Chapter 8. Public Key Encryption - PowerPoint PPT Presentation

1
Chapter 8. Public Key Encryption
  • Yongdae Kim
  • February 26, 2002

2
Types of Attacks
  • Chosen plaintext attack
  • Chosen ciphertext attack
    • the adversary selects ciphertexts and obtains the
      corresponding plaintexts
    • the adversary is provided with decryptions of any
      ciphertexts of its choice, but these must be
      chosen prior to receiving the target ciphertext
  • Adaptive chosen-ciphertext attack
    • the adversary may use the decryption oracle even
      after seeing the target ciphertext c
    • the adversary may request decryptions of
      ciphertexts which may be related to both the
      target ciphertext and to the decryptions
      obtained from previous queries
    • the one restriction is that it may not request the
      decryption of the target c itself

3
RSA Encryption
  • Key Generation
    • two large random primes p and q, each roughly the
      same size
    • n = pq, φ = (p-1)(q-1)
    • e, 1 < e < φ, such that gcd(φ, e) = 1
    • ed ≡ 1 (mod φ)
    • A's public key is (n, e); A's private key is d
  • Encryption: compute c = m^e mod n
  • Decryption: m = c^d mod n
  • universal exponent λ = lcm(p-1, q-1)
    • gives a smaller decryption exponent d (ed ≡ 1 mod λ)
    • if p, q are chosen at random, then gcd(p-1, q-1)
      is expected to be small, so λ = φ / gcd(p-1, q-1)
      is not much smaller than φ
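The key generation, encryption and decryption steps above, as an added worked example that is not part of the lecture. It assumes Python 3.8+ (three-argument `pow` with exponent -1 for modular inverses) and uses constructed toy primes p = 1000003, q = 1000033 with e = 65537; the function names are illustrative. It computes d both from φ and from the universal exponent λ so the two can be compared.

```python
# Added example (not the lecture's code): textbook RSA key generation,
# encryption and decryption, with the decryption exponent computed both
# from Euler's phi and from the universal (Carmichael) exponent lambda.
# The primes below are constructed for illustration and far too small
# for real use; pow(e, -1, m) needs Python 3.8+.
from math import gcd

def lcm(a, b):
    return a * b // gcd(a, b)

def rsa_keygen(p, q, e=65537):
    """Return (n, e, d_phi, d_lambda) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's phi(n)
    lam = lcm(p - 1, q - 1)            # universal exponent: phi / gcd(p-1, q-1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d_phi = pow(e, -1, phi)            # e*d ≡ 1 (mod phi)
    d_lam = pow(e, -1, lam)            # e*d ≡ 1 (mod lambda); never larger than lambda
    return n, e, d_phi, d_lam

def rsa_encrypt(m, n, e):
    return pow(m, e, n)                # c = m^e mod n

def rsa_decrypt(c, n, d):
    return pow(c, d, n)                # m = c^d mod n

# Constructed toy primes; gcd(p-1, q-1) = 6 here, so lambda = phi / 6.
P, Q = 1000003, 1000033
N, E, D_PHI, D_LAM = rsa_keygen(P, Q)

def roundtrip(m):
    """Decrypt one ciphertext with both exponents; both must return m."""
    c = rsa_encrypt(m, N, E)
    return rsa_decrypt(c, N, D_PHI), rsa_decrypt(c, N, D_LAM)

if __name__ == "__main__":
    print("n =", N, "d_phi =", D_PHI, "d_lambda =", D_LAM)
    print(roundtrip(123456789))
```

Both exponents decrypt every ciphertext because λ is the exponent of the group Z_n*; the λ-derived d is bounded by λ, which is why the slide calls it the "smaller decryption exponent".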

4
Security of RSA
  • Factoring vs. RSA
    • Factoring ⇒ RSAP (anyone who can factor n can solve
      the RSA problem)
    • computing d from (n, e) and factoring n are
      computationally equivalent:
    • ed ≡ 1 (mod φ) ⇒ ∃ k such that ed - 1 = kφ
    • a^(ed-1) ≡ 1 (mod n) for all a ∈ Z_n*
    • let ed - 1 = 2^s t, where t is odd
    • then ∃ i ∈ [1, s] such that a^(2^(i-1) t) ≢ ±1 (mod n)
      and a^(2^i t) ≡ 1 (mod n), for at least half of all
      a ∈ Z_n*
    • if a and i are such integers then gcd(a^(2^(i-1) t) - 1, n)
      is a non-trivial factor of n
  • Small encryption exponent e
    • computing a cube root when the same m is encrypted
      with e = 3 to three different people (the CRT recovers
      m^3 over the integers)
    • padding required
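Both points of the slide carried through in code, as an added example that is not the lecture's: factoring n from a known (e, d) pair using the 2^s·t decomposition of ed - 1, and recovering m from three e = 3 encryptions of the same unpadded message via the CRT and an integer cube root. It assumes Python 3.8+, constructed toy primes near 10^6 (1000003, 1000033, 1000037, 1000039, 999979, 999983) and a constructed message; all names are illustrative.

```python
# Added example (not the lecture's code): two attacks from the slide above.
# (1) factor n from a known (e, d) pair, using ed - 1 = 2^s * t;
# (2) recover m from e = 3 encryptions of the same m under three coprime
#     moduli (CRT + integer cube root), i.e. the no-padding broadcast case.
import random
from math import gcd

def factor_from_ed(n, e, d, rng=random.Random(1)):
    """Return (p, q) with p*q == n, given the private exponent d."""
    k = e * d - 1                    # a multiple of phi(n)
    s, t = 0, k
    while t % 2 == 0:                # write k = 2^s * t with t odd
        s, t = s + 1, t // 2
    while True:
        a = rng.randrange(2, n - 1)
        if gcd(a, n) != 1:           # a lucky non-unit already splits n
            g = gcd(a, n)
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue                 # the sequence is trivially ±1; retry
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:               # x is a nontrivial square root of 1 mod n
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:
                break                # hit -1: no split along this path
            x = y

def icbrt(x):
    """Exact integer cube root of a perfect cube x >= 0 (binary search)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo

def crt(residues, moduli):
    """Combine x ≡ r_i (mod n_i) for pairwise coprime moduli n_i."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        inv = pow(m, -1, n)
        x = x + m * ((r - x) * inv % n)
        m *= n
    return x % m

def hastad_e3(ciphertexts, moduli):
    """Given c_i = m^3 mod n_i for three coprime n_i with m^3 < n1*n2*n3,
    the CRT yields m^3 as an integer; the real cube root is m."""
    m3 = crt(ciphertexts, moduli)
    m = icbrt(m3)
    if m ** 3 != m3:
        raise ValueError("no exact cube root: is m^3 below the CRT modulus?")
    return m

# Constructed toy parameters (nowhere near real key sizes).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

N1, N2, N3 = 1000003 * 1000033, 1000037 * 1000039, 999979 * 999983
M = 123456789012                     # constructed message, m^3 < N1*N2*N3
C1, C2, C3 = (pow(M, 3, n) for n in (N1, N2, N3))

if __name__ == "__main__":
    print(factor_from_ed(N, E, D))
    print(hastad_e3([C1, C2, C3], [N1, N2, N3]) == M)
```

The factoring loop terminates quickly because, as the slide states, at least half of all a in Z_n* produce a nontrivial square root of 1 somewhere in the chain a^t, a^(2t), ..., a^(2^s t). The broadcast attack needs no private key at all, which is the whole argument for padding.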

5
Security of RSA (cntd.)
  • Forward search attack
    • if the message space is small, Eve can build a
      dictionary (compute c for every possible m) and
      look ciphertexts up in it
  • Small decryption exponent d
    • if d is smaller than about n^(1/4), there exists an
      efficient attack (Wiener's continued-fraction attack)
  • Homomorphic (multiplicative) property
    • c1·c2 = m1^e·m2^e mod n = (m1·m2)^e mod n
  • Adaptive chosen ciphertext attack
    • c' = c·x^e mod n (x chosen by the attacker)
    • decryption oracle: c'^d = c^d·x mod n = m·x mod n,
      so dividing by x yields m without ever querying c
  • Careful padding (OAEP) can prevent this
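The blinding attack and the forward-search attack from this slide, as an added example that is not the lecture's code. The decryption oracle is a constructed stand-in that refuses only the exact target ciphertext, which is the adaptive CCA model of slide 2; the primes and messages are constructed toy values and Python 3.8+ is assumed.

```python
# Added example (not the lecture's code): the multiplicative property of
# textbook RSA turned into an adaptive chosen-ciphertext attack, plus the
# forward-search (dictionary) attack on a small message space.
# Toy primes below are constructed for illustration only.
import random
from math import gcd

P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def encrypt(m):
    return pow(m, E, N)

class DecryptionOracle:
    """Decrypts anything except the one target ciphertext it was given."""
    def __init__(self, target):
        self.target = target
        self.queries = 0

    def decrypt(self, c):
        if c == self.target:
            raise PermissionError("decryption of the target is refused")
        self.queries += 1
        return pow(c, D, N)

def blinding_attack(target, oracle, rng=random.Random(7)):
    """Recover m = target^d mod n without submitting target itself:
    c' = target * x^e = (m*x)^e, so oracle(c') = m*x and m = oracle(c') / x."""
    while True:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1:              # x must be invertible mod n
            break
    blinded = (target * pow(x, E, N)) % N
    mx = oracle.decrypt(blinded)        # looks unrelated to the target
    return (mx * pow(x, -1, N)) % N

def forward_search(target, message_space):
    """Deterministic encryption + small message space: encrypt every
    candidate and match. Returns the plaintext or None."""
    table = {encrypt(m): m for m in message_space}
    return table.get(target)

def demo_blinding(m=424242):
    """Returns (recovered plaintext, number of oracle queries used)."""
    c = encrypt(m)
    oracle = DecryptionOracle(c)
    return blinding_attack(c, oracle), oracle.queries

if __name__ == "__main__":
    print(demo_blinding())
    print(forward_search(encrypt(1234), range(1 << 16)))
```

A single oracle query suffices, and because textbook RSA is a permutation on Z_n the dictionary lookup never yields a false match; both attacks disappear once a randomized, redundancy-checking padding such as OAEP is applied before exponentiation.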

6
Security of RSA (cntd.)
  • Common modulus attack
    • sharing n between users is a bad idea :-)
      (if the same m is encrypted under (n, e1) and (n, e2)
      with gcd(e1, e2) = 1, m is recovered from c1, c2
      without any private key)
  • Cycling attack
    • c^(e^1) mod n, c^(e^2) mod n, ..., c^(e^k) mod n = c mod n
      (then c^(e^(k-1)) mod n = m)
  • Generalized cycling attack
    • find the smallest positive integer u such that
      f = gcd(c^(e^u) mod n - c, n) > 1
    • c^(e^u) ≡ c (mod p) and c^(e^u) ≢ c (mod q) ⇒ f = p
    • c^(e^u) ≢ c (mod p) and c^(e^u) ≡ c (mod q) ⇒ f = q
    • c^(e^u) ≡ c (mod p) and c^(e^u) ≡ c (mod q) ⇒ f = n:
      the basic cycling attack (less frequent)
    • the generalized cycling attack is thus an algorithm for
      factoring n (assumed to be hard), so it rarely succeeds
      on properly chosen parameters
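The common-modulus attack and the generalized cycling attack of this slide, as an added example that is not the lecture's code. Constructed toy primes p = 10007, q = 10009 keep the cycling loop to a few thousand iterations; on real moduli the cycle length is astronomically large, which is exactly the slide's point. Python 3.8+ is assumed (negative exponents in `pow` compute a modular inverse).

```python
# Added example (not the lecture's code): the common-modulus attack and the
# generalized cycling attack. Small constructed primes make the cycling
# loop short; for real moduli the cycle length is astronomically large.
from math import gcd

def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def common_modulus_attack(n, e1, c1, e2, c2):
    """Two users share n with coprime exponents e1, e2 and receive the same
    m. With a*e1 + b*e2 = 1: c1^a * c2^b = m^(a*e1 + b*e2) = m (mod n)."""
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    # pow() with a negative exponent takes the modular inverse first
    return (pow(c1, a, n) * pow(c2, b, n)) % n

def generalized_cycling_attack(n, e, c, max_iter=10**6):
    """Iterate c, c^e, c^(e^2), ... mod n until gcd(c^(e^u) - c, n) > 1.
    Returns (u, f, prev): f is p, q or n; prev = c^(e^(u-1)) mod n, which
    equals the plaintext m when f == n (the basic cycling attack)."""
    cur = c
    for u in range(1, max_iter + 1):
        prev, cur = cur, pow(cur, e, n)
        f = gcd(cur - c, n)
        if f > 1:
            return u, f, prev
    return None

# Constructed toy parameters
P, Q = 10007, 10009
N = P * Q
E1, E2 = 17, 23          # both coprime to phi(N) and to each other
M = 123456               # constructed message, M < N

def demo_common_modulus(m=M):
    c1, c2 = pow(m, E1, N), pow(m, E2, N)
    return common_modulus_attack(N, E1, c1, E2, c2)

def demo_cycling(m=M, e=E1):
    """Returns (u, f, ok): ok is True when the result is consistent with the
    slide, i.e. f is p or q, or f == n and prev is the plaintext."""
    c = pow(m, e, N)
    u, f, prev = generalized_cycling_attack(N, e, c)
    return u, f, (f in (P, Q)) or (f == N and prev == m)

if __name__ == "__main__":
    print(demo_common_modulus())
    print(demo_cycling())
```

For the toy modulus the cycling loop finishes because u divides the order of e modulo the order of c in Z_p* (or Z_q*), both bounded by 10^4 here; for 1024-bit primes with a large prime factor in p-1 that order is infeasible to reach, which is the "r - 1 has a large prime factor" condition on the next slide.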

7
RSA Encryption in Practice
  • Recommended size of modulus: > 1024 bits
  • Selecting primes
    • p and q of roughly the same size, to resist elliptic
      curve factoring (which finds small factors first)
    • |p - q| should be large enough (attacks that try
      numbers near sqrt(n))
  • Strong primes
    • p - 1 has a large prime factor r ⇒ resists Pollard's
      p - 1 factoring
    • p + 1 has a large prime factor ⇒ resists the p + 1
      factoring algorithm
    • r - 1 has a large prime factor ⇒ resists cycling attacks
  • Random p, q have these properties in general
  • Selecting e
    • in general 3 or 2^16 + 1 = 65537
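Pollard's p - 1 method, the attack behind the first strong-prime condition, as an added example that is not the lecture's code. It assumes constructed toy primes: p = 2311 was chosen so that p - 1 = 2·3·5·7·11 is 11-smooth, while q = 10007 has q - 1 = 2·5003 with a large prime factor; the smoothness bound B = 20 is also a chosen parameter.

```python
# Added example (not the lecture's code): Pollard's p - 1 method, which
# succeeds exactly when some prime p | n has p - 1 built from small primes.
# p = 2311 is constructed with p - 1 = 2*3*5*7*11 (11-smooth);
# q = 10007 has q - 1 = 2 * 5003, so it resists the same bound.
from math import gcd, isqrt

def small_primes(bound):
    """Primes <= bound by trial division (bound is tiny here)."""
    return [r for r in range(2, bound + 1)
            if all(r % d for d in range(2, isqrt(r) + 1))]

def pollard_p_minus_1(n, bound, a=2):
    """Return a nontrivial factor of n if some prime p | n has p - 1
    bound-smooth, else None. Computes a^L with L = prod r^k (r^k <= n)
    over primes r <= bound; if p - 1 | L then a^L ≡ 1 (mod p), and
    gcd(a^L - 1, n) exposes p unless every factor of n cooperates."""
    x = a
    for r in small_primes(bound):
        rk = r
        while rk * r <= n:             # largest power of r not exceeding n
            rk *= r
        x = pow(x, rk, n)              # accumulate the exponent prime by prime
    f = gcd(x - 1, n)
    return f if 1 < f < n else None

def largest_prime_factor(x):
    """Largest prime factor of x by trial division (toy sizes only):
    the quantity a strong-prime test checks for p - 1."""
    largest, f = 1, 2
    while f * f <= x:
        while x % f == 0:
            largest, x = f, x // f
        f += 1
    return max(largest, x) if x > 1 else largest

if __name__ == "__main__":
    print(pollard_p_minus_1(2311 * 10007, 20))   # splits off the smooth prime
    print(pollard_p_minus_1(10007 * 5003, 20))   # neither p-1 is 20-smooth
    print(largest_prime_factor(2310), largest_prime_factor(10006))
```

The second call returns None because the order of 2 modulo each factor is a multiple of 5003, 41 or 61, none of which divides L; raising the bound until one factor's p - 1 divides L is the attack, and "p - 1 has a large prime factor" is what makes that bound unreachable.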

8
Rabin public key encryption
  • Key Generation
    • n = pq (p, q primes, typically p ≡ q ≡ 3 (mod 4))
    • A's public key is n; A's private key is (p, q)
  • Encryption: compute c = m^2 mod n
  • Decryption
    • find the square roots of c mod p and mod q
    • use the CRT to retrieve the four roots m1, m2, m3, m4
    • choose one of them unambiguously (needs redundancy in m)

9
Security of Rabin
  • Rabin SQRT ⇔ Factoring
  • Provably secure against a passive adversary (breaking
    it is as hard as factoring n)
  • Susceptible to a chosen ciphertext attack similar to the
    one on RSA (and here the attack factors n)
  • Many RSA attacks are also applicable to Rabin
  • Solved by padding such as OAEP
  • Use of redundancy
    • to find the exact m among the four square roots
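Rabin encryption and decryption from the previous slide together with the chosen-ciphertext attack of this one, as an added example that is not the lecture's code. It assumes constructed toy primes p = 1000003, q = 1000039 (both ≡ 3 mod 4), a constructed redundancy rule (the low 16 bits of the payload are appended as a copy) and a constructed "raw" decryptor that returns the smallest root without checking redundancy; Python 3.8+ is assumed.

```python
# Added example (not the lecture's code): Rabin with p ≡ q ≡ 3 (mod 4),
# the four square roots by CRT, a simple redundancy rule to pick the right
# root, and the chosen-ciphertext attack that turns a careless decryption
# oracle into a factoring oracle. Toy primes are constructed.
import random
from math import gcd

P, Q = 1000003, 1000039            # both ≡ 3 (mod 4)
N = P * Q
REDUNDANCY_BITS = 16               # plaintext = payload || low 16 bits of payload
MASK = (1 << REDUNDANCY_BITS) - 1

def sqrt_mod_prime_3mod4(c, p):
    """A square root of the QR c modulo p ≡ 3 (mod 4): c^((p+1)/4)."""
    return pow(c, (p + 1) // 4, p)

def crt2(rp, rq, p, q):
    """Combine x ≡ rp (mod p), x ≡ rq (mod q) into x mod pq."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def rabin_encrypt(m):
    return pow(m, 2, N)

def rabin_roots(c):
    """All square roots of c modulo n = pq (four when gcd(c, n) = 1)."""
    rp, rq = sqrt_mod_prime_3mod4(c, P), sqrt_mod_prime_3mod4(c, Q)
    return {crt2(sp, sq, P, Q) for sp in (rp, P - rp) for sq in (rq, Q - rq)}

def add_redundancy(payload):
    return (payload << REDUNDANCY_BITS) | (payload & MASK)

def check_redundancy(m):
    """Return the payload if the appended copy matches, else None."""
    payload, low = m >> REDUNDANCY_BITS, m & MASK
    return payload if (payload & MASK) == low else None

def rabin_decrypt(c):
    """The unique root carrying valid redundancy; None if ambiguous."""
    good = [r for r in rabin_roots(c) if check_redundancy(r) is not None]
    return check_redundancy(good[0]) if len(good) == 1 else None

def raw_oracle(c):
    """A careless decryptor: returns *some* root without any redundancy check."""
    return min(rabin_roots(c))

def rabin_cca_factor(oracle, rng=random.Random(3)):
    """Pick random x, ask the oracle for a root of x^2: with probability 1/2
    it is neither x nor -x, and then gcd(x - root, n) is p or q."""
    while True:
        x = rng.randrange(2, N)
        if gcd(x, N) != 1:
            g = gcd(x, N)
            return tuple(sorted((g, N // g)))
        r = oracle(pow(x, 2, N))
        if r not in (x, N - x):
            f = gcd(x - r, N)
            return tuple(sorted((f, N // f)))

def demo(payload=0xC0FFEE):
    """Encrypt a payload with redundancy and decrypt it again."""
    return rabin_decrypt(rabin_encrypt(add_redundancy(payload)))

if __name__ == "__main__":
    print(demo() == 0xC0FFEE)
    print(rabin_cca_factor(raw_oracle))
```

The redundancy is what lets the legitimate receiver pick one of the four roots; the attack works precisely because the raw oracle hands back a root the querier could not have computed alone, which is why real deployments pad with OAEP-style redundancy and refuse malformed plaintexts.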

10
ElGamal public-key encryption
  • Key Generation
    • prime p (system-wide parameter) and a generator g
      of Z_p*
    • A's public key is y = g^x mod p; A's private key is x
  • Encryption
    • generate a random integer k and compute r = g^k mod p
    • compute c = m·y^k mod p
    • ciphertext (r, c)
  • Decryption
    • m = c / r^x mod p  (since r^x = g^(kx) = y^k)

11
Discussions on ElGamal
  • Efficiency
    • 2 modular exponentiations to encrypt; 2× message expansion
  • Security
    • randomized encryption, precluding or decreasing the
      scope for chosen-ciphertext attacks
    • depends on the DH problem: DDH or CDH? (semantic
      security needs DDH; recovering m outright needs CDH)
    • use a fresh k for each encryption
      • c1 / c2 = m1 / m2 if k is the same, so one known
        plaintext reveals the other
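ElGamal over Z_p* from the previous slide and the nonce-reuse failure from this one, as an added example that is not the lecture's code. It assumes the constructed toy safe prime p = 10007 (p - 1 = 2·5003, so a generator is easy to verify), constructed messages, and Python 3.8+ for negative exponents in `pow`.

```python
# Added example (not the lecture's code): ElGamal over Z_p* with a small
# constructed prime, and the nonce-reuse attack: two ciphertexts made with
# the same k share r and satisfy c1/c2 = m1/m2, so knowing m1 gives m2.
import random

P = 10007                     # constructed toy safe prime: P - 1 = 2 * 5003
P_MINUS_1_FACTORS = (2, 5003)

def find_generator(p, factors):
    """Smallest g generating Z_p*: g^((p-1)/r) != 1 for every prime r | p-1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // r, p) != 1 for r in factors):
            return g
    raise ValueError("no generator found")

G = find_generator(P, P_MINUS_1_FACTORS)

def keygen(rng):
    x = rng.randrange(1, P - 1)        # private key
    return x, pow(G, x, P)             # (x, y = g^x mod p)

def encrypt(m, y, k):
    r = pow(G, k, P)                   # r = g^k
    c = (m * pow(y, k, P)) % P         # c = m * y^k
    return r, c

def decrypt(r, c, x):
    return (c * pow(r, -x, P)) % P     # c / r^x = m * y^k / g^(kx)

def nonce_reuse_attack(ct1, m1, ct2):
    """Same k ⇒ same r and c1/c2 = m1/m2; with m1 known, m2 = c2 * m1 / c1."""
    (r1, c1), (r2, c2) = ct1, ct2
    if r1 != r2:
        raise ValueError("r differs: k was not reused")
    return (c2 * m1 * pow(c1, -1, P)) % P

def demo(m1=4242, m2=1234, seed=5):
    """Returns (m1 decrypted honestly, m2 recovered by the attacker)."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    k = rng.randrange(1, P - 1)
    ct1, ct2 = encrypt(m1, y, k), encrypt(m2, y, k)    # k reused: the bug
    return decrypt(*ct1, x), nonce_reuse_attack(ct1, m1, ct2)

if __name__ == "__main__":
    print("g =", G, demo())
```

The attacker never touches x: a repeated k is visible as a repeated r, and the ratio of the second components cancels y^k. Drawing k from a cryptographic RNG per message, or deriving it deterministically from the key and message, removes this failure mode.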

12
Generalized ElGamal
  • works in any finite cyclic group G
    • the multiplicative group Z_p* of the integers
      modulo a prime p
    • the multiplicative group F_(2^m)* of the finite field
      F_(2^m) of characteristic 2
    • the group of points on an elliptic curve over a
      finite field
    • braid groups (from knot theory)

13
McEliece PKE
  • based on error-correcting codes
  • first select a particular code for which an
    efficient decoding algorithm is known, then
    disguise it as a general linear code
  • the problem of decoding an arbitrary linear code
    is NP-hard
  • a description of the original code can serve as the
    private key, while a description of the transformed
    code serves as the public key
  • very inefficient: public key ≈ 2^19 bits
  • not used any more :-)

14
Knapsack
  • based on the subset sum problem (NP-complete)
  • select a subset sum problem that is easy to solve,
    then disguise it as an instance of the general
    subset sum problem which is hopefully difficult
    to solve
  • Key
    • the original knapsack set can serve as the
      private key, while the transformed knapsack set
      serves as the public key
  • most are broken
  • out of scope

15
Deterministic Cipher
  • minimal requirement: hard for a passive adversary to
    find the plaintext
  • RSA, Rabin are deterministic
    • under a fixed public key, a plaintext is always
      encrypted to the same ciphertext
  • Properties of a deterministic cipher
    • not secure for all probability distributions of the
      message space
      • in RSA, 0 and 1 get encrypted to themselves, and
        hence are easy to detect
    • often easy to compute partial information about the
      plaintext from the ciphertext
      • Jacobi symbol: (c/n) = (m^e/n) = (m/n)^e = (m/n)
        since e is odd
    • easy to detect when the same message is
      sent twice
  • any deterministic encryption can be converted
    into a randomized one
    • part (of length l) of the plaintext consists of a
      randomly generated bit-string
    • not provably secure, though

16
Probabilistic Encryption
  • utilizes randomness to attain provable and
    strong security
  • Polynomial vs. semantic security
    • Polynomial security: no passive adversary can,
      in polynomial time, select two plaintexts m1 and m2
      and then distinguish between encryptions of m1 and m2
      with probability significantly greater than ½
    • Semantic security: for all probability distributions
      over the message space, whatever a passive adversary
      can compute in expected polynomial time about the
      plaintext given the ciphertext, it can also compute
      in expected polynomial time without the ciphertext
  • Semantic security of a PKE = no partial information
    leakage

17
Perfect vs. Semantic security
  • perfect secrecy
    • a passive adversary, even with infinite
      computational resources, can learn nothing about the
      plaintext from the ciphertext, except its length
    • limitation: cannot be achieved unless the key is as
      long as the message
  • semantic security = polynomially bounded perfect
    secrecy
    • a passive adversary with polynomially bounded
      resources can learn nothing
    • ∃ semantically secure PKE where keys are shorter
      than messages
  • a PKE is semantically secure ⇔ it is polynomially
    secure

18
Goldwasser-Micali PKE
  • based on the intractability of the QRP (quadratic
    residuosity problem)
  • Key Generation
    • n = pq
    • select y in Z_n such that y is a QNR mod n but
      (y/n) = 1 (a pseudosquare)
    • public key (n, y), private key (p, q)
  • Encryption for m = m1 m2 ... mt (bits)
    • for i = 1 to t
      • pick random x in Z_n*
      • if mi = 1, ci = y·x^2 mod n, otherwise ci = x^2 mod n
  • Decryption
    • for i = 1 to t
      • ei = (ci / p)  (Legendre symbol)
      • if ei = 1, mi = 0, otherwise mi = 1

19
Discussion
  • Security
    • Eve sees x^2 mod n or y·x^2 mod n, both with Jacobi
      symbol 1
    • if the QRP is hard, Eve can do no better than
      guessing each message bit
    • more formally, if the QRP is hard, then GM PKE is
      semantically secure
  • Efficiency
    • log2 n times message expansion (one element of Z_n
      per plaintext bit)
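One added example serving two slides, not the lecture's code: the Jacobi symbol and the (c/n) = (m/n) leak of textbook RSA from the "Deterministic Cipher" slide, and the Goldwasser-Micali scheme from the previous slide, which uses the same symbol both to find a pseudosquare y and to decrypt. It assumes constructed toy primes p = 1000003, q = 1000033 and constructed bit strings; the function names are illustrative.

```python
# Added example (not the lecture's code): the Jacobi symbol, the Jacobi leak
# of deterministic RSA, and bit-by-bit Goldwasser-Micali on top of it.
# Toy primes are constructed; real n would be 2048+ bits.
import random
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 via quadratic reciprocity;
    for prime n this is the Legendre symbol."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:             # pull out factors of 2: (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                   # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

P, Q = 1000003, 1000033
N = P * Q

def leak_matches(m, e=65537):
    """(m^e / n) equals (m / n) for odd e: the ciphertext leaks one bit of m."""
    return jacobi(pow(m, e, N), N) == jacobi(m, N)

def find_pseudosquare(rng):
    """y with (y/n) = 1 but y a QNR mod n, i.e. (y/p) = (y/q) = -1."""
    while True:
        y = rng.randrange(2, N)
        if jacobi(y, P) == -1 and jacobi(y, Q) == -1:
            return y

def gm_encrypt(bits, y, rng):
    """Each bit becomes a random square (bit 0) or y times a square (bit 1)."""
    out = []
    for b in bits:
        while True:
            x = rng.randrange(1, N)
            if gcd(x, N) == 1:
                break
        sq = pow(x, 2, N)
        out.append((y * sq) % N if b else sq)
    return out

def gm_decrypt(cts):
    """(c/p) = 1 exactly when c is a square mod p, i.e. when the bit was 0."""
    return [0 if jacobi(c, P) == 1 else 1 for c in cts]

def demo(bits=(1, 0, 1, 1, 0, 0, 1, 0), seed=11):
    """Round-trip a constructed bit string; returns True on success."""
    rng = random.Random(seed)
    y = find_pseudosquare(rng)
    return gm_decrypt(gm_encrypt(bits, y, rng)) == list(bits)

if __name__ == "__main__":
    print(leak_matches(12345), demo())
```

Without p, an observer only sees elements of Jacobi symbol 1 and cannot tell squares from pseudosquares, which is the QRP; with p, a single Legendre computation per ciphertext element decides each bit, and the cost is one element of Z_n per plaintext bit, as the efficiency bullet notes.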

20
Blum-Goldwasser
  • based on the factorization problem
  • the most efficient probabilistic encryption scheme
    known
    • comparable to the RSA encryption scheme
  • vulnerable to CCA
  • based on the BBS RNG
  • Key Generation
    • n = pq (p, q ≡ 3 mod 4 ⇒ n is a Blum integer)
    • compute a and b such that ap + bq = 1
    • public key n, private key (p, q, a, b)

21
Blum-Goldwasser (cntd.)
  • Encryption for m = m1 m2 ... mt (blocks of h bits)
    • k = ⌊lg n⌋, h = ⌊lg k⌋, x0 = a random QR mod n
    • for i = 1 to t
      • xi = x(i-1)^2 mod n, pi = the h LSBs of xi
      • ci = pi ⊕ mi
    • compute x(t+1) = xt^2 mod n
    • ciphertext (c1, c2, ..., ct, x(t+1))
  • Decryption
    • compute d1 = ((p+1)/4)^(t+1) mod (p-1),
      d2 = ((q+1)/4)^(t+1) mod (q-1)
    • compute u = x(t+1)^d1 mod p, v = x(t+1)^d2 mod q,
      x0 = v·a·p + u·b·q mod n
    • for i = 1 to t
      • xi = x(i-1)^2 mod n, pi = the h LSBs of xi
      • mi = pi ⊕ ci

22
Blum-Goldwasser (cntd.)
  • Why decryption works
    • xt is a QR mod n ⇒ a QR mod p ⇒ xt^((p-1)/2) ≡ 1 (mod p)
    • x(t+1)^((p+1)/4) = xt^(2(p+1)/4) = xt · xt^((p-1)/2)
      = xt (mod p); similarly xt^((p+1)/4) = x(t-1) (mod p)
    • x(t+1)^(((p+1)/4)^2) = x(t-1) (mod p)
    • repeating this ⇒ u = x(t+1)^d1 = x(t+1)^(((p+1)/4)^(t+1))
      = x0 (mod p); likewise v = x0 (mod q)
    • since ap + bq = 1: v·a·p + u·b·q ≡ u·b·q = u(1 - ap)
      ≡ u = x0 (mod p), and v·a·p + u·b·q ≡ v·a·p = v(1 - bq)
      ≡ v = x0 (mod q)
    • hence v·a·p + u·b·q ≡ x0 (mod n)
    • now we have the seed, and decryption is the same
      computation as encryption
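The three Blum-Goldwasser slides carried through in code, as an added example that is not the lecture's: BBS keystream generation with the slides' parameters k = ⌊lg n⌋ and h = ⌊lg k⌋, and the CRT shortcut (d1, d2, a, b) that recovers x0 from x(t+1). It assumes constructed toy Blum primes p = 1000003, q = 1000039, a constructed message, and Python 3.8+.

```python
# Added example (not the lecture's code): Blum-Goldwasser with the BBS
# generator, using the slides' parameters k = floor(lg n), h = floor(lg k),
# and the CRT shortcut (d1, d2, a, b) to recover x0 from x_{t+1}.
# Toy Blum primes below are constructed; real ones are 1024+ bits.
import random
from math import gcd

P, Q = 1000003, 1000039           # both ≡ 3 (mod 4) ⇒ N is a Blum integer
N = P * Q
K = N.bit_length() - 1            # k = floor(lg n)
H = K.bit_length() - 1            # h = floor(lg k): keystream bits per step
B = pow(Q, -1, P)                 # b*q ≡ 1 (mod p)
A = (1 - B * Q) // P              # a*p + b*q = 1 (exact division)
HMASK = (1 << H) - 1

def to_blocks(data):
    """Split bytes into h-bit blocks, most significant block first."""
    v = int.from_bytes(data, "big")
    nblocks = -(-len(data) * 8 // H)                      # ceil division
    return [(v >> (H * (nblocks - 1 - i))) & HMASK for i in range(nblocks)]

def from_blocks(blocks, nbytes):
    v = 0
    for b in blocks:
        v = (v << H) | b
    return v.to_bytes(nbytes, "big")

def bg_encrypt(blocks, rng):
    """Returns (c_1..c_t, x_{t+1}); x_0 is a random quadratic residue."""
    while True:
        r = rng.randrange(2, N)
        if gcd(r, N) == 1:
            break
    x = pow(r, 2, N)                                      # x_0 = r^2
    cts = []
    for m in blocks:
        x = pow(x, 2, N)                                  # x_i = x_{i-1}^2
        cts.append((x & HMASK) ^ m)                       # c_i = p_i xor m_i
    return cts, pow(x, 2, N)                              # x_{t+1}

def bg_recover_seed(x_next, t):
    """x_0 from x_{t+1}: take (t+1) principal square roots mod p and mod q
    in one exponentiation each, then combine with a*p + b*q = 1."""
    d1 = pow((P + 1) // 4, t + 1, P - 1)
    d2 = pow((Q + 1) // 4, t + 1, Q - 1)
    u = pow(x_next, d1, P)                                # x_0 mod p
    v = pow(x_next, d2, Q)                                # x_0 mod q
    return (v * A * P + u * B * Q) % N

def bg_decrypt(cts, x_next):
    x = bg_recover_seed(x_next, len(cts))
    out = []
    for c in cts:
        x = pow(x, 2, N)
        out.append((x & HMASK) ^ c)                       # m_i = p_i xor c_i
    return out

def demo(msg=b"attack at dawn", seed=9):
    """Encrypt and decrypt a constructed message; returns the plaintext."""
    rng = random.Random(seed)
    cts, x_next = bg_encrypt(to_blocks(msg), rng)
    return from_blocks(bg_decrypt(cts, x_next), len(msg))

if __name__ == "__main__":
    print("k =", K, "h =", H, demo())
```

With this 40-bit n the slides' rule gives h = 5 keystream bits per squaring; for the 1025-bit n of the next slide it gives h = 10. Note that nothing in the ciphertext authenticates the c_i: flipping a bit of some c_i flips the same bit of m_i, which is the malleability behind the CCA remark.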

23
Discussion
  • Security
    • n a Blum integer: if factoring n is difficult, the
      h LSBs of the principal square root xt of x(t+1) mod
      n are simultaneously secure
    • Eve can do no better than guess the
      pseudorandom bits pi, i = 1 .. t
    • if n is a 1025-bit integer, then k = 1024 and h = 10
    • vulnerable to CCA (the keystream XOR is malleable:
      flipping a bit of ci flips the same bit of mi)
      ⇒ has not received much attention
  • Efficiency
    • message expansion: only the extra element x(t+1)
    • encryption efficiency: 1 modular multiplication
      (a squaring) per h bits of plaintext
      • if e is chosen at random in RSA, almost the same
        performance
      • if e = 3, BG is worse than RSA
    • decryption efficiency: 4 modular exponentiations
      (d1, d2, u, v) plus t modular multiplications
    • RSA: 1 modular exponentiation mod n

24
Non-malleability
  • non-malleability
    • given a ciphertext, it is computationally infeasible
      to generate a different ciphertext such that the
      respective plaintexts are related
  • Fact: if a PKE is non-malleable, it is also
    semantically secure
  • plaintext-aware
    • it is computationally infeasible for an adversary to
      produce a valid ciphertext without knowing the
      corresponding plaintext
  • plaintext-aware encryption: OAEP
    • Mihir Bellare, Phillip Rogaway
    • Shoup

25
Thank You