Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Similar documents
Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Authenticated encryption

Chapter 11 : Private-Key Encryption

Lecture 15: Public Key Encryption: I

Security of Cryptosystems

A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model

CS408 Cryptography & Internet Security

Lecture 3.4: Public Key Cryptography IV

IND-CCA2 secure cryptosystems, Dan Bogdanov

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Cryptography. Andreas Hülsing. 6 September 2016

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Public-Key Encryption

Applied Cryptography and Computer Security CSE 664 Spring 2018

Homomorphic Encryption

Computer Security CS 526

Lecture 9: Public-Key Cryptography CS /05/2018

Defining Encryption. Lecture 2. Simulation & Indistinguishability

Block ciphers, stream ciphers

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Practical Attacks on Implementations

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Public key encryption: definitions and security

Message Authentication ( 消息认证 )

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

1 Achieving IND-CPA security

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

On Symmetric Encryption with Distinguishable Decryption Failures

Brief Introduction to Provable Security

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Information Security

Stateful Key Encapsulation Mechanism

Network Security Technology Project

Public-Key Cryptography

Encrypted Data Deduplication in Cloud Storage

Chapter 9 Public Key Cryptography. WANG YANG

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Definitions and Notations

Information Security CS526

Private-Key Encryption

Lecture 18 - Chosen Ciphertext Security

Chosen-Ciphertext Security (II)

Introduction to Public-Key Cryptography

Introduction to Cryptography. Lecture 3

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

On the Security of a Certificateless Public-Key Encryption

Introduction to Cryptography. Lecture 3

Introduction to Cryptography Lecture 7

Strong Privacy for RFID Systems from Plaintext-Aware Encryption

Homework 3: Solution

Katz, Lindell Introduction to Modern Cryptrography

Cryptology complementary. Symmetric modes of operation

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS

If DDH is secure then ElGamal is also secure w.r.t IND-CPA

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

10 Chosen Ciphertext Attacks

Introduction to Cryptography Lecture 7

OAEP 3-Round A Generic and Secure Asymmetric Encryption Padding. Asiacrypt '04 Jeju Island - Korea

From semantic security to chosen ciphertext security

CRYPTOGRAPHY KNOWLEDGE AREA (DRAFT FOR COMMENT) EDITOR: George Danezis University College London

Bob k. Alice. CS 558 Lecture Deck(c) = c k. Continuation of Encryption

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Concrete Security of Symmetric-Key Encryption

Cryptographic protocols

SHE AND FHE. Hammad Mushtaq ENEE759L March 10, 2014

Proofs for Key Establishment Protocols

Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017

RSA. Public Key CryptoSystem

Lecture 07: Private-key Encryption. Private-key Encryption

Notion Of Security. February 18, 2009

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

: Practical Cryptographic Systems March 25, Midterm

ISA 562: Information Security, Theory and Practice. Lecture 1

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Inter-domain Identity-based Proxy Re-encryption

Deniable Cloud Storage: Sharing Files via Public-key Deniability

MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu

The Exact Security of a Stateful IBE and New Compact Stateful PKE Schemes

Secure Multiparty Computation

MTAT Graduate Seminar in Cryptography Duality Between Encryption and Commitments

Workshop Challenges Startup code in PyCharm Projects

Code-Based Cryptography McEliece Cryptosystem

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Security Weaknesses of an Anonymous Attribute Based Encryption appeared in ASIACCS 13

Solutions to exam in Cryptography December 17, 2013

Transcription:

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey, Santanu Sarkar and Mahavir Prasad Jhanwar CR Rao AIMSCS Hyderabad November 2, 2012

Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA 2 Bleichenbacher s attack on PKCS#1 3 Generic Constructions

Definition: Encryption Scheme KG(1 λ ): A probabilistic polynomial time algorithm which takes security parameter 1 λ as input and outputs a public-private key pair (PK, SK). ENC(m, PK): A probabilistic polynomial time algorithm which takes a message m and public key PK as input and returns ciphertext C. DEC(C, SK, PK): A deterministic polynomial time algorithm which takes ciphertext C, secret key SK and public key PK as input and returns a message m if C is a valid ciphertext else.

