Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 11 Stefan Dziembowski

Published byChester Nelson Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 11 Stefan Dziembowski"— Presentation transcript:

1 Cryptography Lecture 11 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net

2 Plan 1.Definition of CCA-security 2.Construction of the CCA-secure schemes 1.in the private-key settings, 2.in the public-key settings.

3 Problem How to encode a message m before encrypting it (with RSA, for example)? m x := encode(m) x e mod N decode(v) v := z d mod N z

4 Remember the chosen-plaintext attack? oracle has to guess b m 0,m 1 c = Enc(pk,m b ) chooses m 0,m 1 security parameter 1 n 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1 challenge phase: pk

5 The PKCS #1 v1.5 encoding We observed that encoding has to be randomized. This is the encoding that we presented: 0000000000000002r00000000m (k - D - 3) random bytes D bytes k bytes

6 Today’s lecture The PKCS #1 v1.5 encoding looks ad-hoc... Today we present a more “scientific” encoding. For this, we are going to use a stronger security definition.

7 Chosen Ciphertext Attack (CCA) The adversary may also choose a ciphertext and learn the corresponding plaintext. Does it make sense? – Aren’t we too paranoid? – How to formalize it?

8 Aren’t we too paranoid? No! Bleichenbacher [1998] showed a “practical” chosen ciphertext attack on encoding proposed for the PKCS #1 v.2 standard. [see also: Bleichenbacher, D., Kaliski B., Staddon J., "Recent results on PKCS #1: RSA encryption standard", RSA Laboratories' bulletin #7, ftp://ftp.rsasecurity.com/pub/pdfs/bulletn7.pdf ] ftp://ftp.rsasecurity.com/pub/pdfs/bulletn7.pdf Why is Blaichenbacher’s attack practical? Because it assumes that the adversary can get only one bit of information about the plaintext...

9 PKCS #1: RSA Encryption Standard Version 2 public-key: (N,e) let k := length on N in bytes. let D := length of the plaintext requirement: D ≤ k - 11. Enc((N,e), m) := x e mod N, where x is equal to 0000000000000002r00000000m (k - D - 3) random bytes D bytes k bytes

10 Bleichenbacher’s attack – the scenario sk = (N,d) c1c1 computes x = c 1 d mod N and checks if x is a correct PKCS #1 v2 encoding pk = (N,d) yes/no... c Goal: compute c d mod N Bleichenbacher [1998]: There exists a successful attack that requires k = 2 20 questions for N = 1024. ckck yes/no

11 So, chosen ciphertext attacks are practical! In Bleichenbacher’s attack the adversary could obtain just one bit of information. Conservative approach: assume that he can get the entire plaintext.

12 Idea 1.Provide a security definition that “covers” this type of an attack. 2.Propose a scheme that is “provably secure” according to this definition. This will lead to an encoding that is less ad- hoc than PKCS #1 v1.5

13 CCA - security It makes sense to consider CCA-security in private-key settings public-key settings more interesting

14 Decryption oracle To define the CCA-security we consider a decryption oracle. sk c1c1 D sk (c 1 )... c2c2 D sk (c 2 ) ckck D sk (c k ) D sk (c i ) := error if c i cannot be decrypted

15 Decryption/encryption oracle Two types of queries: (sk,pk) Decrypt c i D sk (c i ) Encrypt m i E pk (m i ) We assume that also CPA is allowed.

16 CCA-security– the game oracle has to guess b m 0,m 1 c = Enc(pk,m b ) chooses m 0,m 1 security parameter 1 n 1.selects random (pk,sk) = Gen(1 n ) 2.chooses a random b = 0,1 challenge phase: pk (in the public-key settings) CCA-attack |m 0 | = |m 1 | Here Eve cannot ask for decryption of c. in the private-key settings: pk = sk

17 CCA-security Security definition: We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-ciphertext attack (CCA) if any randomized polynomial time adversary guesses b correctly with probability at most 0.5 + ε(n), where ε is negligible. Alternative name: CCA-secure

18 CCA in practice (1/2) Some actions of the receiver may depend on the decrypted message. For example, the receiver may communicate an error if the message “looks strange”. (like in the Bleichenbacher’s attack)

19 CCA in practice (2/2) m := “Some top-secret information” Alice Alice: c := E(pk,m) wants to decrypt c Eve: c’ replies quoting m’=D(sk,c’) Alice (pk,sk) Why Eve cannot just set c’ := c ? Because Bob would get suspicious (why message from Eve has Alice’s name inside?) replies (in an encrypted way) to Alice quoting m

20 CCA in the private-key settings CCA-security in the private-key settings can be achieved by adding authentication. How to combine authentication with encryption? We already considered this problem some time ago.

