CS 6903 Modern Cryptography
April 23, 2009
Lecture 12: Asymmetric Key Encryption
Instructor: Nitesh Saxena
Scribe: Chang Liu, Wei Jiang

1 General

1.1 Review of Last Week
• Definitions of groups
• Number-theoretic problems/assumptions
  – DLP: $G = \{g^0, g^1, \ldots, g^{m-1}\}$, $x \leftarrow \mathbb{Z}_m$, $y \leftarrow g^x$.
    Given $g$ and $y$, it is hard to find $x$.
  – CDH: given $(g, g^x, g^y)$, it is hard to find $g^{xy}$.
  – DDH: given $(g, g^x, g^y, g^{xy} \text{ or } g^z)$, it is hard to tell $g^{xy}$ apart from $g^z$.
  – As hardness assumptions: $\text{DDH} \Rightarrow \text{CDH} \Rightarrow \text{DL}$, but $\text{DL} \not\Rightarrow \text{DDH}$.
2 RSA Problem/Assumption

$\mathbb{Z}_N^* = \{$ all elements of $\mathbb{Z}_N$ relatively prime to $N \}$.
Pick two prime numbers $p, q$ and set $N = pq$.
Order of $\mathbb{Z}_N^*$: $\varphi(N) = (p-1)(q-1)$.
Proof: $\{p, 2p, \ldots, qp\} \cup \{q, 2q, \ldots, (p-1)q\}$ are exactly the elements of $\mathbb{Z}_N$ that are not relatively prime to $N$ (the first set has $q$ elements, counting $qp \equiv 0$; the second has $p-1$).
So $|\mathbb{Z}_N^*| = pq - (q + p - 1) = (p-1)(q-1)$.
Pick a value $e$ relatively prime to $\varphi(N)$ and let $d = e^{-1} \bmod \varphi(N)$.
For $x \in \mathbb{Z}_N^*$, the RSA function is $y = x^e \bmod N$.
$\mathrm{Adv}^{\mathrm{RSA}}(A) = \Pr[\mathrm{Exp}^{\mathrm{RSA}}(A) = 1]$, where the experiment hands $A$ the values $(N, e, y)$ and outputs 1 if $A$ returns $x$.
If $\mathrm{Adv}^{\mathrm{RSA}}(A) \le \varepsilon$ (negligible) for every efficient $A$, then the RSA problem is said to be hard, or the RSA assumption is said to hold.
Example of RSA:
$N = 10 = 2 \cdot 5$ ($p = 2$, $q = 5$),
$\mathbb{Z}_N^* = \{1, 3, 7, 9\}$,
$\varphi(N) = (p-1)(q-1) = 4$,
$e = 3$, $d = e^{-1} \bmod \varphi(N) = 3$,
$x = 3$, $y = x^e \bmod N = 3^3 \bmod 10 = 7$,
$y^d \bmod N = 7^3 \bmod 10 = 3 = x$,
because
$d = e^{-1} \bmod \varphi(N)$, so $ed \equiv 1 \pmod{\varphi(N)}$, i.e. $ed = k\varphi(N) + 1$ for some integer $k$, and
$x^{ed} = x^{k\varphi(N)} \cdot x = (x^{\varphi(N)})^k \cdot x = x$, since $x^{\varphi(N)} = 1$ for every $x \in \mathbb{Z}_N^*$.
Reduction from factoring: an RSA adversary $B$ that runs a factoring adversary $A$ (and recomputes $d$ from $p, q$) has
$\mathrm{Adv}^{\mathrm{RSA}}(B) = \mathrm{Adv}^{\mathrm{FACT}}(A)$.
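The key generation, encryption and decryption just defined, the counting argument for $|\mathbb{Z}_N^*|$, and the factoring-to-RSA reduction, as an added Python example (not part of the original notes). It uses the notes' own parameters ($N = 10$, $e = 3$, $x = 3$) and a second constructed toy key ($p = 61$, $q = 53$, $e = 17$); all function names are chosen here. Caveat a practitioner should keep in mind: this textbook function $y = x^e \bmod N$ is deterministic, so by itself it cannot meet the IND-CPA notion of Section 3.1; deployed schemes add randomized padding before exponentiation.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modinv(e, n):
    """e^{-1} mod n; raises if gcd(e, n) != 1 (then no inverse exists)."""
    g, s, _ = egcd(e, n)
    if g != 1:
        raise ValueError("e is not invertible mod n")
    return s % n


def totient_by_counting(N):
    """Brute-force |Z_N^*| = #{a in Z_N : gcd(a, N) = 1}, to check (p-1)(q-1)."""
    return sum(1 for a in range(1, N) if gcd(a, N) == 1)


def rsa_keygen(p, q, e):
    """Textbook RSA KeyGen: N = pq, phi = (p-1)(q-1), d = e^{-1} mod phi."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(N)")
    d = modinv(e, phi)
    return (N, e), (N, d)          # (pk, sk)


def rsa_encrypt(pk, x):
    """y = x^e mod N for x in Z_N^* (deterministic; see the caveat above)."""
    N, e = pk
    if gcd(x, N) != 1:
        raise ValueError("x must lie in Z_N^*")
    return pow(x, e, N)


def rsa_decrypt(sk, y):
    """x = y^d mod N; correct because ed = k*phi(N) + 1 and x^phi(N) = 1."""
    N, d = sk
    return pow(y, d, N)


def invert_rsa_with_factors(N, e, y, p, q):
    """The reduction in the notes: an RSA adversary B given the factorization
    (from a factoring adversary A) recomputes d and recovers x from y."""
    if p * q != N:
        raise ValueError("p*q must equal N")
    d = modinv(e, (p - 1) * (q - 1))
    return pow(y, d, N)


if __name__ == "__main__":
    pk, sk = rsa_keygen(2, 5, 3)                 # the notes' example: N = 10
    y = rsa_encrypt(pk, 3)                        # 7
    print(pk, sk, y, rsa_decrypt(sk, y))          # (10, 3) (10, 3) 7 3
    pk2, sk2 = rsa_keygen(61, 53, 17)             # constructed toy key, N = 3233
    y2 = rsa_encrypt(pk2, 65)
    print(y2, invert_rsa_with_factors(3233, 17, y2, 61, 53))
```

The `totient_by_counting` helper is only there to confirm the $(p-1)(q-1)$ formula on small $N$; for realistic moduli the order of $\mathbb{Z}_N^*$ is computable only if the factors are known, which is exactly why the factoring reduction works in the direction shown.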
3 Public-Key/Asymmetric Key Encryption

Definition (Asymmetric key encryption)
• KeyGen: randomized algorithm that outputs $(sk, pk)$ (a secret key and a public key)
• Enc: $c \leftarrow \mathrm{Enc}_{pk}(m)$, output $c$ (randomized algorithm)
• Dec: $m \leftarrow \mathrm{Dec}_{sk}(c)$
3.1 Security Notions for AE

Passive: Key-Recovery $\Leftarrow$ One-Way $\Leftarrow$ IND
Active: IND-CPA, IND-CCA1, IND-CCA2.
These notions are very similar to what we studied for symmetric key encryption. The only difference is that the challenger first provides the adversary with the corresponding public key.
It is important to note that since the encryptor (the one who encrypts the message) has access to the public key of the intended recipient, it can compute ciphertexts on plaintexts of its choice. Thus, every public-key encryption scheme needs to be IND-CPA secure.
3.2 Construction of AE Schemes

El Gamal Encryption
$G = \{g^0, g^1, \ldots, g^{m-1}\}$
• KeyGen: $x \leftarrow \mathbb{Z}_m$, $y = g^x$ ($sk = x$, $pk = y$)
• Encryption: $r \leftarrow \mathbb{Z}_m$, $k = g^r$, $c = m \cdot y^r$, output $(k, c)$
• Dec: $m = c \cdot k^{-x}$, since $c \cdot k^{-x} = c \cdot (g^r)^{-x} = c \cdot (g^x)^{-r} = c \cdot y^{-r} = m$
Proposition: If DDH in $G$ is easy, then El Gamal is not IND-CPA.
Proof:
We take $G$ to be $\mathbb{Z}_p^*$, where we have already shown that DDH is easy: the parity of the exponent of any element $g^a$ can be read off from $(g^a)^{(p-1)/2}$. The adversary therefore learns the parity of $x$ from $y = g^x$ and the parity of $r$ from $k = g^r$, and hence the parity of $xr$, the exponent of $y^r$:

  x    | r    | xr
  -----+------+------
  even | even | even
  even | odd  | even
  odd  | even | even
  odd  | odd  | odd

According to the table above, we can break the IND-CPA notion: choosing $m_0$ and $m_1$ with exponents of different parity, the adversary recovers the parity of the exponent of $m_b$ from $c = m_b \cdot y^r$.
$\mathrm{Adv}^{\mathrm{DDH}}(B) = \Pr[\mathrm{Exp}^{\mathrm{DDH}-1}(B) = 1] - \Pr[\mathrm{Exp}^{\mathrm{DDH}-0}(B) = 1]$
$\quad = \Pr[\mathrm{Exp}^{\mathrm{DDH}-1}(A) = 1] - \Pr[\mathrm{Exp}^{\mathrm{DDH}-0}(A) = 1]$
$\quad = \mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{\mathrm{ElGamal}}(A)$
Groups where DDH is hard (recall $\text{DDH} \Rightarrow \text{CDH} \Rightarrow \text{DL}$)
We have previously shown that the DDH assumption does not hold in the group $\mathbb{Z}_p^*$, where $p$ is a prime. For this group, we can use the previously discussed trick to find the parity of the exponent $x$ of an element $g^x$ of a generator $g$. Now we will discuss some subgroups of $\mathbb{Z}_p^*$ in which the DDH assumption holds.
Example Group 1: If $g$ is a generator of $\mathbb{Z}_p^*$, we consider the subgroup
$G_{(p-1)/2} = \{x^2 : x \in \mathbb{Z}_p^*\}$.
DDH is assumed to be hard in the group $G$, because the known trick of discovering the exponent parity in $\mathbb{Z}_p^*$ does not work in $G$ (every element is $g^{2i}$, so every exponent has the same parity). One can easily show that $G$ is indeed a group. Note that the generator of this group is $g' = g^2$, where $g$ is the generator of $\mathbb{Z}_p^*$.
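The proposition above and Example Group 1, as one added Python example that is not part of the original notes: El Gamal over a constructed small prime ($p = 23$, generator $g = 5$ of $\mathbb{Z}_{23}^*$), the parity oracle $(g^a)^{(p-1)/2}$ (Euler's criterion), the adversary that follows the parity table, and the same adversary run against the subgroup of squares ($g' = g^2 = 2$, order 11), where it drops to a coin flip. Function names, the parameters and the sample messages are all chosen here; the point for a defender is that the group, not just the key size, decides whether El Gamal is IND-CPA.

```python
import random


def legendre(a, p):
    """Euler's criterion: +1 if a is a quadratic residue mod p, i.e. a = g^(even)
    for a generator g of Z_p^*; -1 for a non-residue (odd exponent). a != 0 mod p."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def elgamal_keygen(p, g, order, x=None):
    """sk = x in Z_order, pk = y = g^x. 'order' is the order of g:
    p-1 for a generator of Z_p^*, (p-1)/2 for the subgroup of squares."""
    if x is None:
        x = random.randrange(order)
    return x, pow(g, x, p)


def elgamal_encrypt(p, g, y, order, m, r=None):
    """Output (k, c) = (g^r, m * y^r) for fresh r in Z_order."""
    if r is None:
        r = random.randrange(order)
    return pow(g, r, p), (m * pow(y, r, p)) % p


def elgamal_decrypt(p, x, k, c):
    """m = c * k^{-x}; k^{-x} = k^{(p-1)-x} because k^{p-1} = 1 in Z_p^*."""
    return (c * pow(k, p - 1 - x, p)) % p


def parity_distinguisher(p, y, k, c, m0, m1):
    """IND-CPA adversary for G = Z_p^*: it chose m0 a residue and m1 a non-residue.
    It reads parity(x) from y and parity(r) from k, derives parity(xr) as in the
    table in the notes, then uses multiplicativity of the Legendre symbol on
    c = m_b * y^r:  L(c) = L(m_b) * L(y^r)."""
    x_even = legendre(y, p) == 1
    r_even = legendre(k, p) == 1
    yr_is_residue = x_even or r_even          # xr is even iff x or r is even
    mb_is_residue = (legendre(c, p) == 1) == yr_is_residue
    return 0 if mb_is_residue else 1


def attack_success_rate(p, g, order, m0, m1):
    """Fraction of all (x, r, b) triples on which the distinguisher guesses b right."""
    correct = total = 0
    for x in range(order):
        _, y = elgamal_keygen(p, g, order, x)
        for r in range(order):
            for b, m in ((0, m0), (1, m1)):
                k, c = elgamal_encrypt(p, g, y, order, m, r)
                correct += parity_distinguisher(p, y, k, c, m0, m1) == b
                total += 1
    return correct / total


if __name__ == "__main__":
    # constructed parameters: p = 23, g = 5 generates Z_23^* (order 22);
    # m0 = 4 = 5^2 is a residue, m1 = 5 is not
    print(attack_success_rate(23, 5, 22, m0=4, m1=5))   # 1.0: every guess right
    # Example Group 1: squares, generator g' = g^2 = 2 of order 11;
    # messages must be encoded into G, here m0 = 4, m1 = 9
    print(attack_success_rate(23, 2, 11, m0=4, m1=9))   # 0.5: no better than guessing
```

In the subgroup of squares every $y$, $k$ and $c$ is a residue, so `legendre` returns $+1$ on all of them and the distinguisher's output no longer depends on $b$; the check `attack_success_rate` makes this visible by enumerating every key and every coin, which is feasible only because the constructed prime is tiny.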
Example Group 2: Once again we consider a subgroup of $\mathbb{Z}_p^*$. This time, we assume that some other prime $q$ is known such that $p - 1 = kq$ for a constant $k$ (i.e., $q$ divides $p - 1$). Now we consider the following group:
$G_q = \{x^{(p-1)/q} : x \in \mathbb{Z}_p^*\} = \{x^k : x \in \mathbb{Z}_p^*\}$.
We see that $(g^{(p-1)/q})^q = (g^k)^q = g^{kq} = g^{p-1} = 1 = g^0$, therefore this group is closed and has order $q$. The generator of this group is $g' = g^{(p-1)/q}$, where $g$ is the generator of $\mathbb{Z}_p^*$. Once again, this group is assumed to satisfy the DDH property, as the trick to figure out the parity of the exponent of a number belonging to this group will not work. Given $g^{ik}$, we can figure out the parity of $ik$, but not of $i$.
$\big((g^i)^{(p-1)/q}\big)^{(p-1)/2} = (g^{ik})^{(p-1)/2}$, which reveals only the parity of $ik$:

  i    | k    | ik
  -----+------+------
  even | even | even
  even | odd  | even
  odd  | even | even
  odd  | odd  | odd
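Example Group 2 worked through in code, as an added Python example that is not part of the original notes: build $g' = g^{(p-1)/q}$ for a constructed prime $p = 31$ (generator $g = 3$) and a prime $q \mid p - 1$, verify that the subgroup is closed and has order exactly $q$, and check row by row that the parity trick applied to $g'^{\,i} = g^{ik}$ returns $(-1)^{ik}$ and nothing finer. Both $q = 5$ (so $k = 6$ is even and every element is a square) and $q = 2$ (so $k = 15$ is odd, the bottom two rows of the table) are exercised; names and parameters are chosen here.

```python
def legendre(a, p):
    """Euler's criterion: +1 for a quadratic residue (even exponent w.r.t. a
    generator of Z_p^*), -1 for a non-residue (odd exponent); a != 0 mod p."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def prime_order_subgroup(p, q, g):
    """Return (g', k) with g' = g^{(p-1)/q} = g^k of order exactly q in Z_p^*.
    q is assumed prime, so g' != 1 together with g'^q = 1 pins the order to q."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p-1")
    k = (p - 1) // q
    g_prime = pow(g, k, p)
    if g_prime == 1:                       # g's order divides k: g is not a generator
        raise ValueError("g^k is the identity; g does not generate Z_p^*")
    if pow(g_prime, q, p) != 1:            # cannot happen for a generator, kept as a guard
        raise ValueError("g' does not have order dividing q")
    return g_prime, k


def subgroup_elements(p, q, g_prime):
    """Enumerate G_q = {g'^i : 0 <= i < q} and check closure under multiplication."""
    elems = [pow(g_prime, i, p) for i in range(q)]
    s = set(elems)
    if len(s) != q:
        raise ValueError("g' has order smaller than q")
    if not all((a * b) % p in s for a in s for b in s):
        raise ValueError("set is not closed under multiplication mod p")
    return elems


def exponent_parity_leak(p, q, g):
    """For every g'^i = g^{ik}: the parity trick (legendre) yields exactly (-1)^{ik},
    i.e. the parity of ik, which for even k is always +1 and says nothing about i."""
    g_prime, k = prime_order_subgroup(p, q, g)
    return all(legendre(pow(g_prime, i, p), p) == (-1) ** (i * k) for i in range(q))


if __name__ == "__main__":
    # constructed parameters: p = 31, g = 3 generates Z_31^*, p - 1 = 30 = 6 * 5
    g5, k5 = prime_order_subgroup(31, 5, 3)          # (16, 6)
    print(g5, k5, subgroup_elements(31, 5, g5))      # 16 6 [1, 16, 8, 4, 2]
    print(exponent_parity_leak(31, 5, 3))            # True, all residues since k even
    print(prime_order_subgroup(31, 2, 3))            # (30, 15): the order-2 subgroup {1, 30}
```

Note that for an odd prime $q$ the cofactor $k = (p-1)/q$ is necessarily even (because $p - 1$ is even), so in that case every element of $G_q$ is a square and the trick returns $+1$ everywhere; the "$k$ odd" rows of the table occur only for $q = 2$, where the subgroup is $\{1, -1\}$.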