Advanced Topics in Cryptography

Similar documents
Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Introduction to Cryptography. Lecture 8

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Short Exponent Diffie-Hellman Problems

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

RSA-OAEP and Cramer-Shoup

Advanced Cryptography 03/06/2007. Lecture 8

El Gamal A DDH based encryption scheme. Table of contents

G Advanced Cryptography April 10th, Lecture 11

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Provable security. Michel Abdalla

Advanced Cryptography 1st Semester Public Encryption

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Notes for Lecture 17

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 395T. Probabilistic Polynomial-Time Calculus

Discrete logarithm and related schemes

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Lecture 7: CPA Security, MACs, OWFs

Public-Key Cryptosystems CHAPTER 4

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Public-Key Encryption: ElGamal, RSA, Rabin

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Lecture Note 3 Date:

Public Key Cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

The Cramer-Shoup Cryptosystem

Adaptive Security of Compositions

Lecture 17: Constructions of Public-Key Encryption

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Efficient Identity-Based Encryption Without Random Oracles

Solutions to homework 2

6.892 Computing on Encrypted Data September 16, Lecture 2

Lecture 28: Public-key Cryptography. Public-key Cryptography

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Efficient Identity-based Encryption Without Random Oracles

Gentry IBE Paper Reading

A New Paradigm of Hybrid Encryption Scheme

Cryptography IV: Asymmetric Ciphers

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Lecture 7: Boneh-Boyen Proof & Waters IBE System

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Lecture 7: ElGamal and Discrete Logarithms

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Lecture 11: Key Agreement

5.4 ElGamal - definition

Lecture Notes 20: Zero-Knowledge Proofs

1 Number Theory Basics

2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

Public Key Cryptography

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Public Key Cryptography

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

An Introduction to Probabilistic Encryption

CPSC 467b: Cryptography and Computer Security

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Simple SK-ID-KEM 1. 1 Introduction

A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Introduction to Cybersecurity Cryptography (Part 4)

A Fair and Efficient Solution to the Socialist Millionaires Problem

Introduction to Cybersecurity Cryptography (Part 4)

Lecture Notes, Week 6

CS259C, Final Paper: Discrete Log, CDH, and DDH

Efficient chosen ciphertext secure identity-based encryption against key leakage attacks

Introduction to Elliptic Curve Cryptography

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

5199/IOC5063 Theory of Cryptology, 2014 Fall

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Stronger Public Key Encryption Schemes

Round-Optimal Password-Based Authenticated Key Exchange

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Computational security & Private key encryption

CPA-Security. Definition: A private-key encryption scheme

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

1 Public-key encryption

Master s thesis, defended on June 20, 2007, supervised by Dr. Oleg Karpenkov. Mathematisch Instituut. Universiteit Leiden

ECS 189A Final Cryptography Spring 2011

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

III. Pseudorandom functions & encryption

Identity-based encryption

Improved Non-Committing Encryption Schemes based on a General Complexity Assumption

REMARKS ON IBE SCHEME OF WANG AND CAO

Introduction to Cryptography. Lecture 6

Lecture 14 - CCA Security

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

14 Diffie-Hellman Key Agreement

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

f (x) f (x) easy easy

Lecture 5, CPA Secure Encryption from PRFs

Week : Public Key Cryptosystem and Digital Signatures

Non-malleability under Selective Opening Attacks: Implication and Separation

Transcription:

Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1

Related papers Lecture notes of Moni Naor, http://www.cs.ioc.ee/yik/schools/win2004/naor-slides- 2.5.ppt Lecture notes of Jonathan Katz, http://www.cs.umd.edu/~jkatz/gradcrypto2/notes/lecture 2.pdf page 2 2

To specify security of encryption The power of the adversary computational Probabilistic polynomial time machine (PPTM) access to the system Can it change the messages? What constitutes a failure of the system What it means to break the system. Reading a message Forging a message? page 3 3

El Gamal Encryption We will show that El Gamal encryption provides semantic security under the DDH assumption. Before doing that, let s discuss the DDH assumption. page 4 4

