Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 11 Arpita Patra. Generic Results in PK World  CPA-secure KEM  SKE COA-secure SKE  Hyb CPA-secure CPA SecurityCCA Security Bit.

Published byLewis Butler Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 11 Arpita Patra. Generic Results in PK World  CPA-secure KEM  SKE COA-secure SKE  Hyb CPA-secure CPA SecurityCCA Security Bit."— Presentation transcript:

1 Cryptography Lecture 11 Arpita Patra

2 Generic Results in PK World  CPA-secure KEM  SKE COA-secure SKE  Hyb CPA-secure CPA SecurityCCA Security Bit Encryption Gen Hyb = Gen m pk c c SK E (c, c SKE ) sk c k c SKE m Enc Hyb k Encaps Enc SKE Decaps Dec SKE Dec Hyb  = (Gen, Encaps, Decaps)  SKE = (Gen SKE, Enc SKE, Dec SKE )  Hyb = (Gen Hyb, Enc Hyb, Dec Hyb )  CCA-secure KEM  SKE CCA-secure SKE  Hyb CCA-secure Many-bit EncryptionBit EncryptionMany-Bit Encryption

3 Constructions for PK World Variant El Gamal KEM PRG-based SKE  Hyb CPA-secure CPA SecurityCCA Security PKE Instantiation: DDH based El Gamal Gen Hyb = Gen m pk c c SK E (c, c SKE ) sk c k c SKE m Enc Hyb k Encaps Enc SKE Decaps Dec SKE Dec Hyb  = (Gen, Encaps, Decaps)  SKE = (Gen SKE, Enc SKE, Dec SKE )  Hyb = (Gen Hyb, Enc Hyb, Dec Hyb ) KEM Instantiation: HDH based variation of El Gamal Variant ElGamal KEM CPA-secure SKE + sCMA MAC  Hyb CCA-secure KEM Instantiation: ODH based (the same) variation of El Gamal Instantiation: DDH + CR Hash based Cramer- Shoup Scheme (first ever CCA secure under standard assumption )

4 CCA Security for KEM  = (Gen, Encaps, Decaps) I can break  Let me verifyGen(1 n ) b  {0, 1} b’  {0, 1} (Attacker’s guess about encapsulated key) Game Output b = b’ 1 --- attacker won b  b’ 0 --- attacker lost CCA experiment KEM (n) A,  cca PPT A pk, sk pk  is CPA-secure if for every PPT attacker A, the probability that A wins the experiment is at most negligibly better than ½ ½ + negl(n) Pr KEM (n) A,  cca = 1  (c,k’) (c,k)  Encaps pk (1 n ) k’  k if b=0  uniform random string, b =1 Also have to give Decaps sk (.) service to the attacker

5 El Gamal like KEM Enc pk (m) c 1 = g y for random y c 2 = h y.. m c= (c 1,c 2 ) Dec sk (c) c 2 / (c 1 ) x = c 2. [(c 1 ) x ] -1 Gen(1 n ) (G, o, q, g) h = g x. For random x pk= (G,o,q,g,h), sk = x Encaps pk (1 n ) c = g y for random y k = H(h y ) = H(g xy. ) (c,k) Decaps sk (c) k = H(c x )= H(g xy ) Gen(1 n ) (G, o, q, g) h = g x. For random x pk= (G,o,q,g,h,H), sk = x - Ciphertext= 1 element- Ciphertext= 2 elements -No Multiplication, hashing - Multiplication -No Multiplication, hashing - Multiplication Security: DDH Assumption -No need of that- Need to choose m randomly Security: ??

6 El Gamal like KEM Encaps pk (1 n ) c = g y for random y k = H(h y ) = H(g xy. ) (c,k) Dec sk (c) k = H(c x )= H(g xy ) Gen(1 n ) (G, o, q, g) h = g x. For random x pk= (G,o,q,g,h,H), sk = x ODH (Oracle Diffie-Hellman) Assumption It is stronger than HDH. ODH problem is hard relative to (G, o) and hash function H: G -> {0,1} m if for every PPT A, (it is hard to distinguish H(g xy ) from a random string {0,1} m even given g x, g y AND an oracle O y (X): = H(X y ); anything other than g x can be quired) ): Pr[A o y (.) (G, o, q, g, g x, g y, H(g xy )) = 1] Pr[A o y (.) (G, o, q, g, g x, g y, r ) = 1] | |-  negl() Theorem: ODH assumption holds   is a CCA-secure KEM ODH assumption is just the belief that there exist a group and hash function H so that the above is true.

