CISPA
Center for IT Security, Privacy and Accountability
Introduction to Cybersecurity: Cryptography (Part 4)
Review of Last Lecture
Block ciphers
• Review of DES
• Attacks on block ciphers
• Advanced Encryption Standard (AES)
• Modes of Operation
MACs and Hashes
• Message Authentication Codes
• Hash Functions
• Compression Functions
• Merkle-Damgård Construction
• MACs from Hashes
Introduction to Cybersecurity 2016/17
Review: Attack by Meet-in-the-Middle
Double encryption: m → E(K1,·) → E(K2,·) → c
DE((K1,K2), m) := E(K2, E(K1, m))
Attack by “meet-in-the-middle”
Review: Modes of Operation
Cipher Block Chaining (CBC)
Encryption: c1 = E(K, m1 ⊕ IV), c2 = E(K, m2 ⊕ c1), …
Decryption: m1 = D(K, c1) ⊕ IV, m2 = D(K, c2) ⊕ c1, …
Review: Message Integrity
Goal of message integrity:
Alice generates tag t for message m, Bob verifies tag.
Goal: Attacker cannot change message, i.e., attacker cannot generate any valid pair (m, t).
[Figure: Alice adds a MAC to the plaintext under the key; Bob verifies the MAC under the same key and recovers the plaintext.]
Review: Hash Function
Let H: M → T be a hash function (non-keyed) (often H: {0,1}* → {0,1}^n).
A collision for H is a tuple (m1, m2) with H(m1) = H(m2) ∧ m1 ≠ m2.
Remark: Defining that “no efficient adversary exists that finds a collision” cannot be fulfilled: for a fixed, non-keyed H a collision exists as soon as |M| > |T|, so the (efficient) adversary that simply outputs that fixed pair exists, even if nobody knows how to write it down.
Definition: Collision Resistant Hash Function (CRHF)
A hash function H is collision resistant if no “efficient” algorithm is known that finds a collision for H in suitable time.
Review: Merkle-Damgård Construction
Merkle-Damgård (iterated construction)
pad is the padding function (injective).
f: {0,1}^k × {0,1}^n → {0,1}^n is the compression function.
h_i are called chaining variables.
IV is the initial value.
[Figure: message m is padded by pad into blocks b0, b1, b2, b3, b4; h0 := IV, h_{i+1} := f(b_i, h_i), and the last chaining variable is the hash h.]
This Lecture’s Summary
Asymmetric encryption
• Number theory for El-Gamal
• El-Gamal Encryption Scheme
• Number theory for RSA
• RSA Encryption Schemes
Foundations of Cybersecurity 2016
Symmetric vs. Asymmetric (Public-key) Encryption

Symmetric                                  Asymmetric (public-key)
Fast                                       Slow
Based on heuristics                        Based on security proofs with well-defined assumptions
One key for every pair of users            One key for every user
Two parties need to protect the secret     Everyone is responsible for his/her own secret key
Public-key Encryption
Now public-key encryption schemes (K, E, D):
[Figure: K outputs the key pair (pk, sk); the sender computes c := E(pk, m); the receiver computes m := D(sk, c). Legend: randomized / stateful / deterministic algorithms.]
Definition of Public-Key Encryption
Definition: Public-key Encryption Scheme
A public-key encryption scheme is a triple of algorithms (K, E, D):
• The randomized key generation algorithm K takes no input and returns a key pair (pk, sk).
• The (often randomized) encryption algorithm E takes a public key pk and a message m and returns a ciphertext c.
• The deterministic decryption algorithm D takes a secret key sk and a ciphertext c and returns a plaintext m ∈ M or a distinguished error symbol.
Correctness:
The above algorithms have to satisfy the following property: for any key pair (pk, sk) ∈ [K], any message m ∈ M, and any c ∈ [E(pk, m)], we have that D(sk, c) = m.
Number Theory Basics for the El-Gamal Encryption Scheme
5
CISPA
Center for IT Security, Privacy and Accountabiltiy
Notation
From here on:
N denotes a positive integer.
p denotes a prime.
Notation: Z_N = {0, 1, 2, …, N − 1}
We can do addition and multiplication modulo N.
Modular Arithmetic
Examples: let N = 12.
9 + 8 = 5 in Z_12
5 × 7 = 11 in Z_12
5 − 7 = 10 in Z_12
Arithmetic in Z_N works as you expect, e.g. x ⋅ (y + z) = x ⋅ y + x ⋅ z in Z_N.
Greatest Common Divisor (GCD)
Definition: GCD
For integers x, y, gcd(x, y) denotes the greatest common divisor of x and y.
Example: gcd(12, 18) = 6
Fact: GCD
For all integers x, y there exist integers a, b such that
a ⋅ x + b ⋅ y = gcd(x, y).
a, b can be found efficiently using the extended Euclidean algorithm.
If gcd(x, y) = 1 we say that x and y are relatively prime.
How to compute gcd? The Extended Euclid Algorithm
Example: gcd(240, 46)
240 = 5 ⋅ 46 + 10
46 = 4 ⋅ 10 + 6
10 = 6 + 4
6 = 4 + 2
4 = 2 ⋅ 2
So gcd(240, 46) = 2. Rewriting each line and substituting backwards:
240 − 5 ⋅ 46 = 10,   46 − 4 ⋅ 10 = 6,   10 − 6 = 4,   6 − 4 = 2
240 − 5 ⋅ 46 = 10,   46 − 4 ⋅ 10 = 6,   2 ⋅ 6 − 10 = 2
240 − 5 ⋅ 46 = 10,   2 ⋅ (46 − 4 ⋅ 10) − 10 = 2
240 − 5 ⋅ 46 = 10,   2 ⋅ 46 − 9 ⋅ 10 = 2
2 ⋅ 46 − 9 ⋅ (240 − 5 ⋅ 46) = 2
−9 ⋅ 240 + 47 ⋅ 46 = 2
Modular Inversion
Definition: Inverse
The inverse of x in Z_N is an element y in Z_N such that x ⋅ y = 1 in Z_N.
y is denoted by x^{−1}.
Over the rationals, the inverse of 2 is 1/2. What about Z_N?
Example: let N be an odd integer. The inverse of 2 in Z_N is (N + 1)/2, since
2 ⋅ (N + 1)/2 = N + 1 = 1 in Z_N.
Modular Inversion
Which elements have an inverse in Z_N?
Lemma:
x in Z_N has an inverse if and only if gcd(x, N) = 1.
Proof:
gcd(x, N) = 1 ⇒ ∃ a, b: a ⋅ x + b ⋅ N = 1
⇒ a ⋅ x = 1 in Z_N
⇒ x = a^{−1} in Z_N
gcd(x, N) > 1 ⇒ ∀ a: gcd(a ⋅ x, N) > 1
⇒ a ⋅ x ≠ 1 in Z_N
More notation
Definition: Set of invertible Elements in Z_N
Z_N^* := { x ∈ Z_N : gcd(x, N) = 1 }
Examples:
For a prime p: Z_p^* = Z_p \ {0} = {1, 2, …, p − 1}
Z_12^* = {1, 5, 7, 11}
For x in Z_N^*, we can find x^{−1} using the extended Euclid algorithm.
Solving modular linear equations
Solve: a ⋅ x + b = 0 in Z_N
Solution: x = −b ⋅ a^{−1} in Z_N
Find a^{−1} in Z_N using the extended Euclid algorithm.
Run time: O(log^2 N)
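The extended Euclid computation, the inversion lemma and the linear-equation solver of the preceding slides, as an added Python example that is not part of the lecture material; the function names `egcd`, `modinv`, `units` and `solve_linear` are chosen here, and non-negative integer inputs are assumed.

```python
def egcd(x, y):
    """Extended Euclid: returns (g, a, b) with a*x + b*y = g = gcd(x, y).
    The recursion unwinds exactly like the back-substitution on the slide:
    each level rewrites the remainder r = x - q*y into the previous identity."""
    if y == 0:
        return x, 1, 0
    g, a, b = egcd(y, x % y)           # x = q*y + r with r = x % y, so a*y + b*r = g
    return g, b, a - (x // y) * b      # substitute r = x - q*y and regroup by x and y

def modinv(x, n):
    """x^(-1) in Z_N, or None when gcd(x, N) != 1 (the lemma: then no inverse exists)."""
    g, a, _ = egcd(x % n, n)
    return a % n if g == 1 else None   # a*x + b*N = 1  =>  a*x = 1 in Z_N

def units(n):
    """Z_N^* = { x in Z_N : gcd(x, N) = 1 }, the elements that have an inverse."""
    return [x for x in range(n) if egcd(x, n)[0] == 1]

def solve_linear(a, b, n):
    """Solve a*x + b = 0 in Z_N as x = -b * a^(-1); None if a is not invertible."""
    inv = modinv(a, n)
    return None if inv is None else (-b * inv) % n
```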
The structure of Z_p^*
Theorem (Euler): Z_p^* is a cyclic group, that is,
∃ g ∈ Z_p^* such that {1, g, g^2, g^3, …} = Z_p^*.
g is called a generator of Z_p^*.
Example: p = 7.
g = 3 is a generator: {1, 3, 3^2, 3^3, 3^4, 3^5} = {1, 3, 2, 6, 4, 5} = Z_7^*
Not every element is a generator: {1, 2, 2^2, 2^3, 2^4, 2^5} = {1, 2, 4}
Order
For g ∈ Z_p^*, the set {1, g, g^2, g^3, …} is called the group generated by g, denoted by <g>.
Definition: Order of g
The order of g ∈ Z_p^* is the size of <g>, denoted by ord_p(g) = |<g>|.
It is the smallest a > 0 s.t. g^a = 1 in Z_p^*.
Examples: ord_7(3) = 6; ord_7(2) = 3; ord_7(1) = 1.
Theorem (Lagrange): ∀ g ∈ Z_p^*: ord_p(g) divides p − 1.
Fermat’s little Theorem
Theorem: Fermat’s little Theorem
For every prime p and every x ∈ Z_p^* it holds that x^{p−1} = 1 mod p.
Follows from Lagrange’s Theorem and the fact that x^{ord_p(x)} = 1 mod p.
Easy problems
Given composite N and x in Z_N, find x^{−1} in Z_N.
Given prime p and polynomial f(x), find x in Z_p s.t. f(x) = 0 in Z_p (if one exists).
Running time is linear in deg(f).
… but many problems are difficult.
Intractable problems with primes – discrete logarithm
Fix a prime p > 2 and g in Z_p^* of order q.
Consider the function x → g^x in Z_p.
Now, consider the inverse function:
Dlog_g(g^x) = x where x ∈ {0, …, q − 2}
Example:
in:        1, 2, 3, 4, 5, 6, 7, 8, 9, 10
Dlog_2(⋅): 0, 1, 8, 2, 4, 9, 7, 3, 6, 5
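Order, generated subgroup, generators and the brute-force discrete logarithm from the slides on Z_p^*, as an added Python example that is not part of the lecture material. It assumes p is prime, and that the Dlog table above was computed in Z_11^* with g = 2 (the slide does not state p; p = 11 reproduces the row exactly); the names `order`, `generated`, `generators`, `lagrange_holds` and `dlog` are chosen here.

```python
def order(g, p):
    """ord_p(g): the smallest a > 0 with g^a = 1 mod p (g must lie in Z_p^*, p prime)."""
    if g % p == 0:
        raise ValueError("0 is not in Z_p^*, so it has no order")
    a, acc = 1, g % p
    while acc != 1:
        acc = acc * g % p
        a += 1
    return a

def generated(g, p):
    """<g> = {1, g, g^2, ...}; it has exactly ord_p(g) distinct elements."""
    return {pow(g, i, p) for i in range(order(g, p))}

def generators(p):
    """Elements g with <g> = Z_p^*, i.e. ord_p(g) = p - 1 (Euler: non-empty for prime p)."""
    return [g for g in range(1, p) if order(g, p) == p - 1]

def lagrange_holds(p):
    """Check Lagrange's theorem: ord_p(g) divides p - 1 for every g in Z_p^*."""
    return all((p - 1) % order(g, p) == 0 for g in range(1, p))

def dlog(g, h, p):
    """Dlog_g(h) by exhaustive search over x in {0, ..., ord_p(g) - 1}.
    Fine for a toy p; the cost grows exponentially in the bit length of p,
    which is the hardness the next slides rely on."""
    acc, h = 1, h % p
    for x in range(order(g, p)):
        if acc == h:
            return x
        acc = acc * g % p
    return None          # h is not in <g>, so it has no logarithm to base g

def dlog_table(g, p):
    """Dlog_g(h) for h = 1, ..., p - 1: the row shown on the slide for g = 2."""
    return [dlog(g, h, p) for h in range(1, p)]
```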
Computing Dlog in Z_p^* (n-bit prime p)
Best known algorithm (GNFS): run time exp(O(∛n))

Cipher key size     Modulus size     Elliptic curve group size
80 bits             1024 bits        160 bits
128 bits            3072 bits        256 bits
256 bits (AES)      15360 bits       512 bits

As a result: slow transition away from (mod p) to elliptic curves.
El-Gamal Encryption Scheme
ElGamal Encryption System (1984)
Key Generation K(n) for security parameter n:
Pick random n-bit prime p
Pick random generator g for Z_p^*          } can be publicly known
Pick random x ∈ {1, …, p − 1}
Set pk := (p, g, h := g^x), sk := (p, g, x)
Output (pk, sk)
Encryption Enc(pk, m); pk = (p, g, h), m ∈ Z_p^*:
Pick random y ∈ {1, …, p − 1}
Set i := g^y, k := h^y
Set c := (i, m ⋅ k)
Output c
ElGamal Encryption System (1984)
Decryption Dec(sk, c); sk = (p, g, x) and c = (A, B):
Set d := B ⋅ A^{−x}
Output d
Correctness: El-Gamal
B ⋅ A^{−x} = B ⋅ (g^y)^{−x}
= B ⋅ (g^x)^{−y}
= B ⋅ h^{−y}
= (m ⋅ h^y) ⋅ h^{−y}
= m
ElGamal Encryption System (cont’d)
Security intuition: B = m ⋅ g^{xy} is similar to the OTP: g^{xy} is the key and ⋅ the XOR.
But: why is this secure?
Goals:
Define security of public key encryption schemes. (yes, we do that!)
Prove that ElGamal is secure. (core lecture)
Indist. Ciphertexts under CPA
Let PE = (K, E, D) be a public-key encryption scheme and A an adversary. Define Exp^{CPA}_{PE,A}(b) as:
Challenger(b, n), b ∈ {0,1}: generate keys (pk, sk) ← K(n) and send pk to the adversary.
Adversary(n): receive pk, choose m0, m1 and send them to the challenger.
Challenger: send c ← Encrypt(pk, m_b).
Adversary: output b*.
Definition: Indistinguishability of Ciphertexts under CPA
A sequence of public-key encryption schemes PE has indistinguishable ciphertexts under chosen-plaintext attack (CPA) if for all efficient adversaries A = (A_n)_{n∈ℕ}:
Adv^{CPA}_{PE,A} = |Pr[Exp^{CPA}_{PE,A_n}(0) = 1] − Pr[Exp^{CPA}_{PE,A_n}(1) = 1]|
is negligible.
Only a 1-CPA Variant?
Extended experiment: as before, Challenger(b, n) generates (pk, sk) ← K(n) and sends pk; Adversary(n) chooses m0, m1 and receives c ← Encrypt(pk, m_b); in addition, the adversary may send messages m of its choice and receives E(pk, m) in return, before outputting b*.
Does the following extended experiment strengthen the definition?
No, since A can compute E(pk, m) itself for messages of its choice!
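ElGamal over a toy group together with the Exp^{CPA}_{PE,A}(b) game of the two preceding slides, as an added Python example that is not part of the lecture material. Assumptions: p = 11 and g = 2 (a generator of Z_11^*) stand in for the n-bit prime and generator; the names `keygen`, `encrypt`, `decrypt`, `cpa_experiment`, `ReencryptAdversary` and `advantage` are chosen here. The adversary does exactly what the last slide says A may do, encrypt m0 itself, which is harmless against the randomized scheme but wins outright if the scheme reuses its randomness y.

```python
import secrets

# Toy parameters, constructed for this example: p = 11 is prime and g = 2
# generates Z_11^* (it has order 10). Real deployments use ~3072-bit primes.
P, G = 11, 2

def keygen(p=P, g=G):
    """K: secret x in {1, ..., p-1}, public h = g^x mod p."""
    x = secrets.randbelow(p - 1) + 1
    return (p, g, pow(g, x, p)), (p, g, x)          # (pk, sk)

def encrypt(pk, m, y=None):
    """E: c = (g^y, m * h^y). y is fresh randomness unless the caller pins it."""
    p, g, h = pk
    if not 1 <= m < p:
        raise ValueError("m must lie in Z_p^*")
    if y is None:
        y = secrets.randbelow(p - 1) + 1
    return pow(g, y, p), m * pow(h, y, p) % p

def decrypt(sk, c):
    """D: B * A^(-x). By Fermat, A^(-x) = A^(p-1-x) mod p for A in Z_p^*."""
    p, _, x = sk
    a, b = c
    return b * pow(a, (p - 1) - x, p) % p

def cpa_experiment(b, adversary, y=None):
    """Exp^CPA_{PE,A}(b): A gets pk, names (m0, m1), sees E(pk, m_b), outputs b*."""
    pk, _ = keygen()
    m0, m1 = adversary.choose(pk)
    return adversary.guess(pk, encrypt(pk, (m0, m1)[b], y))

class ReencryptAdversary:
    """Re-encrypts m0 itself, as the slide notes A may, and compares with c."""
    def __init__(self, y=None):
        self.y = y                  # the y that A believes the scheme used
    def choose(self, pk):
        return 1, 2                 # any two distinct messages in Z_p^*
    def guess(self, pk, c):
        return 0 if encrypt(pk, 1, self.y) == c else 1

def advantage(adversary, y=None, trials=200):
    """|Pr[Exp(0) = 1] - Pr[Exp(1) = 1]|, estimated over repeated runs."""
    hits = [sum(cpa_experiment(b, adversary, y) for _ in range(trials)) / trials
            for b in (0, 1)]
    return abs(hits[0] - hits[1])
```

With fresh y the same adversary only matches c when it happens to draw the challenger's y, so its advantage is about 1/(p − 1), which is negligible only once p is large; with y pinned (a deterministic scheme) the advantage is exactly 1.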
CPA-security of ElGamal
Theorem: IND-CPA of ElGamal
ElGamal has indistinguishable ciphertexts under CPA if the following Decisional Diffie-Hellman assumption holds in G:
Definition: Decisional Diffie-Hellman Assumption (DDH)
Given a group G with ~2^n elements and a random g ∈ G, no efficient adversary (in n) can distinguish
(g^x, g^y, g^{xy}) and (g^x, g^y, g^z) for x, y, z random in {1, …, |G|}.
Why decisional? CPA-security says it must be hard to distinguish, CDH that it is hard to compute. But distinguishing might be easier...
RSA-based ciphers (origin in 1977)
Problem of information secrecy solved?
We need alternative schemes based on different assumptions!