Last week, we learned a number theory that's needed for public key encryption. This week we're gonna put this knowledge to work, and we're gonna construct a number of secure public key encryption schemes. But first, we need to define what is public key encryption, and what does it mean for public key encryption to be secure? So let me remind you that in a public key encryption scheme, there is an encryption algorithm which is usually denoted by E, and there's a decryption algorithm which we denote by D. However here, the encryption algorithm takes a public key, while the decryption algorithm takes a secret key. This pair is called a key pair. And the public key is used for encrypting messages while the secret key is used for decrypting messages. So in this case a message m is encrypting using the public key and what comes out of that is the ciphertext c. And similarly the ciphertext is fed into the decryption algorithm and using the secret key, what comes out of the decryption algorithm is the original message m. Now public key encryption has many applications. Last week we saw the classic application which is session setup, namely, key exchange and for now we're just looking at key exchange that is secure against eavesdropping only. And if you remember the way the protocol works, basically Alice, what she would do is she would generate a public key secret pair. She would send the public key to Bob. Bob will generate a random X, which is gonna serve as their shared secret, and then he sends X encrypted to Alice, encrypted under her public key. Alice can decrypt, recover X and now both of them have this shared secret X which they can use to communicate securely with one another. The attacker, of course, all he gets to see is just the public key, the encryption of X under the public key, from which he should not be able to get any information about X. And we are going to define that more precisely to understand what it means to not be able to learn anything about X. Public key encryption actually has many other applications. For example, it's very useful in non-interactive applications. So think of an email system for example. So here, Bob wants to send mail to Alice, and as Bob sends the email, the email passes from mail relay to mail relay until finally it reaches Alice, at which point Alice should decrypt. The way the email system is set up, is designed for kind of non-interactive settings where Bob sends the email. And then Alice is supposed to receive it. And Alice should not be to communicate with Bob in order to decrypt the email. So in this case, because of the non-interactivity, there's no opportunity for setting up a shared secret between Alice and Bob. So in this case, what would happen is, Bob basically would, would send the email encrypted, using Alice's, public key. So he sends the email. Anyone in the world can send the email encrypted to Alice, encrypted using her public key. When Alice receives this email, she uses her secret key to decrypt the ciphertext and recover the plain text message. Of course the one caveat in a system like this is that in fact Bob needs to somehow obtain Alice's public key So for now we are just going to assume Bob already has Alice's public key, but later on, actually, when we talk about digital signatures we're gonna see how, this can actually be done very efficiently using what's called public key management and as I said we'll actually get back to that at a later time. But the main thing I want you to remember, is that public key encryption is used for session setup. This is very common on the web, where public key encryption is used to set up a secure key between a web browser and, and web server. And public key encryption is also very useful for non-interactive applications, where anyone in the world, non-interactively, needs to send a message to Alice, they can encrypt the message using Alice's public key, and Alice can decrypt and recover the plain text. So let me remind you in a bit more detail what a public key encryption system is. Well, it's made up of three algorithms G, E, and D. G is called the key generation algorithm. Basically what it will do is it will generate this key pair, the public key and the secret key. As written here, G takes no arguments, but in real life, G actually does take an argument called the security parameter which specifies the size of the keys that are generated by this key generation algorithm. Then there are these encryption algorithms as usual that take a public key and a message and produce a ciphertext in a decryption algorithm that takes the corresponding secret key and a ciphertext and it produces a corresponding message. And as usual for consistency we say that if we encrypt a message under a given public key and then decrypt with a corresponding secret key we should get the original message back. Now what does it mean for a public key encryption to be secure? I'm going to start off by defining, security against eavesdropping. And then we're going to define security against active attacks. So the way to define security against eavesdropping is very similar to the symmetric case we've already this last week so we're gonna go through this quickly just as a review. Basically the attack game is defined as follows. We defined these two experiments, experiment zero and experiment one. At in either experiment the challenger is gonna generate a public and a secret key pair. He's gonna give the public key to the adversary. The adversary's gonna output two messages m0 and m1 of equal length and then