Public-Key Cryptography: Lecture 8

Public-Key Encryption from Trapdoor OWP. CCA Security. El Gamal Encryption.


  5. Abstracting El Gamal
      - [Diagram: El Gamal. KeyGen picks a random y and outputs PK=(G,g,Y), SK=(G,g,y); Enc picks a random x and sends X and C=MK; Dec recovers M from C and K.]
      - Trapdoor PRG:
          - KeyGen: a pair (PK,SK)
          - Three functions: $G_{PK}(\cdot)$ (a PRG), $T_{PK}(\cdot)$ (make trapdoor info) and $R_{SK}(\cdot)$ (opening the trapdoor)
          - $G_{PK}(x)$ is pseudorandom even given $T_{PK}(x)$ and PK: $(PK, T_{PK}(x), G_{PK}(x)) \approx (PK, T_{PK}(x), r)$
          - $T_{PK}(x)$ hides $G_{PK}(x)$. SK opens it: $R_{SK}(T_{PK}(x)) = G_{PK}(x)$
      - Enough for an IND-CPA secure PKE scheme (cf. Security of El Gamal):
          - KeyGen: (PK,SK)
          - $Enc_{PK}(M) = (X = T_{PK}(x),\ C = M \cdot G_{PK}(x))$
          - $Dec_{SK}(X, C) = C / R_{SK}(T_{PK}(x))$

  11. Trapdoor PRG from Generic Assumption?
      - [Diagram: KeyGen with PK and SK; T, G and R acting on x to give z.]
      - $(PK, T_{PK}(x), G_{PK}(x)) \approx (PK, T_{PK}(x), r)$
      - PRG constructed from OWP (or OWF)
          - Allows us to instantiate the construction with several candidates
      - Is there a similar construction for TPRG from OWP?
          - Trapdoor property seems fundamentally different: generic OWP does not suffice
          - Will start with "Trapdoor OWP"

  18. Trapdoor OWP
      - (KeyGen, f, f') (all PPT) is a trapdoor one-way permutation (TOWP) if
          - For all (PK,SK) ← KeyGen:
              - $f_{PK}$ is a permutation
              - $f'_{SK}$ is the inverse of $f_{PK}$
          - For all PPT adversaries, the probability of success in the TOWP experiment is negligible
      - TOWP experiment: (PK,SK) ← KeyGen, $x \leftarrow \{0,1\}^k$; the adversary is given $f_{PK}(x)$, PK and outputs x'; x' = x? Yes/No

  19. Trapdoor OWP
      - (KeyGen, f, f') (all PPT) is a trapdoor one-way permutation (TOWP) if
          - For all (PK,SK) ← KeyGen:
              - $f_{PK}$ is a permutation
              - $f'_{SK}$ is the inverse of $f_{PK}$
          - For all PPT adversaries, the probability of success in the TOWP experiment is negligible
      - Experiment: (PK,SK) ← KeyGen, $x \leftarrow \{0,1\}^k$; the adversary is given $f_{PK}(x)$, PK and outputs b'; $b' = B_{PK}(x)$? Yes/No
      - Hardcore predicate: $B_{PK}$ s.t. $(PK, f_{PK}(x), B_{PK}(x)) \approx (PK, f_{PK}(x), r)$

  28. Trapdoor PRG from Trapdoor OWP
      - [Diagram: KeyGen with PK and SK; T, G and R acting on x to give z.]
      - $(PK, T_{PK}(x), G_{PK}(x)) \approx (PK, T_{PK}(x), r)$
      - Same construction as PRG from OWP
      - One bit TPRG:
          - KeyGen same as TOWP's KeyGen
          - $G_{PK}(x) := B_{PK}(x)$. $T_{PK}(x) := f_{PK}(x)$. $R_{SK}(y) := G_{PK}(f'_{SK}(y))$
          - $(PK, f_{PK}(x), B_{PK}(x)) \approx (PK, f_{PK}(x), r)$
          - (SK assumed to contain PK)
      - More generally, last permutation output serves as $T_{PK}$
      - [Diagrams: one-bit case, x through $f_{PK}$ gives $T_{PK}(x)$ and $B_{PK}$ gives $G_{PK}(x)$; general case, a chain of $f_{PK}$ applications with $B_{PK}$ applied at each step.]

  38. Candidate TOWPs
      - From some (candidate) OWP collections, with index as public-key
      - Recall candidate OWF collections
      - Rabin OWF: $f_{Rabin}(x; N) = x^2 \bmod N$, where N = PQ, and P, Q are k-bit primes (and x uniform from {0...N})
          - Fact: $f_{Rabin}(\cdot; N)$ is a permutation among quadratic residues, when P, Q are ≡ 3 (mod 4)
          - Fact: Can invert $f_{Rabin}(\cdot; N)$ given factorization of N
      - RSA function: $f_{RSA}(x; N, e) = x^e \bmod N$ where N = PQ, P, Q k-bit primes, e s.t. gcd(e, φ(N)) = 1 (and x uniform from {0...N})
          - (see handout)
          - Fact: $f_{RSA}(\cdot; N, e)$ is a permutation
          - Fact: While picking (N,e), can also pick d s.t. $x^{ed} = x$
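
The one-bit construction from the "Trapdoor PRG from Trapdoor OWP" slide, chained as that slide's "more generally" remark describes and instantiated with the RSA candidate above. This is an added example, not code from the lecture; the Mersenne-prime modulus (constructed, far too small to be secure), e = 65537, the least significant bit as the hardcore predicate B_PK, and all function names are assumptions.

```python
# Added example (not from the lecture): multi-bit trapdoor PRG from the RSA TOWP.
# Assumptions: toy Mersenne primes (constructed, insecure) and the least
# significant bit as the hardcore predicate B_PK.
import secrets
from math import gcd

def keygen(P=2**31 - 1, Q=2**61 - 1, e=65537):
    N, phi = P * Q, (P - 1) * (Q - 1)
    assert gcd(e, phi) == 1          # required for f_PK to be a permutation
    d = pow(e, -1, phi)              # trapdoor exponent: x^(ed) = x mod N
    return (N, e), (N, e, d)         # SK assumed to contain PK

def f(pk, x):                        # f_PK(x) = x^e mod N
    N, e = pk
    return pow(x, e, N)

def f_inv(sk, y):                    # f'_SK(y) = y^d mod N
    N, _, d = sk
    return pow(y, d, N)

def B(x):                            # hardcore predicate (assumed: LSB)
    return x & 1

def tprg(pk, x, n):
    """Return (T_PK(x), G_PK(x)): n bits of B, last permutation output as T."""
    bits = []
    for _ in range(n):
        bits.append(B(x))
        x = f(pk, x)
    return x, bits

def recover(sk, t, n):
    """R_SK(t): walk the chain backwards with f' and re-derive the same bits."""
    bits = []
    for _ in range(n):
        t = f_inv(sk, t)
        bits.append(B(t))
    return bits[::-1]

def enc(pk, msg_bits):               # C = M xor G_PK(x), sent with T_PK(x)
    x = secrets.randbelow(pk[0])
    t, pad = tprg(pk, x, len(msg_bits))
    return t, [m ^ p for m, p in zip(msg_bits, pad)]

def dec(sk, ct):                     # M = C xor R_SK(T_PK(x))
    t, c = ct
    return [ci ^ p for ci, p in zip(c, recover(sk, t, len(c)))]
```
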

  49. Recap
      - CPA-secure PKE
          - DH Key-exchange, El Gamal and DDH assumption
      - Trapdoor PRG
          - Abstracts what DDH gives for El Gamal
          - With a secret-key, trapdoor information can also yield the pseudorandom string
          - Can be used to get IND-CPA secure PKE scheme
      - Trapdoor OWP
          - With a secret-key, invert the OWP
          - Can be used to construct Trapdoor PRG
      - Next: CCA secure PKE

  54. CCA Secure PKE
      - In SKE, to get CCA security, we used a MAC
          - Bob would accept only messages from Alice
      - But in PKE, Bob wants to receive messages from Eve as well
          - Only if it is indeed Eve's own message: she should know her own message!

  64. Chosen Ciphertext Attack
      - Suppose Enc SIM-CPA secure
      - A subtle e-mail attack
          - Alice → Bob: Enc(m)
          - Eve: Hack(Enc(m)) = Enc(m*) (where m* = Reverse of m)
      - [Illustration text: "I look around / for your eyes shining / I seek you / in everything..."]
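
El Gamal written as the three trapdoor-PRG functions from the "Abstracting El Gamal" slide, with a check of the property the e-mail attack relies on: a CPA-secure ciphertext can be turned into a valid encryption of a related message without SK. This is an added example, not code from the lecture; the toy group (the order-1019 subgroup of Z_2039^*, constructed and insecure), the standard El Gamal exponents (Y = g^y, K = Y^x = X^y), the multiplicative transformation in `maul` (the slide's Hack reverses m instead), and all names are assumptions.

```python
# Added example (not from the lecture): El Gamal as a trapdoor PRG (T, G, R),
# the generic Enc/Dec built from it, and a malleability check.
# Assumption: toy group, the order-1019 subgroup of Z_2039^* (constructed, insecure).
import secrets

P, Q, g = 2039, 1019, 4              # P = 2Q + 1; g generates the order-Q subgroup

def keygen():
    y = 1 + secrets.randbelow(Q - 1)
    return pow(g, y, P), y           # PK = Y = g^y, SK = y

def T(x):                            # make trapdoor info: X = g^x
    return pow(g, x, P)

def G(pk, x):                        # pseudorandom group element: K = Y^x
    return pow(pk, x, P)

def R(sk, X):                        # opening the trapdoor: K = X^y
    return pow(X, sk, P)

def enc(pk, M):                      # Enc_PK(M) = (T(x), M * G_PK(x))
    x = 1 + secrets.randbelow(Q - 1)
    return T(x), M * G(pk, x) % P

def dec(sk, ct):                     # Dec_SK(X, C) = C / R_SK(X)
    X, C = ct
    return C * pow(R(sk, X), -1, P) % P

def maul(ct, s):
    """Needs no key: rescales the hidden plaintext by s, and Dec cannot tell."""
    X, C = ct
    return X, C * s % P
```

Decryption accepts the modified ciphertext because nothing in (X, C) binds C to the message the sender chose, which is the gap CCA security closes.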
