
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack



  1. Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack
     Sumit Kumar Pandey, Indian Statistical Institute, Kolkata. January 14, 2012.

  2. Outline
     1. Definitions
        • Encryption Scheme
        • IND-CPA
        • IND-CCA
        • IND-CCVA
     2. Bleichenbacher’s attack on PKCS#1
     3. ElGamal Encryption Scheme
     4. Cramer-Shoup light version
     5. ElGamal-ElGamal Encryption Scheme
     6. Generic Construction


  4. Definition: Encryption Scheme
     • KG($1^\lambda$): A probabilistic polynomial time algorithm which takes the security parameter $1^\lambda$ as input and outputs a public-private key pair $(PK, SK)$.
     • ENC($m, PK$): A probabilistic polynomial time algorithm which takes a message $m$ and public key $PK$ as input and returns a ciphertext $C$.
     • DEC($C, SK, PK$): A deterministic polynomial time algorithm which takes a ciphertext $C$, secret key $SK$ and public key $PK$ as input and returns a message $m$ if $C$ is a valid ciphertext, else $\perp$.
     For consistency, it is required that for all $(PK, SK) \leftarrow \mathrm{KG}(1^\lambda)$ and all messages $m$, $m = \mathrm{DEC}(\mathrm{ENC}(m, PK), SK, PK)$.


  6. Definition: IND-CPA
     An encryption scheme $S_{ENC}$ is said to be IND-CPA (indistinguishable against chosen plaintext attack) secure if no probabilistic polynomial time algorithm $A = (A_1, A_2)$ has a non-negligible advantage in the following game:
     Game $\text{IND-CPA}_{S_{ENC}, A}$
     • $(PK, SK) \leftarrow \mathrm{KG}(1^\lambda)$
     • $(m_0, m_1, st) \leftarrow A_1(PK)$
     • $b \xleftarrow{R} \{0, 1\}$
     • $y \leftarrow \mathrm{ENC}(m_b, PK)$
     • $b' \leftarrow A_2(y, PK, st)$
     The advantage of $A$ is defined as $\mathrm{Adv}(A) = \left|\Pr(b = b') - \tfrac{1}{2}\right|$.


  8. Definition: IND-CCA
     An encryption scheme $S_{ENC}$ is said to be IND-CCA (indistinguishable against chosen ciphertext attack) secure if no probabilistic polynomial time algorithm $A = (A_1, A_2)$ has a non-negligible advantage in the following game:
     • DecryptionOracle ($O$): Given any ciphertext $C$ other than the challenge ciphertext, the oracle returns $m \leftarrow \mathrm{DEC}(C, SK, PK)$.
     Game $\text{IND-CCA}_{S_{ENC}, A}$
     • $(PK, SK) \leftarrow \mathrm{KG}(1^\lambda)$
     • $(m_0, m_1, st) \leftarrow A_1^{O}(PK)$
     • $b \xleftarrow{R} \{0, 1\}$
     • $y \leftarrow \mathrm{ENC}(m_b, PK)$
     • $b' \leftarrow A_2^{O}(y, PK, st)$
     The advantage of $A$ is defined as $\mathrm{Adv}(A) = \left|\Pr(b = b') - \tfrac{1}{2}\right|$.


  10. Definition: IND-CCVA
     An encryption scheme $S_{ENC}$ is said to be IND-CCVA (indistinguishable against chosen ciphertext verification attack) secure if no probabilistic polynomial time algorithm $A = (A_1, A_2)$ has a non-negligible advantage in the following game:
     • ChosenCiphertextVerificationOracle ($O$): Given a ciphertext $C$, the oracle returns 1 if $C$ is valid, else returns 0.
     Game $\text{IND-CCVA}_{S_{ENC}, A}$
     • $(PK, SK) \leftarrow \mathrm{KG}(1^\lambda)$
     • $(m_0, m_1, st) \leftarrow A_1^{O}(PK)$
     • $b \xleftarrow{R} \{0, 1\}$
     • $y \leftarrow \mathrm{ENC}(m_b, PK)$
     • $b' \leftarrow A_2^{O}(y, PK, st)$
     The advantage of $A$ is defined as $\mathrm{Adv}(A) = \left|\Pr(b = b') - \tfrac{1}{2}\right|$.

  11. Trivial Conclusions
     1. IND-CCVA secure encryption schemes are also IND-CPA secure: IND-CCVA → IND-CPA.
     2. IND-CCA secure encryption schemes are also IND-CCVA secure: IND-CCA → IND-CCVA.

  12. Does CCVA make sense?

  13. PKCS#1
     • KG($1^\lambda$): Choose primes $p, q$ ($4k$ bits each) and compute $n = pq$ ($n$ is a $k$-byte number). Choose $e, d$ such that $ed \equiv 1 \pmod{\varphi(n)}$. The public key, $PK$, is $(n, e)$ and the secret key, $SK$, is $(p, q, d)$.
     • ENC($m, PK$): A data block $D$, consisting of $|D|$ bytes, is encrypted as follows:
        • First, a padding string $PS$, consisting of $k - 3 - |D|$ nonzero bytes, is generated pseudo-randomly (the byte length of $PS$ is at least 8).
        • Then the encryption block $EB = 00 \,\|\, 02 \,\|\, PS \,\|\, 00 \,\|\, D$ is formed, converted into an integer $x$, and encrypted with RSA, giving the ciphertext $c = x^e \bmod n$.

  14. PKCS#1
     • DEC($c, SK, PK$): A ciphertext $c$ is decrypted as follows:
        • Compute $x' = c^d \bmod n$.
        • Convert $x'$ into an encryption block $EB'$.
        • Check whether the encryption block is PKCS conforming. An encryption block $EB$ consisting of $k$ bytes, $EB = EB_1 \,\|\, \dots \,\|\, EB_k$, is called PKCS conforming if it satisfies the following conditions: $EB_1 = 00$, $EB_2 = 02$, $EB_3$ through $EB_{10}$ are nonzero, and at least one of the bytes $EB_{11}$ through $EB_k$ is 00.
        • If the encryption block is PKCS conforming, output the data block; otherwise output an error sign.
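
The padding and conformance check of slides 13 and 14, together with the validity bit that the IND-CCVA verification oracle would return for this scheme, as an added Python example (not code from the talk). The key is a constructed toy built from two Mersenne primes, so the modulus is far smaller than the slides' $4k$-bit primes would give; the function names are assumptions of this sketch.

```python
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # ed = 1 (mod phi(n))
K = (N.bit_length() + 7) // 8          # byte length k of the modulus

def enc(data: bytes) -> int:
    """ENC of slide 13: EB = 00 || 02 || PS || 00 || D, c = x^e mod n."""
    ps_len = K - 3 - len(data)
    if ps_len < 8:
        raise ValueError("data block too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))  # nonzero
    eb = b"\x00\x02" + ps + b"\x00" + data
    return pow(int.from_bytes(eb, "big"), E, N)

def unpad(eb: bytes):
    """Return the data block if eb is PKCS conforming (slide 14), else None."""
    if len(eb) != K or eb[0] != 0x00 or eb[1] != 0x02:
        return None
    if 0 in eb[2:10]:                  # EB_3 .. EB_10 must be nonzero
        return None
    sep = eb.find(b"\x00", 10)         # first 00 among EB_11 .. EB_k
    return None if sep < 0 else eb[sep + 1:]

def dec(c: int):
    """DEC of slide 14: the data block, or None as the error sign."""
    if not 0 <= c < N:
        return None
    return unpad(pow(c, D, N).to_bytes(K, "big"))

def verification_oracle(c: int) -> int:
    """Validity bit of the IND-CCVA definition: 1 if c is valid, else 0."""
    return 1 if dec(c) is not None else 0
```

Any decryption service whose responses let a caller tell `None` apart from a data block exposes exactly this one-bit oracle.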


  16. Bleichenbacher’s Attack on PKCS#1
     Bleichenbacher’s attack assumes that the adversary has access to an oracle that, for every ciphertext, returns whether the corresponding plaintext is PKCS conforming. If the plaintext is not PKCS conforming, the oracle outputs an error sign. Given just these error signs, because of specific properties of PKCS #1, Bleichenbacher showed how a very clever program can decrypt a target ciphertext (the oracle answer will reveal the first two bytes of the corresponding plaintext of the chosen ciphertext).
     Reference: D. Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In Proc. Crypto’98, pages 1-12, 1998.


  18. • CCVA makes sense.
     Questions
     1. Does there exist any encryption scheme which is IND-CCVA secure but not IND-CCA secure?
     2. Does there exist any encryption scheme which is IND-CPA secure but not IND-CCVA secure?

  19. A glance over some existing schemes

  20. ElGamal Encryption Scheme
     • KG($1^\lambda$): The key generation algorithm runs as follows.
        • Choose a group $G$ of prime order $p$, where $2^{\lambda - 1} < p < 2^{\lambda}$.
        • Choose $g \xleftarrow{R} G$ and $x \xleftarrow{R} \mathbb{Z}_p$.
        • Compute $c = g^x$.
        • The public key, $PK$, for this scheme is the tuple $(G, g, c)$; the corresponding secret key, $SK$, is $x$.
        • Message space $= G$.
        • Ciphertext space $= G \times G$.
     • ENC($m, PK$): To encrypt a message $m \in G$, the encryption algorithm runs as follows.
        • Choose $r \xleftarrow{R} \mathbb{Z}_p$.
        • Compute $u = g^r$, $e = m c^r$.
        • The ciphertext, $C$, is $(u, e)$.
     • DEC($C, SK, PK$): Decryption works in the following way: given the ciphertext $(u, e)$ and secret key $x$,
        • Compute $m = e u^{-x}$.

  21. Security of ElGamal Encryption Scheme
     • ElGamal is IND-CPA secure if the DDH assumption holds in $G$.
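
The ElGamal scheme of slide 20 run inside the games of slides 6, 8 and 10, as an added Python example (not code from the talk); it goes beyond the slides by including an adversary that uses the well-known malleability of ElGamal, which wins every run with the decryption oracle but learns nothing from the verification oracle's single bit. The toy group (squares modulo the safe prime 2039, prime order 1019) and all function names are assumptions of this sketch.

```python
import secrets

P = 1019            # prime order p of G; constructed toy size (lambda = 10)
MOD = 2 * P + 1     # G = squares modulo the safe prime 2039 (an assumption)

def in_group(a):
    return 0 < a < MOD and pow(a, P, MOD) == 1

def kg():
    g = 1
    while g == 1:                                   # g <-R G, identity rejected
        g = pow(secrets.randbelow(MOD - 1) + 1, 2, MOD)
    x = secrets.randbelow(P)                        # x <-R Z_p
    return (g, pow(g, x, MOD)), x                   # PK = (g, c), SK = x

def enc(m, pk):
    g, c = pk
    r = secrets.randbelow(P)                        # r <-R Z_p
    return pow(g, r, MOD), m * pow(c, r, MOD) % MOD  # (u, e) = (g^r, m c^r)

def dec(ct, sk):
    u, e = ct
    if not (in_group(u) and in_group(e)):
        return None                                 # outside G x G: invalid
    return e * pow(u, -sk, MOD) % MOD               # m = e u^{-x}

def game(a1, a2, oracle_kind):
    """One run of the IND game; oracle_kind is 'none', 'verify' or 'decrypt'."""
    pk, sk = kg()
    challenge = None
    def oracle(ct):
        if oracle_kind == "decrypt" and ct != challenge:
            return dec(ct, sk)                      # IND-CCA: the plaintext
        if oracle_kind == "verify":
            return int(dec(ct, sk) is not None)     # IND-CCVA: validity bit
        return None                                 # IND-CPA: no oracle
    m0, m1, st = a1(pk, oracle)
    b = secrets.randbelow(2)
    challenge = enc((m0, m1)[b], pk)
    return a2(challenge, pk, st, oracle) == b       # True when b' = b

def adv1(pk, oracle):
    g = pk[0]
    return g, g * g % MOD, None                     # m0 = g, m1 = g^2

def adv2(ct, pk, st, oracle):
    (u, e), g = ct, pk[0]
    m = oracle((u, e * g % MOD))                    # (u, e*g) decrypts to m_b * g
    return 0 if m == g * g % MOD else 1
```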