Discrete Log Problem A finite cyclic group G of order n. A generator g. DL problem for G to the base g: given Y G find 0 a n-1 such that Y=g a DL Assumption for group G to the base g : No efficient algorithm can solve whp the DL problem for Y=g x, with x R [0..n-1] Very useful group for DL: Z P *. P and Q: Large primes, s.t. Q P-1. g is an element of order Q in Z P*. Best known algorithms run in time Q or subexponential in log P. Randomized reduction Given a specific instance generate a random instance: given y generate Y = Yg r for r R [Q] Therefore worst case is the same as average case page 5 5

Diffie-Hellman Search Problem For a,b R [Q] Given Y=g a and X=g b find Z=g ab. Assumption - no algorithm can succeed with high probability No harder than DL - but not much easier. page 6 6

Decisional Diffie-Hellman Problem (DDH) For for generator g and a,b [Q] Given g, Y=g a, X=g b and Z decide whether Z =g ab or Z g ab Equivalent: is log g Y = log X Z DDH-Assumption: The DDH-Problem is hard in the worst case. page 7 7

Average DDH For a,b R [Q] and c which is either c= ab c R [Q] Given Y=g a and X=g b and Z =g c decide whether Z =g ab or Z g ab DDH-Assumption average case: The DDH-Problem is hard for above distribution page 8 8

Worst to Average case reduction Theorem:The average case and worst case of the DDH- Assumption are equivalent (solving the DDH problem is no easier on the average case than in the worst case) Proof: Given g a and g b and g c (and P, Q) Sample r,s 1,s 2 R [Q] compute g a = (g a ) r g s 1 g b = (g b ) g s 2 g c = (g c ) r (g a ) rs 2 (g b ) s 1 g s 1 s 2 page 9 9

Worst to average If c=ab +e mod Q then a =ra + s 1 mod Q b =b + s 2 mod Q c' = a'b'+ e r mod Q Always: a and b' are uniformly distributed. If e =0, then c' = a'b'. Otherwise c' is uniform and independent in [Q] page 10 10

Evidence to Validity of DDH Endured extensive research for DH search DH-search related to discrete log Hard for generic algorithms that work in a black-box group Computing the most significant bits of g ab is hard Random-self-reducibility page 11 11

El-Gamal Cryptosystem: Private key a R [Q] Public key Y=g a and P, Q To encrypt M choose r R [Q] compute X=g r and Y r send <X, Y r M> To decrypt <X, W>: compute X a = Y r and output W / X a page 12 12

Semantic security of El Gamal encryption Semantic security = indistinguishability of encryptions = indistinguishability of an encryption of M from an encryption of a random element Suppose that an adversary can Choose M Receive either an encryption of X ( g r, Y r M ) or an encryption of a random element ( g r, Y r R ), and distinguish between these cases. Then we can use the adversary to break the DDH We are given g a and g b and g c (where g c is either g ab or random) Define the public key as Y=g a The adversary chooses M We send it (g b, g c M) page 13 13

El-Gamal Security Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext attacks but... Scheme is malleable To change M to M =M C: change X, W to X, W C Therefore the scheme is insecure against chosen ciphertext attacks Given an encryption of M, change it to an encryption of M and ask to see its decryption. Why is this important? page 14 14

Security against chosen-ciphertext attacks Adversary can ask to receive decryptions of messages of his choice Adversary chooses two messages m 0,m 1 (possibly based on the answers he previously received) Adversary is given an encryption E(m b ), where b R {0,1} Adversary can issue further decryption queries Adversary guesses b Adversary succeeds if its probability of guessing b correctly is not negligibly close to ½ page 15 15

The Cramer-Shoup cryptosystem Cramer and Shoup suggested (in 1998) an encryption scheme which is practical and provably secure against chosen ciphertext attacks Security is based on the DDH assumption The overhead is only a few exponentiations The basic idea: Add redundancy to the cryptosystem. A ciphertext with the right redundancy is valid. Otherwise it is invalid. Decryption is only performed for valid ciphertexts. page 16 16

Non-adaptive chosen ciphertext security, aka security against lunch-time (or preprocessing) attacks Adversary can ask to receive decryptions of messages of his choice Adversary chooses two messages m 0,m 1 (possibly based on the answers he previously received) Adversary is given an encryption E(m b ), where b R {0,1} Adversary can issue further decryption queries Adversary guesses b Adversary succeeds if its probability of guessing b correctly is not negligibly close to ½ page 17 17

