Public-Key Encryption

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

October 18, 2023

Public-Key Encryption Workflow

  • Suppose Bob wants to send a message to Alice

  • Alice will generate a public-private key-pair (pk_A, sk_A)

    • The private key is also called the secret key
  • Alice will share pk_A with Bob over the public channel

  • Bob will encrypt a message m as c \leftarrow \textsf{Enc}_{pk_A}(m) and send c to Alice over the public channel

  • Alice will decrypt c using her private key sk_A

Why bother with private-key encryption?

  • Public-key encryption is 2-3 orders of magnitude slower than private-key encryption

  • Hybrid encryption is often used in practice

  • Here \textsf{Enc} is a public-key encryption scheme and \textsf{Enc}' is a private-key encryption scheme

Public-Key Encryption Schemes

  • A public-key encryption scheme is a triple of PPT algorithms (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) such that:

    1. (pk,sk) \leftarrow \textsf{Gen}(1^n)

      • pk is the public key and sk is the private key
      • The public key defines a message space \mathcal{M}_{pk}
    2. For m \in \mathcal{M}_{pk}, c \leftarrow \textsf{Enc}_{pk}(m).

    3. m \coloneqq \textsf{Dec}_{sk}(c), where m \in \mathcal{M}_{pk} \cup \{\perp\}.

  • It is required that \textsf{Dec}_{sk}\left( \textsf{Enc}_{pk}\left( m \right) \right) = m for any message m \in \mathcal{M}_{pk}, except with negligible probability over the randomness of \textsf{Enc} and \textsf{Dec}

CPA Security

Eavesdropping Indistinguishability Experiment

  • Consider the following experiment \textsf{PubK}^{\textsf{eav}}_{\mathcal{A}, \Pi}(n):
    • \textsf{Gen}(1^n) is run to obtain keys (pk, sk)
    • \mathcal{A} is given pk and outputs a pair of equal-length messages m_0, m_1 \in \mathcal{M}_{pk}
    • A uniform bit b \in \{0,1\} is chosen
    • Challenge ciphertext c \leftarrow \textsf{Enc}_k(m_b) is computed and given to \mathcal{A}
    • \mathcal{A} outputs a bit b'
    • The output of the experiment is defined to be 1 if b' = b, and 0 otherwise

Security Definition

  • A public-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) has indistinguishable encryptions in the presence of an eavesdropper, or is EAV-secure, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that, for all n, \Pr\left[ \textsf{PubK}^{\textsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

CPA-Security for Public-Key Encryption

  • In public-key encryption, the adversary always has access to an encryption oracle

  • Proposition: If a public-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper, it is CPA-secure

El Gamal Encryption (1/2)

  • In 1985, Taher El Gamal constructed a public-key encryption scheme based on the Diffie-Hellman protocol

  • \textsf{Gen}:

    • Run \mathcal{G}(1^n) to get (G, q, g).
    • Choose a uniform x \in \mathbb{Z}_q and compute h \coloneqq g^x.
    • The public key is \langle G, q, g, h \rangle and the private key is \langle G, q, g, x\rangle.
    • The message space is G

El Gamal Encryption (2/2)

  • \textsf{Enc}:

    • For public key pk =\langle G, q, g, h \rangle and message m \in G, choose a uniform y \in \mathbb{Z}_q
    • Output the ciphertext as \langle g^y, h^y \cdot m \rangle
  • \textsf{Dec}:

    • For public key pk =\langle G, q, g, h \rangle and ciphertext \langle c_1, c_2 \rangle, output \hat{m} = c_2 \cdot c_1^{-x}.

CPA-Security of El Gamal Encryption

  • Theorem: If the DDH problem is hard relative to \mathcal{G}, then the El Gamal encryption scheme is CPA-secure.

  • Proof

    • Consider a modified “encryption scheme” \widetilde{\Pi} where the encryption of message m wrt public key \langle G, q, g, h \rangle is as follows
    • Choose uniform y,z \in \mathbb{Z}_q and output ciphertext \langle g^y, g^z \cdot m \rangle.

CPA-Security of El Gamal Encryption

  • Consider the following PPT algorithm D that attempts to solve the DDH problem

    1. D is given (G, q, g, h_1, h_2, h_3) as input
    2. Set pk = \langle G, q, g, h_1 \rangle and run \mathcal{A}(pk) to obtain two messages m_0, m_1 \in G
    3. Choose a uniform bit b
    4. Set c_1 \coloneqq h_2 and c_2 \coloneqq h_3 \cdot m_b
    5. Give the ciphertext \langle c_1, c_2 \rangle to \mathcal{A} and obtain a bit b'.
    6. If b' = b, output 1; otherwise, output 0.

CPA-Security of El Gamal Encryption

  • Case 1: h_3 = g^z for uniform z \in \mathbb{Z}_q

    • \langle c_1, c_2 \rangle = \langle g^y, g^z \cdot m_b \rangle
    • \mathcal{A} experiences the experiment \textsf{PubK}^{\textsf{eav}}_{\mathcal{A},\widetilde{\Pi}}(n)
    • Since D outputs 1 exactly when b' = b, we have \begin{align*} & \Pr\left[ D(G, q, g, g^x, g^y, g^z) =1 \right] \\ &= \Pr \left[ \textsf{PubK}^{\textsf{eav}}_{\mathcal{A}, \widetilde{\Pi}}(n)=1\right]\\ &= \frac{1}{2} \end{align*}

CPA-Security of El Gamal Encryption

  • Case 2: h_3 = g^{xy}

    • \langle c_1, c_2 \rangle = \langle g^y, g^{xy} \cdot m_b \rangle
    • \mathcal{A} experiences the experiment \textsf{PubK}^{\textsf{eav}}_{\mathcal{A},\Pi}(n)
    • Since D outputs 1 exactly when b' = b, we have \begin{align*}& \Pr\left[ D(G, q, g, g^x, g^y, g^z) =1 \right] \\ &= \Pr \left[ \textsf{PubK}^{\textsf{eav}}_{\mathcal{A}, \widetilde{\Pi}}(n)=1\right] \end{align*}

Multiple Encryptions

  • Can we guarantee security when the same key is used to encrypt multiple messages?
  • Surprisingly, CPA-security for one message implies CPA-security for multiple messages

Defining CPA-Security for Multiple Encryptions

  • We would define an experiment as follows

    • An adversary \mathcal{A} picks two lists of messages \vec{m}_0 = \langle m_{0,1}, m_{0,2},\ldots,m_{0,l} \rangle and \vec{m}_1 = \langle m_{1,1}, m_{1,2},\ldots,m_{1,l} \rangle
    • A uniform bit b is chosen
    • The challenge ciphertext is the encryption of \vec{m}_b
  • But this does not allow \mathcal{A} to adaptively choose the messages

The Left-or-Right Oracle

  • On input a pair of equal-length messages m_0, m_1, oracle \textsf{LR}_{pk,b}(\cdot, \cdot) returns the ciphertext c \leftarrow \textsf{Enc}_{pk}(m_b)
  • Access to this oracle allows \mathcal{A} to adaptively choose the messages that are used to produce challenge ciphertext

LR-Oracle Experiment

  • Consider the following experiment \textsf{PubK}^{\textsf{LR-cpa}}_{\mathcal{A}, \Pi}(n):
    • A keypair (pk,sk) is generated using \textsf{Gen}(1^n)
    • A uniform bit b \in \{0,1\} is chosen
    • \mathcal{A} is given 1^n and oracle access to \textsf{LR}_{pk,b}(\cdot,\cdot)
    • \mathcal{A} outputs a bit b'
    • The output of the experiment is 1 if b' = b, and 0 otherwise

Security Definition

  • A public-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) has indistinguishable multiple encryptions if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that \Pr\left[ \textsf{PubK}^{\textsf{LR-cpa}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

CPA-Security \implies Indistinguishable Multiple Encryptions

  • Theorem: If public-key encryption scheme \Pi is CPA-secure, then it also has indistinguishable multiple encryptions

  • Consequently, all the following security definitions are equivalent

    1. Indistinguishable encryptions in the presence of an eavesdropper
    2. CPA-security
    3. Indistinguishable multiple encryptions

Proof (1/7)

  • Let \Pi be a CPA-secure public-key encryption scheme
  • Let \mathcal{A} be an arbitrary PPT adversary in the \textsf{PubK}^{\textsf{LR-cpa}}_{\mathcal{A},\Pi}(n) experiment
  • We want to show that \Pr\left[ \textsf{PubK}^{\textsf{LR-cpa}}_{\mathcal{A},\Pi}(n) =1\right] \le \frac{1}{2} + \textsf{negl}(n)

Proof (2/7)

  • Let t = t(n) be the number of oracle queries made by \mathcal{A}

  • For 0 \le i \le t, let \textsf{LR}_{pk}^i be the oracle that on input (m_0, m_1)

    • Returns \textsf{Enc}_{pk}(m_0) for the first i queries
    • Returns \textsf{Enc}_{pk}(m_1) for the next t-i queries
  • Note that \Pr\left[ \textsf{PubK}^{\textsf{LR-cpa}}_{\mathcal{A},\Pi}(n) =1\right] = \frac{1}{2} \Pr\left[\mathcal{A}^{\textsf{LR}_{pk}^t}(pk) = 0\right] \\+\frac{1}{2} \Pr\left[\mathcal{A}^{\textsf{LR}_{pk}^0}(pk) = 1\right]

  • It is enough to show that \bigg| \Pr\left[\mathcal{A}^{\textsf{LR}_{pk}^t}(pk) = 1\right] - \Pr\left[\mathcal{A}^{\textsf{LR}_{pk}^0}(pk) = 1\right]\bigg|\\ \le \textsf{negl}(n)

Proof (3/7)

  • Consider an adversary \mathcal{A}' that eavesdrops on the encryption of a single message

  • It will use the adversary \mathcal{A} of the \textsf{PubK}^{\textsf{LR-cpa}}_{\mathcal{A},\Pi}(n) experiment as a subroutine

  • Note the IO interfaces of the two adversaries

    • \mathcal{A} queries the \textsf{LR}_{pk,b}(\cdot, \cdot) oracle t times. It then outputs a bit
    • \mathcal{A}' outputs a pair of messages (m_0, m_1) and receives the encryption of one of them as a challenge ciphertext. It then outputs a bit.

Proof (4/7)

  • Consider an adversary \mathcal{A}' that does the following

    1. \mathcal{A}', given pk, chooses a uniform index i \leftarrow \{1,\ldots,t\}

    2. \mathcal{A}' runs \mathcal{A}(pk), answering its jth oracle query (m_{j,0}, m_{j,1}) as follows:

      1. For j <i, adversary \mathcal{A}' computes c_j \leftarrow \textsf{Enc}_{pk}(m_{j,0}) and returns c_j to \mathcal{A} as the response from its oracle
      2. For j =i, adversary \mathcal{A}' outputs (m_{j,0}, m_{j,1}) and receives a challenge ciphertext c_j. This is returned to \mathcal{A} as the response from its oracle
      3. For j >i, adversary \mathcal{A}' computes c_j \leftarrow \textsf{Enc}_{pk}(m_{j,1}) and returns c_j to \mathcal{A} as the response from its oracle
    3. \mathcal{A}' outputs the bit b' that is output by A

Proof (5/7)

  • Consider the experiment \textsf{PubK}^{\textsf{eav}}_{\mathcal{A}',\Pi}

  • Fixing some i=i^*, not that if c_{i^*} is the encryption of m_{i^*,0} then \mathcal{A} is interacting with \textsf{LR}_{pk}^{i^*}

  • Then we have \begin{align*} & \Pr \left[ \mathcal{A}' \text{ outputs } 1 \mid b = 0\right] \\ & = \sum_{i^*=1}^t \Pr[i=i^*]\Pr \left[ \mathcal{A}' \text{ outputs } 1 \mid b = 0 \cap i = i^*\right] \\ & = \sum_{i^*=1}^t \frac{1}{t}\Pr \left[ \mathcal{A}^{\textsf{LR}_{pk}^{i^*}}(pk)=1\right] \\ \end{align*}

