Upload
chaya-raff
View
212
Download
0
Embed Size (px)
Citation preview
Lecture 8 Public-Key Encryption I
Stefan Dziembowskiwww.dziembowski.net
MIM UW
23.11.12 ver 1.0
Plan
1. Handbook RSA and its insecuritya. introductionb. algebraic properties of RSA
2. Security definitions3. How to encrypt with RSA
a. a practical constructionb. a theoretical construction based on hard-
core bits
4. Rabin encryption5. Theoretical constructions
Public-Key Encryption
Alice Bob
m c := Enc(pk,m) Dec(sk,c)
pk sk
Use 2 keys (pk,sk), wherepk is used for encryption,sk is used for decryption.
The RSA trap-door permutation from the last lecture
ZN* ZN
*
easy
• easy (if you know p,q)• believed to be hard (otherwise)
f(x) = xe mod N
N = pq - RSA moduluse is such that gcd(e, φ(N)) = 1, d is such that ed = 1 (mod φ(N))
Q: How to formalize this?
A: “RSA assumption”
A naïve idea
Alice Bob
m ZN* c := me mod N m = cd mod N
(N,e) (N,d)
• pk = (N,e) is used for encryption,• sk = (N,d) is used for decryption.
The “handbook RSA encryption”
N = pq - RSA modulus
e is such that gcd(e, φ(N)) = 1, d is such that ed = 1 (mod φ(N))
RSA(e,N) (m) = me mod N,
and RSA(d,N) (c) = cd mod N.
φ(N) = (p-1)(q-1)
= RSA-1(e,N)
A game oracle
choose:• N = pq where p and q are random
primes such that |p| = |q| = k• x – a random element of ZN* ,• e – a random element of Zφ(N)*
adversary
(x,e,N)
outputsy
We say that the adversary wins if y = RSA-1(e,N) (x) mod N
RSA assumptionNo poly-time adversary wins this game with a non-negligible
probability.
security parameter 1k
RSA assumption – more formally
RSA assumptionFor any randomized polynomial time algorithm A we have:
P(ye = x mod N : y := A(x,N,e)) is negligible in k
where N = pq where p and q are random primes such that |p| = |q| = k, and x is a random element of ZN* ,and e is random element of Zφ(N)*
The ZN* group is a bit strange
Some elements of ZN = {0,...,n-1}
are not there but you don’t know which if you don’t know p and q.
Is it a problem?
No, for 2 reasons:• it is hard to find an element in ZN* \ ZN (other than 0),
• RSA works also over ZN (“by accident”).
Remember the Chinese Reminder Theorem?
Example Zpq where p=5, q = 7
0 1 2 3 4 5 60 0 5 10 15 20 25 301 7 1 16 31 11 26 62 12 22 2 17 32 12 273 17 8 23 3 18 33 134 22 29 9 24 4 19 34
Z35 Z35*
x mod 5
x mod 7
It is hard to find an element in ZN \ ZN* (other than 0)
Why?
ZN
ZN*
mod p
mod q
Suppose we have found a non-zero element
x ZN \ ZN*
For example:x mod q = 0 and x ≠ 0
Hence gcd(x,N) = q.
So we can factor N.
Example
0 1 2 3 4 5 60 0 5 10 15 20 25 301 7 1 16 31 11 26 62 12 22 2 17 32 12 273 17 8 23 3 18 33 134 22 29 9 24 4 19 34
Z35 Z35*
x mod 5
x mod 7gcd(15,35) = 5
RSA works also over ZN
Suppose x is such thatx mod q = 0 and x mod p ≠ 0
We show thatRSA(N,d)(RSA(N,e)(x)) = x mod N
By CRT it is enough to show that: xed = x mod qxed = x mod p
= xed
this holds because both sides are divisible by q
Recall that: (p-1)(q-1) | ed - 1Hence: (p-1) | ed - 1
Therefore: xed-1 = 1 mod pThis implies that xed = x mod p
Question?
Can we use this permutation for encryption?
Answer:• yes, • but not directly...
Problems
RSA has some “algebraic properties”.
