Constructions (11 min)

Edit subtitles

0:00 - 0:04

In the last segment, we explained what is
a public key encryption system. And we
0:04 - 0:08

defined what it means for a public key
encryption system to be secure. If you
0:08 - 0:11

remember, we required security against
active attacks. And in particular, we
0:11 - 0:15

defined chosen cipher text security as our
goal. This week, we're gonna construct two
0:15 - 0:19

families of public key encryption systems
that are chosen cipher text secure. And in
0:19 - 0:23

this segment, we're gonna start by
constructing public key encryptions from,
0:23 - 0:27

a concept called a trapdoor
permutation. So let's start by defining a
0:27 - 0:31

general concept called a trapdoor
function. So what is a trapdoor function?
0:31 - 0:35

Well, a trapdoor function basically is a
function that goes from some set X to some
0:35 - 0:40

set Y. And it's really defined by a triple
of algorithms. There's a generation
0:40 - 0:44

algorithm, the function f, and the inverse
of the function f. So the generation
0:44 - 0:48

algorithm, basically what it does when you
run it, it will generate a key pair, a
0:48 - 0:52

public key and a secret key. The public
key is gonna define a specific function
0:52 - 0:57

from the set X to the set Y. And then the
secret key is going to define the inverse
0:57 - 1:02

function now from the set Y to the set
X. So the idea is that you can evaluate
1:02 - 1:07

the function at any point using a public key
PK and then you can invert that function
1:07 - 1:12

using the secret key, SK. So what do I
mean by inversion? More precisely, if we
1:12 - 1:17

look at any public key and secret key pair
generated by the key generation algorithm
1:17 - 1:22

G, then it so happens that if I evaluate
the function at the point X, and then I
1:22 - 1:26

evaluate the inverse at the resulting
point, I should get the original point X
1:26 - 1:31

back. So the picture you should have in
your mind, is there is this big set X and
1:31 - 1:36

this big set Y And then, this function
will map any point in X to a point in Y,
1:36 - 1:42

and this can be done using the public key.
So again any point in X can be mapped, to
1:42 - 1:47

a point in Y. And then if someone has the
secret key, then basically they can go in
1:47 - 1:54

the reverse direction by applying, this
secret key sk. So now that we
1:54 - 1:58

understand what a trapdoor function is,
let's define what it means for a trapdoor
1:58 - 2:03

function to be secure. And so we'll say
that this triple, (G, F, F inverse), is secure
2:03 - 2:07

if in fact this function F(PK, .) is what's
called a one way function. And let me
2:07 - 2:11

explain what a, what is a one way
function. The idea is that basically the
2:11 - 2:16

function can be evaluated at any point,
but inverting it is difficult without the
2:16 - 2:20

secret key SK. So let's define that more
precisely. As usual we define that using a
2:20 - 2:24

game. So here we have our game between the
challenger and the adversary. And the game
2:24 - 2:27

proceeds as follows. Basically the
challenger will generate a public key and
2:27 - 2:32

a secret key. And then they will generate
a random X. It will send the public key
2:32 - 2:36

over to the adversary and then it will
evaluate the function at the point X and
2:36 - 2:40

send the resulting Y also to the
adversary. So all the adversary gets to
2:40 - 2:45

see is just a public key, which defines
what the function is, and then he gets to
2:45 - 2:49

see the image of this function on a random
point X and is goal is basically to invert
2:49 - 2:54

the function at this point Y. Okay, so he
outputs some X prime. And we said that the
2:54 - 2:59

trap door function is secure if the
probability that the ad, adversary inverts
2:59 - 3:03

the given at point y is negligible. In
other words, given y the probability that
3:03 - 3:07

the adversary's able to alter the pre
image of y is in fact a negligible
3:07 - 3:12

probability and if that's true for all
efficient algorithms then we say that this
3:12 - 3:18

trapdor function is secure. So again
abstractly, it's a really interesting
3:18 - 3:22

concept in that you can evaluate the
function in the forward direction very
3:22 - 3:26

easily. But then no one can evaluate the
function in the reverse direction unless
3:26 - 3:30

they have this trapdoor, the secret key
SK, which then all of a sudden lets them
3:30 - 3:35

invert the function very, very easily. So
using the concept of a trapdoor function,
3:35 - 3:40

it's not too difficult to build a public key encryption system, and let me show you how
3:40 - 3:44

to do it. So here we have we our trap door
function, (G, F, and F inverse). The other
3:44 - 3:48

tool that we are going to need is a symmetric encryption scheme, and I'm going to
3:48 - 3:52

assume that this encryption scheme is actually
secure against active attacks, so in
3:52 - 3:55

particular I needed to provide
authenticated encryption. Notice that the
3:55 - 4:01

symmetric encryption system takes keys in
K and the trapdoor function takes inputs
4:01 - 4:06

in X. Those are two different sets and so
we're also gonna need the hash function.
4:06 - 4:10

That goes from X to K. In other words, it
maps elements in the set X into keys for
4:10 - 4:14

the symmetric encryption systems. And now
once we have these three components, we
4:14 - 4:18

can actually construct the public key encryption system as follows: so the key
4:18 - 4:22

generation for the public key encryption
system is basically exactly the same as
4:22 - 4:26

the key generation for the trap door
function. So we run G for the trap door
4:26 - 4:30

function, we get a public key and a secret
key. And those are gonna be the public and
4:30 - 4:34

secret keys for the public key encryption
system. And how do we encrypt and decrypt? Let's
4:34 - 4:39

start with encryption. So the encryption
algorithm takes a public key and a message
4:39 - 4:44

as input. So what it will do is it will
generate a random X from the set capital
4:44 - 4:49

X. It will then apply the trapdoor
function to this random X, to obtain Y. So
4:49 - 4:53

Y is the image of X under the trapdoor
function. Then it will go ahead and
4:53 - 4:58

generate a symmetric key by hashing X. So
this is a symmetric key for the symmetric
4:58 - 5:03

key system. And then finally it encrypts
the plain text message 'm' using this key that was
5:03 - 5:08

just generated. And then it outputs the
value Y that it just computed, which is
5:08 - 5:13

the image of X, along the encryption under
the symmetric system of the message M. So
5:13 - 5:18

that's how encryption works. And I want to
emphasize again that the trapdoor function
5:18 - 5:23

is only applied to this random value X,
whereas the message itself is encrypted
5:23 - 5:28

using a symmetric key system using a key
that was derived from the value X that we
5:28 - 5:33

chose at random. So now that we understand
encryption, let's see how to decrypt.
5:33 - 5:37

While the decryption algorithm takes a
secret key as input, and the ciphertext.
5:37 - 5:42

The ciphertext itself contains two
components, the value Y and the value C.
5:42 - 5:46

So the first step we're gonna do, is we're
gonna apply the inverse transformation,
5:46 - 5:50

the inverse trap door function to the
value Y, and that will give us back the
5:50 - 5:54

original X that was chosen during
encryption. So now let me ask you, how do
5:54 - 6:00

we derive the symmetric decryption key K
from this X that we just obtained? Well,
6:00 - 6:05

so that's an easy question. We basically
hash X again. That gives us K just as
6:05 - 6:09

during encryption. And now that we have
this symmetric encryption key we can apply
6:09 - 6:14

the, the symmetric decryption algorithm to
decrypt the ciphertext C. We get the
6:14 - 6:18

original message M and that's what we
output. So, that's how the public key
6:18 - 6:22

encryption system works were this trap
door function is only used for encrypting
6:22 - 6:27

some sort of a random value X and the
actual message is encrypted using the
6:27 - 6:31

symmetric system. So in pictures here, we
have the message M obviously the plain
6:31 - 6:36

text could be quite large. So, here we
have the body of the deciphered text which
6:36 - 6:40

can be quite long is actually encrypted
using the symmetric system. And then again
6:40 - 6:44

I emphasize that the key for the
symmetric system is simply the hash of X.
6:44 - 6:48

And then the header of ciphertext is simply
this application of the trapdoor
6:48 - 6:53

function to this random X that we picked.
And so during decryption what happens is
6:53 - 6:57

we first decrypt the header to get X and
then we decrypt the body using the
6:57 - 7:02

symmetric system to actually get the
original plain text M. So as usual when I
7:02 - 7:07

show you a system like this, obviously you
want to verify that decryption in fact is
7:07 - 7:11

the inverse of encryption. But more
importantly you want to ask why is this
7:11 - 7:15

system secure. And in fact there's a nice
security theorem here that says. That if
7:15 - 7:19

the trap door function that we started
with is secure. In other words, that's a
7:19 - 7:23

one way function if the adversary doesn't
have a secret key. The symmetric
7:23 - 7:27

encryption system provides authenticated
encryption. And the hash function is a
7:27 - 7:31

