[PUBLISHER] upload files #157

* PUSH NOTE : 9. Public Key Encryption.md

* PUSH NOTE : 8. Number Theory.md

* PUSH NOTE : 7. Key Exchange.md

* PUSH NOTE : 6. Hash Functions.md

* PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md

* PUSH NOTE : 4. Message Authentication Codes.md

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md

* PUSH NOTE : 18. Bootstrapping & CKKS.md

* PUSH NOTE : 17. BGV Scheme.md

* PUSH NOTE : 16. The GMW Protocol.md

* PUSH NOTE : 15. Garbled Circuits.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* PUSH NOTE : 13. Sigma Protocols.md

* PUSH NOTE : 12. Zero-Knowledge Proofs (Introduction).md

* PUSH NOTE : 11. Advanced Topics.md

* PUSH NOTE : 10. Digital Signatures.md

* PUSH NOTE : 0. Introduction.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-05-introduction.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-12-prfs-prps-block-ciphers.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-21-macs.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-26-cca-security-authenticated-encryption.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-28-hash-functions.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-03-key-exchange.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-05-number-theory.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-19-public-key-encryption.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-26-digital-signatures.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-31-advanced-topics.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-02-zkp-intro.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-07-sigma-protocols.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-09-secure-mpc.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-14-garbled-circuits.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-16-gmw-protocol.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-23-bgv-scheme.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-12-08-bootstrapping-ckks.md
This commit is contained in:
2024-11-12 20:41:08 +09:00
committed by GitHub
parent d55c927a9d
commit 68fcbab46c
18 changed files with 51 additions and 495 deletions

View File

@@ -1,457 +0,0 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
tags:
- lecture-note
- cryptography
- security
title: 9. Public Key Encryption
date: 2023-10-19
github_title: 2023-10-19-public-key-encryption
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-09-ss-pke.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
In symmetric encryption, we assumed that the two parties had a shared key in advance. If the two parties do not have a shared key, **public-key encryption** can be used to encrypt messages.
## Public Key Encryption
> **Definition.** A **public key encryption scheme** $\mc{E} = (G, E, D)$ is a triple of efficient algorithms: a **key generation** algorithm $G$, an **encryption algorithm** $E$, a decryption algorithm $D$.
>
> - $G$ generates a key pair as $(pk, sk) \la G()$. $pk$ is called a **public key** and $sk$ is called a **secret key**.
> - $E$ takes a public key $pk$ and a message $m$ and outputs ciphertext $c \la E(pk, m)$.
> - $D$ takes a secret key $sk$ and a ciphertext $c$ and outputs plaintext $m \la D(sk, c)$ or a special $\texttt{reject}$ value $\bot$.
>
> We say that $\mc{E} = (G, E, D)$ is defined over $(\mc{M}, \mc{C})$.
$G$ and $E$ may be probabilistic, but $D$ must be deterministic. Also, correctness condition is required. For any $(pk, sk)$ and $m \in \mc{M}$,
$$
\Pr[D(sk, E(pk, m)) = m] = 1.
$$
Public key $pk$ will be publicized. After Alice obtains $pk$, she can use it to encrypt any message and send it to Bob. This is the only interaction required. The public key can be used multiple times, and others besides Alice can use it too. Finally, $sk$ should be hard to compute from $pk$, obviously for security.
## CPA Security for Public Key Encryption
### Semantic Security
The following notion of security is only for an eavesdropping adversary.
![mc-09-ss-pke.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-09-ss-pke.png)
> **Definition.** Let $\mc{E} = (G, E, D)$ be a public key encryption scheme defined over $(\mc{M}, \mc{C})$. For an adversary $\mc{A}$, we define two experiments.
>
> **Experiment** $b$.
> 1. The challenger computes $(pk, sk) \la G()$ and sends $pk$ to the adversary.
> 2. The adversary chooses $m_0, m_1 \in \mc{M}$ of the same length, and sends them to the challenger.
> 3. The challenger computes $c \la E(pk, m_b)$ and sends $c$ to the adversary.
> 4. $\mc{A}$ outputs a bit $b' \in \braces{0, 1}$.
>
> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. The **advantage** of $\mc{A}$ with respect to $\mc{E}$ is defined as
>
> $$
> \Adv[SS]{\mc{A}, \mc{E}} = \abs{\Pr[W_0] - \Pr[W_1]}.
> $$
>
> $\mc{E}$ is **semantically secure** if $\rm{Adv}_{\rm{SS}}[\mc{A}, \mc{E}]$ is negligible for any efficient $\mc{A}$.
Note that $pk$ is sent to the adversary, and adversary can encrypt any message! Thus, encryption must be randomized. Otherwise, the adversary can compute $E(pk, m_b)$ for each $b$ and compare with $c$ given from the challenger.
### Semantic Security $\implies$ CPA
For symmetric ciphers, semantic security (one-time) did not guarantee CPA security (many-time). But in public key encryption, semantic security implies CPA security. This is because *the attacker can encrypt any message using the public key*.
First, we check the definition of CPA security for public key encryption. It is similar to that of symmetric ciphers, compare with [CPA Security for symmetric key encryption (Modern Cryptography)](../2023-09-19-symmetric-key-encryption/#cpa-security).
> **Definition.** For a given public-key encryption scheme $\mc{E} = (G, E, D)$ defined over $(\mc{M}, \mc{C})$ and given an adversary $\mc{A}$, define experiments 0 and 1.
>
> **Experiment $b$.**
> 1. The challenger computes $(pk, sk) \la G()$ and sends $pk$ to the adversary.
> 2. The adversary submits a sequence of queries to the challenger:
> - The $i$-th query is a pair of messages $m_{i, 0}, m_{i, 1} \in \mc{M}$ of the same length.
> 3. The challenger computes $c_i = E(pk, m_{i, b})$ and sends $c_i$ to the adversary.
> 4. The adversary computes and outputs a bit $b' \in \braces{0, 1}$.
>
> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. Then the **CPA advantage with respect to $\mc{E}$** is defined as
>
> $$
> \Adv[CPA]{\mc{A}, \mc{E}} = \abs{\Pr[W_0] - \Pr[W_1]}.
> $$
>
> If the CPA advantage is negligible for all efficient adversaries $\mc{A}$, then $\mc{E}$ is **semantically secure against chosen plaintext attack**, or simply **CPA secure**.
We formally prove the following theorem.
> **Theorem.** If a public-key encryption scheme $\mc{E}$ is semantically secure, then it is also CPA secure.
>
> For any $q$-query CPA adversary $\mc{A}$, there exists an SS adversary $\mc{B}$ such that
>
> $$
> \rm{Adv}_{\rm{CPA}}[\mc{A}, \mc{E}] = q \cdot \rm{Adv}_{\rm{SS}}[\mc{B}, \mc{E}].
> $$
*Proof*. The proof uses a hybrid argument. For $j = 0, \dots, q$, the *hybrid game* $j$ is played between $\mc{A}$ and a challenger that responds to the $q$ queries as follows:
- On the $i$-th query $(m_{i,0}, m_{i, 1})$, respond with $c_i$ where
- $c_i \la E(pk, m_{i, 1})$ if $i \leq j$.
- $c_i \la E(pk, m_{i, 0})$ otherwise.
So, the challenger in hybrid game $j$ encrypts $m_{i, 1}$ in the first $j$ queries, and encrypts $m_{i, 0}$ for the rest of the queries. If we define $p_j$ to be the probability that $\mc{A}$ outputs $1$ in hybrid game $j$, we have
$$
\Adv[CPA]{\mc{A}, \mc{E}} = \abs{p_q - p_0}
$$
since hybrid $q$ is precisely experiment $1$, hybrid $0$ is experiment $0$. With $\mc{A}$, we define $\mc{B}$ as follows.
1. $\mc{B}$ randomly chooses $\omega \la \braces{1, \dots, q}$.
2. $\mc{B}$ obtains $pk$ from the challenger, and forwards it to $\mc{A}$.
3. For the $i$-th query $(m_{i, 0}, m_{i, 1})$ from $\mc{A}$, $\mc{B}$ responds as follows.
- If $i < \omega$, $c \la E(pk, m_{i, 1})$.
- If $i = \omega$, forward query to the challenger and forward its response to $\mc{A}$.
- Otherwise, $c_i \la E(pk, m_{i, 0})$.
4. $\mc{B}$ outputs whatever $\mc{A}$ outputs.
Note that $\mc{B}$ can encrypt queries on its own, since the public key is given. Define $W_b$ as the event that $\mc{B}$ outputs $1$ in experiment $b$ in the semantic security game. For $j = 1, \dots, q$, we have that
$$
\Pr[W_0 \mid \omega = j] = p_{j - 1}, \quad \Pr[W_1 \mid \omega = j] = p_j.
$$
In experiment $0$ with $\omega = j$, $\mc{A}$ receives encryptions of $m_{i, 1}$ in the first $j - 1$ queries and receives encryptions of $m_{i, 1}$ for the rest of the queries. The second equation follows similarly.
Then the SS advantage can be calculated as
$$
\begin{aligned}
\Adv[SS]{\mc{B}, \mc{E}} &= \abs{\Pr[W_0] - \Pr[W_1]} \\
&= \frac{1}{q} \abs{\sum_{j=1}^q \Pr[W_0 \mid \omega = j] - \sum_{j = 1}^q \Pr[W_1 \mid \omega = j]} \\
&= \frac{1}{q} \abs{\sum_{j=1}^q (p_{j-1} - p_j)} \\
&= \frac{1}{q} \Adv[CPA]{\mc{A}, \mc{E}}.
\end{aligned}
$$
## CCA Security for Public Key Encryption
We also define CCA security for public key encryption, which models a wide spectrum of real-world attacks. The definition is also very similar to that of symmetric ciphers, compare with [CCA security for symmetric ciphers (Modern Cryptography)](../2023-09-26-cca-security-authenticated-encryption/#cca-security).
> **Definition.** Let $\mc{E} = (G, E, D)$ be a public-key encryption scheme over $(\mc{M}, \mc{C})$. Given an adversary $\mc{A}$, define experiments $0$ and $1$.
>
> **Experiment $b$.**
> 1. The challenger computes $(pk, sk) \la G()$ and sends $pk$ to the adversary.
> 2. $\mc{A}$ makes a series of queries to the challenger, which is one of the following two types.
> - *Encryption*: Send $(m_{i_,0}, m_{i, 1})$ and receive $c'_i \la E(pk, m_{i, b})$.
> - *Decryption*: Send $c_i$ and receive $m'_i \la D(sk, c_i)$.
> - Note that $\mc{A}$ is not allowed to make a decryption query for any $c_i'$.
> 3. $\mc{A}$ outputs a pair of messages $(m_0^ * , m_1^*)$.
> 4. The challenger generates $c^* \la E(pk, m_b^*)$ and gives it to $\mc{A}$.
> 5. $\mc{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^*$.
> 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
>
> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mc{E}$** is defined as
>
> $$
> \rm{Adv}_{\rm{CCA}}[\mc{A}, \mc{E}] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
> $$
>
> If the CCA advantage is negligible for all efficient adversaries $\mc{A}$, then $\mc{E}$ is **semantically secure against a chosen ciphertext attack**, or simply **CCA secure**.
Note that encryption queries are not strictly required, since in public-key schemes, the adversary can encrypt any messages on its own. We can consider a restricted security game, where an adversary makes only a single encryption query.
> **Definition.** If $\mc{A}$ is restricted to making a single encryption query, we denote its advantage by $\Adv[1CCA]{\mc{A}, \mc{E}}$. A public-key encryption scheme $\mc{E}$ is **one-time semantically secure against chosen ciphertext attack**, or simply **1CCA** secure if $\Adv[1CCA]{\mc{A}, \mc{E}}$ is negligible for all efficient adversaries $\mc{A}$.
Similarly, 1CCA security implies CCA security, as in the above theorem. So to show CCA security for public-key schemes, *it suffices to show that the scheme is 1CCA secure*.
> **Theorem.** If a public-key encryption scheme $\mc{E}$ is 1CCA secure, then it is also CCA secure.
*Proof*. Same as the proof in above theorem.
### Active Adversaries in Symmetric vs Public Key
In symmetric key encryption, we studied [authenticated encryption (AE)](../2023-09-26-cca-security-authenticated-encryption/#authenticated-encryption-ae), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA.
However in public-key schemes, adversaries can always create new ciphertexts using the public key, which makes the original definition of ciphertext integrity unusable. Thus we directly require CCA security.
## Hybrid Encryption and Key Encapsulation Mechanism
Symmetric key encryptions are significantly faster than public key encryption, so we use public-key encryption for sharing the key, and then the key is used for symmetric key encryption.
Generate $(pk, sk)$ for the public key encryption, and generate a symmetric key $k$. For the message $m$, encrypt it as
$$
(c, c_S) \la \big( E(pk, k), E_S(k, m) \big)
$$
where $E_S$ is the symmetric encryption algorithm, $E$ is the public-key encryption algorithm. The receiver decrypts $c$ and recovers $k$ that can be used for decrypting $c_S$. This is a form of **hybrid encryption**. We are *encapsulating* the key $k$ inside a ciphertext, so we call this **key encapsulation mechanism** (KEM).
We can use public-key schemes for KEM, but there are dedicated constructions for KEM which are more efficient. The dedicated algorithms does the key generation and encryption in one-shot.
> **Definition.** A KEM $\mc{E}_\rm{KEM}$ consists of a triple of algorithms $(G, E_\rm{KEM}, D_\rm{KEM})$.
>
> - The key generation algorithm generates $(pk, sk) \la G()$.
> - The encapsulation algorithm generates $(k, c_\rm{KEM}) \la E_\rm{KEM}(pk)$.
> - The decapsulation algorithm generates $k \la D_\rm{KEM}(sk, c_\rm{KEM})$.
Note that $E_\rm{KEM}$ only takes the public key as a parameter. The correctness condition is that for any $(pk, sk) \la G()$ and any $(k, c_\rm{KEM}) \la E_\rm{KEM}(pk)$, we must have $k \la D_\rm{KEM}(sk, c_\rm{KEM})$.
Using the KEM, the symmetric key is automatically encapsulated during encryption process.
> **Definition.** A KEM scheme is secure if any efficient adversary cannot distinguish between $(c_\rm{KEM}, k_0)$ and $(c_\rm{KEM}, k_1)$, where $k_0$ is generated by $E(pk)$, and $k_1$ is chosen randomly from $\mc{K}$.
Read more about this in Exercise 11.9.[^1]
## The ElGamal Encryption
We introduce a public-key encryption scheme based on the hardness of discrete logarithms.
> **Definition.** Suppose we have two parties Alice and Bob. Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $\mc{E}_S = (E_S, D_S)$ be a symmetric cipher.
>
> 1. Alice chooses $sk = \alpha \la \Z_q$, computes $pk = g^\alpha$ and sends $pk$ to Bob.
> 2. Bob also chooses $\beta \la \Z_q$ and computes $k = h^\beta = g^{\alpha\beta}$.
> 3. Bob sends $\big( g^\beta, E_S(k, m) \big)$ to Alice.
> 4. Alice computes $k = g^{\alpha\beta} = (g^\beta)^\alpha$ using $\alpha$ and recovers $m$ by decrypting $E_S(k, m)$.
As a concrete example, set $E_S(k, m) = k \cdot m$ and $D_S(k, c) = k^{-1} \cdot c$. The correctness property automatically holds. Therefore,
- $G$ outputs $sk = \alpha \la \Z_q$, $pk = h = g^\alpha$.
- $E(pk, m) = (c_1, c_2) \la (g^\beta, h^\beta \cdot m)$ where $\beta \la \Z_q$.
- $D(sk, c) = c_2 \cdot (c_1)^{-\alpha} = m$.
### Security of ElGamal Encryption
> **Theorem.** If the DDH assumption holds on $G$, and the symmetric cipher $\mc{E}_S = (E_S, D_S)$ is semantically secure, then the ElGamal encryption scheme $\mc{E}_\rm{EG}$ is semantically secure.
>
> For any SS adversary $\mc{A}$ of $\mc{E}_\rm{EG}$, there exist a DDH adversary $\mc{B}$, and an SS adversary $\mc{C}$ for $\mc{E}_S$ such that
>
> $$
> \Adv[SS]{\mc{A}, \mc{E}_\rm{EG}} \leq 2 \cdot \Adv[DDH]{\mc{B}, G} + \Adv[SS]{\mc{C}, \mc{E}_S}.
> $$
*Proof Idea*. For any $m_0, m_1 \in G$ and random $\gamma \la \Z_q$,
$$
E_S(g^{\alpha\beta}, m_0) \approx_c E_S(g^{\gamma}, m_0) \approx_c E_S(g^\gamma, m_1) \approx_c E_S(g^{\alpha\beta}, m_1).
$$
The first two and last two ciphertexts are computationally indistinguishable since the DDH problem is hard. The second and third ciphertexts are also indistinguishable since $\mc{E}_S$ is semantically secure.
*Proof*. Full proof in Theorem 11.5.[^1]
Note that $\beta \la \Z_q$ must be chosen differently for each encrypted message. This is the randomness part of the encryption, since $pk = g^\alpha, sk =\alpha$ are fixed.
### Hashed ElGamal Encryption
**Hashed ElGamal encryption** scheme is a variant of the original ElGamal scheme, where we use a hash function $H : G \ra \mc{K}$, where $\mc{K}$ is the key space of $\mc{E}_S$.
The only difference is that we use $H(g^{\alpha\beta})$ as the key.[^2]
> 1. Alice chooses $sk = \alpha \la \Z_q$, computes $pk = g^\alpha$ and sends $pk$ to Bob.
> 2. Bob also chooses $\beta \la \Z_q$ and computes $h^\beta = g^{\alpha\beta}$**, and sets $k = H(g^{\alpha\beta})$.**
> 3. Bob sends $\big( g^\beta, E_S(k, m) \big)$ to Alice.
> 4. Alice computes $g^{\alpha\beta} = (g^\beta)^\alpha$ using $\alpha$, **computes $k = H(g^{\alpha\beta})$** and recovers $m$ by decrypting $E_S(k, m)$.
This is also semantically secure, under the random oracle model.
> **Theorem.** Let $H : G \ra \mc{K}$ be modeled as a random oracle. If the CDH assumption holds on $G$ and $\mc{E}_S$ is semantically secure, then the hashed ElGamal scheme $\mc{E}_\rm{HEG}$ is semantically secure.
*Proof Idea*. Given a ciphertext $\big( g^\beta, E_S(k, m) \big)$ with $k = H(g^{\alpha\beta})$, the adversary learns nothing about $k$ unless it constructs $g^{\alpha\beta}$. This is because we modeled $H$ as a random oracle. If the adversary learns about $k$, then this adversary breaks the CDH assumption for $G$. Thus, if CDH assumption holds for the adversary, $k$ is completely random, so the hashed ElGamal scheme is secure by the semantic security of $\mc{E}_S$.
*Proof*. Refer to Theorem 11.4.[^1]
Since the hashed ElGamal scheme is semantically secure, it is automatically CPA secure. But this is not CCA secure, and we need a stronger assumption.
### Interactive Computational Diffie-Hellman Problem (ICDH)
> **Definition.** Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. Let $\mc{A}$ be a given adversary.
>
> 1. The challenger chooses $\alpha, \beta \la \Z_q$ and sends $g^\alpha, g^\beta$ to the adversary.
> 2. The adversary makes a sequence of **DH-decision oracle queries** to the challenger.
> - Each query has the form $(v, w) \in G^2$, challenger replies with $1$ if $v^\alpha = w$, replies $0$ otherwise.
> 3. The adversary calculates and outputs some $w \in G$.
>
> We define the **advantage in solving the interactive computational Diffie-Hellman problem for $G$** as
>
> $$
> \Adv[ICDH]{\mc{A}, G} = \Pr[w = g^{\alpha\beta}].
> $$
>
> We say that the **interactive computational Diffie-Hellman (ICDH) assumption** holds for $G$ if for any efficient adversary $\mc{A}$, $\Adv[ICDH]{\mc{A}, G}$ is negligible.
This is also known as **gap-CDH**. Intuitively, it says that even if we have a DDH solver, CDH is still hard.
### CCA Security of Hashed ElGamal
> **Theorem.** If the gap-CDH assumption holds on $G$ and $\mc{E}_S$ provides AE and $H : G \ra \mc{K}$ is a random oracle, then the hashed ElGamal scheme is CCA secure.
*Proof*. See Theorem 12.4.[^1] (very long)
## The RSA Encryption
The RSA scheme was originally designed by Rivest, Shamir and Adleman in 1977.[^3] The RSA trapdoor permutation is used in many places such as SSL/TLS, both for encryption and digital signatures.
### Textbook RSA Encryption
The "textbook RSA" is done as follows.
- Key generation algorithm $G$ outputs $(pk, sk)$.
- Sample two large random primes $p, q$ and set $N = pq$.
- Choose $e \in \Z$ such that $\gcd(e, \phi(N)) = 1$, compute $d = e^{-1} \bmod{\phi(N)}$.
- Output $pk = (N, e)$, $sk = (N, d)$.
- Encryption $E(pk, m) = m^e \bmod N$.
- Decryption $D(sk, c) = c^d \bmod N$ .
Correctness holds by **Fermat's little theorem**. $ed = 1 \bmod \phi(N)$, so
$$
D(sk, (E(pk, m))) = m^{ed} = m^{1 + k(p-1)(q-1)} \bmod N.
$$
Since $m^{p-1} = 1 \bmod p$, $m^{ed} = m \bmod N$ (holds trivially if $p \mid m$). A similar argument holds for modulus $q$, so we have $m^{ed} = m \bmod N$.
### Attacks on Textbook RSA Encryption
But this scheme is not CPA secure, since it is deterministic and the ciphertext is malleable. For instance, one can choose two messages to be $1$ and $2$. Then the ciphertext is easily distinguishable.
Also, ciphertext is malleable by the **homomorphic property**. If $c_1 = m_1^e \bmod N$ and $c_2 = m_2^e \bmod N$, then set $c =c_1c_2 = (m_1m_2)^e \bmod N$, which is an encryption of $m_1m_2$.
#### Attack on KEM
Assume that the textbook RSA is used as KEM. Suppose that $k$ is $128$ bits, and the attacker sees $c = k^e \bmod N$. With high probability ($80\%$), $k = k_1 \cdot k_2$ for some $k_1, k_2 < 2^{64}$. Using the homomorphic property, $c = k_1^e k_2^e \bmod N$, so the following attack is possible.
1. Build a table of $c\cdot k_2^{-e}$ for $0 \leq k_2 < 2^{64}$.
2. For each $1 \leq k_1 < 2^{64}$, compute $k_1^e$ to check if it is in the table.
3. Output a match $(k_1, k_2)$.
The attack has complexity $\mc{O}(2^{n/2})$ where $n$ is the key length.
## Trapdoor Functions
Textbook RSA is not secure, but it is a **one-way trapdoor function**.
A **one-way function** is a function that is computationally hard to invert. But we sometimes need to invert the functions, so we need functions that have a **trapdoor**. A trapdoor is a secret door that allows efficient inversion, but without the trapdoor, the function must be still hard to invert.
> **Definition.** Let $\mc{X}$ and $\mc{Y}$ be finite sets. A **trapdoor function scheme** $\mc{T} = (G, F, I)$ defined over $(\mc{X}, \mc{Y})$ is a triple of algorithms.
>
> - $G$ is a probabilistic key generation algorithm that outputs $(pk, sk)$, where $pk$ is the public key and $sk$ is the secret key.
> - $F$ is a deterministic algorithm that outputs $y \la F(pk, x)$ for $x \in \mc{X}$.
> - $I$ is a deterministic algorithm that outputs $x \la I(sk, y)$ for $y \in \mc{Y}$.
The correctness property says that for any $(pk, sk) \la G()$ and $x \in \mc{X}$, $I(sk, F(pk, x)) = x$. So $sk$ is the trapdoor that inverts this function.
One-wayness is defined as a security game.
> **Definition.** Given a trapdoor function scheme $\mc{T} = (G, F, I)$ and an adversary $\mc{A}$, define a security game as follows.
>
> 1. The challenger computes $(pk, sk) \la G()$, $x \la \mc{X}$ and $y \la F(pk, x)$.
> 2. The challenger sends $pk$ and $y$ to the adversary.
> 3. The adversary computes and outputs $x' \in \mc{X}$.
>
> $\mc{A}$ wins if $\mc{A}$ inverts the function. The advantage is defined as
>
> $$
> \Adv[OW]{\mc{A}, \mc{T}} = \Pr[x = x'].
> $$
>
> If the advantage is negligible for any efficient adversary $\mc{A}$, then $\mc{T}$ is **one-way**.
A one-way trapdoor function is not an encryption. The algorithm is deterministic, so it is not CPA secure. Never encrypt with trapdoor functions.
### Textbook RSA as a Trapdoor Function
It is easy to see that the textbook RSA is a trapdoor function.
- Key generation algorithm $G$ chooses random primes $p, q$ and sets $N = pq$.
- Then chooses integer $e$ such that $\gcd(e, \phi(N)) = 1$.
- Set $d = e^{-1} \bmod \phi(N)$.
- Then $F(pk, x) = x^e \bmod N$, and $I(sk, y) = y^d \bmod N$.
- The correctness property holds by the above proof.
But is RSA a *secure* trapdoor function? Is it one-way?
- If $d$ is known, it is obviously not one-way.
- If $\phi(N)$ is known, it is not one-way.
- One can find $d = e^{-1} \bmod \phi(N)$.
- If $p$ and $q$ are known, it is not one-way.
- $\phi(N) = (p-1)(q-1)$.
Thus, if factoring is easy, RSA is not one-way. Thus if RSA is a secure trapdoor function, then factoring must be hard. How about the converse? We don't have a proof, but it seems reasonable to assume.
## The RSA Assumption
The RSA assumption says that the RSA problem is hard, which implies that RSA is a **one-way** trapdoor function.
### The RSA Problem
> **Definition.** Let $\mc{T}_\rm{RSA} = (G, F, I)$ the RSA trapdoor function scheme. Given an adversary $\mc{A}$,
>
> 1. The challenger chooses $(pk, sk) \la G()$ and $x \la \Z_N$.
> - $pk = (N, e)$, $sk = (N, d)$.
> 2. The challenger computes $y \la x^e \bmod N$ and sends $pk$ and $y$ to the adversary.
> 3. The adversary computes and outputs $x' \in \Z_N$.
>
> The adversary wins if $x = x'$. The advantage is defined as
>
> $$
> \rm{Adv}_{\rm{RSA}}[\mc{A}, \mc{T_\rm{RSA}}] = \Pr[x = x'].
> $$
>
> We say that the **RSA assumption** holds if the advantage is negligible for any efficient $\mc{A}$.
## RSA Public Key Encryption (ISO Standard)
- Let $(E_S, D_S)$ be a symmetric encryption scheme over $(\mc{K}, \mc{M}, \mc{C})$ that provides AE.
- Let $H : \Z_N^{\ast} \ra \mc{K}$ be a hash function.
The RSA public key encryption is done as follows.
- Key generation is the same.
- Encryption
1. Choose random $x \la \Z_N^{\ast}$ and let $y = x^e \bmod N$.
2. Compute $c \la E_S(H(x), m)$.
3. Output $c' = (y, c)$.
- Decryption
- Output $D_S(H(y^d), c)$.
This works because $x = y^d \bmod N$ and $H(y^d) = H(x)$. In short, this uses RSA trapdoor function as a **key exchange mechanism**, and the actual encryption is done by symmetric encryption.
It is known that with RSA assumption and $H$ modeled as a random oracle, this scheme is CPA secure.
### Optimizations for RSA
The computation time depends on the exponents $e, d$.
- To speed up RSA, choose a small public exponent $e$.
- $e = 65537 = 2^{16} + 1$ is often used, which only takes $17$ multiplications.
- But $d$ cannot be too small.
- RSA is insecure for $d < N^{0.25}$. (Wiener'87)
- RSA is insecure for $d < N^{0.292}$. (BD'98)
- Is RSA secure for $d < N^{0.5}$? (open problem)
- Often, encryption is fast, but decryption is slow.
- ElGamal takes approximately the same time for both.[^4]
## Attacks on RSA Implementation
- Timing Attack
- Time to compute $c^d \bmod N$ exposes $d$.
- More $1$'s in the binary representation of $d$ leads to more multiplications.
- Power Attack
- The power consumption of a smartcard during the computation of $c^d \bmod N$ exposes $d$.
- Faults Attack
- An error during computation exposes $d$.
- Poor Randomness
- Poor entropy at initialization, then same $p$ is generated for multiple devices.
- Collect modulus $N$ from many public keys, and their $\gcd$ will be $p$.
- *PRG must be properly seeded when generating keys.*
[^1]: A Graduate Course in Applied Cryptography.
[^2]: There is another variant that uses $H : G^2 \ra \mc{K}$ and sets $H(g^\beta, g^{\alpha\beta})$ as the key. This one is also semantically secure, and gives further security properties than the one in the text.
[^3]: This was one year before ElGamal.
[^4]: Discrete logarithms have the same complexity for average case and worst case, but this is not the case for RSA. (Source?)
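Review bot: this 457-line hunk is a pure deletion with no matching addition anywhere in the diff, so the re-published "9. Public Key Encryption.md" named in the commit message cannot be checked here, and two things in the removed text need to survive the move. The body cross-links `../2023-09-19-symmetric-key-encryption/#cpa-security`, `../2023-09-26-cca-security-authenticated-encryption/#cca-security` and `../2023-09-26-cca-security-authenticated-encryption/#authenticated-encryption-ae` point at posts this same commit deletes, so they will break unless the new note rewrites them to the new slugs; likewise the front matter `github_title: 2023-10-19-public-key-encryption`, the root-absolute `image.path`, and the `![mc-09-ss-pke.png](/assets/img/...)` link are exactly the forms the other hunks in this commit replace with a `path:` key and `../../../assets/...` links, so the new file should get the same treatment. Worth correcting on re-publish as well: the hybrid-argument explanation reads "receives encryptions of $m_{i, 1}$ for the rest of the queries", which contradicts the hybrid definition just above it (queries after the first $j - 1$ are answered with encryptions of $m_{i, 0}$).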

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- security - security
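Review bot: `path` is a reserved Jekyll page variable (`page.path`, the source file path, which Jekyll documents as overridable from front matter), so the added line replaces it with a directory, `_posts/lecture-notes/modern-cryptography`, that has no filename and uses lowercase hyphenated segments while the commit message shows the sources under `_posts/Lecture Notes/Modern Cryptography/`. Any layout or "edit this page" link built from `page.path` will now point at a nonexistent location. If the intent is only to record where the note is published from, use a custom, non-reserved key (any name not in Jekyll's page variables) or set the real source path.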

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography
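Review bot: the same one-line `path:` addition is being applied file by file across this commit; a Jekyll front matter default (`defaults:` in `_config.yml` with a `scope` whose `path` matches the posts directory) would set the key once and keep the 18 files from drifting the next time the directory is renamed. If it stays per file, put it with the other site keys (`share`, `toc`, `math`) rather than splitting `categories:` from `tags:`.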
@@ -118,7 +119,7 @@ This is a matter of *collisions* of $f(x_i)$, so we use the facts from the birth
A **block cipher** is actually a different name for PRPs. Since a PRP $E$ is a keyed function, applying $E(k, x)$ is in fact encryption, and applying its inverse is decryption. A **block cipher** is actually a different name for PRPs. Since a PRP $E$ is a keyed function, applying $E(k, x)$ is in fact encryption, and applying its inverse is decryption.
![mc-02-block-cipher.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-block-cipher.png) ![mc-02-block-cipher.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-block-cipher.png)
Block ciphers commonly have the following form. Block ciphers commonly have the following form.
- A key $k$ is chosen uniformly from $\left\lbrace 0, 1 \right\rbrace^s$. - A key $k$ is chosen uniformly from $\left\lbrace 0, 1 \right\rbrace^s$.
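Review bot: switching the image from the root-absolute `/assets/img/posts/...` to `../../../assets/img/posts/...` ties the link to the depth of the rendered URL rather than the source file. The relative form resolves from `_posts/lecture-notes/modern-cryptography/<file>.md` in a raw Markdown viewer, but Jekyll emits the post at whatever `permalink` the site configures and does not rewrite relative image paths, so the same `../../../` can walk above the site root or into the wrong directory on the published page. If editor preview is the goal, keep the absolute path for the site (or prefix it with `{{ site.baseurl }}`) and let the preview tool handle resolution; this change is repeated for every image hunk in this file, so whichever form is chosen should be applied consistently.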
@@ -140,7 +141,7 @@ Block ciphers commonly have the following form.
Since block ciphers are PRPs, we have to build an invertible function. Suppose we are given **any** functions $F_1, \dots, F_d : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$. Can we build an **invertible** function $F : \left\lbrace 0, 1 \right\rbrace^{2n} \rightarrow \left\lbrace 0, 1 \right\rbrace^{2n}$? Since block ciphers are PRPs, we have to build an invertible function. Suppose we are given **any** functions $F_1, \dots, F_d : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$. Can we build an **invertible** function $F : \left\lbrace 0, 1 \right\rbrace^{2n} \rightarrow \left\lbrace 0, 1 \right\rbrace^{2n}$?
![mc-02-feistel-network.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-feistel-network.png) ![mc-02-feistel-network.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-feistel-network.png)
It turns out the answer is yes. Given an $2n$-bit long input, $L_0$ and $R_0$ denote the left and right halves ($n$ bits) of the input, respectively. Define It turns out the answer is yes. Given an $2n$-bit long input, $L_0$ and $R_0$ denote the left and right halves ($n$ bits) of the input, respectively. Define
@@ -160,7 +161,7 @@ Note that we did not require $F_i$ to be invertible. We can build invertible fun
In DES, the function $F_i$ is the DES round function. In DES, the function $F_i$ is the DES round function.
![mc-02-des-round.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-des-round.png) ![mc-02-des-round.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-des-round.png)
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using $E$. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a permutation $P$ at the end, resulting in $32$ bit data. The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using $E$. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a permutation $P$ at the end, resulting in $32$ bit data.
@@ -168,7 +169,7 @@ The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunk
DES uses $56$ bit keys that generate $16$ rounds keys. The diagram below shows that DES has 16-round Feistel networks. DES uses $56$ bit keys that generate $16$ rounds keys. The diagram below shows that DES has 16-round Feistel networks.
![mc-02-DES.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-DES.png) ![mc-02-DES.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-DES.png)
The input goes through initial/final permutation, which are inverses of each other. These have no cryptographic significance, and just for engineering. The input goes through initial/final permutation, which are inverses of each other. These have no cryptographic significance, and just for engineering.
@@ -176,7 +177,7 @@ The input goes through initial/final permutation, which are inverses of each oth
DES is not secure, since key space and block length is too small. Thankfully, we have a replacement called the **advanced encryption standard** (AES). DES is not secure, since key space and block length is too small. Thankfully, we have a replacement called the **advanced encryption standard** (AES).
![mc-02-aes-128.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-aes-128.png) ![mc-02-aes-128.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-aes-128.png)
- DES key only had $56$ bits, so DES was broken in the 1990s - DES key only had $56$ bits, so DES was broken in the 1990s
- NIST standardized AES in 2001, based on Rijndael cipher - NIST standardized AES in 2001, based on Rijndael cipher
@@ -254,7 +255,7 @@ Then the key space has increased (exponentially). As for 2DES, the key space is
Unfortunately, 2DES is only secure as DES, with the attack strategy called **meet in the middle**. The idea is that if $c = E(k_1, E(k_2, m))$, then $D(k_1, c) = E(k_2, m)$. Unfortunately, 2DES is only secure as DES, with the attack strategy called **meet in the middle**. The idea is that if $c = E(k_1, E(k_2, m))$, then $D(k_1, c) = E(k_2, m)$.
![mc-02-2des-mitm.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-2des-mitm.png) ![mc-02-2des-mitm.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-2des-mitm.png)
Since we have the plaintext and the ciphertext, we first build a table of $(k, E(k_2, m))$ over $k_2 \in \mathcal{K}$ and sort by $E(k_2, m)$. Next, we check if $D(k_1, c)$ is in the table for all $k_1 \in \mathcal{K}$. Since we have the plaintext and the ciphertext, we first build a table of $(k, E(k_2, m))$ over $k_2 \in \mathcal{K}$ and sort by $E(k_2, m)$. Next, we check if $D(k_1, c)$ is in the table for all $k_1 \in \mathcal{K}$.
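Review bot: two slips in this hunk's context lines are worth fixing while the paragraph's figure is being touched: "2DES is only secure as DES" should read "only as secure as DES", and the table should store `(k_2, E(k_2, m))` rather than `(k, E(k_2, m))`, since the stored key is what identifies the matching `k_2` once some `D(k_1, c)` hits an entry.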

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography
@@ -127,11 +128,11 @@ We learned how to encrypt a single block. How do we encrypt longer messages with
There are many ways of processing multiple blocks, this is called the **mode of operation**. There are many ways of processing multiple blocks, this is called the **mode of operation**.
Additional explanation available in [Modes of Operations (Internet Security)](../../internet-security/2023-09-18-symmetric-key-cryptography-2#modes-of-operations). Additional explanation available in [Modes of Operations (Internet Security)](../../Lecture%20Notes/Internet%20Security/2023-09-18-symmetric-key-cryptography-2.md#modes-of-operations).
### Electronic Codebook Mode (ECB) ### Electronic Codebook Mode (ECB)
![is-03-ecb-encryption.png](/assets/img/posts/is-03-ecb-encryption.png) ![is-03-ecb-encryption.png](../../../assets/img/posts/is-03-ecb-encryption.png)
- ECB mode encrypts each block with the same key. - ECB mode encrypts each block with the same key.
- Blocks are independent of each other. - Blocks are independent of each other.
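Review bot: the rewritten link now targets the source file (`../../Lecture%20Notes/Internet%20Security/2023-09-18-symmetric-key-cryptography-2.md#modes-of-operations`), with a `.md` extension and a directory containing spaces, instead of the published URL `../../internet-security/2023-09-18-symmetric-key-cryptography-2#modes-of-operations`. Jekyll does not serve `.md` files, so unless the publisher converts these links the rendered page will 404; the same holds for every `./<post>.md#anchor` link changed below. Separately, the context line "There are many ways of processing multiple blocks, this is called the **mode of operation**" joins two sentences with a comma; a semicolon or "and this is called" fixes it.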
@@ -139,7 +140,7 @@ Additional explanation available in [Modes of Operations (Internet Security)](..
### Ciphertext Block Chain Mode (CBC) ### Ciphertext Block Chain Mode (CBC)
![is-03-cbc-encryption.png](/assets/img/posts/is-03-cbc-encryption.png) ![is-03-cbc-encryption.png](../../../assets/img/posts/is-03-cbc-encryption.png)
Let $X = \left\lbrace 0, 1 \right\rbrace^n$ and $E : \mathcal{K} \times X \rightarrow X$ be a **PRP**. Let $X = \left\lbrace 0, 1 \right\rbrace^n$ and $E : \mathcal{K} \times X \rightarrow X$ be a **PRP**.
@@ -190,7 +191,7 @@ Note that if $k_1$ is the same as the key used for encrypting messages, then thi
### Counter Mode (CTR) ### Counter Mode (CTR)
![is-03-ctr-encryption.png](/assets/img/posts/is-03-ctr-encryption.png) ![is-03-ctr-encryption.png](../../../assets/img/posts/is-03-ctr-encryption.png)
Let $F : \mathcal{K} \times X \rightarrow X$ be a secure **PRF**. Let $F : \mathcal{K} \times X \rightarrow X$ be a secure **PRF**.

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography
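Review bot: the new `path: _posts/lecture-notes/modern-cryptography` uses lowercase, hyphenated directory names, while the image URLs in this same file (`.../Lecture%20Notes/Modern%20Cryptography/mc-04-mac.png` in the next hunk) and the `folder: assets/img/posts/Lecture Notes/Modern Cryptography` attachment setting in the signatures file use capitalized names with spaces. On a case-sensitive host these are different paths, so settle on one convention, and if `path` is meant to be the post's output location rather than its source directory, say so in the commit message, since the front matter gives no hint which it is.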
@@ -26,7 +27,7 @@ On the other hand, MAC fixes data that is tampered in purpose. We will also requ
## Message Authentication Code ## Message Authentication Code
![mc-04-mac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac.png) ![mc-04-mac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac.png)
> **Definition.** A **MAC** system $\Pi = (S, V)$ defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$ is a pair of efficient algorithms $S$ and $V$ where $S$ is a **signing algorithm** and $V$ is a **verification algorithm**. > **Definition.** A **MAC** system $\Pi = (S, V)$ defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$ is a pair of efficient algorithms $S$ and $V$ where $S$ is a **signing algorithm** and $V$ is a **verification algorithm**.
> >
@@ -58,7 +59,7 @@ In the security definition of MACs, we allow the attacker to request tags for ar
For strong MACs, the attacker only has to change the tag for the attack to succeed. For strong MACs, the attacker only has to change the tag for the attack to succeed.
![mc-04-mac-security.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac-security.png) ![mc-04-mac-security.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac-security.png)
> **Definition.** Let $\Pi = (S, V)$ be a MAC system defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$. Given an adversary $\mathcal{A}$, the security game goes as follows. > **Definition.** Let $\Pi = (S, V)$ be a MAC system defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
> >
@@ -123,7 +124,7 @@ The above construction uses a PRF, so it is restricted to messages of fixed size
### CBC-MAC ### CBC-MAC
![mc-04-cbc-mac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-cbc-mac.png) ![mc-04-cbc-mac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-cbc-mac.png)
> **Definition.** For any message $m = (m_0, m_1, \dots, m_{l-1}) \in \left\lbrace 0, 1 \right\rbrace^{nl}$, let $F_k := F(k, \cdot)$. > **Definition.** For any message $m = (m_0, m_1, \dots, m_{l-1}) \in \left\lbrace 0, 1 \right\rbrace^{nl}$, let $F_k := F(k, \cdot)$.
> >
@@ -211,7 +212,7 @@ Since CBC-MAC is vulnerable to extension attacks, we encrypt the last block agai
ECBC-MAC doesn't require us to know the message length in advance, but it is relatively expensive in practice, since a block cipher has to be initialized with a new key. ECBC-MAC doesn't require us to know the message length in advance, but it is relatively expensive in practice, since a block cipher has to be initialized with a new key.
![mc-04-ecbc-mac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-ecbc-mac.png) ![mc-04-ecbc-mac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-ecbc-mac.png)
> **Theorem.** Let $F : \mathcal{K} \times X \rightarrow X$ be a secure PRF. Then for any $l \geq 0$, $F_\mathrm{ECBC} : \mathcal{K}^2 \times X^{\leq l} \rightarrow X$ is a secure PRF. > **Theorem.** Let $F : \mathcal{K} \times X \rightarrow X$ be a secure PRF. Then for any $l \geq 0$, $F_\mathrm{ECBC} : \mathcal{K}^2 \times X^{\leq l} \rightarrow X$ is a secure PRF.
> >

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography
@@ -53,7 +54,7 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
None of the encryption schemes already seen thus far is CCA secure. None of the encryption schemes already seen thus far is CCA secure.
Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$. Recall a [CPA secure construction from PRF](./2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure. In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure.
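Review bot: the CCA counterexample in this hunk's context lines should state that the decryption query `c' = (r, s')` must use an `s'` different from the challenge's second component, because the CCA game refuses to decrypt `c^*` itself; with that one condition the argument is complete, since any other `s'` works. Also "None of the encryption schemes already seen thus far" is redundant: "seen so far" suffices. The link rewrite to `./2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf` carries the same `.md` caveat as the other link changes.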
@@ -83,7 +84,7 @@ The attacker shouldn't be able to create a new ciphertext that decrypts properly
In this case, we fix the decryption algorithm so that $D : \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M} \cup \left\lbrace \bot \right\rbrace$, where $\bot$ means that the ciphertext was rejected. In this case, we fix the decryption algorithm so that $D : \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M} \cup \left\lbrace \bot \right\rbrace$, where $\bot$ means that the ciphertext was rejected.
![mc-05-ci.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-ci.png) ![mc-05-ci.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-ci.png)
> **Definition.** Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Given an adversary $\mathcal{A}$, the security game goes as follows. > **Definition.** Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
> >
@@ -138,7 +139,7 @@ Most natural constructions of CCA secure schemes satisfy AE, so we don't need to
We want to combine CPA secure scheme and strongly secure MAC to get AE. Rather than focusing on the internal structure of the scheme, we want a general method to compose these two secure schemes so that we can get a AE secure scheme. We will see 3 examples. We want to combine CPA secure scheme and strongly secure MAC to get AE. Rather than focusing on the internal structure of the scheme, we want a general method to compose these two secure schemes so that we can get a AE secure scheme. We will see 3 examples.
![mc-05-etm-mte.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-etm-mte.png) ![mc-05-etm-mte.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-etm-mte.png)
### Encrypt-and-MAC (E&M) ### Encrypt-and-MAC (E&M)
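Review bot: article in the context line of this hunk: "so that we can get a AE secure scheme" should be "an AE secure scheme", and "CPA secure scheme and strongly secure MAC" wants articles too ("a CPA secure scheme and a strongly secure MAC").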

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography
@@ -106,7 +107,7 @@ Now we want to construct collision resistant hash functions that work for arbitr
The Merkle-Damgård transform gives as a way to extend our input domain of the hash function by iterating the function. The Merkle-Damgård transform gives as a way to extend our input domain of the hash function by iterating the function.
![mc-06-merkle-damgard.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-merkle-damgard.png) ![mc-06-merkle-damgard.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-merkle-damgard.png)
> **Definition.** Let $h : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^l \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ be a hash function. The **Merkle-Damgård function derived from $h$** is a function $H$ that works as follows. > **Definition.** Let $h : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^l \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ be a hash function. The **Merkle-Damgård function derived from $h$** is a function $H$ that works as follows.
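Review bot: typo in the unchanged context of this hunk: "The Merkle-Damgård transform gives as a way" should be "gives us a way".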
> >
@@ -149,9 +150,9 @@ See Joux's attack.[^2]
Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives. Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives.
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange#collision-resistance-based-on-dl-problem). Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](./2023-10-03-key-exchange.md#collision-resistance-based-on-dl-problem).
![mc-06-davies-meyer.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-davies-meyer.png) ![mc-06-davies-meyer.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-davies-meyer.png)
> **Definition.** Let $\mathcal{E} = (E, D)$ be a block cipher over $(\mathcal{K}, X, X)$ where $X = \left\lbrace 0, 1 \right\rbrace^n$. The **Davies-Meyer compression function derived from $E$** maps inputs in $X \times \mathcal{K}$ to outputs in $X$, defined as follows. > **Definition.** Let $\mathcal{E} = (E, D)$ be a block cipher over $(\mathcal{K}, X, X)$ where $X = \left\lbrace 0, 1 \right\rbrace^n$. The **Davies-Meyer compression function derived from $E$** maps inputs in $X \times \mathcal{K}$ to outputs in $X$, defined as follows.
> >
@@ -194,7 +195,7 @@ We needed a complicated construction for MACs that work on long messages. We mig
Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$. Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$.
Recall that [we can construct a MAC scheme from a PRF](../2023-09-21-macs#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme. Recall that [we can construct a MAC scheme from a PRF](./2023-09-21-macs.md#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
#### Prepending the Key #### Prepending the Key
@@ -214,9 +215,9 @@ Define $S((k_1,k_2), m) = H(k_2 \parallel H(k_1 \parallel m))$. This can also be
This can be thought of as blocking the length extension attack from prepending the key method. This can be thought of as blocking the length extension attack from prepending the key method.
### HMAC ### HMAC Definition
![mc-06-hmac.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-hmac.png) ![mc-06-hmac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-hmac.png)
This is a variant of the two-key nest, but the difference is that the keys $k_1', k_2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set This is a variant of the two-key nest, but the difference is that the keys $k_1', k_2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set
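Review bot: renaming the heading from `### HMAC` to `### HMAC Definition` changes the generated anchor from `#hmac` to `#hmac-definition`, so any existing cross-reference to `#hmac` in the other notes breaks; grep for it before merging. The sibling heading in the previous hunk (`#### Prepending the Key`) names the construction without a "Definition" suffix, so the new title is also the odd one out; if the rename is meant to avoid an anchor collision with another "HMAC" heading in the file, note that in the commit message.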

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography
@@ -74,7 +75,7 @@ $$
We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this. We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
![mc-07-dhke.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke.png) ![mc-07-dhke.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke.png)
> 1. Alice chooses $\alpha \leftarrow \mathbb{Z}_q$ and computes $g^\alpha$. > 1. Alice chooses $\alpha \leftarrow \mathbb{Z}_q$ and computes $g^\alpha$.
> 2. Bob chooses $\beta \leftarrow \mathbb{Z}_q$ and computes $g^\beta$. > 2. Bob chooses $\beta \leftarrow \mathbb{Z}_q$ and computes $g^\beta$.
@@ -189,7 +190,7 @@ Taking $\mathcal{O}(N)$ steps is impractical in the real world, due to many comm
We assumed that the adversary only eavesdrops, but if the adversary carries out active attacks, then DHKE is not enough. The major problem is the lack of **authentication**. Alice and Bob are exchanging keys, but they both cannot be sure that there are in fact communicating with the other. An attacker can intercept messages and impersonate Alice or Bob. This attack is called a **man in the middle attack**, and this attack works on any key exchange protocol that lacks authentication. We assumed that the adversary only eavesdrops, but if the adversary carries out active attacks, then DHKE is not enough. The major problem is the lack of **authentication**. Alice and Bob are exchanging keys, but they both cannot be sure that there are in fact communicating with the other. An attacker can intercept messages and impersonate Alice or Bob. This attack is called a **man in the middle attack**, and this attack works on any key exchange protocol that lacks authentication.
![mc-07-dhke-mitm.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke-mitm.png) ![mc-07-dhke-mitm.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke-mitm.png)
The adversary will impersonate Bob when communicating with Alice, and will do the same for Bob by pretending to be Alice. The values of $\alpha, \beta$ that Alice and Bob chose are not leaked, but the adversary can decrypt anything in the middle and obtain the plaintext. The adversary will impersonate Bob when communicating with Alice, and will do the same for Bob by pretending to be Alice. The values of $\alpha, \beta$ that Alice and Bob chose are not leaked, but the adversary can decrypt anything in the middle and obtain the plaintext.
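Review bot: grammar in the context lines of this hunk: "they both cannot be sure that there are in fact communicating with the other" should read "that they are in fact communicating with the other". Since this paragraph names the missing ingredient (authentication), it would help the reader to point from here to where the notes supply it, the digital certificates and PKI link in the signatures file touched by this same commit.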
@@ -211,7 +212,7 @@ Before Diffie-Hellman, Merkle proposed an idea for secure key exchange protocol
The idea was to use *puzzles*, which are problems that can be solved with some effort. The idea was to use *puzzles*, which are problems that can be solved with some effort.
![mc-07-merkle-puzzles.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-merkle-puzzles.png) ![mc-07-merkle-puzzles.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-merkle-puzzles.png)
> Let $\mathcal{E} = (E, D)$ be a block cipher defined over $(\mathcal{K}, \mathcal{M})$. > Let $\mathcal{E} = (E, D)$ be a block cipher defined over $(\mathcal{K}, \mathcal{M})$.
> 1. Alice chooses random pairs $(k_i, s_i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$. > 1. Alice chooses random pairs $(k_i, s_i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$.

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography
@@ -15,7 +16,6 @@ date: 2023-10-05
github_title: 2023-10-05-number-theory github_title: 2023-10-05-number-theory
--- ---
## Background ## Background
### Number Theory ### Number Theory
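Review bot: the hunk header `@@ -15,7 +16,6 @@` shows one line removed between `---` and `## Background`, but the side-by-side render does not show which line it was; confirm it is only the blank line after the front matter, since the YAML block must still be closed by `---` on its own line and removing anything else here would alter the post body. The same check applies to the `-18,7 +19,6`, `-14,7 +15,6` and `-18,7 +19,6` hunks in the signatures, advanced topics and zero-knowledge files below.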

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography
@@ -18,7 +19,6 @@ attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography folder: assets/img/posts/Lecture Notes/Modern Cryptography
--- ---
## Digital Signatures ## Digital Signatures
> **Definition.** A **signature scheme** $\mc{S} = (G, S, V)$ is a triple of efficient algorithms, where $G$ is a **key generation** algorithm, $S$ is a **signing** algorithm, and $V$ is a **verification** algorithm. > **Definition.** A **signature scheme** $\mc{S} = (G, S, V)$ is a triple of efficient algorithms, where $G$ is a **key generation** algorithm, $S$ is a **signing** algorithm, and $V$ is a **verification** algorithm.
@@ -55,9 +55,9 @@ $$
## Secure Digital Signatures ## Secure Digital Signatures
The definition is similar to the [secure MAC](../2023-09-21-macs/#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**. The definition is similar to the [secure MAC](./2023-09-21-macs.md#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**.
![mc-10-dsig-security.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-dsig-security.png) ![mc-10-dsig-security.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-dsig-security.png)
> **Definition.** Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$. Given an adversary $\mc{A}$, the game goes as follows. > **Definition.** Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$. Given an adversary $\mc{A}$, the game goes as follows.
> >
@@ -97,7 +97,7 @@ Any signature scheme can be made strongly binding by appending a collision resis
## Extending the Message Space ## Extending the Message Space
We can extend the message space of a secure digital signature scheme, [as we did for MACs](../2023-09-28-hash-functions/#mac-domain-extension). Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$ and let $H : \mc{M}' \ra \mc{M}$ be a hash function with $\left\lvert \mc{M}' \right\lvert \geq \left\lvert \mc{M} \right\lvert$. We can extend the message space of a secure digital signature scheme, [as we did for MACs](./2023-09-28-hash-functions.md#mac-domain-extension). Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$ and let $H : \mc{M}' \ra \mc{M}$ be a hash function with $\left\lvert \mc{M}' \right\lvert \geq \left\lvert \mc{M} \right\lvert$.
Define a new signature scheme $\mc{S}' = (G, S', V')$ over $(\mc{M}', \Sigma)$ as Define a new signature scheme $\mc{S}' = (G, S', V')$ over $(\mc{M}', \Sigma)$ as
@@ -184,7 +184,7 @@ This scheme is originally from the **Schnorr identification protocol**.
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. We consider an interaction between two parties, prover $P$ and a verifier $V$. The prover has a secret $\alpha \in \Z_q$ and the verification key is $u = g^\alpha$. **$P$ wants to convince $V$ that he knows $\alpha$, but does not want to reveal $\alpha$**. Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. We consider an interaction between two parties, prover $P$ and a verifier $V$. The prover has a secret $\alpha \in \Z_q$ and the verification key is $u = g^\alpha$. **$P$ wants to convince $V$ that he knows $\alpha$, but does not want to reveal $\alpha$**.
![mc-10-schnorr-identification.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png) ![mc-10-schnorr-identification.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png)
The protocol $\mc{I}_\rm{sch} = (G, P, V)$ works as follows. The protocol $\mc{I}_\rm{sch} = (G, P, V)$ works as follows.
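Review bot: `\mc{I}_\rm{sch}` in the context line uses `\rm` as though it took an argument; `\rm` is a font switch, not a macro with an argument, and placed directly as a subscript it renders unreliably in MathJax/KaTeX. Use `\mc{I}_\mathrm{sch}`, matching `F_\mathrm{ECBC}` in the MAC note.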
@@ -206,7 +206,7 @@ We must check a few things.
- We can repeat this many times then the probability of reject is $1 - \frac{1}{q^n} \ra 1$. - We can repeat this many times then the probability of reject is $1 - \frac{1}{q^n} \ra 1$.
- Thus $q$ (the size of the challenge space) must be large. - Thus $q$ (the size of the challenge space) must be large.
- **Zero-knowledge**: $V$ learns no information about $x$ from the conversation. - **Zero-knowledge**: $V$ learns no information about $x$ from the conversation.
- This will be revisited later. See [here](../2023-11-07-sigma-protocols/#the-schnorr-identification-protocol-revisited). - This will be revisited later. See [here](./2023-11-07-sigma-protocols.md#the-schnorr-identification-protocol-revisited).
> **Theorem.** The Schnorr identification protocol is secure if the DL problem is hard, and the challenge space $\mc{C}$ is large. > **Theorem.** The Schnorr identification protocol is secure if the DL problem is hard, and the challenge space $\mc{C}$ is large.
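Review bot: the zero-knowledge bullet in this hunk's context says `V` learns no information about `$x$`, but the prover's secret is named `$\alpha$` two hunks earlier ("The prover has a secret $\alpha \in \Z_q$"); use one symbol throughout. The first bullet also needs a connective: "If we repeat this $n$ times, the probability of rejection is $1 - \frac{1}{q^n} \ra 1$."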
@@ -239,7 +239,7 @@ Schnorr's scheme was protected by a patent, so NIST opted for a ad-hoc signature
How would you trust public keys? We introduce **digital certificates** for this. How would you trust public keys? We introduce **digital certificates** for this.
Read in [public key infrastructure (Internet Security)](../../internet-security/2023-10-16-pki). Read in [public key infrastructure (Internet Security)](../../Lecture%20Notes/Internet%20Security/2023-10-16-pki.md).
[^1]: A Graduate Course in Applied Cryptography [^1]: A Graduate Course in Applied Cryptography
[^2]: By using the [Fiat-Shamir transform](../2023-11-07-sigma-protocols/#the-fiat-shamir-transform). [^2]: By using the [Fiat-Shamir transform](./2023-11-07-sigma-protocols.md#the-fiat-shamir-transform).

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography
@@ -14,7 +15,6 @@ date: 2023-10-31
github_title: 2023-10-31-advanced-topics github_title: 2023-10-31-advanced-topics
--- ---
## Ciphertext Indistinguishability ## Ciphertext Indistinguishability
- By **Shafi Goldwasser** and **Silvio Micali** - By **Shafi Goldwasser** and **Silvio Micali**

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography
@@ -18,7 +19,6 @@ attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography folder: assets/img/posts/Lecture Notes/Modern Cryptography
--- ---
- In 1980s, the notion of *zero knowledge* was proposed by Shafi Goldwasser, Silvio micali and Charles Rackoff. - In 1980s, the notion of *zero knowledge* was proposed by Shafi Goldwasser, Silvio micali and Charles Rackoff.
- **Interactive proof systems**: a **prover** tries to convince the **verifier** that some statement is true, by exchanging messages. - **Interactive proof systems**: a **prover** tries to convince the **verifier** that some statement is true, by exchanging messages.
- What if the prover is trying to trick the verifier? - What if the prover is trying to trick the verifier?
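Review bot: capitalization and article in the context lines of this hunk: "Silvio micali" should be "Silvio Micali" (it is capitalized correctly in the advanced topics file above, `**Silvio Micali**`), and "In 1980s" should be "In the 1980s".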
@@ -28,7 +28,7 @@ attachment:
## Identification Protocol ## Identification Protocol
![mc-12-id-protocol.png](/assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-12-id-protocol.png) ![mc-12-id-protocol.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-12-id-protocol.png)
> **Definition.** An **identification protocol** is a triple of algorithms $\mc{I} = (G, P, V)$ satisfying the following. > **Definition.** An **identification protocol** is a triple of algorithms $\mc{I} = (G, P, V)$ satisfying the following.
> >

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography

View File

@@ -5,6 +5,7 @@ math: true
categories: categories:
- Lecture Notes - Lecture Notes
- Modern Cryptography - Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags: tags:
- lecture-note - lecture-note
- cryptography - cryptography