Chosen-Ciphertext Security without Redundancy
Duong Hieu Phan (ENS – France) and David Pointcheval (CNRS-ENS – France)
Asiacrypt '03, Taipei, Taiwan, December 1st 2003
Summary
➢ Asymmetric Encryption
➢ Full-Domain Permutation Encryption
➢ 3-round OAEP
➢ Conclusion
David Pointcheval – CNRS - ENS Chosen-Ciphertext Security without Redundancy - 2
Asymmetric Encryption
An asymmetric encryption scheme π = (G, E, D) is defined by 3 algorithms:
➢ G – key generation: from random coins ω, G(ω) outputs the key pair (k_e, k_d), k_e public and k_d private
➢ E – encryption: from a plaintext m and random coins r, E_{k_e}(m; r) outputs a ciphertext c
➢ D – decryption: from a ciphertext c, D_{k_d}(c) outputs the plaintext m (or ⊥)
Security Notions
➢ One-Wayness (OW): without the private key, it is computationally infeasible to recover the plaintext from a ciphertext
➢ Semantic Security (IND – Indistinguishability): the ciphertext reveals no information about the plaintext to a polynomial-time adversary beyond what it already knew
Attacks
Chosen-Plaintext Attacks (CPA)
➢ the basic attack in the public-key setting
→ the adversary can encrypt any message of its choice, since the encryption key is public
More information: oracle access
Chosen-Ciphertext Attacks (CCA): the adversary has access to the decryption oracle on any ciphertext of its choice (except the challenge)
➢ non-adaptive (CCA1): only before receiving the challenge
➢ adaptive (CCA2): unlimited oracle access, both before and after the challenge
IND-CCA2
The IND-CCA2 game (figure):
➢ G outputs (k_e, k_d); the adversary A receives k_e, the challenger keeps k_d
➢ CCA1 phase: A submits ciphertexts c to the decryption oracle D and gets back m or ⊥
➢ A outputs two plaintexts m_0, m_1; the challenger picks b ∈ {0,1} and a random r, and returns the challenge c* = E(m_b; r)
➢ CCA2 phase: A keeps querying D on any c ≠ c*, and gets back m or ⊥
➢ A outputs a bit b'; it wins if b' = b
Indistinguishability: Probabilistic
To achieve indistinguishability, a public-key encryption scheme must be probabilistic:
otherwise, with the challenge c = E(m_b), one computes c_0 = E(m_0) and checks whether c_0 = c.
For any plaintext, the number of possible ciphertexts must be lower-bounded by 2^k, for a security level of 2^k:
at least length(c) ≥ length(m) + k.
Chosen-Ciphertext Security: Redundancy
To resist chosen-ciphertext attacks, all the proposed constructions introduce redundancy:
➢ OAEP: redundancy in the padding (plaintext-awareness)
➢ REACT: MAC in the ciphertext
➢ Cramer-Shoup: proof of validity = redundancy
Such redundancy makes a random ciphertext valid (a possible output of the encryption algorithm) only with a very small probability, less than 2^-k:
in practice, at least length(c) ≥ length(m) + 2k.
Optimal Size = No Redundancy
No redundancy = any ciphertext is valid:
➢ it is a possible output of E(m, r)
➢ the function E : M × R → C, (m, r) ↦ c, is a surjection
Advantages:
➢ optimal bandwidth
➢ no reaction attack, and no implementation issues from handling invalid ciphertexts (there are none)
➢ easier distribution of the decryption process
Full-Domain Permutation Encryption
First candidate: in the same vein as the Full-Domain Hash signature
➢ Public permutation P (Random Permutation Model) onto M × R ≈ C ≈ {0,1}^n × {0,1}^k ≈ {0,1}^l, with l = n + k
➢ Trapdoor one-way permutation f onto {0,1}^l
E : M × R → C, (m, r) ↦ c = f(P(m || r))
➢ the public key is the pair (f, P), which includes P^-1 (P is public, so anyone can evaluate it in both directions)
➢ the private key is the trapdoor f^-1
FDP Encryption is IND-CCA2 Secure
In the RPM, a (t, ε)-IND-CCA2 adversary helps to invert f within almost the same time t, and with success probability greater than ε – q/2^k.
Simulation of the oracles P, P^-1 and D using a list Λ of tuples (m, r, p, c): p = P(m || r), c = f(p) = E(m, r)
➢ problem if (m, r) is assumed to correspond to P^-1(f^-1(c)) from the D-simulation, and the adversary then asks for P(m || r):
→ the simulation should output p = f^-1(c), which is unknown
→ but D outputs m only: r is unpredictable to the adversary, so such a query occurs with probability at most q/2^k
FDP Encryption: Properties
➢ No redundancy
➢ Optimal bandwidth: length(c) = length(m) + k
➢ High security level: IND-CCA2
→ with an efficient (tight) reduction
→ but in the Random-Permutation Model
Can we weaken the assumptions?
The Random-Oracle Model
A weaker model: the random-oracle model
➢ access to a truly random function
How to build a random permutation from a random function?
➢ Luby-Rackoff: a Feistel construction
➢ not that easy: here, the adversary has access to the internal (round) functions...
Let us try anyway: OAEP
2-round OAEP
G, H: random functions; r random; M = m || 0^k
➢ s = M ⊕ G(r), t = r ⊕ H(s)
E(m): c = f(s || t)
D(c): s || t = f^-1(c), then invert OAEP: r = t ⊕ H(s), M = s ⊕ G(r); if the redundancy is satisfied (M = m || 0^k), one returns m, else ⊥
2-round OAEP (cont'd)
In the random-oracle model, if f is a trapdoor partial-domain one-way permutation:
➢ (s, t) ↦ f(s || t) trapdoor one-way
➢ f(s || t) ↦ s also hard to compute
with a redundancy 0^k and a random r of size k_0, the encryption scheme f-OAEP is IND-CCA2, with
➢ a quadratic-time reduction (in q_G q_H T_f)
➢ a quadratic loss (in q_D q_G / 2^{k_0}, hence k_0 = 2k)
length(c) = length(m) + 3k
What About the Redundancy?
For IND-CCA2, redundancy gives plaintext-awareness: invalid ciphertexts exist and can be rejected.
Without redundancy... is it still IND-CCA2?
➢ 2-round OAEP: no known attack, but no proof either
→ any simulation seems to be subject to Shoup's attack (malleability of OAEP)
➢ 3-round OAEP: can be proven
3-round OAEP
F, G and H: random functions; r random
➢ s = m ⊕ F(r), t = r ⊕ G(s), u = s ⊕ H(t)
E(m): c = f(t || u)
D(c): t || u = f^-1(c), then invert OAEP: s = u ⊕ H(t), r = t ⊕ G(s), m = s ⊕ F(r), and return m (no redundancy check: every ciphertext decrypts)
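The two paddings, 2-round OAEP with the 0^k redundancy and 3-round OAEP without any, as an added runnable example that is not part of the paper or these slides. The trapdoor permutation f is stood in for by textbook RSA with a constructed toy modulus (the Mersenne primes 2^127-1 and 2^89-1, not a secure key size), the random oracles F, G, H by domain-separated SHA-256 in counter mode, and the byte-sized parameters (k_0 = 64 bits of randomness, k = 16 bits of redundancy, l = 208 bits) are chosen for illustration only. The checks at the end sample uniform elements of {0,1}^l, i.e. random ciphertexts up to the bijection f, and show that the 3-round inverse accepts all of them while the 2-round inverse rejects all but about 2^-k: the 3-round Feistel is a bijection of M × R onto {0,1}^l, which is exactly the role of the public permutation P in the FDP construction.

```python
import hashlib
import secrets

# Toy trapdoor permutation f: textbook RSA on Z_N with CONSTRUCTED parameters
# (Mersenne primes). A 216-bit modulus is far from secure; it only has to be a
# permutation for this demonstration.
P_TOY = (1 << 127) - 1
Q_TOY = (1 << 89) - 1
N_TOY = P_TOY * Q_TOY
E_PUB = 65537
D_PRIV = pow(E_PUB, -1, (P_TOY - 1) * (Q_TOY - 1))

# f is applied to l-bit strings embedded in Z_N, so we need 2^l < N.
L_BYTES = 26                    # l = 208 bits (bitlen(N) = 216); toy choice
assert (1 << (8 * L_BYTES)) < N_TOY
K0 = 8                          # |r| = k0 bits (toy: 64)
N_M = L_BYTES - K0              # 3-round OAEP: |m| = n = l - k0, no redundancy
K_RED = 2                       # 2-round OAEP: redundancy 0^k (toy: k = 16 bits)
N_M2 = L_BYTES - K0 - K_RED     # 2-round OAEP carries k fewer message bits


def f_rsa(x: bytes) -> int:
    """Trapdoor one-way permutation f on {0,1}^l (read as an integer < 2^l < N)."""
    assert len(x) == L_BYTES
    return pow(int.from_bytes(x, "big"), E_PUB, N_TOY)


def f_rsa_inv(c: int) -> bytes:
    """Trapdoor inverse f^-1, defined here on C = f({0,1}^l) only."""
    x = pow(c, D_PRIV, N_TOY)
    if x >= 1 << (8 * L_BYTES):
        raise ValueError("c is not in the image of f on {0,1}^l")
    return x.to_bytes(L_BYTES, "big")


def ro(label: bytes, data: bytes, out_len: int) -> bytes:
    """Random-oracle stand-in: SHA-256 in counter mode, domain-separated per oracle."""
    out = b""
    for ctr in range((out_len + 31) // 32):
        out += hashlib.sha256(label + ctr.to_bytes(4, "big") + data).digest()
    return out[:out_len]


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# 3-round OAEP: s = m xor F(r), t = r xor G(s), u = s xor H(t); x = t || u
def oaep3_pad(m: bytes, r: bytes) -> bytes:
    s = xor(m, ro(b"F", r, N_M))
    t = xor(r, ro(b"G", s, K0))
    u = xor(s, ro(b"H", t, N_M))
    return t + u


def oaep3_unpad(x: bytes):
    """Inverse Feistel: every x in {0,1}^l inverts to some (m, r); nothing is rejected."""
    t, u = x[:K0], x[K0:]
    s = xor(u, ro(b"H", t, N_M))
    r = xor(t, ro(b"G", s, K0))
    m = xor(s, ro(b"F", r, N_M))
    return m, r


# 2-round OAEP: M = m || 0^k, s = M xor G(r), t = r xor H(s); x = s || t
def oaep2_pad(m: bytes, r: bytes) -> bytes:
    big_m = m + bytes(K_RED)
    s = xor(big_m, ro(b"G2", r, N_M2 + K_RED))
    t = xor(r, ro(b"H2", s, K0))
    return s + t


def oaep2_unpad(x: bytes):
    """Returns (m, r), or None (the ⊥ answer) when the 0^k redundancy check fails."""
    s, t = x[:N_M2 + K_RED], x[N_M2 + K_RED:]
    r = xor(t, ro(b"H2", s, K0))
    big_m = xor(s, ro(b"G2", r, N_M2 + K_RED))
    if big_m[N_M2:] != bytes(K_RED):
        return None
    return big_m[:N_M2], r


def encrypt(pad, m: bytes) -> int:
    """c = f(pad(m, r)) with fresh random r of k0 bits."""
    return f_rsa(pad(m, secrets.token_bytes(K0)))


def decrypt(unpad, c: int):
    """m = first component of unpad(f^-1(c)); None stands for ⊥ (2-round only)."""
    res = unpad(f_rsa_inv(c))
    return None if res is None else res[0]


def acceptance_rate(unpad, trials: int = 2000) -> float:
    """Fraction of uniformly random l-bit strings the inverse padding accepts.
    f is a bijection of {0,1}^l onto C, so this is the fraction of random
    ciphertexts the decryptor accepts: 1.0 without redundancy, about 2^-k with."""
    hits = sum(unpad(secrets.token_bytes(L_BYTES)) is not None for _ in range(trials))
    return hits / trials


def padding_is_bijective(trials: int = 200) -> bool:
    """Surjectivity check: a random x in {0,1}^l always re-pads to itself (3-round)."""
    return all(oaep3_pad(*oaep3_unpad(secrets.token_bytes(L_BYTES))) == x
               for x in [None] * 0) or all(
        oaep3_pad(*oaep3_unpad(x)) == x
        for x in (secrets.token_bytes(L_BYTES) for _ in range(trials)))
```

Because textbook RSA permutes Z_N and not {0,1}^l, f_rsa_inv is restricted above to the image of f; the redundancy-free property demonstrated is that of the padding, which is what the slides argue about. With a genuine permutation of {0,1}^l (or in the Random Permutation Model of the FDP slides) the same check would apply to the whole ciphertext space.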
Idea of the Security
2-round OAEP: as in Shoup's attack,
➢ the adversary can forge a ciphertext c with the same r as in the challenge ciphertext
➢ the simulator cannot check that!
With one more round:
➢ the adversary is stuck! ⇒ one can simulate everything
➢ at random when not already known (from the lists)
Tightness of the Reduction
Everything works well with lists Λ_F, Λ_G, Λ_H, Λ_D.
But a new query g = G(s) implies, with r = t ⊕ g,
➢ F(r) = m ⊕ s for any (t, h) ∈ Λ_H and (m, c) ∈ Λ_D such that c = f(t || h ⊕ s),
in case such a query F(r) is asked later (so that the earlier decryption answer m remains consistent).
Problem if such a query F(r) has already been asked...
Since g is random, r is uniform, so the overall probability of such a bad event is upper-bounded by q_D q_F / 2^k (union bound over the q_D decryption answers and the q_F earlier F-queries).
Security Result
With a random r of size k_0, but no redundancy:
in the ROM, a (t, ε)-IND-CCA2 adversary helps to partially invert f within t' ≈ t + q_G q_H T_f, and with success probability greater than ε – q_D Q / 2^{k_0}.
The 3-round OAEP is IND-CCA2 with
➢ a quadratic-time reduction
➢ a quadratic loss (⇒ k_0 = 2k)
length(c) = length(m) + 2k
Conclusion
We have proposed the first IND-CCA2 encryption schemes without redundancy:
the FDP encryption is optimal
➢ based on the one-wayness of the trapdoor permutation
➢ optimal bandwidth
➢ but in the Random-Permutation Model
the 3-round OAEP has similar characteristics to the 2-round OAEP, but without redundancy