1. B504/I538: Introduction to Cryptography
Spring • Lecture 23
(2017—04—04)

2. Recall: Diffie-Hellman key exchange
a∊℥q
b∊℥q
≔h((gb)a)
≔h((ga)b) ga gb
Enc (m)
Alice
Bob
Eve
=???
m=???
Suppose (G，q，g)←Ｇ(1s) for some group generating algorithm Ｇ

3. Recall: CDH assumption
Challenger (C)
Attacker (A)
1 s
1 s
(G，q，g)←Ｇ(1 s)
a,b∊℥q h1≔ga, h2≔gb
(G，q，g，h1，h2) h
Let E be the event that h=gab
Define A’s advantage to be AdvCDH,Ｇ(A)≔Pr[E]
Defn: Let Ｇ be a group generating algorithm. The (computational) Diffie-Hellman (CDH) assumption holds with respect to Ｇ if, for every PPT algorithm A, there exists a negligible function ε：ℕ→ℝ+ such that AdvCDH,Ｇ(A)≤ε(s).

4. Recall: DDH assumption
Defn: Let (G，q，g)←Ｇ(1s). Then (G，q，g，ga，gb，h) is a DH tuple if and only if h=gab.
Game 0: (input to A is a DH tuple)
1s∈1ℕ
1s∈1ℕ
Challenger
Distinguisher (D)
(G，q，g)←Ｇ(1 s)
a，b∊℥q
(G，q，g，ga，gb，gab)
b’∈{0，1}
Game 1: (input to A is not a DH tuple)
1s∈1ℕ
Challenger
Distinguisher (D)
1s∈1ℕ
(G，q，g)←Ｇ(1 s)
a，b，c∊℥q
(G，q，g，ga，gb，gc)
b’∈{0，1}
Let E be the event that b’=0 in Game 0 or b’=1 in Game 1 3
Defn: AdvDDH,Ｇ(D)≔|Pr[E]- ½|

5. El Gamal encryption
Intuitively, El Gamal encryption is the result of converting Diffie-Hellman key exchange into a public- key encryption scheme
Fact 1: Let (G，•) be a group with prime order q and g∈G be a generator. Then exponentiation with base g is a uniform random variable on G; that is, if r∊℥q, then gr is distributed uniformly at random in G.
Fact 2: Let (G，•) be a group, let m∈G. Then multiplication with m is a uniform random variable on G; that is, if h∊G, then m•h is distributed uniformly at random in G.
choosing
random
OTP
OTP
in G

6. El Gamal encryption (Ｍ=Ｃ=G)
Let Ｇ be a group-generating algorithm. The El Gamal encryption scheme is the following:
Gen(1s) invokes (G，q，g)←Ｇ(1s), chooses a∊℥q, and computes h≔ga
The public key is ke≔(G，q，g，h)
The private key is kd≔a
Enc(ke，m) chooses r∊℥q and computes c1≔gr and c2≔hr•m
The ciphertext is c≔(c1，c2)
Dec(ke，kd，c) outputs m’≔c2•c1-a
(Ｍ=Ｃ=G)

7. El Gamal encryption Thm: El Gamal encryption is correct.
Proof: Let c≔(c1，c2)=(gr，hr•m) with ke≔(G，q，g，h) and kd=a
Then Dec(ke，kd，m)
=c2•c1-a
=(hr•m)•c1-a
=(hr•m)•(gr)-a
=((ga)r•m)•(gr)-a
=m•(gar•g-ar)
=m ☐

8. El Gamal encryption
Thm: El Gamal encryption is IND-CPA secure whenever the DDH assumption holds with respect to Ｇ.
Proof (sketch): Consider a “modified” El Gamal in which
“encryption” is done by choosing r，s∊℥q and outputting c≔(c1,c2) for c1≔gr and c2≔gs•m
By Facts 1 and 2, c1 and c2 are independent uniform random variables on G — decryption is impossible.

9. El Gamal encryption
Thm: El Gamal encryption is IND-CPA secure whenever the DDH assumption holds with respect to Ｇ.
Proof (sketch): Assume attacker A can break IND-CPA security of El Gamal with advantage μ(s)
We construct a DDH distinguisher D for Ｇ from A as follows:
Given a DDH instance (G，q，g，h1，h2，h3), send ke≔(G，q，g，h1) to A to get (m0，m1)
Choose b∊{0，1} and set c≔(h2，h3•mb) to A
Obtain b’’∈{0，1} from A and output b’≔b⊕b’’
Note that AdvDDH,Ｇ(D)=AdvCPA(A)=μ(s) ☐

10. Multiplicative homomorphism
Thm: El Gamal encryption is multiplicatively homormorphic; that is, if (c1，c2)←Enc(ke，m) and (c′1，c′2)←Enc(ke，m’), then Dec(kd，(c1•c′1，c2•c′2))=m•m’.
Proof: Let (c1，c2)=(gr，hr•m) and (c′1，c′2)≔(gs，hs•m’).
Then c1•c′1=gr•gs=gr+s and c2•c′2=(hr•m)•(hs•m’)=hr+s•(m•m’);
hence, Dec(ke，kd，(c1•c′1，c2•c′2))=(gr+s)a•hr+s•(m•m’)=m•m’ ☐
In other words, by taking the component-wise product of two ciphertexts (encrypted under the same key), we obtain an encryption of the product of the two messages

11. Recall: Quadratic residues
Defn: An element a∈ℤn is a quadratic residue modulo n if and only if it has a square root modulo n.
At most half of elements in ℤn can be quadratic residues modulo n!
The set of quadratic residues modulo n is denoted QRn.
Fact 3: (QRn,⊡) is a group, where ⊡ is multiplication modulo n!
More generally, a is an eth residue modulo n if it has an eth root modulo n.

