lecture 3.4: public key cryptography iv cs 436/636/736 spring 2013 nitesh saxena
TRANSCRIPT
Lecture 3.4: Public Key Cryptography IV
CS 436/636/736 Spring 2013
Nitesh Saxena
Course Administration
• HW1 due tomorrow at 11am• HW1 solution will be posted very soon• We will starting to grade it very soon
• No class next Tues (Feb 12)– I am at this conference, off campus:
http://thecenter.uab.edu/save-the-date/– Please utilize this time to prepare for HW2
Lecture 3.4: Public Key Cryptography IV
Outline of Today’s Lecture
• Discrete Logarithm System• El Gamal Encryption• Digital Signatures
Lecture 3.4: Public Key Cryptography IV
Discrete Logarithm Assumption• Work with a cyclic group G with generator g• Let |G| = m• G = {g0, g1, g2,…,gm-1}
• Given any y = gx in G (where x belongs to Zm), g and and m, it is not possible to compute x
• This is known as the DL assumption• Of course, x should be fairly large – at least
160-bits in length • This suggests that one can possibly use x as
the secret key, and y (and other parameters) as the public key
El Gamal Encryption -- KeyGen• p, q primes such that q|p-1• g is an element of order q and generates a group Gq of
order q – g = g’(p-1)/q (were g’ is the generator of Zp*)
• x in Zq, y = gx mod p• DL assumption -- given (p, q, g, y), it is computationally
hard to compute x– No polynomial time algorithm known– p should be 1024-bits and q be 160-bits
• x becomes the private key and y becomes the public key
ElGamal Encryption/Decryption
• Encryption (of m in Gq):– Choose random r in Zq
– k = gr mod p– c = myr mod p– Output (k,c)
• Decryption of (k,c)– M = ck-x mod p
• Secure under (a variant of) the discrete logarithm assumption
Lecture 3.4: Public Key Cryptography IV
ElGamal Example: dummy
• Let’s construct an example• KeyGen:
– p = 11, q = 2 or 5; let’s say q = 5– g’ = 2 is a generator of Z11*
– g = 22 = 4– x = 2; y = 42 mod 11 = 5
• Enc(3):– r = 4 k = 44 mod 11 = 3– c = 3*54 mod 11 = 5
• Dec(3,5):– m = 5*3-2 mod 11 = 3
Lecture 3.4: Public Key Cryptography IV
El Gamal Security
• Secure against CPA attacks assuming that discrete logarithm is hard
• Not secure against CCA attacks; why?– It is possible to massage the ciphertext in a
meaningful way– Given a ciphertext (k, c), compute k’ = kgr’and c’ =
cyr’ (r’ is picked by the adversary)– Query the decryption oracle on (k’,c’); it decrypts
and returns the response -- m
Lecture 3.4: Public Key Cryptography IV
CCA Security
• Like in the case of symmetric key encryption, we can derive CCA secure encryption using CPA secure encryption
• Just prevent any massaging of the ciphertext• Integrity protection mechanism is needed– But, now a public-key based mechanism is needed
• Digital signatures -- next
Lecture 3.4: Public Key Cryptography IV
Digital Signatures
• Message Integrity– Detect if message is tampered with while in the
transit
• Source/Sender Authentication– No forgery possible
• Non-repudiation– If I sign something, I can not deny later– A trusted third party (court) can resolve dispute
• Many applications – signed email, e-contracts, e-transactions…
Public Key Signatures
• Signer has public key, private key pair• Signer signs using its private key• Verifier verifies using public key of the signer
Lecture 3.4: Public Key Cryptography IV
Security Notion/Model for Signatures
• Existential Forgery under (adaptively) chosen message attack (CMA)– Adversary (adaptively) chooses messages mi of its
choice– Obtains the signature si on each mi
– Outputs any message m (≠ mi) and a signature s on m
Lecture 3.4: Public Key Cryptography IV
RSA Signatures
• Key Generation: same as in encryption• Sign(m): s = md mod N• Verify(m,s): (se == m mod N)
• The above text-book version is insecure; why?• In practice, we use a randomized version of
RSA (implemented in PKCS#1)– Hash the message and then sign the hash
Lecture 3.4: Public Key Cryptography IV
Digital Signature Standard (DSS)
• Adopted as standard in 1994• Security based on hardness of the discrete
logarithm problem
Lecture 3.4: Public Key Cryptography IV
DSS – KeyGen; Signing; Verification• KeyGen: the same way as El Gamal
– p, q primes such that q|p-1– g is an element of order q and generates a group Gq of order q
• g = g’(p-1)/q (were g’ is the generator of Zp*)
– x in Zq, y = gx mod p
• Sign: – Pick random r from Z*q
– k = (gr mod p) mod q; c = (m + xk)r-1 mod q– Output (k,c) and also the message m
• Verify: kc == gm.yk mod p
Lecture 3.4: Public Key Cryptography IV
DSS Example
• Refer to 11.57 of HAC
Lecture 3.4: Public Key Cryptography IV
Some Questions
• I encrypt m with Alice’s ElGamal PK, I get c– I encrypt m again, I get --?– What does this mean?
• Is RSA-OAEP CCA secure?• Is El Gamal CCA secure?
Lecture 3.4: Public Key Cryptography IV
Further Reading
• Stalling Chapter 10• HAC Chapter 8 and Chapter 11
Lecture 3.4: Public Key Cryptography IV