CHAPMAN & HALL/CRC
CRYPTOGRAPHY AND NETWORK SECURITY
Introduction to Modern Cryptography
Series Editor
Douglas R. Stinson
Published Titles
Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Forthcoming Titles
Burton Rosenberg, Handbook of Financial Cryptography
Maria Isabel Vasco, Spyros Magliveras, and Rainer Steinwandt, Group Theoretic Cryptography
Shiu-Kai Chin and Susan Beth Older, A Mathematical Introduction to Access Control
Introduction to Modern Cryptography
Jonathan Katz
Yehuda Lindell
Boca Raton, London, New York
Chapman & Hall/CRC is an imprint of the Taylor & Francis Group, an informa business
Chapman & Hall/CRC
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2008 by Taylor & Francis Group, LLC
Chapman & Hall/CRC is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4
International Standard Book Number-13: 978-1-58488-551-1 (Hardcover)
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.
No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Katz, Jonathan.
Introduction to modern cryptography : principles and protocols / Jonathan Katz and Yehuda Lindell.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-58488-551-1 (alk. paper)
1. Computer security. 2. Cryptography. I. Lindell, Yehuda. II. Title.
QA76.9.A25K36 2007
005.8--dc22
2007017861
Visit the Taylor & Francis Web site at
and the CRC Press Web site at
Preface
This book presents the basic paradigms and principles of modern cryptography. It is designed to serve as a textbook for undergraduate- or graduate-level courses in cryptography (in computer science or mathematics departments), as a general introduction suitable for self-study (especially for beginning graduate students), and as a reference for students, researchers, and practitioners.
There are numerous other cryptography textbooks available today, and the reader may rightly ask whether another book on the subject is needed. We would not have written this book if the answer to that question were anything other than an unequivocal yes. The novelty of this book - and what, in our opinion, distinguishes it from all other books currently available - is that it provides a rigorous treatment of modern cryptography in an accessible manner appropriate for an introduction to the topic.
As mentioned, our focus is on modern (post-1980s) cryptography, which is distinguished from classical cryptography by its emphasis on definitions, precise assumptions, and rigorous proofs of security. We briefly discuss each of these in turn (these principles are explored in greater detail in Chapter 1):
• The central role of definitions: A key intellectual contribution of modern cryptography has been the recognition that formal definitions of security are an essential first step in the design of any cryptographic primitive or protocol. The reason, in retrospect, is simple: if you don't know what it is you are trying to achieve, how can you hope to know when you have achieved it? As we will see in this book, cryptographic definitions of security are quite strong and - at first glance - may appear impossible to achieve. One of the most amazing aspects of cryptography is that (under mild and widely-believed assumptions) efficient constructions satisfying such strong definitions can be proven to exist.
• The importance of formal and precise assumptions: As will be explained in Chapters 2 and 3, many cryptographic constructions cannot currently be proven secure in an unconditional sense. Security often relies, instead, on some widely-believed (albeit unproven) assumption. The modern cryptographic approach dictates that any such assumption must be clearly stated and unambiguously defined. This not only allows for objective evaluation of the assumption but, more importantly, enables rigorous proofs of security as described next.
• The possibility of rigorous proofs of security: The previous two ideas lead naturally to the current one, which is the realization that cryptographic constructions can be proven secure with respect to a clearly stated definition of security and relative to a well-defined cryptographic assumption. This is the essence of modern cryptography, and what has transformed cryptography from an art to a science.
The importance of this idea cannot be over-emphasized. Historically, cryptographic schemes were designed in a largely ad-hoc fashion, and were deemed to be secure if the designers themselves could not find any attacks. In contrast, modern cryptography promotes the design of schemes with formal, mathematical proofs of security in well-defined models. Such schemes are guaranteed to be secure unless the underlying assumption is false (or the security definition did not appropriately model the real-world security concerns). By relying on long-standing assumptions (e.g., the assumption that "factoring is hard"), it is thus possible to obtain schemes that are extremely unlikely to be broken.
A unified approach. The above contributions of modern cryptography are relevant not only to the "theory of cryptography" community. The importance of precise definitions is, by now, widely understood and appreciated by those in the security community who use cryptographic tools to build secure systems, and rigorous proofs of security have become one of the requirements for cryptographic schemes to be standardized. As such, we do not separate "applied cryptography" from "provable security"; rather, we present practical and widely-used constructions along with precise statements (and, most of the time, a proof) of what definition of security is achieved.
Guide to Using this Book
This section is intended primarily for instructors seeking to adopt this book for their course, though the student picking up this book on his or her own may also find it a useful overview of the topics that will be covered.
Required background. This book uses definitions, proofs, and mathematical concepts, and therefore requires some mathematical maturity. In particular, the reader is assumed to have had some exposure to proofs at the college level, say in an upper-level mathematics course or a course on discrete mathematics, algorithms, or computability theory. Having said this, we have made a significant effort to simplify the presentation and make it generally accessible. It is our belief that this book is not more difficult than analogous textbooks that are less rigorous. On the contrary, we believe that (to take one example) once security goals are clearly formulated, it often becomes easier to understand the design choices made in a particular construction.
We have structured the book so that the only formal prerequisites are a course in algorithms and a course in discrete mathematics. Even here we rely on very little material: specifically, we assume some familiarity with basic probability and big-O notation, modular arithmetic, and the idea of equating efficient algorithms with those running in polynomial time. These concepts are reviewed in Appendix A and/or when first used in the book.
Suggestions for course organization. The core material of this book, which we strongly recommend should be covered in any introductory course on cryptography, consists of the following (starred sections are excluded in what follows; see further discussion regarding starred material below):
• Chapters 1-4 (through Section 4.6), discussing classical cryptography, modern cryptography, and the basics of private-key cryptography (both private-key encryption and message authentication).
• Chapter 5, illustrating basic design principles for block ciphers and including material on the widely-used block ciphers DES and AES.1
• Chapter 7, introducing concrete mathematical problems believed to be "hard", and providing the number-theoretic background needed to understand the RSA, Diffie-Hellman, and El Gamal cryptosystems. This chapter also gives the first examples of how number-theoretic assumptions are used in cryptography.
• Chapters 9 and 10, motivating the public-key setting and discussing public-key encryption (including RSA-based schemes and El Gamal encryption).
• Chapter 12, describing digital signature schemes.
• Sections 13.1 and 13.3, introducing the random oracle model and the RSA-FDH signature scheme.
We believe that this core material - possibly omitting some of the more in-depth discussion and proofs - can be covered in a 30-35-hour undergraduate course. Instructors with more time available could proceed at a more leisurely pace, e.g., giving details of all proofs and going more slowly when introducing the underlying group theory and number-theoretic background. Alternatively, additional topics could be incorporated as discussed next.
Those wishing to cover additional material, in either a longer course or a faster-paced graduate course, will find that the book has been structured to allow flexible incorporation of other topics as time permits (and depending on the instructor's interests). Specifically, some of the chapters and sections are starred (*). These sections are not less important in any way, but arguably do not constitute "core material" for an introductory course in cryptography. As made evident by the course outline just given (which does not include any starred material), starred chapters and sections may be skipped - or covered at any point subsequent to their appearance in the book - without affecting the flow of the course. In particular, we have taken care to ensure that none of the later un-starred material depends on any starred material. For the most part, the starred chapters also do not depend on each other (and when they do, this dependence is explicitly noted).
1 Although we consider this to be core material, it is not used in the remainder of the book and so this chapter can be skipped if desired.
We suggest the following from among the starred topics for those wishing to give their course a particular flavor:
• Theory: A more theoretically-inclined course could include material from Section 3.2.2 (building to a definition of semantic security for encryption); Sections 4.8 and 4.9 (dealing with stronger notions of security for private-key encryption); Chapter 6 (introducing one-way functions and hard-core bits, and constructing pseudorandom generators and pseudorandom functions/permutations starting from any one-way permutation); Section 10.7 (constructing public-key encryption from trapdoor permutations); Chapter 11 (describing the Goldwasser-Micali, Rabin, and Paillier encryption schemes); and Section 12.6 (showing a signature scheme that does not rely on random oracles).
• Applications: An instructor wanting to emphasize practical aspects of cryptography is highly encouraged to cover Section 4.7 (describing HMAC) and all of Chapter 13 (giving cryptographic constructions in the random oracle model).
• Mathematics: A course directed at students with a strong mathematics background - or taught by someone who enjoys this aspect of cryptography - could incorporate some of the more advanced number theory from Chapter 7 (e.g., the Chinese remainder theorem and/or elliptic curve groups); all of Chapter 8 (algorithms for factoring and computing discrete logarithms); and selections from Chapter 11 (describing the Goldwasser-Micali, Rabin, and Paillier encryption schemes along with the necessary number-theoretic background).
Comments and Errata
Our goal in writing this book was to make modern cryptography accessible to a wide audience outside the "theoretical computer science" community. We hope you will let us know whether we have succeeded. In particular, we are always more than happy to receive feedback on this book, especially constructive comments telling us how the book can be improved. We hope there are no errors or typos in the book; if you do find any, however, we would greatly appreciate it if you let us know. (A list of known errata will be maintained at http://www.cs.umd.edu/~jkatz/imc.html.) You can email your comments and errata to jkatz@cs.umd.edu and lindell@cs.biu.ac.il; please put "Introduction to Modern Cryptography" in the subject line.
Acknowledgements
Jonathan Katz: I am indebted to Zvi Galil, Moti Yung, and Rafail Ostrovsky for their help, guidance, and support throughout my career. This book would never have come to be without their contributions to my development. I would also like to thank my colleagues with whom I have enjoyed numerous discussions on the "right" approach to writing a cryptography textbook. My work on this project was supported in part by the National Science Foundation under Grants #0627306, #0447075, and #0310751. Any opinions, findings, and conclusions or recommendations expressed in this book are my own, and do not necessarily reflect the views of the National Science Foundation.
Yehuda Lindell: I wish to first and foremost thank Oded Goldreich and Moni Naor for introducing me to the world of cryptography. Their influence is felt until today and will undoubtedly continue to be felt in the future. There are many, many other people who have also had considerable influence over the years and instead of mentioning them all, I will just say thank you - you know who you are.
We both thank Zoe Bermant for producing the figures used in this book; David Wagner for answering questions related to block ciphers and their cryptanalysis; and Salil Vadhan and Alon Rosen for experimenting with this text in an introductory course on cryptography at Harvard University and providing us with valuable feedback. We would also like to extend our gratitude to those who read and commented on earlier drafts of this book and to those who sent us corrections to previous printings: Adam Bender, Chiu-Yuen Koo, Yair Dombb, Michael Fuhr, William Glenn, S. Dov Gordon, Carmit Hazay, Eyal Kushilevitz, Avivit Levy, Matthew Mah, Ryan Murphy, Steve Myers, Martin Paraskevov, Eli Quiroz, Jason Rogers, Rui Xue, Dicky Yan, Arkady Yerukhimovich, and Hila Zarosim. Their comments have greatly improved the book and helped minimize the number of errors. We are extremely grateful to all those who encouraged us to write this book, and concurred with our feeling that a book of this nature is badly needed.
Finally, we thank our (respective) wives and children for all their support and understanding during the many hours, days, and months that we have spent on this project.
To our wives·and children
Contents

Part I  Introduction and Classical Cryptography  1

1 Introduction  3
1.1 Cryptography and Modern Cryptography  3
1.2 The Setting of Private-Key Encryption  4
1.3 Historical Ciphers and Their Cryptanalysis  9
1.4 The Basic Principles of Modern Cryptography  18
1.4.1 Principle 1 - Formulation of Exact Definitions  18
1.4.2 Principle 2 - Reliance on Precise Assumptions  24
1.4.3 Principle 3 - Rigorous Proofs of Security  26
References and Additional Reading  27
Exercises  27

2 Perfectly-Secret Encryption  29
2.1 Definitions and Basic Properties  29
2.2 The One-Time Pad (Vernam's Cipher)  34
2.3 Limitations of Perfect Secrecy  36
2.4 *Shannon's Theorem  37
2.5 Summary  40
References and Additional Reading  40
Exercises  41

Part II  Private-Key (Symmetric) Cryptography  45

3 Private-Key Encryption and Pseudorandomness  47
3.1 A Computational Approach to Cryptography  47
3.1.1 The Basic Idea of Computational Security  48
3.1.2 Efficient Algorithms and Negligible Success Probability  54
3.1.3 Proofs by Reduction  58
3.2 Defining Computationally-Secure Encryption  60
3.2.1 The Basic Definition of Security  61
3.2.2 *Properties of the Definition  64
3.3 Pseudorandomness  69
3.4 Constructing Secure Encryption Schemes  72
3.4.1 A Secure Fixed-Length Encryption Scheme  72
3.4.2 Handling Variable-Length Messages  76
3.4.3 Stream Ciphers and Multiple Encryptions  77
3.5 Security Against Chosen-Plaintext Attacks (CPA)  82
3.6 Constructing CPA-Secure Encryption Schemes  85
3.6.1 Pseudorandom Functions  86
3.6.2 CPA-Secure Encryption from Pseudorandom Functions  89
3.6.3 Pseudorandom Permutations and Block Ciphers  94
3.6.4 Modes of Operation  96
3.7 Security Against Chosen-Ciphertext Attacks (CCA)  103
References and Additional Reading  105
Exercises  106

4 Message Authentication Codes and Collision-Resistant Hash Functions  111
4.1 Secure Communication and Message Integrity  111
4.2 Encryption vs. Message Authentication  112
4.3 Message Authentication Codes - Definitions  114
4.4 Constructing Secure Message Authentication Codes  118
4.5 CBC-MAC  125
4.6 Collision-Resistant Hash Functions  127
4.6.1 Defining Collision Resistance  128
4.6.2 Weaker Notions of Security for Hash Functions  130
4.6.3 A Generic "Birthday" Attack  131
4.6.4 The Merkle-Damgård Transform  133
4.6.5 Collision-Resistant Hash Functions in Practice  136
4.7 *NMAC and HMAC  138
4.7.1 Nested MAC (NMAC)  138
4.7.2 HMAC  141
4.8 *Constructing CCA-Secure Encryption Schemes  144
4.9 *Obtaining Privacy and Message Authentication  148
References and Additional Reading  154
Exercises  155

5 Practical Constructions of Pseudorandom Permutations (Block Ciphers)  159
5.1 Substitution-Permutation Networks  162
5.2 Feistel Networks  170
5.3 DES - The Data Encryption Standard  173
5.3.1 The Design of DES  173
5.3.2 Attacks on Reduced-Round Variants of DES  176
5.3.3 The Security of DES  179
5.4 Increasing the Key Length of a Block Cipher  181
5.5 AES - The Advanced Encryption Standard  185
5.6 Differential and Linear Cryptanalysis - A Brief Look  187
Additional Reading and References  189
Exercises  189

6 *Theoretical Constructions of Pseudorandom Objects  193
6.1 One-Way Functions  194
6.1.1 Definitions  194
6.1.2 Candidate One-Way Functions  197
6.1.3 Hard-Core Predicates  198
6.2 Overview: From One-Way Functions to Pseudorandomness  200
6.3 A Hard-Core Predicate for Any One-Way Function  202
6.3.1 A Simple Case  202
6.3.2 A More Involved Case  203
6.3.3 The Full Proof  208
6.4 Constructing Pseudorandom Generators  213
6.4.1 Pseudorandom Generators with Minimal Expansion  214
6.4.2 Increasing the Expansion Factor  215
6.5 Constructing Pseudorandom Functions  221
6.6 Constructing (Strong) Pseudorandom Permutations  225
6.7 Necessary Assumptions for Private-Key Cryptography  227
6.8 A Digression - Computational Indistinguishability  232
6.8.1 Pseudorandomness and Pseudorandom Generators  233
6.8.2 Multiple Samples  234
References and Additional Reading  237
Exercises  237

Part III  Public-Key (Asymmetric) Cryptography  241

7 Number Theory and Cryptographic Hardness Assumptions  243
7.1 Preliminaries and Basic Group Theory  245
7.1.1 Primes and Divisibility  246
7.1.2 Modular Arithmetic  248
7.1.3 Groups  250
7.1.4 The Group Z_N^*  254
7.1.5 *Isomorphisms and the Chinese Remainder Theorem  256
7.2 Primes, Factoring, and RSA  261
7.2.1 Generating Random Primes  262
7.2.2 *Primality Testing  265
7.2.3 The Factoring Assumption  271
7.2.4 The RSA Assumption  271
7.3 Assumptions in Cyclic Groups  274
7.3.1 Cyclic Groups and Generators  274
7.3.2 The Discrete Logarithm and Diffie-Hellman Assumptions  277
7.3.3 Working in (Subgroups of) Z_p^*  281
7.3.4 *Elliptic Curve Groups  282
7.4 Cryptographic Applications of Number-Theoretic Assumptions  287
7.4.1 One-Way Functions and Permutations  287
7.4.2 Constructing Collision-Resistant Hash Functions  290
References and Additional Reading  293
Exercises  294

8 *Factoring and Computing Discrete Logarithms  297
8.1 Algorithms for Factoring  297
8.1.1 Pollard's p-1 Method  298
8.1.2 Pollard's Rho Method  301
8.1.3 The Quadratic Sieve Algorithm  303
8.2 Algorithms for Computing Discrete Logarithms  305
8.2.1 The Baby-Step/Giant-Step Algorithm  307
8.2.2 The Pohlig-Hellman Algorithm  309
8.2.3 The Discrete Logarithm Problem in Z_N  310
8.2.4 The Index Calculus Method  311
References and Additional Reading  313
Exercises  314

9 Private-Key Management and the Public-Key Revolution  315
9.1 Limitations of Private-Key Cryptography  315
9.2 A Partial Solution - Key Distribution Centers  317
9.3 The Public-Key Revolution  320
9.4 Diffie-Hellman Key Exchange  324
References and Additional Reading  330
Exercises  331

10 Public-Key Encryption  333
10.1 Public-Key Encryption - An Overview  333
10.2 Definitions  336
10.2.1 Security against Chosen-Plaintext Attacks  337
10.2.2 Multiple Encryptions  340
10.3 Hybrid Encryption  347
10.4 RSA Encryption  355
10.4.1 "Textbook RSA" and its Insecurity  355
10.4.2 Attacks on Textbook RSA  359
10.4.3 Padded RSA  362
10.5 The El Gamal Encryption Scheme  364
10.6 Security Against Chosen-Ciphertext Attacks  369
10.7 *Trapdoor Permutations  373
10.7.1 Definition  374
10.7.2 Public-Key Encryption from Trapdoor Permutations  375
References and Additional Reading  378
Exercises  379

11 *Additional Public-Key Encryption Schemes  385
11.1 The Goldwasser-Micali Encryption Scheme  386
11.1.1 Quadratic Residues Modulo a Prime  386
11.1.2 Quadratic Residues Modulo a Composite  389
11.1.3 The Quadratic Residuosity Assumption  392
11.1.4 The Goldwasser-Micali Encryption Scheme  394
11.2 The Rabin Encryption Scheme  397
11.2.1 Computing Modular Square Roots  397
11.2.2 A Trapdoor Permutation Based on Factoring  402
11.2.3 The Rabin Encryption Scheme  406
11.3 The Paillier Encryption Scheme  408
11.3.1 The Structure of Z_{N^2}^*  409
11.3.2 The Paillier Encryption Scheme  411
11.3.3 Homomorphic Encryption  416
References and Additional Reading  418
Exercises  418

12 Digital Signature Schemes  421
12.1 Digital Signatures - An Overview  421
12.2 Definitions  423
12.3 RSA Signatures  426
12.3.1 "Textbook RSA" and its Insecurity  426
12.3.2 Hashed RSA  428
12.4 The "Hash-and-Sign" Paradigm  429
12.5 Lamport's One-Time Signature Scheme  432
12.6 *Signatures from Collision-Resistant Hashing  435
12.6.1 "Chain-Based" Signatures  436
12.6.2 "Tree-Based" Signatures  439
12.7 The Digital Signature Standard (DSS)  445
12.8 Certificates and Public-Key Infrastructures  446
References and Additional Reading  453
Exercises  454

13 Public-Key Cryptosystems in the Random Oracle Model  457
13.1 The Random Oracle Methodology  458
13.1.1 The Random Oracle Model in Detail  459
13.1.2 Is the Random Oracle Methodology Sound?  465
13.2 Public-Key Encryption in the Random Oracle Model  469
13.2.1 Security Against Chosen-Plaintext Attacks  469
13.2.2 Security Against Chosen-Ciphertext Attacks  473
13.2.3 OAEP  479
13.3 Signatures in the Random Oracle Model  481
References and Additional Reading  486
Exercises  486

Index of Common Notation  489

A Mathematical Background  493
A.1 Identities and Inequalities  493
A.2 Asymptotic Notation  493
A.3 Basic Probability  494
A.4 The "Birthday" Problem  496

B Supplementary Algorithmic Number Theory  499
B.1 Integer Arithmetic  501
B.1.1 Basic Operations  501
B.1.2 The Euclidean and Extended Euclidean Algorithms  502
B.2 Modular Arithmetic  504
B.2.1 Basic Operations  504
B.2.2 Computing Modular Inverses  505
B.2.3 Modular Exponentiation  505
B.2.4 Choosing a Random Group Element  508
B.3 *Finding a Generator of a Cyclic Group  512
B.3.1 Group-Theoretic Background  512
B.3.2 Efficient Algorithms  513
References and Additional Reading  515
Exercises  515

References  517
Index  529
Part I
Introduction and Classical Cryptography
Chapter 1
Introduction
1.1 Cryptography and Modern Cryptography
The Concise Oxford Dictionary (2006) defines cryptography as the art of writing or solving codes. This definition may be historically accurate, but it does not capture the essence of modern cryptography. First, it focuses solely on the problem of secret communication. This is evidenced by the fact that the definition specifies "codes", elsewhere defined as "a system of pre-arranged signals, especially used to ensure secrecy in transmitting messages". Second, the definition refers to cryptography as an art form. Indeed, until the 20th century (and arguably until late in that century), cryptography was an art. Constructing good codes, or breaking existing ones, relied on creativity and personal skill. There was very little theory that could be relied upon and there was not even a well-defined notion of what constitutes a good code.
In the late 20th century, this picture of cryptography radically changed. A rich theory emerged, enabling the rigorous study of cryptography as a science. Furthermore, the field of cryptography now encompasses much more than secret communication. For example, it deals with the problems of message authentication, digital signatures, protocols for exchanging secret keys, authentication protocols, electronic auctions and elections, digital cash and more. In fact, modern cryptography can be said to be concerned with problems that may arise in any distributed computation that may come under internal or external attack. Without attempting to provide a perfect definition of modern cryptography, we would say that it is the scientific study of techniques for securing digital information, transactions, and distributed computations.
Another very important difference between classical cryptography (say, before the 1980s) and modern cryptography relates to who uses it. Historically, the major consumers of cryptography were military and intelligence organizations. Today, however, cryptography is everywhere! Security mechanisms that rely on cryptography are an integral part of almost any computer system. Users (often unknowingly) rely on cryptography every time they access a secured website. Cryptographic methods are used to enforce access control in multi-user operating systems, and to prevent thieves from extracting trade secrets from stolen laptops. Software protection methods employ encryption, authentication, and other tools to prevent copying. The list goes on and on.
In short, cryptography has gone from an art form that dealt with secret communication for the military to a science that helps to secure systems for ordinary people all across the globe. This also means that cryptography is becoming a more and more central topic within computer science.
The focus of this book is modern cryptography. Yet we will begin our study by examining the state of cryptography before the changes mentioned above. Besides allowing us to ease into the material, it will also provide an understanding of where cryptography has come from so that we can later appreciate how much it has changed. The study of "classical cryptography" - replete with ad-hoc constructions of codes, and relatively simple ways to break them - serves as good motivation for the more rigorous approach that we will be taking in the rest of the book.1
1.2 The Setting of Private-Key Encryption
As noted above, cryptography was historically concerned with secret com
munication. Specifically, cryptography was concerned with the construction
of ciphers ( now called encryption schemes) for providing secret communica
tion between two parties sharing some information in advance. The setting in
which the communicating parties share some secret information in advance is
now known as the private-key ( or the symmetric-key) setting. Before descr ib
ing some historical ciphers, we discuss the private-key setting and encryption
in more genera1 terms.
In the private-key setting, two parties share some secret information called
a key, and use this key when they wish to communicate secretly with each
other. A party se nding a message uses the key to encr:ypt ( or "scramble" ) the
message before it is sent, and the· receiver uses the same key to decrypt ( or
"unscramble" ) and recover the message upon receipt. The message itself is
called the plaintext, and the "scrambled" information that is actually trans, mitted from the sender to the receiver is called the ciphertext; ,see Figure 1.1.
The shared key serves to distinguish the communicating parties from any
other parties who may be eavesdropping on their communication ( assumed to
take place over a public channel) .
In this setting, the same key is used to convert the plaintext into a ciphertext and back. This explains why this setting is also known as the symmetric-key setting, where the symmetry lies in the fact that both parties hold the same key which is used for both encryption and decryption. This is in contrast to the setting of asymmetric encryption (introduced in Chapter 9), where the sender and receiver do not share any secrets and different keys are used for encryption and decryption. The private-key setting is the classic one, as we will see later in this chapter.

FIGURE 1.1: The basic setting of private-key encryption.

1 This is our primary intent in presenting this material and, as such, this chapter should not be taken as a representative historical account. The reader interested in the history of cryptography should consult the references at the end of this chapter.
An implicit assumption in any system using private-key encryption is that the communicating parties have some way of initially sharing a key in a secret manner. (Note that if one party simply sends the key to the other over the public channel, an eavesdropper obtains the key too!) In military settings, this is not a severe problem because communicating parties are able to physically meet in a secure location in order to agree upon a key. In many modern settings, however, parties cannot arrange any such physical meeting. As we will see in Chapter 9, this is a source of great concern and actually limits the applicability of cryptographic systems that rely solely on private-key methods. Despite this, there are still many settings where private-key methods suffice and are in wide use; one example is disk encryption, where the same user (at different points in time) uses a fixed secret key to both write to and read from the disk. As we will explore further in Chapter 10, private-key encryption is also widely used in conjunction with asymmetric methods.
The syntax of encryption. A private-key encryption scheme is comprised of three algorithms: the first is a procedure for generating keys, the second a procedure for encrypting, and the third a procedure for decrypting. These have the following functionality:
1. The key-generation algorithm Gen is a probabilistic algorithm that outputs a key k chosen according to some distribution that is determined by the scheme.
2. The encryption algorithm Enc takes as input a key k and a plaintext message m and outputs a ciphertext c. We denote by Enc_k(m) the encryption of the plaintext m using the key k.
3. The decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a plaintext m. We denote the decryption of the ciphertext c using the key k by Dec_k(c).
The set of all possible keys output by the key-generation algorithm is called the key space and is denoted by K. Almost always, Gen simply chooses a key uniformly at random from the key space (in fact, one can assume without loss of generality that this is the case). The set of all "legal" messages (i.e., those supported by the encryption algorithm) is denoted M and is called the plaintext (or message) space. Since any ciphertext is obtained by encrypting some plaintext under some key, the sets K and M together define a set of all possible ciphertexts denoted by C. An encryption scheme is fully defined by specifying the three algorithms (Gen, Enc, Dec) and the plaintext space M.
The basic correctness requirement of any encryption scheme is that for every key k output by Gen and every plaintext message m ∈ M, it holds that
In words, decrypting a ciphertext (using the appropriate key) yields the original message that was encrypted.
Recapping our earlier discussion, an encryption scheme would be used by two parties who wish to communicate as follows. First, Gen is run to obtain a key k that the parties share. When one party wants to send a plaintext m to the other, he computes c := Enc_k(m) and sends the resulting ciphertext c over the public channel to the other party.2 Upon receiving c, the other party computes m := Dec_k(c) to recover the original plaintext.
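The (Gen, Enc, Dec) syntax, the spaces K, M and C, and the correctness requirement just stated, worked through as an added example that is not from the book: a toy n-bit XOR scheme (essentially a fixed-length one-time pad, chosen here for illustration) is checked exhaustively against Dec_k(Enc_k(m)) = m, alongside a deliberately lossy scheme that fails the requirement. Messages and keys are represented as Python ints in [0, 2^n); the function names are this example's own.

```python
import secrets

# Added example (not the book's code). A private-key scheme is a triple
# (Gen, Enc, Dec); here the key space K and message space M are both the
# n-bit strings {0,1}^n, encoded as ints in [0, 2^n).

def make_xor_scheme(n):
    """Return (Gen, Enc, Dec) for an n-bit XOR scheme (a fixed-length one-time pad)."""
    mask = (1 << n) - 1

    def gen():
        # Gen is probabilistic: a key uniform in K, drawn from a CSPRNG.
        return secrets.randbits(n)

    def enc(k, m):
        assert 0 <= m <= mask, "m is not in the message space M"
        return (m ^ k) & mask

    def dec(k, c):
        return (c ^ k) & mask

    return gen, enc, dec

def make_lossy_scheme(n):
    """A deliberately flawed scheme whose Enc clears the low bit of the
    ciphertext, so Dec cannot always recover m: correctness is violated."""
    gen, enc, dec = make_xor_scheme(n)
    return gen, (lambda k, m: enc(k, m) & ~1), dec

def check_correctness(scheme, key_space, message_space):
    """Exhaustively test Dec_k(Enc_k(m)) = m for every k in K and m in M.
    Returns the (k, m) pairs that break it; an empty list means correct."""
    _, enc, dec = scheme
    return [(k, m) for k in key_space for m in message_space
            if dec(k, enc(k, m)) != m]

def ciphertext_space(scheme, key_space, message_space):
    """C is the set of all Enc_k(m) as k ranges over K and m over M."""
    _, enc, _ = scheme
    return {enc(k, m) for k in key_space for m in message_space}

if __name__ == "__main__":
    K = M = range(16)  # n = 4: K = M = {0,1}^4 as ints
    print(check_correctness(make_xor_scheme(4), K, M))           # []
    print(len(check_correctness(make_lossy_scheme(4), K, M)))    # 128
    print(sorted(ciphertext_space(make_xor_scheme(4), K, M)))    # 0..15
```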
Keys and Kerckhoffs' principle. As is clear from the above formulation, if an eavesdropping adversary knows the algorithm Dec as well as the key k shared by the two communicating parties, then that adversary will be able to decrypt all communication between these parties. It is for this reason that the communicating parties must share the key k secretly, and keep k completely secret from everyone else. But maybe they should keep the decryption algorithm Dec a secret, too? For that matter, perhaps all the algorithms constituting the encryption scheme (i.e., Gen and Enc as well) should be kept secret? (Note that the plaintext space M is typically assumed to be known, e.g., it may consist of English-language sentences.)
In the late 19th century, Auguste Kerckhoffs gave his opinion on this matter in a paper he published outlining important design principles for military
2 Throughout the book, we use ":=" to denote the assignment operation. A list of common notation can be found in the back of the book.