DENSIDAD ÓPTICA (DO)

many plaintext s using the same encryption-key. Loosely speaking, an encryption scheme is secure in the multiple-messages setting if analo- gous definitions (to Definitions 5.1 and 5.2) hold when polynomially- many plaintext s are encrypted using the same encryption-key (cf. (67, Sec. 5.2.4)). It is easy to see thatin the public-key model, security in the single-message setting implies security in the multiple-messages setting. We stress that this is not necessarily truefor the private-key model.

5.2 Constructions

It is common practice to use “pseudorandom generators” as a basis for private-key encryption schemes. We stress that this is a very dangerous practice when the “pseudorandom generator” is easy to predict (such as the linear congruential generator or some modifications of it that output a constant fraction of the bits of each resulting number). However, this common practice becomes sound provided one uses pseudorandom generators (as defined in Section 3.2). An alternative and more flexible construction follows.

Private-key encryption scheme based on pseudorandom func- tions: We present a simple construction that uses pseudorandom functions as defined in Section 3.3. The key generation algorithm con- sists of selecting a seed, denoted s, for a (pseudorandom) function, denotedfs. To encrypt a messagex∈ {0,1}n(using keys), the encryp-

tion algorithm uniformly selects a string r ∈ {0,1}n and produces the ciphertext (r, x⊕fs(r)), where⊕denotes the exclusive-or of bit strings.

To decrypt the ciphertext (r, y) (using key s), the decryption algo- rithm just computes y⊕fs(r). The proof of security of this encryption

scheme consists of two steps (suggested as a general methodology in Section 3.3):

(1) Prove that an idealized version of the scheme, in which one uses a uniformly selected functionF:{0,1}n_→{0,1}n_{, rather}

than the pseudorandom functionf_s, is secure.

(2) Conclude that the real scheme (as presented above) is secure (because, otherwise one could distinguish a pseudorandom function from a truly random one).

Note that we could have gotten rid of the randomization (in the encryp- tion process) if we had allowed the encryption algorithm to be history- dependent (e.g., use a counter in the role of r). This can be done pro- vided that either only one party uses the key for encryption (and main- tains a counter) or that all parties that encrypt, using the same key, coordinate their actions (i.e., maintain a joint state (e.g., counter)). Indeed, when using a private-key encryption scheme, a common situa- tion is that the same key is only used for communication between two specific parties, which update a joint counter during their communi- cation. Furthermore, if the encryption scheme is used for fifo com- munication between the parties and both parties can reliably maintain the counter value, then there is no need (for the sender) to send the counter value. (The resulting scheme is related to “stream ciphers” that are commonly used in practice.)

We comment that the use of a counter (or any other state) in the encryption process is not reasonable in the case of public-key encryp- tion schemes, because it is incompatible with the canonical usage of such schemes (i.e., allowing all parties to send encrypted messages to the “owner of the encryption-key” without engaging in any type of fur- ther coordination or communication). Furthermore, as discussed before, probabilistic encryption is essential for a secure public-key encryption scheme even in the case of encrypting a single message (unlike in the case of private-key schemes). Following Goldwasser and Micali (80), we now demonstrate the use ofprobabilistic encryption in the construction of a public-key encryption scheme.

Public-key encryption scheme based on trapdoor permuta- tions: We present two constructions that employ a collection of trap- door permutations, as defined in Definition 2.3. Let{f_i :D_i →D_i}_i be such a collection, and letbbe a corresponding hard-core predicate. The key generation algorithm consists of selecting a permutation f_i along with a corresponding trapdoor t, and outputting (i, t) as the key-pair. To encrypt a (single) bit σ (using the encryption-key i), the encryp- tion algorithm uniformly selects r ∈ Di, and produces the ciphertext

(f_i(r), σ⊕b(r)). To decrypt the ciphertext (y, τ) (using the decryption- key t), the decryption algorithm computes τ ⊕b(f_i−1(y)) (using the

