Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model. Tatsuaki Okamoto, NTT.

Presentation transcript:

1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT

2 Security of Public-Key Cryptosystems
Target:
  One-wayness (OW): hard to invert
  Semantically secure (indistinguishable) (IND): no partial information is released
  Non-malleable (NM): for any non-trivial relation R, E(M) → E(R(M)) is hard
Attacks:
  Passive attacks (Chosen-Plaintext Attacks: CPA)
  Chosen-ciphertext attacks (Chosen-Ciphertext Attacks: CCA)

3 Semantic Security (IND: Indistinguishability)
The probability of correctly guessing (b = b') is negligible.
[Diagram labels: Adv; b'; m0, m1; ": randomly selected"; ": guess of"]

4 Chosen Ciphertext Attack (CCA)
CCA1 (lunchtime attack, Naor-Yung 90): C0 is given to the attacker, after the active attack is completed.
CCA2 (Rackoff-Simon 91): C0 is given to the attacker, before the active attack starts.
[Diagram: the attacker holds the public key and the ciphertext C0, sends C1, ..., Cn to the decryption oracle and receives P1, ..., Pn; output: information on plaintext P0. Rule: C0 ≠ C1, ..., Cn]

5 Relationships among Security Definitions (1)
Non-malleable (NM) → Semantically secure (IND) (i.e., NM-CPA → IND-CPA, NM-CCA2 → IND-CCA2)
IND-CCA2 → NM-CCA2
Remark: NM-CPA → IND-CCA1
Conclusion: Strongest security: semantically secure against chosen-ciphertext attack 2, IND-CCA2 = NM-CCA2 ←

6 Relationships among Security Definitions (2)
Attack \ Target | One-way (OW) | Semantically secure (IND) | Non-malleable (NM)
Passive attack (CPA) | OW-CPA | IND-CPA | NM-CPA
Active attack (chosen-ciphertext attack) (CCA), CCA1 | OW-CCA1 | IND-CCA1 | NM-CCA1
Active attack (chosen-ciphertext attack) (CCA), CCA2 | OW-CCA2 | IND-CCA2 | NM-CCA2

7 History of Provably Secure Public-key Encryption
[Timeline figure. Schemes and results named: DH, RSA, Rabin, GM (IND-CPA), NY (IND-CCA1), DDN (NM-CCA2), BR (random oracle model), OAEP, BDPR, RS (IND-CCA2), CS; also labelled (OW-CPA). Stages named: concept of public-key cryptosystem; proposal of various tricks; provable security (theory); practical scheme in the standard model; practical approach by random oracle model.]

8 The plain RSA scheme is not secure in the sense of IND-CCA2
Not indistinguishable (IND): deterministic.
  [Diagram: Adv; m0, m1; b = 0/1: correctly output]
Vulnerable against CCA2: random self-reducibility.
  [Diagram: Adv is given C and sends C' = C · R^e to the decryption oracle (DO); the oracle returns M'; M'/R = plaintext of C]

9 EC-ElGamal Encryption
elliptic curve point with order
Public-key (E, P, W, )
Secret-key x
Encryption: plaintext m, bit-wise exclusive-or, (rW)_X is the x-coordinate of rW
Decryption: ciphertext

10 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (1) Malleable Non-trivial relation with m’ =

11 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (2) CCA2 Attack Adv Decryption Oracle

12 How to Construct an Encryption Scheme with the Strongest Security (IND-CCA2)
Based on zero-knowledge proofs
  Dolev-Dwork-Naor (1991)
  Inefficient
Based on truly random function (random oracle model)
  Bellare-Rogaway: OAEP (1994) ... PKCS#1 (Ver. 2) 1998
  Fujisaki-Okamoto (1999), Pointcheval (2000)
  Okamoto-Pointcheval: REACT (2001)
  Practical (using practical one-way functions in place of random functions)
Practical construction without using a random function
  Cramer-Shoup (1998)

13 Design Strategy of Practical and Provably Secure Public-key Encryption
Primitive Encryption Function (Trapdoor Function). Example: RSA, ElGamal, etc.
Conversion Using Hash Functions (Random Functions)
Secure Encryption Scheme: Semantically Secure against Adaptively Chosen Ciphertext Attacks (IND-CCA2)

14 Random Oracle Model (Truly Random Model)
[Figure: the random oracle (random function) H shown as a table with 2^n inputs (0...0, 0...1, ..., 1...1), each with an output of n random bits; User 1 and User 2 send inputs x_1, ..., x_k to H and receive H(x_1), ..., H(x_k).]

15 Conversions for the RSA Encryption Function OAEP (Bellare-Rogaway 1994) OAEP+ (Shoup 2001) SAEP (Boneh 2001) SAEP+ (Boneh 2001) REACT (Okamoto-Pointcheval 2001)

16 OAEP
[Diagram labels: m, 00…0, r; G, G(r), s; H, H(s), t; one-way permutation]
(Example) RSA-OAEP
RSA-OAEP: de facto standard format of the RSA encryption ... used in SSL (PKCS#1) and SET

17 Security of OAEP (FOPS 2001) OAEP is IND-CCA2 secure under the partial-domain one-wayness assumption in the random oracle model. RSA-OAEP is IND-CCA2 secure under the RSA assumption in the random oracle model. The reduction efficiency (to the RSA inversion) is less than that of the optimal case.
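
Added example (not from the original slides): slides 8 and 16 side by side on a constructed toy key. Textbook RSA answers the blinded query C' = C · R^e, so M'/R is the plaintext of C, while a simplified OAEP-style padding, s = (m || 0…0) xor G(r), t = r xor H(s), makes decryption reject C'. The key, the byte lengths and the use of SHA-256 as a stand-in for the random oracles G and H are assumptions of this sketch; it is not the PKCS#1 encoding.

```python
import hashlib, os

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
M_LEN, K1, K0 = 10, 8, 8      # bytes: message, zero redundancy, random r
BLOCK = M_LEN + K1 + K0       # 26 bytes = 208 bits, always smaller than N

def G(r): return hashlib.sha256(b"G" + r).digest()[:M_LEN + K1]
def H(s): return hashlib.sha256(b"H" + s).digest()[:K0]
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(m, r):
    """s = (m || 0...0) xor G(r),  t = r xor H(s);  output s || t."""
    s = xor(m + bytes(K1), G(r))
    return s + xor(r, H(s))

def oaep_unpad(block):
    """Undo both rounds; None unless the zero redundancy is intact."""
    s, t = block[:M_LEN + K1], block[M_LEN + K1:]
    padded = xor(s, G(xor(t, H(s))))
    return padded[:M_LEN] if padded[M_LEN:] == bytes(K1) else None

def raw_decrypt(c):
    """Textbook RSA decryption oracle: answers every query."""
    return pow(c, D, N)

def oaep_encrypt(m, r=None):
    if len(m) != M_LEN:
        raise ValueError("this sketch takes exactly M_LEN message bytes")
    block = oaep_pad(m, r if r is not None else os.urandom(K0))
    return pow(int.from_bytes(block, "big"), E, N)

def oaep_decrypt(c):
    x = pow(c, D, N)
    too_long = x.bit_length() > 8 * BLOCK
    return None if too_long else oaep_unpad(x.to_bytes(BLOCK, "big"))

def blind(c, R):
    """C' = C * R^e mod N, a ciphertext different from C."""
    return c * pow(R, E, N) % N

if __name__ == "__main__":
    m_int, R = 424242, 7
    c = pow(m_int, E, N)
    print(raw_decrypt(blind(c, R)) * pow(R, -1, N) % N == m_int)  # M'/R
    c2 = oaep_encrypt(b"0123456789")
    print(oaep_decrypt(c2), oaep_decrypt(blind(c2, R)))
```
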

18 OAEP+
[Diagram labels: m, F(m||r), r; G, G(r), s; H, H(s), t; one-way permutation]
(Example) RSA-OAEP+

19 RSA-REACT (Hybrid Encryption) (ex)

20 Comparison of the RSA Family
Scheme | Security | Assumption: Number-Theoretic | Assumption: Functional | Reduction Efficiency | Provable Hybrid Usage
RSA-OAEP | IND-CCA2 | RSA | ROM | * | No
RSA-OAEP+ | IND-CCA2 | RSA | ROM | * | No
RSA-SAEP (low exponent) | IND-CCA2 | RSA with low exponent | ROM | * * * | No
RSA-REACT | IND-CCA2 | RSA | ROM | * * * | Yes

21 IND-CCA2 Conversions for (Elliptic Curve) ElGamal Encryption
FO-1 (Fujisaki-Okamoto: PKC 1999)
FO-2 (Fujisaki-Okamoto: Crypto 1999)
Pointcheval (Pointcheval 2000)
REACT (Okamoto-Pointcheval 2001)
DHAES / ECIES (Abdalla-Bellare-Rogaway 1999)
CS (ACE) (Cramer-Shoup 1998)
PSEC-KEM (Shoup + Fujisaki-Okamoto 2001)
ACE-KEM (Shoup 2001)
(Remark: OAEP, OAEP+, SAEP, SAEP+ cannot be applied for Probabilistic Encryption Schemes such as ElGamal)

22 FO-1/2 FO-1 FO-2 Check in decryption ? ?

23 FO-2 : Applied to EC-ElGamal … PSEC-2 : plaintext ciphertext (Ex.1) (Ex.2) one-time pad block-cipher

24 Decryption of PSEC-2 Check Yes No null string ?

25 Security of PSEC-2 EC-DH Assumption SymEnc : semantically secure against passive attack g, h : random oracle PSEC-2 is IND-CCA2

26 REACT Check in decryption ?

27 Security of REACT f is Gap-one way G and H are random oracles ( SymE is semantically secure against passive attacks ) AsymE is IND-CCA2

28 A Typical Usage of REACT
[Diagram labels: Session key; Encryption; Decryption]
IND-CCA2 is guaranteed in total.

29 Inverting Problems relation x→y s.t. f (x, y)=1 f (x, y)=1 y x

30 R-decision problems ( x,y ) decide whether R ( f, x, y )=1 (Examples) (e.g., decision DH) (e.g., quadratic residuosity) z is even when z with f (x,z) is uniquely determined. (e.g., lsb of RSA) s.t.

31 Gap problems (R-gap problems) R-decision problem Oracle R-decision problem Oracle or x x y y s.t.

32 Duality of Gap and Decision problems R-gap problem of f is tractable ⇒ inverting problem of f = R-decision problem of f R-decision problem of is tractable ⇒ inverting problem of f = R-gap problem of f (e.g., f : RSA function; ) reducible to each other

33 Relationship among the Assumptions Decisional Assumption Gap- One-way Assumption Gap- One-way Assumption Dual

34 Relationship among the DH Assumptions Decision DH Assumption Gap DH Assumption DH Assumption Dual

35 EC-ElGamal-REACT : PSEC-3 : plaintext ciphertext

36 Decryption of PSEC-3 Check Yes No null string ?

37 Security of PSEC-3 EC-GapDH ( GDH) Assumption SymEnc : semantically secure against passive attack g, h : random oracle PSEC-3 is IND-CCA2

38 ECIES' (modified by Shoup) Encryption r : random Decryption Check ?

39 Security of ECIES'
Gap-EDH assumption
SymEnc: semantically secure against passive attack
Mac: secure
g: random oracle
ECIES' is IND-CCA2

40 EC-ACE-KEM (1) Public-key Secret-key w, x, y, z Encryption Ciphertext : Shared key :

41 EC-ACE-KEM (2) Decryption check ? ?

42 Security of EC-ACE-KEM
(1) EC-DDH; h: Universal One-Way Hash Function (UOWHF); EC-ACE is IND-CCA2
(2) EC-DH; h: Random Oracle; EC-ACE is IND-CCA2

43 PSEC-KEM (revised by Shoup based on PSEC-2) Encryption Ciphertext (R, v) Decryption

44 Security of PSEC-KEM EC-DH h,g : Random Oracle PSEC-KEM is IND-CCA2

45 Comparison of the EC-ElGamal Family
Scheme | Security | Assumption: Number-Theoretic | Assumption: Functional | Performance: Enc. | Performance: Dec.
PSEC-2 | IND-CCA2 | EC-DH | Random oracle, Security of SymE | 2 | 2
PSEC-3 | IND-CCA2 | EC-GDH | Random oracle, Security of SymE | 2 | 1
ECIES' | IND-CCA2 | EC-GDH | Random oracle, Security of SymE and Mac | 2 | 1
EC-ACE-KEM (+ SymE, Mac) | IND-CCA2 | EC-DDH | Universal One-way Hash, Security of SymE and Mac | 5 | 3
PSEC-KEM (+ SymE, Mac) | IND-CCA2 | EC-DH | Random oracle, Security of SymE and Mac | 2 | 2
The above numbers are those of EC-addition operations

46 Conclusion
Simple RSA and (EC) ElGamal are not secure against active attacks.
Several practical (efficient) conversions are proposed to realize the strongest level of security (IND-CCA2) based on any primitive encryption functions such as RSA and (EC) ElGamal.