| 1 | +\documentclass[psamsfonts]{amsart} |
| 2 | + |
| 3 | +%-------Packages--------- |
| 4 | +\usepackage{amssymb,amsfonts} |
| 5 | +\usepackage{enumerate} |
| 6 | +\usepackage[margin=1in]{geometry} |
| 7 | +\usepackage{amsthm} |
| 8 | +\usepackage{theorem} |
| 9 | +\usepackage{verbatim} |
| 10 | + |
| 11 | +\bibliographystyle{plain} |
| 12 | + |
| 13 | +\voffset = -10pt |
| 14 | +\headheight = 0pt |
| 15 | +\topmargin = -20pt |
| 16 | +\textheight = 690pt |
| 17 | + |
| 18 | +%--------Meta Data: Fill in your info------ |
| 19 | +\title{6.857 \\ |
| 20 | +Network and Computer Security \\ |
| 21 | +Lecture 15: ElGamal and RSA} |
| 22 | + |
| 23 | +\author{Lecturer: Ronald Rivest\\ |
| 24 | +Scribe: John Wang} |
| 25 | + |
| 26 | +\begin{document} |
| 27 | + |
| 28 | +\maketitle |
| 29 | + |
| 30 | +\section{ElGamal: Malleability and Homomorphisms} |
| 31 | + |
| 32 | +Recall that ElGamal works modulo $p$. We have $SK = x$ and $PK = g^x = y$. We encrypt a message by $Enc(m) = (g^k, m y^k)$ where $k$ is randomized. |
| 33 | + |
| 34 | +Unfortunately, ElGamal is malleable. If all you see is the ciphertext, is it hard for you to get an encryption of a related message? $Enc(2m) = (g^k, 2 (m y^k))$ so it's pretty easy to multiply by 2 and get a new ciphertext. |
| 35 | + |
| 36 | +It's even stronger than that though, we have homomorphic encryption. |
| 37 | + |
| 38 | +\subsection{El Gamal is Homomorphic} |
| 39 | + |
| 40 | +We have $c_1 = Enc(m_1) = (g^r, m_1 y^r)$ and a second cipher text $c_2 = Enc(m_2) = (g^s, m_2 y^s)$. We can obtain $c_1 c_2 = (g^{r+s}, (m_1 m_2) y^{r+s}) = Enc(m_1, m_2)$. |
| 41 | + |
| 42 | +Homomorphism could be wonderful or bad depending on what you want. For example, in CryptDB, a homomorphic encryption scheme is awesome. Computations can be done on the ciphertext which actually do operations on the underlying plaintext. |
| 43 | + |
| 44 | +To get a new encryption with a different secret key, pick some new secret key $t$ and compute $g^t$ and $y^t$. Then we can use $(g^t g^r, m_1 y^r y^t) = (g^{r+t}, m_1 y^{r+t})$ and this rerandomizes the ciphertet. |
| 45 | + |
| 46 | +For many applications, homomorphism is not what you want because you don't want the adversary to be able to change your inputs. |
| 47 | + |
| 48 | +\section{IND-CCA2 Security} |
| 49 | + |
| 50 | +Phase I: |
| 51 | +\begin{itemize} |
| 52 | + \item Examiner generates ($PK, SK$) using $Keygen(1^\lambda)$. |
| 53 | + \item Give the $PK$ to the adversary. |
| 54 | + \item Adversary gets time to compute in time polynomial in $\lambda$ which access to $Dec(SK, x)$ oracle. (This is a new ability where he gets access to the decryption box). |
| 55 | + \item Adversary outputs $m_0, m_1$ of the same length and notes $s$ which will be carried over to phase II. |
| 56 | +\end{itemize} |
| 57 | + |
| 58 | +Phase II: |
| 59 | +\begin{itemize} |
| 60 | + \item Examiner picks $b \leftarray \{0,1\}$ randomly and computes $c_* = Enc(PK, m_b)$ and sends $c_*$ to adversary. |
| 61 | + \item Adversary computes for time polynomial in $\lambda$ with access to $Dec(SK,*)$ except on $c_*$. Adversary outputs $\hat{b}$ (his guess for $b$) and wins if $\hat{b} = b$. |
| 62 | +\end{itemize} |
| 63 | + |
| 64 | +\emph{Definition:} PK enryption method is \emph{INDC-CCA2} secure (ACCA-secure) if $Prob(\text{Adv wins}) \leq \frac{1}{2} + \epsilon$ where $\epsilon = 2^{-\lambda}$. |
| 65 | + |
| 66 | +\subsection{El Gamal and IND-CCA2 Security} |
| 67 | + |
| 68 | +Let's say you have $c_* = (g^r, m_b y^r)$. You can make a new message $c_*' = (g^r, (2 m_b) y^r)$ and decrypt to get $2m$ as the message. You can therefore trivially get $m$. Thus, ElGamal is not IND-CCA2 secure. |
| 69 | + |
| 70 | +\section{Cramer Shoup} |
| 71 | + |
| 72 | +We have a group $G_q$ of size $q$ which is prime (this can be done by finding a safe prime $p$ and just deal with the group of quadratic residues modulo $p$). We'll have a keygen algorithm $g_1, g_2 \leftarrow G_q$ picked at random. We will have $SK = x_1, x_2, y_1, y_2, z \leftarrow Z_q$ picked at random. We set $c = g_1^{x_1} g_2^{x_2}$ and $d = g_1^{y_1} g_2^{y_2}$, as well as $h = g_1^{z}$. |
| 73 | + |
| 74 | +We will now have a public key $PK = (g_1, g_2, c, d, h)$. |
| 75 | + |
| 76 | +For encryption, we do $Enc(m)$: $r \leftarrow Z_q$ picked randomly, $u_1 = g_1^r$, $u_2 = g_2^r$, $e = h^r m$, $\alpha = H(u_1, u_2, e)$, $v = c^r d^{r \alpha}$. The ciphertext will be $c = (u_1, u_2, e, v)$. |
| 77 | + |
| 78 | +For decryption, we have $Dec(u_1, u_2, e, v)$: $\alpha = H(u_1, u_2, e)$ and does a check $u_1^{x_1 + y_1 \alpha} u_2^{x_2 + y_2 \alpha} = v$. If this check does not work, then we fail. Otherwise, we output our decrypted message $m = e/u_1^z$. |
| 79 | + |
| 80 | +Looking at the check: |
| 81 | +$u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = c^r$ |
| 82 | +$u_1^{y_1} u_2^{y_2} = d^r$ |
| 83 | +$u_1^{z} = g_1^{r z} = h^r$. |
| 84 | + |
| 85 | +\emph{Theorem:} Cramer-Shoup is IND-CCA2 secure. |
| 86 | + |
| 87 | +\section{RSA} |
| 88 | + |
| 89 | +\subsection{Public Key Scheme} |
| 90 | + |
| 91 | +The public key scheme is proposed as follows: |
| 92 | + |
| 93 | +$Keygen(1^\lambda) \to (PK, SK, \mathrm{M}, \mathrm{C})$ where $|\mathrm{M}| = |\mathrm{C}|$. $Enc(PK, .)$ is efficiently computable, deterministic map from $\mathrm{M}$ to $\mathrm{C}$. $c = Enc(PK, m)$ is a unique ciphertext for message $m$. |
| 94 | + |
| 95 | +$Dec(SK,.)$ is efficiently computable inverse: $Dec(SK, c) = Dec(SK, Enc(PK, m)) = m$. It should be infeasible to decrypt knowing only $PK$. |
| 96 | + |
| 97 | +\subsection{Keygen for RSA} |
| 98 | + |
| 99 | +Keygen: two large primes $p,q$ of length $\lambda$ bits. $n = pq$ and have $\phi(n) = |Z_n^*| = (p-1) (q-1)$. Key insight is that you don't know the size of the group $|Z_n^*|$. Randomly select $e \leftarrow Z_{\phi(n)}^*$ where $gcd(e, \phi(n)) = 1$. Now we set $d = e^{-1} \pmod{ \phi(n)}$ and we can run Euclid's algorithm to find $d$ quickly. |
| 100 | + |
| 101 | +$PK = (n,e)$ and $SK = (d, p, q)$. Now we have $\mathrm{M} = \mathrm{C} = Z_n$. |
| 102 | + |
| 103 | +\subsection{Encryption and Decryption} |
| 104 | + |
| 105 | +To encrypt, we just raise to a power. $Enc(PK,m) = c = m^e \pmod{n}$. You raise to the public exponent $e$. |
| 106 | + |
| 107 | +Decryption is similar. $Dec(SK, c) = c^d \pmod{n}$, execept you raise to the private exponent $d$. |
| 108 | + |
| 109 | +We assume the adversary cannot factor $n$, because if he could, he could repeat the keygeneration operations and compute $\phi(n)$. This allows him to compute the private exponent $d = e^{-1} \pmod{\phi(n)}$. Once the adversary knows $\phi(n)$, adversary has access to $SK$. |
| 110 | + |
| 111 | +\subsection{Proof of Correctness} |
| 112 | + |
| 113 | +Lemma (Chinese Remainder Theorem): Let $n = pq$. We have $x = y \pmod{n}$ if and only if $x = y \pmod{p}$ and $x = y \pmod{q}$. |
| 114 | + |
| 115 | +We know that $ed = 1 \pmod{\phi(n)}$ which means that $ed = 1 + t \phi(n) = 1 + t(p-1)(q-1)$ for some $t$. This implies that $ed = 1 \pmod{p-1}$. |
| 116 | + |
| 117 | +Correctness of RSA is just $(m^e)^d = m \pmod{n}$. By CRT, we only need to show that $(m^e)^d = m \pmod{p}$ and $(m^e)^d = m \pmod{q}$. We'll just argue the case of $p$ because the case of $q$ follows similarly. |
| 118 | + |
| 119 | +Case 1: $m = 0 \pmod{p}$. Then $(0^e)^d = 0 \pmod{p} = m \pmod{p}$ which works. |
| 120 | + |
| 121 | +Case 2: $m \neq 0 \pmod{p}$ and $m \in Z_p^*$. Then we know that $m^{p-1} = 1 \pmod{p}$. Thus, let $u = t(q-1)$ then we have $m^{ed} = m^{1 + u(p-1)} \pmod{p} = m (m^{p-1})^u = m 1 = m \pmod{p}$. This works. |
| 122 | + |
| 123 | +Therefore, we see that $m^{ed} = m \pmod{p}$ and $m^{ed} = m \pmod{q}$ for all $m$, which by CRT implies that for all $m$ we have $m^{ed} = m \pmod{n}$. |
| 124 | +\end{document} |
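Review bot: `\leftarray` on line 60 (`Examiner picks $b \leftarray \{0,1\}$`) is not a LaTeX control sequence, so this file does not compile; change it to `\leftarrow`, which is what lines 72 and 76 already use. Several content points belong in the same fix. On line 40 the product ciphertext is written as `Enc(m_1, m_2)`, but what was derived is $(g^{r+s}, (m_1 m_2) y^{r+s})$, an encryption of the product $m_1 m_2$ under randomness $r+s$, so it should read `Enc(m_1 m_2)`. On line 44 the value $t$ is fresh randomness, not "a new secret key" (neither $x$ nor $y$ changes), so the sentence should say the ciphertext is re-randomized into a fresh encryption of $m_1$ under the same public key, and "ciphertet" should be "ciphertext". On line 64 the bound $\epsilon = 2^{-\lambda}$ is stronger than the standard definition, which only requires the adversary's advantage $\epsilon$ to be negligible in $\lambda$; also "INDC-CCA2", "enryption" and "ACCA-secure" should read "IND-CCA2", "encryption" and, presumably, "CCA-secure". On line 68 it is worth stating that $2m_b$ is obtained by submitting $c_*'$ to the decryption oracle, which the game permits because $c_*' \neq c_*$, and that the adversary then compares the result with $2m_0$ and $2m_1$. On line 76 the ciphertext is named $c = (u_1, u_2, e, v)$ on the same line where $c$ is the public-key element used in $v = c^r d^{r \alpha}$; rename the ciphertext (for example $C$) to avoid the clash with line 72. Smaller items: lines 7 and 8 load both `amsthm` and `theorem`, which are not meant to be loaded together and neither of which is used in the file, so drop `theorem`; line 54 "which access" should be "with access"; line 107 "execept" should be "except"; the CRT lemma on line 113 needs $p \neq q$, so the keygen on line 99 should say the two primes are distinct. Since the RSA section follows the malleability discussion, a one-line remark that textbook RSA is malleable in the same way ($2^e \cdot c = (2m)^e \bmod n$, so an encryption of $2m$ is obtained from $c$ without the key) would connect the two halves of the notes.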