5.2. Constructions 69 trapdoor t of fi). Clearly, (σ ⊕b(r))⊕b(fi−1(fi(r))) = σ. Indistin-

guishability of encryptions can be easily proved using the fact thatbis a hard-core of fi. We comment that the above scheme is quite waste-

ful in bandwidth; however, the paradigm underlying its construction (i.e., applying the trapdoor permutation to a randomized version of the plaintext rather than to the actual plaintext ) is valuable in practice. A more efficient construction of a public-key encryption scheme, which uses the same key-generation algorithm, follows. To encrypt an -bit long string x (using the encryption-key i), the encryption algorithm uniformly selects r ∈ D_i, computes y ← b(r) ·b(f_i(r))· · ·b(f_i−1(r)) and produces the ciphertext (f_i(r), x ⊕y). To decrypt the cipher- text (u, v) (using the decryption-key t), the decryption algorithm first recovers r = f_i−(u) (using the trapdoor t of fi), and then obtains

v⊕b(r)·b(f_i(r))· · ·b(f_i−1(r)). Note the similarity to the construction in Theorem 3.3, and the fact that the proof can be extended to estab- lish the computational indistinguishability of (b(r)· · ·b(f_i−1(r)), f_i(r)) and (r, f_i(r)), for random and independent r ∈ Di and r ∈ {0,1}.

Indistinguishability of encryptions follows, and thus the aforementioned scheme is secure.

Concrete implementations of the aforementioned public-key encryption schemes: For the first scheme, we are going to use the RSA scheme (112) as a trapdoor permutation (rather than using it directly as an encryption scheme).4 The RSA scheme has an instance- generating algorithm that randomly selects two primes, p and q, com- putes their productN =p·q, and selects at random a pair of integers (e, d) such thate·d≡1 (modφ(N)), whereφ(N)def= (p−1)·(q−1). (The “plain RSA” operations are raising to power e or dmodulo N.) We construct a public-key encryption scheme as follows: The key- generation algorithm is identical to the instance-generator algorithm of RSA, and the encryption-key is set to (N, e) (resp., the decryption-key is set to (N, d)), just as in “plain RSA”. To encrypta single bitσ(using

4_{Recall that RSA itself is not semantically secure, because it employs a deterministic} encryption algorithm. The scheme presented here can be viewed as a “randomized version” of RSA.

Key-generation on security parametern:

(1) Select at random two n-bit primes,P and Q, each congruent to 3 mod 4.

(2) Compute dP = ((P + 1)/4)(n)modP−1, dQ = ((Q +

1)/4)(n)_{modQ−1, c}

P = Q·(Q−1modP), and cQ = P ·

(P−1_modQ).

The output key-pair is (N, T), where N = P Q and T = (P, Q, N, cP, dP, cQ, dQ).

(Note: for every s, it holds that (s2₎(P+1)/4 _{≡ s (modP), and so} (s2(n)₎dP _{≡ s} (modP). Thus, raising to the dP-th power modulo P is

equivalent to taking the 2_{-th root moduloP. To recover roots moduloN, we}

use the Chinese Remainder Theorem with the corresponding coefficientscP

andcQ.)

Encryption of messagex∈ {0,1}(n)_{using the encryption-keyN:} (1) Uniformly selects0∈ {1, ..., N}.

(2) Fori= 1, .., (n) + 1, computesi←s_i2₋₁modN andσi= lsb(si).

The ciphertext is (s(n)+1, y), wherey=x⊕σ1σ2· · ·σ(n). (Note:s1 plays the role played byrin the general scheme.)

Decryption of the ciphertext (r, y) using the encryption-key T = (P, Q, N, cP, dP, cQ, dQ):

(1) Lets←rdP modP, ands←rdQmodQ. (2) Lets1←cP·s+cQ·smodN.

(3) Fori= 1, .., (n), computeσi= lsb(si) andsi+1←s2i modN.

The plaintext isy⊕σ1σ2· · ·σ(n).

Note: lsb is a hard-core of the modular squaring function (3).

Fig. 5.3 The Blum–Goldwasser Public-Key Encryption Scheme (30). For simplicity we assume that, which is polynomially bounded (e.g.,(n) =n), is known at key-generation time.

the encryption-key (N, e)), the encryption algorithm uniformly selects an element,r, in the set of residues modN, and produces the ciphertext (re _{modN, σ⊕lsb(r)), where lsb(r) denotes the least significant bit of}

r(which is a hard-core of the RSA function (3)). To decrypt the cipher- text (y, τ) (using the decryption-key (N, d)), the decryption algorithm just computes τ ⊕lsb(ydmodN). Turning to the second scheme, we assume the intractability of factoring large integers, and use squaring modulo a composite as a trapdoor permutation over the corresponding quadratic residues (while using composites that are the product of two