可證明安全的公開金鑰密碼系統與通行碼驗證金鑰交換

Provably Secure Public Key Cryptosystems and Password Authenticated Key Exchange Protocols

Student: Ting-Yi Chang (張庭毅)

Advisors: Dr. Wei-Pang Yang (楊維邦), Dr. Min-Shiang Hwang (黃明祥)

Department of Computer Science, National Chiao Tung University

A Dissertation Submitted to the Department of Computer Science, College of Computer Science, National Chiao Tung University, in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Computer Science

December 2006

Abstract in Chinese

[The Chinese abstract is mis-encoded in this extraction and cannot be recovered; the English abstract below covers the same content.]

Provably Secure Public Key Cryptosystems and Password Authenticated Key Exchange Protocols

Student: Ting-Yi Chang

Advisor: Dr. Wei-Pang Yang

Dr. Min-Shiang Hwang

Institute of Computer Science and Engineering

National Chiao Tung University

ABSTRACT

In this thesis, we focus on two topics: public key cryptosystems and password authenticated key exchange protocols.

Public Key Cryptosystems. In the ElGamal cryptosystem, when the plaintext is larger than the modulus p, it must be divided into several pieces smaller than p, and each piece is then encrypted with the ElGamal cryptosystem one by one. Hwang et al. proposed an ElGamal-like cryptosystem for encrypting a large plaintext efficiently. However, we show that their scheme is insecure in the IND-CPA sense whether or not the cryptosystem operates in the quadratic residue subgroup modulo p. Moreover, encryption and/or decryption in their scheme can fail with non-zero probability.

In order to encrypt a large plaintext efficiently, we present an efficient conversion from the IND-CPA secure ElGamal encryption scheme to an IND-CCA2 secure extension of the ElGamal encryption scheme in the random oracle model, called the ElGamal-extension cryptosystem. To demonstrate that the ElGamal-extension cryptosystem is secure using only two random numbers no matter what the length of the plaintext, a new security notion [...]

[...] cryptosystems in terms of computational complexity and the amount of transmitted data.

Password Authenticated Key Exchange Protocols. A password authenticated key exchange (PAKE) protocol allows two parties (a client and a server) to establish a session key when the secret used for authentication is a human-memorable password. We show that some PAKE schemes are vulnerable to forged authenticator attacks and off-line password guessing attacks, and do not provide perfect forward secrecy.

We present a simple PAKE protocol which was conjectured secure when the symmetric-encryption primitive is instantiated via a mask generation function that is the product of the message with a hash of the password. This protocol is secure in the Bellare-Pointcheval-Rogaway security model under the assumption that the computational Diffie-Hellman problem is hard and that the hash functions behave like random oracles. At the same time, we propose a new protected password change (PPC) protocol. The PPC protocol offers users the freedom of changing passwords at will.

Keywords: adaptive chosen-ciphertext attack, authentication, chosen-plaintext attack, Diffie-Hellman problem, chosen-ciphertext attack, forged authenticator attack, indistinguishability, key exchange, non-malleability, off-line password guessing attack, one-wayness, password, provably secure, public key cryptosystem, random oracle.

Acknowledgements

[The Chinese acknowledgements are mis-encoded in this extraction; the English version follows.]

I would like to thank Dr. Wei-Pang Yang and Dr. Min-Shiang Hwang, my supervisors, for their many suggestions and constant support during this research.

In addition, I wish to thank the following: Professor C. C. Yang, Professor T. C. Wu, Professor D. J. Guan, Professor G. Horng, Professor Y. S. Yeh and Professor S. M. Yuan. They gave me many suggestions that gave me a better perspective on my own results.

Of course, I am grateful to my mom and sister for their patience and love. Without them this work would never have come into existence (literally). In particular, my wife keeps my family well, which lets me concentrate my mind on this research.


Contents

Abstract in Chinese
Abstract in English

1 Introduction
  1.1 Motivation
    1.1.1 Cryptographic Schemes and Their Security
    1.1.2 Scope of This Thesis
  1.2 Overview of Chapters
    1.2.1 Chapter 2: Background
    1.2.2 Chapter 3: Security Analysis of ElGamal-Like Cryptosystem
    1.2.3 Chapter 4: An ElGamal-Extension Cryptosystem
    1.2.4 Chapter 5: Password Authenticated Key Exchange Protocols
    1.2.5 Chapter 6: Simple Password Authenticated Key Exchange and Protected Password Change Protocols
    1.2.6 Chapter 7: Conclusions

2 Background
  2.1 Introduction
    2.1.1 Public Key Cryptosystems
    2.1.2 RSA Cryptosystem
    2.1.3 ElGamal Cryptosystem
  2.2 Computational Primitives
  2.3 Security Notions
  2.4 The Random Oracle Model
  2.5 Plaintext Awareness
  2.6 Related Work
  2.7 Definitions and Security Models

3 Security Analysis of ElGamal-Like Cryptosystem
  3.1 Review of ElGamal Cryptosystem
  3.2 Security Analysis
  3.3 Review of ElGamal-Like Cryptosystem
  3.4 Security Analysis

4 An ElGamal-Extension Cryptosystem
  4.1 ElGamal-Extension Cryptosystem
  4.2 Security Analysis
  4.3 Performance Analysis
  4.4 Discussions

5 Password Authenticated Key Exchange Protocols
  5.1 Introduction
  5.2 Related Work
  5.3 The Security Model
  5.4 Attacks on Some Password Authenticated Key Exchange Protocols

6 Simple Password Authenticated Key Exchange and Protected Password Change Protocols
  6.1 Password Authenticated Key Exchange Protocol
  6.3 Security Analysis

7 Conclusions

List of Figures

1.1 Reduction approach
2.1 Encryption and decryption in a public key cryptosystem
2.2 Relations among GOAL-ATK
2.3 A concept of IND-CCA2 (C: cryptosystem, K: key generation algorithm, E_pk: encryption algorithm, D_sk: decryption algorithm, A: adversary, B: flips a coin)
2.4 A concept of PA (B: adversary, PE: plaintext extractor)
6.1 An execution of the protocol PAKE
6.2 An execution of the protocol SPC
6.3 Specification of protocol initialization
6.4 Specification of protocol PAKE
6.5 Specification of protocol PPC
6.6 Simulation of the hash functions G, H_i
6.7 Simulation of protocol PAKE (1)
6.8 Simulation of protocol PAKE (2)

List of Tables

2.1 Assumptions and security notions of some related schemes
4.1 Computational complexity and ciphertext size among three encryption schemes
5.1 Summary of related schemes in PAKE


Chapter 1

Introduction

1.1 Motivation

1.1.1 Cryptographic Schemes and Their Security

Numerous cryptographic schemes have been proposed to meet various desirable security and performance requirements. It is very important to design robust and versatile cryptographic schemes which can serve as sound security primitives. However, many schemes were subsequently found to be flawed, and were then either modified to withstand the new attacks or abandoned altogether. Designers do all they can to anticipate attacks and to counter them one by one. Baek [6] gives a good example: Bleichenbacher's attack [17] on the RSA [69] encryption standard PKCS #1, which was implemented in the widely used Secure Socket Layer (SSL) protocol. It seems that the attacked PKCS #1 had been constructed through intuitive heuristics rather than rigorous analysis. We call schemes designed by such intuitive, heuristic analysis attack-response secure. Consequently, Bleichenbacher's attack suggests that the heuristic approach to designing cryptographic schemes can be risky, and that the security of cryptographic schemes should be evaluated very carefully before they are deployed.

How do we know that a cryptographic scheme is secure? A sound approach to evaluating the security of cryptographic schemes or protocols already exists. This approach is called "provable security" and stems from Goldwasser and Micali's [35] pioneering work on public key encryption schemes that hide all partial information about the plaintext. According to Stinson [79], the provable security approach can be described as follows:

“This approach is to provide evidence of security by reducing the security of the cryptosystem to some well-studied problem that is thought to be difficult. For example, it may be able to prove a statement of the type ‘a given cryptosystem is secure if a given integer N cannot be factored.’ Cryptosystems of this type are sometimes called provably secure.”

A reductionist approach to evaluating the security of cryptographic schemes is popular. One shows with mathematical rigor that any attacker that can break the cryptographic scheme can be transformed into an efficient algorithm that solves the underlying well-studied problem, e.g., the integer factorization problem or the discrete logarithm problem, which is widely believed to be very hard. We call such an assumption a primitive cryptographic assumption. Are those assumptions correct? No answer will be available at least until the famous P = NP question is resolved. Unfortunately, the current state of the art in the theory of computational complexity is such that one cannot hope to prove the truth of these computational hardness assumptions [33].

Turning this logic around: via the reduction, we have constructed an algorithm that solves the underlying well-studied problem. However, we know that the problem is difficult, so no such attacker can exist. The concept is illustrated in Figure 1.1.

Figure 1.1: Reduction approach. Algorithm A1 (input n = p · q, output p, q) solves the integer factorization problem by running: 1. · · · ; 2. call Algorithm A2; 3. · · · , where Algorithm A2 is an algorithm for breaking the cryptographic scheme.

A security proof in this style, besides the name reduction to contradiction, is also called a reduction proof. Via such an analysis, we call the scheme provably secure in the standard model [35, 79]. We use the following notation from the theory of computational complexity [56]. $A \le_p B$: problem A is polynomial-time reducible to B if (1) given an instance $I_A$ of A we can construct an instance $I_B$ of B such that the solution $B(I_B)$ can be converted into the solution $A(I_A)$, and (2) both the construction of the instance and the conversion of the solutions can be done in polynomial time.

If $A \le_p B$, then problem A is no harder to solve than B. If $A \le_p B$ and $B \le_p A$, the two problems are equivalent, denoted $A \equiv_p B$. Back to cryptographic schemes, the corresponding statement in this notation is as follows.

[Theorem]

$\text{primitive cryptographic assumption} \le_p \text{breaking the cryptographic scheme}$

[Proof]

If there is an algorithm A2 that can break the cryptographic scheme, then we can construct an algorithm A1 that breaks (solves) the primitive cryptographic assumption (hard problem).

To design a cryptographic scheme and prove it secure in this way is no easy task, especially if one wants a practical cryptographic scheme. When the provable security approach began to be applied to the analysis of practical schemes, it was found that a major stumbling block to providing security proofs for these schemes was the modelling of one-way cryptographic hash functions. Such functions are used in many schemes, e.g., for collision-resistant compression (hashing) of information before the application of a digital signature, for producing authenticators, for checking the validity of ciphertexts, and for other cryptographic values, without leaking information on the secret hashed value via the hash output. To make this task more manageable, an ideal hash function [12] named the random oracle was proposed. It is a powerful, imaginary function which is deterministic and efficient and has uniformly distributed output values. The result of this approach is a reduction proof in the above sense, but the proof is only valid in a parallel universe where random oracles exist. We call a scheme with such an analysis provably secure in the random oracle model.

[Theorem]

$\text{primitive cryptographic assumption} \wedge \text{random oracle} \le_p \text{breaking the cryptographic scheme}$

[Proof]

If there is an algorithm A2 that can break the cryptographic scheme in the random oracle model, then we can construct an algorithm A1 that breaks (solves) the primitive cryptographic assumption (hard problem).

The existence of a random oracle is not a hardness assumption like the integer factorization problem. In the real world, the random oracles in schemes that are provably secure in the random oracle model are replaced by hash functions (or pseudo-random functions). Nevertheless, the random-oracle-model-based technique for security proofs is a useful test-bed and often yields better-performing schemes [7]; cryptographic schemes which do not perform well on the test-bed should be discarded.

The following are two important properties for a reduction to contradiction [55].

• The reduction should be efficient (polynomial-time). For example, suppose an algorithm A2 breaks the cryptographic scheme in $10^{-6}$ seconds and the reduction is a polynomial of degree 8 in the security parameter, which is 1024 bits. Then the cost of the reduction is at the level of $1024^8 = 2^{80}$ invocations of A2, and the running time of A1 for solving the hard problem is $2^{80} \times 10^{-6}$ seconds, about 38 billion years.

• The assumptions which are required for a cryptographic scheme should be as weak as possible. Weaker assumptions are easier to satisfy using more practical and available cryptographic constructions, which provide higher security confidence than those using stronger assumptions.

[...] works taking this approach, and it has become a paradigm of cryptographic research. As a consequence, and possibly affected by the negative results on the security of past cryptographic standards, e.g., [1], [40] and [17], today's standards organizations such as ISO/IEC [73], P1363 [63] and NESSIE [29] strongly recommend that a precise security analysis based on the provable security approach be included in any proposal of new cryptographic schemes or protocols.

1.1.2 Scope of This Thesis

We have discussed the provable security approach above. It is not only important for analyzing the security of a designed cryptographic scheme but also helps in designing new ones with a high level of security guarantee. In this thesis, we aim at two kinds of cryptographic schemes: public key cryptosystems and password authenticated key exchange protocols.

PART I: Public Key Cryptosystems

1. We show that the ElGamal-like cryptosystem [44] for encrypting large messages, which is only attack-response secure, is insecure. Their motivation is nonetheless good, since encrypting large messages with the ElGamal cryptosystem [28] is inefficient.

2. In order to encrypt a large message efficiently in the ElGamal cryptosystem, we propose a new cryptosystem, called ElGamal-extension, and prove its security in the random oracle model.

PART II: Password Authenticated Key Exchange Protocols

1. Many password authenticated key exchange (PAKE) protocols have been proposed. Most of them are only attack-response secure. We show that the schemes of Tseng [81], Ku and Wang [49], Tseng, Jan and Chien [82], and Hwang and Yeh [43] are insecure.

2. We present a simple PAKE protocol which was conjectured secure when the symmetric-encryption primitive is instantiated via a mask generation function that is the product of the message with a hash of the password. This protocol is secure in the Bellare-Pointcheval-Rogaway security model [10] under the assumption that the computational Diffie-Hellman problem is hard and that the hash functions behave like random oracles. At the same time, we propose a new protected password change (PPC) protocol. The PPC protocol offers users the freedom of changing passwords at will.

1.2 Overview of Chapters

1.2.1 Chapter 2: Background

In Chapter 2, we survey the background theory on which the public key cryptosystem part of the thesis is based. First, we review the basics of public key cryptosystems and some computational primitives such as integer factorization, discrete logarithm and various Diffie-Hellman problems. We then study the important security notions for public key cryptosystems using the pairs GOAL = {OW, IND, NM} and ATK = {CPA, CCA1, CCA2} [...]

[...] controversial but is an important ingredient of the practice-oriented provable security paradigm in which one can design efficient provably secure cryptographic schemes [7]. A special security notion PA is introduced, which is defined in the random oracle model. PA has some useful properties; for example, a cryptosystem that meets PA and IND-CPA also meets IND-CCA2.

1.2.2 Chapter 3: Security Analysis of ElGamal-Like Cryptosystem

In Chapter 3, we first give a brief review of the famous ElGamal cryptosystem [28]. It has been proven to meet IND-CPA in the quadratic residue subgroup under the decisional Diffie-Hellman assumption [83]. In order to state our results on breaking the ElGamal-like cryptosystem [44] in Section 3.3 clearly and precisely, we first show in Section 3.2 that the ElGamal cryptosystem is insecure in the IND-CPA sense if the operations are not in the quadratic residue subgroup. In order to encrypt a large message efficiently in the ElGamal cryptosystem, Hwang, Chang and Hwang [44] proposed an ElGamal-like cryptosystem and claimed that their scheme is secure against chosen-plaintext attacks. However, in Section 3.4, we show separately that the ElGamal-like cryptosystem is insecure in the IND-CPA sense both inside and outside the quadratic residue subgroup.


1.2.3 Chapter 4: An ElGamal-Extension Cryptosystem

In Chapter 4, we propose a new ElGamal-extension cryptosystem and prove that it is secure in the IND-CCA2 sense in the random oracle model. It has the following advantages:

• It is only necessary to generate two random numbers. The total number of modular exponentiations is 4 in encryption and 2 in decryption, independent of the number of plaintext blocks. Only some low-complexity operations such as random function evaluations and modular multiplications are needed.

• The ciphertext is smaller when the plaintext is large enough.

• It is secure in the IND-CCA2 sense, which provides a higher security level than the IND-CPA achieved by the ElGamal encryption scheme.

We then design a special security notion, IND-CPA-PAIR, and show that the proposed scheme achieves it. Then, we compare the computational complexity and ciphertext size of our scheme with those of some cryptosystems which achieve the same security level, IND-CCA2.

1.2.4 Chapter 5: Password Authenticated Key Exchange Protocols

[...] We study the important security model [10] proposed by Bellare, Pointcheval and Rogaway for password authenticated key exchange protocols, which defines the adversary's capabilities such as passive attacks, active attacks, known-key attacks and password guessing attacks, and the goals such as mutual authentication and semantic security of authenticated key exchange. We show that the password authenticated key exchange protocols of Tseng [81], Ku and Wang [49], Tseng, Jan and Chien [82], and Hwang and Yeh [43] are insecure.

1.2.5 Chapter 6: Simple Password Authenticated Key Exchange and Protected Password Change Protocols

In Chapter 6, we present a simple password authenticated key exchange protocol by modifying the Yeh-Sun scheme [85]. At the same time, we also present a new protected password change protocol which, unlike the previously proposed schemes [47, 49, 53, 70, 81, 85] where the parties cannot arbitrarily change their own passwords, offers users the freedom of changing passwords at will.

1.2.6 Chapter 7: Conclusions


Chapter 2

Background

2.1 Introduction

Cryptosystems are classified into symmetric cryptosystems and asymmetric (public key) cryptosystems. Symmetric cryptosystems, such as DES [76] and Rijndael [23, 24, 25], use a common secret key to encrypt plaintext and to decrypt ciphertext. This brings two difficulties:

• The secret keys must be distributed privately.

• A large number of secret keys must be managed. For example, if there are n users who want to exchange confidential data, then n(n − 1)/2 secret keys are needed. This number increases rapidly as the number of users grows.

In public key (asymmetric) cryptosystems, each user creates a pair of keys, one of which is published in a public directory while the other is kept secret. The public key is used as the encryption key, but the secret key, referred to as the private key, is used as the decryption key. As a result, there is no key distribution problem and no key sharing problem as in symmetric key cryptosystems. However, encrypting large messages with asymmetric cryptosystems is time consuming.

In this chapter, we first give an overview of public key cryptosystems and their security notions in an informal way; the following sections then revisit the definitions formally.

2.1.1 Public Key Cryptosystems

Here we see how public key cryptosystems run; they are usually divided into three phases.

- Key generation phase:
The receiver Bob creates his secret key $sk_B$ and public key $pk_B$.

- Encryption phase:
Anyone who wants to send a confidential message (plaintext x) to Bob encrypts it using $pk_B$.

- Decryption phase:
Upon receiving the corresponding ciphertext y, Bob uses his $sk_B$ to recover the plaintext x.

Figure 2.1 illustrates a schematic outline of a public key cryptosystem. Revealing Bob's secret key $sk_B$ from the public key $pk_B$ must be difficult; this is captured by the notion of a trapdoor one-way function.

Figure 2.1: Encryption and decryption in a public key cryptosystem (x is encrypted under $pk_B$ into y, and y is decrypted under $sk_B$ back into x).

Trapdoor one-way function $f_t(x): X \to Y$: it is easy to compute $f_t(x)$ for all $x \in X$ but difficult to invert for almost all values in Y. If the trapdoor information t is known, then for all $y \in Y$ it is easy to compute the $x \in X$ such that $y = f_t(x)$.

Diffie and Hellman [27] constructed a trapdoor one-way function based on modular exponentiation. This function made it possible to distribute a common session key shared between two users to establish secret communication over a public channel. This protocol is the famous "Diffie-Hellman key agreement protocol". However, the first practical realization of a public key cryptosystem was accomplished by Rivest, Shamir and Adleman, called the RSA cryptosystem [69]. Later, ElGamal [28] constructed a new public key cryptosystem based on the Diffie-Hellman trapdoor one-way function. Two typical primitives of the trapdoor one-way function are thus RSA [69] and ElGamal [28]. The difference between the ElGamal function and the RSA function is that the former is probabilistic rather than deterministic. In a probabilistic trapdoor one-way function, when encrypting a plaintext x twice, the probability of obtaining the same ciphertext y must be negligibly small. In Section 2.1.2 and Section 2.1.3, we review the RSA cryptosystem and the ElGamal cryptosystem, respectively.


2.1.2 RSA Cryptosystem

- Key generation phase:
The receiver Bob creates his secret key $sk_B$ and public key $pk_B$ as follows.

1. Choose two large distinct primes p and q, and compute $N = p \cdot q$.
2. Choose e coprime to $\varphi(N) = (p - 1)(q - 1)$, and let $pk_B = (N, e)$.
3. Choose d with $e \cdot d \equiv 1 \pmod{\varphi(N)}$, and let $sk_B = (N, d)$.

- Encryption phase:
Anyone who wants to encrypt a plaintext $x < N$ for Bob uses $pk_B$ as follows:
$$y = x^e \bmod N.$$

- Decryption phase:
Upon receiving the corresponding ciphertext y, Bob uses his $sk_B$ to recover the plaintext x as follows:
$$y^d = (x^e)^d \bmod N = x \bmod N.$$

The factorization of N can be reduced to an algorithm that computes d from (N, e). However, it is an open question whether an efficient algorithm for factoring can be derived from an efficient algorithm with inputs (N, e) and y that inverts RSA [26]. Note that d should be greater than $N^{1/4}$; otherwise, a polynomial-time algorithm to compute d can be constructed [84]. For choosing large primes, the reader can refer to [39] for more details.


2.1.3 ElGamal Cryptosystem

- Key generation phase:
The receiver Bob creates his secret key $sk_B$ and public key $pk_B$.

1. Choose a large prime p and a primitive root $g \in \mathbb{Z}_p^*$.
2. Choose an integer s at random in the range $1 \le s \le p - 2$, and let $sk_B = (p, g, s)$.
3. Compute $Y = g^s \bmod p$, and let $pk_B = (p, g, Y)$.

- Encryption phase:
Anyone who wants to encrypt a plaintext x for Bob uses $pk_B$:
$$y = (y_1, y_2) = (g^r \bmod p,\; x \cdot Y^r \bmod p),$$
where r is chosen at random in the range $1 \le r \le p - 2$.

- Decryption phase:
Upon receiving the corresponding ciphertext y, Bob uses his $sk_B$ to recover the plaintext x:
$$y_2 \cdot ((y_1)^s)^{-1} = (x \cdot Y^r) \cdot ((g^r)^s)^{-1} \bmod p = x \bmod p.$$

The ElGamal cryptosystem was proposed many years ago and is one of the few probabilistic encryption schemes. Not until 1998 did Tsiounis and Yung [83] prove that the security of the ElGamal cryptosystem (with operations in the quadratic residue subgroup) is actually equivalent to the decisional Diffie-Hellman problem. However, we will analyse the security of the ElGamal cryptosystem further in Chapter 3.

2.2 Computational Primitives

The security core of a public key cryptosystem relies on the hardness of a certain computational problem. Though various computational problems have been proposed so far, we only review the integer factorization and discrete logarithm problems, which are the most widely used computational problems in conventional cryptographic schemes.

Integer Factorization (IF) Problem: Given $N = p \cdot q$ where p and q are large primes, find p and q.

Many public key cryptosystems based on IF-related problems have been proposed, such as RSA [69], Rabin [67], Okamoto-Uchiyama [62], Pointcheval [66], Paillier [64], etc.

There are several computational problems related to the discrete logarithm problem, as follows.

Discrete Logarithm (DL) Problem: Given a finite cyclic group $G = \{g^0, g^1, \dots, g^{p-1}\}$, where g is a generator of G and $p = |G|$ is the order of G, and a random element $r \in G$, find the unique integer $i \in \mathbb{Z}_p$ such that $r = g^i$.

Computational Diffie-Hellman (CDH) Problem: Given a finite cyclic group $G = \{g^0, g^1, \dots, g^{p-1}\}$, where g is a generator of G and $p = |G|$ is the prime order of G, and $g^a, g^b \in G$ for random integers $a, b \in \mathbb{Z}_p$, compute $g^{ab} \in G$.

Decisional Diffie-Hellman (DDH) Problem: Given a finite cyclic group $G = \{g^0, g^1, \dots, g^{p-1}\}$, where g is a generator of G and $p = |G|$ is the prime order of G, and $g^a, g^b, g^c \in G$ for random integers $a, b, c \in \mathbb{Z}_p$, decide whether $g^c = g^{ab}$.


Relative to a fixed group G and generator g of G, there are obvious polynomial-time reductions from the DDH problem to the CDH problem, and from the CDH problem to the DL problem (if one can solve the DL problem then one can solve the CDH problem, and if one can solve the CDH problem then one can solve the DDH problem):

$$\text{DDH} \le_p \text{CDH} \le_p \text{DL},$$

but reductions in the reverse direction are not known. In other words, if the DL problem is hard, is the CDH problem also hard? And if the CDH problem is hard, is the DDH problem also hard?

$$\text{DL} \le_p \text{CDH} \le_p \text{DDH}\;?$$

All three problems are widely conjectured to be hard, and have been used as assumptions in proving the security of a variety of cryptographic schemes. See [18, 19, 57] for more details on this issue. Shoup [71] gives heuristic evidence for the hardness of all three problems in a certain structured model of computation.
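The known reduction chain DDH ≤_p CDH ≤_p DL, as an added worked example in Python (not code from the dissertation): a DL solver is turned into a CDH solver, and that in turn into a DDH solver, which is all the two forward reductions say. The group is constructed for the example: the order-q subgroup of Z_p^* for the safe prime p = 2039 (q = 1019), generated by g = 4. q is tiny on purpose so that the baby-step giant-step solver finishes instantly; the function names dlog, cdh_via_dl, ddh_via_cdh and dh_triple are this example's own.

```python
"""DDH <=_p CDH <=_p DL, made concrete (added example; constructed tiny group)."""
from math import isqrt

# Constructed parameters: p = 2q + 1 is a safe prime, 4 = 2^2 is a square mod p,
# so <4> is the subgroup of prime order q (G = {g^0, ..., g^{q-1}} in the text).
P, Q, G = 2039, 1019, 4


def dlog(h, g=G, p=P, q=Q):
    """DL solver: baby-step giant-step, O(sqrt(q)) time and memory.

    Solves g^i = h for the unique i in Z_q. With a real-size q this loop is
    the thing conjectured to be infeasible; the reductions below only assume
    that *some* DL solver exists.
    """
    m = isqrt(q) + 1                     # m^2 > q, so i = a*m + j covers all of Z_q
    baby = {}
    cur = 1
    for j in range(m):                   # baby steps: g^0, g^1, ..., g^{m-1}
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_step = pow(g, -m, p)           # g^{-m} (Python >= 3.8: negative exponent)
    gamma = h % p
    for a in range(m):                   # giant steps: h * g^{-am}
        if gamma in baby:
            return (a * m + baby[gamma]) % q
        gamma = gamma * giant_step % p
    raise ValueError("h is not in the subgroup generated by g")


def cdh_via_dl(ga, gb, g=G, p=P, q=Q):
    """CDH <=_p DL: one DL query on g^a turns (g^a, g^b) into g^{ab}."""
    a = dlog(ga, g, p, q)
    return pow(gb, a, p)


def ddh_via_cdh(ga, gb, gc, g=G, p=P, q=Q):
    """DDH <=_p CDH: decide whether g^c = g^{ab} by computing g^{ab} and comparing."""
    return cdh_via_dl(ga, gb, g, p, q) == gc % p


def dh_triple(a, b, g=G, p=P):
    """Constructed instance (g^a, g^b, g^{ab}) used to exercise the reductions."""
    return pow(g, a, p), pow(g, b, p), pow(g, a * b, p)


if __name__ == "__main__":
    ga, gb, gab = dh_triple(123, 456)
    print(dlog(ga), cdh_via_dl(ga, gb) == gab, ddh_via_cdh(ga, gb, gab))
```

Each function consumes only the output of the one below it in the chain, which is what makes the two reductions polynomial-time: the CDH solver makes a single DL call, the DDH solver a single CDH call. Nothing in the block goes the other way, matching the open questions in the text.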

2.3 Security Notions

As discussed in Chapter 1, provable security evaluates the security of a given cryptographic scheme by presenting a reduction between the properly defined security notion for the scheme and the underlying [...]

[...] was not known at the time, Rabin [67] nevertheless gave a scheme in which an eavesdropper's ability to extract the complete plaintext from a given ciphertext is computationally equivalent to factoring. This was the first scheme in which a security property was reduced to a complexity assumption. It introduced the methodology of reducing a security property to a well-defined complexity assumption which, in the absence of lower bound proofs, has become the major one in cryptography.

Previously, what we had to face was a passive attacker who could break a cryptosystem only in the all-or-nothing (one-wayness) sense. However, this security notion, which only deals with passive attackers, is not strong enough. The attacker may be active rather than passive; that is, she may have the capability to modify a ciphertext or to obtain a plaintext in some unspecified way. Moreover, in many applications plaintexts contain information which can be guessed easily, such as a BUY/SELL instruction to a stock broker. The attacker only needs to learn a single character (bit) of the BUY/SELL instruction, without decrypting the whole plaintext, to determine which instruction the victim sent.

For example, recall the RSA cryptosystem described in Section 2.1.2. Assume that one encrypts his instruction x for a stock broker using the broker's public key $pk = (N, e)$ as follows:
$$y = x^e \bmod N.$$

It seems a safe bet that if an eavesdropper sees a ciphertext y corresponding to a random plaintext x, then it will be impossible for that eavesdropper to figure out what x is. But when the plaintext is not random, such as the BUY/SELL instruction in this example, the eavesdropper can easily check what the corresponding plaintext is:
$$(\mathrm{BUY})^e \bmod N \stackrel{?}{=} y, \qquad (\mathrm{SELL})^e \bmod N \stackrel{?}{=} y.$$

Since RSA encryption is deterministic, the eavesdropper only encrypts the guessed plaintexts BUY/SELL and then checks whether the resulting ciphertext equals the intercepted one.
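The key generation of Section 2.1.2 and the guess-and-re-encrypt attack just described, as one added example in Python (not code from the dissertation). The primes 2^89 − 1 and 2^127 − 1 (both Mersenne primes), the public exponent 65537 and the big-endian ASCII encoding of the instructions are constructed choices for the example; the function names are this example's own. The attacker side, guess_plaintext, never touches the secret key: it only needs pk and the intercepted ciphertext, which is exactly why a deterministic scheme cannot be IND-CPA. The wiener_safe check is the text's caution that d must exceed N^{1/4}.

```python
"""Textbook RSA and the guess-and-re-encrypt attack (added example)."""
from math import gcd

# Constructed key material: two Mersenne primes, so N is ~216 bits.
# Far too small for real use; chosen only so the arithmetic is visibly RSA.
P = (1 << 89) - 1
Q = (1 << 127) - 1


def keygen(p=P, q=Q, e=65537):
    """Section 2.1.2: pk = (N, e), sk = (N, d) with e*d = 1 (mod phi(N))."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi)                  # modular inverse (Python >= 3.8)
    return (N, e), (N, d)


def encrypt(pk, x):
    """y = x^e mod N; the text's requirement x < N is enforced, not assumed."""
    N, e = pk
    if not 0 <= x < N:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(x, e, N)


def decrypt(sk, y):
    """x = y^d mod N."""
    N, d = sk
    return pow(y, d, N)


def encode(msg):
    """Constructed encoding: ASCII instruction -> big-endian integer."""
    return int.from_bytes(msg.encode("ascii"), "big")


def decode(x, length):
    return x.to_bytes(length, "big").decode("ascii")


def wiener_safe(sk):
    """The text's caution: d must exceed N^(1/4), i.e. d^4 > N (Wiener's attack otherwise)."""
    N, d = sk
    return d ** 4 > N


def guess_plaintext(pk, y, candidates):
    """Eavesdropper's attack on deterministic encryption: re-encrypt every guess
    under the public key and compare with the intercepted ciphertext y.
    Returns the matching instruction, or None if no candidate matches."""
    for msg in candidates:
        if encrypt(pk, encode(msg)) == y:
            return msg
    return None


if __name__ == "__main__":
    pk, sk = keygen()
    intercepted = encrypt(pk, encode("SELL"))
    print(guess_plaintext(pk, intercepted, ["BUY", "SELL"]))   # recovered without sk
```

The attack costs one public-key operation per candidate, so it is practical whenever the message space is small or structured; randomized padding (or a probabilistic scheme such as ElGamal, next) is what removes it.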

For the same situation, what happens in the ElGamal cryptosystem of Section 2.1.3? Note that a random integer r is used in the encryption phase, so the ciphertext differs each time the same plaintext is encrypted. Obviously, the ElGamal cryptosystem withstands the above attack. In many applications of cryptosystems, however, it is often the case that a user is required, upon receipt of a challenge message, to perform a decryption operation with her private key and send the result back. If we give the adversary the power to generate ciphertexts arbitrarily and obtain the corresponding plaintexts, the ElGamal cryptosystem cannot withstand such an adversary. For example, the adversary intercepts the ciphertext $y = (y_1, y_2) = (g^r \bmod p,\; \mathrm{BUY} \cdot Y^r \bmod p)$, which encrypts the message BUY. How can the adversary learn that the plaintext is BUY? He can generate a ciphertext as follows:
$$y' = (y_1,\; y_2 \cdot 2^{-1} \bmod p) = (g^r \bmod p,\; (\mathrm{BUY} \cdot Y^r \bmod p) \cdot 2^{-1} \bmod p)$$
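The ElGamal scheme of Section 2.1.3 together with the two weaknesses discussed in this section, as one added example in Python (not code from the dissertation). The decryption-oracle attack is the one just sketched: the oracle refuses the challenge itself, but (y_1, y_2 · 2^{-1}) is a different ciphertext whose decryption is x · 2^{-1}. The block also demonstrates why Chapter 3 restricts the scheme to the quadratic residue subgroup: when g is a primitive root of all of Z_p^*, the Legendre symbol of the plaintext can be read off the ciphertext, which is the standard IND-CPA distinguisher. The safe prime p = 2q + 1 (found by a deterministic search so the example is reproducible), the message encoding and the oracle interface are constructed for the example, and the function names are its own.

```python
"""ElGamal over Z_p^* with two textbook attacks (added example; constructed parameters)."""
import random

_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with the bases above."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start):
    """Smallest safe prime p = 2q + 1 with p >= start (deterministic, no RNG)."""
    q = (start // 2) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


def legendre(a, p):
    """Legendre symbol (a/p), a not divisible by p: +1 for a square, -1 otherwise."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def keygen(p):
    """Section 2.1.3: g a primitive root, s secret, Y = g^s. For a safe prime,
    the smallest non-residue generates all of Z_p^*, which is what the text's
    'primitive root' means (and what the Legendre attack below exploits)."""
    q = (p - 1) // 2
    g = next(c for c in range(2, p) if pow(c, q, p) == p - 1)
    s = random.randrange(1, p - 1)
    return (p, g, pow(g, s, p)), (p, g, s)


def encrypt(pk, x):
    p, g, Y = pk
    r = random.randrange(1, p - 1)
    return pow(g, r, p), x * pow(Y, r, p) % p


def decrypt(sk, y):
    p, _, s = sk
    y1, y2 = y
    return y2 * pow(pow(y1, s, p), -1, p) % p


# Attack 1 (IND-CPA fails outside the quadratic residue subgroup): since g is a
# primitive root, L(y1) = (-1)^r and L(Y) = (-1)^s, so L(Y^r) = (-1)^{rs} is public
# and L(x) = L(y2) * L(Y^r) leaks without the secret key.
def plaintext_legendre(pk, y):
    p, _, Y = pk
    y1, y2 = y
    l_Yr = -1 if legendre(y1, p) == -1 and legendre(Y, p) == -1 else 1
    return legendre(y2, p) * l_Yr


def ind_cpa_guess(pk, x0, x1, challenge):
    """Adversary picks x0, x1 with different Legendre symbols; returns the bit b."""
    return 0 if plaintext_legendre(pk, challenge) == legendre(x0, pk[0]) else 1


# Attack 2 (IND-CCA2 fails): the oracle refuses only the challenge itself.
def decryption_oracle(sk, challenge):
    def oracle(y):
        if y == challenge:
            raise ValueError("challenge ciphertext may not be queried")
        return decrypt(sk, y)
    return oracle


def cca2_recover(pk, challenge, oracle):
    """Query (y1, y2 * 2^-1): it decrypts to x * 2^-1, so doubling gives x."""
    p = pk[0]
    y1, y2 = challenge
    half = oracle((y1, y2 * pow(2, -1, p) % p))
    return half * 2 % p


P = safe_prime_from(1 << 63)                                   # constructed 64-bit safe prime
BUY, SELL = (int.from_bytes(w, "big") for w in (b"BUY", b"SELL"))  # constructed encoding

if __name__ == "__main__":
    pk, sk = keygen(P)
    c = encrypt(pk, SELL)
    print(cca2_recover(pk, c, decryption_oracle(sk, c)) == SELL)
```

The malleability that makes attack 2 work (multiplying y_2 by a constant multiplies the plaintext by the same constant) is the homomorphic property of ElGamal; it is harmless against a passive eavesdropper and fatal once a decryption oracle exists, which is the gap between IND-CPA and IND-CCA2 that the GOAL-ATK notions below make precise.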


To capture the powerful attackers, the stronger security notations are nec-essary and have been proposed. Bellare et al. [8] uses the pair goal (GOAL) and adversary models (ATK) to define the security notations of public key cryptosystems and describe the relations among them.

The goals GOAL = {OW, IND, NM} are defined as follows.

One-wayness (OW): given the challenge ciphertext y, the adversary has no ability to decrypt y to obtain the whole plaintext x.

Indistinguishability (IND): given the challenge ciphertext y, the adversary has no ability to obtain any information about the plaintext x.

Non-malleability (NM): given the challenge ciphertext y, the adversary has no ability to produce a different ciphertext y′ together with a meaningful relation between the corresponding plaintexts x and x′.

The adversary models ATK = {CPA, CCA1, CCA2} are defined as follows.

Chosen-Plaintext Attack (CPA) [35]: the adversary is only given the public key, and she can obtain the ciphertext of any plaintext chosen by her. In public key cryptosystems this attack cannot be avoided, so it is considered a basic requirement for most provably secure public key cryptosystems.

Chosen-Ciphertext Attack (CCA1) [59]: the adversary is not only given the public key but also has access to a decryption oracle before being given the challenge ciphertext. It has also been called a lunch-time or midnight attack.

Adaptive Chosen-Ciphertext Attack (CCA2) [68]: the adversary queries the decryption oracle both before and after being challenged; her only restriction is that she may not feed the decryption oracle with the challenge ciphertext itself. It has also been called a small-hours attack.


NM-CPA   ←   NM-CCA1   ←   NM-CCA2
   ↓            ↓            ↕
IND-CPA  ←   IND-CCA1  ←   IND-CCA2
   ↓            ↓            ↓
OW-CPA   ←   OW-CCA1   ←   OW-CCA2

Figure 2.2: Relations among GOAL-ATK

For A, B ∈ GOAL-ATK, "A → B" denotes that A implies B, which means that if a cryptosystem is secure in the sense of A, it is also secure in the sense of B. "A ↛ B" denotes that A does not imply B, which means that a cryptosystem secure in the sense of A is not always secure in the sense of B.

Bellare [7] explains precisely how to achieve provable security; the approach is summarized in the following steps.

Step 1. Set up a GOAL, e.g. confidentiality via encryption;

Step 2. Construct an ATK and define what it means for a cryptographic scheme to be secure;

Step 3. Show by a reduction that the only way to break the security notation GOAL-ATK of the cryptographic scheme is to solve computationally hard problems or break other primitives:

primitive cryptographic assumptions  ≤_p  the proposed cryptosystem is secure in the GOAL-ATK sense

Actually, setting up security goals and constructing relevant attack models, in other words, formulating the right definitions for the security of


crypto-important notations widely used in public key cryptography. We begin by describing the IND-ATK scenario, which is usually described in terms of the following game.

Stage 1. The public key pk and secret key sk are generated by the key generation algorithm on input a security parameter κ. The adversary obtains pk but not sk.

Stage 2. The adversary makes a number of arbitrary queries to a decryption oracle. Each query is a ciphertext that is decrypted by the decryption oracle, making use of sk of the cryptosystem. The corresponding plaintext is given to the adversary. The adversary is free to construct the ciphertexts in an arbitrary way without using the encryption algorithm.

Stage 3. The adversary arbitrarily chooses two plaintexts x0 and x1 of the same length |x0| = |x1| and gives these to an encryption oracle. Upon receiving x0, x1, the encryption oracle chooses a coin b ∈ {0, 1} at random, encrypts x_b and gives the resulting "challenge" ciphertext y to the adversary.

Stage 4. The adversary continues to submit ciphertexts to the decryption oracle, subject to the restriction that the submitted ciphertexts are not the same as the challenge ciphertext y.

Stage 5. The adversary outputs b′ ∈ {0, 1}, representing its "guess" of b.

- If Stage 2 and Stage 4 are omitted from the above, then ATK = CPA;
- If Stage 4 is omitted from the above, then ATK = CCA1;


The adversary's advantage in this attack scenario is defined to be
\[
\left| \Pr[b' = b] - \tfrac{1}{2} \right|.
\]

A cryptosystem is defined to be secure in the IND-ATK sense if for any adversary its advantage is negligible. The concept of IND-CCA2 is presented in Figure 2.3, and an exact definition is given in Section 2.7.

[Figure 2.3, diagram: K generates (pk, sk) from κ; A receives pk, sends (x0, x1) to B, who flips b and returns y = E_pk(x_b); before and after the challenge A submits ciphertexts y′ ≠ y to D_sk and receives the plaintexts x; finally A outputs b′.]

Figure 2.3: A concept of IND-CCA2. C: cryptosystem, K: key generation algorithm, E_pk: encryption algorithm, D_sk: decryption algorithm, A: adversary, B: flips a coin

Recently, Phan and Pointcheval [65] defined different levels for indistinguishability and non-malleability, and this leads to a stricter and more complex hierarchy for security notations in public key cryptosystems. That is, an adversary can ask at most i queries before receiving the challenge and at


2.4 The Random Oracle Model

After formulating security notations, we shall give the reduction from GOAL-ATK to the proposed cryptosystem. However, this is not always easy unless the hash functions used in the construction of the cryptosystem are assumed to behave as completely random functions. In order to introduce the random oracle model, we first recall the definitions of collision resistant hash functions and universal one-way hash functions [79].

Collision Resistant Hash Functions. We say H is (t, ε)-collision resistant if for any algorithm A running in time at most t we have:
\[
\Pr[(x, y) \leftarrow A : H(x) = H(y) \wedge x \neq y] \leq \varepsilon.
\]
That is, the algorithm A outputs two distinct values x and y such that H(x) = H(y) with probability at most ε.

Universal One-Way Functions. The difference from collision resistant hash functions is that [58] the algorithm does not get to choose both x and y; instead, the algorithm is given a random value x and must find a different value y such that H(x) = H(y). Let H : {0, 1}^m → {0, 1}^n be a hash function. We say this function is (t, ε)-universal one-way if for all algorithms A running in time t we have:
\[
\Pr[x \leftarrow \{0,1\}^m;\ y \leftarrow A(x) : H(x) = H(y) \wedge x \neq y] \leq \varepsilon.
\]

This makes the adversary's job harder, meaning that universal one-way functions are a weaker requirement than collision-resistant hash functions. Universal one-way function families are also called target collision resistant. See [15] for recent results and further discussion.

Random Oracle Model. The random oracle model first appeared in [30] and was popularized by Bellare and Rogaway [12]; it gives a mathematical model of such ideal hash functions. In this model, a hash function H is a map from {0, 1}^a to {0, 1}^b for some specified values a and b. Security proofs in this model treat the hash functions as oracles, that is, one can only query the oracles to get the hash results. For each new query, the oracle responds by producing a truly random value. That is, for x ∈ {0, 1}^a and y ∈ {0, 1}^b, we have the probability Pr[H(x) = y] = 1/2^b. For repeated queries, the oracle responds with the same answer again.

However, a problem with the random oracle is that the behavior of random oracles is so ideal that no realization is possible. For implementation in the real world, all one can do is replace the random oracles by conventional hash functions such as SHA-2 [61].

2.5 Plaintext Awareness

In the random oracle model, there is a special notation "plaintext awareness (PA)", which was suggested in [12] (called PA-BR there) and later enhanced in [8] (called PA-BDPR there). The idea is that an adversary has no ability to create a ciphertext y without knowing its underlying plaintext x. To capture PA-BDPR, we give a scenario as follows. Let B be an adversary and PE be the plaintext (knowledge) extractor.


Stage 1. B is given a public key pk, access to the random oracle H, and an encryption oracle E^H_pk with pk and its own random oracle access. B outputs a ciphertext y, where y is not among the answers obtained by querying E^H_pk.

Stage 2. PE outputs the corresponding plaintext x (equal to D^H_sk's output) just by looking at pk, B's H-queries and the answers to them, and the answers to B's queries to E^H_pk.

The existence of PE is, intuitively, what it means for the encryption scheme to be plaintext aware. Obviously, B can do whatever PE was doing since, undeniably, she has access to the same things that PE does. Doing this, B would know the cleartext of any ciphertext she produces. The difference between PA-BDPR and PA-BR is that PA-BR does not provide E^H_pk to B. This restricts the ability of the adversary to obtain ciphertexts via eavesdropping on communications made to the receiver. We refer to PA-BDPR as PA. The concept of PA is presented in Figure 2.4, and an exact definition is given in Section 2.7.

The following results are proven [8].

Proposition 1. PA-BR ∧ IND-CPA ⇒ IND-CCA1 in the random oracle model.

Proposition 2. PA ∧ IND-CPA ⇒ IND-CCA2 in the random oracle model.

Indeed, PA is designed for the random oracle model. We can see that if a scheme does not use the random oracle and an extractor as above exists, then the extractor is essentially a decryption box. [8] leaves as an open question to find an analogous but achievable formulation of plaintext awareness for the standard model.


[Figure 2.4, diagram: K generates (pk, sk) from κ; B queries H and E^H_pk on x1, …, x_{q_E}, obtaining C = {y1, …, y_{q_E}}, and outputs y ∉ C; PE receives (Λ_H, C, pk, y) and outputs x, which is compared with D^H_sk(y).]

Figure 2.4: A concept of PA. B: adversary, PE: plaintext extractor

Herzog et al. [41] first proposed a PA without the random oracle model via key registration. Later, Bellare and Palacio [9] removed the burden of key registration. The reader can refer to [9, 41] for more details.

2.6 Related Work

Various public key cryptosystems [64, 66, 74] have been proposed which aim to be secure in the stronger notations. The general methodology for formally provable security is to reduce an alleged attack on an encryption scheme to a solution of an intractable problem.


cryptosystem operated in the quadratic residue modulo p is actually equivalent to the Decision Diffie-Hellman (DDH) problem. At the same time, they also proposed an enhanced ElGamal cryptosystem which is secure in the IND-CCA2 sense under the Random Oracle (RO) model and the decision Diffie-Hellman assumption. The random oracle is assumed to be an ideally random function when proving the security, and it is replaced by a practical random-like function such as a one-way hash function [12].

On the other hand, Cramer and Shoup [22] proposed a new public key cryptosystem based on the ElGamal cryptosystem, which is the first practical scheme that is IND-CCA2 secure under only the decision Diffie-Hellman assumption and universal one-way hash functions, i.e., in the standard model (without the use of random oracles).

Most schemes are specific to their own construction and cannot be adopted by other schemes. There are two major conversions that turn existing trapdoor one-way permutations into IND-CCA2 secure schemes. The Bellare-Rogaway conversion [13] focuses on deterministic trapdoor one-way permutations such as RSA; a comment [72] revealed a flaw in its proof. Later, Fujisaki et al. [31] found a way to rescue the Bellare-Rogaway conversion for trapdoor partial-domain one-way permutations. On the other hand, the Fujisaki-Okamoto conversion focuses on probabilistic trapdoor one-way functions such as ElGamal. Both conversions are in the random oracle model and under the trapdoor one-way function assumption.

Table 2.1 shows the different assumptions and GOAL-ATK among some related schemes. It should be realized that a security proof in the RO model is heuristic only, since the random oracle itself cannot be implemented in practice.


Table 2.1: Assumptions and security notations of some related schemes

Schemes                     Assumptions                                                       GOAL-ATK
ElGamal in QR_p [83]        DDH problem                                                       IND-CPA
Tsiounis-Yung [83]          DDH problem, RO                                                   IND-CCA2
Shoup-Gennaro [74]          DDH problem, RO                                                   IND-CCA2
Cramer-Shoup [22]           DDH problem, UOWHF                                                IND-CCA2
Pointcheval [66]            DRSA problem, RO                                                  IND-CCA2
Paillier-Pointcheval [64]   DCR problem, DPDL problem, RO                                     IND-CCA2
Hwang et al. [44]           DDH problem                                                       IND-CPA
Bellare-Rogaway [13]        deterministic trapdoor partial-domain one-way permutations, RO    IND-CCA2
Fujisaki-Okamoto [31]       probabilistic trapdoor one-way functions, RO                      IND-CCA2

UOWHF: universal one-way hash function; DRSA: dependent-RSA problem; DCR: decision composite residuosity problem; DPDL: decision partial discrete logarithm problem.


However, the RO model usually has better efficiency and is still a useful test-bed to prove the security.

Hwang, Chang, and Hwang [44] consider the following situation in the ElGamal cryptosystem. When the plaintext x is larger than the modulus p, it should be divided into several pieces x1, x2, · · · , xn such that each xi (for i = 1 to n) is smaller than p. Then we need to apply ElGamal encryption n times to obtain n ciphertexts yi. Accordingly, for the n ciphertexts yi, we also need to apply ElGamal decryption n times. This is to withstand known-plaintext attacks, in which the attacker has the ability to obtain plaintext-ciphertext pairs and uses these pairs to decrypt a ciphertext for which she does not have the plaintext. To reduce the computational complexity and the amount of transmitted data as compared to the ElGamal cryptosystem, they proposed an ElGamal-like cryptosystem for encrypting large messages and claimed that the resulting scheme is secure in the IND-CPA sense under the decision Diffie-Hellman assumption. However, we will show that their scheme is insecure in the IND-CPA sense in Section 3.3.

2.7 Definitions and Security Models

In this section, we give the definitions used in this thesis.

Definition 1. Let x ∈ Z*_n. Then x is said to be a quadratic residue modulo n if x ∈ QR_n, where
\[
QR_n = \{\, x \in \mathbb{Z}_n^* \mid \text{there is a } y \in \mathbb{Z}_n^* \text{ with } x = y^2 \bmod n \,\}.
\]


Definition 2. Let p be a prime > 2, and let x ∈ Z be prime to p. Then
\[
\left(\frac{x}{p}\right) =
\begin{cases}
+1, & \text{if } [x] \in QR_p, \\
-1, & \text{if } [x] \in QNR_p,
\end{cases}
\]
is called the Legendre symbol of x mod p.

Definition 3. A function ε(k) is negligible if for every positive polynomial P(k) ∈ Z[X] there is k0 such that for every k ≥ k0, ε(k) < 1/P(k).

Definition 4. Let A be a probabilistic algorithm and let A(a1, a2, . . . ; r) be the result of running A on input a1, a2, . . . and coins r. We let y ← A(a1, a2, . . .) denote the experiment of choosing r at random and letting y be A(a1, a2, . . . ; r). If S is a finite set, let a ←_R S be the operation of choosing a at random and uniformly from S. For probability spaces S, T, . . ., the notation Pr[a1 ← S; a2 ← T; . . . : p(a1, a2, . . .)] denotes the probability that the predicate p(a1, a2, . . .) is true after the ordered execution of the algorithms a1 ← S, a2 ← T, . . ..

Definition 5 (Computational Diffie-Hellman (CDH) problem). Let G be a group of large prime order q and g be a generator of G. An algorithm A is said to (t, ε)-solve the CDH problem in group G if A runs in no more than time t and furthermore
\[
\Pr[x, y \leftarrow_R \mathbb{Z}_q : A(g, g^x, g^y) = g^{xy}] \geq \varepsilon.
\]
We say that the CDH problem is hard if there is no such polynomial-time algorithm A.

Definition 6 (Decisional Diffie-Hellman (DDH) problem). A distinguishing algorithm T is said to (t, ε)-solve the DDH problem in group G if T runs in no more than time t and furthermore


Definition 7 (Probabilistic Public-Key Encryption Scheme). Let a triple of algorithms Π = (K, E, D) be a probabilistic public key encryption scheme.

- The key generation algorithm K is a probabilistic algorithm which on input 1^k, where k is the security parameter, outputs a pair (pk, sk) of matching public and secret keys.

- The encryption algorithm E is a probabilistic algorithm which on input a plaintext x and public key pk outputs a ciphertext y.

- The decryption algorithm D is a deterministic algorithm which on input a ciphertext y and the secret key sk outputs the plaintext x.

Definition 8 (Random Oracle Model). Let Ω be the set of all maps from the set {0, 1}* of finite strings to the set {0, 1}^∞ of infinite strings. H ← Ω denotes that we choose the map H from a set of an appropriate finite length {0, 1}^a to a set of an appropriate finite length {0, 1}^b, from Ω at random and uniformly, restricting the domain to {0, 1}^a and the range to the first b bits of output. By the assumption made in the random oracle model, for fixed x ∈ {0, 1}^a and y ∈ {0, 1}^b, Pr[H(x) = y] = 1/2^b.

Π = (K, E^H, D^H) denotes that E and D of the public key cryptosystem are allowed to access such an identical map H, and we say this encryption scheme is defined in the random oracle model.

Definition 9 (IND-ATK). Let A = (A1, A2) be a pair of probabilistic algorithms for the adversary, and Π = (K, E, D). For ATK = {CPA, CCA1, CCA2} and k ∈ N, denote the success event of A for Π by
\[
\mathrm{Succ}^{\mathrm{IND\text{-}ATK}}_{A,\Pi}(k) = [(pk, sk) \leftarrow K(1^k);\ (x_0, x_1, state) \leftarrow A_1^{O_1}(pk);\ b \leftarrow_R \{0,1\};\ y \leftarrow E_{pk}(x_b) : A_2^{O_2}(x_0, x_1, state, y) = b],
\]


where the first two components of the triple (x0, x1, state) are the plaintexts with the same length |x0| = |x1|, and the last is state information (including the public key pk) and some information to be preserved. Here, O1(·), O2(·) are defined as follows:

- If ATK = CPA then O1(·) = null and O2(·) = null;

- If ATK = CCA1 then O1(·) = D_sk(·) and O2(·) = null;

- If ATK = CCA2 then O1(·) = D_sk(·) and O2(·) = D_sk(·).

In the case of IND-CCA2, A2 does not ask its oracle to decrypt y. We denote the advantage of A for Π as
\[
\mathrm{Adv}^{\mathrm{IND\text{-}ATK}}_{A,\Pi}(k) = 2 \cdot \Pr[\mathrm{Succ}^{\mathrm{IND\text{-}ATK}}_{A,\Pi}(k)] - 1.
\]
We say that Π is secure in the IND-ATK sense if for any adversary A that is polynomial-time in k, Adv^{IND-ATK}_{A,Π}(k) is negligible in k.

If we insist that A = (A1, A2) is allowed to access a random oracle H in the random oracle model, we rewrite Succ^{IND-ATK}_{A,Π}(k) as follows:
\[
\mathrm{Succ}^{\mathrm{IND\text{-}ATK}}_{A,\Pi}(k) = [H \leftarrow \Omega;\ (pk, sk) \leftarrow K(1^k);\ (x_0, x_1, state) \leftarrow A_1^{O_1, H}(pk);\ b \leftarrow_R \{0,1\};\ y \leftarrow E^H_{pk}(x_b) : A_2^{O_2, H}(x_0, x_1, state, y) = b].
\]
Also, in the random oracle model, we write D^H_sk instead of D_sk.

Definition 10 (NM-ATK). Let A = (A1, A2) be a pair of probabilistic algorithms for the adversary, and Π = (K, E, D). For ATK = {CPA, CCA1, CCA2} and k ∈ N, denote the advantage of A for Π by
\[
\mathrm{Adv}^{\mathrm{NM\text{-}ATK}}_{A,\Pi}(k) = \left| \Pr[\mathrm{Succ}^{\mathrm{NM\text{-}ATK}}_{A,\Pi}(k)] - \Pr[\mathrm{Succ}^{\mathrm{NM\text{-}ATK}}_{A,\Pi,\$}(k)] \right|,
\]

where
\[
\mathrm{Succ}^{\mathrm{NM\text{-}ATK}}_{A,\Pi}(k) = [(pk, sk) \leftarrow K(1^k);\ (M, state) \leftarrow A_1^{O_1}(pk);\ x, \tilde{x} \leftarrow M;\ y \leftarrow E_{pk}(x);\ (R, \vec{y}) \leftarrow A_2^{O_2}(M, state, y);\ \vec{x} \leftarrow D_{sk}(\vec{y}) : (y \notin \vec{y}) \wedge (\mathrm{null} \notin \vec{x}) \wedge R(x, \vec{x})]
\]
and
\[
\mathrm{Succ}^{\mathrm{NM\text{-}ATK}}_{A,\Pi,\$}(k) = [(pk, sk) \leftarrow K(1^k);\ (M, state) \leftarrow A_1^{O_1}(pk);\ x, \tilde{x} \leftarrow M;\ y \leftarrow E_{pk}(x);\ (R, \vec{y}) \leftarrow A_2^{O_2}(M, state, y);\ \vec{x} \leftarrow D_{sk}(\vec{y}) : (y \notin \vec{y}) \wedge (\mathrm{null} \notin \vec{x}) \wedge R(\tilde{x}, \vec{x})].
\]

Here, O1, O2 are defined as in Definition 9. In the case of NM-CCA2, A2 does not ask its oracle to decrypt y.

We say that M is valid if |x| = |x̃| for any x, x̃ that are given non-zero probability in the message space M.

We say that Π is secure in the NM-ATK sense if for any adversary A that is polynomial-time in k and outputs a valid message space M samplable in time polynomial in k together with a relation R computable in time polynomial in k, Adv^{NM-ATK}_{A,Π}(k) is negligible in k.

If we insist that A = (A1, A2) is allowed to access a random oracle H in the random oracle model, we rewrite Succ^{NM-ATK}_{A,Π}(k) and Succ^{NM-ATK}_{A,Π,$}(k) as follows:
\[
\mathrm{Succ}^{\mathrm{NM\text{-}ATK}}_{A,\Pi}(k) = [H \leftarrow \Omega;\ (pk, sk) \leftarrow K(1^k);\ (M, state) \leftarrow A_1^{O_1, H}(pk);\ x, \tilde{x} \leftarrow M;\ y \leftarrow E^H_{pk}(x);\ (R, \vec{y}) \leftarrow A_2^{O_2, H}(M, state, y);\ \vec{x} \leftarrow D_{sk}(\vec{y}) : (y \notin \vec{y}) \wedge (\mathrm{null} \notin \vec{x}) \wedge R(x, \vec{x})]
\]
and
\[
\mathrm{Succ}^{\mathrm{NM\text{-}ATK}}_{A,\Pi,\$}(k) = [H \leftarrow \Omega;\ (pk, sk) \leftarrow K(1^k);\ (M, state) \leftarrow A_1^{O_1, H}(pk);\ x, \tilde{x} \leftarrow M;\ y \leftarrow E^H_{pk}(x);\ (R, \vec{y}) \leftarrow A_2^{O_2, H}(M, state, y);\ \vec{x} \leftarrow D_{sk}(\vec{y}) : (y \notin \vec{y}) \wedge (\mathrm{null} \notin \vec{x}) \wedge R(\tilde{x}, \vec{x})].
\]
Also, in the random oracle model, we write D^H_sk instead of D_sk.

Definition 11 (PA). Let Π = (K, E, D) be a public key encryption scheme, let B be an adversary, and let PE be a polynomial-time plaintext extractor. For any k ∈ N


define
\[
\mathrm{Succ}^{\mathrm{PA}}_{PE,B,\Pi}(k) = \Pr[H \leftarrow \Omega;\ (pk, sk) \leftarrow K(1^k);\ (\Lambda_H, C, y) \leftarrow \mathrm{run}\ B^{H, E^H_{pk}}(pk) : PE(\Lambda_H, C, y, pk) = D^H_{sk}(y)],
\]
where Λ_H = {(h1, H1), . . . , (h_{q_H}, H_{q_H})}, C = {y1, . . . , y_{q_E}}, and y ∉ C.

(Λ_H, C, y) ← run B^{H, E^H_pk}(pk) denotes running B on input pk with oracles H and E^H_pk, recording B's interaction with its oracles. Λ_H denotes the set of all B's queries to H and the corresponding answers. C denotes the set of all answers received from E^H_pk; C does not include the corresponding queries from B. Finally, B outputs y.

We say that PE is a (t, λ(k))-plaintext extractor if Succ^{PA}_{PE,B,Π}(k) ≥ λ(k) and PE runs within at most running time t.

We say that Π is secure in the sense of PA if Π is secure in the sense of IND-CPA and there exists a (t, λ(k))-plaintext extractor PE where t is polynomial in k and λ(k) is overwhelming in k.

To demonstrate that the ElGamal-Extension scheme is secure using only two random numbers, a new GOAL-ATK pair called IND-CPAPAIR is constructed. The difference from IND-CPA is that we additionally provide the adversary with the knowledge of one plaintext-ciphertext pair. Intuitively, this pair does not provide any help to the adversary, since in a public key encryption scheme the adversary has the ability to generate any such pair by herself. This is the refinement presented here, and its purpose is explained later in Chapter 4.


rithms for the adversary, and Π = (K, E, D). For k ∈ N, denote the success event of A for Π by
\[
\mathrm{Succ}^{\mathrm{IND\text{-}CPAPAIR}}_{A,\Pi}(k) = [(pk, sk) \leftarrow K(1^k);\ (x^*, x_0, x_1, state) \leftarrow A_1(pk);\ b \leftarrow_R \{0,1\};\ y \leftarrow E_{pk}(x_b);\ y^* \leftarrow E_{pk}(x^*) : A_2(x_0, x_1, (x^*, y^*), state, y) = b].
\]

As a supplementary explanation: the output (x*, x0, x1, state) of A1 is defined as in Definition 9 with an additional plaintext x*, where |x*| = |x0| = |x1|. The encryption oracle encrypts x_b to obtain y according to the coin flip b. It also encrypts x* to obtain a ciphertext y*. A2 additionally has the input (x*, y*), which denotes x* as the corresponding plaintext of the ciphertext y*. We denote the advantage of A for Π as

\[
\mathrm{Adv}^{\mathrm{IND\text{-}CPAPAIR}}_{A,\Pi}(k) = 2 \cdot \Pr[\mathrm{Succ}^{\mathrm{IND\text{-}CPAPAIR}}_{A,\Pi}(k)] - 1.
\]

We say that Π is secure in the IND-CPAPAIR sense if for any adversary A being


Chapter 3

Security Analysis of ElGamal-Like Cryptosystem

3.1 Review of ElGamal Cryptosystem

The ElGamal cryptosystem operated in the quadratic residues modulo p has been shown to be secure in the IND-CPA sense under the Diffie-Hellman assumption [83]. In order to state our results on breaking the ElGamal-like cryptosystem [44] clearly and precisely in Section 3.3, we begin with a review of the ElGamal cryptosystem that is not operated in the quadratic residues modulo p, and then show that it is insecure against IND-CPA.

Let Π = (K, E, D) be the ElGamal cryptosystem.

- Key generation algorithm K: (pk, sk) ← K(1^k), pk = (p, g, Y) and sk = (p, g, s), where Y = g^s mod p, |p| = k, 1 ≤ s ≤ p − 2, and #⟨g⟩ = p − 1 (g is a primitive root modulo p).


- Encryption algorithm E:
\[
(y_1, y_3) = E_{pk}(x, r) = (g^r \bmod p,\ x \cdot Y^r \bmod p),
\]
where the message x ∈ {0, 1}^k, x < p, and r ←_R {0, 1}^k.

- Decryption algorithm D:
\[
x = D_{sk}(y_1, y_3) = y_3 \cdot (y_1^s)^{-1} \bmod p.
\]

3.2 Security Analysis

We can see that g is a primitive root of G_p by the key generation algorithm K in Section 3.1. Below, we first give the following lemmas [26] and then show that the encryption scheme is not secure in the IND-CPA sense.

Lemma 1. Let p be a prime > 2 and g be a primitive root of Z*_p. Let [x] ∈ Z*_p. Then x ∈ QR_p if and only if x = g^α mod p for some even number α, 0 ≤ α < p − 1.

Lemma 2. The Legendre symbol is multiplicative in x:
\[
\left(\frac{xy}{p}\right) = \left(\frac{x}{p}\right)\left(\frac{y}{p}\right).
\]
It means [xy] ∈ QR_p if and only if either both [x], [y] ∈ QR_p or both [x], [y] ∈ QNR_p.

Theorem 1. Let Π = (K, E, D) be the ElGamal cryptosystem described in Section 3.1. An adversary A is a (t, ε)-breaker for Π(1^k) in IND-CPA if Adv^{CPA}_{A,Π}(k) ≥ ε and A runs within at most running time t, where ε = 1 and t ≤ t1 + 3 · t_QR.


Proof. We construct a breaking algorithm A = (A1, A2) for Π = (K, E, D) as follows.

Adversary A1(pk):
    Obtain {x0, x1}, where x0 ∈ QR_p and x1 ∈ QNR_p
    Return (x0, x1, state)
End.

Encryption oracle O_EN(x0, x1, pk):
    r ←_R Z_q
    b ←_R {0, 1}
    (y1, y3) ← E_pk(x_b, r)
    Return (y1, y3)
End.

Adversary A2(x0, x1, state, (y1, y3)):
    CASE 1: Y ∈ QR_p and y1 ∈ {QR_p, QNR_p}
        If y3 ∈ QR_p, then output 0
        If y3 ∈ QNR_p, then output 1
    CASE 2: y1 ∈ QR_p and Y ∈ QNR_p
        If y3 ∈ QR_p, then output 0
        If y3 ∈ QNR_p, then output 1
    CASE 3: Y ∈ QNR_p and y1 ∈ QNR_p
        If y3 ∈ QNR_p, then output 0
        If y3 ∈ QR_p, then output 1
End.

We now analyze the successful probability of adversary A = (A1,A2). We

define the following events.

E1 is the event (Y ∈ QR_p) ∧ (y1 ∈ {QR_p, QNR_p}),

E2 is the event (y1 ∈ QR_p) ∧ (Y ∈ QNR_p),

E3 is the event (Y ∈ QNR_p) ∧ (y1 ∈ QNR_p).

Let b′ be the output of A2. For CASE 1, Y = g^s ∈ QR_p. By Lemma 1, s is


We see that A2 will output the correct b′ = 0 (b′ = 1) if and only if y3 ∈ QR_p (y3 ∈ QNR_p). This is due to the multiplicative property of the Legendre symbol in Lemma 2:
\[
\left(\frac{y_3}{p}\right) = \left(\frac{x_b}{p}\right)\left(\frac{Y^r}{p}\right).
\]
Therefore, the conditional probability Pr[b′ = b | E1] = 1 and the probability Pr[E1] = 1/2. For the same reason, in CASE 2 the conditional probability Pr[b′ = b | E2] = 1. Note that (y1 ∈ QR_p) ∧ (Y ∈ QR_p) is included in the event E1, so the probability Pr[E2] = 1/4. For CASE 3, Y ∈ QNR_p and y1 ∈ QNR_p; by Lemma 1, s and r are odd, so Y^r = g^{sr} ∈ QNR_p. A2 will output the correct b′ = 0 (b′ = 1) if and only if y3 ∈ QNR_p (y3 ∈ QR_p). Thus, the conditional probability Pr[b′ = b | E3] = 1 and the probability Pr[E3] = 1/4. By the law of total probability,
\[
\Pr[\mathrm{Succ}^{\mathrm{CPA}}_{A,\Pi}(k)] = \Pr[b' = b] = \sum_{i=1}^{3} \Pr[b' = b \mid E_i] \cdot \Pr[E_i] = 1 \cdot \tfrac{1}{2} + 1 \cdot \tfrac{1}{4} + 1 \cdot \tfrac{1}{4} = 1,
\]
and we have Adv^{CPA}_{A,Π}(k) = 2 · Pr[Succ^{CPA}_{A,Π}(k)] − 1 = 1.

Thus, we have the ability to distinguish the distinct plaintexts x0 and x1. To be secure against IND-CPA, for security parameter k, primes p and q are chosen such that p = 2q + 1 (q is called a Sophie Germain prime if p is also prime), where |p| = k and |q| = k − 1. Then the unique subgroup G_q of prime order q of the multiplicative group Z*_p and a generator g of G_q are defined. In other words, the key generation algorithm K should be modified to K′.


- Key generation algorithm K′: (pk, sk) ← K′(1^k), pk = (p, g, Y) and sk = (p, g, s), where Y = g^s mod p, |p| = k, p = 2q + 1, #⟨h⟩ = p − 1, g = h² mod p, s ∈ Z_q, and #⟨g⟩ = q.

We can see that g generates all the quadratic residues in G_q = QR_p. In order to make all the ciphertexts lie in QR_p (so that the algorithm A cannot determine which message x0 ∈ QR_p / x1 ∈ QNR_p is the corresponding plaintext of the ciphertext), there are two simple methods to achieve this:

Method 1. The messages to be encrypted are always in QR_p.

Method 2. If the message x is in QR_p, then we are done. Otherwise, x is replaced by −x = p − x ∈ QR_p. Since
\[
(-1)^{(p-1)/2} = (-1)^q = -1 \bmod p, \quad \text{where } q \text{ is an odd number},
\]
we have
\[
(-x)^{(p-1)/2} = (-1)^{(p-1)/2} \cdot x^{(p-1)/2} = (-1) \cdot (-1) = 1 \bmod p.
\]

Whether a value is in QR_p or not can be computed efficiently by Euler's criterion in polynomial time. Let t_QR be the time for determining whether a value is in QR_p or not, and let t1 be the time for choosing two messages x0 ∈ QR_p and x1 ∈ QNR_p. Then, from the specification of A = (A1, A2), it performs at most 3 tests of cost t_QR, in CASE 2 or CASE 3. Hence, t ≤ t1 + 3 · t_QR, and it is polynomial-time.
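The distinguisher of Theorem 1 and the repair of this section (K′ with g = h² mod p, plus Method 2) carried through in code, as an added example that is not part of the thesis. The toy safe prime p = 1019, the primitive root h = 2, and the convention that messages lie in 1..q (used to undo Method 2 on decryption) are assumptions of this example.

```python
import random

# Constructed toy parameters: p = 1019 = 2*509 + 1 is a safe prime, q = 509.
P = 1019
Q = (P - 1) // 2
H = 2  # assumption: 2 is a primitive root mod 1019 (p = 3 mod 8, so 2 is a non-residue)


def legendre(x: int, p: int) -> int:
    """Euler's criterion: +1 if x in QR_p, -1 if x in QNR_p (gcd(x, p) = 1)."""
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def is_primitive_root(h: int, p: int, q: int) -> bool:
    # p - 1 = 2q with q prime, so h is primitive iff h^2 != 1 and h^q != 1 (mod p).
    return pow(h, 2, p) != 1 and pow(h, q, p) != 1


def keygen(g: int, order: int, p: int):
    """K (order = p - 1, textbook ElGamal) or K' (order = q, the subgroup QR_p)."""
    s = random.randrange(1, order)
    return (p, g, pow(g, s, p)), (p, g, s)


def encrypt(pk, x: int, r: int = None):
    p, g, Y = pk
    if r is None:
        r = random.randrange(1, p - 1)
    return pow(g, r, p), (x * pow(Y, r, p)) % p


def decrypt(sk, c):
    p, g, s = sk
    y1, y3 = c
    return (y3 * pow(pow(y1, s, p), -1, p)) % p


def distinguisher(pk, x0: int, x1: int, c) -> int:
    """A_2 of Theorem 1 for x0 in QR_p, x1 in QNR_p: (y3/p) = (x_b/p) * (Y^r/p)."""
    p, g, Y = pk
    y1, y3 = c
    if legendre(Y, p) == 1 or legendre(y1, p) == 1:
        # CASE 1 and CASE 2: s*r is even, Y^r is a residue, so (y3/p) = (x_b/p).
        return 0 if legendre(y3, p) == 1 else 1
    # CASE 3: s and r are both odd, Y^r is a non-residue and the symbol flips.
    return 1 if legendre(y3, p) == 1 else 0


def textbook_attack_success(trials: int = 200) -> float:
    """Fraction of IND-CPA challenges A_2 answers correctly against textbook
    ElGamal with a primitive root g of Z_p^*; Theorem 1 says this is 1."""
    assert is_primitive_root(H, P, Q)
    pk, _ = keygen(H, P - 1, P)
    x0 = next(x for x in range(2, P) if legendre(x, P) == 1)   # A_1's residue
    x1 = next(x for x in range(2, P) if legendre(x, P) == -1)  # A_1's non-residue
    wins = 0
    for _ in range(trials):
        b = random.randrange(2)  # the challenger's coin
        wins += distinguisher(pk, x0, x1, encrypt(pk, (x0, x1)[b])) == b
    return wins / trials


def encode_qr(x: int, p: int) -> int:
    """Method 2: keep x if it is a residue, else use p - x, a residue since (-1/p) = -1."""
    return x if legendre(x, p) == 1 else p - x


def decode_qr(m: int, p: int, q: int) -> int:
    # Added convention (assumption): messages lie in 1..q, so exactly one of
    # m and p - m is <= q and Method 2 can be undone unambiguously.
    return m if m <= q else p - m


def fixed_roundtrip_and_leak(trials: int = 200):
    """ElGamal under K' (g = h^2 mod p generates QR_p). Returns (every message
    decrypts correctly, every y3 is a residue): the Legendre symbol seen by
    the distinguisher is constant and no longer depends on x_b."""
    pk, sk = keygen(pow(H, 2, P), Q, P)
    ok = all_qr = True
    for _ in range(trials):
        x = random.randrange(1, Q + 1)
        c = encrypt(pk, encode_qr(x, P))
        all_qr = all_qr and legendre(c[1], P) == 1
        ok = ok and decode_qr(decrypt(sk, c), P, Q) == x
    return ok, all_qr
```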

3.3 Review of ElGamal-Like Cryptosystem
