Presentation is loading. Please wait.

Presentation is loading. Please wait.

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from"— Presentation transcript:

1 Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from http://www.cs.biu.ac.il/~herzbea/89-690/index.html

2 Talk Outline Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition  Adversarial Power and the Break  Symmetric&Asymmetric Security Specifications (CPA, CCA, CCA2) Information Theoretically Secure Public Key Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption

3 Heuristic vs Provable Security Approaches The heuristic approach Build-break-fix paradigm Failed cryptanalysis The provable security  Reductions to hardness assumptions  Reduction is a basic cryptographic technique The information theoretic security

4 Kerckhoff’s Principle: Known Design Security through obscurity is a common approach in the industry  Attacks (e.g. cryptanalysis) of unknown design can be much harder But using public (non-secret) designs…  Published designs are often stronger  No need to replace the system once the design is exposed  No need to worry that design was exposed  Establish standards for multiple applications: Efficiency of production and of test attacks / cryptanalysis Kerckhoff’s Known Design Principle [1883]: adversary knows the design – everything except the secret keys

5 Talk Outline 好晚 Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition  Adversarial Power and the Break  Symmetric&Asymmetric Security Specifications (CPA, CCA, CCA2) Information Theoretically Secure Public Key Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption

6 Public-key Encryption Scheme B.e is a public encryption key, B.d is a matching private decryption key Only the key protects confidentiality plaintext ciphertext B.e encryption algorithm decryption algorithm Key Alice uses to encrypt to Bob Key Bob uses to decrypt B.d Alice (the sender) Bob (the receiver)

7 Encryption Scheme Definition No distinction between public/ secret key encryption schemes No security requirement  Includes trivial (insecure) encryption schemes

8 Talk Outline Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition  Adversarial Power and the Break  Symmetric&Asymmetric Security Specifications (CPA, CCA, CCA2) Information Theoretically Secure Public Key Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption

9 Defining Adversarial Power Computational power  Computational bounds on its running time  Uniform/ non-uniform What actions can it take?  Passive, eavesdropping  Active, can obtain encryptions/ decryptions

10 Defining the Break Define the successful break of the scheme  Recovering the secret key  Decrypting the challenge  Learning some partial information about the encrypted message! Simulating reality using experiments  Indistinguishability (CPA, CCA, adaptive-CCA)

11 Indistinguishability Experiment (asymmetric encryption, a.k.a Public Key) plaintext ciphertext B.e encryption algorithm decryption algorithm Encrypt, or select b  {0,1} and encrypt m b Key Bob uses to decrypt B.d Chosen plaintext m Selected messages m 0, m 1 Chosen ciphertext c Ciphertext c=E B.e (m) Decryptions m=D B.d (c) Guess of b AliceBob Eve

12 IND-CPA Security Specification

13 IND-CCA Security Specification

14 IND-CCA2 Security Specification

15 Indistinguishability Experiment (symmetric encryption, i.e. shared key) plaintext ciphertext k encryption algorithm decryption algorithm Encrypt, or select b  {0,1} and encrypt m b k Chosen plaintext m Selected messages m 0, m 1 Chosen ciphertext c Ciphertext c=E k (m,r e ) Decryptions m=D k (c) Guess of b AliceBob Eve

16 Eavesdropping (Passive) Attacks Security Specification Weakest type of adversary Adversary only obtains the ciphertext that it wishes to decrypt  Eavesdropps on the communication line between two parties and intercepts the encrypted communication  Does not obtain oracle access to encryption or decryption functionality  Does not obtain the encryption key

17 Eavesdropping Attacks Security Specification

18 Chosen Plaintext Attacks Security Specification

19 Talk Outline Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition  Adversarial Power and the Break  Symmetric&Asymmetric Security Specifications (CPA, CCA, CCA2) Information Theoretically Secure Public Key Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption

20 Perfectly Secure Public-Key Encryption Scheme A public key encryption scheme is perfectly secure if for every public encryption key e, all messages m 0, m 1, |m 0 |=|m 1 |, all ciphertexts c and all algorithms A holds What does it mean for an encryption scheme to be perfectly secure?  The adversary gains no advantage  Above pure guess

21 Perfectly Secure Public-Key Encryption Schemes Do NOT Exist Proof  Let = (G,E,D) be a public key encryption scheme  operates over messages of one bit and encryption/ decryption always succeeds  Construct an algorithm A s.t.

22 Perfectly Secure Public-Key Encryption Schemes Do NOT Exist If c is an encryption of 0 then there exists a random i 0, otherwise there exists i 1 A will always return a correct answer since while

23 Talk Outline Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition  Adversarial Power and the Break  Symmetric&Asymmetric Specifications (CPA, CCA, CCA2) Information Theoretically Secure Public Key Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption

24 Deterministic Public Key Encryption Schemes Do NOT Exist Proof  Let =(G,E,D) be a deterministic public key encryption scheme  operates over messages of one bit length and the decryption always succeeds  Construct A s.t.

25 Talk Outline Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition  Adversarial Power and the Break  Symmetric&Asymmetric Security Specifications (CPA, CCA, CCA2) Information Theoretically Secure Public Key Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption

26 Symmetric vs. Asymmetric Is there a perfectly secure private key encryption scheme? Is there a secure deterministic private key encryption scheme?  Depends on the attack model Why not define the strongest security for any scheme?  There is a price for being overly conservative

27 Arbitrary Length Public-key Encryption Scheme Secure public-key encryption scheme for one bit implies security under multiple encryptions, given m=m 1 …m L encrypt Inefficient  L times the computational cost of encrypting one block  Ciphertext length increases  Public key cryptosystems are slow  Also: most (e.g. RSA) have fixed block size (FIL)  Using a long block size is veeery slooow

28 Hybrid Encryption (`enveloping`) Can we do better?  Use VIL secret key cryptosystem, encrypt shared key and use it to encrypt plaintext K  {0,1} k C KEY  E PK e (K) C MSG  E SK K (m) Encryption e Plaintext m Decryption K  D PK d ( C KEY ) D SK K (C MSG ) C KEY C MSG

29 Hybrid Encryption - Construction Secure public key encryption scheme Secure private key encryption scheme construct a hybrid encryption scheme

30 Hybrid Encryption - Security Theorem: If is an IND-CPA secure public key encryption scheme and is an IND-CPA secure private key encryption scheme then is an IND- CPA secure public key encryption scheme for arbitrary length messages Proof: We need to show that For any PPT A and any m 0, m 1 we need to bound

31 Hybrid Encryption Proof, cont’ By definition of hybrid encryption algorithm it is equivalent to Now given A against the hybrid scheme construct an algorithm A SK against the private key encryption scheme

32 Hybrid Encryption Proof, cont’ Analysis of A SK ‘s success probability But, is this equivalent to Why? Because There is no way for to choose the key K’ s.t. it is equal to K used to encrypt the challenge

33 Hybrid Encryption Proof, 2 nd Attempt Given A=(A 1,A 2 ) against we construct and against The advantage of A is bounded by the sum of the advantages of each of the algorithms above

34 Hybrid Encryption Proof, cont’ We first show that Given a PPT algorithm A=(A 1,A 2 ) construct a PPT against

35 Hybrid Encryption Proof, cont’ The success probability of Since is IND-CPA secure the advantage is negligible

36 Hybrid Encryption Proof, cont’ We next show that Given a PPT algorithm A=(A 1,A 2 ) construct a PPT against

37 Hybrid Encryption Proof, cont’ The success probability of Since is IND-CPA secure the advantage is negligible

38 Hybrid Encryption Proof, cont’ In the third step show that Given a PPT algorithm A=(A 1,A 2 ) construct a PPT against

39 Hybrid Encryption Proof, cont’ The success probability of Since is IND-CPA secure the advantage is negligible We obtain and conclude that

40 Hybrid Encryption Proof, fin’

41 Asymmetric Encryption End of part 1 and 2 Questions? Thank you.

Download ppt "Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from"

Similar presentations

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lecture 2.1: Private Key Cryptography -- I CS 436/636/736 Spring 2013 Nitesh Saxena.

Lecture 2.1: Private Key Cryptography -- I CS 436/636/736 Spring 2013 Nitesh Saxena.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

Similar presentations

Ads by Google