Advanced Cryptography 1st Semester Public Encryption

Similar documents
Lecture Note 3 Date:

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Provable security. Michel Abdalla

The Cramer-Shoup Cryptosystem

ASYMMETRIC ENCRYPTION

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Introduction to Cybersecurity Cryptography (Part 4)

Public-Key Encryption: ElGamal, RSA, Rabin

Introduction to Cryptography. Lecture 8

Introduction to Cybersecurity Cryptography (Part 4)

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Short Exponent Diffie-Hellman Problems

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17: Constructions of Public-Key Encryption

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Advanced Topics in Cryptography

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

5.4 ElGamal - definition

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Public Key Cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Public Key Cryptography

Chapter 11 : Private-Key Encryption

RSA-OAEP and Cramer-Shoup

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

G Advanced Cryptography April 10th, Lecture 11

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Advanced Cryptography 03/06/2007. Lecture 8

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Cryptography IV: Asymmetric Ciphers

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Lecture 28: Public-key Cryptography. Public-key Cryptography

1 Number Theory Basics

Public Key Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Key-Privacy in Public-Key Encryption

Introduction to Elliptic Curve Cryptography

How to Enhance the Security of Public-Key. Encryption at Minimum Cost 3. NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa Japan

On the CCA1-Security of Elgamal and Damgård s Elgamal

El Gamal A DDH based encryption scheme. Table of contents

Chosen-Ciphertext Security without Redundancy

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

f (x) f (x) easy easy

ECS 189A Final Cryptography Spring 2011

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Simple SK-ID-KEM 1. 1 Introduction

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Notes for Lecture 17

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Adaptive Security of Compositions

14 Diffie-Hellman Key Agreement

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Computer Science A Cryptography and Data Security. Claude Crépeau

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

CS 395T. Probabilistic Polynomial-Time Calculus

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University

Public-Key Cryptosystems CHAPTER 4

Lecture 11: Key Agreement

Chosen-Ciphertext Secure RSA-type Cryptosystems

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

RSA OAEP is Secure under the RSA Assumption

Introduction to Cybersecurity Cryptography (Part 5)

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Type-based Proxy Re-encryption and its Construction

Encoding-Free ElGamal Encryption Without Random Oracles

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Computational security & Private key encryption

Non-malleability under Selective Opening Attacks: Implication and Separation

Lecture 14 - CCA Security

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

A New Paradigm of Hybrid Encryption Scheme

Relations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions

Extractable Perfectly One-way Functions

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

An Introduction to Probabilistic Encryption

Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks

Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture 1: Introduction to Public key cryptography

Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization

Lecture 7: ElGamal and Discrete Logarithms

Public Key Cryptography

Lecture Notes, Week 6

Efficient Identity-based Encryption Without Random Oracles

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Transcription:

Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64

Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability definition Hybrid argument Remarks, questions, comments? 2 / 64

Last Time (II) Exercises done 1) Negligible functions 2) Probabilities 3 5) Indistinguishability 3 / 64

Outline of Today: Security Notions 1 Cyclic Groups 4 / 64

Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 4 / 64

Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 / 64

Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 4 / 64

Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 4 / 64

Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 4 / 64

Outline of Today: Security Notions 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 4 / 64

Cyclic Groups Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 5 / 64

Cyclic Groups Definitions (I) A group (G, ) is composed of a set G and a binary operator on G which satisfy the three following axioms: a, b, c G, a (b c) = (a b) c e G, a G, e a = a e = a a G, b G, a b = b a = e Associativity Neutral Element Inverse Element b is called the inverse of a and is denoted by a 1. Example (Z, +), (Z/nZ, +), permutation group, (M (n,n), +). Counter-Example (N, +), (M (n,n), ) 6 / 64

Cyclic Groups Definitions (II) Cyclic Group A group G is cyclic if G is finite and there exists an element g of G such that: a G, n N, a = g n Element g is called a generator of group G. Example If p is a prime number, then Z/pZ is a cyclic group. 7 / 64

Hard Problems Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 8 / 64

Hard Problems Integer Factoring and RSA Use of algorithmically hard problems. Factorization p, q n = p.q n = p.q p, q easy (quadratic) difficult RSA function n = pq, p and q primes. e: public exponent x x e mod n easy (cubic) y = x e x mod n difficult x = y d where d = e 1 mod φ(n) 9 / 64

