
A graduate course in Applied Cryptography PDF

818 Pages·2017·25.408 MB·English

Preview A graduate course in Applied Cryptography

A Graduate Course in Applied Cryptography
Dan Boneh and Victor Shoup
Version 0.4, September 2017

Preface

Cryptography is an indispensable tool used to protect information in computing systems. It is used everywhere and by billions of people worldwide on a daily basis. It is used to protect data at rest and data in motion. Cryptographic systems are an integral part of standard protocols, most notably the Transport Layer Security (TLS) protocol, making it relatively easy to incorporate strong encryption into a wide range of applications.

While extremely useful, cryptography is also highly brittle. The most secure cryptographic system can be rendered completely insecure by a single specification or programming error. No amount of unit testing will uncover a security vulnerability in a cryptosystem. Instead, to argue that a cryptosystem is secure, we rely on mathematical modeling and proofs to show that a particular system satisfies the security properties attributed to it. We often need to introduce certain plausible assumptions to push our security arguments through.

This book is about exactly that: constructing practical cryptosystems for which we can argue security under plausible assumptions. The book covers many constructions for different tasks in cryptography. For each task we define a precise security goal that we aim to achieve and then present constructions that achieve the required goal. To analyze the constructions, we develop a unified framework for doing cryptographic proofs. A reader who masters this framework will be capable of applying it to new constructions that may not be covered in the book.

Throughout the book we present many case studies to survey how deployed systems operate. We describe common mistakes to avoid as well as attacks on real-world systems that illustrate the importance of rigor in cryptography. We end every chapter with a fun application that applies the ideas in the chapter in some unexpected way.

Intended audience and how to use this book

The book is intended to be self contained. Some supplementary material covering basic facts from probability theory and algebra is provided in the appendices. The book is divided into three parts.

• Part I develops symmetric encryption, which explains how two parties, Alice and Bob, can securely exchange information when they have a shared key unknown to the attacker. We discuss data confidentiality, data integrity, and the important concept of authenticated encryption.
• Part II develops the concepts of public-key encryption and digital signatures, which allow Alice and Bob to communicate securely, without having a pre-shared secret key.
• Part III is about cryptographic protocols, such as protocols for user identification, key exchange, zero knowledge, and secure computation.

A beginning reader can read through the book to learn how cryptographic systems work and why they are secure. Every security theorem in the book is followed by a proof idea that explains at a high level why the scheme is secure. On a first read one can skip over the detailed proofs without losing continuity. A beginning reader may also skip over the mathematical details sections that explore nuances of certain definitions.

An advanced reader may enjoy reading the detailed proofs to learn how to do proofs in cryptography. At the end of every chapter you will find many exercises that explore additional aspects of the material covered in the chapter. Some exercises rehearse what was learned, but many exercises expand on the material and discuss topics not covered in the chapter.

Status of the book

The current draft contains part I and most of parts II and III. The remaining four chapters are forthcoming. We hope you enjoy this write-up. Please send us comments and let us know if you find typos or mistakes.
Citations: While the current draft is mostly complete, we still do not include citations and references to the many works on which this book is based. Those will be coming soon and will be presented in the Notes section at the end of every chapter.

Dan Boneh and Victor Shoup
September, 2017

Contents

1 Introduction 1
  1.1 Historic ciphers 1
  1.2 Terminology used throughout the book 1

I Secret key cryptography 3

2 Encryption 4
  2.1 Introduction 4
  2.2 Shannon ciphers and perfect security 5
    2.2.1 Definition of a Shannon cipher 5
    2.2.2 Perfect security 7
    2.2.3 The bad news 13
  2.3 Computational ciphers and semantic security 13
    2.3.1 Definition of a computational cipher 14
    2.3.2 Definition of semantic security 15
    2.3.3 Connections to weaker notions of security 18
    2.3.4 Consequences of semantic security 22
    2.3.5 Bit guessing: an alternative characterization of semantic security 25
  2.4 Mathematical details 27
    2.4.1 Negligible, super-poly, and poly-bounded functions 28
    2.4.2 Computational ciphers: the formalities 29
    2.4.3 Efficient adversaries and attack games 32
    2.4.4 Semantic security: the formalities 34
  2.5 A fun application: anonymous routing 35
  2.6 Notes 38
  2.7 Exercises 38

