# Lecture 8 Public-Key Encryption I Stefan Dziembowski www.dziembowski.net MIM UW 23.11.12ver 1.0.

## Presentation on theme: "Lecture 8 Public-Key Encryption I Stefan Dziembowski www.dziembowski.net MIM UW 23.11.12ver 1.0."— Presentation transcript:

Lecture 8 Public-Key Encryption I Stefan Dziembowski www.dziembowski.net MIM UW 23.11.12ver 1.0

Plan 1.Handbook RSA and its insecurity a.introduction b.algebraic properties of RSA 2.Security definitions 3.How to encrypt with RSA a.a practical construction b.a theoretical construction based on hard- core bits 4.Rabin encryption 5.Theoretical constructions

Public-Key Encryption Alice Bob m m c := Enc(pk,m) Dec(sk,c) pk sk Use 2 keys (pk,sk), where pk is used for encryption, sk is used for decryption.

The RSA trap-door permutation from the last lecture ZN*ZN* ZN*ZN* ZN*ZN* ZN*ZN* easy easy (if you know p,q) believed to be hard (otherwise) easy (if you know p,q) believed to be hard (otherwise) f(x) = x e mod N N = pq - RSA modulus e is such that gcd(e, φ(N)) = 1, d is such that ed = 1 (mod φ(N)) Q: How to formalize this? A: “RSA assumption” Q: How to formalize this? A: “RSA assumption”

A naïve idea Alice Bob m  Z N * c := m e mod N m = c d mod N (N,e) (N,d) pk = (N,e) is used for encryption, sk = (N,d) is used for decryption.

The “handbook RSA encryption” N = pq - RSA modulus e is such that gcd(e, φ(N)) = 1, d is such that ed = 1 (mod φ(N)) RSA (e,N) (m) = m e mod N, and RSA (d,N) (c) = c d mod N. N = pq - RSA modulus e is such that gcd(e, φ(N)) = 1, d is such that ed = 1 (mod φ(N)) RSA (e,N) (m) = m e mod N, and RSA (d,N) (c) = c d mod N. φ(N) = (p-1)(q-1) = RSA -1 (e,N)

A game oracle choose: N = pq where p and q are random primes such that |p| = |q| = k x – a random element of Z N *, e – a random element of Z φ(N) * adversary (x,e,N) outputs y outputs y We say that the adversary wins if y = RSA -1 (e,N) (x) mod N RSA assumption No poly-time adversary wins this game with a non-negligible probability. security parameter 1 k

RSA assumption – more formally RSA assumption For any randomized polynomial time algorithm A we have: P(y e = x mod N : y := A(x,N,e)) is negligible in k where N = pq where p and q are random primes such that |p| = |q| = k, and x is a random element of Z N *, and e is random element of Z φ(N) *

The Z N * group is a bit strange Some elements of Z N = {0,...,n-1} are not there but you don’t know which if you don’t know p and q. Is it a problem? No, for 2 reasons: it is hard to find an element in Z N * \ Z N (other than 0), RSA works also over Z N (“by accident”).

Remember the Chinese Reminder Theorem? Example Z pq where p=5, q = 7 Z 35 Z 35 * x mod 5 x mod 7

It is hard to find an element in Z N \ Z N * (other than 0) Why? ZNZN ZN*ZN* mod p mod q Suppose we have found a non-zero element x  Z N \ Z N * For example: x mod q = 0 and x ≠ 0 Hence gcd(x,N) = q. So we can factor N.

Example Z 35 Z 35 * x mod 5 x mod 7 gcd(15,35) = 5

RSA works also over Z N Suppose x is such that x mod q = 0 and x mod p ≠ 0 We show that RSA (N,d) (RSA (N,e) (x)) = x mod N By CRT it is enough to show that: x ed = x mod q x ed = x mod p = x ed this holds because both sides are divisible by q Recall that: (p-1)(q-1) | ed - 1 Hence: (p-1) | ed - 1 Therefore: x ed-1 = 1 mod p This implies that x ed = x mod p Recall that: (p-1)(q-1) | ed - 1 Hence: (p-1) | ed - 1 Therefore: x ed-1 = 1 mod p This implies that x ed = x mod p

Question? Can we use this permutation for encryption? Answer: yes, but not directly...

Problems RSA has some “algebraic properties”. RSA pk is deterministic, so: if one encrypts twice the same message then the ciphertexts are the same Therefore if the message space M is small, the adversary can check all possible messages: given a ciphertext c do: for every m є M check if RSA pk (m) = c for example if M={yes,no}, then the adversary can decrypt the message.

