Review of Elementary Cryptography For more material, see my notes of CSE 5351, available on my webpage Outline • Security (CPA, CCA, semantic security, indistinguishability) • RSA • ElGamal • Homomorphic encryption 2 Two types of encryption schemes • Private-key encryption schemes Also called symmetric-key encryption schemes • Public-key encryption schemes Also called asymmetric-key encryption schemes • We are more interested in the latter. 3 Symmetric-key encryption scheme • Message space: M ⊆ {0,1}* . • Key generation algorithm G: On input 1nn , G(1 ) outputs a key kK← {0,1}nn . (= {0,1} ; and n is the security parameter.) • Encryption algorithm E : On input a key k and a plaintext m∈ M, E outputs a ciphertext c. We write c← Ekm(, ) or c← Emk ( ). • Decryption algorithm D : On input a key kc and a ciphertext , D outputs a message m. We write mDkcmDc:= ( , ) or := k ( ). • Correctness requirement: for each kK∈ and mM∈ , DEmkk( ()) = m . • GE, , probabilistic algorithms. D, deterministic. All poly-time. 4 Public-key encryption scheme • Key generation algorithm G: On input 1nn , G(1 ) outputs a pair of keys, ( pk, sk ) , each of length at least n. • Encryption algorithm E : On input a public key pk and a plaintext mM∈←pk , E outputs a ciphertext c. We write c Epk ( m ). (The message space may depend on pk.) • Decryption algorithm D : On input a secret key sk and a ciphertext cD, outputs a message m. We write m:= Dcsk ( ). • Correctness requirement: = ←= PrDEmsk( pkk ( )) m : mMp 1 except for a negligible portion of key pairs output by G(1n ). Symmetric vs. Asymmetric • Symmetric encryptions are much faster than asymmetric ones. – AES is typically 100 times faster than RSA encryption and 1000 times faster than RSA decryption. • Use asymmetric cipher to set up a session key and then use symmetric cipher to encrypt data. Security Issues What does it mean that an encryption scheme is secure (or insecure)? • Semantic security • Ciphertext-indistinguishability • Non-malleability Different types of attacks • Different types of attacks (classified by the amount of information available to the attacker): – Ciphertext-only attack (eavesdropper) – Known-plaintext attack – Chosen-plaintext attack (CPA) – Chosen-ciphertext attack (CCA) 8 Negligible functions • A nonegative function fN:→ R is said to be negligible if for every positive polynomial Pn( ), there is an integer n0 such that 1 fn( )<> for all n n (i.e., for sufficiently large n). Pn() 0 • Examples: 2−−nn , 2 , n −log n are negligible functions. • Negligible functions approach zero faster than the reciprocal of every polynomial. • We write negl(n ) to denote an unspecified negligible function. 9 Security Parameter • The security of an encryption scheme typically depends on its key length. Is RSA secure if N = 216, 512, or 1024? • In general, an encryption scheme is associated with an integer called its security parameter. (For now, you may think of it as key length.) • When we say that the probability Pr(λ ) of an encryption scheme being broken is negligible, it is w. r.t. the encryption scheme's security parameter λ. 10 Semantic Security (simplified) • A private-key encryption scheme (GED , , ) with sesutiry parameter n is semantically secure against an eavesdropper if for every probabilistic polynomial-time (PPT) algorithm A there exists a PPT A′ such that for all polynomial-time computable functions fh and : n n n =←← | P r A(1,Emk ( ) ,() hm) f () m: kG(1 ) , m{0, 1} n n ′ −= Pr Ah(1, (m)) fm( ) : m ←{0,1} | ≤ negl(n ). 11 Ciphertext-Indistinguishability • Adversary: a polynomial-time eavesdropper. • (GED , , ) : an encryption scheme with security parameter n. • Imagine a game played by Bob and Eve (adversary): n Eve is given input 1 and outputs a pair of messages mm01, of the same length. n Bob chooses a key k←← G(1 ) and mu { mm01 , }. He computes c← Emk ( ) and gives c to Eve. Eve tries to determine whether c is the encryption of mm01 or . • An encryption scheme is ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than 12. 12 • Definition: An encryption scheme is ciphertext-indistinguishable against eavesdroppers if for every PPT algorithm A and all mm01,∈ M , m01= m , it holds: n = ← ← n PrA (1 , mmEm01 , ,ku ( )) m : m{m01 , m }, kG(1 ) 1 ≤+negl(n ) 2 13 Equivalence of semantic security and ciphertext-indistinguishability • Theorem: Against an eavesdropper, an encryption scheme is semantically secure iff it is ciphertext-indistinguishable. • Theorem: Under CPA, CCA1 or CCA2, an encryption scheme is semantically secure if and only if it is ciphertext-indistinguisha.ble 14 Chosen-plaintext attacks (CPA) • Informally, we may describe CPA as follows: Given: (mc11 , ), ( mc 2 , 2 ), ……, ( mctt , ), where m1, m 2, , mt are chosen by the adversary; and a new ciphertext c. Q : what is the plaintext of c? • Adaptively-chosen-plaintext attack : mm12, , …, mt are chosen adaptively. • Now we describe CPA in terms of oracle. 