7 Gen Hyb = Gen m pk c c SK E (c, c SKE ) sk c k c SKE m Enc Hyb k Encaps Enc SKE Decaps Dec SKE Dec Hyb  = (Gen, Encaps, Decaps)  SKE = (Gen SKE, Enc SKE, Dec SKE )  Hyb = (Gen Hyb, Enc Hyb, Dec Hyb ) CCA Secure  SKE -CPA Secure  SKE + Strong CMA Secure  MAC CCA Secure  - Oracle Function assumption (ODH) Construction of Hybrid CCA-secure PKE DHIES (Diffie-Hellman Integrated Encryption Scheme)- – ISO/IEC 18033-2

8 DHIES- – ISO/IEC 18033-2 Gen Hyb = (G, o, q, g) h = g x. For random x H: G  {0,1} 2n pk= (G,o,q,g,h,H), sk = x m pk c t MAC (c, c SKE =(c CPA,t MAC )) sk c Enc Hyb k c = g y for random y k = H(h y ) = H(g xy. ) k = H(c x ) = H(g xy ) Dec Hyb  (CCA) = (Gen, Encaps, Decaps)  SKE (CPA) = (Gen SKE, Enc SKE, Dec SKE )  Hyb (CCA) = (Gen Hyb, Enc Hyb, Dec Hyb ) CCA Secure  SKE -CPA Secure  SKE + Strong CMA Secure  MAC CCA Secure  - Number theoretic assumption + Hash Function (ODH) k=k E || k M Enc CPA kEkE c CPA Mac sCMA kEkE k k=k E || k M Dec CPA kMkM Yes Vrfy sCMA kEkE c SKE (c CPA, t MAC ) m m c CPA  MAC (sCMA)= (Gen MAC, Mac, Vrfy)

9 DHIES (Term Paper) Michel Abdalla, Mihir Bellare, Phillip Rogaway: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. CT-RSA 2001: 143-158CT-RSA 2001: 143-158

10 Cramer-Shoup Cryptosystem Ronald Cramer, Victor Shoup: A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. CRYPTO 1998: 13-25CRYPTO 1998: 13-25

11 Another Look at DDH Assumption/ An alternative Formulation Cramer-Shoup Cryptosystem- Route map CPA Secure Scheme (different from El Gamal) CCA1 Secure Scheme CCA Secure Scheme + Collision-Resistant Hash Function

12 Another Look at DDH (G,o,q,g) – Group of Prime Order q (g 0, g 1,g0y,g0y,g 1 y ) Pr[A(g, g x, g y, g xy ) = 1] Pr[A(g, g x, g y, g z ) = 1] || -  negl() (g 0, g 1,g0y,g0y,g 1 y’ ) Pr[A(g 0, g 1, g 0 r, g 1 r ) = 1] Pr[A(g 0, g 1, g 0 r, g 1 r’ ) = 1] | | -  negl()

13 Randomization Function (g 0, g 1, h 0, h 1 )Random (x,y) from Z q u = g 0 x. g 1 y v = h 0 x. h 1 y Case I (g 0, g 1, h 0 = g 0 r, h 1 = g 1 r ): Proof: u r = (g 0 x. g 1 y ) r = h 0 x. h 1 y = v Case II (g 0, g 1, h 0 = g 0 r, h 1 = g 1 r’ ): Proof: A can compute r, r’, α (where g 1 = g 0 α ) and discrete log of u (say R) Claim: u r = v Claim: An all powerful adv A can guess v with probability at most 1/|G|, even given (g 0, g 1, h 0, h 1, u). u = g 0 R = (g 0 x. g 1 y ) = g 0 x + α y x + α y = R --- (1) v = h 0 x. h 1 y = g 0 rx. g 1 r’y = g 0 rx + αr’ y Way 1: Given x, y, h 0,h 1 Way 2: Given r, u rx + αr’ y is linearly independent of x + α y For every guess R’ of this value rx + αr’ y, there exist a pair of unique values for x,y satisfying equation (1) InputOutput

14 CPA Secure Scheme Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m (Way2) (h 0, h 1, c) Dec sk = (x,y) (h 0, h 1, c) v = h 0 x. h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y) from Z q u = g 0 x. g 1 y pk= (G,o,q, g 0,g 1, u), sk = (x,y) Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure A, p(n): ½ + 1/p(n) Pr PubK (n) A,  cpa = 1 > A D (G,o,q,g 0, g 1, h 0, h 1 ) Let us run PubK (n) A,  cpa m 0, m 1 , |m 0 | = |m 1 | (h 0, h 1, c) b’  {0, 1} DDH or non-DDH tuple? pk = (G,o,q,g 0, g 1,u) Random (x,y) from Z q u = g 0 x. g 1 y c = h 0 x. h 1 y. m b

