







CS 120/CSCI E-177: Introduction to Cryptography
Salil Vadhan and Alon Rosen Nov. 16, 2006
Recommended Reading.
Public-key encryption is expensive; e.g. plain RSA is about 1000× slower than DES in hardware and 100× slower in software (for a 512-bit modulus). It is mainly used to exchange a session key for a private-key encryption scheme: hybrid encryption (see Katz and Lindell 9.4).
Plain RSA: insecure.
Padding a 1-bit message with random bits: provably secure.
Padding longer messages with random bits (PKCS #1 v1.5 RSA): unproven but conjectured to be secure. Use an 88-bit random pad for 512-bit messages.
More sophisticated padding using cryptographic hash functions (PKCS #1 v2, OAEP): G is a PRG and H is a hash function. The encryption of m using a random pad R is ((m ⊕ G(R)) || (R ⊕ H(m ⊕ G(R))))^e mod N. This can be proven secure (even against chosen-ciphertext attack) in the Random Oracle Model, which models the hash function as a random function; since a real hash function is not one, this is only a heuristic argument.
Encryption exponent 3: (change the RSA assumption accordingly.)
Diffie-Hellman Key Exchange
∗ Standardized in ANSI X9.
∗ Widely used in protocols to establish temporary keys for network communication, including SSH, HTTPS (SSL), and others.
ElGamal
∗ No patent restrictions (RSA was patented)
∗ Used in free products, e.g. GNU Privacy Guard, PGP
∗ Used in threshold crypto applications requiring distributed key generation (we may cover this later)
Cramer-Shoup Encryption
∗ Standardized in ISO 18033-
∗ Similar in spirit to ElGamal
∗ Requires a collision-resistant cryptographic hash function, to be discussed later in the course
∗ Uses extra math (ciphertexts and keys are longer) to achieve security under CCA (1998: the first practical algorithm to do so based on a standard complexity assumption; the earlier Dolev-Dwork-Naor construction using trapdoor permutations requires random oracles.)
Informally, an encryption scheme is malleable if, given a ciphertext c that is an encryption of a plaintext m (and the public key), one can efficiently generate a ciphertext c′ that is an encryption of a transformation of m, that is, c′ ∈ E(f(m)). (We recall that in a probabilistic encryption scheme a message may have many valid encryptions.) In particular this can be done without any knowledge of m or the secret key. Thus it does not contradict the encryption scheme being secure in the sense of having indistinguishable encryptions. Nevertheless, in some applications malleability is a weakness. For example, in the context of a sealed-bid auction, an adversary observing another bid encrypted with a malleable algorithm could construct a more competitive bid without breaking the scheme or learning anything about the other bid. Many of the public-key encryption schemes we have seen are trivially malleable:
ElGamal: The encryption of m is (c₁, c₂) = (g^y, m · h^y), with the group G, g ∈ G and h public and y random. To transform a ciphertext encrypting m into an encryption of f(m) = 2m, calculate (c′₁, c′₂) = (c₁, 2 · c₂).
RSA, Rabin: Semantically secure encryption uses the hardcore bits of a randomly selected trapdoor permutation f_k with trapdoor t; pk = k, sk = t. Encryption chooses x ←_R D_k and outputs c = (f_k(x), b_k(x) ⊕ m) using the hardcore bits b_k(x). How is this malleable?
Plain RSA, Rabin: These are sometimes used directly in practice, but they are not semantically secure. Encryption is c = m^e mod n, with n = p · q; n is public and p, q secret. (Rabin encryption is not equivalent to RSA with public exponent 2, but this attack applies to Rabin encryption: set e = 2.) To transform a ciphertext encrypting m into an encryption of f(m) = 3m, calculate c′ = 3^e · c mod n ≡ (3 · m)^e mod n.
It is no coincidence that ElGamal, RSA and Rabin encryption are all insecure under chosen ciphertext attack: any malleable encryption scheme allows an adversary to succeed in a chosen ciphertext attack by applying the transformation to the challenge c = E(m). In one informal setting, the adversary computes c′ = f′(c) = E(f(m)), queries the decryption oracle on c′ to recover f(m), then finally inverts f(m) to recover m.
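The two transformations above (ElGamal's (c₁, k · c₂) and plain RSA's k^e · c) and the hash-based random padding from the reading notes, worked through as an added example. This is not the lecture's code; the parameters (two Mersenne primes for the RSA modulus, p = 467 and g = 2 for ElGamal, SHA-256 with distinct prefixes standing in for G and H, and 5-byte halves) are constructed for the demonstration and are far too small to be secure. The last function shows why the padding matters to a defender: the multiplicative transformation still maps a ciphertext of the padded block x to a ciphertext of 3x, but 3x is not a valid padding of any related message, so the decryptor either rejects it or recovers bytes unrelated to m.

```python
import hashlib
import secrets

# ---- Constructed toy parameters (tiny; for illustration only) ---------------
# Plain RSA with n = p*q built from two Mersenne primes, so n has about 92 bits
# and the 80-bit padded block used below fits under the modulus.
P_RSA, Q_RSA = 2**61 - 1, 2**31 - 1
N_RSA = P_RSA * Q_RSA
E_RSA = 65537
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))

# ElGamal over the subgroup of Z_p^* generated by g; x is the secret key, h = g^x.
P_EL, G_EL, X_EL = 467, 2, 127
H_EL = pow(G_EL, X_EL, P_EL)


def rsa_encrypt(m):
    return pow(m, E_RSA, N_RSA)


def rsa_decrypt(c):
    return pow(c, D_RSA, N_RSA)


def rsa_malleate(c, k):
    """The lecture's transformation: k^e * c mod n is an encryption of k*m."""
    return (pow(k, E_RSA, N_RSA) * c) % N_RSA


def elgamal_encrypt(m, y):
    """(c1, c2) = (g^y, m * h^y) for the random exponent y."""
    return (pow(G_EL, y, P_EL), (m * pow(H_EL, y, P_EL)) % P_EL)


def elgamal_decrypt(c):
    c1, c2 = c
    return (c2 * pow(c1, -X_EL, P_EL)) % P_EL   # m = c2 / c1^x


def elgamal_malleate(c, k):
    """The lecture's transformation: (c1, k * c2) is an encryption of k*m."""
    c1, c2 = c
    return (c1, (k * c2) % P_EL)


# ---- Random padding in the shape of the lecture's OAEP formula --------------
# Assumption for this example: G and H are SHA-256 with distinct prefixes,
# truncated to K bytes.  Real PKCS #1 v2 uses MGF1 and a different layout.
K = 5  # bytes per half; the padded block is 2*K bytes = 80 bits < N_RSA


def G(R):
    return hashlib.sha256(b"G" + R).digest()[:K]


def H(x):
    return hashlib.sha256(b"H" + x).digest()[:K]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def pad(m, R=None):
    """Return the integer (m ⊕ G(R)) || (R ⊕ H(m ⊕ G(R))) for a K-byte message."""
    assert len(m) == K
    R = secrets.token_bytes(K) if R is None else R
    X = xor(m, G(R))
    Y = xor(R, H(X))
    return int.from_bytes(X + Y, "big")


def unpad(v):
    """Invert pad(): the right half gives back R, then the left half gives m.
    Returns None when v is not even the right size to be a padded block."""
    try:
        blk = v.to_bytes(2 * K, "big")
    except OverflowError:
        return None
    X, Y = blk[:K], blk[K:]
    R = xor(Y, H(X))
    return xor(X, G(R))


def padded_rsa_decrypt(c):
    return unpad(rsa_decrypt(c))


if __name__ == "__main__":
    m = 42
    print(rsa_decrypt(rsa_malleate(rsa_encrypt(m), 3)))                  # 126
    print(elgamal_decrypt(elgamal_malleate(elgamal_encrypt(m, 55), 2)))  # 84
    c = rsa_encrypt(pad(m.to_bytes(K, "big")))
    print(padded_rsa_decrypt(c))                      # the 5-byte encoding of 42
    print(padded_rsa_decrypt(rsa_malleate(c, 3)))     # None or unrelated bytes
```

The padding shown here has no redundancy, so `unpad` cannot always detect tampering; PKCS #1 v2 adds a fixed label hash and zero bytes precisely so the decryptor can reject malformed blocks rather than hand back garbage.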
Paillier's trapdoor function is an isomorphism f : Z_N × Z*_N → Z*_{N²} given by f(a, b) = (1 + N)^a · b^N mod N², where N = pq for distinct odd primes p, q of equal length. This function f can be efficiently computed, but inverting it is believed to be difficult without the factorization of N under the Composite Residuosity Assumption. One can encrypt directly using this trapdoor function by letting a be the message m and b the random help value r. Our scheme is thus defined by three polynomial-time algorithms (G, E, D):
G: Pick two n-bit primes p, q. Set pk = N = p · q, sk = ϕ(N) = (p − 1) · (q − 1).
E: Let m ∈ Z_N be the message to encrypt and obtain a random help value r ←_R Z*_N. Set c = E_N(m, r) = (1 + N)^m · r^N ≡ (1 + m · N) · r^N mod N².
D: To decrypt c using ϕ(N), compute ĉ = c^{ϕ(N)} ≡ (1 + N)^{m·ϕ(N)} ≡ (1 + m · ϕ(N) · N) mod N² (by Fermat's Little Theorem). Then compute m′ = (ĉ − 1) · ϕ(N)^{−1} mod N² and recover m = m′/N. (We cannot divide by N modulo N² because N, which divides N², has no inverse.) To decrypt c using r, compute ĉ = c · r^{−N} mod N², then recover m = (ĉ − 1)/N. Anyone who knows the secret key sk can recover r from c: r = c^{N^{−1} mod ϕ(N)} mod N.
(pk, E_pk(m₀)) ≡ (N, (1 + N)^{m₀} · R^N) ≡_c (N, (1 + N)^{m₀} · S) ≡ (N, (1 + N)^{m₁} · S′) ≡_c (N, (1 + N)^{m₁} · R′^N) ≡ (pk, E_pk(m₁)), where R, R′ are uniform in Z*_N and S, S′ are uniform in Z*_{N²}. These imply that (pk, E_pk(m₀)) ≡ (N, (1 + N)^{m₀} · R^N) ≡_c (N, (1 + N)^{m₁} · R′^N) ≡ (pk, E_pk(m₁)), that is, the Paillier scheme is semantically secure under the DCRA. This argument uses the general fact that multiplying a fixed element of a group by a uniformly random element gives you a uniformly random element of the group.
One of the most attractive properties of the Paillier system is that it is additively homomorphic over plaintexts and also allows for multiplication of plaintexts by a constant. All of these primitives can be performed by anyone.
With these primitives, one can divide the plaintext by any constant k ∈ Z*_N (equivalent to multiplying by k^{−1} mod N). One can subtract two plaintexts via their ciphertexts c₁ = E(m₁, r₁), c₂ = E(m₂, r₂): c₁ · c₂^{−1} ≡ E(m₁ − m₂, r₁/r₂) (mod N²). Even more complex primitives are possible. Given c₁ = E(m₁, r₁), c₂ = E(m₂, r₂), anyone who has the random help values r₁, r₂ or the secret key sk can prove the following facts to a verifier who has only c₁ and c₂, revealing minimal information about m₁ or m₂. (In your homework, you will be asked to show that the Equality proof reveals nothing about m₁ and m₂ by proving that any two pairs of ciphertexts are indistinguishable given only the quotient of their random help values.)
Some of these primitives and others are explored in detail in the paper A Generalisation, a Simplification and some Applications of Paillier's Probabilistic Public-Key System by Damgård and Jurik (2001); other formulations are presented in Practical Secrecy-Preserving, Verifiably Correct and Trustworthy Auctions by Parkes, Rabin, Shieber and Thorpe (2006).
4.2.1 Proof of Range
(This section is derived from the Parkes et al. paper cited above.) Given a ciphertext c = E(m, r), we need to prove that m < 2^t for some constant t.
Definition 2 A valid test set S for the assertion "c = E(m, r) is an encryption of a number x < 2^t" is a set of 2t randomly ordered encryptions, S = {G₁ = E(u₁, s₁), …, G_{2t} = E(u_{2t}, s_{2t})}, where each of the powers of 2 {1, 2, …, 2^{t−1}} appears among the uᵢ exactly once and the remaining t values uⱼ are all 0.
Paillier is an attractive protocol for voting because it is additively homomorphic, and makes it possible to count votes without decrypting any voter's particular vote.
With V̂ⱼ denoting the encryption of vote Vⱼ, ∏ⱼ V̂ⱼ ∈ E_pk(∑ⱼ Vⱼ).
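The Paillier scheme (G, E, D) defined above, both decryption routes, the recovery of r by the secret-key holder, the homomorphic primitives (addition, subtraction, multiplication and division by a constant) and the vote tally just described, as one added example; it is not the lecture's code and not any library's implementation. The two 30-bit primes are constructed for the demonstration, and decryption follows the lecture's ϕ(N)-based formula rather than Paillier's original L-function variant.

```python
import secrets
from math import gcd

# Constructed toy primes of equal (30-bit) length; real deployments use far larger ones.
P_TOY, Q_TOY = 1000000007, 998244353


def keygen(p=P_TOY, q=Q_TOY):
    """G: pk = N = p*q, sk = phi(N) = (p-1)(q-1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    assert gcd(N, phi) == 1   # makes phi invertible mod N^2 and N invertible mod phi
    return N, phi


def random_unit(N):
    """Random help value r in Z_N^* (gcd(r, N) = 1)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r


def encrypt(N, m, r=None):
    """E: c = (1+N)^m * r^N mod N^2."""
    N2 = N * N
    r = random_unit(N) if r is None else r
    return (pow(1 + N, m, N2) * pow(r, N, N2)) % N2


def decrypt(N, phi, c):
    """D with sk: c^phi = 1 + m*phi*N (mod N^2); multiply by phi^-1, then divide by N."""
    N2 = N * N
    c_hat = pow(c, phi, N2)
    m_prime = ((c_hat - 1) * pow(phi, -1, N2)) % N2   # equals m*N exactly, since m < N
    return m_prime // N


def decrypt_with_r(N, c, r):
    """D with the help value: c * r^(-N) = (1+N)^m = 1 + m*N (mod N^2)."""
    N2 = N * N
    c_hat = (c * pow(r, -N, N2)) % N2
    return (c_hat - 1) // N


def recover_r(N, phi, c):
    """Secret-key holder recovers r: c = r^N (mod N), so r = c^(N^-1 mod phi) mod N."""
    return pow(c % N, pow(N, -1, phi), N)


def add(N, c1, c2):        # E(m1 + m2, r1*r2)
    return (c1 * c2) % (N * N)


def scale(N, c, k):        # E(k*m, r^k): multiplication of the plaintext by a constant
    return pow(c, k, N * N)


def sub(N, c1, c2):        # E(m1 - m2, r1/r2)
    N2 = N * N
    return (c1 * pow(c2, -1, N2)) % N2


def divide(N, c, k):       # E(m * k^-1 mod N): division by a constant k in Z_N^*
    return pow(c, pow(k, -1, N), N * N)


def tally(N, encrypted_votes):
    """Product of the encrypted votes encrypts their sum; no single vote is decrypted."""
    acc = encrypt(N, 0, r=1)    # (1+N)^0 * 1^N = 1, an encryption of zero
    for v in encrypted_votes:
        acc = add(N, acc, v)
    return acc


if __name__ == "__main__":
    N, phi = keygen()
    votes = [1, 0, 1, 1, 0]
    print(decrypt(N, phi, tally(N, [encrypt(N, v) for v in votes])))   # 3
```

Note that `tally` needs nothing but the public key: anyone holding the published ciphertexts can form products and powers of them, which is exactly the malleability the notes point to when they ask why plain Paillier cannot be the only mechanism in an auction or election.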
Clearly, plain Paillier is not appropriate as the only mechanism in an auction protocol. (Why?)
We have not yet studied digital signatures and message authentication codes; later we will see how they complement plain homomorphic encryption schemes to prevent a participant in a protocol from creating an encryption based on someone else's published encrypted values.
It remains an important open question whether one can construct a homomorphic encryption scheme that is doubly homomorphic in the ciphertexts, that is, there exist two pairs of operations 〈+, ⊕〉, 〈×, ⊗〉 such that E(a + b) = E(a) ⊕ E(b) and E(a × b) = E(a) ⊗ E(b). Paillier's scheme is sometimes said to be doubly homomorphic, but its multiplicative homomorphism is limited to creating new encryptions of products of plaintexts with constant factors. If someone were to construct a truly doubly homomorphic scheme allowing both addition and multiplication over plaintexts by operations on the ciphertexts, what would the implications be?