CS 6903 Modern Cryptography, February 14th, 2008. Lecture 4. Instructor: Nitesh Saxena. Scribe: Neil Stewart, Chaya Pradip Vavilala


Definition 1 (Indistinguishability (IND-G)). IND-G is a notion that was defined in order to prove that IND ⇒ OW. Recall that indistinguishability (IND) is a notion which says that it should be infeasible for an adversary to differentiate the ciphertexts of two different messages. Formally, security with respect to IND-G is defined using the following experiment between a computationally bounded adversary A and a challenger possessing a shared key K: $\mathrm{Exp}^{\mathrm{IND\text{-}G}}(A)$, where A is the adversary, the scheme under attack is a symmetric key encryption scheme, and IND-G stands for "indistinguishability, guess". The adversarial game is shown in Figure 1.

Figure 1: $\mathrm{Exp}^{\mathrm{IND\text{-}G}}(A)$

Notice that, unlike IND, the notion of IND-G does not rely on the existence of a preinitialized world.

1. The adversary A chooses two messages $m_0, m_1$ from the message space M at random and sends them to the challenger.

2. The challenger randomly chooses a bit $b \in \{0, 1\}$ and sends the ciphertext $C = \mathrm{Enc}(K, m_b)$ to the adversary.
3. The adversary performs some computation and tries to guess which message was encrypted by selecting a bit $b'$.
4. The experiment returns $d = 1$ if $b' = b$ and $d = 0$ otherwise.

The advantage of A, i.e. its probability of making the right guess for b, is

$\mathrm{Adv}^{\mathrm{IND\text{-}G}}(A) = \Pr[\mathrm{Exp}^{\mathrm{IND\text{-}G}}(A) = 1] \le \tfrac{1}{2} + \varepsilon.$

The advantage for IND-G is not written as the difference of two probabilities, as was the case with IND, but as the probability of the experiment returning the correct guess for b.

Theorem 1 (IND-G ⇒ OW). If a scheme is secure with respect to the IND-G notion, then it is also secure with respect to the OW notion.

Proof. The theorem is proven by contradiction (¬OW ⇒ ¬IND-G). We will show that if there is an adversary A who can break the OW security notion, then we can construct an adversary B who can break IND-G. We first perform an experiment between the two adversaries A, B and the challenger. The adversarial game for this experiment is given in Figure 2.

Figure 2: $\mathrm{Exp}^{\mathrm{OW}}(A)$

1. Adversary B chooses two messages $m_0, m_1$ from the message space M at random and sends them to the challenger.

2. The challenger randomly chooses a bit $b \in \{0, 1\}$ and sends the ciphertext $C = \mathrm{Enc}(K, m_b)$ to adversary B.
3. Adversary B forwards the ciphertext to adversary A, who tries to determine the message given the ciphertext and returns a message $m'$ to adversary B. B outputs 0 if $m' = m_0$ and 1 if $m' = m_1$; if $m'$ matches neither message, B guesses the bit at random. The experiment returns $d = 1$ exactly when B's bit equals b.

The advantage of adversary B can then be computed as

$\mathrm{Adv}^{\mathrm{IND\text{-}G}}(B) = \Pr[\mathrm{Exp}^{\mathrm{IND\text{-}G}}(B) = 1] = \mathrm{Adv}^{\mathrm{OW}}(A) + \tfrac{1}{2}\,\bigl(1 - \mathrm{Adv}^{\mathrm{OW}}(A)\bigr) = \tfrac{1}{2} + \tfrac{1}{2}\,\mathrm{Adv}^{\mathrm{OW}}(A),$

since B is right whenever A recovers $m_b$ and right with probability 1/2 whenever it has to guess. We know from Definition 1 that $\mathrm{Adv}^{\mathrm{IND\text{-}G}}(B) \le \tfrac{1}{2} + \varepsilon$, hence $\tfrac{1}{2}\,\mathrm{Adv}^{\mathrm{OW}}(A) \le \varepsilon$, i.e.

$\mathrm{Adv}^{\mathrm{OW}}(A) \le 2\varepsilon.$

In other words, any adversary that breaks OW with significant probability yields one that breaks IND-G with significant advantage, so a scheme that is IND-G secure must also be OW secure.

Theorem 2 (M ⇒ IND). If a scheme is secure with respect to the M notion, then it is also secure with respect to the IND notion.

Proof. We prove the theorem by contradiction (¬IND ⇒ ¬M). We will show that if there is an adversary A who can break the scheme with respect to the IND security notion, then we can construct an adversary B who can break the scheme with respect to M. The adversarial game for this experiment is given in Figure 3.

1. Adversary A chooses two messages $m_0, m_1$ and sends them to adversary B.
2. Adversary B takes these two messages $m_0, m_1$ from A and sends them to the challenger.
3. The challenger encrypts the message $m_b$, where $b \in \{0, 1\}$ depends on whether it is in World 1 or World 2.
4. The challenger now sends the ciphertext c to B.
5. B simply forwards c to adversary A.

Figure 3: Construction of an M attacker B from an IND attacker A

6. A now performs a computation to determine which message, $m_0$ or $m_1$, corresponds to the ciphertext c and outputs a bit $b' \in \{0, 1\}$.
7. Adversary B checks the bit received from A and sets $Y = m_1$ if the bit is 1 and $Y = m_0$ if it is 0.
8. B now sends a function f and its output Y to the challenger.

The advantage of the M adversary B can be shown to be

$\mathrm{Adv}^{\mathrm{M}}(B) = \Pr[\mathrm{Exp}^{\mathrm{M}}_1(B) = 1] - \Pr[\mathrm{Exp}^{\mathrm{M}}_0(B) = 1] = \Pr[\mathrm{Exp}^{\mathrm{IND}}_1(A) = 1] - \Pr[\mathrm{Exp}^{\mathrm{IND}}_0(A) = 1] = \mathrm{Adv}^{\mathrm{IND}}(A).$

Definition 2 (Active Adversary). An active adversary is modeled as having access to special oracles, called the encryption oracle and the decryption oracle. This is a more powerful adversarial model than the passive attackers used so far.
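The IND-G ⇒ OW reduction of Theorem 1 (steps 1-3 and the advantage calculation), as an added worked example that is not part of the lecture notes: a constructed toy cipher that leaks the low message bits admits a one-wayness adversary A, and B is built from A exactly as in the proof. All probabilities are enumerated exactly rather than sampled; the toy parameters (4-bit messages, 2-bit key) and the cipher itself are my assumptions for illustration.

```python
from fractions import Fraction
from itertools import product

# Toy parameters (assumed for illustration): 4-bit messages, 2-bit key.
M_BITS, K_BITS = 4, 2
MSGS = range(1 << M_BITS)
KEYS = range(1 << K_BITS)
LEAK_MASK = (1 << (M_BITS - K_BITS)) - 1   # low message bits sent in the clear

def enc(k, m):
    # Constructed leaky cipher: only the top K_BITS of m are masked by the key.
    return m ^ (k << (M_BITS - K_BITS))

def ow_adversary(c):
    # One-wayness attacker A: copy the leaked low bits, guess 0 for the masked bits.
    return c & LEAK_MASK

def ow_advantage(A):
    # Adv^OW(A) = Pr[A(Enc(K, m)) = m] over uniform key and message, exact count.
    wins = sum(A(enc(k, m)) == m for k in KEYS for m in MSGS)
    return Fraction(wins, len(KEYS) * len(MSGS))

def build_indg_adversary(A):
    # B from the proof of Theorem 1: forward the challenge to A, then map A's
    # plaintext guess back to a bit. None means "no match, guess at random".
    def B(m0, m1, c):
        guess = A(c)
        if guess == m0 and guess != m1:
            return 0
        if guess == m1 and guess != m0:
            return 1
        return None
    return B

def indg_win_probability(B):
    # Pr[Exp^{IND-G}(B) = 1] with m0, m1, b and K uniform; a coin flip scores 1/2.
    score, cases = Fraction(0), 0
    for m0, m1, b, k in product(MSGS, MSGS, (0, 1), KEYS):
        guess = B(m0, m1, enc(k, (m0, m1)[b]))
        score += Fraction(1, 2) if guess is None else int(guess == b)
        cases += 1
    return score / cases

def notes_formula(adv_ow):
    # The advantage expression from the proof: Adv^OW(A) + (1/2)(1 - Adv^OW(A)).
    return adv_ow + Fraction(1, 2) * (1 - adv_ow)

if __name__ == "__main__":
    p = ow_advantage(ow_adversary)
    B = build_indg_adversary(ow_adversary)
    print("Adv^OW(A)            =", p)                        # 1/4
    print("Pr[Exp^IND-G(B) = 1] =", indg_win_probability(B))  # 19/32
    print("formula from the proof =", notes_formula(p))       # 5/8
```

The exact win probability (19/32) sits slightly below the proof's 1/2 + Adv^OW(A)/2 = 5/8 because a wrong guess by A can coincide with the other challenge message and the two random messages can collide; both effects are of order 1/|M| and vanish for realistic message spaces.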

Adaptive chosen plaintext attack (CPA). This attack assumes that the attacker has access to an encryption oracle and can choose an arbitrary number of plaintexts to be encrypted, obtaining the corresponding ciphertexts. The adversary's strategy is to try to derive partial information by querying the encryption oracle based on the information gained from the preceding encryptions. This is a very important model in the case of public key cryptography.

Chosen ciphertext attack (CCA). Contrary to the previous model, the adversary in this attack has access to a decryption oracle and chooses an arbitrary number of ciphertexts, obtaining the corresponding plaintexts.

Adaptive chosen ciphertext attack (CCA2). This attack is a more interactive version of the previous one, in that the adversary tries to gain partial information by making queries to the decryption oracle based on the results of previous decryptions.

Indistinguishability under chosen-plaintext attack (IND-CPA). A cryptosystem is said to achieve indistinguishability under chosen plaintext attack if a PPT adversary that first queries the encryption oracle a reasonable number of times and then chooses two plaintexts for the challenger to encrypt has only a negligible advantage over random guessing in distinguishing which plaintext belongs to which ciphertext.

Indistinguishability under chosen-ciphertext attack (IND-CCA). A cryptosystem is said to achieve indistinguishability under chosen ciphertext attack if a PPT adversary that first queries the decryption oracle a reasonable number of times and then chooses two plaintexts for the challenger to encrypt has only a negligible advantage over random guessing in distinguishing which ciphertext belongs to which plaintext.

Indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2). A cryptosystem is said to achieve indistinguishability under adaptive chosen ciphertext attack if a PPT adversary that first queries the decryption oracle a reasonable number of times, chooses two plaintext
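The decryption-oracle models above (CCA2 and IND-CCA2), as an added worked example that is not from the lecture notes: a constructed malleable toy cipher (plain XOR with the key) is run through the IND-CCA2 experiment with a decryption oracle. The oracle applies the standard rule, not spelled out in the notes, that it refuses to decrypt the challenge ciphertext itself; the adaptive adversary still recovers the bit because it can decrypt a ciphertext related to the challenge, which is the definitional reason CCA2 security requires non-malleable constructions. The cipher, message space and the two adversaries are my assumptions.

```python
from fractions import Fraction

# Toy parameters (assumed for illustration): 4-bit messages and keys.
M_BITS = 4
KEYS = range(1 << M_BITS)

def enc(k, m):
    # Constructed malleable cipher: flipping a ciphertext bit flips the same plaintext bit.
    return m ^ k

def dec(k, c):
    return c ^ k

class DecryptionOracle:
    # The decryption oracle of Definition 2. In the IND-CCA2 experiment it refuses
    # the challenge ciphertext itself; any other ciphertext is decrypted.
    def __init__(self, key):
        self._key = key
        self.challenge = None
    def decrypt(self, c):
        if c == self.challenge:
            raise ValueError("decryption of the challenge ciphertext is not allowed")
        return dec(self._key, c)

def cca2_adversary(oracle, m0, m1, c):
    # Adaptive query made after seeing the challenge: decrypt a related ciphertext
    # (the challenge with its lowest bit flipped) and undo the flip on the plaintext.
    m_related = oracle.decrypt(c ^ 1)
    recovered = m_related ^ 1
    return 0 if recovered == m0 else 1

def naive_adversary(oracle, m0, m1, c):
    # Asking for the challenge itself is rejected, so this adversary can only guess.
    try:
        return 0 if oracle.decrypt(c) == m0 else 1
    except ValueError:
        return 0

def ind_cca2_win_probability(adversary, m0=5, m1=10):
    # Exact Pr[adversary outputs b] over uniform key and uniform b, by enumeration.
    wins = 0
    for k in KEYS:
        for b in (0, 1):
            oracle = DecryptionOracle(k)
            c = enc(k, (m0, m1)[b])
            oracle.challenge = c
            wins += adversary(oracle, m0, m1, c) == b
    return Fraction(wins, 2 * len(KEYS))
```
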