斯坦福 密码学 I 学习笔记7：Lecture 6 Public-Encryption

本系列为斯坦福 Dan Boneh教授的"密码学 I"的学习笔记
课程网址: http://www.coursera.org/lecture/crypto/course-overview-lboqg

---

内容在CSDN、知乎和微信公众号同步更新

• CSDN博客
• 知乎
• 微信公众号

• Markdown源文件暂未开源，如有需要可联系邮箱
• 笔记难免存在问题，欢迎联系邮箱指正

---

课程完整目录如下

• 课程大纲
• 0 Introduction
• 1 Stream Ciphers
• 2 Block Ciphers
• 3 Message Integrity
• 4 Authenticated Encryption
• 5 Basic Key Exchange
• 6 Public-Encryption

本文为其中Chapter 6 Public-Encryption 的内容，包括：

---

6 Public-Encryption

6.1 Public Key Encryption from Trapdoor Permutations

Trapdoor Permutations 陷门置换

This chapter:

• constuct a number of secure public key encryption schemes

6.1.1 Definitions and Security

首先：

• 定义what is public key encryption
• 以及the security of public key!

Public key encryption

• Bob
  • generates (Pk, SK) and gives PK to Alice
• Pk and SK:
  • key pair

Applicaions

公钥加密 (public key encryption)两大应用：

• Session setup
• non-interact encryption

此外, public key 还可以用于认证

• Session setup
  • 建立会话密钥x
  • for now, 只讲了only eavestrdopping security

• Non-interactive applications:
  • e.g., Email
    • 通信双方无法即时通信
    • 无法establish session key
  • Note: Bob needs $p{k}_{alice}$
    • 通过public key management实现

Public key encryption

• Def: a public-key encryption system is a triple of algs (G,E,D)
  • G(): randomized alg. outputs a key pair (pk, sk)
  • E(pk, m): randomized alg. that taks $m\in M$
    • outputs $c\in C$
  • D(sk,c): det. alg. that takes $c\in C$ and outputs $m\in M$ or $\perp$
• Consistency:
  • $\forall (pk,sk)$ output by G:
    • $\forall m\in M$: D(sk, E(pk, m)) = m

Semantci Security (as a quick review)

• For b = 0,1 define experiments EXP(0) and EXP(1) as:
  • 1st: the challenger run the key generation alg.
  • 2nd: the challenger send pk to the adv.
    • and keep the sk to himself
  • 3rd: the adv output two equal length messages: $m_0$ and $m_1$
  • 4th: the challenger 任选$m_0$ / $m_1$之一进行加密，并返回$c\leftarrow E(pk,m_b)$
  • 5th: the adv. 猜测b的值，若猜对则攻击成功
• Semantic security definition:
  • 目标：攻击者无法区分到底是实验0还是实验1，即输出0和输出1的概率是相等：
  • Def: E= (G,E,D) is sem. secure (a.k.a IND-CPA)
    • INDistinguishability under Chosen Plaintext Attack
  • if for all efficient A:
    • $Ad{v}_{SS}[A,E]=|Pr[EXP(0)=1]-Pr[EXP(1)=1]|<negligible$
• 注意：
  1. 对于public encryption, 没有必要突出“选择明文攻击”
     • The adv. 根据pk可自行Encryption， 因为没有区分"选择明文"攻击
  2. 该定义仅适用于概率性加密方案，即仅根据E和pk无法得到唯一的encryption + 敌手必须是多项式时间
     • 否则敌手就可以计算出encryption再进行比较
     • (来自杨波老师现代密码学第四版):

Relation to symmetric cipher security

• Recall: for symmetric ciphers we had two security notions:

  • One-time securityand many-time security
    • One-time security: Key used once
    • many-time security: Key used many times
  • We showed that one-time security 弱于 many-time security

• For public key encryption

  • One-time security 和 many-time security (CPA) 等价！！
    • follows from the fact that attacker can decrypt by himself!
    • adv.能够自行使用pk加密任意多的消息！

• 结论：

  • public key 本质上 inherently 就是和加密many messages using one given public key!
    • 不需要经常更换密钥

Security against active attacks

主动攻击

• CCA Security!
• Authenticated Encryption!

• What if attacker can tampler with ciphertext?
  • 一个gmail的例子
  • attacker通过更改header 实现攻击

• 如何抵御主动攻击？
  • 首先要引入CCA的definition

(pub-key) Chosen Ciphertext Security: definition

• E = (G,E,D) public-key enc. over (M,C)

• For b = 0,1 define EXP(b)

  • 1st: 定义exp 0 和 exp 1
  • 2nd: Chal. generates (pk,sk)
  • 3rd: send pk to the adv.
  • 4th: CCA phase 1:
  • 5th: Adv. 选择挑战消息 $m_0$ 和 $m_1$, 发给 challenger
  • 6th: 挑战者返回某实验下的c
  • 7th: adv. 再次选择一个密文，该密文只要和6th中的c不同即可
    • 并得到相应的明文
  • 最后，adv. 根据以上所有的信息去判断b, 只要能判断出b, 就不安全

• 整个过程：

  • T**he adv. 能够获得任何ciphertext的decryption**
    • 除了 challenge ciphertext c
  • 即便Adv. 获得这么多解密的消息
    • 它也无法判断challenge plaintext 到底是 $$m_1$ 还是 $m_0$
  • 所以其实是一个非常保守的定义
    • 比上一页定义的攻击更加保守！

• Def: E is CCA secure (a.k.a IND-CCA) if for all efficient A:

  • $Ad{v}_{CCA}[A,E]=|Pr[EXP(0)=1]-Pr[EXP(1)=1]|isnegligible$

• Example:

  • 刚刚gmali攻击的例子
  • Suppose (to: Alice, body) $\to$ (to: charlie, body)
  • 被攻击的本质原因：
    • The adv. 拥有完成从 E(to:alice, b) 到 E(to:charlie, b)的能力！

• 可见， Adv.能够轻易地从CCA phase 2中获得b

Public-key CCA security的神奇之处：

• 即便the attacker有能力decrypt除了challenge ciphertext外的任何密文，它也就是没办法decrypt challenge ciphertext!