15 CPA Secure Scheme Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m (Way2) (h 0, h 1, c) Dec sk = (x,y) (h 0, h 1, c) v = h 0 x. h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y) from Z q u = g 0 x. g 1 y pk= (G,o,q, g 0,g 1, u), sk = (x,y) Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure A, p(n): ½ + 1/p(n) Pr PubK (n) A,  cpa = 1 > A D (G,o,q,g 0, g 1, h 0 = g 0 r, h 1 = g 1 r ) Let us run PubK (n) A,  cpa m 0, m 1 , |m 0 | = |m 1 | (h 0, h 1, c) b’  {0, 1} DDH Tuple pk = (G,o,q, g 0, g 1,u) Random (x,y) from Z q u = g 0 x. g 1 y c = h 0 x. h 1 y. m b h 0 x. h 1 y = g 0 rx. g 1 ry = u r

16 CPA Secure Scheme Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m (Way2) (h 0, h 1, c) Dec sk = (x,y) (h 0, h 1, c) v = h 0 x. h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y) from Z q u = g 0 x. g 1 y pk= (G,o,q, g 0,g 1, u), sk = (x,y) Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure A, p(n): ½ + 1/p(n) Pr PubK (n) A,  cpa = 1 > A D (G,o,q,g 0, g 1, h 0 = g 0 r, h 1 = g 1 r’ ) Let us run PubK (n) A,  cpa m 0, m 1 , |m 0 | = |m 1 | (h 0, h 1, c) b’  {0, 1} Non-DDH Tuple pk = (G,o,q, g 0, g 1,u) Random (x,y) from Z q u = g 0 x. g 1 y c = h 0 x. h 1 y. m b h 0 x. h 1 y is uniformly random element ½ Pr PubK (n) A,  cpa = 1 =

17 CPA Secure Scheme Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m (Way2) (h 0, h 1, c) Dec sk = (x,y) (h 0, h 1, c) v = h 0 x. h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y) from Z q u = g 0 x. g 1 y pk= (G,o,q, g 0,g 1, u), sk = (x,y) Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure A, p(n): ½ + 1/p(n) Pr PubK (n) A,  cpa = 1 > A D (G,o,q,g 0, g 1, h 0, h 1 ) Let us run PubK (n) A,  cpa m 0, m 1 , |m 0 | = |m 1 | (h 0, h 1, c) b’  {0, 1} DDH or non-DDH tuple? ½ Pr PubK (n) A,  cpa = 1 = 1 if b = b’ 0 otherwise Pr [D(non-DDH tuple) = 1] Pr [D(DDH tuple) = 1] == pk = (G,o,q, g 0, g 1,u) - 1/p(n) > Random (x,y) from Z q u = g 0 x. g 1 y c = h 0 x. h 1 y. m b

18 Why NOT El Gamal? Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure Enc pk (m) c 1 = g y for random y c 2 = g xy.. m Dec sk (c) c 2 / (c 1 ) x = c 2. [(c 1 ) x ] -1 A, p(n): ½ + 1/p(n) Pr PubK (n) A,  cpa = 1 > A D (G,o,q,g, g x, g y, g z ) Let us run PubK (n) A,  cpa m 0, m 1 , |m 0 | = |m 1 | b c = (g y, g z.m b ) b’  {0, 1} DDH or non-DDH tuple? ½ Pr PubK (n) A,  cpa = 1 = 1 if b = b’ 0 otherwise Pr [D(non-DDH tuple) = 1]Pr [D(DDH tuple) = 1] = = pk = (G,o,q,g,g x ) - 1/p(n) > The secret key is not with the reduction and so cannot provide DO service to A! Gen(1 n ) (G, o, q, g) Random x from Z q, h = g x pk= (G,o,q, g 0, h), sk = x

19 Is the Scheme CCA secure? Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m (Way2) (h 0, h 1, c) Dec sk = (x,y) (h 0, h 1, c) v = h 0 x. h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y) from Z q u = g 0 x. g 1 y pk= (G,o,q, g 0,g 1, u), sk = (x,y) It is malleable. Not CCA Secure

20 Is the Scheme CCA1 secure? Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m (Way2) (h 0, h 1, c) Dec sk = (x,y) (h 0, h 1, c) v = h 0 x. h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y) from Z q u = g 0 x. g 1 y pk= (G,o,q, g 0,g 1, u), sk = (x,y) Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure A, p(n): ½ + 1/p(n) Pr PubK (n) A,  cpa = 1 > A D (G,o,q,g 0, g 1, h 0, h 1 ) m 0, m 1 , |m 0 | = |m 1 | (h 0, h 1, c) b’  {0, 1} DDH or non-DDH tuple? ½ Pr PubK (n) Au,Au, cpa = 1 = 1 if b = b’ 0 otherwise Pr [D(non-DDH tuple) = 1] Pr [D(DDH tuple) = 1] == pk = (G,o,q, g 0, g 1,u) - 1/p(n) > Random (x,y) from Z q u = g 0 x. g 1 y c = h 0 x. h 1 y. m b Decryption query

