Published by Naomi Gamage. Modified over 2 years ago.

2
Security proofs for practical encryption schemes
Yiannis Tsiounis, GTE Labs
Moti Yung, CertCo LLC

3
Secure encryption
- Semantic Security [GM84, Gol89]
  - Hide all partial information
  - Immune against a-priori knowledge
[Figure labels: “Security”:, Semantic security:]

4
Semantic security (cont.)
[Figure labels: “Secure” encryption: or Semantically Secure: (probabilistic); = “Buy”, = “Sell”; “A-priori” info:]
(Indistinguishability of encryptions)

5
Beyond semantic security
- Chosen ciphertext security [NY90]
  - “Lunch-time” attack [NY90]
  - Rackoff-Simon attack (adaptive) [RS91]
- Non-malleability [DDN91]
  - Infeasible to create a “related” ciphertext
  - Message & sender cannot be altered by man-in-the-middle

6
(Random oracles)
- A “necessary evil” simplification
  - Collision-free
  - Information hiding
[Figure: “Random oracle”, with labels $Q_i$ and $A_i$]
Requires tamper-proof devices, or exponential memory

7
The big picture
[Figure: Attacks vs. Security; labels: Plaintext Awareness, BRP+98, EG, EG+RO+A]

8
Contributions (cont.)
- Semantic security
  - Directly from decision Diffie-Hellman
  - Retaining homomorphic properties
  - Exact analysis of efficiency of the reduction
- Non-malleability
  - decision D-H + R.O. [PS96] + oracle-related assumption

9
Preliminaries
- ElGamal encryption
  - $P = aQ + 1$, $P, Q$ primes, $|g| = Q$
  - Private key: $x$
  - Public key: $y = g^x \pmod{P}$
  - $E(m) = g^k,\ y^k m$ ($m \in G_Q$)
- Decision Diffie-Hellman
  - $P = aQ + 1$, $P, Q$ primes, $|g| = Q$
  - Distinguish from

10
Preliminaries (cont.)
- Semantic security = indistinguishability of encryptions: It is infeasible to find 2 messages whose encryptions can be distinguished (non-negligibly better than random guessing)

11
ElGamal => decision D-H
- Assume we have ElGamal oracle
- Given a triplet decide if it is a D-H triplet ($y = g^{ab}$?)
1. Preparation stage: Find two messages that the oracle can distinguish
2. Testing phase: test if the oracle can distinguish between message 1 (or 2) and random messages

12
Proof (cont.)
3. Decision phase: generator $g$, public key $g^{bw}$ ($w$ random)
- Randomize message 1 (or 2)
  - Correctly: $E(m) = g^u,\ m (g^b)^{wu}$
  - Based on given triplet: $E(m') = (g^a)^t g^v,\ m\, y^{wt} (g^b)^{wv}$
    $m' = m$ (if $y = g^{ab}$), random otherwise
- Run oracle on $E(m)$, $E(m')$
  1. Distinguish? ==> not D-H triplet
  2. Else: correct D-H triplet

13
Decision D-H => ElGamal
- Given decision D-H oracle, find two messages whose ElGamal encryptions can be distinguished
- For any two $m, m'$: ($y = g^x$)
  - $E(m_0) = g^a,\ m_0 y^a$, $E(m_1) = g^b,\ m_1 y^b$
  - Feed = (random $v$)
  - If it is a correct triplet, then $m_0 = m$, else $m_0 = m'$

14
Non-malleability
- Given ciphertext $C$, cannot construct ciphertext $C'$ such that the plaintexts are related
- All we need is a proof of knowledge of the plaintext
  - I.e., a proof of knowledge of $k$ in $E(m) = g^k,\ y^k m$
  - But, it must be a non-malleable ZK proof: it must be bound to the prover

15
The non-malleable extension
- A Schnorr-type ZK proof of knowledge of $k$, with the sender’s identity in the challenge (hash)
  $A = [g^k,\ y^k m]$, $F = g^v$, $C = k\,H(ID, g, A, F) + v$
  $E(m) = [A, F, C, ID]$
- Random oracle is used only as a “trusted beacon” [PS96] - not for information hiding
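
The construction on this slide as a runnable Python sketch (an added example, not code from the presentation). Assumptions not on the slide: a toy group with P = 2Q + 1 found by search, SHA-256 standing in for H, the standard Schnorr verification equation g^C = F (g^k)^H, and the helper names used here; it needs Python 3.8+ for modular inverses via pow.

```python
import hashlib
import secrets

def is_prime(n):  # trial division, adequate for the toy sizes used here
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Toy group (assumption, far too small for real use): P = 2Q + 1, P and Q prime.
Q = next(q for q in range(2**31 + 1, 2**32, 2) if is_prime(q) and is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4  # 4 is a square mod P, so |G| = Q

def H(ident, A, F):
    # Challenge H(ID, g, A, F); SHA-256 stands in for the random oracle.
    data = repr((ident, G, A, F)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # private key x
    return x, pow(G, x, P)                # public key y = g^x mod P

def encrypt(y, m, ident):
    # m must lie in the order-Q subgroup G_Q.
    k = secrets.randbelow(Q - 1) + 1
    v = secrets.randbelow(Q - 1) + 1
    A = (pow(G, k, P), pow(y, k, P) * m % P)   # plain ElGamal pair
    F = pow(G, v, P)                           # Schnorr commitment
    C = (k * H(ident, A, F) + v) % Q           # response, bound to ID
    return A, F, C, ident

def verify(ct):
    # Schnorr check (not spelled out on the slide): g^C == F * (g^k)^H.
    A, F, C, ident = ct
    return pow(G, C, P) == F * pow(A[0], H(ident, A, F), P) % P

def decrypt(x, ct):
    if not verify(ct):
        return None                       # proof does not match (A, ID): reject
    A = ct[0]
    return A[1] * pow(A[0], -x, P) % P    # m = (y^k m) / (g^k)^x

def maul(ct):
    # ElGamal's homomorphism: turns E(m) into a ciphertext of g*m, reusing the proof.
    A, F, C, ident = ct
    return (A[0], A[1] * G % P), F, C, ident
```

maul() shows that the bare pair A is still malleable; verify() rejects the result, and a replay under a different ID, because the challenge hash covers both A and ID.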

16
Security proof
1. We need to verify that semantic security still holds (the knowledge proof does not leak information)
2. Knowledge of $k$: provided from Schnorr proof
3. Sender-bound: the addition forms a Schnorr signature of ID based on $k$, which is existentially unforgeable [PS96]

17
Practical implications: Encryption
- ElGamal is as secure as [BR94+Can97]
- Non-malleability can be added at minimal efficiency costs
- In applications a signature is still needed
  - Otherwise senders can be impersonated
  - Signatures using Schnorr proofs are a smooth addition

18
Implications: protocols
- First encryption scheme with homomorphic properties that is semantically secure
- Anonymous e-cash: escrowing can be performed based on decision D-H
