
  • 1. Notions of Public-Key Encryptions Xuhua Ding xhding@ics.uci.edu
  • 2. Outline • Introduction • Preliminaries • Notions For Security • Some Well-known Examples • Encryption in Multi-User Setting
  • 3. Introduction • Goals of public-key encryption: – to provide privacy or confidentiality – not data-origin authentication or data integrity (those need signatures or MACs) • Classical objective of attacks: – systematically recover plaintext from ciphertext • Question: is plaintext recovery an adequate model of realistic attacks? (The stronger notions below say no.)
  • 4. Preliminaries • Provable security: – the security of scheme A is reduced to problem B if, given an efficient algorithm that breaks A, one can efficiently solve B; A is then secure as long as B is intractable • Some well-known intractable problems (primitives): – factorization – discrete log – RSA problem – strong RSA problem – square root (modulo a composite) – computational Diffie-Hellman problem (CDH) – decisional Diffie-Hellman problem (DDH)
  • 5. Random Oracle • What is the random oracle? – a public "black box" which, on input string x, returns a random string R(x) of the appropriate length, answering repeated queries consistently • What does "secure in the RO model" mean? – proven security against generic attacks (those that treat the hash function as a black box) – heuristically, no non-generic attack against "natural" schemes • Limitation: the proof becomes heuristic once the oracle is instantiated with a real hash function – breaking the scheme ≠ breaking the underlying intractability assumption – breaking the scheme ≠ finding a weakness in the hash function
  • 6. Attacker's Algorithm • Two stages (A1, A2): – Stage I: given pk (and whatever oracle access the attack model allows), A1 chooses and outputs the test instance, plus state information passed on to A2 – Stage II: given the challenge ciphertext and that state, A2 outputs its answer • What each stage outputs, and what it means to pass the challenge, depend on the adversarial goal • Both A1 and A2 are probabilistic polynomial-time algorithms
  • 7. Attack Models • CPA: chosen-plaintext attack (the adversary has pk, so it can encrypt anything itself) • Plaintext-checking attack (an oracle says whether a given pair (m, c) matches) • Validity-checking attack (an oracle says whether c is a valid ciphertext) • CCA-1: non-adaptive chosen-ciphertext attack ("lunchtime attack": decryption oracle only before the challenge is seen) • CCA-2: adaptive chosen-ciphertext attack (decryption oracle before and after the challenge, on anything except the challenge itself) • Diagram: CPA ⊂ CCA-1 ⊂ CCA-2, each model giving the adversary strictly more power than the previous one
  • 8. Notions of Security • Plaintext recovery • Semantic Security • Indistinguishability (by Goldwasser and Micali) • Non-malleability (by Dolev, Dwork, and Naor) • Plaintext Awareness (by Bellare and Rogaway)
  • 9. Indistinguishability • Game (PKE with keys (pk, sk)): the adversary, given pk, outputs two equal-length messages m0, m1; the challenger picks b ∈R {0,1} and returns the challenge C = E_pk(m_b); the adversary outputs a guess for b • The adversary wins if it guesses b correctly with probability significantly greater than 1/2 (so not even one bit about the plaintext may leak, which forces the encryption to be randomized)
  • 10. Non-malleability • Game: the adversary outputs a sampling algorithm M for the message space; the challenger picks x ∈R M and returns the challenge y = E_pk(x); the adversary outputs a relation R and a vector of ciphertexts y⃗ with y ∉ y⃗ • The adversary succeeds if R(x, x⃗) holds, where x⃗ = D_sk(y⃗), with probability non-negligibly higher than R(x', x⃗) for an independent x' ∈R M (i.e. seeing y must not help in producing ciphertexts of related plaintexts) • NOTE: M is valid if |x| = |x'| for any x, x' given non-zero probability by M
  • 11. Plaintext Awareness in the Random Oracle Model • Setting: Eve, given pk, may query the random oracle H and the encryption oracle E^H_pk (obtaining ciphertexts {y_i}), and finally outputs a ciphertext y • A knowledge extractor K is given pk, the list of Eve's H queries and answers, the ciphertexts {y_i}, and y, and must output x with x = D^H_sk(y) • Intuition: nobody can produce a valid ciphertext without "knowing" its plaintext, so a decryption oracle gives the adversary nothing it did not already have
  • 12. Six Notions of Security • Goals {IND, NM} × Attacks {CPA, CCA1, CCA2} yield: IND-CPA, IND-CCA1, IND-CCA2, NM-CPA, NM-CCA1, NM-CCA2
  • 13. Relations (diagram of Bellare, Desai, Pointcheval and Rogaway, 1998) • Arrow A → B: proven that meeting notion A implies meeting B • Crossed arrow A ↛ B: proven that meeting notion A does not imply meeting B • NOTE: A implies B iff there is a path from A to B • Proven implications: NM-CCA2 ⇔ IND-CCA2; NM-CCA2 ⇒ NM-CCA1 ⇒ NM-CPA; IND-CCA2 ⇒ IND-CCA1 ⇒ IND-CPA; NM-ATK ⇒ IND-ATK for each attack ATK; PA (defined in the random oracle model, taken together with IND-CPA) ⇒ IND-CCA2 • Proven separations include: IND-CCA1 ↛ NM-CPA, NM-CPA ↛ IND-CCA1, NM-CCA1 ↛ NM-CCA2
  • 14. Exemplary Schemes I • RSA-OAEP is IND-CCA2 in the RO model under the RSA assumption (plain RSA is not: it is deterministic and multiplicatively malleable) • Encryption: m ∈ {0,1}^n, r ←R {0,1}^k0, compute s = (m || 0^k1) ⊕ G(r), t = r ⊕ H(s), c = RSA-EN(s || t) • Decryption: (s, t) = RSA-DE(c), r = t ⊕ H(s), M = s ⊕ G(r); accept m only if M ends in 0^k1, otherwise reject without revealing which check failed • RSA can be replaced by another trapdoor permutation, with a caveat: the IND-CCA2 proof for a generic trapdoor permutation has a gap (Shoup, 2001); for RSA it goes through because RSA is partial-domain one-way (Fujisaki, Okamoto, Pointcheval and Stern, 2001)
  • 15. RSA-OAEP: PKCS#1 v2.1 OAEP encoding (figure) • DB = lHash || PS || 0x01 || M, where lHash is the hash of the (usually empty) label and PS is zero padding • seed ←R {0,1}^hLen; maskedDB = DB ⊕ MGF(seed); maskedSeed = seed ⊕ MGF(maskedDB) • EM = 0x00 || maskedSeed || maskedDB, which is then fed to the RSA primitive
  • 16. ElGamal Encryption • Key: private x, public y = g^x mod p, where g generates a subgroup of prime order q • Encrypt m: k a random integer in [1, q), γ = g^k, δ = m·y^k, c = (γ, δ) • Decrypt c: m = γ^{-x}·δ • Semantic security (IND-CPA) ≡ the decisional Diffie-Hellman assumption in that group (messages must be encoded as group elements) • Secure against chosen-plaintext attack • Insecure against adaptive chosen-ciphertext attack: (γ, t·δ) decrypts to t·m, so one decryption query on a modified ciphertext recovers m
  • 17. Exemplary Schemes III • Cramer-Shoup encryption: IND-CCA2 in the standard model • Key generation (G a group of prime order q with generators g1, g2): – private: x1, x2, y1, y2, z ∈R Z_q – public: c = g1^{x1} g2^{x2}, d = g1^{y1} g2^{y2}, h = g1^z • Encryption: r ∈R Z_q, u1 = g1^r, u2 = g2^r, e = h^r·m, w = H(u1, u2, e), v = c^r d^{rw}; output (u1, u2, e, v) • Decryption: – compute w = H(u1, u2, e) and check u1^{x1 + w·y1} · u2^{x2 + w·y2} = v, rejecting the ciphertext otherwise – m = e / u1^z • Assumptions: DDH and a universal one-way family of hash functions
  • 18. Håstad's Attack on RSA • Three recipients with public keys (N1, 3), (N2, 3), (N3, 3); the sender encrypts the same m for all of them: y1 = m^3 mod N1, y2 = m^3 mod N2, y3 = m^3 mod N3 • The eavesdropper: "I can compute m^3 mod N1·N2·N3 by the Chinese remainder theorem; but m < N_i for every i, so m^3 < N1·N2·N3, the CRT value is m^3 over the integers, and an integer cube root gives me m" • Lesson: deterministic, unpadded RSA fails even the plaintext-recovery goal once a message is repeated; randomized padding (e.g. OAEP) prevents the attack
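As an added example (not code from the slides or from any library), the OAEP encoding of slide 15 and the games it is meant to win: a PKCS#1 v2.1 EME-OAEP encoder and decoder with SHA-256 and MGF1 over an RSA key, the IND game of slide 9 played against textbook RSA and against RSA-OAEP, and a CCA2-style tampering probe of the kind slide 14 says plain RSA fails. The key is constructed from the Mersenne primes 2^521-1 and 2^607-1 so that the block needs no prime generation; such a modulus is trivially factorable and stands in for a real key only to exercise the padding and the games. The `seed` parameter of `oaep_encode` exists only to make a test reproducible.

```python
"""RSA-OAEP (PKCS#1 v2.1 EME-OAEP, SHA-256/MGF1) with the IND game and a CCA2 probe.

Added example, not code from the slides. The RSA modulus below is built from two
Mersenne primes so no prime generation is needed; anyone can factor it, so it
stands in for a real key only to exercise the padding and the security games.
"""
import hashlib
import os
import random

HASH = hashlib.sha256
H_LEN = HASH().digest_size                       # 32 bytes

def i2osp(x, length):
    return x.to_bytes(length, "big")

def os2ip(b):
    return int.from_bytes(b, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mgf1(seed, mask_len):
    """MGF1: HASH(seed || counter) for counter = 0, 1, ..., truncated to mask_len bytes."""
    blocks = (mask_len + H_LEN - 1) // H_LEN
    return b"".join(HASH(seed + i2osp(i, 4)).digest() for i in range(blocks))[:mask_len]

def oaep_encode(m, k, label=b"", seed=None):
    """EME-OAEP: EM = 0x00 || maskedSeed || maskedDB with DB = lHash || PS || 0x01 || M."""
    if len(m) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    db = HASH(label).digest() + b"\x00" * (k - len(m) - 2 * H_LEN - 2) + b"\x01" + m
    seed = os.urandom(H_LEN) if seed is None else seed
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b""):
    """Strip the masks, then check every format condition; one error for all failures."""
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    rest = db[H_LEN:]
    sep = rest.find(b"\x01")
    ok = em[0] == 0 and db[:H_LEN] == HASH(label).digest() and sep >= 0 and not any(rest[:sep])
    if not ok:
        raise ValueError("decryption error")     # never say which check failed (Manger 2001)
    return rest[sep + 1:]

# Constructed toy key: p = 2^521 - 1 and q = 2^607 - 1 are Mersenne primes, so no prime
# generation is needed. Anyone can factor this modulus; it is NOT a usable key.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                   # 141-byte modulus

def rsa_oaep_encrypt(m, label=b""):
    return i2osp(pow(os2ip(oaep_encode(m, K, label)), E, N), K)

def rsa_oaep_decrypt(c, label=b""):
    if len(c) != K:
        raise ValueError("decryption error")
    return oaep_decode(i2osp(pow(os2ip(c), D, N), K), K, label)

def textbook_rsa_encrypt(m):
    """Deterministic, unpadded RSA: the "RSA is NOT" of slide 14."""
    return i2osp(pow(os2ip(m), E, N), K)

def ind_cpa_success(encrypt, m0, m1, trials, rng):
    """IND game of slide 9 against a distinguisher that re-encrypts m0 and compares."""
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        challenge = encrypt((m0, m1)[b])
        guess = 0 if encrypt(m0) == challenge else 1
        wins += guess == b
    return wins / trials

def ind_demo(trials=64, seed=2024):
    """Returns (success rate against textbook RSA, success rate against RSA-OAEP)."""
    rng = random.Random(seed)
    return (ind_cpa_success(textbook_rsa_encrypt, b"yes", b"no", trials, rng),
            ind_cpa_success(rsa_oaep_encrypt, b"yes", b"no", trials, rng))

def tamper_rejected(c):
    """CCA2 probe: c * 2^e mod N decrypts to 2*EM under plain RSA; OAEP must reject it."""
    forged = i2osp(os2ip(c) * pow(2, E, N) % N, K)
    try:
        rsa_oaep_decrypt(forged)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    c = rsa_oaep_encrypt(b"attack at dawn")
    print(rsa_oaep_decrypt(c), tamper_rejected(c))
    print(ind_demo())                            # textbook RSA: 1.0; RSA-OAEP: close to 1/2
```

The re-encrypting distinguisher wins every time against textbook RSA because the same message always produces the same ciphertext; against OAEP the fresh seed makes re-encryption useless and the adversary is reduced to guessing. The single "decryption error" in `oaep_decode` matters: reporting which check failed turns the decoder into the oracle that Manger's attack exploits.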
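As an added example (not code from the slides), ElGamal from slide 16 and Cramer-Shoup from slide 17 side by side in the order-q subgroup of Z_p^* for a safe prime p = 2q + 1 found at run time: the multiplicative tampering that lets a CCA2 adversary recover an ElGamal plaintext with one decryption query on a related ciphertext is caught by the Cramer-Shoup validity check. The 256-bit group, SHA-256 reduced mod q in place of the universal one-way hash family, and the encoding of the message as a subgroup element are assumptions made for the demonstration; the group is far too small for real use.

```python
"""ElGamal next to Cramer-Shoup in the order-q subgroup of Z_p^*, p = 2q + 1.
Added example, not code from the slides; the 256-bit group, SHA-256 mod q in place
of the universal one-way hash family, and messages encoded as subgroup elements
are assumptions for the demonstration (the group is far too small for real use)."""
import hashlib
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin after a trial-division prefilter."""
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    r = ((n - 1) & (1 - n)).bit_length() - 1        # trailing zero bits of n - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits, rng):
    """Return (p, q, g): p = 2q + 1 prime, g a generator of the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            p = 2 * q + 1
            return p, q, pow(rng.randrange(2, p - 1), 2, p)   # a square has order q

def elgamal_keygen(G, rng):
    p, q, g = G
    x = rng.randrange(1, q)
    return x, pow(g, x, p)                          # private x, public y = g^x

def elgamal_encrypt(G, y, m, rng):
    p, q, g = G
    k = rng.randrange(1, q)
    return pow(g, k, p), m * pow(y, k, p) % p       # (gamma, delta) = (g^k, m y^k)

def elgamal_decrypt(G, x, c):
    gamma, delta = c
    return delta * pow(gamma, -x, G[0]) % G[0]      # m = gamma^{-x} delta

def cs_keygen(G, rng):
    p, q, g1 = G
    g2 = pow(g1, rng.randrange(2, q), p)            # second generator; exponent discarded
    x1, x2, y1, y2, z = (rng.randrange(1, q) for _ in range(5))
    c = pow(g1, x1, p) * pow(g2, x2, p) % p
    d = pow(g1, y1, p) * pow(g2, y2, p) % p         # d uses y1, y2
    return (x1, x2, y1, y2, z), (g2, c, d, pow(g1, z, p))

def cs_hash(G, *vals):
    """H(u1, u2, e) as an exponent in Z_q (SHA-256 stands in for the UOWHF)."""
    p, q, _ = G
    size = (p.bit_length() + 7) // 8
    digest = hashlib.sha256(b"".join(v.to_bytes(size, "big") for v in vals)).digest()
    return int.from_bytes(digest, "big") % q

def cs_encrypt(G, pk, m, rng):
    p, q, g1 = G
    g2, c, d, h = pk
    r = rng.randrange(1, q)
    u1, u2, e = pow(g1, r, p), pow(g2, r, p), pow(h, r, p) * m % p
    w = cs_hash(G, u1, u2, e)
    return u1, u2, e, pow(c, r, p) * pow(d, r * w % q, p) % p     # v = c^r d^{rw}

def cs_decrypt(G, sk, ct):
    p, q, _ = G
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    w = cs_hash(G, u1, u2, e)
    if pow(u1, (x1 + w * y1) % q, p) * pow(u2, (x2 + w * y2) % q, p) % p != v:
        raise ValueError("invalid ciphertext")      # the check a CCA2 forgery fails
    return e * pow(u1, -z, p) % p

def demo(bits=256, seed=1):
    """Returns (ElGamal plaintext recovered through the oracle, Cramer-Shoup rejects it)."""
    rng = random.Random(seed)
    G = safe_prime_group(bits, rng)
    p, q, g = G
    m = pow(g, rng.randrange(1, q), p)              # message encoded as a subgroup element
    x, y = elgamal_keygen(G, rng)
    gamma, delta = elgamal_encrypt(G, y, m, rng)
    # A CCA2 oracle refuses (gamma, delta) itself but answers the related ciphertext.
    elgamal_broken = elgamal_decrypt(G, x, (gamma, delta * g % p)) * pow(g, -1, p) % p == m
    sk, pk = cs_keygen(G, rng)
    u1, u2, e, v = cs_encrypt(G, pk, m, rng)
    try:                                            # same tampering on e; v no longer verifies
        cs_decrypt(G, sk, (u1, u2, e * g % p, v))
        return elgamal_broken, False
    except ValueError:
        return elgamal_broken, cs_decrypt(G, sk, (u1, u2, e, v)) == m

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, True)`: the ElGamal oracle hands back m·g for the modified ciphertext and the adversary divides by g, while the same modification of e in a Cramer-Shoup ciphertext leaves v inconsistent with (u1, u2, e) and decryption rejects before any plaintext is computed.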
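As an added example (not code from the slides), Håstad's broadcast attack of slide 18 carried out end to end: three recipients with e = 3, the same message encrypted to each, and an eavesdropper who combines the ciphertexts with the Chinese remainder theorem and takes an integer cube root. The three moduli are constructed from well-known primes congruent to 2 mod 3 (so e = 3 is a valid exponent); they are far too small for real use, but the attack does not depend on their size, only on an unpadded message going to three recipients.

```python
"""Håstad's broadcast attack on RSA with e = 3 (slide 18).

Added example, not code from the slides. The moduli are constructed from well-known
primes that are 2 mod 3, so e = 3 is a valid exponent; they are toy-sized, but the
attack only needs the same unpadded m sent to three recipients with e = 3.
"""
from functools import reduce
from operator import mul

E = 3
PRIME_PAIRS = [(1000000007, 998244353), (4294967291, 65537), (2038074743, 104729)]
MODULI = [p * q for p, q in PRIME_PAIRS]          # N1, N2, N3, pairwise coprime

def private_exponent(p, q):
    """d = e^-1 mod phi(N); raises if e = 3 is not invertible (it is for these primes)."""
    return pow(E, -1, (p - 1) * (q - 1))

def crt(residues, moduli):
    """x with x = residues[i] mod moduli[i] for pairwise coprime moduli; returns (x, prod)."""
    big_n = reduce(mul, moduli)
    x = sum(r * (big_n // n) * pow(big_n // n, -1, n) for r, n in zip(residues, moduli))
    return x % big_n, big_n

def iroot(x, k):
    """floor(x ** (1/k)) by integer Newton iteration, exact for integers of any size."""
    if x < 2:
        return x
    n = 1 << ((x.bit_length() + k - 1) // k)       # an over-estimate of the root
    while True:
        m = ((k - 1) * n + x // n ** (k - 1)) // k
        if m >= n:
            return n
        n = m

def broadcast(m):
    """The sender: the same m, unpadded, to all three recipients."""
    if m >= min(MODULI):
        raise ValueError("m must be smaller than every modulus")
    return [pow(m, E, n) for n in MODULI]

def hastad_attack(ciphertexts, moduli):
    """The eavesdropper: CRT gives m^3 over the integers because m^3 < N1*N2*N3,
    so an integer cube root recovers m without any private key."""
    x, _ = crt(ciphertexts, moduli)
    m = iroot(x, E)
    if m ** E != x:
        raise ValueError("CRT value is not a perfect cube; was the message padded randomly?")
    return m

if __name__ == "__main__":
    m = int.from_bytes(b"secret", "big")
    print(hastad_attack(broadcast(m), MODULI).to_bytes(6, "big"))   # b'secret'
```

The check `m ** E != x` is where randomized padding defeats the attack: with OAEP the three recipients receive three different encodings of m, the CRT combination is no longer a cube of anything, and the eavesdropper learns nothing.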
  • 19. IND in Multi-user Setting • n users with independent key pairs (pk_i, sk_i); the same b ∈R {0,1} is chosen for all of them • The adversary, given all the pk_i, may query any of the n encryption oracles with any pair (m0, m1) of equal-length messages and receives the challenge C = E_{pk_i}(m_b); it may make as many queries as it likes, to any user • The adversary wins if it guesses b correctly with probability significantly greater than 1/2
  • 20. General Reduction • An encryption scheme that is semantically secure in the single-user setting is also semantically secure in the multi-user setting. • The reduction is polynomial: Adv_{n,q_e}(t) ≤ q_e·n·Adv_{1,1}(t'), with t' = t + O(log(q_e·n)), where n is the number of users, q_e the number of encryption queries allowed per user, and t, t' the running times.
  • 21. Immediate Impact on Practice • Generally, security degrades linearly as new users join and as the users encrypt more data (the factor q_e·n above). • Some schemes do better, thanks to the random self-reducibility of DDH: for ElGamal the multi-user bound is 2·Adv_ddh, with no factor of q_e·n • For Cramer-Shoup, the bound is 2·(Adv_ddh + Adv_H)