Definition: Encryption Scheme KG(1 λ ): A probabilistic polynomial time algorithm which takes security parameter 1 λ as input and outputs a public-private key pair (PK, SK). ENC(m, PK): A probabilistic polynomial time algorithm which takes a message m and public key PK as input and returns ciphertext C. DEC(C, SK, PK): A deterministic polynomial time algorithm which takes ciphertext C, secret key SK and public key PK as input and returns a message m if C is a valid ciphertext else. For consistency, it is required that for all (PK, SK) KG(1 λ ) and all messages m, m = DEC(ENC(m, PK), SK, PK).

Definition: IND-CPA An encryption scheme S ENC is said to be IND-CPA (indistinguishable against chosen plaintext attack) secure if no probabilistic polynomial time algorithm A = (A 1, A 2 ) has a non-negligible advantage in the following game:

Definition: IND-CPA An encryption scheme S ENC is said to be IND-CPA (indistinguishable against chosen plaintext attack) secure if no probabilistic polynomial time algorithm A = (A 1, A 2 ) has a non-negligible advantage in the following game: Game IND CPA S ENC,A (PK, SK) KG(1 λ ) (m 0, m 1, st) A 1 (PK) b R {0, 1} y ENC(m b, PK) b A 2 (y, PK, st) The advantage of A is defined as Adv(A) = Pr(b = b ) 1 2

Definition: IND-CCA An encryption scheme S ENC is said to be IND-CCA (indistinguishable against chosen ciphertext attack) secure if no probabilistic polynomial time algorithm A = (A 1, A 2 ) has a non-negligible advantage in the following game:

Definition: IND-CCA An encryption scheme S ENC is said to be IND-CCA (indistinguishable against chosen ciphertext attack) secure if no probabilistic polynomial time algorithm A = (A 1, A 2 ) has a non-negligible advantage in the following game: DecryptionOracle(O): Given a ciphertext C, except the challenge ciphertext, the oracle returns m DEC(C, SK, PK). Game IND CCA S ENC,A (PK, SK) KG(1 λ ) (m 0, m 1, st) A O 1 (PK) b R {0, 1} y ENC(m b, PK) b A O 2 (y, PK, st) The advantage of A is defined as Adv(A) = Pr(b = b ) 1 2

Definition: IND-CCVA An encryption scheme S ENC is said to be IND-CCVA (indistinguishable against chosen ciphertext verification attack) secure if no probabilistic polynomial time algorithm A = (A 1, A 2 ) has a non-negligible advantage in the following game:

Definition: IND-CCVA An encryption scheme S ENC is said to be IND-CCVA (indistinguishable against chosen ciphertext verification attack) secure if no probabilistic polynomial time algorithm A = (A 1, A 2 ) has a non-negligible advantage in the following game: ChosenCiphertextVerificationOracle(O): Given a ciphertext C, the oracle returns 1 if C is valid else returns 0. Game IND CCVA S ENC,A (PK, SK) KG(1 λ ) (m 0, m 1, st) A O 1 (PK) b R {0, 1} y ENC(m b, PK) b A O 2 (y, PK, st) The advantage of A is defined as Adv(A) = Pr(b = b ) 1 2

Trivial Conclusions 1 IND-CCVA secure encryption schemes are IND-CPA secure also. IND-CCVA IND-CPA 2 IND-CCA secure encryption schemes are IND-CCVA secure also. IND-CCA IND-CCVA

Does CCVA make sense?

PKCS#1 KG(1 λ ): Choose primes p, q (4k bit each) and compute n = pq (n is k byte number). Choose e, d, such that ed 1 (mod φ(n)). The public key, PK, is (n, e) and the secret key, SK, is (p, q, d). ENC(m, PK): A data block D, consisting of D bytes, is encrypted as follows: First, a padding string PS, consisting of k 3 D nonzero bytes, is generated pseudo-randomly (the byte length of PS is atleast 8). Now, the encryption block EB = 00 02 PS 00 D is formed, is converted into an integer x, and is encrypted with RSA, giving the ciphertext c = x e (mod n).

PKCS#1 DEC(c, SK, PK) A Ciphertext c is decrypted as follows: Compute x = c d (mod n). Converts x into an encryption block EB. Check, if the encryption block is PKCS conforming ( An encryption block EB consisting of k bytes, EB = EB 1... EB k, is called PKCS conforming, if it satisfies the following conditions: EB 1 = 00, EB 2 = 02, EB 3 through EB 10 are nonzero and at least one of the bytes EB 11 through EB k is 00). If the encryption block is PKCS conforming, then output the data block; otherwise an error sign.

Bleichenbacher s Attack on PKCS#1 Bleichenbacher s attack assumes that the adversary has access to an oracle that, for every ciphertext, returns whether the corresponding plaintext is PKCS conforming. If the plaintext is not PKCS conforming, the oracle outputs an error sign. Given just these error signs, because of specific properties of PKCS #1, Bleichenbacher showed how a very clever program can decrypt a target ciphertext (the oracle answer will reveal the first two bytes of the corresponding plaintext of the chosen ciphertext).

Bleichenbacher s Attack on PKCS#1 Bleichenbacher s attack assumes that the adversary has access to an oracle that, for every ciphertext, returns whether the corresponding plaintext is PKCS conforming. If the plaintext is not PKCS conforming, the oracle outputs an error sign. Given just these error signs, because of specific properties of PKCS #1, Bleichenbacher showed how a very clever program can decrypt a target ciphertext (the oracle answer will reveal the first two bytes of the corresponding plaintext of the chosen ciphertext). D. Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In Proc. Crypto 98, pages 1-12, 1998.

CCVA makes sense.

CCVA makes sense. Questions 1 Does there exist any encryption scheme which is IND-CCVA secure but not IND-CCA secure? 2 Does there exist any encryption scheme which is IND-CPA secure but not IND-CCVA secure?

Generic Constructions

IND-CCVA secure but not IND-CCA secure Let be a public key encryption scheme with K as key space, M as message space, and C as ciphertext space. In general, we have k K Enc(M) C.

IND-CCVA secure but not IND-CCA secure Let be a public key encryption scheme with K as key space, M as message space, and C as ciphertext space. In general, we have k K Enc(M) C. If is IND-CPA secure but not IND-CCA secure, and k K Enc(M) = C

IND-CCVA secure but not IND-CCA secure Let be a public key encryption scheme with K as key space, M as message space, and C as ciphertext space. In general, we have If k K Enc(M) C. is IND-CPA secure but not IND-CCA secure, and k K Enc(M) = C then, There exists an IND-CCVA secure encryption scheme but not IND-CCA secure.

IND-CCVA secure but not IND-CCA secure (2) Let is IND-CPA secure but not IND-CCA secure, and k K Enc(M) = C

IND-CCVA secure but not IND-CCA secure (2) Let is IND-CPA secure but not IND-CCA secure, and k K Enc(M) = C Ê = (KeyGenÊ, ENCÊ, DECÊ) based on KeyGenÊ: Same as KeyGen. ENCÊ: Encryption of a message m under a public key PK is given as ĉ = 1 c, where c = ENC(m, PK). DECÊ: DECÊ(ĉ, SK, PK) = DEC(c, SK, PK) if ĉ = 1 c, otherwise return.

IND-CCVA secure but not IND-CCA secure (2) Let is IND-CPA secure but not IND-CCA secure, and k K Enc(M) = C Ê = (KeyGenÊ, ENCÊ, DECÊ) based on KeyGenÊ: Same as KeyGen. ENCÊ: Encryption of a message m under a public key PK is given as ĉ = 1 c, where c = ENC(m, PK). DECÊ: DECÊ(ĉ, SK, PK) = DEC(c, SK, PK) if ĉ = 1 c, otherwise return. Ê is IND-CPA secure but not IND-CCA secure, and k K Enc(M) C

IND-CCVA secure but not IND-CCA secure (2) It is easy to check that Ê is IND-CPA secure but not IND-CCA secure with the added property that every ciphertext need not be valid. Since it is trivial to distinguish valid ciphertexts from invalid ciphertexts (by just looking at the most significant bit), CCVA oracle does not give any extra advantage to the adversary and thus Ê is IND-CCVA secure.

