Recall: symmetric setting CS 4803 A Computer and Network Security - PowerPoint PPT Presentation

Recall: symmetric setting CS 4803 A Computer and Network Security K K Alexandra (Sasha) Boldyreva S R Public-key encryption 1 2 Public-key (asymmetric) setting Asymmetric encryption schemes A scheme AE is specified a key generation algorithm K , an encryption algorithm E , and a decryption algorithm D . AE=( K,E,D ) pk R A (pk,sk) MsgSp(pk)-message space K sk R pk sk S R C C M E D M or ⊥ or ⊥ Sender S Receiver R It is required that for every (pk,sk) that can be output by K and every M ∈ MsgSp(pk), if C= E (pk,M) then D (sk,C)=M 3 4

Indistinguishability under chosen-plaintext attacks • A sender must know the receiver’s public key, and must be assured that this public key is authentic (really belongs to the Fix an encryption scheme AE =(K,E,D) receiver). This is ensured be the PKI processes, which are not Pick keys (pk,s k) by running K part of encryption. For an adversary A and a bit b consider two experiments Exp-ind-cpa-b (AE,A), for • Unlike in a symmetric encryption, the asymmetric encryption b=0 or b=1 b algorithm is never stateful. pk • Messages will often be numbers or group elements, encoded M0,M1 Mb LR( � , � , � ) ( • ) E pk as bitstrings whenever necessary. C=E pk( Mb ) Epk( LR( � , � , b ) ) A d The difference between probabilities of outputting 0 in two experiments is called ind-cpa-advantage of A in attacking AE. An asymmetric encryption scheme AE is indistinguishable under chosen- plaintext attacks (IND-CPA secure) if ind-cca-advantage of any adversary with “reasonable” resources is “close” to 0. 5 6 IND-CPA is not always enough Indistinguishability under chosen-ciphertext attacks Fix an encryption scheme AE =(K,E,D) Bleichenbacher’s attack on a previous version of SSL: Pick keys (pk,s k) by running K C' For an adversary A and a bit b consider two experiments Exp-ind-cca-b (AE,A), for pk “invalid ciphertext!” b=0 or b=1 b pk A is not allowed to query C'' its decryption oracle on M0,M1 Mb LR( � , � , � ) ( • ) “invalid ciphertext!” E pk ciphertexts returned by its LR encryption oracle C''' O C = E pk ( Alice's session key ) K C=E pk( Mb ) Epk( LR( � , � , b ) ) OK A C’ ( • ) D sk M’ d Alice's session key The difference between probabilities of outputting 0 in two experiments is called ind-cca-advantage of A in attacking SE. C''''''''' “invalid ciphertext!” A symmetric encryption scheme SE is indistinguishable under chosen- ciphertext attacks (IND-CCA secure) if ind-cca-advantage of any adversary with “reasonable” resources is “close” to 0. 7 8

IND-CCA⇒IND-CPA The ElGamal scheme • Let G be a cyclic group of order n and let g be a generator of • IND-CCA secure schemes guarantee security G. The ElGamal encryption scheme EG =( K , E , D ) associated against more powerful adversaries to G,g is as follows: • Any IND-CCA scheme is also IND-CPA Algorithm K Algorithm E X ( M ) Algorithm D x (( Y, W )) • $ If M �∈ G then return ⊥ K ← Y x x ← Z n • But an IND-CPA scheme is not necessarily X ← g x ← Z n ; Y ← g y $ M ← WK − 1 y K ← X y ; W ← KM Return ( X, x ) Return M • IND-CCA Return ( Y, W ) • Security depends on the choice of G. 9 10 The ElGamal scheme in Zp for a prime p � • Theorem. The ElGamal is IND-CPA secure in groups where the Decisional Diffie-Hellman (DDH) problem is hard, • In this group the ElGamal is IND-CPA insecure, namely there exists an adversary A with ind-cpa advantage 1. � � • i.e. in QR( Zp ) -the subgroup of quadratic residues of Zp where p=2q+1 and p,q are primes. It’s a cyclic group of • The idea: given a ciphertext A can compute Jp(M). prime order. Adversary A E X (LR( · , · ,b )) ( X ) • • Proof. M 0 ← 1 ; M 1 ← g • $ ( Y, W ) ← E X (LR( M 0 , M 1 , b )) If X ( p − 1) / 2 ≡ − 1 (mod p ) and Y ( p − 1) / 2 ≡ − 1 (mod p )) • then s ← − 1 else s ← 1 EndIf • If W ( p − 1) / 2 ≡ s (mod p ) then return 0 else return 1 EndIf • = J p ( K ) · J p ( M b ) = s · J p ( M b ) J p ( W ) = J Note that M0 is a square and M1 is not. Why? If b=0 then Jp(M0)=1, Jp(W)=s , if b=1 then Jp(M1)=-1, Jp(W) � s � � Hence and � � Exp ind − cpa − 0 Exp ind − cpa − 1 Pr ( A ) = 1 = 0 Pr ( A ) = 1 = 1 EG EG 11 12

IND-CCA insecurity of ElGamal Cramer-Shoup encryption scheme • ElGamal is not IND-CCA secure regardless of the choice of • The scheme is somewhat similar to ElGamal, but uses more exponentiations and a hash function. group G. • The Cramer-Shoup scheme is IND-CCA secure if the DDH problem • Adversary A E X (LR( · , · ,b )) , D x ( · ) ( X ) is hard in the group and if the hash function family is universal one- • way. Let M 0 , M 1 be any two distinct elements of G $ ( Y, W ) ← E X (LR( M 0 , M 1 , b )) • • Reference: R. Cramer and V. Shoup, “A practical public key cryptosystem provably secure against adaptive chosen ciphertext W � ← Wg • attack”, In proceedings of Crypto ‘98. M ← D x (( Y, W � )) • If M = M 0 g then return 0 else return 1 • M = D x (( Y, W � )) = K − 1 W � = K − 1 Wg = M b g . • • The ind-cca advantage of A is 1 and A makes just one LR encryption and one decryption oracle queries and makes 2 group multiplications. 13 14