Cryptography. Lecture 11. Arpita Patra

Size: px

Start display at page:

Download "Cryptography. Lecture 11. Arpita Patra"

Claud Horton
6 years ago
Views:

1 Cptogaph Lectue Apita Pata

2 Geneic Results in PK Wold CPA Secuit CCA Secuit Bit Encption Man-bit Encption Bit Encption Man-Bit Encption Π CPA-secue KEM Π SKE COA-secue SKE Π Hb CPA-secue Π CCA-secue KEM Π SKE CCA-secue SKE Π Hb CCA-secue Gen Hb = Gen pk m Enc Hb c Encaps k c Enc SKE SKE (c, c SKE ) sk c ec Hb ecaps k c SKE ec SKE m Π = (Gen, Encaps, ecaps) Π SKE = (Gen SKE, Enc SKE, ec SKE ) Π Hb = (Gen Hb, Enc Hb, ec Hb )

Constuctions fo PK Wold CPA Secuit PKE Instantiation: H based El Gamal KEM Instantiation: HH based vaiation of El Gamal CCA Secuit Instantiation: H + CR Hash based Came- Shoup Scheme (fist eve CCA

3 Constuctions fo PK Wold CPA Secuit PKE Instantiation: H based El Gamal KEM Instantiation: HH based vaiation of El Gamal CCA Secuit Instantiation: H + CR Hash based Came- Shoup Scheme (fist eve CCA secue unde standad assumption ) KEM Instantiation: OH based (the same) vaiation of El Gamal Vaiant El Gamal KEM PRG-based SKE Π Hb CPA-secue Vaiant ElGamal KEM CPA-secue SKE + scma MAC Π Hb CCA-secue Gen Hb = Gen pk m Enc Hb c Encaps k c Enc SKE SKE (c, c SKE ) sk c ec Hb ecaps k c SKE ec SKE m Π = (Gen, Encaps, ecaps) Π SKE = (Gen SKE, Enc SKE, ec SKE ) Π Hb = (Gen Hb, Enc Hb, ec Hb )

about encapsulated ke) k k if b=0 unifom andom sting, b = --- attacke won b = b Game Output b b 0 --- attacke lost Π is

4 CCA Secuit fo KEM cca CCA epeiment KEM (n) A, Π PPT A pk (c,k ) Π = (Gen, Encaps, ecaps) Also have to give ecaps sk (.) sevice to the (c,k) attacke Encaps pk ( n ) b {0, } b {0, } pk, sk I can beak Π Let me veif Gen( n ) (Attacke s guess about encapsulated ke) k k if b=0 unifom andom sting, b = --- attacke won b = b Game Output b b attacke lost Π is CPA-secue if fo eve PPT attacke A, the pobabilit that A wins the epeiment is at most negligibl bette than ½ cca P KEM (n) A, Π = ½ + negl(n)

5 El Gamal like KEM Gen( n ) (G, o, q, g) h = g. Fo andom pk= (G,o,q,g,h), sk = Gen( n ) (G, o, q, g) h = g. Fo andom pk= (G,o,q,g,h,H), sk = c = g fo andom c 2 = h.. m c= (c,c 2 ) - Need to choose m andoml - Multiplication - Ciphetet= 2 elements - No need of that - No Multiplication, hashing - Ciphetet= element Encaps pk ( n ) c = g fo andom k = H(h ) = H(g. ) (c,k) ec sk (c) c 2 / (c ) = c 2. [(c ) ] - - Multiplication - No Multiplication, hashing ecaps sk (c) k = H(c )= H(g ) Secuit: H Assumption Secuit:??

6 El Gamal like KEM Gen( n ) (G, o, q, g) h = g. Fo andom pk= (G,o,q,g,h,H), sk = Encaps pk ( n ) c = g fo andom k = H(h ) = H(g. ) (c,k) ec sk (c) k = H(c )= H(g ) OH (Oacle iffie-hellman) Assumption OH poblem is had elative to (G, o) and hash function H: G -> {0,} m if fo eve PPT A, (it is had to distinguish H(g ) fom a andom sting {0,} m even given g, g AN an oacle O (X): = H(X ); anthing othe than g can be quied) ): P[A o (.) (G, o, q, g, g, g, H(g )) = ] - P[A o(.) (G, o, q, g, g, g, ) = ] negl() OH assumption is just the belief that thee eist a goup and hash function H so that the above is tue. It is stonge than HH. Theoem: OH assumption holds Π is a CCA-secue KEM

7 Constuction of Hbid CCA-secue PKE Gen Hb = Gen pk m Enc Hb c Encaps k c Enc SKE SKE (c, c SKE ) sk c ec Hb ecaps k c SKE ec SKE m Π = (Gen, Encaps, ecaps) Π SKE = (Gen SKE, Enc SKE, ec SKE ) Π Hb = (Gen Hb, Enc Hb, ec Hb ) CCA Secue Π SKE - CPA Secue Π SKE + Stong CMA Secue Π MAC CCA Secue Π - Oacle Function assumption (OH) HIES (iffie-hellman Integated Encption Scheme)- ISO/IEC

HIES- ISO/IEC 8033-2 Π (CCA) = (Gen, Encaps, ecaps) Gen Hb = (G, o, q, g) Π SKE (CPA) = (Gen SKE, Enc SKE, ec SKE ) Π MAC (scma)= (Gen MAC, Mac, Vf) Π Hb (CCA) = (Gen Hb, Enc Hb, ec Hb ) h = g.

8 HIES- ISO/IEC Π (CCA) = (Gen, Encaps, ecaps) Gen Hb = (G, o, q, g) Π SKE (CPA) = (Gen SKE, Enc SKE, ec SKE ) Π MAC (scma)= (Gen MAC, Mac, Vf) Π Hb (CCA) = (Gen Hb, Enc Hb, ec Hb ) h = g. Fo andom H: G à {0,} 2n pk= (G,o,q,g,h,H), sk = pk Enc Hb c = g fo andom k = H(h ) = H(g. ) c (c, c SKE =(c CPA,t MAC )) sk c k = H(c ) = H(g ) ec Hb k k k=k E k M k=k E k M m k E Enc CPA c CPA k E Mac scma t MAC k M c SKE (c CPA, t MAC ) Vf scma Yes k E c CPA ec CPA m m CCA Secue Π SKE - CPA Secue Π SKE + Stong CMA Secue Π MAC CCA Secue Π - Numbe theoetic assumption + Hash Function (OH)

9 HIES (Tem Pape) Michel Abdalla, Mihi Bellae, Phillip Rogawa: The Oacle iffie-hellman Assumptions and an Analsis of HIES. CT-RSA 200: 43-58

10 Came-Shoup Cptosstem Ronald Came, Victo Shoup: A Pactical Public Ke Cptosstem Povabl Secue Against Adaptive Chosen Ciphetet Attack. CRYPTO 998: 3-25

11 Came-Shoup Cptosstem- Route map Anothe Look at H Assumption/ An altenative Fomulation CPA Secue Scheme (diffeent fom El Gamal) CCA Secue Scheme + Collision-Resistant Hash Function CCA Secue Scheme

12 Anothe Look at H (G,o,q,g) Goup of Pime Ode q - P[A(g, g, g, g ) = ] P[A(g, g, g, g z ) = ] negl() (g 0,, g 0, ) (g 0,, g 0, ) - P[A(g 0,, g 0, g ) = ] P[A(g 0,, g 0, g ) = ] negl()

13 Randomization Function Input Output (g 0,, h 0, h ) Random (,) fom Z q. Wa : Given,, h 0,h v = h 0. h Case I (g 0,, h 0 = g 0, h = ): Wa 2: Given, u Claim: u = v Poof: u. ) = h 0. h = v Case II (g 0,, h 0 = g 0, h = g ): Claim: An all poweful adv A can guess v with pobabilit at most / G, even given (g 0,, h 0, h, u). Poof: A can compute,, α (whee = g 0α ) and discete log of u (sa R) u = g R 0. ) = g +α 0 +α = R --- () v = h 0. h = g 0. g = g +α 0 +α is lineal independent of +α Fo eve guess R of this value +α, thee eist a pai of unique values fo, satisfing equation ()

