Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Published byDana Simmons Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal."— Presentation transcript:

1 Cryptography Lecture 10 Arpita Patra

2 Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal Encryption Scheme >> Hybrid Encryption (PKE from PKE + SKE with almost the same efficiency of SKE) >> Key Encapsulation Mechanism (KEM): Little sister of PKE CPA Security >> CPA-secure KEM + COA-secure SKE => CPA-secure PKE >> CPA-secure KEM from HDH Assumption (close relative of DDH assumption) >> CCA Security for PKE >> Single message CCA implies Multi message CCA >> CCA KEM >> CCA KEM + CCA SKE => CCA PKE (Hybrid encryption)

3 Two worlds: PKE, SKE >> No assumption of shared Key >> Very expensive PKESKE >> Shared Key assumption needed >> Lightweight (small computation/less ciphertext expansion) Best of the Both Worlds No shared-key assumption Lightweight Hybrid Encryption= PKE + SKE Gen PKE Enc PKE Dec PKE Gen SKE Enc SKE Dec SKE Gen Hyb = Gen PKE m pk c PKE c SKE (c PKE, c SKE ) sk c PKE k c SKE m Enc Hyb k Enc PKE Enc SKE Dec PKE Dec SKE Dec Hyb Gen SKE

4 Advantage of Hybrid Encryption = Gen PKE sk c PKE k c SKE m Dec PKE Dec SKE Dec Hyb |m|>>>>> |k| = n If PKE is used: If Hybrid PKE is used: α : Cost of encrypting 1 bit message using PKE β : Cost of encrypting 1 bit message using SKE Ciphertext Expansion?? Gen Hyb m pk c PKE c SKE (c PKE, c SKE ) Enc Hyb k Enc PKE Enc SKE Gen SKE

5 = Gen PKE sk c PKE k c SKE m Dec PKE Dec SKE Dec Hyb Gen Hyb m pk c PKE c SKE (c PKE, c SKE ) Enc Hyb k Enc PKE Enc SKE Gen SKE Hybrid Encryption using KEM & DEM

6 Gen Hyb = Gen m pk c c SKE (c, c SKE ) sk c k c SKE m Enc Hyb k Encaps Enc SKE Decaps Dec SKE Dec Hyb

7 KEM: Syntax  KEM is a collection of 3 PPT algorithms (Gen, Encaps, Decaps) Gen 1n1n pk, sk  {0, 1} n Syntax: (pk, sk)  Gen(1 n ) Encaps 1n1n c,k pk Syntax: (c,k)  Encaps pk (1 n ) Randomized Algo Decaps ck sk Syntax: k := Dec sk (c) Except with a negligible probability over (pk, sk) output by Gen(1 n ), we require that if Encaps(1 n ) outputs (c,k) then Dec sk (c):= k Randomized Algo Deterministic (w.l.o.g)

8 CPA Security for KEM  = (Gen, Encaps, Decaps) I can break  Let me verifyGen(1 n ) b  {0, 1} b’  {0, 1} (Attacker’s guess about encapsulated key) Game Output b = b’ 1 --- attacker won b  b’ 0 --- attacker lost Indistinguishability experiment KEM (n) A,  cpa PPT A pk, sk pk  is CPA-secure if for every PPT attacker A, the probability that A wins the experiment is at most negligibly better than ½ ½ + negl(n) Pr KEM (n) A,  cpa = 1  (c,k’) (c,k)  Encaps pk (1 n ) k’  k if b=0  uniform random string, b =1

9 CPA-Secure KEM + COA-Secure SKE -> CPA-secure PKE Theorem (Blum Goldwasser CRYPTO’84):  is CPA-security KEM &  SKE is COA-secure SKE   Hyb is CPA-secure PKE Proof: Yet another Hybrid argument based Proof Gen Hyb = Gen m pk c c SK E (c, c SKE ) sk c k c SKE m Enc Hyb k Encaps Enc SKE Decaps Dec SKE Dec Hyb  = (Gen, Encaps, Decaps)  SKE = (Gen SKE, Enc SKE, Dec SKE )  Hyb = (Gen Hyb, Enc Hyb, Dec Hyb ) (pk,c, Enc k SKE (m 0 )) (pk,c, Enc k SKE (m 1 )) (pk,c, Enc k’ SKE (m 0 )) (pk,c, Enc k’ SKE (m 1 )) Indistingui shable due to CPA- security of KEM Indistingui shable due to COA- security of SKE