Hard Problems Complexity Estimates Estimates for integer factoring Lenstra-Verheul 2000 Modulus Operations (bits) (log 2 ) 512 58 1024 80 2048 111 4096 149 8192 156 2 60 years Can be used for RSA too. 10 / 64

Hard Problems The Diffie-Hellman Key Exchange Protocol Let g be a generator of a cyclic group of prime order q. A B : g a B A : g b A B : {N} g ab 11 / 64

Hard Problems Hard Problems Most cryptographic constructions are based on hard problems. Their security is proved by reduction to these problems: Discrete Logarithm problem, DL. Given a group g and g x, compute x. Computational Diffie-Hellman, CDH Given a group g, g x and g y, compute g xy. Decisional Diffie-Hellman, DDH Given a group g, distinguish between the distributions (g x, g y, g xy ) and (g x, g y, g r ). RSA. Given N = pq and e Z ϕ(n), compute the inverse of e modulo ϕ(n) = (p 1)(q 1). Factorization 12 / 64

Hard Problems Relation between the problems Prop DL CDH DDH. Prop (Moaurer & Wolf) For many groups, DL CDH Prop (Joux & Wolf) There are groups for which DDH is easier than CDH. 13 / 64

Hard Problems Usage of DH assumption The Diffie-Hellman problems are widely used in cryptography: Public key cryptosystems [ElGamal, Cramer& Shoup] Pseudo-random functions [Noar& Reingold, Canetti] Pseudo-random generators [Blum& Micali] (Group) key exchange protocols [many] 14 / 64

Hard Problems Example: ElGamal Encryption Scheme Key generation: Alice chooses a prime number p and a group generator g of (Z/pZ) and a (Z/(p 1)Z). Public key: (p, g, h), where h = g a mod p. Private key: a Encryption: Bob chooses r R (Z/(p 1)Z) and computes (u, v) = (g r, Mh r ) Decryption: Given (u, v), Alice computes M p v u a Justification: v u a = Mh r g ra p M Remarque: re-usage of the same random r leads to a security flaw: M 1 h r M 2 h r p M 1 M 2 Practical Inconvenience: Cipher is twice as long as plain text. 15 / 64

Ideas of Security Notions Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 16 / 64

Ideas of Security Notions Adversary Model Qualities of the adversary: Clever: Can perform all operations he wants Limited time: Do not consider attack in 2 60. Otherwise a Brute force by enumeration is always possible. Model used: Any Turing Machine. Represents all possible algorithms. Probabilistic: adversary can generates keys, random number... 17 / 64

Ideas of Security Notions One-Wayness (OW) Without the private key, it is computationally impossible to recover the plain-text. (Near of Perfect Security of Shannon) 18 / 64

Ideas of Security Notions Not enough Does not exclude to recover half of the plain-text Even worse if one has already partial information of the message: Subject: XXXX From: XXXX 19 / 64

Ideas of Security Notions Indistinguishability (IND) The adversary is not able to guess in polynomial-time even a bit of the plain-text knowing the cipher-text, notion introduced by S. Goldwasser and S.Micali ([GM84]). 20 / 64

Ideas of Security Notions Non Malleability (NM) The adversary should not be able to produce a new cipher-text such that the plain-texts are meaningfully related, notion introduced by D. Dolev, C. Dwork and M. Naor in 1991 ([DDN91,BDPR98,BS99]). 21 / 64

Ideas of Security Notions Relations Non Malleability Indistinguishability One-Wayness 22 / 64

Ideas of Security Notions Adversary Models The adversary is given access to oracles : encryption of all messages of his choice decryption of all messages of his choice Three classical security levels: Chosen-Plain-text Attacks (CPA) Non adaptive Chosen-Cipher-text Attacks (CCA1) only before the challenge Adaptive Chosen-Cipher-text Attacks (CCA2) unlimited access to the oracle (except for the challenge) 23 / 64

Ideas of Security Notions Chosen-Plain-text Attacks (CPA) Adversary can obtain all cipher-texts from any plain-texts. It is always the case with a scheme. 24 / 64