IND-CPA secure but not IND-CCVA secure Let E CPA be a public key encryption scheme described by the key generation algorithm KeyGen CPA, encryption algorithm ENC CPA and decryption algorithm DEC CPA. Now define a new public key encryption E as follows

IND-CPA secure but not IND-CCVA secure Let E CPA be a public key encryption scheme described by the key generation algorithm KeyGen CPA, encryption algorithm ENC CPA and decryption algorithm DEC CPA. Now define a new public key encryption E as follows KeyGen: Same as KeyGen CPA. Enc: Encryption of a message m under a public key PK is given as c = c 1 c 2 = ENC CPA (m, PK) ENC CPA (m, PK)

IND-CPA secure but not IND-CCVA secure Dec: Decryption of a ciphertext c = c 1 c 2 with the corresponding secret key SK will proceed as follows: m 1 DEC CPA(c 1, SK, PK) m 2 DEC CPA(c 2, SK, PK) If m 1 = m 2, return m 1, else return

IND-CPA secure but not IND-CCVA secure Attack b R {0, 1} C b = c b 1 cb 2 = ENC CPA(m b, PK) ENC CPA (m b, PK)

IND-CPA secure but not IND-CCVA secure Attack b R {0, 1} C b = c b 1 cb 2 = ENC CPA(m b, PK) ENC CPA (m b, PK) b R {0, 1} C b = c1 b cb 2 = ENC CPA(m b, PK) ENC CPA (m b, PK)

IND-CPA secure but not IND-CCVA secure Attack b R {0, 1} C b = c b 1 cb 2 = ENC CPA(m b, PK) ENC CPA (m b, PK) b R {0, 1} C b = c1 b cb 2 = ENC CPA(m b, PK) ENC CPA (m b, PK) if chosen ciphertext verification oracle returns 1, b = b, else b b

IND-CCA1 secure but not IND-CCVA secure Let E CCA1 be a public key encryption scheme described by the key generation algorithm KeyGen CCA1, encryption algorithm ENC CCA1 and decryption algorithm DEC CCA1. Now define a new public key encryption E as follows KeyGen: Same as KeyGen CCA1. Enc: Encryption of a message m under a public key PK is given as c = c 1 c 2 = ENC CCA1 (m, PK) ENC CCA1 (m, PK)

IND-CCA1 secure but not IND-CCVA secure Dec: Decryption of a ciphertext c = c 1 c 2 with the corresponding secret key SK will proceed as follows: m 1 DEC CCA1(c 1, SK, PK) m 2 DEC CCA1(c 2, SK, PK) If m 1 = m 2, return m 1, else return

IND-CCA1 secure but not IND-CCVA secure Attack b R {0, 1} C b = c b 1 cb 2 = ENC CCA1(m b, PK) ENC CCA1 (m b, PK)

IND-CCA1 secure but not IND-CCVA secure Attack b R {0, 1} C b = c b 1 cb 2 = ENC CCA1(m b, PK) ENC CCA1 (m b, PK) b R {0, 1} C b = c1 b cb 2 = ENC CCA1(m b, PK) ENC CCA1 (m b, PK)

IND-CCA1 secure but not IND-CCVA secure Attack b R {0, 1} C b = c b 1 cb 2 = ENC CCA1(m b, PK) ENC CCA1 (m b, PK) b R {0, 1} C b = c1 b cb 2 = ENC CCA1(m b, PK) ENC CCA1 (m b, PK) if chosen ciphertext verification oracle returns 1, b = b, else b b There exists an IND-CCA1 secure encryption scheme but not IND-CCVA secure.

Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback