MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture - PowerPoint PPT Presentation

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 10

Today: Constructions of Public-Key Encryption 1: Trapdoor Permutations (RSA) composite N/factoring 2: Quadratic Residuosity/Goldwasser-Micali composite N/factoring 3: Diffie-Hellman/El Gamal prime p/discrete log small numbers, large 4: Learning with Errors/Regev dimensions

Trapdoor One-way Permutations Trapdoor One-way Functions F Easy to compute Hard to invert Easy to invert domain range given a range trapdoor Domain = Range

Review: Number Theory Let’s review some number theory from L7-8. Let 𝑂 = 𝑞𝑟 be a product of two large primes. ∗ = {𝑏 ∈ 𝑎 ! : gcd a, N = 1} is a group. Fact: 𝑎 ! group operation is multiplication mod 𝑂 . • inverses exist and are easy to compute (how so?) • the order of the group is ϕ 𝑂 = 𝑞 − 1 (𝑟 − 1) • Lecture 8: The map 𝐺 𝑦 = 𝑦 # mod 𝑂 is a 4-to-1 trapdoor function, as hard to invert as factoring 𝑂 .

The RSA Trapdoor Permutation Today: Let 𝑓 be an integer with gcd 𝑓, ϕ(𝑂) = 1. Then, !,% 𝑦 = 𝑦 % mod 𝑂 is a trapdoor permutation. the map 𝐺 Key Fact: Given 𝑒 such that 𝑓𝑒 = 1 mod ϕ 𝑂 , it is easy to compute 𝑦 given 𝑦 % . Proof: (𝑦 % ) & = 𝑦 '( ! )* = (𝑦 ( ! ) ' = 𝑦 = 𝑦 mod 𝑂 (for some integer k) This gives us the RSA trapdoor permutation collection. {𝐺 !,% : gcd 𝑓, 𝑂 = 1} Trapdoor for inversion: 𝑒 = 𝑓 +* mod ϕ 𝑂 .

The RSA Trapdoor Permutation Today: Let 𝑓 be an integer with gcd 𝑓, ϕ(𝑂) = 1. Then, !,% 𝑦 = 𝑦 % mod 𝑂 is a trapdoor permutation. the map 𝐺 Hardness of inversion without trapdoor = RSA assumption given 𝑂, 𝑓 (as above) and 𝑦 % mod N, hard to compute 𝑦. We know that if factoring is easy, RSA is broken (and that’s the only known way to break RSA) Major Open Problem: Are factoring and RSA equivalent?

The RSA Trapdoor Permutation Today: Let 𝑓 be an integer with gcd 𝑓, ϕ(𝑂) = 1. Then, !,% 𝑦 = 𝑦 % mod 𝑂 is a trapdoor permutation. the map 𝐺 Hardcore bits (galore) for the RSA trapdoor one-way perm: The Goldreich-Levin bit GL 𝑠; 𝑠 , = 𝑠, 𝑠′ mod 2 • The least significant bit LSB 𝑠 • The “most significant bit” 𝐼𝐵𝑀𝐺 ! 𝑠 = 1 iff 𝑠 < 𝑂/2 • In fact, any single bit of 𝑠 is hardcore. •

RSA Encryption 𝐻𝑓𝑜 1 - : Let 𝑂 = 𝑞𝑟 and 𝑓, 𝑒 be such that • 𝑓𝑒 = 1 𝑛𝑝𝑒 𝜚(𝑂) . Let 𝑞𝑙 = (𝑂, 𝑓) and let 𝑡𝑙 = 𝑒 . 𝐹𝑜𝑑 𝑞𝑙, 𝑐 where 𝑐 is a bit: Generate random 𝑠 ∈ • ∗ and output 𝑠 % mod 𝑂 and LSB 𝑠 ⨁𝑛 . 𝑎 ! 𝐸𝑓𝑑 𝑡𝑙, 𝑑 : Recover 𝑠 via RSA inversion. • IND-secure under the RSA assumption: given 𝑂, 𝑓 (as above) and 𝑠 % mod N, hard to compute 𝑠.

Today: Constructions of Public-Key Encryption 1: Trapdoor Permutations (RSA) 2: Quadratic Residuosity/Goldwasser-Micali 3: Diffie-Hellman/El Gamal 4: Learning with Errors/Regev

Quadratic Residuosity Let’s review some more number theory from L7-8. Let 𝑂 = 𝑞𝑟 be a product of two large primes. ∗ 𝑎 ! 𝐾𝑏𝑑 )* 𝐾𝑏𝑑 +* {𝑦: 𝑦 {𝑦: 𝑦 𝑂 = +1} 𝑂 = −1} Jacobi symbol . ! = . . 0 is +1 if 𝑦 is a square mod / both 𝑞 and 𝑟 or a non-square mod both 𝑞 and 𝑟 .

Quadratic Residuosity Let’s review some more number theory from L7-8. Let 𝑂 = 𝑞𝑟 be a product of two large primes. ∗ 𝑎 ! 𝐾𝑏𝑑 )* 𝐾𝑏𝑑 +* {𝑦: 𝑦 {𝑦: 𝑦 𝑂 = +1} 𝑂 = −1} Surprising fact : Jacobi symbol . ! = . . 0 is / computable in poly time without knowing 𝑞 and 𝑟 .

Quadratic Residuosity Let’s review some more number theory from L7-8. Let 𝑂 = 𝑞𝑟 be a product of two large primes. 𝐾𝑏𝑑 )* " " 𝑅𝑆 ! So: 𝑅𝑆 ! = {𝑦: # = $ = +1} 𝑅𝑂𝑆 ! " " 𝑅𝑂𝑆 ! = {𝑦: # = $ = −1} 𝑅𝑆 ! is the set of squares mod 𝑂 and 𝑅𝑂𝑆 ! is the set of non-squares mod 𝑂 with Jacobi symbol +1.

Quadratic Residuosity Let’s review some more number theory from L7-8. Let 𝑂 = 𝑞𝑟 be a product of two large primes. Quadratic Residuosity Assumption (QRA) Let 𝑂 = 𝑞𝑟 be a product of two large primes. No PPT algorithm can distinguish between a random element of 𝑅𝑆 ! from a random element of 𝑅𝑂𝑆 ! given only 𝑂 .

Goldwasser-Micali (GM) Encryption 𝐻𝑓𝑜 1 - : Generate random 𝑜 -bit primes 𝑞 and 𝑟 and let 𝑂 = 𝑞𝑟 . Let 𝑧 ∈ 𝑅𝑂𝑆 ! be some quadratic non- residue with Jacobi symbol +1. Let 𝑞𝑙 = (𝑂, 𝑧) and let 𝑡𝑙 = (𝑞, 𝑟) . 𝐹𝑜𝑑 𝑞𝑙, 𝑐 where 𝑐 is a bit: ∗ and output 𝑠 # mod 𝑂 if Generate random 𝑠 ∈ 𝑎 ! 𝑐 = 0 and 𝑠 # 𝑧 mod 𝑂 if 𝑐 = 1 . ∗ is a quadratic residue 𝐸𝑓𝑑 𝑡𝑙, 𝑑 : Check if c ∈ 𝑎 ! using 𝑞 and 𝑟 . If yes, output 0 else 1.

Goldwasser-Micali (GM) Encryption 𝐹𝑜𝑑 𝑞𝑙, 𝑐 where 𝑐 is a bit: ∗ and output 𝑠 # mod 𝑂 if Generate random 𝑠 ∈ 𝑎 ! 𝑐 = 0 and 𝑠 # 𝑧 mod 𝑂 if 𝑐 = 1 . IND-security follows directly from the quadratic residuosity assumption.

GM is a Homomorphic Encryption Given a GM-ciphertext of 𝑐 and a GM-ciphertext of 𝑐′ , I can compute a GM-ciphertext of 𝑐 + 𝑐 , 𝑛𝑝𝑒 2. without knowing anything about 𝒄 or 𝒄′ ! 𝐹𝑜𝑑 𝑞𝑙, 𝑐 where 𝑐 is a bit: ∗ and output 𝑠 # 𝑧 < mod 𝑂. Generate random 𝑠 ∈ 𝑎 ! Claim: 𝐹𝑜𝑑 𝑞𝑙, 𝑐 = 𝐹𝑜𝑑(𝑞𝑙, 𝑐 , ) is an encryption of 𝑐⨁𝑐 , = 𝑐 + 𝑐 , 𝑛𝑝𝑒 2 .

Today: Constructions of Public-Key Encryption 1: Trapdoor Permutations (RSA) 2: Quadratic Residuosity/Goldwasser-Micali 3: Diffie-Hellman/El Gamal 4: Learning with Errors/Regev

Diffie-Hellman Key Exchange (𝑕 . ) = = (𝑕 = ) . Commutativity in the exponent: (where 𝑕 is an element of some group) So, you can compute 𝑕 .= given either 𝑕 . and 𝑧 , or 𝑕 = and 𝑦. Diffie-Hellman Assumption (DHA): Hard to compute 𝑕 .= given only 𝑕, 𝑕 . and 𝑕 =

Diffie-Hellman Key Exchange Diffie-Hellman Assumption (DHA): Hard to compute it given only 𝑕, 𝑕 . and 𝑕 = We know that if discrete log is easy, DHA is false. Major Open Problem: Are discrete log and DHA equivalent?

Diffie-Hellman Key Exchange 𝑞, 𝑕: Generator of our group 𝑎 ! ∗ 𝑕 . mod 𝑞 𝑕 = mod 𝑞 Pick a random Pick a random number 𝑦 ∈ 𝑎 /+* number y ∈ 𝑎 /+* Shared key K = 𝑕 .= mod 𝑞 Shared key K = 𝑕 .= mod 𝑞 = (𝑕 = ) . mod 𝑞 = (𝑕 . ) = mod 𝑞

Diffie-Hellman/El Gamal Encryption 𝐻𝑓𝑜 1 - : Generate an 𝑜 -bit prime 𝑞 and a generator • ∗ . Choose a random number 𝑦 ∈ 𝑎 /+* 𝑕 of 𝑎 / Let 𝑞𝑙 = (𝑞, 𝑕, 𝑕 . ) and let 𝑡𝑙 = 𝑦 . ∗ : Generate random 𝑧 ∈ 𝐹𝑜𝑑 𝑞𝑙, 𝑛 where 𝑛 ∈ 𝑎 / • 𝑎 /+* and output (𝑕 = , 𝑕 .= = 𝑛 ) 𝐸𝑓𝑑 𝑡𝑙 = 𝑦, 𝑑 : Compute 𝑕 .= using 𝑕 = and 𝑦 and • divide the second component to retrieve 𝑛 . Is this Secure?

The Problem Claim: Given p, g, 𝑕 . mod 𝑞 and 𝑕 = mod 𝑞, adversary can compute some information about 𝑕 .= mod 𝑞. determine if 𝑕 .= mod 𝑞 is a square mod 𝑞 . Corollary: Therefore, additionally given 𝑕 .= = 𝑛 mod 𝑞 , the adversary can determine whether 𝑛 is a square mod 𝑞 , violating “IND-security”.

The Problem Claim: Given p, g, 𝑕 . mod 𝑞 and 𝑕 = mod 𝑞, adversary can determine if 𝑕 .= mod 𝑞 is a square mod 𝑞 . 𝑕 .= mod 𝑞 is a square ⟺ 𝑦𝑧 (mod 𝑞 − 1) is even ⟺ 𝑦𝑧 is even ⟺ 𝑦 is even or 𝑧 is even ⟺ 𝑦 (𝑛𝑝𝑒 𝑞 − 1) is even or 𝑧 (mod p − 1) is even ⟺ 𝑕 . 𝑛𝑝𝑒 𝑞 or 𝑕 = 𝑛𝑝𝑒 𝑞 is a square This can be checked in poly time!

Diffie-Hellman Encryption Claim: Given p, g, 𝑕 . mod 𝑞 and 𝑕 = mod 𝑞, adversary can determine if 𝑕 .= mod 𝑞 is a square mod 𝑞 . More generally, dangerous to work with groups that have non-trivial subgroups (in our case, the subgroup of all squares mod p) Lesson: Best to work over a group of prime order. Such groups have no subgroups. An Example: Let 𝑞 = 2𝑟 + 1 where 𝑟 is a prime itself. /+* Then, the group of squares mod 𝑞 has order = 𝑟 . #

Diffie-Hellman/El Gamal Encryption 𝐻𝑓𝑜 1 - : Generate an 𝑜 -bit “safe” prime 𝑞 = 2𝑟 + 1 • ∗ and let ℎ = 𝑕 # mod 𝑞 be a and a generator 𝑕 of 𝑎 / generator of 𝑅𝑆 / . Choose a random number 𝑦 ∈ 𝑎 0 . Let 𝑞𝑙 = (𝑞, ℎ, ℎ . ) and let 𝑡𝑙 = 𝑦 . 𝐹𝑜𝑑 𝑞𝑙, 𝑛 where 𝑛 ∈ 𝑅𝑆 / : Generate random 𝑧 ∈ • 𝑎 0 and output (𝑕 = , 𝑕 .= = 𝑛 ) 𝐸𝑓𝑑 𝑡𝑙 = 𝑦, 𝑑 : Compute 𝑕 .= using 𝑕 = and 𝑦 and • divide the second component to retrieve 𝑛 .

Decisional Diffie-Hellman Assumption Decisional Diffie-Hellman Assumption (DDHA): Hard to distinguish between 𝑕 .= and a uniformly random group element, given 𝑕, 𝑕 . and 𝑕 = That is, the following two distributions are computationally indistinguishable: (𝑕, 𝑕 . , 𝑕 = , 𝑕 .= ) ≈ (𝑕, 𝑕 . , 𝑕 = , 𝑣) DH/El Gamal is IND-secure under the DDH assumption.