Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

Published byBaby Heskett Modified over 9 years ago

Similar presentations

Presentation on theme: "CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion."— Presentation transcript:

1 CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion

2 CS555Topic 192 Outline and Readings Outline CPA Security for public key encryption Hybrid encryption Padded RSA El Gamal Encryption CCA Security for public key encryption Readings: Katz and Lindell: Section 10.2, 10.3, 10.4, 10.5, 10.6

3 IND-CPA Security For public key encryption, Ciphertext Indistinguishability against Chosen Plaintext Attacker is equivalent to Ciphertext Indistinguishability against Eavesdroppers –Because one gets the Encryption Oracle for free in public key encryption schemes CS555Topic 193

4 Hybrid Encryption Construction 10.12. Given a CPA-secure public- key encryption Enc pk, and a private key encryption scheme E k. –To encrypt a message m, randomly choose k  {0,1} n, –Cipheretext is  Enc pk (k), E k (m)  –A new k is chosen for each encryption; encryption is randomized CS555Topic 194

5 Hybrid Encryption is Secure Theorem 10.13: If Enc pk is CPA-secure, and E k is secure against eavesdropper, then Construction 10.12 is CPA- secure. –Why E k only needs to be secure against eavesdropper, and does not need to be CPA-secure? Proof idea. Need to show the following are IND a=  pk, Enc pk (k), E k (m 0 )  d=  pk, Enc pk (k), E k (m 1 )  Consider b=  pk, Enc pk (0 n ), E k (m 0 )  c=  pk, Enc pk (0 n ), E k (m 1 )  (a,b), (c,d) IND because Enc pk is secure; (b,c) IND because E k is secure. This proof technique is known as Hybrid argument. CS555Topic 195

6 Simply Padded RSA Construction 10.18. To encrypt m using RSA, randomly chooses r (so that r||m is of length ||N||-1), compute ciphertextc := [(r||m) e mod N] When m is really short (O(log ||N||)), this construction can be prove secure assume that the RSA problem is hard. –That is, computing O(log ||N||) least significant bits of the e’th root is as hard as computing the e’th root –When r is not that long, there exists no proof of the security of the construction under the assumption that the RSA problem is hard. CS555Topic 196

7 RSA-OAEP Optimal Asymmetric Encryption Padding (OAEP) –Roughly, to encrypt m, chooses random r, encode m as m’ = [X = m  H 1 (r), Y= r  H 2 (X) ] where H 1 and H 2 are cryptographic hash functions, then encrypt it as (m’) e mod n –To decrypt m’=[X,Y], compute r = Y  H 2 (X), and m = X  H 1 (r) Proven secure under the RSA assumption when H 1 and H 2 are assumed to be random oracles. –Unless both X and Y are fully recovered, cannot obtain r, without r, cannot obtain any information of m. –We will not cover Random Oracle Model in this course. See Chapter 13 if interested. CS555Topic 197

8 ElGamal Encryption Public key Private key is a To encrypt m: chooses random b, computes C=[g b mod p, h b m mod p]. Idea: for each m, sender and receiver establish a shared secret h b = g ab via the DH protocol. The value g ab hides the message m by multiplying it. To decrypt C=[c 1,c 2 ], computes [c 2 / (c 1 a mod p) mod p]. CS555Topic 198

9 El Gamal Encryption is CPA- secure under DDH Assumption Decision Diffie Hellman (DDH) Problem: Given (g,g x,g y,g z ) sampled either from (g, g a,g b,g ab ) or from (g, g a,g b,g c ), tell which is the case –a,b,c uniformly randomly chosen from [1,p-1] Given adversary A for El Gamal encryption, construct adversary for DDH problem as follows: –Take (g,g x,g y,g z ) as input, use (g, g y ) as public key, when A outputs (m 0,m 1 ), encrypt m b as (g x, g z m b ) and send to A. If A wins, outputs sampled from (g, g a,g b,g ab ) –When (g,g x,g y,g z ) sampled from (g, g a,g b,g c ), g z m b has uniform distribution and independent from g x,g y CS555Topic 199

10 Chosen Ciphertext Security Most public key encryption schemes we have examined are insecure against chosen ciphertext attacks –Textbook RSA: Given a RSA ciphertext c=m e mod N, construct c’=c2 e mod n, after obtaining plaintext m’, compute m’  2 -1 mod n –El Gamal: Given C=[g b mod p, h b m mod p], how to change the ciphertext? –What about Simply Padded RSA: c=(r||m) e mod N? Insecure. –What about RSA-OAEP? Secure, why? CS555Topic 1910

11 CS555Topic 1911 Coming Attractions … Other Public Key Encryption Schemes Reading: Katz & Lindell: Chapter 11

Download ppt "CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion."

Similar presentations

ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.

Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Similar presentations

Ads by Google