21 Is the Scheme CCA1 secure? Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m (Way2) (h 0, h 1, c) Dec sk = (x,y) (h 0, h 1, c) v = h 0 x. h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y) from Z q u = g 0 x. g 1 y pk= (G,o,q, g 0,g 1, u), sk = (x,y) Claim. Just one decryption query is enough for an unbounded powerful adversary A u to know x,y and guess b with probability 1. AuAu D pk = (G,o,q, g 0, g 1,u) Random (x,y) from Z q u = g 0 x. g 1 y DQ: (h 0, h 1, c) A u can compute discrete log of u & g 1, say R & α Proof: u = g 0 R = (g 0 x. g 1 y ) = g 0 x + α y x + α y = R --- (1) A u need another (linearly) independent equation on x and y to recover them.Can Decryption Query help?

22 Is the Scheme CCA1 secure? Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m (Way2) (h 0, h 1, c) Dec sk = (x,y) (h 0, h 1, c) v = h 0 x. h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y) from Z q u = g 0 x. g 1 y pk= (G,o,q, g 0,g 1, u), sk = (x,y) Claim. Just one decryption query is enough for an unbounded powerful adversary to know x,y and guess b with probability 1. AuAu D pk = (G,o,q, g 0, g 1,u) Random (x,y) from Z q u = g 0 x. g 1 y A u can compute discrete log of u & g 1, say R & α Proof: u = g 0 R = (g 0 x. g 1 y ) = g 0 x + α y x + α y = R --- (1) A u need another (linearly) independent equation on x and y to recover them.Can Decryption Query help? DQ: (h 0 = g 0 r, h 1 = g 1 r, c) m c/m = v = g 0 R’ = (h 0 x. h 1 y ) = g 0 rx +r α y rx +r α y = R’ --- (2) (linearly) Dependent  No use

23 Is the Scheme CCA1 secure? Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m (Way2) (h 0, h 1, c) Dec sk = (x,y) (h 0, h 1, c) v = h 0 x. h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y) from Z q u = g 0 x. g 1 y pk= (G,o,q, g 0,g 1, u), sk = (x,y) Claim. Just one decryption query is enough for an unbounded powerful adversary to know x,y and guess b with probability 1. AuAu D pk = (G,o,q, g 0, g 1,u) Random (x,y) from Z q u = g 0 x. g 1 y A u can compute discrete log of u & g 1, say R & α Proof: u = g 0 R = (g 0 x. g 1 y ) = g 0 x + α y x + α y = R --- (1) A u need another (linearly) independent equation on x and y to recover them.Can Decryption Query help? DQ: (h 0 = g 0 r, h 1 = g 1 r’, c) m c/m = v = g 0 R’ = (h 0 x. h 1 y ) = g 0 rx +r’ α y rx +r’ α y = R’ --- (2) (linearly) independent Solving (1) & (2) gives the secret key (x,y) Pr PubK (n) Au,Au, cpa = 1

24 CPA Secure Scheme Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m (Way2) (h 0, h 1, c) Dec sk = (x,y) (h 0, h 1, c) v = h 0 x. h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y) from Z q u = g 0 x. g 1 y pk= (G,o,q, g 0,g 1, u), sk = (x,y) Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure A, p(n): ½ + 1/p(n) Pr PubK (n) A,  cpa = 1 > A D (G,o,q,g 0, g 1, h 0, h 1 ) Let us run PubK (n) A,  cpa m 0, m 1 , |m 0 | = |m 1 | (h 0, h 1, c) b’  {0, 1} DDH or non-DDH tuple? ½ Pr PubK (n) A,  cpa = 1 = 1 if b = b’ 0 otherwise Pr [D(non-DDH tuple) = 1] Pr [D(DDH tuple) = 1] == pk = (G,o,q, g 0, g 1,u) - 1/p(n) > Random (x,y) from Z q u = g 0 x. g 1 y c = h 0 x. h 1 y. m b Illegal Decryption Query: (g 0 r, g 1 r’, c) A checking mechanism in Dec so that illegal queries will be REJECTED with very high probability

