G Advanced Cryptography April 10th, Lecture 11


G22.3220-001 Advanced Cryptography, April 10th, 2007
Lecturer: Victor Shoup. Lecture 11. Scribe: Kristiyan Haralambiev

We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems as a means of NIZK proofs for achieving a CCA-1 secure scheme. Now, we extend that to achieve CCA-2 security; this way, we present the Cramer-Shoup encryption scheme, which was the first efficient scheme provably secure against adaptive chosen ciphertext attack. Then, we switch to pairing-based cryptography and look into identity based encryption.

1 CCA-Secure Public Key Encryption

1.1 CCA-1

Last time we studied a practical PKE scheme which is somewhat similar to ElGamal encryption:

$G$ is a group of prime order $q$.
PK: generators $g_1, g_2 \in G$ and $h = g_1^{x_1} g_2^{x_2}$
SK: $x_1, x_2$
Enc(m): $u_1 = g_1^r$, $u_2 = g_2^r$, $v = h^r$, $w = v \cdot m$; $c = (u_1, u_2, w, \pi)$, where $\pi$ is a proof that $\log_{g_1} u_1 = \log_{g_2} u_2$
Dec(SK, c): check $\pi$, then $m \leftarrow w / (u_1^{x_1} u_2^{x_2})$

At first, we considered the idea of implementing $\pi$ using the Fiat-Shamir heuristic. Then, we gave a construction without random oracles using a Hash Proof System for $\pi$:

HPK: $c = g_1^{y_1} g_2^{y_2}$
HSK: $y_1, y_2$
$\pi$: $c^r$
verify $\pi$: $\pi \overset{?}{=} \tilde{\pi} = u_1^{y_1} u_2^{y_2}$ ($\tilde{\pi}$ is the expected correct value of the proof)

If $u_1 = g_1^{r_1}$, $u_2 = g_2^{r_2}$, and say $g_2 = g_1^t$, then:

$$\begin{pmatrix} 1 & t \\ r_1 & t r_2 \end{pmatrix} \begin{pmatrix} y_1 \\ y_2 \end{pmatrix} = \begin{pmatrix} \log_{g_1} c \\ \log_{g_1} \tilde{\pi} \end{pmatrix}$$

For an invalid ciphertext ($r_1 \neq r_2$, with $t \neq 0$) this matrix has determinant $t(r_2 - r_1) \neq 0$, so $\tilde{\pi}$ is uniformly random even given $c$. This gives CCA-1 security.

1.2 CCA-2

For CCA-2 security we need a 2-wise pseudorandom property for $\pi$.

HPK: $c = g_1^{y_1} g_2^{y_2}$, $d = g_1^{z_1} g_2^{z_2}$
HSK: $y_1, y_2, z_1, z_2$
$\pi$: $c^r d^{r\alpha}$, where $\alpha = H(u_1, u_2, w)$ and $H$ is a CRHF (actually, TCR suffices for $H$, but one should be careful because although the first input to $H$ is random, $w$ depends on $M$ chosen by $A$; still, security could be shown)
Verify: $\pi \overset{?}{=} \tilde{\pi} = u_1^{y_1 + \alpha z_1} u_2^{y_2 + \alpha z_2}$, where $\alpha$ is computed in the same way

(Note that if $u_1 = g_1^{r_1}$, $u_2 = g_2^{r_2}$, and say $g_2 = g_1^t$, then

$$u_1^{y_1 + \alpha z_1} u_2^{y_2 + \alpha z_2} = g_1^{r_1 (y_1 + \alpha z_1)} g_1^{t r_2 (y_2 + \alpha z_2)} = g_1^{r_1 y_1 + r_1 \alpha z_1 + t r_2 y_2 + t r_2 \alpha z_2} \qquad (*)$$
)

Consider two invalid ciphertexts:

$u_1 = g_1^{r_1}$, $u_2 = g_2^{r_2}$, $w$, $\pi$, with $r_1 \neq r_2$
$\bar{u}_1 = g_1^{\bar{r}_1}$, $\bar{u}_2 = g_2^{\bar{r}_2}$, $\bar{w}$, $\bar{\pi}$, with $\bar{r}_1 \neq \bar{r}_2$

For simplicity, we could assume $t \neq 0$, $\alpha \neq \bar{\alpha}$, $r_1 \neq r_2$, $\bar{r}_1 \neq \bar{r}_2$; then, define $M$ to be

$$M = \begin{pmatrix} 1 & t & 0 & 0 \\ 0 & 0 & 1 & t \\ r_1 & t r_2 & r_1 \alpha & t r_2 \alpha \\ \bar{r}_1 & t \bar{r}_2 & \bar{r}_1 \bar{\alpha} & t \bar{r}_2 \bar{\alpha} \end{pmatrix}$$

From (*) and the definitions of $c$ and $d$, we get:

$$M \begin{pmatrix} y_1 \\ y_2 \\ z_1 \\ z_2 \end{pmatrix} = \begin{pmatrix} \log_{g_1} c \\ \log_{g_1} d \\ \log_{g_1} \tilde{\pi} \\ \log_{g_1} \tilde{\bar{\pi}} \end{pmatrix}$$

Claim: the matrix $M$ is non-singular. (One could verify $\det M = t^2 (r_2 - r_1)(\bar{r}_2 - \bar{r}_1)(\alpha - \bar{\alpha}) \neq 0$: subtracting $r_1$ times the first row and $r_1 \alpha$ times the second row from the third row leaves $(0,\ t(r_2 - r_1),\ 0,\ \alpha t(r_2 - r_1))$, and likewise the fourth row becomes $(0,\ t(\bar{r}_2 - \bar{r}_1),\ 0,\ \bar{\alpha} t(\bar{r}_2 - \bar{r}_1))$; expanding the resulting determinant gives the product above.)

So, if $y_1, y_2, z_1, z_2$ are chosen at random, the log values will be uniform and random; $\tilde{\bar{\pi}}$ will be independent and random when conditioned on the other three log values.

2 Pairing Based Cryptography

The Discrete Logarithm (DL) problem is a nice problem that is widely used in cryptography. People have looked into a number of groups in which the problem appears to be hard but computations can be done efficiently. Although there is no algorithm for computing DL in polynomial time, for $\mathbb{Z}_p^*$ there are so-called index calculus methods which compute discrete logs in time $\exp(c (\log p)^{1/3} (\log \log p)^{2/3})$; whereas the brute-force attack uses $\sqrt{q}$ steps for a subgroup of order $q$. So, one would want to use $q \approx 2^{160}$ to avoid brute-force and $p \approx 2^{1024}$ to avoid sub-exponential attacks. An advantage of using elliptic curves is that there are no known sub-exponential attacks for the DL problem.
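The CCA-2 scheme of Section 1.2 (Cramer-Shoup with the hash proof $\pi = c^r d^{r\alpha}$), written out as an added example that is not code from the lecture notes. It assumes a constructed toy subgroup of prime order $q = 509$ inside $\mathbb{Z}_{1019}^*$ with generators $g_1 = 4$, $g_2 = 9$, SHA-256 standing in for the hash $H$, and messages already encoded as subgroup elements.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime, so the squares mod p form a
# subgroup of prime order q. Real deployments use p of about 2048 bits.
P, Q = 1019, 509
G1, G2 = 4, 9   # two generators of the order-q subgroup (4 = 2^2, 9 = 3^2)

def hash_alpha(u1, u2, w):
    """alpha = H(u1, u2, w) reduced mod q; SHA-256 stands in for the CRHF/TCR H."""
    digest = hashlib.sha256(f"{u1},{u2},{w}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def keygen():
    """PK = (h, c, d): h = g1^x1 g2^x2, c = g1^y1 g2^y2, d = g1^z1 g2^z2; SK = the exponents."""
    x1, x2, y1, y2, z1, z2 = (secrets.randbelow(Q) for _ in range(6))
    h = pow(G1, x1, P) * pow(G2, x2, P) % P
    c = pow(G1, y1, P) * pow(G2, y2, P) % P
    d = pow(G1, z1, P) * pow(G2, z2, P) % P
    return (h, c, d), (x1, x2, y1, y2, z1, z2)

def encrypt(pk, m):
    """m must be an element of the order-q subgroup; returns (u1, u2, w, pi)."""
    h, c, d = pk
    r = secrets.randbelow(Q)
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    w = pow(h, r, P) * m % P                          # w = h^r * m
    alpha = hash_alpha(u1, u2, w)
    pi = pow(c, r, P) * pow(d, r * alpha % Q, P) % P  # pi = c^r d^(r*alpha)
    return (u1, u2, w, pi)

def decrypt(sk, ct):
    """Recompute pi~ = u1^(y1+alpha z1) u2^(y2+alpha z2); reject (None) if pi != pi~."""
    x1, x2, y1, y2, z1, z2 = sk
    u1, u2, w, pi = ct
    alpha = hash_alpha(u1, u2, w)
    expected = pow(u1, (y1 + alpha * z1) % Q, P) * pow(u2, (y2 + alpha * z2) % Q, P) % P
    if pi != expected:
        return None
    v = pow(u1, x1, P) * pow(u2, x2, P) % P           # v = u1^x1 u2^x2 = h^r
    return w * pow(v, P - 2, P) % P                   # m = w / v (inverse via Fermat)

if __name__ == "__main__":
    pk, sk = keygen()
    u1, u2, w, pi = encrypt(pk, 16)
    print(decrypt(sk, (u1, u2, w, pi)))              # 16
    print(decrypt(sk, (u1, u2, w, pi * G1 % P)))     # None: tampered proof is rejected
```

Altering any of $u_1, u_2, w$ changes $\alpha$, so the recomputed $\tilde{\pi}$ no longer matches $\pi$ except with probability about $1/q$ (not negligible in this toy group, but negligible at real sizes).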

2.1 What is an elliptic curve?

An elliptic curve is defined by an equation $y^2 = f(x)$, where $f(x)$ is a cubic polynomial with no repeated roots. The curve consists of the points $\{(x, y) : y^2 = f(x)\} \cup \{O\}$, where $O$ is the point at infinity. When working over $\mathbb{R}$, for two points $P$ and $Q$ on the curve, $P + Q$ is equal to $-R$, where $R$ is the third point such that $P$, $Q$, and $R$ lie on the same line; we express this relation in terms of the coordinates and transfer it when working in a finite field. It is a non-trivial fact that this is an abelian group. Hasse's theorem states that $|\#E(\mathbb{F}_p) - (p + 1)| \le 2\sqrt{p}$ when working over the field $\mathbb{F}_p$.

The original motivation for Elliptic Curve Cryptography was to work with a group that has a more compact representation. An initial product of Certicom Corp (one of the co-founders of which is S. Vanstone) was based on a special elliptic curve, called a supersingular curve, due to its nice implementation features. But, unfortunately, it was insecure.

2.2 Pairings

Definition. Let $E$ be an elliptic curve over $\mathbb{Z}_p$. A pairing is a function $e : E \times E \to \mathbb{F}_{p^k}$ (for some $k$) that has the following properties:
- bilinear: $e(P_1 + P_2, Q) = e(P_1, Q) \cdot e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1) \cdot e(P, Q_2)$
- non-degenerate: not everything maps to 1

If $P$ is a point on $E$ of prime order $q$, then due to bilinearity $e(aP, bP) = e(P, P)^{ab}$, and $e(P, P) = \gamma$, where $\gamma$ has order $q$. For a supersingular curve a pairing exists with $k = 1$ or $2$, and $e$ is easy to compute.

MOV reduction: given $P$ and $Q = xP$, we can find $x$ as follows: $e(P, Q) = e(P, xP) = e(P, P)^x = \gamma^x$, so $\log_P Q = \log_\gamma e(P, Q)$, and $x$ could be computed using sub-exponential methods in $\mathbb{F}_{p^k}$ if $k$ is small.

Pairings can be useful too:
- we can choose elliptic curves with pairings into $\mathbb{F}_{p^k}$ for small $k$
- Joux observed that the Diffie-Hellman key exchange protocol could be extended to a 3-way key exchange protocol (both protocols are single round). In the original Diffie-Hellman key exchange idea, $A$ chooses $x$ and sends $g^x$, and $B$ chooses $y$ and sends $g^y$. Then each of them could compute $g^{xy} = (g^y)^x = (g^x)^y$. However, any eavesdropper has to compute $\mathrm{CDH}(g, g^x, g^y)$ in order to obtain the key used by $A$ and $B$. Using pairings: $A$ sends $xP$, $B$ sends $yP$, $C$ sends $zP$, and each party could compute $\gamma^{xyz} = e(yP, zP)^x = e(xP, zP)^y = e(xP, yP)^z$. The security of this protocol is based on the BDH assumption, a natural extension of the CDH assumption, which is defined in the next section.

2.3 Bilinear Diffie-Hellman Assumption

Given prime order groups and a pairing $e : G_1 \times G_1 \to G_2$, where $|G_1| = |G_2| = q$ and $e(P, P) = \gamma$, the bilinear versions of the CDH and DDH assumptions are as follows:

Bilinear Diffie-Hellman Assumption (BDH): Given $P, xP, yP, zP$, it is hard to compute $\gamma^{xyz}$.

Decisional Bilinear Diffie-Hellman Assumption (DBDH): The decisional version says that $(P, xP, yP, zP, \gamma^{xyz}) \approx_c (P, xP, yP, zP, \gamma^r)$ for random $r$.

Fact: DDH in $G_1$ is easy. Given $P, xP, yP, zP$, the question whether $z = xy$ can easily be answered by checking $e(xP, yP) \overset{?}{=} e(P, zP)$.

Fact: BDH $\Rightarrow$ CDH in $G_1$ and CDH in $G_2$ (i.e., if BDH is hard, then so is CDH in both groups).
Proof: Assume we can break CDH in $G_1$; then given $P, xP, yP, zP$, one could compute $\gamma^{xyz} = e(xyP, zP)$, where $xyP = \mathrm{CDH}(P, xP, yP)$. Assume we can break CDH in $G_2$; then given $P, xP, yP, zP$, here is how to break BDH: $\gamma^{xy} = e(xP, yP)$, $\gamma^z = e(P, zP)$, and, in the end, $\gamma^{xyz} = \mathrm{CDH}(\gamma, \gamma^{xy}, \gamma^z)$.

Two interesting results: Maurer showed an example of groups where CDH = DL; Joux extended that line of work and showed examples where CDH = DL, but DDH is easy.

2.4 Identity Based Encryption Scheme

Identity Based Encryption (IBE) was proposed by Shamir in 1984. Generally speaking, it provides an encryption mechanism where one's identity, e.g. bob@company.com, is used as his public key. The private keys are generated by a so-called Secret Key Authority (SKA). Bob obtains his private key by contacting the SKA and authenticating himself. Although the model was proposed a long time ago, it was not until the 2001 paper by Boneh and Franklin that a formal security model and a practical implementation were proposed.

An IBE is specified by the following four PPT algorithms:

KeyGen() = (MPK, MSK), that is, a master PK and a master SK
SKExtract(MSK, ID) = $SK_{ID}$, that is, ID's personal secret key
E(ID, M) = C
D($SK_{ID}$, C) = M

The identity ID could be any binary string, $ID \in \{0, 1\}^*$, and the message and the ciphertext belong to the corresponding spaces ($M \in \mathcal{M}$, $C \in \mathcal{C}$).

Semantic Security (IND-ID-CPA): An IBE scheme is semantically secure if any PPT adversary $A$ has a negligible advantage in the following game:

Setup: The challenger takes a security parameter and runs the KeyGen algorithm. It sends the adversary the MPK and keeps the MSK to itself.
Phase 1: The challenger answers extraction queries for IDs chosen by $A$: for each "extract: ID" the adversary sends, the challenger replies with SKExtract(MSK, ID).
Challenge: $A$ sends "encrypt: $ID^*$, $M_0$, $M_1$". Then, the challenger chooses a random bit ($b \leftarrow_R \{0, 1\}$), encrypts $M_b$ ($c^* \leftarrow E(ID^*, M_b)$), and sends back $c^*$.
Phase 2: The adversary asks more extract queries, which are answered as before.
Guess: The adversary outputs a guess $\hat{b}$.

Note that the adversary is not allowed to extract $SK_{ID^*}$, and the advantage in the above game is defined as usual to be $\mathrm{Adv} = |\Pr[b = \hat{b}] - 1/2|$.

CCA-Security (IND-ID-CCA): The attack game above is enhanced to allow decryption queries in phases 1 and 2: $A$ could send "decrypt: ID, c", and the challenger responds with D($SK_{ID}$, c), where $SK_{ID}$ = SKExtract(MSK, ID). The additional constraint is that $A$ can't ask "decrypt: $ID^*$, $c^*$" in phase 2. A silly observation: no decryption queries are needed in phase 2 for $ID \neq ID^*$, since $A$ can extract $SK_{ID}$ itself.