14 CPA Secue Scheme Gen( n ) (G, o, q, g 0, ) Random fom Z q Random (,) fom Z q h 0 = g 0, h = g. g c = u.m = v.m (Wa2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) ec sk = (,) (h 0, h, c) v = h 0. h (Wa) m = c/v Theoem. If H is had, then Π is a CPA-secue scheme. Poof: Assume Π is not CPA-secue A, p(n): P PubK (n) = > ½ + /p(n) A, Π H o non-h tuple? (G,o,q,g 0,, h 0, h ) Random (,) fom Z q. g Let us un PubK (n) A, Π pk = (G,o,q,g 0,,u) m 0, m, m 0 = m (h 0, h, c) A c = h 0. h. m b b {0, }

15 CPA Secue Scheme Gen( n ) (G, o, q, g 0, ) Random fom Z q Random (,) fom Z q h 0 = g 0, h = g. g c = u.m = v.m (Wa2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) ec sk = (,) (h 0, h, c) v = h 0. h (Wa) m = c/v Theoem. If H is had, then Π is a CPA-secue scheme. Poof: Assume Π is not CPA-secue A, p(n): P PubK (n) = > ½ + /p(n) A, Π H Tuple (G,o,q,g 0,, h 0 = g 0, h = ) Random (,) fom Z q. g h 0. h = g 0. g = u c = h 0. h. m b Let us un PubK (n) A, Π pk = (G,o,q, g 0,,u) m 0, m, m 0 = m (h 0, h, c) b {0, } A

16 CPA Secue Scheme Gen( n ) (G, o, q, g 0, ) Random fom Z q Random (,) fom Z q h 0 = g 0, h = g. g c = u.m = v.m (Wa2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) ec sk = (,) (h 0, h, c) v = h 0. h (Wa) m = c/v Theoem. If H is had, then Π is a CPA-secue scheme. Poof: Assume Π is not CPA-secue A, p(n): P PubK (n) = > ½ + /p(n) A, Π P PubK (n) A, Π = = ½ Non-H Tuple (G,o,q,g 0,, h 0 = g 0, h = ) Random (,) fom Z q. g h 0. h is unifoml andom element c = h 0. h. m b Let us un PubK (n) A, Π pk = (G,o,q, g 0,,u) m 0, m, m 0 = m (h 0, h, c) b {0, } A

17 CPA Secue Scheme Gen( n ) (G, o, q, g 0, ) Random fom Z q Random (,) fom Z q h 0 = g 0, h = g. g c = u.m = v.m (Wa2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) ec sk = (,) (h 0, h, c) v = h 0. h (Wa) m = c/v Theoem. If H is had, then Π is a CPA-secue scheme. Poof: Assume Π is not CPA-secue A, p(n): P PubK (n) = > ½ + /p(n) P PubK (n) = = ½ A, Π A, Π = = P [(H tuple) = ] - P [(non-h tuple) = ] > /p(n) H o non-h tuple? (G,o,q,g 0,, h 0, h ) if b = b 0 othewise Random (,) fom Z q. g c = h 0. h. m b Let us un PubK (n) A, Π pk = (G,o,q, g 0,,u) m 0, m, m 0 = m (h 0, h, c) b {0, } A

18 Wh NOT El Gamal? Gen( n ) (G, o, q, g) Random fom Z q, h = g c = g fo andom pk= (G,o,q, g 0, h), sk = c 2 = g.. m ec sk (c) c 2 / (c ) = c 2. [(c ) ] - Theoem. If H is had, then Π is a CPA-secue scheme. Poof: Assume Π is not CPA-secue A, p(n): P PubK (n) = > ½ + /p(n) P PubK (n) A, Π A, Π = = ½ = = P [(H tuple) = ] - P [(non-h tuple) = ] > /p(n) The secet ke is not with the eduction and so cannot Let us un PubK (n) H o non-h tuple? povide O sevice to A! A, Π (G,o,q,g, g, g, g z ) pk = (G,o,q,g,g ) m 0, m, m 0 = m A if b = b c = (g, g z.m b ) 0 othewise b b {0, }