Plan 1.Handbook RSA and its insecurity a.introduction b.algebraic properties of RSA 2.Security definitions 3.How to encrypt with RSA a.a practical construction b.a theoretical construction based on hard- core bits 4.Rabin encryption 5.Theoretical constructions

Algebraic properties of RSA 1.RSA is homomorphic: RSA (e,N) (m 0 · m 1 ) = (m 0 · m 1 ) e = m 0 e · m 1 e = RSA (e,N ) (m 0 ) · RSA (e,N ) (m 1 ) why is it bad? By checking if c 0 · c 1 = c the adversary can detect if RSA (d,N) (c 0 ) · RSA (d,N) (c 1 ) = RSA (d,N) (c) 2.The Jacobi symbol leaks.

Jacobi Symbol QR(p) QR(q) mod q mod p QR(n) for N=pq define J N (x) := J p (x) · J q (x) + 1 if x Є QR p for any prime p define J p (x) := - 1 otherwise +1 +1 J N (x) := Jacobi symbol can be computed efficiently! (even if p and q are unknown)

Fact: the RSA function “preserves” the Jacobi symbol J N (x) = J N (x e mod N) N = pq - RSA modulus e is such that gcd(e, φ(N)) = 1 N = pq - RSA modulus e is such that gcd(e, φ(N)) = 1

Actually, something even stronger holds: RSA (N,e) is a permutation on each “quarter” of Z N * In other words: m mod p  QR p iff m e mod p  QR p m mod p  QR q iff m e mod q  QR q QR p QR q

Example Z 35 * QR 7 QR 5 Calculate RSA (23,35) (m) = m 23 mod 35 mod 7 mod 5

How to prove it? By the CRT and by the fact that p and q are symmetric it is enough to show that m is a QR p iff m e is a QR p

Fact Proof. Let g be the generator of Z p *. Let y be such that m=g y. Recall that x is a QR p iff x is an even power of g It is easy to see that (g y ) e mod p is an even power of g iff g y mod p is an even power of g. Hence we are done. g ye = g ye mod (p-1) (remember that p and e are odd) For an odd e: m e mod p is a QR p iff m mod p is a QR p For an odd e: m e mod p is a QR p iff m mod p is a QR p

Conclusion The Jacobi symbol “leaks”, i.e.: from c one can compute J N (Dec (N,d) (c)) (without knowing the factorization of N) The Jacobi symbol “leaks”, i.e.: from c one can compute J N (Dec (N,d) (c)) (without knowing the factorization of N) Is it a big problem? Depends on the application... Is it a big problem? Depends on the application...

Note The fact that the Jacobi symbol leaks does not contradict the RSA assumption. oracle choose: N = pq where p and q are random primes such that |p| = |q| = k x – a random element of Z N *, e – is random element of Z φ(N) * adversary (x,e,N) cannot compute RSA -1 (e,N) (x) mod N but can compute J N (RSA -1 (e,N) (x) mod N) cannot compute RSA -1 (e,N) (x) mod N but can compute J N (RSA -1 (e,N) (x) mod N)

Question: Is RSA secure? Looks like it has some weaknesses... Plan: 1.Provide a formal security definition. 2.Modify RSA so that it is secure according to this definition.

Plan 1.Handbook RSA and its insecurity a.introduction b.algebraic properties of RSA 2.Security definitions 3.How to encrypt with RSA a.a practical construction b.a theoretical construction based on hard- core bits 4.Rabin encryption 5.Theoretical constructions

A mathematical view A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec) of poly-time algorithms, where Gen is a key-generation randomized algorithm that takes as input a security parameter 1 n and outputs a key pair (pk,sk). Enc is an encryption algorithm that takes as input the public key pk and a message m, and outputs a ciphertext c, Dec is an decryption algorithm that takes as input the private key sk and the ciphertext c, and outputs a message m’. A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec) of poly-time algorithms, where Gen is a key-generation randomized algorithm that takes as input a security parameter 1 n and outputs a key pair (pk,sk). Enc is an encryption algorithm that takes as input the public key pk and a message m, and outputs a ciphertext c, Dec is an decryption algorithm that takes as input the private key sk and the ciphertext c, and outputs a message m’. We will sometimes write Enc pk (m) and Dec sk (c) instead of Enc(pk,m) and Dec(sk,c). Correctness P ( Dec sk (Enc pk (m)) ≠ m ) is negligible in n Correctness P ( Dec sk (Enc pk (m)) ≠ m ) is negligible in n

The security definition Remember the symmetric-key case? We considered a chosen-plaintext attack. How would it look in the case of the public-key encryption?