Proof (6/7)

  • If c_{i^*} is the encryption of m_{i^*,1} then \mathcal{A} is interacting with \textsf{LR}_{pk}^{i^*-1}

  • Then we have \begin{align*} & \Pr \left[ \mathcal{A}' \text{ outputs } 1 \mid b = 1\right] \\ & = \sum_{i^*=1}^t \Pr[i=i^*]\Pr \left[ \mathcal{A}' \text{ outputs } 1 \mid b = 1 \cap i = i^*\right] \\ & = \sum_{i^*=1}^t \frac{1}{t}\Pr \left[ \mathcal{A}^{\textsf{LR}_{pk}^{i^*-1}}(pk)=1\right] \\ & = \sum_{i^*=0}^{t-1} \frac{1}{t}\Pr \left[ \mathcal{A}^{\textsf{LR}_{pk}^{i^*}}(pk)=1\right] \\ \end{align*}

Proof (7/7)

  • Since \Pi is CPA-secure, we have \begin{align*}&\bigg| \Pr\left[ \mathcal{A}' \text{ outputs } 1 \mid b=0\right] \\ &\quad - \Pr\left[ \mathcal{A}' \text{ outputs } 1 \mid b=1\right]\bigg| \le \textsf{negl}(n)\end{align*}

  • This gives us \bigg| \Pr\left[\mathcal{A}^{\textsf{LR}_{pk}^t}(pk) = 1\right] - \Pr\left[\mathcal{A}^{\textsf{LR}_{pk}^0}(pk) = 1\right]\bigg|\\ \le t \cdot \textsf{negl}(n)

Plain RSA

Plain RSA Key Generation

  • Let \textsf{GenRSA} be a PPT algorithm that on input 1^n, outputs a modulus N that is the product of two n-bit primes, along with integers e,d > 1 satisfying ed = 1 \bmod \phi(N)

  • \textsf{Gen:} On input 1^n, run \textsf{GenRSA}(1^n) to obtain N, e, and d

    • The public key is \langle N,e \rangle and the private key is \langle N,d \rangle.

Plain RSA Encryption and Decryption

  • \textsf{Enc:} On input a public key pk = \langle N,e \rangle and message m \in \mathbb{Z}_N^*, compute the ciphertext c = m^e \bmod N
  • \textsf{Dec:} On input a private key sk = \langle N, d \rangle and ciphertext c \in \mathbb{Z}_N^*, output \hat{m} = c^d \bmod N

The RSA Experiment

  • \textsf{RSA-inv}_{\mathcal{A}, \textsf{GenRSA}}(n):

    • Run \textsf{GenRSA}(1^n) to obtain (N,e,d)
    • Choose a uniform y \in \mathbb{Z}_N^*
    • \mathcal{A} is given N,e,y, and outputs x \in \mathbb{Z}_N^*
    • The output of the experiment is 1 if x^e = y \bmod N, and 0 otherwise.

The RSA Assumption

  • Definition: The RSA problem is hard relative to \textsf{GenRSA} if for all PPT algorithms \mathcal{A} there exists a negligible function \textsf{negl} such that \Pr[\textsf{RSA-inv}_{\mathcal{A}, \textsf{GenRSA}}(n) = 1] \le \textsf{negl}(n).

  • The RSA assumption states that there exists a \textsf{GenRSA} relative to which RSA is hard.

Attacks on Plain RSA

  • Plain RSA is deterministic and hence not CPA-secure
  • It is insecure even if used to encrypt “random messages”

Quadratic Improvement in Recovering Message (1/2)

  • Suppose an attacker knows that m < B

  • Given ciphertext c, the attacker can always determine m in \mathcal{O}(B) time

  • There is a better attack that recovers m in \mathcal{O}(\sqrt{B}) with high probability

    • Can be the difference between 2^{80} and 2^{40}
  • Lemma: For appropriate \alpha \approx \frac{1}{2}, if m is a uniform n-bit integer then with high probability there exist r,s with 1 < r \le s \le 2^{\alpha n} for which m = r \cdot s

Quadratic Improvement in Recovering Message (2/2)

  • Input: Public key \langle N, e \rangle; ciphertext c; bound 2^n
  • Output: m < 2^n such that m^e = c \bmod N \begin{align*} &\textbf{set } T \coloneqq 2^{\alpha n}\\ &\textbf{for } r = 1 \text{ to } T:\\ &\quad x_r \coloneqq [c/r^e \bmod N]\\ &\textbf{sort } \text{the pairs } \{(r,x_r)\}_{r=1}^T \text{ by } x_r\\ &\textbf{for } s = 1 \text{ to } T:\\ &\quad \textbf{if } [s^e \bmod N] \overset{?}{=} x_r \text{ for some } r\\ &\quad \quad \textbf{return } [r \cdot s \bmod N] \end{align*}

Encrypting Short Messages Using Small e

  • Suppose m < N^{1/e}
  • Raising m to the eth power involves no modular reduction
  • Give c, message m = c^{1/e} can be computed over the integers in \textsf{poly}(\| N \|) time
  • Suppose e = 3 and \| N \| = 2048 bits; then the attack works when m is a 256-bit string

Sending the Same Message to Multiple Receivers (1/2)

  • Suppose e = 3
  • Suppose the same message m is encrypted to three receivers having public keys pk_1 = \langle N_1, 3 \rangle, pk_2 = \langle N_2, 3 \rangle, pk_3 = \langle N_3, 3 \rangle
  • Assume \gcd(N_i, N_j) = 1 for i \neq j

Sending the Same Message to Multiple Receivers (2/2)

  • Eavesdropper observes c_1 = [m^3 \bmod N_1], c_2 = [m^3 \bmod N_2], c_3 = [m^3 \bmod N_3]
  • For N^* = N_1N_2N_3, by CRT there exists a unique \hat{c} < N^* such that \hat{c} =c_1 \bmod N_1\\ \hat{c} = c_2 \bmod N_2\\\hat{c} = c_3 \bmod N_3
  • As m < \min\{N_1, N_2, N_3\}, we have m^3 < N^*
  • Then \hat{c} = m^3 over the integers
  • Message m can be recovered by computing the integer cube root of \hat{c}

RSA-OAEP

  • OAEP = Optimal Asymmetric Encryption Padding
  • CCA-secure encryption scheme from RSA
  • RSA-OAEP has been standardized (see RFC 8017)

RSA-OAEP

  • Let l, k \in \mathbb{N} such that 2k+l < \| N \|
  • Suppose a message m \in \{0,1\}^l is to be encrypted
  • It is mapped to a message \hat{m} \in \{0,1\}^{2k+l}
  • \hat{m} is encrypted using plain RSA
  • Let G: \{0,1\}^k \mapsto \{0,1\}^{l+k} and H: \{0,1\}^{l+k} \mapsto \{0,1\}^k be hash functions
  • Let m' = m \| 0^k
  • \hat{m} = s \| t where t = m' \oplus G(r) and s = r \oplus H(t)

RSA-OAEP

  • \hat{m} = s \| t where t = m' \oplus G(r) and s = r \oplus H(t)
  • To get m from \hat{m}, compute r = H(t) \oplus s \text{ and } m'= G(r) \oplus t

RSA Keys Should be Chosen Carefully

  • Suppose all employees in a company share the same RSA modulus N
  • Suppose two employees have encryption exponents e_1, e_2 such that e_1 \neq e_2 and \gcd(e_1, e_2) = 1
  • Suppose the same message m is encrypted to give c_1 = m^{e_1} \bmod N \text{ and } c_2 = m^{e_2} \bmod N
  • Then m can be recovered

Further Reading

  • Section 12.1, 12.2.1, 12.2.2, 12.4.1, 12.5.1, 12.5.4 of Katz & Lindell