19 Is the Scheme CCA secue? Gen( n ) ec sk = (,) (h 0, h, c) (G, o, q, g v = h Random fom Z 0. h 0, ) (Wa) q Random (,) fom Z q h 0 = g 0, h = g m = c/v. g c = u.m = v.m (Wa2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) It is malleable. Not CCA Secue

20 Is the Scheme CCA secue? Gen( n ) ec sk = (,) (h 0, h, c) (G, o, q, g v = h Random fom Z 0. h 0, ) (Wa) q Random (,) fom Z q h 0 = g 0, h = g m = c/v. g c = u.m = v.m (Wa2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) Theoem. If H is had, then Π is a CPA-secue scheme. Poof: Assume Π is not CPA-secue A, p(n): P PubK (n) = > ½ + /p(n) P PubK (n) = = ½ A, Π A u,π = = P [(H tuple) = ] - P [(non-h tuple) = ] > /p(n) H o non-h tuple? (G,o,q,g 0,, h 0, h ) if b = b Random (,) fom Z q. g pk = (G,o,q, g 0,,u) ecption que m 0, m, m 0 = m (h 0, h, c) A 0 othewise c = h 0. h. m b b {0, }

21 Is the Scheme CCA secue? Gen( n ) (G, o, q, g 0, ) Random (,) fom Z q. pk= (G,o,q, g 0,, u), sk = (,) Random fom Z q h 0 = g 0, h = c = u.m = v.m (Wa2) (h 0, h, c) ec sk = (,) (h 0, h, c) v = h 0. h (Wa) m = c/v Claim. Just one decption que is enough fo an unbounded poweful advesa A u to know, and guess b with pobabilit. Poof: A u can compute discete log of u &, sa R & α R. ) = g 0 +α +α = R --- () A u need anothe (lineal) independent equation on and to ecove them. Can ecption Que help? Random (,) fom Z q. pk = (G,o,q, g 0,,u) Q: (h 0, h, c) A u

22 Is the Scheme CCA secue? Gen( n ) (G, o, q, g 0, ) Random (,) fom Z q. pk= (G,o,q, g 0,, u), sk = (,) Random fom Z q h 0 = g 0, h = c = u.m = v.m (Wa2) (h 0, h, c) ec sk = (,) (h 0, h, c) v = h 0. h (Wa) m = c/v Claim. Just one decption que is enough fo an unbounded poweful advesa to know, and guess b with pobabilit. Poof: A u can compute discete log of u &, sa R & α R. ) = g 0 +α +α = R --- () A u need anothe (lineal) independent equation on and to ecove them. Can ecption Que help? c/m = v = g 0 R = (h 0. h ) = g 0 +α +α = R --- (2) (lineal) ependent L No use Random (,) fom Z q. pk = (G,o,q, g 0,,u) Q: (h 0 = g 0, h =, c) m A u

23 Gen( n ) (G, o, q, g 0, ) Random (,) fom Z q. pk= (G,o,q, g 0,, u), sk = (,) Is the Scheme CCA secue? Random fom Z q h 0 = g 0, h = c = u.m = v.m (Wa2) (h 0, h, c) ec sk = (,) (h 0, h, c) v = h 0. h (Wa) m = c/v Claim. Just one decption que is enough fo an unbounded poweful advesa to know, and guess b with pobabilit. Poof: A u can compute discete log of u &, sa R & α R. ) = g 0 +α +α = R --- () A u need anothe (lineal) independent equation on and to ecove them. Can ecption Que help? c/m = v = g 0 R = (h 0. h ) = g 0 + α + α = R --- (2) (lineal) independent J Solving () & (2) gives the secet ke (,) P PubK (n) A u,π = = Random (,) fom Z q. pk = (G,o,q, g 0,,u) Q: (h 0 = g 0, h =, c) m A u