25 CCA1 Scheme Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r (Way2) (h 0, h 1, c, f) Dec sk = (x,y,x’,y’) (h 0, h 1, c, f) f = h 0 x’ h 1 y’ (Way1) ?? v = h 0 x h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ pk= (G,o,q, g 0,g 1,u,e), sk = (x,y,x’,y’) Claim. An unbounded powerful adversary computes (x,y) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). AuAu D pk = (G,o,q, g 0, g 1,u,e) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ f = h 0 x’ h 1 y’ ?? If yes, then send m A u can compute discrete log of u, e g 1, say R, S & α Proof: u = g 0 R = (g 0 x g 1 y ) = g 0 x + α y x + α y = R -(1) DQ: (h 0 =g 0 r, h 1 =g 1 r’, c, f) m What if A u can guess f so that f = h 0 x’ h 1 y’ ?? Do you see the disaster??????? e = g 0 S = (g 0 x’ g 1 y’ ) = g 0 x’ + α y’ x’ + α y’ = S -(2) f = g 0 S’ = (h 0 x’ h 1 y’ ) = g 0 rx +r’ α y rx’ +r’ α y’ = S’ --- (3) (linearly) independent of (2) c/m = v = g 0 R’ = (h 0 x. h 1 y ) = g 0 rx +r’ α y rx +r’ α y = R’ --- (4) (linearly) independent of (1) Solving (1) & (4) gives the secret key (x,y) Pr PubK (n) Au,Au, cpa = 1

26 Security Proof of CCA1 Scheme Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r (Way2) (h 0, h 1, c, f) Dec sk = (x,y,x’,y’) (h 0, h 1, c, f) f = h 0 x’ h 1 y’ (Way1) ?? v = h 0 x h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ pk= (G,o,q, g 0,g 1,u,e), sk = (x,y,x’,y’) Claim. An unbounded powerful adversary computes (x,y) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). AuAu D pk = (G,o,q, g 0, g 1,u,e) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ f = h 0 x’ h 1 y’ ?? If yes, then send m A u can compute discrete log of u & g 1, say R & α Proof: u = g 0 R = (g 0 x g 1 y ) = g 0 x + α y x + α y = R --- (1) DQ: (h 0 =g 0 r, h 1 =g 1 r’, c, f) m What is the prob of A u guessing f so that f = h 0 x’ h 1 y’ = g 0 rx + αr’ y in his FIRST DQ e = g 0 S = (g 0 x’ g 1 y’ ) = g 0 x’ + α y’ x’ + α y’ = S --- (2) Recall that h 0 x’ h 1 y’ is uniformly random for A u even given (g 0, g 1, h 0 =g 0 r, h 1 =g 1 r’, e) Pr[A u succeeds in first DQ] = 1/|G| --- negligible But A u can make polynomials many attempts say, t many. Does getting rejected in the first DQ help in succeeding second DQ? Yes! It does. A u knows its chosen value in the first DQ is NOT a possibility. Next time it can guess f from G minus that value

27 Security Proof of CCA1 Scheme Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r (Way2) (h 0, h 1, c, f) Dec sk = (x,y,x’,y’) (h 0, h 1, c, f) f = h 0 x’ h 1 y’ (Way1) ?? v = h 0 x h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ pk= (G,o,q, g 0,g 1,u,e), sk = (x,y,x’,y’) Claim. An unbounded powerful adversary computes (x,y) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). AuAu D pk = (G,o,q, g 0, g 1,u,e) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ f = h 0 x’ h 1 y’ ?? If yes, then send m A u can compute discrete log of u & g 1, say R & α Proof: u = g 0 R = (g 0 x g 1 y ) = g 0 x + α y x + α y = R --- (1) DQ: (h 0 =g 0 r, h 1 =g 1 r’, c, f) m What is the prob of A u guessing f so that f = h 0 x’ h 1 y’ = g 0 rx + αr’ y in his SECOND DQ e = g 0 S = (g 0 x’ g 1 y’ ) = g 0 x’ + α y’ x’ + α y’ = S --- (2) Pr[A u succeeds in second DQ] = 1 / (|G|-1) - negligible

28 Security Proof of CCA1 Scheme Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r (Way2) (h 0, h 1, c, f) Dec sk = (x,y,x’,y’) (h 0, h 1, c, f) f = h 0 x’ h 1 y’ (Way1) ?? v = h 0 x h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ pk= (G,o,q, g 0,g 1,u,e), sk = (x,y,x’,y’) Claim. An unbounded powerful adversary computes (x,y) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). AuAu D pk = (G,o,q, g 0, g 1,u,e) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ f = h 0 x’ h 1 y’ ?? If yes, then send m A u can compute discrete log of u & g 1, say R & α Proof: u = g 0 R = (g 0 x g 1 y ) = g 0 x + α y x + α y = R --- (1) DQ: (h 0 =g 0 r, h 1 =g 1 r’, c, f) m What is the prob of A u guessing f so that f = h 0 x’ h 1 y’ = g 0 rx + αr’ y in his t th DQ (t is the upper bound on the number of DQs) e = g 0 S = (g 0 x’ g 1 y’ ) = g 0 x’ + α y’ x’ + α y’ = S --- (2) Pr[A u succeeds in t th DQ] = 1 / (|G|-t) - negligible Pr[A u succeeds in one of t DQs] ≤ t / (|G|-t) - negligible Pr PubK (n) Au,Au, cpa = 1 ≤ ½ + negl(.)

