Introduction - Computer Science and...

Post on 19-Mar-2020


Introduction

788.11 Cryptography and Security
Fall 2009
Steve Lai

Outline

■ Basics of encryption

■ Homomorphic encryption

Basics of Encryption

For more information, see my CSE 651 or 794Q notes

Summary

• Symmetric encryption
  – Stream cipher (e.g., RC4)
  – Block cipher (e.g., DES, AES)
• Asymmetric encryption
  – RSA
  – ElGamal (based on Diffie-Hellman)
• Performance issues
• Security issues

Symmetric-Key Encryption

• Stream cipher (e.g., Vernam's one-time pad, RC4)

• Block cipher (e.g., DES, AES)

Stream ciphers

• Stream ciphers typically process the plaintext byte by byte. So, the plaintext is a stream of bytes: P_1, P_2, P_3, ...
• Use a key K as the seed to generate a sequence of pseudorandom bytes (key-stream): K_1, K_2, K_3, ...
• The ciphertext is C_1, C_2, C_3, C_4, ..., where C_i = P_i ⊕ K_i.
• Various stream ciphers differ in their key-stream generators.
• Stream ciphers require that a new key be used for each plaintext (or it will not be secure).

• In practice, Alice and Bob wish to share a permanent key and use it to encrypt many messages.
• One possible strategy: Suppose Bob and Alice share a secret key K. Each time Bob (or Alice) wants to send a message, he randomly generates a string IV and uses IV ‖ K as the key (seed) to the pseudorandom generator. Send IV along with the ciphertext.
• Unfortunately, the resulting scheme is not necessarily secure.

Example: WEP's use of RC4

• WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802.11 wireless LAN.
• Each packet is encrypted with a separate key equal to the concatenation of a 24-bit IV (initialization vector) and a 40- or 104-bit permanent key.
• Not secure. See "Breaking 104 bit WEP in less than 60 seconds."

RC4 key: IV (24 bits) ‖ permanent key (40 or 104 bits)
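The point of the two slides above (a fresh key per plaintext, and why a shared permanent key plus a per-packet IV is delicate) can be seen directly in code. The following is an added example, not part of the lecture notes; the key-stream generator is a toy built from SHA-256 in counter mode (an assumption, standing in for RC4), and the key, IVs and messages are constructed sample values. It shows C_i = P_i ⊕ K_i and what an eavesdropper holding two ciphertexts learns when the same seed IV ‖ K is reused: the key-stream cancels and C_1 ⊕ C_2 = P_1 ⊕ P_2, which is exactly what a unique IV per message is there to prevent.

```python
import hashlib


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Toy key-stream generator constructed for this example (not RC4):
    # the seed IV || K is expanded with SHA-256 in counter mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C_i = P_i xor K_i; decryption is the same operation with the same seed.
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


stream_decrypt = stream_encrypt


def keystream_reuse_residue(key: bytes, iv1: bytes, iv2: bytes,
                            p1: bytes, p2: bytes) -> bytes:
    # XOR of two ciphertexts, which is all an eavesdropper needs to compute.
    # If iv1 == iv2 the key-stream cancels and the result equals p1 xor p2.
    c1 = stream_encrypt(key, iv1, p1)
    c2 = stream_encrypt(key, iv2, p2)
    return xor_bytes(c1, c2)
```

Running the two-ciphertext check with equal IVs returns `p1 ⊕ p2`; with distinct IVs the residue is unrelated to the plaintexts. A 24-bit IV space (as in WEP) is small enough that repeats are unavoidable on a busy link, which is the practical weight behind the slide's "new key per plaintext" requirement.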

Block Ciphers

Block ciphers are encryption schemes that use pseudorandom functions or pseudorandom permutations.

Traditional view of block ciphers

• A block cipher is a symmetric-key encryption scheme that maps a block of n bits to a block of n bits.
• M = C = {0,1}^n and K = {0,1}^r. Block length: n. Key length: r.
• For a fixed key k ∈ K, E_k : {0,1}^n → {0,1}^n is a permutation.

Practical Block Ciphers: DES and AES

DES: Data Encryption Standard
AES: Advanced Encryption Standard

Public-Key Cryptography and RSA

Public-Key Cryptography

• Also known as asymmetric-key cryptography.
• Each user has a pair of keys: a public key and a private key.
• The public key is used for encryption.
  – The key is known to the public.
• The private key is used for decryption.
  – The key is only known to the owner.

Public-Key Cryptosystem (PKC)

• Each user u has a pair of keys (PK_u, SK_u).
  – PK_u is the public key, available in a public directory.
  – SK_u is the private key, known to u only.
• Key-generation algorithm: to generate keys.
• Encryption algorithm E: to send message M to user u, compute C = E(PK_u, M).
• Decryption algorithm D: Upon receiving C, user u computes D(SK_u, C).
• Requirement: D(SK_u, E(PK_u, M)) = M.

Why Public-Key Cryptography?

• Developed to address two main issues:
  – key distribution
  – digital signatures
• Invented by Diffie & Hellman in 1976.

One-way function with trapdoor

• Easy: x → f(x) = y.
• Hard: y → x (inverting f without the trapdoor).
• Easy with the trapdoor: y → x (computing f^{-1}(y)).
• Use the trapdoor as the private key.
• Most (believed) one-way functions come from number theory.

The RSA Cryptosystem

• RSA Encryption
• RSA Digital signature

The RSA Cryptosystem

• By Rivest, Shamir & Adleman of MIT in 1977.
• Best known and most widely used public-key scheme.
• Based on the (assumed) one-way property of modular powering:
  f : x → x^e mod n (easy)
  f^{-1} : x^e mod n → x (hard)

Idea behind RSA

• Encryption (easy): x → x^e mod n.
• Decryption (hard): x^e mod n → x.
• Looking for a trapdoor: (x^e)^d = x. If d is a number such that ed ≡ 1 mod ϕ(n), then ed = kϕ(n) + 1 for some k, and
  (x^e)^d = x^{ed} = x^{kϕ(n)+1} = (x^{ϕ(n)})^k · x = 1^k · x = x.
• It works in the group Z_n^*.

RSA Cryptosystem

Key generation:
(a) Choose large primes p and q, and let n := pq.
(b) Choose e (1 < e < ϕ(n)) coprime to ϕ(n), and compute d := e^{-1} mod ϕ(n). (ed ≡ 1 mod ϕ(n).)
(c) Public key: pk = (n, e). Secret key: sk = (n, d).

Encryption: E_pk(x) := x^e mod n, where x ∈ Z_n^*.
Decryption: D_sk(y) := y^d mod n, where y ∈ Z_n^*.
(E and D work for x, y ∈ Z_n \ Z_n^*, but not secure.)
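The key-generation steps (a)-(c) and the encryption/decryption maps above, written out as an added example (not code from the lecture notes). It uses the toy primes p = 61, q = 53 and e = 17 purely for illustration; real keys are the 1024-2048-bit moduli the later slides recommend. The last function returns the integer k with ed = kϕ(n) + 1, the identity the "Idea behind RSA" slide relies on, and the block also makes the determinism of textbook RSA visible: the same x always gives the same ciphertext.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    # Steps (a)-(c): n = pq, phi(n) = (p-1)(q-1), d = e^{-1} mod phi(n).
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)          # pk, sk


def rsa_encrypt(pk, x: int) -> int:
    # E_pk(x) = x^e mod n; no randomness, so equal inputs give equal outputs.
    n, e = pk
    return pow(x, e, n)


def rsa_decrypt(sk, y: int) -> int:
    # D_sk(y) = y^d mod n
    n, d = sk
    return pow(y, d, n)


def trapdoor_multiplier(p: int, q: int, e: int, d: int) -> int:
    # Returns k with e*d = k*phi(n) + 1, the identity behind (x^e)^d = x.
    phi = (p - 1) * (q - 1)
    if (e * d) % phi != 1:
        raise ValueError("e*d is not 1 modulo phi(n)")
    return (e * d - 1) // phi
```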

Mathematical Attacks

• Factor n into p·q. Then ϕ(n) = (p − 1)(q − 1) and d = e^{-1} mod ϕ(n) can be calculated easily.
• Determine ϕ(n) directly. Equivalent to factoring n. Knowing ϕ(n) will enable us to factor n by solving
  { n = pq, ϕ(n) = (p − 1)(q − 1) }.
• Determine d directly. The best known algorithms are not faster than those for factoring n. Also, if d is known, n can be factored with high probability.

Remarks

• In light of current factorization technologies, RSA recommends that n be of 1024-2048 bits.
• If a message m ∈ Z_n \ Z_n^*, RSA works, but since gcd(m, n) > 1, the sender can factor n.
• Also, since gcd(m^e, n) > 1, the adversary can factor n, too.
• Question: how likely is m ∈ Z_n \ Z_n^*?

Security of RSA

• We have seen many attacks on RSA.
• Also, RSA is deterministic and, therefore, not CPA-secure (i.e., not ciphertext-indistinguishable against CPA).
• We wish to make RSA secure against CPA and the aforementioned attacks.

Padded RSA

• RSA primitive: the RSA we have described, also called plain RSA or textbook RSA.
• Encryption: E_pk(m) := RSA(r ‖ m) = (r ‖ m)^e mod n, where r is a random string.
• Thus, Padded-RSA(m) = RSA(r ‖ m) for some random r.
• Secure against many of the aforementioned attacks.
• Theorem: Padded RSA is CPA-secure if |m| = O(log n).
• Padded RSA is adopted in PKCS #1 v.1.5.

Padded RSA as in PKCS #1 v.1.5

• PKCS: Public Key Cryptography Standard.
• Let (n, e, d) give a pair of RSA keys. Say |n| = k bytes (e.g., 216). First byte 00.
• To encrypt a message m: pad m so that m' = 00 ‖ 02 ‖ r ‖ 00 ‖ m (k bytes), where r = 8 or more random bytes ≠ 00. The original message m must be ≤ k − 11 bytes.
• The ciphertext is c := RSA(m') = m'^e mod n.
• In 1998, Bleichenbacher published a chosen-ciphertext attack, forcing RSA to upgrade its PKCS #1, now using OAEP.

OAEP: basic idea

• Message padding: instead of encrypting m directly, we encrypt (m ⊕ r, r), where r is a random bit string. As such, however, there is a 50% overhead.
• So, we wish to use a shorter bit string r. Besides, r should be protected, too.
• This leads to a scheme called Optimal Asymmetric Encryption Padding (OAEP). It can be applied not only to RSA but also to other trapdoor functions.

OAEP

• Choose k, l (k < l) s.t. k + l = |n| (n: RSA modulus).
• G : {0,1}^k → {0,1}^l, a pseudorandom generator. h : {0,1}^l → {0,1}^k, a hash function.
• Encryption. To encrypt a block of l bits m:
  1. choose a random bit string r ∈ {0,1}^k.
  2. encode m as x := (m ⊕ G(r)) ‖ (r ⊕ h(m ⊕ G(r))) (if x ∉ Z_n^*, the message space of RSA, return to step 1).
  3. compute the ciphertext y := E_pk(x).
• Decryption: x := D_sk(y) = a ‖ b. m = a ⊕ G(b ⊕ h(a)).
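The OAEP encode (steps 1-2) and decode (m = a ⊕ G(b ⊕ h(a))) transforms, as an added example that is not part of the lecture notes. Assumptions: k = 128 bits and l = 384 bits (so k + l = 512 bits), G is built from SHA-256 in counter mode and h is SHA-256 truncated to k bits, both standing in for the slide's unspecified G and h. The RSA step (E_pk, D_sk) and the x ∉ Z_n^* retry are omitted so the padding transform can be studied on its own; note that r is recovered by the receiver only through h(a), which is how the shorter r is "protected, too".

```python
import hashlib
import secrets

K_BYTES = 16   # |r| = k = 128 bits   (assumed parameters for this example)
L_BYTES = 48   # |m| = l = 384 bits;  k + l = 512 bits, the RSA block size assumed here


def G(r: bytes) -> bytes:
    # PRG {0,1}^k -> {0,1}^l, built here from SHA-256 in counter mode (MGF1-style);
    # a stand-in for the slide's unspecified G.
    out = b""
    counter = 0
    while len(out) < L_BYTES:
        out += hashlib.sha256(r + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:L_BYTES]


def h(s: bytes) -> bytes:
    # hash {0,1}^l -> {0,1}^k: SHA-256 truncated to k bits
    return hashlib.sha256(s).digest()[:K_BYTES]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m: bytes, r: bytes = None) -> bytes:
    # x = (m xor G(r)) || (r xor h(m xor G(r)))   (steps 1 and 2 of the slide)
    if len(m) != L_BYTES:
        raise ValueError("message must be exactly l bits")
    if r is None:
        r = secrets.token_bytes(K_BYTES)   # step 1: fresh random r
    a = xor_bytes(m, G(r))
    b = xor_bytes(r, h(a))
    return a + b


def oaep_decode(x: bytes) -> bytes:
    # x = a || b;  r = b xor h(a);  m = a xor G(r)
    a, b = x[:L_BYTES], x[L_BYTES:]
    r = xor_bytes(b, h(a))
    return xor_bytes(a, G(r))
```

Encoding the same m twice with different r gives two different 512-bit blocks, which is what removes the determinism of plain RSA once x is passed through E_pk.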

Remarks on OAEP

• OAEP is adopted in current RSA PKCS #1 (v. 2.1). It is a padding scheme, not an encryption scheme.
• Intuitively, with OAEP, the ciphertext should not reveal any information about the plaintext if RSA is one-way and h and G are truly random (random oracles).
• A slightly more complicated version of OAEP, in which x' := ((m ‖ 0^{k_0}) ⊕ G(r)) ‖ (r ⊕ h((m ‖ 0^{k_0}) ⊕ G(r))), has been proved CCA-secure in the random oracle model (i.e., if G, h are random oracles).
• In practice, hash functions such as SHA-1 are used for G, h.

Random Oracle

• A random oracle is a random function f : {0,1}^n → {0,1}^{l(n)}.
• Recall: there are 2^{l(n)·2^n} such functions. Each random oracle is a black box that implements one of the 2^{l(n)·2^n} random functions, say f.
• The 2^n values of f are totally independent and random. The only way to know the value of f(x) is to explicitly evaluate f at x (i.e., to ask the oracle).
• No practical/feasible way to implement a random oracle. Infeasible: use a trusted authority. Infeasible: use an l(n)·2^n-bit disk.

Cryptosystems Based on Discrete Logarithms

Outline

• Discrete Logarithm Problem
• Diffie-Hellman key agreement
• ElGamal encryption

Discrete logarithm problem (DLP)

• A group G is cyclic if there is an element α of order |G|. In this case, G = {α^0, α^1, α^2, ..., α^{|G|−1}}; α is called a generator.
• If (G, ·) is a finite group (not necessarily cyclic) and α an element of order n, then ⟨α⟩ = {α^0, α^1, α^2, ..., α^{n−1}} is a cyclic (sub)group of order n.
• For any y ∈ ⟨α⟩, there is a unique x ∈ Z_n such that y = α^x. This integer x is called the discrete logarithm (or index) of y with respect to base α. We write x = log_α y.
• The DLP is to compute log_α y for a given y.

Frequently used settings

• G = Z_p^* = {α^0, α^1, α^2, ..., α^{p−2}}, where p is a large prime, and α is a generator of Z_p^*. (Z_p^* is cyclic when p is prime.)
• G = ⟨α⟩ = {α^0, α^1, α^2, ..., α^{q−1}} ⊂ Z_p^*, where α is an element of prime order q.
• For these settings, there is no polynomial-time algorithm for DLP.

Example 1

• G = Z_19^* = {1, 2, ..., 18}.
• 2 is a generator. That is, Z_19^* = ⟨2⟩.
• 2^0 = 1, 2^1 = 2, 2^2 = 4, 2^3 = 8, 2^4 = 16, 2^5 = 13, 2^6 = 7, 2^7 = 14, ...
• log_2 7 = 6, log_2 14 = 7, log_2 12 = ?

Example 2

• G = Z_11^* = {1, 2, ..., 10}.
• G' = ⟨3⟩ = {1, 3, 9, 5, 4}.
• 3 is a generator of G', but not a generator of G.
• log_3 5 = 3, log_3 10 not defined.

DLP in Z_p^*

• Let α be a generator of Z_p^* (a primitive root of unity modulo p).
• Z_p^* = {1, 2, ..., p − 1} = {α^0, α^1, α^2, ..., α^{p−2}}.
• Given y ∈ Z_p^*, find the unique x ∈ Z_{p−1} such that y = α^x mod p. That is, given y, find x = log_α y.
• There is a subexponential-time algorithm for DLP in Z_p^*: Index Calculus, 2^{O(√(n log n))}, where n = log p.

RSA vs. Discrete Logarithm

• RSA is a one-way function with a trapdoor:
  x → x^e (easy)
  x^e → x (difficult)
  x^e → x, given d (d is a trapdoor)
• Logarithm is the inverse of exponentiation:
  exp: x → α^x (easy)
  log: α^x → x (difficult)
• log is hard to compute, so exp is a one-way function, but without a trapdoor. An encryption scheme based on the difficulty of log will not simply encrypt x as α^x.

Diffie-Hellman key agreement

• Z_p^* = {1, 2, ..., p − 1} = {α^0, α^1, α^2, ..., α^{p−2}}.
• Alice and Bob wish to set up a secret key.
  1. Alice and Bob agree on a large prime p and a primitive root (generator) α of Z_p^*. (p, α not secret.)
  2. Alice → Bob: α^a mod p, where a ←_R Z_{p−1}.
  3. Alice ← Bob: α^b mod p, where b ←_R Z_{p−1}.
  4. They agree on the key: α^{ab} mod p.
• Diffie-Hellman problem: given p, α, α^a, α^b ∈ Z_p^*, compute α^{ab}.
• Diffie-Hellman assumption: the Diffie-Hellman problem is intractable.

Ideas behind ElGamal encryption in Z_p^*

0. Bob is to send a message m to Alice, who has private key x and public key y := α^x.
1. Regard m as an element in Z_p^*.
2. Use Diffie-Hellman to set up a temporary key. Bob generates k and computes y^k (= α^{xk}).
3. Bob uses this key to encrypt m as m·y^k.
4. Bob sends α^k along with m·y^k so that Alice can compute y^k = (α^k)^x.
That is, E(m) = (α^k, m·y^k).

ElGamal encryption in Z_p^*

1. Key generation (e.g., for Alice): choose a large prime p and a primitive root α ∈ Z_p^*, where p − 1 has a large prime factor; randomly choose a number x ∈ Z_{p−1} and compute y := α^x; set pk := (p, α, y) and sk := (p, α, x).
2. Encryption: E_pk(m) := (α^k, m·y^k), where m ∈ Z_p^*, k ←_R Z_{p−1}.
3. Decryption: D_sk(a, b) := b·a^{−x}.
4. Remarks: All operations are done in Z_p^*, i.e., modulo p. The encryption scheme is non-deterministic.

Security of ElGamal encryption against CPA

• Based on the Diffie-Hellman assumption.
• Diffie-Hellman problem ≤ discrete logarithm problem.
• Open problem: discrete logarithm ≤ Diffie-Hellman?
• Theorem: If the Diffie-Hellman assumption is true, then the ElGamal encryption scheme is CPA-secure.

Security of ElGamal encryption against CCA

• A function f : G → G' is homomorphic if f(xy) = f(x)·f(y).
• ElGamal encryption is homomorphic, E(m·m') = E(m)·E(m'), in the following sense:
  If E(m) = (α^k, m·y^k) and E(m') = (α^{k'}, m'·y^{k'}), then
  E(m)·E(m') = (α^k·α^{k'}, m·y^k·m'·y^{k'}) = (α^{k+k'}, m·m'·y^{k+k'})
  is a valid encryption of m·m'.
• As such, ElGamal encryption is not CCA-secure (i.e., not indistinguishable against CCA).
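The ElGamal scheme of the previous slides (key generation, E_pk, D_sk) together with the component-wise product just described, as an added example that is not part of the lecture notes. The parameters p = 23, α = 5 (a primitive root mod 23) and the fixed x, k values used in the checks are toy values constructed for illustration; with k left unspecified the functions draw it at random, which is the non-determinism the slide remarks on. The product of two ciphertexts decrypts to m·m' without anyone touching the secret key, which is the malleability that rules out CCA security.

```python
import secrets


def elgamal_keygen(p: int, alpha: int, x: int = None):
    # sk = (p, alpha, x), pk = (p, alpha, y = alpha^x mod p); x random in Z_{p-1} if not given.
    if x is None:
        x = secrets.randbelow(p - 1)
    y = pow(alpha, x, p)
    return (p, alpha, y), (p, alpha, x)


def elgamal_encrypt(pk, m: int, k: int = None):
    # E_pk(m) = (alpha^k, m * y^k) with k drawn fresh from Z_{p-1} unless supplied.
    p, alpha, y = pk
    if k is None:
        k = secrets.randbelow(p - 1)
    return (pow(alpha, k, p), m * pow(y, k, p) % p)


def elgamal_decrypt(sk, ct):
    # D_sk(a, b) = b * a^{-x} mod p   (pow with a negative exponent needs Python 3.8+)
    p, alpha, x = sk
    a, b = ct
    return b * pow(a, -x, p) % p


def multiply_ciphertexts(p: int, ct1, ct2):
    # Component-wise product: an encryption of m1*m2 built from E(m1), E(m2)
    # by anyone, without the secret key.
    return (ct1[0] * ct2[0] % p, ct1[1] * ct2[1] % p)
```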

Symmetric vs. Asymmetric

• Symmetric encryptions are much faster than asymmetric ones.
  – AES is typically 100 times faster than RSA encryption, and 1000 times faster than RSA decryption.
• Use an asymmetric cipher to set up a session key and then use a symmetric cipher to encrypt data.

Security Issues

What does it mean that an encryption scheme is secure (or insecure)?

• Semantic security
• Ciphertext-indistinguishability
• Non-malleability

Different levels of security

• Consider ciphertext-only attacks; i.e., the adversary is an eavesdropper.
• How to define security? Several options: An encryption scheme is secure if, given a ciphertext c (= E_k(m)), no adversary can
  (1) find the secret key k;
  (2) find the plaintext m;
  (3) find any character of the plaintext;
  (4) find any meaningful information about the plaintext;
  (5) find any information about the plaintext.
• We will adopt (and formalize) #5, which is called semantic security and seems to indicate the highest level of security.

Different types of attackers

• Different types of attacks (classified by the amount of information that may be obtained by the attacker):
  – Ciphertext-only attack
  – Known-plaintext attack
  – Chosen-plaintext attack (CPA)
  – Chosen-ciphertext attack (CCA)

Security Parameter

• The security of an encryption scheme typically depends on its key length. Is RSA secure if |n| = 216, 512, or 1024?
• In general, an encryption scheme is associated with an integer n called its security parameter. (For now, you may think of it as key length.)
• When the probability Pr(n) of an encryption scheme being broken is negligible w.r.t. the encryption scheme's security parameter, we say that it is secure.

Negligible functions

• A nonnegative function f : N → R is said to be negligible if for every positive polynomial P(n), there is an integer n_0 such that f(n) < 1/P(n) for all n > n_0 (i.e., for sufficiently large n).
• Examples: 2^{−n}, 2^{−√n}, n^{−log n} are negligible functions.
• Negligible functions approach zero faster than the reciprocal of every polynomial. We write negl(n) to denote an unspecified negligible function.

Symmetric-key encryption scheme

• Message space: M = {0,1}^*.
• Key generation algorithm G: On input 1^n, G(1^n) outputs a key k ∈ {0,1}^n. (K = {0,1}^n; and n is the security parameter.)
• Encryption algorithm E: On input a key k and a plaintext m ∈ M, outputs a ciphertext c. We write c ← E(k, m) or E_k(m).
• Decryption algorithm D: On input a key k and a ciphertext c, outputs a message m. We write m := D(k, c) or m := D_k(c).
• Correctness requirement: for each k ∈ K and m ∈ M, D_k(E_k(m)) = m.
• G, E are polynomial probabilistic algorithms. D is deterministic.

Semantic Security

• Informally, an encryption scheme is semantically secure if whatever an adversary with c (= E(m)) can learn about m, one can learn equally well without c.
• A private-key encryption scheme (G, E, D) with security parameter n is semantically secure against an eavesdropper if for every probabilistic polynomial-time (PPT) algorithm A there exists a PPT A' such that for all polynomial-time computable functions f and h, there exists a negligible function negl such that:
  | Pr[A(1^n, E_k(m), h(m)) = f(m) : k ← G(1^n), m ← {0,1}^n] − Pr[A'(1^n, h(m)) = f(m) : m ← {0,1}^n] | ≤ negl(n).

Ciphertext-Indistinguishability

• Adversary: a polynomial-time eavesdropper.
• (G, E, D): an encryption scheme with security parameter n.
• Imagine a game played by Bob and Eve (adversary):
  – Eve is given input 1^n and outputs a pair of messages m_0, m_1 of the same length.
  – Bob chooses a key k ← G(1^n) and m ←_u {m_0, m_1}. He computes c = E_k(m) and gives c to Eve.
  – Eve tries to determine whether c is the encryption of m_0 or m_1.
• An encryption scheme is ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than 1/2.

Definition: An encryption scheme is ciphertext-indistinguishable against eavesdroppers if for every PPT algorithm A and all m_0, m_1 ∈ M, |m_0| = |m_1|, it holds:
  Pr[A(1^n, m_0, m_1, E_k(m)) = m : k ← G(1^n), m ←_u {m_0, m_1}] ≤ 1/2 + negl(n).

Equivalence of semantic security and ciphertext-indistinguishability

• Theorem: Against an eavesdropper, an encryption scheme is semantically secure iff it is ciphertext-indistinguishable.
• Theorem: Under CPA, CCA1 or CCA2, an encryption scheme is semantically secure if and only if it is ciphertext-indistinguishable.

Chosen-plaintext attacks (CPA)

• In CSE 651 we described CPA as follows:
  Given: (m_1, c_1), (m_2, c_2), ..., (m_t, c_t), where m_1, m_2, ..., m_t are chosen by the adversary; and a new ciphertext c.
  Q: what is the plaintext of c?
• Adaptively-chosen-plaintext attack: m_1, m_2, ..., m_t are chosen adaptively.
• Now we describe CPA in terms of an oracle.

Chosen-plaintext attacks (CPA)

A CPA on an encryption scheme (G, E, D) is modeled as follows.
1. A key k ← G(1^n) is generated.
2. The adversary is given input 1^n and oracle access to E_k. She may request the oracle to encrypt plaintexts of her choice.
3. The adversary chooses two messages m_0, m_1 with |m_0| = |m_1|; and is given a challenge ciphertext c ← E_k(m_b), where b ←_u {0,1}.
4. The adversary continues to have oracle access and may request the encryptions of additional plaintexts of her choice, even m_0 and m_1.
5. The adversary finally answers 0 or 1.
Note: The CPA here actually refers to an adaptive CPA.

Ciphertext-indistinguishability against CPA

• An encryption scheme (G, E, D) is IND-CPA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than 1/2.
• Definition: an encryption scheme (G, E, D) is IND-CPA if for every polynomial-time adversary A it holds that:
  Pr[A^{E_k}(1^n, m_0, m_1, E_k(m)) = m : k ← G(1^n), (m_0, m_1) ← A^{E_k}(1^n), m_0, m_1 ∈ M, m ←_u {m_0, m_1}] ≤ 1/2 + negl(n).
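The five-step CPA game above, run as a simulation, as an added example (not code from the lecture notes). The harness hands the adversary an encryption oracle in steps 2 and 4, picks b uniformly in step 3, and counts how often the answer in step 5 equals b. It is played against textbook RSA with the toy key n = 3233, e = 17 (constructed for this example), and shows concretely the earlier claim that a deterministic scheme is not CPA-secure: the adversary that simply re-encrypts m_0 through the oracle and compares wins every round, while a guessing adversary stays near 1/2.

```python
import secrets


def ind_cpa_game(keygen, encrypt, choose, guess, trials: int = 200) -> float:
    # Runs the CPA game 'trials' times and returns the adversary's success rate.
    wins = 0
    for _ in range(trials):
        pk, sk = keygen()                                     # step 1
        oracle = lambda m, pk=pk: encrypt(pk, m)              # step 2: oracle access to E_k
        m0, m1 = choose(oracle)                               # step 3: adversary picks m0, m1
        b = secrets.randbelow(2)
        challenge = encrypt(pk, (m0, m1)[b])
        if guess(oracle, m0, m1, challenge) == b:             # steps 4-5, oracle still available
            wins += 1
    return wins / trials


# Deterministic scheme: textbook RSA with a toy key (p = 61, q = 53), constructed for this example.
def toy_rsa_keygen():
    return (3233, 17), (3233, 2753)


def toy_rsa_encrypt(pk, m: int) -> int:
    n, e = pk
    return pow(m, e, n)


def choose_two_messages(oracle):
    return 65, 66


def guess_by_reencryption(oracle, m0, m1, challenge):
    # With a deterministic E_k, re-encrypting m0 reproduces the challenge exactly when b = 0.
    return 0 if oracle(m0) == challenge else 1


def guess_at_random(oracle, m0, m1, challenge):
    return secrets.randbelow(2)
```

Swapping in a randomized scheme (padded RSA, OAEP-RSA, ElGamal) makes `guess_by_reencryption` no better than `guess_at_random`, since two encryptions of m_0 no longer agree.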

Chosen-ciphertext attacks (CCA)

• In CSE 651 we also described CCA as follows:
  Given: (m_1, c_1), (m_2, c_2), ..., (m_t, c_t), where c_1, c_2, ..., c_t are chosen by the adversary; and a new ciphertext c.
  Q: what is the plaintext of c?
• Adaptively-chosen-ciphertext attack: c_1, c_2, ..., c_t are chosen adaptively.
• Now we describe CCA in terms of an oracle.
• We will allow a CCA adversary to also have CPA capability. (So, combined CCA+CPA, rather than pure CCA.)

Chosen-ciphertext attacks (CCA)

A CCA on an encryption scheme (G, E, D) is modeled as follows.
1. A key k ← G(1^n) is generated.
2. The adversary is given input 1^n and oracle access to E_k and D_k. She may request the oracles to perform encryptions and/or decryptions for her.
3. The adversary chooses two messages m_0, m_1 with |m_0| = |m_1|; and is given a challenge ciphertext c ← E_k(m_b), where b ←_u {0,1}.
4. The adversary continues to have oracle access to E_k and D_k, but is not allowed to request the decryption of c.
5. The adversary finally answers 0 or 1.

CCA1 vs. CCA2

• The CCA described above is also called CCA2.
• If in item #4 the adversary has no access to the decryption oracle, the CCA is called CCA1.

Ciphertext-indistinguishability against CCA

• An encryption scheme (G, E, D) is IND-CCA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than 1/2.
• Definition: an encryption scheme (G, E, D) is IND-CCA if for every polynomial-time adversary A, it holds that:
  Pr[A^{E_k, D_k}(1^n, m_0, m_1, E_k(m)) = m : k ← G(1^n), (m_0, m_1) ← A^{E_k, D_k}(1^n), m_0, m_1 ∈ M, m ←_u {m_0, m_1}] ≤ 1/2 + negl(n).

Non-malleability

• An encryption scheme (G, E, D) is non-malleable if, given a ciphertext c = E(m), it is computationally infeasible for an adversary to produce a ciphertext c' such that m' = D(c') has some known relation with m.
• RSA is malleable.
• IND-CCA2 ⇒ non-malleable.
• Later we will see that every homomorphic encryption scheme is malleable, and hence cannot be IND-CCA2.
• Highest security level possible: IND-CCA1. (?)

Homomorphic Encryption

Fontaine and Galand, “A survey of homomorphic encryption for nonspecialists,” EURASIP Journal on Information Security, 2007.

RSA is homomorphic

• RSA(m_1 · m_2) = RSA(m_1) · RSA(m_2), where · is the multiplication in Z_n^* (i.e., modulo n).
• Easy to verify:
  RSA(m_1) · RSA(m_2) = m_1^e · m_2^e = (m_1 · m_2)^e = RSA(m_1 · m_2).
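The identity RSA(m_1)·RSA(m_2) = RSA(m_1·m_2) checked numerically, as an added example that is not part of the lecture notes, using the toy key n = 3233, e = 17, d = 2753 (p = 61, q = 53; constructed for this example). The second function makes the earlier "RSA is malleable" remark concrete: from RSA(m) and the public key alone one obtains a valid ciphertext of 2m. This is the behaviour that padded RSA and OAEP-RSA remove and that any deployment of the bare primitive has to reckon with.

```python
N, E, D = 3233, 17, 2753   # toy RSA key (p = 61, q = 53), constructed for this example


def rsa(m: int) -> int:
    # the RSA primitive, m -> m^e mod n
    return pow(m, E, N)


def rsa_inverse(c: int) -> int:
    # c -> c^d mod n, needs the secret exponent
    return pow(c, D, N)


def is_multiplicatively_homomorphic(m1: int, m2: int) -> bool:
    # RSA(m1) * RSA(m2) mod n == RSA(m1 * m2 mod n)
    return rsa(m1) * rsa(m2) % N == rsa(m1 * m2 % N)


def scale_ciphertext(c: int, factor: int) -> int:
    # From c = RSA(m) alone (no d), produce RSA(factor * m): malleability of the
    # plain primitive, and the reason it is used only with padding.
    return c * rsa(factor) % N
```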

Homomorphic encryption

• M: message space; C: ciphertext space.
• ⊙: some binary operation in M; ⊗: some binary operation in C.
• Definition: An encryption scheme is homomorphic if for any encryption key k the encryption function E satisfies E_k(m_1 ⊙ m_2) = E_k(m_1) ⊗ E_k(m_2) for all messages m_1, m_2 ∈ M.
• Comment: applicable only to deterministic encryption schemes.

ElGamal encryption is homomorphic

• E_k(m_1 · m_2) ← E_k(m_1) · E_k(m_2), in the following sense: E_k(m_1) · E_k(m_2) is a valid encryption of m_1 · m_2.
• Verification: If E_k(m_1) = (g^{k_1}, m_1·y^{k_1}) and E_k(m_2) = (g^{k_2}, m_2·y^{k_2}), then
  E_k(m_1) · E_k(m_2) = (g^{k_1}·g^{k_2}, m_1·y^{k_1}·m_2·y^{k_2}) = (g^{k_1+k_2}, m_1·m_2·y^{k_1+k_2})
  is an encryption of m_1·m_2.

Homomorphic encryption redefined

• M: message space; C: ciphertext space.
• ⊙: some binary operation in M; ⊗: some binary operation in C.
• Definition: An encryption scheme is homomorphic if for any encryption key k the encryption function E satisfies E_k(m_1 ⊙ m_2) ← E_k(m_1) ⊗ E_k(m_2) for all messages m_1, m_2 ∈ M.
• Comment: "a ← b" means "an encryption of a can be computed from b".

An equivalent definition

Definition: An encryption scheme is homomorphic if its encryption E and decryption D satisfy m_1 ⊙ m_2 = D(E(m_1) ⊗ E(m_2)) for all messages m_1, m_2 ∈ M and all encryption/decryption key pairs.

A generalized definition

• Definition: An encryption scheme is homomorphic w.r.t. ⊙ if there is a polynomial-time algorithm A such that
  E(m_1 ⊙ m_2) ← A(E(m_1), E(m_2))
  (or m_1 ⊙ m_2 = D(A(E(m_1), E(m_2))))
  for all messages m_1, m_2 ∈ M and all encryption/decryption key pairs.
• Question: How to further generalize it?

Various homomorphic encryptions

• An encryption scheme is
  – additively homomorphic if it is homomorphic w.r.t. + in M;
  – multiplicatively homomorphic if it is homomorphic w.r.t. · in M;
  – algebraically homomorphic if it is homomorphic w.r.t. both + and ·.
• RSA and ElGamal are multiplicatively homomorphic.
• Padded RSA and OAEP-RSA are not homomorphic.
• RSA is not IND-CPA secure; ElGamal is.

Additively homomorphic ElGamal encryption

• Original ElGamal: E_k(m) = (g^k, m·y^k).
• Now, encrypt m as c = E_k(m) = (g^k, h^m·y^k), where g, h are generators of Z_p^*.
• Decrypting c takes two steps: c → h^m (ElGamal decryption) → m (DL).
• E(m_1 + m_2) ← E(m_1) · E(m_2).

A simple application To vote yes or no, encode a yes-vote as 1 and a no-vote as 1.

Encrypt as , .

Send the encrypted vote to a trusted party.

k m k

mm

m c g h y

c

=

=

= −

i

i

i{ }

( )

1 2 3

1 1

1 1 1

All votes: , , , ,

, mod ( 1)

(why?) mod ( 1)

i i i

k

i

k

k kk m k

i ii i

k k

i ii i i

c c c c

c g h y E m p

D c m p m=

= =

= =

⎛ ⎞∑ ∑ ∑= ⋅ → −⎜ ⎟⎝ ⎠

⎛ ⎞ = −⎜ ⎟⎝

=⎠

∏ ∑

∏ ∑ ∑

i

i

i
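The additively homomorphic ElGamal variant and the yes/no tally above, as an added example that is not part of the lecture notes. The parameters p = 23 with generators g = 5, h = 7 and the trusted party's key x = 6 are toy values constructed for this example. Each vote m ∈ {+1, −1} is encrypted as (g^k, h^m·y^k); the tallier multiplies the ciphertexts, applies ordinary ElGamal decryption to obtain h^{Σ m_i}, and then takes the discrete log. The second step is feasible only because |Σ m_i| is bounded by the number of votes, so the exponent can be searched in a small window; that bounded search is the answer to the slide's "why?".

```python
import secrets

P, G_, H_ = 23, 5, 7   # toy parameters constructed for this example: p prime, g and h generators of Z_23^*
X = 6                  # trusted party's private key
Y = pow(G_, X, P)      # public key y = g^x mod p


def encrypt_vote(m: int) -> tuple:
    # m in {+1, -1}; ciphertext (g^k, h^m * y^k) with a fresh random k in Z_{p-1}.
    # pow(H_, -1, P) is the inverse of h, so h^{-1} encodes the no-vote (Python 3.8+).
    k = secrets.randbelow(P - 1)
    return (pow(G_, k, P), pow(H_, m, P) * pow(Y, k, P) % P)


def combine(ciphertexts: list) -> tuple:
    # Component-wise product of all ciphertexts: an encryption of sum m_i.
    a, b = 1, 1
    for ai, bi in ciphertexts:
        a, b = a * ai % P, b * bi % P
    return (a, b)


def tally(ciphertexts: list) -> int:
    # Step 1 (ElGamal decryption): recover h^{sum m_i} = b * a^{-x} mod p.
    a, b = combine(ciphertexts)
    hm = b * pow(a, -X, P) % P
    # Step 2 (DL): |sum m_i| <= number of votes, so search that window only.
    # This is unambiguous as long as the window is smaller than ord(h) = p - 1.
    bound = len(ciphertexts)
    for s in range(-bound, bound + 1):
        if pow(H_, s, P) == hm:
            return s
    raise ValueError("no exponent found in the expected window")
```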

Yao's Millionaire Problem

• Two millionaires, Alice and Bob, want to know who is richer without revealing their actual wealth.
• Alice is worth a millions, and Bob b millions. Q: a < b?
• Initially suggested and solved by Andrew Yao in 1982.
• Later generalized to a problem called Multiparty Computation.
• Would be trivial if there were a secure encryption scheme that is homomorphic w.r.t. "<", namely, (m_1 < m_2) ← D(A(E(m_1), E(m_2))).

Quadratic Residues

• Let n ≥ 2 be any number. Quadratic residues: elements in Z_n^* which are a square.
• QR_n = the subgroup of quadratic residues in Z_n^*.
• QNR_n = Z_n^* − QR_n = quadratic non-residues in Z_n^*.
• Legendre symbol: (x/p) = +1 if [x] ∈ QR_p (x is a square); −1 if [x] ∈ QNR_p (not a square); 0 if [x] = 0.
• Euler's criterion: (x/p) = x^{(p−1)/2} mod p.
• Jacobi symbol: (x/n) = (x/p)(x/q), assuming n = pq.

Quadratic Residues (cont'd)

• Thus, (x/n) = 1 iff (x/p) = (x/q) = ±1.
• x is a quadratic residue in Z_n^* iff (x/p) = (x/q) = 1.
• Z_n^* = QR_n ∪ QNR_n = QR_n ∪ QNR_n^+ ∪ QNR_n^−.
• If (x/n) = −1, then x ∈ QNR_n^−.
• If (x/n) = 1, x ∈ QR_n ∪ QNR_n^+.

Quadratic residuosity assumption

• Given x ∈ Z_n^* with (x/n) = 1, it is intractable to determine whether x ∈ QR_n or x ∈ QNR_n^+ without knowing the factorization n = pq.
• Knowing n = pq, it is easy to determine if x ∈ QR_n or x ∈ QNR_n^+.

Goldwasser-Micali encryption scheme (idea)

• First probabilistic encryption scheme.
• Encrypt one bit b ∈ {0,1} at a time.
• Encrypt b = 0 as a random number in QR_n. Encrypt b = 1 as a random number in QNR_n^+.
• To decrypt c = E(b), simply determine if c ∈ QR_n (i.e., (c/p) = 1?).

Goldwasser-Micali encryption scheme

• System setup: Alice chooses n = pq and g ∈ QNR_n^+. Public key: (n, g). Private key: (p, q).
• Encryption: E(b) = g^b·r^2, where r ←_R Z_n^*. Note: E(b) is a quadratic residue iff b = 0.
• To decrypt c = E(b), simply determine if c ∈ QR_n.
• Drawback: it takes |n| = 1024 bits to encrypt a single bit. This scheme has an expansion of 1024.
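The Goldwasser-Micali scheme together with the Legendre/Jacobi machinery of the quadratic residue slides, as an added example that is not part of the lecture notes. The Legendre symbol is computed by Euler's criterion; key generation picks g as the smallest element that is a non-residue modulo both p and q, so that (g/n) = +1 and g ∈ QNR_n^+; decryption checks whether c ∈ QR_n using the factor p. The primes p = 11, q = 7 are toy values constructed for this example. The last function reports the expansion (ciphertext bits per plaintext bit), which for real 1024-bit n is the 1024 the slide mentions.

```python
import secrets
from math import gcd


def legendre(x: int, p: int) -> int:
    # Euler's criterion: x^((p-1)/2) mod p is 1 (residue), p-1 (non-residue) or 0.
    v = pow(x % p, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def jacobi_pq(x: int, p: int, q: int) -> int:
    # Jacobi symbol (x/n) = (x/p)(x/q) for n = pq
    return legendre(x, p) * legendre(x, q)


def gm_keygen(p: int, q: int):
    # g must lie in QNR_n^+: a non-residue modulo both p and q, hence (g/n) = +1.
    n = p * q
    g = next(c for c in range(2, n) if legendre(c, p) == -1 and legendre(c, q) == -1)
    return (n, g), (p, q)


def gm_encrypt(pk, b: int, r: int = None) -> int:
    # E(b) = g^b * r^2 mod n with r random in Z_n^*
    n, g = pk
    if r is None:
        r = secrets.randbelow(n - 1) + 1
        while gcd(r, n) != 1:
            r = secrets.randbelow(n - 1) + 1
    return pow(g, b, n) * r * r % n


def gm_decrypt(sk, c: int) -> int:
    # c is in QR_n iff it is a residue mod p (and mod q); knowing p suffices.
    p, q = sk
    return 0 if legendre(c, p) == 1 else 1


def expansion(pk) -> int:
    # ciphertext bits per plaintext bit: |n|
    return pk[0].bit_length()
```

Every ciphertext, for either bit, has Jacobi symbol +1, so without the factorization the two cases look alike; that is the quadratic residuosity assumption doing the work.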

Reducing the expansion

• Idea of Goldwasser-Micali: Take a group G and a subgroup H. Partition G into two parts: M_0 = H and M_1 = G \ H. Randomly select an element in M_b to encrypt b.
• To generalize, choose G and H such that G can be split into more parts.
• Benaloh: k a small prime; E(m) = g^m·r^k, m ∈ {0, 1, ..., k − 1}; expansion: |n| / |k|.
• Okamoto & Uchiyama: reduced the expansion to 3.
• Paillier: reduced the expansion to 2 using the group Z_{n^2}^*.
• Damgård & Jurik: generalized Paillier's scheme using the group Z_{n^{s+1}}^*, with expansion 1 + 1/s.

Paillier's encryption scheme

• One of the most well-known homomorphic encryption schemes.
• G = Z_{n^2}^*, where n = pq. |G| = ϕ(n^2) = n·ϕ(n).
• H = {z ∈ G : z is an n-th residue mod n^2}, i.e., z = y^n mod n^2 for some y ∈ G.
• H is a subgroup and |H| = ϕ(n). Use H to divide G into n classes.
• Let g ∈ G be any element with order a multiple of n.

• Define f : Z_n × Z_n^* → Z_{n^2}^*, f(x, y) = g^x·y^n mod n^2.
• Theorem: f is bijective. Each x ∈ Z_n defines a class in Z_{n^2}^*, namely, f(x, Z_n^*) = {f(x, y) : y ∈ Z_n^*}.
• Encryption: plaintext m ∈ Z_n; select a random r ∈ Z_n^*; ciphertext c = g^m·r^n mod n^2; additively homomorphic.

• Decryption (private key: n = pq or λ(n)): for a ciphertext c ∈ Z_{n^2}^*, the plaintext is
  m = [ L(c^{λ(n)} mod n^2) / L(g^{λ(n)} mod n^2) ] mod n,
  where L(u) = (u − 1)/n, and λ(n) is the Carmichael function, i.e., the smallest integer λ such that a^λ ≡ 1 mod n for all a ∈ Z_n^*. For n = pq, λ(n) = lcm(p − 1, q − 1). (In RSA, λ(n) can be used in place of ϕ(n).)

• Security: Assumption: Without knowing n = pq, it is intractable to determine if an element z ∈ Z_{n^2}^* is an n-th residue modulo n^2. If this assumption holds, Paillier's encryption scheme is semantically secure under CPA.
• Let c be the ciphertext of either m_0 or m_1. So, either c = g^{m_0}·r^n mod n^2 or c = g^{m_1}·r^n mod n^2. So, c·g^{−m_0} = r^n mod n^2 or c·g^{−m_0} = g^{m_1−m_0}·r^n mod n^2.
• c is the ciphertext of m_0 iff c·g^{−m_0} is an n-th residue modulo n^2.
• Question: In the above argument, which problem is reduced to which problem?

Additively homomorphic on Z_n:

• Recall: E(m) = g^m·r^n mod n^2, m ∈ Z_n, r ∈_R Z_n^*.
• D(E(m_1) · E(m_2) mod n^2) = m_1 + m_2 mod n.
• D(E(m)^k mod n^2) = k·m mod n.
• D(E(m_1)^{m_2} mod n^2) = m_1·m_2 mod n.

A simple application

• To vote yes or no, encode a yes vote as m = 1 and a no vote as m = −1. Encrypt m as c = g^m·r^n mod n^2. Send the encrypted vote c to a trusted party.
• All votes: c_1, c_2, c_3, ..., c_k.
• D(∏_{i=1}^k c_i mod n^2) = Σ_{i=1}^k m_i mod n ⇒ Σ_{i=1}^k m_i (why?)
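Paillier's scheme as described on the preceding slides (encryption g^m·r^n mod n^2, decryption through L(u) = (u − 1)/n and λ(n) = lcm(p − 1, q − 1)), its three homomorphic identities, and the vote-tallying application, as one added example that is not part of the lecture notes. Assumptions: the toy primes p = 11, q = 7, and g = n + 1, the common choice of an element whose order is a multiple of n; the inverse of L(g^λ mod n^2) is precomputed once at key generation. A no-vote m = −1 is stored as n − 1, so the decrypted tally is a residue mod n; mapping residues above n/2 back to negative integers is what turns "Σ m_i mod n" into Σ m_i, which answers the slide's "why?" as long as the number of votes is below n/2.

```python
import secrets
from math import gcd


def L(u: int, n: int) -> int:
    # the L function of the decryption formula, defined on u = 1 mod n
    return (u - 1) // n


def paillier_keygen(p: int, q: int):
    # Public key (n, g) with g = n + 1 (assumed choice; its order is a multiple of n).
    # Private key: lambda(n) = lcm(p-1, q-1) and mu = L(g^lambda mod n^2)^{-1} mod n.
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    g = n + 1
    mu = pow(L(pow(g, lam, n2), n), -1, n)
    return (n, g), (n, lam, mu)


def paillier_encrypt(pk, m: int, r: int = None) -> int:
    # c = g^m * r^n mod n^2 with r random in Z_n^*; m is reduced into Z_n (so -1 -> n-1)
    n, g = pk
    n2 = n * n
    if r is None:
        r = secrets.randbelow(n - 1) + 1
        while gcd(r, n) != 1:
            r = secrets.randbelow(n - 1) + 1
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def paillier_decrypt(sk, c: int) -> int:
    # m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n
    n, lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n


def add_encrypted(pk, c1: int, c2: int) -> int:
    # E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n
    n = pk[0]
    return c1 * c2 % (n * n)


def scale_encrypted(pk, c: int, k: int) -> int:
    # E(m)^k mod n^2 decrypts to k*m mod n (k may itself be a plaintext m2)
    n = pk[0]
    return pow(c, k, n * n)


def signed(pk, m: int) -> int:
    # Map a residue in Z_n back to a signed integer of small magnitude.
    n = pk[0]
    return m - n if m > n // 2 else m


def tally_votes(pk, sk, votes: list) -> int:
    # yes = +1, no = -1; the product of all ciphertexts decrypts to the sum mod n
    product = 1
    for v in votes:
        product = add_encrypted(pk, product, paillier_encrypt(pk, v))
    return signed(pk, paillier_decrypt(sk, product))
```

Only the trusted party holding λ(n) ever decrypts, and it decrypts once, the aggregate; individual ballots stay encrypted throughout, which is the property the homomorphism buys.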

Fully homomorphic encryption

• At STOC'09, Craig Gentry presented a fully homomorphic encryption scheme.
• A homomorphic public-key encryption scheme S has four algorithms: KeyGen, Encrypt, Decrypt, Evaluate.
• C: a circuit. S is homomorphic for C if for any key pair (sk, pk) output by KeyGen, any plaintexts π_1, ..., π_t, and any ciphertexts ψ_1, ..., ψ_t with ψ_i = Encrypt(π_i), it holds that:
  C(π_1, ..., π_t) = Decrypt(Evaluate(C, ψ_1, ..., ψ_t)).
• S is fully homomorphic if it is homomorphic for all circuits.

Applications

– Protection of mobile agents
– Watermarking/fingerprinting protocols
– Electronic auction and lottery protocols
– Multiparty computation
– Oblivious transfer
– Privacy preserving data mining
– Others