
Unit 44, April 27, 2011: Semantic Security

Can we apply the ideas from the previous unit to public-key crypto? Suppose we are using RSA to encrypt messages. Let us assume(!) that computing m from c = E(m) = m^e % n is intractable. There are still problems using RSA:

1. Small message space: the attacker can perform a dictionary attack.

2. Hybrid encryption using RSA+AES. For Alice to encrypt message M and send it to Bob: choose a random AES key K ∈ B^128 and send ⟨RSA_Bob(K), AES_K(M)⟩. M can be obtained with 2^65 encryptions with probability .18.

© 2011 Clifford Bergman


What should we demand from a public-key system to be assured of some level of security?

A public-key system is semantically secure if there is no algorithm A with advantage greater than 2^-128 in the following game:
A: picks two plaintexts x1 ≠ x2.
You: pick i ∈ {1, 2} and compute y = E(x_i).
A: guesses the value of i.
Such an algorithm A is called a distinguisher.

Obviously no deterministic system can possibly be semantically secure. Obvious solution: add randomness to messages before encryption.

Recall El Gamal. Suppose p is prime and g is primitive mod p; a is the secret key and b = g^a % p is the public key.


E(m) = ⟨g^k, m·b^k⟩ = ⟨y, z⟩ for random k. Write (·/p) for the Legendre symbol; since g is primitive it is a nonresidue, so (g/p) = -1.

(y/p) = (g^k/p) = (-1)^k, so we can determine the parity of k.
(z/p) = (m/p)·(b/p)^k. Since we know (b/p) and the parity of k, we can determine (m/p).

If A picks x1 to be a quadratic residue and x2 a nonresidue, it can win the game. Thus this version of El Gamal is not semantically secure.

The concept of semantic security motivated the idea of probabilistic encryption. Both Goldwasser-Micali and Blum-Goldwasser are semantically secure assuming the quadratic residue problem is hard. A deterministic public-key system can be made semantically secure by (carefully!) employing random padding.
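As an added example that is not from the slides, the following Python plays the semantic-security game against textbook El Gamal over a constructed toy prime p = 1019 and implements the Legendre-symbol distinguisher above, alongside a coin-flip guesser for comparison. The prime, the factorization of p - 1, the helper names and the trial count are assumptions made for this demo, and the parameters are far too small for real use.

```python
import random

# Constructed toy parameters: p = 1019 is prime and p - 1 = 2 * 509, so g is a
# primitive root exactly when g^2 != 1 and g^509 != 1 (mod p).  Demo size only.
P = 1019
P_MINUS_1_FACTORS = (2, 509)


def legendre(a, p):
    """Legendre symbol (a/p) by Euler's criterion: a^((p-1)/2) is 1 for residues, p-1 otherwise."""
    v = pow(a % p, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def find_primitive_root(p, factors):
    """Smallest g whose order is p - 1, checked against the prime factors of p - 1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in factors):
            return g
    raise ValueError("no primitive root found")


G = find_primitive_root(P, P_MINUS_1_FACTORS)


def keygen(rng):
    a = rng.randrange(1, P - 1)          # secret key a
    return a, pow(G, a, P)               # public key b = g^a % p


def encrypt(b, m, rng):
    """Textbook El Gamal: E(m) = <g^k, m * b^k> for a fresh random k."""
    k = rng.randrange(1, P - 1)
    return pow(G, k, P), (m * pow(b, k, P)) % P


def decrypt(a, ct):
    y, z = ct
    return (z * pow(y, P - 1 - a, P)) % P   # y^(-a) = y^(p-1-a) because y^(p-1) = 1


# The distinguisher from the slides: x1 a quadratic residue, x2 a nonresidue.
def choose_plaintexts():
    return pow(G, 2, P), G       # g^2 is a residue; g is a nonresidue since (g/p) = -1


def legendre_guess(b, ct):
    y, z = ct
    k_parity = 0 if legendre(y, P) == 1 else 1           # (y/p) = (g/p)^k = (-1)^k
    leg_m = legendre(z, P) * legendre(b, P) ** k_parity  # (z/p) = (m/p)(b/p)^k, +-1 is self-inverse
    return 1 if leg_m == 1 else 2


def coin_flip_guess(rng):
    """Baseline guesser that ignores the ciphertext (assumed for comparison only)."""
    return lambda b, ct: rng.choice((1, 2))


def play_game(b, chooser, guesser, rng, trials=500):
    """Run the semantic-security game `trials` times; return the guesser's success rate."""
    wins = 0
    for _ in range(trials):
        x1, x2 = chooser()
        i = rng.choice((1, 2))
        ct = encrypt(b, x1 if i == 1 else x2, rng)
        wins += guesser(b, ct) == i
    return wins / trials


def demo(seed=1):
    rng = random.Random(seed)
    a, b = keygen(rng)
    roundtrip = decrypt(a, encrypt(b, 42, rng)) == 42
    legendre_rate = play_game(b, choose_plaintexts, legendre_guess, rng)
    coin_rate = play_game(b, choose_plaintexts, coin_flip_guess(rng), rng)
    return roundtrip, legendre_rate, coin_rate


if __name__ == "__main__":
    ok, legendre_rate, coin_rate = demo()
    print("decrypt(encrypt(42)) == 42:", ok)
    print("Legendre distinguisher success rate:", legendre_rate)  # 1.0
    print("coin-flip guesser success rate:", coin_rate)           # about 0.5
```

The distinguisher never fails because the Legendre symbol of the message leaks through ⟨y, z⟩ no matter which k was chosen; the randomness in k hides m itself, but not whether m is a quadratic residue.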


Example padding technique. E is a public-key cipher with block size k; H is a hash function with block size m. To encrypt x ∈ B^m: pick r ∈ B^k at random and set
E*(x) = ⟨E(r), H(r) ⊕ x⟩.
Decryption: D*⟨y1, y2⟩ = H(D(y1)) ⊕ y2.

Theorem: If inverting E is intractable then E* is semantically secure.

Proof. Suppose we have a ciphertext distinguisher A with advantage ε > 2^-128 for E*. We shall construct an algorithm D that inverts E with probability ε. We replace the hash function H with an algorithm 𝓗 with certain properties.


Definition of D. Input: a block y ∈ B^k. D tries to compute x with E(x) = y.
Use A to choose x1, x2 ∈ B^m.
Choose y2 ∈ B^m at random.
Call A⟨x1, x2, ⟨y, y2⟩⟩.
If A tries to compute 𝓗(r) with E(r) = y, then return r; else fail.

Definition of 𝓗. 𝓗 keeps track of the pairs (r, s) it creates. To compute 𝓗(r):
if E(r) = y then 𝓗(r) = y2 ⊕ x_j for j ∈_R {1, 2};
otherwise, choose 𝓗(r) = s at random.
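The padding scheme E*/D* and the reduction D with its simulated oracle 𝓗 (the example padding technique, the theorem, and the definitions of D and 𝓗 above), as an added Python example that is not part of the original slides. E is a constructed toy RSA key (two Mersenne primes, demo size only), H is SHA-256 truncated to m = 128 bits, and the distinguisher A is an assumed toy adversary that can only find r because the demo draws the challenge r from a small range; names such as `SimulatedOracle` and `invert_with_adversary` are mine.

```python
import hashlib
import random

# Constructed toy RSA instance standing in for the cipher E (block size k).
# n is a product of two Mersenne primes: far too small for real use (assumption: demo only).
P_RSA, Q_RSA = 2**31 - 1, 2**61 - 1
N = P_RSA * Q_RSA
E_EXP = 65537
D_EXP = pow(E_EXP, -1, (P_RSA - 1) * (Q_RSA - 1))
K_BYTES = (N.bit_length() + 7) // 8    # k, rounded up to whole bytes
M_BYTES = 16                            # m = 128: block size of H and of the plaintext x


def rsa_enc(r):                          # E(r) = r^e mod n
    return pow(r, E_EXP, N)


def rsa_dec(y):                          # D(y) = y^d mod n (trapdoor; only used by D*)
    return pow(y, D_EXP, N)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def H(r):
    """The real hash H, modelled as a random oracle: SHA-256 of r, truncated to m bytes."""
    return hashlib.sha256(r.to_bytes(K_BYTES, "big")).digest()[:M_BYTES]


def encrypt_star(x, rng, hash_fn=H):
    """E*(x) = <E(r), H(r) xor x> with a fresh random r for every encryption."""
    assert len(x) == M_BYTES
    r = rng.randrange(2, N - 1)
    return rsa_enc(r), xor(hash_fn(r), x)


def decrypt_star(ct, hash_fn=H):
    """D*<y1, y2> = H(D(y1)) xor y2."""
    y1, y2 = ct
    return xor(hash_fn(rsa_dec(y1)), y2)


class SimulatedOracle:
    """The slides' replacement for H.  Answers are random except at the one r with E(r) == y,
    where the answer is programmed to y2 xor x_j so the challenge looks like E*(x_j).
    Every (r, s) pair handed out is recorded, so repeated queries stay consistent."""

    def __init__(self, y, y2, x1, x2, rng):
        self.y, self.y2, self.x1, self.x2, self.rng = y, y2, x1, x2, rng
        self.table = {}
        self.preimage = None     # set as soon as some query r satisfies E(r) == y

    def query(self, r):
        if r not in self.table:
            if rsa_enc(r) == self.y:
                self.preimage = r
                s = xor(self.y2, self.rng.choice((self.x1, self.x2)))
            else:
                s = bytes(self.rng.getrandbits(8) for _ in range(M_BYTES))
            self.table[r] = s
        return self.table[r]


# Toy distinguisher A (assumption: the demo draws the challenge r from this small range,
# so A finds it by enumeration; a real A would need to invert E to get this far).
TOY_R_RANGE = range(2, 2**12)


def adversary_choose():
    return b"\x00" * M_BYTES, b"\xff" * M_BYTES


def adversary_guess(x1, x2, ct, oracle, rng):
    y1, y2 = ct
    for r in TOY_R_RANGE:
        if rsa_enc(r) == y1:
            return 1 if xor(oracle.query(r), y2) == x1 else 2
    return rng.choice((1, 2))


def invert_with_adversary(y, rng):
    """D from the slides: run A on <x1, x2, <y, y2>> with the simulated oracle and return
    the r that A was forced to query; None means D failed."""
    x1, x2 = adversary_choose()
    y2 = bytes(rng.getrandbits(8) for _ in range(M_BYTES))
    oracle = SimulatedOracle(y, y2, x1, x2, rng)
    adversary_guess(x1, x2, (y, y2), oracle, rng)
    return oracle.preimage


def demo(seed=7):
    rng = random.Random(seed)
    x = b"semantic-secure!"                                   # 16 bytes
    roundtrip = decrypt_star(encrypt_star(x, rng)) == x
    randomized = encrypt_star(x, rng) != encrypt_star(x, rng)  # same x, different ciphertexts
    recovered = invert_with_adversary(rsa_enc(3000), rng) == 3000
    return roundtrip, randomized, recovered


if __name__ == "__main__":
    print("round trip, randomized, D recovered r:", demo())
```

The point of the demonstration is that D never inverts E itself: it only records the (r, s) pairs 𝓗 hands out and watches for a query at the r with E(r) = y, which is exactly where the random-oracle assumption (A can learn nothing about H(r) without querying it) is used.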


What about this business of replacing H with 𝓗?! We are assuming that H is treated like a black box. We don't know how it works: stuff goes in and stuff comes out. That is, we treat H as a random oracle.

What demands are we making on the original cipher E? Given y with y = E(x), it should be impossible to compute x efficiently with probability greater than 2^-128.


E*(x) = ⟨E(r), H(r) ⊕ x⟩. Note that in this system the plaintext block is m bits and the ciphertext block is k + m bits.

If E = RSA and H = SHA1 then k = size of modulus = 1024 and m = 160.

There is a more sophisticated scheme called OAEP (Optimal Asymmetric Encryption Padding) that uses 128 bits of pad (current technology).
