Notions For Public Key Encryptions
Notions of Public-Key Encryptions
Xuhua
Outline
• Introduction
• Preliminaries
• Notions For Security
• Some Well-known Examples
• Encryption in Multi-User Setting
Introduction
• Goals of Public-key Encryption:
– to provide privacy or confidentiality
– no data origin authentication or data integrity
• Primary objective of attacks:
– systematically recover plaintext from ciphertext
Question: Is it adequate to model the realistic attacks?
Preliminaries
• Provable Security:
– The security of scheme A is reduced to scheme B iff given an efficient algorithm to break B, one can efficiently break A.
• Some well-known intractable problems (primitives)
– Factorization
– Discrete log
– RSA problem
– Strong RSA problem
– Square root
– Computational Diffie-Hellman problem
– Decision Diffie-Hellman problem
Random Oracle
• What is the Random Oracle?
– A public “black box” which, on input string x, returns a random string R(x) of some appropriate length
• What is the meaning of “secure in RO model”?
– proven security against generic attacks
– heuristically, no non-generic attack against “natural” schemes
• Limitations: heuristic proof of security
– breaking the scheme ≠ breaking the underlying intractability assumption
– breaking the scheme ≠ finding weakness in hash functions
Attacker’s Algorithm:
• Two Stages (A1, A2)
– Stage I: Given the pk, seeks and outputs a test instance (may also output state information to A2)
– Stage II: Given a challenge ciphertext, tries to pass the challenge
The purpose of each stage, and the meaning of passing the challenge, depend on the adversarial goal.
• Both A1 and A2 are probabilistic polynomial-time algorithms
Attack Models II
• CPA: Chosen Plaintext Attack
• Plaintext Checking Attack
• Validity Checking Attack
• CCA-1: Non-adaptive Chosen Ciphertext Attack (lunch-time attack)
• CCA-2: Adaptive Chosen Ciphertext Attack
Diagram: CPA, CCA-1, CCA-2 (in order of increasing attacker power)
Notions of Security
• Plaintext recovery
• Semantic Security
• Indistinguishability (by Goldwasser and Micali)
• Non-malleability (by Dolev, Dwork, and Naor)
• Plaintext Awareness (by Bellare and Rogaway)
Indistinguishability
Game between the adversary and PKE(pk, sk):
– the adversary chooses two messages m0, m1
– the challenger picks b ∈R {0,1} and returns the challenge C = E(mb)
– the adversary guesses b
The adversary wins if he guesses b correctly with a probability significantly greater than 1/2.
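The IND game above, written out as an added example (not part of the original slides): a generic IND-CPA experiment that runs a two-stage adversary (A1, A2) against any public-key scheme and reports the win rate and the advantage |2·Pr[win] − 1|. The scheme plugged in is textbook RSA with a constructed toy key (p = 61, q = 53, n = 3233, e = 17, d = 2753; an assumption, not a real parameter set). Because textbook RSA is deterministic, A2 can simply re-encrypt m0 with the public key and compare it with the challenge, which wins every time; a coin-flipping A2 is included for contrast and has advantage close to 0.

```python
import secrets

# Constructed toy RSA key (assumption): p = 61, q = 53, n = 3233, e = 17, d = 2753.
# Far too small for real use; it only needs to make the game run.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def textbook_rsa_keygen():
    """Return (pk, sk) for deterministic textbook RSA with no padding."""
    return (TOY_N, TOY_E), (TOY_N, TOY_D)


def textbook_rsa_encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)


def reencrypt_a1(pk, encrypt):
    """Stage I: choose two distinct plaintexts; the state handed to A2 keeps pk, E and m0."""
    m0, m1 = 2, 3
    return m0, m1, (pk, encrypt, m0)


def reencrypt_a2(state, challenge):
    """Stage II: E is public, so re-encrypt m0 and compare with the challenge."""
    pk, encrypt, m0 = state
    return 0 if encrypt(pk, m0) == challenge else 1


def guess_a1(pk, encrypt):
    return 2, 3, None


def guess_a2(state, challenge):
    """A2 that ignores the challenge and flips a coin: its advantage averages to 0."""
    return secrets.randbelow(2)


def ind_cpa_game(keygen, encrypt, a1, a2, trials=400):
    """Run the IND-CPA experiment `trials` times; return (win rate, advantage)."""
    wins = 0
    for _ in range(trials):
        pk, _sk = keygen()
        m0, m1, state = a1(pk, encrypt)
        b = secrets.randbelow(2)                     # b <-R {0,1}
        challenge = encrypt(pk, m1 if b else m0)     # C = E(m_b)
        wins += int(a2(state, challenge) == b)
    win_rate = wins / trials
    return win_rate, abs(2 * win_rate - 1)           # advantage = |2 Pr[win] - 1|


if __name__ == "__main__":
    args = (textbook_rsa_keygen, textbook_rsa_encrypt)
    print("re-encryption adversary:", ind_cpa_game(*args, reencrypt_a1, reencrypt_a2))
    print("coin-flip adversary:    ", ind_cpa_game(*args, guess_a1, guess_a2))
```

The harness takes the key generation and encryption algorithms as parameters, so a randomised scheme (ElGamal, RSA-OAEP) can be dropped in to check that the re-encryption adversary's advantage collapses once encryption is no longer deterministic.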
Non-malleability
Game between the adversary and PKE(pk, sk):
– the adversary outputs a sampling algorithm for the message space M
– challenge: y = Epk(x), x ∈R M
– the adversary outputs a relation R and a vector of ciphertexts Y, with y ∉ Y
– the adversary succeeds if R(x, X) holds, where X = Dsk(Y) componentwise, with higher probability than R(x’, X) for a random x’ from M
NOTE: M is valid if |x| = |x’| for any x, x’ that are given non-zero probability in M
Plaintext Awareness in the Random Oracle Model
Diagram: the adversary Eve has access to a random oracle H and to the encryption oracle Epk; she makes H queries and obtains ciphertexts yi for plaintexts xi, then outputs a ciphertext y. The plaintext extractor K is given Eve’s H queries/answers, the ciphertexts {yi}, y and pk, and outputs x; the question is whether x = DskH(y).
Six Notions of Security
Goals × Attacks:
           CPA        CCA1        CCA2
IND        IND-CPA    IND-CCA1    IND-CCA2
NM         NM-CPA     NM-CCA1     NM-CCA2
Relations
Diagram nodes: NM-CPA, IND-CPA, NM-CCA1, IND-CCA1, NM-CCA2, IND-CCA2, PA
A → B: proven that meeting notion A implies meeting B
A ↛ B: proven that meeting notion A does not imply meeting B
NOTE: A implies B iff there is a path from A to B
Exemplary Schemes I
• RSA-OAEP is IND-CCA2 in the RO model (plain RSA is NOT) under the RSA assumption
• Encryption: m ∈ {0,1}^n, r ←R {0,1}^k0, compute s = (m || 0^k1) ⊕ G(r), t = r ⊕ H(s), c = RSA-EN(s || t)
• Decryption: (s, t) = RSA-DE(c), r = t ⊕ H(s), M = s ⊕ G(r). Check that M has the form m || 0^k1 and output m
• RSA can be replaced by any trapdoor permutation
RSA-OAEP: PKCS#1 v2.1
OAEP Encoding diagram: inputs Seed and DB; maskedDB = DB ⊕ MGF(Seed), maskedSeed = Seed ⊕ MGF(maskedDB); the encoded message is EM = 00 || maskedSeed || maskedDB
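The OAEP padding layer of the previous two slides, as an added example that is not code from the slides or from any PKCS#1 implementation. It follows the slide's scheme (s = (m || 0^k1) ⊕ G(r), t = r ⊕ H(s)), not the lHash/0x01 layout of PKCS#1 v2.1, and the instantiation is an assumption: k0 = 32 seed bytes, k1 = 16 zero bytes of redundancy, G = MGF1 over SHA-256, H = SHA-256 truncated to k0 bytes. The trapdoor permutation is left out so that the block runs on its own; the encoded block s || t is what would be fed to RSA-EN. The decode step is where the "check the format of M" matters: flipping a single bit of the block scrambles the recovered seed, so the trailing zero bytes fail and decoding rejects instead of returning garbage.

```python
import hashlib
import secrets
from typing import Optional

# Parameter choices (assumption): k0 = 32 seed bytes, k1 = 16 zero bytes of redundancy.
K0, K1 = 32, 16


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1: concatenate SHA-256(seed || counter) blocks until `length` bytes are available."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m: bytes, r: Optional[bytes] = None) -> bytes:
    """s = (m || 0^k1) XOR G(r), t = r XOR H(s); returns s || t, the input to the trapdoor permutation."""
    r = secrets.token_bytes(K0) if r is None else r
    padded = m + bytes(K1)                         # m || 0^k1
    s = xor(padded, mgf1(r, len(padded)))          # G stretches the k0-byte seed to |m| + k1 bytes
    t = xor(r, hashlib.sha256(s).digest()[:K0])    # H compresses s to k0 bytes
    return s + t


def oaep_decode(block: bytes) -> Optional[bytes]:
    """Invert the encoding and check the format; None means the redundancy check failed."""
    if len(block) <= K0 + K1:
        return None
    s, t = block[:-K0], block[-K0:]
    r = xor(t, hashlib.sha256(s).digest()[:K0])    # r = t XOR H(s)
    padded = xor(s, mgf1(r, len(s)))               # M = s XOR G(r)
    # The k1 trailing zero bytes are the redundancy that makes any tampering detectable.
    if padded[-K1:] != bytes(K1):
        return None
    return padded[:-K1]


def demo():
    m = b"attack at dawn"                          # constructed sample plaintext
    em1, em2 = oaep_encode(m), oaep_encode(m)
    tampered = bytearray(em1)
    tampered[0] ^= 0x01                            # flip one bit of s
    return (em1 != em2,                            # same m, different encodings (randomised)
            oaep_decode(em1) == m,                 # honest decode recovers m
            oaep_decode(bytes(tampered)))          # None: the format check rejects it
```

In a real implementation the decode path must run in constant time and return one uniform error for every failure, because distinguishing "bad format" from "bad decryption" is exactly the validity-checking oracle listed under the attack models.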
El Gamal Encryption
• El Gamal Encryption
– keys: private x, public y = g^x mod p
– encrypt m: γ = g^k, δ = m·y^k, c = (γ, δ), k is a random integer
– decrypt c: m = γ^{-x}·δ
• Semantic security ≡ Decision Diffie-Hellman
• Secure against chosen-plaintext attack
• Insecure against adaptive chosen-ciphertext attack
Exemplary Schemes III
• Cramer-Shoup Encryption: IND-CCA2
• Key Generation (G a group of prime order q with generators g1, g2)
– private: exponents x1, x2, y1, y2, z
– public: c = g1^x1 · g2^x2, d = g1^y1 · g2^y2, h = g1^z
• Encryption: u1 = g1^r, u2 = g2^r, e = h^r · m, w = H(u1, u2, e), v = c^r · d^{rw}. Output (u1, u2, e, v)
• Decryption:
– check if u1^{x1 + w·y1} · u2^{x2 + w·y2} = v
– m = e / u1^z
• Assumptions: DDH and a universal one-way family of hash functions
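The two preceding slides side by side, as an added example that is not code from the slides: ElGamal and Cramer-Shoup implemented over the same group, with the same ciphertext manipulation applied to both. Multiplying ElGamal's δ by a group element g' yields a valid encryption of g'·m, which is the malleability behind "insecure against adaptive chosen-ciphertext attack"; the same manipulation of Cramer-Shoup's e changes w = H(u1, u2, e), so the check u1^{x1+w·y1}·u2^{x2+w·y2} = v fails and decryption rejects. Assumptions: the group is the order-q subgroup of Z_p* for a safe prime p = 2q + 1 of about 41 bits found at start-up (toy size, DDH is trivially breakable here), g1 = 4 and g2 = 9 as its generators, messages encoded as quadratic residues, and SHA-256 reduced mod q standing in for the universal one-way hash family.

```python
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; this witness set is exact for n < 3.3e24."""
    if n < 2:
        return False
    witnesses = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for w in witnesses:
        if n % w == 0:
            return n == w
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in witnesses:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int):
    """Smallest safe prime p = 2q + 1 with q >= start; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Constructed toy group (assumption): ~41-bit safe prime. Messages must be quadratic
# residues, i.e. elements of the order-q subgroup, which 4 and 9 generate.
P, Q = safe_prime_group(1 << 40)
G1, G2 = 4, 9


def elgamal_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G1, x, P)                          # private x, public y = g^x


def elgamal_encrypt(y, m):
    k = secrets.randbelow(Q - 1) + 1
    return pow(G1, k, P), m * pow(y, k, P) % P       # (gamma, delta)


def elgamal_decrypt(x, ct):
    gamma, delta = ct
    return pow(gamma, Q - x, P) * delta % P          # gamma^{-x} * delta (gamma has order q)


def cs_hash(u1, u2, e):
    """w = H(u1, u2, e) reduced into Z_q; SHA-256 stands in for the UOWHF of the slides."""
    digest = hashlib.sha256(f"{u1},{u2},{e}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def cs_keygen():
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    h = pow(G1, z, P)
    return (x1, x2, y1, y2, z), (c, d, h)


def cs_encrypt(pk, m):
    c, d, h = pk
    r = secrets.randbelow(Q)
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    e = pow(h, r, P) * m % P
    w = cs_hash(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * w % Q, P) % P      # c^r * d^{rw}
    return u1, u2, e, v


def cs_decrypt(sk, ct):
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    w = cs_hash(u1, u2, e)
    expected = pow(u1, (x1 + w * y1) % Q, P) * pow(u2, (x2 + w * y2) % Q, P) % P
    if expected != v:
        return None                                  # validity check failed: reject
    return e * pow(u1, Q - z, P) % P                 # e / u1^z


def multiply_message(ct, factor):
    """Scale the message-carrying component by `factor` without any key."""
    if len(ct) == 2:                                 # ElGamal: (gamma, delta * factor)
        return ct[0], ct[1] * factor % P
    u1, u2, e, v = ct                                # Cramer-Shoup: (u1, u2, e * factor, v)
    return u1, u2, e * factor % P, v


def demo(m=16, factor=4):
    x, y = elgamal_keygen()
    sk, pk = cs_keygen()
    eg, cs = elgamal_encrypt(y, m), cs_encrypt(pk, m)
    return (elgamal_decrypt(x, eg),                               # m
            elgamal_decrypt(x, multiply_message(eg, factor)),     # factor * m: accepted
            cs_decrypt(sk, cs),                                   # m
            cs_decrypt(sk, multiply_message(cs, factor)))         # None: rejected
```

The rejection is what turns a decryption oracle from a malleability lever into a useless one: a CCA-2 adversary that maul-and-queries learns only "invalid", which is why the validity check (and keeping its failure indistinguishable from any other failure) is the heart of the IND-CCA2 proof.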
Håstad Attack on RSA
Diagram: three receivers with public keys (N1, 3), (N2, 3), (N3, 3); the sender encrypts the same m to each of them:
y1 = m^3 mod N1
y2 = m^3 mod N2
y3 = m^3 mod N3
Eavesdropper: I can compute m^3 mod N1·N2·N3, but m^3 < N1·N2·N3, so….
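The slide's broadcast scenario carried through in code, as an added example that is not part of the original slides: the three residues y_i are combined with the Chinese remainder theorem into m^3 mod N1·N2·N3, and because m^3 is smaller than that product the result is m^3 over the integers, so an exact integer cube root returns m. The moduli are constructed toy values (N1 = 11·17, N2 = 23·29, N3 = 41·47, chosen so that e = 3 is a valid exponent); real moduli are thousands of bits but the arithmetic is the same. The recovery returns None when m^3 is not below the product, which is the condition the attack depends on.

```python
from math import gcd

# Constructed toy moduli (assumption): pairwise coprime, and 3 does not divide phi(N_i).
MODULI = (187, 667, 1927)


def crt(residues, moduli):
    """Chinese remaindering for pairwise coprime moduli; returns (x, product) with x = r_i mod n_i."""
    product = 1
    for n in moduli:
        product *= n
    x = 0
    for r, n in zip(residues, moduli):
        partial = product // n
        x += r * partial * pow(partial, -1, n)       # pow(., -1, n) is the modular inverse (Python 3.8+)
    return x % product, product


def integer_cube_root(n):
    """Exact integer cube root by binary search, or None if n is not a perfect cube."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)      # hi > n^(1/3) for every n >= 0
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == n else None


def hastad_recover(ciphertexts, moduli):
    """Given y_i = m^3 mod N_i for pairwise coprime N_i and e = 3, return m if m^3 < prod(N_i)."""
    assert all(gcd(a, b) == 1 for i, a in enumerate(moduli) for b in moduli[i + 1:])
    m_cubed, _product = crt(ciphertexts, moduli)     # m^3 mod N1*N2*N3
    return integer_cube_root(m_cubed)               # equals m^3 over the integers only if m^3 < product


def broadcast(m, moduli=MODULI, e=3):
    """Sender's side: the same unpadded m encrypted to every receiver."""
    return [pow(m, e, n) for n in moduli]


def demo(m=42):
    return hastad_recover(broadcast(m), MODULI)     # -> 42
```

The defence is the one the earlier slides already give: randomised padding such as OAEP makes every receiver's padded plaintext different, so the three ciphertexts are no longer cubes of one integer and the CRT combination is meaningless.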
IND in Multi-user Setting
Game between the adversary and several encryption oracles PKE(pk, sk):
– for each query the adversary chooses any pair m0, m1
– the same b ∈R {0,1} is used for all oracle queries; each challenge is C = E(mb)
– the adversary guesses b
The adversary wins if he guesses b correctly with a probability significantly greater than 1/2.
General Reduction
• An encryption scheme in the multi-user setting is semantically secure if it is in the single-user setting.
• The reduction is polynomial: Adv_1(t’, q_e) ≤ q_e·n·Adv_n(t), t’ = t + O(log(q_e·n))
where q_e is the number of allowed encryption operations, and t’ and t are the running times.
Immediate Impact on Practice
• Generally, security degrades linearly as new users join and as the users encrypt more data.
• For ElGamal, the bound is 2·Adv_ddh
• For Cramer-Shoup, the bound is 2·(Adv_ddh + Adv_H)