COMP443-9publickey-screen.pdf

N/A
N/A
Protected

Academic year: 2020

Share "COMP443-9publickey-screen.pdf"

Copied!
43
0
0

Loading.... (view fulltext now)

Full text

(1)

Modern Cryptography

COMP 443 / 543

Chapter 9 & 10 & 12

Alptekin Küpçü

Computer Science and Engineering, Koç University

(2)

Main Topics

Key-Distribution Problem
Public-Key Revolution
Diffie-Hellman Key Exchange
Public-Key Encryption
  RSA
  El Gamal
  Trapdoor Permutations (TDP)
Digital Signatures
  RSA
  Hash-and-sign paradigm
Public Key Infrastructure

(3)

Key-Distribution Problem

How to share a key between two people?

What if they are geographically far away?

Sharing a key between each pair of n people?

Key-distribution centers

Internet ??

Figure: Figure from book by Katz and Lindell


(7)

Key-Exchange Protocol

Key-Exchange Protocol:

k ← Alice(1^n) ↔ Bob(1^n) → k

Key-Exchange Game against an eavesdropper:

Challenger runs Gen(1^n) → k' to pick a random key from the same domain of keys that are produced by the key-exchange protocol. Challenger also simulates the key-exchange protocol.

Challenger flips a coin and sends the adversary k if it comes heads, k' if it comes tails.

Adversary is also given the transcript of the protocol, and tries to guess if the coin was heads or tails (i.e., if the key was a result of that transcript or not).

Adversary wins if his guess is correct. Key-Exchange Protocol is secure if

∀ PPT A ∃ neg(n): Pr[A wins] = 1/2 + neg(n)

(8)

Diffie-Hellman Key-Exchange

Figure: Figure from book by Katz and Lindell

(9)

Decisional Diffie-Hellman Assumption (DDH)

Decisional Diffie-Hellman Assumption (DDH): ∀ PPT D ∃ neg(n)

Pr[D(1^n, group, g^x, g^y, g^{xy}) → 1] = Pr[D(1^n, group, g^x, g^y, g^z) → 1] ± neg(n)

where the group information contains all the necessary information for the distinguisher to be able to perform the group operation, including the order q of the group and the generator g; and x, y, z are chosen randomly from {0, ..., q−1}.

Proof of the Diffie-Hellman Key-Exchange Protocol follows immediately from the DDH assumption.

DH Key-Exchange is insecure against man-in-the-middle attacks.
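The two-message exchange of slide 8 and the eavesdropper's view from the key-exchange game of slide 7, written out as an added Python example (this is not code from the slides or from the Katz-Lindell book). The group parameters p = 1019, q = 509, g = 4 are constructed toy values chosen only so that the arithmetic is visible; the prime-order subgroup of quadratic residues mod a safe prime is the kind of group the DDH assumption is stated over. The subgroup check on the received value is an added defensive step the slide does not spell out.

```python
import secrets

# Constructed toy parameters (NOT secure sizes): p = 2q + 1 is a safe prime,
# so the quadratic residues mod p form a cyclic subgroup of prime order q,
# generated by g = 4 = 2^2. These are assumptions of this example.
P, Q, G = 1019, 509, 4


def in_subgroup(h, p=P, q=Q):
    """True iff h is a non-identity element of the order-q subgroup."""
    return 1 < h < p and pow(h, q, p) == 1


def dh_party(secret=None, p=P, q=Q, g=G):
    """One side of the exchange: pick x in {1..q-1} and publish g^x mod p."""
    x = secret if secret is not None else 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def dh_shared(secret, peer_public, p=P, q=Q):
    """Derive the shared key; refuse peer values outside the subgroup."""
    if not in_subgroup(peer_public, p, q):
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(peer_public, secret, p)


def run_exchange(x=None, y=None):
    """Simulate the protocol and return (transcript, k_alice, k_bob).

    The transcript is exactly what an eavesdropper in the game of slide 7
    observes: the public group description plus g^x and g^y. Note that
    nothing in it binds either message to Alice or Bob, which is why the
    exchange offers no protection against an active man-in-the-middle.
    """
    x, A = dh_party(x)            # Alice -> Bob:   A = g^x
    y, B = dh_party(y)            # Bob   -> Alice: B = g^y
    k_alice = dh_shared(x, B)     # Alice: B^x = g^(xy)
    k_bob = dh_shared(y, A)       # Bob:   A^y = g^(xy)
    transcript = (P, Q, G, A, B)
    return transcript, k_alice, k_bob


if __name__ == "__main__":
    t, ka, kb = run_exchange()
    print("transcript:", t)
    print("keys agree:", ka == kb, "key:", ka)
```

Under DDH, the eavesdropper holding only the transcript cannot tell g^{xy} from a random subgroup element g^z, which is precisely the coin-flip game above; the subgroup check keeps a malformed public value from pushing the shared key into a small subgroup, a standard implementation precaution rather than part of the slide's definition.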


(11)

Public-Key Encryption

Public-Key Encryption Scheme (3 PPT algorithms):

Gen(1^n) → (sk, pk)

Enc_pk(m) → c, ∀ m ∈ M

Dec_sk(c) → m'

Correctness: ∀ m ∈ M ∃ neg(n)

Pr[Gen(1^n) → (sk, pk); Enc_pk(m) → c; Dec_sk(c) → m' : m = m'] = 1 − neg(n)

(12)

Chosen-Plaintext Attack

PubK^cpa_A(n) game:

1. Challenger generates key pair sk, pk upon input 1^n
2. Adversary, given 1^n and pk, generates and sends m_0 and m_1 of equal length
3. Challenger flips bit b ← {0,1}
4. Challenger encrypts c ← Enc_pk(m_b), sends c to Adversary
5. Adversary finally guesses bit b'

Adversary wins if b = b'

∀ PPT A ∃ neg(n): Pr[A wins PubK^cpa_A(n)] = 1/2 + neg(n)

Note: Implicitly, the adversary is already given an Enc_pk(.) oracle. Indeed, the adversary is given more than just the oracle.

(13)

Multi-Message Security

If secure for a single message, then secure for multiple messages (for CPA case only!)

Hybrid argument proof (pages 341-346).

If secure for fixed-length messages, then secure for arbitrary-length messages (for CPA case only!)

If a variable-length MAC is used on top, then CCA security can be achieved.

(14)

Hybrid Encryption

Encrypt message with symmetric encryption
Encrypt symmetric key using public key
Send both ciphertexts together.

Figure: Figure from book by Katz and Lindell

Secure if the symmetric encryption used is secure against an eavesdropper and the public-key encryption used is CPA-secure.

Figure: Figure from book by Katz and Lindell

Proof on page 350-355


(16)

RSA

RSA Assumption: ∀ PPT A ∃ neg(n)

Pr[x ← Z_N^* : A(1^n, N, e, x^e) → x] = neg(n)

When picking a random x, it is enough to pick it from {0, ..., N−1}. If one finds x ∈ Z_N − Z_N^*, then using gcd(m, N) ≠ 1 one can factor N. Thus, if N is hard to factor, finding such an x is hard.

Textbook RSA Encryption:

Gen(1^n) picks an RSA modulus N = pq, and two values e, d such that ed ≡ 1 mod (p−1)(q−1), and outputs sk = d, pk = (N, e)

Enc_pk(m) sets c = m^e mod N

Dec_sk(c) sets m' = c^d mod N (N in sk?)


(18)

Attacks on textbook RSA

Details on pages 359-362.

1. If e = 3 and m < N^{1/3}, then just take the cube root over the integers (i.e., m = ∛c).
2. If e = 3 and the same message m is encrypted under N_1, N_2, N_3, then using the Chinese Remainder Theorem, since m^3 < N_1 * N_2 * N_3, same as above.
3. General attack with runtime √|M|, successful when |M| is small.
4. Given e, d one can factor N. If multiple people use the same N with different e_i, d_i, then any one of them can decrypt each other's messages.
5. Even if those people trust each other, using multiple keys under the same modulus to encrypt the same message lets the adversary decrypt.

"Solutions":

RSA-PKCS: Not proven but believed to be CPA-secure.

RSA-OAEP: Provably CCA-secure in the Random-Oracle Model.
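Textbook RSA from slide 16 together with attacks 1 and 4 from the list above, as an added Python example (not code from the slides or the textbook). It exists to make two key-hygiene facts concrete: an unpadded small message under e = 3 is recoverable from the ciphertext alone, which is why padding (OAEP) is mandatory, and knowledge of one (e, d) pair for a modulus reveals its factorisation, which is why a modulus must never be shared between users. The primes 1019 and 1031 are constructed toy values; the key pair keeps N in the secret key, answering the slide's "N in sk?" remark.

```python
import math
import secrets


def rsa_gen(p, q, e=3):
    """Gen(1^n) for textbook RSA from two given primes (toy sizes, constructed)."""
    N, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod (p-1)(q-1)")
    d = pow(e, -1, phi)           # ed = 1 mod (p-1)(q-1)
    return (N, e), (N, d)         # pk = (N, e); sk = (N, d): Dec needs N too


def rsa_enc(pk, m):
    N, e = pk
    return pow(m, e, N)           # c = m^e mod N


def rsa_dec(sk, c):
    N, d = sk
    return pow(c, d, N)           # m' = c^d mod N


def icbrt(n):
    """Exact integer cube root of n, or None if n is not a perfect cube."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == n else None


def small_message_leak(pk, c):
    """Attack 1: with e = 3 and m^3 < N no reduction happens, so c = m^3
    over the integers and m is the plain cube root. Returns None when the
    ciphertext is not a perfect cube (i.e. the message was large enough)."""
    N, e = pk
    if e != 3:
        return None
    return icbrt(c)


def factor_from_ed(N, e, d, trials=100):
    """Attack 4: ed - 1 is a multiple of phi(N), so g^(ed-1) = 1 for every g
    coprime to N. Stripping factors of two from that exponent and squaring
    step by step finds a non-trivial square root of 1 mod N with probability
    at least 1/2 per random g, and gcd(root - 1, N) is then a factor."""
    k = e * d - 1
    t, r = 0, k
    while r % 2 == 0:
        t, r = t + 1, r // 2
    for _ in range(trials):
        g = 2 + secrets.randbelow(N - 3)
        common = math.gcd(g, N)
        if common != 1:                      # lucky: g shares a factor with N
            return common, N // common
        x = pow(g, r, N)
        if x in (1, N - 1):
            continue
        for _ in range(t):
            y = pow(x, 2, N)
            if y == 1:                       # x is a square root of 1, x != +-1
                p = math.gcd(x - 1, N)
                return p, N // p
            if y == N - 1:
                break
            x = y
    return None


if __name__ == "__main__":
    pk, sk = rsa_gen(1019, 1031)
    c = rsa_enc(pk, 42)
    print("ciphertext:", c, "decrypts to:", rsa_dec(sk, c))
    print("recovered without the key:", small_message_leak(pk, c))
    print("factors from (e, d):", factor_from_ed(pk[0], pk[1], sk[1]))
```

With real key sizes the cube-root step is just as immediate for any short unpadded message, which is why RSA-OAEP (or at minimum PKCS padding) is always applied before exponentiation; the factoring routine is the reason a certificate authority or key-management system must reject a second key pair that reuses an existing modulus.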


(24)

A Very Useful Theorem

Theorem

Let G be a finite group and m ∈ G. Pick a random g ← G; then for any g' ∈ G,

Pr[m * g = g'] = 1/|G|

Proof.

Pr[m * g = g'] = Pr[g = m^{-1} * g'] = 1/|G|

Note that m^{-1} * g' is fixed in this probability, because the probability is over the random choice of g.

Since g is a random element, the probability that it is equal to a fixed element is exactly 1/(number of elements), which is 1/|G|.

(25)

El Gamal Encryption

El Gamal Encryption

Gen(1^n) → (sk, pk) picks an order-q cyclic group together with a generator g. Then picks a random exponent x ← Z_q, sets h = g^x and outputs sk = x, pk = (group, h)

Enc_pk(m) → c picks a random exponent y ← Z_q, computes c_1 = g^y and c_2 = h^y * m, and outputs c = (c_1, c_2)

Dec_sk(c) → m' sets m' = c_2 / c_1^x

El Gamal encryption is CPA secure if the DDH assumption holds.

Note: The El Gamal group can be shared, with different x values in the secret keys.
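El Gamal encryption as defined on this slide, and its use as the public-key half of the hybrid construction of slide 14, as an added Python example (not code from the slides or the textbook). The group is the same constructed toy group of order q = 509 inside Z_1019^* with generator 4; messages must be elements of that subgroup, which the encryption function checks. The symmetric half of the hybrid mode, SHA-256 in counter mode used as a stream cipher, is an assumption of this example standing in for "an encryption scheme secure against an eavesdropper"; the public-key part transports only a random group element, from which the symmetric key is derived.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT secure sizes): p = 2q + 1 is a safe prime;
# g = 4 generates the order-q subgroup of quadratic residues mod p, which is
# where El Gamal messages and keys live in this example.
P, Q, G = 1019, 509, 4


def elgamal_gen(x=None):
    """Gen(1^n): secret exponent x <- Z_q, public h = g^x. Returns (sk, pk)."""
    x = x if x is not None else 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def elgamal_enc(h, m, y=None):
    """Enc_pk(m): m must be a subgroup element; c = (g^y, h^y * m)."""
    if pow(m, Q, P) != 1:
        raise ValueError("message is not an element of the order-q subgroup")
    y = y if y is not None else 1 + secrets.randbelow(Q - 1)
    return pow(G, y, P), (pow(h, y, P) * m) % P


def elgamal_dec(x, c):
    """Dec_sk(c): m' = c_2 / c_1^x; pow with exponent -x yields the inverse."""
    c1, c2 = c
    return (c2 * pow(c1, -x, P)) % P


# Hybrid mode (slide 14): encapsulate a random group element under El Gamal,
# derive a symmetric key from it, and encrypt the payload under that key.
def _keystream(seed_elem, length):
    """Toy eavesdropper-secure symmetric part: SHA-256 in counter mode as a PRG."""
    nbytes = (P.bit_length() + 7) // 8
    key = hashlib.sha256(seed_elem.to_bytes(nbytes, "big")).digest()
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def hybrid_enc(h, plaintext, y=None, k=None):
    """Returns (El Gamal ciphertext of k, symmetric ciphertext of plaintext)."""
    if k is None:
        k = pow(G, 1 + secrets.randbelow(Q - 1), P)   # fresh random subgroup element
    c_pk = elgamal_enc(h, k, y)
    ks = _keystream(k, len(plaintext))
    return c_pk, bytes(a ^ b for a, b in zip(plaintext, ks))


def hybrid_dec(x, c):
    c_pk, c_sym = c
    k = elgamal_dec(x, c_pk)
    ks = _keystream(k, len(c_sym))
    return bytes(a ^ b for a, b in zip(c_sym, ks))


if __name__ == "__main__":
    x, h = elgamal_gen()
    print("El Gamal round trip:", elgamal_dec(x, elgamal_enc(h, 16)))
    print("hybrid round trip:", hybrid_dec(x, hybrid_enc(h, b"attack at dawn")))
```

Because the public-key operation only ever encrypts a uniformly random group element, the hybrid ciphertext inherits CPA security from El Gamal (hence from DDH) plus eavesdropper security of the symmetric part, exactly the two conditions the slide states; the subgroup membership check is what keeps a ciphertext component from leaking information through a small-order element.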

(26)

El Gamal Proof

If a PPT A breaks El Gamal, then we construct a PPT D that distinguishes DDH:

1. D is given (1^n, group, g^x, g^y, h') where h' = g^{xy} or h' = g^z for random z.
2. D sends A (1^n, group, h = g^x) as the public key
3. A outputs two messages m_0, m_1
4. D picks a bit b ← {0,1}, sets c_1 = g^y and computes c_2 = h' * m_b. D sends c = (c_1, c_2) to A
5. A outputs b'. D outputs "xy" if b = b', "z" otherwise.

Full proof on pages 366-367.

(27)

Chosen-Ciphertext Attack

PubK^cca_{A,Π}(n) game:

1. Challenger generates sk, pk pair upon input 1^n
2. Adversary, given 1^n and pk and oracle Dec_sk(.), generates and sends m_0 and m_1 of equal length
3. Challenger flips bit b ← {0,1}
4. Challenger encrypts c ← Enc_pk(m_b), sends c to Adversary
5. Adversary continues using its oracle, but is not allowed to query Dec_sk(c), and finally guesses bit b'

Adversary wins if b = b'

Pr[Adversary A wins PubK^cca_A(n)] = 1/2 + neg(n)


(29)

Family of TDP

A Family of Trapdoor Permutations requires the following PPT algorithms:

Gen(1^n) picks a trapdoor permutation together with its domain and range, f : D_{f_n} → R_{f_n}, as well as its trapdoor td

Sample(D_{f_n}) outputs a uniformly-distributed element in the domain D_{f_n}

f as before computes y ∈ R_{f_n} given x ∈ D_{f_n}. The resulting f must be a one-way permutation together with its associated Gen and Sample, without the trapdoor information td

f^{-1}_{td} is the inversion function that computes x ∈ D_{f_n} given y ∈ R_{f_n} such that f(x) = y, in polynomial time when the trapdoor td is given

(30)

PKE from any TDP

Encrypting a single bit (M = {0,1}):

Gen(1^n) → (sk, pk) picks a TDP. pk is f, sk is td

Enc_pk(m) → c samples a random x, computes c_1 = f(x) and c_2 = hc(x) ⊕ m, and outputs c = (c_1, c_2)

Dec_sk(c) → m' computes f^{-1}_{td}(c_1) to obtain x, then sets m' = hc(x) ⊕ c_2

Proof on pages 376-377.

(31)

Digital Signatures

Similar to message authentication codes, in the public-key setting.

3 PPT algorithms:

Gen(1^n) → (sk, vk) outputs a secret signing key and a public verification key

Sign_sk(m) → σ signs a given message using the signing key

VerifySign_vk(m, σ) → accept/reject verifies the signature on a message using the public verification key

Digital Signatures have three properties MACs don't have:

Public Verifiability
Transferability
Non-repudiation

and thus can be used legally.


(33)

Digital Signature Security

CPA-like game, just as for MAC schemes.

Secure Digital Signature = Existentially unforgeable under adaptive chosen-message attack.

Sig-forge_{A,Π}(n) game:

1. Challenger generates keys sk, vk upon input 1^n
2. Adversary, given 1^n, oracle access to Sign_sk(.) and vk, generates and sends m, σ

Adversary wins if VerifySign_vk(m, σ) → accept and m was not asked as a query to the oracle.

Note that the adversary is also given a verification oracle through the verification key, unlike the definition for MAC schemes. Yet, for secure MAC schemes, the adversary may assume that the verification oracle would return reject, and thus can simulate the oracle himself, with only negligible error.


(35)

RSA Signatures

Textbook RSA Signatures:

Gen(1^n) picks an RSA modulus N = pq, and two values e, d such that ed ≡ 1 mod (p−1)(q−1), and outputs sk = d, vk = (N, e)

Sign_sk(m) sets σ = m^d mod N

VerifySign_vk(m, σ) outputs accept iff m ≡ σ^e mod N

No-query attack: Pick random σ ← Z_N^*, output m = σ^e mod N and σ as forgery. Forged a signature on some random message.

2-query attack: Want to forge a signature on message m. Pick a random message m_1 and set m_2 = m / m_1 mod N. Obtain two signatures σ_1, σ_2. Output m and σ = σ_1 * σ_2 as forgery.


(37)

Hash-and-Sign Paradigm

Given a signature scheme Gen', Sign', VerifySign' that is existentially unforgeable under adaptive chosen-message attack, and a hash function GenH that is collision-resistant, construct:

Gen(1^n) → (sk, vk) runs Gen'(1^n) → sk', vk' and GenH(1^n) → hash, sets sk = sk' and vk = (vk', hash)

Sign_sk(m) outputs Sign'_{sk'}(hash(m)) → σ

VerifySign_vk(m, σ) outputs the same as VerifySign'_{vk'}(hash(m), σ)

Proof on page 430.

Similar to the hash-and-mac idea used in HMAC and NMAC (skipped in class, Section 4.7 of your textbook).

(38)

One-Time Signatures

Same game, with the number of signing oracle queries restricted to one.

Sig-forge^{1-time}_A(n) game:

1. Challenger generates keys sk, vk upon input 1^n
2. Adversary, given 1^n and vk, asks one query m'
3. Challenger runs Sign_sk(m') → σ' and sends σ' to the adversary
4. Adversary generates and sends m, σ

Adversary wins if VerifySign_vk(m, σ) → accept and m ≠ m'.

(39)

Lamport’s One-Time Signature Scheme

Figure: Figure from book by Katz and Lindell

y_{i,j} = f(x_{i,j}) where f is a one-way function

Simple proof idea, on page 434.
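Lamport's one-time scheme from this slide, composed with the hash-and-sign paradigm of slide 37 and enforcing the single-query restriction of the game on slide 38, as an added Python example (not code from the slides or the textbook). SHA-256 stands in for the one-way function f and for the collision-resistant hash; both are assumptions of this example. The signer keeps a "used" flag so that a second signature under the same key is refused, since two signatures on different digests reveal both preimages for every bit position where the digests differ, which is exactly what the one-time restriction protects.

```python
import hashlib
import secrets

N_BITS = 256   # hash-and-sign: we sign the 256-bit SHA-256 digest of the message


def f(x: bytes) -> bytes:
    """The one-way function f of the slide; SHA-256 is assumed here."""
    return hashlib.sha256(x).digest()


def lamport_gen(rng=secrets.token_bytes):
    """Gen(1^n): secret x_{i,b} for i in 0..255, b in {0,1}; public y_{i,b} = f(x_{i,b})."""
    sk = [(rng(32), rng(32)) for _ in range(N_BITS)]
    vk = [(f(x0), f(x1)) for x0, x1 in sk]
    return {"keys": sk, "used": False}, vk


def _digest_bits(m: bytes):
    """Bits of hash(m), most significant first, one per key position."""
    h = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return [(h >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def lamport_sign(sk, m: bytes):
    """Sign_sk(m): reveal x_{i, hash(m)_i} for each position i. One use only."""
    if sk["used"]:
        raise RuntimeError("one-time key already used; refusing a second signature")
    sk["used"] = True
    return [sk["keys"][i][b] for i, b in enumerate(_digest_bits(m))]


def lamport_verify(vk, m: bytes, sigma) -> bool:
    """VerifySign_vk(m, sigma): every revealed preimage must map to y_{i, hash(m)_i}."""
    if len(sigma) != N_BITS:
        return False
    return all(f(x) == vk[i][b]
               for i, (x, b) in enumerate(zip(sigma, _digest_bits(m))))


if __name__ == "__main__":
    sk, vk = lamport_gen()
    msg = b"transfer 10 to Bob"
    sig = lamport_sign(sk, msg)
    print("valid:", lamport_verify(vk, msg, sig))
    print("tampered:", lamport_verify(vk, b"transfer 99 to Bob", sig))
```

The public key is 2 * 256 * 32 bytes and each signature 256 * 32 bytes, which is the size cost the tree construction on the following slides amortises; the refusal to sign twice is the property a multi-time scheme built from one-time keys has to track as state, and that the PRF trick on slide 41 later removes.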

(40)

One-Time Signature → Multi-Time

Figure: Figure from book by Katz and Lindell

Uses the hash-and-sign paradigm
Each level uses a one-time signature

Signing (and possibly verification) keeps state information

(41)

One-Time Signature → Multi-Time

Figure: Figure from book by Katz and Lindell

Skipping pages 434 - 446

To make it stateless, use a PRF to generate randomness to be used in key-generation.

(42)

Public-Key Infrastructure

A digital certificate is a signature on a message of the form "Bob's public key is pk_B".

Certificate Authority (CA)

Issues a certificate by asking for (physical) proofs only once
Possible to use multiple CAs, and to trust at different levels
CA chains or trees may be formed

Web-of-trust model of PGP: anyone is a CA, you decide how much to trust.

Certificate revocation is a big problem, mostly done through including expiration dates in certificates, or via certificate revocation lists (CRL).

(43)

TODO Next

Chapter 7: solve exercises 1, 3, 6-9, 13, 14.

Chapter 7: pay special attention to exercises 4, 15, 16.

Chapter 8: solve exercises 1, 4*, 5*.

Chapter 9: solve exercises 1, 2, with special attention to 3.

Chapter 10: solve exercises 1, 2, 7*, 8, 12*, 15, 17.

Chapter 10: pay special attention to exercises 3, 4, 11, 16.

Chapter 12: solve exercises 1, 3, 7, 9, 13.