29 Is the Scheme CCA-secure? Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r (Way2) (h 0, h 1, c, f) Dec sk = (x,y,x’,y’) (h 0, h 1, c, f) f = h 0 x’ h 1 y’ (Way1) ?? v = h 0 x h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ pk= (G,o,q, g 0,g 1,u,e), sk = (x,y,x’,y’) AuAu D pk = (G,o,q, g 0, g 1,u,e) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ f = h 0 x’ h 1 y’ ?? If yes, then send m A u can compute discrete log of u & g 1, say R & α Proof: u = g 0 R = (g 0 x g 1 y ) = g 0 x + α y x + α y = R --- (1) DQ: (h 0 =g 0 r, h 1 =g 1 r’, c, f) m What is the prob of A u guessing f so that f = h 0 x’ h 1 y’ = g 0 rx + αr’ y in his t th DQ (t is the upper bound on the number of DQs) e = g 0 S = (g 0 x’ g 1 y’ ) = g 0 x’ + α y’ x’ + α y’ = S --- (2) Pr[A u succeeds in t th DQ] = 1 / (|G|-t) - negligible Pr[A u succeeds in one of t DQs] ≤ t / (|G|-t) - negligible Pr PubK (n) Au,Au, cpa = 1 ≤ ½ + negl(.) Claim. Just one DQ in post-challenge phase is enough for an unbounded powerful adversary to compute (x,y) completely and guess bit b with probability 1.

30 Is the Scheme CCA-secure? Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r (Way2) (h 0, h 1, c, f) Dec sk = (x,y,x’,y’) (h 0, h 1, c, f) f = h 0 x’ h 1 y’ (Way1) ?? v = h 0 x h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ pk= (G,o,q, g 0,g 1,u,e), sk = (x,y,x’,y’) Claim. Just one DQ in post-challenge phase is enough for an unbounded powerful adversary to compute (x,y) completely and guess bit b with probability 1. AuAu D pk = (G,o,q, g 0, g 1,u,e) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ A u can compute discrete log of u & g 1, say R & α Proof: u = g 0 R = (g 0 x g 1 y ) = g 0 x + α y x + α y = R --- (1) e = g 0 S = (g 0 x’ g 1 y’ ) = g 0 x’ + α y’ x’ + α y’ = S --- (2) Pr PubK (n) Au,Au, cpa = 1 m 0, m 1 , |m 0 | = |m 1 | (h * 0, h * 1, c *, f * ) c = h 0 x h 1 y. m b f = h 0 x’ h 1 y’ We are now considering the case when D received a non-DDH tuple (g 0, g 1, h * 0, h * 1 ) and so h * 0 =g 0 r, h * 1 =g 1 r’ f * = g 0 S* = (h 0 x’ h 1 y’ ) = g 0 rx +r’ α y rx’ +r’ α y’ = S* --- (3) (linearly) independent of (2) Solving (2) & (3) gives (x’,y’) Now A u can make illegal DQ in post-challenge phase and still pass the verification and get m and discover (x,y) We need to ensure A u can not make illegal DQ and get DO service even after seeing the challenge ciphertext. Increase the no. of variables???

31 Is the Scheme CCA-secure? Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r ; l = k r (Way2) (h 0, h 1, c, f, l) Dec sk = (x,y,x’,y’,,x’’,y’’) (h 0, h 1,c,f,l) f = h 0 x’ h 1 y’ (Way1) ?? l = h 0 x’’ h 1 y’’ (Way1) ?? v = h 0 x h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’, x’’, y’’ ) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ k = g 0 x’’ g 1 y’’ pk= (G,o,q, g 0,g 1,u,e,k), sk = (x,y,x’,y’,x’’,y’’) Does above help? A u can compute discrete log of u & g 1, say R & α Proof: u = g 0 R = (g 0 x g 1 y ) = g 0 x + α y x + α y = R - (1) e = g 0 S = (g 0 x’ g 1 y’ ) = g 0 x’ + α y’ x’ + α y’ = S - (2) AuAu D pk = (G,o,q, g 0, g 1,u,e,k) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ m 0, m 1 , |m 0 | = |m 1 | (h * 0, h * 1, c *, f *,l * ) c = h 0 x h 1 y. m b f = h 0 x’ h 1 y’ We are now considering the case when D received a non-DDH tuple (g 0, g 1, h * 0, h * 1 ) and so h * 0 =g 0 r, h * 1 =g 1 r’ f * = g 0 S* = (h 0 x’ h 1 y’ ) = g 0 rx’ +r’ α y’ rx’ +r’ α y’ = S* - (4) Now A u can make illegal DQ in post-challenge phase and still pass the verification and get m and discover (x,y) k = g 0 T = (g 0 x’’ g 1 y’’ ) = g 0 x’’ + α y’’ x’’ + α y’’ = T - (3)l * = g 0 T* = (h 0 x’’ h 1 y’’ ) = g 0 rx’’ +r’ α y’’ rx’’ +r’ α y’’ = T’* - (5) Adding more variable in the above way does not help.

