ind cca2 secure cryptosystems
play

IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu - PowerPoint PPT Presentation

Aug 25, 2022 •185 likes •396 views

MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 1 Overview Notion of

  1. MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 1

  2. Overview • Notion of indistinguishability • The Cramer-Shoup cryptosystem • Newer results Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 2

  3. Indistinguishability assumptions Indistinguishability under a ... • Chosen Plaintext Attack - ( IND-CPA security ) • Chosen Ciphertext Attack - ( IND-CCA security ) • Adaptive Chosen Ciphertext Attack - ( IND-CCA2 security ) Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 3

  4. Who is the bad guy? We are protecting ourselves from the evil A , who • is a probabilistic polynomial time Turing machine, • has all the algorithms and • has full access to communication media. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 4

  5. IND-CPA Definition - Startup In the following game E ( PK, m ) represents the encryption of a message m using the key PK . 1. The challenger generates a key pair PK, SK based on the security parameter k (which can be the key size in bits), and publishes PK to the adversary. The challenger retains SK . 2. The adversary may perform any number of encryptions or other oper- ations. 3. Eventually, the adversary submits two distinct chosen plaintexts m 0 and m 1 to the challenger. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 5

  6. IND-CPA Definition - The Challenge 4. The challenger selects a bit b ∈ { 0 , 1 } uniformly at random, and sends the challenge ciphertext C = E ( PK, m b ) back to the adversary. 5. The adversary is free to perform any number of additional computa- tions or encryptions. Finally, it outputs a guess for the value of b . Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 6

  7. IND-CPA Definition - The Result • The adversary A wins the game if it guesses the bit b . • A cryptosystem is indistinguishable under chosen plaintext attack if no adversary can win the above game with probability p greater than 1 2 + ǫ , where ǫ is a negligible function in the security parameter k . • If p > 1 2 then the difference p − 1 2 is the advantage of the given adver- sary in distinguishing the ciphertext. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 7

  8. IND-CCA Definition - Startup NEW: The adversary A gains access to a decryption oracle which decrypts arbitrary ciphertexts at the adversary’s request, returning the plaintext. 1. The challenger generates a key pair PK, SK based on some secu- rity parameter k (e.g., a key size in bits), and publishes PK to the adversary. The challenger retains SK . 2. The adversary may perform any number of encryptions, calls to the decryption oracle based on arbitrary ciphertexts, or other operations. 3. Eventually, the adversary submits two distinct chosen plaintexts m 0 , m 1 to the challenger. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 8

  9. IND-CCA Definition - The Challenge 4. The challenger selects a bit b ∈ { 0 , 1 } uniformly at random, and sends the ”challenge” ciphertext C = E ( PK, m b ) back to the adversary. The adversary is free to perform any number of additional computa- tions or encryptions. (a) In the non-adaptive case (IND-CCA), the adversary may not make further calls to the decryption oracle before guessing. (b) In the adaptive case (IND-CCA2), the adversary may make further calls to the decryption oracle, but may not submit the challenge ciphertext C . 5. In the end it will guess the value of b . Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 9

  10. IND-CCA Definition - The Result • Again, the adversary A wins the game if it guesses the bit b . • A cryptosystem is indistinguishable under chosen ciphertext at- tack if no adversary can win the above game with probability p greater than 1 2 + ǫ , where ǫ is a negligible function in the security parameter k . • If p > 1 2 then the difference p − 1 2 is the advantage of the given adver- sary in distinguishing the ciphertext. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 10

  11. The Cramer-Shoup cryptosystem Published in: R. Cramer, V. Shoup. ”A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack” . In Advances in Cryptology CRYPTO 1998, volume 1462 of LNCS, 1998. • Provably secure against adaptive chosen ciphertext attacks. • The first practical such cryptosystem. • The security proof is based on the hardness of the Diffie-Hellman de- cision problem in the used group. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 11

  12. The Cramer-Shoup Scheme - Assumptions • We assume that we have a group G of prime order q where q is large. • The encrypted messages are elements of G . • An universal family one-way family of hash functions that map long bit strings to elements of Z q is also required. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 12

  13. The Cramer-Shoup Scheme - Key Generation 1. We choose two random elements g 1 , g 2 ∈ G and x 1 , x 2 , y 1 , y 2 , z ∈ Z q . 2. We calculate c = g x 1 1 g x 2 2 , d = g y 1 1 g y 2 2 , h = g z 1 . 3. We choose a hash function H from our family of universal one-way hash functions. 4. The public key is ( g 1 , g 2 , c, d, h, H ) and the secret key is ( x 1 , x 2 , y 1 , y 2 , z ) . Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 13

  14. The Cramer-Shoup Scheme - Encryption 1. To encrypt a message m ∈ G we choose a random r ∈ Z q and compute (a) u 1 = g r 1 , u 2 = g r 2 (b) e = h r m (c) α = H ( u 1 , u 2 , e ) , v = c r d rα 2. The ciphertext for m is ( u 1 , u 2 , e, v ) . Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 14

  15. The Cramer-Shoup Scheme - Encryption 1. Given a ciphertext ( u 1 , u 2 , e, v ) we first compute α = H ( u 1 , u 2 , e ) 2. Check if u x 1 + y 1 α u x 2 + y 2 α = v 1 2 (a) If the condition does not hold, we reject the ciphertext as invalid. (b) Otherwise we decrypt the message m = e/u z 1 . Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 15

  16. The Cramer-Shoup Scheme - Verification To verify the scheme we have to check if we actually get our encrypted m back after decrypting. From key generation we know that c = g x 1 1 g x 2 2 and from the encryption algorithm we know that u 1 = g r 1 , u 2 = g r 2 . From this we get u x 1 1 u x 2 2 = g rx 1 g rx 2 = c r . 1 2 Also, u y 1 1 u y 2 2 = d r and u z 1 = h r . The decryption algorithm tests, if u x 1 + y 1 α u x 2 + y 2 α = v . From encryption 1 2 we have v = c r d rα . This gives us the left side of the test equation and so the test will go through. If it does, we can get the m by simply reversing the e = h r m computation from encryption. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 16

  17. The Cramer-Shoup generalisation In 2001 Cramer and Shoup published a general approach to constructing IND-CCA2 secure cryptosystems. • They introduce Universal Hash Proof Systems (UHPS) which is a kind of non-interactive zero-knowledge proof system for a language. • They show that when given an efficient UHPS for a language with cer- tain natural cryptographic indistinguishability properties, one can con- struct an efficient IND-CCA2 secure public-key encryption scheme. • They construct two more systems and show that their original system is a case in their general theory. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 17

  18. The Oblivious Decryptors method Proposed in 2002 by Elkind and Sahai. • A unifying methodology for constructing IND-CCA2 secure schemes. Generalises the Cramer-Shoup scheme and other schemes (at the time of writing the article). • Main construction: An encryption scheme satisfying Oblivious De- cryptors can be extended with Simulation-Sound Non-Interactive Zero- Knowledge proof to produce an IND-CCA2 secure encryption system. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 18

  19. An Identity-Based IND-CCA2 secure cryptosystem Bleeding-edge: proposed by Boyen, Mei and Waters in 2005. • An Identity-Based Encryption (IBE) scheme is a key authentication system in which the public key of a user is some unique information about the identity of the user (eg. a user’s email address). • Build a compact IND-CCA2 encryption system based on the Waters identity-based encryption system. • A fresh approach as it doesn’t fall under previous unified models. • The proposed cryptosystem is efficient and has short ciphertexts. This is due to integration with the underlying IBE. Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 19

  20. End of talk Thanks for listening! Research Seminar in Cryptography, 31.10.2005 IND-CCA2 secure cryptosystems, Dan Bogdanov 20

Recommend

Outline Threshold Homomorphic Cryptosystems (THCs) Basic examples Secure multiparty

Outline Threshold Homomorphic Cryptosystems (THCs) Basic examples Secure multiparty

ECRYPT: Achievements and Perspectives Antwerp / May 27, 2008 PROVILAB Focus 2 Secure Multiparty Computation Based on Threshold Homomorphic Cryptosystems Berry Schoenmakers Coding & Crypto group Dept. Math & CS TU Eindhoven Outline

583 views • 13 slides
The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany, fstrenzke@crypto-source.de April 13, 2015 Fast and

494 views • 38 slides
Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks joint work with Pierre-Alain

Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks joint work with Pierre-Alain

Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks joint work with Pierre-Alain Fouque Asiacrypt 01 Gold Coast - Australia December 2001 David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr

436 views • 9 slides
Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s Many important and storied examples. See: http://users.telenet.be/d.rijmenants/ Jim Royer Well talk about just one in detail: the one-time pad .

250 views • 6 slides
Knowing without Seeing Informational Power, Cryptosystems and the Law @mikarv Centralised Data,

Knowing without Seeing Informational Power, Cryptosystems and the Law @mikarv Centralised Data,

Michael Veale University College London // the Alan Turing Institute Knowing without Seeing Informational Power, Cryptosystems and the Law @mikarv Centralised Data, Broadcast Data is a third way possible? @mikarv References: Secure

256 views • 23 slides
Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric cryptosystems Computer Security Digital signatures January 30, 2006 Digital hashes Key recovery cryptosystems Lecture 4 Lecture 4 Page 1 Page

358 views • 11 slides
Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given the time Security Notions and computational resources. However,

307 views • 10 slides
Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Note: Log = logarithm, not Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to Cryptography 1 References Symmetric and Asymmetric Cryptosystems Public-Key Cryptosystems Based on the Discrete

436 views • 9 slides
Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Modern Block Ciphers DES Games with Block Ciphers Modern Block Ciphers DES Games with Block Ciphers Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and their applications are the primary focus

521 views • 5 slides
Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical cryptosystems RSA Introduction to modern Prime number generation cryptography Polynomial arithmetic T-79.159 Block ciphers: DES, IDEA,

439 views • 15 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

379 views • 33 slides
HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th , 2019 NIST 2 nd PQC Standardization Conference Santa-Barbara https://pqc-hqc.org C. Aguilar Melchor ISAE-Supa ero, University of Toulouse N.

188 views • 15 slides
QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto April 9, 2018 Edward Eaton 1 , Matthieu

QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto April 9, 2018 Edward Eaton 1 , Matthieu

QC-MDPC: A Timing Attack and a CCA2 KEM PQCrypto April 9, 2018 Edward Eaton 1 , Matthieu Lequesne 2,3 , Alex Parent 1 and Nicolas Sendrier 3 1 - ISARA Corporation, Waterloo, Canada 2 - Sorbonne Universit Paris, France 3 - Inria Paris,

1.05k views • 91 slides
Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan

Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan

CS 598 - COMPUTER SECURITY IN THE PHYSICAL WORLD Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan What are cryptosystems? - A suite of cryptographic algorithms (generation, encryption and

834 views • 16 slides
CCA2 Key-Privacy for Code-Based Encryption in the Standard Model Yusuke Yoshida with Kirill

CCA2 Key-Privacy for Code-Based Encryption in the Standard Model Yusuke Yoshida with Kirill

CCA2 Key-Privacy for Code-Based Encryption in the Standard Model Yusuke Yoshida with Kirill Morozov and Keisuke Tanaka from Tokyo Institute of Technology, Japan 1 Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) 2

598 views • 58 slides
T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction

T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction

T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction to modern cryptographic primitives Kaufman et al: Chapter 2 Stallings: Chapter 2 1 2.1 Classical Cryptosystems Ceasar Cipher, or Shift Cipher

555 views • 21 slides
The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean

The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean

The Design of Cryptosystems 1 Stefan Lucks The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean Workshop on Applied Cryptography 3rd of December, 2010 Stefan Lucks Bauhaus-Universit at Weimar,

715 views • 48 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Ring-LWE Implementation Tobias Oder 1 , Tobias Schneider 2 , Thomas Pppelmann 3 , Tim Gneysu

Ring-LWE Implementation Tobias Oder 1 , Tobias Schneider 2 , Thomas Pppelmann 3 , Tim Gneysu

Practical CCA2-Secure and Masked Ring-LWE Implementation Tobias Oder 1 , Tobias Schneider 2 , Thomas Pppelmann 3 , Tim Gneysu 1,4 1 Ruhr-University Bochum, 2 Universit Catholique de Louvain, 3 Infineon Technologies AG, 4 DFKI 10.09.2018

736 views • 36 slides
A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti Latincrypt 2019 October 3rd, 2019 A Reaction Attack against Cryptosystems based on LRPC

590 views • 33 slides
On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland AsiaCrypt 2016, 5th of December 1/17 Outline Joint work with Steven Galbraith , Christophe Petit and Barak Shani . 1

242 views • 23 slides
High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working systems Daniel J. Bernstein Cryptanalytic University of Illinois at Chicago & algorithm designers Technische Universiteit Eindhoven Unbroken

1.49k views • 145 slides
Security Notions 1

Security Notions 1

Security Notions 1 Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given

1.1k views • 37 slides

More recommend