24 CPA Secue Scheme Gen( n ) (G, o, q, g 0, ) Random fom Z q Random (,) fom Z q h 0 = g 0, h = g. g c = u.m = v.m (Wa2) pk= (G,o,q, g 0,, u), sk = (,) (h 0, h, c) ec sk = (,) (h 0, h, c) v = h 0. h (Wa) m = c/v Theoem. If H is had, then Π is a CPA-secue scheme. Poof: Assume Π is not CPA-secue A, p(n): P PubK (n) = > ½ + /p(n) P PubK (n) = = ½ A, Π A, Π = = Illegal ecption Que: (g P [(H tuple) = ] - P [(non-h 0, g tuple), c) = ] > /p(n) A checking mechanism in ec so that illegal queies Let us un PubK (n) H o non-h tuple? will be REJECTE with ve high A, pobabilit Π A pk = (G,o,q, g (G,o,q,g 0,, h 0, h ) 0,,u) Random (,) fom Z q. g m 0, m, m 0 = m if b = b 0 othewise c = h 0. h. m b (h 0, h, c) b {0, }

25 Gen( n ) (G, o, q, g 0, ) Random (,,, ) fom Z q u = g e = g pk= (G,o,q, g 0,,u,e), sk = (,,, ) CCA Scheme Random fom Z q h 0 = g 0, h = g c = u.m = v.m ; f = e (Wa2) (h 0, h, c, f) ec sk = (,,, ) (h 0, h, c, f) f = h (Wa)?? v = h (Wa) m = c/v Claim. An unbounded poweful advesa computes (,) ecept with neg. pobabilit. Theefoe it can guess bit b with pobabilit no bette than ½ + negl(.). Poof: A u can compute discete log of u, e, sa R, S & α R ) = g 0 +α e = g 0 S ) = g 0 +α +α = R -() +α = S -(2) What if A u can guess f so that f = h 0 h?? o ou see the disaste??????? f = g 0 S = (h 0 h ) = g 0 + α c/m = v = g 0 R = (h 0. h ) = g 0 + α Solving () & (4) gives the secet ke (,) P PubK (n) A u,π = = + α = S --- (3) (lineal) independent of (2) + α = R --- (4) (lineal) independent of () Random (,,, ) fom Z q e = g 0 f = h?? If es, then send m pk = (G,o,q, g 0,,u,e) Q: (h 0 =g 0, h =, c, f) m A u

26 Secuit Poof of CCA Scheme Gen( n ) (G, o, q, g 0, ) Random (,,, ) fom Z q Random fom Z q h 0 = g 0, h = g ec sk = (,,, ) (h 0, h, c, f) f = h (Wa)?? v = h (Wa) u = g e = g c = u.m = v.m ; f = e (Wa2) m = c/v pk= (G,o,q, g 0,,u,e), sk = (,,, ) (h 0, h, c, f) Claim. An unbounded poweful advesa computes (,) ecept with neg. pobabilit. Theefoe it can guess bit b with pobabilit no bette than ½ + negl(.). Poof: A u can compute discete log of u &, sa R & α R ) = g 0 +α +α = R --- () e = g 0 S ) = g 0 +α +α = S --- (2) What is the pob of A u guessing f so that f = h 0 h = g 0 +α Yes! It does. A u knows its chosen value in the fist Q is NOT a possibilit. Net time it can guess f fom G minus that value in his FIRST Q Recall that h 0 h is unifoml andom fo A u even given (g 0,, h 0 =g 0, h =, e) P[A u succeeds in fist Q] = / G --- negligible But A u can make polnomials man attempts sa, t man. oes getting ejected in the fist Q help in succeeding second Q? Random (,,, ) fom Z q e = g 0 f = h?? If es, then send m pk = (G,o,q, g 0,,u,e) Q: (h 0 =g 0, h =, c, f) m A u

27 Secuit Poof of CCA Scheme Gen( n ) (G, o, q, g 0, ) Random (,,, ) fom Z q Random fom Z q h 0 = g 0, h = g ec sk = (,,, ) (h 0, h, c, f) f = h (Wa)?? v = h (Wa) u = g e = g c = u.m = v.m ; f = e (Wa2) m = c/v pk= (G,o,q, g 0,,u,e), sk = (,,, ) (h 0, h, c, f) Claim. An unbounded poweful advesa computes (,) ecept with neg. pobabilit. Theefoe it can guess bit b with pobabilit no bette than ½ + negl(.). Poof: A u can compute discete log of u &, sa R & α R ) = g 0 +α +α = R --- () e = g 0 S ) = g 0 +α +α = S --- (2) What is the pob of A u guessing f so that f = h 0 h = g 0 +α in his SECON Q P[A u succeeds in second Q] = / ( G -) - negligible Random (,,, ) fom Z q u = g e = g f = h?? If es, then send m pk = (G,o,q, g 0,,u,e) Q: (h 0 =g 0, h =, c, f) m A u

