible.

22 Fact It can be proven that these two notions are equivalent, i.e.: (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) iff (Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA).

23 Is the “handbook RSA” secure? No! In fact: No deterministic encryption scheme is secure. How can the adversary win the game? Trivial attack: 1.he just chooses any m 0,m 1, 2.computes c 0 =Enc(pk,m 0 ) himself 3.compares the result. Moral: encryption has to be randomized.

24 Encoding Therefore, before encrypting a message we usually encode it (adding some randomness). This has the following advantages: makes the encryption non-deterministic breaks the “algebraic properties” of encryption.

25 How is it done in real-life? PKCS #1: RSA Encryption Standard Version 1.5: public-key: (N,e) let k := length on N in bytes. let D := length of the plaintext requirement: D ≤ k - 11. Enc((N,e), m) := x e mod N, where x is equal to 0000000000000001r00000000m (k - D - 3) random bytes D bytes k bytes

26 Security of the PKCS #1: RSA Encryption Standard Version 1.5. It is believed to be CPA-secure. It has however some weaknesses (it is not “chosen-ciphertext secure”). Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding. (we will discuss it later)

27 El Gamal encryption El Gamal is another popular public-key encryption scheme. It is based on the Diffie-Hellman key- exchange. Let us look at it again now.

28 The Diffie-Hellman Key exchange G – a group, where discrete log is hard q = |G| g – a generator of G Alice Bob x ← Z q y ← Z q h 2 = g y security parameter 1 n (G,g),q, h 1 = g x (G,g) ← H(1 n ) output: k A =(h 2 ) x output: k B =(h 1 ) y

29 Idea x ← Z q security parameter 1 n (G,g,q,g x ) (G,g) ← H(1 n ) Let this be the public key of Alice To encrypt a message m with the key of Alice “play the role of Bob”, i.e.: 1.select y ← Z q and send h 2 = g y to Alice 2.calculate k = (h 1 ) y 3.we have somehow to encrypt m.... 4.“encrypt it with k” and send to Alice. How to do it? Simply set c := k · m. Alice will also calculate k = (h 2 ) x, and calculate m := c · k -1.

30 El Gamal encryption - formally

31 Correctness of El Gamal encryption

32 El Gamal encryption – implementation issues Which group to choose? E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime. Plaintext space is a set of integers {1,...,q}. How to map an integer i є {1,...,q} to QR(p)? Just square: f(i) = i 2 mod p. Why is it one-to-one?

33 Remember this picture? 1 2 3 4 5 6 1 Z7*:Z7*: QR 7 : 24 f(x) = x 2

34 Observation In Z p * the function f “glues” only the elements i and p-i f(x) = x 2 1... q q+1... 2q we take only this

35 The mapping So f(i) = i 2 mod p is one-to-one (on {1,...,q}). Is it also efficiently invertible? Yes (but this fact is not trivial)

36 Public key vs. private key encryption Private-key encryption has a following advantage: it is much more efficient. Practical solution: combine both! It is called: the hybrid encryption.

37 Hybrid encryption Encrypt the symmetric key with a public-key encryption scheme. Enc pk Enc’ k km pk c1c1 c2c2 random private key enc. public key enc. ciphertext

38 How to decrypt? Enc pk Enc’ k k m pk c1c1 c2c2 ciphertext

Download ppt "Cryptography Lecture 8 Stefan Dziembowski"

Similar presentations

Lecture 8 Public-Key Encryption I Stefan Dziembowski www.dziembowski.net MIM UW 23.11.12ver 1.0.

Lecture 8 Public-Key Encryption I Stefan Dziembowski MIM UW ver 1.0.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Asymmetric-Key Cryptography

Asymmetric-Key Cryptography
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Identity Based Encryption

Identity Based Encryption
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Ruhr-Universität Bochum, Germany

Ruhr-Universität Bochum, Germany

Similar presentations

Ads by Google