3 Stream ciphers 45
  3.1 Pseudo-random generators 45
    3.1.1 Definition of a pseudo-random generator 46
    3.1.2 Mathematical details 48
  3.2 Stream ciphers: encryption with a PRG 48
  3.3 Stream cipher limitations: attacks on the one time pad 52
    3.3.1 The two-time pad is insecure 53
    3.3.2 The one-time pad is malleable 53
  3.4 Composing PRGs 54
    3.4.1 A parallel construction 54
    3.4.2 A sequential construction: the Blum-Micali method 59
    3.4.3 Mathematical details 61
  3.5 The next bit test 64
  3.6 Case study: the Salsa and ChaCha PRGs 67
  3.7 Case study: linear generators 70
    3.7.1 An example cryptanalysis: linear congruential generators 70
    3.7.2 The subset sum generator 73
  3.8 Case study: cryptanalysis of the DVD encryption system 74
  3.9 Case study: cryptanalysis of the RC4 stream cipher 76
    3.9.1 Security of RC4 78
  3.10 Generating random bits in practice 80
  3.11 A broader perspective: computational indistinguishability 81
    3.11.1 Mathematical details 86
  3.12 A fun application: coin flipping and commitments 87
  3.13 Notes 88
  3.14 Exercises 88

4 Block ciphers 94
  4.1 Block ciphers: basic definitions and properties 94
    4.1.1 Some implications of security 96
    4.1.2 Efficient implementation of random permutations 99
    4.1.3 Strongly secure block ciphers 99
    4.1.4 Using a block cipher directly for encryption 100
    4.1.5 Mathematical details 104
  4.2 Constructing block ciphers in practice 105
    4.2.1 Case study: DES 107
    4.2.2 Exhaustive search on DES: the DES challenges 111
    4.2.3 Strengthening ciphers against exhaustive search: the 3E construction 113
    4.2.4 Case study: AES 115
  4.3 Sophisticated attacks on block ciphers 120
    4.3.1 Algorithmic attacks 121
    4.3.2 Side-channel attacks 124
    4.3.3 Fault-injection attacks on AES 128
    4.3.4 Quantum exhaustive search attacks 129
  4.4 Pseudo-random functions: basic definitions and properties 130
    4.4.1 Definitions 130
    4.4.2 Efficient implementation of random functions 131
    4.4.3 When is a secure block cipher a secure PRF? 132
    4.4.4 Constructing PRGs from PRFs 136
    4.4.5 Mathematical details 137
  4.5 Constructing block ciphers from PRFs 139
  4.6 The tree construction: from PRGs to PRFs 145
    4.6.1 Variable length tree construction 149
  4.7 The ideal cipher model 152
    4.7.1 Formal definitions 152
    4.7.2 Exhaustive search in the ideal cipher model 153
    4.7.3 The Even-Mansour block cipher and the EX construction 156
    4.7.4 Proof of the Even-Mansour and EX theorems 157
  4.8 Fun application: comparing information without revealing it 163
  4.9 Notes 165
  4.10 Exercises 165

5 Chosen Plaintext Attack 174
  5.1 Introduction 174
  5.2 Security against multi-key attacks 176
  5.3 Semantic security against chosen plaintext attack 178
  5.4 Building CPA secure ciphers 180
    5.4.1 A generic hybrid construction 180
    5.4.2 Randomized counter mode 186
    5.4.3 CBC mode 191
    5.4.4 Case study: CBC padding in TLS 1.0 196
    5.4.5 Concrete parameters and a comparison of counter and CBC modes 196
  5.5 Nonce-based encryption 198
    5.5.1 Nonce-based generic hybrid encryption 200
    5.5.2 Nonce-based Counter mode 200
    5.5.3 Nonce-based CBC mode 201
  5.6 A fun application: revocable broadcast encryption 202
  5.7 Notes 205
  5.8 Exercises 205

6 Message integrity 212
  6.1 Definition of a message authentication code 214
    6.1.1 Mathematical details 217
  6.2 MAC verification queries do not help the attacker 217
  6.3 Constructing MACs from PRFs 220
  6.4 Prefix-free PRFs for long messages 222
    6.4.1 The CBC prefix-free secure PRF 223
    6.4.2 The cascade prefix-free secure PRF 226
    6.4.3 Extension attacks: CBC and cascade are insecure MACs 227
  6.5 From prefix-free secure PRF to fully secure PRF (method 1): encrypted PRF 228
    6.5.1 ECBC and NMAC: MACs for variable length inputs 229
  6.6 From prefix-free secure PRF to fully secure PRF (method 2): prefix-free encodings 232
    6.6.1 Prefix free encodings 232
  6.7 From prefix-free secure PRF to fully secure PRF (method 3): CMAC 233
  6.8 Converting a block-wise PRF to bit-wise PRF 236
  6.9 Case study: ANSI CBC-MAC 237
  6.10 Case study: CMAC 238
  6.11 PMAC: a parallel MAC 240
  6.12 A fun application: searching on encrypted data 242
  6.13 Notes 242
  6.14 Exercises 243

