
  1. Chosen-Ciphertext Security without Redundancy
  Duong Hieu Phan (ENS – France) and David Pointcheval (CNRS-ENS – France)
  Asiacrypt '03, Taipei, Taiwan, December 1st 2003

  2. Summary
  ➢ Asymmetric Encryption
  ➢ Full-Domain Permutation Encryption
  ➢ 3-round OAEP
  ➢ Conclusion
  David Pointcheval – CNRS - ENS Chosen-Ciphertext Security without Redundancy - 2

  3. Asymmetric Encryption
  An asymmetric encryption scheme π = (G, E, D) is defined by 3 algorithms:
  ➢ G – key generation: from random coins ω, outputs the key pair (k_e, k_d)
  ➢ E – encryption: from the public key k_e, a plaintext m and random coins r, outputs a ciphertext c
  ➢ D – decryption: from the private key k_d and a ciphertext c, recovers m

  4. Security Notions
  One-Wayness (OW): without the private key, it is computationally infeasible to recover the plaintext from a ciphertext.
  Semantic Security (IND – Indistinguishability): the ciphertext reveals no more information about the plaintext to a polynomial-time adversary.

  5. Attacks
  Chosen-Plaintext Attacks (CPA)
  ➢ the basic attack in the public-key setting: the adversary can encrypt any message of its choice
  More information: oracle access
  Chosen-Ciphertext Attacks (CCA): the adversary has access to the decryption oracle on any ciphertext of its choice (except the challenge)
  ➢ non-adaptive (CCA1): only before receiving the challenge
  ➢ adaptive (CCA2): unlimited oracle access

  6. IND-CCA2
  The game: G outputs (k_e, k_d) and the adversary A receives k_e.
  ➢ CCA1 phase: A queries the decryption oracle D on ciphertexts c of its choice and gets back m or ⊥
  ➢ A outputs two plaintexts m_0, m_1; the challenger picks b ∈ {0,1} and random coins r, and returns the challenge c* = E(m_b; r)
  ➢ CCA2 phase: A keeps querying D on any c ≠ c*, getting m or ⊥
  ➢ A outputs a bit b' and wins if b' = b

  7. Indistinguishability: Probabilistic
  To achieve indistinguishability, a public-key encryption scheme must be probabilistic: otherwise, given the challenge c = E(m_b), anyone computes c_0 = E(m_0) and checks whether c_0 = c.
  For any plaintext, the number of possible ciphertexts must be lower-bounded by 2^k for a security level of 2^k: at least length(c) ≥ length(m) + k.

  8. Chosen-Ciphertext Security: Redundancy
  To resist chosen-ciphertext attacks, all the proposed constructions introduce redundancy:
  ➢ OAEP: redundancy in the padding (plaintext-awareness)
  ➢ REACT: a MAC in the ciphertext
  ➢ Cramer-Shoup: a proof of validity (which is redundancy)
  Because of this redundancy, a random ciphertext is valid (a possible output of the encryption algorithm) with very small probability, less than 2^-k; in practice: at least length(c) ≥ length(m) + 2k.

  9. Optimal Size = No Redundancy
  No redundancy = any ciphertext is valid:
  ➢ it is a possible output of E(m, r)
  ➢ the function E : M × R → C, (m, r) ↦ c is a surjection
  Advantages:
  ➢ optimal bandwidth
  ➢ no reaction attack / implementation issues
  ➢ easier distribution of the decryption process

  10. Full-Domain Permutation Encryption
  First candidate: in the same vein as the Full-Domain Hash signature.
  ➢ a public permutation P (Random Permutation Model) on M × R ≈ {0,1}^n × {0,1}^k ≈ {0,1}^l ≈ C
  ➢ a trapdoor one-way permutation f on {0,1}^l
  E : M × R → C, (m, r) ↦ c = f(P(m, r))
  ➢ the public key is the pair (f, P), which includes P^-1
  ➢ the private key is the trapdoor f^-1

  11. FDP Encryption is IND-CCA2 Secure
  In the RPM, a (t, ε)-IND-CCA2 adversary helps to invert f within almost the same time t, and with success probability greater than ε – q/2^k.
  Simulation of the oracles P, P^-1 and D using a list Λ of tuples (m, r, p, c), where p = P(m, r) and c = f(p) = E(m, r).
  ➢ problem: the D-simulation answers a query c with some m, implicitly assuming that some (m, r) corresponds to P^-1(f^-1(c)); if the adversary later asks for P(m, r), the simulation should output p = f^-1(c), which is unknown
  → but D outputs m only, so r remains unpredictable to the adversary: this bad event happens with probability at most q/2^k
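The following is an added illustration, not code from the slides or the paper: a toy FDP encryption c = f(P(m || r)) in which the public permutation P is sampled lazily and stored in a forward/backward table, exactly the list Λ that the proof's simulator keeps so that P and P^-1 answers stay consistent. The trapdoor permutation f is RSA with two constructed Mersenne primes (far too small for real use), the padding domain is {0,1}^L with L = |N| – 1 so that every padded value lies below N, and the names f, f_inv, LazyRandomPermutation, fdp_encrypt and fdp_decrypt are this example's own. Lazy sampling only makes sense inside the random-permutation model; a deployment needs a fixed public permutation.

```python
import secrets

# Toy trapdoor permutation f: textbook RSA on constructed parameters (assumption:
# two fixed Mersenne primes, 92-bit modulus; not a real-world key size).
P_PRIME = (1 << 61) - 1
Q_PRIME = (1 << 31) - 1
N = P_PRIME * Q_PRIME
E = 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))
L = N.bit_length() - 1      # 91-bit padding domain: every x < 2^L is below N
K = 27                      # random bits r per encryption
NBITS = L - K               # 64 message bits


def f(x):
    """Public direction of the trapdoor permutation."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor direction (private key)."""
    return pow(y, D, N)


class LazyRandomPermutation:
    """Public permutation P on {0,1}^bits, sampled on demand.

    fwd/bwd together are the list Lambda of the security proof: a fresh query
    to P (or P^-1) gets a uniformly random answer that has not been used yet,
    so the tables always describe a bijection and answers never contradict.
    """

    def __init__(self, bits):
        self.bits, self.fwd, self.bwd = bits, {}, {}

    def P(self, x):
        if x not in self.fwd:
            y = secrets.randbits(self.bits)
            while y in self.bwd:          # keep P injective
                y = secrets.randbits(self.bits)
            self.fwd[x], self.bwd[y] = y, x
        return self.fwd[x]

    def P_inv(self, y):
        if y not in self.bwd:
            x = secrets.randbits(self.bits)
            while x in self.fwd:          # keep P^-1 injective as well
                x = secrets.randbits(self.bits)
            self.fwd[x], self.bwd[y] = y, x
        return self.bwd[y]


PERM = LazyRandomPermutation(L)


def fdp_encrypt(m, r=None):
    """c = f(P(m || r)) with fresh k-bit r; no redundancy is added anywhere."""
    assert 0 <= m < (1 << NBITS)
    r = secrets.randbits(K) if r is None else r
    return f(PERM.P((m << K) | r))


def fdp_decrypt(c):
    """m || r = P^-1(f^-1(c)); drop r. The padding itself never rejects."""
    x = f_inv(c)
    if x >= (1 << L):
        # Only the RSA domain mismatch (Z_N vs {0,1}^L) can reject a ciphertext;
        # this is an artefact of instantiating f with RSA, not padding redundancy.
        return None
    return PERM.P_inv(x) >> K


def random_in_domain_ciphertext():
    """A uniformly random point of f({0,1}^L): with FDP it always decrypts."""
    return f(secrets.randbits(L))
```

Running fdp_decrypt on a random in-domain ciphertext always returns some plaintext, which is the "any ciphertext is valid" property of slide 9; the RSA domain check is the one exception and stems from the choice of f, not from the scheme.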

  12. FDP Encryption: Properties
  ➢ no redundancy
  ➢ optimal bandwidth: length(c) = length(m) + k
  ➢ high security level: IND-CCA2, with an efficient reduction, but in the Random-Permutation Model
  Can we weaken the assumptions?

  13. The Random-Oracle Model
  A weaker model: the random-oracle model
  ➢ access to a truly random function
  How to build a random permutation from a random function?
  ➢ Luby-Rackoff: a Feistel construction
  ➢ not that easy: here, one has access to the internal function...
  Let us try anyway: OAEP

  14. 2-round OAEP
  r random, M = m || 0^k, with G and H random functions:
  ➢ s = M ⊕ G(r)
  ➢ t = r ⊕ H(s)
  E(m): c = f(s || t)
  D(c): s || t = f^-1(c), then invert OAEP; if the redundancy 0^k is satisfied, return m, otherwise reject

  15. 2-round OAEP (cont'd)
  In the random-oracle model, if f is a trapdoor partial-domain one-way permutation:
  ➢ (s, t) ↦ f(s || t) is trapdoor one-way
  ➢ recovering s from f(s || t) is also hard
  With a redundancy 0^k and a random of size k_0, the encryption scheme f-OAEP is IND-CCA2 with a quadratic-time reduction (in q_G q_H T_f) and a quadratic loss (in q_D q_G / 2^k_0, hence k_0 = 2k):
  length(c) = length(m) + 3k

  16. What About the Redundancy?
  For IND-CCA2: redundancy. Plaintext-awareness means that invalid ciphertexts exist.
  Without redundancy... is it still IND-CCA2?
  ➢ 2-round OAEP: no known attack, but no proof either → any simulation seems to be subject to Shoup's attack (malleability of OAEP)
  ➢ 3-round OAEP: can be proven

  17. 3-round OAEP
  r random, with F, G and H random functions:
  ➢ s = m ⊕ F(r)
  ➢ t = r ⊕ G(s)
  ➢ u = s ⊕ H(t)
  E(m): c = f(t || u)
  D(c): t || u = f^-1(c), then invert OAEP and return m (there is no redundancy to check)
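The next block is an added example, not code from the slides or the paper, implementing 2-round OAEP (slide 14, with its 0^k redundancy check) and 3-round OAEP (slide 17, no check) side by side over the same toy RSA trapdoor permutation. The random oracles F, G, H are stood in for by SHA-256 with domain-separation tags and truncation; the RSA parameters are constructed Mersenne primes with a 91-bit padding domain (L = |N| – 1), far too small for real use; the parameter split (27 random bits, 32 redundancy bits for the 2-round variant) and all function names are this example's own. It also shows the claim of slide 8 versus slide 9: a random in-domain ciphertext is rejected by 2-round OAEP with probability about 1 – 2^-k, while 3-round OAEP accepts every one.

```python
import hashlib
import secrets

# Toy trapdoor permutation f: textbook RSA on constructed parameters (assumption:
# two fixed Mersenne primes, 92-bit modulus, not a realistic key size).
P_PRIME = (1 << 61) - 1
Q_PRIME = (1 << 31) - 1
N = P_PRIME * Q_PRIME
E = 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))
L = N.bit_length() - 1        # 91-bit padding domain, always below N


def f(x):
    return pow(x, E, N)


def f_inv(y):
    return pow(y, D, N)


def RO(tag, x, bits):
    """Random-oracle stand-in: SHA-256 over a domain-separation tag and the
    input (< 2^128 here), truncated to `bits` output bits."""
    digest = hashlib.sha256(tag + x.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


K0 = 27                       # size of the random r in both schemes

# --- 2-round OAEP: M = m || 0^K1, s = M xor G(r), t = r xor H(s), c = f(s || t)
K1 = 32                       # redundancy bits (the 0^k of slide 14)
N2 = L - K0 - K1              # 32 message bits


def oaep2_encrypt(m, r=None):
    assert 0 <= m < (1 << N2)
    r = secrets.randbits(K0) if r is None else r
    s = (m << K1) ^ RO(b"2G", r, N2 + K1)
    t = r ^ RO(b"2H", s, K0)
    return f((s << K0) | t)


def oaep2_decrypt(c):
    x = f_inv(c)
    if x >= (1 << L):                      # RSA domain mismatch, not padding
        return None
    s, t = x >> K0, x & ((1 << K0) - 1)
    r = t ^ RO(b"2H", s, K0)
    M = s ^ RO(b"2G", r, N2 + K1)
    if M & ((1 << K1) - 1):                # redundancy check: low K1 bits must be 0
        return None
    return M >> K1


# --- 3-round OAEP: s = m xor F(r), t = r xor G(s), u = s xor H(t), c = f(t || u)
N3 = L - K0                   # 64 message bits, no redundancy at all


def oaep3_encrypt(m, r=None):
    assert 0 <= m < (1 << N3)
    r = secrets.randbits(K0) if r is None else r
    s = m ^ RO(b"3F", r, N3)
    t = r ^ RO(b"3G", s, K0)
    u = s ^ RO(b"3H", t, N3)
    return f((t << N3) | u)


def oaep3_decrypt(c):
    x = f_inv(c)
    if x >= (1 << L):                      # RSA domain mismatch, not padding
        return None
    t, u = x >> N3, x & ((1 << N3) - 1)
    s = u ^ RO(b"3H", t, N3)
    r = t ^ RO(b"3G", s, K0)
    return s ^ RO(b"3F", r, N3)            # every (t, u) yields some m


def fraction_valid(decrypt, trials):
    """Share of uniformly random in-domain ciphertexts f(x), x < 2^L, that the
    given decryption routine accepts."""
    accepted = sum(decrypt(f(secrets.randbits(L))) is not None
                   for _ in range(trials))
    return accepted / trials
```

fraction_valid(oaep2_decrypt, n) is essentially 0 (each random ciphertext passes the 0^K1 check with probability 2^-32), while fraction_valid(oaep3_decrypt, n) is exactly 1: the 3-round transform is a permutation of {0,1}^L and its inverse never fails. The only rejection either routine can return comes from f^-1(c) ≥ 2^L, an artefact of pairing a bit-string padding with RSA on Z_N.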

  18. Idea of the Security
  2-round OAEP: as in Shoup's attack,
  ➢ the adversary can forge a ciphertext c with the same r as in the challenge ciphertext
  ➢ the simulator cannot check that!
  With one more round:
  ➢ the adversary is stuck! ⇒ one can simulate everything
  ➢ at random when not already known

  19. Tightness of the Reduction
  Everything works well with lists Λ_F, Λ_G, Λ_H, Λ_D.
  But a new value g = G(s) fixes, for r = t ⊕ g, the answer F(r) = m ⊕ s for any (t, h) ∈ Λ_H and (m, c) ∈ Λ_D such that c = f(t || h ⊕ s):
  ➢ this is fine if the query F(r) is asked later, since the simulator can then answer consistently
  ➢ problem if such a query has already been asked...
  Since g is random, the overall probability of such a bad event is upper-bounded by q_D q_F / 2^k.

  20. Security Result
  With a random of size k_0, but no redundancy: in the ROM, a (t, ε)-IND-CCA2 adversary helps to partially invert f within t' ≈ t + q_G q_H T_f, and with success probability greater than ε – q_D Q / 2^k_0.
  The 3-round OAEP is IND-CCA2 with a quadratic-time reduction and a quadratic loss (⇒ k_0 = 2k):
  length(c) = length(m) + 2k

  21. Conclusion
  We have proposed the first IND-CCA2 encryption schemes without redundancy:
  ➢ the FDP encryption is optimal: based on the OW of the trapdoor permutation, with optimal bandwidth, but in the Random-Permutation Model
  ➢ the 3-round OAEP has similar characteristics as the 2-round OAEP, but without redundancy
