Lecture 8 Public-Key Encryption I Stefan Dziembowski MIM UW 23.11.12ver 1.0.

Lecture 8 Public-Key Encryption I

Stefan Dziembowskiwww.dziembowski.net

MIM UW

23.11.12 ver 1.0

Plan

1. Handbook RSA and its insecuritya. introductionb. algebraic properties of RSA

2. Security definitions3. How to encrypt with RSA

a. a practical constructionb. a theoretical construction based on hard-

core bits

4. Rabin encryption5. Theoretical constructions

Public-Key Encryption

Alice Bob

m c := Enc(pk,m) Dec(sk,c)

pk sk

Use 2 keys (pk,sk), wherepk is used for encryption,sk is used for decryption.

The RSA trap-door permutation from the last lecture

ZN* ZN

*

easy

• easy (if you know p,q)• believed to be hard (otherwise)

f(x) = xe mod N

N = pq - RSA moduluse is such that gcd(e, φ(N)) = 1, d is such that ed = 1 (mod φ(N))

Q: How to formalize this?

A: “RSA assumption”

A naïve idea

Alice Bob

m ZN* c := me mod N m = cd mod N

(N,e) (N,d)

• pk = (N,e) is used for encryption,• sk = (N,d) is used for decryption.

The “handbook RSA encryption”

N = pq - RSA modulus

e is such that gcd(e, φ(N)) = 1, d is such that ed = 1 (mod φ(N))

RSA(e,N) (m) = me mod N,

and RSA(d,N) (c) = cd mod N.

φ(N) = (p-1)(q-1)

= RSA-1(e,N)

A game oracle

choose:• N = pq where p and q are random

primes such that |p| = |q| = k• x – a random element of ZN* ,• e – a random element of Zφ(N)*

adversary

(x,e,N)

outputsy

We say that the adversary wins if y = RSA-1(e,N) (x) mod N

RSA assumptionNo poly-time adversary wins this game with a non-negligible

probability.

security parameter 1k

RSA assumption – more formally

RSA assumptionFor any randomized polynomial time algorithm A we have:

P(ye = x mod N : y := A(x,N,e)) is negligible in k

where N = pq where p and q are random primes such that |p| = |q| = k, and x is a random element of ZN* ,and e is random element of Zφ(N)*

The ZN* group is a bit strange

Some elements of ZN = {0,...,n-1}

are not there but you don’t know which if you don’t know p and q.

Is it a problem?

No, for 2 reasons:• it is hard to find an element in ZN* \ ZN (other than 0),

• RSA works also over ZN (“by accident”).

Remember the Chinese Reminder Theorem?

Example Zpq where p=5, q = 7

0 1 2 3 4 5 60 0 5 10 15 20 25 301 7 1 16 31 11 26 62 12 22 2 17 32 12 273 17 8 23 3 18 33 134 22 29 9 24 4 19 34

Z35 Z35*

x mod 5

x mod 7

It is hard to find an element in ZN \ ZN* (other than 0)

Why?

ZN

ZN*

mod p

mod q

Suppose we have found a non-zero element

x ZN \ ZN*

For example:x mod q = 0 and x ≠ 0

Hence gcd(x,N) = q.

So we can factor N.

Example

0 1 2 3 4 5 60 0 5 10 15 20 25 301 7 1 16 31 11 26 62 12 22 2 17 32 12 273 17 8 23 3 18 33 134 22 29 9 24 4 19 34

Z35 Z35*

x mod 5

x mod 7gcd(15,35) = 5

RSA works also over ZN

Suppose x is such thatx mod q = 0 and x mod p ≠ 0

We show thatRSA(N,d)(RSA(N,e)(x)) = x mod N

By CRT it is enough to show that: xed = x mod qxed = x mod p

= xed

this holds because both sides are divisible by q

Recall that: (p-1)(q-1) | ed - 1Hence: (p-1) | ed - 1

Therefore: xed-1 = 1 mod pThis implies that xed = x mod p

Question?

