Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 24.

Published byGertrud Koch Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 24."— Presentation transcript:

1 Cryptography Lecture 24

2 Special topics? It looks like we will have 1-2 lectures devoted to “special topics” Will not be on final exam Schedule on webpage has some candidate topics Feel free to me suggestions for topics

3 Dlog-based PKE

4 Diffie-Hellman key exchange
G, q, g, h1 h2 (G, q, g)  G(1n) x  ℤq h1 = gx y  ℤq h2 = gy c2 = k · m k = (h1)y k = (h2)x m = c2 · k-1

5 El Gamal encryption Public key G, q, g, h1 h2, h1y · m h2
(G, q, g)  G(1n) x  ℤq h1 = gx y  ℤq h2 = gy c2 = k · m k = (h1)y k = (h2)x m = c2 · k-1

6 El Gamal encryption Gen(1n)
Run G(1n) to obtain G, q, g. Choose uniform xℤq. The public key is (G, q, g, gx) and the private key is x Encpk(m), where pk = (G, q, g, h) and m  G Choose uniform y  ℤq. The ciphertext is gy, hy·m Decsk(c1, c2), where sk = x Output c2/c1x = c2  c1-x

7 Security? If the DDH assumption is hard for G, then the El Gamal encryption scheme is CPA-secure Follows from security of Diffie-Hellman key exchange, or can be proved directly Note that the discrete-logarithm assumption alone is not enough here  Secure for encryption of multiple messages (using the same public key)! Note that sender(s) must use fresh randomness for each encryption

8 El Gamal in practice Parameters G, q, g are standardized and shared
Need to encode message as a group element In some groups, there are natural ways to do this In other cases, not as easy Will see later a better way of resolving this issue

9 Chosen-ciphertext attacks?
El Gamal encryption is not secure against chosen-ciphertext attacks Follows from the fact that it is malleable Given ciphertext (c1, c2), transform it to obtain the ciphertext (c1, c’2) = (c1,  · c2) for arbitrary  Since (c1, c2) = (gy, hy · m), we have (c1, c’2) = (gy, hy · (m)) I.e., encryption of m becomes an encryption of m!

10 Attack! (Assume 2  G  ℤ*p) G, q, g, h c1, c2 c1, 2 ·c2
First bid: m Second bid: 2m

11 Hybrid encryption and KEMs

12 Encrypting long messages
Public-key encryption schemes “natively” defined for short messages E.g., El Gamal encryption How can longer messages be encrypted?

13 Encrypting long messages
Can always encrypt block-by-block I.e., to encrypt M = m1, m2, …, ml, do: Encpk(m1), …, Encpk(ml) If the underlying scheme is CPA-secure (for short messages), then this is CPA-secure (for arbitrary length messages) Why?

14 Note (Public-key) encryption is NOT a block cipher
Fk is deterministic, one-to-one, and looks random Encpk is randomized (if it is CPA-secure), thus not one-to-one, and may not look random CTR-mode/CBC-mode don’t make sense for public-key encryption CTR-mode is completely insecure... “ECB mode” is secure for public-key encryption Because underlying scheme is randomized

15 Encrypting long messages
Encrypting block-by-block is inefficient Ciphertext expansion in each block Public-key encryption is “expensive” Can we do better?

16 Hybrid encryption Main idea Benefits
Use public-key encryption to establish a (shared, secret) key k Use k to encrypt the message with a symmetric-key encryption scheme Benefits Lower ciphertext expansion Amortized efficiency of symmetric-key encryption

17 Hybrid encryption Decryption done in the obvious way Enc’ m ciphertext
“encapsulated key” Enc k pk The functionality of public-key encryption at the (asymptotic) efficiency of private-key encryption!

