CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.


Review: El Gamal encryption
• (Some aspects of the actual scheme are simplified)
• Key generation
  – Choose a large prime $p$, and an element $g \in \mathbb{Z}_p^*$
  – Choose random $x \in \{0, \ldots, p-2\}$, set $h = g^x$
  – The public key is $(p, g, h)$, and the private key is $x$
• Encryption
  – View the message $m$ as an element of $\mathbb{Z}_p^*$
  – Choose random $r \in \{0, \ldots, p-2\}$
  – The ciphertext is $(g^r, h^r \cdot m)$
• To decrypt ciphertext $(c_1, c_2)$, output $c_2 / c_1^x$
  – Correctness?
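The correctness question on this slide, worked through in code. This is an added example, not part of the lecture; the prime $p = 2^{61}-1$ and the element $g = 3$ are constructed toy parameters chosen only so the arithmetic runs quickly.

```python
import secrets

# Constructed toy parameters (assumption): p = 2^61 - 1 is prime, g = 3.
# Real deployments use far larger, carefully chosen groups.
P = 2**61 - 1
G = 3

def keygen():
    x = secrets.randbelow(P - 1)            # x in {0, ..., p-2}
    return (P, G, pow(G, x, P)), x          # public (p, g, h = g^x), private x

def encrypt(pk, m):
    p, g, h = pk
    if not 1 <= m < p:
        raise ValueError("message must be an element of Z_p^*")
    r = secrets.randbelow(p - 1)            # fresh r for every ciphertext
    return pow(g, r, p), (pow(h, r, p) * m) % p      # (g^r, h^r * m)

def decrypt(pk, x, ct):
    p = pk[0]
    c1, c2 = ct
    shared = pow(c1, x, p)                  # c1^x = (g^r)^x = (g^x)^r = h^r
    return (c2 * pow(shared, -1, p)) % p    # c2 / c1^x = (h^r * m) / h^r = m

def demo(m=424242, trials=8):
    """Encrypt the same m several times: all decrypt to m, ciphertexts differ."""
    pk, x = keygen()
    cts = [encrypt(pk, m) for _ in range(trials)]
    return [decrypt(pk, x, ct) for ct in cts], len(set(cts))

if __name__ == "__main__":
    plaintexts, distinct = demo()
    print(plaintexts, "distinct ciphertexts:", distinct)
```

Division in $\mathbb{Z}_p^*$ is multiplication by the modular inverse, which is what `pow(shared, -1, p)` computes.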

Security?
• Security of El Gamal encryption is based on the decisional Diffie-Hellman assumption
• Best current algorithm for the decisional Diffie-Hellman problem in $\mathbb{Z}_p^*$ runs in time ≈ $\exp(|p|^{1/3})$
  – So if $p$ is a 1024-bit prime, best current attack on El Gamal encryption requires time ≈ $2^{60}$
• In other groups, the Diffie-Hellman problem is currently ‘harder’
  – E.g., for elliptic curve groups, best current algorithms require time $\exp(|p|/2)$
  – Can use 120-bit primes to get $2^{60}$ security

RSA background
• $N = pq$, $p$ and $q$ distinct, odd primes
• $\varphi(N) = (p-1)(q-1) = |\mathbb{Z}_N^*|$
  – Easy to compute $\varphi(N)$ given the factorization of $N$
  – Hard to compute $\varphi(N)$ without the factorization of $N$
• For all $x \in \mathbb{Z}_N^*$, it holds that $x^{\varphi(N)} = 1 \bmod N$
• If $ed = 1 \bmod \varphi(N)$, then for all $m$: $(m^e)^d = m \bmod N$
  – I.e., given $d$, we can compute $e$-th roots

We have an asymmetry!
• Let $e$ be relatively prime to $\varphi(N)$
  – Needed so that $ed = 1 \bmod \varphi(N)$ has a solution
• Given $e$ and the factors of $N$, can compute $d$ and hence compute $e$-th roots
• Without the factorization of $N$, no apparent way to compute $e$-th roots

Hardness of computing $e$-th roots?
• The RSA problem:
  – Given $N$, $e$, and $c$, compute $c^{1/e} \bmod N$
• If factoring is easy, then the RSA problem is easy
• We know of no other way to solve the RSA problem besides factoring $N$
  – But we do not know how to prove that the RSA problem is as hard as factoring
• The upshot: we believe factoring is hard, and we believe the RSA problem is hard

How hard is factoring?
• Best current algorithms for factoring $N = pq$, a product of two equal-length primes, run in time ≈ $\exp(|N|^{1/3})$
• So need $|N|$ ≈ 1024 for reasonable security
• Currently $|N|$ ≈ 2048 recommended for good security margins

We have an asymmetry!
• Given $d$ (which can be computed from $e$ and the factorization of $N$), possible to compute $e$-th roots
• Without the factorization of $N$, no apparent way to compute $e$-th roots
• Let’s use this to encrypt…

RSA key generation
• Generate random $p$, $q$ of sufficient length
• Compute $N = pq$ and $\varphi(N) = (p-1)(q-1)$
• Compute $e$ and $d$ such that $ed = 1 \bmod \varphi(N)$
  – $e$ must be relatively prime to $\varphi(N)$
  – Typical choice: $e = 3$; other choices possible
• Public key = $(N, e)$; private key = $(N, d)$

“Textbook RSA” encryption
• Public key $(N, e)$; private key $(N, d)$
• To encrypt a message $m \in \mathbb{Z}_N^*$, compute $c = m^e \bmod N$
• To decrypt a ciphertext $c$, compute $m = c^d \bmod N$
• Correctness…
• …what about security?

Textbook RSA is insecure!
• It is deterministic!
• Furthermore, it can be shown that the ciphertext leaks specific information about the plaintext

Padded RSA
• Introduce randomization…
• Public key $(N, e)$; private key $(N, d)$
  – Say $|N|$ = 1024 bits
• To encrypt $m \in \{0,1\}^{895}$,
  – Choose random $r \in \{0,1\}^{128}$
  – Compute $c = (r \mid m)^e \bmod N$
• Decryption done in the natural way…
• Essentially this is standardized as PKCS #1 v1.5
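Textbook RSA beside the padded variant, as an added example that is not part of the lecture. It shows the determinism problem (a guess can be confirmed with the public key alone) and one well-known instance of plaintext leakage, the Jacobi symbol, which the slides do not name; the key is a constructed toy key with $e = 65537$ and the slide's bit lengths scaled down.

```python
import secrets

# Constructed toy key (assumption): two known Mersenne primes, e = 65537.
# The slides' 1024-bit layout (|r| = 128, |m| = 895) is scaled down to 92 bits.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))            # ed = 1 mod phi(N)
M_BITS, R_BITS = 59, 32                      # |r| + |m| = 91 < |N| = 92

def enc_textbook(m):
    return pow(m, E, N)                      # c = m^e mod N

def enc_padded(m):
    if m < 0 or m >> M_BITS:
        raise ValueError("message does not fit in M_BITS")
    r = secrets.randbits(R_BITS)             # fresh random r per ciphertext
    return pow((r << M_BITS) | m, E, N)      # c = (r | m)^e mod N

def dec_padded(c):
    return pow(c, D, N) & ((1 << M_BITS) - 1)    # drop r, keep m

def confirm_guess(c, candidates):
    """With a deterministic scheme, anyone holding pk can test guesses."""
    return [m for m in candidates if enc_textbook(m) == c]

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0
```

Because $e$ is odd and the Jacobi symbol is multiplicative, `jacobi(enc_textbook(m), N)` always equals `jacobi(m, N)`: one bit about $m$ is readable from the ciphertext.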

Hybrid encryption
• Public-key encryption is “slow”
• Encrypting “block-by-block” would be inefficient for long messages
• Hybrid encryption gives the functionality of public-key encryption at the (asymptotic) efficiency of private-key encryption!

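Hybrid encryption
[Diagram: a random key k is encrypted with Enc under pk to form the “encapsulated key”; the message is encrypted with Enc’ under k to form the “encrypted message”; together they make up the ciphertext.]
• Enc = public-key encryption scheme
• Enc’ = private-key encryption scheme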

Security
• If public-key component and private-key component are secure against chosen-plaintext attacks, then hybrid encryption is secure against chosen-plaintext attacks

Extension
• How should hybrid encryption be done when sending the same message to multiple recipients (e.g., encryption)?
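Hybrid encryption as described on the preceding slides, as an added example that is not part of the lecture. It goes one step beyond the single-recipient picture by encrypting the message once under a random $k$ and encapsulating that same $k$ separately for each recipient; the recipients, the toy padded-RSA sizes and the SHAKE-256 keystream used for Enc’ are all assumptions made for the illustration.

```python
import hashlib
import secrets

E = 65537
K_BITS, R_BITS = 128, 64        # padded RSA layout (r | k), toy sizes

def keygen(p, q):
    """Toy RSA key pair from two primes supplied by the caller."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _sym(k, data):
    """Enc': XOR with a SHAKE-256 keystream; k must never be reused."""
    pad = hashlib.shake_256(k).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def hybrid_encrypt(pks, msg):
    k = secrets.token_bytes(K_BITS // 8)             # fresh random k
    body = _sym(k, msg)                              # "encrypted message", once
    caps = []
    for n, e in pks:                                 # one "encapsulated key" each
        r = secrets.randbits(R_BITS)
        caps.append(pow((r << K_BITS) | int.from_bytes(k, "big"), e, n))
    return caps, body

def hybrid_decrypt(sk, cap, body):
    n, d = sk
    k = pow(cap, d, n) & ((1 << K_BITS) - 1)         # strip r, recover k
    return _sym(k.to_bytes(K_BITS // 8, "big"), body)

# Constructed recipients built from known Mersenne primes (toy sizes only).
ALICE = keygen(2**89 - 1, 2**127 - 1)
BOB = keygen(2**107 - 1, 2**521 - 1)

if __name__ == "__main__":
    caps, body = hybrid_encrypt([ALICE[0], BOB[0]], b"one body, two recipients")
    print(hybrid_decrypt(ALICE[1], caps[0], body))
    print(hybrid_decrypt(BOB[1], caps[1], body))
```

The ciphertext grows by one encapsulated key per recipient, while the long message is encrypted only once with the private-key scheme.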

Malleability
• All the public-key encryption schemes we have seen so far are malleable
  – Given ciphertext $c$ that encrypts (unknown) message $m$, possible to generate a ciphertext $c'$ that encrypts a related message $m'$
• In the public-key setting, security against chosen-ciphertext attacks implies non-malleability
• In many scenarios, malleability/chosen-ciphertext attacks are problematic
  – E.g., auction example; password example; Bleichenbacher attack…
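What malleability means for textbook RSA in the auction setting mentioned above, as an added example that is not part of the lecture. The key is a constructed toy key, and the auction functions and bidder names are hypothetical; the point is that a related ciphertext is produced from the public key and $c$ alone, which is why sealed bids need a non-malleable scheme.

```python
# Constructed toy key (assumption): known Mersenne primes and e = 65537.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def encrypt(m):
    return pow(m, E, N)            # textbook RSA: c = m^e mod N

def decrypt(c):
    return pow(c, D, N)            # m = c^d mod N

def related_ciphertext(c, factor):
    """From c = Enc(m), build Enc(factor * m mod N) with the public key only.

    (m^e)(factor^e) = (factor * m)^e mod N, so m itself is never needed.
    """
    return (c * pow(factor, E, N)) % N

def open_bids(sealed):
    """Auctioneer: decrypt every sealed bid and return (winner, amounts)."""
    amounts = {name: decrypt(c) for name, c in sealed.items()}
    return max(amounts, key=amounts.get), amounts

def auction_demo(first_bid=1200):
    sealed = {"first": encrypt(first_bid)}
    # The second sealed bid is derived from the first ciphertext alone;
    # whoever builds it never learns the amount inside.
    sealed["second"] = related_ciphertext(sealed["first"], 2)
    return open_bids(sealed)

if __name__ == "__main__":
    print(auction_demo())
```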

Bleichenbacher’s attack
• RSA PKCS #1 v1.5 is actually defined as: $c = (00 \| 02 \| r \| 0 \| m)^e \bmod N$
• When decrypting, return an error if formatting is not obeyed
• This enables a chosen-ciphertext attack that relies only on the ability to detect errors upon decryption

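Bleichenbacher’s attack
[Diagram: starting from $c = \mathrm{Enc}_{pk}(m)$, ciphertexts are submitted for decryption and each is answered with error/no error: $c_1$ → error/no error, $c_{999}$ → error/no error, …]
• If the $\{c_i\}$ are carefully constructed, this information is enough to determine $m$!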

Malleability
• All the public-key encryption schemes we have seen so far are malleable
  – Given a ciphertext $c$ that encrypts an (unknown) message $m$, possible to generate a ciphertext $c'$ that encrypts a related message $m'$
• Note: the problem is not integrity (there is no integrity in public-key encryption, anyway), but malleability and/or the ability to conduct a chosen-ciphertext attack

Malleability in private-key setting
• Malleability is an issue in the private-key setting as well
  – Recall that CBC, OFB, CTR mode are all vulnerable to chosen-ciphertext attacks, and are all malleable
• Authenticated encryption schemes (e.g., “encrypt-then-authenticate”) are secure against chosen-ciphertext attacks (and non-malleable)
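CTR-mode malleability beside encrypt-then-authenticate, as an added example that is not part of the lecture. HMAC-SHA256 stands in for the block cipher so the code needs only the standard library; the message and the helper names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

NONCE = 16

def _ctr_xor(key, nonce, data):
    """CTR keystream XOR; HMAC-SHA256 stands in for the block cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ctr = nonce + (i // 32).to_bytes(8, "big")
        pad = hmac.new(key, ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def ctr_encrypt(key, msg):
    nonce = secrets.token_bytes(NONCE)
    return nonce + _ctr_xor(key, nonce, msg)

def ctr_decrypt(key, ct):
    return _ctr_xor(key, ct[:NONCE], ct[NONCE:])

def etm_encrypt(k_enc, k_mac, msg):
    ct = ctr_encrypt(k_enc, msg)
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()   # tag over ciphertext

def etm_decrypt(k_enc, k_mac, blob):
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(k_mac, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                    # reject before decrypting anything
    return ctr_decrypt(k_enc, ct)

def xor_into(ct, pt_offset, old, new):
    """Return ct with (old XOR new) applied at a plaintext offset."""
    out = bytearray(ct)
    for i, (a, b) in enumerate(zip(old, new)):
        out[NONCE + pt_offset + i] ^= a ^ b
    return bytes(out)
```

Plain CTR decrypts a modified ciphertext to a predictably related plaintext, while the encrypt-then-authenticate wrapper returns `None` for the same modification because the tag no longer verifies.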