Relations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions

Similar documents
Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Advanced Cryptography 1st Semester Public Encryption

III. Pseudorandom functions & encryption

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

CS 6260 Applied Cryptography

Chosen-Ciphertext Security (I)

Strong Security Models for Public-Key Encryption Schemes

CTR mode of operation

Lecture Note 3 Date:

Applied cryptography

Symmetric Encryption

Public-Key Encryption

Advanced Topics in Cryptography

ASYMMETRIC ENCRYPTION

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Lecture 7: CPA Security, MACs, OWFs

Lecture 9 - Symmetric Encryption

RSA-OAEP and Cramer-Shoup

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

CS 6260 Applied Cryptography

CPA-Security. Definition: A private-key encryption scheme

1 Number Theory Basics

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

REMARKS ON IBE SCHEME OF WANG AND CAO

Perfectly-Secret Encryption

Block ciphers And modes of operation. Table of contents

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

Provable security. Michel Abdalla

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Notes on Property-Preserving Encryption

Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Practice Assignment 2 Discussion 24/02/ /02/2018

1 Indistinguishability for multiple encryptions

Post-quantum security models for authenticated encryption

Lectures 2+3: Provable Security

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Modern Cryptography Lecture 4

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Public-Key Encryption: ElGamal, RSA, Rabin

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

5.4 ElGamal - definition

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Identity-based encryption

G Advanced Cryptography April 10th, Lecture 11

2 Message authentication codes (MACs)

Searchable encryption & Anonymous encryption

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

The Cramer-Shoup Cryptosystem

Boneh-Franklin Identity Based Encryption Revisited

Notes for Lecture 17

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Lecture 5, CPA Secure Encryption from PRFs

G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

Modern symmetric-key Encryption

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization

Some Comments on the Security of RSA. Debdeep Mukhopadhyay

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Non-malleability under Selective Opening Attacks: Implication and Separation

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Short Exponent Diffie-Hellman Problems

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Semantic Security and Indistinguishability in the Quantum World

Computational security & Private key encryption

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Introduction to Cybersecurity Cryptography (Part 4)

On the CCA1-Security of Elgamal and Damgård s Elgamal

Public Key Cryptography

A Strong Identity Based Key-Insulated Cryptosystem

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Introduction to Cybersecurity Cryptography (Part 4)

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Chapter 2 : Perfectly-Secret Encryption

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Chapter 11 : Private-Key Encryption

Notes on Alekhnovich s cryptosystems

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

CS 395T. Probabilistic Polynomial-Time Calculus

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Implementation Tutorial on RSA

Public Key Cryptography

Lecture 2: Perfect Secrecy and its Limitations

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Lecture 13: Private Key Encryption

Transcription:

Relations Among Notions of Security for Public-Key Encryption Schemes Debdeep Muhopadhyay IIT Kharagpur Notions To organize the definitions of secure encryptions Classified depending on: security goals: Indistinguishability (GM) Non-malleability (DDN) attac models: Chosen Plain Text (CPA) Non-adaptive Chosen Ciphertext (CCA) Adaptive Chosen Ciphertext (CCA)

Relations ne can mix and match the goals (IND,NM) and the attac models (CPA, CCA, CCA) thus there are 6 notions of security IND-X: IND-CPA, IND-CCA, IND-CCA NM-X: NM-CPA, NM-CCA, NM-CCA Non-malleability Danny Dolev, Cynthia Dwor and Moni Naor, Non-malleable Cryptography, Siam J of Computing,.

Motivation Consider a bidding scheme. Company A gives a bit of say Rs,. It communicates to the arbiter by using a Public Key Infrastructure (PKI), E() Another company B, should not able to compute a bid value say E(x), st. x< more liely than when B does not have a nowledge of E(). ther Motivations For ey agreement protocols lie Kerberos, after the mutual ey K AB is agreed there is an exchange of nonces, N. ne party sends to the other E KAB (N) and expects E KAB (N-). the assumption being that without KAB it is not feasible to compute N- (or any f(n)) with a probability better than without having the nowledge of the ciphertext of N with KAB). 3

Informally Informally, given the CT it is no easier to generate a different CT, so that the corresponding PTs are related, than it is do with out the ciphertext. Indistinguishability A public ey scheme (E,D,G) is (t,q,ε)- secure in the IND-X sense if for all pairs of different messages of the same length, and for every adversary A that runs in time t and maes at most q queries to oracle : Pr ( p, )[ (, ( ) )] Pr (, )[ (, ( )) ] ( ) s A p Ep m = p s A p Ep m = ε n where the oracle is:, if IND-CPA = Ds, if IND-CCA and the adversary cannot query the decryption oracle at E ( m ) p i 4

CCA vs CCA Imagine all the algorithms A=(A,A ), both of which are also polytime algorithms in n. A generates a message pair and encrypts one of them and gives it to A as a challenge. A has to be successful against the challenge, depending on the goal: IND: It has to tell message / which has been encryptes. NM: It has to return a ciphertext whose corresponding message is related to the plaintext encrypted. Inter-relation IND-CCA=>IND-CCA=>IND-CPA SS 5