This and next module:

• Constructing CCA secure pub-key systems
  • 每次不是CCA secure 的public key systems都会出现安全问题

6.1.2 Constructions

Last segment:

• What a pubic key encryption system is
• What it means for a public key encrypion system to be secure
  • defined CCA security

This segment:

• start by constructing public key encryptions from trapdoor permutation
  

Trapdoor functions (TDF)

• Def: a trapdoor func. $X\to Y$ is a triple of efficient algs. (G, F, $F^{-1}$)

  • G(): randomized alg. outputs a key pair (pk,sk)
    • 产生密钥对
  • F(pk, $\cdot$): det. alg. that defines a function $X\to Y$
  • $F^{-1}(sk,\cdot )$: defines a function $Y\to X$ that inverts $F(pk,\cdot )$

• More precisely:

  • $\forall$ (pk,sk) output by G
    • $\forall x\in X$: $F^{-1}(sk,F(pk,x))=x$
  • 如下图所示

Secure Trapdoor Functions (TDFs)

• (G,F, $F^{-1}$) is secure if $F(pk,\cdot )$ is a “one-way” function:
  • can be evaluated, but cannot be inverted without sk!

• Def: (G, F, $F^{-1}$) is a secure TDF if for all efficient A:
  • $Ad{v}_{OW}[A,F]=Pr[x=x^{\prime }]$ < negligible
• 无sk, 无法求逆

Public-key encryption from TDFs

• 构建Public-key encryption system 需要的工具：

  • (G,F,$F^{-1}$): secure TDF $X\to Y$
  • $(E_s,D_s)$: symmetric auth. encryption defined over $(K,M,C)$
  • H: $X\to K$: a hash function

• We construct a pub-key enc. system (G,E,D):

  • Part1: Key generation G
    • same as G for TDF
    • 得到了key pair: (pk, sk)
  • Part2: Encryption:
    • E(pk,m):
      • $x{\leftarrow }^{R}X$
      • $y\leftarrow F(pk,x)$
      • $k\leftarrow H(x)$
      • $x\leftarrow E_s(k,m)$
      • output (y,c)
  • Part3: Decryption
    • D(sk, ciphertext) = D(sk, (y,c))
    • $x\leftarrow F^{-1}(sk,y)$
    • $k\leftarrow H(x)$
    • $m\leftarrow D_s(k,c)$
    • output m

• In pictures:

• Security Theorem:
  • If (G,F, $F^{-1}$) is a secure TDF
    • $(E_s,D_s)$ provides auth. enc.
  • and $H:X\to K$ is a “random oracle”
    • oracle 预告，甲骨文
    • 意味着H是从X到K的随机映射
      • 如SHA-256
  • then (G,E,D) is $CC{A}^{ro}$ secure
    • ro: denote the fact that security is set in random oracle model
• There is an ISO standard that defines this mode of encryption!
  • 这种加密体制是一个标准 fine to use

Incorrect use of a Trapdoor Function (TDF)

• Never encrypt by applying F directly to plaintext!
  • 直接使用F 进行加密是错误的！！！！
    • 例如直接使用RSA进行加密是错误的！
  • 即 E(pk,m): output $c\leftarrow F(pk,m)$
    • D(sk,c): output $F^{-1}(sk,c)$
• Problems:
  • Deterministic: cannot be semantically secure!
    • 杨波老师现代密码学中说的是determinsitic public key encryption不可能是语义安全的！
    • 从CPA game中即可得到
  • Many attacks exist! (next segment!)
• Lesson:
  • we should use public key encryption system like the ISO standard
  • 而不是直接用TDF进行加密！！

现在：

• 了解了public key encryption system的构造

下面：

• 真正建立系统
• 以及介绍可能的attacks

6.2 Public Key Encryption from Trapdoor Permutations: RSA

6.2.1 The RSA Trapdoor Permutation

This segment:

• build a classic trapdoor function: RSA

Review: Trapdoor permutations

• Def: a trapdoor func. $X\to Y$ is a triple of efficient algs. (G, F, $F^{-1}$)

  • G(): randomized alg. outputs a key pair (pk,sk)
    • 产生密钥对
  • F(pk, x): det. alg. that defines a function $X\to X$
    • Permutation: 所以是$X\to X$
  • $F^{-1}(sk,y)$: inverts the function at y using sk

• Secure trapdoor permutation:

  • The function $F(pk,\cdot )$ is one-way without the trapdoor sk

Review: arithmetic mod composites

• Notation:
  • Let N = $p\cdot q$, where p, q are prime
    • 意味着p, q $\approx$ $\sqrt{N}$
  • ${\mathcal{Z}}_N=0,1,2,...,N-1$;
  • ${\mathcal{Z}}_N^{\ast }$ = {invertible elements in ${\mathcal{Z}}_N$}
• Facts:
  • $x\in$ ${\mathcal{Z}}_N$ is invertible $\leftrightarrow$ gcd(x,N) = 1
  • number of elements in ${\mathcal{Z}}_N^{\ast }$ is $\varphi (N)$ = (p-1)(q-1) = N-p - q +1
    • 当N很大时， $\varphi (N)$与N非常接近
    • 意味着从0~N随机选一个数，属于 ${\mathcal{Z}}_N^{\ast }$的概率非常大！
• Euler’s thm:
  • $\forall x\in$ (${\mathcal{Z}}_N^{\ast }$): $x^{\varphi (N)}=1$

The RSA trapdoor permutation

• First published:

