Title: Modern Cryptography
Slide 1: Modern Cryptography
- New Directions in Cryptography, W. Diffie and M. E. Hellman
- Probabilistic Encryption, S. Goldwasser and S. Micali
Slide 2: By 1976...
Practically: computers and private-key security exist (DES), and are becoming more and more applicable.
Theoretically: perfect secrecy (Shannon). NOT MUCH BESIDES. The notion of a function easy to compute but hard to invert arose... (Purdy). Complexity: NP (completeness) vs. P (Cook, Karp).
Slide 3: By 1976... (hush hush!)
- In fact, computers and cryptography go hand in hand from the first computers (WWII).
- In fact, there were confidential papers in cryptography (in CESG).
- Non-secret encryption, J. H. Ellis '70 (with a proof!)
- ≈RSA, C. C. Cocks '73
Slide 4: By 1976... (biographical details)
In 1972, Whitfield Diffie, an AI graduate student, develops more than an interest in cryptography. In 1974, at the age of 30, he phones Martin Hellman, assistant professor at Stanford, to discuss issues in crypto. They begin collaborating.
In 1975, Diffie thinks of quitting altogether. "I was worried that I wasn't particularly remarkable as a programmer and that my lot in life would get progressively worse if things continued going as they were."
Also in 1975, success comes. "The thing I remember distinctly is that I was sitting in the living room when I thought of it the first time and then I went downstairs to get a Coke and I almost lost it," he says. "I mean, there was this moment when - I was thinking about something. What was it? And then I got it back and didn't forget it."
Slide 5: New Directions in Cryptography, W. Diffie and M. E. Hellman
[photos: Hellman, Diffie]
"We stand today on the brink of a revolution in cryptography."
Slide 6: Emphasis
This is an invited paper, so
1. NO definitions, notations, claims, proofs etc.
2. HOWEVER clever ideas, clever insights!
3. Practicality. Historical survey.
Slide 7: So, what do we have in a conventional cryptographic system (block or stream)?
S_k: P → C (a keyed transformation from plaintexts to ciphertexts)
Slide 8: Conventional Cryptographic System
Goal: enciphering and deciphering are inexpensive, but any cryptanalytic operation is too complex to be economical. We call a task computationally infeasible if its cost... is finite but impossibly large.
Important desired property: error propagation. A small change in the input block produces a major change in the resulting output.
Slide 9: Conventional Cryptographic System
Threats (S_k is known): eavesdropping (ciphertext only, known plaintext, chosen plaintext); injecting new messages, or combining/repeating them.
Problems
1. Where does the secure channel come from?
2. Authentication / signature.
3. n users ⇒ Θ(n²) keys.
Slide 10: Introducing THE PUBLIC KEY CRYPTOSYSTEM!
Slide 11: THE PUBLIC KEY CRYPTOSYSTEM!
- Two families {E_k}_k, {D_k}_k of invertible transformations, E_k, D_k: M → M, s.t. the following holds:
  - ∀k, E_k is the inverse of D_k.
  - ∀k, ∀m ∈ M, E_k(m) and D_k(m) are easy to compute.
  - For almost every k, each easily computed algorithm equivalent to D_k is computationally infeasible to derive given E_k.
  - ∀k, it is easy to come up with the pair ⟨D_k, E_k⟩. RANDOMIZED!
Publicize E_k, but keep D_k to yourself!
Slide 12: Suggestions
1. (useless) An invertible matrix E, D = E^{-1} (n² vs. n³, at the time).
2. One-way compiler.
Public Key Distribution System: securely exchange a key over an insecure channel.
3. Merkle.
4. The Diffie-Hellman key exchange.
Slide 13: The DH Key Exchange
Everybody knows q, a prime, and g, a generator for Z_q.
A: selects x_A ∈_R Z_q. Sends m_A = g^{x_A} mod q. Computes K = m_B^{x_A} mod q.
B: selects x_B ∈_R Z_q. Sends m_B = g^{x_B} mod q. Computes K = m_A^{x_B} mod q.
K = g^{x_A x_B} mod q.
Secure, if discrete log takes Θ(q^{1/2}).
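The exchange on this slide, as an added Python example (not from the slides or the paper): it runs the protocol on the constructed toy parameters q = 23, g = 5, then recovers a secret exponent with baby-step giant-step, which is the √q-type discrete-log cost the security claim refers to.

```python
from math import isqrt

def is_generator(g: int, q: int) -> bool:
    """True iff g generates the multiplicative group mod the prime q (order q-1)."""
    order, rest, factors, r = q - 1, q - 1, set(), 2
    while r * r <= rest:                 # trial-divide q-1 (toy sizes only)
        while rest % r == 0:
            factors.add(r)
            rest //= r
        r += 1
    if rest > 1:
        factors.add(rest)
    return all(pow(g, order // p, q) != 1 for p in factors)

def dh_exchange(q: int, g: int, x_a: int, x_b: int):
    """Slide 13: A and B publish g^x and both derive K = g^(x_a x_b) mod q."""
    m_a = pow(g, x_a, q)           # A sends m_A
    m_b = pow(g, x_b, q)           # B sends m_B
    k_a = pow(m_b, x_a, q)         # A: K = m_B^x_A
    k_b = pow(m_a, x_b, q)         # B: K = m_A^x_B
    assert k_a == k_b == pow(g, x_a * x_b, q)
    return m_a, m_b, k_a

def bsgs_dlog(g: int, h: int, q: int) -> int:
    """Baby-step giant-step: x with g^x = h mod q in about 2*sqrt(q) group operations,
    the eavesdropper's cost that the slide's q^(1/2) security claim refers to."""
    m = isqrt(q - 1) + 1
    baby = {pow(g, j, q): j for j in range(m)}   # table of g^j, 0 <= j < m
    step = pow(g, -m, q)                         # g^(-m) (Python 3.8+ modular inverse)
    gamma = h
    for i in range(m):
        if gamma in baby:                        # h * g^(-i m) == g^j  =>  x = i m + j
            return i * m + baby[gamma]
        gamma = gamma * step % q
    raise ValueError("no discrete log found")

if __name__ == "__main__":
    q, g = 23, 5                                 # constructed toy parameters
    assert is_generator(g, q)
    m_a, m_b, k = dh_exchange(q, g, 6, 15)
    print("m_A, m_B, K =", m_a, m_b, k)          # 8 19 2
    print("x_A recovered:", bsgs_dlog(g, m_a, q))  # 6 (trivial at q=23, not at 2048 bits)
```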
Slide 14: Signature
By public key cryptosystem! Just send ⟨m, D_k(m)⟩.
One Way
A function f is a one-way function if it is easy to compute f(x), but for almost every y it is computationally infeasible to solve the equation y = f(x). (Polynomials offer an elementary example of one-way functions. One-way functions are easy to devise.)
Slide 15: One Way Authentication
- Techniques
  - Login: user picks PW, but sends f(PW).
  - Login revised: user picks PW, sends f^T(PW). At time t, user authenticates by sending f^{T-t}(PW) (requires fast enumeration of f).
  - Select x_0^1, x_1^1, x_0^2, x_1^2, ..., x_0^N, x_1^N.
  - Compute their images under f: y_0^1, y_1^1, y_0^2, y_1^2, ..., y_0^N, y_1^N. Publicize these 2N images.
  - Send the message m = m_1, m_2, ..., m_N and x^1_{m_1}, x^2_{m_2}, ..., x^N_{m_N}.
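The slide-15 techniques as an added Python example (not from the slides or the paper): SHA-256 stands in for the abstract one-way function f, the hash chain of "Login revised" is checked the way the slide describes, and the last three bullets form a one-time signature. All passwords and keys are constructed.

```python
import hashlib
import secrets

def f(x: bytes) -> bytes:
    """SHA-256 stands in for the abstract one-way function f."""
    return hashlib.sha256(x).digest()

def f_iter(x: bytes, n: int) -> bytes:
    """f^n(x): apply f n times (n = 0 returns x)."""
    for _ in range(n):
        x = f(x)
    return x

class ChainVerifier:
    """'Login revised': the server stores only f^T(PW) and the last accepted t."""
    def __init__(self, anchor: bytes):
        self.last = anchor      # f^T(PW), registered once
        self.t = 0
    def login(self, token: bytes, t: int) -> bool:
        # At time t the user sends f^(T-t)(PW). Applying f (t - t_prev) more times
        # must give the last accepted value; a replayed or out-of-order token
        # (t <= t_prev) fails, and the server never holds anything invertible to PW.
        if t <= self.t or f_iter(token, t - self.t) != self.last:
            return False
        self.last, self.t = token, t
        return True

def ots_keygen(N: int):
    """Secret pairs (x_0^j, x_1^j) and public images (y_0^j, y_1^j) = (f(x_0^j), f(x_1^j))."""
    x = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    y = [(f(x0), f(x1)) for x0, x1 in x]
    return x, y

def ots_sign(x, bits):
    """Reveal x^j_{m_j} for each message bit m_j; each key pair is used once."""
    return [x[j][b] for j, b in enumerate(bits)]

def ots_verify(y, bits, sig) -> bool:
    """Check f(x^j_{m_j}) == y^j_{m_j} for every position j."""
    return len(sig) == len(bits) == len(y) and all(
        f(s) == y[j][b] for j, (b, s) in enumerate(zip(bits, sig)))
```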
Slide 16: Insights
A cryptosystem which is secure against a known plaintext attack can be used to produce a OWF. Choose P_0 arbitrarily. Define f(x) = S_x(P_0).
Slide 17: Insights (cont.)
Trap-door OWF: a simply computed inverse exists, but given only f it is infeasible to find an inverse. Only possession of the trap-door information allows computing an inverse easily (e.g. the random string used to produce E, D). (A quasi-OWF: same definition, without the trap-door information.) Trap-door cipher: resists any cryptanalysis by anyone not in possession of the trap-door information.
A trap-door cryptosystem can be used to produce a public key distribution system: A enciphers and publicizes ⟨m, E_k(m)⟩; B breaks the encryption.
Slide 18: Insights (cont.)
- Public Key Cryptosystem ⇒ OW authentication. The converse does not appear to hold.
- Public Key Cryptosystem ⇒ Public Key Distribution System. Not conversely.
- Public Key Cryptosystem ⇒ Trap-door OWF. The converse: the function must be invertible.
Slide 19: Connection to Complexity
The cryptanalytic difficulty of a system whose encryption and decryption operations can be done in P time cannot be greater than NP: nondeterministically choose the key (maybe also the message), then verify by encryption/decryption in polytime.
The general cryptanalytic problem is NP-complete, by constructing a OWF from the Knapsack Problem.
Slide 20: The Knapsack Problem
Given a_1, a_2, ..., a_n, and x ∈ {0,1}^n, computing y = f(x) = Σ_i a_i x_i is easy, yet finding a subset of {a_i} that sums up to a given y is NP-complete.
Problems
1. f cannot be degenerate.
2. f cannot be super-increasing.
Is f hard on average? Probably not. Knapsack based encryption given '77 (Merkle, Hellman), broken '82 (Shamir) and later others.
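An added Python example (not from the slides or the paper) of the knapsack function and the two problems listed above: a super-increasing sequence is inverted by a greedy scan with no search, and a degenerate sequence has two inputs with the same sum. The weight sequences are constructed.

```python
from itertools import product
from typing import Optional

def knapsack(a: list[int], x: list[int]) -> int:
    """y = f(x) = sum_i a_i x_i for x in {0,1}^n: the easy direction."""
    assert len(a) == len(x) and all(b in (0, 1) for b in x)
    return sum(ai * xi for ai, xi in zip(a, x))

def is_super_increasing(a: list[int]) -> bool:
    """Each a_i exceeds the sum of all earlier elements."""
    total = 0
    for ai in a:
        if ai <= total:
            return False
        total += ai
    return True

def invert_super_increasing(a: list[int], y: int) -> Optional[list[int]]:
    """Greedy inversion, largest weight first: O(n), so such an f is not one-way.
    Returns None when y is not a subset sum of a."""
    x = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= y:
            x[i], y = 1, y - a[i]
    return x if y == 0 else None

def find_collision(a: list[int]) -> Optional[tuple[list[int], list[int]]]:
    """Brute force over all 2^n inputs (small n only). Two distinct x with the
    same f(x) witness that the sequence is degenerate (f is not injective)."""
    seen: dict[int, list[int]] = {}
    for bits in product((0, 1), repeat=len(a)):
        x = list(bits)
        y = knapsack(a, x)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None
```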
Slide 21: Historical Note
From the Caesar cipher to WWII. References a 1200-page book: D. Kahn, The Codebreakers, The Story of Secret Writing. Emphasizes the following point: innovation has come primarily from the amateurs. We hope this will inspire others to work in this fascinating area, in which participation has been discouraged in the recent past by a nearly total government monopoly.
Slide 22: And what happened to Diffie and Hellman?
Diffie didn't finish his degree and left to work in cryptography-oriented companies. Still working today. Was awarded a doctorate in 1992 (!) by the Swiss Federal IT.
Hellman became a professor in '79 and is currently retired.
Both highly respected, highly awarded.
Slide 23: After DH: Practical Public Keys
Several suggestions, including the knapsack, and McEliece (an error-correcting code hidden by an invertible matrix and a permutation, plus a random small error).
1978: RSA!
1979: Rabin (RSA with squaring)
Mathematical definitions of security: 1982-4, Blum, Goldwasser, Micali.
Slide 24: Probabilistic Encryption
Slide 25: Main contributions of this paper
- First paper to give formal definitions of security
- Chose an adversary with limited power (polynomial)
- Showed equivalence of security definitions
- Gave a construction which satisfies the definition and proved its security based on a common assumption (quadratic residuosity is hard)
Slide 26: Previous Attempts at Public Key Cryptography
Slide 27: Examples of Problems
- Might be easy for some messages
  - In RSA, 1 and 0 always encrypt to themselves
  - Small messages can be easily decrypted
- Might reveal partial information
  - In RSA, the Jacobi symbol of the message is preserved under encryption
- Message indistinguishability
  - Given two messages m1 and m2 and their encryptions E_k(m1) and E_k(m2), decide which is which
  - No deterministic public key encryption gives message indistinguishability!!
Slide 28: Main Idea: Make the Encryption Probabilistic!
- Messages encrypt to many possible ciphertexts
- The encryption algorithm is probabilistic
- The decryption algorithm has a deterministic output
- Notice that any deterministic encryption can be converted into a randomized one
  - part (length l) of the plaintext consists of a randomly generated bit-string
  - not provably secure
Slide 29: Security Definitions
- Polynomial security
  - no passive adversary can in polynomial time
  - select two plaintexts m1 and m2 and
  - then distinguish between encryptions of m1 and m2 with probability greater than ½ + 1/poly(k)
Slide 30: Security Definitions II
- Semantically secure
  - for all probability distributions over the message space
  - whatever a passive adversary can compute in expected polynomial time about the plaintext given the ciphertext
  - it can also compute in expected polynomial time without the ciphertext.
- Semantic security of PKC: no partial information leakage
Slide 31: Perfect vs. Semantic security
- perfect secrecy
  - a passive adversary, even with infinite computational resources
  - can learn nothing about plaintext from ciphertext
  - Limitation: cannot be achieved unless key is as long as message
- semantic security: polynomially bounded perfect secrecy
  - a passive adversary with poly. bounded resources can learn nothing
  - ∃ semantically secure PKC where keys are shorter than messages
Slide 32: Unapproximable Trapdoor Predicates
- A family of unapproximable trapdoor predicates (UTP) is
  - a family of predicates {B_i(x)}_i
  - which is unapproximable, i.e., for any polynomially sized circuit C, Pr[C(x) = B_i(x)] < ½ + 1/poly(k)
  - and has a trapdoor
    - given i and y ∈ {0,1} one can easily find x s.t. B_i(x) = y, with uniform probability over the possible x
    - there exists an algorithm T and a function τ(i) s.t. given (τ(i), i, x), T can compute B_i(x)
    - it is possible to select pairs (i, τ(i)) with uniform probability
Slide 33: A note on quadratic residuosity
- y is a quadratic residue modulo n if y has a square root modulo n
  - that is, y ≡ x² (mod n) for some x
- y is a quadratic non-residue modulo n if y doesn't have a square root modulo n
- If n is prime, computing whether y is a quadratic residue is easy.
- The Legendre symbol (y/p) is defined to be 1 if y is a quadratic residue mod p and -1 otherwise
- The Jacobi symbol (y/n) is defined as (y/p1)(y/p2)···(y/pk), where n = p1 p2 ··· pk
Slide 34: A note on quadratic residuosity
- Computing the Jacobi symbol is easy even if the factorization of n is not known!!
- Raising to an odd power preserves the Jacobi symbol
- y is a quadratic residue mod n iff (y/p1) = (y/p2) = 1
- But (y/n) = 1 does not imply that y is a quadratic residue
  - If (y/p1) = (y/p2) = -1 then (y/n) = 1 but y is not a quadratic residue
Slide 35: Quadratic Residuosity as a UTP
- Private key (τ(i)) is a pair of primes p1, p2
- Public key (i) is n = p1 p2 and y, a quadratic non-residue
- Q_i(x) = 1 iff x is a quadratic residue modulo n
- Facts
  - Q_i(x) is hard to approximate
  - Given p1, p2 it is easy to compute Q_i(x)
  - It is easy to generate residues with uniform probability
  - Given a non-residue it is easy to generate non-residues with uniform probability
  - It is easy to generate p1, p2, y
Slide 36: PKC and PPKC
- Public Key Cryptosystem (PKC) is composed of a server which, given
  - MG, a message generator, and a security parameter k
  - outputs (E)ncryption and (D)ecryption algorithms
- Probabilistic PKC (PPKC) with UTP B
  - outputs a pair (i, τ(i)) where i specifies the Encryption algorithm E, and τ(i) specifies the Decryption algorithm D
  - E takes an l-bit input m1 m2 ... ml; for each mj, E randomly selects xj such that B_i(xj) = mj. The output is (x1, x2, ..., xl)
  - D takes (x1, x2, ..., xl) and uses T to find mj for each xj (remember that T takes (x, i, τ(i)) and outputs B_i(x))
Slide 37: PPKC with Quadratic Residuosity
- Generates p1, p2 and y, a quadratic non-residue
- Outputs a pair (i, τ(i)) where i is (n = p1 p2, y) and τ(i) = (p1, p2)
- The encryption algorithm generates for every bit mj of the message an xj s.t. Q_i(xj) = mj and outputs (x1, ..., xl)
- The decryption algorithm takes (x1, x2, ..., xl) and uses its knowledge of p1, p2 to find mj for each xj
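Slides 35-37 as an added Python example (not from the slides or the paper), with the Jacobi-symbol observations of slides 27 and 34 alongside: a toy GM system over the constructed primes 1019 and 1031, whose ciphertexts all carry Jacobi symbol 1, next to a textbook-RSA check that an odd exponent preserves the Jacobi symbol of the message.

```python
import math
import secrets

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:              # factor out 2s: (2/n) depends on n mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # flip via quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def q_i(x: int, p1: int, p2: int) -> int:
    """Q_i(x) = 1 iff x is a QR mod n; the trapdoor (p1, p2) makes it easy via Euler's criterion."""
    return int(pow(x, (p1 - 1) // 2, p1) == 1 and pow(x, (p2 - 1) // 2, p2) == 1)

def gm_keygen(p1: int, p2: int):
    """Public key i = (n, y), private key tau(i) = (p1, p2); the primes are constructed inputs."""
    n = p1 * p2
    # y must be a non-residue WITH Jacobi symbol 1, otherwise jacobi() alone would decrypt
    y = next(c for c in range(2, n) if jacobi(c, n) == 1 and not q_i(c, p1, p2))
    return (n, y), (p1, p2)

def gm_encrypt(pub, bits):
    """Per bit m_j pick a random x_j with Q_i(x_j) = m_j: r^2 for 1, y*r^2 for 0."""
    n, y = pub
    out = []
    for m in bits:
        r = secrets.randbelow(n - 1) + 1
        while math.gcd(r, n) != 1:         # r must lie in Z_n^*
            r = secrets.randbelow(n - 1) + 1
        out.append(r * r * pow(y, 1 - m, n) % n)
    return out

def gm_decrypt(priv, cts):
    """Recover each m_j = Q_i(x_j) using the primes."""
    p1, p2 = priv
    return [q_i(x, p1, p2) for x in cts]

def rsa_preserves_jacobi(m: int, e: int, n: int) -> bool:
    """Textbook RSA with odd e: (m^e/n) == (m/n), so the ciphertext leaks this bit about m."""
    return jacobi(pow(m, e, n), n) == jacobi(m, n)
```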
Slide 38: Main Results
- Any PPKC with a UTP is polynomially secure
- A PKC is polynomially secure ⟺ it is semantically secure
Slide 39: PPKC is Polynomially Secure
- Assume that a (polynomially bounded) adversary A can find two messages m1, m2 and then distinguish with non-negligible probability between E_i(m1) and E_i(m2)
- Look at a sequence of messages m1 = x1, x2, ..., xt = m2 s.t. xj and x_{j+1} differ by a single bit
- There must be j s.t. A can distinguish between E_i(xj) and E_i(x_{j+1}) with non-negligible probability
- But now we can use this fact to contradict the unapproximability of B_i
Slide 40: PPKC is Polynomially Secure
- Given y we can approximate B_i(y) by generating many messages which encrypt to E_i(xj) or E_i(x_{j+1}), where the jth element of the message is y
- Since we can distinguish between encryptions of xj and x_{j+1} with non-negligible probability, we can approximate B_i(y) with non-negligible probability
- A contradiction to the unapproximability of B_i
Slide 41: Polynomially Secure ⇒ Semantically Secure
- Recall: a PKC is semantically secure if for all message distributions, for all functions f and for all polynomially sized circuits C, given an encryption E(m) of m, the probability that C(E(m)) = f(m) is at most the probability of f(m), up to a negligible factor (over the given message distribution).
- Let Π be a polynomially secure PKC and assume for a contradiction that Π is not semantically secure.
- So we have a polynomially sized circuit C that given E(m) can compute f(m) with probability higher than the probability of f(m) (over the message distribution).
Slide 42: Polynomially ⇒ Semantically
- By the assumption we have advantage ε_k ≥ 1/poly(k)
- Denote by r^E_{m,y} the probability that C outputs y on input E(m)
- Fix some message ω
- Let M be the set of all messages m s.t. |r^E_{m,v} − r^E_{ω,v}| > ε²/10
- Lemma 1: given m ∈ M we can find v s.t. |r^E_{m,v} − r^E_{ω,v}| > ε²/20 in polynomial time
- Lemma 2: Σ_{m∈M} p_m > ε_k/10
Slide 43: Polynomially ⇒ Semantically
- Lemma 1: given m ∈ M we can find v s.t. |r^E_{m,v} − r^E_{ω,v}| > ε²/20 in polynomial time
- Lemma 2: Σ_{m∈M} p_m > ε_k/10
- Lemmas 1 and 2 imply that we can find two messages m1, m2 and a value v s.t. |r^E_{m1,v} − r^E_{m2,v}| > ε²/20
- But this allows us to distinguish between m1 and m2, in contradiction to the polynomial security of the PKC
- Conclusion: polynomial security ⇒ semantic security
Slide 44: Other solutions
- Notice that every bit of the message is expanded into k bits in the encryption
- Using a pseudo-random generator, it is possible to add a total of k bits to the entire message [GB 84]
  - Idea is to generate a random seed, and send the encryption of the seed together with the message XORed with the pseudo-random output
Slide 45: Further development
- Pseudo-random generators/functions [GGM 84]
- Interactive proofs/Zero knowledge [GMR 85]
- Digital Signatures [GMY 83]
Slide 46: Thank You