Unit 44, April 27, 2011: Semantic Security

Can we apply the ideas from the previous unit to public-key crypto?

Suppose we are using RSA to encrypt messages. Let us assume(!) that computing m from c = E(m) = m^e % n is intractable.

There are still problems using RSA:

1. Small message space: the attacker can perform a dictionary attack

© 2011 Clifford Bergman

2. Hybrid encryption using RSA+AES

For Alice to encrypt message M and send it to Bob: choose a random AES key K ∈ B^128 and send ⟨RSA_Bob(K), AES_K(M)⟩. M can be obtained with 2^65 encryptions with probability .18


What should we demand from a public-key system to be assured of some level of security?

A public-key system is semantically secure if there is no algorithm A with advantage greater than 2^−128 in the following game:
A: picks two plaintexts x1 ≠ x2
You: pick i ∈ {1, 2} and compute y = E(x_i)
A: guesses the value of i.

Such an algorithm A is called a distinguisher


Obviously no deterministic system can possibly be semantically secure: A can encrypt x1 and x2 itself with the public key and compare the results with y.

Obvious solution: add randomness to messages before encryption

Recall El Gamal. Suppose p is prime and g is primitive mod p. a is the secret key, b = g^a % p is the public key.


E(m) = ⟨g^k, m·b^k⟩ = ⟨y, z⟩ (mod p) for k random

Write (a/p) for the Legendre symbol. Then (y/p) = (g^k/p) = (−1)^k, since a primitive root g is a nonresidue. So we can determine the parity of k.

(z/p) = (m/p) · (b^k/p)

Since we know (b/p) and the parity of k we can determine (m/p).

If A picks x1 to be a quadratic residue and x2 a nonresidue, it can win the game.

Thus this version of El Gamal is not semantically secure
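The Legendre-symbol distinguisher above, run inside the game from the definition of semantic security, as an added Python example that is not part of the original slides. The parameters p = 1019 (a safe prime, p = 2·509 + 1) and g = 2 are constructed toy values, and the names legendre, play_game, distinguisher_choose and distinguisher_guess are this example's own.

```python
import secrets

# Constructed toy parameters (not from the slides): p = 1019 is a safe prime
# (p = 2*509 + 1) and 2 is a primitive root mod p. Far too small for real use.
P, Q, G = 1019, 509, 2


def legendre(a, p):
    """Legendre symbol (a/p) by Euler's criterion, for p an odd prime not dividing a."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


# Sanity check: for a safe prime, g is primitive iff g^2 != 1 and g^q != 1 (mod p).
assert pow(G, 2, P) != 1 and pow(G, Q, P) != 1


def keygen(p, g):
    """Secret key a, public key b = g^a mod p."""
    a = secrets.randbelow(p - 2) + 1
    return a, pow(g, a, p)


def encrypt(p, g, b, m):
    """Textbook ElGamal: E(m) = <g^k, m*b^k> (mod p) for a random k."""
    k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), m * pow(b, k, p) % p


def distinguisher_choose(p):
    """A's move: x1 a quadratic residue, x2 a nonresidue (as on the slide)."""
    x1 = next(x for x in range(2, p) if legendre(x, p) == 1)
    x2 = next(x for x in range(2, p) if legendre(x, p) == -1)
    return x1, x2


def distinguisher_guess(p, b, x1, x2, ct):
    """A's guess, using only public information and the ciphertext.

    (y/p) = (g^k/p) = (-1)^k because a primitive root is a nonresidue, which
    leaks the parity of k. Then (z/p) = (m/p) * (b/p)^k with (b/p) public,
    so (m/p) follows, and it tells x1 (residue) from x2 (nonresidue).
    """
    y, z = ct
    parity_k = 0 if legendre(y, p) == 1 else 1
    bk_sym = legendre(b, p) ** parity_k          # (b^k/p) = (b/p)^k, a sign +-1
    m_sym = legendre(z, p) * bk_sym               # dividing by +-1 is multiplying
    return 1 if m_sym == legendre(x1, p) else 2


def play_game(p, g, rounds=200):
    """Play the semantic-security game `rounds` times; return A's success rate.

    An A with no information scores about 0.5; this one scores 1.0, so its
    advantage is 0.5, vastly more than 2^-128.
    """
    _a, b = keygen(p, g)
    wins = 0
    for _ in range(rounds):
        x1, x2 = distinguisher_choose(p)
        i = secrets.choice((1, 2))                # "You" pick i and encrypt x_i
        ct = encrypt(p, g, b, (x1, x2)[i - 1])
        if distinguisher_guess(p, b, x1, x2, ct) == i:
            wins += 1
    return wins / rounds


if __name__ == "__main__":
    print("distinguisher success rate:", play_game(P, G))   # 1.0
```

The distinguisher uses nothing but the public key and the ciphertext, so the secret key is never at risk; what leaks is one bit about the plaintext, which is exactly what the definition forbids. The remedy the slides go on to describe is to randomize and pad messages before they reach the underlying cipher.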


The concept of semantic security motivated the idea of . Both Goldwasser-Micali and Blum-Goldwasser are semantically secure assuming the quadratic residue problem is hard.

A deterministic public-key system can be made semantically secure by (carefully!) employing random padding.


Example padding technique

E is a public-key cipher with block size k. H is a hash function with block size m.

To encrypt x ∈ B^m: pick r ∈ B^k at random and set E*(x) = ⟨E(r), H(r) ⊕ x⟩.

D*⟨y1, y2⟩ = H(D(y1)) ⊕ y2


Theorem: If inverting E is intractable then E ∗ is semantically secure.

Proof. Suppose we have a ciphertext distinguisher A with advantage ε > 2^−128 for E*.

We shall construct an algorithm D that inverts E with probability ε.

We replace the hash function H with an algorithm H̃ with certain properties.


Definition of D. Input: a block y ∈ B^k. D tries to compute x with E(x) = y.

Use A to choose x1, x2 ∈ B^m.
Choose y2 ∈ B^m at random.
Call A(x1, x2, ⟨y, y2⟩).
If A tries to compute H̃(r) for some r with E(r) = y then return r, else fail.


Definition of H̃:

1. H̃ keeps track of the pairs (r, s) it creates.
2. To compute H̃(r): if E(r) = y then H̃(r) = y2 ⊕ x_j for j ∈_R {1, 2}; otherwise choose H̃(r) = s at random.
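The padded cipher E*/D* from the "Example padding technique" slide and the inverter D with its bookkeeping oracle H̃ from the proof, in one added Python example that is not part of the original slides. It uses a constructed toy textbook-RSA key (n = 61·53 = 3233, e = 17, d = 2753) in place of E and SHA-1 in place of H, so m = 160; the class and function names (E_star, D_star, invert_E, TrapdoorAdversary, LazyAdversary, h_tilde) are this example's own. A genuine distinguisher for E* would have to break E, so the adversary that makes the reduction fire here is a stand-in that cheats with the trapdoor d; the point shown is only D's mechanism, namely that a winning A must ask the oracle for H(r) at the r hidden in y1, and that query is what D catches.

```python
import hashlib
import secrets

# Constructed toy textbook-RSA key (n = 61 * 53): stands in for the cipher E.
# Hopelessly small in practice; it only has to make E, D and the reduction run.
N, E_EXP, D_EXP = 3233, 17, 2753
M_BITS = 160                       # m = output size of H = SHA-1
ALL_ONES = (1 << M_BITS) - 1


def E(r):
    """The deterministic public-key cipher E: textbook RSA encryption."""
    return pow(r, E_EXP, N)


def D(y):
    """Its inverse, using the private trapdoor d."""
    return pow(y, D_EXP, N)


def H(r):
    """H: SHA-1 of the block r, as a 160-bit integer."""
    return int.from_bytes(hashlib.sha1(r.to_bytes(2, "big")).digest(), "big")


def E_star(x):
    """E*(x) = <E(r), H(r) xor x> for a fresh random r; randomized, so the
    same x gives a different ciphertext on each call."""
    r = secrets.randbelow(N - 2) + 2
    return E(r), H(r) ^ x


def D_star(ct):
    """D*<y1, y2> = H(D(y1)) xor y2."""
    y1, y2 = ct
    return H(D(y1)) ^ y2


def roundtrip(x):
    """Check that decryption undoes encryption for the block x."""
    return D_star(E_star(x)) == x


class TrapdoorAdversary:
    """Stand-in for a distinguisher A that beats E*. It cheats with d so the
    reduction's bookkeeping can be observed; D only sees its oracle queries."""

    def choose(self):
        return 0, ALL_ONES                  # x1 = 00...0, x2 = 11...1

    def guess(self, x1, x2, ct, oracle):
        y1, y2 = ct
        r = D(y1)                           # cheat: invert E with the trapdoor
        return 1 if oracle(r) ^ y2 == x1 else 2


class LazyAdversary:
    """An A that never queries the oracle; D learns nothing from it."""

    def choose(self):
        return 0, ALL_ONES

    def guess(self, x1, x2, ct, oracle):
        return secrets.choice((1, 2))


def invert_E(y, adversary):
    """The slides' algorithm D: given y = E(r), recover r using A.

    H is replaced by the simulated oracle H~, which records the pairs (r, s)
    it hands out and watches every query for an r with E(r) = y.
    """
    x1, x2 = adversary.choose()
    y2 = secrets.randbits(M_BITS)
    table = {}
    found = []

    def h_tilde(r):
        if r in table:                      # consistent answers, like a real H
            return table[r]
        if E(r) == y:                       # A just handed us the preimage of y
            found.append(r)
            s = y2 ^ secrets.choice((x1, x2))   # make <y, y2> decrypt to some x_j
        else:
            s = secrets.randbits(M_BITS)    # otherwise a fresh random value
        table[r] = s
        return s

    adversary.guess(x1, x2, (y, y2), h_tilde)
    return found[0] if found else None


if __name__ == "__main__":
    x = secrets.randbits(M_BITS)
    print("round trip ok:", roundtrip(x))
    print("two encryptions differ:", E_star(x) != E_star(x))
    r = 1234
    print("D recovers r via the trapdoor adversary:", invert_E(E(r), TrapdoorAdversary()) == r)
    print("D fails with an adversary that never queries H:", invert_E(E(r), LazyAdversary()))
```

The two adversaries make the proof's dependence on the random-oracle view of H concrete: D succeeds exactly when A's computation passes through a query H̃(r) with E(r) = y, and an A that never consults the oracle gives D nothing, which is why the argument needs H to be a black box that A cannot evaluate on its own.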


What about this business of replacing H with H̃?!

We are assuming that H is treated like a black-box. We don’t know how it works. Stuff goes in and stuff comes out.

That is: we treat H as a random oracle.


What demands are we making on the original cipher E?

Given y with y = E(x) it should be impossible to compute x efficiently with probability greater than 2^−128.


E*(x) = ⟨E(r), H(r) ⊕ x⟩

Note that in this system the plaintext block is m bits and the ciphertext block is k + m bits.

If E = RSA and H = SHA-1 then k = size of modulus = 1024 and m = 160.

There is a more sophisticated scheme called OAEP (Optimal Asymmetric Encryption Padding) that uses 128 bits of pad (current technology).
