Lecture 6. Lecturer: Yevgeniy Dodis Spring

Pages 17
Views 38

Please download to get full document.

View again

of 17
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
CSCI-GA MATH-GA Introduction to Cryptography February 29, 2012 Lecture 6 Lecturer: Yevgeniy Dodis Spring Public-Key Encryption Last lecture we studied in great detail the notion
CSCI-GA MATH-GA Introduction to Cryptography February 29, 2012 Lecture 6 Lecturer: Yevgeniy Dodis Spring Public-Key Encryption Last lecture we studied in great detail the notion of pseudorandom generators (PRG), a deterministic functions that stretch randomness by any polynomial amount: from k to p(k) bits. As we already indicated, PRG s have a lot of applications including constructions of both public- and private-key encryptions, and implementation of ideal randomness in essentially any programming language. In this lecture we will begin examining these application in more detail by starting with the formal study of public-key encryption (PKE). As we explained before, the informal scenario is this: Before the Encryption. Alice publishes to the world her public key PK. Therefore, both Bob and Eve know what PK is. This public key is only used to encrypt messages, and a separate key SK is used to decrypt messages. (This is unlike the Secret-Key scheme where one key S is used to both encrypt and decrypt.) Only Alice knows what SK is, and nobody else, not even Bob. Encryption. When Bob wishes to send Alice a plaintext message M via the Internet, Bob encrypts M using Alice s public key P K to form a ciphertext C. (Formally, we summarize encryption with PK as E PK and say that C = E PK (M).) Bob then sends C over the Internet to Alice. Decryption. Upon receiving C, Alice uses her secret private key SK to decrypt C, giving her M, the original plaintext message. (Formally, we summarize decryption with SK as D SK and say that D SK (C) = D SK (E PK (M)) = M.) Eve s Standpoint. Unlike the Secret-Key scheme, Eve knows everything Bob knows and can send the same messages Bob can. And, only Alice can decrypt. And, when Bob sends his message, Eve only sees C, and knows PK in advance. But, she has no knowledge of SK. And, if it is hard for Eve to learn about SK or plaintexts based on ciphertexts and PK, then our system is secure. 2 Definition of Public-key Encryption We start with the syntax of a public-key encryptions scheme, and only later talk about its security. Definition 1 [Public-key encryption (PKE)] A PKE is a triple of PPT algorithms E = (Gen, E, D) where: Lecture 6, page-1 1. Gen is the key-generation algorithm. Gen(1 k ) outputs (PK, SK, M k ), where SK is the secret key, PK is the public-key, and M k is the message space associated with the P K/SK-pair. Here k is an integer usually called the security parameter, which determines the security level we are seeking for (i.e., everybody is polynomial in k and adversary s advantage should be negligible in k). 2. E is the encryption algorithm. For any m M k, E outputs c r E(m; PK) the encryption of m. c is called the ciphertext. We sometimes also write E(m; PK) as E PK (m), or E(m; r, PK) and E PK (m; r), when we want to emphasize the randomness r used by E. 3. D is the decryption algorithm. D(c; SK) r m {invalid} M k is called the decrypted message. We also sometimes denote D(c; SK) as D SK (c), and remark that usually D is deterministic. 4. We require the correctness property: if everybody behaves as assumed m M k, m = m, that is D SK (E PK (m)) = m Example: RSA. Let us check that RSA satisfies the above definition. Notice, both E and D are deterministic. 1. Gen(1 k ) corresponds to the following algorithm: (p, q) are random primes of k bits, n = pq, e r Z ϕ(n), d = e 1 mod ϕ(n), M k = Z n. Set PK = (n, e), SK = d. 2. c = E(m; (n, e)) = m e mod n. 3. m = D(c; (d, n)) = c d mod n. More generally, we could construct a PKE from any TDP. Suppose we have a TDP f with trap-door information t k and algorithm I for inversion. Here is the induced PKE: 1. Gen(1 k ) r (f, t k, {0, 1} k ), and f is the PK and the trapdoor t k is the SK. 2. E(m; PK) = f(m). 3. D(m; SK) = I(c, t k ). Conventions about message spaces M k. Without loss of generality we will assume that the message space M k can be determined from the public key PK (so we will not explicitly output its desciption in Gen). Also, in many schemes the message space M k does not depend on the particular public key PK and depends only on k, e.g. M k = {0, 1} and M k = {0, 1} k. In the latter cases we will sometimes say that E is an encryption for a sequence of message spaces {M k }. Notice, however, that in most concrete examples (i.e., in the RSA example above), M k could depend on the PK. As we will see, this will create some definitional issues when defining security of encryption. Lecture 6, page-2 Problems. The problem of the above general construction is that it does not meet our requirement of security. First, it reveals partial information. For example, in the RSA case, f(m) preserves the Jacobi symbol of m. Furthermore, if f is a TDP f(a, b) = (a, f (b)) is also a TDP however it reveals half of the input message. Second, our definition of TDP is based on the assumption of uniform distribution of the input. Here, it corresponds to the uniformity of the distribution on the message space. However, in practice, such uniformity is rarely satisfied, and in some interesting cases, the message spaces is actually quite sparse, for example, the English text. Third, when the message space is sparse (i.e., sell/buy), this method is completely insecure and can be broken by a simple exhaustive search. Many more problems exist. For example, the adversary can tell whether the same message is being sent twice or not. For completeness, we would like to point out the general construction does satisfy a very weak security notion. Definition 2 [One-way secure encryption] A PKE E is called one-way secure if it is hard to completely decrypt a random message. Formally, for any PPT A Pr(A(c) = m (SK, PK) r Gen(1 k ), m r M k, c r E PK (m)) negl(k) Here is a simple lemma directly from the definitions of TDP that shows Lemma 1 If M k = {0, 1} k is the domain of a TDP f, then the PKE induced from f is one-way secure. Conclusions. Much stronger definition is needed in order not to reveal partial information. Encryption scheme cannot be deterministic in order to solve the problem of nonuniform/sparse message space. Even starting with 1-bit encryption, M k = {0, 1}, is interesting and non-trivial. 3 Secure encryption of one bit From the previous section, we discussed the problems with one-way security and the straightforward usage of a TDP. In order to have a stronger definition, let us first begin from from trying to encrypt one bit, i.e. M k = {0, 1}. One of the conclusions we had is that the encryption scheme must be probabilistic. For each bit from M k = {0, 1}, there is cloud of messages in the encrypted message space C corresponding to that bit. Informally, we want the distribution of these two clouds to be Lecture 6, page-3 indistinguishable to the adversary even conditioned on the public key PK and even though their supports are totally disjoint (the disjointness is from the fact that we want to decrypt the message without ambiguity). We write it as PK, E PK (0) PK, E PK (1), where E PK (0) and E PK (1) are two random variables denoting random encryption of 0 and 1 respectively. Notice this is not possible in the Shannon theory, because there the adversary has infinite power and the only way for the distribution to be indistinguishable is that they are exactly the same, which is not the case since the supports of two distributions are totally different. However, in our case it is doable because we assume the adversary is only PPT. We also point out that when the public key PK is clear, we will sometime be sloppy and simply write E(0) E(1), always implicitly assuming that P K is public knowledge. Here is the formal definition. Definition 3 A PKE for M k = {0, 1} is called polynomially indistinguishable if PK, E PK (0) PK, E PK (1), meaning that PPT A Pr(A(c, PK) = 1 (SK, PK) r Gen(1 k ), c r E PK (0)) Pr(A(c, PK) = 1 (SK, PK) r Gen(1 k ), c r E PK (1)) negl(k) Or equivalently, Pr(A(c, PK) = b (SK, PK) r Gen(1 k ), b r {0, 1}, c r E PK (b)) 1 2 negl(k) Example. Suppose f is a TDP with trapdoor information t k and efficient algorithm I for inversion, and h is a hardcore bit for f. Here is the PKE we informally considered earlier: 1. Gen(1 k ) r (f, t k ). 2. E(b) f(x), h(x) b = y, d. (x is random in {0, 1} k ). 3. D( y, d, t k ) : x = I(y, t k ), b = d h(x). Here is another, slightly more efficient suggestion: 1. Gen(1 k ) r (f, t k ). 2. E(b): sample x r {0, 1} k until h(x) = b, then set ciphertext y = f(x). 3. D(y): recover x r I(y, t k ), then decrypt b = h(x). Notice, E is efficient, since sampling the right x will terminate after approximately two trials, since h must be balanced between 0 and 1. We analyze these schemes formally later (or in the homework). Lecture 6, page-4 4 Secure Encryption of Many bits Now, we will consider the case M k = {0, 1} p(k), where p is some polynomial in k. The definition is an obvious generalization of the bit version. Definition 4 [Polynomial indistinguishability] A PKE E for M k = {0, 1} p(k) is called polynomially indistinguishable (against PK-only attack) if for any m 0, m 1 M k, we have PK, E PK (m 0 ) PK, E PK (m 1 ). Formally, PPT A Pr(A(c, PK) = b (SK, PK) r Gen(1 k ), b r {0, 1}, c r E PK (m b )) 1 2 negl(k) Comments. The definition includes the situation when m 0 and m 1 are the same. In this case, no matter b = 0 or b = 1, E and A will know nothing about what b is, because they only see the message m b, which is the same, no matter b = 0 or b = 1. As will will see this definition is extremely robust and prevents a lot of attacks. For example, it also excludes the possibility for the adversary to tell whether a message was being sent twice. Informally, if A could determine this, when given c, A can generate c E(m 0 ), and see if c and c correspond to the same message, thus determining if b = 0. Blum-Goldwasser construction. In the Blum-Goldwasser construction, as we mentioned earlier, we are given a TDP f with trapdoor t k, inversion algorithm I, and a hardcore bit h. Recall also that if we let G(x) = G (x) f (n) (x), where G (x) = h(x) h(f 1 (x)) h(f (n 1) (x)), then both G and G are PRG s. We define: 1. PK = f and SK = t k. 2. E(m): get x r {0, 1} k, send c = (G (x) m, f (n) (x)). 3. D(c): use t k to get f (n 1) (x),..., f(x), x, and use them to calculate G (x) with hardcore bit function h. After we have G (x), recovering m is clear. To check the correctness of Blum-Goldwasser construction, we need to prove that for all m 0 and m 1 (below we omit PK = f since it s fixed) E(m 0 ) (f (n) (x), G (x) m 0 ) (f (n) (x), G (x) m 1 ) E(m 1 ) (1) In order to prove this, we will instead prove a more general lemma. Lemma 2 (One-Time Pad Lemma) Let R denote the uniform distribution. Then for all distributions X, Y (not necessarily independent!), if (X, Y ) (X, R), then for all m 0 and m 1 we have (X, Y m 0 ) (X, Y m 1 ). Lecture 6, page-5 Proof: The simplest proof is to notice that for any fixed message m, R m R, where R is a random string. I.e., random+fixed=random. Thus, since XOR is an efficient operation, (X, Y m 0 ) (X, R m 0 ) (X, R) (X, R m 1 ) (X, Y m 1 ) We see that Lemma 2 indeed implies the needed Equation (1). Indeed, consider X = f (n) (x), Y = G (x). Then, to apply Lemma 2, we only need to argue that (f (n) (x), G (x)) (f (n) (x), R ), where R is random. But since f is a permutation and x is random, f (n) (x) is just a random string, so (f (n) (x), R ) R, and we just need to show that G(x) = f (n) (x) G (x) is a PRG, which is precisely what we showed last time. Thus, we get Theorem 1 BG construction above defines a polynomially indistinguishable encryption. As a special case, we also get the security of the one-bit version of BG encryption that we considered in the previous section. Efficient example: squaring over Blum integers. Recall, the Blum-Blum-Shub construction of G uses the OWF SQ(x) = x 2 mod n. This function is a TDP when n = pq with p = 3 mod 4 and q = 3 mod 4. Specifically, it can be proved that it is a permutation on SQ n, and the trapdoor key is the factorization (p, q) of n = pq. The associated hardcore bit is the least significant bit of x. Now we see that this construction is quite efficient, because in order to encrypt p(k) bits, we only need to do p(k) multiplications mod n. 5 Key Encapsulation Mechanism The BG example above follows the following key encapsulation principle which we will meet in virtually any public-key encryption scheme. The idea is to derive a radom-looking key s and its encryption, and then use s to one-time pad the message. For example, in the BG scheme above, the key s was equal to G (x), while the encryption of s was the value ψ = f (n) (x). A bit more formally, Definition 5 [Key Encapsulation Mechanism (KEM)] A Key Encapsulation Mechanism is a triple of PPT algorithms E = (Gen, KE, KD) where: 1. Gen is the key-generation algorithm. Gen(1 k ) outputs (PK, SK, M k ), where SK is the secret key, PK is the public-key, and M k is the key space associated with the P K/SK-pair. 2. KE is the key encapsulation algorithm. It takes the public key PK and outputs a pair ψ, s r KE(PK), where s M k is a key and ψ is called the ciphertext representing encryption of s. We sometimes write ψ, s = KE PK (r) to emphasize the randomness r used by KE. 3. KD is the key decapsulation algorithm. KD(ψ; SK) r s {invalid} M k attempts to extract a key from the ciphertext ψ. We sometimes denote KD(ψ; SK) as KD SK (ψ), and remark that usually KD is deterministic. Lecture 6, page-6 4. We require the correctness property: if ψ, s r KE(PK), then KD(ψ, SK) = s. As we mentioned, in the BG example, KE(x) uses random x to set s = G (x), ψ = f (n) (x), while KD(ψ) = G (f ( n) (ψ)). The usefulness of KEM comes from the fact that it immediately yields a PKE, by using the symmetric key s to encrypt the message m. For concreteness, below we assume M k = {0, 1} n for some parameter n = p(k) (like in the BG case), and we will use the one-time pad encryption to encrypt m (although later we will see that any symmetric-key encryption will do!). But first we need a definition of security for KEM. Definition 6 [Polynomial indistinguishability] A KEM (Gen, KE, KD) for M k = {0, 1} p(k) is called polynomially indistinguishable (against P K-only attack) if for randomly generated PK and ψ, s KE(PK) we have PK, ψ, s PK, ψ, R, where R is a fresh random string sampled from M k. Formally, PPT A Pr(A(ψ, s b, PK) = b (SK, PK) r Gen(1 k ), b r {0, 1}, (ψ, s 0 ) r KE(PK), s 1 r {0, 1} p(k) ) negl(k) Lemma 3 Assume (Gen, KE, KD) is polynomially indistinguishable KEM for {0, 1} n. Then the following PKE is polynomially indistinguishable for {0, 1} n : key generation Gen is the same as in KEM. encryption E(m): compute ψ, s KE, and let c = ψ, m s. decryption D(ψ, z) = z KD(ψ). Proof: The proof immediately follows from the One-Time Pad Lemma, where X = (PK, ψ), and Y = s. We will see several other applications of the KEM paradigm. In particular, we will see that the one-time pad can be replaced by any (one-time) secure symmetrci-key encryption. As a concrete illustration, we can apply it to the symmetric scheme E s (m) = G(s) m, where G is any PRG. Although we did not yet prove that this scheme is secure, we directly prove that it yields a good KEM. Lemma 4 Assume (Gen, KE, KD) is polynomially indistinguishable KEM for {0, 1} k and G is a PRG from {0, 1} k to {0, 1} n. Then the following (Gen, KE, KD ) is a polynomially indistinguishable KEM for {0, 1} n : Gen = Gen. KE (PK): compute ψ, s KE(PK), and let ψ = ψ, s = G(s). Output ψ, s. Lecture 6, page-7 KD (ψ ) = G(KD(ψ )). We leave the proof as a simple exercise in the hybrid argument. We also remark that a trivial generalization of the above result shows that any polynomially indistinguishable encryption (Gen, E, D) on {0, 1} k can be combined with any secure PRG from k to n bits to directly give a polynomially indistinguishable encryption (Gen, E, D ) on {0, 1} n : simply pick a random k-bit key s, encrypt it using E, and append G(s) m to obtain the encryption of m. This shows that one can, in principle, only show how to encrypt relatively short messages, and then be able to encrypt much longer messages, provided a good PRG is availble. 6 General transformation from one bit to many bit Blum-Goldwasser construction shows that given a TDP, we could transfer many bits, by efficiently generalizing the corresponding original BG scheme to encrypt one bit. More generally, the above discussion following Lemma 4 shows that we only need to encrypt messages roughly as long as the security parameter to be able to encrypt much longer messages. However, suppose we have some PKE scheme for one bit, which possibly does not depend on any TDP and does not seem to obviously generalize to encrypt many bits. In fact, assume that the only thing we know about it is that it is indistinguishable one-bit encryption. Is it possible for us to use this scheme to encrypt many bits without using any other assumptions on this scheme? A naive answer is to regard each bit to be a separate message and encrypt it using the PKE scheme for one bit. Luckily, this naive approach works for public key encryption. 1 Formally, let E = (Gen, E, D) be a polynomial indistinguishable PKE scheme for one bit, we could define a PKE scheme E = (Gen, E, D ) for M k = {0, 1} n (n = p(k) for some polynomial p) as follows: 1. Gen (1 k ) = Gen(1 k ) (PK, SK), i.e. PK and SK are generated in the same way as before Gen, except the message space now is M k = {0, 1} p(k). Now, given m M k = {0, 1} n, we denote m as m 1 m 2 m n. 2. Define E PK (m1 m 2 m n ) = (E PK (m 1 ), E PK (m 2 ),, E PK (m n )) c 1 c 2 c n = c. 3. Define m = D SK (c1 c 2 c n ) = (D SK (c 1 ), D SK (c 2 ),, D SK (c n )) And it turns out that this bit-by-bit encryption indeed works! Theorem 2 If E is polynomially indistinguishable for one bit, then E is polynomial indistinguishable for n = p(k) bits. Proof: Take two messages m 0 and m 1. We first construct a sequence of intermediate messages that slowly go from m 0 to m 1 : M 0 = m 1 0 m m n 1 0 m n 0 M 1 = m 1 1 m m n 1 0 m n 0.. M n 1 = m 1 1 m m1 n 1 m n 0 M n = m 1 1 m m1 n 1 m n 1 1 As we will see, things are a bit more complex in the symmetric key setting. Lecture 6, page-8 Notice, M 0 = m 0 and M n = m 1. Also, M i 1 and M i differ in at most one bit bit number i. We now define a sequence of distributions C i E (M i ) = E(m 1 1)...E(m i 1)E(m i+1 0 )...E(m n 0) Using the hybrid argument, in order to prove that (we omit the PK from all the distributions for compactness) E (m 0 ) = E (m 1 0m 2 0 m n 0) E (m 1 1m 2 1 m n 1) = E (m 1 ) i.e. C 0 C n, we only need to show that for any i, we have C i 1 = E (x i 1 ) E (x i ) = C i. Graphically, C i 1 C i = E(m 1 1 )... E(mi 1 1 ) E(m i 0 ) E(mi+1 0 )... E(m n 0 ) = E(m 1 1 )... E(mi 1 1 ) E(m i 1 ) E(mi+1 0 )... E(m n 0 ) Now, let A = E(m 1 1 )... E(mi 1 1 ), B = E(m i+1 0 )... E(m n 0 ). Thus, we only need to show that (PK, E(m i 0), A, B) (PK, E(m i 1), A, B) But this is obvious now! Since by our assumption on (Gen, E, D), we have (PK, E PK (m i 0 )) (PK, E(m i 1 )), and since both A and B can be computed in polynomial time with the knowledge of PK (i.e., (A, B) = g(pk) for some efficient function g), we immediately get the desired conclusion. To recap the whole proof, we used the fact that if one can distinguish between encryptions of two long messages encrypted bit-by-bit, there must be some particular index i that gives the adversary this advantage, but this contradicts the bit security of our base encryption scheme. Also, notice that we loose a polynomial factor p(k) = n in security by using the hybrid argument, but this is OK since n is polynomial. Remark 1 We notice that the above one-bit to many-bit result is false for private-key encryption (which we did not cover formally yet). For example, consider the one-time pad with secret bit s and E s (b) = b s. We know it is perfectly secure. However, if we are to encrypt
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks

We need your sign to support Project to invent "SMART AND CONTROLLABLE REFLECTIVE BALLOONS" to cover the Sun and Save Our Earth.

More details...

Sign Now!

We are very appreciated for your Prompt Action!