21 Authentication and Encryption Options: Encrypt-and-authenticate: c ← Enc k1 (m) and t ← Mac k2 (m) Authenticate-then-encrypt: t ← Mac k2 (m) and c ← Enc k1 (m||t) Encrypt-then-authenticate: c ← Enc k1 (m) and t ← Mac k2 (c) wrong better the best

22 A CCA-secure encryption scheme (Gen,Enc,Dec) – a CPA-secure encryption scheme (Gen MAC,Tag,Vrfy) – a MAC. Create a new encryption scheme (Gen’,Enc’,Dec’) where: Gen’(1 n ) := (Gen(1 n ),Gen MAC (1 n )), Enc’((k 0,k 1 ),m) := (Enc(k 0,m), Tag(k 1,Enc(k 0,m))) Dec’((k 0,k 1 ),m) := decrypt and verify the tag

23 Why is it secure? Intuition An adversary cannot create a new valid pair (Enc(k 0,m), Tag(k 1,Enc(k 0,m))) without knowing k 1. So he will always receive an error message from the oracle (unless he replays the ciphertexts that he already received from the oracle – but this gives him no extra information)

24 Is authenticate-then-encrypt secure? Authenticate-then-encrypt: t ← Mac k2 (m) and c ← Enc k1 (m||t) Not always! There exists (artificial) counter-examples...

25 The first counter-example Authenticate-then-encrypt: t ← Mac k2 (m) and c ← Enc k1 (m||t) Suppose the encryption scheme adds a random bit at the end of the ciphertext. Enc k1 (m || Mac k2 (m)) B neg B Then is a different ciphertext and the adversary is allowed to ask the oracle to decrypt it. This example is really artificial. There exist better ones...

26 The second counter-example Consider the following transformation T : {0,1}* → {0,1}* defined on every (x 1,x 2,...,x n ) as T(x 1,x 2,...,x n ) = (U(x 1 ),U(x 2 ),...,U(x n )), where U(0) = 00 U(1) = 01, or 10, randomly. This transformation is of course invertible. Example: 11001 0110000001 T

27 Remember the stream ciphers? m s G(IV,s) G(IV,s) xor m IV xor IV Enc(s,m)

28 Our new (artificial) encryption scheme To encrypt a message m do the following: T(m) s G(IV,s) G(IV,s) xor T(m) IV xor IV Enc(s,m) If Enc is CPA-secure then also this scheme is CPA-secure.

29 CCA-security? Suppose we use this encryption scheme with the authenticate-then- encrypt method: t ← Mac k2 (m) and c ← Enc k1 (m||t) T(m, Mac k2 (m)) s G(IV,s) G(IV,s) xor T(m, Mac k2 (m) ) IV xor IV Enc(s,m)

30 How does the ciphertext look? T(m) pad 1 T(Mac k2 (m)) xor T(m) xor pad 1 T(Mac k2 (m)) xor pad 2 pad 2

31 C’ The attack The adversary that wants to decrypt the first bit of C1C1 C2C2 can modify the ciphertext by flipping the first two bits: C1C1 C2C2 xor X C2C2 1 If the first two bits are 01 or 10 then the corresponding plaintext doesn’t change. If the first two bits are 00 then the plaintext changes and the tag becomes invalid!

32 The chosen-ciphertext attack (just based on the error messages) The adversary is given c and wants to learn the first bit of the corresponding plaintext. Let c’ be the ciphertext c with the first two bits flipped. The adversary sends c’ to the oracle. If the oracle answers “error” then the adversary knows that the first bit was 0. The same can be done for any other bit.

33 These examples are artificial It is likely that for many “normal” schemes this combination is secure. However, these examples show that the authenticate-then-encrypt method cannot be proven secure... (from the standard assumptions)

34 How does it look in the public-key settings There are many constructions of a CCA-secure public-key encryption scheme. Probably the most famous is the one of Cramer and Shoup: [Ronald Cramer and Victor Shoup: "A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack." 1998]. It is based on hardness of discrete logarithm and is quite efficient. Still, many practitioners prefer more efficient schemes (with a weaker security proof).

35 Plan We present two CCA-secure schemes based on RSA. 1.efficient and simple, 2.even more efficient and a bit less simple.