RSApk is deterministic, so:if one encrypts twice the same message then the
ciphertexts are the same
Therefore if the message space M is small, the adversary can check all possible messages:
given a ciphertext c do:for every m є M check if RSApk(m) = c
for example if M={yes,no}, then the adversary can decrypt the message.
Plan
1. Handbook RSA and its insecuritya. introductionb. algebraic properties of RSA
2. Security definitions3. How to encrypt with RSA
a. a practical constructionb. a theoretical construction based on hard-
core bits
4. Rabin encryption5. Theoretical constructions
Algebraic properties of RSA1. RSA is homomorphic:
RSA(e,N)(m0 · m1) = (m0 · m1)e = m0
e · m1e
= RSA(e,N )(m0) · RSA(e,N )(m1)why is it bad?
By checking ifc0 · c1 = c
the adversary can detect ifRSA(d,N) (c0) · RSA(d,N)(c1) = RSA (d,N) (c)
2. The Jacobi symbol leaks.
Jacobi Symbol
QR(p)
QR(q)
mod q
mod p
QR(n)
for N=pq define JN(x) := Jp(x) · Jq(x)
+ 1 if x Є QRp for any prime p define Jp(x) := - 1 otherwise
+1 -1
-1 +1
JN(x) :=
Jacobi symbol can be computed efficiently! (even if p and q are unknown)
Fact: the RSA function “preserves” the Jacobi symbol
JN(x) = JN(xe mod N)
N = pq - RSA modulus
e is such that gcd(e, φ(N)) = 1
Actually, something even stronger holds:
RSA(N,e) is a permutation on each “quarter” of ZN*
In other words:• m mod p QRp iff me mod p QRp • m mod p QRq iff me mod q QRq
QRp QRp
QRq
Example Z35*
1 2 4 3 5 61 1 16 11 31 26 64 29 9 4 24 19 342 22 2 32 17 12 273 8 23 18 3 33 13
QR7
QR5 1 4 2 5 3 61 1 11 16 26 31 64 29 4 9 19 24 343 8 18 23 33 3 132 22 32 2 12 17 27
Calculate RSA(23,35)(m) = m23 mod 35
mod 7
mod
5
How to prove it?
By the CRT and by the fact that p and q are symmetric it is enough to show that
m is a QRp
iffme is a QRp
Fact
Proof.Let g be the generator of Zp*. Let y be such that m=gy.
Recall that x is a QRp iff x is an even power of g
It is easy to see that
(gy)e mod p is an even power of g iff
gy mod p is an even power of g.
Hence we are done.
gye = gye mod (p-1) (remember that p and e are odd)
For an odd e:me mod p is a QRp
iff m mod p is a QRp
Conclusion
The Jacobi symbol “leaks”, i.e.:from c
one can compute JN(Dec(N,d)(c))(without knowing the factorization of N)
Is it a big problem?
Depends on the application...
Note
The fact that the Jacobi symbol leaks does not contradict the RSA assumption.
oracle
choose:• N = pq where p and q are random
primes such that |p| = |q| = k• x – a random element of ZN* ,• e – is random element of Zφ(N)*
adversary
(x,e,N)
cannot compute RSA-1(e,N) (x) mod N
but can compute JN(RSA-1(e,N) (x) mod N)
Question: Is RSA secure?
Looks like it has some weaknesses...
Plan:1. Provide a formal security definition.2. Modify RSA so that it is secure according to
this definition.
Plan
1. Handbook RSA and its insecuritya. introductionb. algebraic properties of RSA
2. Security definitions3. How to encrypt with RSA
a. a practical constructionb. a theoretical construction based on hard-
core bits
4. Rabin encryption5. Theoretical constructions
A mathematical viewA public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec) of
poly-time algorithms, whereGen is a key-generation randomized algorithm that takes as input
a security parameter 1n and outputs a key pair (pk,sk).Enc is an encryption algorithm that takes as input the public key
pk and a message m, and outputs a ciphertext c,Dec is an decryption algorithm that takes as input the private key
sk and the ciphertext c, and outputs a message m’.
We will sometimes write Encpk(m) and Decsk(c) instead of Enc(pk,m) and Dec(sk,c).
Correctness
P(Decsk(Encpk(m)) ≠ m) is negligible in n
The security definition
Remember the symmetric-key case?
We considered a chosen-plaintext attack.
