Malleability of Cryptosystems KEVIN ALLISON. Definitions.

Slides:

Advertisements

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Advertisements

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.

Using Cryptography to Secure Information. Overview Introduction to Cryptography Using Symmetric Encryption Using Hash Functions Using Public Key Encryption.

Sri Lanka Institute of Information Technology

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

Digital Signatures and Hash Functions. Digital Signatures.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Attacks on Digital Signature Algorithm: RSA

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

Chapter 5 Cryptography Protecting principals communication in systems.

A Designer’s Guide to KEMs Alex Dent

Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.

CS1001 Lecture 24. Overview Encryption Encryption Artificial Intelligence Artificial Intelligence Homework 4 Homework 4.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

1 Introduction to Information Security , Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011

Public Key Model 8. Cryptography part 2.

Rachana Y. Patil 1 1.

CS5204 – Fall Cryptographic Security Presenter: Hamid Al-Hamadi October 13, 2009.

DNSSEC Cryptography Review Track 2 Workshop July 3, 2010 American Samoa Hervey Allen.

Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.

Digital Signatures Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013.

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.

10/1/2015 9:38:06 AM1AIIS. OUTLINE Introduction Goals In Cryptography Secrete Key Cryptography Public Key Cryptograpgy Digital Signatures 2 10/1/2015.

The Dual Receiver Cryptosystem and its Applications Presented by Brijesh Shetty.

Topic 22: Digital Schemes (2)

Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.

1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

Basic Cryptography 1. What is cryptography? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to,

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 2 – Cryptographic.

1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.

11-Basic Cryptography Dr. John P. Abraham Professor UTPA.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

1 Reasoning about Concrete Security in Protocol Proofs A. Datta, J.Y. Halpern, J.C. Mitchell, R. Pucella, A. Roy.

Lecture 8 Overview. Secure Hash Algorithm (SHA) SHA SHA SHA – SHA-224, SHA-256, SHA-384, SHA-512 SHA-1 A message composed of b bits.

A Quick Tour of Cryptographic Primitives Anupam Datta CMU Fall A: Foundations of Security and Privacy.

Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.

Digital Signatures, Message Digest and Authentication Week-9.

The Paillier Cryptosystem

15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.

NEW DIRECTIONS IN CRYPTOGRAPHY Made Harta Dwijaksara, Yi Jae Park.

Various Attacks on Cryptosystems slides (c) 2012 by Richard Newman.

Tae-Joon Kim Jong yun Jun

Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

1/28 Chosen-Ciphertext Security from Identity- Based Encryption Jonathan Katz U. Maryland Ran Canetti, Shai Halevi IBM.

Discrete Mathematical Structures: Theory and Applications 1 Cryptography (advanced extra curricular topic)  Cryptography (from the Greek words Kryptos,

Unit 3 Section 6.4: Internet Security

B504/I538: Introduction to Cryptography

Digital signatures.

Cryptography Lecture 12.

Cryptography Lecture 10.

Cryptography Reference: Network Security

Cryptography Lecture 11.

Cryptography Lecture 12.

Topic 13: Message Authentication Code

Cryptography Lecture 9.

Presentation transcript:

Malleability of Cryptosystems KEVIN ALLISON

Definitions

What Does Non-malleablity Provide? Improved security by knowing the encrypted message has not been tampered Ideologically equivalent to existentially unforgeable signatures Secrecy does not imply independence ◦Non-malleable cryptosystems prove this

Simple Example Professor Kaminsky enjoys encrypting his grades and giving each student their own symmetric key for decryption. Unfortunately you forgot how to add and did not do so well on the first test. With a malleable cryptosystem, this can be fixed! Encrypt D Various Operations α Relation Check β Decrypt If R(α, β) == 1 Done! A Start Grade End Grade (The previous assumes Professor Kaminsky uses a malleable encryption scheme. This is unlikely).

Security α – Messageβ – Rel. MsgG – AttackA - AttackerA’ - SimulatorR - Relation

Semantic Security

Types of Attacks Chosen Plaintext ◦Attacker can encrypt any plaintext to get the ciphertext ◦Least Powerful Chosen Ciphertext – Pre Processing ◦Access a decryption oracle < x p times, then remove oracle Chosen Ciphertext – Post Processing ◦Gets challenge ciphertext before oracle is removed ◦Can decrypt any ciphertext excluding the challenge via the oracle ◦Most Powerful

Incorrect Implementations (Dolav et al.) Appending encryption to a zero-knowledge proof ◦Proof could be malleable, therefore possible to generate new encryption and new proof Sending encryption plus signature ◦Possible to generate new encrypted message E(m+1) and new signature based-off that Signature inside Ciphertext ◦Same as above

Public Key Overview Scheme S (Dolev et al.) ◦Create public signature verification key/private signing key ◦Encrypt message using several keys derived from public signature verification key ◦Zero-knowledge proof used to show value encrypted is the same ◦Encryptions and proof are signed from using the key from step 1

Public Key Generation (Dolev et al.) GP – Key GeneratorU – Random String

Public Key Encryption (Dolev et al.) GS – Signature Key Generatorh – One Way Hash Function

Public Key Encryption (Dolev et al.) ZKP – Zero Knowledge Proofk – Length of inputn –size of the generator

Non-malleable Security

Critical Components Security of the one-way hash function ◦If it is possible to reverse the hash function, then the Scheme is invalid ◦Does the hash function produce collisions? ◦Another failure case Is the Zero Knowledge Authentication system correct? ◦Otherwise verification of information is jeopardized.

Modern Implications

References Dorlev et al. Non-Malleable Cryptography. Fisclin, Marc. Completely Non-malleable Schemes. e_schemes.pdf e_schemes.pdf Ventre, Carmine. Completely Non-Malleabe Encryption Revisited. Boldyreva et al. Foundations of Non-malleable Hash and One-Way Functions.

Questions?