Public Key Encryption Schemes: Malleable, Homomorphic, and Paillier's Scheme, Study notes of Cryptography and System Security

Various public key encryption schemes, focusing on their malleability and homomorphic properties. Topics include RSA, ElGamal, and Paillier's encryption. Malleable encryption schemes, such as ElGamal and RSA, allow an adversary to succeed in a chosen ciphertext attack. Homomorphic encryption schemes, like Paillier's, enable parties to compute valid encryptions of values that are a function of other encrypted values.

Typology: Study notes

2010/2011

Uploaded on 11/02/2011



CS 120/CSCI E-177: Introduction to Cryptography

Salil Vadhan and Alon Rosen Nov. 16, 2006

Lecture Notes 15:

Public-Key Encryption in Practice

Recommended Reading.

  • Katz-Lindell, Sections 9.4, 9.5.3

1 Public-Key Encryption in Practice

  • All known public-key encryption schemes are much slower than private-key ones and have much larger keys.
    – e.g. Plain RSA: 1000× slower than DES in hardware, and 100× slower in software (for a 512-bit modulus).
    – Mainly used to exchange a session key for a private-key encryption scheme: hybrid encryption (see Katz-Lindell §9.4).

  • RSA overwhelmingly most popular (despite not having security equivalent to factoring like Rabin):
    – Plain RSA: insecure
    – Padding a 1-bit message with random bits: provably secure
    – Padding longer messages with random bits (PKCS #1 v1.5 RSA): unproven but conjectured to be secure. Use an 88-bit random pad for 512-bit messages.
    – More sophisticated padding using cryptographic hash functions (PKCS #1 v2, OAEP): G is a PRG and H is a hash function. The encryption of m using a random pad R is (m ⊕ G(R) || R ⊕ H(m ⊕ G(R)))^e mod N. This can be proven to be secure (even against chosen-ciphertext attack) in the Random Oracle Model, which models the hash function as a random function, which it is not, so this is only a heuristic argument.
    – Encryption exponent 3: (change RSA assumption accordingly)

  • Discrete Log Based Schemes used in practice
    – Diffie-Hellman Key Exchange
      ∗ Standardized in ANSI X9.42
      ∗ Widely used in protocols to establish temporary keys for network communication, including SSH, HTTPS (SSL), and others.
    – ElGamal
      ∗ No patent restrictions (RSA was patented)
      ∗ Used in free products, e.g. GNU Privacy Guard, PGP
      ∗ Used in threshold crypto applications requiring distributed key generation (we may cover this later)
    – Cramer-Shoup Encryption
      ∗ Standardized in ISO 18033-
      ∗ Similar in spirit to ElGamal
      ∗ Requires a collision-resistant cryptographic hash function, to be discussed later in the course
      ∗ Uses extra math (ciphertext and keys are longer) to achieve security under CCA (1998: first practical algorithm to do so based on a standard complexity assumption; the earlier Dolev-Dwork-Naor work using trapdoor permutations requires random oracles.)

2 Malleability

Informally, an encryption scheme is malleable if, given a ciphertext c that is an encryption of a plaintext m (and the public key), one can efficiently generate a ciphertext c′ that is an encryption of a transformation of m, that is, c′ ∈ E(f(m)). (We recall that in a probabilistic encryption scheme a message may have many valid encryptions.) In particular this can be done without any knowledge of m or the secret key. Thus, it does not contradict the encryption scheme being secure in the sense of having indistinguishable encryptions. Nevertheless, in some applications, malleability is a weakness. For example, in the context of a sealed-bid auction, an adversary observing another bid encrypted with a malleable algorithm could construct a more competitive bid without breaking the scheme or learning anything about the other bid. Many of the public-key encryption schemes we have seen are trivially malleable:

ElGamal: Encryption of m is (c1, c2) = (g^y, m · h^y), with the group G, g ∈ G, and h public and y random. To transform a ciphertext encrypting m into an encryption of f(m) = 2m, calculate (c1′, c2′) = (c1, 2 · c2).

RSA, Rabin: Semantically secure encryption uses the hardcore bits of a randomly selected trapdoor permutation f_k with trapdoor t; pk = k, sk = t. Encryption chooses x ←R D_k and outputs c = (f_k(x), b_k(x) ⊕ m) using the hardcore bits b_k(x). How is this malleable?

Plain RSA, Rabin: These are sometimes used directly in practice but they are not semantically secure. Encryption is c = m^e mod n, with n = p · q; n is public and p, q secret. (Rabin encryption is not equivalent to RSA with public exponent 2, but this attack applies to Rabin encryption: set e = 2.) To transform a ciphertext encrypting m into an encryption of f(m) = 3m, calculate c′ = 3^e · c mod n ≡ (3 · m)^e mod n.

It is no coincidence that ElGamal, RSA and Rabin encryption are all insecure under chosen ciphertext attack: any malleable encryption scheme allows an adversary to succeed in a chosen ciphertext attack by applying the transformation to the challenge c = E(m). In one informal setting, the adversary computes c′ = f′(c) = E(f(m)), queries the decryption oracle on c′ to recover f(m), then finally inverts f(m) to recover m.
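The two transformations described above, carried out with hand-checkable toy parameters, as an added Python example that is not part of the lecture notes. The keys (p = 61, q = 53, e = 17 for RSA; the group Z_23* with generator 5 for ElGamal) are constructed for illustration; the check at the end decrypts the transformed ciphertexts and confirms they open to f(m) = k·m, which is exactly the property that padding schemes such as OAEP and CCA-secure schemes such as Cramer-Shoup are designed to remove.

```python
import math

# Constructed toy parameters so the arithmetic can be checked by hand.
# Real keys are thousands of bits; the point here is the algebra, not the sizes.
RSA_P, RSA_Q, RSA_E = 61, 53, 17          # n = 3233, phi(n) = 3120
EG_P, EG_G, EG_X = 23, 5, 6               # Z_23^*, generator 5, secret exponent x


def rsa_keys():
    """Plain (unpadded) RSA: pk = (n, e), sk = d = e^-1 mod phi(n)."""
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
    return n, RSA_E, d


def rsa_encrypt(n, e, m):
    return pow(m, e, n)


def rsa_decrypt(n, d, c):
    return pow(c, d, n)


def rsa_transform(n, e, c, k):
    """Public key only: k^e * c = (k*m)^e mod n, a valid encryption of f(m) = k*m."""
    return pow(k, e, n) * c % n


def elgamal_keys():
    """ElGamal in Z_p^*: h = g^x is public, x is secret."""
    return EG_P, EG_G, pow(EG_G, EG_X, EG_P), EG_X


def elgamal_encrypt(p, g, h, m, y):
    """(c1, c2) = (g^y, m * h^y); y is the sender's random exponent (fixed here for the check)."""
    return pow(g, y, p), m * pow(h, y, p) % p


def elgamal_decrypt(p, x, c):
    c1, c2 = c
    return c2 * pow(pow(c1, x, p), -1, p) % p


def elgamal_transform(p, c, k):
    """Public values only: (c1, k * c2) encrypts k*m; the notes' f(m) = 2m is k = 2."""
    c1, c2 = c
    return c1, k * c2 % p


def malleability_check():
    """Decrypt the transformed ciphertexts and confirm they open to f(m) = k*m."""
    n, e, d = rsa_keys()
    m = 65
    rsa_ok = rsa_decrypt(n, d, rsa_transform(n, e, rsa_encrypt(n, e, m), 3)) == 3 * m % n
    p, g, h, x = elgamal_keys()
    m2 = 7
    eg_ok = elgamal_decrypt(p, x, elgamal_transform(p, elgamal_encrypt(p, g, h, m2, 3), 2)) == 2 * m2 % p
    return rsa_ok, eg_ok


if __name__ == "__main__":
    print(malleability_check())   # (True, True)
```

Neither transformation touches the secret key or learns anything about m, which is why the scheme can still have indistinguishable encryptions under chosen-plaintext attack while failing completely once a decryption oracle is available.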

4 Paillier Encryption

Paillier's trapdoor function is an isomorphism f : Z_N × Z*_N → Z*_{N²} given by f(a, b) = (1 + N)^a · b^N mod N², where N = pq for distinct odd primes p, q of equal length. This function f can be efficiently computed, but inverting it is believed to be difficult without the factorization of N under the Composite Residuosity Assumption. One can encrypt directly using this trapdoor function by letting a be the message m and b the random help value r. Our scheme is thus defined by three polynomial-time algorithms (G, E, D):

G: Pick two n-bit primes p, q. Set pk = N = p · q, sk = φ(N) = (p − 1) · (q − 1).

E: Let m ∈ Z_N be the message to encrypt and obtain a random help value r ←R Z*_N. Set c = E_N(m, r) = (1 + N)^m · r^N ≡ (1 + m · N) · r^N mod N².

D: To decrypt c using φ(N), compute ĉ = c^{φ(N)} ≡ (1 + N)^{m·φ(N)} ≡ (1 + m · φ(N) · N) mod N² (by Fermat's Little Theorem). Then compute m′ = (ĉ − 1) · φ(N)^{−1} mod N² and recover m = m′/N. (We cannot divide by N modulo N² because N, which divides N², has no inverse.) To decrypt c using r, compute ĉ = c · r^{−N} mod N², then recover m = (ĉ − 1)/N. Anyone who knows the secret key sk can recover r from c: r = c^{N^{−1} mod φ(N)} mod N.

4.1 The Decisional Composite Residuosity Assumption; Security of Paillier's Scheme

  • The DCRA assumption says a random N-th residue is computationally indistinguishable from a random element of Z*_{N²}. That is, (N, R^N) ≡_c (N, S), where N is a random Paillier modulus, R, R′ are random elements of Z*_N, and S, S′ are random elements of Z*_{N²}.
  • Then, we observe the following three facts:
      (N, (1 + N)^{m0} · S) ≡ (N, (1 + N)^{m1} · S′)
      (pk, E_pk(m0)) ≡ (N, (1 + N)^{m0} · R^N) ≡_c (N, (1 + N)^{m0} · S)
      (pk, E_pk(m1)) ≡ (N, (1 + N)^{m1} · R′^N) ≡_c (N, (1 + N)^{m1} · S′)
    These imply that (pk, E_pk(m0)) ≡ (N, (1 + N)^{m0} · R^N) ≡_c (N, (1 + N)^{m1} · R′^N) ≡ (pk, E_pk(m1)), that is, the Paillier scheme is semantically secure under the DCRA. This argument uses the general fact that multiplying a fixed element of a group by a uniformly random element gives you a uniformly random element of the group.

  • Paillier made a related argument that a successful CPA attacker can break the DCRA. Specifically, assume m0 and m1 are two known messages and c is a ciphertext of either m0 or m1. c ∈ E(m0) if and only if c · (1 + N)^{−m0} mod N² (which the adversary can compute) is an N-th residue. Thus if an adversary has an algorithm A(c, m0) that can identify whether c is an encryption of m0 with non-negligible probability, he can use A to decide composite residuosity.

4.2 Homomorphic Properties of Paillier Encryption

One of the most attractive properties of the Paillier system is that it is additively homomorphic over plaintexts and also allows for multiplication of plaintexts by a constant. All of these primitives can be performed by anyone.

  • Addition:
  • Multiplication by a constant:

With these primitives, one can divide the plaintext by any constant k ∈ Z*_N (equivalent to multiplying by k^{−1} mod N). One can subtract two plaintexts via their ciphertexts c1 = E(m1, r1), c2 = E(m2, r2): c1 · c2^{−1} ≡ E(m1 − m2, r1/r2) (mod N²). Even more complex primitives are possible. Given c1 = E(m1, r1), c2 = E(m2, r2), anyone who has the random help values r1, r2 or the secret key sk can prove the following facts to a verifier who has only c1 and c2, revealing minimal information about m1 or m2. (In your homework, you will be asked to show that the Equality proof reveals nothing about m1 and m2 by proving that any two pairs of ciphertexts are indistinguishable given only the quotient of their random help values.)

  • Equality: Since m1 − m2 = 0, the prover reveals the single integer r̄ = r1/r2 mod N. The verifier verifies that D_r̄(c1/c2) = 0 by checking that (c1/c2) ≡ (1 + N)^0 · r̄^N ≡ r̄^N (mod N²).
  • Range: m1 < 2^t < N for constant t (see next subsection)
  • Product of Two Plaintexts: c3 = E(m1 · m2, r3) (see papers cited below)
  • Inequality: m1 ≥ m2. First prove m1, m2 < 2^t, where t is chosen so 2^t < N/2. Then compute c3 = c1/c2 = E(m1 − m2, r1/r2), and prove, using c3 and the Range primitive, that (m1 − m2) < 2^t < N/2. This implies m1 ≥ m2, because if not, (m1 − m2) would wrap around mod N and we could not prove (m1 − m2) < 2^t. (This necessarily reveals that m1, m2 < 2^t but nothing else.)

Some of these primitives and others are explored in detail in the paper A Generalisation, a Simplification and some Applications of Paillier's Probabilistic Public-Key System by Damgård and Jurik (2001); other formulations are presented in Practical Secrecy-Preserving, Verifiably Correct and Trustworthy Auctions by Parkes, Rabin, Shieber and Thorpe (2006).

4.2.1 Proof of Range

(This section is derived from the Parkes et al. paper cited above.) Given ciphertext c = E(m, r) we need to prove that m < 2^t for some constant t.

Definition 2 A valid test set S for the assertion "c = E(m, r) is an encryption of a number x < 2^t" is a set of 2t randomly ordered encryptions, S = {G1 = E(u1, s1), ..., G_{2t} = E(u_{2t}, s_{2t})}, where each of the powers of 2 in {1, 2, ..., 2^{t−1}} appears among the u_i exactly once and the remaining t values u_j are all 0.

5.2 Voting

Paillier is an attractive protocol for voting because it is additively homomorphic, and makes it possible to count votes without decrypting any voter's particular vote.

  1. The election board creates a distributed Paillier key pair (pk, sk) so that no one entity knows the secret decryption key but the public encryption key can be published.
  2. A constant k is chosen large enough so no more than 2^k votes will be cast. Each candidate is associated with a value C_i = 2^{ik}. For example, k = 32 (about 4 billion votes), and Adams = 2^32, Buchanan = 2^64, Coolidge = 2^96.
  3. When a voter votes, their vote is an encryption of 1 + C_i. For example, a vote for Buchanan would be V_j = (1 + 2^64), encrypted: V̂_j ∈ E_pk(1 + 2^64, r_j). The voting machine computes these values.
  4. The voting machine proves that a vote is correct without revealing any information about the vote, using a protocol similar to the primitive that proves a value m < 2^t. Amazingly, the machine can do this without knowing the decryption key, provided it knows the random help value used to encrypt.
  5. The votes are tallied by computing the product of the encrypted votes: ∏_j V̂_j ∈ E_pk(∑_j V_j).
  6. The raw votes are destroyed. The election officials then reconstruct the secret decryption key and decrypt the total. By taking the total modulo each successive C_i, the election board can extract the number of votes for each candidate.
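The scheme (G, E, D) of Section 4 with both decryption routes and recovery of r, the homomorphic primitives and the Equality proof of Section 4.2, and the tally of steps 2, 3, 5 and 6 above, as one added Python example that is not part of the lecture notes. It assumes a constructed toy modulus built from the Mersenne primes 2^61 − 1 and 2^89 − 1 (real keys use random primes of 1024 bits or more), k = 32 with the three candidates of step 2, and that the tallying party holds φ(N) directly rather than as the distributed key of step 1.

```python
import math
import secrets

# Constructed toy modulus from two Mersenne primes; real keys use random
# primes of 1024 bits or more. The structural requirement gcd(N, phi(N)) = 1
# is what makes phi(N) invertible mod N^2 in decrypt_sk; keygen checks it.
P_TOY, Q_TOY = (1 << 61) - 1, (1 << 89) - 1


def keygen(p, q):
    """G: pk = N = p*q, sk = phi(N) = (p-1)*(q-1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    assert p != q and math.gcd(N, phi) == 1
    return N, phi


def encrypt(N, m, r=None):
    """E: c = (1+N)^m * r^N mod N^2 with a random unit r mod N. Returns (c, r)."""
    N2 = N * N
    while r is None or math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    assert 0 <= m < N
    return pow(1 + N, m, N2) * pow(r, N, N2) % N2, r


def decrypt_sk(N, phi, c):
    """D with sk: c^phi = 1 + m*phi*N (mod N^2); cancel phi mod N^2, then divide by N as integers."""
    N2 = N * N
    m_prime = (pow(c, phi, N2) - 1) * pow(phi, -1, N2) % N2   # equals m*N, no wrap since m < N
    return m_prime // N


def decrypt_r(N, c, r):
    """D with the help value: c * r^(-N) = (1+N)^m = 1 + m*N (mod N^2)."""
    N2 = N * N
    return (c * pow(r, -N, N2) % N2 - 1) // N


def recover_r(N, phi, c):
    """sk holder recovers r: c = r^N (mod N), so r = c^(N^-1 mod phi(N)) mod N."""
    return pow(c % N, pow(N, -1, phi), N)


# Section 4.2 primitives: anyone can compute these from the public key alone.
def add(N, c1, c2):
    """E(m1, r1) * E(m2, r2) = E(m1 + m2, r1 * r2) (mod N^2)."""
    return c1 * c2 % (N * N)


def scalar_mult(N, c, k):
    """E(m, r)^k = E(k * m, r^k) (mod N^2); to divide by k' use k = k'^-1 mod N."""
    return pow(c, k, N * N)


def subtract(N, c1, c2):
    """c1 * c2^-1 = E(m1 - m2, r1 / r2) (mod N^2)."""
    return c1 * pow(c2, -1, N * N) % (N * N)


def equality_proof(N, r1, r2):
    """Prover (knows the help values, claims m1 = m2): reveal r_bar = r1 / r2 mod N."""
    return r1 * pow(r2, -1, N) % N


def verify_equality(N, c1, c2, r_bar):
    """Verifier (has only c1, c2): c1 / c2 must equal (1+N)^0 * r_bar^N mod N^2."""
    return subtract(N, c1, c2) == pow(r_bar, N, N * N)


# Section 5.2 voting: C_i = 2^(i*K); a vote for candidate i encrypts 1 + C_i.
K = 32
CANDIDATES = {"Adams": 1, "Buchanan": 2, "Coolidge": 3}


def encode_vote(candidate):
    return 1 + (1 << (K * CANDIDATES[candidate]))


def tally(N, phi, encrypted_votes):
    """Multiply the ciphertexts (one encrypted sum), decrypt once, read the K-bit fields."""
    assert (1 << (K * (len(CANDIDATES) + 1) + 1)) < N   # the plaintext sum must not wrap mod N
    total_ct = 1                                         # 1 = E(0, r=1), the identity
    for c in encrypted_votes:
        total_ct = add(N, total_ct, c)
    total = decrypt_sk(N, phi, total_ct)
    mask = (1 << K) - 1
    counts = {name: (total >> (K * i)) & mask for name, i in CANDIDATES.items()}
    return counts, total & mask                          # per-candidate counts, ballots cast


if __name__ == "__main__":
    N, phi = keygen(P_TOY, Q_TOY)
    ballots = [encrypt(N, encode_vote(v))[0] for v in ["Adams", "Buchanan", "Adams", "Coolidge"]]
    print(tally(N, phi, ballots))   # ({'Adams': 2, 'Buchanan': 1, 'Coolidge': 1}, 4)
```

The low K bits of the decrypted total hold the number of ballots cast (each vote adds 1) and each successive K-bit field holds one candidate's count, which is what "taking the total modulo each successive C_i" in step 6 extracts. Because the tally only ever decrypts the product, no individual ballot is opened; the verifier in verify_equality likewise never sees a plaintext, only the revealed quotient of help values.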

5.3 What other applications can we think of?

  • Multi-Party Computation, e.g. the Professors' Salary Problem

5.4 Some Security Considerations

Clearly, plain Paillier is not appropriate as the only mechanism in an auction protocol. (Why?)

We have not yet studied digital signatures and message authentication codes; later we will see how they complement plain homomorphic encryption schemes to prevent a participant in a protocol from creating an encryption based on someone else's published encrypted values.

5.5 Other Facts About Homomorphic Encryption

It remains an important open question whether one can construct a homomorphic encryption scheme that is doubly homomorphic in the ciphertexts, that is, there exist two pairs of operations 〈+, ⊕〉, 〈×, ⊗〉 such that E(a + b) = E(a) ⊕ E(b) and E(a × b) = E(a) ⊗ E(b). Paillier's scheme is sometimes said to be doubly homomorphic, but its multiplicative homomorphism is limited to creating new encryptions of products of plaintexts with constant factors. If someone were to construct a truly doubly homomorphic scheme allowing both addition and multiplication over plaintexts by operations on the ciphertexts, what would the implications be?