10 CPA-Secure KEM + COA-Secure SKE -> CPA-secure PKE Theorem:  is CPA-security KEM &  SKE is COA-secure SKE   Hyb is CPA-secure PKE (pk,c, Enc k SKE (m 0 )) (pk,c, Enc k SKE (m 1 )) (pk,c, Enc k’ SKE (m 0 )) (pk,c, Enc k’ SKE (m 1 )) PPT Adv PPT Adv breaking KEM security (pk,c,k) Encapsulated key or Random Key? pk mm (c,c SKE = Enc k SKE (m)) b’  {0, 1} b’ PPT Adv PPT Adv breaking KEM security (pk,c,k) Encapsulated key or Random Key? pk mRmR b’  {0, 1} b’ (c,c SKE = Enc k SKE (m))

11 CPA-Secure KEM + COA-Secure SKE -> CPA-secure PKE Theorem:  is CPA-security KEM &  SKE is COA-secure SKE   Hyb is CPA-secure PKE (pk,c, Enc k SKE (m 0 )) (pk,c, Enc k SKE (m 1 )) (pk,c, Enc k’ SKE (m 0 )) (pk,c, Enc k’ SKE (m 1 )) Pr [A(pk,c, Enc k’ SKE (m 0 )) = 1]Pr [A(pk,c, Enc k SKE (m 0 )) = 1] - negl(n) < Pr [A(pk,c, Enc k’ SKE (m 1 )) = 1]Pr [A(pk,c, Enc k SKE (m 1 )) = 1] - negl(n) < PPT Adv (pk,sk) <- Gen(1 n ) Encyption of m 0 or m 1 ? pk (c,c SKE ) b’  {0, 1} c SKE PrivK (n) A,  SKE coa m 0, m 1 , |m 0 | = |m 1 | m 0, m 1 (c,k) <- Encaps pk (1 n ) b’ PubK (n) A,  cpa

12 CPA-Secure KEM + COA-Secure SKE -> CPA-secure PKE Theorem:  is CPA-security KEM &  SKE is COA-secure SKE   Hyb is CPA-secure PKE (pk,c, Enc k SKE (m 0 )) (pk,c, Enc k SKE (m 1 )) (pk,c, Enc k’ SKE (m 0 )) (pk,c, Enc k’ SKE (m 1 )) Pr [A(pk,c, Enc k’ SKE (m 0 )) = 1]Pr [A(pk,c, Enc k SKE (m 0 )) = 1] - negl(n) < Pr [A(pk,c, Enc k SKE (m 1 )) = 1]Pr [A(pk,c, Enc k’ SKE (m 1 )) = 1] - negl(n) < Pr [A(pk,c, Enc k’ SKE (m 1 )) = 1]Pr [A(pk,c, Enc k’ SKE (m 0 )) = 1] -< negl’(n) + +

13 El Gamal like KEM Enc pk (m) c 1 = g y for random y c 2 = h y.. m c= (c 1,c 2 ) Dec sk (c) c 2 / (c 1 ) x = c 2. [(c 1 ) x ] -1 Gen(1 n ) (G, o, q, g) h = g x. For random x pk= (G,o,q,g,h), sk = x Encaps pk (1 n ) c = g y for random y k = h y = g xy. (c,k) Dec sk (c) k = c x = g xy Gen(1 n ) (G, o, q, g) h = g x. For random x pk= (G,o,q,g,h), sk = x

14 El Gamal like KEM Enc pk (m) c 1 = g y for random y c 2 = h y.. m c= (c 1,c 2 ) Dec sk (c) c 2 / (c 1 ) x = c 2. [(c 1 ) x ] -1 Gen(1 n ) (G, o, q, g) h = g x. For random x pk= (G,o,q,g,h), sk = x Encaps pk (1 n ) c = g y for random y k = H(h y ) = H(g xy. ) (c,k) Dec sk (c) k = H(c x )= H(g xy ) Gen(1 n ) (G, o, q, g) h = g x. For random x pk= (G,o,q,g,h,H), sk = x - Ciphertext= 1 element- Ciphertext= 2 elements -No Multiplication, hashing - Multiplication -No Multiplication, hashing - Multiplication Security: DDH AssumptionSecurity?? -No need of that- Need to choose m randomly

15 El Gamal like KEM Encaps pk (1 n ) c = g y for random y k = H(h y ) = H(g xy. ) (c,k) Dec sk (c) k = H(c x )= H(g xy ) Gen(1 n ) (G, o, q, g) h = g x. For random x pk= (G,o,q,g,h,H), sk = x CPA-secure KEM + COA-secure SKE => CPA-secure PKE @ COA-secure SKE HDH (Hash Diffie-Hellman) Assumption It is weaker than DDH but stronger than CDH when Hash function is implemented using known practical hash functions. HDH problem is hard relative to (G, o) and hash function H: G -> {0,1} m if for every PPT A (it is hard to distinguish H(g xy ) from a random string r from {0,1} m even given g x, g y )): Pr[A(G, o, q, g, g x, g y, H(g xy )) = 1] Pr[A(G, o, q, g, g x, g y, r ) = 1] | |-  negl() Theorem: HDH assumption holds   is a CPA-secure KEM Proof: Easy HDH assumption is that there exists a group and hash function H so that HDH is hard relative to them

16 CCA Attacks in Public-key World  CCA attacks --- attacker gets access to decryption oracle  More powerful than CPA attacks  Launching CCA attacks in the public-key world is relatively easier  In the symmetric-key setting, a message encrypted with the (secret) key k can originate only from a source who has the key k  In the public-key world, an entity can receive encrypted messages from multiple sources who knows the public key for that entity

17 CCA Security CCA experiment I can break  Let me verify m 0, m 1, |m 0 |=|m 1 | Gen(1 n ) b  {0, 1} c*  Enc pk (m b ) b’  {0, 1} PPT A pk, sk pk C 1, C 2, …, C q M 1, M 2, …, M q M i = Dec sk (C i ) C 1, C 2, …, C q M 1, M 2, …, M q M i = Dec sk ( C i ) Game Output 1, if b’ = b 0, otherwise  = (Gen, Enc, Dec) PubK (n) A,  cca  is CCA-secure if: ½ + negl(n) Pr = 1  PubK (n) A,  cca Encryption oracle does not need to be not explicitly provided

18 Non-malleability : An Issue Related to CCA Attacks  An encryption scheme (symmetric/asymmetric) is malleable if the following is possible:  Given an encryption c of an unknown message m  Possible to compute a ciphertext c’ from c which is an encryption of an unknown m’, but which is related to m in a known fashion m c f(m) c’  Ex: Known f m c 2m c’  If an encryption scheme is CCA-secure  it is non-malleable and vice versa  Otherwise an attacker in the CCA game on receiving challenge ciphertext c*  Enc(m b ) can query the decryption oracle on c’  Enc(f(m b )) and obtain f(m b )  Malleability has both advantages as well as disadvantages  Disadvantage: consider an e-auction among two bidders.  A malicious bidder can always win without even knowing the other bid  Advantage ?  Think of it. Will see in the next course

19 El Gamal is malleable (NOT CCA-secure) m,pk= (G,o,q,g,h=g x ) c Public Key pk = (G,o,q,g,h=g x ) c,sk=x Enc pk (m) c 1 = g y for random y c 2 = h y.. m Dec sk (c) c 2 / (c 1 ) x = c 2. [(c 1 ) x ] -1  Given El Gamal encryption (c 1, c 2 ) of m under the public key h, can you come up with an encryption of 2m ?  What will (c 1, 2c 2 ) correspond to ?  Can you compute a different ciphertext (c’ 1, c’ 2 ) for 2m, where c 1  c’ 1 ?

20 CCA Multi-message Security CCA experiment I can break  Let me verify Gen(1 n ) b  {0, 1} b’  {0, 1} PPT A pk, sk pk C 1, C 2, …, C q M 1, M 2, …, M q M i = Dec sk (C i ) C 1, C 2, …, C q M 1, M 2, …, M q M i = Dec sk ( C i ) Game Output 1, if b’ = b 0, otherwise  = (Gen, Enc, Dec) PubK (n) A,  cca-mult (m 0,1, m 1,1 ) c* 2  Enc k (m b,1 ) LR pk,b (m 0,1, m 1,1 ) c* 1  Enc k (m b,1 )