32 Is the Scheme CCA-secure? Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r k r (Way2) (h 0, h 1, c, f) Dec sk = (x,y,x’,y’,x’’,y’’), (h 0,h 1,c,f) f = h 0 x’+x’’ h 1 y’+y’’ ?? v = h 0 x h 1 y (Way1) m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’, x’’, y’’ ) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ k = g 0 x’’ g 1 y’’ pk= (G,o,q, g 0,g 1,u,e,k), sk = (x,y,x’,y’,x’’,y’’) Does above help? Proof: u = g 0 R = (g 0 x g 1 y ) = g 0 x + α y x + α y = R - (1) e = g 0 S = (g 0 x’ g 1 y’ ) = g 0 x’ + α y’ x’ + α y’ = S - (2) AuAu D pk = (G,o,q, g 0, g 1,u,e,k) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ m 0, m 1 , |m 0 | = |m 1 | (h * 0, h * 1, c *, f * ) c = h 0 x h 1 y. m b f = h 0 x’ h 1 y’ f * = g 0 S* = (h 0 x’+x’’ h 1 y’+y’’ ) = g 0 r(x’+x’’) +r’ α( y’ + y’’) r(x’ + x’’) + r’ α( y’ + y’’) = S* - (4) From (2), (3) & (4), A u can compute (x’ + x’’) and (y’ + y’’) and that’s enough to make an illegal DQ in post- challenge phase and still pass the verification and get m and discover (x,y). k = g 0 T = (g 0 x’’ g 1 y’’ ) = g 0 x’’ + α y’’ x’’ + α y’’ = T - (3) Adding more variable in the above way does not help.

33 Is the Scheme CCA-secure? Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r k β r β = H( h 0, h 1, c ) (h 0, h 1, c, f) Dec sk = (x,y,x’,y’,x’’,y’’) (h 0,h 1,c,f) β = H( h 0, h 1, c ) f = h 0 x’ + β x’’ h 1 y’ + β y’’ ?? v = h 0 x h 1 y m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’, x’’, y’’ ) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ k = g 0 x’’ g 1 y’’ pk= (G,o,q, g 0,g 1,u,e,k, H), sk = (x,y,x’,y’,x’’,y’’) Does above help? Proof: u = g 0 R = (g 0 x g 1 y ) = g 0 x + α y x + α y = R - (1) e = g 0 S = (g 0 x’ g 1 y’ ) = g 0 x’ + α y’ x’ + α y’ = S - (2) AuAu D pk = (G,o,q, g 0, g 1,u,e,k) Random (x,y,x’,y’) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ m 0, m 1 , |m 0 | = |m 1 | (h * 0, h * 1, c *, f * ) c = h 0 x h 1 y. m b f = h 0 x’ h 1 y’ f * = g 0 S’ = (h 0 x’ + β x’’ h 1 y’ + β y’’ ) = g 0 r(x’ + β x’’) +r’ α( y’ + β y’’) r(x’ + β x’’) + r’ α( y’ + β y’’) = S’ - (4) From (2), (3) & (4), A u can compute (x’ + β x’’) and (y’ + β y’’) BUT…… k = g 0 T = (g 0 x’’ g 1 y’’ ) = g 0 x’’ + α y’’ x’’ + α y’’ = T - (3) …….he is not allowed to submit the challenge ciphertext to DO …….to make an illegal DQ in post-challenge phase A u must find a collision for H i.e h’ 0, h’ 1, c’ such that β = H( h’ 0, h’ 1, c’ ) because…..