28 Secuit Poof of CCA Scheme Gen( n ) (G, o, q, g 0, ) Random (,,, ) fom Z q Random fom Z q h 0 = g 0, h = g ec sk = (,,, ) (h 0, h, c, f) f = h (Wa)?? v = h (Wa) u = g e = g c = u.m = v.m ; f = e (Wa2) m = c/v pk= (G,o,q, g 0,,u,e), sk = (,,, ) (h 0, h, c, f) Claim. An unbounded poweful advesa computes (,) ecept with neg. pobabilit. Theefoe it can guess bit b with pobabilit no bette than ½ + negl(.). Poof: A u can compute discete log of u &, sa R & α R ) = g 0 +α +α = R --- () e = g 0 S ) = g 0 +α +α = S --- (2) What is the pob of A u guessing f so that f = h = g +α 0 bound on the numbe of Qs) in his t th Q (t is the uppe P[A u succeeds in t th Q] = / ( G -t) - negligible P[A u succeeds in one of t Qs] t / ( G -t) - negligible P PubK (n) A u,π = ½ + negl(.) Random (,,, ) fom Z q u = g e = g f = h?? If es, then send m pk = (G,o,q, g 0,,u,e) Q: (h 0 =g 0, h =, c, f) m A u

29 Is the Scheme CCA-secue? Gen( n ) (G, o, q, g 0, ) Random (,,, ) fom Z q Random fom Z q h 0 = g 0, h = g ec sk = (,,, ) (h 0, h, c, f) f = h (Wa)?? v = h (Wa) u = g e = g c = u.m = v.m ; f = e (Wa2) m = c/v pk= (G,o,q, g 0,,u,e), sk = (,,, ) (h 0, h, c, f) Claim. Just one Q in post-challenge phase is enough fo an unbounded poweful advesa to compute (,) completel and guess bit b with pobabilit. Poof: A u can compute discete log of u &, sa R & α R ) = g 0 +α +α = R --- () e = g 0 S ) = g 0 +α +α = S --- (2) What is the pob of A u guessing f so that f = h = g +α 0 bound on the numbe of Qs) in his t th Q (t is the uppe P[A u succeeds in t th Q] = / ( G -t) - negligible P[A u succeeds in one of t Qs] t / ( G -t) - negligible P PubK (n) A u,π = ½ + negl(.) Random (,,, ) fom Z q u = g e = g f = h?? If es, then send m pk = (G,o,q, g 0,,u,e) Q: (h 0 =g 0, h =, c, f) m A u

30 Is the Scheme CCA-secue? Gen( n ) (G, o, q, g 0, ) Random (,,, ) fom Z q Random fom Z q h 0 = g 0, h = g ec sk = (,,, ) (h 0, h, c, f) f = h (Wa)?? v = h (Wa) u = g e = g c = u.m = v.m ; f = e (Wa2) m = c/v pk= (G,o,q, g 0,,u,e), sk = (,,, ) (h 0, h, c, f) Claim. Just one Q in post-challenge phase is enough fo an unbounded poweful advesa to compute (,) completel and guess bit b with pobabilit. Poof: A u can compute discete log of u &, sa R & α u = g R 0 = (g 0 ) = g +α We +α need = R --- to () ensue A P PubK (n) = = 0 u can not make illegal Q and get O sevice even afte seeing A u,π the challenge e = g S 0 = (g ) = g +α +α = S --- (2) 0 We ae now consideing the case when eceived a non-h tuple (g 0,, h * 0, h* ) and so h* 0 =g 0, h * = f * = g 0 S* = (h 0 h ) = g 0 + α ciphetet. Incease the no. of vaiables??? + α = S* --- (3) (lineal) independent of (2) Solving (2) & (3) gives (, ) Now A u can make illegal Q in post-challenge phase and still pass the veification and get m and discove (,) Random (,,, ) fom Z q e = g 0 c = h 0 h. m b f = h 0 h pk = (G,o,q, g 0,,u,e) m 0, m, m 0 = m (h * 0, h*, c*, f * ) A u

31 Gen( n ) (G, o, q, g 0, ) Random (,,,,, ) fom Z q e = g 0 k = g 0 pk= (G,o,q, g 0,,u,e,k), sk = (,,,,, ) oes above help? Is the Scheme CCA-secue? Random fom Z q h 0 = g 0, h = c = u.m = v.m ; f = e ; l = k (Wa2) (h 0, h, c, f, l) ec sk = (,,,,,, ) (h 0, h,c,f,l) f = h 0 h (Wa)?? l = h 0 h (Wa)?? v = h 0 h (Wa) m = c/v Poof: A u can compute discete log of u &, sa R & α R ) = g 0 +α +α = R - () e = g 0 S ) = g 0 +α +α = S - (2) Random (,,, ) fom Z q e = g 0 c = h 0 h. m b f = h 0 h f * = g 0 S* = (h 0 h ) = g 0 + α + α = S* - (4) k = g 0 T ) = g 0 +α +α = T - (3) l * = g 0 T* = (h 0 h ) = g 0 + α + α = T * - (5) We ae now consideing the case when eceived a non-h tuple (g 0,, h * 0, h* ) and so h* 0 =g 0, h * = Now A u can make illegal Q in post-challenge phase and still pass the veification and get m and discove (,) Adding moe vaiable in the above wa does not help. pk = (G,o,q, g 0,,u,e,k) m 0, m, m 0 = m (h * 0, h*, c*, f *,l * ) A u

32 Gen( n ) (G, o, q, g 0, ) Random (,,,,, ) fom Z q e = g 0 k = g 0 pk= (G,o,q, g 0,,u,e,k), sk = (,,,,, ) oes above help? Poof: Is the Scheme CCA-secue? Random fom Z q h 0 = g 0, h = c = u.m = v.m ; f = e k (Wa2) (h 0, h, c, f) ec sk = (,,,,, ), (h 0,h,c,f) f = h 0 + h +?? v = h 0 h (Wa) m = c/v R ) = g 0 +α +α = R - () e = g 0 S ) = g 0 +α +α = S - (2) k = g 0 T ) = g 0 +α +α = T - (3) f * = g 0 S* = (h 0 + h + ) = g 0 (+ ) + α( + ) ( + ) + α( + ) = S* - (4) Fom (2), (3) & (4), A u can compute ( + ) and ( + ) and that s enough to make an illegal Q in postchallenge phase and still pass the veification and get m and discove (,). Adding moe vaiable in the above wa does not help. Random (,,, ) fom Z q e = g 0 c = h 0 h. m b f = h 0 h pk = (G,o,q, g 0,,u,e,k) m 0, m, m 0 = m (h * 0, h*, c*, f * ) A u

33 Gen( n ) (G, o, q, g 0, ) Random (,,,,, ) fom Z q e = g 0 k = g 0 pk= (G,o,q, g 0,,u,e,k, H), sk = (,,,,, ) oes above help? Poof: Is the Scheme CCA-secue? Random fom Z q h 0 = g 0, h = c = u.m = v.m ; f = e k β β = H(h 0, h, c) (h 0, h, c, f) ec sk = (,,,,, ) (h 0,h,c,f) β = H(h 0, h, c) f = h 0 + β h + β?? v = h 0 h m = c/v R ) = g 0 +α +α = R - () e = g 0 S ) = g 0 +α +α = S - (2) k = g 0 T ) = g 0 +α +α = T - (3) f * = g 0 S = (h 0 + β h + β ) = g 0 ( + β ) + α( + β ) ( + β ) + α( + β ) = S - (4) Fom (2), (3) & (4), A u can compute ( + β ) and ( + β ) BUT.to make an illegal Q in post-challenge phase A u must find a collision fo H i.e h 0, h, c such that β = H(h 0, h, c ) because.. pk = (G,o,q, g 0,,u,e,k) A u.he is not allowed to submit Random (,,, ) fom Z q the challenge ciphetet to O m u = g e = g 0, m, m 0 = m (h * 0, h*, c*, f * ) c = h. m b f = h

