Upload
joseph-kelly
View
226
Download
2
Embed Size (px)
Citation preview
Plan
1. Insecurity of the “handbook RSA”
2. Formal security definitions
3. Improved version of RSA
4. El Gamal encryption
5. Hybrid encryption
The “handbook” RSA function
N = pq, such that p and q are large distinct primes
e is such that gcd(e, φ(N)) = 1
d is such that ed = 1 (mod φ(N))
Ee: ZN* → ZN
* is defined as:
E(m) = me mod N.
Dd: ZN* → ZN
* is defined as:
D(c) = cd mod N.
Correctness:
Dd(Ee(m)) = (me)d = med = m
φ(N)) = (p-1)(q-1).
public key:(N,e)
private key:(N,d)
Problems
1. Ee is deterministic, so:– if one encrypts twice the same message then the
ciphertexts are the same– therefore it is completely insecure if the message
space M is small,because the adversary can check all possible messages:given a ciphertext c do:
for every m є M check if Ee (m) = c
for example if M={yes,no}, then the encryption is not secure.
2. RSA has some “algebraic properties”.
Algebraic properties of RSA
1. RSA is homorphic:Ee(m0 · m1) = (m0 · m1)e
= m0e · m1
e
= Ee(m0) · Ee(m1)why is it bad?
By checking ifc0 · c1 = c
the adversary can detect ifDd(c0) · Dd(c1) = Dd(c).
2. The “Jacobi symbol” leaks.
What is “Jacobi symbol”
If p is prime then
Jp(x) = +1 if x is a quadratic residue modulo p -1 otherwise
If n = pq (where p and q are prime) then
Jn(x) = Jp(x) · Jq(x)
The Jacobi symbol
n = pq
From CRT Zn* can be depicted as follows:
+1 -1
-1 +1
QRpnot QRp
not QRq
QRq
By the way:
only these are quadratic residues
modulo n
How to compute the Jacobi symbol
Jacobi symbol (in Zn*) can be efficiently computed if the factorization of n is known (this is easy).
What if the factorization is unknown?
It can also be efficiently computed (but the algorithm is not that trivial).
Fact Ee – encryption function of the RSAThen:
Jn(Ee(m)) = Jn(m)
ProofLeft-hand-side:
Jn(Ee(m)) = Jp(Ee(m)) · Jq(Ee(m)) Right-hand-side:
Jn(m) = Jp(m) · Jq(m)
Therefore it is enough to prove that:
Jp(Ee(m)) = Jp(m) and
Jq(Ee(m)) = Jq(m).
Since p and q are symmetric we can just prove it for p.
We have to show thatJp(Ee(m)) = Jp(m)
In other words:Ee(m) is a QRp
iff m is a QRp
Now observe that e is always odd (because gcd(e,(p-1)(q-1)) = 1).
To finish the proof we need to show that for an odd e:
me mod p is a QRp iff
m mod p is a QRp
This is equal tome mod p
For an odd e:me mod p is a QRp
iff m mod p is a QRp
Let g be the generator of Zp*.Recall that x is a QRp iff x is an even power of gIt is easy to see that
me mod p is an even power of g iff
m mod p is an even power of g.
Hence we are done.
Conclusion
The Jacoby symbol “leaks”, i.e.:from c
one can compute Jn(Dd(c))(without knowing the factorization of n)
Is it a big problem?
Depends on the application...
Question: Is RSA secure?
Looks like it has some weaknesses...
Plan:
1. Provide a formal security definition.
2. Modify RSA so that it is secure according to this definition.
The security definition
Remember the symmetric-key case?
We considered a chosen-plaintext attack.
How would it look in the case of the public-key encryption?
A chosen-plaintext attack (CPA)
oracle
chooses m’1 m’1
c1 = Enc(pk,m’1)
has to guess b
chooses m’t m’t
ct = Enc(pk,m’t)
m0,m1
c = Enc(pk,mb)
chooses m0,m1
the interaction continues . . .
security parameter1n
1. selects random (pk,sk) = Gen(1n)
2. chooses a random b = 0,1
. . .challenge phase:
pk
This is notneeded.
Why?Because if Eve knows pk she can compute all these ciphertexts herself!
