ASYMMETRIC (PUBLIC-KEY) ENCRYPTION

Mihir Bellare, UCSD


  1. Recommended Book

     Steven Levy. Crypto. Penguin books. 2001.
     A non-technical account of the history of public-key cryptography and the colorful characters involved.

     Recall Symmetric Cryptography

     • Before Alice and Bob can communicate securely, they need to have a common secret key $K_{AB}$.
     • If Alice wishes to also communicate with Charlie then she and Charlie must also have another common secret key $K_{AC}$.
     • If Alice generates $K_{AB}$, $K_{AC}$, they must be communicated to her partners over private and authenticated channels.

     Public Key Encryption

     • Alice has a secret key that is shared with nobody, and an associated public key that is known to everybody.
     • Anyone (Bob, Charlie, ...) can use Alice's public key to send her an encrypted message which only she can decrypt.

     Think of the public key like a phone number that you can look up in a database.

  2. Public Key Encryption

     • Alice has a secret key that is shared with nobody, and an associated public key that is known to everybody.
     • Anyone (Bob, Charlie, ...) can use Alice's public key to send her an encrypted message which only she can decrypt.

     Think of the public key like a phone number that you can look up in a database.

     • Senders don't need secrets
     • There are no shared secrets

     Syntax of PKE

     A public-key (or asymmetric) encryption scheme $\mathcal{AE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ consists of three algorithms, where

     [Figure: $\mathcal{K}$ outputs $pk$ and $sk$; $\mathcal{E}$ maps $M$ to $C$; $\mathcal{D}$ maps $C$ to $M$ or $\bot$; $A$.]

     Correct decryption requirement

     Let $\mathcal{AE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be an asymmetric encryption scheme. The correct decryption requirement is that

     $\Pr[\mathcal{D}(sk, \mathcal{E}(pk, M)) = M] = 1$

     for all $(pk, sk)$ that may be output by $\mathcal{K}$ and all messages $M$ in the message space of $\mathcal{AE}$. The probability is over the random choices of $\mathcal{E}$.

     This simply says that decryption correctly reverses encryption to recover the message that was encrypted. When we specify schemes, we indicate what is the message space.

     How it works

     Step 1: Key generation. Alice locally computes $(pk, sk) \xleftarrow{\$} \mathcal{K}$ and stores $sk$.
     Step 2: Alice enables any prospective sender to get $pk$.
     Step 3: The sender encrypts under $pk$ and Alice decrypts under $sk$.

     We don't require privacy of $pk$ but we do require authenticity: the sender should be assured $pk$ is really Alice's key and not someone else's. One could

     • Put public keys in a trusted but public "phone book", say a cryptographic DNS.
     • Use certificates as we will see later.

  3. Security of PKE Schemes

     Same as for symmetric encryption, except for one new element: The adversary needs to be given the public key.

     We formalize IND-CPA accordingly.

     The games for IND-CPA

     Let $\mathcal{AE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a PKE scheme and $A$ an adversary.

     Game $\mathrm{Left}_{\mathcal{AE}}$
       procedure Initialize: $(pk, sk) \xleftarrow{\$} \mathcal{K}$; return $pk$
       procedure LR$(M_0, M_1)$: Return $C \xleftarrow{\$} \mathcal{E}_{pk}(M_0)$

     Game $\mathrm{Right}_{\mathcal{AE}}$
       procedure Initialize: $(pk, sk) \xleftarrow{\$} \mathcal{K}$; return $pk$
       procedure LR$(M_0, M_1)$: Return $C \xleftarrow{\$} \mathcal{E}_{pk}(M_1)$

     Associated to $\mathcal{AE}$, $A$ are the probabilities

     $\Pr[\mathrm{Left}^A_{\mathcal{AE}} \Rightarrow 1]$ and $\Pr[\mathrm{Right}^A_{\mathcal{AE}} \Rightarrow 1]$

     that $A$ outputs 1 in each world. The ind-cpa advantage of $A$ is

     $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{AE}}(A) = \Pr[\mathrm{Right}^A_{\mathcal{AE}} \Rightarrow 1] - \Pr[\mathrm{Left}^A_{\mathcal{AE}} \Rightarrow 1]$

     IND-CPA: Explanations

     The "return $pk$" statement in Initialize means the adversary $A$ gets the public key $pk$ as input. It does not get $sk$.

     It can call LR with any equal-length messages $M_0, M_1$ of its choice to get back an encryption $C \xleftarrow{\$} \mathcal{E}_{pk}(M_b)$ of $M_b$ under $pk$, where $b = 0$ in game $\mathrm{Left}_{\mathcal{AE}}$ and $b = 1$ in game $\mathrm{Right}_{\mathcal{AE}}$. The $\xleftarrow{\$}$ notation indicates that the encryption algorithm may be randomized.

     $A$ is not allowed to call LR with messages $M_0, M_1$ of unequal length. Any such $A$ is considered invalid and its advantage is undefined or 0.

     It outputs a bit, and wins if this bit equals $b$.

     Building a PKE Scheme

     We would like security to result from the hardness of computing discrete logarithms.

     Let the receiver's public key be $g$ where $G = \langle g \rangle$ is a cyclic group. Let's let the encryption of $x$ be $g^x$. Then

     $\underbrace{g^x}_{\mathcal{E}_g(x)} \xrightarrow{\text{hard}} x$

     so to recover $x$, adversary must compute discrete logarithms, and we know it can't, so are we done?

  4. Building a PKE Scheme

     We would like security to result from the hardness of computing discrete logarithms.

     Let the receiver's public key be $g$ where $G = \langle g \rangle$ is a cyclic group. Let's let the encryption of $x$ be $g^x$. Then

     $\underbrace{g^x}_{\mathcal{E}_g(x)} \xrightarrow{\text{hard}} x$

     so to recover $x$, adversary must compute discrete logarithms, and we know it can't, so are we done?

     Problem: Legitimate receiver needs to compute discrete logarithm to decrypt too! But decryption needs to be feasible.

     Above, receiver has no secret key!

     Key Encapsulation Mechanisms (KEMs)

     A KEM $\mathcal{KEM} = (\mathcal{KK}, \mathcal{EK}, \mathcal{DK})$ is a triple of algorithms

     [Figure: $\mathcal{KK}$ outputs $pk$ and $sk$; $\mathcal{EK}$ outputs $K$ and $C_a$; $\mathcal{DK}$ takes $C_a$ and outputs $K$; $A$.]

     $K \in \{0,1\}^k$ is a key of some key length $k$ associated to $\mathcal{KEM}$.

     KEM Security

     Let $\mathcal{KEM} = (\mathcal{KK}, \mathcal{EK}, \mathcal{DK})$ be a KEM with key length $k$. Security requires that if we let

     $(K_1, C_a) \xleftarrow{\$} \mathcal{EK}_{pk}$

     then $K_1$ should look "random". Somewhat more precisely, if we also generate $K_0 \xleftarrow{\$} \{0,1\}^k$; $b \xleftarrow{\$} \{0,1\}$ then

     [Figure: $A$ receives $C_a$ and $K_b$.]

     $A$ has a hard time figuring out $b$.

     KEM IND-CPA security

     Let $\mathcal{KEM} = (\mathcal{KK}, \mathcal{EK}, \mathcal{DK})$ be a KEM with key length $k$, and $A$ an adversary.

     Game $\mathrm{Left}_{\mathcal{KEM}}$
       procedure Initialize: $(pk, sk) \xleftarrow{\$} \mathcal{KK}$; return $pk$
       procedure Enc: $K_0 \xleftarrow{\$} \{0,1\}^k$; $(K_1, C_a) \xleftarrow{\$} \mathcal{EK}_{pk}$; return $(K_0, C_a)$

     Game $\mathrm{Right}_{\mathcal{KEM}}$
       procedure Initialize: $(pk, sk) \xleftarrow{\$} \mathcal{KK}$; return $pk$
       procedure Enc: $K_0 \xleftarrow{\$} \{0,1\}^k$; $(K_1, C_a) \xleftarrow{\$} \mathcal{EK}_{pk}$; return $(K_1, C_a)$

     We allow only one call to Enc. The ind-cpa advantage of $A$ is

     $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{KEM}}(A) = \Pr[\mathrm{Right}^A_{\mathcal{KEM}} \Rightarrow 1] - \Pr[\mathrm{Left}^A_{\mathcal{KEM}} \Rightarrow 1]$

  5. Recall DH Secret Key Exchange

     The following are assumed to be public: A large prime $p$ and a generator $g$ of $\mathbb{Z}_p^*$.

     Alice: $x \xleftarrow{\$} \mathbb{Z}_{p-1}$; $X \leftarrow g^x \bmod p$; sends $X$ to Bob
     Bob: $y \xleftarrow{\$} \mathbb{Z}_{p-1}$; $Y \leftarrow g^y \bmod p$; sends $Y$ to Alice
     Alice: $K_A \leftarrow Y^x \bmod p$
     Bob: $K_B \leftarrow X^y \bmod p$

     • $Y^x = (g^y)^x = g^{xy} = (g^x)^y = X^y$ modulo $p$, so $K_A = K_B$
     • Adversary is faced with the CDH problem.

     The EG KEM: Idea

     We can turn DH key exchange into a KEM via

     • Let Alice have public key $g^x$ and secret key $x$
     • Bob picks $y$ and sends $g^y$ to Alice as the ciphertext
     • The key $K$ is (a hash of) the shared DH key $g^{xy} = Y^x = X^y$

     The DH key is a group element. Hashing results in a key that is a string of a desired length.

     The EG KEM: Specification

     Let $G = \langle g \rangle$ be a cyclic group of order $m$ and $H : \{0,1\}^* \to \{0,1\}^k$ a (public, keyless) hash function. Define KEM $\mathcal{KEM} = (\mathcal{KK}, \mathcal{EK}, \mathcal{DK})$ by

     Alg $\mathcal{KK}$
       $x \xleftarrow{\$} \mathbb{Z}_m$
       $X \leftarrow g^x$
       return $(X, x)$

     Alg $\mathcal{EK}_X$
       $y \xleftarrow{\$} \mathbb{Z}_m$; $C_a \leftarrow g^y$
       $Z \leftarrow X^y$
       $K \leftarrow H(C_a \| Z)$
       return $(K, C_a)$

     Alg $\mathcal{DK}_x(C_a)$
       $Z \leftarrow C_a^x$
       $K \leftarrow H(C_a \| Z)$
       return $K$

     [Figure: the receiver holds $x$ and publishes $g^x$; the sender picks $y \xleftarrow{\$} \mathbb{Z}_m$ and sends $C_a = g^y$; both sides obtain $g^{xy}$ and apply $H$ to get $K$.]

     From KEMs to PKE: Hybrid encryption

     Given a KEM $\mathcal{KEM} = (\mathcal{KK}, \mathcal{EK}, \mathcal{DK})$ with key length $k$, we can build a PKE scheme with the aid of a symmetric encryption scheme $\mathcal{SE} = (\mathcal{KS}, \mathcal{ES}, \mathcal{DS})$ that also has key length $k$. Namely, define the PKE scheme $\mathcal{AE} = (\mathcal{KK}, \mathcal{E}, \mathcal{D})$ via:

     Alg $\mathcal{E}_{pk}(M)$
       $(K, C_a) \xleftarrow{\$} \mathcal{EK}_{pk}$
       $C_s \xleftarrow{\$} \mathcal{ES}_K(M)$
       Return $(C_a, C_s)$

     Alg $\mathcal{D}_{sk}((C_a, C_s))$
       $K \leftarrow \mathcal{DK}_{sk}(C_a)$
       $M \leftarrow \mathcal{DS}_K(C_s)$
       Return $M$

  6. Simplification: For PKE we can assume just one LR query

     In assessing IND-CPA security of a PKE scheme, we may assume $A$ makes only one LR query. It can be shown that this can decrease its advantage by at most a factor of the number of LR queries.

     Theorem: Let $\mathcal{AE}$ be a PKE scheme and $A$ an ind-cpa adversary making $q$ LR queries. Then there is an ind-cpa adversary $A_1$ making 1 LR query such that

     $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{AE}}(A) \le q \cdot \mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{AE}}(A_1)$

     and the running time of $A_1$ is about that of $A$.

     Hybrid encryption works

     If the KEM and symmetric encryption scheme are both IND-CPA, then so is the PKE scheme constructed by hybrid encryption.

     Theorem: Let KEM $\mathcal{KEM} = (\mathcal{KK}, \mathcal{EK}, \mathcal{DK})$ and symmetric encryption scheme $\mathcal{SE} = (\mathcal{KS}, \mathcal{ES}, \mathcal{DS})$ both have key length $k$, and let $\mathcal{AE} = (\mathcal{KK}, \mathcal{E}, \mathcal{D})$ be the corresponding PKE scheme built via hybrid encryption. Let $A$ be an adversary making 1 LR query. Then there are adversaries $B_a$, $B_s$ such that

     $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{AE}}(A) \le 2 \cdot \mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{KEM}}(B_a) + \mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(B_s).$

     Furthermore $B_a$ makes one Enc query, $B_s$ makes one LR query, and both have running time about the same as that of $A$.

     Benefits of hybrid encryption

     Modular design and assurance via proof as above.

     Also speed.

     Asymmetric cryptography is orders of magnitude slower than symmetric cryptography.

     An exponentiation in a 160-bit elliptic curve group costs about the same as 3000-4000 hashes or block cipher operations.

     So performance is improved by limiting the asymmetric operations as in hybrid encryption.

     Proof of Theorem: Intuition

     With $b \xleftarrow{\$} \{0,1\}$; $K_0 \xleftarrow{\$} \{0,1\}^k$; $(K_1, C_a) \xleftarrow{\$} \mathcal{EK}_{pk}$

     Game    Challenge ciphertext              Adversary goal
     $G_0$   $C_a, \mathcal{ES}_{K_1}(M_b)$    Compute $b$
     $G_1$   $C_a, \mathcal{ES}_{K_0}(M_b)$    Compute $b$

     • $A$ unlikely to win in $G_1$ because of security of symmetric scheme
     • $A$ is about as likely to win in $G_1$ as in $G_0$ due to KEM security
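The EG KEM specification and the hybrid construction from the slides above, as an added Python example (not code from the slides or their author). Assumptions: the constructed toy group P = 2039 with subgroup order M = 1019 and generator G = 4, SHA-256 as the hash H, and an HMAC-SHA-256 counter-mode stream standing in for the symmetric scheme SE; the group-membership check in DK is an added hardening step that the slides do not show.

```python
import hashlib, hmac, secrets

# Constructed toy group: P = 2*M + 1 is a safe prime and G = 4 generates the
# subgroup of prime order M. An 11-bit group is for illustration only.
P, M, G = 2039, 1019, 4

def _enc_int(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")  # fixed-width encoding

def H(ca: int, z: int) -> bytes:
    """H(C_a || Z), instantiated with SHA-256 (assumption); k = 256 bits."""
    return hashlib.sha256(_enc_int(ca) + _enc_int(z)).digest()

def KK():
    x = secrets.randbelow(M)            # x <-$ Z_m
    return pow(G, x, P), x              # (pk, sk) = (X, x)

def EK(X: int):
    y = secrets.randbelow(M)            # y <-$ Z_m
    ca = pow(G, y, P)                   # C_a <- g^y
    return H(ca, pow(X, y, P)), ca      # K <- H(C_a || X^y)

def DK(x: int, ca: int) -> bytes:
    # Added check, not on the slides: reject values outside the order-M subgroup.
    if not (1 <= ca < P and pow(ca, M, P) == 1):
        raise ValueError("C_a is not a group element")
    return H(ca, pow(ca, x, P))         # K <- H(C_a || C_a^x)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):     # one HMAC output per 32-byte block
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:n]

def ES(key: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(16)     # fresh randomness per encryption
    return nonce + bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))

def DS(key: bytes, cs: bytes) -> bytes:
    nonce, body = cs[:16], cs[16:]
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def E(pk: int, msg: bytes):
    key, ca = EK(pk)                    # (K, C_a) <-$ EK_pk
    return ca, ES(key, msg)             # return (C_a, C_s)

def D(sk: int, ct) -> bytes:
    ca, cs = ct
    return DS(DK(sk, ca), cs)           # K <- DK_sk(C_a); M <- DS_K(C_s)
```

The stand-in SE targets confidentiality under chosen-plaintext attack only, which is the notion these slides cover; it does not authenticate ciphertexts.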