A chosen-plaintext attack (CPA) oracle chooses m’ 1 m’ 1 c 1 = Enc(pk,m’ 1 ) has to guess b chooses m’ t m’tm’t m’tm’t c t = Enc(pk,m’ t ) m 0,m 1 c = Enc(pk,m b ) chooses m 0,m 1 the interaction continues... security parameter 1 n security parameter 1 n 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1... challenge phase: pk This is not needed. Why? Because if Eve knows pk she can compute all these ciphertexts herself! This is not needed. Why? Because if Eve knows pk she can compute all these ciphertexts herself!

A simplified view oracle has to guess b m 0,m 1 c = Enc(pk,m b ) chooses m 0,m 1 security parameter 1 n security parameter 1 n 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1 challenge phase: pk

CPA-security Security definition: We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) if any randomized polynomial time adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is negligible. Alternative name: CPA-secure

Is the “handbook RSA” secure? Not secure! In fact: No deterministic encryption scheme is secure. How can the adversary win the game? 1.he just chooses any m 0,m 1, 2.computes c 0 =Enc(pk,m 0 ) himself 3.compares the result. Moral: encryption has to be randomized. Not secure! In fact: No deterministic encryption scheme is secure. How can the adversary win the game? 1.he just chooses any m 0,m 1, 2.computes c 0 =Enc(pk,m 0 ) himself 3.compares the result. Moral: encryption has to be randomized. the “handbook RSA” N = pq - RSA modulus e is such that gcd(e,d) = 1, d is such that ed = 1 (mod φ(N)) Enc (N,e) (m) = m e mod N, and Dec (d,N) (c) = c d mod N. the “handbook RSA” N = pq - RSA modulus e is such that gcd(e,d) = 1, d is such that ed = 1 (mod φ(N)) Enc (N,e) (m) = m e mod N, and Dec (d,N) (c) = c d mod N.

Plan 1.Handbook RSA and its insecurity a.introduction b.algebraic properties of RSA 2.Security definitions 3.How to encrypt with RSA a.a practical construction b.a theoretical construction based on hard- core bits 4.Rabin encryption 5.Theoretical constructions

Encoding Therefore, before encrypting a message we usually encode it (adding some randomness). This has the following advantages: makes the encryption non-deterministic breaks the “algebraic properties” of encryption.

How is it done in real-life? PKCS #1: RSA Encryption Standard Version 1.5: public-key: (N,e) let k := length on N in bytes. let D := length of the plaintext requirement: D ≤ k - 11. Enc((N,e), m) := x e mod N, where x is equal to: 0000000000000001r00000000m (k - D - 3) random non-zero bytes D bytes k bytes

How to encrypt? 0000000000000001r00000000m m m RSA Encoding(x) := RSA(Encoding(x))

How to decrypt? 0000000000000001r00000000m RSA -1 (y) ciphertext y check if the format agrees.... output m output m

Example If the adversary can calculate the Jacobi symbol of most probably it doesn’t help him in learning any information about m... 0000000000000001r00000000m

Security of the PKCS #1: RSA Encryption Standard Version 1.5. It is believed to be CPA-secure. It has however some weaknesses (it is not “chosen- ciphertext secure”). Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding. (we will discuss it later)

The situation Can we construct a public-key encryption scheme whose security can be provably based on the RSA assumption? Answer: yes! the PKCS #1 encryption scheme is secure RSA assumption holds ???

Plan 1.Handbook RSA and its insecurity a.introduction b.algebraic properties of RSA 2.Security definitions 3.How to encrypt with RSA a.a practical construction b.a theoretical construction based on hard- core bits 4.Rabin encryption 5.Theoretical constructions

Notation For an integer x we will write LSB(x) to denote the least significant bit of x. x:x: LSB(x) In other words: LSB(x) = x mod 2

Fact (informally) LSB is the “hardest bit to compute” in RSA. (it is called a “hard-core bit”). More precisely: If you can compute LSB then you can invert RSA. Note: In some sense it is a “dual” predicate to Jacobi symbol...