21 CCA Multi-message Security CCA experiment I can break  Let me verify Gen(1 n ) b  {0, 1} b’  {0, 1} PPT A pk, sk pk C 1, C 2, …, C q M 1, M 2, …, M q M i = Dec sk (C i ) C 1, C 2, …, C q M 1, M 2, …, M q M i = Dec sk ( C i ) Game Output 1, if b’ = b 0, otherwise  = (Gen, Enc, Dec) PubK (n) A,  cca-mult (m 0,2, m 1,2 ) c* 2  Enc k (m b,2 ) LR pk,b (m 0,2, m 1,2 ) c* 2  Enc k (m b,2 )

22 CCA Multi-message Security CCA experiment I can break  Let me verify Gen(1 n ) b  {0, 1} b’  {0, 1} PPT A pk, sk pk C 1, C 2, …, C q M 1, M 2, …, M q M i = Dec sk (C i ) C 1, C 2, …, C q M 1, M 2, …, M q M i = Dec sk ( C i ) Game Output 1, if b’ = b 0, otherwise  = (Gen, Enc, Dec) PubK (n) A,  cca-mult  is CCA-secure if: ½ + negl(n) Pr = 1  PubK (n) A,  cca-mult (m 0,t, m 1,t ) c* t  Enc k (m b,t ) LR pk,b (m 0,t, m 1,t ) c* t  Enc k (m b,t )

23 (Single vs Multi-message CCA Security) Theorem: single-message CCA security  multi-message CCA security. Proof: The very same proof for CPA security using hybrid argument will work with minor necessary changes PKESKE COA ≈ COA-mult ≈ CPA-mult CPA ≈ COA COA-mult CPA-mult CPA ≈ CCA-mult CCA ≈ CCA-mult CCA ≈

24 Implication of Single message Implies multi-message Security  Given CCA secure scheme Π for bit/small messages, construct CCA-secure PKE for long message Enc m1m1 m2m2 m3m3 m4m4 m5m5 m6m6 llllll c1c1 c2c2 c4c4 c3c3 c5c5 c6c6 pk m c 1 c 2 …c 6  Enc pk (m)  Is Π ’ CCA-secure ?  No! Truncate and take DO service  CCA secure scheme Π for bit/small messages  CCA-secure PKE for long message- Very non-trivial construction Term Paper: Steven Myers, Abhi Shelat: Bit Encryption Is Complete. FOCS 2009: 607-616FOCS 2009: 607-616

25 Hybrid Encryption using KEM Gen Hyb = Gen m pk c c SK E (c, c SKE ) sk c k c SKE m Enc Hyb k Encaps Enc SKE Decaps Dec SKE Dec Hyb  = (Gen, Encaps, Decaps)  SKE = (Gen SKE, Enc SKE, Dec SKE )  Hyb = (Gen Hyb, Enc Hyb, Dec Hyb )  CPA-secure  SKE COA-secure  Hyb CPA-secure CPA WorldCCA World If  SKE is malleable (think of PRG/PRF based schemes), then irrespective of ,  Hyb is malleable too! (c (KEM ciphertext), G(k) + m (SKE ciphertext))

26 Hybrid Encryption using KEM Gen Hyb = Gen m pk c c SK E (c, c SKE ) sk c k c SKE m Enc Hyb k Encaps Enc SKE Decaps Dec SKE Dec Hyb  = (Gen, Encaps, Decaps)  SKE = (Gen SKE, Enc SKE, Dec SKE )  Hyb = (Gen Hyb, Enc Hyb, Dec Hyb )  CPA-secure  SKE COA-secure  Hyb CPA-secure CPA WorldCCA World If  is malleable, then  Hyb can malleable! (c (KEM ciphertext), G(k) + m (SKE ciphertext))

27 Hybrid Encryption using KEM Gen Hyb = Gen m pk c c SK E (c, c SKE ) sk c k c SKE m Enc Hyb k Encaps Enc SKE Decaps Dec SKE Dec Hyb  = (Gen, Encaps, Decaps)  SKE = (Gen SKE, Enc SKE, Dec SKE )  Hyb = (Gen Hyb, Enc Hyb, Dec Hyb )  CPA-secure  SKE COA-secure  Hyb CPA-secure CPA WorldCCA World  CCA-secure  SKE CCA-secure  Hyb CCA-secure Proof: Suitable modification of the CPA proof works. Sufficient but NOT necessary! In fact there are works proving this is true. Weaker than CCA-secure KEM + CCA SKE => CCA Hybrid encryption

28

Download ppt "Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal."

Similar presentations

ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
7. Asymmetric encryption-

7. Asymmetric encryption-
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary.

Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.

Similar presentations

Ads by Google