18 Formally Let  be a public-key scheme, and let ’ be a symmetric-key scheme Define hy as follows: Genhy = Gen (i.e., same as ) Enchy(pk, m): Choose k  {0,1}n c  Encpk(k) c’  Enc’k(m) Output c, c’ Decryption done in the natural way…

19 Security of hybrid encryption
If  is a CPA-secure public-key scheme, and ’ is a CPA-secure private-key scheme, then hy is a CPA-secure public-key scheme Suffices for ’ to be EAV-secure If  is a CCA-secure public-key scheme, and ’ is a CCA-secure private-key scheme, then hy is a CCA-secure public-key scheme

20 Application to El Gamal?
To use hybrid encryption with El Gamal, would need to encode key k as a group element Can we avoid this? The sender doesn’t care about encrypting a specific key, it just needs to send a random key Idea: encrypt a random group element K; define the key as k = H(K)

21 KEMs For hybrid encryption, something weaker than public-key encryption suffices Sufficient to have a “key encapsulation mechanism” (KEM) that takes a public key and outputs a ciphertext c and a key k Correctness: k can be recovered from c given sk Security: k is indistinguishable from uniform given pk and c; can define CPA-/CCA-security Can still combine with symmetric-key encryption as before!

22 KEM/DEM paradigm Hybrid encryption KEM/DEM

23 Security of KEM/DEM If  is a CPA-secure KEM, and ’ is a CPA-secure private-key scheme, then combination is a CPA-secure public-key scheme Suffices for ’ to be EAV-secure If  is a CCA-secure KEM, and ’ is a CCA-secure private-key scheme, then combination is a CCA-secure public-key scheme

24 KEMs vs. PKE schemes For short messages, direct encryption using a PKE scheme (with no hybrid encryption) can sometimes be the best choice For anything longer, KEM/DEM or hybrid encryption will be more efficient This is how things are done in practice (unless very short messages are being encrypted)

25 KEM based on El Gamal Gen(1n) Ecapspk, where pk = (G, q, g, h)
Run G(1n) to obtain G, q, g. Choose uniform xℤq. The public key is (G, q, g, gx) and the private key is x Ecapspk, where pk = (G, q, g, h) Choose uniform y  ℤq. The ciphertext is gy, and the key is k = H(hy) Decapssk(c), where sk = x Output k = H(cx)

26 Security? If the DDH assumption holds, and H is modeled as a random oracle, then this KEM is CPA-secure

27 Complete scheme Combine the KEM with private-key encryption
I.e., encryption of message m is gy, Enc’k(m), where k = H(hy) and Enc’ is a symmetric-key encryption scheme If Enc’ is CPA-secure and H is modeled as a random oracle, this is a CPA-secure public-key encryption scheme

28 Chosen-ciphertext security
Under stronger assumptions, this approach can be proven to give CCA security If Enc’ is a CCA-secure symmetric-key scheme Can at least see why the previous attack no longer works Standardized as DHIES/ECIES

Download ppt "Cryptography Lecture 24."

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.
Cryptography Lecture 8 Stefan Dziembowski

Cryptography Lecture 8 Stefan Dziembowski
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
Lecture 11 Chosen-Ciphertext Security Stefan Dziembowski www.dziembowski.net MIM UW 14.12.12ver 1.0.

Lecture 11 Chosen-Ciphertext Security Stefan Dziembowski MIM UW ver 1.0.
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Randomness Leakage in the KEM/DEM Framework Hitoshi Namiki (Ricoh) Keisuke Tanaka (Tokyo Inst. of Tech.) Kenji Yasunaga (Tokyo Inst. of Tech.  ISIT) ProvSec.

Randomness Leakage in the KEM/DEM Framework Hitoshi Namiki (Ricoh) Keisuke Tanaka (Tokyo Inst. of Tech.) Kenji Yasunaga (Tokyo Inst. of Tech.  ISIT) ProvSec.
Topic 26: Discrete LOG Applications

Topic 26: Discrete LOG Applications
Encryption and Integrity

Encryption and Integrity

Similar presentations

Ads by Google