# Malleability of Cryptosystems KEVIN ALLISON. Definitions.

## Presentation on theme: "Malleability of Cryptosystems KEVIN ALLISON. Definitions."— Presentation transcript:

Malleability of Cryptosystems KEVIN ALLISON

Definitions

What Does Non-malleablity Provide? Improved security by knowing the encrypted message has not been tampered Ideologically equivalent to existentially unforgeable signatures Secrecy does not imply independence ◦Non-malleable cryptosystems prove this

Simple Example Professor Kaminsky enjoys encrypting his grades and giving each student their own symmetric key for decryption. Unfortunately you forgot how to add and did not do so well on the first test. With a malleable cryptosystem, this can be fixed! Encrypt D Various Operations α Relation Check β Decrypt If R(α, β) == 1 Done! A Start Grade End Grade (The previous assumes Professor Kaminsky uses a malleable encryption scheme. This is unlikely).

Security α – Messageβ – Rel. MsgG – AttackA - AttackerA’ - SimulatorR - Relation

Semantic Security

Types of Attacks Chosen Plaintext ◦Attacker can encrypt any plaintext to get the ciphertext ◦Least Powerful Chosen Ciphertext – Pre Processing ◦Access a decryption oracle < x p times, then remove oracle Chosen Ciphertext – Post Processing ◦Gets challenge ciphertext before oracle is removed ◦Can decrypt any ciphertext excluding the challenge via the oracle ◦Most Powerful

Incorrect Implementations (Dolav et al.) Appending encryption to a zero-knowledge proof ◦Proof could be malleable, therefore possible to generate new encryption and new proof Sending encryption plus signature ◦Possible to generate new encrypted message E(m+1) and new signature based-off that Signature inside Ciphertext ◦Same as above

Public Key Overview Scheme S (Dolev et al.) ◦Create public signature verification key/private signing key ◦Encrypt message using several keys derived from public signature verification key ◦Zero-knowledge proof used to show value encrypted is the same ◦Encryptions and proof are signed from using the key from step 1

Public Key Generation (Dolev et al.) GP – Key GeneratorU – Random String

Public Key Encryption (Dolev et al.) GS – Signature Key Generatorh – One Way Hash Function

Public Key Encryption (Dolev et al.) ZKP – Zero Knowledge Proofk – Length of inputn –size of the generator

Non-malleable Security

Critical Components Security of the one-way hash function ◦If it is possible to reverse the hash function, then the Scheme is invalid ◦Does the hash function produce collisions? ◦Another failure case Is the Zero Knowledge Authentication system correct? ◦Otherwise verification of information is jeopardized.

Modern Implications

References Dorlev et al. Non-Malleable Cryptography. http://www.cs.rit.edu/~kra2178/crypto/files/10.1.1.49.4643.pdf http://www.cs.rit.edu/~kra2178/crypto/files/10.1.1.49.4643.pdf Fisclin, Marc. Completely Non-malleable Schemes. http://www.cs.rit.edu/~kra2178/crypto/files/completely_non_malleabl e_schemes.pdf http://www.cs.rit.edu/~kra2178/crypto/files/completely_non_malleabl e_schemes.pdf Ventre, Carmine. Completely Non-Malleabe Encryption Revisited. http://www.iacr.org/archive/pkc2008/49390068/49390068.pdf http://www.iacr.org/archive/pkc2008/49390068/49390068.pdf Boldyreva et al. Foundations of Non-malleable Hash and One-Way Functions. http://www.cs.rit.edu/~kra2178/crypto/files/found_non_malleable.pdf http://www.cs.rit.edu/~kra2178/crypto/files/found_non_malleable.pdf

Questions?