34 The Cramer-Shoup Cryptosystem Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r k β r β = H( h 0, h 1, c ) (h 0, h 1, c, f) Dec sk = (x,y,x’,y’,x’’,y’’) (h 0,h 1,c,f) β = H( h 0, h 1, c ) f = h 0 x’ + β x’’ h 1 y’ + β y’’ ?? v = h 0 x h 1 y m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’, x’’, y’’ ) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ k = g 0 x’’ g 1 y’’ pk= (G,o,q, g 0,g 1,u,e,k, H), sk = (x,y,x’,y’,x’’,y’’) Theorem. If DDH is hard + H is CR HF, then  is a CCA-secure scheme. A D (G,o,q,g 0, g 1, h 0, h 1 ) m 0, m 1 , |m 0 | = |m 1 | b’  {0, 1} DDH or non-DDH tuple? 1 if b = b’ 0 otherwise pk = (G,o,q, g 0, g 1,u,e,k) Random (x,y,x’,y’,x’’,y’’) Compute u,e,k c * = h 0 x h 1 y m b and f* (h 0, h 1, c, f) (h * 0, h * 1, c *, f * ) Case I: If (h 0, h 1, c) = (h * 0, h * 1, c * ) and f * ≠ f  D will reject Case II: If (h 0, h 1, c) ≠ (h * 0, h * 1, c * ) and f * = f [i.e. H(h 0, h 1, c) = H(h * 0, h * 1, c * ) ]  A has found collision but since H is CR, this happens with negl probability (h 0, h 1, c, f) Reject (if verification fails)

35 The Cramer-Shoup Cryptosystem Enc pk (m) Random r from Z q h 0 = g 0 r, h 1 = g 1 r c = u r.m = v.m ; f = e r k β r β = H( h 0, h 1, c ) (h 0, h 1, c, f) Dec sk = (x,y,x’,y’,x’’,y’’) (h 0,h 1,c,f) β = H( h 0, h 1, c ) f = h 0 x’ + β x’’ h 1 y’ + β y’’ ?? v = h 0 x h 1 y m = c/v Gen(1 n ) (G, o, q, g 0,g 1 ) Random (x,y,x’,y’, x’’, y’’ ) from Z q u = g 0 x g 1 y e = g 0 x’ g 1 y’ k = g 0 x’’ g 1 y’’ pk= (G,o,q, g 0,g 1,u,e,k, H), sk = (x,y,x’,y’,x’’,y’’) Theorem. If DDH is hard + H is CR HF, then  is a CCA-secure scheme. Case III: H(h 0, h 1, c) ≠ H(h * 0, h * 1, c * ) ]: There is a possibility that it is a valid ciphertext. But it can happen by sheer luck. We can have four INDEPENDENT constraints on x’,y’.x’’.y’’ : (1) e (2) k (3) challenge cipher (4) DO => Breaking security But before making DO query A had only three constraints and so finding an matching f for the DO can be donewith prob at most 1/|G| A D (G,o,q,g 0, g 1, h 0, h 1 ) m 0, m 1 , |m 0 | = |m 1 | b’  {0, 1} DDH or non-DDH tuple? 1 if b = b’ 0 otherwise pk = (G,o,q, g 0, g 1,u,e,k) Random (x,y,x’,y’,x’’,y’’) Compute u,e,k c * = h 0 x h 1 y m b and f* (h 0, h 1, c, f) (h * 0, h * 1, c *, f * ) (h 0, h 1, c, f) Reject (if verification fails)

36 Public Key Summary PKE KEM Hybrid Encryption CPA CCA >> Close Relatives of DL assumptions- CDH, DDH, HDH, ODH >> RSA Assumption (Padded RSA, RSA OAEP) >> Quadratic Residuacity Assumptions (Micali-Goldwasser) >> Factoring assumptions (Rabin Cryptosystem) >> Decisional Composite Residuacity (DCR) Assumptions (Paillier) >> Lattice-based Assumptions LWE, LPN (Regev) Many more assumptions Adaptive Attack (Non-committing Encryption) Selective Opening Attack (Deniable Encryption) PrimitivesSecurity Notions Assumptions

37

Download ppt "Cryptography Lecture 11 Arpita Patra. Generic Results in PK World  CPA-secure KEM  SKE COA-secure SKE  Hyb CPA-secure CPA SecurityCCA Security Bit."

Similar presentations

ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
7. Asymmetric encryption-

7. Asymmetric encryption-
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary.

Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.
8. Data Integrity Techniques

8. Data Integrity Techniques
Cryptography Lecture 12 Arpita Patra.  In PK setting, privacy is provided by PKE Digital Signatures  Integrity/authenticity is provided by digital signatures.

Cryptography Lecture 12 Arpita Patra.  In PK setting, privacy is provided by PKE Digital Signatures  Integrity/authenticity is provided by digital signatures.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

Similar presentations

Ads by Google