Notions For Public Key Encryptions



  1. Notions of Public-Key Encryptions, by Xuhua Ding
  2. Outline
     • Introduction
     • Preliminaries
     • Notions for Security
     • Some Well-known Examples
     • Encryption in the Multi-User Setting
  3. Introduction
     • Goals of public-key encryption:
       – to provide privacy or confidentiality
       – no data origin authentication or data integrity
     • Primary objective of attacks:
       – systematically recover plaintext from ciphertext
     Question: Is this adequate to model realistic attacks?
  4. Preliminaries
     • Provable security:
       – The security of scheme A is reduced to scheme B iff, given an efficient algorithm to break B, one can efficiently break A.
     • Some well-known intractable problems (primitives):
       – Factorization
       – Discrete log
       – RSA problem
       – Strong RSA problem
       – Square root
       – Computational Diffie-Hellman problem
       – Decision Diffie-Hellman problem
  5. Random Oracle
     • What is the random oracle?
       – A public “black box” which, on input string x, returns a random string R(x) of some appropriate length
     • What does “secure in the RO model” mean?
       – proven security against generic attacks
       – heuristically, no non-generic attack against “natural” schemes
     • Limitations: heuristic proof of security
       – breaking the scheme ≠ breaking the underlying intractability assumption
       – breaking the scheme ≠ finding a weakness in the hash function
  6. Attacker’s Algorithm
     • Two stages (A1, A2):
       – Stage I: given pk, seeks and outputs a test instance (may pass state information to A2)
       – Stage II: given a challenge ciphertext
       The purpose of each stage, and the meaning of passing the challenge, depend on the adversarial goal.
     • Both A1 and A2 are probabilistic polynomial-time algorithms
  7. Attack Models II
     • CPA: Chosen Plaintext Attack
     • Plaintext Checking Attack
     • Validity Checking Attack
     • CCA-1: Non-adaptive Chosen Ciphertext Attack (lunch-time attack)
     • CCA-2: Adaptive Chosen Ciphertext Attack
     (figure: CPA, CCA-1, CCA-2)
  8. Notions of Security
     • Plaintext recovery
     • Semantic security
     • Indistinguishability (by Goldwasser and Micali)
     • Non-malleability (by Dolev, Dwork, and Naor)
     • Plaintext awareness (by Bellare and Rogaway)
  9. Indistinguishability (figure: game between the adversary and PKE(pk, sk))
     • The adversary chooses m0, m1
     • The challenger picks b ∈R {0,1} and returns the challenge C = E(mb)
     • The adversary guesses b
     The adversary wins if he guesses b correctly with probability significantly greater than 1/2
  10. Non-malleability (figure)
     • The adversary samples a message space M
     • Challenge: y = E_pk(x), x ∈R M
     • The adversary outputs a relation R and a vector of ciphertexts ȳ
     • Succeeds if R(x, x̄), where x̄ = D_sk(ȳ) and y ∉ ȳ, holds with higher probability than R(x′, x̄) for a random x′ from M
     NOTE: M is valid if |x| = |x′| for any x, x′ that are given non-zero probability in M
  11. Plaintext Awareness in the Random Oracle Model (figure)
     • Eve queries the random oracle H and the encryption oracle E^H_pk, receives ciphertexts {yi}, and outputs a ciphertext y
     • The plaintext extractor K is given Eve’s H queries/answers, {yi}, y and pk, and outputs x
     • Question: does x = D^H_sk(y)?
  12. Six Notions of Security (goals × attacks)
     Goals \ Attacks   CPA       CCA1       CCA2
     IND               IND-CPA   IND-CCA1   IND-CCA2
     NM                NM-CPA    NM-CCA1    NM-CCA2
  13. Relations (figure with nodes NM-CPA, NM-CCA1, NM-CCA2, PA, IND-CPA, IND-CCA1, IND-CCA2)
     A → B: proven that meeting notion A implies meeting B
     A ↛ B: proven that meeting notion A does not imply meeting B
     NOTE: A implies B iff there is a path from A to B
  14. Exemplary Schemes I
     • RSA-OAEP is IND-CCA2 in the RO model (plain RSA is NOT) under the RSA assumption
     • Encryption: m ∈ {0,1}^n, r ←R {0,1}^k0; compute s = (m || 0^k1) ⊕ G(r), t = r ⊕ H(s), c = RSA-EN(s || t)
     • Decryption: (s, t) = RSA-DE(c), r = t ⊕ H(s), M = s ⊕ G(r); check the format of M
     • RSA can be replaced by any trapdoor permutation
  15. RSA-OAEP: PKCS#1 v2.1 OAEP encoding (figure)
     • maskedDB = DB ⊕ MGF(Seed)
     • maskedSeed = Seed ⊕ MGF(maskedDB)
     • EM = 00 || maskedSeed || maskedDB
  16. El Gamal Encryption
     • Keys: private x, public y = g^x mod p
     • Encrypt m: γ = g^k, δ = m·y^k, c = (γ, δ), where k is a random integer
     • Decrypt c: m = γ^{-x}·δ
     • Semantic security ≡ Decision Diffie-Hellman
     • Secure against chosen-plaintext attack
     • Insecure against adaptive chosen-ciphertext attack
  17. Exemplary Schemes III
     • Cramer-Shoup Encryption: IND-CCA2
     • Key generation:
       – private: x1, x2, y1, y2, z, for a group G with prime order q and generators g1, g2
       – public: c = g1^x1 · g2^x2, d = g1^y1 · g2^y2, h = g1^z
     • Encryption: u1 = g1^r, u2 = g2^r, e = h^r · m, w = H(u1, u2, e), v = c^r · d^{rw}; output (u1, u2, e, v)
     • Decryption:
       – check whether u1^{x1 + w·y1} · u2^{x2 + w·y2} = v
       – m = e / u1^z
     • Assumptions: DDH and a universal one-way family of hash functions
  18. Håstad Attack on RSA (figure)
     • Three recipients hold public keys (N1, 3), (N2, 3), (N3, 3)
     • The sender transmits y1 = m^3 mod N1, y2 = m^3 mod N2, y3 = m^3 mod N3
     • Eavesdropper: “I can compute m^3 mod N1·N2·N3, but m^3 < N1·N2·N3, so….”
  19. IND in the Multi-User Setting (figure: the game of slide 9 against several instances of PKE(pk, sk))
     • The adversary chooses any m0, m1
     • The same b ∈R {0,1} is used for all challenges; challenge C = E(mb)
     • Oracle queries are allowed
     • The adversary guesses b; he wins if he guesses b correctly with probability significantly greater than 1/2
  20. General Reduction
     • An encryption scheme is semantically secure in the multi-user setting if it is in the single-user setting.
     • The reduction is polynomial: Adv_1(t′, q_e) ≤ q_e · n · Adv_n(t), with t′ = t + O(log(q_e · n)), where q_e is the number of allowed encryption operations and t′, t are the running times.
  21. Immediate Impact on Practice
     • Generally, security degrades linearly as new users join and as users encrypt more data.
     • For ElGamal, the bound is 2·Adv_ddh
     • For Cramer-Shoup, the bound is 2·(Adv_ddh + Adv_H)
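The OAEP encoding of slides 14 and 15 (DB, seed, MGF, maskedSeed, maskedDB, EM), as an added Python example that is not from the slides: EME-OAEP with MGF1 as PKCS#1 v2.1 specifies them, assuming SHA-256 and an empty label, with the RSA permutation itself left out. The decoder folds every format check into one error, and the fresh seed means repeated encryptions of one message never produce the same EM, which removes the identical-input precondition of the broadcast picture on slide 18.

```python
import hashlib
import os


def mgf1(seed: bytes, length: int, hash_fn=hashlib.sha256) -> bytes:
    """MGF1 (PKCS#1 v2.1, B.2.1): Hash(seed || C) for C = 0, 1, ... truncated to length bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m: bytes, k: int, label: bytes = b"", hash_fn=hashlib.sha256) -> bytes:
    """EME-OAEP: returns EM = 0x00 || maskedSeed || maskedDB, k bytes long (k = RSA modulus size)."""
    h_len = hash_fn().digest_size
    if len(m) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hash_fn(label).digest()
    ps = b"\x00" * (k - len(m) - 2 * h_len - 2)
    db = l_hash + ps + b"\x01" + m                              # DB = lHash || PS || 0x01 || M
    seed = os.urandom(h_len)                                    # the random r of slide 14
    masked_db = xor(db, mgf1(seed, k - h_len - 1, hash_fn))     # s = DB ⊕ G(r)
    masked_seed = xor(seed, mgf1(masked_db, h_len, hash_fn))    # t = r ⊕ H(s)
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b"", hash_fn=hashlib.sha256) -> bytes:
    """Undo the encoding; all format checks collapse into one generic 'decryption error'."""
    h_len = hash_fn().digest_size
    if len(em) != k or k < 2 * h_len + 2:
        raise ValueError("decryption error")
    y, masked_seed, masked_db = em[0], em[1:1 + h_len], em[1 + h_len:]
    seed = xor(masked_seed, mgf1(masked_db, h_len, hash_fn))    # r = t ⊕ H(s)
    db = xor(masked_db, mgf1(seed, k - h_len - 1, hash_fn))     # M = s ⊕ G(r)
    sep = db.find(b"\x01", h_len)                               # the 0x01 that ends PS
    bad = y != 0
    bad |= db[:h_len] != hash_fn(label).digest()
    bad |= sep < 0 or any(db[h_len:sep])                        # PS must be all zero bytes
    if bad:
        raise ValueError("decryption error")
    return db[sep + 1:]
```

Apply the trapdoor permutation (RSA-EN on slide 14) to the returned EM to complete encryption; k is the modulus length in bytes, so k = 128 corresponds to a 1024-bit modulus.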