7 Message integrity from universal hashing 248
  7.1 Universal hash functions (UHFs) 248
    7.1.1 Multi-query UHFs 250
    7.1.2 Mathematical details 251
  7.2 Constructing UHFs 251
    7.2.1 Construction 1: UHFs using polynomials 251
    7.2.2 Construction 2: CBC and cascade are computational UHFs 254
    7.2.3 Construction 3: a parallel UHF from a small PRF 256
  7.3 PRF(UHF) composition: constructing MACs using UHFs 258
    7.3.1 Using PRF(UHF) composition: ECBC and NMAC security 261
    7.3.2 Using PRF(UHF) composition with polynomial UHFs 261
    7.3.3 Using PRF(UHF) composition: PMAC_0 security 262
  7.4 The Carter-Wegman MAC 262
    7.4.1 Using Carter-Wegman with polynomial UHFs 269
  7.5 Nonce-based MACs 269
    7.5.1 Secure nonce-based MACs 269
  7.6 Unconditionally secure one-time MACs 270
    7.6.1 Pairwise unpredictable functions 271
    7.6.2 Building unpredictable functions 271
    7.6.3 From PUFs to unconditionally secure one-time MACs 272
  7.7 A fun application: timing attacks 272
  7.8 Notes 272
  7.9 Exercises 273

8 Message integrity from collision resistant hashing 283
  8.1 Definition of collision resistant hashing 286
    8.1.1 Mathematical details 286
  8.2 Building a MAC for large messages 287
  8.3 Birthday attacks on collision resistant hash functions 289
  8.4 The Merkle-Damgård paradigm 291
    8.4.1 Joux's attack 294
  8.5 Building Compression Functions 294
    8.5.1 A simple but inefficient compression function 295
    8.5.2 Davies-Meyer compression functions 295
    8.5.3 Collision resistance of Davies-Meyer 297
  8.6 Case study: SHA256 298
    8.6.1 Other Merkle-Damgård hash functions 300
  8.7 Case study: HMAC 302
    8.7.1 Security of two-key nest 303
    8.7.2 The HMAC standard 305
    8.7.3 Davies-Meyer is a secure PRF in the ideal cipher model 306
  8.8 The Sponge Construction and SHA3 309
    8.8.1 The sponge construction 309
    8.8.2 Case study: SHA3, SHAKE256, and SHAKE512 314
  8.9 Merkle trees: proving properties of a hashed sequence 315
    8.9.1 Authenticated data structures 318
  8.10 Key derivation and the random oracle model 320
    8.10.1 The key derivation problem 320
    8.10.2 Random oracles: a useful heuristic 322
    8.10.3 Random oracles: safe modes of operation 327
    8.10.4 The leftover hash lemma 329
    8.10.5 Case study: HKDF 330
  8.11 Security without collision resistance 331
    8.11.1 Second preimage resistance 331
    8.11.2 Randomized hash functions: target collision resistance 333
    8.11.3 TCR from 2nd-preimage resistance 333
    8.11.4 Using target collision resistance 336
  8.12 A fun application: an efficient commitment scheme 339
  8.13 Another fun application: proofs of work 339
  8.14 Notes 339
  8.15 Exercises 339

9 Authenticated Encryption 347
  9.1 Authenticated encryption: definitions 348
    9.1.1 One-time authenticated encryption 349
  9.2 Implications of authenticated encryption 350
    9.2.1 Chosen ciphertext attacks: a motivating example 350
    9.2.2 Chosen ciphertext attacks: definition 352
    9.2.3 Authenticated encryption implies chosen ciphertext security 353
  9.3 Encryption as an abstract interface 355
  9.4 Authenticated encryption ciphers from generic composition 357
    9.4.1 Encrypt-then-MAC 357
    9.4.2 MAC-then-encrypt is not generally secure: padding oracle attacks on SSL 359
    9.4.3 More padding oracle attacks 362
    9.4.4 Secure instances of MAC-then-encrypt 363
    9.4.5 Encrypt-then-MAC or MAC-then-encrypt? 367
  9.5 Nonce-based authenticated encryption with associated data 367
  9.6 One more variation: CCA-secure ciphers with associated data 370
  9.7 Case study: Galois counter mode (GCM) 371
  9.8 Case study: the TLS 1.3 record protocol 373
  9.9 Case study: an attack on non-atomic decryption in SSH 376
  9.10 Case study: 802.11b WEP, a badly broken system 379
  9.11 Case study: IPsec 381
  9.12 A fun application: private information retrieval 386
  9.13 Notes 386
  9.14 Exercises 386

II Public key cryptography 393

10 Public key tools 394
  10.1 A toy problem: anonymous key exchange 394
  10.2 One-way trapdoor functions 395
    10.2.1 Key exchange using a one-way trapdoor function scheme 396
    10.2.2 Mathematical details 397
  10.3 A trapdoor permutation scheme based on RSA 398
    10.3.1 Key exchange based on the RSA assumption 400
    10.3.2 Mathematical details 400
  10.4 Diffie-Hellman key exchange 401
    10.4.1 The key exchange protocol 402
    10.4.2 Security of Diffie-Hellman key exchange 402
  10.5 Discrete logarithm and related assumptions 403
    10.5.1 Random self-reducibility 406
    10.5.2 Mathematical details 407
  10.6 Collision resistant hash functions from number-theoretic primitives 409
    10.6.1 Collision resistance based on DL 409
    10.6.2 Collision resistance based on RSA 410
  10.7 Attacks on the anonymous Diffie-Hellman protocol 412
  10.8 Merkle puzzles: a partial solution to key exchange using block ciphers 413
  10.9 Fun application: Pedersen commitments 415
  10.10 Notes 415
  10.11 Exercises 415

11 Public key encryption 424
  11.1 Two further example applications 425
    11.1.1 Sharing encrypted files 425
    11.1.2 Key escrow 425
  11.2 Basic definitions 426
    11.2.1 Mathematical details 427
  11.3 Implications of semantic security 428
    11.3.1 The need for randomized encryption 428
    11.3.2 Semantic security against chosen plaintext attack 429
  11.4 Encryption based on a trapdoor function scheme 431
    11.4.1 Instantiating E_TDF with RSA 434
  11.5 ElGamal encryption 435
    11.5.1 Semantic security of ElGamal in the random oracle model 436
    11.5.2 Semantic security of ElGamal without random oracles 438
  11.6 Threshold decryption 441
    11.6.1 Shamir's secret sharing scheme 443
    11.6.2 ElGamal threshold decryption 445
  11.7 Fun application: oblivious transfer from DDH 448
  11.8 Notes 449
  11.9 Exercises 449

12 Chosen ciphertext secure public key encryption 456
  12.1 Basic definitions 456
  12.2 Understanding CCA security 458
    12.2.1 CCA security and ciphertext malleability 458
    12.2.2 CCA security vs authentication 459
    12.2.3 CCA security and key escrow 460
    12.2.4 Encryption as an abstract interface 461
  12.3 CCA-secure encryption from trapdoor function schemes 463
    12.3.1 Instantiating E'_TDF with RSA 468
  12.4 CCA-secure ElGamal encryption 468
  12.5 CCA security from DDH without random oracles 474
    12.5.1 Universal projective hash functions 474
    12.5.2 Universal_2 projective hash functions 476
    12.5.3 The scheme E_CS 478
  12.6 CCA security via a generic transformation 483
    12.6.1 A generic instantiation 488
    12.6.2 A concrete instantiation with ElGamal 489
  12.7 CCA-secure public-key encryption with associated data 490
  12.8 Case study: PKCS1, OAEP, OAEP+, and SAEP 492
    12.8.1 Padding schemes 492
    12.8.2 PKCS1 padding 493
    12.8.3 Bleichenbacher's attack on the RSA-PKCS1 encryption scheme 494
    12.8.4 Optimal Asymmetric Encryption Padding (OAEP) 496
    12.8.5 OAEP+ and SAEP+ 499
  12.9 Fun application: sealed bid auctions 499
  12.10 Notes 500
  12.11 Exercises 500

13 Digital signatures 513
  13.1 Definition of a digital signature 515
    13.1.1 Secure signatures 516
    13.1.2 Mathematical details 519
  13.2 Extending the message space with collision resistant hashing 519
    13.2.1 Extending the message space using TCR functions 520
  13.3 Signatures from trapdoor permutations: the full domain hash 521
    13.3.1 Signatures based on the RSA trapdoor permutation 522
  13.4 Security analysis of full domain hash 525
    13.4.1 Repeated one-way functions: a useful lemma 525
    13.4.2 Proofs of Theorems 13.3 and 13.4 529
  13.5 An RSA-based signature scheme with tighter security proof 530
  13.6 Case study: PKCS1 signatures 532
    13.6.1 Bleichenbacher's attack on PKCS1 signatures 534
  13.7 Signcryption: combining signatures and encryption 535
    13.7.1 Secure signcryption 537
    13.7.2 Signcryption as an abstract interface 539
    13.7.3 Constructions: encrypt-then-sign and sign-then-encrypt 542
