--------------------------------------------------------------------------
CSE 227 - Lecture 9 - November 26, 2001
--------------------------------------------------------------------------

Announcements -

  o Sign up for final discussion today. Time slots: this Friday, next
    Thursday, the following Monday. Don't miss your appointment! Bring
    the paper you read.

Today:
  1 Number theory background
  2 Public-key encryption

--------------------------------------------------------------------------

1. NUMBER THEORY BASICS
-----------------------

1. Prime numbers. Write pi(n) = |{primes < n}|.

2. Prime number density theorem:

                   pi(n)
        lim     ----------  = 1
      n->infty   n / ln n

   (conjectured by Gauss in 1791). Actually, the sharper statement is
   pi(n) ~ li(n), where li(n) = \integral_0^n du/ln u, proven by
   Hadamard (1896) and de la Vallee Poussin.

3. "Easy" to test for primality. (Famous algorithms, like Adleman,
   Manders, Miller.) (In fact, 2^{n-1} = 1 mod n is a quite good test,
   though it's occasionally wrong.)

4. Efficient to multiply (grade-school method works fine).

5. Of course you all know how to factor in sqrt(n) time. The best known
   algorithms are much better; the current champion is the general
   number field sieve, whose conjectured running time to factor n is
   expected time

        O( e^{1.923 (ln n)^{1/3} (ln ln n)^{2/3}} )

   Current technology: RSA-512 (155 decimal digits), Aug 1999, 8000
   MIPS-years. Lenstra, Montgomery et al., GNFS, distributed.

   RSA-155 = 1094173864157052742180970732204035761200373294544920599091384213147634\
             9984288934784717997257891267332497625752899781833797076537244027146743\
             531593354333897,

   the product of two 78-digit primes.

6. gcd(a,b).

7. Can calculate gcd(a,b) with Euclid's algorithm. In fact, given a, b,
   Euclid's algorithm finds x, y s.t. ax + by = gcd(a,b). Time is
   linear: O(lg a + lg b).

8. Groups. Additive and multiplicative notation.

9. Z_n.

10. If gcd(a,n)=1, then a has an inverse in Z_n.
    Indeed you can compute it, using Euclid's algorithm -- find x, y s.t.

        ax + yn = 1,   so   ax = 1 (mod n).

11. For any finite group G having q elements, a^q = 1 for every a in G.
    So, looking at Z_p^*, a^{p-1} = 1 mod p.

12. Z_n^* as a set: {i in [1..n] such that gcd(i,n)=1}.

    Make the multiplication table for Z_15^* = {1,2,4,7,8,11,13,14}:

            1   2   4   7   8  11  13  14
         ----------------------------------
      1 |
      2 |
      4 |
      7 |
      8 |
     11 |
     13 |
     14 |

13. phi(n) = |Z_n^*|. If n=pq is a product of distinct odd primes,
    phi(pq) = (p-1)(q-1).

14. Z_p^* is cyclic: there exists an element g s.t. every element a in
    G=Z_p^* is of the form g^i. In fact, any group of prime order is
    cyclic, and it is easy to find a generator for it.

==============================================================================

2. Public-key encryption

2.1  Diffie-Hellman's idea for using a trapdoor permutation
2.2  Constructing a trapdoor permutation: the RSA trapdoor permutation
2.3  Does it work?
     Definition of secure encryption
2.4  Hardness of RSA (as a one-way function/trapdoor permutation)
2.5  Achieving secure encryption: the notion of a hard-core bit, and the
     Goldreich-Levin hardcore bit
2.6  How is public-key encryption _really_ done: RSA PKCS #1, v.1
2.7  Trying to do better: the f(x) || H(x) xor M method and its analysis
     (introduce random oracles, then prove this method is secure assuming
     them)
2.8  OAEP method
2.9  Mention Cramer-Shoup
2.10 Encryption without a trapdoor permutation: ElGamal method and its
     security

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2.1 Diffie-Hellman's idea

                       f: easy
          ----------------------------->
     D                                     R
          <-----------------------------
                       f^-1: hard
          <-----------------------------
                       f^-1: easy if know secret

  To encrypt x: compute f(x).
  To decrypt y: compute f^-1(y).

Formally
--------

Trapdoor permutation: specified by four algorithms,
\G = (Gen, Forward, Backward, Sample).

  Gen:      Prob. alg. Takes a "security parameter" k as input, and
            returns two strings, f and f^{-1}.

  Forward:  Det. alg. Takes a string f and an input x and computes
            Forward(f,x), which we normally abbreviate f(x). This is a
            map from some set D to some set R.

  Backward: Det. alg. Takes a string f^-1 and an input y and computes
            Backward(f^-1,y), which we normally abbreviate f^-1(y).

  Sample:   Prob. alg. Takes f and returns a random point in D.

It must be the case that f^-1(f(x)) = x for all x in D.

Lovely idea, but how to realize it?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2.2 Constructing a trapdoor permutation: the RSA trapdoor permutation

First realization: RSA, 1978.

  Gen:      Takes k and chooses two random k-bit primes, p, q, and
            multiplies them to get n=pq. Choose e relatively prime to
            (p-1)(q-1); the choice e=3 is reasonable. Compute
            d = e^{-1} mod (p-1)(q-1). Output f=(n,e), f^-1=(n,d).

  Forward:  Given (n,e). Domain D = Z_n^*. f(x) = x^e mod n.

  Backward: Given (n,d). Range R = Z_n^*. f^-1(y) = y^d mod n.
  Sample:   Chooses a random point of Z_n^*.

  * Do the arithmetic to check that f^{-1} is the inverse of f.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2.3 Does it work? Definition of secure encryption

2.3.1 Syntax

Encryption scheme Pi = (\K, \E, \D).

  \K: prob. Takes a security parameter k and produces (pk, sk). There
      is a message space \M associated to the public key pk, \M(pk),
      and a ciphertext space \C(pk). Both easily tested.

  \E: prob (stateful is never done). Takes pk and a message M in \M
      and produces a ciphertext C in the ciphertext space \C.

  \D: det. alg. Takes sk and a ciphertext C in \bits^* and returns M
      in \M, or an indication of failure.

Require: for all k, all (pk,sk) that might be output by \K(k), for all
M in \M(pk), for all coins r, D_sk(E_pk(M,r)) = M.

2.3.2 Security

Can lift all of our prior definitions. E.g.: Let Pi=(\K,\E,\D) be an
encryption scheme, let k be a security parameter, let A be an
adversary. Then

  Adv^rr_Pi(A,k) = Pr[(pk,sk)<-\K(k); A^{\E(.)}(pk)=1]
                 - Pr[(pk,sk)<-\K(k); A^{\E($^|.|)}(pk)=1]

Can lift all our notions: lr, rr, fg, sem. Again they come out
essentially equivalent. "Semantic security" refers to all of them.

2.3.3 Does it work?

Raw RSA is deterministic, so it certainly doesn't satisfy the
definition.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2.4 Hardness of RSA (as a one-way function/trapdoor permutation)

Let \G = (Gen, Forward, Backward, Sample) be a trapdoor permutation,
and let I be an adversary. Then

  Adv^owf(I,k) = Pr[(f,f^-1)<-Gen(k); x<-Sample(f); y<-f(x): f(I(f,y))=y]

For RSA:

  Adv^owf(I,k) = Pr[(n,e,d)<-Gen(k); x<-Z_n^*: I(n,e,x^e)=x]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2.5 Achieving secure encryption: the notion of a hard-core bit, and the
    Goldreich-Levin hardcore bit

Want to encrypt 1 bit:

  a. Use the structure of RSA. Th.
     by ACGS: [informal] If there exists an efficient algorithm that,
     given a random (n,e,x^e), predicts lsb(x) 0.5 + delta of the time,
     then there exists an efficient algorithm that, most of the time,
     finds x given a random (n,e,x^e).

     Show how that gives rise to a secure encryption scheme: to encrypt
     a bit b, choose a random x in Z_n^* that ends in b. Compute
     x^e mod n. To encrypt a string, encrypt bit-by-bit.

  b. Generically, for any trapdoor permutation. [Goldreich, Levin]
     Given a one-way function/trapdoor permutation
     (Gen, Forward, Backward, Sample):

                     easy
           x -------------------> f(x)
           |                       |
           |        hard           |
           | <-------------------  |
           |                       | easy
           |                       |      We can't quite say that this
          \|/                      |      exists for any particular
          hard                     |      function B. Instead, we
                                   |      slightly modify the owf to
         B(x) <- - - - - - - - - - +      get it to exist:

                     easy
         x  p -------------------> f(x)  p
           |                       |
           |        hard           |
           | <-------------------  |
           |                       | easy
           |                       |
          \|/                      |
          hard                     |
                                   |
     x \inprod p <- - - - - - - - -+

     That is, the [GL] result says that given an oracle that predicts
     (with advantage) x \inprod p from (f, f(x), p), you can make an
     algorithm that usually inverts f.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2.6 How is public-key encryption _really_ done: RSA PKCS #1, v.1

     (00 02 $$ $$ $$ ... $$ 00 x)^e mod n

     $$ = random nonzero byte (must be at least 8 of them)

Is it secure?? No attack; no sort of proof.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2.7 Trying to do better: the f(x) || H(x) xor M method and its analysis
    (introduce random oracles, then prove this method is secure assuming
    them)

Let \G be a trapdoor permutation --> spits out f, f^-1.
Let H be a hash function -- think SHA1.
Think of the message space as \calM.

To encrypt M:
  Choose a random X.
  return f(X) || H(X) xor M

To decrypt C:
  Parse C as Y || C'.
  X = f^-1(Y)
  return H(X) xor C'

  Adv^rr_Pi(A,k) = Pr[(pk,sk)<-\K(k); H <- Omega: A^{\E^H(.),H}(pk)=1]
                 - Pr[(pk,sk)<-\K(k); H <- Omega: A^{\E^H($^|.|),H}(pk)=1]

Security proof. To be concrete, and to get a better bound, I will do
this for the case of RSA. So we have an adversary A that breaks the
encryption scheme

     X^e mod n || H(X) xor M

doing a good job of distinguishing the "real" and "random" oracles.
Want to construct an algorithm I that, given Y = X^e mod n, does a good
job of finding X.

Def of I(n,e,goalY) -- wants to find goalX s.t. goalX^e mod n = goalY

  Run A^H(n,e).   // rr-adversary for the enc scheme.
  When A makes an encryption query U, choose a random value R_U in Z_n^*
     and answer with the ciphertext R_U^e * goalY mod n || (random
     string). (The X hidden in this ciphertext is R_U * goalX.)
  Finally, A outputs a bit. Ignore it.
  For each query X asked of H,
     for each U that we made up an R_U for,
        if (X/R_U)^e = goalY mod n, return X/R_U.

Explain the RO paradigm.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2.8 OAEP method

Build up to it: first, M || r. Then M || r || s.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2.9 Cramer-Shoup: the most efficient standard-model mechanism known.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2.10 Encryption without a trapdoor permutation: ElGamal method and its
     security

Z_p group with p elements. Cyclic group: generator g.

Imagine:

     Sender                              Receiver
                      g^a
            ---------------------->
                      g^b
            <----------------------
     g^ab                                g^ab

To make this into an encryption scheme: g^b is the receiver's public
key. Choose a as an "ephemeral" secret key, g^a as the "ephemeral"
public key.

     g^a || g^{ab}*M
            ------------------------>

Or, more reasonably,

     g^a || H(g^{ab})*M
            ------------------------>

==============================================================================
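As an added example (not from these notes), the following Python ties items 7, 10 and 14 of section 1 to the RSA trapdoor permutation of 2.2 and to the multiplicative ElGamal scheme of 2.10: one extended-Euclid inverse gives both the RSA d = e^{-1} mod (p-1)(q-1) and the division by g^{ab} in ElGamal decryption. The primes, generator and function names are my own constructed toy choices, far too small for real use.

```python
import secrets

# Constructed toy parameters (hypothetical; far too small for real use).
RSA_P, RSA_Q, RSA_E = 11, 17, 3          # e=3 is coprime to (p-1)(q-1)=160
EG_P, EG_G = 23, 5                        # 5 generates Z_23^* (order 22)

def ext_gcd(a, b):
    """Extended Euclid (item 7): (g, x, y) with a*x + b*y = g = gcd(a,b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def inverse(a, n):
    """Inverse of a in Z_n (item 10): solve ax + yn = 1; fails if gcd != 1."""
    g, x, _ = ext_gcd(a % n, n)
    if g != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return x % n

def order(g, p):
    """Multiplicative order of g in Z_p^* (item 14): g generates iff p-1."""
    k, x = 1, g % p
    while x != 1:
        x, k = x * g % p, k + 1
    return k

def rsa_gen(p, q, e):
    """Gen of 2.2 on given primes: f = (n, e), f^-1 = (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)    # phi(pq) = (p-1)(q-1), item 13
    return (n, e), (n, inverse(e, phi))

def rsa_forward(f, x):
    return pow(x, f[1], f[0])             # f(x) = x^e mod n
def rsa_backward(f_inv, y):
    return pow(y, f_inv[1], f_inv[0])     # f^-1(y) = y^d mod n

def elgamal_keygen(p, g):
    b = secrets.randbelow(p - 2) + 1      # receiver's long-term secret b
    return b, pow(g, b, p)                # public key g^b

def elgamal_encrypt(p, g, gb, m):
    a = secrets.randbelow(p - 2) + 1      # fresh ephemeral secret a per message
    return pow(g, a, p), pow(gb, a, p) * m % p   # g^a || g^{ab} * M

def elgamal_decrypt(p, b, ct):
    ga, c = ct
    return c * inverse(pow(ga, b, p), p) % p     # divide out g^{ab}
```

Reusing the same a for two messages leaks M1/M2, which is why the ephemeral secret is drawn fresh in elgamal_encrypt.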