Lecture 3.4: Public Key Cryptography IV

Similar documents
If DDH is secure then ElGamal is also secure w.r.t IND-CPA

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Lecture 8: Privacy and Anonymity Using Anonymizing Networks. CS 336/536: Computer Network Security Fall Nitesh Saxena

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Digital Signature. Raj Jain

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Public Key Algorithms

Cryptography and Network Security. Sixth Edition by William Stallings

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Lecture 3: Cryptography II. Course Administration

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Other Topics in Cryptography. Truong Tuan Anh

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS408 Cryptography & Internet Security

CSC 5930/9010 Modern Cryptography: Digital Signatures

CSC 474/574 Information Systems Security

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Public-Key Cryptography

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Introduction to Cryptography Lecture 7

Symmetric Encryption 2: Integrity

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Introduction to Public-Key Cryptography

Introduction to Cryptography Lecture 10

Cryptography. Andreas Hülsing. 6 September 2016

Introduction to Cryptography Lecture 7

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Security of Cryptosystems

Lecture 15: Public Key Encryption: I

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Cryptography. Lecture 12. Arpita Patra

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

CS 161 Computer Security

Lecture 10, Zero Knowledge Proofs, Secure Computation

Part VI. Public-key cryptography

Chapter 9 Public Key Cryptography. WANG YANG

RSA. Public Key CryptoSystem

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

CS 161 Computer Security

Public-Key Cryptanalysis

Overview of Cryptography

Lecture III : Communication Security Mechanisms

CS 161 Computer Security

Lecture 6 - Cryptography

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

CPSC 467: Cryptography and Computer Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Advanced Cryptography 1st Semester Symmetric Encryption

Applied Cryptography and Computer Security CSE 664 Spring 2018

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Cryptography: More Primitives

Lecture 9: Public-Key Cryptography CS /05/2018

Securely Combining Public-Key Cryptosystems

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Public Key Cryptography, OpenPGP, and Enigmail. 31/5/ Geek Girls Carrffots GVA

Cryptography and Network Security Chapter 13. Fourth Edition by William Stallings. Lecture slides by Lawrie Brown

Making Use of the Subliminal Channel in DSA

Key Escrow free Identity-based Cryptosystem

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Authenticated encryption

INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

Digital Signatures 1

Public Key (asymmetric) Cryptography

Lecture 2 Applied Cryptography (Part 2)

Public key encryption: definitions and security

Grenzen der Kryptographie

Asymmetric Primitives. (public key encryptions and digital signatures)

Cryptography. Lecture 03

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Computer Security CS 526

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Reminder: Homework 4. Due: Friday at the beginning of class

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Lecture 8 - Message Authentication Codes

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Secure Multiparty Computation

Chapter 7 Public Key Cryptography and Digital Signatures

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

CS 6903: Modern Cryptography Spring 2011

Transcription:

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena

Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon We are starting to grade it today

Outline of Today s Lecture Discrete Logarithm System El Gamal Encryption Digital Signatures

Discrete Logarithm Assumption Work with a cyclic group G with generator g Let G = m G = {g 0, g 1, g 2,,g m-1 } Given any y = g x in G (where x belongs to Z m ), g and and m, it is not possible to compute x This is known as the DL assumption Of course, x should be fairly large at least 160-bits in length This suggests that one can possibly use x as the secret key, and y (and other parameters) as the public key

El Gamal Encryption --KeyGen p, q primes such that q p-1 g is an element of order q and generates a group G q of order q g = g (p-1)/q (were g is the generator of Z p *) x in Z q, y = g x mod p DL assumption --given (p, q, g, y), it is computationally hard to compute x No polynomial time algorithm known p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key

ElGamal Encryption/Decryption Encryption (of m in G q ): Choose random r in Z q k = g r mod p c = my r mod p Output (k,c) Decryption of (k,c) M = ck -x mod p Secure under (a variant of) the discrete logarithm assumption

ElGamal Example: dummy Let s construct an example KeyGen: p = 11, q = 2 or 5; let s say q = 5 g = 2 is a generator of Z 11 * g = 2 2 = 4 x = 2; y = 4 2 mod 11 = 5 Enc(3): r = 4 k = 4 4 mod 11 = 3 c = 3*5 4 mod 11 = 5 Dec(3,5): m = 5*3-2 mod 11 = 3

El Gamal Security Secure against CPA attacks assuming that discrete logarithm is hard Not secure against CCA attacks; why? It is possible to massage the ciphertextin a meaningful way Given a ciphertext(k, c), compute k = kg r andc = cy r (r is picked by the adversary) Query the decryption oracle on (k,c ); it decrypts and returns the response --m

CCA Security Like in the case of symmetric key encryption, we can derive CCA secure encryption using CPA secure encryption Just prevent any massaging of the ciphertext Integrity protection mechanism is needed But, now a public-key based mechanism is needed Digital signatures -- next

Digital Signatures Message Integrity Detect if message is tampered with while in the transit Source/Sender Authentication No forgery possible Non-repudiation If I sign something, I can not deny later A trusted third party (court) can resolve dispute Many applications signed email, e-contracts, e-transactions

Public Key Signatures Signer has public key, private key pair Signer signs using its private key Verifier verifies using public key of the signer

Security Notion/Model for Signatures Existential Forgery under (adaptively) chosen message attack (CMA) Adversary (adaptively) chooses messages m i of its choice Obtains the signature s i on each m i Outputs any message m ( mi) and a signature s on m

RSA Signatures Key Generation: same as in encryption Sign(m): s = m d mod N Verify(m,s): (s e == m mod N) The above text-book version is insecure In practice, we use a randomized version of RSA (implemented in PKCS#1) Hash the message and then sign the hash

Digital Signature Standard (DSS) Adopted as standard in 1994 Security based on hardness of the discrete logarithm problem

DSS KeyGen; Signing; Verification KeyGen: the same way as El Gamal p, q primes such that q p-1 g is an element of order q and generates a group G q of order q g = g (p-1)/q (were g is the generator of Z p *) x in Z q, y = g x mod p Sign: Pick random r from Z* q k = (g r mod p) mod q; c = (m + xk)r -1 mod q Output (k,c) and also the message m Verify: k c == g m.y k mod p

DSS Example Refer to 11.57 of HAC

Some Questions I encrypt m with Alice s ElGamalPK, I get c I encrypt m again, I get --? What does this mean? Is RSA-OAEP IND-CCA? Is El GamalIND-CCA?

Further Reading Stalling Chapter 10 HAC Chapter 8 and Chapter 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback