Download presentation

Presentation is loading. Please wait.

Published byDavid Wadkins Modified about 1 year ago

1
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure E.g., a standard and a proprietary, a new and old ● Cascade [EG85]: E*=E◦E’ ● E* is CPA - secure if either E or E’ is CPA – secure We say that cascade is cryptanalysis tolerant E E’

2
2 Cascading CPA - question ● Given two encryption schemes which one of them is candidate CPA secure, E and E’, define: E* k,k' (x) = E k (E’ k' (x)) ● Question: assume either E or E’ is a CPA secure. Is then E* a CPA secure crypto system? ● Answer:

3
3 Cascading CPA-Secure system ● Claim: if either E or E’ is a CPA-Secure, then E* is a CPA-Secure. ● Proof: Suppose to contrary there exists adv A* That Pr X=EX(Є,ADV) [X.win ^ X.t≤ t|X=EX(E(E',A*,k)]>½+ ε*(k,t,q) i.e. Can distiniguishE* from some random permutation. ● Let adv A(for E), A'(for E') use A* (As sub routine) to distinguish. ● Prove for A (A and A' are similar).

4
4 Cont' ● A tries to win test for E while using A* on E*. A uses E as a black box. ● Key generation - A generates keys for E'. ● Select – A needs to respond to encryption and decryption requests to E* (requests sent from A*). When A* asks to encrypt m, A asks for encryption by c=E(m) and calculates E'(c) (has keys). ● Encrypt – When A* outputs, A outputs same for E and calculates on E' (returns result to A). ● When A* outputs guess, b' then A outputs the same. Wins if A* wins since performs only one more computation.

5
5 A controls E’, e.g. Encrypt A selects messages to encrypt, e.g. select

6
6 Cryptographic Constructions Demonstrating insecurity ● Usual method: Let g’ be an arbitrary function for goal G. Design g which also satisfies G: Security of g follows (easily?) from security of g’ But g is not good for the construction… Namely: the function f which is constructed using g does not satisfy goal F.

7
7 Plaintext Encrypted ECBEncrypted Non ECB An example of patterns ECB leaves in cipher text When encrypting pixels (pixel by pixel encryption)

8
8 CBC

9
9 OFB

10
10 CBC - OFB ● CBC requires padding of message to block size. Decryption can be parallelized 1 bit change of plaintext affects all cipher texts ● OFB Does not require message padding Decryption can't be done in parallel Bit flips can be detected in many embedded ECC ● Both “Randomization” properties – can't detect same block.

11
11 Problem ● CBC and OFB are great for creating VIL cipher from FIL blocks, however they have some drawbacks. ● Transmission errors. ● Parallel computation. ● Please describe the drawbacks in detail. ● Please suggest a scheme for creating VIL cipher from FIL blocks which has CBC/OFB properties and eliminates the limitations described above.

12
12 Solution ● Drawbacks Block dependency causes encryption/decryption to be synchronous (CBC decryption can be parallel) Decryption (CBC) - In case a block is damaged, its dependent block can't be deciphered as well. CBC Block damage can be from a single bit. OFB can correct errors with embedded ECC (single bits).

13
13 Solution ● Instead of chaining to disguise cipher, use counter.(Counter must be kept secret)

14
14 Indistinguishability Test ● Prove that the following encryption scheme does not pass Ind. Test. ● Discrete log – base for several public key crypto systems ● Assumption: for known prime p, generator g of Z_p and y it's hard to find x such that g x mod p = y ● For public prime p and generator g (for Z_p), where m< p: Ek(m) = { x = g^m mod p; y = g^(kx) mod p; return x||(y xor m) }

15
15 Solution ● Adv can calculate x, thus distinguish the message from a random message.

16
16 Indistinguishability Test is Strong ● Two encryptions of the same message should be indistinguishable Otherwise adversary can ask for another encryption of known message and identify it Encryption must be randomized and/or state variable With state variable, encryption depends on history In practice: usually encryption is randomized ● No assumption about the plaintext May be just two messages, ‘0’ and ‘1’ May be biased (90% is ‘0’)

17
17 CPA-IND Secure Cryptosystem from KPA-Secure ● Let C k be a KPA – Secure crypto system ● Then encrypt each message m using E k (m)=r||C k (m r), where r is random ● Observation: this is simply CBC-mode of C k with a single block! Proof extends to multiple-block CBC ● Theorem [GM89]: E k (m) is CPA-IND secure.

18
18 Question ● Let E be a KPA secure crypto system. Consider the following function on {0,1} 2n (for any n): E’ k (x)= E k (x[1..n)]) || E k (E k (x[1..n)]) x[(n+1)..2n]). ● Is E'k(x) KPA secure? ● Is E'k(x) CPA secure?

19
19 Solution ● Not CPA Secure - Choose 2 different input texts, for example 1010||1100, 1010||1001 Output of MSB is same for both “different” outputs. This is the case because of E k (x[1..n)]) ● KPA Secure - Never choose messages with same MSB.

20
20 Error Detection ● We would like to transmit ciphertext over the wire. Alice suggests to use parity check as error-detection code. ● Do we have privacy ? ● Do we have integrity ?

21
21 Error Detection ● Assume OTP encryption, interceptive adversary. ● Adversary doesn’t know k, sees c on the wire. ● c = m xor k || parity(m) [bit] ● Adversary removes c, replace with c’ where any even number of bits can be flipped (notice, that in this example, adversary doesn’t even need to know m). ● Ok, no integrity, but maybe privacy ? ● What about known domain of messages (money transfer)

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google