Can we use this permutation for encryption?

Answer:• yes, • but not directly...

Problems

RSA has some “algebraic properties”.

RSApk is deterministic, so:if one encrypts twice the same message then the

ciphertexts are the same

Therefore if the message space M is small, the adversary can check all possible messages:

given a ciphertext c do:for every m є M check if RSApk(m) = c

for example if M={yes,no}, then the adversary can decrypt the message.

Plan




core bits


Algebraic properties of RSA1. RSA is homomorphic:

RSA(e,N)(m0 · m1) = (m0 · m1)e = m0

e · m1e

= RSA(e,N )(m0) · RSA(e,N )(m1)why is it bad?

By checking ifc0 · c1 = c

the adversary can detect ifRSA(d,N) (c0) · RSA(d,N)(c1) = RSA (d,N) (c)

2. The Jacobi symbol leaks.

Jacobi Symbol

QR(p)

QR(q)

mod q

mod p

QR(n)

for N=pq define JN(x) := Jp(x) · Jq(x)

+ 1 if x Є QRp for any prime p define Jp(x) := - 1 otherwise

+1 -1

-1 +1

JN(x) :=

Jacobi symbol can be computed efficiently! (even if p and q are unknown)

Fact: the RSA function “preserves” the Jacobi symbol

JN(x) = JN(xe mod N)

N = pq - RSA modulus

e is such that gcd(e, φ(N)) = 1

Actually, something even stronger holds:

RSA(N,e) is a permutation on each “quarter” of ZN*

In other words:• m mod p QRp iff me mod p QRp • m mod p QRq iff me mod q QRq

QRp QRp

QRq

Example Z35*

1 2 4 3 5 61 1 16 11 31 26 64 29 9 4 24 19 342 22 2 32 17 12 273 8 23 18 3 33 13

QR7

QR5 1 4 2 5 3 61 1 11 16 26 31 64 29 4 9 19 24 343 8 18 23 33 3 132 22 32 2 12 17 27

Calculate RSA(23,35)(m) = m23 mod 35

mod 7

mod

5

How to prove it?

By the CRT and by the fact that p and q are symmetric it is enough to show that

m is a QRp

iffme is a QRp

Fact

Proof.Let g be the generator of Zp*. Let y be such that m=gy.

Recall that x is a QRp iff x is an even power of g

It is easy to see that

(gy)e mod p is an even power of g iff

gy mod p is an even power of g.

Hence we are done.

gye = gye mod (p-1) (remember that p and e are odd)

For an odd e:me mod p is a QRp

iff m mod p is a QRp

Conclusion

The Jacobi symbol “leaks”, i.e.:from c

one can compute JN(Dec(N,d)(c))(without knowing the factorization of N)

Is it a big problem?

Depends on the application...

Note

The fact that the Jacobi symbol leaks does not contradict the RSA assumption.

oracle


primes such that |p| = |q| = k• x – a random element of ZN* ,• e – is random element of Zφ(N)*

adversary

(x,e,N)

cannot compute RSA-1(e,N) (x) mod N

but can compute JN(RSA-1(e,N) (x) mod N)

Question: Is RSA secure?

Looks like it has some weaknesses...

Plan:1. Provide a formal security definition.2. Modify RSA so that it is secure according to

this definition.

Plan




core bits


A mathematical viewA public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec) of

poly-time algorithms, whereGen is a key-generation randomized algorithm that takes as input

a security parameter 1n and outputs a key pair (pk,sk).Enc is an encryption algorithm that takes as input the public key

pk and a message m, and outputs a ciphertext c,Dec is an decryption algorithm that takes as input the private key

sk and the ciphertext c, and outputs a message m’.

We will sometimes write Encpk(m) and Decsk(c) instead of Enc(pk,m) and Dec(sk,c).

Correctness

P(Decsk(Encpk(m)) ≠ m) is negligible in n

The security definition

Remember the symmetric-key case?