what he gets back is either the encryption of m0 or the encryption of m1. In experiment zero he gets the encryption of m0. In experiment one he gets the encryption of m1. And then the adversary is supposed to say which one did he get. Did he get the encryption of m0 or did he get the encryption of m1? So in this game, the attacker only gets one ciphertext. This corresponds to an eavesdropping attack where he simply eavesdropped on that ciphertext C. And now his goal is to tell whether the ciphertext C i s the encryption of M0 or M1. No tampering on the ciphertext C is allowed just yet. And as usual we say that the public key encryption scheme is semantically secure if the attacker cannot distinguish experiment zero from experiment one. In other words he cannot tell whether he got the encryption of M0, or the encryption of M1. Before we move on to active attacks, I want to mention a quick relation between the definition we just saw, And the definition of, of eavesdropping security for symmetric ciphers. If you remember, when we talked about eavesdropping security for symmetric ciphers, we distinguished between the case where the key is used once, and the case where the key is used multiple times. And, in fact we saw that, there's a clear separation. For example, the onetime pad. Is secure if the key is used to encrypt a single message, but is completely insecure if the key is used to encrypt multiple messages. And in fact we had two different definitions if you remember we had a definition for one-time security, and then we had a separate definition, which was stronger, when the key was used multiple times. The definition that I showed you on the previous slide's very similar to the definition of one time security for symmetric ciphers. And in fact, it turns out that for public key encryption, if a system is secure under a onetime key, in a sense, it's also secure for a many time key. So in other words, we don't have to explicitly give the attacker the ability to, request encryptions of messages of his choice. Because he could just create those encryptions all by himself. He is given the public key, and therefore he can by himself encrypt any message he likes. As a result any public key secret pair in some sense inherently is used to encrypt multiple messages because the attacker could have just encrypted many, many messages of his choice using the given public key that we just gave him in the first step. And so, as a result in fact, the definition of one time security is enough to imply many time security and that's why we refer to the concept as indistinguishability under a chosen plain text attach. So this is just a minor point to explain why the settings of public encryption, we don't need a more complicated definition to capture eavesdropping security. Now that we understand eavesdropping security, let's look at more powerful adversaries that can actually mount active attacks. So, in particular, let's look at the email example. So here, we have our friend Bob who wants to send mail to his friend Caroline. And Caroline happens to have, an account at Gmail. And the way this works is basically, the email is sent to the Gmail server, encrypted. The Gmail server decrypts the email, looks at the, intended recipients. And then, if it's, the intended recipient is Caroline, it forwards the email to Caroline. If the intended recipient is the attacker, it forwards the email to the attacker. This is similar to how Gmail actually works because the sender would send the email encrypted over SSL to the Gmail server. The Gmail server would terminate the SSL and then forward the email to the appropriate recipients. Now suppose Bob encrypts the email using a system that allows the adversary to tamper with the ciphertext without being detected. For example, imagine this email is encrypted using Counter Mode, or something like that. Then when the attacker intercepts this email, he can change the recipient, so that now the recipient says attacker@gmail.com, and we know that for Counter Mode, for example, this is quite easy to do. The attacker knows that the email is intended for Caroline, he is just interested in the email body. So he can easily change the email recipient to attacker@gmail.com and now when the server receives the email, he will decrypt it, see that the recipient is supposed to be attacker, and forward the body to the attacker. And now the attacker was able to read the body of the email that was intended for Caroline. So this is a classic example of an active attack, and you notice what the attacker could do here, is it could decrypt any ciphertext where the intended recipient is to: attacker. So any ciphertext where the plain text begins with the words "to: attacker". So our goal is to design public key systems that are secure, even if the attacker can tamper with ciphertext and possibly decrypt certain cyphertexts. And again, I want to emphasize that here the attacker's goal was to get the message body. The attacker already knew that the email is intended for Caroline. And all he had to do was just change the, intended recipient. So this tampering attack motivates the definition of chosen ciphertext security. And in fact this is the standard notion of security for public key encryption. So let me explain how the attack [here procedes] and as I said our goal is to build systems that are secure under this very, very conservative notion of encryption. So we have an encryption scheme (G, E, D). And let's say that's defined over a message space and a ciphertext (M, C) and as usual we're