How would it look in the case of the public-key encryption?
A chosen-plaintext attack (CPA)
oracle
chooses m’1 m’1
c1 = Enc(pk,m’1)
has to guess b
chooses m’t m’t
ct = Enc(pk,m’t)
m0,m1
c = Enc(pk,mb)
chooses m0,m1
the interaction continues . . .
security parameter1n
1. selects random (pk,sk) = Gen(1n)
2. chooses a random b = 0,1
. . .challenge phase:
pk
This is notneeded.
Why?Because if Eve knows pk she can compute all these ciphertexts herself!
A simplified view
oracle
has to guess b
m0,m1
c = Enc(pk,mb)
chooses m0,m1
security parameter1n
1. selects random (pk,sk) = Gen(1n)
2. chooses a random b = 0,1
challenge phase:
pk
CPA-security
Security definition:
We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) if any
randomized polynomial time adversary
guesses b correctly
with probability at most 0.5 + ε(n), where ε is negligible.
Alternative name: CPA-secure
Is the “handbook RSA” secure?
Not secure!In fact:
No deterministic encryption scheme is secure.
How can the adversary win the game?1. he just chooses any m0,m1 , 2. computes c0=Enc(pk,m0) himself3. compares the result.
Moral: encryption has to be randomized.
the “handbook RSA”N = pq - RSA moduluse is such that gcd(e,d) = 1, d is such that ed = 1 (mod φ(N))
Enc(N,e)(m) = me mod N, and Dec(d,N)(c) = cd mod N.
Plan
1. Handbook RSA and its insecuritya. introductionb. algebraic properties of RSA
2. Security definitions3. How to encrypt with RSA
a. a practical constructionb. a theoretical construction based on hard-
core bits
4. Rabin encryption5. Theoretical constructions
Encoding
Therefore, before encrypting a message we usually encode it (adding some randomness).
This has the following advantages:• makes the encryption non-deterministic• breaks the “algebraic properties” of
encryption.
How is it done in real-life?PKCS #1: RSA Encryption Standard Version 1.5:
public-key: (N,e)let k := length on N in bytes.let D := length of the plaintextrequirement: D ≤ k - 11.
Enc((N,e), m) := xe mod N, where x is equal to:
00000000 00000001 r 00000000 m
(k - D - 3) random non-zero bytes
D bytes
k bytes
How to encrypt?
00000000 00000001 r 00000000 m
m
RSA
Encoding(x) :=
RSA(Encoding(x))
How to decrypt?
00000000 00000001 r 00000000 m
RSA-1(y)
ciphertext y
check if the format agrees....
outputm
Example
If the adversary can calculate the Jacobi symbol of
most probably it doesn’t help him in learning any information about m...
00000000 00000001 r 00000000 m
Security of the PKCS #1: RSA Encryption Standard Version 1.5.
It is believed to be CPA-secure.
It has however some weaknesses (it is not “chosen-ciphertext secure”).
Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding.
(we will discuss it later)
The situation
Can we construct a public-key encryption scheme whose security
can be provably based on the RSA assumption?
Answer:yes!
the PKCS #1 encryption scheme is secure
RSA assumption holds
???
Plan
1. Handbook RSA and its insecuritya. introductionb. algebraic properties of RSA
2. Security definitions3. How to encrypt with RSA
a. a practical constructionb. a theoretical construction based on hard-
core bits
4. Rabin encryption5. Theoretical constructions
Notation
For an integer x we will writeLSB(x)
to denote the least significant bit of x.
x:LSB(x)
In other words: LSB(x) = x mod 2
Fact (informally)
LSB is the “hardest bit to compute” in RSA.
(it is called a “hard-core bit”).
More precisely:If you can compute LSB then you can invert RSA.
Note:In some sense it is a “dual” predicate to Jacobi symbol...
Recall: oracle
choose:• N = pq where p and q are random
primes such that |p| = |q| = k• x – a random element of ZN* ,• e – a random element of Zφ(N)*
adversary
(x,e,N)
outputsy
We say that the adversary wins if y = RSA-1(e,N) (x) mod N
RSA assumptionNo poly-time adversary wins this game with a non-negligible
probability.
security parameter 1k
Game 2oracle
choose:• N = pq where p and q are random
primes such that |p| = |q| = k• x – a random element of ZN* ,• e – is random element of Zφ(N)*• d – such that ed = 1 mod φ(N)
adversary
(x,e,N)
outputsb
We say that the adversary wins if b is the least significant bit of y = RSA-1
(e,N) (x) mod N
security parameter 1k
Theorem
In other words:The least significant bit is a hard-core bit for RSA.
W. Alexi, B. Chor, O. Goldreich, and C.P. SchnorrOn the hardness of the least-signficant bits of the RSA and Rabin functions, 1984
Suppose the RSA assumption holds.Then every poly-time adversary wins Game 2 with a probability at most
0.5 + ε(k),where ε is negligible.
Proof strategy
Suppose we are given a poly-time adversary
that wins Game 2.
We construct a poly-time adversary
that breaks the RSA assumption.
For simplicity suppose that this happens with
probability 1
(not: 0.5 + something)
Outline of the construction
(x,e,N)
(x1,e,N)
b1
(xt,e,N)
bt
. . .
y=xd
Observation
Adversary can be used to compute
LSB of xd mod N.
It can also be used to compute (for any c)LSB of c · xd mod N.
How?
(ce · x, e, N)
outputsb’ = LSB((ce· x)d) = LSB (ced · xd )
= LSB (c · xd )
The method
The adversary will use to
compute:• LSB(2x)• LSB(4x)• LSB(8x)
Why is it usefull?
. . .
Observation
1 . . . N-1
2 . . . 2N-2
1 . . . N-1 1 . . . N-1
x
2x
2x mod N
= 2x = 2x - N
x≤(N-1)/2 x>(N-1)/2
Remember:N=pq is odd
even
Moral: x [1,...,(N-1)/2] iff 2x mod N is even
odd
1 . . . N-1
4 . . . 4N-4
x
4x
4xmod N
= 4x = 4x - 3N
(N-1)/4
even
Moral: x [1,...,(N-1)/4] [(N/2)+1,...,3(N-1)/4] iff 4x mod N is even
(N-1)/23(N-1)/4
1 . . . N-1 1 . . . N-1 1 . . . N-1 1 . . . N-1
= 4x - N = 4x – 2N
odd
even
odd
. . .
. . .
x
8x
8xmod N
= 8x
(N-1)/8
Moral: x [1,...,(N-1)/8] [(2N/8)+1,...,3(N-1)/8] [4(N/8)+1,...,5(N-1)/8] [6(N/8)+1,...,7(N-1)/8] iff 8x mod N is even
7(N-1)/8
= 8x-3N = 8x-4N
. . .
= 8x-N = 8x-2N = 8x-5N = 8x-6N = 8x-7N
even
odd
even
odd
even
odd
even
odd
So we can use bisection1 N-1
. . .
calculateLSB((2·x)d)
calculateLSB((8·x)d)
calculateLSB((16·x)d)
calculateLSB((4·x)d)
0 10 1
0 1
How to encrypt a one-bit message b?
(N,e) – public key(N,d) – private key
Enc1(N,e)(b) = (LSB(x) b, xe mod N),
where x ZN* is random.
Dec1(N,d)(b’,y) = LSB(yd mod N) b’
How to encrypt long messages?
Let m=(m1,..., mt)
Use the one-bit scheme bit-by-bit
Enc(N,e)(m1,..., mt) = (Enc1(N,e)(m1),..., (Enc1
(N,e)(mt))
Dec(N,d)(c1,..., ct) = (Dec1(N,d)(c1),..., (Dec1
(N,d)(ct))
(we omit the security proof)
Conclusion
Advantage:Security of this scheme is implied by the RSA
assumption.
Disadvantage:The ciphertext is much longer than the plaintext.