Cramer-Shoup Lite A simplification of the Cramer-Shoup cryptosystem, which is only secure against non-adaptive chosen ciphertext attacks. page 18 18

Cramer-Shoup Lite Setup: A subgroup G of order q, with generators g 1,g 2 Key generation: x,y,a,b R Z q h = (g 1 ) x (g 2 ) y c = (g 1 ) a (g 2 ) b Public key = g 1,g 2,h,c Private key = x,y,a,b Encryption of m: Correctness? Overhead? r R Z q Ciphertext is g 1r, g 2r, h r m, c r Decryption of u,v,e,w : If (w=u a v b ) then output e/(u x v y ), otherwise no output. page 19 19

Security proof (against non-adaptive chosen ciphertext attacks) Assume that A attacks the cryptosystem. We build an A which breaks the DDH assumption. We are given an input to A and we generate a setting for A to work in. We want the following to hold: If the input to A is a DDH tuple, then the setting of A is exactly as in the case it is attacking the cryptosystem. If the input to A is a random tuple, then the setting of A provides it with an encryption of a random element. The queries that A makes to the decryption oracle do not reveal anything. page 20 20

Constructing A Our input is (g 1,g 2,g 3,g 4 ), which is either a DDH tuple (of the form g,g a,g b,g ab, namely log g1 (g 3 )=log g2 (g 4 ) ), or a random tuple. x,y,a,b R Z q h = (g 1 ) x (g 2 ) y c = (g 1 ) a (g 2 ) b Public key = g 1,g 2,h,c Private key = x,y,a,b Answer decryption queries of A, and then receive m 0,m 1. Choose s R {0,1}. Send to A the ciphertext g 3, g 4, g 3x g 4y m s, g 3a g 4b If the response of A is equal to s then output DDH tuple, otherwise output random tuple page 21 21

Case 1: The input of A is a DDH tuple THM: If A receives an input which is a DDH tuple, then the view of A is the same as when it is interacting with a real cryptosystem. Corollary: Pr(A outputs DDH DDH input) = Pr(A succeeds when attacking a real cryptosystem) Proof: The public and secret keys generated by A are of the right format, and the decryption queries are answered correctly. If the input of A is a DDH tuple then log g1 (g 3 )=log g2 (g 4 )=r and then the ciphertext g 3,g 4, (g 3 ) x (g 4 ) y m s, (g 3 ) a (g 4 ) b is of the form (g 1 )r,(g 2 ) r,h r m s, c r, which is the right format. page 22 22

Case 2: The input of A is a random tuple THM: If A receives an input which is a random tuple, then (except with negligible probability) A has no information about the bit s chosen by A. Namely, Pr(A guesses s random tuple) ½ is negligible. Corollary: Pr(A outputs DDH random tuple input) ½ = Pr(A guesses s random tuple) ½, and is negligible Pr(A outputs DDH DDH input) Pr(A outputs DDH random tuple input) = Pr(A succeeds when attacking a real cryptosystem) - ½ page 23 23

Proof of the theorem We will prove the theorem for the case of a computationally unbounded A Therefore A knows γ=log g1 g 2 Claim 1: With all but negligible prob, all decryption queries (u,v,e,w) s.t. log g1 u log g2 v, fail. Proof: Suppose u=g 1r, v=g 2 r, r r. z, a single pair (a,b), s.t. w=u a v b, namely log g1 w=ar+br γ. Therefore, for A the value u a v b is uniformly distributed, and its guess of w is rejected with probability 1-1/q. If A performs n queries, they are all rejected with prob 1-n/q. page 24 24

Proof of the theorem (contd) Claim 2: Assuming all bad decryption queries are rejected, A learns no information about x and y. Proof: A knows γ=log g1 g 2. The public key contains h=g 1x g 2y, and A therefore learns that log g1 h=x+y γ. Bad (rejected) queries reveal nothing about (x,y), since the rejection is based on the values of (a,b) alone. For good queries (u,v,e,w), A learns e/m=g 1 rx g 2 ry. Namely, that log g1 (e/m)=xr+yr γ. (Which is a relation it already knows.) Claims 1+ 2 after n queries, with probability 1-n/q it holds that the ciphertext g 3, g 4, g 3x g 4y m s, g 3a g 4b has (qn) equal probability options for (x,y), and therfore for m. QED page 25 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback