MIT 6.875 & Berkeley CS276
Lecture 10 Foundations of Cryptography
Today: Constructions of Public-Key Encryption
1: Trapdoor Permutations (RSA): composite $N$ / factoring
2: Quadratic Residuosity / Goldwasser-Micali: composite $N$ / factoring
3: Diffie-Hellman / El Gamal: prime $p$ / discrete log
4: Learning with Errors / Regev: small numbers, large dimensions
Trapdoor One-way Functions
[Figure: $F$ maps its domain onto its range. Easy to compute; hard to invert; easy to invert given a trapdoor.]
Trapdoor One-way Permutations
[Figure: the same picture, with Domain = Range.]
Review: Number Theory
Let's review some number theory from L7-8. Let $N = pq$ be a product of two large primes. Fact: $\mathbb{Z}_N^* = \{a \in \mathbb{Z}_N : \gcd(a, N) = 1\}$ is a group.
Lecture 8: The map $F(y) = y^2 \bmod N$ is a 4-to-1 trapdoor function, as hard to invert as factoring $N$.
The RSA Trapdoor Permutation
Today: Let $e$ be an integer with $\gcd(e, \varphi(N)) = 1$. Then the map $F_{N,e}(y) = y^e \bmod N$ is a trapdoor permutation.
The collection: $\{F_{N,e} : \gcd(e, \varphi(N)) = 1\}$.
Key Fact: Given $d$ such that $ed = 1 \bmod \varphi(N)$, it is easy to compute $y$ given $y^e$. Proof: $(y^e)^d = y^{k\varphi(N) + 1} = (y^{\varphi(N)})^k \cdot y = y \bmod N$ (for some integer $k$).
This gives us the RSA trapdoor permutation collection. Trapdoor for inversion: $d = e^{-1} \bmod \varphi(N)$.
The RSA Trapdoor Permutation
Hardness of inversion without the trapdoor = RSA assumption: given $N, e$ (as above) and $y^e \bmod N$, it is hard to compute $y$.
We know that if factoring is easy, RSA is broken (and that's the only known way to break RSA). Major Open Problem: Are factoring and RSA equivalent?
The RSA Trapdoor Permutation
Hardcore bits (galore) for the RSA trapdoor one-way permutation:
$\mathrm{LSB}(y) = y \bmod 2$
$\mathrm{half}_N(y) = 1$ iff $y < N/2$
RSA Encryption
$Gen$: with $N = pq$ as above, pick $e, d$ with $ed = 1 \bmod \varphi(N)$. Let $pk = (N, e)$ and let $sk = d$.
$Enc(pk, m)$ where $m$ is a bit: Generate random $x \in \mathbb{Z}_N^*$ and output $x^e \bmod N$ and $\mathrm{LSB}(x) \oplus m$.
IND-secure under the RSA assumption: given $N, e$ (as above) and $x^e \bmod N$, it is hard to compute $x$.
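As an added example (not from the slides), here is the RSA trapdoor permutation and the hardcore-bit encryption above in Python; the primes 61 and 53 and the exponent 17 used in the checks are constructed toy values, far too small for real use.

```python
import math
import secrets

def rsa_gen(p, q, e):
    """Toy RSA keys from constructed primes p, q and public exponent e.
    pk = (N, e); the trapdoor sk = d = e^{-1} mod phi(N)."""
    N, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:        # F_{N,e} is a permutation only if gcd(e, phi(N)) = 1
        raise ValueError("e must be coprime to phi(N)")
    return (N, e), pow(e, -1, phi)   # modular inverse (Python 3.8+)

def rsa_forward(pk, y):
    """F_{N,e}(y) = y^e mod N: easy for everyone to compute."""
    N, e = pk
    return pow(y, e, N)

def rsa_invert(pk, d, c):
    """With the trapdoor d: (y^e)^d = y^{k phi(N) + 1} = y mod N."""
    N, _ = pk
    return pow(c, d, N)

def lsb(x):
    """The hardcore bit LSB(x) = x mod 2."""
    return x & 1

def enc_bit(pk, m):
    """Hardcore-bit encryption of one bit: (x^e mod N, LSB(x) xor m) for random x in Z_N^*."""
    N, _ = pk
    while True:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:
            return rsa_forward(pk, x), lsb(x) ^ m

def dec_bit(pk, d, ct):
    """Recover x with the trapdoor, then unmask the bit."""
    c, masked = ct
    return lsb(rsa_invert(pk, d, c)) ^ masked

def is_permutation(pk):
    """Sanity check on a toy modulus: F_{N,e} hits every element of Z_N exactly once."""
    N, _ = pk
    return len({rsa_forward(pk, y) for y in range(N)}) == N
```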
Today: Constructions of Public-Key Encryption
1: Trapdoor Permutations (RSA)
2: Quadratic Residuosity / Goldwasser-Micali
3: Diffie-Hellman / El Gamal
4: Learning with Errors / Regev
Quadratic Residuosity
Let's review some more number theory from L7-8. Let $N = pq$ be a product of two large primes.
$\mathbb{Z}_N^*$ splits into $J_N^{-1} = \{y : (\tfrac{y}{N}) = -1\}$ and $J_N^{+1} = \{y : (\tfrac{y}{N}) = +1\}$.
The Jacobi symbol $(\tfrac{y}{N}) = (\tfrac{y}{p})(\tfrac{y}{q})$ is $+1$ if $y$ is a square mod both $p$ and $q$ or a non-square mod both $p$ and $q$.
Quadratic Residuosity
Surprising fact: the Jacobi symbol $(\tfrac{y}{N}) = (\tfrac{y}{p})(\tfrac{y}{q})$ is computable in poly time without knowing $p$ and $q$.
Quadratic Residuosity
$QR_N$ is the set of squares mod $N$ and $QNR_N$ is the set of non-squares mod $N$ with Jacobi symbol $+1$.
So: $QR_N = \{y : (\tfrac{y}{p}) = (\tfrac{y}{q}) = +1\}$ and $QNR_N = \{y : (\tfrac{y}{p}) = (\tfrac{y}{q}) = -1\}$.
Quadratic Residuosity
Quadratic Residuosity Assumption (QRA): Let $N = pq$ be a product of two large primes. No PPT algorithm can distinguish a random element of $QR_N$ from a random element of $QNR_N$ given only $N$.
Goldwasser-Micali (GM) Encryption
$Gen(1^n)$: Generate random $n$-bit primes $p$ and $q$ and let $N = pq$. Let $z \in QNR_N$ be some quadratic non-residue with Jacobi symbol $+1$. Let $pk = (N, z)$ and let $sk = (p, q)$.
$Enc(pk, m)$ where $m$ is a bit: Generate random $r \in \mathbb{Z}_N^*$ and output $r^2 \bmod N$ if $m = 0$ and $r^2 z \bmod N$ if $m = 1$.
$Dec(sk, c)$: Check if $c \in \mathbb{Z}_N^*$ is a quadratic residue using $p$ and $q$. If yes, output 0, else 1.
Goldwasser-Micali (GM) Encryption
IND-security follows directly from the quadratic residuosity assumption.
GM is a Homomorphic Encryption
$Enc(pk, m)$ where $m$ is a bit: Generate random $r \in \mathbb{Z}_N^*$ and output $r^2 z^m \bmod N$.
Given a GM-ciphertext of $m$ and a GM-ciphertext of $m'$, I can compute a GM-ciphertext of $m + m' \bmod 2$ without knowing anything about $m$ or $m'$!
Claim: $Enc(pk, m) \cdot Enc(pk, m')$ is an encryption of $m \oplus m' = m + m' \bmod 2$.
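An added Python example (not from the slides) of Goldwasser-Micali, including a Jacobi-symbol routine that needs no factorization (the "surprising fact" above) and the XOR homomorphism; the primes 11 and 19 are constructed toy values.

```python
import math
import secrets

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p by Euler's criterion: a^((p-1)/2) mod p."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r   # 1 = square, -1 = non-square, 0 if p divides a

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed WITHOUT factoring n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity: sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def gm_gen(p, q):
    """pk = (N, z) with z a non-square mod both p and q, i.e. z in QNR_N with Jacobi +1; sk = (p, q)."""
    N = p * q
    z = next(z for z in range(2, N) if legendre(z, p) == -1 and legendre(z, q) == -1)
    return (N, z), (p, q)

def gm_enc(pk, m):
    """Enc(pk, m) = r^2 z^m mod N for random r in Z_N^*."""
    N, z = pk
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return (r * r * pow(z, m, N)) % N

def gm_dec(sk, c):
    """Dec: c is a quadratic residue mod N iff it is a square mod both p and q."""
    p, q = sk
    return 0 if legendre(c, p) == 1 and legendre(c, q) == 1 else 1

def gm_xor(pk, c1, c2):
    """Homomorphism: Enc(m) * Enc(m') = (r r')^2 z^(m + m') encrypts m xor m'."""
    return (c1 * c2) % pk[0]
```

Every ciphertext has Jacobi symbol $+1$ regardless of the bit, so the public Jacobi computation reveals nothing; only the factorization does.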
Today: Constructions of Public-Key Encryption
1: Trapdoor Permutations (RSA)
2: Quadratic Residuosity / Goldwasser-Micali
3: Diffie-Hellman / El Gamal
4: Learning with Errors / Regev
Diffie-Hellman Key Exchange
Commutativity in the exponent: $(g^y)^z = (g^z)^y$. So you can compute $g^{yz}$ given either $g^y$ and $z$, or $g^z$ and $y$.
Diffie-Hellman Assumption (DHA): Hard to compute $g^{yz}$ given only $g$, $g^y$ and $g^z$ (where $g$ is an element of some group).
We know that if discrete log is easy, DHA is false. Major Open Problem: Are discrete log and DHA equivalent?
Diffie-Hellman Key Exchange
Public parameters $p, g$: $g$ is a generator of our group $\mathbb{Z}_p^*$.
One party picks a random number $y \in \mathbb{Z}_{p-1}$ and sends $g^y \bmod p$; the other picks a random number $z \in \mathbb{Z}_{p-1}$ and sends $g^z \bmod p$.
Shared key $K = g^{yz} \bmod p = (g^z)^y \bmod p$ on one side and $K = g^{yz} \bmod p = (g^y)^z \bmod p$ on the other.
Diffie-Hellman/El Gamal Encryption
$Gen$: Pick a prime $p$ and a generator $g$ of $\mathbb{Z}_p^*$. Choose a random number $y \in \mathbb{Z}_{p-1}$. Let $pk = (p, g, g^y)$ and let $sk = y$.
$Enc(pk, m)$ for $m \in \mathbb{Z}_p^*$: Generate random $z \in \mathbb{Z}_{p-1}$ and output $(g^z, g^{yz} \cdot m)$.
$Dec(sk, c)$: Compute $(g^z)^y = g^{yz}$ and divide the second component to retrieve $m$.
Is this Secure?
The Problem
Claim: Given $p, g, g^y \bmod p$ and $g^z \bmod p$, the adversary can compute some information about $g^{yz} \bmod p$: it can determine if $g^{yz} \bmod p$ is a square mod $p$.
Corollary: Therefore, additionally given $g^{yz} \cdot m \bmod p$, the adversary can determine whether $m$ is a square mod $p$, violating "IND-security".
The Problem
Claim: Given $p, g, g^y \bmod p$ and $g^z \bmod p$, the adversary can determine if $g^{yz} \bmod p$ is a square mod $p$.
$g^{yz} \bmod p$ is a square $\iff$ $yz \pmod{p-1}$ is even $\iff$ $yz$ is even $\iff$ $y$ is even or $z$ is even $\iff$ $y \pmod{p-1}$ is even or $z \pmod{p-1}$ is even $\iff$ $g^y \bmod p$ or $g^z \bmod p$ is a square. This can be checked in poly time!
Diffie-Hellman Encryption
Lesson: Best to work over a group of prime order. Such groups have no non-trivial subgroups. More generally, it is dangerous to work with groups that have non-trivial subgroups (in our case, the subgroup of all squares mod $p$).
An Example: Let $p = 2q + 1$ where $q$ is a prime itself. Then the group of squares mod $p$ has order $(p-1)/2 = q$.
Diffie-Hellman/El Gamal Encryption
$Gen$: Pick $p = 2q + 1$ with $q$ prime (as above) and a generator $g$ of $\mathbb{Z}_p^*$, and let $h = g^2 \bmod p$ be a generator of $QR_p$. Choose a random number $y \in \mathbb{Z}_q$. Let $pk = (p, h, h^y)$ and let $sk = y$.
$Enc(pk, m)$ for $m \in QR_p$: Generate random $z \in \mathbb{Z}_q$ and output $(h^z, h^{yz} \cdot m)$.
$Dec(sk, c)$: Compute $(h^z)^y = h^{yz}$ and divide the second component to retrieve $m$.
Decisional Diffie-Hellman Assumption
Decisional Diffie-Hellman Assumption (DDHA): Hard to distinguish between $g^{yz}$ and a uniformly random group element, given $g$, $g^y$ and $g^z$. That is, the following two distributions are computationally indistinguishable: $(g, g^y, g^z, g^{yz}) \approx (g, g^y, g^z, u)$ for uniformly random $u$.
DH/El Gamal is IND-secure under the DDH assumption.
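An added Python example (not from the slides) that runs the square-leak computation from "The Problem" against El Gamal over all of $\mathbb{Z}_p^*$, then repeats it over the prime-order subgroup $QR_p$ where the recovered symbol is always $+1$; $p = 23 = 2 \cdot 11 + 1$ and $g = 5$ are constructed toy parameters.

```python
import secrets

def legendre(a, p):
    """Legendre symbol (a/p) via Euler's criterion: +1 for a square mod p, -1 for a non-square."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def keygen(p, gen, order):
    """sk = y, pk = gen^y.  Over Z_p^*: gen = g, order = p - 1.  Over QR_p: gen = g^2, order = q."""
    y = secrets.randbelow(order - 1) + 1
    return y, pow(gen, y, p)

def encrypt(p, gen, order, pk, m):
    """El Gamal: (gen^z, pk^z * m) = (g^z, g^{yz} m) for a random z."""
    z = secrets.randbelow(order - 1) + 1
    return pow(gen, z, p), (pow(pk, z, p) * m) % p

def decrypt(p, y, ct):
    """Compute (g^z)^y = g^{yz} and divide it out of the second component."""
    c1, c2 = ct
    return (c2 * pow(pow(c1, y, p), -1, p)) % p

def leaked_legendre_of_m(p, pk, ct):
    """The adversary's computation from the slides, using public values only:
    g^{yz} is a square mod p iff y or z is even iff g^y or g^z is a square, so
    (g^{yz}/p) is known and (m/p) = (c2/p) * (g^{yz}/p)."""
    c1, c2 = ct
    gyz_sym = 1 if (legendre(pk, p) == 1 or legendre(c1, p) == 1) else -1
    return legendre(c2, p) * gyz_sym

# Constructed toy parameters: p = 2q + 1 with q = 11 prime; g = 5 generates Z_23^*.
P, Q, G = 23, 11, 5
H = pow(G, 2, P)   # h = g^2 generates QR_p, the subgroup of prime order q

def leak_over_zp_star(m):
    """Broken variant: the recovered symbol equals (m/p), one bit about the plaintext."""
    y, pk = keygen(P, G, P - 1)
    ct = encrypt(P, G, P - 1, pk, m)
    return leaked_legendre_of_m(P, pk, ct) == legendre(m, P), decrypt(P, y, ct) == m

def leak_over_qr_p(m):
    """Fixed variant: messages and all public values lie in QR_p, so the symbol is always +1."""
    y, pk = keygen(P, H, Q)
    ct = encrypt(P, H, Q, pk, m)
    return leaked_legendre_of_m(P, pk, ct), decrypt(P, y, ct) == m
```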
Today: Constructions of Public-Key Encryption
1: Trapdoor Permutations (RSA)
2: Quadratic Residuosity / Goldwasser-Micali
3: Diffie-Hellman / El Gamal
4: Learning with Errors / Regev (post-quantum secure, as far as we know)
Find $s = (s_1, s_2)$
[Toy instance from the slide: a system of linear equations $s \cdot A = (11, 3, 9)$ over $\mathbb{Z}_q$; the entries of $A$ were lost in extraction.] Easy!
Find $s$. How about: $s \cdot A + (e_1, e_2, e_3) = (11, 3, 9)$, where $(e_1, e_2, e_3)$ are "small" numbers. Very hard! (in large dimensions)
Find $s$
LWE: given $(A, sA + e)$, where $A \in \mathbb{Z}_q^{n \times m}$, $s \in \mathbb{Z}_q^n$ is a random "small" secret vector and $e \in \mathbb{Z}_q^m$ is a random "small" error vector, find $s$. Very hard!
Decisional LWE: distinguish $(A, sA + e)$ from $(A, b)$ with $b$ uniformly random.
[Regev05, following BFKL93, Ale03]: "Decisional LWE is as hard as LWE".
[Regev05] Encryption under a secret key $s \in \mathbb{Z}_q^n$ ($n$ = security parameter, $q$ = "small" prime):
- Sample uniformly random $a \in \mathbb{Z}_q^n$ and "short" noise $e \in \mathbb{Z}_q$.
- The ciphertext is $c = (a, b = \langle a, s\rangle + e + m\lfloor q/2\rfloor)$.
// correctness as long as $|e| < q/4$
This is an incredibly cool scheme. In particular, additively homomorphic.
$c = (a, b = \langle a, s\rangle + e + m\lfloor q/2\rfloor)$
$c' = (a', b' = \langle a', s\rangle + e' + m'\lfloor q/2\rfloor)$
$c + c' = (a + a', b + b' = \langle a + a', s\rangle + (e + e') + (m + m')\lfloor q/2\rfloor)$
In words: $c + c'$ is an encryption of $m + m' \pmod 2$.
[Regev05]
Here is a crazy idea. The public key has an encryption of 0 (call it $c_0$) and an encryption of 1 (call it $c_1$). If you want to encrypt 0, output $c_0$, and if you want to encrypt 1, output $c_1$. Well, turns out to be a crazy bad idea. If only we could produce fresh encryptions of 0 or 1 given just the pk...
[Regev05]
Here is another crazy idea. The public key has many encryptions of 0 and an encryption of 1 (call it $c_1$).
This one turns out to be a crazy good idea. If you want to encrypt 0, output a random linear combination of the 0-encryptions. If you want to encrypt 1, output a random linear combination of the 0-encryptions plus $c_1$.
[Regev05] Public-key encryption:
$pk = (c_0^1, \ldots, c_0^\ell, c_1)$ with $c_0^i = (a_i, \langle a_i, s\rangle + e_i)$ an encryption of 0 and $c_1 = (a', \langle a', s\rangle + e' + \lfloor q/2\rfloor)$ an encryption of 1; $sk = s$.
$Enc(pk, m)$: output $\sum_{i=1}^{\ell} r_i c_0^i + m \cdot c_1$ for random coefficients $r_i$ (random bits in Regev's scheme).
Correctness: additive homomorphism. Security: decisional LWE + "Leftover Hash Lemma".
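An added Python example (not from the slides) of the LWE-based scheme: secret-key encryption of bits, the additive homomorphism, and the public-key variant built from many encryptions of 0 plus one encryption of 1; the dimension 10, the prime 257 and the 30 public-key samples are constructed toy parameters, and the generator is seeded only for reproducibility.

```python
import random

N_DIM, Q, M_PK = 10, 257, 30   # constructed toy parameters: dimension n, prime q, number of pk samples
rng = random.Random(6875)      # seeded so the demo is reproducible; a real scheme uses a CSPRNG

def inner(a, s):
    """<a, s> mod q."""
    return sum(x * y for x, y in zip(a, s)) % Q

def enc_sk(s, bit):
    """Secret-key LWE encryption: c = (a, <a, s> + e + bit * floor(q/2)) with uniform a, short e."""
    a = [rng.randrange(Q) for _ in range(N_DIM)]
    e = rng.choice((-1, 0, 1))
    return a, (inner(a, s) + e + bit * (Q // 2)) % Q

def keygen():
    """pk: many encryptions of 0 plus one encryption of 1; sk: the LWE secret s."""
    s = [rng.randrange(Q) for _ in range(N_DIM)]
    return ([enc_sk(s, 0) for _ in range(M_PK)], enc_sk(s, 1)), s

def add(c1, c2):
    """Additive homomorphism: the componentwise sum encrypts m + m' mod 2 (the errors add up)."""
    (a1, b1), (a2, b2) = c1, c2
    return [(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q

def encrypt(pk, bit):
    """Random 0/1 combination of the 0-encryptions, plus c_1 if bit = 1; fresh randomness each time."""
    zeros, c1 = pk
    c = ([0] * N_DIM, 0)
    for c0 in zeros:
        if rng.getrandbits(1):
            c = add(c, c0)
    return add(c, c1) if bit else c

def decrypt(s, c):
    """b - <a, s> = e_total + bit * floor(q/2); correct while |e_total| < q/4 (here at most 31 < 64)."""
    a, b = c
    return 1 if abs((b - inner(a, s)) % Q - Q // 2) < Q // 4 else 0
```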
We saw: Constructions of Public-Key Encryption
1: Trapdoor Permutations (RSA)
2: Quadratic Residuosity / Goldwasser-Micali
3: Diffie-Hellman / El Gamal
4: Learning with Errors / Regev
Practical Considerations
I want to encrypt to Bob. How do I know his public key? Public-key Infrastructure: a directory of identities together with their public keys. Needs to be "authenticated".
Practical Considerations
Public-key encryption is orders of magnitude slower than secret-key encryption.
duper inefficient.
typically linear time for secret key encryption (AES).
compared to SKE (AES: $n = 128$). Can solve problem 1 and minimize problems 2&3 using hybrid encryption.
Hybrid Encryption
To encrypt a long message $m$ (think 1 GB):
Pick a random key $K$ (think 128 bits) for a secret-key encryption scheme.
Encrypt $K$ with the PKE: $PKE.Enc(pk, K)$.
Encrypt $m$ with the SKE: $SKE.Enc(K, m)$.
To decrypt: recover $K$ using $sk$. Then, using $K$, recover $m$.
Next Lecture: Digital Signatures