Ideas of Security Notions Non adaptive Chosen-Cipher-text Attacks (CCA1) Adversary knows the public key, has access to a decryption oracle multiple times before to get the challenge (cipher-text), also called Lunchtime Attack introduced by M. Naor and M. Yung ([NY90]). 25 / 64

Ideas of Security Notions Adaptive Chosen-Cipher-text Attacks (CCA2) Adversary knows the public key, has access to a decryption oracle multiple times before and AFTER to get the challenge, but of course cannot decrypt the challenge (cipher-text) introduced by C. Rackoff and D. Simon ([RS92]). 26 / 64

Ideas of Security Notions Parallels Attacks (PA0, PA1) Introduced by M. Bellare and A. Sahai ([BS99]) to prove the link between NM and IND. PA0 = Chosen Cipher-text Parallel Attack, after getting the challenge the adversary can ask for decrypting a finite number of cipher-text all AT THE SAME TIME which can be dependent of the challenge, but not of responses to decryption oracle. PA1 = CCA1 followed by PA0. 27 / 64

Definitions of Security Notions Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 28 / 64

Definitions of Security Notions Asymmetric Encryption An asymmetric encryption scheme S = (K, E, D) is defined by K: key generation E: encryption D: decryption K(η) = (k e, k d ) E ke (m, r) = c D(c, k d ) = m 29 / 64

Definitions of Security Notions One-Wayness (OW) AdversaryA: any polynomial time Turing Machine (PPTM) Basic security notion: One-Wayness (OW) Without the private key, it is computationally impossible to recover the plain text: Pr m,r [A(c) = m c = E(m, r)] is negligible. 30 / 64

Definitions of Security Notions Indistinguishability (IND) Game Adversary: A = (A 1, A 2 ) 1 The adversary A 1 is given the public key pk. 2 The adversary A 1 chooses two messages m 0, m 1. 3 b = 0, 1 is chosen at random and c = E(m b ) is given to the adversary. 4 The adversary A 2 answers b. The probability Pr[b = b ] 1 2 sould be negligible. 31 / 64

Definitions of Security Notions The IND-CPA Games Given an encryption scheme S = (K, E, D). An adversary is a pair A = (A 1, A 2 ) of polynomial-time probabilistic algorithms, b {0, 1}. Let Ind b CPA (A) be the following algorithm: Generate (pk, sk) R K(η). (s, m 0, m 1 ) R A 1 (η,pk) b R A2 (η,pk, s, E(pk, m b )) return b. Then, we define the advantage against the IND-CPA game by: Adv Ind CPA S,A (η) = Pr[b R Ind 1 CPA (A) : b = 1] Pr[b R Ind 0 CPA (A) : b = 1] 32 / 64

Definitions of Security Notions The IND-CCA1 Games Given an encryption scheme S = (K, E, D). An adversary is a pair A = (A 1, A 2 ) of polynomial-time probabilistic algorithms, b {0, 1}. Let Ind b CCA1 (A) be the following algorithm: Generate (pk, sk) R K(η). (s, m 0, m 1 ) R A O 1 1 (η,pk) where O 1 = D b R A2 (η,pk, s, E(pk, m b )) return b. Then, we define the advantage against the IND-CCA1 game by: Adv Ind CCA1 S,A (η) = Pr[b R Ind 1 CCA1 (A) : b = 1] Pr[b R Ind 0 CCA1 (A) : b = 1] 33 / 64

Definitions of Security Notions The IND-CCA2 Games Given an encryption scheme S = (K, E, D). An adversary is a pair A = (A 1, A 2 ) of polynomial-time probabilistic algorithms, b {0, 1}. Let Ind b CCA2 (A) be the following algorithm: Generate (pk, sk) R K(η). (s, m 0, m 1 ) R A O 1 1 (η,pk) where O 1 = D b R A O 2 2 (η,pk, s, E(pk, m b)) where O 2 = D return b. Then, we define the advantage against the IND-CCA2 game by: Adv Ind CCA2 S,A (η) = Pr[b R Ind 1 CCA2 (A) : b = 1] Pr[b R Ind 0 CCA2 (A) : b = 1] 34 / 64

