Trapdoor Permutations and Encryption - Cryptography. Lecture Notes from CS276, Spring Luca Trev

A family of trapdoor permutationsis a triple of algorithms (G, E, D) such that:

1. G() is a randomized algorithm that takes no input and generates a pair (pk, sk), where pk is apublic keyand sk is asecret key;

2. E is a deterministic algorithm such that, for every fixed public key pk, the mapping x→E(pk, x) is a bijection;

3. D is a deterministic algorithm such that for every possible pair of keys (pk, sk) generated by G() and for everyx we have

D(sk, E(pk, x)) =x

That is, syntactically, a family of trapdoor permutations is like an encryption scheme except that the “encryption” algorithm is deterministic. A family of trapdoor permutations is secure if inverting E() for a random x is hard for an adversary that knows the public key but not the secret key. Formally,

Definition 61 A family of trapdoor permutations(G, E, D) is(t, )-secure if for every algorithm A of complexity _≤t

(pk,sk)←G(),x

[A(pk,(E(pk, x))) =x]≤

It is believed that RSA defines a family of trapdoor permutations with security parameterst and 1/that grow exponentially with the number of digits of the key. Right now the fastest factoring algorithm is believed to run in time roughly 2O(k1/3₎

, where k is the number of digits, and so RSA with k-bit key can also be broken in that much time. In 2005, an RSA key of 663 bits was factored, with a computation that used about 262 _elementary

14.3. TRAPDOOR PERMUTATIONS AND ENCRYPTION 97

operations. RSA with keys of 2048 bits may plausibly be (260_,₂−30_{)-secure as a family of}

trapdoor permutations.

In order to turn a family of trapdoor permutations into a public-key encryption scheme, we use the notion of a trapdoor predicate.

Definition 62 Let(G, E, D)be a family of trapdoor permutations, whereE takes plaintexts of length m. A boolean function P : {0,1}m _{→ {}₀_,₁_} _{is a} ₍_t,_{)-secure trapdoor predicate}

for (G, E, D) if for every algorithm A of complexity _≤t we have

(pk,sk)←G(), x

[A(pk, E(pk, x)) =P(x)]≤ 1₂ +

Remark 63 The standard definition is a bit different. This simplified definition will suffice for the purpose of this section, which is to show how to turn RSA into a public-key encryption scheme.

Essentially, P is a trapdoor predicate if it is a hard-core predicate for the bijection x → E(pk, x). If (G, E, D) is a secure family of trapdoor permutations, then x _→ E(pk, x) is one-way, and so we can use Goldreich-Levin to show thathx, ri is a trapdoor predicate for the permutation E0(pk,(x, r)) =E(pk, x), r.

Suppose now that we have a family of trapdoor permutations (G, E, D) and a trapdoor predicate P. We define the following encryption scheme (G0, E0, D0) which works with one-bitmessages:

• G0_{(): same as} _G₍₎

• E0(pk, b): pick random x, output E(pk, x), P(x)⊕b • D0(pk,(C, c)) :=P(D(pk, C))⊕c

Theorem 64 Suppose thatP is(t, )-secure trapdoor predicate for(G, E, D), then(G0, E0, D0) as defined above is (t₋O(1),2)-CPA secure public-key encryption scheme.

Proof: In Theorem 2 of Lecture 13 we proved that if f is a permutation and P is a (t, )

hard-core predicate for f, then for every algorithmAof complexity _≤t₋O(1) we have |P[A(f(x), P(x)) = 1]−P[A(f(x)), r) = 1]| ≤ (14.1) wherer is a random bit. Since

P[A(f(x)), r) = 1] = 1 2P[A(f(x), P(x)) = 1] + 1 2P[A(f(x),1⊕P(x)) = 1] we can rewrite (14.1) as |P[A(f(x), P(x)) = 1]−P[A(f(x)), P(x)⊕1) = 1]| ≤2

And takingf to be our trapdoor permutation,

|P[A(E(pk, x), P(x)⊕0) = 1]−P[A(E(pk, x), P(x)⊕1) = 1]| ≤2 that is,

|P[A(E0(pk,0)) = 1]−P[A(E0(pk,1)) = 1]| ≤2 showing that E0 is (t₋O(1),2) CPA secure.

The encryption scheme described above is only able to encrypt a one-bit message. Longer messages can be encrypted by encrypting each bit separately. Doing so, however, has the undesirable property that an ` bit message becomes an `·m bit ciphertext, if m is the input length of P and E(pk,·). A “cascading construction” similar to the one we saw for pseudorandom generators yields a secure encryption scheme in which an `-bit message is encrypted as a cyphertext of length only`+m.

Lecture 15

Signature Schemes

Summary

Today we begin to talk aboutsignature schemes.

We describe various ways in which “textbook RSA” signatures are insecure, develop the notion ofexistential unforgeability under chosen message attack, analogous to the notion of security we gave for authentication, and discuss the difference between authentication in the private-key setting and signatures in the public-key setting.

As a first construction, we see Lamport’s one-time signaturesbased on one-way functions, and we develop a rather absurdly inefficient stateful scheme based on one-time signatures. The scheme will be interesting for its idea of “refreshing keys” which can be used to design a stateless, and reasonably efficient, scheme.

15.1 Signature Schemes

Signatures are the public-key equivalents of MACs. The set-up is that Alice wants to send a messageM to Bob, and convince Bob of the authenticity of the message. Alice generates a public-key/ secret-key pair (pk, sk), and makes the public key known to everybody (in- cluding Bob). She then uses an algorithmSign() to compute asignatureσ:=Sign(sk, M) of the message; she sends the message along with the signature to Bob. Upon receiving M, σ, Bob runs a verification algorithmV erif y(pk, M, σ), which checks the validity of the signature. The security property that we have in mind, and that we shall formalize below, is that while a valid signature can be efficiently generated given the secret key (via the algorithm Sign()), a valid signature cannot be efficiently generated without knowing the secret key. Hence, when Bob receives a message M along with a signature σ such that V erif y(pk, M, σ) outputs “valid,” then Bob can be confident that M is a message that came from Alice. (Or, at least, from a party that knows Alice’s secret key.)

There are two major differences between signatures in a public key setting and MAC in a private key setting:

1. Signatures are transferrable: Bob can forward (M, σ) to another party and the other party can be confident that Alice actually sent the message, assuming a public key infrastructure is in place (or, specifically that the other party has Alice’s public key).

2. Signature are non-repudiable: Related to the first difference, once Alice signs the

message and sends it out, she can no longer deny that it was actually her who sent the message.

Syntactically, a signature scheme is a collection of three algorithms (Gen, Sign, V erif y) such that

• Gen() takes no input and generates a pair (pk, sk) wherepk is a public key andsk is a secret key;

• Given a secret keysk and a message M,Sign(sk, M) outputs a signature σ;

• Given a public key pk, a message M, and an alleged signature σ, V erif y(sk, M, σ) outputs either “valid” or “invalid”, with the property that for every public key/ secret key pair (pk, sk), and every messageM,

V erif y(pk, M, Sign(sk, M)) = “valid”

The notion of a signature scheme was described by Diffie and Hellman without a proposed implementation. The RSA paper suggested the following scheme:

• Key Generation: As in RSA, generate primesp, q, generatee, d such thated_≡1 mod (p₋1)_·(q₋1), define N :=p_·q, and let pk:= (N, e) andsk:= (N, d).

• Sign: for a messageM ∈ {0, . . . , N−1}, the signature of M isMd_mod_N

• Verify: for a messageM and an alleged signatureσ, we check thatσe_≡_M _(mod_N_).

Unfortunately this proposal has several security flaws.

• Generating random messages with valid signatures: In this attack, you pick a random string σ and compute M := σe _mod_N _{and now} _σ _{is a valid signature for} _M_{. This}

can be an effective attack if there are a large number of messages that are useful to forge.

• Combining signed messages to create the signature of their products: Suppose you have M1 and M2 with valid signatures σ1 and σ2 respectively. Note that σ1 :=

1 modN and σ2 :=M2emodN. We can now generate a valid signature for M :=

M1·M2modN:

In document Cryptography. Lecture Notes from CS276, Spring Luca Trevisan Stanford University (Page 103-108)