Asymmetric Cryptography, part 1 & 2. Haya Shulman. Many thanks to Amir Herzberg, who donated some of the slides from http://www.cs.biu.ac.il/~herzbea/89-690/index.html
Talk Outline • Heuristic vs Provable Security Approaches • Kerckhoffs' Principle • Public-key Encryption Scheme Definition • Security Definition • Adversarial Power and the Break • Symmetric & Asymmetric Security Specifications (CPA, CCA, CCA2) • Information Theoretically Secure Public Key Encryption Scheme? • Deterministic Public Key Schemes? • Hybrid encryption
Heuristic vs Provable Security Approaches • The heuristic approach • Build-break-fix paradigm • Failed cryptanalysis • The provable security • Reductions to hardness assumptions • Reduction is a basic cryptographic technique • The information theoretic security
Kerckhoffs' Principle: Known Design • Security through obscurity is a common approach in the industry • Attacks (e.g. cryptanalysis) of unknown design can be much harder • But using public (non-secret) designs… • Published designs are often stronger • No need to replace the system once the design is exposed • No need to worry that design was exposed • Establish standards for multiple applications: • Efficiency of production and of test attacks / cryptanalysis • Kerckhoffs' Known Design Principle [1883]: adversary knows the design – everything except the secret keys
Public-key Encryption Scheme • B.e is a public encryption key (the key Alice uses to encrypt to Bob), B.d is a matching private decryption key (the key Bob uses to decrypt) • Only the key protects confidentiality • [Figure: Alice (the sender) feeds the plaintext to the encryption algorithm under B.e; the ciphertext goes to Bob (the receiver), whose decryption algorithm under B.d recovers the plaintext]
Encryption Scheme Definition • No distinction between public/ secret key encryption schemes • No security requirement • Includes trivial (insecure) encryption schemes
Defining Adversarial Power • Computational power • Computational bounds on its running time • Uniform/ non-uniform • What actions can it take? • Passive, eavesdropping • Active, can obtain encryptions/ decryptions
Defining the Break • Define the successful break of the scheme • Recovering the secret key • Decrypting the challenge • Learning some partial information about the encrypted message! • Simulating reality using experiments • Indistinguishability (CPA, CCA, adaptive-CCA)
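Indistinguishability Experiment (asymmetric encryption, a.k.a. public key) • [Figure: Alice encrypts under B.e, Bob decrypts under B.d (the key Bob uses to decrypt); plaintext → encryption algorithm → ciphertext → decryption algorithm → plaintext; Eve interacts with both sides] • Encryption side: encrypt, or select $b \in \{0,1\}$ and encrypt $m_b$ • Chosen plaintext m from Eve, answered with ciphertext $c = E_{B.e}(m)$ • Chosen ciphertext c from Eve, answered with decryption $m = D_{B.d}(c)$ • Selected messages $m_0, m_1$ from Eve • Eve outputs a guess of b
Indistinguishability Experiment (symmetric encryption, i.e. shared key) • [Figure: Alice and Bob share the key k; plaintext → encryption algorithm → ciphertext → decryption algorithm → plaintext; Eve interacts with both sides] • Encryption side: encrypt, or select $b \in \{0,1\}$ and encrypt $m_b$ • Chosen plaintext m from Eve, answered with ciphertext $c = E_k(m, r_e)$ • Chosen ciphertext c from Eve, answered with decryption $m = D_k(c)$ • Selected messages $m_0, m_1$ from Eve • Eve outputs a guess of b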
Eavesdropping (Passive) Attacks Security Specification • Weakest type of adversary • Adversary only obtains the ciphertext that it wishes to decrypt • Eavesdrops on the communication line between two parties and intercepts the encrypted communication • Does not obtain oracle access to encryption or decryption functionality • Does not obtain the encryption key
Perfectly Secure Public-Key Encryption Scheme • A public key encryption scheme is perfectly secure if for every public encryption key e, all messages m0, m1, |m0|=|m1|, all ciphertexts c and all algorithms A holds • What does it mean for an encryption scheme to be perfectly secure? • The adversary gains no advantage • Above pure guess
Perfectly Secure Public-Key Encryption Schemes Do NOT Exist • Proof • Let = (G,E,D) be a public key encryption scheme • operates over messages of one bit and encryption/ decryption always succeeds • Construct an algorithm A s.t.
Perfectly Secure Public-Key Encryption Schemes Do NOT Exist • If c is an encryption of 0 then there exists a random i0, otherwise there exists i1 • A will always return a correct answer since while
Deterministic Public Key Encryption Schemes Do NOT Exist • Proof • Let =(G,E,D) be a deterministic public key encryption scheme • operates over messages of one bit length and the decryption always succeeds • Construct A s.t.
Symmetric vs. Asymmetric • Is there a perfectly secure private key encryption scheme? • Is there a secure deterministic private key encryption scheme? • Depends on the attack model • Why not define the strongest security for any scheme? • There is a price for being overly conservative
Arbitrary Length Public-key Encryption Scheme • Secure public-key encryption scheme for one bit implies security under multiple encryptions, given m=m1…mL encrypt • Inefficient • L times the computational cost of encrypting one block • Ciphertext length increases • Public key cryptosystems are slow • Also: most (e.g. RSA) have fixed block size (FIL) • Using a long block size is veeery slooow
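Hybrid Encryption (`enveloping`) • Can we do better? • Use VIL secret key cryptosystem, encrypt shared key and use it to encrypt plaintext • Encryption (public key e, plaintext m): $K \leftarrow \{0,1\}^k$, $\mathrm{CKEY} \leftarrow EPK_e(K)$, $\mathrm{CMSG} \leftarrow ESK_K(m)$ • Decryption (private key d): $K \leftarrow DPK_d(\mathrm{CKEY})$, $m \leftarrow DSK_K(\mathrm{CMSG})$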
Hybrid Encryption - Construction • Secure public key encryption scheme • Secure private key encryption scheme construct a hybrid encryption scheme
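The deterministic-scheme attack and the hybrid construction from the slides above, played as one indistinguishability experiment (an added example, not taken from the original deck): the adversary re-encrypts m0 under the public key and compares the result with the challenge. Assumptions: toy textbook-RSA parameters stand in for EPK (textbook RSA is not itself IND-CPA secure, as the theorem would require), a SHAKE-256 keystream stands in for ESK, and all function names are illustrative.

```python
import hashlib
import secrets

# Toy parameters (assumption, illustration only): two Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (N, E), known to the adversary
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, never given to the adversary


def rsa_enc(m: bytes) -> int:
    """Deterministic textbook RSA: same key and message give the same ciphertext."""
    return pow(int.from_bytes(m, "big"), E, N)


def stream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHAKE-256 of the key), a stand-in for the symmetric scheme."""
    return hashlib.shake_256(key).digest(n)


def hybrid_enc(m: bytes):
    """CKEY = EPK_e(K), CMSG = ESK_K(m), with a fresh random K per message."""
    k = secrets.token_bytes(16)
    cmsg = bytes(a ^ b for a, b in zip(m, stream(k, len(m))))
    return rsa_enc(k), cmsg


def hybrid_dec(ckey: int, cmsg: bytes) -> bytes:
    """K = DPK_d(CKEY), m = DSK_K(CMSG)."""
    k = pow(ckey, D, N).to_bytes(16, "big")
    return bytes(a ^ b for a, b in zip(cmsg, stream(k, len(cmsg))))


def ind_cpa_wins(encrypt, trials: int = 200) -> int:
    """Play the indistinguishability experiment; count correct guesses of b."""
    m = [b"attack at dawn!!", b"retreat at noon!"]   # constructed, |m0| = |m1|
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        challenge = encrypt(m[b])                    # challenger encrypts m_b
        # Adversary holds the public key, so it encrypts m0 itself and compares.
        guess = 0 if encrypt(m[0]) == challenge else 1
        wins += guess == b
    return wins


if __name__ == "__main__":
    print("textbook RSA:", ind_cpa_wins(rsa_enc), "/ 200")
    print("hybrid      :", ind_cpa_wins(hybrid_enc), "/ 200")
```

The re-encryption adversary wins every round against the deterministic scheme; against the hybrid, with a fresh K per encryption, this particular adversary does no better than guessing, which by itself is not a proof of security.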
Hybrid Encryption - Security • Theorem: If is an IND-CPA secure public key encryption scheme and is an IND-CPA secure private key encryption scheme then is an IND-CPA secure public key encryption scheme for arbitrary length messages • Proof: We need to show that • For any PPT A and any m0, m1 we need to bound
Hybrid Encryption Proof, cont’ • By definition of hybrid encryption algorithm it is equivalent to • Now given A against the hybrid scheme construct an algorithm ASK against the private key encryption scheme
Hybrid Encryption Proof, cont’ • Analysis of ASK‘s success probability • But, is this equivalent to • Why? • Because there is no way for to choose the key K’ s.t. it is equal to K used to encrypt the challenge
Hybrid Encryption Proof, 2nd Attempt • Given A=(A1,A2) against we construct and against and against • The advantage of A is bounded by the sum of the advantages of each of the algorithms above
Hybrid Encryption Proof, cont’ • We first show that • Given a PPT algorithm A=(A1,A2) construct a PPT against
Hybrid Encryption Proof, cont’ • The success probability of • Since is IND-CPA secure the advantage is negligible
Hybrid Encryption Proof, cont’ • We next show that • Given a PPT algorithm A=(A1,A2) construct a PPT against
Hybrid Encryption Proof, cont’ • The success probability of • Since is IND-CPA secure the advantage is negligible
Hybrid Encryption Proof, cont’ • In the third step show that • Given a PPT algorithm A=(A1,A2) construct a PPT against
Hybrid Encryption Proof, cont’ • The success probability of • Since is IND-CPA secure the advantage is negligible • We obtain and conclude that
Asymmetric Encryption • End of part 1 and 2 • Questions? • Thank you.