Definitions of Security Notions IND-XXX Security Definition An encryption scheme is IND-XXX secure, if for any adversary A the function Adv IND XXX S,A is negligible. Exercice Prove that Adv Ind XXX S,A (η) = Pr[b R Ind 1 (A) : b = 1] Pr[b R Ind 0 (A) : b = 1] = 2Pr[b R Ind b (A) : b = b] 1 35 / 64

Definitions of Security Notions Summery of IND-XXX Games Given S = (K, E, D), A = (A 1, A 2 ) of polynomial-time probabilistic algorithms. Ind b XXX (A) follows: Generate (pk, sk) R K(η). (s, m 0, m 1 ) R A O 1 1 (η,pk) b R A O 2 2 (η,pk, s, E(pk, m b)) return b. Adv Ind XXX S,A (η) = Pr[b R Ind 1 XXX (A) : b = 1] Pr[b R Ind 0 XXX (A) : b = 1] IND-CPA, IND-CCA1, IND-CCA2 IND-CPA: O 1 = O 2 = Chosen Plain text Attack IND-CCA1: O 1 = {D}, O 2 = Non-adaptive Chosen Cipher text Attack IND-CCA2: O 1 = O 2 = {D} Adaptive Chosen Cipher text Attack. 36 / 64

Definitions of Security Notions Non Malleability Game Adversary: A = (A 1, A 2 ) 1 The adversary A 1 is given the public key pk. 2 The adversary A 1 chooses a message space M. 3 Two messages m and m are chosen at random in M and c = E(m; r) is given to the adversary. 4 The adversary A 2 outputs a binary relation R and a cipher-text c. Probability Pr[R(m, m )] Pr[R(m, m )] is negligible, where m = D(c ) 37 / 64

Definitions of Security Notions The NM-XXX Games Given S = (K, E, D). An adversary A = (A 1, A 2 ) of polynomial-time probabilistic algorithms, m,m,m M. Let NM b XXX (A): Generate (pk,sk) R K(η). (s,m) R A O1 1 (η,pk),m 0,m 1, M (R,C ) R A O2 2 (η,pk,s,m, E(pk,m b)),m D(C ) return R(m b,m ) Then, we define the advantage against the IND-CCA2 game by: Adv NM XXX S,A (η) = Pr[R(m,M ) R NMXXX 1 (A) : R(m,M ) = 1] Pr[R(m,M ) R NMXXX 0 (A) : R(m,M ) = 1] NM-CPA: O 1 = O 2 = Chosen Plain text Attack NM-CCA1: O 1 = {D}, O 2 = Non-adaptive Chosen Cipher text Attack NM-CCA2: O 1 = O 2 = {D} Adaptive Chosen Cipher text Attack. 38 / 64

Definitions of Security Notions Relations NM-CPA NM-CCA1 NM-CCA2 IND-CPA IND-CCA1 IND-CCA2 OW-CPA Relations Among Notions of Security for Public-Key Encryption Schemes, Crypto 98, by Mihir Bellare, Anand Desai, David Pointcheval and Phillip Rogaway [BDPR 98] 39 / 64

Definitions of Security Notions Relations NM-CPA NM-CCA1 NM-CCA2 IND-CPA IND-CCA1 IND-CCA2 minimal security OW-CPA weak security strong security Relations Among Notions of Security for Public-Key Encryption Schemes, Crypto 98, by Mihir Bellare, Anand Desai, David Pointcheval and Phillip Rogaway [BDPR 98] 39 / 64

Examples Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 40 / 64

Examples RSA Example: RSA public n = pq e (public key) private d = e 1 mod φ(n) (private key) RSA Encryption E(m) = m e mod n D(c) = c d mod n OW-CPA = RSA problem by definition! 41 / 64

Examples RSA IND-XXX and the Determinism Prop The encryption algorithm of an IND-XXX scheme must probabilistic, if it is stateless. Proof. An exercise. 42 / 64

Examples Diffie-Hellman The Discret Logarithm (DL) Let G = ( g, ) be any finite cyclic group of prime order. Idea: it is hard for any adversary to produce x if he only knows g x. For any adversary A, [ ] Adv DL (A) = Pr A(g x ) x x, y R [1, q] is negligible. 43 / 64

Examples Diffie-Hellman Computational Diffie-Hellman (CDH) Idea: it is hard for any adversary to produce g xy if he only knows g x and g y. For any adversary A, ] Adv CDH (A) = Pr [A(g x, g y ) g xy x, R y [1, q] is negligible. 44 / 64

Examples Diffie-Hellman Decisional Diffie-Hellman (DDH) Idea: Knowing g x and g y, it should be hard for any adversary to distinguish between g xy and g r for some random value r. For any adversary A, the advantage of A [ ] Adv DDH (A) = Pr A(g x, g y, g xy ) 1 x, y R [1, q] [ ] Pr A(g x, g y, g r ) 1 x, y, r R [1, q] is negligible. This means that an adversary cannot extract a single bit of information on g xy from g x and g y. 45 / 64

Examples Diffie-Hellman DDH CDH DL Exercice DDH CDH DL 46 / 64

Examples ElGamal Recall Elgamal G = ( g, ) finite cyclic group of prime order q. x: private key. y = g x : public key. E(m; r) = (g r, y r m) (c, d) and D(c, d) = d c x OW = CDH Assumption IND-CPA= DDH Assumption 47 / 64

Examples ElGamal OW-CPA for Elgamal Exercice Prove that under CDH assumption El-Gamal is OW-CPA. 48 / 64

Examples ElGamal IND-CPA for Elgamal Exercice Prove that under DDH assumption El-Gamal is IND-CPA. 49 / 64

Proofs Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 50 / 64

Proofs IND-CCA2 NM-CCA2 Intuition for IND-CCA2 NM-CCA2 Non-malleability deals with the ability to output ciphertexts. As the adversary is granted access to the decryption oracle during its whole attack, it can decrypt any ciphertext it outputs. The ability to output ciphertexts is thus not likely to increase the power of the adversary. 51 / 64

Proofs IND-CCA2 NM-CCA2 Main Idea We assume the scheme PE is secure in the IND-CCA2 sense. We let B = (B 1, B 2 ) be an NM-CCA2 adversary attacking PE. We must show that Adv NM CCA2 PE,B (k) is negligible. We construct an IND-CCA2 adversary A attacking the scheme, using B. Comparing these two advesaries, we show the advantages are such that : Adv NM CCA2 PE,B (k) = 2 Adv IND CCA2 PE,A (k) 52 / 64

Proofs IND-CCA2 NM-CCA2 Algorithm of Attack Algorithm A D sk 1 (pk) (s, M) R B D sk 1 (pk); (m 0, m 1 ) R M; s (m 0, m 1, M, s); Return (m 0, m 1, s ). Algorithm A D sk 2 (s, y) (R, C ) R B D sk 2 (M, s, y); M D sk ( C ); if R(m 0, M ) then d 0 else d R {0, 1}. Return d. 53 / 64

Proofs IND-CCA2 NM-CCA2 Notation Adv IND CCA2 PE,A (k) = pk(0) pk(1) p k (b) = Pr[(pk,sk) K(η);(s,m 0,m 1 ) A D sk 1 (pk) : A D sk 2 (s, E(pk,m b )) = 0] Adv NM CCA2 PE,B (k) = pk (0) pk (1) p k(b) = Pr[(pk,sk) K(η);(s,M) R B D sk 1 (pk);(m 0,m 1 ) R M; (R, C ) R B D sk 2 (M,s, E(pk,m b )) M D sk ( C ); R(m b, M )] 54 / 64

Proofs IND-CCA2 NM-CCA2 End of the Proof p k (0) = p k (0).Pr[d = 0 R(m 0, M)] + (1 p k (0)).Pr[d = 0 coinflip] = p k (0) + 1 2 1 2 p k (0) = 1 2 (1 + p k (0)) p k (1) = 1 2 (1 + p k (1)) Adv IND CCA2 PE,A (k) = pk(0) pk(1) = 1 2 (1 + p k (0)) 1 2 (1 + p k (1)) = 1 2 (p k (0) p k (1)) = 1 2 AdvNM CCA2 PE,B (k) 55 / 64

Proofs IND-CCA1 NM-CPA Idea:IND-CCA1 NM-CPA Assume there exists some IND-CCA1 secure encryption PE. We modifiy PE to build PE which is also IND-CCA1 secure but not NM-CPA secure. 56 / 64