Recall: oracle choose: N = pq where p and q are random primes such that |p| = |q| = k x – a random element of Z N *, e – a random element of Z φ(N) * adversary (x,e,N) outputs y outputs y We say that the adversary wins if y = RSA -1 (e,N) (x) mod N RSA assumption No poly-time adversary wins this game with a non-negligible probability. security parameter 1 k

Game 2 oracle choose: N = pq where p and q are random primes such that |p| = |q| = k x – a random element of Z N *, e – is random element of Z φ(N) * d – such that ed = 1 mod φ(N) adversary (x,e,N) outputs b outputs b We say that the adversary wins if b is the least significant bit of y = RSA -1 (e,N) (x) mod N security parameter 1 k

Theorem In other words: The least significant bit is a hard-core bit for RSA. W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr On the hardness of the least-signficant bits of the RSA and Rabin functions, 1984 On the hardness of the least-signficant bits of the RSA and Rabin functions W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr On the hardness of the least-signficant bits of the RSA and Rabin functions, 1984 On the hardness of the least-signficant bits of the RSA and Rabin functions Suppose the RSA assumption holds. Then every poly-time adversary wins Game 2 with a probability at most 0.5 + ε (k), where ε is negligible.

Proof strategy Suppose we are given a poly-time adversary that wins Game 2. We construct a poly-time adversary that breaks the RSA assumption. For simplicity suppose that this happens with probability 1 (not: 0.5 + something) For simplicity suppose that this happens with probability 1 (not: 0.5 + something)

Outline of the construction (x,e,N) (x 1,e,N) b1b1 b1b1 (x t,e,N) btbt btbt... y=x d

Observation Adversary can be used to compute LSB of x d mod N. It can also be used to compute (for any c) LSB of c · x d mod N. How? (c e · x, e, N) outputs b’ = LSB((c e · x) d ) = LSB (c ed · x d ) = LSB (c · x d ) outputs b’ = LSB((c e · x) d ) = LSB (c ed · x d ) = LSB (c · x d )

The method The adversary will use to compute: LSB(2x) LSB(4x) LSB(8x) Why is it usefull?...

Observation 1...N-1 2...2N-2 1...N-11...N-1 x 2x 2x mod N = 2x = 2x - N x≤(N-1)/2x>(N-1)/2 Remember: N=pq is odd even Moral: x  [1,...,(N-1)/2] iff 2x mod N is even odd

1...N-1 4...4N-4 x 4x 4x mod N = 4x= 4x - 3N (N-1)/4 even Moral: x  [1,...,(N-1)/4]  [(N/2)+1,...,3(N-1)/4] iff 4x mod N is even (N-1)/2 3(N-1)/4 1...N-11...N-11...N-11...N-1 = 4x - N= 4x – 2N odd even odd

... x 8x 8x mod N = 8x (N-1)/8 Moral: x  [1,...,(N-1)/8]  [(2N/8)+1,...,3(N-1)/8]  [4(N/8)+1,...,5(N-1)/8]  [6(N/8)+1,...,7(N-1)/8] iff 8x mod N is even 7(N-1)/8 = 8x-3N= 8x-4N... = 8x-N= 8x-2N= 8x-5N= 8x-6N= 8x-7N even odd even odd even odd even odd

So we can use bisection 1 N-1... calculate LSB((2·x) d ) calculate LSB((8·x) d ) calculate LSB((16·x) d ) calculate LSB((4·x) d ) 0 0 1 1 0 0 1 1 0 0 1 1

How to encrypt a one-bit message b? (N,e) – public key (N,d) – private key Enc 1 (N,e) (b) = (LSB(x)  b, x e mod N), where x  Z N * is random. Dec 1 (N,d) (b’,y) = LSB(y d mod N)  b’

How to encrypt long messages? Let m=(m 1,..., m t ) Use the one-bit scheme bit-by-bit Enc (N,e) (m 1,..., m t ) = (Enc 1 (N,e) (m 1 ),..., (Enc 1 (N,e) (m t )) Dec (N,d) (c 1,..., c t ) = (Dec 1 (N,d) (c 1 ),..., (Dec 1 (N,d) (c t )) (we omit the security proof)

Conclusion Advantage: Security of this scheme is implied by the RSA assumption. Disadvantage: The ciphertext is much longer than the plaintext. It is a rather theoretical construction! the public-key encryption scheme that we just constructed is secure RSA assumption holds

Plan 1.Handbook RSA and its insecurity a.introduction b.algebraic properties of RSA 2.Security definitions 3.How to encrypt with RSA a.a practical construction b.a theoretical construction based on hard- core bits 4.Rabin encryption 5.Theoretical constructions

The situation public-key encryption exists RSA assumption holds factoring RSA moduli is hard ??? question: can we construct PKE based on the “factoring assumption” Yes: Rabin encryption question: can we construct PKE based on the “factoring assumption” Yes: Rabin encryption

