Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.

Published byEthelbert Morris Modified over 9 years ago

Similar presentations

Presentation on theme: "Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh."— Presentation transcript:

1 Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh

2 Dan Boneh Public key encryption E E D D AliceBob pk sk mccm Bob: generates (PK, SK) and gives PK to Alice

3 Dan Boneh Applications Session setup (for now, only eavesdropping security) Non-interactive applications: (e.g. Email) Bob sends email to Alice encrypted using pk alice Note: Bob needs pk alice (public key management) Generate (pk, sk) Alice choose random x (e.g. 48 bytes) choose random x (e.g. 48 bytes) Bob pk E(pk, x) x

4 Dan Boneh Public key encryption Def: a public-key encryption system is a triple of algs. (G, E, D) G(): randomized alg. outputs a key pair (pk, sk) E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C D(sk,c): det. alg. that takes c ∈ C and outputs m ∈ M or ⊥ Consistency: ∀ (pk, sk) output by G : ∀ m ∈ M: D(sk, E(pk, m) ) = m

5 Dan Boneh Security: eavesdropping For b=0,1 define experiments EXP(0) and EXP(1) as: Def: E = (G,E,D) is sem. secure (a.k.a IND-CPA) if for all efficient A: Adv SS [A, E ] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | < negligible Chal. b Adv. A (pk,sk)  G() m 0, m 1  M : |m 0 | = |m 1 | c  E(pk, m b ) b’  {0,1} EXP(b) pk

6 Dan Boneh Relation to symmetric cipher security Recall: for symmetric ciphers we had two security notions: One-time security and many-time security (CPA) We showed that one-time security ⇒ many-time security For public key encryption: One-time security ⇒ many-time security (CPA) (follows from the fact that attacker can encrypt by himself) Public key encryption must be randomized

7 Dan Boneh Security against active attacks attacker sk server pk server to: caroline@gmail body body Attacker is given decryption of msgs that start with “to: attacker” What if attacker can tamper with ciphertext? to: attacker@gmail body attacker: mail server (e.g. Gmail) Caroline

8 Dan Boneh (pub-key) Chosen Ciphertext Security: definition E = (G,E,D) public-key enc. over (M,C). For b=0,1 define EXP(b): b Adv. A Chal. (pk,sk)  G() b’  {0,1} challenge: m 0, m 1  M : |m 0 | = |m 1 | c  E(pk, m b ) pk CCA phase 1: c i  C m i  D(k, c i ) CCA phase 2: c i  C : c i ≠ c m i  D(k, c i )

9 Dan Boneh Chosen ciphertext security: definition Def: E is CCA secure (a.k.a IND-CCA) if for all efficient A: Adv CCA [A, E ] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible. Example: Suppose (to: alice, body) (to: david, body) Adv. A b Chal. (pk,sk)  G() b chal.: (to:alice, 0), (to:alice, 1) c  E(pk, m b ) pk CCA phase 2: c’ = ≠c m’  D(sk, c’ ) (to: david, b) c

10 Dan Boneh Active attacks: symmetric vs. pub-key Recall: secure symmetric cipher provides authenticated encryption [ chosen plaintext security & ciphertext integrity ] Roughly speaking: attacker cannot create new ciphertexts Implies security against chosen ciphertext attacks In public-key settings: Attacker can create new ciphertexts using pk !! So instead: we directly require chosen ciphertext security

11 Dan Boneh End of Segment This and next module: constructing CCA secure pub-key systems

Download ppt "Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Identity Based Encryption

Identity Based Encryption
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Similar presentations

Ads by Google