34 Gen( n ) (G, o, q, g 0, ) Random (,,,,, ) fom Z q The Came-Shoup Cptosstem e = g 0 k = g 0 pk= (G,o,q, g 0,,u,e,k, H), sk = (,,,,, ) Random fom Z q h 0 = g 0, h = c = u.m = v.m ; f = e k β β = H(h 0, h, c) (h 0, h, c, f) Theoem. If H is had + H is CR HF, then Π is a CCA-secue scheme. ec sk = (,,,,, ) (h 0,h,c,f) β = H(h 0, h, c) f = h 0 + β h + β?? v = h 0 h m = c/v Case I: If (h 0, h, c) = (h * 0, h*, c* ) and f * f à will eject Case II: If (h 0, h, c) (h * 0, h*, c* ) and f * = f [i.e. H(h 0, h, c) = H(h * 0, h*, c* ) ] à A has found collision but since H is CR, this happens with negl pobabilit pk = (G,o,q, g 0,,u,e,k) H o non-h tuple? (G,o,q,g 0,, h 0, h ) Random (,,,,, ) Compute u,e,k (h 0, h, c, f) Reject (if veification fails) m 0, m, m 0 = m A (h * 0, h*, c*, f * ) c * = h 0 h m b and f* (h 0, h, c, f) if b = b 0 othewise Reject (if veification fails) b {0, }

35 Gen( n ) (G, o, q, g 0, ) Random (,,,,, ) fom Z q The Came-Shoup Cptosstem e = g 0 k = g 0 pk= (G,o,q, g 0,,u,e,k, H), sk = (,,,,, ) Random fom Z q h 0 = g 0, h = c = u.m = v.m ; f = e k β β = H(h 0, h, c) (h 0, h, c, f) Theoem. If H is had + H is CR HF, then Π is a CCA-secue scheme. ec sk = (,,,,, ) (h 0,h,c,f) β = H(h 0, h, c) f = h 0 + β h + β?? v = h 0 h m = c/v Case III: H(h 0, h, c) H(h * 0, h*, c* ) ]: Thee is a possibilit that it is a valid ciphetet. But it can happen b shee luck. We can have fou INEPENENT constaints on,.. : () e (2) k (3) challenge ciphe (4) O => Beaking secuit But befoe making O que A had onl thee constaints and so finding an matching f fo the O can be donewith pob at most / G pk = (G,o,q, g 0,,u,e,k) H o non-h tuple? (G,o,q,g 0,, h 0, h ) if b = b 0 othewise Random (,,,,, ) Compute u,e,k (h 0, h, c, f) Reject (if veification fails) m 0, m, m 0 = m (h * 0, h*, c*, f * ) c * = h 0 h m b and f* (h 0, h, c, f) Reject (if veification fails) b {0, } A

36 Public Ke Summa Pimitives Secuit Notions Assumptions PKE KEM Hbid Encption CPA CCA Adaptive Attack (Non-committing Encption) Selective Opening Attack (eniable Encption) >> Close Relatives of L assumptions- CH, H, HH, OH >> RSA Assumption (Padded RSA, RSA OAEP) >> Factoing assumptions (Rabin Cptosstem) >> Quadatic Residuacit Assumptions (Micali-Goldwasse) >> ecisional Composite Residuacit (CR) Assumptions (Paillie) >> Lattice-based Assumptions LWE, LPN (Regev) Man moe assumptions

10/04/18. P [P(x)] 1 negl(n).

10/04/18. P [P(x)] 1 negl(n). Mastemath, Sping 208 Into to Lattice lgs & Cypto Lectue 0 0/04/8 Lectues: D. Dadush, L. Ducas Scibe: K. de Boe Intoduction In this lectue, we will teat two main pats. Duing the fist pat we continue the