Published by David Wadkins. Modified over 2 years ago.

1 Cryptanalysis-tolerant CPA crypt.
● Suppose E and E’ are two encryption schemes, one of which is CPA-secure
  - E.g., a standard and a proprietary, a new and an old
● Cascade [EG85]: E*=E◦E’
● E* is CPA-secure if either E or E’ is CPA-secure
  - We say that the cascade is cryptanalysis tolerant

2 Cascading CPA - question
● Given two encryption schemes E and E’, one of which is a candidate CPA-secure scheme, define: E*_{k,k'}(x) = E_k(E’_{k'}(x))
● Question: assume either E or E’ is CPA-secure. Is E* then a CPA-secure cryptosystem?
● Answer:

3 Cascading CPA-Secure system
● Claim: if either E or E’ is CPA-secure, then E* is CPA-secure.
● Proof: Suppose to the contrary that there exists an adversary A* such that
  Pr_{X=EX(Є,ADV)}[X.win ∧ X.t ≤ t | X = EX(E(E'),A*,k)] > ½ + ε*(k,t,q),
  i.e. A* can distinguish E* from some random permutation.
● Let adversaries A (for E) and A' (for E') use A* as a subroutine to distinguish.
● We prove the claim for A (A and A' are similar).

4 Cont'
● A tries to win the test for E while using A* on E*. A uses E as a black box.
● Key generation: A generates keys for E'.
● Select: A needs to respond to encryption and decryption requests to E* (requests sent from A*). When A* asks to encrypt m, A asks for the encryption c=E(m) and calculates E'(c) (it has the keys).
● Encrypt: when A* outputs, A outputs the same for E and calculates on E' (returns the result to A).
● When A* outputs its guess b', A outputs the same. A wins if A* wins, since it performs only one more computation.

5 A controls E’, e.g. encrypt. A selects messages to encrypt, e.g. select.

6 Cryptographic Constructions: Demonstrating insecurity
● Usual method:
  - Let g’ be an arbitrary function for goal G.
  - Design g which also satisfies G: security of g follows (easily?) from security of g’
  - But g is not good for the construction…
  - Namely: the function f which is constructed using g does not satisfy goal F.

7 An example of the patterns ECB leaves in ciphertext when encrypting pixels (pixel-by-pixel encryption).
[Image panels: Plaintext; Encrypted ECB; Encrypted Non-ECB]

8 CBC

9 OFB

10 CBC - OFB
● CBC
  - Requires padding of the message to block size.
  - Decryption can be parallelized
  - A 1-bit change of plaintext affects all ciphertexts
● OFB
  - Does not require message padding
  - Decryption can't be done in parallel
  - Bit flips can be detected in many embedded ECC
● Both have “randomization” properties: can't detect same block.

11 Problem
● CBC and OFB are great for creating a VIL cipher from FIL blocks; however, they have some drawbacks:
  - Transmission errors.
  - Parallel computation.
● Please describe the drawbacks in detail.
● Please suggest a scheme for creating a VIL cipher from FIL blocks which has the CBC/OFB properties and eliminates the limitations described above.

12 Solution
● Drawbacks
  - Block dependency causes encryption/decryption to be synchronous (CBC decryption can be parallel)
  - Decryption (CBC): in case a block is damaged, its dependent block can't be deciphered either.
  - CBC block damage can come from a single bit.
  - OFB can correct errors with embedded ECC (single bits).

13 Solution
● Instead of chaining to disguise the cipher, use a counter. (The counter must be kept secret.)
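
Added example (not part of the original slides): a counter-based VIL construction of the kind slide 13 suggests, showing that each block is processed independently, that no padding is needed, and that one damaged ciphertext bit damages only one plaintext byte. HMAC-SHA256 stands in for the FIL block function, and the names `ctr_block`, `ctr_crypt` and `damaged_positions` are assumptions of this sketch.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per keystream block (assumption for this example)

def keystream_block(key: bytes, counter: int) -> bytes:
    # Stand-in for the FIL block function: HMAC-SHA256 of the counter, truncated.
    ctr = (counter % (1 << 128)).to_bytes(16, "big")
    return hmac.new(key, ctr, hashlib.sha256).digest()[:BLOCK]

def ctr_block(key: bytes, start: int, index: int, block: bytes) -> bytes:
    # Encrypts or decrypts block number `index` on its own: no chaining, so
    # blocks can be processed in any order or in parallel.
    pad = keystream_block(key, start + index)
    return bytes(a ^ b for a, b in zip(block, pad))  # zip trims the last block

def ctr_crypt(key: bytes, start: int, data: bytes) -> bytes:
    # `start` is the initial counter agreed between sender and receiver (the
    # slide asks for it to be kept secret); it must never repeat under one key.
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        out += ctr_block(key, start, off // BLOCK, data[off:off + BLOCK])
    return bytes(out)

def damaged_positions(key: bytes, start: int, msg: bytes, bit: int) -> list:
    # Flip one ciphertext bit "in transit" and list the plaintext bytes that
    # differ after decryption.
    ct = bytearray(ctr_crypt(key, start, msg))
    ct[bit // 8] ^= 1 << (bit % 8)
    pt = ctr_crypt(key, start, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(msg, pt)) if a != b]

if __name__ == "__main__":
    key, start = b"k" * 32, 7          # constructed sample values
    msg = bytes(range(40))             # 2.5 blocks: no padding required
    ct = ctr_crypt(key, start, msg)
    print(len(ct), ctr_block(key, start, 2, ct[32:]) == msg[32:])
    print(damaged_positions(key, start, msg, 8 * 17 + 3))
```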

14 Indistinguishability Test
● Prove that the following encryption scheme does not pass the Ind. Test.
● Discrete log: the base for several public-key cryptosystems
● Assumption: for a known prime p, generator g of Z_p and y, it is hard to find x such that g^x mod p = y
● For a public prime p and generator g (for Z_p), where m < p:
  Ek(m) = { x = g^m mod p; y = g^(kx) mod p; return x||(y xor m) }

15 Solution
● The adversary can calculate x, and thus distinguish the message from a random message.
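
Added example (not part of the original slides): the indistinguishability test run against the scheme of slide 14, with an adversary that only recomputes x = g^m mod p from public values. The parameters p = 467 and g = 2 and the function names are constructed for this sketch.

```python
import secrets

# Toy public parameters constructed for this example (far too small for real
# use): p = 467 is prime and g = 2 generates Z_p.
P, G = 467, 2

def encrypt(k: int, m: int):
    """The slide's scheme E_k(m) = x || (y xor m), returned as a pair."""
    x = pow(G, m, P)        # depends only on m and the public g, p
    y = pow(G, k * x, P)    # the only place the key k is used
    return x, y ^ m

def adversary(m0: int, challenge) -> int:
    """Guess 0 if the challenge encrypts m0, else 1. Uses no key and no oracle."""
    x, _ = challenge
    return 0 if x == pow(G, m0, P) else 1

def ind_test(rounds: int = 500) -> float:
    """Fraction of rounds in which the adversary tells m0 from a random message."""
    wins = 0
    for _ in range(rounds):
        k = secrets.randbelow(P - 2) + 1
        m0 = secrets.randbelow(P - 2) + 1      # adversary's chosen message, 1..p-2
        m1 = m0
        while m1 == m0:                        # challenger's random message
            m1 = secrets.randbelow(P - 2) + 1
        b = secrets.randbelow(2)               # challenger's secret bit
        challenge = encrypt(k, m1 if b else m0)
        wins += adversary(m0, challenge) == b
    return wins / rounds

if __name__ == "__main__":
    print("adversary win rate:", ind_test())
```

A scheme that passes the test would hold this win rate near ½; here the first ciphertext component is a deterministic, key-independent function of the message.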

16 Indistinguishability Test is Strong
● Two encryptions of the same message should be indistinguishable
  - Otherwise the adversary can ask for another encryption of a known message and identify it
  - Encryption must be randomized and/or use a state variable
  - With a state variable, encryption depends on history
  - In practice: usually encryption is randomized
● No assumption about the plaintext
  - May be just two messages, ‘0’ and ‘1’
  - May be biased (90% is ‘0’)

17 CPA-IND Secure Cryptosystem from KPA-Secure
● Let C_k be a KPA-secure cryptosystem
● Then encrypt each message m using E_k(m) = r || C_k(m ⊕ r), where r is random
● Observation: this is simply CBC mode of C_k with a single block!
  - Proof extends to multiple-block CBC
● Theorem [GM89]: E_k(m) is CPA-IND secure.

18 Question
● Let E be a KPA-secure cryptosystem. Consider the following function on {0,1}^{2n} (for any n):
  E’_k(x) = E_k(x[1..n]) || E_k(E_k(x[1..n]) x[(n+1)..2n]).
● Is E’_k(x) KPA secure?
● Is E’_k(x) CPA secure?

19 Solution
● Not CPA secure: choose 2 different input texts, for example 1010||1100 and 1010||1001. The output of the MSB is the same for both “different” outputs. This is the case because of E_k(x[1..n]).
● KPA secure: never choose messages with the same MSB.

20 Error Detection
● We would like to transmit ciphertext over the wire. Alice suggests using a parity check as the error-detection code.
● Do we have privacy?
● Do we have integrity?

21 Error Detection
● Assume OTP encryption and an intercepting adversary.
● The adversary doesn’t know k and sees c on the wire.
● c = (m xor k) || parity(m) [bit]
● The adversary removes c and replaces it with c’, in which any even number of bits can be flipped (notice that in this example the adversary doesn’t even need to know m).
● OK, no integrity, but maybe privacy?
● What about a known domain of messages (money transfer)?
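
Added example (not part of the original slides): the c = (m xor k) || parity(m) format from slide 21, showing that the receiver's parity check accepts a ciphertext with an even number of flipped bits and that the clear parity bit narrows a known message domain. The 16-bit amounts 100 and 1000 and all function names are constructed for this sketch.

```python
import secrets

def to_bits(n: int, width: int = 16) -> list:
    return [(n >> i) & 1 for i in reversed(range(width))]

def parity(bits: list) -> int:
    return sum(bits) % 2

def send(m_bits: list, k_bits: list) -> list:
    # c = (m xor k) || parity(m): OTP body followed by one clear parity bit
    return [m ^ k for m, k in zip(m_bits, k_bits)] + [parity(m_bits)]

def receive(c: list, k_bits: list):
    # Returns (decrypted bits, whether the parity check accepted them)
    m = [x ^ k for x, k in zip(c[:-1], k_bits)]
    return m, parity(m) == c[-1]

def tamper(c: list, positions: list) -> list:
    # Models damage or modification in transit: flip the listed bits of c
    c2 = list(c)
    for i in positions:
        c2[i] ^= 1
    return c2

def consistent_candidates(c: list, amounts: list) -> list:
    # What the clear parity bit reveals without k: which messages from a
    # known domain could have been sent
    return [a for a in amounts if parity(to_bits(a)) == c[-1]]

if __name__ == "__main__":
    m = to_bits(100)                                  # constructed sample message
    k = [secrets.randbelow(2) for _ in m]             # one-time pad
    c = send(m, k)
    print("1 flipped bit accepted:", receive(tamper(c, [3]), k)[1])
    m2, ok = receive(tamper(c, [0, 5]), k)
    print("2 flipped bits accepted:", ok, "message changed:", m2 != m)
    print("domain {100, 1000} narrows to:", consistent_candidates(c, [100, 1000]))
```

A keyed MAC over the ciphertext, rather than an unkeyed code over the plaintext, is what closes both gaps.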
