Asymmetric Cryptography part 1 & 2

Post on 16-Jan-2016

description

Asymmetric Cryptography part 1 & 2. Haya Shulman. Many thanks to Amir Herzberg who donated some of the slides from http://www.cs.biu.ac.il/~herzbea/89-690/index.html. Talk Outline. Heuristic vs Provable Security Approaches. Kerckhoffs' Principle. Public-key Encryption Scheme Definition.

transcript

Asymmetric Cryptography part 1 & 2
Haya Shulman

Many thanks to Amir Herzberg who donated some of the slides from http://www.cs.biu.ac.il/~herzbea/89-690/index.html

Talk Outline

Heuristic vs Provable Security Approaches
Kerckhoffs' Principle
Public-key Encryption Scheme Definition
Security Definition
    Adversarial Power and the Break
    Symmetric & Asymmetric Security Specifications (CPA, CCA, CCA2)
Information Theoretically Secure Public Key Encryption Scheme?
Deterministic Public Key Schemes?
Hybrid encryption

Heuristic vs Provable Security Approaches

The heuristic approach
    Build-break-fix paradigm
    Failed cryptanalysis
The provable security
    Reductions to hardness assumptions
    Reduction is a basic cryptographic technique
The information theoretic security

Kerckhoffs' Principle: Known Design

Security through obscurity is a common approach in the industry
    Attacks (e.g. cryptanalysis) of unknown design can be much harder
But using public (non-secret) designs…
    Published designs are often stronger
    No need to replace the system once the design is exposed
    No need to worry that design was exposed
    Establish standards for multiple applications:
        Efficiency of production and of test attacks / cryptanalysis

Kerckhoffs' Known Design Principle [1883]: adversary knows the design – everything except the secret keys


Public-key Encryption Scheme

B.e is a public encryption key, B.d is a matching private decryption key

Only the key protects confidentiality

[Figure: Alice (the sender) passes the plaintext through the encryption algorithm with B.e, the key Alice uses to encrypt to Bob. The ciphertext goes to Bob (the receiver), whose decryption algorithm uses B.d, the key Bob uses to decrypt, to recover the plaintext.]

Encryption Scheme Definition

No distinction between public/secret key encryption schemes
No security requirement
Includes trivial (insecure) encryption schemes


Defining Adversarial Power

Computational power
    Computational bounds on its running time
    Uniform/non-uniform
What actions can it take?
    Passive, eavesdropping
    Active, can obtain encryptions/decryptions

Defining the Break

Define the successful break of the scheme
    Recovering the secret key
    Decrypting the challenge
    Learning some partial information about the encrypted message!
Simulating reality using experiments
    Indistinguishability (CPA, CCA, adaptive-CCA)

Indistinguishability Experiment (asymmetric encryption, a.k.a. Public Key)

[Figure: Eve interacts with Alice and Bob. Eve gives Alice a chosen plaintext m, or selected messages m0, m1. Alice, using B.e, encrypts m, or selects b from {0,1} and encrypts mb, and returns the ciphertext $c = E_{B.e}(m)$. Eve gives Bob a chosen ciphertext c, and Bob, using B.d (the key Bob uses to decrypt), returns the decryption $m = D_{B.d}(c)$. Eve outputs a guess of b.]

IND-CPA Security Specification

IND-CCA Security Specification

IND-CCA2 Security Specification

Indistinguishability Experiment (symmetric encryption, i.e. shared key)

[Figure: Eve interacts with Alice and Bob, who share the key k. Eve gives Alice a chosen plaintext m, or selected messages m0, m1. Alice encrypts m, or selects b from {0,1} and encrypts mb, and returns the ciphertext $c = E_k(m, re)$. Eve gives Bob a chosen ciphertext c, and Bob returns the decryption $m = D_k(c)$. Eve outputs a guess of b.]

Eavesdropping (Passive) Attacks Security Specification

Weakest type of adversary
Adversary only obtains the ciphertext that it wishes to decrypt
Eavesdrops on the communication line between two parties and intercepts the encrypted communication
Does not obtain oracle access to encryption or decryption functionality
Does not obtain the encryption key

Eavesdropping Attacks Security Specification

Chosen Plaintext Attacks Security Specification


Perfectly Secure Public-Key Encryption Scheme

A public key encryption scheme is perfectly secure if for every public encryption key e, all messages m0, m1, |m0|=|m1|, all ciphertexts c and all algorithms A holds

What does it mean for an encryption scheme to be perfectly secure?
The adversary gains no advantage above a pure guess

Perfectly Secure Public-Key Encryption Schemes Do NOT Exist

Proof

Let = (G,E,D) be a public key encryption scheme

operates over messages of one bit and encryption/decryption always succeeds

Construct an algorithm A s.t.

Perfectly Secure Public-Key Encryption Schemes Do NOT Exist

If c is an encryption of 0 then there exists a random i0, otherwise there exists i1

A will always return a correct answer since

while


Deterministic Public Key Encryption Schemes Do NOT Exist

Proof

Let =(G,E,D) be a deterministic public key encryption scheme

operates over messages of one bit length and the decryption always succeeds

Construct A s.t.
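The indistinguishability experiment run against a deterministic scheme, as an added example (not code from the slides): Eve knows B.e, so she encrypts m0 and m1 herself and compares with the challenge. The toy key, the bit encodings, the 64-bit random prefix and all function names are assumptions made for illustration; the randomized variant only shows that this particular adversary stops working, it is not a secure padding.

```python
import random

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, plays the role of B.d

def enc_det(m, rng):
    """Deterministic textbook RSA on a one-bit message (encoded as m + 2)."""
    return pow(m + 2, E, N)

def enc_rand(m, rng):
    """Same key, but 64 fresh random bits are placed above the message bit."""
    return pow((rng.getrandbits(64) << 1) | m, E, N)

def dec_det(c):
    return pow(c, D, N) - 2

def dec_rand(c):
    return pow(c, D, N) & 1

def adversary(enc, c, rng):
    """Eve re-encrypts m0 = 0 and m1 = 1 under the public key and compares."""
    if enc(0, rng) == c:
        return 0
    if enc(1, rng) == c:
        return 1
    return rng.getrandbits(1)            # no match: fall back to a pure guess

def ind_cpa_win_rate(enc, trials=400, seed=1):
    """Fraction of experiments in which Eve's guess equals the challenger's b."""
    rng = random.Random(seed)            # seeded so the run is reproducible
    wins = 0
    for _ in range(trials):
        b = rng.getrandbits(1)           # challenger selects b from {0,1}
        c = enc(b, rng)                  # challenge ciphertext c = E_{B.e}(m_b)
        wins += adversary(enc, c, rng) == b
    return wins / trials

if __name__ == "__main__":
    print("deterministic:", ind_cpa_win_rate(enc_det))
    print("randomized:   ", ind_cpa_win_rate(enc_rand))
```

Against `enc_det` the adversary wins every experiment; against `enc_rand` its re-encryptions almost never match the challenge, so its win rate falls back to about one half.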


Symmetric vs. Asymmetric

Is there a perfectly secure private key encryption scheme?
Is there a secure deterministic private key encryption scheme?
    Depends on the attack model
Why not define the strongest security for any scheme?
    There is a price for being overly conservative

Arbitrary Length Public-key Encryption Scheme

Secure public-key encryption scheme for one bit implies security under multiple encryptions, given m=m1…mL encrypt

Inefficient
    L times the computational cost of encrypting one block
    Ciphertext length increases
    Public key cryptosystems are slow
    Also: most (e.g. RSA) have fixed block size (FIL)
    Using a long block size is veeery slooow

Hybrid Encryption (`enveloping`)

Can we do better?

Use VIL secret key cryptosystem, encrypt shared key and use it to encrypt plaintext

Encryption (inputs: e, plaintext m)
    $K \leftarrow \{0,1\}^k$
    $C_{KEY} \leftarrow E^{PK}_e(K)$
    $C_{MSG} \leftarrow E^{SK}_K(m)$

Decryption (inputs: $C_{KEY}$, $C_{MSG}$)
    $K \leftarrow D^{PK}_d(C_{KEY})$
    $D^{SK}_K(C_{MSG})$
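The enveloping construction above, as an added example (not code from the slides): a fresh K is encrypted under the public key and the plaintext, of any length, is encrypted under K. The toy RSA key, its random prefix, the SHA-256 counter keystream and all function names are assumptions chosen to keep the example standard-library only; they stand in for the IND-CPA secure schemes the construction requires.

```python
import hashlib
import secrets

# Constructed toy RSA key (two Mersenne primes); illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def pk_encrypt(K):
    """E^PK_e(K): 64 random bits above the 128-bit key, then RSA (toy padding)."""
    x = (secrets.randbits(64) << 128) | int.from_bytes(K, "big")
    return pow(x, E, N)

def pk_decrypt(c_key):
    """D^PK_d(C_KEY): recover the low 128 bits, i.e. K."""
    return (pow(c_key, D, N) & (2**128 - 1)).to_bytes(16, "big")

def keystream(K, nonce, n):
    """n bytes of SHA-256(K || nonce || counter); stand-in VIL stream cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(K + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def sk_encrypt(K, m):
    """E^SK_K(m): random nonce followed by m XOR keystream."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(m, keystream(K, nonce, len(m))))

def sk_decrypt(K, c):
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(K, nonce, len(body))))

def hybrid_encrypt(m):
    K = secrets.token_bytes(16)              # K <- {0,1}^k, fresh per message
    return pk_encrypt(K), sk_encrypt(K, m)   # (C_KEY, C_MSG)

def hybrid_decrypt(c_key, c_msg):
    return sk_decrypt(pk_decrypt(c_key), c_msg)

if __name__ == "__main__":
    msg = b"constructed sample plaintext " * 40
    c_key, c_msg = hybrid_encrypt(msg)
    print(len(msg), len(c_msg), hybrid_decrypt(c_key, c_msg) == msg)
```

One public-key operation covers the whole message, and the ciphertext grows by a constant (C_KEY plus a 16-byte nonce) rather than by a factor of L.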

Hybrid Encryption - Construction

Secure public key encryption scheme Secure private key encryption scheme

construct a hybrid encryption scheme

Hybrid Encryption - Security

Theorem: If is an IND-CPA secure public key encryption scheme and is an IND-CPA secure private key encryption scheme then is an IND-CPA secure public key encryption scheme for arbitrary length messages

Proof: We need to show that

For any PPT A and any m0, m1 we need to bound

Hybrid Encryption Proof, cont’

By definition of hybrid encryption algorithm it is equivalent to

Now given A against the hybrid scheme construct an algorithm ASK against the private key encryption scheme

Hybrid Encryption Proof, cont’

Analysis of ASK’s success probability

But, is this equivalent to

Why? Because

There is no way for to choose the key K’ s.t. it is equal to K used to encrypt the challenge

Hybrid Encryption Proof, 2nd Attempt

Given A=(A1,A2) against we construct

and against

and against

The advantage of A is bounded by the sum of the advantages of each of the algorithms above

Hybrid Encryption Proof, cont’

We first show that

Given a PPT algorithm A=(A1,A2) construct a PPT against

Hybrid Encryption Proof, cont’

The success probability of

Since is IND-CPA secure the advantage is negligible

Hybrid Encryption Proof, cont’

We next show that

Given a PPT algorithm A=(A1,A2) construct a PPT against

Hybrid Encryption Proof, cont’

The success probability of

Since is IND-CPA secure the advantage is negligible

Hybrid Encryption Proof, cont’

In the third step show that

Given a PPT algorithm A=(A1,A2) construct a PPT against

Hybrid Encryption Proof, cont’

The success probability of

Since is IND-CPA secure the advantage is negligible

We obtain

and conclude that

Hybrid Encryption Proof, fin’

Asymmetric Encryption

End of part 1 and 2 Questions? Thank you.