  • Scientific American, Aug. 1977
  • RSA: Rivest, Shamir, and Adleman
  • From MIT

• 应用极广 very widely used:

  • SSL/TLS: certificates and key-exchange
  • Secure e-mail and file systems
    • many others

• 由3部分组成: G, F, $F^{-1}$

---

• G():
  • choose random primes
    • p,q $\approx$ 1024 bits
    • Set N = pq
  • Choose integers:
    • e,d
    • 满足ed = 1 mod ($\varphi (N)$)
  • output:
    • pk = (N,e)
      • e: encryption component
    • sk = (N,d)
      • d: decryption component

---

• F(pk,x):
  • ${\mathcal{Z}}_N^{\ast }\to {\mathcal{Z}}_N^{\ast }$
  • RSA(x) = $x^e$ (in ${\mathcal{Z}}_N$)

---

• $F^{-1}$
  • $F^{-1}(sk,y)=y^d$
  • $y^d$ = RSA(x)${}^d$ = $x^{ed}$ = $x^{k\varphi (N)}+1$ = ($x\varphi (N)$)${}^k$ $\cdot x$ = x (in ${\mathcal{Z}}_N$)
    • 原因：
      • ed = 1 mod ($\varphi (N)$)；
      • 欧拉theorem

The RSA assumption

• RSA assumption:

  • RSA is one-way permutation

• For all efficient alg. A:

  • $Pr[A(N,e,y)=y^{1/e}]$ < negligible
    • 即d (private key)未知时无法decryption
  • where p,q ${\leftarrow }^R$ n-bit primes
    • N $\leftarrow$ pq
    • $y \leftarrow ^R $ ${\mathcal{Z}}_N^{\ast }$

Review: RSA pub-key encryption

• 构建Public-key encryption system 需要的工具：

  • (G,F,$F^{-1}$): secure TDF $X\to Y$
  • $(E_s,D_s)$: symmetric auth. encryption defined over $(K,M,C)$
  • H: $X\to K$: a hash function

• We construct a pub-key enc. system (G,E,D):

  • Part1: Key generation G
    • generate RSA params
    • pk = (N,e), sk = (N,d)
  • Part2: Encryption:
    • (1) choose random x in $Z_N$
    • (2) $y\leftarrow RSA(x)=x^e$, $k\leftarrow H(x)$
    • (3) output (y,$E_s(k,m)$)
  • Part3: Decryption
    • D(sk, (y,c)):
      • output $D_s(H(RS{A}^{-1}(y0)),c)$

Textbook RSA is insecure

警告： RSA不能直接用来作为加密框架！

• Textbook RSA encryption:
  • public key: (N,e); secret key (N,d)
  • Encryption: c $\leftarrow m^e$ (in ${\mathcal{Z}}_N$)
  • Decryption: $c^d\to m$
• Insecure cryptosystem!!!
  • is not semantically secure and many attacks exist!
• $\Rightarrow$ The RSA trapdoor permutation is not an encryption scheme!
  • 仅仅是一个trapdoor permutation
  • 很多教科书没有区分RSA加密框架和RSA陷门置换！！
  • 实际上绝对不能用RSA陷门置换直接加密！！(如下例$\downarrow$)

A simple attack on textbook RSA

• Web browser 和 Web Server通过RSA对一个session key进行加密交换

• 直接使用RSA加密会不安全！

  • suppose k is 64 bits: $k\in$ {0,1,2, …, $2^{64}$}
    • 转换为一个integer
  • Eve sees: $c=k^e$ is ${\mathcal{Z}}_N$
  • 攻击方法：
    • If $k=k_1\cdot k_2$ where $k_1,k_2<2^{34}$ (概率约为20%)
      • then $c/k_1^e=k_2^e$ in ${\mathcal{Z}}_N$
    • Meet in the middle attack 中间相遇攻击
      • Step 1: build table: $c/1^e$, $c/2^e$, $c/3^e$, … ,$c/(2^{34}{)}^e$.
        • time: $2^{34}$
      • step 2: for $k_2=0,...,2^{34}$, test if $k_2^e$ is in table:
        • time: $2^{34}$
    • Output matching $(k_1,k_2)$
  • Total attack time:
    • $\approx 2^{40}<<2^{64}$

• Never never use RSA directly to encrypt!!!

  • 要使用标准的框架，如ISO定义的框架

6.2.2 PKCS 1

How RSA is used in practice

RSA encryption in practice

• Never use textbook RSA

• RSA in practice:

  • (since ISO standard is not often used)
  • 在使用RSA之前必须进行preprocessing!
  • 例如：
    • 输入的msg (要交换的key): AES key (128 bits)
    • 将其扩展为 2048 bits
    • 之后再使用RSA进行encryption
      

• Main questions:

  • How should the preprocessing be done?
  • Can we argue about security of resulting system

PKCS 1 V1.5

• PKCS 1 mode 2:
  • mode 2: encryption
    • mode 1: signatures
  • FF: 16 bits of 1
  • 02: 表示mode
  • 加密：
    • the string (2048 bits) 输入到RSA function中
      • raised to the power of e mod N
      • 最终得到ciphertext
  • 解密：
    • 1 RSA解密
    • 2 根据02， 确定是encryption mode
    • 3 删除FF及之前的部分，得到的即为msg

• Resulting value is RSA encrypted
• Widely deployed. e.g., in HTTPS

该方法并没有security proof

---

• 事实证明，没有security proof的算法常常会存在elegant attack!