A simplified view
oracle
has to guess b
m0,m1
c = Enc(pk,mb)
chooses m0,m1
security parameter1n
1. selects random (pk,sk) = Gen(1n)
2. chooses a random b = 0,1
challenge phase:
pk
CPA-security
Security definition:
We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) if any
randomized polynomial time adversary
guesses b correctly
with probability at most 0.5 + ε(n), where ε is negligible.
Alternative name: CPA-secure
What about the multiple encryptions?
What if the users use several times the same public key?
The game between the adversary and the oracle needs to be modified:
We will allow the adversary to choose vectors if messages• M0 = (m0
1,..., m0t),
• M1 = (m11,..., m1
t)such that for each i we have
|m1i| = |m0
i|.Then the oracle will output
(c1,...,ct) := Enc(pk,mb1),..., Enc(pk,mb
t)
Multiple messages experiment
oracle
has to guess b
(m01,..., m0
t),(m1
1,..., m1t)
Enc(pk,mb1),...,Enc(pk,mb
t)
security parameter1n
1. selects random (pk,sk) = Gen(1n)
2. chooses a random b = 0,1
challenge phase:
pk
CPA-security with multiple encryptions
Security definition:
We say that (Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA) if any
randomized polynomial time adversary
guesses b correctly
with probability at most 0.5 + ε(n), where ε is negligible.
Fact
It can be proven that these two notions are equivalent, i.e.:
(Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA)
iff
(Gen,Enc,Dec) has indistinguishable multiple encryptions under a chosen-plaintext attack (CPA).
Is the “handbook RSA” secure?
No!In fact:No deterministic encryption scheme is secure.
How can the adversary win the game?
Trivial attack: 1. he just chooses any m0,m1 , 2. computes c0=Enc(pk,m0) himself3. compares the result.
Moral: encryption has to be randomized.
Encoding
Therefore, before encrypting a message we usually encode it (adding some randomness).
This has the following advantages:
• makes the encryption non-deterministic
• breaks the “algebraic properties” of encryption.
How is it done in real-life?PKCS #1: RSA Encryption Standard Version 1.5:
public-key: (N,e)let k := length on N in bytes.let D := length of the plaintextrequirement: D ≤ k - 11.
Enc((N,e), m) := xe mod N, where x is equal to
00000000 00000001 r 00000000 m
(k - D - 3) random bytes D bytes
k bytes
Security of the PKCS #1: RSA Encryption Standard Version 1.5.
It is believed to be CPA-secure.
It has however some weaknesses (it is not “chosen-ciphertext secure”).
Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding.
(we will discuss it later)
El Gamal encryption
El Gamal is another popular public-key encryption scheme.
It is based on the Diffie-Hellman key-exchange.
Let us look at it again now.
The Diffie-Hellman Key exchangeG – a group, where discrete log is hardq = |G|g – a generator of G
Alice Bob
x ← Zq
y ← Zq
h2 = gy
security parameter 1n
(G,g),q, h1 = gx
(G,g) ← H(1n)
output:kA=(h2)x
output:kB=(h1)y
Idea
x ← Zq
security parameter 1n
(G,g,q,gx)
(G,g) ← H(1n)
Let this be the public key of Alice
To encrypt a message m with the key of Alice “play the role of Bob”, i.e.:
1. select y ← Zq and send h2 = gy to Alice2. calculate k = (h1)y
3. we have somehow to encrypt m....4. “encrypt it with k” and send to Alice.How to do it? Simply set c := k · m.Alice will also calculate k = (h2)x, and calculate m := c · k-1.
El Gamal encryption – implementation issues
Which group to choose?
E.g.: QR(p), where p is a strong prime, i.e.: q = (p-1)/2 is also prime.
Plaintext space is a set of integers {1,...,q}.
How to map an integer i є {1,...,q} to QR(p)?
Just square: f(i) = i2 mod p.
Why is it one-to-one?
Observation
In Zp* the function f “glues” only the elements i and p-i
f(x) = x21
...
q
q+1
...
2q
we take only this
The mapping
Sof(i) = i2 mod p
is one-to-one (on {1,...,q}).
Is it also efficiently invertible?
Yes (but this fact is not trivial)
Public key vs. private key encryption
Private-key encryption has a following advantage:
it is much more efficient.
Practical solution:
combine both!
It is called: the hybrid encryption.
Hybrid encryption
Encrypt the symmetric key with a public-key encryption scheme.
EncpkEnc’k
k m
pk
c1 c2
random
private key enc.
public key enc.
ciphertext