Special Topics in Cryptography
Mohammad Mahmoody
Last time
β’ Public-key encryption and key-agreement
β’ Diffie Hellman (key agreement protocol)
β’ RSA public key encryption
β’ Digital signatures
Today
Public Key Encryption
β’ Secure communication even without shared secret keys!
Recalling Public Key Encryption
β’ Key generation: Gen 1π β ππ, ππ
β’ Encryption: Enc ππ,π β π
β’ Decryption: Dec ππ, π = πβ²
β’ Completeness: decrypting correction π = πβ²
β’ Security: same as CPA security for private-key, but the adversary does not need any encryption oracle: it has the encryption key itself!
Recalling Key Agreement
β’ Interactive protocol between randomized Alice and Bob
β’ The sequence of messages π = (π‘1, π‘2, β¦ π‘π) is called βtranscriptβ
β’ At the end, Alice and Bob output key ππ΄, ππ΅
β’ Completeness: getting same keys ππ΄ = ππ = πππ¦
β’ Security: suppose |πππ¦| = π, then(π, πππ¦) is computationally indistinguishable from π, ππNamely, even if π is known, πππ¦ is indistinguishable from uniform ππ
Diffie Hellman Key Agreement
β’ Public parameters: large prime π a (multiplicative) generator π for ππ
1. Alice picks π₯ β {1,β¦ π β 1} and Bob picks π¦ β 1,β¦π β 1 at random
2. Alice sends π = ππ₯ to Bob and Bob sends π = ππ¦ to Alice.
3. Alice takes ππ₯ = ππ₯π¦ = π and Bob takes ππ¦ = ππ₯π¦ = π as the key.
β’ To implement in efficiently, we use βfast exponentiationβ algorithm that computes ππ¦ mod π in time polynomial in lengths of π, π¦, π
RSA Public-Key Encryption
Main Idea of RSA: Trapdoor Permutations
β’ Intuition: Permutation π βΆ 0,β¦π β 1 β 0,β¦π β 11. Easy to compute π publically2. Easy to βinvertβ π only if have the trapdoor.
β’ Key generation find: ππ = π and ππ = π for permutations π, π such that :1. for all π₯ β 0,β¦π β 1 : π π π₯ = π₯ namely π(β ) = πβ1(β )2. Given π(π₯) it is βhardβ to invert it to find π₯. Formally, for all poly-time π΄
Prπ₯β 0,β¦πβ1
π΄ π π₯ = π₯ β€ negl(π) where π β log(π) is sec parameter
β’ What is useful intuitively?β’ Why cannot we use it naively?
Number Theory 101- (continued)
β’ gcd π,π = greatest common divisor of π,π
β’ π π = π 1 β€ π β€ π, gcd π, π = 1 |
β’ π(π) for prime π ?
β’ π ππ for primes π, π ?
β’ Eulerβs theorem: if gcd π, π = 1 β ππ(π) = 1 (mod π)
RSA Trapdoor Permutation
β’ Eulerβs theorem: if gcd π, π = 1 β ππ(π) = 1 (mod π)
β’ ππ(π) β ππ π β ππ π β¦ = 1 π1+πβ π(π) = π (mod π)
β’ If π β π = 1 + π β π(π) which is the same as π β π = 1 mod π π then ππ π = π (mod π π )
which means π π₯ = π₯π is inverse of π π¦ = π¦π for gcd π₯, π = 1
β’ Interestingly π π π₯ = π₯ even for gcd π₯, π β 1
How to use RSA Trapdoor Permutation for public-key encryption?β’ Intuition: Permutation π βΆ 0, β¦π β 1 β 0,β¦π β 1
1. Easy to compute π publically
2. Easy to βinvertβ π only if have the trapdoor.
β’ What is useful intuitively?
β’ Why cannot we use it naively?
One βcorrectβ way to use RSA trapdoor permutation for public key encryption
β’ Actual Randomized (CPA secure) Encryption of a big π: Pick π, π β {0, β¦ , π β 1} at random and output [π π , π , π, π β π]
More efficient way, using an βidealβ hash function
β’ Let β: 0,1 π β 0,1 π be an βideaβ hash functionβ’ Key gen: generate a pair ππ = π(β ), ππ = πβ1 (β )
β’ Encryption of π β 0,1 π: pick π β 0,1 π, output π = π π , β π βπ
β’ Decryption of π = (π¦, π§) : output π = πβ1 π¦ β π§
β’ Even possible to do it efficiently in a CCA secure way using ideal hashing
We need prime numbers for RSA and DH !
β’ We need large prime numbers!
β’ How many prime numbers are there?
β’ How can we fine one?
Public Key Authentication:Digital Signatures
β’ Secure authentication without shared secret keys!
Making MACs public key (just like how we moved to public key encryption)
Defining Digital Signatures
β’ Alice has a signing key π π and a verification key π£π
β’ Using π π Alice can sign π with π = Signπ π(π)
β’ If Bob verifies Verifπ£π π, π = 1 he can be sure Alice signed π
β’ Security:
One possible idea based on TDPs (e.g. RSA)
β’ Signing key: βprivate keyβ (or the trapdoor)
β’ Verification key: βpublic keyβ (or the description of the permutation)
β’ To sign π publish π π = π‘
β’ To verify (π, π‘) accept if and only if: π π‘ = π
β’ Is it secure signature?
βHash and signβ using ideal hash function