It is a rather theoretical construction!
the public-key encryption scheme that we just constructed is secure
RSA assumption holds
Plan
1. Handbook RSA and its insecuritya. introductionb. algebraic properties of RSA
2. Security definitions3. How to encrypt with RSA
a. a practical constructionb. a theoretical construction based on hard-
core bits
4. Rabin encryption5. Theoretical constructions
The situation
public-key encryption exists
RSA assumption holds
factoring RSA moduli is hard
???
question:
can we construct PKE based on the
“factoring assumption”
Yes:Rabin encryption
Rabin encrypion
• introduced by Michael O. Rabin in 1979
• based on squaring in ZN*• security equivalent to factoring
Michael O. Rabin (1931 – )
One of the founding fathers of computer science.• introduced non-determinism• decidability of the monadic second
order logic• efficient primality testing• oblivious transfer,• ....
received Turing Award in 1976
Remember squaring modulo N=pq?ZN* ZN*
RabinN(x) = x2 mod N
This function “glues” 4 elements together
Example
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
0 1 4 3 1 5 6 4 4 9 10 1 12 4 1
Z15*:
a
a2
A nice thing about Rabin’s function
Finding a square root modulo N is as hard as factoring.
Can we base an encryption scheme on this?YES!
How to do it?
First step: “make the inversion unique”.
factoring RSA moduli is hard
RabinN(x) = x2 mod Nis a one-way function
How to do it?An ad-hoc method:
add an encoding (like in the RSA encryption).In such a way that only 1 out of the 4 square roots “make sense”.
ZN* ZN*
f(x) = x2 mod NIn other words:
make the set of legal ciphertexts “sparse”
Another approach
FactSuppose N=pq where
p = q = 3 (mod 4)Then the function
RabinN(x) = x2 mod N
is a permutationRabinN : QRN QRN
Such an N is called a “Blum integer”
How does it look like?
ZN* ZN*
RabinN (x) = x2 mod NQRN
QRN
Rabin restricted to QRN is a permutation
ZN* ZN*RabinN(x) = x2 mod N
QRNQRN
Rabin restricted to QRN is a permutation - proof
Suppose we have x,y QRN such that
x2 = y2 mod N
x2 = y2 mod p
g4i = g4j mod p
g4(i-j) mod p
p-1 | 4(i-j)
4k+2 | 4(i-j)
2k+1 | 2(i-j)
2k+1 | i-j
i = j
x = y (mod p)
p = 4k + 3q = 4k’ + 3N=pq
= (4k+2)/2 = 2k+1
Let i,j N be such that g2i = x mod p and g2j = y mod qwhere g is a generator of Zp* and (p-1)/2 ≥ i > j ≥ 0.
By a symmetric argument:
x = y (mod q)
x = y mod N
CRTQED
How to encrypt a one-bit message b?
N – public key(N,p,q) – private key
Enc1N(b) = (LSB(x) b, RabinN(x)),
where x QRN is random.
Dec1(N,p,q)(b’,y) = LSB(RabinN
-1(y)) b’
a Blum integer
FactThe least significant bit is also a hard-core bit for the Rabin permutation.
this can be computed if one knows p and q
RabinN (x) = x2 mod NRabinN : QRN QRN
Plan
1. Handbook RSA and its insecuritya. introductionb. algebraic properties of RSA
2. Security definitions3. How to encrypt with RSA
a. a practical constructionb. a theoretical construction based on hard-
core bits
4. Rabin encryption5. Theoretical constructions
Hard-core predicates
A concept of a hard-core bit
can be generalized to a hard core predicate.
Definition (informal)
π : {0,1}n {0,1} is a hard core predicate for a trap-door permutation f: {0,1}n {0,1}n if it is impossible to guess π(f-
1(y)) from y(significantly better than with prob. 0.5)
Example
π : {0,1}n {0,1} defined asπ(x1,...,xn) = xn
is a hard-core predicate for RSA and Rabin.
π : {0,1}n {0,1} defined asπ(x) = JN(x)
for sure is not a hard core predicate for RSA.
A fact
Does every trap-door permutation have a hard-core predicate?
Almost:
Suppose that f is a trap-door permutation.
It can be used to build a trap-door permutation g that has a hard-core predicate.
How to encrypt with such an g?
public key: description of gprivate key: trapdoor t for g
Enc1g(b) = (π(x) b, g(x)),
where x ZN* is random.
Dec1t(b’,y) = π(g-1(y)) b’
Is the public-key encryption in Minicrypt?
As far as we know: no!
public-key encryption exists
trap-door permutations exist
one way functionsexistminicrypt
???
cryptomania
©2011 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.