12. Recall: Legendre symbols
Defn: If p>2 is prime, then ( a p )≔a(p-1)⁄2 is called the Legendre Symbol of a modulo p.
Q: What makes ( a p ) worthy of special consideration?
A: Fermat’s Little Theorem implies that ( a p )2≡1 whenever a∈℥p!
(Note: ( a p )∈{-1,0,1})
Thm (Euler’s Criterion): a∈℥p is a quadratic residue modulo p if and only if ( a p )=1; that is, if and only if ( a p )≡1.

13. Recall: Jacobi Symbols
The Legendre Symbol generalizes to composite moduli, but the properties are slightly trickier:
If ( a N )=-1, then a is definitely not a quadratic residue modulo n
If a is a quadratic residue modulo N, then ( a N ) is definitely equal to 1
However, if ( a N )=1, then a may or may not be a quadratic residue modulo N!
Fact 4: Let N=pq be the product of two distinct primes. Then a∈QRN ifand only if it is a∈QRp and a∈QRq
It is easy to tell if a∈QRN if you know p and q!
Fact 5: If a∈QRN and b∉QRN, then a·b∉QRN.
Fact 6: For all a，b∈ℤN, ( a N )·( b N )=( ab N )

14. Quadratic residuosity
Q: If p and q are not known, how easy is it to determine if a∈QRN?
A: Sometimes it is easy, sometimes it appears hard!
If a∈QRp but a∉QRq or a∉QRp but a∈QRq, it is easy (because Jacobi symbol is -1)
If a∉QRp and a∉QRq, then Jacobi symbol is +1 and it appears difficult to distinguish this from case wheren a∈QRN
Define QNRN+={a∉QRN｜( a N )=1}

15. Quadratic residuosity assumption
Let Ｇ be a PPT algorithm that, on input a security parameter 1s∈1ℕ, outputs a pair of distinct s-bit primes (p ，q). We call such a Ｇ a QR instance generator. Defn: The quadratic residuosity assumption holds with respect to a QR instance generator Ｇ if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that ∣ Pr[A(pq，a)=1｜(p，q)←Ｇ(1s)∧a∊QNRN+] - Pr[A(pq，a)=1｜(p，q)←Ｇ(1s)∧a∈QRN] ∣≤ε(s)

16. Goldwasser-Micali bit encryption
Let Ｇ be a QR instance generator. The Goldwasser-Micali bit encryption scheme is the following:
Gen(1s) invokes (p，q)←Ｇ(1s) and chooses z∊QNRN+
The public key is ke≔(pq，z)
The private key is kd≔(p，q)
Enc(ke，b) does the following:
If b≟0, it chooses a∊ℤN and outputs c≔a2 mod N
If b≟0, it chooses a∊ℤN and outputs c≔za2 mod N
Dec(ke，kd，c) outputs b’=0 if c∈QRN and b’=1 otherwise
(Ｍ={0，1}; Ｃ=ℤN)

17. El Gamal encryption Thm: Goldwasser-Micali encryption is correct.
Proof: If b=0, then c≔a2 mod N for some a∈ℤN.
Hence, c∈QRN and Dec(ke，kd，c)=0.
If b=1, then c≔a2·z mod N for some a∈ℤN.
Since a2∈QRN and z∉QRN,
by Fact 5 we have c∉QRN and Dec(ke，kd，c)= ☐

18. El Gamal encryption
Thm: Goldwasser-Micali encryption is IND-CPA secure whenever the quadratic residuosity assumption holds with respect to Ｇ.
Proof (sketch): If b=0, then c∊QRN; on the other hand, if b=1, then, by Fact 6, c∊QNRN+.
Hence, distinguishing encryptions of 0 from encryptions of 1 is directly equivalent to winning in the quadratic residuosity game.

19. XOR homomorphism
Thm: Goldwasser-Micali encryption is XOR-homormorphic; that is, if c←Enc(ke，b) and c’←Enc(ke，b’), then Dec(ke，kd，c•c’)=b⊕b’.
Proof: If (b，b’)=(0，0), then (c，c’)≔(a2,a’2)⇒ c·c’=(a·a’)2∈QRN
If (b，b’)=(1，1), then (c，c’)≔(a2z，a’2z)⇒c·c’=(a·a’·z)2∈QRN
If (b，b’)=(0，1), then (c，c’)=(a2,a’2z)⇒c·c’=(a·a’)2z∈QNRN+ If (b，b’)=(1，0), then (c，c’)=(a2z,a’2)⇒c·c’=(a·a’)2z∈QNRN+
In other words, by taking the product of two ciphertexts (encrypted under the same key), we obtain an encryption of the XOR of the two messages!

20. Paillier encryption
Paillier encryption is based on some fairly advanced algebra, which we won’t discuss here
It is IND-CPA secure under the composite residuosity assumption, which posits that it is infeasible to distinguish a uniform random Nth residue modulo N2 from uniform random number modulo N2
It is noteworthy due to the following theorem:
Thm: Paillier encryption is additively homormorphic; that is, if c←Enc(ke，m) and c’←Enc(ke，m’), then Dec(ke，kd，c•c’)=m+m’ mod N2.

21. That’s all for today, folks!