Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT.

Published byMyah Hanney Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT."— Presentation transcript:

1 1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT

2 2 Security of Public-Key Cryptosystems Target One-wayness (OW) : hard to invert Semantically secure (Indistinguishable) (IND) : No partial information is released Non-malleable (NM ) : for any non-trivial relation R E(M)→E(R(M)) Attacks Passive attacks (Cosen Plaintext Attacks: CPA) Chosen-ciphertext attacks ( Cosen Ciphertex Attacks: CCA ) hard

3 3 Semantic Security (IND : Indistinguishability) The probability of correctly guessing (b = b ’ ) is negligible Adv b’ m 0, m 1 : randomly selected : guess of

4 4 Chosen Ciphertext Attack (CCA) CCA1 (Lunch time attack, Naor-Yung 90) C 0 is given to the attacker, after the active attack is completed. CCA2 (Rackoff – Simon 91) C 0 is given to the attacker, before the active attack starts. Ciphertext C 0 Information on Plaintext P 0 C 1, C n P 1, P n Rule: C 0 ≠C 1,,C n () Public-key Attacker Decryption oracle

5 5 Relationships among Security Definitions (1) Non-malleable (NM) → Semantically secure (IND) i.e., NM-CPA → IND-CPA, NM-CCA2 → IND-CCA2) IND-CCA2 → NM-CCA2 Remark : NM-CPA → IND-CCA1 Conclusion : Strongest security Semantically secure against chosen-ciphertext attack 2 IND-CCA2=NM-CCA2 ←

6 6 Relationships among Security Definitions (2) One-way (OW) Semantically secure (IND) Non-malleable (NM) Passive attack (CPA) OW-CPAIND-CPANM-CPA Active attack (Chosen- ciphertext attack) (CCA) CCA1OW-CCA1IND-CCA1NM-CCA1 CCA2OW-CCA2IND-CCA2NM-CCA2 Target Attack

7 7 History of Provably Secure Public-key Encryption 1976 1978 1979 1982 1984 1990 1991 1993 1994 1998 2001 DDN (NM-CCA2) BR (Random oracle model) Rabin GM (IND-CPA) DH RSA NY (IND-CCAI) (OW-CPA) Concept of public-key cryptosystem Proposal of various tricks Provable security (Theory) Practical scheme in the standard model CS Practical approach by random oracle model BDPR OAEPRS (IND-CCA2)

8 8 The plain RSA scheme is not secure in the sense of IND-CCA2 not indistinguishable (IND) deterministic vulnerable against CCA2 random-self-reducibility Adv DO C’ = C ・ R e M’/R C Decryption oracle =Plaintext of C Adv b = 0/1:correctly output m 0, m 1

9 9 EC-ElGamal Encryption elliptic curve point with order Public-key (E, P, W, ) Secret-key x Encryption plaintext m, bit-wise exclusive-or, (rW) X is the x -coordinate of rW Decryption ciphertext

10 10 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (1) Malleable Non-trivial relation with m’ =

11 11 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (2) CCA2 Attack Adv Decryption Oracle

12 12 How to Construct an Encryption Scheme with the Strongest Security (IND-CCA2) Based on zero-knowledge proofs Dolev-Dwork-Naor (1991) Inefficient Based on truly random function (random oracle model) Bellare-Rogaway : OAEP (1994)..PKCS#1(Ver.2)1998 Fujisaki-Okamoto (1999), Pointcheval (2000) Okamoto-Pointcheval : REACT (2001) Practical (using practical one-way functions in place of random functions) Practical construction without using a random function Cramer-Shoup (1998)

13 13 Design Strategy of Practical and Provably Secure Public-key Encryption Primitive Encryption Function (Trapdoor Function) Example RSA ElGamal etc Secure Encryption Scheme Semantically Secure against Adaptively Chosen Ciphertext Attacks (IND-CCA2) Conversion Using Hash Functions (Random Functions)

14 14 Random Oracle Model (Truly Random Model) 0・・・・ ・・・・0 0・・・・ ・・・・1 1・・・・ ・・・・1 01011・・・ ・・・0 10011・・・ ・・・0 011001・・ ・・0 Random oracle Random function H User 1 User 2 x1x1 xkxk H(xk)H(xk) H(x1)H(x1) 2n2n n bits random Input Output ・・・ H (random oracle/ random function) H

15 15 Conversions for the RSA Encryption Function OAEP (Bellare-Rogaway 1994) OAEP+ (Shoup 2001) SAEP (Boneh 2001) SAEP+ (Boneh 2001) REACT (Okamoto-Pointcheval 2001)

16 16 OAEP m00…0r G(r)G(r) s H(s)H(s) t ( Example ) RSA-OAEP G H RSA-OAEP : de facto standard format of the RSA encryption ・・・ used in SSL(PKCS#1) and SET one-way permutation

17 17 Security of OAEP (FOPS 2001) OAEP is IND-CCA2 secure under the partial-domain one-wayness assumption in the random oracle model. RSA-OAEP is IND-CCA2 secure under the RSA assumption in the random oracle model. The reduction efficiency (to the RSA inversion) is less than that of the optimal case.

18 18 OAEP+ mF(m||r)r G(r)G(r) s H(s)H(s) t ( Example ) RSA-OAEP+ G H one-way permutation

19 19 RSA-REACT (Hybrid Encryption) (ex)

20 20 Comparison of the RSA Family SchemesSecurityAssumptionReduction Efficiency Provable Hybrid Usage Number- Theoretic Functio nal RSA-OAEPIND-CCA2RSAROM * No RSA-OAEP+IND-CCA2RSAROM * No RSA-SAEP (low exponent) IND-CCA2 RSA with low exponent ROM * * * No RSA-REACTIND-CCA2RSAROM * * * Yes

21 21 IND-CCA2 Conversions for (Elliptic Curve) ElGamal Encryption FO-1 FO-2 Pointcheval REACT DHAES / ECIES CS ( ACE) PSEC-KEM ACE-KEM (Fujisaki-Okamoto: PKC 1999) (Fujisaki-Okamoto: Crypto 1999) (Pointcheval 2000) (Okamoto-Pointcheval 2001) (Abdala-Bellare-Rogaway 1999) (Cramer-Shoup 1998) (Shoup + Fujisaki-Okamoto 2001) (Shoup 2001) (Remark: OAEP, OAEP+, SAEP, SAEP+ cannot be applied for Probabilistic Encryption Schemes such as ElGamal

22 22 FO-1/2 FO-1 FO-2 Check in decryption ? ?

23 23 FO-2 : Applied to EC-ElGamal … PSEC-2 : plaintext ciphertext (Ex.1) (Ex.2) one-time pad block-cipher

24 24 Decryption of PSEC-2 Check Yes No null string ?

25 25 Security of PSEC-2 EC-DH Assumption SymEnc : semantically secure against passive attack g, h : random oracle PSEC-2 is IND-CCA2

26 26 REACT Check in decryption ?

27 27 Security of REACT f is Gap-one way G and H are random oracles ( SymE is semantically secure against passive attacks ) AsymE is IND-CCA2

28 28 A Typical Usage of REACT Session key 暗号 復号 IND-CCA2 is guaranteed in total.

29 29 Inverting Problems relation x→y s.t. f (x, y)=1 f (x, y)=1 y x

30 30 R -decision problems ( x,y ) decide whether R ( f, x, y )=1 (Examples) (e,g., decision DH ) (e,g., quadratic residuosity) z is even when z with f (x,z) is uniquely determined. (e,g., lsb of RSA) s.t.

31 31 Gap problems (R-gap problems) R-decision problem Oracle R-decision problem Oracle or x x y y s.t.

32 32 Duality of Gap and Decision problems R-gap problem of f is tractable ⇒ inverting problem of f = R-decision problem of f R-decision problem of is tractable ⇒ inverting problem of f = R-gap problem of f (e.g., f : RSA function; ) reducible to each other

33 33 Relationship among the Assumptions Decisional Assumption Gap- One-way Assumption Gap- One-way Assumption Dual

34 34 Relationship among the DH Assumptions Decision DH Assumption Gap DH Assumption DH Assumption Dual

35 35 EC-ElGamal-REACT : PSEC-3 : plaintext ciphertext

36 36 Decryption of PSEC- 3 Check Yes No null string ?

37 37 Security of PSEC-3 EC-GapDH ( GDH) Assumption SymEnc : semantically secure against passive attack g, h : random oracle PSEC-3 is IND-CCA2

38 38 ECIES ’ (modified by Shoup) Encryption r : random Decryption Check ?

39 39 Security of ECIES ’ Gap-EDH assumption SymEnc : semantically secure against passive attack Mac : secure g : random oracle ECIES’ is IND-CCA2

40 40 EC-ACE-KEM (1) Public-key Secret-key w, x, y, z Encryption Ciphertext : Shared key :

41 41 EC-ACE-KEM (2) Decryption check ? ?

42 42 Security of EC-ACE-KEM (1) EC-DDH h : Universal One-Way Hash Function (UOWHF) EC-ACE is IND-CCA2 (2) EC-DH h : Random Oracle EC-ACE is IND-CCA2

43 43 PSEC-KEM (revised by Shoup based on PSEC- 2) Encryption Ciphertext (R, v) Decryption

44 44 Security of PSEC-KEM EC-DH h,g : Random Oracle PSEC-KEM is IND-CCA2

45 45 Comparison of the EC-ElGamal Family SchemeSecurity AssumptionPerformance Number- Theoretic Functional Enc.Dec. PSEC-2IND-CCA2EC-DHRandom oracle Security of SymE 22 PSEC-3IND-CCA2EC-GDHRandom oracle Security of SymE 21 ECIES ’ IND-CCA2EC-GDHRandom oracle, Security of SymE and Mac 21 EC-ACE-KEM ( + SymE, Mac ) IND-CCA2EC-DDHUniversal One-way Hash, Security of SymE and Mac 53 PSEC-KEM ( + SymE, Mac ) IND-CCA2EC-DHRandom oracle Security of SymE and Mac 22 The above numbers are those of EC-addition operations

46 46 Conclusion Simple RSA and (EC)ElGamal are not secure against active attacks Several practical(efficient) conversions are proposed to realize the strongest level of security (IND-CCA2) based on any primitive encryption functions such as RSA and (EC) ElGamal.

Download ppt "1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT."

Similar presentations

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
7. Asymmetric encryption-

7. Asymmetric encryption-
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Lecturer: Moni Naor Foundations of Cryptography Lecture 11: Security of Encryption Schemes.

Lecturer: Moni Naor Foundations of Cryptography Lecture 11: Security of Encryption Schemes.

Similar presentations

Ads by Google