420 likes | 639 Views
Asymmetric Cryptography part 1 & 2 . Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from http://www.cs.biu.ac.il/~herzbea/89-690/index.html. Talk Outline. Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition
E N D
Asymmetric Cryptographypart 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from http://www.cs.biu.ac.il/~herzbea/89-690/index.html
Talk Outline • Heuristic vs Provable Security Approaches • Kerkhoff Principle • Public-key Encryption Scheme Definition • Security Definition • Adversarial Power and the Break • Symmetric&Asymmetric Security Specifications (CPA, CCA, CCA2) • Information Theoretically Secure Public Key Encryption Scheme? • Deterministic Public Key Schemes? • Hybrid encryption
Heuristic vs Provable Security Approaches • The heuristic approach • Build-break-fix paradigm • Failed cryptanalysis • The provable security • Reductions to hardness assumptions • Reduction is a basic cryptographic technique • The information theoretic security
Kerckhoff’s Principle: Known Design • Security through obscurity is a common approach in the industry • Attacks (e.g. cryptanalysis) of unknown design can be much harder • But using public (non-secret) designs… • Published designs are often stronger • No need to replace the system once the design is exposed • No need to worry that design was exposed • Establish standards for multiple applications: • Efficiency of production and of test attacks / cryptanalysis • Kerckhoff’s Known Design Principle [1883]: adversary knows the design – everything except the secret keys
Talk Outline 好晚 • Heuristic vs Provable Security Approaches • Kerkhoff Principle • Public-key Encryption Scheme Definition • Security Definition • Adversarial Power and the Break • Symmetric&Asymmetric Security Specifications (CPA, CCA, CCA2) • Information Theoretically Secure Public Key Encryption Scheme? • Deterministic Public Key Schemes? • Hybrid encryption
Public-key Encryption Scheme Key Alice uses to encrypt to Bob Key Bob uses to decrypt B.e is a public encryption key, B.d is a matchingprivate decryption key Only the key protects confidentiality B.e B.d encryption algorithm plaintext decryption algorithm ciphertext plaintext Alice (the sender) Bob (the receiver)
Encryption Scheme Definition • No distinction between public/ secret key encryption schemes • No security requirement • Includes trivial (insecure) encryption schemes
Talk Outline • Heuristic vs Provable Security Approaches • Kerkhoff Principle • Public-key Encryption Scheme Definition • Security Definition • Adversarial Power and the Break • Symmetric&Asymmetric Security Specifications (CPA, CCA, CCA2) • Information Theoretically Secure Public Key Encryption Scheme? • Deterministic Public Key Schemes? • Hybrid encryption
Defining Adversarial Power • Computational power • Computational bounds on its running time • Uniform/ non-uniform • What actions can it take? • Passive, eavesdropping • Active, can obtain encryptions/ decryptions
Defining the Break • Define the successful break of the scheme • Recovering the secret key • Decrypting the challenge • Learning some partial information about the encrypted message! • Simulating reality using experiments • Indistinguishability (CPA, CCA, adaptive-CCA)
Indistinguishability Experiment(asymmetric encryption, a.k.a Public Key) Encrypt, or select b{0,1} and encrypt mb Key Bob uses to decrypt B.e B.d plaintext encryption algorithm decryption algorithm ciphertext plaintext Chosen ciphertext c Ciphertextc=EB.e(m) Alice Bob Decryptionsm=DB.d(c) Chosen plaintext m Selected messages m0, m1 Eve Guess of b
Indistinguishability Experiment(symmetric encryption, i.e. shared key) Encrypt, or select b{0,1}and encrypt mb k k plaintext encryption algorithm decryption algorithm ciphertext plaintext Chosen ciphertext c Ciphertextc=Ek(m,re) Alice Bob Decryptionsm=Dk(c) Chosen plaintext m Selected messages m0, m1 Eve Guess of b
Eavesdropping (Passive) Attacks Security Specification • Weakest type of adversary • Adversary only obtains the ciphertext that it wishes to decrypt • Eavesdropps on the communication line between two parties and intercepts the encrypted communication • Does not obtain oracle access to encryption or decryption functionality • Does not obtain the encryption key
Talk Outline • Heuristic vs Provable Security Approaches • Kerkhoff Principle • Public-key Encryption Scheme Definition • Security Definition • Adversarial Power and the Break • Symmetric&Asymmetric Security Specifications (CPA, CCA, CCA2) • Information Theoretically Secure Public Key Encryption Scheme? • Deterministic Public Key Schemes? • Hybrid encryption
Perfectly Secure Public-Key Encryption Scheme • A public key encryption scheme is perfectly secure if for every public encryption key e, all messages m0, m1, |m0|=|m1|, all ciphertexts c and all algorithms A holds • What does it mean for an encryption scheme to be perfectly secure? • The adversary gains no advantage • Above pure guess
Perfectly Secure Public-Key Encryption Schemes Do NOT Exist • Proof • Let = (G,E,D) be a public key encryption scheme • operates over messages of one bit and encryption/ decryption always succeeds • Construct an algorithm A s.t.