Non-Malleability A public-ey scheme (E,D,G) is (t,q,ε)-secure in the NM-X sense if for all message distributions M, and all relations R:MxM {,}, and for every adversary A that runs in time t, and maes at most q queries to oracle, there exists another adversary A that runs in time poly(t), st: Pr ( p, ), [ (, ( (, ( )))] Pr (, ), [ (, ( '( )))] ( ) s mrmds A p Ep m p s mrmds A p ε n where the oracle is:, if IND-CPA = Ds, if IND-CCA and the adversary cannot query the decryption oracle at E ( m) p Relation NM-X=>IND-X If a public-ey scheme is (t,q,ε)-secure in NM-X sense, then it is (t,q,ε)-secure in IND-X sense. Contradict that the scheme is (t,q,ε)- secure in IND-X sense. Show that the scheme is also not (t,q,ε)- secure in NM-X sense. 6

Let us assume that the scheme is not IND-X secure. There exists messages m = m and an adversary A, st: Pr [ A ( p, E ( m ) = )] Pr [ A ( p, E ( m )) = ] > ε ( n) ( p, s) p ( p, s) p We need to prove that there exists B for which there exists a R, so that for all B': Pr [ RmD (, ( B ( p, E ( m)))] Pr [ RmD (, ( B'( p)))] > ε ( n) ( p, s), m s p ( p, s), m s Note :Pr [ R( m, D ( B '( p )))] = / ( p, s), i {,} i s, u = v Consider, R( u, v) =, u v and B ( p, c) = E ( m ) p A ( p, c) Thus, Pr [ R( m, D ( B ( p, E ( m )))] = ( p, s), i {,} i s p i = Pr [ m = D ( B ( p, E ( m )))] ( p, s), m {,} i s p i = Pr [ A ( p, E ( m)) = i] ( p, s), m {,} p i = Pr ( p, ), {,}[ (, ( )) ] Pr s m A pep m = + ( p, s), m {, } [ A ( p, Ep ( m )) = ] = ( Pr ( p, ), {,}[ (, ( )) ]) Pr (, ), {,}[ (, ( )) ] s m A pep m = + p s m A pep m = (Pr (, ), {,} [ (, ( )) ] Pr (, ), {,} [ = + p s m A pep m = p s m A ( p, Ep ( m )) = ]) = + Adv[ A ] Thus, LHS= Adv[ A ] > ε ( n),by our assumption. Thus the assumption leads to a successful adversary against the Encryption in the NM-X sense. A Separation IND CPA > NM CPA Suppose, we have (E,D,G) which satisfies IND-CPA. Consider, E'( p ) = E ( x) p Thus, D' ( b y) = D ( y) s s (E',D',G) is also an IND-CPA scheme. It may be shown that (E',D'G) is not IND-NM. Informally, the IND-NM adversary is provided with y and is ased to produce another ciphertext, whose corresponding plaintext is related to the original plaintext. With probability, the adversary can mae the first bit and obtain y, whose corresponding plaintext is the the same as that corresponding to the challenge. Thus adversary A(p, E' ( m)) outputs y, where y=e ( m). p For an adversary A' who does not have access to E' ( m), its probability of guessing or is /. NM-CPA Thus, Adv[A ] = / = /. p p 7

Another Separation IND CPA > IND CCA Consider 3 : E(m)=x (mod n) s x.s m If the RSA function is a one-way function, then E(x) is a IND-CPA scheme. But, this is clearly not an IND-CCA scheme. Why? Equivalence of NM-CCA and IND-CCA We have proved NM-CCA=>IND-CCA We have to prove that IND-CCA=>NM- CCA We shall assume there is an adversary in the NM-CCA sense. We shall construct an adversary in the IND-CCA sense. 8

Suppose there is an (t,q, ε ) adversary in the NM-CCA sense against the scheme E. p That is there exists a message distribution M and a relation R: M M {,} such that for all simulators S running in polynomial time t: Pr[ RmAp (, (, E ( m))] Pr[ RmS (, ( p))] > ε ( n) p Modify A Adversary B(p, E ( m)), where m { m, m} D R p s Run A ( p, E ( m)) and assign to y If Rm (, D ( y)) return else s return r {,} p 9

Proof (contd.) Simulator S( p ) Generate m" M D s Return A ( p, E ( m")) p Now A is a good adversary in NM-CCA sense. Thus, Pr [ R( md, ( A ( p, E ( m)))] Pr [ RmD (, ( S( p)))] > ε ( n) ( p, s), m s p ( p, s), m s Let, p = Pr [ R( m, D ( A ( p, E ( m )))] ( p, s) s p and p' = Pr [ R( m, D ( A ( p, E ( m )))] ( p, s) s p = Pr [ Rm (, D ( S( p))] ( p, s) s So, we have p- p' > ε ( n)

For IND-CCA we have an adversary B st. Pr [ B ( p, E ( m )) = ] Pr [ B ( p, E ( m )) = ] ε ( n) ( p, s) p ( p, s) p ( p, s) B pep m = = ( p, s) R m Ds A p E i p m Pr [ (, ( )) ] Pr [ (, ( (, ( ))))] + Pr ( p, )[not (, ( (, ( )))) s Rm D s Ap E i p m =p'+ ( p ') Pr [ B ( p, E ( m )) = ] = Pr [ R( m, D ( A( p, E ( m ))))] ( p, s) p ( p, s) s i p + Pr ( p, )[not (, ( (, ( )))) s Rm D s Ap E i p m =p+ ( p) Thus, Adv[B ( p )] = p+ ( p) p'+ ( p') = ( p p') > ε ( n) This completes the proof. Inter-relationship NM-CPA NM-CCA IND-CPA IND-CCA

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback