1. Notions of Public-Key Encryption
Xuhua Ding
xhding@ics.uci.edu
2. Outline
• Introduction
• Preliminaries
• Notions For Security
• Some Well-known Examples
• Encryption in Multi-User Setting
3. Introduction
• Goals of Public-key Encryption:
– to provide privacy or confidentiality
– no data origin authentication or data integrity
• Primary objective of attacks:
– systematically recover plaintext from ciphertext
Question: Is plaintext recovery an adequate model of realistic attacks?
4. Preliminaries
• Provable Security:
– The security of scheme A is reduced to scheme B iff, given an efficient algorithm to break B, one can efficiently break A.
• Some well-known intractable problems (primitives)
– Factorization
– Discrete log
– RSA problem
– Strong RSA problem
– Square root
– Computational Diffie-Hellman problem
– Decision Diffie-Hellman problem
5. Random Oracle
• What is the Random Oracle?
– A public “black box” which, on input string x, returns a random string R(x) of some appropriate length
• What is the meaning of “secure in the RO model”?
– proven security against generic attacks
– heuristically, no non-generic attack against “natural” schemes
• Limitations: heuristic proof of security
– breaking the scheme ≠ breaking the underlying intractability assumption
– breaking the scheme ≠ finding a weakness in the hash functions
6. Attacker’s Algorithm
• Two stages (A1, A2)
– Stage I: given pk, A1 seeks and outputs a test instance (and may pass state information to A2)
– Stage II: given a challenge ciphertext, A2 tries to pass the challenge
The purpose of each stage, and the meaning of passing the challenge, depend on the adversarial goal.
• Both A1 and A2 are probabilistic polynomial-time algorithms
8. Notions of Security
• Plaintext recovery
• Semantic Security
• Indistinguishability (by Goldwasser and Micali)
• Non-malleability (by Dolev, Dwork, and Naor)
• Plaintext Awareness (by Bellare and Rogaway)
9. Indistinguishability
[Figure: the IND game between the adversary and PKE(pk, sk)]
– Adversary outputs two messages m0, m1
– Challenger picks b ∈R {0,1} and returns the challenge C = E(mb)
– Adversary outputs a guess for b
The adversary wins if he guesses b correctly with a probability significantly greater than 1/2.
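Added example (not from the slides): a small Python harness that plays the IND game above against a constructed toy textbook-RSA key (N = 1013·1019, e = 3, an assumption chosen only for illustration; the key is far too small for any real use). Two adversaries are run: one that ignores the challenge and guesses, winning about half the time, and one that re-encrypts m0 under pk and compares it with the challenge, winning every time because textbook RSA is deterministic. This is the point behind the question on the Introduction slide: an attacker may be unable to recover plaintexts and still distinguish them.

```python
import secrets

# Constructed toy textbook-RSA public key (tiny and insecure, for illustration only).
N = 1013 * 1019
E = 3
PK = (N, E)


def textbook_rsa_encrypt(pk, m):
    """Deterministic 'textbook' RSA: c = m^e mod N, with no randomness and no padding."""
    n, e = pk
    return pow(m, e, n)


def ind_game(encrypt, a1, a2, pk):
    """One run of the IND game from the slide.
    A1 gets pk and outputs two messages plus state; the challenger draws
    b in {0,1}, encrypts m_b and hands the challenge to A2, who guesses b.
    Returns True iff the guess is correct."""
    m0, m1, state = a1(pk)
    b = secrets.randbelow(2)
    challenge = encrypt(pk, (m0, m1)[b])
    return a2(pk, challenge, state) == b


def win_rate(encrypt, a1, a2, pk, trials=200):
    """Fraction of independent games the adversary (a1, a2) wins."""
    return sum(ind_game(encrypt, a1, a2, pk) for _ in range(trials)) / trials


# Adversary 1: ignores the challenge and guesses at random (the 1/2 baseline).
def blind_a1(pk):
    return 2, 3, None


def blind_a2(pk, challenge, state):
    return secrets.randbelow(2)


# Adversary 2: exploits determinism. E(m0) is computable from pk alone,
# so A2 re-encrypts m0 itself and compares with the challenge.
def reencrypt_a1(pk):
    return 2, 3, (2, 3)


def reencrypt_a2(pk, challenge, state):
    m0, _ = state
    return 0 if textbook_rsa_encrypt(pk, m0) == challenge else 1
```

Any deterministic public-key scheme loses this game in the same way, which is why every scheme meeting one of the IND notions must be randomized (OAEP adds the random seed r to RSA for exactly this reason).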
10. Non-malleability
[Figure: the NM game between the adversary and PKE(pk, sk)]
– Adversary outputs a sampling algorithm for the message space M
– Challenger picks x ∈R M and returns the challenge y = Epk(x)
– Adversary outputs a relation R and a vector of ciphertexts y⃗, with y ∉ y⃗
– Adversary succeeds if R(x, x⃗) holds, where x⃗ = Dsk(y⃗), with higher probability than R(x’, x⃗) holds for a random x’ from M
NOTE: M is valid if |x| = |x’| for any x, x’ that are given non-zero probability in M
11. Plaintext Awareness in the Random Oracle Model
[Figure: the adversary Eve has access to the random oracle H and to the encryption oracle EpkH. Eve sends H queries xi and receives answers yi, sees ciphertexts {yi} from the encryption oracle, and finally outputs a ciphertext y. The plaintext extractor K is given the H query/answer pairs, {yi}, y and pk, and outputs x; the question is whether x = DskH(y).]
12. Six Notions of Security
Goals × Attacks:
            CPA        CCA1        CCA2
  IND     IND-CPA    IND-CCA1    IND-CCA2
  NM      NM-CPA     NM-CCA1     NM-CCA2
13. Relations
[Figure: implication diagram among the notions]
  NM-CPA    NM-CCA1    NM-CCA2
                          PA
  IND-CPA   IND-CCA1   IND-CCA2
A → B: proven that meeting notion A implies meeting B
A ↛ B: proven that meeting notion A does not guarantee meeting B
NOTE: A implies B iff there is a path from A to B
14. Exemplary Schemes I
• RSA-OAEP is IND-CCA2 in the RO model (plain RSA is NOT) under the RSA assumption
• Encryption: m ∈ {0,1}^n, r ←R {0,1}^k0, compute s = (m || 0^k1) ⊕ G(r), t = r ⊕ H(s), c = RSA-EN(s || t)
• Decryption: (s, t) = RSA-DE(c), r = t ⊕ H(s), M = s ⊕ G(r). Check that M has the format m || 0^k1
• RSA can be replaced by any trapdoor permutation
15. RSA-OAEP: PKCS1 v2.1
[Figure: OAEP encoding. DB is masked with MGF(Seed), then Seed is masked with MGF(maskedDB); the encoded message is EM = 00 || maskedSeed || maskedDB]
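Added example (not from the slides): a Python implementation of the EME-OAEP encoding and decoding from the figure, written as in PKCS#1 v2.1 with SHA-256 and MGF1. The RSA permutation is left out, so `oaep_encode` returns the encoded block EM and `oaep_decode` takes it back; k is the modulus size in bytes. The names, the choice of SHA-256 and the 128-byte k are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
H_LEN = HASH().digest_size


def mgf1(seed, length):
    """MGF1 (PKCS#1): T = H(seed||0) || H(seed||1) || ..., truncated to `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message, k, label=b"", seed=None):
    """EME-OAEP encoding: returns the k-byte EM = 00 || maskedSeed || maskedDB.
    k is the RSA modulus size in bytes; applying RSA to EM is left to the caller."""
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = HASH(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + message                    # DB = lHash || PS || 01 || M
    seed = seed if seed is not None else secrets.token_bytes(H_LEN)
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))          # DB xor MGF(seed)
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))         # seed xor MGF(maskedDB)
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k, label=b""):
    """Inverse of oaep_encode. The format checks (leading 00, lHash, all-zero PS,
    01 separator) are folded into one result so that only a single generic
    'decoding error' is ever reported."""
    if len(em) != k or k < 2 * H_LEN + 2:
        raise ValueError("decoding error")
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    sep = db.find(b"\x01", H_LEN)                           # first 01 after lHash
    ok = (y == 0)
    ok &= hmac.compare_digest(db[:H_LEN], HASH(label).digest())
    ok &= (sep != -1) and db[H_LEN:sep] == b"\x00" * (sep - H_LEN)
    if not ok:
        raise ValueError("decoding error")
    return db[sep + 1:]


def roundtrip(message, k=128):
    return oaep_decode(oaep_encode(message, k), k)


def tampered_rejected(message, k=128):
    """Flip one byte of maskedDB: the seed mask changes, DB becomes garbage,
    and the lHash/PS checks fail, so the decoder returns an error."""
    em = bytearray(oaep_encode(message, k))
    em[-1] ^= 0x01
    try:
        oaep_decode(bytes(em), k)
    except ValueError:
        return True
    return False
```

The single generic error is deliberate: a decoder that reports which check failed (or takes measurably different time for each) leaks information about the decrypted block, and RSA-OAEP decoders are expected to hide it; a production implementation also performs the checks without the data-dependent branches used here for readability.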
16. El Gamal Encryption
• El Gamal Encryption
– private key x, public key y = g^x mod p
– encrypt m: γ = g^k, δ = m·y^k, c = (γ, δ), k is a random integer
– decrypt c: m = γ^{-x}·δ
• Semantic security ≡ Decision Diffie-Hellman
• Secure against chosen-plaintext attack
• Insecure against adaptive chosen-ciphertext attack
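Added example (not from the slides): a Python toy El Gamal over a constructed group (p = 1019 = 2·509 + 1, g = 4 generating the order-509 subgroup, all assumptions for illustration) that shows why the scheme fails the non-malleability and adaptive chosen-ciphertext notions above: multiplying δ by a constant yields a different valid ciphertext of a related plaintext, and a decryption oracle that refuses only the exact challenge will decrypt that related ciphertext.

```python
import secrets

# Constructed toy group: p = 2q + 1 with q prime, g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def keygen():
    """Private x, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, m):
    """(gamma, delta) = (g^k, m * y^k) with a fresh random k; 1 <= m < p in this toy."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (m * pow(y, k, P)) % P


def decrypt(x, c):
    """m = gamma^{-x} * delta; the inverse is taken via Fermat (gamma^{p-1} = 1)."""
    gamma, delta = c
    return (pow(gamma, P - 1 - x, P) * delta) % P


def maul(c, factor):
    """Multiply delta by `factor`: the result decrypts to factor * m although k and x are unknown."""
    gamma, delta = c
    return gamma, (delta * factor) % P


def malleability_holds(m=42, factor=7):
    """NM game sketch: the relation R(x, x') := x' == factor * x (mod p) holds with
    certainty for the mauled ciphertext, far above its probability for a random x'."""
    x, y = keygen()
    c = encrypt(y, m)
    c2 = maul(c, factor)
    return c2 != c and decrypt(x, c2) == (m * factor) % P


def cca2_recovers_plaintext(m=42, factor=7):
    """IND-CCA2 failure: the oracle rejects only the challenge itself, still
    answers the mauled ciphertext, and dividing out `factor` returns m."""
    x, y = keygen()
    challenge = encrypt(y, m)

    def oracle(c):
        if c == challenge:
            raise ValueError("challenge ciphertext is not allowed")
        return decrypt(x, c)

    mauled = maul(challenge, factor)
    recovered = (oracle(mauled) * pow(factor, P - 2, P)) % P
    return recovered == m
```

The defence is a ciphertext that cannot be modified without detection, which is what the validity check in Cramer-Shoup (next slide) provides; in practice the same effect is obtained by hybrid constructions that authenticate the ciphertext.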
17. Exemplary Schemes III
• Cramer-Shoup Encryption: IND-CCA2
• Key Generation
– private: x1, x2, y1, y2, z in Z_q, where the group G has prime order q and generators g1, g2
– public: c = g1^x1 g2^x2, d = g1^y1 g2^y2, h = g1^z
• Encryption: u1 = g1^r, u2 = g2^r, e = h^r·m, w = H(u1, u2, e), v = c^r d^{rw}. Output (u1, u2, e, v)
• Decryption:
– check if u1^{x1 + w·y1} · u2^{x2 + w·y2} = v
– m = e / u1^z
• Assumptions: DDH and a universal one-way family of hash functions
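Added example (not from the slides): a Python toy of the Cramer-Shoup scheme exactly as written on this slide, over a constructed group (p = 10007 = 2·5003 + 1, generators g1 = 4 and g2 = 9 of the order-5003 subgroup, SHA-256 reduced mod q standing in for H; all of these are this example's assumptions, and in a real instance g2 must be generated so that its discrete log to base g1 is unknown). `tamper_demo` mauls e the way the El Gamal example does and shows that the v check rejects the result.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1, g1 and g2 are squares, hence generators of the order-q subgroup.
P, Q = 10007, 5003
G1, G2 = 4, 9


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def hash_to_zq(u1, u2, e):
    """Stand-in for the universal one-way hash H: SHA-256 over the three elements, reduced mod q."""
    data = f"{u1},{u2},{e}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x1, x2, y1, y2, z = (rand_exp() for _ in range(5))
    c = (pow(G1, x1, P) * pow(G2, x2, P)) % P          # c = g1^x1 g2^x2
    d = (pow(G1, y1, P) * pow(G2, y2, P)) % P          # d = g1^y1 g2^y2
    h = pow(G1, z, P)                                  # h = g1^z
    return (x1, x2, y1, y2, z), (c, d, h)


def encrypt(pk, m):
    c, d, h = pk
    r = rand_exp()
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    e = (pow(h, r, P) * m) % P                         # e = h^r m
    w = hash_to_zq(u1, u2, e)
    v = (pow(c, r, P) * pow(d, (r * w) % Q, P)) % P    # v = c^r d^{rw}
    return u1, u2, e, v


def decrypt(sk, ct):
    """Returns m, or None when the validity check fails and the ciphertext is rejected."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    w = hash_to_zq(u1, u2, e)
    expected = (pow(u1, (x1 + w * y1) % Q, P) * pow(u2, (x2 + w * y2) % Q, P)) % P
    if expected != v:
        return None
    return (e * pow(u1, (-z) % Q, P)) % P              # m = e / u1^z


def tamper_demo(m=123):
    """Mauling e changes w, so u1^{x1+w y1} u2^{x2+w y2} no longer equals v and decrypt rejects."""
    sk, pk = keygen()
    u1, u2, e, v = encrypt(pk, m)
    return decrypt(sk, (u1, u2, (2 * e) % P, v))
```

Because the subgroup order q is tiny in this toy, a mauled ciphertext slips through the check with probability on the order of 1/q; with a q of cryptographic size that probability is negligible, which is the gap between this demonstration and the actual IND-CCA2 proof.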
18. Håstad Attack on RSA
[Figure: a sender encrypts the same m for three recipients with public keys (N1, 3), (N2, 3), (N3, 3): y1 = m^3 mod N1, y2 = m^3 mod N2, y3 = m^3 mod N3]
Observer: “I can compute m^3 mod N1N2N3, but m^3 < N1N2N3, so….”
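Added example (not from the slides): the computation the figure alludes to, in Python over three constructed toy moduli (products of primes near 1000, chosen for illustration only). The Chinese Remainder Theorem combines the three residues into m^3 mod N1N2N3; because m is smaller than every N_i, that residue is the integer m^3 itself and an exact integer cube root returns m.

```python
from functools import reduce

# Constructed toy: three recipients with distinct moduli and the common exponent e = 3.
MODULI = [1013 * 1019, 1021 * 1031, 1033 * 1039]
E = 3


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise-coprime moduli; returns (x, product of moduli)."""
    prod = reduce(lambda a, b: a * b, moduli)
    total = 0
    for r, n in zip(residues, moduli):
        m = prod // n
        total += r * m * pow(m, -1, n)   # pow(m, -1, n) is the modular inverse (Python 3.8+)
    return total % prod, prod


def integer_cube_root(x):
    """Exact integer cube root by binary search, or None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def broadcast(m, moduli=MODULI, e=E):
    """The sender's side: the same unpadded m encrypted under each recipient's key."""
    return [pow(m, e, n) for n in moduli]


def hastad_recover(ciphertexts, moduli=MODULI):
    """The observer's side from the slide: combine y_i = m^3 mod N_i into m^3 mod N1N2N3.
    Since m < each N_i, m^3 < N1N2N3, the residue is the integer m^3 and a plain cube root gives m."""
    cube, _ = crt(ciphertexts, moduli)
    return integer_cube_root(cube)
```

This is the practical reason for the randomized padding of the previous slides: with OAEP the three ciphertexts encrypt three different encoded blocks, the CRT combination no longer corresponds to a single cube, and the cube root step yields nothing.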
19. IND in Multi-user Setting
[Figure: the adversary queries several encryption oracles PKE(pk, sk), submitting any m0, m1 to each and receiving the challenge C = E(mb), with the same b ∈R {0,1} for all oracle queries]
The adversary wins if he guesses b correctly with a probability significantly greater than 1/2.
20. General Reduction
• An encryption scheme in the multi-user setting is semantically secure iff it is in the single-user setting.
• The reduction is polynomial:
Adv_n(t, q_e) ≤ q_e · n · Adv_1(t’), t’ = t + O(log(q_e n))
where n is the number of users, q_e is the number of allowed encryption operations, and t’ and t are the running times.
21. Immediate Impact on Practice
• Generally, security degrades linearly as new users join and as the users encrypt more data.
• For ElGamal, the bound is 2·Adv_ddh
• For Cramer-Shoup, the bound is 2(Adv_ddh + Adv_H)