---

Attack on PKCS 1 v1.5 (Bleichenbacher 1998)

• PKCS 1 used in HTTPS:

• $\Rightarrow$ attacker can test if 16 MSBs of plaintext = ‘02’

  • 尽管只泄露了2 bit， 但已经可以让attacker恢复全部明文！

• Chosen-ciphertext attack:

  • to decrypt a given ciphertext c, do:
    • 1 Choose $r\in$ ${\mathcal{Z}}_N$
    • 2 Compute $c^{\prime }\leftarrow r^e\cdot c=(r\cdot PKCS1(m){)}^e$
      • just multiply plaintext by r
      • the r is determined by the attacker
      • 重复该步骤很多次，能够重建全部的PKCS1(m)！
        • 即全部的明文
        • 具体原因见next slide
    • 3 send c’ to web server and use response

Baby Bleichenbacher

• 方便理解上一页 (Bleichenbacher) 的一个简单函数
• Compute $x\leftarrow c^d$ in ${\mathcal{Z}}_N$

• Suppose N is $N=2^n$ (an invalid RSA modulus), Then:

  • Sending c reveals msb(x)
    • 即能够确定 $ms{b}_1(x)$
  • Sending $2^e\cdot c=(2x{)}^e$ in ${\mathcal{Z}}_N$
    • reveals msb(2x mod N) = $ms{b}_2(x)$
  • Sending $4^e\cdot c$
    • reveals msb(4x mod N) = $ms{b}_3(x)$
  • 以此类推
  • 即可获得entire plaintext

• How to define this attack? 见下文

HTTPS Defense (RFC 5246)

• 思路

  • 1 Generate a string R of 46 random bytes
    • 解密后，发现Plaintext不对，这时不报错，而是直接认为plaintext就是R！
    • then, the protocol will fail later on
  • 2 Decrypt the message to recover the plaintext
  • 3 If the PKCS #1 padding is not correct
    • $pr{e}_{m}aste{r}_{s}ecret=R$

• Most web servers today implement this version!

但这上述bug也引发了一个思考：

• PKCS 是否应该全盘改动？

PKCS v 2.0: OAEP

• New preprocessing function: OAEP
  • check pad on encryption
  • reject CT if invalid
  • 补全长度：与RSA算法一致，如2047 bits
  • 最后将整个concate的text 进行RSA加密

• OAEP: Optimal Asymmetric Encryption Padding

  • optimal: 是指the ciphertext的长度是最短的！
  • ciphertext的长度就是RSA输出的长度
    • no trailing values that are appended to the ciphertext
  • 但ISO就需要额外的padding

• Thm [FOPS’01]:

  • RSA is a trap-door permutation
  • $\Rightarrow$ RSA-OAEP is CCA secure when H,G are random oracles
    • 需要依赖于RSA! 如果是一个普通的trap-door permutation, 怎么办？
      • 见下一页

• in practice: use SHA-256 for H and G

OAEP Improvements

• OAEP+: [Shoup’ 01]
  • $\forall$ trap-door permutation F
    • F-OAEP is CCA secure when H,G,W are random oracles
  • During decryption, validate W(m,r) field

---

• SAEP+: [B’ 01]
  • RSA (e=3) is a trap-door perm
  • $\Rightarrow$ RSA-SAEP+ is CCA secure when H,W are rnadom oracle
  • 解密：
    • $(x,r)⟵RS{A}^{-1}(sk,ct),(m,w)⟵x\oplus H(r),$ output $m$ if $w=W(m,r)$

Subtleties in implementing OAEP

• 解码技巧：

OAEP-decrypt(ct):
  error = 0
  ...
  if (RSA^{-1} (ct) > 2^{n-1}) # 取值范围约束
    {error = 1; goto exit;}
  ...
  if (pad(OAEP^{-1}(RSA^{-1}(ct))) != "01000")    # padding 约束
    {error = 1; goto exit;}

• 但应注意采取措施防止计时攻击

  • Problem: timing information leaks type of error
    • $\Rightarrow$ Attacker can decrypt any ciphertext

• Lesson: Do not implement RSA-OAEP yourself!

Next segment:

• The security of RSA trapdoor permutation

6.3 Public Key Encryption from Trapdoor Permutations: Attacks

6.3.1 Is RSA a One-Way Function?

注意：RSA 不是对数运算！！！！所以不基于离散对数！！

• 离散对数: 已知$g^x(modN)$ 和 g, 求x
• RSA, 已知$x^e(modN)$ 和 e, 求x
  • RSA更像是开方运算

This segment:

• Is RSA a one-way permutation?
• 不知道secret key时，是否无法求逆

Is RSA a one-way permutation?

• To invert the RSA one-way function (without d), attacker must compute:
  • x from $c=x^e(modN)$
• How hard is computing e’th roots modulo N?
• Best known algorithm:
  • Step 1: factor N (hard)
  • Step 2: compute e’th roots modulo p and q

Shortcuts?

• Must one factor N in order to compute e’th roots?
• To prove no shortcut exists show a reduction:
  • Efficient algorithm for e’th roots mod N
    • $\Rightarrow$ efficient algorithm for factoring N
    • 改为证明(已reduction)：能够求解RSA的算法必然能够进行大数分解
      • 意味着 不存在比大数分解更快的RSA算法
  • Oldest problem in public key cryptography
  • 该问题尚无定论！
    • $e=3\Rightarrow$ Factor N??
      • 尚无定论
    • $e=2\Rightarrow$ Factor N
      • YEs ! 但是RSA中的e 不可能是偶数
        • $e\cdot d$ = 1 $(modN)$
        • $\Rightarrow$ $gcd(e,\varphi (N))=1$
        • $\varphi (N)=(p-1)(q-1)$为偶数
        • 因此e不是偶数！
• 目前公认：
  • 要破解RSA，就要对大数进行分解！
  • 这一点是目前公认的、SOTA的方法！
  • 尽管无法证明

How Not to improve RSA’s performance

• “Not”:
  • 意思是很多方法试图提高RSA的性能
  • 但是他们都错了，反而成了Not 的方法
• To speed up RSA decryption use small private key d
  • $d\approx 2^{128}$
  • $c^d=m(modN)$
• 但事实上：
  • Wiener’87: if $d<N^{0.25}$, then RSA is insecure
    • 例如N = $2^{2}048$
    • d就不能小于$2^{5}12$
    • 理由in the next slide
  • BD’98: if $d<N^{0.292}$, then RSA is insecure
• Insecure: private key d can be found from (N,e)

Wiener’s attack

• Recall:
  • $e\cdot d=1(mod\varphi (N))$
    • $\Rightarrow$ $\exists k\in Z$: $e\cdot d=k\cdot \varphi (N)+1$
  • $\Rightarrow$ $|N-\phi (N)|\le p+q\le 3\sqrt{N}$
  • $\Rightarrow$ if $d\le N^{0.25}/3$, then:
    • |e/N - k/d| $\le$ $\frac{1}{2d^2}$
    • 证明见视频
    • e/N: 已知
    • 而k/d又与e/N非常非常接近
• Continued function expansion of e/N gives k/d
  • 能够推导出log(N)种可能的k/d值
  • 再进行遍历尝试
  • 即可破解k/d
  • 然后：
    • $c\cdot d=1(\mathrm{m}\mathrm{o}\mathrm{d}k)\Rightarrow \gcd (d,k)=1\Rightarrow$ can find $d$ from $k/d$
    • 即可得到d

6.3.2 RSA in Practice

This segment:

• How RSA is used in practice
• to conclude this module

RSA with Low public exponent

• To speed up RSA encryption use a small e:
  • $c=m^e(modN)$
• Minimum value: e = 3
  • gcd(e,$\varphi (N)$) = 1
• Recommended value:
  • $e=65537=2^{16}+1$
  • Encryption: 17 multiplications
• Asymmetry of RSA:
  • Fast enc. / slow dec.
    • decryption:$X^{65537}(modN)$
      • need the order of 2000 multiplications
      • a speed-up method: RSA-CRT, but still much slower than the encryption
  • EIGammal (next module) approx. same time for both

Key Lengths

• Security of public key system should be comparable to security of symmetric cipher:

Implementation attacks

• Timing attack: (Kecher 97)

  • The time it takes to compute $c^d(modN)$ can expose d

• Power attack: (Kocher 99)

  • The power consumption of a smartcard while it is computing $c^d(modN)$ can expose d

• Faults attack: (BDL 97)

  • A computer error during $c^d(modN)$ can expose d
  • just one error completely reveals the secret key
  • A common defense: check output (e = c mod N ??)
    • take less time: 10% slowdown

• Lesson:

  • 按照RSA定义去实现仍无法避免诸多攻击！
  • 应尽量避免使用未经验证的实现方法

An example Fault Attack on RSA (CRT)

• A common implementation of RSA decryption:
  • $x=c^d$ in ${\mathcal{Z}}_N$
    • 通常的解密方法：先浸塑p上的，再计算q上的，合到一起就能得到最后结果
    • decrypt mod p: $x_p=c^d$ in ${\mathcal{Z}}_p$
    • decrypt mod q: $x_q=c^d$ in ${\mathcal{Z}}_q$
    • combine them to get $x=c^d$ ${\mathcal{Z}}_N$
    • 这样可以把解密加速四倍， 但会受到Fault Attack!
• Suppose error occurs when computing $x^q$, but no error in $x_p$
  • 处理器运算时出现了错误
  • Then:
    • output is x’ where $x^{\prime }=c^d$ in ${\mathcal{Z}}_p$
    • but $x^{\prime }\ne c^d$ in ${\mathcal{Z}}_q$
  • $\Rightarrow$:
    • $(x^{\prime }{)}^e$ in ${\mathcal{Z}}_p$
    • but ((x’)^e) $\ne c$ in ${\mathcal{Z}}_q$
  • $\Rightarrow$:
    • gcd($(x^{\prime }{)}^e-c,N$) = p
      • 因为p能够整除$(x^{\prime }{)}^e-c$，但是q不能整除$(x^{\prime }{)}^e-c$
    • 得到q，意味着完成了因式分解！！！
  • 从而完成密钥的恢复
• 解决方法：验证输出的正确性

RSA Key Generation Trouble [Heninger et al. / Lenstra et al.]

• 如果RSA产生密钥时熵很小，就会产生问题

• OpenSSL RSA key generation (abstract):

# 若随机数生成器的熵很小，就会出问题！
prng.seed(seed)
p = prng.generate_random_prime()
prng.add_randomness(bits)
q = prng.generate_random_prime()
N = p*q

• Suppose poor entropy at startup:
  • same p will be generated by multiple devices
    • but different q
  • $N_1,N_2$: RSA keys from different devices $\Rightarrow$ gcd($N_1$,$N_2$) = p
  • 相当于完成了因式分解
  • 因此不安全

---

Experiment: factors 0.4% of public HTTP keys!!!
Lesson:

• Make sure random number generator is properly seeded when generating keys
  • 事实上，不管是RSA, EIGammal, 还是对称密码，这一点都需要满足！

Further reading

• 1998, Why chosen ciphertext security matters
  • 密码必须是chosen ciphertext security的
• 1999, Twenty years of attacks on the RSA cryptosystem
  • 一个survey
• 2001, OAEP reconsidered
• 2004, Key lengths
  • 如何为密码系统选择密钥长度

6.4 Public Key Encryption From Diffie-Hellman: EIGamal

6.4.1 The EIGamal Public-key system

This segment

• 另一种加密框架 EIGamal
• are built from Diffie-Hellman protocol

Recap: public key encryption (Gen, E, D) & Applications

---

Applications:

• Key exchange:
  • e.g., in HTTPS
• Encryption in non-interactive settings:
  • Secure Email:
    • Bob has Alice’s Pub-Key and Sends her an email
  • Encrypted File Systems
    • 例如下图是Bob 加密文件，但A也可以访问的情况
    • A只需要用自己的secret key解密即可
    • A和B之间不需要交互
  • Key escrow: data recovery without Bob’s key
    • 密钥第三方(如公司)托管
    • 把Alice换成escrow即可

Constructions

• This week: two families of public-key encryption schemes
• Previous lecture:
  • based on trapdoor functions
    • such as RSA
    • Schemes: ISO standard, OAEP+
• This lecture:
  • based on Diffie-Hellman protocol
  • Schemes: EIGamal encryption and variants (e.g., used in GPG)
    • GPG: an email encryption system (GNU privacy guard)
• Security goals:
  • chosen ciphertext security

Review: the Diffie-Hellman protocol

• Fix a finite cyclic group G of order n

  • e.g., G = ${\mathcal{Z}}_p^{\ast }$
  • 或者是the points of an 椭圆曲线
  • order n: means $g^n=1$

• Fix a generator g in G:

  • 即 $\mathrm{G}=\left\{1,g,{\mathrm{g}}^2,{\mathrm{g}}^3,\dots ,{\mathrm{g}}^{\mathrm{n}-1}\right\}$

• Step:

  • Alice: choose random a in {1,2, …, n}
  • Bob: choose random b in {1,2, …, n}
  • generated session key: $g^{ab}$
  • 注意：
    • $A=g^a$ 和 $B=g^b$ 均是 G中的元素！

EIGamal: converting to pub-key enc.

• Fix a finite cyclic group of order n

  • e.g., G = ${\mathcal{Z}}_p^{\ast }$

• Fix a generator g in G:

  • 即 $\mathrm{G}=\left\{1,g,{\mathrm{g}}^2,{\mathrm{g}}^3,\dots ,{\mathrm{g}}^{\mathrm{n}-1}\right\}$

• Step:

  • 1 Key generation:
    • Alice: choose random a in {1,2, …, n} and compute $A=g^a$
    • public key: A
    • private key: a
    • 从A得到a的过程是一个离散对数问题！
  • 2 Bob 希望加密消息m，并发送给A (E)
    • Bob: choose random b in {1,2, …, n}
    • Bob compute $g^{ab}=A^b$
    • Bob derive symmetric key k
      • 根据$g^{ab}$
    • ct = [$B=g^b$, encrypt message m with k]
  • 3 Alice 解密消息：
    • Alice compute $g^{ab}=B^a$
    • Alice derive k
      • 根据$g^{ab}$
    • 即可用k完成对m的解密

• 注意: EI Gammal每次的加密结果并不同
  • 因为Bob每次加密时都会随机选取一个b
  • 与RSA不一样

更加细节的描述: $\downarrow$

The EIGamal system (a modern view)

• G: finite cyclic group of order n
• $(E_s,D_s)$: symmetric auth. encryption defined over (K,M,C)
• H: $G^2\to K$: a hash function

The pub-key enc. system (Gen, E, D):

• 1 Key generation Gen:
  • choose random generator g in G and random a in $Z_n$
  • output sk = a; pk = (g, h = $g^a$)
• 2 Encryption E(pk=(g,h), m):
  • $b\leftarrow Z_n,u⟵g^b,v⟵h^b$
    • u相当于$B=g^b$, v相当于$g^{ab}$
  • $\mathrm{k}⟵\mathrm{H}(\mathrm{u},\mathrm{v}),\mathrm{c}⟵{\mathrm{E}}_{\mathrm{s}}(\mathrm{k},\mathrm{m})$
  • output (u,c)
• 3 Decryption D(sk = a, (u,c)):
  • $v\leftarrow u^a$
  • $k\leftarrow H(u,v)$
  • $m\leftarrow D_s(k,c)$
  • output m

EIGamal performance

• Encryption: 2 exp (fixed basis) (计算u, 计算v)
  • Can pre-compute $[g^{\left(2^{\wedge }i\right)},h^{\left(2^{\wedge }i\right)}$ for $i=1,\dots ,{\log }_{2}n]$
  • 3X speed-up (or more)
    • 如果g和h不固定，那就没办法加速
    • 如果encryption是瓶颈，那就选择RSA
• Decryption: 1 exp. (variable basis)

Next segment:

• Why is EIGamal system chosen ciphertext secure?
• under what assumpetions?

6.4.2 EIGamal Security

Computational Diffie-Hellman Assumption

• G: finite cuclic group of order n

假设1： 最弱的假设 CDH 假设

• computational DH假设

• Comp. DH (CDH) assumpation holds in G if:
  • $g,g^a,g^b\nRightarrow g^{ab}$
  • 更专业的描述 (more precisely):
    • for all efficient algs. A:
      • Pr$[A(g,g^a,g^b)=g^{ab}]<$ negligible
    • where $g\leftarrow $ {generators of G}, a,b $\leftarrow$ ${\mathcal{Z}}_N$

但CDH假设尚不足以证明EIGamal的semantic security， 下面引入更强的假设 HDH

Hash Diffie-Hellman Assumption

• G: finite cyclic group of order n

• H: $G^2\to K$

  • a hash function

• Def: Hash-DH (HDH) assumption holds for (G,H) if:

  • $\left(g,g^a,g^b,H\left(g^b,g^{ab}\right)\right){\approx }_p\left(g,g^a,g^b,R\right)$
    • where $g\leftarrow$ {generators of G}, $a,b\leftarrow$ ${\mathcal{Z}}_N$, $R\leftarrow K$
  • 也就是说新增了H必须是理想Hash的条件

• 注意: HDH假设比CDH假设更强！

  • 有些系统满足CDH假设，但是不满足HDH假设！

---

Example: 一个是符合CDH但不符合HDH的system

• Suppose K = { 0 , 1 } 128 \{0,1 \}^{128} {0,1}128 and
  • H: $G^2\leftarrow K$ only outputs strings in K that begins with 0
    • 即 for all x,y: msb(H(x,y)) = 0
• Can Hash-DH hold for (G,H)?

ANs: No, Hash-DH is easy to break in this case!!

• 满足CDH假设，但是不满足HDH假设!

EIGamal is sem. secure under Hash-DH

---

首先回顾EIGamal加密系统

The pub-key enc. system (Gen, E, D):

• 1 Key generation Gen:
  • choose random generator g in G and random a in $Z_n$
  • output sk = a; pk = (g, h = $g^a$)
• 2 Encryption E(pk=(g,h), m):
  • $b\leftarrow Z_n,u⟵g^b,v⟵h^b$
    • u相当于$B=g^b$, v相当于$g^{ab}$
  • $\mathrm{k}⟵\mathrm{H}(\mathrm{u},\mathrm{v}),\mathrm{c}⟵{\mathrm{E}}_{\mathrm{s}}(\mathrm{k},\mathrm{m})$
  • output (u,c)
• 3 Decryption D(sk = a, (u,c)):
  • $v\leftarrow u^a$
  • $k\leftarrow H(u,v)$
  • $m\leftarrow D_s(k,c)$
  • output m

---

下面证明语义安全：

• 上下两个等号：
  • 基于Hash函数的理想性
• 左边的等号：
  • 基于对称加密的语义安全
    • 密文不体现关于密文的任何信息
• 因此即可证明HDH下的语义安全

但这样仍无法证明CCA security!

• 需要更强的假设 – IDH

EIGamal chosen ciphertext security?

• To prove chosen ciphertext security need stronger assumption
• Interactive Diffie-Hellman (IDH) in group G:
  • 再ODH的基础上赋予了Adv. 更强的一个能力：
    • Adv. 可以询问挑战者 (u,v)是否满足$(u{)}^a=v$.
    • 添加该能力的原因仅仅是为了满足CCA security

• IDH holds in G if $\mathrm{Pr}[$ A outputs $g^{ab}$] $<$ negligible

EIGamal chosen ciphertext security

• Security theorem:

  • If
    • IDH holds in the group G:
    • $(E_s,D_s)$ provides auth. enc.
    • H: $G^2\leftarrow$ K is a “random oracle”
  • Then
    • EIGamal is $CC{A}^{ro}$ secure
      • ro: means random oracle model

• Questions: 待解决的问题

  • 1 Can we prove CCA security based on HDH
    • 即避免IDH中奇怪的询问能力
  • 2 Can we prove CCA security based on CDH (without random oracle)
    • 即使用具体的Hash函数即可证明

6.4.3 EIGamal Variants With Better Security

Last segment:

• 在有些奇怪的假设下说明了EIGamal CCA Security

This segment:

• Look at variants of EIGamal that have a much better CCA security analysis

Review: EIGamal Encryption

The pub-key enc. system (Gen, E, D):

• 1 Key generation Gen:
  • choose random generator g in G and random a in $Z_n$
  • output sk = a; pk = (g, h = $g^a$)
• 2 Encryption E(pk=(g,h), m):
  • $b\leftarrow Z_n,u⟵g^b,v⟵h^b$
  • $\mathrm{k}⟵\mathrm{H}(\mathrm{u},\mathrm{v}),\mathrm{c}⟵{\mathrm{E}}_{\mathrm{s}}(\mathrm{k},\mathrm{m})$
  • output (u,c)
• 3 Decryption D(sk = a, (u,c)):
  • $v\leftarrow u^a$
  • $k\leftarrow H(u,u^a)$
  • $m\leftarrow D_s(k,c)$
  • output m

EIGamal Chosen Ciphertext Security

• Security Theorem:

  • If IDH holds in the group G:
    • $(E_s,D_s)$ provides auth. enc.
    • and $H:G^2\to K$ is a “random oracle”
  • Then
    • EIGamal is $CC{A}^{ro}$ secure

• Question: Can we prove CCA security based on CDH $g,g^a,g^b\nRightarrow g^{ab}$

• Answer: 有两种方法实现：

  • 方法1 Use Group G where CDH = IDH (a.k.a, bilibear group)
  • 方法2 Change the EIGamal system

• 下面介绍方法2中的一个

Variants: twin EIGamal [CKS’ 08]

• KeyGen: $g\leftarrow$ {generators of G}

  • $a1,a2\leftarrow Z_n$
  • Output
    • pk = ($g,h_1=g^{a1},h_2=g^{a2}$)
    • sk = (a1,a2)

• Encryption: E(pk=(g, h1, h2), m):

  • $b \leftarrow $ ${\mathcal{Z}}_N$
  • $k\leftarrow H(g^b,h_1^b,h_2^b)$
  • $c\leftarrow E_S(k,m)$
  • output $(g^b,c)$

• Decryption: D(sk = (a1,a2), (u,c))

  • $\mathrm{k}⟵\mathrm{H}\left(\mathrm{u},{\mathrm{u}}^{\mathrm{a}1},{\mathrm{u}}^{\mathrm{a}2}\right)$
  • $m\leftarrow D_s(k,c)$
  • output m

• 下面说明 twin EIGamal 的CCA security

Chosen ciphertext security

• Security Theorem:

  • If CDH holds in the group G:
    • $(E_s,D_s)$ provides auth. enc.
    • H: $G^3\to K$ is a “random oracle”
      • ideal hash function (“random oracle”)
  • then:
    • Twin EIGamal is $CC{A}^{ro}$ secure

• 去掉那个奇怪的假设的Cost

  • One more exponentiation during enc/dec
    • enc: 从2变成了3
    • dec: 从1变成了2
  • 这样值得吗？
    • 不知道！这取决于是否存在满足上面If的那些条件(CDH, 加密认证、random oracle)，但并不CCA secure的系统
      • 或者说取决于是否有满足CDH但不满足IDH的groups
    • 如果有的话，那就值得；否则，不值得。答案未知

EIGamal security without random oracles

继续去掉random oracles！

Can we prove CCA Security without random oracles?

• Option 1: use Hash-DH assumption in “bilinear groups”
  • special elliptic curve with more structure
    • [CHK’04 + BB’04]
• Option 2: Use Decision-DH assumption in any group [CS’98]

本课程不进行详细介绍，可参考论文

Further reading

• The Decision Diffie-Hellman problem, 1998
  • Decision-DH assumption
• Universal hash proofs and a paradigm for chosen ciphertext secure public key encryption, 2002
  • 如何使用Decision-DH assumption等建立CCA secure的公钥加密系统
• Chosen-ciphertext security from Identity-Based Encryption, 2007
  • 如何从Bilinear Group中建立CCA secure的系统
• The twin Diffie-Hellman problem and applications, 2008
  • twin Diffie-Hellman construction
• Efficient chosen-ciphertext security via extractable hash proofs, 2010
  • a very general framework for building CCA secure systems
    • using extractable hash proofs

Next segment:

• 将RSA和EIGamal统一到general principle

6.5 Public Key Encryption: Summary

6.5.1 A unifying Theme

到目前为止，见过两类public key:

• 1 RSA: 基于trapdoor function
• 2 EIGamal: 基于Diffie-Hellman

接下来：

• 说明它们其实都follow from a more general principle
  

One-way function

A function $f:x\to y$ is one-way if

• There is an efficient algorithm to evaluate $f(\cot )$
• 但，Inverting f is hard
  • 这里的意思是，给定y, 找到对应的原像x非常困难
  • 即 for all efficient A and $x\leftarrow X$:
    • Pr[f (A(f(x))) = f(x)] < negligible
  • 给定f(x) ,找到对应的原像x (满足f(A(f(x))) = f(x))，非常困难

• Functions that are not one-way:

  • f(x) = x: 可逆
  • f(x) = 0: 很容易找到原像: 任何x都是原像

• （待查证）但是，证明一个函数f是one-way function非常困难

  • NP 难问题

下面通过例子，以One-way function统一 public key encryption

Ex. 1: Generic one-way functions

• Let $f:x\to Y$ be a secure PRG
  • where |Y| >> |X|
  • e.g., f built using det. counter mode
• Lemma: f a secure PRG $\Rightarrow$ f is one-way
• Proof sketch: 反证法 contra positive
  • 假如A inverts f $\Rightarrow$ 可构造下面的B，B能够对来自y的输入全部输出A，对于真的随机数全部输出0
    • 意味着可以区分，意味着f不是a secure PRG
    • 证毕！
  • 因此，f是一个one-way function
• Generic: no special properties
  • 但PRG没有特殊的性质，因此无法用于公钥密码学， 如key exchange

Ex 2: The DLOG one-way function

• Fix a finite cyclic group G (e.g $G={\left(Z_p\right)}^{\ast })$ of order n

• g: a random generator in G

  • i.e. G = {1,g , $g^2$, … , $g^{n-1}$}

• Define:

  • f: $Z_n\to G$ as $f(x)=g^x\in G$

• Lemma: Dlog hard in G $\Rightarrow$ f is one-way

• Properties:

  • 不同的是，离散对数满足有些性质：
  • 已知f(x), f(y), 则 可计算 f(x+y) = f(x) f(y)
    • $\Rightarrow$ 能够被用于key-exchange 和 public-key encryption

Ex.3 The RSA one-way function

• choose random prime p,q $\approx 1024$ bits, Set N = pq

• choose integers e,d s.t., $e\cdot d=1(\mathrm{m}\mathrm{o}\mathrm{d}\phi (N))$

• Define: f: ${\mathbb{Z}}_N^{\ast }\to {\mathbb{Z}}_N^{\ast }$ as $f(x)=x^e$ in ${\mathbb{Z}}_N$

• Lemma:

  • f is one-way under the RSA assumption
    • RSA assumption 就是说它是一个One-way function

• Properties:

  • $f(x\cdot y)=f(x)\cdot f(y)$
  • f has a trapdoor
    • 这个性质使RSA能够非常方便地用于数字签名

Summary

• Public key encryption:
  • 基于one-way functions with special properties!
  • properties例如：
    • homomorphic properties
      • 给定f(x)和f(y)就能计算f(x+y)或者f(xy)
    • trapdoors

密码学2：

• 将会继续介绍数字签名

6.5.2 Farewell (For Now)

6 周课程结束，本节进行总结

Quick Review: primiteves

• Week 1: PRG
• Week 2: PRF and PRP
• Week 3: Data integrity
  • MAC 各种MAC地构造
  • Hash 函数
  • Collision Resistance 生日悖论等
• Week 4: Authenticated Encryption
  • 认证 + 加密
• Week 5: 开始一个新的topic- 公钥密码
  • Trapdoor functions
  • Diffie-Hellman groups
• Week 6: 具体方法
  • RSA
  • EIGamal

Remaining Core Topics (Part 2)

密码学2的内容包括:

• Digital signatures and certificates
• Authenticated key exchange
• User authentication
  • Passwords
  • one-time passwords
  • challenge-response
• Privacy mechanism
• Zero-knowledge protocols

Many more topics to cover

密码学中更多的领域

• Elliptic Curve Crypto
• Quantum Computing
• New key management paradigms
  • identity based encryption and functional encryption
• Anonymous digital cash
• Private voting and auction systems
• Computing on ciphertexts: fully homomorphic encryption
• Lattice-based crypto
• Two party and multi-party computation

Final Words: 不要轻易尝试使用自己实现的密码

• Be careful when using crypto
  • A tramendous tool, but if incorrectly implemented:
    • 系统能够工作，但可能会遭受意想不到的easy attack!
• Make sure to have others review your designs and code

#密码学1结束