
IND-CCA2 secure cryptosystems, Dan Bogdanov, University of Tartu (slide deck)



  1. MTAT.07.006 Research Seminar in Cryptography
     IND-CCA2 secure cryptosystems
     Dan Bogdanov, University of Tartu, db@ut.ee
     Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 1

  2. Overview
     • Notion of indistinguishability
     • The Cramer-Shoup cryptosystem
     • Newer results

  3. Indistinguishability assumptions
     Indistinguishability under a ...
     • Chosen Plaintext Attack (IND-CPA security)
     • Chosen Ciphertext Attack (IND-CCA security)
     • Adaptive Chosen Ciphertext Attack (IND-CCA2 security)

  4. Who is the bad guy?
     We are protecting ourselves from the evil $A$, who
     • is a probabilistic polynomial time Turing machine,
     • has all the algorithms and
     • has full access to communication media.

  5. IND-CPA Definition - Startup
     In the following game $E(PK, m)$ represents the encryption of a message $m$ using the key $PK$.
     1. The challenger generates a key pair $PK, SK$ based on the security parameter $k$ (which can be the key size in bits), and publishes $PK$ to the adversary. The challenger retains $SK$.
     2. The adversary may perform any number of encryptions or other operations.
     3. Eventually, the adversary submits two distinct chosen plaintexts $m_0$ and $m_1$ to the challenger.

  6. IND-CPA Definition - The Challenge
     4. The challenger selects a bit $b \in \{0, 1\}$ uniformly at random, and sends the challenge ciphertext $C = E(PK, m_b)$ back to the adversary.
     5. The adversary is free to perform any number of additional computations or encryptions. Finally, it outputs a guess for the value of $b$.

  7. IND-CPA Definition - The Result
     • The adversary $A$ wins the game if it guesses the bit $b$.
     • A cryptosystem is indistinguishable under chosen plaintext attack if no adversary can win the above game with probability $p$ greater than $\frac{1}{2} + \epsilon$, where $\epsilon$ is a negligible function in the security parameter $k$.
     • If $p > \frac{1}{2}$ then the difference $p - \frac{1}{2}$ is the advantage of the given adversary in distinguishing the ciphertext.

  8. IND-CCA Definition - Startup
     NEW: The adversary $A$ gains access to a decryption oracle which decrypts arbitrary ciphertexts at the adversary's request, returning the plaintext.
     1. The challenger generates a key pair $PK, SK$ based on some security parameter $k$ (e.g., a key size in bits), and publishes $PK$ to the adversary. The challenger retains $SK$.
     2. The adversary may perform any number of encryptions, calls to the decryption oracle based on arbitrary ciphertexts, or other operations.
     3. Eventually, the adversary submits two distinct chosen plaintexts $m_0, m_1$ to the challenger.

  9. IND-CCA Definition - The Challenge
     4. The challenger selects a bit $b \in \{0, 1\}$ uniformly at random, and sends the "challenge" ciphertext $C = E(PK, m_b)$ back to the adversary. The adversary is free to perform any number of additional computations or encryptions.
        (a) In the non-adaptive case (IND-CCA), the adversary may not make further calls to the decryption oracle before guessing.
        (b) In the adaptive case (IND-CCA2), the adversary may make further calls to the decryption oracle, but may not submit the challenge ciphertext $C$.
     5. In the end it will guess the value of $b$.

  10. IND-CCA Definition - The Result
     • Again, the adversary $A$ wins the game if it guesses the bit $b$.
     • A cryptosystem is indistinguishable under chosen ciphertext attack if no adversary can win the above game with probability $p$ greater than $\frac{1}{2} + \epsilon$, where $\epsilon$ is a negligible function in the security parameter $k$.
     • If $p > \frac{1}{2}$ then the difference $p - \frac{1}{2}$ is the advantage of the given adversary in distinguishing the ciphertext.

  11. The Cramer-Shoup cryptosystem
     Published in: R. Cramer, V. Shoup. "A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack". In Advances in Cryptology - CRYPTO 1998, volume 1462 of LNCS, 1998.
     • Provably secure against adaptive chosen ciphertext attacks.
     • The first practical such cryptosystem.
     • The security proof is based on the hardness of the Diffie-Hellman decision problem in the used group.

  12. The Cramer-Shoup Scheme - Assumptions
     • We assume that we have a group $G$ of prime order $q$ where $q$ is large.
     • The encrypted messages are elements of $G$.
     • A family of universal one-way hash functions that map long bit strings to elements of $\mathbb{Z}_q$ is also required.

  13. The Cramer-Shoup Scheme - Key Generation
     1. We choose two random elements $g_1, g_2 \in G$ and $x_1, x_2, y_1, y_2, z \in \mathbb{Z}_q$.
     2. We calculate $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$, $h = g_1^{z}$.
     3. We choose a hash function $H$ from our family of universal one-way hash functions.
     4. The public key is $(g_1, g_2, c, d, h, H)$ and the secret key is $(x_1, x_2, y_1, y_2, z)$.

  14. The Cramer-Shoup Scheme - Encryption
     1. To encrypt a message $m \in G$ we choose a random $r \in \mathbb{Z}_q$ and compute
        (a) $u_1 = g_1^{r}$, $u_2 = g_2^{r}$
        (b) $e = h^{r} m$
        (c) $\alpha = H(u_1, u_2, e)$, $v = c^{r} d^{r\alpha}$
     2. The ciphertext for $m$ is $(u_1, u_2, e, v)$.

  15. The Cramer-Shoup Scheme - Decryption
     1. Given a ciphertext $(u_1, u_2, e, v)$ we first compute $\alpha = H(u_1, u_2, e)$.
     2. Check if $u_1^{x_1 + y_1 \alpha} u_2^{x_2 + y_2 \alpha} = v$.
        (a) If the condition does not hold, we reject the ciphertext as invalid.
        (b) Otherwise we decrypt the message $m = e / u_1^{z}$.

  16. The Cramer-Shoup Scheme - Verification
     To verify the scheme we have to check that we actually get our encrypted $m$ back after decrypting. From key generation we know that $c = g_1^{x_1} g_2^{x_2}$ and from the encryption algorithm we know that $u_1 = g_1^{r}$, $u_2 = g_2^{r}$. From this we get $u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = c^{r}$. Also, $u_1^{y_1} u_2^{y_2} = d^{r}$ and $u_1^{z} = h^{r}$. The decryption algorithm tests whether $u_1^{x_1 + y_1 \alpha} u_2^{x_2 + y_2 \alpha} = v$. The left side factors as $u_1^{x_1} u_2^{x_2} \cdot (u_1^{y_1} u_2^{y_2})^{\alpha} = c^{r} d^{r\alpha}$, and from encryption we have $v = c^{r} d^{r\alpha}$, so the test will go through for an honestly generated ciphertext. If it does, we can get $m$ by simply reversing the $e = h^{r} m$ computation from encryption: $e / u_1^{z} = h^{r} m / h^{r} = m$.
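As an added worked example (my code, not from the slides or the Cramer-Shoup paper), the key generation, encryption and decryption steps above in Python over a Schnorr group; it assumes a randomly generated toy-size safe prime $p = 2q+1$ and uses SHA-256 reduced mod $q$ in place of the universal one-way hash family.

```python
import hashlib
import secrets
# Toy Cramer-Shoup over the order-q subgroup G of Z_p^* for a safe prime p = 2q + 1.
# Group parameters are generated on import; a 48-bit p is for speed, not security.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):  # Miller-Rabin with fixed bases, deterministic for n < 2^64
    if n < 2 or any(n % a == 0 for a in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def safe_prime(bits):  # returns (p, q) with q prime and p = 2q + 1 prime
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(48)
rand_G = lambda: pow(secrets.randbelow(P - 3) + 2, 2, P)  # squares mod p are exactly G

def H(u1, u2, e):  # SHA-256 reduced mod q stands in for the universal one-way hash family
    return int.from_bytes(hashlib.sha256(f"{u1},{u2},{e}".encode()).digest(), "big") % Q

def keygen():
    g1, g2 = rand_G(), rand_G()
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    c = pow(g1, x1, P) * pow(g2, x2, P) % P
    d = pow(g1, y1, P) * pow(g2, y2, P) % P
    return (g1, g2, c, d, pow(g1, z, P)), (x1, x2, y1, y2, z)  # (pk, sk)

def encrypt(pk, m):
    g1, g2, c, d, h = pk
    r = secrets.randbelow(Q)
    u1, u2, e = pow(g1, r, P), pow(g2, r, P), pow(h, r, P) * m % P
    alpha = H(u1, u2, e)
    return u1, u2, e, pow(c, r, P) * pow(d, r * alpha % Q, P) % P

def decrypt(sk, ct):  # returns m, or None when the validity check fails
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    alpha = H(u1, u2, e)
    lhs = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    if any(pow(t, Q, P) != 1 for t in ct) or lhs != v:  # also reject elements outside G
        return None
    return e * pow(u1, Q - z, P) % P  # e / u1^z, since u1 has order q
```

The decrypt step additionally rejects ciphertext components that are not in $G$, which the slides take for granted; a ciphertext whose $e$ has been multiplied by another group element fails the $v$ check because $\alpha$ changes.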

  17. The Cramer-Shoup generalisation
     In 2001 Cramer and Shoup published a general approach to constructing IND-CCA2 secure cryptosystems.
     • They introduce Universal Hash Proof Systems (UHPS), a kind of non-interactive zero-knowledge proof system for a language.
     • They show that when given an efficient UHPS for a language with certain natural cryptographic indistinguishability properties, one can construct an efficient IND-CCA2 secure public-key encryption scheme.
     • They construct two more systems and show that their original system is a case in their general theory.

  18. The Oblivious Decryptors method
     Proposed in 2002 by Elkind and Sahai.
     • A unifying methodology for constructing IND-CCA2 secure schemes. Generalises the Cramer-Shoup scheme and other schemes (at the time of writing the article).
     • Main construction: An encryption scheme satisfying Oblivious Decryptors can be extended with a Simulation-Sound Non-Interactive Zero-Knowledge proof to produce an IND-CCA2 secure encryption system.

  19. An Identity-Based IND-CCA2 secure cryptosystem
     Bleeding-edge: proposed by Boyen, Mei and Waters in 2005.
     • An Identity-Based Encryption (IBE) scheme is a key authentication system in which the public key of a user is some unique information about the identity of the user (e.g. a user's email address).
     • Build a compact IND-CCA2 encryption system based on the Waters identity-based encryption system.
     • A fresh approach as it doesn't fall under previous unified models.
     • The proposed cryptosystem is efficient and has short ciphertexts. This is due to integration with the underlying IBE.

  20. End of talk
     Thanks for listening!
