Download - Asymmetric Cryptography part 1 & 2
![Page 1: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/1.jpg)
Asymmetric Cryptographypart 1 & 2Haya Shulman
Many thanks to Amir Herzberg who donated some of the slides from
http://www.cs.biu.ac.il/~herzbea/89-690/index.html
![Page 2: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/2.jpg)
Talk Outline
Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition
Adversarial Power and the Break Symmetric&Asymmetric Security Specifications
(CPA, CCA, CCA2) Information Theoretically Secure Public Key
Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption
![Page 3: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/3.jpg)
Heuristic vs Provable Security Approaches The heuristic approach
Build-break-fix paradigm Failed cryptanalysis
The provable security Reductions to hardness assumptions Reduction is a basic cryptographic
technique
The information theoretic security
![Page 4: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/4.jpg)
Kerckhoff’s Principle: Known Design Security through obscurity is a common approach in the industry Attacks (e.g. cryptanalysis) of unknown design can be
much harder But using public (non-secret) designs…
Published designs are often stronger No need to replace the system once the design is
exposed No need to worry that design was exposed Establish standards for multiple applications:
Efficiency of production and of test attacks / cryptanalysis
Kerckhoff’s Known Design Principle [1883]: adversary knows the design – everything except the secret keys
![Page 5: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/5.jpg)
Talk Outline 好晚
Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition
Adversarial Power and the Break Symmetric&Asymmetric Security Specifications
(CPA, CCA, CCA2) Information Theoretically Secure Public Key
Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption
![Page 6: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/6.jpg)
Public-key Encryption Scheme
B.e is a public encryption key, B.d is a matching private decryption key
Only the key protects confidentiality
plaintext plaintextciphertext
B.e
encryptionalgorithm
decryption algorithm
Key Alice uses to encrypt to Bob
Key Bob uses to decryptB.d
Alice(the sender)
Bob(the receiver)
![Page 7: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/7.jpg)
Encryption Scheme Definition
No distinction between public/ secret key encryption schemes
No security requirement Includes trivial (insecure) encryption schemes
![Page 8: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/8.jpg)
Talk Outline
Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition
Adversarial Power and the Break Symmetric&Asymmetric Security Specifications
(CPA, CCA, CCA2) Information Theoretically Secure Public Key
Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption
![Page 9: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/9.jpg)
Defining Adversarial Power
Computational power Computational bounds on its running time Uniform/ non-uniform
What actions can it take? Passive, eavesdropping Active, can obtain encryptions/ decryptions
![Page 10: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/10.jpg)
Defining the Break
Define the successful break of the scheme Recovering the secret key Decrypting the challenge Learning some partial information about the
encrypted message!
Simulating reality using experiments Indistinguishability (CPA, CCA, adaptive-
CCA)
![Page 11: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/11.jpg)
Indistinguishability Experiment(asymmetric encryption, a.k.a Public Key)
plaintext plaintextciphertext
B.e
encryptionalgorithm
decryption algorithm
Encrypt, or select b
{0,1} and encrypt mb
Key Bob uses to decryptB.d
Chosen plaintext mSelected messages m0, m1
Chosen ciphertext c Ciphertext
c=EB.e(m)Decryptionsm=DB.d(c)
Guess of b
Alice Bob
Eve
![Page 12: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/12.jpg)
IND-CPA Security Specification
![Page 13: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/13.jpg)
IND-CCA Security Specification
![Page 14: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/14.jpg)
IND-CCA2 Security Specification
![Page 15: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/15.jpg)
Indistinguishability Experiment(symmetric encryption, i.e. shared key)
plaintext plaintextciphertext
k
encryptionalgorithm
decryption algorithm
Encrypt, or select b
{0,1} and encrypt mb
k
Chosen plaintext mSelected messages m0, m1
Chosen ciphertext c Ciphertext
c=Ek(m,re)Decryptionsm=Dk(c)
Guess of b
Alice Bob
Eve
![Page 16: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/16.jpg)
Eavesdropping (Passive) Attacks Security Specification Weakest type of adversary Adversary only obtains the ciphertext
that it wishes to decrypt Eavesdropps on the communication line
between two parties and intercepts the encrypted communication
Does not obtain oracle access to encryption or decryption functionality
Does not obtain the encryption key
![Page 17: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/17.jpg)
Eavesdropping Attacks Security Specification
![Page 18: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/18.jpg)
Chosen Plaintext Attacks Security Specification
![Page 19: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/19.jpg)
Talk Outline
Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition
Adversarial Power and the Break Symmetric&Asymmetric Security Specifications
(CPA, CCA, CCA2) Information Theoretically Secure Public Key
Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption
![Page 20: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/20.jpg)
Perfectly Secure Public-Key Encryption Scheme
A public key encryption scheme is perfectly secure if for every public encryption key e, all messages m0, m1, |m0|=|m1|, all ciphertexts c and all algorithms A holds
What does it mean for an encryption scheme to be perfectly secure? The adversary gains no advantage Above pure guess
![Page 21: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/21.jpg)
Perfectly Secure Public-Key Encryption Schemes Do NOT Exist Proof
Let = (G,E,D) be a public key encryption scheme
operates over messages of one bit and encryption/ decryption always succeeds
Construct an algorithm A s.t.
![Page 22: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/22.jpg)
Perfectly Secure Public-Key Encryption Schemes Do NOT Exist If c is an encryption of 0 then there
exists a random i0, otherwise there exists i1
A will always return a correct answer since
while
![Page 23: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/23.jpg)
Talk Outline
Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition
Adversarial Power and the Break Symmetric&Asymmetric Specifications (CPA, CCA,
CCA2) Information Theoretically Secure Public Key
Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption
![Page 24: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/24.jpg)
Deterministic Public Key Encryption Schemes Do NOT Exist Proof
Let =(G,E,D) be a deterministic public key encryption scheme
operates over messages of one bit length and the decryption always succeeds
Construct A s.t.
![Page 25: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/25.jpg)
Talk Outline
Heuristic vs Provable Security Approaches Kerkhoff Principle Public-key Encryption Scheme Definition Security Definition
Adversarial Power and the Break Symmetric&Asymmetric Security Specifications
(CPA, CCA, CCA2) Information Theoretically Secure Public Key
Encryption Scheme? Deterministic Public Key Schemes? Hybrid encryption
![Page 26: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/26.jpg)
Symmetric vs. Asymmetric
Is there a perfectly secure private key encryption scheme?
Is there a secure deterministic private key encryption scheme? Depends on the attack model
Why not define the strongest security for any scheme? There is a price for being overly
conservative
![Page 27: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/27.jpg)
Arbitrary Length Public-key Encryption Scheme
Secure public-key encryption scheme for one bit implies security under multiple encryptions, given m=m1…mL encrypt
Inefficient L times the computational cost of encrypting one
block Ciphertext length increases Public key cryptosystems are slow Also: most (e.g. RSA) have fixed block size (FIL) Using a long block size is veeery slooow
![Page 28: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/28.jpg)
Hybrid Encryption (`enveloping`) Can we do better?
Use VIL secret key cryptosystem, encrypt shared key and use it to encrypt plaintext
K {0,1}k CKEY EPKe(K)
CMSGESKK(m)
Encryption
e
Plaintext m
Decryption
K DPKd(CKEY)
DSKK(CMSG)
CKEY
CMSG
![Page 29: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/29.jpg)
Hybrid Encryption - Construction
Secure public key encryption scheme Secure private key encryption scheme
construct a hybrid encryption scheme
![Page 30: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/30.jpg)
Hybrid Encryption - Security
Theorem: If is an IND-CPA secure public key encryption scheme and is an IND-CPA secure private key encryption scheme then is an IND-CPA secure public key encryption scheme for arbitrary length messages
Proof: We need to show that
For any PPT A and any m0, m1 we need to bound
![Page 31: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/31.jpg)
Hybrid Encryption Proof, cont’ By definition of hybrid encryption
algorithm it is equivalent to
Now given A against the hybrid scheme construct an algorithm ASK against the private key encryption scheme
![Page 32: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/32.jpg)
Hybrid Encryption Proof, cont’ Analysis of ASK‘s success probability
But, is this equivalent to
Why? Because
There is no way for to choose the key K’ s.t. it is equal to K used to encrypt the challenge
![Page 33: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/33.jpg)
Hybrid Encryption Proof, 2nd Attempt Given A=(A1,A2) against we construct
and against
and against
The advantage of A is bounded by the sum of the advantages of each of the algorithms above
![Page 34: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/34.jpg)
Hybrid Encryption Proof, cont’
We first show that Given a PPT algorithm A=(A1,A2)
construct a PPT against
![Page 35: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/35.jpg)
Hybrid Encryption Proof, cont’ The success probability of
Since is IND-CPA secure the advantage is negligible
![Page 36: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/36.jpg)
Hybrid Encryption Proof, cont’
We next show that Given a PPT algorithm A=(A1,A2)
construct a PPT against
![Page 37: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/37.jpg)
Hybrid Encryption Proof, cont’ The success probability of
Since is IND-CPA secure the advantage is negligible
![Page 38: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/38.jpg)
Hybrid Encryption Proof, cont’
In the third step show that Given a PPT algorithm A=(A1,A2)
construct a PPT against
![Page 39: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/39.jpg)
Hybrid Encryption Proof, cont’ The success probability of
Since is IND-CPA secure the advantage is negligible
We obtain
and conclude that
![Page 40: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/40.jpg)
Hybrid Encryption Proof, fin’
![Page 41: Asymmetric Cryptography part 1 & 2](https://reader033.vdocuments.us/reader033/viewer/2022051401/56814ac3550346895db7d82e/html5/thumbnails/41.jpg)
Asymmetric Encryption
End of part 1 and 2 Questions? Thank you.