Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

Published byNichole Bruley Modified over 9 years ago

Similar presentations

Presentation on theme: "11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext."— Presentation transcript:

1 11 Provable Security

2 22 Given a ciphertext, find the corresponding plaintext.

3 33 Distinguish between encryptions of 2 chosen plaintexts.

4 44 Given a ciphertext, find another ciphertext s.t.2 ciphertexts related.

5 History of Provably Secure Public-key Cryptosystems (Encryption ) 1976 1978 1979 1982 1984 1990 1991 1994 1998 DDN (NM-CCA2) BR (Random oracle model) Rabin GM (IND-CPA) DH RSA NY (IND-CCAI)(OW-CPA) Concept of public-key cryptosystem Proposal of various tricks Provable security (Theory) Practical scheme in the standard model CS Practical approach by random oracle model EPOC

6 66 Try to find an attack Prove the absence of attacks under some assumptions Attack found Insecure ? Yes No Attack found Assumption was false Yes

7  Ad hoc security arguments are too skeptical to believe and convince  Proofs improves constructions  Proofs are something everyone can verify (well…) 77

8  Provable security is composed of ◦ A scheme ◦ A security model ◦ Assumptions ◦ A construction ◦ Theorems ◦ Proofs !  They are tightly coupled into one piece 88

9 In a nutshell, construct an algorithm, which:  Assume the existence of a winning adversary  Accepts a hard problem instance  Simulate an environment for the adversary according to the model  Using the adversary, answers the hard problem instance  Thus arriving at a contradiction 99

10 How to Prove the Security of Cryptosystems To prove the security (intractability of breaking) directly ・・・ very hard (as hard as to solve the P vs NP problem) To prove the security relatively (e.g., A cryptosystem is secure assuming that factoring is hard.)

11  Models are abstractions ◦ They simplify the problem, by omitting subtleties ◦ Some ignores  Protocol composition  Real-world deployment  Will not help if ◦ Implementation is incorrect ◦ Keys are compromised ◦ There are real attacks not covered in the model ◦ Proof is incorrect ◦ Scheme is misused. …  1111

12 Glodwasser-Micali: Probabilistic Encryption Hardcore bits for RSA & other one-way functions Existence of provably secure schemes Some efficient schemes e.g. Blum-Goldwasser But minimal impact on practice  1212 Theoretical foundations

13 Efficient proven secure schemes : RSA-OAEP, Cramer-Shoup Adoption of proven-secure cryptosystems in Standards: - RSA-OAEP in PKCS#1 v2.0, P1363a - DHIES in ANSI X 9.63, P1363a, SECG Standards bodies and even NIST ask for proofs supporting submissions. Provably secure cryptosystems are widely deployed.  1313

14  1414 Provable-security is no longer just for theoretical cryptographers. Product developers, security architects and users want to know: Which systems to use How different cryptosystems compare

15  [Setup] Select security parameter, 1 k  [KeyGen] Key generation algorithm K  [Encryption] algorithm E  [Decryption] algorithm D  1515 K k coins (pk, sk) E pk M C C D sk M Adversary channel coins

16  1616 How to Prove IND-CCA

17  To prove the security of efficient schemes, cryptographic primitives are replaced by their ideal counterparts. ◦ Random oracle model: hash function=random function ◦ Ideal cipher model: block cipher=random permutation ◦ Generic model: concrete group= blackbox group  There are cryptosystems which are (probably) secure in the random oracle model, but insecure when the random function is replaced by a concrete hash function. All known examples are pathological.  1717

18  1818 C*C* Adv DO Secret key IND-CCA IND-CPA ( indistinguishable against passive attacks ) IND-CPA ( indistinguishable against passive attacks ) Simulating the answers of DO without the secret key Attack result on C * C m /invalid

19 Informally  Key generator generates a key pair  Message finder F get the public key and chooses 2 messages, m 0, m 1.  Line tapper T gets 2 plaintexts and the encryption of one of them and answers 0 if he thinks the encrypted message is m 0 and 1(null) otherwise.  Both message finder and line tapper may encrypt (polynomially many) plaintexts with arbitrary keys (CPA)  When m 0 is encrypted the probability that T answers 0 should be negilibly bigger than when m1 is encrypted.  1919

20  2020

21  OW-CPA (RSA Problem)  OW-CCA2 : no (ciphertext binding)  IND-CPA: no (encrypt the 2 plaintexts and compare)  2121

22  2222

23  2323

24  2424

25  Encryption (basically):  1 -> 0 a random square modulo n  0 -> a random non-square modulo n  Security  IND-CPA : reduction to QRA  OW-CCA2: no (multiplying- y attack)  2525

26  2626

Download ppt "11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext."

Similar presentations

1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT.

1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
7. Asymmetric encryption-

7. Asymmetric encryption-
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Similar presentations

Ads by Google