Introduction - Computer Science and Engineering
web.cse.ohio-state.edu/~lai.1/788-Au09/1.introduction.pdf · 2009-10-06

Page 1

Introduction

788.11 Cryptography and Security
Fall 2009
Steve Lai

Page 2

Outline

■ Basics of encryption

■ Homomorphic encryption

Page 3

Basics of Encryption

For more information, see my CSE 651 or 794Q notes

Page 4

Summary

• Symmetric encryption
  – Stream cipher (e.g., RC4)
  – Block cipher (e.g., DES, AES)
• Asymmetric encryption
  – RSA
  – ElGamal (based on Diffie-Hellman)
• Performance issues
• Security issues

Page 5

Symmetric-Key Encryption

• Stream cipher (e.g., Vernam's one-time pad, RC4)
• Block cipher (e.g., DES, AES)

Page 6

Stream ciphers

Page 7

Stream ciphers

• Stream ciphers typically process the plaintext byte by byte. So, the plaintext is a stream of bytes: $P_1, P_2, P_3, \ldots$
• Use a key $K$ as the seed to generate a sequence of pseudorandom bytes (key-stream): $K_1, K_2, K_3, \ldots$
• The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$.
• Various stream ciphers differ in their key-stream generators.
• Stream ciphers require that a new key be used for each plaintext (or it will not be secure).

Page 8

• In practice, Alice and Bob wish to share a permanent key $K$ and use it to encrypt many messages.
• One possible strategy: Suppose Bob and Alice share a secret key $K$. Each time Bob (or Alice) wants to send a message, he randomly generates a string $IV_i$ and uses $K \cdot IV_i$ as the key (seed) to the pseudorandom generator. Send $IV_i$ along with the ciphertext.
• Unfortunately, the resulting scheme is not necessarily secure.
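The per-message IV strategy above, as an added Python example (not code from the slides): a SHA-256 counter-mode key-stream generator is a constructed stand-in for RC4, seeded with the permanent key and the per-message IV, and the last function shows why the previous slide insists on a fresh key (seed) for every plaintext: if the same key-stream is reused, XORing the two ciphertexts cancels it and exposes $P_1 \oplus P_2$ to an eavesdropper who holds no key. The key, IVs and messages are constructed values.

```python
import hashlib
from itertools import count


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy key-stream generator (constructed stand-in for RC4, NOT RC4):
    SHA-256 in counter mode, seeded with the permanent key K and the per-message IV."""
    out = bytearray()
    for ctr in count():
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = P_i XOR K_i, byte by byte.  The IV is sent in clear with the ciphertext."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so the receiver regenerates the same key-stream.
    return xor_bytes(ciphertext, keystream(key, iv, len(ciphertext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted under the same (key, IV), the key-stream
    cancels: C1 XOR C2 = (P1 XOR K) XOR (P2 XOR K) = P1 XOR P2.
    Computing this needs no key at all."""
    return xor_bytes(c1, c2)


def demo() -> dict:
    key = b"permanent-key-K"                       # constructed permanent key K
    p1 = b"ATTACK AT DAWN  "                       # constructed 16-byte messages
    p2 = b"RETREAT AT NOON "
    iv1, iv2 = b"\x00\x00\x01", b"\x00\x00\x02"    # constructed 24-bit IVs
    c1 = encrypt(key, iv1, p1)
    c2_reused = encrypt(key, iv1, p2)              # same IV: key-stream reused
    c2_fresh = encrypt(key, iv2, p2)               # fresh IV: different key-stream
    return {
        "roundtrip_ok": decrypt(key, iv1, c1) == p1,
        "reuse_exposes_p1_xor_p2": keystream_reuse_leak(c1, c2_reused) == xor_bytes(p1, p2),
        "fresh_iv_exposes_p1_xor_p2": keystream_reuse_leak(c1, c2_fresh) == xor_bytes(p1, p2),
    }


if __name__ == "__main__":
    print(demo())
```

The fresh-IV case hides $P_1 \oplus P_2$ only as long as the IV never repeats under the same permanent key; with a 24-bit IV, as in WEP on the next slide, there are only $2^{24}$ distinct seeds, so a busy sender eventually reuses one.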

Page 9

Example: WEP's use of RC4

• WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802.11 wireless LAN.
• Each packet is encrypted with a separate key equal to the concatenation of a 24-bit IV (initialization vector) and a 40- or 104-bit permanent key.
• Not secure. See "Breaking 104 bit WEP in less than 60 seconds."

RC4 key: | IV (24 bits) | Permanent key (40 or 104 bits) |

Page 10

Block Ciphers

Block ciphers are encryption schemes that use pseudorandom functions or pseudorandom permutations.

Page 11

Traditional view of block ciphers

• A block cipher is a symmetric-key encryption scheme that maps a block of $n$ bits to a block of $n$ bits.
• $M = C = \{0,1\}^n$ and $K = \{0,1\}^r$. Block length: $n$. Key length: $r$.
• For a fixed key $k \in K$, $E_k : \{0,1\}^n \to \{0,1\}^n$ is a permutation.

Page 12

Practical Block Ciphers: DES and AES

DES: Data Encryption Standard
AES: Advanced Encryption Standard

Page 13

Public‐Key Cryptography and RSA

Page 14

Public-Key Cryptography

• Also known as asymmetric-key cryptography.
• Each user has a pair of keys: a public key and a private key.
• The public key is used for encryption.
  – The key is known to the public.
• The private key is used for decryption.
  – The key is only known to the owner.

Page 15

Public-Key Cryptosystem (PKC)

• Each user $u$ has a pair of keys $(PK_u, SK_u)$.
  – $PK_u$ is the public key, available in a public directory.
  – $SK_u$ is the private key, known to $u$ only.
• Key-generation algorithm: to generate keys.
• Encryption algorithm $E$: to send message $M$ to user $u$, compute $C = E(PK_u, M)$.
• Decryption algorithm $D$: Upon receiving $C$, user $u$ computes $D(SK_u, C)$.
• Requirement: $D(SK_u, E(PK_u, M)) = M$.

Page 16

Why Public-Key Cryptography?

• Developed to address two main issues:
  – key distribution
  – digital signatures
• Invented by Diffie & Hellman in 1976.

Page 17

One-way function with trapdoor

• $f$ is a one-way function with trapdoor:
  Easy: $x \xrightarrow{f} y$
  Hard: $x \xleftarrow{f^{-1}} y$
  Easy: $x \xleftarrow{f^{-1},\ \text{trapdoor}} y$
• Use the trapdoor as the private key.
• Most (believed) one-way functions come from number theory.

Page 18

The RSA Cryptosystem

• RSA Encryption
• RSA Digital signature

Page 19

The RSA Cryptosystem

• By Rivest, Shamir & Adleman of MIT in 1977.
• Best known and most widely used public-key scheme.
• Based on the (assumed) one-way property of modular powering: $f : x \mapsto x^e \bmod n$ (easy); $f^{-1} : x^e \bmod n \mapsto x$ (hard).

Page 20

Idea behind RSA

• It works in the group $Z_n^*$.
• Encryption (easy): $x \xrightarrow{\mathrm{RSA}} x^e$.
• Decryption (hard): $x \xleftarrow{\mathrm{RSA}^{-1}} x^e$.
• Looking for a trapdoor: $(x^e)^d = x$. If $d$ is a number such that $ed \equiv 1 \pmod{\varphi(n)}$, then $ed = k\varphi(n) + 1$ for some $k$, and
  $(x^e)^d = x^{ed} = x^{k\varphi(n)+1} = x^{k\varphi(n)} \cdot x = 1 \cdot x = x$.

Page 21

RSA Cryptosystem

• Key generation:
  (a) Choose large primes $p$ and $q$, and let $n := pq$.
  (b) Choose $e$ ($1 < e < \varphi(n)$) coprime to $\varphi(n)$, and compute $d := e^{-1} \bmod \varphi(n)$. ($ed \equiv 1 \pmod{\varphi(n)}$.)
  (c) Public key: $pk = (n, e)$. Secret key: $sk = (n, d)$.
• Encryption: $E_{pk}(x) := x^e \bmod n$, where $x \in Z_n^*$.
• Decryption: $D_{sk}(y) := y^d \bmod n$, where $y \in Z_n^*$.
• ($E$ and $D$ work for $x, y \in Z_n \setminus Z_n^*$, but not secure.)

Page 22

Mathematical Attacks

• Factor $n$ into $pq$. Then $\varphi(n) = (p-1)(q-1)$ and $d = e^{-1} \bmod \varphi(n)$ can be calculated easily.
• Determine $\varphi(n)$ directly. Equivalent to factoring $n$. Knowing $\varphi(n)$ will enable us to factor $n$ by solving
  $\begin{cases} n = pq \\ \varphi(n) = (p-1)(q-1) \end{cases}$
• Determine $d$ directly. The best known algorithms are not faster than those for factoring $n$. Also, if $d$ is known, $n$ can be factored with high probability.
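RSA key generation, encryption and decryption as specified on the RSA Cryptosystem slide, together with the second bullet above (recovering $p, q$ from $n$ and $\varphi(n)$ by solving the two equations) and the $\gcd(m, n) > 1$ remark of the slide that follows, as an added Python example; it is not code from the slides. The primes 61 and 53 and $e = 17$ are constructed toy parameters, and `pow(e, -1, phi)` relies on Python 3.8+ for the modular inverse.

```python
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int):
    """Steps (a)-(c) of the RSA Cryptosystem slide.  p and q are assumed prime."""
    n = p * q                                   # (a) n := pq
    phi = (p - 1) * (q - 1)                     # phi(n) = (p-1)(q-1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                         # (b) d := e^{-1} mod phi(n)
    return (n, e), (n, d)                       # (c) pk = (n, e), sk = (n, d)


def rsa_encrypt(pk, x: int) -> int:
    n, e = pk
    return pow(x, e, n)                         # E_pk(x) = x^e mod n


def rsa_decrypt(sk, y: int) -> int:
    n, d = sk
    return pow(y, d, n)                         # D_sk(y) = y^d mod n


def factor_from_phi(n: int, phi: int):
    """Knowing phi(n) is equivalent to factoring n:
    n = pq and phi = (p-1)(q-1) give p + q = n - phi + 1, so p and q are the two
    roots of t^2 - (n - phi + 1) t + n = 0, solvable with one integer square root."""
    s = n - phi + 1                             # p + q
    disc = s * s - 4 * n                        # (p + q)^2 - 4pq = (p - q)^2
    if disc < 0:
        raise ValueError("phi is not phi(n) for a product of two primes")
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("phi is not phi(n) for a product of two primes")
    return (s - root) // 2, (s + root) // 2     # smaller prime first


def shared_factor(n: int, m: int) -> int:
    """Remark on the next slide: a message m in Z_n \\ Z_n^* has gcd(m, n) > 1,
    and that gcd is one of the prime factors of n.  Returns 1 when m is in Z_n^*."""
    return gcd(m, n)


def demo():
    pk, sk = rsa_keygen(61, 53, 17)             # constructed toy primes: n = 3233, phi = 3120
    y = rsa_encrypt(pk, 65)
    return pk, sk, y, rsa_decrypt(sk, y), factor_from_phi(pk[0], 3120)


if __name__ == "__main__":
    print(demo())
```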

Page 23

Remarks

• In light of current factorization technologies, RSA recommends that $n$ be of 1024–2048 bits.
• If a message $m \in Z_n \setminus Z_n^*$, RSA works, but since $\gcd(m, n) > 1$, the sender can factor $n$.
• Also, since $\gcd(m^e, n) > 1$, the adversary can factor $n$, too.
• Question: how likely is $m \in Z_n \setminus Z_n^*$?

Page 24

Security of RSA

• RSA primitive: the RSA we have described, also called plain RSA or textbook RSA.
• We have seen many attacks on RSA.
• Also, RSA is deterministic and, therefore, not CPA-secure (i.e., not ciphertext-indistinguishable against CPA).
• We wish to make RSA secure against CPA and aforementioned attacks.

Page 25

Padded RSA

• Encryption: $E_{pk}(m) := \mathrm{RSA}(r \| m) = (r \| m)^e \bmod n$, where $r$ is a random string.
• Thus, $\text{Padded-RSA}(m) = \mathrm{RSA}(r \| m)$ for some random $r$.
• Secure against many of the aforementioned attacks.
• Theorem: Padded RSA is CPA-secure if $|m| = O(\log n)$.
• Padded RSA is adopted in PKCS #1 v.1.5.

Page 26

Padded RSA as in PKCS #1 v.1.5

• PKCS: Public Key Cryptography Standard.
• Let $(n, e, d)$ give a pair of RSA keys. Say $n$ is $k$ bytes (e.g., $k = 216$).
• To encrypt a message $m$: pad $m$ so that $m' = 00\ 02\ r\ 00\ m$ ($k$ bytes), where $r$ = 8 or more random bytes $\ne 00$. (First byte 00.) The original message $m$ must be $\le k - 11$ bytes.
• The ciphertext is $c := \mathrm{RSA}(m') = m'^e \bmod n$.
• In 1998, Bleichenbacher published a chosen-ciphertext attack, forcing RSA to upgrade its PKCS #1, now using OAEP.

Page 27

OAEP: basic idea

• Message padding: instead of encrypting $m$ directly, we encrypt $(m \oplus r) \| r$, where $r$ is a random bit string. As such, however, there is a 50% overhead.
• So, we wish to use a shorter bit string $r$. Besides, $r$ should be protected, too.
• This leads to a scheme called Optimal Asymmetric Encryption Padding (OAEP). It can be applied not only to RSA but to other trapdoor functions.

Page 28

OAEP

• Choose $k, l$ ($l > k$) s.t. $k + l = |n|$ ($n$: RSA modulus).
• $G : \{0,1\}^k \to \{0,1\}^l$, a pseudorandom generator. $h : \{0,1\}^l \to \{0,1\}^k$, a hash function.
• Encryption. To encrypt a block of $l$ bits $m$:
  1. choose a random bit string $r \in \{0,1\}^k$.
  2. encode $m$ as $x := (m \oplus G(r)) \| (r \oplus h(m \oplus G(r)))$ (if $x \notin Z_n$, the message space of RSA, return to step 1).
  3. compute the ciphertext $y := E_{pk}(x)$.
• Decryption: $x := D_{sk}(y) = a \| b$. $m = a \oplus G(b \oplus h(a))$.
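The OAEP encoding of steps 1–2 and the decoding formula $m = a \oplus G(b \oplus h(a))$, as an added Python example (not code from the slides). $G$ is built from SHA-256 in counter mode and $h$ is truncated SHA-256; both are constructed stand-ins for the functions the slide leaves abstract, as are the sizes $k = 128$ and $l = 256$ bits and the bound `N_TOY` that stands in for a real RSA modulus. The loop implements the "return to step 1" check; the RSA step ($E_{pk}$, $D_{sk}$) is left out because the block shows only the padding layer that surrounds it.

```python
import hashlib
import os
from typing import Optional

# Constructed toy sizes: |r| = k = 128 bits, |m| = l = 256 bits, k + l = 384 = |n|.
K_BYTES = 16
L_BYTES = 32
N_TOY = 2 ** 384 - 1          # stand-in bound for a 384-bit RSA modulus; NOT a real modulus
SAMPLE_M = bytes(range(32))   # constructed 256-bit message block


def G(r: bytes) -> bytes:
    """Pseudorandom generator {0,1}^k -> {0,1}^l: SHA-256 in counter mode (constructed)."""
    out, ctr = b"", 0
    while len(out) < L_BYTES:
        out += hashlib.sha256(b"G|" + r + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:L_BYTES]


def h(s: bytes) -> bytes:
    """Hash function {0,1}^l -> {0,1}^k: SHA-256 truncated to k bits (constructed)."""
    return hashlib.sha256(b"h|" + s).digest()[:K_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m: bytes, n: int, r: Optional[bytes] = None) -> bytes:
    """Steps 1-2 of the slide.  r is drawn fresh on every attempt unless supplied."""
    if len(m) != L_BYTES:
        raise ValueError("m must be exactly l bits")
    while True:
        rr = r if r is not None else os.urandom(K_BYTES)   # step 1: r in {0,1}^k
        a = xor(m, G(rr))                                   # m XOR G(r)
        b = xor(rr, h(a))                                   # r XOR h(m XOR G(r))
        x = a + b                                           # step 2: x = a || b (k + l bits)
        if int.from_bytes(x, "big") < n:                    # x must lie in Z_n
            return x
        if r is not None:                                   # a fixed r cannot be retried
            raise ValueError("supplied r yields x outside Z_n; choose a new r")


def oaep_decode(x: bytes) -> bytes:
    """Decryption side: x = a || b, r = b XOR h(a), m = a XOR G(r)."""
    a, b = x[:L_BYTES], x[L_BYTES:]
    return xor(a, G(xor(b, h(a))))


def demo() -> dict:
    fixed_r = b"\x01" * K_BYTES                              # constructed r for a repeatable run
    x = oaep_encode(SAMPLE_M, N_TOY, fixed_r)
    try:                                                     # with a modulus far below 2^384,
        oaep_encode(SAMPLE_M, 2 ** 300, fixed_r)             # the encoded x falls outside Z_n
        retry_needed = False
    except ValueError:
        retry_needed = True
    return {
        "encoded_len_bytes": len(x),
        "roundtrip_ok": oaep_decode(x) == SAMPLE_M,
        "random_r_roundtrip_ok": oaep_decode(oaep_encode(SAMPLE_M, N_TOY)) == SAMPLE_M,
        "retry_needed_for_small_n": retry_needed,
    }


if __name__ == "__main__":
    print(demo())
```

Decoding never needs $r$ as input: it is recovered from the second half of $x$, which is what lets the slide use a short, protected $r$ instead of the $(m \oplus r) \| r$ layout of the previous slide.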

Page 29

Remarks on OAEP

• OAEP is adopted in current RSA PKCS #1 (v. 2.1). It is a padding scheme, not an encryption scheme.
• Intuitively, with OAEP, the ciphertext should not reveal any information about the plaintext if RSA is one-way and $G$ and $h$ are truly random (random oracles).
• A slightly more complicated version of OAEP, in which $x := ((m \| 0^{k_0}) \oplus G(r)) \| (r \oplus h((m \| 0^{k_0}) \oplus G(r)))$, has been proved CCA-secure in the random oracle model (i.e., if $G, h$ are random oracles).
• In practice, hash functions such as SHA-1 are used for $G, h$.

Page 30

Random Oracle

• A random oracle is a random function $f : \{0,1\}^n \to \{0,1\}^{l(n)}$.
• Recall: there are $2^{l(n) \cdot 2^n}$ such functions. Each random oracle is a black box that implements one of the $2^{l(n) \cdot 2^n}$ random functions, say $f_0$.
• The $2^n$ values of $f_0$ are totally independent and random. The only way to know the value of $f_0(x)$ is to explicitly evaluate $f_0$ at $x$ (i.e., to ask the oracle).
• No practical/feasible way to implement a random oracle. Infeasible: use a trusted authority. Infeasible: use a $l(n) \cdot 2^n$-bit disk.

Page 31

Cryptosystems Based on Discrete Logarithms

Page 32

Outline

• Discrete Logarithm Problem
• Diffie-Hellman key agreement
• ElGamal encryption

Page 33

Discrete logarithm problem (DLP)

• A group $G$ is cyclic if there is an element $\alpha$ of order $|G|$. In this case, $G = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{|G|-1}\}$; $\alpha$ is called a generator.
• If $(G, \cdot)$ is a finite group (not necessarily cyclic) and $\alpha \in G$ an element of order $n$, then $\langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{n-1}\}$ is a cyclic (sub)group of order $n$.
• For any $y \in \langle \alpha \rangle$, there is a unique $x \in Z_n$ such that $y = \alpha^x$. This integer $x$ is called the discrete logarithm (or index) of $y$ with respect to base $\alpha$. We write $x = \log_\alpha y$.
• The DLP is to compute $\log_\alpha y$ for a given $y$.

Page 34

Frequently used settings

• $G = Z_p^* = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$, where $p$ is a large prime, and $\alpha$ is a generator of $Z_p^*$. ($Z_p^*$ is cyclic when $p$ is prime.)
• $G = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{q-1}\} \subset Z_p^*$, where $\alpha \in Z_p^*$ is an element of prime order $q$.
• For these settings, there is no polynomial-time algorithm for DLP.

Page 35

Example 1

• $G = Z_{19}^* = \{1, 2, \ldots, 18\}$.
• 2 is a generator. That is, $Z_{19}^* = \langle 2 \rangle$.
• $2^0 = 1$, $2^1 = 2$, $2^2 = 4$, $2^3 = 8$, $2^4 = 16$, $2^5 = 13$, $2^6 = 7$, $2^7 = 14$, $\ldots$
• $\log_2 7 = 6$, $\log_2 14 = 7$, $\log_2 12 = ?$

Page 36

Example 2

• $G = Z_{11}^* = \{1, 2, \ldots, 10\}$.
• $G' = \langle 3 \rangle = \{1, 3, 9, 5, 4\}$.
• 3 is a generator of $G'$, but not a generator of $Z_{11}^*$.
• $\log_3 5 = 3$; $\log_3 10$ is not defined.
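The order, generator and discrete-logarithm notions of the DLP slide, checked on Examples 1 and 2 above, as an added Python example (not code from the slides). The logarithm is found by walking through $\langle \alpha \rangle$, which is only practical for toy moduli such as 19 and 11; for the large primes of the "frequently used settings" slide no polynomial-time algorithm is known, which is exactly what the cryptosystems that follow rely on. The function returns `None` where the logarithm is undefined, matching $\log_3 10$ in Example 2.

```python
def order(alpha: int, p: int) -> int:
    """Multiplicative order of alpha in Z_p^* (p prime, 1 <= alpha < p):
    the smallest k >= 1 with alpha^k = 1 (mod p)."""
    x, k = alpha % p, 1
    while x != 1:
        x = (x * alpha) % p
        k += 1
    return k


def is_generator(alpha: int, p: int) -> bool:
    """alpha generates Z_p^* iff its order equals |Z_p^*| = p - 1."""
    return order(alpha, p) == p - 1


def cyclic_subgroup(alpha: int, p: int) -> list:
    """<alpha> = {alpha^0, alpha^1, ..., alpha^(n-1)}, n = order of alpha."""
    return [pow(alpha, i, p) for i in range(order(alpha, p))]


def dlog(alpha: int, y: int, p: int):
    """log_alpha(y): the unique x in Z_n with alpha^x = y (mod p), n = order of alpha,
    found by exhaustive search over <alpha>.  None when y is not in <alpha>
    (the logarithm is then undefined)."""
    cur = 1
    for x in range(order(alpha, p)):
        if cur == y % p:
            return x
        cur = (cur * alpha) % p
    return None


def demo() -> dict:
    return {
        "2 generates Z_19*": is_generator(2, 19),            # Example 1
        "log_2 7 in Z_19*": dlog(2, 7, 19),                   # 2^6 = 64 = 7 (mod 19)
        "log_2 14 in Z_19*": dlog(2, 14, 19),
        "<3> in Z_11*": cyclic_subgroup(3, 11),               # Example 2: {1, 3, 9, 5, 4}
        "3 generates Z_11*": is_generator(3, 11),
        "log_3 5 in Z_11*": dlog(3, 5, 11),
        "log_3 10 in Z_11*": dlog(3, 10, 11),                 # None: 10 is not in <3>
    }


if __name__ == "__main__":
    print(demo())
```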

Page 37

DLP in $Z_p^*$

• $Z_p^* = \{1, 2, \ldots, p-1\} = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$. Let $\alpha$ be a generator of $Z_p^*$ (a primitive root of unity modulo $p$).
• Given $y \in Z_p^*$, find the unique $x \in Z_{p-1}$ such that $y = \alpha^x \bmod p$. That is, given $y \in Z_p^*$, find $x = \log_\alpha y$.
• There is a subexponential-time algorithm for DLP in $Z_p^*$: Index Calculus, $2^{O(\sqrt{n \log n})}$, where $n = \log p$.

Page 38

RSA vs. Discrete Logarithm

• RSA is a one-way function:
  $x \xrightarrow{\mathrm{RSA}} x^e$ (easy)
  $x \xleftarrow{\mathrm{RSA}^{-1}} x^e$ (difficult)
  $x \xleftarrow{\mathrm{RSA}^{-1},\ d} x^e$ (trapdoor; $d$ is a trapdoor)
• Logarithm is the inverse of exponentiation:
  $x \xrightarrow{\exp} \alpha^x$ (easy)
  $x \xleftarrow{\log} \alpha^x$ (difficult)
  $\log$ is hard to compute, so $\exp$ is a one-way function, but without a trapdoor.
• An encryption scheme based on the difficulty of $\log$ will not simply encrypt $x$ as $\alpha^x$.

Page 39

Diffie-Hellman key agreement

• $Z_p^* = \{1, 2, \ldots, p-1\} = \{\alpha^0, \alpha^1, \ldots, \alpha^{p-2}\}$.
• Alice and Bob wish to set up a secret key.
  1. Alice and Bob agree on a large prime $p$ and a primitive root (generator) $\alpha \in Z_p^*$. ($p$, $\alpha$ not secret.)
  2. Alice → Bob: $\alpha^a \bmod p$, where $a \leftarrow_R Z_{p-1}$.
  3. Alice ← Bob: $\alpha^b \bmod p$, where $b \leftarrow_R Z_{p-1}$.
  4. They agree on the key: $\alpha^{ab} \bmod p$.
• Diffie-Hellman problem: given $p$, $\alpha$, $\alpha^a$, $\alpha^b \in Z_p^*$, compute $\alpha^{ab}$.
• Diffie-Hellman assumption: the Diffie-Hellman problem is intractable.

Page 40

Ideas behind ElGamal encryption in $Z_p^*$

0. Bob is to send a message $m$ to Alice, who has private key $x$ and public key $y := \alpha^x$.
1. Regard $m$ as an element in $Z_p^*$.
2. Use Diffie-Hellman to set up a temporary key. Bob generates $k$ and computes $y^k$ ($= \alpha^{xk}$).
3. Bob uses this key $y^k$ to encrypt $m$ as $m \cdot y^k$.
4. Bob sends $\alpha^k$ along with $m y^k$ so that Alice can compute $y^k = (\alpha^k)^x$.
That is, $E(m) = (\alpha^k, m \cdot y^k)$.

Page 41

ElGamal encryption in $Z_p^*$

1. Key generation (e.g., for Alice):
  • choose a large prime $p$ and a primitive root $\alpha \in Z_p^*$, where $p - 1$ has a large prime factor;
  • randomly choose a number $x \in Z_{p-1}$ and compute $y := \alpha^x$;
  • set $pk := (p, \alpha, y)$ and $sk := (p, \alpha, x)$.
2. Encryption: $E_{pk}(m) := (\alpha^k, m y^k)$, where $k \leftarrow_R Z_{p-1}$, $m \in Z_p^*$.
3. Decryption: $D_{sk}(a, b) := b \cdot a^{-x}$.
4. Remarks: All operations are done in $Z_p^*$, i.e., modulo $p$. The encryption scheme is non-deterministic.

Page 42

Security of ElGamal encryption against CPA

• Based on the Diffie-Hellman assumption.
• Diffie-Hellman problem ≤ disc discrete logarithm problem.
• Open problem: discrete logarithm ≤ Diffie-Hellman?
• Theorem: If the Diffie-Hellman assumption is true, then the ElGamal encryption scheme is CPA-secure.

Page 43

Security of ElGamal encryption against CCA

• A function $f : G \to G'$ is homomorphic if $f(xy) = f(x) f(y)$.
• ElGamal encryption is homomorphic, $E(mm') = E(m) \cdot E(m')$, in the following sense: If $E(m) = (\alpha^k, m y^k)$ and $E(m') = (\alpha^{k'}, m' y^{k'})$, then
  $E(m) \cdot E(m') = (\alpha^k \alpha^{k'},\ m y^k \cdot m' y^{k'}) = (\alpha^{k+k'},\ mm' y^{k+k'})$
  is a valid encryption of $mm'$.
• As such, ElGamal encryption is not CCA-secure (i.e., not indistinguishable against CCA).
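ElGamal key generation, encryption and decryption from the preceding slide, with the componentwise ciphertext product above, as an added Python example (not code from the slides). The parameters $p = 19$, $\alpha = 2$, $x = 5$ and the messages 7 and 5 are constructed toy values (2 is a generator of $Z_{19}^*$, as in Example 1); the `k` argument exists only so the run is repeatable, and production code would always let $k$ be drawn fresh. The product of two ciphertexts decrypts to $mm'$ even though nobody holding the key took part, which is the malleability the slide uses to rule out CCA security.

```python
import random


def elgamal_keygen(p: int, alpha: int, x: int):
    """sk = (p, alpha, x), pk = (p, alpha, y) with y = alpha^x mod p.
    p prime and alpha a primitive root mod p are assumed."""
    return (p, alpha, pow(alpha, x, p)), (p, alpha, x)


def elgamal_encrypt(pk, m: int, k=None, rng=random):
    """E_pk(m) = (alpha^k, m * y^k) with k <-_R Z_{p-1}, fresh for every message."""
    p, alpha, y = pk
    if k is None:
        k = rng.randrange(1, p - 1)
    return pow(alpha, k, p), (m * pow(y, k, p)) % p


def elgamal_decrypt(sk, ct) -> int:
    """D_sk(a, b) = b * a^{-x}.  Since a^(p-1) = 1 in Z_p^*, a^{-x} = a^(p-1-x)."""
    p, alpha, x = sk
    a, b = ct
    return (b * pow(a, p - 1 - x, p)) % p      # b * a^{-x} = m y^k alpha^{-kx} = m


def multiply_ciphertexts(ct1, ct2, p: int):
    """Componentwise product: (alpha^k alpha^k', m y^k * m' y^k')
    = (alpha^{k+k'}, m m' y^{k+k'}), a valid encryption of m*m' made without any key."""
    return (ct1[0] * ct2[0]) % p, (ct1[1] * ct2[1]) % p


def demo() -> dict:
    pk, sk = elgamal_keygen(19, 2, 5)          # constructed toy: y = 2^5 mod 19 = 13
    c1 = elgamal_encrypt(pk, 7, k=3)           # (2^3, 7 * 13^3) mod 19 = (8, 8)
    c2 = elgamal_encrypt(pk, 5, k=4)
    c12 = multiply_ciphertexts(c1, c2, 19)     # encrypts 7 * 5 mod 19 = 16 under k + k' = 7
    return {
        "c1": c1,
        "m1": elgamal_decrypt(sk, c1),
        "m2": elgamal_decrypt(sk, c2),
        "m1_times_m2": elgamal_decrypt(sk, c12),
        "random_k_roundtrip_ok": elgamal_decrypt(sk, elgamal_encrypt(pk, 11)) == 11,
    }


if __name__ == "__main__":
    print(demo())
```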

Page 44

Symmetric vs. Asymmetric

• Symmetric encryptions are much faster than asymmetric ones.
  – AES is typically 100 times faster than RSA encryption, and 1000 times faster than RSA decryption.
• Use asymmetric cipher to set up a session key and then use symmetric cipher to encrypt data.

Page 45

Security Issues

What does it mean that an encryption scheme is secure (or insecure)?

• Semantic security
• Ciphertext-indistinguishability
• Non-malleability

Page 46

Different levels of security

• Consider ciphertext-only attacks; i.e., the adversary is an eavesdropper.
• How to define security? Several options: An encryption scheme is secure if, given a ciphertext $c$ ($= E_k(m)$), no adversary can
  (1) find the secret key $k$
  (2) find the plaintext $m$
  (3) find any character of the plaintext
  (4) find any meaningful information about the plaintext
  (5) find any information about the plaintext.
• We will adopt (and formalize) #5, which is called semantic security and seems to indicate the highest level of security.

Page 47

Different types of attackers

• Different types of attacks (classified by the amount of information that may be obtained by the attacker):
  – Ciphertext-only attack
  – Known-plaintext attack
  – Chosen-plaintext attack (CPA)
  – Chosen-ciphertext attack (CCA)

Page 48

Security Parameter

• The security of an encryption scheme typically depends on its key length. Is RSA secure if $n = 216$, 512, or 1024?
• In general, an encryption scheme is associated with an integer $n$ called its security parameter. (For now, you may think of it as key length.)
• When we say that the probability $\Pr(\cdot)$ of an encryption scheme being broken is negligible, it is w.r.t. the encryption scheme's security parameter.

Page 49

Negligible functions

• A nonnegative function $f : N \to R$ is said to be negligible if for every positive polynomial $P(n)$, there is an integer $n_0$ such that $f(n) < \frac{1}{P(n)}$ for all $n > n_0$ (i.e., for sufficiently large $n$).
• Examples: $2^{-n}$, $2^{-\sqrt{n}}$, $n^{-\log n}$ are negligible functions.
• Negligible functions approach zero faster than the reciprocal of every polynomial. We write $\mathrm{negl}(n)$ to denote an unspecified negligible function.

Page 50

Symmetric-key encryption scheme

• Message space: $M = \{0,1\}^*$.
• Key generation algorithm $G$: On input $1^n$, $G(1^n)$ outputs a key $k \in \{0,1\}^n$. ($K = \{0,1\}^n$; and $n$ is the security parameter.)
• Encryption algorithm $E$: On input a key $k$ and a plaintext $m \in M$, $E$ outputs a ciphertext $c$. We write $c \leftarrow E(k, m)$ or $c \leftarrow E_k(m)$.
• Decryption algorithm $D$: On input a key $k$ and a ciphertext $c$, $D$ outputs a message $m$. We write $m := D(k, c)$ or $m := D_k(c)$.
• Correctness requirement: for each $k \in K$ and $m \in M$, $D_k(E_k(m)) = m$.
• $G, E, D$ are polynomial probabilistic algorithms. $D$ is deterministic.

Page 51

Semantic Security

• Informally, an encryption scheme is semantically secure if whatever an adversary with $c$ ($= E(m)$) can learn about $m$, one can learn equally well without $c$.
• A private-key encryption scheme $(G, E, D)$ with security parameter $n$ is semantically secure against an eavesdropper if for every probabilistic polynomial-time (PPT) algorithm $A$ there exists a PPT $A'$ such that for all polynomial-time computable functions $f$ and $h$, there exists a negligible function negl such that:
  $\left|\Pr[A(1^n, E_k(m), h(m)) = f(m) : k \leftarrow G(1^n),\ m \leftarrow \{0,1\}^n] - \Pr[A'(1^n, h(m)) = f(m) : m \leftarrow \{0,1\}^n]\right| \le \mathrm{negl}(n)$.

Page 52

Ciphertext-Indistinguishability

• Adversary: a polynomial-time eavesdropper.
• $(G, E, D)$: an encryption scheme with security parameter $n$.
• Imagine a game played by Bob and Eve (adversary):
  – Eve is given input $1^n$ and outputs a pair of messages $m_0, m_1$ of the same length.
  – Bob chooses a key $k \leftarrow G(1^n)$ and $m \leftarrow_u \{m_0, m_1\}$. He computes $c \leftarrow E_k(m)$ and gives $c$ to Eve.
  – Eve tries to determine whether $c$ is the encryption of $m_0$ or $m_1$.
• An encryption scheme is ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than $1/2$.

Page 53

Definition: An encryption scheme is ciphertext-indistinguishable against eavesdroppers if for every PPT algorithm $A$ and all $m_0, m_1 \in M$ with $|m_0| = |m_1|$, it holds:
  $\Pr[A(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ m \leftarrow_u \{m_0, m_1\}] \le \frac{1}{2} + \mathrm{negl}(n)$.

Page 54

Equivalence of semantic security and ciphertext-indistinguishability

• Theorem: Against an eavesdropper, an encryption scheme is semantically secure iff it is ciphertext-indistinguishable.
• Theorem: Under CPA, CCA1 or CCA2, an encryption scheme is semantically secure if and only if it is ciphertext-indistinguishable.

Page 55

Chosen-plaintext attacks (CPA)

• In CSE 651 we described CPA as follows: Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $m_1, m_2, \ldots, m_t$ are chosen by the adversary; and a new ciphertext $c$. Q: what is the plaintext of $c$?
• Adaptively-chosen-plaintext attack: $m_1, m_2, \ldots, m_t$ are chosen adaptively.
• Now we describe CPA in terms of an oracle.

Page 56

Chosen-plaintext attacks (CPA)

• A CPA on an encryption scheme $(G, E, D)$ is modeled as follows.
  1. A key $k \leftarrow G(1^n)$ is generated.
  2. The adversary is given input $1^n$ and oracle access to $E_k$. She may request the oracle to encrypt plaintexts of her choice.
  3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$; and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$.
  4. The adversary continues to have oracle access and may request the encryptions of additional plaintexts of her choice, even $m_0$ and $m_1$.
  5. The adversary finally answers 0 or 1.
• Note: The CPA here actually refers to an adaptive CPA.

Page 57

Ciphertext-indistinguishability against CPA

• An encryption scheme $(G, E, D)$ is IND-CPA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$.
• Definition: an encryption scheme $(G, E, D)$ is IND-CPA if for every polynomial adversary $A$ it holds that:
  $\Pr[A^{E_k}(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ m \leftarrow_u \{m_0, m_1\},\ m_0, m_1 \in M] \le \frac{1}{2} + \mathrm{negl}(n)$
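The five-step CPA experiment of the previous slide, run repeatedly as an added Python example (not code from the slides), with the adversary that the "Security of RSA" slide implies when it says deterministic RSA is not CPA-secure: she uses her oracle access in step 4 to re-encrypt $m_0$ and $m_1$ and compares the results with the challenge. The same adversary is then run against a padded-RSA encryptor that prepends a fresh random $r$ before exponentiation, as on the Padded RSA slide, and her success rate drops to about $1/2$. The modulus $n = 1000003 \cdot 1000033$, $e = 17$, the 20-bit $r$ and the two messages are constructed toy values; the RSA secret key is never needed because the experiment only encrypts.

```python
import random

# Constructed toy RSA public key: n = 1000003 * 1000033 (two small primes), e = 17.
N = 1000003 * 1000033
E = 17


def textbook_rsa_encrypt(m: int, rng) -> int:
    """Deterministic: the same m always yields the same ciphertext (rng unused)."""
    return pow(m, E, N)


def padded_rsa_encrypt(m: int, rng) -> int:
    """Padded RSA: encrypt r || m with a fresh 20-bit r (toy sizes; m < 2^16 keeps r||m < n)."""
    r = rng.getrandbits(20)
    return pow((r << 16) | m, E, N)


def reencrypt_adversary(m0: int, m1: int, c: int, oracle, rng) -> int:
    """Step 4 of the CPA model: query the encryption oracle on both candidates and
    compare with the challenge.  Against a deterministic scheme this always succeeds."""
    if oracle(m0) == c:
        return 0
    if oracle(m1) == c:
        return 1
    return rng.randrange(2)            # oracle answers differ from c: no information, guess


def ind_cpa_win_rate(encrypt, adversary, trials: int = 400, seed: int = 1) -> float:
    """Steps 1-5 of the CPA experiment, repeated; returns the adversary's success rate."""
    rng = random.Random(seed)          # seeded so a run is repeatable
    wins = 0
    for _ in range(trials):
        m0, m1 = 65, 1234                                  # step 3: adversary's messages (constructed)
        b = rng.randrange(2)                               # b <-_u {0,1}
        c = encrypt((m0, m1)[b], rng)                      # challenge c <- E_k(m_b)
        guess = adversary(m0, m1, c, lambda m: encrypt(m, rng), rng)   # step 4: oracle access
        wins += int(guess == b)                            # step 5: answer compared with b
    return wins / trials


def demo() -> dict:
    return {
        "textbook_rsa": ind_cpa_win_rate(textbook_rsa_encrypt, reencrypt_adversary),
        "padded_rsa": ind_cpa_win_rate(padded_rsa_encrypt, reencrypt_adversary),
    }


if __name__ == "__main__":
    print(demo())
```

A success rate of exactly 1 means the advantage over $1/2$ is not negligible, so textbook RSA fails the definition above; the padded variant only shows that this particular adversary gains nothing, which is consistent with, but not a proof of, the CPA-security theorem stated for padded RSA.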

Page 58

Chosen-ciphertext attacks (CCA)

• In CSE 651 we also described CCA as follows: Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $c_1, c_2, \ldots, c_t$ are chosen by the adversary; and a new ciphertext $c$. Q: what is the plaintext of $c$?
• Adaptively-chosen-ciphertext attack: $c_1, c_2, \ldots, c_t$ are chosen adaptively.
• Now we describe CCA in terms of an oracle.
• We will allow a CCA adversary to also have CPA capability. (So, combined CCA+CPA, rather than pure CCA.)

Page 59

Chosen-ciphertext attacks (CCA)

• A CCA on an encryption scheme $(G, E, D)$ is modeled as follows.
  1. A key $k \leftarrow G(1^n)$ is generated.
  2. The adversary is given input $1^n$ and oracle access to $E_k$ and $D_k$. She may request the oracles to perform encryptions and/or decryptions for her.
  3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$; and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$.
  4. The adversary continues to have oracle access to $E_k$ and $D_k$, but is not allowed to request the decryption of $c$.
  5. The adversary finally answers 0 or 1.

Page 60

CCA1 vs. CCA2

• The CCA described above is also called CCA2.
• If in item #4 the adversary has no access to the decryption oracle, the CCA is called CCA1.

Page 61

Ciphertext-indistinguishability against CCA

An encryption scheme $(G, E, D)$ is IND-CCA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than 1/2.

Definition: an encryption scheme $(G, E, D)$ is IND-CCA if for every polynomial-time adversary $A$, it holds that:

$$\Pr\Big[A(1^n, E_k, D_k, m_0, m_1, E_k(m_b)) = b \;:\; k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A(1^n, E_k, D_k),\ m_0, m_1 \in M,\ |m_0| = |m_1|,\ b \leftarrow_u \{0,1\}\Big] \le \tfrac{1}{2} + \mathrm{negl}(n).$$

Page 62

Non-malleability

• An encryption scheme $(G, E, D)$ is non-malleable if, given a ciphertext $c = E(m)$, it is computationally infeasible for an adversary to produce a ciphertext $c'$ such that $m' = D(c')$ has some known relation with $m$.
• RSA is malleable.
• IND-CCA2 implies non-malleable.
• Later we will see that every homomorphic encryption scheme is malleable, and hence cannot be IND-CCA2.
• Highest security level possible: IND-CCA1. (?)

Page 63

Homomorphic Encryption

Fontaine and Galand, “A survey of homomorphic encryption for nonspecialists,” EURASIP Journal on Information Security, 2007.

Page 64

RSA is homomorphic

$\mathrm{RSA}(m_1) \cdot \mathrm{RSA}(m_2) = \mathrm{RSA}(m_1 \cdot m_2)$, where $\cdot$ is the multiplication in $Z_n^*$ (i.e., modulo $n$).

Easy to verify:

$\mathrm{RSA}(m_1) = m_1^e$

$\mathrm{RSA}(m_2) = m_2^e$

$\mathrm{RSA}(m_1) \cdot \mathrm{RSA}(m_2) = m_1^e \cdot m_2^e = (m_1 \cdot m_2)^e = \mathrm{RSA}(m_1 \cdot m_2)$

Page 65

Homomorphic encryption

$M$: message space
$C$: ciphertext space
$\circ_M$: some binary operation in $M$
$\circ_C$: some binary operation in $C$

Definition: An encryption scheme is homomorphic if for any encryption key $k$ the encryption function $E$ satisfies $E(m_1 \circ_M m_2) = E(m_1) \circ_C E(m_2)$ for all messages $m_1, m_2 \in M$.

Comment: applicable only to deterministic encryption schemes.

Page 66

ElGamal encryption is homomorphic

• $E(m_1 \cdot m_2) \leftarrow E(m_1) \cdot E(m_2)$, in the following sense: $E(m_1) \cdot E(m_2)$ (the component-wise product of the two ciphertext pairs) is a valid encryption of $m_1 \cdot m_2$.

Verification: If $E(m_1) = (g^{k_1}, m_1 y^{k_1})$ and $E(m_2) = (g^{k_2}, m_2 y^{k_2})$, then

$E(m_1) \cdot E(m_2) = (g^{k_1}, m_1 y^{k_1}) \cdot (g^{k_2}, m_2 y^{k_2}) = (g^{k_1 + k_2}, m_1 m_2 y^{k_1 + k_2})$,

which is an encryption of $m_1 m_2$.

Page 67

Homomorphic encryption redefined

$M$: message space
$C$: ciphertext space
$\circ_M$: some binary operation in $M$
$\circ_C$: some binary operation in $C$

Definition: An encryption scheme is homomorphic if for any encryption key $k$ the encryption function $E_k$ satisfies $E_k(m_1 \circ_M m_2) \leftarrow E_k(m_1) \circ_C E_k(m_2)$ for all messages $m_1, m_2 \in M$.

Comment: $\leftarrow$ means "an encryption can be computed from".

Page 68

An equivalent definition

Definition: An encryption scheme is homomorphic if its encryption and decryption functions $E, D$ satisfy $D(E(m_1) \circ_C E(m_2)) = m_1 \circ_M m_2$ for all messages $m_1, m_2 \in M$ and all encryption/decryption key pairs.

Page 69

A generalized definition

Definition: An encryption scheme is homomorphic w.r.t. $\circ_M$ if there is a polynomial time algorithm $A$ such that $E(m_1 \circ_M m_2) \leftarrow A(E(m_1), E(m_2))$ (or $D(A(E(m_1), E(m_2))) = m_1 \circ_M m_2$) for all messages $m_1, m_2 \in M$ and all encryption/decryption key pairs.

Question: How to further generalize it?

Page 70

Various homomorphic encryptions

• An encryption scheme is
  – additively homomorphic if it is homomorphic w.r.t. $+_M$;
  – multiplicatively homomorphic if it is homomorphic w.r.t. $\cdot_M$;
  – algebraically homomorphic if it is homomorphic w.r.t. both $+_M$ and $\cdot_M$.
• RSA and ElGamal are multiplicatively homomorphic.
• Padded RSA and OAEP-RSA are not homomorphic.
• RSA is not IND-CPA secure; ElGamal is.
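The following is an added example, not code from the slides: textbook RSA with toy primes, used to exercise the IND-CPA game of the definition (the re-encrypting adversary wins every round because textbook RSA is deterministic), the multiplicative homomorphism of the RSA slide, and the malleability that the non-malleability slide attributes to RSA. The padded variant (`padded_enc`/`padded_dec`, a constructed fixed-tag redundancy, not OAEP) shows the receiver-side check that rejects a multiplied ciphertext; all parameters, names and tag values are constructed for illustration.

```python
# Added example (not from the slides): textbook RSA with toy primes, showing
# the multiplicative homomorphism RSA(m1)*RSA(m2) = RSA(m1*m2) mod n, why a
# deterministic scheme loses the IND-CPA game of the definition, and how
# redundancy in the plaintext (a toy stand-in for real padding) lets the
# receiver reject a multiplied ciphertext. All parameters are constructed.
import secrets

P, Q = 61, 53                 # toy primes; real keys use a ~2048-bit n
N = P * Q                     # 3233
PHI = (P - 1) * (Q - 1)       # 3120
E_EXP = 17
D_EXP = pow(E_EXP, -1, PHI)   # 2753

TAG = 0xA   # constructed 4-bit redundancy tag appended to every padded plaintext


def rsa_enc(m: int) -> int:
    """Textbook RSA: deterministic, unpadded, m^e mod n."""
    return pow(m, E_EXP, N)


def rsa_dec(c: int) -> int:
    return pow(c, D_EXP, N)


def homomorphism_holds(m1: int, m2: int) -> bool:
    """RSA(m1) * RSA(m2) == RSA(m1 * m2) with multiplication modulo n."""
    return (rsa_enc(m1) * rsa_enc(m2)) % N == rsa_enc((m1 * m2) % N)


def ind_cpa_game(encrypt, adversary, trials: int = 100) -> float:
    """Run the IND-CPA game from the definition `trials` times and return the
    adversary's success rate. `encrypt` plays the oracle E_k; the adversary
    receives m0, m1, the challenge E_k(m_b) and oracle access, and outputs a bit."""
    m0, m1 = 2, 3
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        challenge = encrypt(m1 if b else m0)
        wins += int(adversary(encrypt, m0, m1, challenge) == b)
    return wins / trials


def reencrypt_adversary(encrypt, m0, m1, challenge) -> int:
    """Against deterministic encryption, re-encrypting m0 and comparing it
    with the challenge determines b every time."""
    return 0 if encrypt(m0) == challenge else 1


def padded_enc(m: int) -> int:
    """Toy 'padded RSA': append a fixed tag nibble before encrypting.
    (A stand-in for redundancy checks; not OAEP, and still deterministic.)"""
    assert 0 <= m < (N >> 4)
    return rsa_enc((m << 4) | TAG)


def padded_dec(c: int):
    """Return the message, or None if the tag does not verify."""
    x = rsa_dec(c)
    return x >> 4 if (x & 0xF) == TAG else None


def multiply_into(c: int, factor: int) -> int:
    """Combine a ciphertext with E(factor): for textbook RSA the result decrypts
    to factor*m (the malleability the slides note), while the padded variant's
    tag check fails on the same operation."""
    return (c * rsa_enc(factor)) % N


if __name__ == "__main__":
    print(homomorphism_holds(65, 7))                        # True
    print(ind_cpa_game(rsa_enc, reencrypt_adversary))       # 1.0
    print(rsa_dec(multiply_into(rsa_enc(100), 2)))          # 200
    print(padded_dec(multiply_into(padded_enc(100), 2)))    # None
```

Swapping `rsa_enc` for a randomized scheme in `ind_cpa_game` drives the re-encrypting adversary's success rate back to about 1/2, which is the property the IND-CPA definition demands; the redundancy check does not make the toy padded scheme IND-CPA (it is still deterministic), it only illustrates why the slides list padded RSA as not homomorphic.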

Page 71

Additively homomorphic ElGamal encryption

• Original ElGamal: $E(m) = (g^k, m y^k)$.
• ElGamal encryption can be made additively homomorphic.
• Now, encrypt $m$ as $c = E(m) = (g^k, h^m y^k)$, where $g, h$ are generators of $Z_p^*$.
• Decrypting takes two steps: $m \xleftarrow{\ \text{DL}\ } h^m \xleftarrow{\ \text{ElGamal decryption}\ } c$.
• $E(m_1 + m_2) \leftarrow E(m_1) \cdot E(m_2)$.

Page 72

A simple application

• To vote yes or no, encode a yes-vote as $m = 1$ and a no-vote as $m = -1$.
• Encrypt $m$ as $c = (g^k, h^m y^k)$.
• Send the encrypted vote to a trusted party.
• All votes: $c_1, c_2, c_3, \ldots, c_k$.

$$\prod_{i=1}^{k} c_i = \Big(g^{\sum_i k_i},\ h^{\sum_i m_i} \cdot y^{\sum_i k_i}\Big) = E\Big(\sum_i m_i \bmod (p-1)\Big)$$

$$D\Big(\prod_{i=1}^{k} c_i\Big) = \sum_{i=1}^{k} m_i \bmod (p-1) = \sum_{i=1}^{k} m_i \quad \text{(why?)}$$
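An added example (not code from the slides) covering the multiplicative ElGamal homomorphism of the "ElGamal encryption is homomorphic" slide and the additively homomorphic variant with its yes/no tally from the two slides above. It works in a toy group $Z_{23}^*$ with generators 5 and 7 (both constructed and verified in code); the function names, the brute-force discrete-log step for the small tally range, and the `bound` argument are assumptions of this example.

```python
# Added example (not from the slides): ElGamal over a toy group Z_p^*, showing
# the multiplicative homomorphism (component-wise product of ciphertexts) and
# the additively homomorphic variant that encrypts h^m and tallies +1/-1 votes.
# The prime and generators are constructed for illustration only.
import secrets

P = 23          # toy prime; Z_23^* has 22 elements (real deployments use ~2048-bit p)
G, H = 5, 7     # both generators of Z_23^* (checked by is_generator below)


def is_generator(g: int, p: int) -> bool:
    """Brute-force order check; fine for a toy p."""
    return len({pow(g, i, p) for i in range(1, p)}) == p - 1


def keygen():
    """Private key x, public key y = g^x mod p."""
    x = 1 + secrets.randbelow(P - 2)
    return x, pow(G, x, P)


def enc(m: int, y: int) -> tuple:
    """Original ElGamal: E(m) = (g^k, m * y^k) with a fresh random k."""
    k = 1 + secrets.randbelow(P - 2)
    return pow(G, k, P), (m * pow(y, k, P)) % P


def dec(c: tuple, x: int) -> int:
    """m = b * a^(-x) mod p, with a^(-x) computed as a^(p-1-x)."""
    a, b = c
    return (b * pow(a, P - 1 - x, P)) % P


def mul_ciphertexts(c1: tuple, c2: tuple) -> tuple:
    """Component-wise product: (g^(k1+k2), m1*m2 * y^(k1+k2))."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P


def enc_add(m: int, y: int) -> tuple:
    """Additively homomorphic variant: encrypt h^m instead of m (m may be negative)."""
    return enc(pow(H, m % (P - 1), P), y)


def dec_add(c: tuple, x: int, bound: int) -> int:
    """Two steps as on the slide: ElGamal decryption yields h^m, then the
    discrete log is solved by brute force over the small range [-bound, bound]."""
    hm = dec(c, x)
    for m in range(-bound, bound + 1):
        if pow(H, m % (P - 1), P) == hm:
            return m
    raise ValueError("tally outside the expected range")


def tally(votes: list, y: int, x: int) -> int:
    """Each vote is +1 (yes) or -1 (no): multiply all ciphertexts, decrypt once."""
    assert all(v in (1, -1) for v in votes)
    assert 2 * len(votes) < P - 1      # the sum must be recoverable modulo p-1
    product = (1, 1)                   # neutral element for the component-wise product
    for v in votes:
        product = mul_ciphertexts(product, enc_add(v, y))
    return dec_add(product, x, len(votes))


if __name__ == "__main__":
    x, y = keygen()
    print(dec(mul_ciphertexts(enc(4, y), enc(9, y)), x))   # 36 mod 23 = 13
    print(tally([1, 1, -1, 1, -1], y, x))                  # 1
```

The `2 * len(votes) < P - 1` guard is the answer to the slide's "(why?)": the exponent is only known modulo $p-1$, so the tally is recovered exactly only while it cannot wrap around.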

Page 73

Yao's Millionaire Problem

• Two millionaires, Alice and Bob, want to know who is richer without revealing their actual wealth.
• Alice is worth $a$ millions, and Bob $b$ millions. Q: $a < b$?
• Initially suggested and solved by Andrew Yao in 1982.
• Later generalized to a problem called Multiparty Computation.
• Would be trivial if there is a secure encryption scheme that is homomorphic w.r.t. "$<$", namely, $(m_1 < m_2) \leftarrow D(A(E(m_1), E(m_2)))$.

Page 74

Quadratic Residues

• Let $n \ge 2$ be any number. Quadratic residues: elements in $Z_n^*$ which are a square.
• $\mathrm{QR}_n$ = the subgroup of quadratic residues in $Z_n^*$.
• $\mathrm{QNR}_n = Z_n^* - \mathrm{QR}_n$ = quadratic non-residues in $Z_n^*$.
• Legendre symbol: $\left(\frac{x}{p}\right) = \begin{cases} +1 & \text{if } [x] \in \mathrm{QR}_p \ (x \text{ is a square}) \\ -1 & \text{if } [x] \in \mathrm{QNR}_p \ (\text{not a square}) \\ 0 & \text{if } [x] = 0 \end{cases}$
• Euler's criterion: $\left(\frac{x}{p}\right) = x^{(p-1)/2} \bmod p$.
• Jacobi symbol: $\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right)$, assuming $n = pq$.

Page 75

Quadratic Residues (cont'd)

• $\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right)$. Thus, $\left(\frac{x}{n}\right) = 1$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = \pm 1$.
• $x$ is a quadratic residue in $Z_n^*$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$.
• $Z_n^* = \mathrm{QR}_n \cup \mathrm{QNR}_n = \mathrm{QR}_n \cup \mathrm{QNR}_n^+ \cup \mathrm{QNR}_n^-$.
• If $\left(\frac{x}{n}\right) = -1$, then $x \in \mathrm{QNR}_n^-$.
• If $\left(\frac{x}{n}\right) = 1$, $x \in \mathrm{QR}_n \cup \mathrm{QNR}_n^+$.
• Quadratic residuosity assumption: Given $x \in Z_n^*$ with $\left(\frac{x}{n}\right) = 1$, it is intractable to determine whether $x \in \mathrm{QR}_n$ or $x \in \mathrm{QNR}_n^+$ without knowing the factorization $n = pq$. Knowing $n = pq$, it is easy to determine if $x \in \mathrm{QR}_n$ or $\mathrm{QNR}_n^+$.

Page 76

Goldwasser-Micali encryption scheme (idea)

• First probabilistic encryption scheme.
• Encrypt one bit $b \in \{0,1\}$ at a time.
• Encrypt $b = 0$ as a random number in $\mathrm{QR}_n$.
• Encrypt $b = 1$ as a random number in $\mathrm{QNR}_n^+$.
• To decrypt $c = E(b)$, simply determine if $c \in \mathrm{QR}_n$ (i.e., $\left(\frac{c}{p}\right) = \left(\frac{c}{q}\right) = 1$?).

Page 77

Goldwasser-Micali encryption scheme

• System setup: Alice chooses $n = pq$ and $g \in \mathrm{QNR}_n^+$. Public key: $(n, g)$. Private key: $(p, q)$.
• Encryption: $E(b) = g^b r^2$, where $r \in_R Z_n^*$. Note: $E(b)$ is a quadratic residue iff $b = 0$.
• To decrypt $c = E(b)$, simply determine if $c \in \mathrm{QR}_n$.
• Drawback: it takes $|n| = 1024$ bits to encrypt a single bit. This scheme has an expansion of 1024.
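An added example, not code from the slides, for the quadratic-residue slides and the Goldwasser-Micali scheme just described: Legendre symbols by Euler's criterion, the Jacobi symbol as their product, the set $\mathrm{QNR}_n^+$ (Jacobi symbol 1 but not a square), and GM encryption of single bits with decryption via the private factors. It also checks the well-known XOR homomorphism of GM (the product of two ciphertexts decrypts to $b_1 \oplus b_2$), which the slides do not state explicitly. The primes $11, 19$ and all function names are constructed for illustration.

```python
# Added example (not from the slides): Legendre/Jacobi symbols via Euler's
# criterion and a toy Goldwasser-Micali bit encryption with g drawn from
# QNR_n^+ as on the slide. Toy primes are constructed for illustration only.
import secrets
from math import gcd

P, Q = 11, 19           # toy primes (real GM uses ~1024-bit primes, |n| = 1024)
N = P * Q               # 209


def legendre(x: int, p: int) -> int:
    """Legendre symbol (x/p) by Euler's criterion: x^((p-1)/2) mod p is 0, 1 or p-1."""
    r = pow(x % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(x: int, n: int = N, p: int = P, q: int = Q) -> int:
    """Jacobi symbol (x/n) = (x/p)(x/q) for n = pq."""
    return legendre(x, p) * legendre(x, q)


def is_qr(x: int, p: int = P, q: int = Q) -> bool:
    """x in QR_n iff (x/p) = (x/q) = 1; this needs the factorization of n."""
    return legendre(x, p) == 1 and legendre(x, q) == 1


def qnr_plus(n: int = N, p: int = P, q: int = Q) -> list:
    """QNR_n^+: Jacobi symbol 1 but not a square, i.e. (x/p) = (x/q) = -1."""
    return [x for x in range(1, n)
            if gcd(x, n) == 1 and legendre(x, p) == -1 and legendre(x, q) == -1]


def gm_keygen(n: int = N, p: int = P, q: int = Q):
    """Public key (n, g) with g in QNR_n^+; private key (p, q)."""
    g = qnr_plus(n, p, q)[0]
    return (n, g), (p, q)


def gm_enc(b: int, pk) -> int:
    """E(b) = g^b * r^2 mod n with random r in Z_n^*; E(b) is a QR iff b = 0."""
    n, g = pk
    while True:
        r = 1 + secrets.randbelow(n - 1)
        if gcd(r, n) == 1:
            break
    return (pow(g, b, n) * r * r) % n


def gm_dec(c: int, sk) -> int:
    """c is a quadratic residue iff (c/p) = 1 (then also (c/q) = 1 by construction)."""
    p, _q = sk
    return 0 if legendre(c, p) == 1 else 1


def gm_xor_homomorphic(b1: int, b2: int, pk, sk) -> bool:
    """Product of two ciphertexts is g^(b1+b2) (r1 r2)^2, a QR iff b1+b2 is even,
    so it decrypts to b1 XOR b2."""
    n, _g = pk
    return gm_dec((gm_enc(b1, pk) * gm_enc(b2, pk)) % n, sk) == (b1 ^ b2)


if __name__ == "__main__":
    pk, sk = gm_keygen()
    print(pk, [gm_dec(gm_enc(b, pk), sk) for b in (0, 1)])   # (209, 2) [0, 1]
```

Without $(p, q)$ a verifier can compute only the Jacobi symbol, which is 1 for every ciphertext of either bit; that is exactly the gap the quadratic residuosity assumption places between the public and private views.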

Page 78

Reducing the expansion

• Idea of Goldwasser-Micali: Take a group $G$ and a subgroup $H$. Partition $G$ into two parts: $M_0 = H$ and $M_1 = G \setminus H$. Randomly select an element in $M_b$ to encrypt $b$.
• To generalize, choose $G$ and $H$ such that $G$ can be split into more parts.
• Benaloh: $k$ small prime; $E(m) = g^m r^k$, $m \in \{0, 1, \ldots, k-1\}$; expansion: $|n|/|k|$.
• Okamoto & Uchiyama: reduced the expansion to 3.
• Paillier: reduced the expansion to 2 using group $Z_{n^2}^*$.
• Damgård & Jurik: generalized Paillier's scheme using group $Z_{n^{s+1}}^*$, with expansion $1 + 1/s$.

Page 79

Paillier's encryption scheme

• One of the most well-known homomorphic encryptions.
• $G = Z_{n^2}^*$, where $n = pq$.
• $|G| = \varphi(n^2) = n\,\varphi(n)$.
• $H = \{z \in G : z \text{ is an } n\text{th residue mod } n^2\}$, i.e., $z = y^n \bmod n^2$ for some $y \in G$.
• $H$ is a subgroup and $|H| = \varphi(n)$. Use $H$ to divide $G$ into $n$ classes.
• Let $g \in G$ be any element with order a multiple of $n$.

Page 80

• Define $f : Z_n \times Z_n^* \to Z_{n^2}^*$, $f(x, y) = g^x y^n \bmod n^2$.
• Theorem: $f$ is bijective.
• Each $x \in Z_n$ defines a class in $Z_{n^2}^*$, namely, $f(x, Z_n^*) = \{f(x, y) : y \in Z_n^*\}$.
• Encryption:
  – plaintext $m \in Z_n$
  – select a random $r \in Z_n^*$
  – ciphertext $c = g^m r^n \bmod n^2$
  – additively homomorphic

Page 81

• Decryption (private key: $\lambda(n)$ or $(p, q)$):
  – ciphertext $c \in Z_{n^2}^*$
  – plaintext $m = \left[\dfrac{L(c^{\lambda(n)} \bmod n^2)}{L(g^{\lambda(n)} \bmod n^2)}\right] \bmod n$
  – where $L(u) = (u - 1)/n$
• $\lambda(n)$ is the Carmichael function, i.e., the smallest integer such that $a^{\lambda(n)} \equiv 1 \bmod n$ for all $a \in Z_n^*$. For $n = pq$, $\lambda(n) = \mathrm{lcm}(p-1, q-1)$. (In RSA, $\lambda(n)$ can be used in place of $\varphi(n)$.)

Page 82

• Security: Assumption: Without knowing the factorization $n = pq$, it is intractable to determine if an element $z \in Z_{n^2}^*$ is an $n$th residue modulo $n^2$. If this assumption holds, Paillier's encryption scheme is semantically secure under CPA.
• Let $c$ be the ciphertext of either $m_0$ or $m_1$. So, either $c = g^{m_0} r^n \bmod n^2$ or $c = g^{m_1} r^n \bmod n^2$.
• So, $c\,g^{-m_0} = r^n \bmod n^2$ or $c\,g^{-m_0} = g^{m_1 - m_0} r^n \bmod n^2$.
• $c$ is the ciphertext of $m_0$ iff $c\,g^{-m_0}$ is an $n$th residue modulo $n^2$.

Page 83

• Question: In the above argument, which problem is reduced to which problem?

Page 84

Additively homomorphic on $Z_n$:

• Recall: $E(m) = g^m r^n \bmod n^2$, $m \in Z_n$, $r \in_R Z_n^*$.
• $D(E(m_1) \cdot E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$.
• $D(E(m)^k \bmod n^2) = k\,m \bmod n$.
• $D(E(m_1)^{m_2} \bmod n^2) = m_1 m_2 \bmod n$.

Page 85

A simple application

• To vote yes or no, encode a yes vote as $m = 1$ and a no vote as $m = -1$.
• Encrypt $m$ as $c = g^m r^n \bmod n^2$.
• Send the encrypted vote to a trusted party.
• All votes: $c_1, c_2, c_3, \ldots, c_k$.

$$D\Big(\prod_{i=1}^{k} c_i \bmod n^2\Big) = \sum_{i=1}^{k} m_i \bmod n \;\Rightarrow\; \sum_{i=1}^{k} m_i \quad \text{(why?)}$$
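An added example, not code from the slides, that carries the Paillier slides through in code: key generation with $\lambda(n) = \mathrm{lcm}(p-1, q-1)$, encryption $c = g^m r^n \bmod n^2$, decryption with $L(u) = (u-1)/n$, the additive and scalar homomorphisms, the vote tally above, and the private-key test for $n$th residuosity that the security argument reduces to. The choice $g = n + 1$ (which has order $n$ in $Z_{n^2}^*$), the toy primes $103, 107$, the signed-tally mapping and all function names are assumptions of this example.

```python
# Added example (not from the slides): Paillier key generation, encryption and
# decryption, the additive homomorphism, scalar multiplication of an encrypted
# value, a +1/-1 vote tally, and the nth-residuosity test available to the key
# holder. Toy primes are constructed for illustration only.
import secrets
from math import gcd

P, Q = 103, 107                       # toy primes (p does not divide q-1 and vice versa)
N = P * Q                             # 11021
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda(n) = lcm(p-1, q-1)
G = N + 1                             # has order n in Z_{n^2}^*, so a valid g


def L(u: int) -> int:
    return (u - 1) // N


MU = pow(L(pow(G, LAM, N2)), -1, N)   # inverse of L(g^lambda mod n^2) modulo n


def enc(m: int) -> int:
    """c = g^m r^n mod n^2 with random r in Z_n^*; m is reduced into Z_n."""
    while True:
        r = 1 + secrets.randbelow(N - 1)
        if gcd(r, N) == 1:
            break
    return (pow(G, m % N, N2) * pow(r, N, N2)) % N2


def dec(c: int) -> int:
    """m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    return (L(pow(c, LAM, N2)) * MU) % N


def add_encrypted(c1: int, c2: int) -> int:
    """D(E(m1) * E(m2) mod n^2) = m1 + m2 mod n."""
    return (c1 * c2) % N2


def scale_encrypted(c: int, k: int) -> int:
    """D(E(m)^k mod n^2) = k*m mod n."""
    return pow(c, k, N2)


def tally(votes: list) -> int:
    """Yes = +1, no = -1: multiply all ciphertexts, decrypt once, then map the
    result in Z_n back to a signed integer (valid while |sum| < n/2)."""
    assert all(v in (1, -1) for v in votes) and 2 * len(votes) < N
    product = 1                       # E(0) with r = 1 is the neutral element
    for v in votes:
        product = add_encrypted(product, enc(v))
    s = dec(product)
    return s - N if s > N // 2 else s


def is_nth_residue(z: int) -> bool:
    """With lambda(n) known, z is an nth residue mod n^2 iff z^lambda = 1 mod n^2:
    the nth residues are exactly the elements whose order divides lambda(n)."""
    return pow(z, LAM, N2) == 1


if __name__ == "__main__":
    print(dec(add_encrypted(enc(10), enc(20))))            # 30
    print(tally([1, 1, -1, 1, -1, -1, -1]))                # -1
    print(is_nth_residue(pow(5, N, N2)), is_nth_residue(G))  # True False
```

Each `enc` call draws a fresh $r$, so two encryptions of the same vote differ, unlike the textbook RSA on the earlier slide; `is_nth_residue` answers in one exponentiation what the security assumption says is intractable without $(p, q)$, which is the pair of problems the question on Page 83 asks about.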

Page 86

Fully homomorphic encryption

• At STOC'09, Craig Gentry presented a fully homomorphic encryption scheme.
• A homomorphic public-key encryption scheme $S$ has four algorithms: KeyGen, Encrypt, Decrypt, Evaluate.
• $C$: a circuit. $S$ is homomorphic for $C$ if for any key pair (sk, pk) output by KeyGen, any plaintexts $\pi_1, \ldots, \pi_t$, and any ciphertexts $\psi_1, \ldots, \psi_t$ with $\psi_i = \mathrm{Encrypt}(\pi_i)$, it holds that:

$$C(\pi_1, \ldots, \pi_t) = \mathrm{Decrypt}\big(\mathrm{Evaluate}(C, \psi_1, \ldots, \psi_t)\big).$$

• $S$ is fully homomorphic if it is homomorphic for all circuits.

Page 87

Applications

– Protection of mobile agents
– Watermarking/fingerprinting protocols
– Electronic auction and lottery protocols
– Multiparty computation
– Oblivious transfer
– Privacy preserving data mining
– Others