We considered a chosen-plaintext attack.

How would it look in the case of the public-key encryption?

A chosen-plaintext attack (CPA)

oracle

chooses m’1 m’1

c1 = Enc(pk,m’1)

has to guess b

chooses m’t m’t

ct = Enc(pk,m’t)

m0,m1

c = Enc(pk,mb)

chooses m0,m1

the interaction continues . . .

security parameter1n

1. selects random (pk,sk) = Gen(1n)

2. chooses a random b = 0,1

. . .challenge phase:

pk

This is notneeded.

Why?Because if Eve knows pk she can compute all these ciphertexts herself!

A simplified view

oracle

has to guess b

m0,m1

c = Enc(pk,mb)

chooses m0,m1

security parameter1n

1. selects random (pk,sk) = Gen(1n)

2. chooses a random b = 0,1

challenge phase:

pk

CPA-security

Security definition:

We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (CPA) if any

randomized polynomial time adversary

guesses b correctly

with probability at most 0.5 + ε(n), where ε is negligible.

Alternative name: CPA-secure

Is the “handbook RSA” secure?

Not secure!In fact:

No deterministic encryption scheme is secure.

How can the adversary win the game?1. he just chooses any m0,m1 , 2. computes c0=Enc(pk,m0) himself3. compares the result.

Moral: encryption has to be randomized.

the “handbook RSA”N = pq - RSA moduluse is such that gcd(e,d) = 1, d is such that ed = 1 (mod φ(N))

Enc(N,e)(m) = me mod N, and Dec(d,N)(c) = cd mod N.

Plan




core bits


Encoding

Therefore, before encrypting a message we usually encode it (adding some randomness).

This has the following advantages:• makes the encryption non-deterministic• breaks the “algebraic properties” of

encryption.

How is it done in real-life?PKCS #1: RSA Encryption Standard Version 1.5:

public-key: (N,e)let k := length on N in bytes.let D := length of the plaintextrequirement: D ≤ k - 11.

Enc((N,e), m) := xe mod N, where x is equal to:

00000000 00000001 r 00000000 m

(k - D - 3) random non-zero bytes

D bytes

k bytes

How to encrypt?

00000000 00000001 r 00000000 m

m

RSA

Encoding(x) :=

RSA(Encoding(x))

How to decrypt?

00000000 00000001 r 00000000 m

RSA-1(y)

ciphertext y

check if the format agrees....

outputm

Example

If the adversary can calculate the Jacobi symbol of

most probably it doesn’t help him in learning any information about m...

00000000 00000001 r 00000000 m

Security of the PKCS #1: RSA Encryption Standard Version 1.5.

It is believed to be CPA-secure.

It has however some weaknesses (it is not “chosen-ciphertext secure”).

Optimal Asymmetric Encryption Padding (OAEP) is a more secure encoding.

(we will discuss it later)

The situation

Can we construct a public-key encryption scheme whose security

can be provably based on the RSA assumption?

Answer:yes!

the PKCS #1 encryption scheme is secure

RSA assumption holds

???

Plan




core bits


Notation

For an integer x we will writeLSB(x)

to denote the least significant bit of x.

x:LSB(x)

In other words: LSB(x) = x mod 2

Fact (informally)

LSB is the “hardest bit to compute” in RSA.

(it is called a “hard-core bit”).

More precisely:If you can compute LSB then you can invert RSA.

Note:In some sense it is a “dual” predicate to Jacobi symbol...

Recall: oracle


primes such that |p| = |q| = k• x – a random element of ZN* ,• e – a random element of Zφ(N)*

adversary

(x,e,N)

outputsy

We say that the adversary wins if y = RSA-1(e,N) (x) mod N

RSA assumptionNo poly-time adversary wins this game with a non-negligible

probability.


Game 2oracle


primes such that |p| = |q| = k• x – a random element of ZN* ,• e – is random element of Zφ(N)*• d – such that ed = 1 mod φ(N)

adversary

(x,e,N)

outputsb

We say that the adversary wins if b is the least significant bit of y = RSA-1

(e,N) (x) mod N


Theorem

In other words:The least significant bit is a hard-core bit for RSA.

W. Alexi, B. Chor, O. Goldreich, and C.P. SchnorrOn the hardness of the least-signficant bits of the RSA and Rabin functions, 1984

Suppose the RSA assumption holds.Then every poly-time adversary wins Game 2 with a probability at most

0.5 + ε(k),where ε is negligible.

http://www.wisdom.weizmann.ac.il/~oded/p_acgs.html



Proof strategy

Suppose we are given a poly-time adversary

that wins Game 2.

We construct a poly-time adversary

that breaks the RSA assumption.

For simplicity suppose that this happens with

probability 1

(not: 0.5 + something)

Outline of the construction

(x,e,N)

(x1,e,N)

b1

(xt,e,N)

bt

. . .

y=xd

Observation

Adversary can be used to compute

LSB of xd mod N.

It can also be used to compute (for any c)LSB of c · xd mod N.

How?

(ce · x, e, N)

outputsb’ = LSB((ce· x)d) = LSB (ced · xd )

= LSB (c · xd )

The method

The adversary will use to

compute:• LSB(2x)• LSB(4x)• LSB(8x)

Why is it usefull?

. . .

Observation

1 . . . N-1

2 . . . 2N-2

1 . . . N-1 1 . . . N-1

x

2x

2x mod N

= 2x = 2x - N

x≤(N-1)/2 x>(N-1)/2

Remember:N=pq is odd

even

Moral: x [1,...,(N-1)/2] iff 2x mod N is even

odd

1 . . . N-1

4 . . . 4N-4

x

4x

4xmod N

= 4x = 4x - 3N

(N-1)/4

even

Moral: x [1,...,(N-1)/4] [(N/2)+1,...,3(N-1)/4] iff 4x mod N is even

(N-1)/23(N-1)/4

1 . . . N-1 1 . . . N-1 1 . . . N-1 1 . . . N-1

= 4x - N = 4x – 2N

odd

even

odd

. . .

. . .

x

8x

8xmod N

= 8x

(N-1)/8

Moral: x [1,...,(N-1)/8] [(2N/8)+1,...,3(N-1)/8] [4(N/8)+1,...,5(N-1)/8] [6(N/8)+1,...,7(N-1)/8] iff 8x mod N is even

7(N-1)/8

= 8x-3N = 8x-4N

. . .

= 8x-N = 8x-2N = 8x-5N = 8x-6N = 8x-7N

even

odd

even

odd

even

odd

even

odd

So we can use bisection1 N-1

. . .

calculateLSB((2·x)d)




0 10 1

0 1

How to encrypt a one-bit message b?

(N,e) – public key(N,d) – private key

Enc1(N,e)(b) = (LSB(x) b, xe mod N),

where x ZN* is random.

Dec1(N,d)(b’,y) = LSB(yd mod N) b’

How to encrypt long messages?

Let m=(m1,..., mt)

Use the one-bit scheme bit-by-bit

Enc(N,e)(m1,..., mt) = (Enc1(N,e)(m1),..., (Enc1

(N,e)(mt))

Dec(N,d)(c1,..., ct) = (Dec1(N,d)(c1),..., (Dec1

(N,d)(ct))

(we omit the security proof)

Conclusion

Advantage:Security of this scheme is implied by the RSA

assumption.

Disadvantage:The ciphertext is much longer than the plaintext.

