Skip to Content
CSE442TIntroduction to Cryptography (Lecture 17)

CSE442T Introduction to Cryptography (Lecture 17)

Chapter 3: Indistinguishability and Pseudorandomness

Public key encryption scheme (1-bit)

Gen(1n):(fi,fi1)Gen(1^n):(f_i, f_i^{-1})

fif_i is the trapdoor permutation. (eg. RSA)

Output((fi,hi),fi1)Output((f_i, h_i), f_i^{-1}), where (fi,hi)(f_i, h_i) is the public key and fi1f_i^{-1} is the secret key.

Encpk(m):r{0,1}nEnc_{pk}(m):r\gets \{0, 1\}^n

Output(fi(r),hi(r)m)Output(f_i(r), h_i(r)\oplus m)

where fi(r)f_i(r) is denoted as c1c_1 and hi(r)mh_i(r)\oplus m is the tag c2c_2.

The decryption function is:

Decsk(c1,c2)Dec_{sk}(c_1, c_2):

r=fi1(c1)r=f_i^{-1}(c_1)

m=c2hi(r)m=c_2\oplus h_i(r)

Validity of the decryption

Proof of the validity of the decryption: Exercise.

Security of the encryption scheme

The encryption scheme is secure under this construction (Trapdoor permutation (TDP), Hardcore bit (HCB)).

Proof

We proceed by contradiction. (Constructing contradiction with definition of hardcore bit.)

Assume that there exists a distinguisher D\mathcal{D} that can distinguish the encryption of 00 and 11 with non-negligible probability μ(n)\mu(n).

{(pk,sk)Gen(1n):(pk,Encpk(0))}v.s.{(pk,sk)Gen(1n):(pk,Encpk(1))}μ(n)\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(0))\} v.s.\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(1))\} \geq \mu(n)

By prediction lemma (the distinguisher can be used to create and adversary that can break the security of the encryption scheme with non-negligible probability μ(n)\mu(n)).

P[m{0,1};(pk,sk)Gen(1n):A(pk,Encpk(m))=m]12+μ(n)P[m\gets \{0,1\}; (pk,sk)\gets Gen(1^n):\mathcal{A}(pk,Enc_{pk}(m))=m]\geq \frac{1}{2}+\mu(n)

We will use this to construct an agent BB which can determine the hardcore bit hi(r)h_i(r) of the trapdoor permutation fi(r)f_i(r) with non-negligible probability.

fi,hif_i,h_i are determined.

BB is given fi(r)f_i(r) and hi(r)h_i(r) and outputs b{0,1}b\in \{0,1\}.

  • r{0,1}nr\gets \{0,1\}^n is chosen uniformly at random.
  • y=fi(r)y=f_i(r) is given to BB.
  • b=hi(r)b=h_i(r) is given to BB.
  • Choose c2{0,1}=hi(r)mc_2\gets \{0,1\}= h_i(r)\oplus m uniformly at random.
  • Then use A\mathcal{A} with pk=(fi,hi),Encpk(m)=(fi(r),hi(r)m)pk=(f_i, h_i),Enc_{pk}(m)=(f_i(r), h_i(r)\oplus m) to determine whether rr is 00 or 11.
  • Let mA(pk,(y,c2))m'\gets \mathcal{A}(pk,(y,c_2)).
  • Since c2=hi(r)mc_2=h_i(r)\oplus m, we have m=bc2m=b\oplus c_2, b=mc2b=m'\oplus c_2.
  • Output b=mc2b=m'\oplus c_2.

The probability that BB correctly guesses bb given fi,hif_i,h_i is:

     P[r{0,1}n:y=fi(r),b=hi(r):B(fi,hi,y)=b]=P[r{0,1}n,c2{0,1}:y=fi(r),b=hi(r):A((fi,hi),(y,c2))=(c2+b)]=P[r{0,1}n,m{0,1}:y=fi(r),b=hi(r):A((fi,hi),(y,bm))=m]>12+μ(n)\begin{aligned} &~~~~~P[r\gets \{0,1\}^n: y=f_i(r), b=h_i(r): B(f_i,h_i,y)=b]\\ &=P[r\gets \{0,1\}^n,c_2\gets \{0,1\}: y=f_i(r), b=h_i(r):\mathcal{A}((f_i,h_i),(y,c_2))=(c_2+b)]\\ &=P[r\gets \{0,1\}^n,m\gets \{0,1\}: y=f_i(r), b=h_i(r):\mathcal{A}((f_i,h_i),(y,b\oplus m))=m]\\ &>\frac{1}{2}+\mu(n) \end{aligned}

This contradicts the definition of hardcore bit.

Public key encryption scheme (multi-bit)

Let m{0,1}km\in \{0,1\}^k.

We can choose random ri{0,1}nr_i\in \{0,1\}^n, yi=fi(ri)y_i=f_i(r_i), bi=hi(ri),ci=mibib_i=h_i(r_i),c_i=m_i\oplus b_i.

Encpk(m)=((y1,c1),,(yk,ck)),c{0,1}kEnc_{pk}(m)=((y_1,c_1),\cdots,(y_k,c_k)),c\in \{0,1\}^k

Decsk:rk=fi1(yk),hi(rk)ck=mkDec_{sk}:r_k=f_i^{-1}(y_k),h_i(r_k)\oplus c_k=m_k

Special public key cryptosystem: El-Gamal (based on Diffie-Hellman Assumption)

Definition 105.1 Decisional Diffie-Hellman Assumption (DDH)

Define the group of squares mod pp as follows:

p=2q+1p=2q+1, qΠn1q\in \Pi_{n-1}, gZp/{1}g\gets \mathbb{Z}_p^*/\{1\}, y=g2y=g^2

G={y,y2,,yq=1}modpG=\{y,y^2,\cdots,y^q=1\}\mod p

These two listed below are indistinguishable.

{pΠn~;yGenq;a,bZq:(p,y,ya,yb,yab)}n\{p\gets \tilde{\Pi_n};y\gets Gen_q;a,b\gets \mathbb{Z}_q:(p,y,y^a,y^b,y^{ab})\}_n

{pΠn~;yGenq;a,b,zZq:(p,y,ya,yb,yz)}n\{p\gets \tilde{\Pi_n};y\gets Gen_q;a,b,\bold{z}\gets \mathbb{Z}_q:(p,y,y^a,y^b,y^\bold{z})\}_n

(Computational) Diffie-Hellman Assumption:

Hard to compute yaby^{ab} given p,y,ya,ybp,y,y^a,y^b.

So DDH assumption implies discrete logarithm assumption.

Ideas:

If one can find a,ba,b from ya,yby^a,y^b, then one can find abab from yaby^{ab} and compare to z\bold{z} to check whether yzy^\bold{z} is a valid DDH tuple.

El-Gamal encryption scheme (public key cryptosystem)

Gen(1n)Gen(1^n):

pΠn~,gZp/{1},yGenq,aZqp\gets \tilde{\Pi_n},g\gets \mathbb{Z}_p^*/\{1\},y\gets Gen_q,a\gets \mathbb{Z}_q

Output:

pk=(p,y,yamodp)pk=(p,y,y^a\mod p) (public key)

sk=(p,y,a)sk=(p,y,a) (secret key)

Message space: Gq={y,y2,,yq=1}G_q=\{y,y^2,\cdots,y^q=1\}

Encpk(m)Enc_{pk}(m):

bZqb\gets \mathbb{Z}_q

c1=ybmodp,c2=(yabm)modpc_1=y^b\mod p,c_2=(y^{ab}\cdot m)\mod p

Output: (c1,c2)(c_1,c_2)

Decsk(c1,c2)Dec_{sk}(c_1,c_2):

Since c2=(yabm)modpc_2=(y^{ab}\cdot m)\mod p, we have m=c2c1amodpm=\frac{c_2}{c_1^a}\mod p

Output: mm

Security of El-Gamal encryption scheme

Proof

If not secure, then there exists a distinguisher D\mathcal{D} that can distinguish the encryption of m1,m2Gqm_1,m_2\in G_q with non-negligible probability μ(n)\mu(n).

{(pk,sk)Gen(1n):D(pk,Encpk(m1))} vs. {(pk,sk)Gen(1n):D(pk,Encpk(m2))}μ(n)\{(pk,sk)\gets Gen(1^n):D(pk,Enc_{pk}(m_1))\}\text{ vs. }\\ \{(pk,sk)\gets Gen(1^n):D(pk,Enc_{pk}(m_2))\}\geq \mu(n)

And proceed by contradiction. This contradicts the DDH assumption.

Last updated on
Introduction to Cryptography (Lecture 16)Introduction to Cryptography (Lecture 18)