36 First attempt Idea: take the symmetric-key CCA-secure scheme (Enc’,Dec’) and use something similar to hybrid encryption. public key: (N,e) private key: (N,d) Enc((N,e),m) := (r e mod N, Enc’(r,m)) Dec((N,d),(c 0,c 1 )) := Dec’(c 0 d mod N, c 1 ) r is random

37 Problem Enc((N,e),m) := (r e mod N, Enc’(r,m)) |N| is normally much larger than the length of a key for symmetric encryption. Typically |N| = 1024 and length of the key is 128. First idea: truncate. But is it secure? It may be the case that RSA is hard to invert, but 128 first bits are easy to compute...

38 Idea Instead of truncating – hash! t – length of the symmetric key H : {0,1}* → {0,1} t – a hash function Enc((N,e),m) := (r e mod N, Enc’(H(r),m)) Dec((N,d),(c 0,c 1 )) := Dec’((H(c 0 ) d mod N, c 1 ) But can we prove anything about it? depends...

39 Which properties should H have? If we just assume that H is collision-resistant we cannot prove anything... We have to assume that H “outputs random values on different inputs”. This can be formalized by modeling H as random oracle. This is also called a Random Oracle Model. And it is controversial.

40 The Random Oracle Model (ROM) In the proofs we model the hash function as a random oracle. real protocol: SHA1 in the proof: oracle Ω

41 The oracle Ω oracle Ω has a random function H : {0,1}* → {0,1} n Everybody (including the adversary) can query the oracle: x H(x) In the proof: every call to the hash function is replaced with the query to the oracle Ω

42 Problems with the ROM This model is too strong. Random Oracle cannot be implemented in real-life. Moreover, there are examples of protocols that are secure in ROM, but they are not secure if the random oracle is replaced with any hash function. [The Random-Oracle Model, Revisited. R. Canetti, O. Goldreich and S. Halevi. J. ACM 51(4): 557-594 (2004).]

43 Security proof – the intuition H – a hash function Enc((N,e),m) := (r e mod N, Enc’(H(r), m)) Why is this scheme secure in the random oracle model? Because, as long as the adversary did not query the oracle on r, the value of H(r) is completely random. To learn r the adversary would need to compute it from r e mod N, so he would need to invert RSA. So (with a very high probability) from the point of view of the adversary H(r) is random. Therefore the CCA security of (Enc,Dec) follows from the CCA-security of (Enc’,Dec’).

44 Disadvantages of this method Enc((N,e),m) := (r e mod N, Enc’(H(r), m)) The ciphertext is longer than the plaintext. This is especially important if the message is short. Therefore in practice another method is used: Optimal Asymmetric Encryption Padding (OAEP).

45 Optimal Asymmetric Encryption Padding (OAEP) – the history Introduced in: [M. Bellare, P. Rogaway. Optimal Asymmetric Encryption -- How to encrypt with RSA. Eurocrypt '94] An error in the security proof was spoted in [V. Shup. OAEP Reconsidered. Crypto ’01] This error was repaired in [E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Crypto ’01] It is now a part of a PKCS#1 v. 2.0 standard.

46 OAEP G,H – hash functions OAEP(m) := m000...0random r G H XY n/4

47 How to invert? mZ G H XY check if Z = 000...0

48 RSA-OAEP private key: (N,d) public key: (N,e) Enc((N,e),m) = (OAEP(m)) e mod N Dec((N,e),m) = (OAEP -1 (m)) d mod N

49 Security – the intuition m000...0random r G H XY 1. OAEP is hard to invert if you don’t know X and Y completely.

50 Why? mZ G H XY Assume G and H are random oracles...

51 Security – the intuition m000...0random r G H XY 2. It is hard to produce a valid (X,Y) “without knowing m”

52 Why? mZ G H XY Again, look at OAEP -1 and assume that G and H are random oracles. requirement: Z = 000...0

53 Security – the conclusion If it is hard to produce a valid (X,Y) “without knowing m”, then CCA should not help the adversary. Because he will only receive the error messages from the oracle. (that was just an intuition – in reality the proof is complicated)

Download ppt "Cryptography Lecture 11 Stefan Dziembowski"

Similar presentations

Lecture 8 Public-Key Encryption I Stefan Dziembowski www.dziembowski.net MIM UW 23.11.12ver 1.0.

Lecture 8 Public-Key Encryption I Stefan Dziembowski MIM UW ver 1.0.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

Similar presentations

Ads by Google