introduction to cryptologydanadach/cryptography_20/lec... · 2020-04-23 · –el gamal encryption...
Cryptography
Lecture 23
Announcements
• HW8 due 5/4
• HW9 due 5/11
Agenda
• Last time:
– Elliptic Curve Groups
– Key Exchange Definitions (10.3)
• This time:
– More on Key Exchange Definitions
– Diffie-Hellman Key Exchange (10.3)
– El Gamal Encryption (11.4)
– RSA Encryption (11.5)
Key Agreement
The key-exchange experiment
,
1. Two parties holding execute protocol . This results in a transcript containing all the messages sent by the parties, and a key output by each of the parties.
2. A uniform bit is chosen. If set , and if then choose uniformly at random.
3. is given and , and outputs a bit .
4. The output of the experiment is defined to be 1 if and otherwise.
Definition: A key-exchange protocol is secure in the presence of an eavesdropper if for all ppt adversaries there is a negligible function such that
,
Discussion of Definition
• Why is this the “right” definition?
• Why does the adversary get to see ?
Diffie-Hellman Key Exchange
Recall DDH problem
We say that the DDH problem is hard relative to if for all ppt algorithms , there exists a negligible function such that
Security Analysis
Theorem: If the DDH problem is hard relative to , then the Diffie-Hellman key-exchange protocol is secure in the presence of an eavesdropper.
Public Key Encryption
Definition: A public key encryption scheme is a triple of ppt algorithms such that:
1. The key generation algorithm takes as input the security parameter and outputs a pair of keys . We refer to the first of these as the public key and the second as the private key. We assume for convenience that and each has length at least , and that can be determined from .
2. The encryption algorithm takes as input a public key and a message from some message space. It outputs a ciphertext , and we write this as .
3. The deterministic decryption algorithm takes as input a private key and a ciphertext , and outputs a message or a special symbol denoting failure. We write this as .
Correctness: It is required that, except possibly with negligible probability over output by , we have for any legal message .
CPA-Security
The CPA experiment
,:
1. is run to obtain keys .
2. Adversary is given , and outputs a pair of equal-length messages in the message space.
3. A uniform bit is chosen, and then a challenge ciphertext is computed and given to .
4. outputs a bit . The output of the experiment is 1 if , and 0 otherwise.
Definition: A public-key encryption scheme is CPA-secure if for all ppt adversaries there is a negligible function such that
,
Discussion
• Discuss how in the public key setting security in the presence of an eavesdropper and CPA security are equivalent (since anyone can encrypt using the public key).
• Discuss how CPA-secure encryption cannot be deterministic!!
– Why not?
El Gamal Encryption
--Show how we can derive El Gamal PKE from Diffie-Hellman Key Exchange
Important Property
Lemma: Let be a finite group, and let be arbitrary. Then choosing uniform and setting gives the same distribution for as choosing uniform . Put differently, for any we have
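The derivation and the lemma above, as an added example that is not from the lecture slides: El Gamal is Diffie-Hellman in which the receiver's message g^x is published as the public key and the sender masks m with the shared key k = g^(xy). The standard El Gamal construction is assumed here because the scheme slide did not survive in this transcript; the toy group (p = 467, q = 233, g = 4) and all function names are constructed for illustration.

```python
import secrets

# Constructed toy parameters, far too small for real use:
# P = 2*Q + 1 is a safe prime and G = 4 generates the order-Q subgroup of Z_P^*.
P, Q, G = 467, 233, 4
GROUP = [pow(G, i, P) for i in range(Q)]    # every element of the subgroup

def dh_keypair():
    """One Diffie-Hellman message: secret exponent x and public value g^x."""
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)

def dh_shared(secret, other_public):
    """Shared key (g^y)^x = g^(xy), computed from one's own secret exponent."""
    return pow(other_public, secret, P)

def elgamal_encrypt(h, m):
    """The sender plays the second DH party, then masks m with the shared key."""
    y, c1 = dh_keypair()                    # fresh y for every encryption
    k = dh_shared(y, h)                     # k = h^y = g^(xy)
    return c1, (k * m) % P                  # ciphertext (g^y, k*m)

def elgamal_decrypt(x, ciphertext):
    """The receiver recomputes k from c1 and divides it out of c2."""
    c1, c2 = ciphertext
    k = dh_shared(x, c1)
    return (c2 * pow(k, -1, P)) % P

def mask_distribution(m):
    """Lemma check: for a fixed m, k -> k*m over all k in the group is a bijection."""
    return sorted((k * m) % P for k in GROUP)

if __name__ == "__main__":
    x, h = dh_keypair()                     # h is the El Gamal public key
    m = GROUP[42]                           # messages are group elements
    print(elgamal_decrypt(x, elgamal_encrypt(h, m)) == m)
    print(mask_distribution(m) == sorted(GROUP))
```

Because `mask_distribution(m)` is a permutation of the group for every `m`, a uniform `k` makes `k*m` uniform, which is why the second ciphertext component reveals nothing about `m` once the shared key is indistinguishable from uniform.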
El Gamal Encryption Scheme
Security Analysis
Theorem: If the DDH problem is hard relative to 𝐺, then the El Gamal encryption scheme is CPA-secure.
Textbook RSA Encryption
Is Plain-RSA Secure?
• It is deterministic so cannot be secure!
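An added example (not from the lecture slides) answering the "Why not?" in the CPA discussion and the plain-RSA bullet above: in the CPA experiment the adversary holds the public key, so it can encrypt m0 itself and compare the result with the challenge. The toy RSA and El Gamal parameters, the message choices and all function names are constructed for illustration; El Gamal is included only as the randomized contrast.

```python
import secrets

# Constructed toy parameters, far too small for real use.
RSA_P, RSA_Q, RSA_E = 61, 53, 17        # textbook RSA with N = 3233
EG_P, EG_Q, EG_G = 467, 233, 4          # El Gamal in the order-233 subgroup of Z_467^*

def rsa_gen():
    return (RSA_P * RSA_Q, RSA_E)       # public key only; sk is not needed here

def rsa_enc(pk, m):
    n, e = pk
    return pow(m, e, n)                 # deterministic: same m, same ciphertext

def eg_gen():
    return pow(EG_G, secrets.randbelow(EG_Q), EG_P)     # public key h = g^x

def eg_enc(h, m):
    y = secrets.randbelow(EG_Q)         # fresh randomness for every encryption
    return pow(EG_G, y, EG_P), (pow(h, y, EG_P) * m) % EG_P

def reencrypt_adversary(enc, pk, m0, challenge):
    """Encrypt m0 under pk and compare with the challenge; output the guess b'."""
    return 0 if enc(pk, m0) == challenge else 1

def cpa_experiment(gen, enc, m0, m1):
    """One run of the CPA experiment; m0, m1 stand for the adversary's chosen pair."""
    pk = gen()
    b = secrets.randbelow(2)            # uniform challenge bit
    challenge = enc(pk, (m0, m1)[b])
    return int(reencrypt_adversary(enc, pk, m0, challenge) == b)

def win_rate(gen, enc, m0, m1, trials=2000):
    """Fraction of experiment runs in which the adversary's guess equals b."""
    return sum(cpa_experiment(gen, enc, m0, m1) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("textbook RSA:", win_rate(rsa_gen, rsa_enc, 65, 66))
    print("El Gamal:    ", win_rate(eg_gen, eg_enc, 16, 64))   # 16 and 64 lie in the subgroup
```

The adversary wins every run against textbook RSA, while against El Gamal the same strategy stays close to 1/2 because the re-encryption almost never reuses the challenger's y.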
Additional Attacks
We will look at additional attacks in one of the upcoming discussion sessions.