Published by Myah Hanney. Modified about 1 year ago.

1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model
Tatsuaki Okamoto
NTT

2 Security of Public-Key Cryptosystems
Target
  One-wayness (OW): hard to invert
  Semantically secure (Indistinguishable) (IND): no partial information is released
  Non-malleable (NM): for any non-trivial relation R, E(M) → E(R(M)) is hard
Attacks
  Passive attacks (Chosen Plaintext Attacks: CPA)
  Chosen-ciphertext attacks (Chosen Ciphertext Attacks: CCA)

3 Semantic Security (IND: Indistinguishability)
The probability of correctly guessing (b = b') is negligible
[Figure labels: Adv; m0, m1; b'; ": randomly selected"; ": guess of"]

4 Chosen Ciphertext Attack (CCA)
CCA1 (Lunch time attack, Naor-Yung 90): C0 is given to the attacker after the active attack is completed.
CCA2 (Rackoff-Simon 91): C0 is given to the attacker before the active attack starts.
[Figure: the attacker holds the public key and the ciphertext C0, sends C1, ..., Cn to the decryption oracle, receives P1, ..., Pn, and outputs information on plaintext P0. Rule: C0 ≠ C1, ..., Cn]

5 Relationships among Security Definitions (1)
Non-malleable (NM) → Semantically secure (IND) (i.e., NM-CPA → IND-CPA, NM-CCA2 → IND-CCA2)
IND-CCA2 → NM-CCA2
Remark: NM-CPA → IND-CCA1
Conclusion: Strongest security
  Semantically secure against chosen-ciphertext attack 2
  IND-CCA2 = NM-CCA2 ←

6 Relationships among Security Definitions (2)
Attack \ Target | One-way (OW) | Semantically secure (IND) | Non-malleable (NM)
Passive attack (CPA) | OW-CPA | IND-CPA | NM-CPA
Active attack (chosen-ciphertext attack) (CCA), CCA1 | OW-CCA1 | IND-CCA1 | NM-CCA1
Active attack (chosen-ciphertext attack) (CCA), CCA2 | OW-CCA2 | IND-CCA2 | NM-CCA2

7 History of Provably Secure Public-key Encryption
[Timeline figure. Scheme labels: DH; RSA; Rabin; GM (IND-CPA); NY (IND-CCA1); DDN (NM-CCA2); BR (Random oracle model); CS; BDPR; OAEP; RS; (OW-CPA); (IND-CCA2). Captions: Concept of public-key cryptosystem; Proposal of various tricks; Provable security (Theory); Practical scheme in the standard model; Practical approach by random oracle model]

8 The plain RSA scheme is not secure in the sense of IND-CCA2
Not indistinguishable (IND): deterministic
  [Figure: Adv, given m0, m1, correctly outputs b = 0/1]
Vulnerable against CCA2: random-self-reducibility
  [Figure: given C, Adv sends C' = C · R^e to the decryption oracle (DO), receives M', and computes M'/R = plaintext of C]
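The two failures on slide 8, worked through on toy numbers to show why the conversions in the later slides are needed. This is an added example, not code from the presentation; the primes, the exponent and every function name are assumptions chosen so that it runs offline.

```python
# Textbook ("plain") RSA with constructed toy parameters: two small
# Mersenne primes, far too small and too structured for real use.
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)

def enc(m: int) -> int:
    """Plain RSA: no randomness, so equal plaintexts give equal ciphertexts."""
    return pow(m, E, N)

def make_oracle(challenge: int):
    """CCA2 decryption oracle: answers every query except the challenge C0."""
    def oracle(c: int) -> int:
        if c == challenge:
            raise ValueError("query equals the challenge ciphertext")
        return pow(c, D, N)
    return oracle

def ind_guess(c0: int, m0: int, m1: int) -> int:
    """IND game: determinism lets anyone re-encrypt m0 and compare."""
    return 0 if enc(m0) == c0 else 1

def cca2_recover(c0: int, oracle, r: int = 2) -> int:
    """Random self-reducibility: C' = C * R^e decrypts to M' = M * R."""
    c_prime = (c0 * pow(r, E, N)) % N     # differs from C0, so the rule allows it
    m_prime = oracle(c_prime)
    return (m_prime * pow(r, -1, N)) % N  # M = M' / R mod N
```

A randomized, redundancy-checked encoding such as OAEP removes both properties: encryption stops being deterministic and a modified ciphertext is rejected instead of decrypted.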

9 EC-ElGamal Encryption
elliptic curve point with order
Public-key (E, P, W, )
Secret-key x
Encryption: plaintext m, bit-wise exclusive-or, (rW)_X is the x-coordinate of rW
Decryption: ciphertext

10 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (1)
Malleable
Non-trivial relation with m' =

11 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (2)
CCA2 Attack
[Figure labels: Adv; Decryption Oracle]

12 How to Construct an Encryption Scheme with the Strongest Security (IND-CCA2)
Based on zero-knowledge proofs
  Dolev-Dwork-Naor (1991)
  Inefficient
Based on truly random function (random oracle model)
  Bellare-Rogaway: OAEP (1994) ... PKCS#1 (Ver.2) 1998
  Fujisaki-Okamoto (1999), Pointcheval (2000)
  Okamoto-Pointcheval: REACT (2001)
  Practical (using practical one-way functions in place of random functions)
Practical construction without using a random function
  Cramer-Shoup (1998)

13 Design Strategy of Practical and Provably Secure Public-key Encryption
Primitive Encryption Function (Trapdoor Function). Example: RSA, ElGamal, etc.
  → Conversion Using Hash Functions (Random Functions)
  → Secure Encryption Scheme: Semantically Secure against Adaptively Chosen Ciphertext Attacks (IND-CCA2)

14 Random Oracle Model (Truly Random Model)
[Figure: random oracle / random function H. User 1, User 2, ... send inputs x1, ..., xk and receive H(x1), ..., H(xk). Table labels: Input; Output; 2^n; n bits; random]

15 Conversions for the RSA Encryption Function
OAEP (Bellare-Rogaway 1994)
OAEP+ (Shoup 2001)
SAEP (Boneh 2001)
SAEP+ (Boneh 2001)
REACT (Okamoto-Pointcheval 2001)

16 OAEP
[Figure: OAEP padding with input blocks m || 00…0 and r, functions G and H, intermediate values G(r), s, H(s), t, followed by a one-way permutation. (Example) RSA-OAEP]
RSA-OAEP: de facto standard format of the RSA encryption, used in SSL (PKCS#1) and SET
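The OAEP transform from slide 16 written out: s = (m || 00…0) XOR G(r), t = r XOR H(s), with s || t then fed to the one-way permutation (omitted here). This is an added example, not code from the presentation; the byte sizes, the SHA-256 construction standing in for the random oracles G and H, and all function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed sizes in bytes: random seed r, zero redundancy 00...0, message m.
K0, K1, MLEN = 16, 16, 32

def _oracle(label: bytes, seed: bytes, n: int) -> bytes:
    """SHA-256 in counter mode as a practical stand-in for a random oracle."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big") + seed).digest()
        ctr += 1
    return out[:n]

def G(r: bytes) -> bytes:
    return _oracle(b"G", r, MLEN + K1)

def H(s: bytes) -> bytes:
    return _oracle(b"H", s, K0)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m: bytes, r: bytes = None) -> bytes:
    """Return s || t, the input to the one-way permutation (e.g. RSA)."""
    if len(m) != MLEN:
        raise ValueError("message must be exactly MLEN bytes")
    r = os.urandom(K0) if r is None else r
    s = xor(m + bytes(K1), G(r))      # s = (m || 00...0) XOR G(r)
    t = xor(r, H(s))                  # t = r XOR H(s)
    return s + t

def oaep_decode(w: bytes):
    """Invert the padding; return None when the 00...0 redundancy is wrong."""
    if len(w) != MLEN + K1 + K0:
        return None
    s, t = w[:MLEN + K1], w[MLEN + K1:]
    r = xor(t, H(s))
    padded = xor(s, G(r))
    m, zeros = padded[:MLEN], padded[MLEN:]
    # Constant-time comparison; a modified block fails here except with
    # probability about 2^-(8*K1).
    return m if hmac.compare_digest(zeros, bytes(K1)) else None
```

The random r makes encryption probabilistic, and the zero-block check is what turns a tampered ciphertext into a rejection rather than a related plaintext.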

17 Security of OAEP (FOPS 2001)
OAEP is IND-CCA2 secure under the partial-domain one-wayness assumption in the random oracle model.
RSA-OAEP is IND-CCA2 secure under the RSA assumption in the random oracle model.
The reduction efficiency (to the RSA inversion) is less than that of the optimal case.

18 OAEP+
[Figure: OAEP+ padding with input blocks m, F(m || r) and r, functions G and H, intermediate values G(r), s, H(s), t, followed by a one-way permutation. (Example) RSA-OAEP+]

19 RSA-REACT (Hybrid Encryption)
(ex)

20 Comparison of the RSA Family
Scheme | Security | Number-theoretic assumption | Functional assumption | Reduction efficiency | Provable hybrid usage
RSA-OAEP | IND-CCA2 | RSA | ROM | * | No
RSA-OAEP+ | IND-CCA2 | RSA | ROM | * | No
RSA-SAEP (low exponent) | IND-CCA2 | RSA with low exponent | ROM | * * * | No
RSA-REACT | IND-CCA2 | RSA | ROM | * * * | Yes

21 IND-CCA2 Conversions for (Elliptic Curve) ElGamal Encryption
FO-1 (Fujisaki-Okamoto: PKC 1999)
FO-2 (Fujisaki-Okamoto: Crypto 1999)
Pointcheval (Pointcheval 2000)
REACT (Okamoto-Pointcheval 2001)
DHAES / ECIES (Abdalla-Bellare-Rogaway 1999)
CS (ACE) (Cramer-Shoup 1998)
PSEC-KEM (Shoup + Fujisaki-Okamoto 2001)
ACE-KEM (Shoup 2001)
(Remark: OAEP, OAEP+, SAEP, SAEP+ cannot be applied for Probabilistic Encryption Schemes such as ElGamal)

22 FO-1/2
FO-1
FO-2
Check in decryption ? ?

23 FO-2: Applied to EC-ElGamal … PSEC-2
: plaintext
ciphertext
(Ex.1) one-time pad
(Ex.2) block-cipher

24 Decryption of PSEC-2
Check ?
  Yes
  No: null string

25 Security of PSEC-2
EC-DH Assumption
SymEnc: semantically secure against passive attack
g, h: random oracle
PSEC-2 is IND-CCA2

26 REACT
Check in decryption ?

27 Security of REACT
f is Gap-one way
G and H are random oracles
(SymE is semantically secure against passive attacks)
AsymE is IND-CCA2

28 A Typical Usage of REACT
[Figure labels: Session key; Encryption; Decryption]
IND-CCA2 is guaranteed in total.

29 Inverting Problems
relation x → y s.t. f(x, y) = 1
[Figure labels: f(x, y) = 1; y; x]

30 R-decision problems
(x, y): decide whether R(f, x, y) = 1
(Examples)
  (e.g., decision DH)
  (e.g., quadratic residuosity)
  z is even when z with f(x, z) is uniquely determined. (e.g., lsb of RSA)
s.t.

31 Gap problems (R-gap problems)
[Figure labels: R-decision problem Oracle; R-decision problem Oracle; or; x; x; y; y; s.t.]

32 Duality of Gap and Decision problems
R-gap problem of f is tractable ⇒ inverting problem of f = R-decision problem of f
R-decision problem of f is tractable ⇒ inverting problem of f = R-gap problem of f
(e.g., f : RSA function; )
"=" here means reducible to each other

33 Relationship among the Assumptions
[Figure labels: Decisional Assumption; Gap- One-way Assumption; Gap- One-way Assumption; Dual]

34 Relationship among the DH Assumptions
[Figure labels: Decision DH Assumption; Gap DH Assumption; DH Assumption; Dual]

35 EC-ElGamal-REACT: PSEC-3
: plaintext
ciphertext

36 Decryption of PSEC-3
Check ?
  Yes
  No: null string

37 Security of PSEC-3
EC-GapDH (GDH) Assumption
SymEnc: semantically secure against passive attack
g, h: random oracle
PSEC-3 is IND-CCA2

38 ECIES' (modified by Shoup)
Encryption
r: random
Decryption
Check ?

39 Security of ECIES'
Gap-EDH assumption
SymEnc: semantically secure against passive attack
Mac: secure
g: random oracle
ECIES' is IND-CCA2

40 EC-ACE-KEM (1)
Public-key
Secret-key w, x, y, z
Encryption
Ciphertext:
Shared key:

41 EC-ACE-KEM (2)
Decryption
check ? ?

42 Security of EC-ACE-KEM
(1) EC-DDH; h: Universal One-Way Hash Function (UOWHF); EC-ACE is IND-CCA2
(2) EC-DH; h: Random Oracle; EC-ACE is IND-CCA2

43 PSEC-KEM (revised by Shoup based on PSEC-2)
Encryption
Ciphertext (R, v)
Decryption

44 Security of PSEC-KEM
EC-DH
h, g: Random Oracle
PSEC-KEM is IND-CCA2

45 Comparison of the EC-ElGamal Family
Scheme | Security | Number-theoretic assumption | Functional assumption | Enc. | Dec.
PSEC-2 | IND-CCA2 | EC-DH | Random oracle, Security of SymE | 2 | 2
PSEC-3 | IND-CCA2 | EC-GDH | Random oracle, Security of SymE | 2 | 1
ECIES' | IND-CCA2 | EC-GDH | Random oracle, Security of SymE and Mac | 2 | 1
EC-ACE-KEM (+ SymE, Mac) | IND-CCA2 | EC-DDH | Universal One-way Hash, Security of SymE and Mac | 5 | 3
PSEC-KEM (+ SymE, Mac) | IND-CCA2 | EC-DH | Random oracle, Security of SymE and Mac | 2 | 2
The above numbers (performance, Enc. and Dec.) are those of EC-addition operations.

46 Conclusion
Simple RSA and (EC)ElGamal are not secure against active attacks.
Several practical (efficient) conversions are proposed to realize the strongest level of security (IND-CCA2) based on any primitive encryption functions such as RSA and (EC)ElGamal.