Rabin encrypion introduced by Michael O. Rabin in 1979 based on squaring in Z N * security equivalent to factoring Michael O. Rabin (1931 – ) One of the founding fathers of computer science. introduced non-determinism decidability of the monadic second order logic efficient primality testing oblivious transfer,.... received Turing Award in 1976 Michael O. Rabin (1931 – ) One of the founding fathers of computer science. introduced non-determinism decidability of the monadic second order logic efficient primality testing oblivious transfer,.... received Turing Award in 1976

Remember squaring modulo N=pq? ZN*ZN* ZN*ZN* Rabin N (x) = x 2 mod N This function “glues” 4 elements together

Example 01234567891011121314 01431564491011241 Z 15 *: a a2a2

A nice thing about Rabin’s function Finding a square root modulo N is as hard as factoring. Can we base an encryption scheme on this? YES! How to do it? First step: “make the inversion unique”. factoring RSA moduli is hard Rabin N (x) = x 2 mod N is a one-way function Rabin N (x) = x 2 mod N is a one-way function

How to do it? An ad-hoc method: add an encoding (like in the RSA encryption). In such a way that only 1 out of the 4 square roots “make sense”. ZN*ZN* ZN*ZN* f(x) = x 2 mod N In other words: make the set of legal ciphertexts “sparse”

Another approach Fact Suppose N=pq where p = q = 3 (mod 4) Then the function Rabin N (x) = x 2 mod N is a permutation Rabin N : QR N  QR N Such an N is called a “Blum integer”

How does it look like? ZN*ZN* ZN*ZN* Rabin N (x) = x 2 mod N QR N

Rabin restricted to QR N is a permutation ZN*ZN* ZN*ZN* Rabin N (x) = x 2 mod N QR N

Rabin restricted to QR N is a permutation - proof Suppose we have x,y  QR N such that x 2 = y 2 mod N  x 2 = y 2 mod p  g 4i = g 4j mod p  g 4(i-j) mod p  p-1 | 4(i-j)  4k+2 | 4(i-j)  2k+1 | 2(i-j)  2k+1 | i-j  i = j  x = y (mod p) p = 4k + 3 q = 4k’ + 3 N=pq p = 4k + 3 q = 4k’ + 3 N=pq = (4k+2)/2 = 2k+1 Let i,j  N be such that g 2i = x mod p and g 2j = y mod q where g is a generator of Z p * and (p-1)/2 ≥ i > j ≥ 0. By a symmetric argument: x = y (mod q) x = y mod N CRT QED

How to encrypt a one-bit message b? N – public key (N,p,q) – private key Enc 1 N (b) = (LSB(x)  b, Rabin N (x)), where x  QR N is random. Dec 1 (N,p,q) (b’,y) = LSB(Rabin N -1 (y))  b’ a Blum integer Fact The least significant bit is also a hard-core bit for the Rabin permutation. Fact The least significant bit is also a hard-core bit for the Rabin permutation. this can be computed if one knows p and q Rabin N (x) = x 2 mod N Rabin N : QR N  QR N

Plan 1.Handbook RSA and its insecurity a.introduction b.algebraic properties of RSA 2.Security definitions 3.How to encrypt with RSA a.a practical construction b.a theoretical construction based on hard- core bits 4.Rabin encryption 5.Theoretical constructions

Hard-core predicates A concept of a hard-core bit can be generalized to a hard core predicate. Definition (informal) π : {0,1} n  {0,1} is a hard core predicate for a trap-door permutation f: {0,1} n  {0,1} n if it is impossible to guess π(f -1 (y)) from y (significantly better than with prob. 0.5)

Example π : {0,1} n  {0,1} defined as π(x 1,...,x n ) = x n is a hard-core predicate for RSA and Rabin. π : {0,1} n  {0,1} defined as π(x) = J N (x) for sure is not a hard core predicate for RSA.

A fact Does every trap-door permutation have a hard-core predicate? Almost: Suppose that f is a trap-door permutation. It can be used to build a trap-door permutation g that has a hard-core predicate.

How to encrypt with such an g? public key: description of g private key: trapdoor t for g Enc 1 g (b) = ( π (x)  b, g(x)), where x  Z N * is random. Dec 1 t (b’,y) = π (g -1 (y))  b’

Is the public-key encryption in Minicrypt? As far as we know: no! public-key encryption exists trap-door permutations exist one way functions exist minicrypt ??? cryptomania

© 2011 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

Download ppt "Lecture 8 Public-Key Encryption I Stefan Dziembowski www.dziembowski.net MIM UW 23.11.12ver 1.0."

Similar presentations