Perfectly Secure Public-Key Encryption Schemes Do NOT Exist • If c is an encryption of 0 then there exists a random i0, otherwise there exists i1 • A will always return a correct answer since while
Talk Outline • Heuristic vs Provable Security Approaches • Kerkhoff Principle • Public-key Encryption Scheme Definition • Security Definition • Adversarial Power and the Break • Symmetric&Asymmetric Specifications (CPA, CCA, CCA2) • Information Theoretically Secure Public Key Encryption Scheme? • Deterministic Public Key Schemes? • Hybrid encryption
Deterministic Public Key Encryption Schemes Do NOT Exist • Proof • Let =(G,E,D) be a deterministic public key encryption scheme • operates over messages of one bit length and the decryption always succeeds • Construct A s.t.
Talk Outline • Heuristic vs Provable Security Approaches • Kerkhoff Principle • Public-key Encryption Scheme Definition • Security Definition • Adversarial Power and the Break • Symmetric&Asymmetric Security Specifications (CPA, CCA, CCA2) • Information Theoretically Secure Public Key Encryption Scheme? • Deterministic Public Key Schemes? • Hybrid encryption
Symmetric vs. Asymmetric • Is there a perfectly secure private key encryption scheme? • Is there a secure deterministic private key encryption scheme? • Depends on the attack model • Why not define the strongest security for any scheme? • There is a price for being overly conservative
Arbitrary Length Public-key Encryption Scheme • Secure public-key encryption scheme for one bit implies security under multiple encryptions, given m=m1…mL encrypt • Inefficient • L times the computational cost of encrypting one block • Ciphertext length increases • Public key cryptosystems are slow • Also: most (e.g. RSA) have fixed block size (FIL) • Using a long block size is veeery slooow
Hybrid Encryption (`enveloping`) • Can we do better? • Use VIL secret key cryptosystem, encrypt shared key and use it to encrypt plaintext e Decryption Encryption CKEY K {0,1}k K DPKd(CKEY) CKEY EPKe(K) Plaintext m CMSG CMSGESKK(m) DSKK(CMSG)
Hybrid Encryption - Construction • Secure public key encryption scheme • Secure private key encryption scheme construct a hybrid encryption scheme
Hybrid Encryption - Security • Theorem: If is an IND-CPA secure public key encryption scheme and is an IND-CPA secure private key encryption scheme then is an IND-CPA secure public key encryption scheme for arbitrary length messages • Proof: We need to show that • For any PPT A and any m0, m1 we need to bound
Hybrid Encryption Proof, cont’ • By definition of hybrid encryption algorithm it is equivalent to • Now given A against the hybrid scheme construct an algorithm ASK against the private key encryption scheme
Hybrid Encryption Proof, cont’ • Analysis of ASK‘s success probability • But, is this equivalent to • Why? • BecauseThere is no way for to choose the key K’ s.t. it is equal to K used to encrypt the challenge
Hybrid Encryption Proof, 2nd Attempt • Given A=(A1,A2) against we construct and against and against • The advantage of A is bounded by the sum of the advantages of each of the algorithms above
Hybrid Encryption Proof, cont’ • We first show that • Given a PPT algorithm A=(A1,A2) construct a PPT against
Hybrid Encryption Proof, cont’ • The success probability of • Since is IND-CPA secure the advantage is negligible
Hybrid Encryption Proof, cont’ • We next show that • Given a PPT algorithm A=(A1,A2) construct a PPT against
Hybrid Encryption Proof, cont’ • The success probability of • Since is IND-CPA secure the advantage is negligible
Hybrid Encryption Proof, cont’ • In the third step show that • Given a PPT algorithm A=(A1,A2) construct a PPT against
Hybrid Encryption Proof, cont’ • The success probability of • Since is IND-CPA secure the advantage is negligible • We obtain and conclude that
Asymmetric Encryption • End of part 1 and 2 • Questions? • Thank you.