Proofs IND-CCA1 NM-CPA Algorithm PE : Algorithm E pk (x) y 1 R Epk (x); y 2 R Epk (x); Return y 1 y 2 Where y 1 y 2 is a pair, and x us the bitwise complement of x. Algorithm D sk (y 1 y 2 ) Return D sk (y 1 ). 57 / 64

Proofs IND-CCA1 NM-CPA PE is not NM-CPA: Idea Given a cipher text y 1 y 2 of a messge x it is easy to create a cipher of x: just output y 2 y 1.Thus the scheme is malleable. Formally: A = (A 1, A 2 ) breaks PE in the sense of NM-CPA. (, M) R A 1 (pk), where M puts unforms distribution on {0, 1} k (R, y 2 y 1 ) R A 2 (, M, y 1 y 2 ), where R(m 1, m 2 ) = 1 if m 1 = m 2 Adv NM CPA PE,B (k) = 1 2 k 58 / 64

Proofs IND-CCA1 NM-CPA PE is IND-CPA: Idea Let B = (B 1, B 2 ) be some polynomial time adversary attacking PE in the IND-CCA1 sense. Show that Adv IND CCA1 PE,B (k) is negligible, using an hybrid argument. p k (i, j) = Pr[(s, m 0, m 1 ) R B D sk 1 ; y 1 R Epk (x i ); y 2 R Epk (x j ) : B 2 (s, m 0, m 1, y 1 y 2 ) = 1] Adv IND CCA1 PE,B (k) = p k (1, 1) p k (0, 0) Adv IND CCA1 PE,B (k) = p k (1, 1) p k (1, 0) + p k (1, 0) p k (0, 0) 59 / 64

Proofs IND-CCA1 NM-CPA Claim 1: p k (1, 1) p k (1, 0) is negligible Algorithm A D sk 1 (pk) (s,m 0,m 1 ) R B D sk 1 (pk); Return (m 0,m 1,s). Algorithm A 2 (s,m 0,m 1,y) (R, C ) R B D sk 2 (M,s,y); d R B 2 (m 0,m 1,s, E pk (m 1 ) y); Return d. Pr[(m 0,m 1,s) R A D sk 1 (pk) : A 2 (m 0,m 1,s, E pk (m 1 )] = p k (1,1) Pr[(m 0,m 1,s) R A D sk 1 (pk) : A 2 (m 0,m 1,s, E pk (m 0 )] = p k (1,0) Adv IND CCA1 PE,A (k) = p k (1,1) p k (0,0) is negligible, assumng security of PE in the IND-CCA1 sense. 60 / 64

Proofs IND-CCA1 NM-CPA Claim 2: p k (1, 0) p k (0, 0) is negligible Algorithm A D sk 1 (pk) (x 0,x 1,s) R B D sk 1 (pk); Return (x 0,x 1,s). Algorithm A 2 (x 0,x 1,s,y) (R, C ) R B D sk 2 (M,s,y); d R B 2 (x 0,x 1,s,y E pk (x 0 )); Return d. Pr[(x 0,x 1,s) R A D sk 1 (pk) : A 2 (x 0,x 1,s, E pk (x 1 )] = p k (1,0) Pr[(x 0,x 1,s) R A D sk 1 (pk) : A 2 (x 0,x 1,s, E pk (x 0 )] = p k (0,0) Adv IND CCA1 PE,A (k) = p k (1,0) p k (0,0) is negligible, assumng security of PE in the IND-CCA1 sense. 61 / 64

Conclusion Outline 1 Cyclic Groups 2 Hard Problems 3 Ideas of Security Notions 4 Definitions of Security Notions 5 Examples RSA Diffie-Hellman ElGamal 6 Proofs IND-CCA2 NM-CCA2 IND-CCA1 NM-CPA 7 Conclusion 62 / 64

Conclusion Summary Today Cyclic Groups Hard Problems One-way IND-CPA, IND-CCA1, IND-CCA2 NM-CPA, NM-CCA1, NM-CCA2 Examples RSA ElGamal IND-CCA2 NM-CCA2 NM-CCA1 NM-CPA 63 / 64

Conclusion Thank you for your attention. Questions? 64 / 64

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback