Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company
Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

8.4 The Diffie-Hellman Problem and the Discrete Logarithm Problem

The secrecy of the agreed shared key from the Diffie-Hellman key exchange protocol is exactly the problem of computing g^(ab) (mod p) given g^a and g^b. This problem is called the computational Diffie-Hellman problem (CDH problem).

Definition 8.1: Computational Diffie-Hellman Problem (CDH Problem) (in a finite field)

INPUT
   the description of the finite field;
   g: a generator element of the field's multiplicative group;
   g^a, g^b for some integers 0 < a, b < q.
OUTPUT
   g^(ab).

We have formulated the problem in a general form working in a finite field. The Diffie-Hellman key exchange protocol in §8.3 uses a special case.
For formalism purposes, in the definition of a general problem, an assumption, etc., we will try to be as general as possible, while in explanations outside formal definitions we will often use special cases which help to expose ideas with clarity.

If the CDH problem is easy, then g^(ab) (mod p) can be computed from the values p, g, g^a, g^b, which are transmitted as part of the protocol messages. According to our assumptions on the ability of our adversary (see §2.3), these values are available to an adversary.

The CDH problem rests, in turn, on the difficulty of the discrete logarithm problem (DL problem).

Definition 8.2: Discrete Logarithm Problem (DL Problem) (in a finite field)

INPUT
   the description of the finite field;
   g: a generator element of the field's multiplicative group;
   h: an element of the group generated by g.
OUTPUT
   the unique integer a < q such that h = g^a.

We denote the integer a by log_g h.

The DL problem looks similar to taking ordinary logarithms in the reals. But unlike logarithms in the reals, where we only need approximated "solutions," the DL problem is defined in a discrete domain where a solution must be exact.

We have discussed in Chapter 4 that the security theory of modern public-key cryptography is established on a complexity-theoretic foundation. Upon this foundation, the security of a public-key cryptosystem is conditional on some assumptions that certain problems are intractable. The CDH problem and the DL problem are two assumed intractable problems.

Intuitively we can immediately see that the difficulties of these problems depend on the size of the problems (here, it is the size of the field), as well as on the choice of the parameters (here, it is the choice of the public parameter g and the private data a, b). Clearly, these problems need not be difficult for small instances. In a moment we will further see that these problems need not be difficult for poorly chosen instances. Thus, a precise description of the difficulty must formulate properly both the problem size and the choice of the instances.

With the complexity-theoretic foundations that we have established in Chapter 4, we can now describe precisely the assumptions on the intractabilities of these two problems. The reader may review Chapter 4 to refresh several notions to be used in the following formulations (such as "1^k," "probabilistic polynomial time," and "negligible quantity in k").
Assumption 8.1: Computational Diffie-Hellman Assumption (CDH Assumption)

A CDH problem solver is a PPT algorithm that solves the CDH problem with an advantage ε > 0, where its input is as defined in Definition 8.1.

Let an instance generator be an algorithm that, on input 1^k, runs in time polynomial in k and outputs (i) the description of a finite field with |q| = k, and (ii) a generator element g.

We say that the instance generator satisfies the computational Diffie-Hellman (CDH) assumption if there exists no CDH problem solver for its output on 1^k with advantage ε > 0 non-negligible in k for all sufficiently large k.

Assumption 8.2: Discrete Logarithm Assumption (DL Assumption)

A DL problem solver is a PPT algorithm that solves the DL problem with an advantage ε > 0, where its input is as defined in Definition 8.2.

Let an instance generator be an algorithm that, on input 1^k, runs in time polynomial in k and outputs (i) the description of a finite field with |q| = k, (ii) a generator element g, and (iii) an element h of the group generated by g.

We say that the instance generator satisfies the discrete logarithm (DL) assumption if there exists no DL problem solver for its output on 1^k with advantage ε > 0 non-negligible in k for all sufficiently large k.

In a nutshell, these two assumptions state that in finite fields, for all sufficiently large instances, there exists no efficient algorithm to solve the CDH problem or the DL problem for almost all instances. A negligible fraction of exceptions are due to the existence of weak instances.

However, these two assumptions need considerably more elaboration. Let us first make a few important remarks, in which we will keep the "formal tone".

Remark 8.1

In Assumptions 8.1 and 8.2, the respective probability space should consider (i) the instance space, i.e., arbitrary finite fields and arbitrary elements are sampled (the importance of this will be discussed in §8.4.1), and (ii) the space of the random operations in an efficient algorithm. The need for considering (ii) is because by "polynomial-time" or "efficient" algorithm we include randomized algorithms (see Definition 4.6 in §4.4.6).

1. The number k in both formulations is called a security parameter. The instance generator on input 1^k outputs a random instance of the field and the element(s). From our study of the probabilistic prime generation in §4.4.6.1 and the field construction in §5.4 we know that the instance generator indeed terminates in time polynomial in k. It is now widely accepted that k = 1024 is the lower-bound setting of the security parameter for the DLP in finite fields. This lower bound is a result of a subexponential-time algorithm (index calculus) for solving the DLP in finite fields. The subexponential complexity expression is given in (8.4.2).
For |q| = 1024, the expression yields a quantity greater than 2^80. This is why the setting k = 1024 has become the widely agreed lower bound. Thus, as stipulated by the phrase "for all sufficiently large k" in both assumptions, we should only consider k greater than this lower bound.

2. Holding of the DL assumption means that the function in (8.4.1), the exponentiation x ↦ g^x, is one-way. Therefore, holding of the DL assumption implies the existence of a one-way function. It is widely believed that the DL assumption should actually hold (a case under the belief discussed in §4.5), or the function in (8.4.1) should be one-way, or in other words, one-way functions should exist.

3. It is not known to date whether or not the function in (8.4.1) is a trapdoor function (see Property 8.1 in §8.1 for the meaning of one-way trapdoor function). That is, no one knows how to embed trapdoor information inside this function to enable an efficient inversion of the function (i.e., an efficient method to compute x from g^x using trapdoor information). However, if the function uses a composite modulus (the function remains one-way), then the function becomes a trapdoor function where the prime factorization of the modulus forms the trapdoor information. The reader is referred to [229, 224, 228] for the technical details.

4. We still need more "common-language" explanations for these two assumptions. These two assumptions essentially say that "there is no polynomial-in-k algorithm for solving these two problems". However, we must read this statement with great care. A "poly(k) solver", if it exists, runs in time k^n for some integer n.
On the other hand, we know there exists a "subexponential solver" for the DLP running in time sub_exp(q), given in Equation 8.4.2, where c is a small constant (e.g., c < 2). Combining "no poly(k) solver" and "having a sub_exp(q) solver", we are essentially saying that k^n is much, much smaller than sub_exp(k log 2) (for k = |q| = log_2 q, we have log q = k log 2). However, this "much, much smaller" relation can only be true when n is fixed and k (as a function of n) is sufficiently large. Let us make this point explicit. Suppose k is not sufficiently large. Taking the natural logarithm of poly(k) and of sub_exp(k log 2), we come to compare the two resulting quantities, and we see that the known subexponential solver will be quicker than a supposedly "non-existing poly solver" once n reaches the level at which the two quantities meet.

The real meaning of "no poly(k) solver" is when k is considered as a variable which is not bounded (and hence can be "sufficiently large" as stated in the two assumptions), while n is a fixed constant. In reality, k cannot be unbounded. In particular, for the commonly agreed lower-bound setting for the security parameter, k = 1024, and for c < 2, there does exist a "poly(k) solver" which has a running time bounded by a degree-9 polynomial in k (confirm this by doing Exercise 8.4).

From our discussions so far, we reach an asymptotic explanation for "no poly(k) solver": k is unbounded and is sufficiently large. In reality k must be bounded, and hence a poly(k) solver does exist. Nevertheless, we can set a lower bound for k so that we can be content that the poly solver will run in time which is an unmanageable quantity. In fact, the widely agreed lower bound k = 1024 is worked out this way. This asymptotic meaning of "no poly solver" will apply to all complexity-theoretic intractability assumptions to appear in the rest of the book.

Finally let us look at the relationship between these two problems. Notice that the availability of a = log_g g_1 or b = log_g g_2 will permit the calculation of

   g_2^a = g_1^b = g^(ab).

That is, an efficient algorithm which solves the DLP will lead to an efficient algorithm to solve the CDH problem. Therefore if the DL assumption does not hold, then we cannot have the CDH assumption. We say that the CDH problem is weaker than the DL problem, or equivalently, the CDH assumption is a stronger assumption than the DL assumption. The converse of this statement is an open question: Can the DL assumption be true if the CDH assumption is false? Maurer and Wolf give a strong heuristic argument on the relation between these two problems; they suggest that it is very likely that these two problems are equivalent [190].
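As an added illustration that is not part of the book, the following Python code runs the Diffie-Hellman exchange of §8.3 on a constructed toy prime field and carries out the DL-to-CDH reduction just described: recovering a = log_g g_1 by exhaustive search (standing in for a DL solver) is enough to compute g^(ab) from the public values alone. The parameters p = 1019 and g = 2, the private exponents and the function names are constructed for this example and are far too small for any real use.

```python
# Added example (not from the book): Diffie-Hellman over a toy prime field,
# the CDH problem it relies on, and the reduction "DL solver => CDH solver"
# from §8.4. All parameters are constructed and deliberately tiny.

# Constructed toy instance: p is prime with p - 1 = 2 * 509, and g = 2
# generates the whole multiplicative group mod p (checked by is_generator).
P = 1019
P_MINUS_1_FACTORS = (2, 509)
G = 2


def is_generator(g, p, factors):
    """g generates the multiplicative group mod p iff
    g^((p-1)/r) != 1 (mod p) for every prime r dividing p - 1."""
    return 1 < g < p and all(pow(g, (p - 1) // r, p) != 1 for r in factors)


def dh_exchange(p, g, a, b):
    """The exchange of §8.3: returns both public values and both shared keys."""
    g_a = pow(g, a, p)          # sent by Alice
    g_b = pow(g, b, p)          # sent by Bob
    k_alice = pow(g_b, a, p)
    k_bob = pow(g_a, b, p)
    return g_a, g_b, k_alice, k_bob


def brute_force_dlog(g, h, p):
    """Toy DL solver: exhaustive search for a with g^a = h (mod p).
    Its cost grows linearly with p, which is why real p has 1024+ bits."""
    x = 1
    for a in range(p - 1):
        if x == h:
            return a
        x = (x * g) % p
    raise ValueError("h is not in the group generated by g")


def cdh_via_dl(p, g, g_a, g_b):
    """DL solver => CDH solver: a = log_g(g^a), then (g^b)^a = g^(ab)."""
    a = brute_force_dlog(g, g_a, p)
    return pow(g_b, a, p)


if __name__ == "__main__":
    assert is_generator(G, P, P_MINUS_1_FACTORS)
    a, b = 123, 456            # constructed private exponents
    g_a, g_b, k_alice, k_bob = dh_exchange(P, G, a, b)
    assert k_alice == k_bob
    # An eavesdropper sees only (p, g, g^a, g^b); with a DL solver that suffices.
    recovered = cdh_via_dl(P, G, g_a, g_b)
    print("shared key:", k_alice, "recovered from public values:", recovered)
```

The reduction runs in the opposite direction only heuristically, as the Maurer-Wolf remark above notes; the code shows the direction that is known, DL easy implies CDH easy.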
8.4.1 Importance of Arbitrary Instances for Intractability Assumptions

We should emphasize the importance of the arbitrary instances required in the DL assumption. Let us consider the multiplicative group modulo p, with p being a k-bit prime, and the problem of extracting a from h ≡ g^a (mod p). We know that a is an integer modulo p − 1. If p − 1 = q_1 q_2 … q_e with each factor q_i being small (meaning, q_i ≤ polynomial(k) for i = 1, 2, …, e), then the discrete-logarithm-extraction problem can be turned into extracting a_i ≡ a (mod q_i) from h^((p−1)/q_i) (mod p); but now the a_i are small and can be extracted in time polynomial in k. After a_1, a_2, …, a_e are extracted, a can be constructed by applying the Chinese Remainder Theorem (Theorem 6.7). This is the idea behind the polynomial-time algorithm of Pohlig and Hellman [231] for solving the DL problem modulo p if p − 1 has no large prime factor. Clearly, if every prime factor of p − 1 is bounded by a polynomial in k, then the Pohlig-Hellman algorithm has a running time polynomial in k.

A prime number p with p − 1 containing no large prime factor is called a smooth prime. But sometimes we also say "p − 1 is smooth" with the same meaning.

A standard way to avoid the smooth-prime weak case is to construct the prime p such that p − 1 is divisible by another large prime p'. By Theorem 5.2 (2), the cyclic group of nonzero residues modulo p contains a unique subgroup of order p'. If p' is made public, the users of the Diffie-Hellman key exchange protocol can make sure that the protocol is working in this large subgroup; all they need to do is to find an element g such that

   g ≠ 1 and g^(p') ≡ 1 (mod p).

This element g generates the group of the prime order p'. The Diffie-Hellman key exchange protocol should use (p, p', g) so generated as the common input. An accepted value for the size of the prime p' is at least 160 (binary bits), i.e., p' > 2^160. (Also see our discussion in §10.4.8.1.)

The DLP and the CDH problem are also believed to be intractable in a general finite abelian group of a large order, such as a large prime-order subgroup of a finite field, or a group of points on an elliptic curve defined over a finite field (for group construction: §5.5, and for the elliptic-curve discrete logarithm problem, ECDLP: §5.5.3). Thus, the Diffie-Hellman key exchange protocol will also work well in these groups.

There are several exponential-time algorithms which are very effective for extracting the discrete logarithm when the value to be extracted is known to be small. We have described Pollard's λ-method (§3.6.1).
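The following Python code, added here and not part of the book, generates and validates parameters (p, p', g) in the way just described: p' is a prime dividing p − 1, and g = h^((p−1)/p') for any h with g ≠ 1 has order exactly p'. It also shows the checks a protocol participant should run before accepting a triple (p, p', g) it did not generate itself, and a trial-division smoothness test (toy sizes only) that flags the Pohlig-Hellman weak case. The Miller-Rabin test stands in for the Monte-Carlo prime test of Chapter 4; the function names, the 40-round setting and the toy sizes are this example's own assumptions, while the 160-bit default for p' follows the text.

```python
# Added example (not from the book): generating and validating Diffie-Hellman
# parameters (p, q, g) with q = p' prime, q | p - 1 and g of order q, per §8.4.1.
import random

_rng = random.SystemRandom()


def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; `rounds` error bound 4^-rounds is this example's choice."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False           # a is a witness of compositeness
    return True


def random_prime(bits):
    """Random probable prime with exactly `bits` bits."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_dh_params(p_bits, q_bits):
    """Return (p, q, g): q prime, q | p - 1, g of prime order q modulo p."""
    q = random_prime(q_bits)
    while True:
        # p = t*q + 1 with t even: p is odd and q divides p - 1 by construction
        t = _rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        t &= ~1
        p = t * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:
        # g = h^((p-1)/q) has order dividing q; if g != 1 its order is exactly q
        h = _rng.randrange(2, p - 1)
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g


def validate_dh_params(p, q, g, min_q_bits=160):
    """Receiver-side checks on a (p, q, g) triple; returns the failed checks."""
    failed = []
    if not is_probable_prime(p):
        failed.append("p not prime")
    if not is_probable_prime(q):
        failed.append("q not prime")
    if q.bit_length() < min_q_bits:
        failed.append("q too small")        # §8.4.1: |p'| >= 160 bits
    if (p - 1) % q != 0:
        failed.append("q does not divide p-1")
    if not (1 < g < p):
        failed.append("g out of range")
    elif pow(g, q, p) != 1:
        failed.append("g not of order q")   # g != 1 and g^q = 1 => order is q
    return failed


def rough_cofactor(n, bound):
    """Strip all prime factors <= bound from n by trial division (toy sizes).
    A result of 1 means n is bound-smooth: the Pohlig-Hellman weak case."""
    for f in range(2, bound + 1):
        while n % f == 0:
            n //= f
    return n


if __name__ == "__main__":
    p, q, g = generate_dh_params(1024, 160)
    print("generated params pass checks:", validate_dh_params(p, q, g) == [])
    print("p-1 = 65536 is smooth:", rough_cofactor(65536, 100) == 1)
```

For the toy group p = 1019 used elsewhere in this section, p − 1 = 2 · 509 has the large factor 509, so g = 4 (order 509) passes the checks, while g = 2 generates the whole group and fails the order check.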
Extracting small discrete logarithms has useful applications in many cryptographic protocols.

Research into the DLP is very active. Odlyzko provided a survey of the area which included an extensive literature on the topic [221].

8.5 The RSA Cryptosystem (Textbook Version)

The best known public-key cryptosystem is RSA, named after its inventors Rivest, Shamir and Adleman [246]. RSA is the first practical realization of public-key cryptography based on the notion of the one-way trapdoor function which Diffie and Hellman envisioned [97, 98]. The RSA cryptosystem is specified in Alg 8.1. We notice that this is a textbook version of RSA encryption.
We now show that the system specified in Alg 8.1 is indeed a cryptosystem, i.e., Alice's decryption procedure will actually return the same plaintext message that Bob has encrypted.

Algorithm 8.1: The RSA Cryptosystem

Key Setup
To set up a user's key material, user Alice performs the following steps:
1. choose two random prime numbers p and q such that |p| ≈ |q|;
   (* this can be done by applying a Monte-Carlo prime number finding algorithm, e.g., Alg 4.7 *)
2. compute N = pq;
3. compute φ(N) = (p − 1)(q − 1);
4. choose a random integer e < φ(N) such that gcd(e, φ(N)) = 1, and compute the integer d such that
      ed ≡ 1 (mod φ(N));
   (* since gcd(e, φ(N)) = 1, this congruence does have a solution for d which can be found by applying the Extended Euclid Algorithm (Alg 4.2). *)
5. publicize (N, e) as her public key, safely destroy p, q and φ(N), and keep d as her private key.

Encryption
To send a confidential message m < N to Alice, the sender Bob creates the ciphertext c as follows:
      c ← m^e (mod N).
(* viewed by Bob, the plaintext message space is the set of all positive numbers less than N, although in fact the space is the multiplicative group of integers relatively prime to N. *)

Decryption
To decrypt the ciphertext c, Alice computes
      m ← c^d (mod N).

From the definition of the modulo operation (see Definition 4.4 in §4.3.2.5), the congruence ed ≡ 1 (mod φ(N)) in Alg 8.1 means

   ed = 1 + kφ(N)

for some integer k. Therefore, the number returned from Alice's decryption procedure is

   Equation 8.5.1
   c^d ≡ m^(ed) ≡ m^(1 + kφ(N)) (mod N).

We should notice that for m < N, it is almost always the case that m lies in the multiplicative group of integers relatively prime to N. In fact, the cases where m does not lie in that group are m = up or m = vq for some u < q or v < p. In such cases, Bob can factor N by computing gcd(m, N). Assuming that factoring is difficult (we will formulate the factorization problem and an assumption on its difficulty in a moment), we can assume that any message m < N prepared by Bob is relatively prime to N.

For such m, by Lagrange's Theorem (Corollary 5.2), we have

   m^φ(N) ≡ 1 (mod N).

This is true for all m relatively prime to N. By the definition of the order of a group element (see Definition 5.9 in §5.2.2), this means that the order of every such m divides φ(N). Obviously, this further implies

   m^(kφ(N)) ≡ 1 (mod N)

for any integer k. Thus, the value in (8.5.1) is, indeed, m.

Example 8.2.

Let Alice set N = 7 × 13 = 91 and e = 5. Then φ(N) = 6 × 12 = 72. Applying Alg 4.2 (by inputting (a, b) = (72, 5)), Alice obtains d = 29, that is, 5 × 29 ≡ 1 (mod 72). Therefore Alice has computed 29 to be her private decryption exponent. She publicizes (N, e) = (91, 5) as her public key material for the RSA cryptosystem.

Let Bob encrypt a plaintext m = 3. Bob performs encryption by computing

   c = 3^5 = 243 ≡ 61 (mod 91).

The resultant ciphertext message is 61.

To decrypt the ciphertext message 61, Alice computes

   61^29 ≡ 3 (mod 91),

which returns Bob's plaintext m = 3.

8.6 Cryptanalysis Against Public-key Cryptosystems

It makes sense to say "Cryptosystem X is secure against attack Y but is insecure against attack Z," that is, the security of a cryptosystem is defined by an attack. Active attacks have been modeled into three usual modes. These modes of active attacks will be used in the analysis of the cryptosystems to be introduced in the rest of this chapter. They are defined as follows.

Definition 8.3: Active Attacks on Cryptosystems

Chosen-plaintext attack (CPA)
An attacker chooses plaintext messages and gets encryption assistance to obtain the corresponding ciphertext messages. The task for the attacker is to weaken the targeted cryptosystem using the obtained plaintext-ciphertext pairs.

Chosen-ciphertext attack (CCA)
An attacker chooses ciphertext messages and gets decryption assistance to obtain the corresponding plaintext messages. The task for the attacker is to weaken the targeted cryptosystem using the obtained plaintext-ciphertext pairs.
The attacker is successful if he can retrieve some secret plaintext information from a "target ciphertext" which is given to the attacker after the decryption assistance is stopped. That is, upon the attacker's receipt of the target ciphertext, the decryption assistance is no longer available.

Adaptive chosen-ciphertext attack (CCA2)
This is a CCA where the decryption assistance for the targeted cryptosystem will be available forever, except for the target ciphertext.

We may imagine these attacks with the following scenarios. In a CPA, an attacker has in its possession an encryption box. In a CCA, an attacker is entitled to a conditional use of a decryption box: the box will be switched off before the target ciphertext is given to the attacker. In a CCA2, an attacker has in its possession a decryption box for use as long as he wishes, before or after the target ciphertext is made available to the attacker, provided that he does not feed the target ciphertext to the decryption box. This single restriction on CCA2 is reasonable since otherwise there will be no difficult problem for the attacker to solve. In all cases, the attacker should not have in its possession the respective cryptographic keys.

CPA and CCA were originally proposed as active cryptanalysis models against secret-key cryptosystems, where the objective of an attacker is to weaken the targeted cryptosystem using the plaintext-ciphertext message pairs he obtains from the attacks (see e.g., §1.2 of [284]). They have been adopted for modeling active cryptanalysis on public-key cryptosystems. We should notice the following three points which are specific to public-key cryptosystems.

The encryption assistance of a public-key cryptosystem is always available to anybody since, given a public key, anyone has complete control of the encryption algorithm. In other words, CPA can always be mounted against a public-key cryptosystem. So, we can call an attack against a public-key cryptosystem CPA if the attack does not make use of any decryption assistance. Consequently and obviously, any public-key cryptosystem must resist CPA or else it is not a useful cryptosystem.

In general, the mathematics underlying most public-key cryptosystems has some nice properties of an algebraic structure underlying these cryptosystems, such as closure, associativity, and homomorphism, etc. (review Chapter 5 for these algebraic properties). An attacker may explore these nice properties and make up a ciphertext via some clever calculations.
If the attacker is assisted by a decryption service, then his clever calculations may enable him to obtain some plaintext information, or even the private key of the targeted cryptosystem, which otherwise should be computationally infeasible for him to obtain. Therefore, public-key cryptosystems are particularly vulnerable to CCA and CCA2. We will see that every public-key cryptosystem to be introduced in this chapter is vulnerable to CCA or CCA2.

As a general principle, we have provided in Property 8.2 (ii) the advice that the owner of a public key should always be careful not to provide any decryption assistance to anybody. This advice must be followed for every public-key cryptosystem introduced in this chapter. In Chapter 14 we will introduce stronger public-key cryptosystems. Such cryptosystems do not require users to keep in such an alert state all the time.

It seems that CCA is too restrictive. In applications a user under attack (i.e., one who is asked to provide decryption assistance) actually does not know of the attack. Therefore the user can never know when (s)he should stop providing decryption assistance. We generally assume that normal users are too naive to know of the existence of attackers, and hence decryption assistance should be generally available all the time. On the other hand, any public-key cryptosystem must be secure against CPA since an attacker can always help himself to perform encryption "assistance" on chosen plaintext messages. For these reasons, we will mainly consider techniques to counter CCA2.

[...]

The resultant ciphertext is 155.

To decrypt the ciphertext 155, Alice first computes Dc using (8.10.2):

[...]

Now applying Alg 6.5, Alice finds that the four square roots of 42 modulo 209 are 135, 173, 36, [...]
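The three scenarios above (an encryption box, a decryption box that is switched off once the target ciphertext is issued, and a decryption box that refuses only the target itself) can be written down as a small oracle model. The following Python is an added example, not the book's code: it wraps a toy textbook RSA instance with constructed parameters (p, q, e) = (61, 53, 17), which are assumptions chosen for illustration and not secure, in a `DecryptionBox` that enforces each scenario's rule, and then shows that under CCA2 the "do not feed the target ciphertext" rule alone does not protect textbook RSA, because the multiplicative property the book discusses later on this page as Equation 8.9.3 lets a blinded copy of the target be submitted instead. This is the concrete reason behind Property 8.2 (ii): for a malleable cryptosystem the decryption box must not be offered at all.

```python
"""CPA / CCA / CCA2 decryption-assistance model on toy textbook RSA.

Added example (not from the book). All parameters are constructed toy
values: a 12-bit modulus is useless for real security and exists only so
the three scenarios can be run and compared.
"""
from math import gcd
import secrets

# --- constructed toy textbook RSA key (NOT for real use) ---
P, Q = 61, 53                  # constructed small primes
N = P * Q                      # 3233
PHI = (P - 1) * (Q - 1)
E = 17                         # public exponent, gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # private exponent


def rsa_encrypt(m: int) -> int:
    """Textbook RSA: c = m^e mod N, no padding, deterministic."""
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    """Textbook RSA: m = c^d mod N."""
    return pow(c, D, N)


class DecryptionBox:
    """The 'decryption assistance' available in each attack scenario.

    mode == "CPA":  no decryption assistance at all.
    mode == "CCA":  assistance only until the target ciphertext is issued.
    mode == "CCA2": assistance at any time, except for the target itself.
    """

    def __init__(self, mode: str):
        self.mode = mode
        self.target = None
        self.queries = 0

    def issue_target(self, m: int) -> int:
        """Encrypts m and hands the target ciphertext to the attacker."""
        self.target = rsa_encrypt(m)
        return self.target

    def decrypt(self, c: int) -> int:
        self.queries += 1
        if self.mode == "CPA":
            raise PermissionError("no decryption assistance under CPA")
        if self.mode == "CCA" and self.target is not None:
            raise PermissionError("box switched off once target was issued")
        if c % N == self.target:
            raise PermissionError("the target ciphertext is never decrypted")
        return rsa_decrypt(c)


def recover_via_multiplicative_property(box: DecryptionBox, c_target: int) -> int:
    """Obtains m from a CCA2 box without submitting c_target itself.

    Relies on textbook RSA's multiplicative property:
    (c_target * r^e)^d = m * r (mod N). The blinded ciphertext differs
    from the target, so the box's single restriction does not stop it.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2      # 2 <= r <= N-1, so r != 1
        if gcd(r, N) == 1:
            break
    c_blinded = (c_target * pow(r, E, N)) % N
    m_blinded = box.decrypt(c_blinded)        # equals m * r mod N
    return (m_blinded * pow(r, -1, N)) % N


def run_scenario(mode: str, m: int):
    """Returns the recovered plaintext, or None if the box's rule blocked it."""
    box = DecryptionBox(mode)
    c = box.issue_target(m)
    try:
        return recover_via_multiplicative_property(box, c)
    except PermissionError:
        return None


if __name__ == "__main__":
    for mode in ("CPA", "CCA", "CCA2"):
        print(mode, "->", run_scenario(mode, 1234))
```

Under CPA and CCA the call returns None, since no decryption assistance is available once the target exists; under CCA2 the target plaintext comes back even though the box never decrypted the target ciphertext. The fix is not a stricter box rule but a cryptosystem that is not malleable, which is what the stronger schemes of Chapter 14 provide.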
[...] most textbooks on cryptography.

Now let us look at the security (or insecurity) properties of the textbook RSA encryption algorithm.

[...] For random key instance and random message instance, by Definition 8.5 and Assumption 8.3, the existence of an efficient CPA against the RSA cryptosystem means the RSA assumption must [...]

[...] Alice publicizes her public key material (p, g, y) = (43, 3, 37).

Let Bob encrypt a plaintext message m = 14. Bob picks a random exponent 26 and computes [...]

The resultant ciphertext message pair is (15, 31).

To decrypt the ciphertext message (15, [...]

[...] show formal evidence of its security under the strong and fit-for-application security notion [...]

[...] 8.10.1 [...] where [...] Equation 8.10.2 [...]

[...] encryption algorithm (8.12.1) of the ElGamal cryptosystem is probabilistic: it uses a random input [...]

• Suppose that Alice's private key x is relatively prime to p – 1; then by Theorem 5.2(3) (in §5.2.3), her public key y ≡ g^x (mod p) remains a generator of [...] (since g is), and thereby y^k (mod p) will range over [...] multiplication [...]

[...] number satisfying Equation 8.9.2 [...]

With RSA's multiplicative property, we have

Equation 8.9.3 [...]

Malice can [...]

[...] computing 2^29 modular exponentiations. Both the space and time costs can be realistically handled by a good personal computer, while direct searching for the DES key from the encryption requires computing 2^56 modular exponentiations, which can be quite prohibitive even using a dedicated device.

Now we know that we [...]

[...] ElGamal's work inspires great interest in both research and applications, which has remained high to this day. We will see two further developments of this cryptosystem in Chapter 13 (an identity-based ElGamal encryption scheme) and in Chapter 15 (a variation with strong provable security). One reason for the [...]

[...] Definition 8.4: RSA Problem

INPUT N = pq with p, q prime numbers;
e: an integer such that gcd(e, (p – 1)(q – 1)) = 1;
[...]

OUTPUT the unique integer [...] satisfying m^e ≡ c (mod N).
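The ElGamal numbers quoted on this page ((p, g, y) = (43, 3, 37), m = 14, random exponent 26, ciphertext pair (15, 31)) can be reproduced with the following Python, an added example rather than the book's code. The private key x does not appear on the page; the helper `brute_force_dlog` recovers it by trying every exponent, which is feasible only because p = 43 is a toy modulus, and `is_generator` is an added check for the bullet about y remaining a generator when x is relatively prime to p − 1. In this numeric instance x = 7 shares the factor 7 with p − 1 = 42, so y = 37 generates only a subgroup of order 6 rather than the whole group, and the check reports that; g = 3 itself is a generator.

```python
"""ElGamal worked example using the parameters printed on this page.

Added example (not the book's code). Public key (p, g, y) = (43, 3, 37),
message m = 14 and Bob's exponent k = 26 are taken from the page; the
private key x is recovered by exhaustive search, which only works for a
toy modulus.
"""


def elgamal_encrypt(p: int, g: int, y: int, m: int, k: int) -> tuple:
    """Textbook ElGamal encryption (the book's 8.12.1):
    (c1, c2) = (g^k mod p, m * y^k mod p). k is the random input."""
    c1 = pow(g, k, p)
    c2 = (m * pow(y, k, p)) % p
    return c1, c2


def elgamal_decrypt(p: int, x: int, c1: int, c2: int) -> int:
    """Recover m = c2 * (c1^x)^-1 mod p using the private key x."""
    shared = pow(c1, x, p)                # y^k = g^(xk) = c1^x
    return (c2 * pow(shared, -1, p)) % p


def brute_force_dlog(p: int, g: int, y: int) -> int:
    """Smallest x >= 1 with g^x = y (mod p), by trying every exponent.
    Feasible only for toy p; for real parameters this is the discrete
    logarithm problem the cryptosystem rests on."""
    for x in range(1, p):
        if pow(g, x, p) == y:
            return x
    raise ValueError("y is not a power of g modulo p")


def is_generator(g: int, p: int) -> bool:
    """True if g generates the whole multiplicative group modulo prime p,
    i.e. its powers cover all p-1 non-zero residues."""
    seen = set()
    v = 1
    for _ in range(p - 1):
        v = (v * g) % p
        seen.add(v)
    return len(seen) == p - 1


def worked_example() -> tuple:
    """Returns (ciphertext pair, recovered x, decrypted m) for the page's numbers."""
    p, g, y = 43, 3, 37
    m, k = 14, 26
    c = elgamal_encrypt(p, g, y, m, k)
    x = brute_force_dlog(p, g, y)
    return c, x, elgamal_decrypt(p, x, *c)


if __name__ == "__main__":
    c, x, m = worked_example()
    print("ciphertext", c, "private key", x, "decrypted", m)
    print("g generator:", is_generator(3, 43), " y generator:", is_generator(37, 43))
```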
[...] discussed in Chapter 4 that the security theory of modern public-key cryptography is [...]

[...] 18%–50% (see Table 1 of [52]).

[...] < N^0.292 [50].