Published by Myah Hanney. Modified over 2 years ago.

1
1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT

2
2 Security of Public-Key Cryptosystems
Target:
  One-wayness (OW): hard to invert
  Semantically secure (Indistinguishable) (IND): no partial information is released
  Non-malleable (NM): for any non-trivial relation R, E(M) → E(R(M)) is hard
Attacks:
  Passive attacks (Chosen Plaintext Attacks: CPA)
  Chosen-ciphertext attacks (Chosen Ciphertext Attacks: CCA)

3
3 Semantic Security (IND: Indistinguishability)
The probability of correctly guessing (b = b') is negligible.
[Figure labels: Adv; m_0, m_1; b'; ": randomly selected"; ": guess of"]

4
4 Chosen Ciphertext Attack (CCA)
CCA1 (Lunch time attack, Naor-Yung 90): C_0 is given to the attacker after the active attack is completed.
CCA2 (Rackoff-Simon 91): C_0 is given to the attacker before the active attack starts.
Rule: C_0 ≠ C_1, ..., C_n
[Figure: the attacker holds the public key and the ciphertext C_0, sends C_1, ..., C_n to the decryption oracle, receives P_1, ..., P_n, and outputs information on the plaintext P_0.]

5
5 Relationships among Security Definitions (1)
Non-malleable (NM) → Semantically secure (IND) (i.e., NM-CPA → IND-CPA, NM-CCA2 → IND-CCA2)
IND-CCA2 → NM-CCA2
Remark: NM-CPA → IND-CCA1
Conclusion: Strongest security: semantically secure against chosen-ciphertext attack 2, IND-CCA2 = NM-CCA2

6
6 Relationships among Security Definitions (2)

| Attack \ Target | One-way (OW) | Semantically secure (IND) | Non-malleable (NM) |
|---|---|---|---|
| Passive attack (CPA) | OW-CPA | IND-CPA | NM-CPA |
| Active attack (chosen-ciphertext attack) (CCA): CCA1 | OW-CCA1 | IND-CCA1 | NM-CCA1 |
| Active attack (chosen-ciphertext attack) (CCA): CCA2 | OW-CCA2 | IND-CCA2 | NM-CCA2 |

7
7 History of Provably Secure Public-key Encryption
[Timeline figure. Year axis: 1976, 1978, 1979, 1982, 1984, 1990, 1991, 1993, 1994, 1998, 2001.
Labels: DDN (NM-CCA2), BR (random oracle model), Rabin, GM (IND-CPA), DH, RSA, NY (IND-CCA1), (OW-CPA), CS, BDPR, OAEP, RS (IND-CCA2).
Stages: Concept of public-key cryptosystem; Proposal of various tricks; Provable security (theory); Practical scheme in the standard model; Practical approach by random oracle model.]

8
8 The plain RSA scheme is not secure in the sense of IND-CCA2
Not indistinguishable (IND): deterministic. Given m_0, m_1, Adv correctly outputs b = 0/1.
Vulnerable against CCA2: random self-reducibility. Adv sends C' = C · R^e to the decryption oracle (DO), receives M', and computes M'/R = plaintext of C.
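
The two failures on this slide, played out against the slide-4 decryption oracle, as an added Python example that is not part of the original deck. The primes, exponent, sample plaintexts and all function names are constructed for the demonstration; the key is far too small for real use.

```python
# Added illustration; toy parameters constructed for this example only.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537     # two Mersenne primes, toy-sized
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent


def encrypt(m: int) -> int:
    """Plain (unpadded) RSA: deterministic, C = M^e mod N."""
    return pow(m, E, N)


class DecryptionOracle:
    """CCA2 decryption oracle: answers any query except the challenge C0."""

    def __init__(self, challenge: int):
        self.challenge = challenge

    def query(self, c: int) -> int:
        if c == self.challenge:
            raise ValueError("rule C0 != Ci: the challenge may not be queried")
        return pow(c, D, N)


def guess_bit(c0: int, m0: int, m1: int) -> int:
    """IND fails without any oracle: re-encrypt m0 and compare with C0."""
    return 0 if encrypt(m0) == c0 else 1


def recover_plaintext(c0: int, oracle: DecryptionOracle, r: int = 2) -> int:
    """C' = C * R^e decrypts to M' = M * R, so the plaintext of C is M'/R."""
    c_prime = (c0 * pow(r, E, N)) % N     # differs from C0, so the rule allows it
    m_prime = oracle.query(c_prime)
    return (m_prime * pow(r, -1, N)) % N


def demo():
    m0, m1 = 1111, 2222                   # constructed sample plaintexts
    c0 = encrypt(m1)                      # challenger chose b = 1
    oracle = DecryptionOracle(c0)
    return guess_bit(c0, m0, m1), recover_plaintext(c0, oracle)


if __name__ == "__main__":
    print(demo())
```

The oracle enforces the rule C_0 ≠ C_i and still leaks the plaintext, which is the gap the conversions on the later slides close by making modified ciphertexts invalid.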

9
9 EC-ElGamal Encryption
elliptic curve point with order
Public-key (E, P, W, )
Secret-key x
Encryption: plaintext m, bit-wise exclusive-or, (rW)_X is the x-coordinate of rW
Decryption: ciphertext

10
10 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (1) Malleable Non-trivial relation with m’ =

11
11 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (2) CCA2 Attack Adv Decryption Oracle

12
12 How to Construct an Encryption Scheme with the Strongest Security (IND-CCA2)
Based on zero-knowledge proofs: Dolev-Dwork-Naor (1991). Inefficient.
Based on truly random function (random oracle model): Bellare-Rogaway: OAEP (1994) ... PKCS#1 (Ver. 2) 1998; Fujisaki-Okamoto (1999), Pointcheval (2000); Okamoto-Pointcheval: REACT (2001). Practical (using practical one-way functions in place of random functions).
Practical construction without using a random function: Cramer-Shoup (1998).

13
13 Design Strategy of Practical and Provably Secure Public-key Encryption
Primitive Encryption Function (Trapdoor Function). Example: RSA, ElGamal, etc.
Conversion Using Hash Functions (Random Functions)
Secure Encryption Scheme: Semantically Secure against Adaptively Chosen Ciphertext Attacks (IND-CCA2)

14
14 Random Oracle Model (Truly Random Model)
[Figure: the random oracle (random function) H drawn as a lookup table with Input and Output columns, labelled 2^n and "n bits random". User 1 and User 2 submit x_1, ..., x_k and receive H(x_1), ..., H(x_k).]

15
15 Conversions for the RSA Encryption Function OAEP (Bellare-Rogaway 1994) OAEP+ (Shoup 2001) SAEP (Boneh 2001) SAEP+ (Boneh 2001) REACT (Okamoto-Pointcheval 2001)

16
16 OAEP
[Figure labels: m, 00…0, r, G, G(r), s, H, H(s), t; one-way permutation. (Example) RSA-OAEP]
RSA-OAEP: de facto standard format of the RSA encryption ... used in SSL (PKCS#1) and SET

17
17 Security of OAEP (FOPS 2001) OAEP is IND-CCA2 secure under the partial-domain one-wayness assumption in the random oracle model. RSA-OAEP is IND-CCA2 secure under the RSA assumption in the random oracle model. The reduction efficiency (to the RSA inversion) is less than that of the optimal case.
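
The OAEP padding step from slide 16 in the standard Bellare-Rogaway form, s = (m || 00…0) XOR G(r) and t = r XOR H(s), as an added Python example that is not part of the original deck. SHA-256 in counter mode stands in for the random oracles G and H, the 16-byte sizes and all function names are assumptions, and the byte layout is not the PKCS#1 encoding.

```python
import hashlib
import hmac
import os

K0 = 16  # bytes of randomness r (size assumed for this example)
K1 = 16  # bytes of 00...0 redundancy (size assumed for this example)


def mask(label: bytes, seed: bytes, n: int) -> bytes:
    """SHA-256 in counter mode, a stand-in for the random oracles G and H."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(label + counter.to_bytes(4, "big") + seed).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m: bytes, r: bytes = None) -> bytes:
    """s = (m || 00...0) XOR G(r), t = r XOR H(s); s || t feeds the permutation."""
    r = os.urandom(K0) if r is None else r
    padded = m + bytes(K1)
    s = xor(padded, mask(b"G", r, len(padded)))
    t = xor(r, mask(b"H", s, K0))
    return s + t


def oaep_decode(w: bytes):
    """Invert both rounds; return None unless the 00...0 block is intact."""
    if len(w) < K0 + K1:
        return None
    s, t = w[:-K0], w[-K0:]
    r = xor(t, mask(b"H", s, K0))
    padded = xor(s, mask(b"G", r, len(s)))
    if not hmac.compare_digest(padded[-K1:], bytes(K1)):
        return None  # invalid ciphertext: the decryptor releases nothing
    return padded[:-K1]


def tamper(w: bytes, index: int) -> bytes:
    """Flip one bit of an encoded block, as a modified ciphertext would."""
    return w[:index] + bytes([w[index] ^ 1]) + w[index + 1:]
```

A single flipped bit anywhere in s || t changes the recovered r, so the 00…0 check fails and a decryption oracle built on this decoder answers a modified ciphertext with a rejection instead of a related plaintext.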

18
18 OAEP+
[Figure labels: m, F(m||r), r, G, G(r), s, H, H(s), t; one-way permutation. (Example) RSA-OAEP+]

19
19 RSA-REACT (Hybrid Encryption) (ex)

20
20 Comparison of the RSA Family

| Scheme | Security | Assumption: Number-Theoretic | Assumption: Functional | Reduction Efficiency | Provable Hybrid Usage |
|---|---|---|---|---|---|
| RSA-OAEP | IND-CCA2 | RSA | ROM | * | No |
| RSA-OAEP+ | IND-CCA2 | RSA | ROM | * | No |
| RSA-SAEP (low exponent) | IND-CCA2 | RSA with low exponent | ROM | * * * | No |
| RSA-REACT | IND-CCA2 | RSA | ROM | * * * | Yes |

21
21 IND-CCA2 Conversions for (Elliptic Curve) ElGamal Encryption
FO-1 (Fujisaki-Okamoto: PKC 1999)
FO-2 (Fujisaki-Okamoto: Crypto 1999)
Pointcheval (Pointcheval 2000)
REACT (Okamoto-Pointcheval 2001)
DHAES / ECIES (Abdalla-Bellare-Rogaway 1999)
CS (ACE) (Cramer-Shoup 1998)
PSEC-KEM (Shoup + Fujisaki-Okamoto 2001)
ACE-KEM (Shoup 2001)
(Remark: OAEP, OAEP+, SAEP, SAEP+ cannot be applied for Probabilistic Encryption Schemes such as ElGamal)

22
22 FO-1/2 FO-1 FO-2 Check in decryption ？ ？

23
23 FO-2 ： Applied to EC-ElGamal … PSEC-2 : plaintext ciphertext (Ex.1) (Ex.2) one-time pad block-cipher

24
24 Decryption of PSEC-2 Check Yes No null string ?

25
25 Security of PSEC-2
EC-DH Assumption
SymEnc: semantically secure against passive attack
g, h: random oracle
PSEC-2 is IND-CCA2

26
26 REACT Check in decryption ？

27
27 Security of REACT
f is Gap-one way
G and H are random oracles
(SymE is semantically secure against passive attacks)
AsymE is IND-CCA2

28
28 A Typical Usage of REACT
[Figure labels: Session key; Encryption; Decryption]
IND-CCA2 is guaranteed in total.

29
29 Inverting Problems relation x→y s.t. f (x, y)=1 f (x, y)=1 y x

30
30 R-decision problems
(x, y): decide whether R(f, x, y) = 1
(Examples)
(e.g., decision DH)
(e.g., quadratic residuosity)
z is even when z with f(x, z) is uniquely determined. (e.g., lsb of RSA)
s.t.

31
31 Gap problems (R-gap problems) R-decision problem Oracle R-decision problem Oracle or x x y y s.t.

32
32 Duality of Gap and Decision problems
R-gap problem of f is tractable ⇒ inverting problem of f = R-decision problem of f
R-decision problem of is tractable ⇒ inverting problem of f = R-gap problem of f (e.g., f : RSA function; )
("=": reducible to each other)

33
33 Relationship among the Assumptions Decisional Assumption Gap- One-way Assumption Gap- One-way Assumption Dual

34
34 Relationship among the DH Assumptions Decision DH Assumption Gap DH Assumption DH Assumption Dual

35
35 EC-ElGamal-REACT ： PSEC-3 : plaintext ciphertext

36
36 Decryption of PSEC-3 Check Yes No null string ?

37
37 Security of PSEC-3
EC-GapDH (GDH) Assumption
SymEnc: semantically secure against passive attack
g, h: random oracle
PSEC-3 is IND-CCA2

38
38 ECIES' (modified by Shoup) Encryption r: random Decryption Check ?

39
39 Security of ECIES'
Gap-EDH assumption
SymEnc: semantically secure against passive attack
Mac: secure
g: random oracle
ECIES' is IND-CCA2

40
40 EC-ACE-KEM (1) Public-key Secret-key w, x, y, z Encryption Ciphertext ： Shared key ：

41
41 EC-ACE-KEM (2) Decryption check ? ?

42
42 Security of EC-ACE-KEM
(1) EC-DDH; h: Universal One-Way Hash Function (UOWHF); EC-ACE is IND-CCA2
(2) EC-DH; h: Random Oracle; EC-ACE is IND-CCA2

43
43 PSEC-KEM (revised by Shoup based on PSEC-2) Encryption Ciphertext (R, v) Decryption

44
44 Security of PSEC-KEM
EC-DH
h, g: Random Oracle
PSEC-KEM is IND-CCA2

45
45 Comparison of the EC-ElGamal Family

| Scheme | Security | Assumption: Number-Theoretic | Assumption: Functional | Performance: Enc. | Performance: Dec. |
|---|---|---|---|---|---|
| PSEC-2 | IND-CCA2 | EC-DH | Random oracle, Security of SymE | 2 | 2 |
| PSEC-3 | IND-CCA2 | EC-GDH | Random oracle, Security of SymE | 2 | 1 |
| ECIES' | IND-CCA2 | EC-GDH | Random oracle, Security of SymE and Mac | 2 | 1 |
| EC-ACE-KEM (+ SymE, Mac) | IND-CCA2 | EC-DDH | Universal One-way Hash, Security of SymE and Mac | 5 | 3 |
| PSEC-KEM (+ SymE, Mac) | IND-CCA2 | EC-DH | Random oracle, Security of SymE and Mac | 2 | 2 |

The above numbers are those of EC-addition operations.

46
46 Conclusion
Simple RSA and (EC) ElGamal are not secure against active attacks.
Several practical (efficient) conversions are proposed to realize the strongest level of security (IND-CCA2) based on any primitive encryption functions such as RSA and (EC) ElGamal.
