Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malleability of Cryptosystems KEVIN ALLISON. Definitions.

Published byCorey Copeland Modified over 9 years ago

Similar presentations

Presentation on theme: "Malleability of Cryptosystems KEVIN ALLISON. Definitions."— Presentation transcript:

1 Malleability of Cryptosystems KEVIN ALLISON

2 Definitions

3 What Does Non-malleablity Provide? Improved security by knowing the encrypted message has not been tampered Ideologically equivalent to existentially unforgeable signatures Secrecy does not imply independence ◦Non-malleable cryptosystems prove this

4 Simple Example Professor Kaminsky enjoys encrypting his grades and giving each student their own symmetric key for decryption. Unfortunately you forgot how to add and did not do so well on the first test. With a malleable cryptosystem, this can be fixed! Encrypt D Various Operations α Relation Check β Decrypt If R(α, β) == 1 Done! A Start Grade End Grade (The previous assumes Professor Kaminsky uses a malleable encryption scheme. This is unlikely).

5 Security α – Messageβ – Rel. MsgG – AttackA - AttackerA’ - SimulatorR - Relation

6 Semantic Security

7 Types of Attacks Chosen Plaintext ◦Attacker can encrypt any plaintext to get the ciphertext ◦Least Powerful Chosen Ciphertext – Pre Processing ◦Access a decryption oracle < x p times, then remove oracle Chosen Ciphertext – Post Processing ◦Gets challenge ciphertext before oracle is removed ◦Can decrypt any ciphertext excluding the challenge via the oracle ◦Most Powerful

8 Incorrect Implementations (Dolav et al.) Appending encryption to a zero-knowledge proof ◦Proof could be malleable, therefore possible to generate new encryption and new proof Sending encryption plus signature ◦Possible to generate new encrypted message E(m+1) and new signature based-off that Signature inside Ciphertext ◦Same as above

9 Public Key Overview Scheme S (Dolev et al.) ◦Create public signature verification key/private signing key ◦Encrypt message using several keys derived from public signature verification key ◦Zero-knowledge proof used to show value encrypted is the same ◦Encryptions and proof are signed from using the key from step 1

10 Public Key Generation (Dolev et al.) GP – Key GeneratorU – Random String

11 Public Key Encryption (Dolev et al.) GS – Signature Key Generatorh – One Way Hash Function

12 Public Key Encryption (Dolev et al.) ZKP – Zero Knowledge Proofk – Length of inputn –size of the generator

13 Non-malleable Security

14 Critical Components Security of the one-way hash function ◦If it is possible to reverse the hash function, then the Scheme is invalid ◦Does the hash function produce collisions? ◦Another failure case Is the Zero Knowledge Authentication system correct? ◦Otherwise verification of information is jeopardized.

15 Modern Implications

16 References Dorlev et al. Non-Malleable Cryptography. http://www.cs.rit.edu/~kra2178/crypto/files/10.1.1.49.4643.pdf http://www.cs.rit.edu/~kra2178/crypto/files/10.1.1.49.4643.pdf Fisclin, Marc. Completely Non-malleable Schemes. http://www.cs.rit.edu/~kra2178/crypto/files/completely_non_malleabl e_schemes.pdf http://www.cs.rit.edu/~kra2178/crypto/files/completely_non_malleabl e_schemes.pdf Ventre, Carmine. Completely Non-Malleabe Encryption Revisited. http://www.iacr.org/archive/pkc2008/49390068/49390068.pdf http://www.iacr.org/archive/pkc2008/49390068/49390068.pdf Boldyreva et al. Foundations of Non-malleable Hash and One-Way Functions. http://www.cs.rit.edu/~kra2178/crypto/files/found_non_malleable.pdf http://www.cs.rit.edu/~kra2178/crypto/files/found_non_malleable.pdf

17 Questions?

Download ppt "Malleability of Cryptosystems KEVIN ALLISON. Definitions."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.

PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
Using Cryptography to Secure Information. Overview Introduction to Cryptography Using Symmetric Encryption Using Hash Functions Using Public Key Encryption.

Using Cryptography to Secure Information. Overview Introduction to Cryptography Using Symmetric Encryption Using Hash Functions Using Public Key Encryption.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.

Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.
CS1001 Lecture 24. Overview Encryption Encryption Artificial Intelligence Artificial Intelligence Homework 4 Homework 4.

CS1001 Lecture 24. Overview Encryption Encryption Artificial Intelligence Artificial Intelligence Homework 4 Homework 4.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Similar presentations

Ads by Google