Introduction - Computer Science and...
Introduction
788.11 Cryptography and Security, Fall 2009, Steve Lai
Outline
■ Basics of encryption
■ Homomorphic encryption
Basics of Encryption
For more information, see my CSE 651 or 794Q notes
Summary
• Symmetric encryption
  – Stream cipher (e.g., RC4)
  – Block cipher (e.g., DES, AES)
• Asymmetric encryption
  – RSA
  – ElGamal (based on Diffie-Hellman)
• Performance issues
• Security issues
Symmetric-Key Encryption
• Stream cipher (e.g., Vernam's one-time pad, RC4)
• Block cipher (e.g., DES, AES)
Stream ciphers
• Stream ciphers typically process the plaintext byte by byte. So, the plaintext is a stream of bytes: $P_1, P_2, P_3, \ldots$
• Use a key $K$ as the seed to generate a sequence of pseudorandom bytes (key-stream): $K_1, K_2, K_3, \ldots$
• The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$.
• Various stream ciphers differ in their key-stream generators.
• Stream ciphers require that a new key be used for each plaintext (or it will not be secure).
• In practice, Alice and Bob wish to share a permanent key and use it to encrypt many messages.
• One possible strategy: Suppose Bob and Alice share a secret key $K$. Each time Bob (or Alice) wants to send a message, he randomly generates a string $IV_i$ and uses $K \parallel IV_i$ as the key (seed) to the pseudorandom generator. Send $IV_i$ along with the ciphertext.
• Unfortunately, the resulting scheme is not necessarily secure.
Example: WEP's use of RC4
• WEP is a protocol using RC4 to encrypt packets for transmission over IEEE 802.11 wireless LAN.
• Each packet is encrypted with a separate key equal to the concatenation of a 24-bit IV (initialization vector) and a 40- or 104-bit permanent key: RC4 key = IV (24 bits) $\parallel$ permanent key (40 or 104 bits).
• Not secure. See "Breaking 104 bit WEP in less than 60 seconds."
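The requirement that a stream-cipher key never be reused is easiest to see in code. The following is an added example in Python, not part of the lecture slides: a minimal RC4 (key scheduling plus the output generator), two constructed plaintexts encrypted under the same 40-bit key, and the "two-time pad" identity $C_1 \oplus C_2 = P_1 \oplus P_2$, which lets anyone who knows one plaintext read the other without ever learning the key. The key and both plaintexts are constructed for the demonstration.

```python
# Added example, not from the lecture slides: RC4 keystream reuse.
# Key and plaintexts below are constructed for the demonstration.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) then the PRGA; returns `length` keystream bytes K_1..K_length."""
    S = list(range(256))
    j = 0
    for i in range(256):                            # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                         # PRGA: one pseudorandom byte per step
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C_i = P_i xor K_i, as on the slide; decryption is the same operation."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def two_time_pad_recover(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Keystream reuse: C1 xor C2 = P1 xor P2, so a known P1 yields P2 with no key at all."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


KEY = bytes.fromhex("0102030405")            # constructed 40-bit key (reused: the mistake)
P1 = b"attack at dawn, sector 7"            # constructed sample plaintexts
P2 = b"retreat at dusk, sector 3"


def demo() -> bytes:
    """Encrypt both messages under KEY and recover P2 from the ciphertexts and P1."""
    c1 = stream_encrypt(KEY, P1)
    c2 = stream_encrypt(KEY, P2)
    assert stream_encrypt(KEY, c1) == P1       # decryption round-trips
    return two_time_pad_recover(c1, c2, P1)


if __name__ == "__main__":
    print(demo())
```

The recovery never touches the key scheduling: it only needs the two ciphertexts and one plaintext, which is why a per-message key (or a properly mixed per-message IV) is mandatory.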
Block Ciphers
• Block ciphers are encryption schemes that use pseudorandom functions or pseudorandom permutations.
Traditional view of block ciphers
• A block cipher is a symmetric-key encryption scheme that maps a block of $n$ bits to a block of $n$ bits.
• $M = C = \{0,1\}^n$ and $K = \{0,1\}^r$. Block length: $n$. Key length: $r$.
• For a fixed key $k \in K$, $E_k : \{0,1\}^n \to \{0,1\}^n$ is a permutation.
Practical Block Ciphers: DES and AES
• DES: Data Encryption Standard
• AES: Advanced Encryption Standard
Public‐Key Cryptography and RSA
Public-Key Cryptography
• Also known as asymmetric-key cryptography.
• Each user has a pair of keys: a public key and a private key.
• The public key is used for encryption.
  – The key is known to the public.
• The private key is used for decryption.
  – The key is only known to the owner.
Public-Key Cryptosystem (PKC)
• Each user $u$ has a pair of keys $(PK_u, SK_u)$.
  – $PK_u$ is the public key, available in a public directory.
  – $SK_u$ is the private key, known to $u$ only.
• Key-generation algorithm: to generate keys.
• Encryption algorithm $E$: to send message $M$ to user $u$, compute $C = E(PK_u, M)$.
• Decryption algorithm $D$: Upon receiving $C$, user $u$ computes $D(SK_u, C)$.
• Requirement: $D(SK_u, E(PK_u, M)) = M$.
Why Public-Key Cryptography?
• Developed to address two main issues:
  – key distribution
  – digital signatures
• Invented by Diffie & Hellman in 1976.
One-way function with trapdoor
• Easy: $x \xrightarrow{f} y$
• Hard: $x \xleftarrow{f^{-1}} y$
• Easy with the trapdoor: $x \xleftarrow{f^{-1},\ \text{trapdoor}} y$
• Use the trapdoor as the private key.
• Most (believed) one-way functions come from number theory.
The RSA Cryptosystem
• By Rivest, Shamir & Adleman of MIT in 1977.
• Best known and most widely used public-key scheme.
• Based on the (assumed) one-way property of modular powering:
  $f : x \to x^e \bmod n$ (easy); $f^{-1} : x^e \to x \bmod n$ (hard).
• RSA Encryption
• RSA Digital signature
Idea behind RSA
• Encryption (easy): $x \xrightarrow{\text{RSA}} x^e$.
• Decryption (hard): $x \xleftarrow{\text{RSA}^{-1}} x^e$.
• Looking for a trapdoor: $(x^e)^d = x$. If $d$ is a number such that $ed \equiv 1 \pmod{\varphi(n)}$, then $ed = k\varphi(n) + 1$ for some $k$, and
  $(x^e)^d = x^{ed} = x^{k\varphi(n)+1} = (x^{\varphi(n)})^k \cdot x = 1 \cdot x = x$.
• It works in the group $Z_n^*$.
RSA Cryptosystem
• Key generation:
  (a) Choose large primes $p$ and $q$, and let $n := pq$.
  (b) Choose $e$ ($1 < e < \varphi(n)$) coprime to $\varphi(n)$, and compute $d := e^{-1} \bmod \varphi(n)$. ($ed \equiv 1 \pmod{\varphi(n)}$.)
  (c) Public key: $pk = (n, e)$. Secret key: $sk = (n, d)$.
• Encryption: $E_{pk}(x) := x^e \bmod n$, where $x \in Z_n^*$.
• Decryption: $D_{sk}(y) := y^d \bmod n$, where $y \in Z_n^*$.
• ($E$ and $D$ work for $x, y \in Z_n \setminus Z_n^*$, but not securely.)
Mathematical Attacks
• Factor $n$ into $pq$. Then $\varphi(n) = (p-1)(q-1)$ and $d = e^{-1} \bmod \varphi(n)$ can be calculated easily.
• Determine $\varphi(n)$ directly. Equivalent to factoring $n$. Knowing $\varphi(n)$ will enable us to factor $n$ by solving
  $\begin{cases} n = pq \\ \varphi(n) = (p-1)(q-1) \end{cases}$
• Determine $d$ directly. The best known algorithms are not faster than those for factoring $n$. Also, if $d$ is known, $n$ can be factored with high probability.
• In light of current factorization technologies, RSA recommends that $n$ be of 1024-2048 bits.
Remarks
• If a message $m \in Z_n \setminus Z_n^*$, RSA works, but since $\gcd(m, n) > 1$, the sender can factor $n$.
• Also, since $\gcd(m^e, n) > 1$, the adversary can factor $n$, too.
• Question: how likely is $m \in Z_n \setminus Z_n^*$?
Security of RSA
• We have seen many attacks on RSA.
• Also, RSA is deterministic and, therefore, not CPA-secure (i.e., not ciphertext-indistinguishable against CPA).
• We wish to make RSA secure against CPA and the aforementioned attacks.
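To make the mathematical attacks and the determinism problem concrete, here is an added example in Python (not from the lecture slides) over two small constructed primes: textbook RSA key generation, recovery of $p, q$ from $\varphi(n)$ by solving the quadratic above, recovery of $p, q$ from a leaked $d$, a CPA adversary that wins the distinguishing game every time simply by re-encrypting, and the multiplicative malleability of plain RSA. The primes, the public exponent, the messages and the random seed are assumptions for the demonstration and far too small for real use.

```python
# Added example, not from the lecture slides: textbook RSA and the attacks on it.
import math
import random


def keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two given primes: pk = (n, e), sk = (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    d = pow(e, -1, phi)                 # d = e^{-1} mod phi(n)  (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pk, x: int) -> int:
    n, e = pk
    return pow(x, e, n)                 # E_pk(x) = x^e mod n


def decrypt(sk, y: int) -> int:
    n, d = sk
    return pow(y, d, n)                 # D_sk(y) = y^d mod n


def factor_from_phi(n: int, phi: int):
    """phi(n) = (p-1)(q-1) gives p + q = n - phi + 1; p, q are the roots of t^2 - (p+q) t + n."""
    s = n - phi + 1
    disc = math.isqrt(s * s - 4 * n)    # |p - q|
    p, q = (s - disc) // 2, (s + disc) // 2
    assert p * q == n
    return p, q


def factor_from_d(n: int, e: int, d: int, rng=random.Random(1)):
    """e*d - 1 is a multiple of lambda(n), so for a random a, a^((ed-1)/2^i) hits a
    non-trivial square root of 1 mod n with probability >= 1/2; gcd(x - 1, n) then splits n."""
    k = e * d - 1
    t, s = k, 0
    while t % 2 == 0:                   # k = 2^s * t with t odd
        t //= 2
        s += 1
    while True:
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g != 1:                      # lucky: a already shares a factor with n
            return min(g, n // g), max(g, n // g)
        x = pow(a, t, n)
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                p = math.gcd(x - 1, n)
                return min(p, n // p), max(p, n // p)
            x = y
        # no non-trivial root found for this a: try another


def cpa_distinguisher(pk, m0: int, m1: int, challenge: int) -> int:
    """Textbook RSA is deterministic: re-encrypt m0 and compare with the challenge."""
    return 0 if encrypt(pk, m0) == challenge else 1


def maul(pk, ciphertext: int, factor: int) -> int:
    """Malleability: E(m) * E(f) mod n is a valid encryption of m * f mod n."""
    n, _ = pk
    return (ciphertext * encrypt(pk, factor)) % n


P, Q = 1000003, 1000033                 # constructed primes (toy size; real keys use ~1024-bit primes)
PK, SK = keygen(P, Q)
N = PK[0]

if __name__ == "__main__":
    print(factor_from_phi(N, (P - 1) * (Q - 1)), factor_from_d(N, PK[1], SK[1]))
    c = encrypt(PK, 42)
    print(cpa_distinguisher(PK, 42, 43, c), decrypt(SK, maul(PK, c, 3)))
```

The `factor_from_d` routine is the reason a leaked private exponent must be treated as a leaked modulus factorization: the whole key pair, not just that exponent, has to be retired.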
Padded RSA
• RSA primitive: the RSA we have described, also called plain RSA or textbook RSA.
• Encryption: $E_{pk}(m) = \text{RSA}(m \parallel r) = (m \parallel r)^e \bmod n$, where $r$ is a random string.
• Thus, Padded-RSA$(m) = \text{RSA}(m \parallel r)$ for some random $r$.
• Secure against many of the aforementioned attacks.
• Theorem: Padded RSA is CPA-secure if $|m| = O(\log n)$.
• Padded RSA is adopted in PKCS #1 v1.5.
Padded RSA as in PKCS #1 v1.5
• PKCS: Public Key Cryptography Standard.
• Let $(n, e, d)$ give a pair of RSA keys. Say $|n| = k$ bytes (e.g., 216).
• To encrypt a message $m$: pad $m$ so that $m' = 00 \parallel 02 \parallel r \parallel 00 \parallel m$ ($k$ bytes, first byte $00$), where $r$ is 8 or more random bytes $\neq 00$. The original message $m$ must be $\leq k - 11$ bytes.
• The ciphertext is $c := \text{RSA}(m') = m'^e \bmod n$.
• In 1998, Bleichenbacher published a chosen-ciphertext attack, forcing RSA to upgrade its PKCS #1, now using OAEP.
OAEP: basic idea
• Message padding: instead of encrypting $m$ directly, we encrypt $m \parallel r$, where $r$ is a random bit string. As such, however, there is a 50% overhead.
• So, we wish to use a shorter bit string $r$. Besides, $r$ should be protected, too.
• This leads to a scheme called Optimal Asymmetric Encryption Padding (OAEP). It can be applied not only to RSA but to other trapdoor functions.
OAEP
• Choose $k$, $l$ ($k < l$) s.t. $k + l = |n|$ ($n$, RSA modulus).
• $G : \{0,1\}^k \to \{0,1\}^l$, a pseudorandom generator. $h : \{0,1\}^l \to \{0,1\}^k$, a hash function.
• Encryption. To encrypt a block of $l$ bits $m$:
  1. choose a random bit string $r \in \{0,1\}^k$.
  2. encode $m$ as $x := (m \oplus G(r)) \parallel (r \oplus h(m \oplus G(r)))$ (if $x \notin Z_n^*$, the message space of RSA, return to step 1).
  3. compute the ciphertext $y := E_{pk}(x)$.
• Decryption: $x := D_{sk}(y) = a \parallel b$. $m = a \oplus G(b \oplus h(a))$.
Remarks on OAEP
• OAEP is adopted in current RSA PKCS #1 (v. 2.1). It is a padding scheme, not an encryption scheme.
• Intuitively, with OAEP, the ciphertext should not reveal any information about the plaintext if RSA is one-way and $G$ and $h$ are truly random (random oracles).
• A slightly more complicated version of OAEP, in which $x' = ((m \parallel 0^{k_0}) \oplus G(r)) \parallel (r \oplus h((m \parallel 0^{k_0}) \oplus G(r)))$, has been proved CCA-secure in the random oracle model (i.e., if $G$, $h$ are random oracles).
• In practice, hash functions such as SHA-1 are used for $G$, $h$.
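The encoding and decoding steps above, as an added example in Python (not from the lecture slides). $G$ is built from SHA-256 in counter mode (the MGF1 construction) and $h$ is SHA-256 truncated to $k$ bits; the choices $k = 128$, the Mersenne-prime toy modulus and $e = 65537$ are assumptions for the demonstration, not the parameters of PKCS #1. The block shows that decoding inverts encoding, that the "return to step 1" loop handles $x \notin Z_n^*$, and that two encryptions of the same message differ, which is what plain RSA lacked.

```python
# Added example, not from the lecture slides: OAEP encoding over a toy RSA permutation.
import hashlib
import math
import secrets

K_BITS = 128                                 # |r| = k bits (assumption for the demo)
K_BYTES = K_BITS // 8


def G(r: bytes, l_bytes: int) -> bytes:
    """Pseudorandom generator {0,1}^k -> {0,1}^l: SHA-256 in counter mode (MGF1 style)."""
    out = b""
    for counter in range((l_bytes + 31) // 32):
        out += hashlib.sha256(r + counter.to_bytes(4, "big")).digest()
    return out[:l_bytes]


def h(a: bytes) -> bytes:
    """Hash {0,1}^l -> {0,1}^k: SHA-256 truncated to k bits."""
    return hashlib.sha256(a).digest()[:K_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m: bytes, r: bytes) -> bytes:
    """Step 2 of the slide: a = m xor G(r), b = r xor h(a), x = a || b."""
    a = xor(m, G(r, len(m)))
    b = xor(r, h(a))
    return a + b


def oaep_decode(x: bytes, l_bytes: int) -> bytes:
    """Decryption side: split x = a || b, recover r = b xor h(a), then m = a xor G(r)."""
    a, b = x[:l_bytes], x[l_bytes:]
    r = xor(b, h(a))
    return xor(a, G(r, l_bytes))


# Toy RSA key built from two Mersenne primes (constructed; never use such primes for real keys).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
N_BYTES = (N.bit_length() + 7) // 8
L_BYTES = N_BYTES - K_BYTES                  # k + l = |n|


def rsa_oaep_encrypt(m: bytes, rng=secrets.token_bytes) -> int:
    """Steps 1-3: pick r, encode, retry while x is not in Z_n^*, then y = x^e mod n."""
    assert len(m) == L_BYTES, "this toy encodes exactly l bits"
    while True:
        x = int.from_bytes(oaep_encode(m, rng(K_BYTES)), "big")
        if 0 < x < N and math.gcd(x, N) == 1:
            return pow(x, E, N)


def rsa_oaep_decrypt(y: int) -> bytes:
    """x = y^d mod n, then undo the padding."""
    x = pow(y, D, N).to_bytes(N_BYTES, "big")
    return oaep_decode(x, L_BYTES)


if __name__ == "__main__":
    msg = b"hello oaep!"                      # constructed 11-byte message (= L_BYTES here)
    y1, y2 = rsa_oaep_encrypt(msg), rsa_oaep_encrypt(msg)
    print(rsa_oaep_decrypt(y1) == msg, y1 != y2)
```

Note that the decoder here has no integrity check; the $0^{k_0}$ field of the CCA-secure variant in the remarks is exactly what gives the decryptor something to verify before returning a plaintext.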
Random Oracle
• A random oracle is a random function $f : \{0,1\}^n \to \{0,1\}^{l(n)}$.
• Recall: there are $2^{l(n) \cdot 2^n}$ such functions. Each random oracle is a black box that implements one of the $2^{l(n) \cdot 2^n}$ random functions, say $f_0$.
• The $2^n$ values of $f_0$ are totally independent and random. The only way to know the value of $f_0(x)$ is to explicitly evaluate $f_0$ at $x$ (i.e., to ask the oracle).
• No practical/feasible way to implement a random oracle. Infeasible: use a trusted authority. Infeasible: use an $l(n) \cdot 2^n$-bit disk.
Cryptosystems Based on Discrete Logarithms
Outline
• Discrete Logarithm Problem
• Diffie-Hellman key agreement
• ElGamal encryption
Discrete logarithm problem (DLP)
• A group $G$ is cyclic if there is an element $\alpha \in G$ of order $|G|$. In this case, $G = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{|G|-1}\}$; $\alpha$ is called a generator.
• If $(G, *)$ is a finite group (not necessarily cyclic) and $\alpha \in G$ an element of order $n$, then $\langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{n-1}\}$ is a cyclic (sub)group of order $n$.
• For any $y \in \langle \alpha \rangle$, there is a unique $x \in Z_n$ such that $y = \alpha^x$. This integer $x$ is called the discrete logarithm (or index) of $y$ with respect to base $\alpha$. We write $x = \log_\alpha y$.
• The DLP is to compute $\log_\alpha y$ for a given $y$.
Frequently used settings
• $G = Z_p^* = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$, where $p$ is a large prime, and $\alpha$ is a generator of $Z_p^*$. ($Z_p^*$ is cyclic when $p$ is prime.)
• $G = \langle \alpha \rangle = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{q-1}\} \subset Z_p^*$, where $\alpha \in Z_p^*$ is an element of prime order $q$.
• For these settings, there is no known polynomial-time algorithm for DLP.
Example 1
• $G = Z_{19}^* = \{1, 2, \ldots, 18\}$.
• 2 is a generator. That is, $Z_{19}^* = \langle 2 \rangle$.
• $2^0 = 1$, $2^1 = 2$, $2^2 = 4$, $2^3 = 8$, $2^4 = 16$, $2^5 = 13$, $2^6 = 7$, $2^7 = 14$, $\ldots$
• $\log_2 7 = 6$, $\log_2 14 = 7$, $\log_2 12 = ?$
Example 2
• $G = Z_{11}^* = \{1, 2, \ldots, 10\}$.
• $G' = \langle 3 \rangle = \{1, 3, 9, 5, 4\}$.
• 3 is a generator of $G'$, but not a generator of $G$.
• $\log_3 5 = 3$; $\log_3 10$ is not defined.
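The two examples above, worked in code: an added Python example (not from the lecture slides) that computes the order of $\alpha$, lists $\langle\alpha\rangle$ in the order the slide writes it, and solves $\log_\alpha y$ by baby-step giant-step, reporting that no logarithm exists when $y \notin \langle\alpha\rangle$ (as for $\log_3 10$ in $Z_{11}^*$). It also settles the open $\log_2 12$ in $Z_{19}^*$. Computing the order by brute force is fine at this size; in the settings on the previous slide the order is known from the parameters.

```python
# Added example, not from the lecture slides: discrete logs in Z_19^* and Z_11^*.
import math


def element_order(alpha: int, p: int) -> int:
    """Order of alpha in Z_p^*: the smallest n >= 1 with alpha^n = 1 mod p (brute force, toy sizes)."""
    x, n = alpha % p, 1
    while x != 1:
        x = (x * alpha) % p
        n += 1
    return n


def generated_subgroup(alpha: int, p: int) -> list:
    """<alpha> = [alpha^0, alpha^1, ..., alpha^(n-1)] in that order."""
    n = element_order(alpha, p)
    return [pow(alpha, i, p) for i in range(n)]


def dlog_bsgs(alpha: int, y: int, p: int):
    """Baby-step giant-step: x in Z_n with alpha^x = y mod p, or None if y is not in <alpha>.
    Writes x = i*m + j and looks for y * alpha^(-i*m) = alpha^j; O(sqrt(n)) time and memory."""
    n = element_order(alpha, p)
    m = math.isqrt(n) + 1
    baby = {}                                   # alpha^j -> j for 0 <= j < m
    g = 1
    for j in range(m):
        baby.setdefault(g, j)
        g = (g * alpha) % p
    step = pow(alpha, -m, p)                    # alpha^(-m) via the modular inverse (Python 3.8+)
    gamma = y % p
    for i in range(m):                          # giant steps
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = (gamma * step) % p
    return None


if __name__ == "__main__":
    # Example 1: Z_19^*, alpha = 2 is a generator
    print(generated_subgroup(2, 19))
    print(dlog_bsgs(2, 7, 19), dlog_bsgs(2, 14, 19), dlog_bsgs(2, 12, 19))
    # Example 2: Z_11^*, alpha = 3 has order 5, so log_3(10) does not exist
    print(generated_subgroup(3, 11), dlog_bsgs(3, 5, 11), dlog_bsgs(3, 10, 11))
```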
DLP in $Z_p^*$
• Let $\alpha$ be a generator of $Z_p^*$ (a primitive root of unity modulo $p$).
• $Z_p^* = \{1, 2, \ldots, p-1\} = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$.
• Given $y \in Z_p^*$, find the unique $x \in Z_{p-1}$ such that $y = \alpha^x \bmod p$. That is, given $y$, find $x = \log_\alpha y$.
• There is a subexponential-time algorithm for DLP in $Z_p^*$: Index Calculus, $2^{O(\sqrt{n \log n})}$, where $n = \log p$.
RSA vs. Discrete Logarithm
• RSA is a one-way function with a trapdoor: $x \xrightarrow{\text{RSA}} x^e$ (easy); $x \xleftarrow{\text{RSA}^{-1}} x^e$ (difficult); $x \xleftarrow{\text{RSA}^{-1},\ d} x^e$ (easy; $d$ is a trapdoor).
• Logarithm is the inverse of exponentiation: $x \xrightarrow{\exp} \alpha^x$ (easy); $x \xleftarrow{\log} \alpha^x$ (difficult).
• $\log$ is hard to compute, so $\exp$ is a one-way function, but without a trapdoor. An encryption scheme based on the difficulty of $\log$ will not simply encrypt $x$ as $\alpha^x$.
Diffie-Hellman key agreement
• $Z_p^* = \{1, 2, \ldots, p-1\} = \{\alpha^0, \alpha^1, \alpha^2, \ldots, \alpha^{p-2}\}$.
• Alice and Bob wish to set up a secret key.
  1. Alice and Bob agree on a large prime $p$ and a primitive root (generator) $\alpha \in Z_p^*$. ($p$, $\alpha$ not secret.)
  2. Alice $\to$ Bob: $\alpha^a \bmod p$, where $a \leftarrow_R Z_{p-1}$.
  3. Alice $\leftarrow$ Bob: $\alpha^b \bmod p$, where $b \leftarrow_R Z_{p-1}$.
  4. They agree on the key: $\alpha^{ab} \bmod p$.
• Diffie-Hellman problem: given $p$, $\alpha$, $\alpha^a$, $\alpha^b \in Z_p^*$, compute $\alpha^{ab}$.
• Diffie-Hellman assumption: the Diffie-Hellman problem is intractable.
Ideas behind ElGamal encryption in $Z_p^*$
0. Bob is to send a message $m$ to Alice, who has private key $x$ and public key $y := \alpha^x$.
1. Regard $m$ as an element in $Z_p^*$.
2. Use Diffie-Hellman to set up a temporary key. Bob generates $k$ and computes $y^k$ ($= \alpha^{xk}$).
3. Bob uses this key to encrypt $m$ as $m \cdot y^k$.
4. Bob sends $\alpha^k$ along with $m \cdot y^k$ so that Alice can compute $y^k = (\alpha^k)^x$.
That is, $E(m) = (\alpha^k, m \cdot y^k)$.
ElGamal encryption in $Z_p^*$
1. Key generation (e.g. for Alice): choose a large prime $p$ and a primitive root $\alpha \in Z_p^*$, where $p - 1$ has a large prime factor. Randomly choose a number $x \in Z_{p-1}$ and compute $y := \alpha^x$; set $pk := (p, \alpha, y)$ and $sk := (p, \alpha, x)$.
2. Encryption: $E_{pk}(m) := (\alpha^k, m y^k)$, where $k \leftarrow_R Z_{p-1}$, $m \in Z_p^*$.
3. Decryption: $D_{sk}(a, b) := b \cdot a^{-x}$.
4. Remarks: All operations are done in $Z_p^*$, i.e., modulo $p$. The encryption scheme is non-deterministic.
Security of ElGamal encryption against CPA
• Based on the Diffie-Hellman assumption.
• Diffie-Hellman problem $\leq$ discrete logarithm problem. Open problem: discrete logarithm $\leq$ Diffie-Hellman?
• Theorem: If the Diffie-Hellman assumption is true, then the ElGamal encryption scheme is CPA-secure.
Security of ElGamal encryption against CCA
• A function $f : G \to G'$ is homomorphic if $f(xy) = f(x) f(y)$.
• ElGamal encryption is homomorphic, $E(mm') = E(m) \cdot E(m')$, in the following sense: If $E(m) = (\alpha^k, m y^k)$ and $E(m') = (\alpha^{k'}, m' y^{k'})$, then
  $E(m) \cdot E(m') = (\alpha^k, m y^k) \cdot (\alpha^{k'}, m' y^{k'}) = (\alpha^{k+k'}, mm' y^{k+k'})$
  is a valid encryption of $mm'$.
• As such, ElGamal encryption is not CCA-secure (i.e., not indistinguishable against CCA).
Symmetric vs. Asymmetric
• Symmetric encryptions are much faster than asymmetric ones.
  – AES is typically 100 times faster than RSA encryption, and 1000 times faster than RSA decryption.
• Use an asymmetric cipher to set up a session key and then use a symmetric cipher to encrypt data.
Security Issues
What does it mean that an encryption scheme is secure (or insecure)?
• Semantic security
• Ciphertext-indistinguishability
• Non-malleability
How to define security?
• Consider ciphertext-only attacks; i.e., the adversary is an eavesdropper.
Different levels of security
• Several options: An encryption scheme is secure if, given a ciphertext $c = E_k(m)$, no adversary can
  (1) find the secret key $k$;
  (2) find the plaintext $m$;
  (3) find any character of the plaintext;
  (4) find any meaningful information about the plaintext;
  (5) find any information about the plaintext.
• We will adopt (and formalize) #5, which is called semantic security and seems to indicate the highest level of security.
Different types of attackers
• Different types of attacks (classified by the amount of information that may be obtained by the attacker):
  – Ciphertext-only attack
  – Known-plaintext attack
  – Chosen-plaintext attack (CPA)
  – Chosen-ciphertext attack (CCA)
Security Parameter
• The security of an encryption scheme typically depends on its key length. Is RSA secure if $|n| = 216$, 512, or 1024?
• In general, an encryption scheme is associated with an integer $n$ called its security parameter. (For now, you may think of it as key length.)
• When the probability $\Pr(\cdot)$ of an encryption scheme being broken is negligible, we say that it is secure. "Negligible" is w.r.t. the encryption scheme's security parameter.
Negligible functions
• A nonnegative function $f : N \to R$ is said to be negligible if for every positive polynomial $P(n)$, there is an integer $n_0$ such that $f(n) < \frac{1}{P(n)}$ for all $n > n_0$ (i.e., for sufficiently large $n$).
• Examples: $2^{-n}$, $2^{-\sqrt{n}}$, $n^{-\log n}$ are negligible functions.
• Negligible functions approach zero faster than the reciprocal of every polynomial. We write $\text{negl}(n)$ to denote an unspecified negligible function.
Symmetric-key encryption scheme
• Message space: $M = \{0,1\}^*$.
• Key generation algorithm $G$: On input $1^n$, $G(1^n)$ outputs a key $k \in \{0,1\}^n$. ($K \subseteq \{0,1\}^n$; and $n$ is the security parameter.)
• Encryption algorithm $E$: On input a key $k$ and a plaintext $m \in M$, outputs a ciphertext $c$. We write $c \leftarrow E(k, m)$ or $c \leftarrow E_k(m)$.
• Decryption algorithm $D$: On input a key $k$ and a ciphertext $c$, outputs a message $m$. We write $m := D(k, c)$ or $m := D_k(c)$.
• Correctness requirement: for each $k \in K$ and $m \in M$, $D_k(E_k(m)) = m$.
• $G$, $E$ are probabilistic polynomial-time algorithms. $D$ is deterministic.
Semantic Security
• Informally, an encryption scheme is semantically secure if whatever an adversary with $c = E(m)$ can learn about $m$, one can learn equally well without $c$.
• A private-key encryption scheme $(G, E, D)$ with security parameter $n$ is semantically secure against an eavesdropper if for every probabilistic polynomial-time (PPT) algorithm $A$ there exists a PPT $A'$ such that for all polynomial-time computable functions $f$ and $h$, there exists a negligible function $\text{negl}$ such that:
  $\left| \Pr\left[ A(1^n, E_k(m), h(m)) = f(m) : k \leftarrow G(1^n),\ m \leftarrow \{0,1\}^n \right] - \Pr\left[ A'(1^n, h(m)) = f(m) : m \leftarrow \{0,1\}^n \right] \right| \leq \text{negl}(n).$
Ciphertext-Indistinguishability
• Adversary: a polynomial-time eavesdropper.
• $(G, E, D)$: an encryption scheme with security parameter $n$.
• Imagine a game played by Bob and Eve (adversary):
  – Eve is given input $1^n$ and outputs a pair of messages $m_0, m_1$ of the same length.
  – Bob chooses a key $k \leftarrow G(1^n)$ and $m \leftarrow \{m_0, m_1\}$. He computes $c \leftarrow E_k(m)$ and gives $c$ to Eve.
  – Eve tries to determine whether $c$ is the encryption of $m_0$ or $m_1$.
• An encryption scheme is ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than $1/2$.
• Definition: An encryption scheme is ciphertext-indistinguishable against eavesdroppers if for every PPT algorithm $A$ and all $m_0, m_1 \in M$ with $|m_0| = |m_1|$, it holds:
  $\Pr\left[ A(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ m \leftarrow_u \{m_0, m_1\} \right] \leq \frac{1}{2} + \text{negl}(n).$
Equivalence of semantic security and ciphertext-indistinguishability
• Theorem: Against an eavesdropper, an encryption scheme is semantically secure iff it is ciphertext-indistinguishable.
• Theorem: Under CPA, CCA1 or CCA2, an encryption scheme is semantically secure if and only if it is ciphertext-indistinguishable.
Chosen-plaintext attacks (CPA)
• In CSE 651 we described CPA as follows: Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $m_1, m_2, \ldots, m_t$ are chosen by the adversary; and a new ciphertext $c$. Q: what is the plaintext of $c$?
• Adaptively-chosen-plaintext attack: $m_1, m_2, \ldots, m_t$ are chosen adaptively.
• Now we describe CPA in terms of an oracle.
Chosen-plaintext attacks (CPA)
A CPA on an encryption scheme $(G, E, D)$ is modeled as follows.
1. A key $k \leftarrow G(1^n)$ is generated.
2. The adversary is given input $1^n$ and oracle access to $E_k$. She may request the oracle to encrypt plaintexts of her choice.
3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$; and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$.
4. The adversary continues to have oracle access and may request the encryptions of additional plaintexts of her choice, even $m_0$ and $m_1$.
5. The adversary finally answers 0 or 1.
Note: The CPA here actually refers to an adaptive CPA.
Ciphertext-indistinguishability against CPA
• An encryption scheme $(G, E, D)$ is IND-CPA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$.
• Definition: an encryption scheme $(G, E, D)$ is IND-CPA if for every polynomial-time adversary $A$ it holds that:
  $\Pr\left[ A^{E_k}(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k}(1^n),\ m \leftarrow_u \{m_0, m_1\} \right] \leq \frac{1}{2} + \text{negl}(n)$, where $m_0, m_1 \in M$.
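The game of steps 1-5 above, run as code: an added Python example (not from the lecture slides). Two toy symmetric schemes are built from HMAC-SHA256 standing in for a pseudorandom function $F_k$ (an assumption for the demo, not something the slides specify): a deterministic one that XORs every message with the same $F_k(\text{"pad"})$, and a randomized one that XORs with $F_k(r)$ for a fresh random $r$ sent alongside the ciphertext. The same adversary, which queries the oracle on $m_0$ after seeing the challenge (permitted by step 4) and compares, wins with probability 1 against the first scheme and about $1/2$ against the second.

```python
# Added example, not from the lecture slides: the IND-CPA game as a harness.
import hashlib
import hmac
import os
import random


def prf(key: bytes, x: bytes) -> bytes:
    """HMAC-SHA256 standing in for a pseudorandom function F_k (assumption for the demo)."""
    return hmac.new(key, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


class Deterministic:
    """E_k(m) = F_k("pad") xor m: the same 32-byte keystream for every message."""
    @staticmethod
    def gen(n_bytes: int) -> bytes:
        return os.urandom(n_bytes)

    @staticmethod
    def enc(k: bytes, m: bytes) -> bytes:
        return xor(prf(k, b"pad"), m)

    @staticmethod
    def dec(k: bytes, c: bytes) -> bytes:
        return xor(prf(k, b"pad"), c)


class Randomized:
    """E_k(m) = (r, F_k(r) xor m) with a fresh 16-byte r per encryption."""
    @staticmethod
    def gen(n_bytes: int) -> bytes:
        return os.urandom(n_bytes)

    @staticmethod
    def enc(k: bytes, m: bytes) -> bytes:
        r = os.urandom(16)
        return r + xor(prf(k, r), m)

    @staticmethod
    def dec(k: bytes, c: bytes) -> bytes:
        return xor(prf(k, c[:16]), c[16:])


class ReEncryptAdversary:
    """Asks the oracle for E_k(m0) after seeing the challenge (step 4 allows it) and compares."""
    def choose(self, oracle):
        return b"A" * 32, b"B" * 32                 # |m0| = |m1|

    def guess(self, oracle, m0, m1, c) -> int:
        return 0 if oracle(m0) == c else 1


def ind_cpa_game(scheme, adversary, n_bytes: int = 16, rng=random) -> bool:
    """One run of steps 1-5; returns True iff the adversary's answer equals b."""
    k = scheme.gen(n_bytes)                        # 1. key generation
    oracle = lambda m: scheme.enc(k, m)            # 2. oracle access to E_k
    m0, m1 = adversary.choose(oracle)              # 3. adversary picks m0, m1
    assert len(m0) == len(m1)
    b = rng.randrange(2)
    c = oracle(m1 if b else m0)                    #    challenge c = E_k(m_b)
    return adversary.guess(oracle, m0, m1, c) == b  # 4-5. more queries, then the answer


def success_rate(scheme, adversary, trials: int = 200, seed: int = 1) -> float:
    """Fraction of games won; 1.0 for the deterministic scheme, about 0.5 for the randomized one."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_game(scheme, adversary, rng=rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print(success_rate(Deterministic, ReEncryptAdversary()),
          success_rate(Randomized, ReEncryptAdversary()))
```

The harness makes the definition operational: any scheme whose `enc` is a deterministic function of the key and message loses this game to the same three-line adversary, which is the argument used on the RSA slides.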
Chosen-ciphertext attacks (CCA)
• In CSE 651 we also described CCA as follows: Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $c_1, c_2, \ldots, c_t$ are chosen by the adversary; and a new ciphertext $c$. Q: what is the plaintext of $c$?
• Adaptively-chosen-ciphertext attack: $c_1, c_2, \ldots, c_t$ are chosen adaptively.
• Now we describe CCA in terms of oracles.
• We will allow a CCA adversary to also have CPA capability. (So, combined CCA+CPA, rather than pure CCA.)
Chosen-ciphertext attacks (CCA)
A CCA on an encryption scheme $(G, E, D)$ is modeled as follows.
1. A key $k \leftarrow G(1^n)$ is generated.
2. The adversary is given input $1^n$ and oracle access to $E_k$ and $D_k$. She may request the oracles to perform encryptions and/or decryptions for her.
3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$; and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$.
4. The adversary continues to have oracle access to $E_k$ and $D_k$, but is not allowed to request the decryption of $c$.
5. The adversary finally answers 0 or 1.
CCA1 vs. CCA2
• The CCA described above is also called CCA2.
• If in item #4 the adversary has no access to the decryption oracle, the CCA is called CCA1.
Ciphertext-indistinguishability against CCA
• An encryption scheme $(G, E, D)$ is IND-CCA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$.
• Definition: an encryption scheme $(G, E, D)$ is IND-CCA if for every polynomial-time adversary $A$, it holds that:
  $\Pr\left[ A^{E_k, D_k}(1^n, m_0, m_1, E_k(m)) = m : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k, D_k}(1^n),\ m \leftarrow_u \{m_0, m_1\} \right] \leq \frac{1}{2} + \text{negl}(n)$, where $m_0, m_1 \in M$ and $A$ may not query $D_k$ on the challenge ciphertext.
Non-malleability
• An encryption scheme $(G, E, D)$ is non-malleable if, given a ciphertext $c = E(m)$, it is computationally infeasible for an adversary to produce a ciphertext $c'$ such that $m' = D(c')$ has some known relation with $m$.
• RSA is malleable.
• IND-CCA2 $\Rightarrow$ non-malleable.
• Later we will see that every homomorphic encryption scheme is malleable, and hence cannot be IND-CCA2.
• Highest security level possible for such schemes: IND-CCA1. (?)
Homomorphic Encryption
Fontaine and Galand, “A survey of homomorphic encryption for nonspecialists,” EURASIP Journal on Information Security, 2007.
RSA is homomorphic
• $\text{RSA}(m_1 \cdot m_2) = \text{RSA}(m_1) \cdot \text{RSA}(m_2)$, where $\cdot$ is the multiplication in $Z_n^*$ (i.e., modulo $n$).
• Easy to verify:
  $\text{RSA}(m_1) = m_1^e$
  $\text{RSA}(m_2) = m_2^e$
  $\text{RSA}(m_1 \cdot m_2) = (m_1 \cdot m_2)^e = m_1^e \cdot m_2^e = \text{RSA}(m_1) \cdot \text{RSA}(m_2)$
Homomorphic encryption
• $M$: message space. $C$: ciphertext space.
• $\circ_M$: some binary operation in $M$. $\circ_C$: some binary operation in $C$.
• Definition: An encryption scheme is homomorphic if for any encryption key $k$ the encryption function satisfies $E_k(m_1 \circ_M m_2) = E_k(m_1) \circ_C E_k(m_2)$ for all messages $m_1, m_2 \in M$.
• Comment: applicable only to deterministic encryption schemes.
ElGamal encryption is homomorphic
• $E(m_1 \cdot m_2) \leftarrow E(m_1) \cdot E(m_2)$, in the following sense: $E(m_1) \cdot E(m_2)$ is a valid encryption of $m_1 \cdot m_2$.
• Verification: If $E(m_1) = (g^{k_1}, m_1 y^{k_1})$ and $E(m_2) = (g^{k_2}, m_2 y^{k_2})$, then
  $E(m_1) \cdot E(m_2) = (g^{k_1}, m_1 y^{k_1}) \cdot (g^{k_2}, m_2 y^{k_2}) = (g^{k_1+k_2}, m_1 m_2 y^{k_1+k_2})$
  is an encryption of $m_1 m_2$.
Homomorphic encryption redefined
• $M$: message space. $C$: ciphertext space.
• $\circ_M$: some binary operation in $M$. $\circ_C$: some binary operation in $C$.
• Definition: An encryption scheme is homomorphic if for any encryption key $k$ the encryption function satisfies $E_k(m_1 \circ_M m_2) \leftarrow E_k(m_1) \circ_C E_k(m_2)$ for all messages $m_1, m_2 \in M$.
• Comment: "$\leftarrow$" means "an encryption of $m_1 \circ_M m_2$ can be computed from $E_k(m_1) \circ_C E_k(m_2)$".
An equivalent definition
• Definition: An encryption scheme is homomorphic if its encryption and decryption satisfy $D(E(m_1) \circ_C E(m_2)) = m_1 \circ_M m_2$ for all messages $m_1, m_2 \in M$ and all encryption/decryption key pairs.
A generalized definition
• Definition: An encryption scheme is homomorphic w.r.t. $\circ_M$ if there is a polynomial-time algorithm $A$ such that $E(m_1 \circ_M m_2) \leftarrow A(E(m_1), E(m_2))$ (or $D(A(E(m_1), E(m_2))) = m_1 \circ_M m_2$) for all messages $m_1, m_2 \in M$ and all encryption/decryption key pairs.
• Question: How to further generalize it?
Various homomorphic encryptions
• An encryption scheme is additively homomorphic if it is homomorphic w.r.t. $+_M$; multiplicatively homomorphic if it is homomorphic w.r.t. $\cdot_M$; algebraically homomorphic if it is homomorphic w.r.t. both $+_M$ and $\cdot_M$.
• RSA and ElGamal are multiplicatively homomorphic.
• Padded RSA and OAEP-RSA are not homomorphic.
• RSA is not IND-CPA secure; ElGamal is.
Additively homomorphic ElGamal encryption
• Original ElGamal: $E(m) = (g^k, m y^k)$.
• Now, encrypt $m$ as $c = E(m) = (g^k, h^m y^k)$, where $g$, $h$ are generators of $Z_p^*$.
• Decrypting takes two steps: $c \xrightarrow{\text{ElGamal decryption}} h^m \xrightarrow{\text{DL}} m$.
• $E(m_1 + m_2) \leftarrow E(m_1) \cdot E(m_2)$.
A simple application
• To vote yes or no, encode a yes-vote as $m = 1$ and a no-vote as $m = -1$.
• Encrypt $m$ as $c = (g^k, h^m y^k)$.
• Send the encrypted vote to a trusted party.
• All votes: $\{c_1, c_2, c_3, \ldots, c_k\}$, $c_i = (g^{k_i}, h^{m_i} y^{k_i})$.
• $\prod_{i=1}^k c_i = \left(g^{\sum_{i=1}^k k_i},\ h^{\sum_{i=1}^k m_i} y^{\sum_{i=1}^k k_i}\right) \to E\left(\sum_{i=1}^k m_i \bmod (p-1)\right)$
• $D\left(\prod_{i=1}^k c_i\right) = \sum_{i=1}^k m_i \bmod (p-1)$ (why?)
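One Python example, added here and not part of the lecture slides, covers three of the slides above: the homomorphic product $E(m_1) \cdot E(m_2)$, the CCA adversary who turns a challenge ciphertext into a different valid ciphertext of a related plaintext (the reason ElGamal is not CCA-secure), and the exponential variant $(g^k, h^m y^k)$ with a brute-force discrete-log step used to tally yes/no votes. The prime $p = 10007$ (a safe prime, so generators are cheap to verify), the generators $g = 5$, $h = 7$, the seeded random source and the vote list are assumptions for the demonstration; decryption uses $a^{-x} = a^{p-1-x}$.

```python
# Added example, not from the lecture slides: ElGamal in Z_p^*, its malleability, and voting.
import random

P = 10007                  # constructed safe prime: P = 2*5003 + 1
Q = (P - 1) // 2
G, H = 5, 7                # two generators of Z_P^* (checked below)
for gen in (G, H):         # for a safe prime, g generates Z_p^* iff g^2 != 1 and g^q != 1
    assert pow(gen, 2, P) != 1 and pow(gen, Q, P) != 1

rng = random.Random(2009)  # fixed seed so the demo is reproducible


def keygen():
    """sk = x in Z_{p-1}, pk = y = g^x."""
    x = rng.randrange(1, P - 1)
    return x, pow(G, x, P)


def encrypt(y: int, m: int):
    """E_pk(m) = (g^k, m * y^k) with k random in Z_{p-1}."""
    k = rng.randrange(1, P - 1)
    return pow(G, k, P), (m * pow(y, k, P)) % P


def decrypt(x: int, ct):
    """D_sk(a, b) = b * a^{-x}; a^{-x} = a^{p-1-x} by Fermat."""
    a, b = ct
    return (b * pow(a, P - 1 - x, P)) % P


def combine(ct1, ct2):
    """Componentwise product: (g^k1, m1 y^k1)(g^k2, m2 y^k2) = (g^(k1+k2), m1 m2 y^(k1+k2))."""
    return (ct1[0] * ct2[0]) % P, (ct1[1] * ct2[1]) % P


def maul(y: int, ct, factor: int):
    """CCA adversary: from E(m) build a fresh-looking ciphertext of m*factor without x.
    It differs from the challenge, so the decryption oracle will answer, revealing m*factor."""
    return combine(ct, encrypt(y, factor))


def encrypt_exp(y: int, m: int):
    """Additive variant (g^k, h^m y^k); the product of ciphertexts encrypts the sum."""
    k = rng.randrange(1, P - 1)
    return pow(G, k, P), (pow(H, m % (P - 1), P) * pow(y, k, P)) % P


def decrypt_exp(x: int, ct, bound: int) -> int:
    """Two steps: ElGamal decryption gives h^m; then a brute-force DL over [-bound, bound]."""
    hm = decrypt(x, ct)
    for t in range(-bound, bound + 1):
        if pow(H, t % (P - 1), P) == hm:
            return t
    raise ValueError("sum outside the searched range")


def tally(y: int, x: int, votes) -> int:
    """Each vote is +1 (yes) or -1 (no). The trusted party multiplies all ciphertexts and
    decrypts once, learning only the sum, never an individual vote."""
    acc = (1, 1)
    for v in votes:
        acc = combine(acc, encrypt_exp(y, v))
    return decrypt_exp(x, acc, len(votes))


if __name__ == "__main__":
    x, y = keygen()
    c = encrypt(y, 1234)
    print(decrypt(x, c), decrypt(x, maul(y, c, 3)))        # 1234 and 3702
    print(tally(y, x, [1, 1, -1, 1, -1, -1, 1]))            # 1
```

The brute-force DL in `decrypt_exp` is what bounds the exponential variant to small tallies; Paillier, later in these slides, removes that step.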
Yao's Millionaire Problem
• Two millionaires, Alice and Bob, want to know who is richer without revealing their actual wealth.
• Alice is worth $a$ millions, and Bob $b$ millions. Q: $a < b$?
• Initially suggested and solved by Andrew Yao in 1982.
• Later generalized to a problem called Multiparty Computation.
• Would be trivial if there were a secure encryption scheme that is homomorphic w.r.t. "$<$", namely, $m_1 < m_2 \leftarrow D(A(E(m_1), E(m_2)))$.
Quadratic Residues
• Let $n \geq 2$ be any number. Quadratic residues: elements in $Z_n^*$ which are a square.
• $\text{QR}_n$ = the subgroup of quadratic residues in $Z_n^*$.
• $\text{QNR}_n = Z_n^* - \text{QR}_n$ = quadratic non-residues in $Z_n^*$.
• Legendre symbol: $\left(\frac{x}{p}\right) = \begin{cases} +1 & \text{if } [x] \in \text{QR}_p \ (x \text{ is a square}) \\ -1 & \text{if } [x] \in \text{QNR}_p \ (\text{not a square}) \\ 0 & \text{if } [x] = 0 \end{cases}$
• Euler's criterion: $\left(\frac{x}{p}\right) = x^{(p-1)/2} \bmod p$.
• Jacobi symbol: $\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right)$, assuming $n = pq$.
Quadratic Residues (cont'd)
• Thus, $\left(\frac{x}{n}\right) = +1$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = \pm 1$ (both $+1$ or both $-1$).
• $x$ is a quadratic residue in $Z_n^*$ iff $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$.
• $Z_n^* = \text{QR}_n \cup \text{QNR}_n = \text{QR}_n \cup \text{QNR}_n^{+} \cup \text{QNR}_n^{-}$.
• If $\left(\frac{x}{n}\right) = -1$, then $x \in \text{QNR}_n^{-}$.
• If $\left(\frac{x}{n}\right) = +1$, $x \in \text{QR}_n \cup \text{QNR}_n^{+}$.
Quadratic residuosity assumption:
• Given $x \in Z_n^*$ with $\left(\frac{x}{n}\right) = +1$, it is intractable to determine whether $x \in \text{QR}_n$ or $x \in \text{QNR}_n^{+}$ without knowing $n = pq$.
• Knowing $n = pq$, it is easy to determine if $x \in \text{QR}_n$ or $x \in \text{QNR}_n^{+}$.
Goldwasser-Micali encryption scheme (idea)
• First probabilistic encryption scheme.
• Encrypt one bit $b \in \{0,1\}$ at a time.
• Encrypt $b = 0$ as a random number in $\text{QR}_n$.
• Encrypt $b = 1$ as a random number in $\text{QNR}_n^{+}$.
• To decrypt $c = E(b)$, simply determine if $c \in \text{QR}_n$ (i.e., $\left(\frac{c}{p}\right) = \left(\frac{c}{q}\right) = 1$?).
Goldwasser-Micali encryption scheme
• System setup: Alice chooses $n = pq$ and $g \in \text{QNR}_n^{+}$. Public key: $(n, g)$. Private key: $(p, q)$.
• Encryption: $E(b) = g^b r^2$, where $r \leftarrow_R Z_n^*$. Note: $E(b)$ is a quadratic residue iff $b = 0$.
• To decrypt $c = E(b)$, simply determine if $c \in \text{QR}_n$.
• Drawback: it takes $|n| = 1024$ bits to encrypt a single bit. This scheme has an expansion of 1024.
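The symbols, the partition of $Z_n^*$ and the Goldwasser-Micali scheme above, as one added Python example (not from the lecture slides). It computes the Legendre symbol by Euler's criterion and the Jacobi symbol by the reciprocity algorithm, which needs no factorization: that is why anyone can recognise $\text{QNR}_n^-$ while telling $\text{QR}_n$ from $\text{QNR}_n^+$ uses $p$ and $q$. It then classifies elements and encrypts a bit string bit by bit. The primes $p = 1009$, $q = 1013$ and the seeded random source are constructed for the demo.

```python
# Added example, not from the lecture slides: quadratic residues and Goldwasser-Micali.
import math
import random


def legendre(x: int, p: int) -> int:
    """(x/p) by Euler's criterion: x^((p-1)/2) mod p, mapped to {-1, 0, +1}."""
    v = pow(x % p, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def jacobi(a: int, n: int) -> int:
    """(a/n) for odd n > 0 by quadratic reciprocity: no factorization of n needed."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                      # reciprocity flip
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr(x: int, p: int, q: int) -> bool:
    """x in QR_n iff (x/p) = (x/q) = +1 (needs the private factorization)."""
    return legendre(x, p) == 1 and legendre(x, q) == 1


def classify(x: int, p: int, q: int) -> str:
    """Which part of Z_n^* = QR_n U QNR_n^+ U QNR_n^- the element x lies in."""
    if is_qr(x, p, q):
        return "QR"
    return "QNR+" if jacobi(x, p * q) == 1 else "QNR-"


def gm_keygen(p: int, q: int, rng):
    """Public key (n, g) with g in QNR_n^+; private key (p, q)."""
    n = p * q
    while True:
        g = rng.randrange(2, n)
        if classify(g, p, q) == "QNR+":
            return (n, g), (p, q)


def gm_encrypt(pk, b: int, rng) -> int:
    """E(b) = g^b r^2 mod n, r random in Z_n^*: a square iff b = 0."""
    n, g = pk
    while True:
        r = rng.randrange(2, n)
        if math.gcd(r, n) == 1:
            return (pow(g, b, n) * r * r) % n


def gm_decrypt(sk, c: int) -> int:
    p, q = sk
    return 0 if is_qr(c, p, q) else 1


def gm_encrypt_bits(pk, bits, rng):
    return [gm_encrypt(pk, b, rng) for b in bits]


def gm_decrypt_bits(sk, cts):
    return [gm_decrypt(sk, c) for c in cts]


P, Q = 1009, 1013                        # constructed primes (toy size)
RNG = random.Random(5)
PK, SK = gm_keygen(P, Q, RNG)

if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    print(gm_decrypt_bits(SK, gm_encrypt_bits(PK, bits, RNG)) == bits)
```

Every ciphertext produced here has Jacobi symbol $+1$ (a square times $g$, both of symbol $+1$), so the public Jacobi computation gives an eavesdropper nothing; that is exactly the quadratic residuosity assumption at work.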
Reducing the expansion
• Idea of Goldwasser-Micali: Take a group $G$ and a subgroup $H$. Partition $G$ into two parts: $M_0 = H$ and $M_1 = G \setminus H$. Randomly select an element in $M_b$ to encrypt $b$.
• To generalize, choose $G$ and $H$ such that $G$ can be split into more parts.
• Benaloh: $k$ a small prime; $E(m) = g^m r^k$, $m \in \{0, 1, \ldots, k-1\}$; expansion: $|n| / |k|$.
• Okamoto & Uchiyama: reduced the expansion to 3.
• Paillier: reduced the expansion to 2 using the group $Z_{n^2}^*$.
• Damgård & Jurik: generalized Paillier's scheme using the group $Z_{n^{s+1}}^*$, with expansion $1 + 1/s$.
Paillier's encryption scheme
• One of the most well-known homomorphic encryption schemes.
• $G = Z_{n^2}^*$, where $n = pq$.
• $|G| = \varphi(n^2) = n \varphi(n)$.
• $H = \{z \in G : z \text{ is an } n\text{th residue mod } n^2\} = \{z = y^n \bmod n^2 \text{ for some } y \in G\}$.
• $H$ is a subgroup and $|H| = \varphi(n)$. Use $H$ to divide $G$ into $n$ classes.
• Let $g \in G$ be any element with order a multiple of $n$.
• Define $f : Z_n \times Z_n^* \to Z_{n^2}^*$, $(x, y) \mapsto g^x y^n \bmod n^2$.
• Theorem: $f$ is bijective.
• Each $x \in Z_n$ defines a class in $Z_{n^2}^*$, namely, $f(x, Z_n^*) = \{f(x, y) : y \in Z_n^*\}$.
• Encryption: plaintext $m \in Z_n$; select a random $r \in Z_n^*$; ciphertext $c = g^m r^n \bmod n^2$ (additively homomorphic).
• Decryption (private key: $n = pq$ or $\lambda(n)$): ciphertext $c \in Z_{n^2}^*$ $\mapsto$ plaintext
  $m = \left[\frac{L(c^{\lambda(n)} \bmod n^2)}{L(g^{\lambda(n)} \bmod n^2)}\right] \bmod n$,
  where $L(u) = (u-1)/n$ and $\lambda(n)$ is the Carmichael function, i.e., the smallest integer $\lambda$ such that $a^\lambda \equiv 1 \pmod n$ for all $a \in Z_n^*$. For $n = pq$, $\lambda(n) = \text{lcm}(p-1, q-1)$. (In RSA, $\lambda(n)$ can be used in place of $\varphi(n)$.)
• Security: Assumption: Without knowing $n = pq$, it is intractable to determine if an element $z \in Z_{n^2}^*$ is an $n$th residue modulo $n^2$. If this assumption holds, Paillier's encryption scheme is semantically secure under CPA.
• Let $c$ be the ciphertext of either $m_0$ or $m_1$. So, either $c = g^{m_0} r_0^n \bmod n^2$ or $c = g^{m_1} r_1^n \bmod n^2$. So, $c g^{-m_0} = r_0^n \bmod n^2$ or $c g^{-m_0} = g^{m_1 - m_0} r_1^n \bmod n^2$. $c$ is the ciphertext of $m_0$ iff $c g^{-m_0}$ is an $n$th residue modulo $n^2$.
• Question: In the above argument, which problem is reduced to which problem?
• Additively homomorphic on $Z_n$:
  Recall: $E(m) = g^m r^n \bmod n^2$, $m \in Z_n$, $r \leftarrow_R Z_n^*$.
  $D(E(m_1) \cdot E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$.
  $D(E(m_1)^k \bmod n^2) = k m_1 \bmod n$.
  $D(E(m_1) \cdot g^k \bmod n^2) = m_1 + k \bmod n$.
A simple application
• To vote yes or no, encode a yes vote as $m = 1$ and a no vote as $m = -1$. Encrypt $m$ as $c = g^m r^n \bmod n^2$. Send the encrypted vote to a trusted party.
• All votes: $\{c_1, c_2, c_3, \ldots, c_k\}$.
• $D\left(\prod_{i=1}^k c_i \bmod n^2\right) = \sum_{i=1}^k m_i \bmod n \Rightarrow \sum_{i=1}^k m_i$ (why?)
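Paillier as defined above, as an added Python example (not from the lecture slides): key generation with $g = n + 1$ (which has order $n$ in $Z_{n^2}^*$ and makes $L(g^{\lambda} \bmod n^2) = \lambda \bmod n$), encryption, decryption through $L$ and $\lambda(n) = \text{lcm}(p-1, q-1)$, the three homomorphic identities listed above, and the vote tally with the "why?" answered in code: the sum is recovered mod $n$, and since $|\sum m_i| \leq k < n/2$ it maps back to a signed integer unambiguously. The primes $p = 1009$, $q = 1013$, the seed and the vote list are assumptions for the demonstration.

```python
# Added example, not from the lecture slides: Paillier encryption and its additive homomorphism.
import math
import random


def L(u: int, n: int) -> int:
    """L(u) = (u - 1) / n, exact on inputs that are 1 mod n."""
    return (u - 1) // n


def keygen(p: int, q: int):
    """n = pq, lambda = lcm(p-1, q-1), g = n + 1 (order n in Z_{n^2}^*), mu = L(g^lambda)^{-1} mod n."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    g = n + 1
    n2 = n * n
    mu = pow(L(pow(g, lam, n2), n), -1, n)
    return (n, g), (n, lam, mu)


def encrypt(pk, m: int, rng) -> int:
    """c = g^m r^n mod n^2 with r random in Z_n^*; negative m is taken mod n."""
    n, g = pk
    n2 = n * n
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(sk, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, lam, mu = sk
    return (L(pow(c, lam, n * n), n) * mu) % n


def add(pk, c1: int, c2: int) -> int:
    """E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def scalar_mul(pk, c: int, k: int) -> int:
    """E(m)^k mod n^2 decrypts to k*m mod n."""
    n, _ = pk
    return pow(c, k, n * n)


def add_plain(pk, c: int, k: int) -> int:
    """E(m) * g^k mod n^2 decrypts to m + k mod n."""
    n, g = pk
    return (c * pow(g, k % n, n * n)) % (n * n)


def tally(pk, sk, votes, rng) -> int:
    """Yes = +1, no = -1 (encrypted as n-1). The product of all ciphertexts decrypts to the
    sum mod n; because |sum| <= len(votes) < n/2, the signed sum is recovered exactly."""
    n, _ = pk
    acc = 1                                   # multiplicative identity = encryption of 0 with r = 1
    for v in votes:
        acc = add(pk, acc, encrypt(pk, v, rng))
    s = decrypt(sk, acc)
    return s if s <= n // 2 else s - n


if __name__ == "__main__":
    rng = random.Random(42)                   # constructed seed
    pk, sk = keygen(1009, 1013)               # constructed primes (toy size)
    c1, c2 = encrypt(pk, 123, rng), encrypt(pk, 456, rng)
    print(decrypt(sk, add(pk, c1, c2)), decrypt(sk, scalar_mul(pk, c1, 5)))
    print(tally(pk, sk, [1, 1, -1, -1, -1, 1, -1], rng))   # 3 yes, 4 no -> -1
```

Unlike the exponential-ElGamal tally, no discrete logarithm is needed at the end, which is what makes Paillier practical for large counts.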
Fully homomorphic encryption
• At STOC'09, Craig Gentry presented a fully homomorphic encryption scheme.
• A homomorphic public-key encryption scheme $S$ has four algorithms: KeyGen, Encrypt, Decrypt, Evaluate.
• $C$: a circuit. $S$ is homomorphic for $C$ if for any key pair $(sk, pk)$ output by KeyGen, any plaintexts $\pi_1, \ldots, \pi_t$, and any ciphertexts $\psi_1, \ldots, \psi_t$ with $\psi_i \leftarrow \text{Encrypt}(pk, \pi_i)$, it holds that:
  $C(\pi_1, \ldots, \pi_t) = \text{Decrypt}(sk, \text{Evaluate}(pk, C, \psi_1, \ldots, \psi_t))$.
• $S$ is fully homomorphic if it is homomorphic for all circuits.
Applications
– Protection of mobile agents
– Watermarking/fingerprinting protocols
– Electronic auction and lottery protocols
– Multiparty computation
– Oblivious transfer
– Privacy preserving data mining
– Others