Download presentation

Presentation is loading. Please wait.

Published byCorey Copeland Modified over 2 years ago

1
Malleability of Cryptosystems KEVIN ALLISON

2
Definitions

3
What Does Non-malleablity Provide? Improved security by knowing the encrypted message has not been tampered Ideologically equivalent to existentially unforgeable signatures Secrecy does not imply independence ◦Non-malleable cryptosystems prove this

4
Simple Example Professor Kaminsky enjoys encrypting his grades and giving each student their own symmetric key for decryption. Unfortunately you forgot how to add and did not do so well on the first test. With a malleable cryptosystem, this can be fixed! Encrypt D Various Operations α Relation Check β Decrypt If R(α, β) == 1 Done! A Start Grade End Grade (The previous assumes Professor Kaminsky uses a malleable encryption scheme. This is unlikely).

5
Security α – Messageβ – Rel. MsgG – AttackA - AttackerA’ - SimulatorR - Relation

6
Semantic Security

7
Types of Attacks Chosen Plaintext ◦Attacker can encrypt any plaintext to get the ciphertext ◦Least Powerful Chosen Ciphertext – Pre Processing ◦Access a decryption oracle < x p times, then remove oracle Chosen Ciphertext – Post Processing ◦Gets challenge ciphertext before oracle is removed ◦Can decrypt any ciphertext excluding the challenge via the oracle ◦Most Powerful

8
Incorrect Implementations (Dolav et al.) Appending encryption to a zero-knowledge proof ◦Proof could be malleable, therefore possible to generate new encryption and new proof Sending encryption plus signature ◦Possible to generate new encrypted message E(m+1) and new signature based-off that Signature inside Ciphertext ◦Same as above

9
Public Key Overview Scheme S (Dolev et al.) ◦Create public signature verification key/private signing key ◦Encrypt message using several keys derived from public signature verification key ◦Zero-knowledge proof used to show value encrypted is the same ◦Encryptions and proof are signed from using the key from step 1

10
Public Key Generation (Dolev et al.) GP – Key GeneratorU – Random String

11
Public Key Encryption (Dolev et al.) GS – Signature Key Generatorh – One Way Hash Function

12
Public Key Encryption (Dolev et al.) ZKP – Zero Knowledge Proofk – Length of inputn –size of the generator

13
Non-malleable Security

14
Critical Components Security of the one-way hash function ◦If it is possible to reverse the hash function, then the Scheme is invalid ◦Does the hash function produce collisions? ◦Another failure case Is the Zero Knowledge Authentication system correct? ◦Otherwise verification of information is jeopardized.

15
Modern Implications

16
References Dorlev et al. Non-Malleable Cryptography. http://www.cs.rit.edu/~kra2178/crypto/files/10.1.1.49.4643.pdf http://www.cs.rit.edu/~kra2178/crypto/files/10.1.1.49.4643.pdf Fisclin, Marc. Completely Non-malleable Schemes. http://www.cs.rit.edu/~kra2178/crypto/files/completely_non_malleabl e_schemes.pdf http://www.cs.rit.edu/~kra2178/crypto/files/completely_non_malleabl e_schemes.pdf Ventre, Carmine. Completely Non-Malleabe Encryption Revisited. http://www.iacr.org/archive/pkc2008/49390068/49390068.pdf http://www.iacr.org/archive/pkc2008/49390068/49390068.pdf Boldyreva et al. Foundations of Non-malleable Hash and One-Way Functions. http://www.cs.rit.edu/~kra2178/crypto/files/found_non_malleable.pdf http://www.cs.rit.edu/~kra2178/crypto/files/found_non_malleable.pdf

17
Questions?

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google