If $g$ is a generator of $\mathbb{Z}_p^*$ then $g^2 \bmod p$ is a generator of $Q_p$:
$$Q_p = \{g^0, g^2, \ldots, g^{2(p-2)}\}$$
which is exactly
$$Q_p = \{(g^2)^0, (g^2)^1, \ldots, (g^2)^{p-2}\}.$$
It is believed that if $p$ is a prime of the form $2q+1$, where $q$ is again prime, then taking $G = Q_p$ and letting $g$ be any generator of $G$ satisfies (??), with $t$ and $1/\varepsilon$ exponentially large in the number of digits of $q$.
13.6
El Gamal Encryption
The El Gamal encryption scheme works as follows. Let $D$ be a distribution over $(G, g, q)$ that satisfies the Decision Diffie-Hellman assumption:
• $G()$: sample $(G, g, q)$ from $D$, and pick a random number $x \in \{0, \ldots, q-1\}$.
  – $PK = (G, g, q, g^x)$
  – $SK = (G, g, q, x)$
• $E((G, g, q, a), m)$:
  – pick at random $r \in \{0, \ldots, q-1\}$
  – output $(g^r, a^r \cdot m)$
• $D((G, g, q, x), (c_1, c_2))$:
  – compute $b := c_1^x$
  – find the multiplicative inverse $b'$ of $b$
  – output $b' \cdot c_2$
The decryption algorithm works as follows. $c_1$ is $g^r$ (as returned by $E$), so $b = g^{rx}$. $c_2$, as returned by $E$, is $a^r \cdot m$, where $a$ is $g^x$. This means that $c_2 = g^{rx} \cdot m$. We see that $c_2 = b \cdot m$, which is why multiplying $c_2$ by $b^{-1}$ correctly yields $m$.
Theorem 59 Suppose $D$ is a distribution that satisfies the $(t, \varepsilon)$ Decision Diffie-Hellman assumption and that it is possible to perform multiplication in time $\le r$ in the groups $G$ occurring in $D$.
Then the El Gamal cryptosystem is $(t - r, 2\varepsilon)$ message-indistinguishable.
Proof: Let $A$ be an algorithm of complexity $\le t - r$ and fix any two messages $m_1, m_2$. We need to show that
$$\bigl|P[A(G, g, q, g^x, g^r, g^{xr} \cdot m_1) = 1] - P[A(G, g, q, g^x, g^r, g^{xr} \cdot m_2) = 1]\bigr| \le 2\varepsilon.$$
(From now on, we shall not write the dependency on $G, g, q$.)
We utilize a variant of the encryption algorithm that uses a random group element $g^y$ (instead of $g^{xr}$) as the multiplier for $m$.¹
$$\bigl|P[A(g^x, g^r, g^{xr} \cdot m_1) = 1] - P[A(g^x, g^r, g^{xr} \cdot m_2) = 1]\bigr| \tag{13.2}$$
$$\le \bigl|P[A(g^x, g^r, g^{xr} \cdot m_1) = 1] - P[A(g^x, g^r, g^{y} \cdot m_1) = 1]\bigr| \tag{13.3}$$
$$+ \bigl|P[A(g^x, g^r, g^{y} \cdot m_1) = 1] - P[A(g^x, g^r, g^{y} \cdot m_2) = 1]\bigr| \tag{13.4}$$
$$+ \bigl|P[A(g^x, g^r, g^{xr} \cdot m_2) = 1] - P[A(g^x, g^r, g^{y} \cdot m_2) = 1]\bigr| \tag{13.5}$$
Each of the expressions in (13.3) and (13.5) is $\le \varepsilon$ due to the $(t, \varepsilon)$ Decision Diffie-Hellman assumption. There is an extra factor of $m_1$ or $m_2$, respectively, but the D.D.H. assumption still holds in this case. Informally, multiplying a group element that looks random by a fixed element yields another random-looking element. We can formalize this as follows:
We claim that if $(G, g, q)$ satisfies the $(t, \varepsilon)$ Decision Diffie-Hellman assumption, and $r$ is an upper bound on the time it takes to compute products in $G$, then for all group elements $m$ and for all algorithms $A$ of complexity $\le t - r$
$$\bigl|P[A(g^x, g^y, g^{xy} \cdot m) = 1] - P[A(g^x, g^y, g^{z} \cdot m) = 1]\bigr| \le \varepsilon.$$
To prove this claim, suppose to the contrary that there exists an algorithm $A$ of complexity $\le t - r$ and a group element $m$ such that the above difference is $> \varepsilon$.
Let $A'$ be the algorithm that on input $(G, g, q, a, b, c)$ outputs $A(G, g, q, a, b, c \cdot m)$. Then $A'$ has complexity $\le t$ and
$$\bigl|P[A'(g^x, g^y, g^{xy}) = 1] - P[A'(g^x, g^y, g^{z}) = 1]\bigr| = \bigl|P[A(g^x, g^y, g^{xy} \cdot m) = 1] - P[A(g^x, g^y, g^{z} \cdot m) = 1]\bigr| > \varepsilon,$$
which contradicts the $(t, \varepsilon)$ Decision Diffie-Hellman assumption.
Next, we consider (13.4). This is an instance of "perfect security," since distinguishing between $m_1$ and $m_2$ requires distinguishing two completely random elements. (Again, we use the fact that multiplying a random element by a fixed element yields a random element.) Thus, the expression in line (13.4) is equal to 0.
This means that (13.2) is at most $2\varepsilon$.
¹ This would not actually function as an encryption algorithm, but we can still consider it, as the construction is well-defined.
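The following Python program is an added example, not part of the original notes. It runs the steps of the proof above exhaustively in the toy group $G = Q_{23}$ ($p = 23 = 2 \cdot 11 + 1$, $q = 11$, $g = 5^2 = 2$, which also checks the generator fact stated before Section 13.6) and computes the exact statistical distance between the distributions that appear in lines (13.2) to (13.5). In a group this small the DDH assumption is false (a discrete log is a lookup in a table of 11 entries), so the point is to see which steps of the argument are information-theoretic and which rest on the assumption: the (13.4) step is exactly 0, the real El Gamal views of two messages are statistically as far apart as possible, and the real-versus-random-multiplier gap used in (13.3) and (13.5) is $1 - 1/q$, a quantity that only DDH makes computationally negligible in a large group. Function names are my own.

```python
from collections import Counter
from fractions import Fraction

P, Q = 23, 11           # p = 2q + 1, both prime (toy safe prime)
G = pow(5, 2, P)        # 5 generates Z_23^*, so g = 5^2 = 2 generates Q_23


def quadratic_residues():
    """Q_p as the set of non-zero squares mod p."""
    return {pow(h, 2, P) for h in range(1, P)}


def powers_of_g():
    """{g^0, g^1, ..., g^{q-1}}: equals Q_p iff g generates it."""
    return {pow(G, i, P) for i in range(Q)}


def elgamal_view(m):
    """Distribution of (g^x, g^r, g^{xr} m) over uniform x, r: the adversary's real view."""
    return Counter((pow(G, x, P), pow(G, r, P), pow(G, x * r, P) * m % P)
                   for x in range(Q) for r in range(Q))


def random_multiplier_view(m):
    """Distribution of (g^x, g^r, g^y m) over uniform x, r, y: the footnote-1 variant."""
    return Counter((pow(G, x, P), pow(G, r, P), pow(G, y, P) * m % P)
                   for x in range(Q) for r in range(Q) for y in range(Q))


def stat_distance(d1, d2):
    """Exact statistical distance (1/2) * sum_k |Pr1[k] - Pr2[k]| between two Counters."""
    n1, n2 = sum(d1.values()), sum(d2.values())
    return sum(abs(Fraction(d1[k], n1) - Fraction(d2[k], n2))
               for k in set(d1) | set(d2)) / 2


def step_13_4(m1, m2):
    """Line (13.4): the random-multiplier views of m1 and m2 are identical (distance 0)."""
    return stat_distance(random_multiplier_view(m1), random_multiplier_view(m2))


def ddh_gap(m):
    """Lines (13.3)/(13.5): real view vs. random-multiplier view of the same message.
    Statistically the distance is 1 - 1/q; only the DDH assumption (false in a group
    this small) makes it computationally at most epsilon in a large group."""
    return stat_distance(elgamal_view(m), random_multiplier_view(m))


def elgamal_gap(m1, m2):
    """Line (13.2) measured statistically: the two real views have disjoint supports,
    so an unbounded adversary distinguishes them perfectly (distance 1)."""
    return stat_distance(elgamal_view(m1), elgamal_view(m2))


if __name__ == "__main__":
    assert quadratic_residues() == powers_of_g()
    m1, m2 = pow(G, 3, P), pow(G, 7, P)          # two constructed messages in Q_23
    print("(13.4) distance:", step_13_4(m1, m2))
    print("real vs random multiplier:", ddh_gap(m1))
    print("(13.2) statistical distance:", elgamal_gap(m1, m2))
```

Because every distribution here is enumerated in full and the distances are computed with exact rationals, the three numbers are not estimates: the (13.4) term is identically 0 for any pair of messages in $Q_p$, while the (13.2) term is 1, which is why message indistinguishability of El Gamal can only be computational.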
Lecture 14
CPA-secure Public-Key Encryption
Summary
Today we discuss the three ways in which the definitions of security given in class differ from the way they are given in the Katz-Lindell textbook.
Then we study the security of hybrid encryption schemes, in which a public-key scheme is used to encode the key for a private-key scheme, and the private-key scheme is used to encode the plaintext.
We also define RSA and note that in order to turn RSA into an encryption scheme we need a mechanism to introduce randomness.
Finally, we abstract RSA via the notion of a “family of trapdoor permutations,” and show how to achieve CPA-secure encryption from any family of trapdoor permutations.
14.1
Hybrid Encryption
Let $(G_1, E_1, D_1)$ be a public-key encryption scheme and $(E_2, D_2)$ a private-key encryption scheme.
Consider the following hybrid scheme $(G, E, D)$:
• $G()$: same as $G_1()$
• $E(pk, m)$: pick a random key $K$ for $E_2$, output $(E_1(pk, K), E_2(K, m))$
• $D(sk, (C_1, C_2))$: output $D_2(D_1(sk, C_1), C_2)$
A hybrid approach to public-key cryptography is often desirable because public-key operations are computationally expensive (e.g. modular exponentiation), while symmetric-key cryptosystems are usually far more efficient. The basic idea is that if we encrypt the symmetric key with the public key and encrypt the message with the symmetric key, only the short symmetric key needs to be encrypted under the public-key scheme, and the (possibly long) message is encrypted and decrypted with the symmetric scheme. This makes encryption and decryption much more efficient, using asymmetric cryptography only to transmit the symmetric shared secret, while still ensuring that the construction has message indistinguishability (Theorem 60 below proves this for one encryption; CPA security requires a CPA-secure symmetric scheme).
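The following Python program is an added example, not part of the original notes. It instantiates the hybrid scheme above with the El Gamal scheme of Section 13.6 as $(G_1, E_1, D_1)$, working in the group $Q_p$ for a safe prime $p = 2q+1$ as discussed before that section, and with a one-time SHA-256 keystream XOR as $(E_2, D_2)$, which is secure for one encryption only, exactly the hypothesis of Theorem 60. Two details the notes leave abstract are made concrete: $E_1$ encrypts group elements, so the symmetric key $K \in \{1, \ldots, q\}$ is mapped into $Q_p$ by squaring (injective on that range) and recovered with a square root, which is cheap because a safe prime satisfies $p \equiv 3 \pmod 4$; and the generator $g$ is taken as $4 = 2^2$, which works because $|Q_p| = q$ is prime so every square other than 1 generates $Q_p$. Uses only the standard library; the 128-bit group, the Miller-Rabin routine and all function names are my own choices for illustration, and the parameters are far too small for real use.

```python
import hashlib
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; a composite passes with probability < 4**-rounds."""
    if n < 2:
        return False
    for sp in (2,) + SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits=128):
    """Sample (p, q, g): p = 2q + 1 a safe prime, g a generator of Q_p (order q)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = 4  # 2^2 is a square and not 1, and |Q_p| = q is prime, so 4 generates Q_p
    return p, q, g


def elgamal_keygen(group):
    """G(): PK = (p, q, g, g^x), SK = (p, q, g, x) with x uniform in {0, ..., q-1}."""
    p, q, g = group
    x = secrets.randbelow(q)
    return (p, q, g, pow(g, x, p)), (p, q, g, x)


def elgamal_encrypt(pk, m):
    """E(PK, m) for a group element m in Q_p: (g^r, a^r * m) with fresh random r."""
    p, q, g, a = pk
    r = secrets.randbelow(q)
    return pow(g, r, p), (pow(a, r, p) * m) % p


def elgamal_decrypt(sk, c):
    """D(SK, (c1, c2)): b = c1^x, output c2 * b^{-1}; the inverse is b^(p-2) (Fermat)."""
    p, q, g, x = sk
    c1, c2 = c
    b = pow(c1, x, p)
    return (pow(b, p - 2, p) * c2) % p


def encode_key(K, p):
    """Injective map from K in {1, ..., q} into Q_p: squaring (K and p-K never both occur)."""
    return pow(K, 2, p)


def decode_key(elem, p):
    """Inverse of encode_key: p = 3 (mod 4), so elem^((p+1)/4) is a square root;
    the root lying in {1, ..., q} is the smaller of root and p - root."""
    root = pow(elem, (p + 1) // 4, p)
    return min(root, p - root)


def stream_xor(K, data):
    """(E2, D2): XOR with a SHA-256 keystream derived from K. Secure for ONE message
    only, as Theorem 60 assumes; reusing K leaks the XOR of the two plaintexts."""
    key = K.to_bytes((K.bit_length() + 7) // 8, "big")
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], block))
    return bytes(out)


def hybrid_encrypt(pk, msg):
    """E(pk, m) = (E1(pk, K), E2(K, m)) with a fresh K in {1, ..., q}."""
    p, q, _, _ = pk
    K = secrets.randbelow(q) + 1
    return elgamal_encrypt(pk, encode_key(K, p)), stream_xor(K, msg)


def hybrid_decrypt(sk, ct):
    """D(sk, (C1, C2)) = D2(D1(sk, C1), C2)."""
    C1, C2 = ct
    return stream_xor(decode_key(elgamal_decrypt(sk, C1), sk[0]), C2)


if __name__ == "__main__":
    pk, sk = elgamal_keygen(gen_group())          # G() is the same as G1()
    ct = hybrid_encrypt(pk, b"constructed sample plaintext")
    print(hybrid_decrypt(sk, ct))
```

Only one exponentiation-based operation (the El Gamal encryption of the short key) is performed per message regardless of its length; everything else is hashing and XOR, which is the efficiency argument of the paragraph above made concrete. The one-message restriction on `stream_xor` is deliberate: with the same $K$ used twice the scheme is not even one-way, which is why the hybrid construction draws a fresh $K$ inside every call to $E$.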
Theorem 60 Suppose $(G_1, E_1, D_1)$ is $(t, \varepsilon_1)$-secure for one encryption and $(E_2, D_2)$ is $(t, \varepsilon_2)$-secure for one encryption. Suppose also that $E_1, E_2$ have running time $\le r$.
Then $(G, E, D)$ is $(t - 2r, 2\varepsilon_1 + \varepsilon_2)$-secure for one encryption.
We begin by assuming the conclusion of the theorem is false, that is, $(G, E, D)$ is not $(t - 2r, 2\varepsilon_1 + \varepsilon_2)$-secure.
Suppose there is an adversary $A$ that runs in time $t' \le t - 2r$ and there are two messages $m_0$ and $m_1$ such that:
$$\bigl|P[A(pk, E(pk, m_0)) = 1] - P[A(pk, E(pk, m_1)) = 1]\bigr| > 2\varepsilon_1 + \varepsilon_2$$
Then the definition of $E()$ is applied, so
$$\bigl|P[A(pk, E_1(pk, K), E_2(K, m_0)) = 1] - P[A(pk, E_1(pk, K), E_2(K, m_1)) = 1]\bigr| > 2\varepsilon_1 + \varepsilon_2$$
We then apply a hybrid argument in which the hybrid distributions have $E_1(pk, 0)$ instead of $E_1(pk, K)$. ($0$ denotes a string of zeroes; any other fixed string could be used in the proof.) Producing:
$$\begin{aligned}
2\varepsilon_1 + \varepsilon_2 &< \bigl|P[A(pk, E_1(pk, K), E_2(K, m_0)) = 1] - P[A(pk, E_1(pk, K), E_2(K, m_1)) = 1]\bigr| \\
&\le \bigl|P[A(pk, E_1(pk, K), E_2(K, m_0)) = 1] - P[A(pk, E_1(pk, 0), E_2(K, m_0)) = 1]\bigr| \\
&\quad + \bigl|P[A(pk, E_1(pk, 0), E_2(K, m_0)) = 1] - P[A(pk, E_1(pk, 0), E_2(K, m_1)) = 1]\bigr| \\
&\quad + \bigl|P[A(pk, E_1(pk, 0), E_2(K, m_1)) = 1] - P[A(pk, E_1(pk, K), E_2(K, m_1)) = 1]\bigr|
\end{aligned}$$
This means that at least one of the following cases must happen:
a) the first difference is at least $\varepsilon_1$
b) the second difference is at least $\varepsilon_2$