gonna define two experiments, experiment zero, and experiment one. So 'b' here says whether the challenger is implementing experiment zero or experiment one. The challenger begins by generating a public key and a secret key, and then gives the public key to the adversary. Now the adversary can say, "Well, here are a bunch of ciphertexts, please decrypt them for me." So here the adversary submits ciphertext C1 and he gets the decryption of ciphertext C1, namely M1. And he gets to do this again and again, so he submits ciphertext C2, and he gets the decryption, which is M2, ciphertext C3, and he gets the decryption M3, and so on and so forth. Finally, the adversary says, "This squaring phase is over," and now he submits basically two equal length messages, M0 and M1 as normal, and he receives in response the challenge ciphertext C, Which is the encryption of M zero or the encryption of M one. Depending on whether we're in experiment zero or experiment one. Now, the adversary can continue to issue these ciphertext queries. So he can continue to issue, decryption requests. So he submits a ciphertext, and he gets a decryption of that ciphertext, but of course, now, there has to be a caveat. If the attacker could submit arbitrary ciphertext of his choice, of course, he could break the challenge. What he would do is he would submit the challenge ciphertext C as a decryption query. And then he would be told whether in the challenge phase he was given the encryption of M0 or the encryption of M1. As a result we put this limitation here, that says that he can in fact submit any ciphertext of his choice except. For the challenge ciphertext. So the attacker could ask for the decryption of any ciphertext of his choice other than the challenge ciphertext. And even though he was given all these decryptions, he still shouldn't be able to tell whether he was given the encryption of M0 or the encryption of M1. So you notice this is a very conservative definition. It gives the attacker more power than what we saw in the previous slide. On the previous slide, the attacker could only decrypt messages where the plain text began with the words "to: attacker". Here, we're saying the attacker can decrypt any ciphertext of his choice, as long as it's different from the challenge ciphertext C. Okay? And then his goal is to say whether the challenge ciphertext is the encryption of M0 or the encryption of M1. And as usual, if he can't do that, in other words, his behavior in experiment zero is basically the same as his behavior in experiment one, so he wasn't able to distinguish the encryption of M0 from the encryption of M1, even though he had all this power Then we say that the system is chosen ciphertext secure, CCA secure. And sometimes there is an acronym, the acronym for this is indistinguishability under a chosen ciphertext attack, but I'm just gonna say CCA secured. So let's see how this captures, the email example we saw before. So suppose the encryption system being used is such that just given the encryption of a message the attacker can change the intended recipient from to Alice say to, to Charlie. Then here's how we would win the CCA game. Well in the first step he's given the public key of course. And then what the attacker will do is he would issue two equal length messages, namely in the first message, the body is zero. In the second message the body is one. But both messages are intended for Alice. And in response, he would be given the challenge ciphertext C. Okay, so now here we have our challenge ciphertext C. Now what the attacker is gonna do is he's gonna use his, his ability here to modify the intended recipient. And he's gonna send back a ciphertext C', where C' is the encryption of the message to Charlie with body being the challenge body b. So if you remember is either zero or one. Now, because the plain text is different, we know that the ciphertext must also be different. So in particular, C prime must be different from the challenge ciphertext C, yeah? So the C prime here must be different from C. And as a result, the poor challenger now has to decrypt by definition of the CCA game. The challenger must decrypt any ciphertext that's not equal to a challenge ciphertext. So the challenger decrypts give the adversary M prime. Basically he gave the adversary B, and now the adversary can output the challenge B and he wins the game with advantage one. So he's advantage with this particular scheme is one. So, simply because the attacker was able to change the challenge ciphertext from one recipient to another that allows him to, to win the CCA game with advantage one. So as I said, chosen ciphertext security turns out actually is the correct notion of security for public key encryption systems. And it's a very, very interesting concept, right? Basically, somehow even though the attacker has this ability to decrypt anything he wants. Other than the challenge ciphertext, still he can't learn what the challenge ciphertext is. And so the goal for the remainder of this module and actually the next module as well, is to construct CCA secure systems. It's actually quite remarkable that this is achievable and I'm going to show you exactly how to do it. And in fact those CCA secure systems that we build are the ones that are used in the real world. And every time a system has tried to deploy a public key encryption mechanism that's not CCA secure someone has come up with an attack and was able to break it. And we're going to see some of these example attacks actually in the next few segments.