15 Chosen-plaintext attacks (CPA) A CPA on an encryption scheme (GED , , ) is modeled as follows. 1. A key kG← (1n ) is generated. n 2. The adversary is given input 1 and oracle access to Ek . She may request the oracle to encrypt plaintexts of her choice. 3. The adversary chooses two message mm01, with m 0= m 1; and is given a challenge ciphertext c←← Emkb( ), where b u{0,1}. 4. The adversary continues to have oracle access and may request the encryptions of additional plaintexts of her choice, even mm01 and . 5. The adversary finally answers 0 or 1. Note: The CPA here actually refers to an adaptive CPA. 16 Ciphertext-indistinguishability against CPA • An encryption scheme (GED , , ) is IND-CPA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than 1 2. • Definition: an encryption scheme (GED , , ) is IND-CPA if for ever polynomial adversary A it holds that: Ek nn=←← | PrA( 1 , mmE01 , ,ku (mm )) : k G(1 ), m{ mm01 , }, mm01,←A M] | 1 ≤+ negl(n ) 2 17 Chosen-ciphertext attacks (CCA) • Informally we may describe CCA as follows: Given: (mc11 , ), ( mc 2 , 2 ), ……, ( mctt , ), where c1, c 2, , ct are chosen by the adversary; and a new ciphertext c. Q : what is the plaintext of c? • Adaptively-chosen-plaintext attack : cc12, , …, ct are chosen adaptively. • Now we describe CCA in terms of oracle. • We will allow a CCA adversary to also have CPA capability. (So, by CCA we mean CCA+CPA, rather than pure CCA.) 18 Chosen-ciphertext attacks (CCA) A CCA on an encryption scheme (GED , , ) is modeled as follows . 1. A key kG← (1n ) is generated. n 2. The adversary is given input 1 and oracle access to EDkk and . She may request the oracles to perform encryptions and/or decryptions for her. 3. The adversary chooses two message mm01, with m 0= m 1; and is given a challenge ciphertext c←← Emkb( ), where b u{0,1}. 4. The adversary continues to have oracle access to EDkk and , but is not allowed to request the decryption of c. 5. The adversary finally answers 0 or 1. 19 Ciphertext-indistinguishability against CCA • An encryption scheme (GED , , ) is IND-CCA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than 1 2. • Definition: an encryption scheme (GED , , ) is IND-CCA if for ever polynomial-time adversary A, it holds that: EDkk, nn=←← | PrA( 1 , mmE01 ,10 ,ku (mm )) : k G(1 ), m{ mm , }, mm01,←A M] | 1 ≤+ negl(n ) 2 20 CCA1 vs. CCA2 • The CCA described above is also called CCA2. • If in item #4 the adversary has no access to the decryption oracle, the CCA is called CCA1. 21 Non-malleability • An encryption scheme (GED , , ) is non-malleable if given a ciphertext c= Em( ), it is computationally infeasible for an adversary to produce a ciphertext c′ such that m′′= Dc( ) has some known relation with m. • RSA is malleable. • malleable⇒ not IND-CCA2. • Every homomorphic encryption scheme is malleable, and hence cannot be IND-CCA2. Highest security level possible for homomorphic encryption scheme: IND-CCA1. 22 Homomorphic Encryption RSA is homomorphic • RSA(mm12⋅= ) RSA( m1 ) ⋅ RSA( m 2 ) * where ⋅ is the multiplication in Znn (i.e., modulo ). • Easy to verify: e RSA(mm12⋅=⋅ ) ( mm 12) e RSA(mm11 ) = e RSA(mm22 ) = ee e RSA(m1 )⋅RSA(m2 ) =⋅=⋅ m 1 m 2( mm 12) Homomorphic encryption M : message space C : ciphertext space M : some binary operation in M C : some binary operation in C Definitin o : An encryption scheme is M -homomorphic if the encryption funcoti n E satisfies Epk ( m12MC m )= Epk () m 1 Emk () 2 for all keys pk and messages m12, m∈ M . Comm:ent doesn't work for probabilistic encryptions. ElGamal encryption is homomorphic • Em(12 ⋅← m ) Em ( 1 ) ⋅ Em ( 2 ), in the following sense: Em(12 )⋅ Em ( ) is a valid encryption of mm12. • Verification: kk11 k2 k 2 If Em(1 )= ( g , my1) and Em( 22 )= ( g , my ), then k1 kk 12 k 2 Em( 12)⋅=Em ( )( g , my 1) ⋅( g, my 2) kk12++kk12 = ( g , m12m y ) is a valid encryption of m12m . 26 Homomorphic encryption redefined M : message space C : ciphertext space M : some binary operation in M C : some binary operation in C Definition: An encryption scheme is M -homomorphic if the encryption function E satisfies m12MC m= Dsk( E pk () m1 Em () 2) for all messages mm12,∈ M and all encryption/decryption key pairs (pk , sk ). A generalized definition Definiti: on An encryption scheme is homomorphic w.r.t M if there is a polynomial time algorithm A such that m12 M mD= sk ( Apk ( Em(1 ), Em( 2 ))) for all messages mm12,∈ M and all encryption/decryption key pairs.