random oracle, which simply means that
it's a random function from the set X to
7:31 - 7:35

the set of keys K. So a random oracle is
some sort of an idealization of, what a
7:35 - 7:38

hash function is supposed to be. In
practice, of course, when you come to
7:38 - 7:42

implement a system like this, you would
just use, SHA-256, or any of the
7:42 - 7:47

other hash functions that we discussed in
class. So, under those three conditions in
7:47 - 7:52

fact the system that we just described is
chosen cipher text secure so it is CCA
7:52 - 7:56

secure, the little ro here just denote the
fact that security is set in whats called
7:56 - 8:01

a random oracle model. But, that's a detail
that's actually not so important for
8:01 - 8:05

discussion here, what I want you to
remember is that if the trap door function
8:05 - 8:09

is in fact a secure trap door function. The
symmetric encryption system is secure
8:09 - 8:13

against tampering so it provides
authenticated encryption. And H
8:13 - 8:17

is in some sense a good hash function.
It's a random, function, which in practice
8:17 - 8:22

you would just use SHA-256, then in
fact the system that we just showed is CCA
8:22 - 8:28

secure, is chosen ciphertext secure. I should
tell you that there's actually an ISO
8:28 - 8:32

standard that, defines this mode of
encryption, of public encryption. ISO
8:32 - 8:36

stands for International Standards
Organization. So in fact this particular
8:36 - 8:40

system has actually been standardized, and
this is a fine thing to use. I'll refer to
8:40 - 8:45

this as the ISO encryption in the next few
segments. To conclude this segment, I want
8:45 - 8:49

to warn you about an incorrect way of
using a trapdoor function to build a
8:49 - 8:53

public key encryption system. And in fact
this method might be the first thing that
8:53 - 8:58

comes to mind, and yet it's completely
insecure. So let me show you, how not to
8:58 - 9:02

encrypt using a trapdoor function. Well
the first thing that might come to mind
9:02 - 9:06

is, well, let's apply the trapdoor
function directly to the message M. So we
9:06 - 9:10

encrypt simply by applying a function to
the message M, and we decrypt simply by
9:10 - 9:14

applying F inverse to the ciphertext C to
recover the original message M. So
9:14 - 9:19

functionally, this is in fact, decryption
is the inverse of encryption, and yet this
9:19 - 9:23

is completely insecure for many, many
different reasons. The easiest way to see
9:23 - 9:27

that this is insecure, is that it's
simply, this is deterministic encryption.
9:27 - 9:31

You notice there is no randomness being
used here. When we encrypt a message
9:31 - 9:34

M, and since it is
deterministic, it's cannot possibly be
9:34 - 9:38

semantically secure. But in fact, as I
said, when we instantiate this trap door
9:38 - 9:42

function with particular implementations,
for example with the RSA trap door
9:42 - 9:45

function, then there are many, many
attacks that are possible on this
9:45 - 9:49

particular construction, and so you should
never, ever, ever use it, and I'm gonna
9:49 - 9:53

repeat this throughout this module, and in
fact in the next segment I'll show you a
9:53 - 9:57

number of attacks on this particular
implementation. Okay so, what I would like
9:57 - 10:01

you to remember is that you should be
using an encryption system like the ISO
10:01 - 10:05

standard, and you should never apply the
trap door function directly to the message M.
10:05 - 10:09

Although in the next segment we'll
see other ways to encrypt using a trap
10:09 - 10:13

door function that are also correct, but
this particular method is clearly, clearly
10:13 - 10:18

incorrect. Okay, so now that we understand
how to build public key encryption
10:18 - 10:21

given a trap door function, the next
question is how to construct trap door
10:21 - 10:24

functions, and we're going to do that in
the next segment.

Title:: Constructions (11 min)
Video Language:: English

	rodolfojcj edited English subtitles for Constructions (11 min)
	rodolfojcj edited English subtitles for Constructions (11 min)
	rodolfojcj edited English subtitles for Constructions (11 min)
	iracly.kv edited English subtitles for Constructions (11 min)
	iracly.kv edited English subtitles for Constructions (11 min)
	iracly.kv edited English subtitles for Constructions (11 min)
	stanford-bot edited English subtitles for Constructions (11 min)
	stanford-bot edited English subtitles for Constructions (11 min)

Show all

English subtitles

Revisions

Revision 8

rodolfojcj

Constructions (11 min)

Revisions

Our website uses cookies

Operating cookies (Required)