4.4 KiB
Lecture 17
Chapter 3: Indistinguishability and Pseudorandomness
Public key encryption scheme (1-bit)
Gen(1^n):(f_i, f_i^{-1})
f_i is the trapdoor permutation. (eg. RSA)
Output((f_i, h_i), f_i^{-1}), where (f_i, h_i) is the public key and f_i^{-1} is the secret key.
Enc_{pk}(m):r\gets \{0, 1\}^n
Output(f_i(r), h_i(r)\oplus m)
where f_i(r) is denoted as c_1 and h_i(r)\oplus m is the tag c_2.
The decryption function is:
Dec_{sk}(c_1, c_2):
r=f_i^{-1}(c_1)
m=c_2\oplus h_i(r)
Validity of the decryption
Proof of the validity of the decryption: Exercise.
Security of the encryption scheme
The encryption scheme is secure under this construction (Trapdoor permutation (TDP), Hardcore bit (HCB)).
Proof:
We proceed by contradiction. (Constructing contradiction with definition of hardcore bit.)
Assume that there exists a distinguisher \mathcal{D} that can distinguish the encryption of 0 and 1 with non-negligible probability \mu(n).
\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(0))\} v.s.\{(pk,sk)\gets Gen(1^n):(pk,Enc_{pk}(1))\} \geq \mu(n)
By prediction lemma (the distinguisher can be used to create and adversary that can break the security of the encryption scheme with non-negligible probability \mu(n)).
P[m\gets \{0,1\}; (pk,sk)\gets Gen(1^n):\mathcal{A}(pk,Enc_{pk}(m))=m]\geq \frac{1}{2}+\mu(n)
We will use this to construct an agent B which can determine the hardcore bit h_i(r) of the trapdoor permutation f_i(r) with non-negligible probability.
f_i,h_i are determined.
B is given f_i(r) and h_i(r) and outputs b\in \{0,1\}.
r\gets \{0,1\}^nis chosen uniformly at random.y=f_i(r)is given toB.b=h_i(r)is given toB.- Choose
c_2\gets \{0,1\}= h_i(r)\oplus muniformly at random. - Then use
\mathcal{A}withpk=(f_i, h_i),Enc_{pk}(m)=(f_i(r), h_i(r)\oplus m)to determine whetherris0or1. - Let
m'\gets \mathcal{A}(pk,(y,c_2)). - Since
c_2=h_i(r)\oplus m, we havem=b\oplus c_2,b=m'\oplus c_2. - Output
b=m'\oplus c_2.
The probability that B correctly guesses b given f_i,h_i is:
\begin{aligned}
&~~~~~P[r\gets \{0,1\}^n: y=f_i(r), b=h_i(r): B(f_i,h_i,y)=b]\\
&=P[r\gets \{0,1\}^n,c_2\gets \{0,1\}: y=f_i(r), b=h_i(r):\mathcal{A}((f_i,h_i),(y,c_2))=(c_2+b)]\\
&=P[r\gets \{0,1\}^n,m\gets \{0,1\}: y=f_i(r), b=h_i(r):\mathcal{A}((f_i,h_i),(y,b\oplus m))=m]\\
&>\frac{1}{2}+\mu(n)
\end{aligned}
This contradicts the definition of hardcore bit.
QED
Public key encryption scheme (multi-bit)
Let m\in \{0,1\}^k.
We can choose random r_i\in \{0,1\}^n, y_i=f_i(r_i), b_i=h_i(r_i),c_i=m_i\oplus b_i.
Enc_{pk}(m)=((y_1,c_1),\cdots,(y_k,c_k)),c\in \{0,1\}^k
Dec_{sk}:r_k=f_i^{-1}(y_k),h_i(r_k)\oplus c_k=m_k
Special public key cryptosystem: El-Gamal (based on Diffie-Hellman Assumption)
Definition 105.1 Decisional Diffie-Hellman Assumption (DDH)
Define the group of squares mod
pas follows:
p=2q+1,q\in \Pi_{n-1},g\gets \mathbb{Z}_p^*/\{1\},y=g^2
G=\{y,y^2,\cdots,y^q=1\}\mod p
These two listed below are indistinguishable.
\{p\gets \tilde{\Pi_n};y\gets Gen_q;a,b\gets \mathbb{Z}_q:(p,y,y^a,y^b,y^{ab})\}_n
\{p\gets \tilde{\Pi_n};y\gets Gen_q;a,b,\bold{z}\gets \mathbb{Z}_q:(p,y,y^a,y^b,y^\bold{z})\}_n
(Computational) Diffie-Hellman Assumption:
Hard to compute
y^{ab}givenp,y,y^a,y^b.
So DDH assumption implies discrete logarithm assumption.
Ideas:
If one can find a,b from y^a,y^b, then one can find ab from y^{ab} and compare to \bold{z} to check whether y^\bold{z} is a valid DDH tuple.
El-Gamal encryption scheme (public key cryptosystem)
Gen(1^n):
p\gets \tilde{\Pi_n},g\gets \mathbb{Z}_p^*/\{1\},y\gets Gen_q,a\gets \mathbb{Z}_q
Output:
pk=(p,y,y^a\mod p) (public key)
sk=(p,y,a) (secret key)
Message space: G_q=\{y,y^2,\cdots,y^q=1\}
Enc_{pk}(m):
b\gets \mathbb{Z}_q
c_1=y^b\mod p,c_2=(y^{ab}\cdot m)\mod p
Output: (c_1,c_2)
Dec_{sk}(c_1,c_2):
Since c_2=(y^{ab}\cdot m)\mod p, we have m=\frac{c_2}{c_1^a}\mod p
Output: m
Security of El-Gamal encryption scheme
Proof:
If not secure, then there exists a distinguisher \mathcal{D} that can distinguish the encryption of m_1,m_2\in G_q with non-negligible probability \mu(n).
\{(pk,sk)\gets Gen(1^n):D(pk,Enc_{pk}(m_1))\}\text{ vs. }\\
\{(pk,sk)\gets Gen(1^n):D(pk,Enc_{pk}(m_2))\}\geq \mu(n)
And proceed by contradiction. This contradicts the DDH assumption.
QED