It is a rather theoretical construction!

the public-key encryption scheme that we just constructed is secure


Plan




core bits


The situation

public-key encryption exists


factoring RSA moduli is hard

???

question:

can we construct PKE based on the

“factoring assumption”

Yes:Rabin encryption

Rabin encrypion

• introduced by Michael O. Rabin in 1979

• based on squaring in ZN*• security equivalent to factoring

Michael O. Rabin (1931 – )

One of the founding fathers of computer science.• introduced non-determinism• decidability of the monadic second

order logic• efficient primality testing• oblivious transfer,• ....

received Turing Award in 1976

Remember squaring modulo N=pq?ZN* ZN*

RabinN(x) = x2 mod N

This function “glues” 4 elements together

Example

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14

0 1 4 3 1 5 6 4 4 9 10 1 12 4 1

Z15*:

a

a2

A nice thing about Rabin’s function

Finding a square root modulo N is as hard as factoring.

Can we base an encryption scheme on this?YES!

How to do it?

First step: “make the inversion unique”.

factoring RSA moduli is hard

RabinN(x) = x2 mod Nis a one-way function

How to do it?An ad-hoc method:

add an encoding (like in the RSA encryption).In such a way that only 1 out of the 4 square roots “make sense”.

ZN* ZN*

f(x) = x2 mod NIn other words:

make the set of legal ciphertexts “sparse”

Another approach

FactSuppose N=pq where

p = q = 3 (mod 4)Then the function

RabinN(x) = x2 mod N

is a permutationRabinN : QRN QRN

Such an N is called a “Blum integer”

How does it look like?

ZN* ZN*

RabinN (x) = x2 mod NQRN

QRN

Rabin restricted to QRN is a permutation

ZN* ZN*RabinN(x) = x2 mod N

QRNQRN

Rabin restricted to QRN is a permutation - proof

Suppose we have x,y QRN such that

x2 = y2 mod N

x2 = y2 mod p

g4i = g4j mod p

g4(i-j) mod p

p-1 | 4(i-j)

4k+2 | 4(i-j)

2k+1 | 2(i-j)

2k+1 | i-j

i = j

x = y (mod p)

p = 4k + 3q = 4k’ + 3N=pq

= (4k+2)/2 = 2k+1

Let i,j N be such that g2i = x mod p and g2j = y mod qwhere g is a generator of Zp* and (p-1)/2 ≥ i > j ≥ 0.

By a symmetric argument:

x = y (mod q)

x = y mod N

CRTQED

How to encrypt a one-bit message b?

N – public key(N,p,q) – private key

Enc1N(b) = (LSB(x) b, RabinN(x)),

where x QRN is random.

Dec1(N,p,q)(b’,y) = LSB(RabinN

-1(y)) b’

a Blum integer

FactThe least significant bit is also a hard-core bit for the Rabin permutation.

this can be computed if one knows p and q

RabinN (x) = x2 mod NRabinN : QRN QRN

Plan




core bits


Hard-core predicates

A concept of a hard-core bit

can be generalized to a hard core predicate.

Definition (informal)

π : {0,1}n {0,1} is a hard core predicate for a trap-door permutation f: {0,1}n {0,1}n if it is impossible to guess π(f-

1(y)) from y(significantly better than with prob. 0.5)

Example

π : {0,1}n {0,1} defined asπ(x1,...,xn) = xn

is a hard-core predicate for RSA and Rabin.

π : {0,1}n {0,1} defined asπ(x) = JN(x)

for sure is not a hard core predicate for RSA.

A fact

Does every trap-door permutation have a hard-core predicate?

Almost:

Suppose that f is a trap-door permutation.

It can be used to build a trap-door permutation g that has a hard-core predicate.

How to encrypt with such an g?

public key: description of gprivate key: trapdoor t for g

Enc1g(b) = (π(x) b, g(x)),

where x ZN* is random.

Dec1t(b’,y) = π(g-1(y)) b’

Is the public-key encryption in Minicrypt?

As far as we know: no!

public-key encryption exists

trap-door permutations exist

one way functionsexistminicrypt

???

cryptomania

©2011 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

Lecture 8 Public-Key Encryption I Stefan Dziembowski MIM UW 23.11.12ver 1.0.

Documents

Transcript of Lecture 8 Public-Key Encryption I Stefan Dziembowski MIM UW 23.11.12ver 1.0.