lecture 3.4: public key cryptography iv cs 436/636/736 spring 2013 nitesh saxena

Lecture 3.4: Public Key Cryptography IV

CS 436/636/736 Spring 2013

Nitesh Saxena

Course Administration

• HW1 due tomorrow at 11am• HW1 solution will be posted very soon• We will starting to grade it very soon

• No class next Tues (Feb 12)– I am at this conference, off campus:

http://thecenter.uab.edu/save-the-date/– Please utilize this time to prepare for HW2


http://thecenter.uab.edu/save-the-date/

Outline of Today’s Lecture

• Discrete Logarithm System• El Gamal Encryption• Digital Signatures


Discrete Logarithm Assumption• Work with a cyclic group G with generator g• Let |G| = m• G = {g0, g1, g2,…,gm-1}

• Given any y = gx in G (where x belongs to Zm), g and and m, it is not possible to compute x

• This is known as the DL assumption• Of course, x should be fairly large – at least

160-bits in length • This suggests that one can possibly use x as

the secret key, and y (and other parameters) as the public key

El Gamal Encryption -- KeyGen• p, q primes such that q|p-1• g is an element of order q and generates a group Gq of

order q – g = g’(p-1)/q (were g’ is the generator of Zp*)

• x in Zq, y = gx mod p• DL assumption -- given (p, q, g, y), it is computationally

hard to compute x– No polynomial time algorithm known– p should be 1024-bits and q be 160-bits

• x becomes the private key and y becomes the public key

ElGamal Encryption/Decryption

• Encryption (of m in Gq):– Choose random r in Zq

– k = gr mod p– c = myr mod p– Output (k,c)

• Decryption of (k,c)– M = ck-x mod p

• Secure under (a variant of) the discrete logarithm assumption


ElGamal Example: dummy

• Let’s construct an example• KeyGen:

– p = 11, q = 2 or 5; let’s say q = 5– g’ = 2 is a generator of Z11*

– g = 22 = 4– x = 2; y = 42 mod 11 = 5

• Enc(3):– r = 4 k = 44 mod 11 = 3– c = 3*54 mod 11 = 5

• Dec(3,5):– m = 5*3-2 mod 11 = 3


El Gamal Security

• Secure against CPA attacks assuming that discrete logarithm is hard

• Not secure against CCA attacks; why?– It is possible to massage the ciphertext in a

meaningful way– Given a ciphertext (k, c), compute k’ = kgr’and c’ =

cyr’ (r’ is picked by the adversary)– Query the decryption oracle on (k’,c’); it decrypts

and returns the response -- m


CCA Security

• Like in the case of symmetric key encryption, we can derive CCA secure encryption using CPA secure encryption

• Just prevent any massaging of the ciphertext• Integrity protection mechanism is needed– But, now a public-key based mechanism is needed

• Digital signatures -- next


Digital Signatures

• Message Integrity– Detect if message is tampered with while in the

transit

• Source/Sender Authentication– No forgery possible

• Non-repudiation– If I sign something, I can not deny later– A trusted third party (court) can resolve dispute

• Many applications – signed email, e-contracts, e-transactions…

Public Key Signatures

• Signer has public key, private key pair• Signer signs using its private key• Verifier verifies using public key of the signer


Security Notion/Model for Signatures

• Existential Forgery under (adaptively) chosen message attack (CMA)– Adversary (adaptively) chooses messages mi of its

choice– Obtains the signature si on each mi

– Outputs any message m (≠ mi) and a signature s on m


RSA Signatures

• Key Generation: same as in encryption• Sign(m): s = md mod N• Verify(m,s): (se == m mod N)

• The above text-book version is insecure; why?• In practice, we use a randomized version of

RSA (implemented in PKCS#1)– Hash the message and then sign the hash


Digital Signature Standard (DSS)

• Adopted as standard in 1994• Security based on hardness of the discrete

logarithm problem


DSS – KeyGen; Signing; Verification• KeyGen: the same way as El Gamal

– p, q primes such that q|p-1– g is an element of order q and generates a group Gq of order q

• g = g’(p-1)/q (were g’ is the generator of Zp*)

– x in Zq, y = gx mod p

• Sign: – Pick random r from Z*q

– k = (gr mod p) mod q; c = (m + xk)r-1 mod q– Output (k,c) and also the message m

• Verify: kc == gm.yk mod p


DSS Example

• Refer to 11.57 of HAC


Some Questions

• I encrypt m with Alice’s ElGamal PK, I get c– I encrypt m again, I get --?– What does this mean?

• Is RSA-OAEP CCA secure?• Is El Gamal CCA secure?


Further Reading

• Stalling Chapter 10• HAC Chapter 8 and Chapter 11


lecture 3.4: public key cryptography iv cs 436/636/736 spring 2013 nitesh saxena

Documents