
Unit 44, April 27, 2011
© 2011 Clifford Bergman

Slide 1: Semantic Security

Can we apply the ideas from the previous unit to public-key crypto?

Suppose we are using RSA to encrypt messages. Let us assume(!) that computing $m$ from $c = E(m) = m^e \bmod n$ is intractable. There are still problems using RSA:

1. Small message space: the attacker can perform a dictionary attack.

Slide 2

2. Hybrid encryption using RSA+AES. For Alice to encrypt message $M$ and send it to Bob:
   choose a random AES key $K \in B^{128}$;
   send $\langle \mathrm{RSA}_{Bob}(K),\ \mathrm{AES}_K(M) \rangle$.
   $M$ can be obtained with $2^{65}$ encryptions with probability $.18$.

Slide 3

What should we demand from a public-key cryptosystem to be assured of some level of security?

A public-key system is semantically secure if there is no algorithm $A$ with advantage greater than $2^{-128}$ in the following game:

   $A$: pick two plaintexts $x_1 \neq x_2$.
   You: pick $i \in \{1, 2\}$ and compute $y = E(x_i)$.
   $A$: guesses the value of $i$.

Such an algorithm $A$ is called a ciphertext distinguisher.

Slide 4

Obviously no deterministic system can possibly be semantically secure.

Obvious solution: add randomness to messages before encryption.

Recall El Gamal. Suppose $p$ is prime and $g$ is primitive mod $p$. $a$ is the secret key, $b = g^a \bmod p$ is the public key.

Slide 5

$E(m) = \langle g^k,\ m b^k \rangle = \langle y, z \rangle$ for $k$ random.

$\left(\frac{y}{p}\right) = \left(\frac{g^k}{p}\right) = (-1)^k$

So we can determine the parity of $k$.

$\left(\frac{z}{p}\right) = \left(\frac{m}{p}\right) \cdot \left(\frac{b^k}{p}\right)$

Since we know $\left(\frac{b}{p}\right)$ and the parity of $k$, we can determine $\left(\frac{m}{p}\right)$.

If $A$ picks $x_1$ to be a quadratic residue and $x_2$ a nonresidue, it can win the game. Thus this version of El Gamal is not semantically secure.

Slide 6

The concept of semantic security motivated the idea of probabilistic encryption. Both Goldwasser-Micali and Blum-Goldwasser are semantically secure assuming the quadratic residue problem is hard.

A deterministic public-key system can be made semantically secure by (carefully!) employing random padding.

Slide 7: Example padding technique

$E$ is a public-key cipher with block size $k$; $H$ is a hash function with block size $m$.

To encrypt $x \in B^m$: pick $r \in B^k$ at random, and let

   $E^*(x) = \langle E(r),\ H(r) \oplus x \rangle$
   $D^*\langle y_1, y_2 \rangle = H(D(y_1)) \oplus y_2$

Slide 8

Theorem: If inverting $E$ is intractable then $E^*$ is semantically secure.

Proof. Suppose we have a ciphertext distinguisher $A$ with advantage $\varepsilon > 2^{-128}$ for $E^*$. We shall construct an algorithm $D$ that inverts $E$ with probability $\varepsilon$. We replace the hash function $H$ with an algorithm $H'$ with certain properties.

Slide 9: Definition of $D$

Input: a block $y \in B^k$. $D$ tries to compute $x$ with $E(x) = y$.

   Use $A$ to choose $x_1, x_2 \in B^m$.
   Choose $y_2 \in B^m$ at random.
   Call $A(x_1, x_2, \langle y, y_2 \rangle)$.
   If $A$ tries to compute $H'(r)$ and $E(r) = y$ then return $r$, else fail.

Slide 10: Definition of $H'$

1. $H'$ keeps track of the pairs $(r, s)$ it creates.
2. To compute $H'(r)$: if $E(r) = y$ then $H'(r) = y_2 \oplus x_j$ for $j \in_R \{1, 2\}$. Otherwise, choose $H'(r) = s$ at random.

Slide 11

What about this business of replacing $H$ with $H'$?!

We are assuming that $H$ is treated like a black box. We don't know how it works. Stuff goes in and stuff comes out. That is: we treat $H$ as a random oracle.

Slide 12

What demands are we making on the original cipher $E$? Given $y$ with $y = E(x)$ it should be impossible to compute $x$ efficiently with probability greater than $2^{-128}$.

Slide 13

$E^*(x) = \langle E(r),\ H(r) \oplus x \rangle$

Note that in this system, the plaintext block is $m$ bits and the ciphertext block is $k + m$ bits. If $E = $ RSA and $H = $ SHA1 then $k = $ size of modulus $= 1024$ and $m = 160$.

There is a more sophisticated scheme called OAEP (Optimal Asymmetric Encryption Padding) that uses 128 bits of pad (current technology).
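The Legendre-symbol distinguisher from slide 5, played out against textbook El Gamal, as an added example that is not part of the original slides. The prime $p = 2^{31}-1$, the factorization of $p-1$, the secret key and the trial count are constructed parameters chosen for the demo; the distinguisher itself is exactly the slide's argument, and it wins every round.

```python
import random

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def find_primitive_root(p, prime_factors):
    """Smallest g that is primitive mod p; prime_factors are the primes dividing p-1."""
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors))

def elgamal_encrypt(m, p, g, b, rng):
    """Textbook El Gamal: E(m) = <g^k, m*b^k mod p> for a random k."""
    k = rng.randrange(1, p - 1)
    return pow(g, k, p), (m * pow(b, k, p)) % p

def distinguish(y, z, p, b):
    """Recover (m/p) from <y, z> and the public key b, as on the slide:
    (y/p) = (g/p)^k = (-1)^k because g is primitive, which leaks the parity of k;
    (z/p) = (m/p) * (b/p)^k, so (m/p) = (z/p) * (b/p)^k."""
    k_parity = 0 if legendre(y, p) == 1 else 1
    return legendre(z, p) * legendre(b, p) ** k_parity

def play_game(p, g, a, trials, seed=1):
    """Run the semantic-security game `trials` times with A choosing x1 a quadratic
    residue and x2 a non-residue; return the fraction of rounds A guesses i correctly."""
    rng = random.Random(seed)
    b = pow(g, a, p)
    x1 = next(x for x in range(2, p) if legendre(x, p) == 1)
    x2 = next(x for x in range(2, p) if legendre(x, p) == -1)
    wins = 0
    for _ in range(trials):
        i = rng.choice((1, 2))
        y, z = elgamal_encrypt(x1 if i == 1 else x2, p, g, b, rng)
        guess = 1 if distinguish(y, z, p, b) == 1 else 2
        wins += guess == i
    return wins / trials

# Constructed parameters: p = 2^31 - 1 is prime and p - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331.
P = 2**31 - 1
G = find_primitive_root(P, [2, 3, 7, 11, 31, 151, 331])
A_SECRET = 123456789  # constructed secret key for the demo

if __name__ == "__main__":
    print("distinguisher success rate:", play_game(P, G, A_SECRET, 200))  # 1.0
```

The standard remedy is to work in the order-$(p-1)/2$ subgroup of quadratic residues (a generator of that subgroup and messages encoded as residues), so that every $y$ and $z$ is a residue and the Legendre symbol carries no information about $m$.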