COM S 687 Introduction to Cryptography October 19, 2006

Similar documents
Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

1 Message Authentication

1 Construction of CCA-secure encryption

Lecture 15 - Digital Signatures

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Lecture 3: One-Way Encryption, RSA Example

Introduction. Digital Signature

1 Signatures vs. MACs

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Digital Signatures. Prof. Zeph Grunschlag

Computational Soundness of Symbolic Security and Implicit Complexity

Talk announcement please consider attending!

Authenticated encryption

Lecture 9 - Message Authentication Codes

Lecture 5 - CPA security, Pseudorandom functions

Victor Shoup Avi Rubin. Abstract

Overview of Public-Key Cryptography

CIS 5371 Cryptography. 8. Encryption --

Message Authentication Code

The application of prime numbers to RSA encryption

CryptoVerif Tutorial

Lecture 11: The Goldreich-Levin Theorem

MAC. SKE in Practice. Lecture 5

MACs Message authentication and integrity. Table of contents

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Message Authentication Codes 133

Public Key Cryptography: RSA and Lots of Number Theory

Authentication and Encryption: How to order them? Motivation

Cryptography. Jonathan Katz, University of Maryland, College Park, MD

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Digital Signatures. What are Signature Schemes?

New Efficient Searchable Encryption Schemes from Bilinear Pairings

Post-Quantum Cryptography #4

Lecture 2: Complexity Theory Review and Interactive Proofs

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Non-interactive and Reusable Non-malleable Commitment Schemes

RSA Encryption. Tom Davis October 10, 2003

Lecture 2: Universality

Proofs in Cryptography

Yale University Department of Computer Science

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Chosen-Ciphertext Security from Identity-Based Encryption

Advanced Cryptography

a Course in Cryptography

Introduction to Cryptography CS 355

Cryptography. Lecture Notes from CS276, Spring Luca Trevisan Stanford University

DIGITAL SIGNATURES 1/1

Lecture 13: Message Authentication Codes

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

Department Informatik. Privacy-Preserving Forensics. Technical Reports / ISSN Frederik Armknecht, Andreas Dewald

Lecture 17: Re-encryption

RSA and Primality Testing

Lecture 13: Factoring Integers

Chosen-Ciphertext Security from Identity-Based Encryption

1. The RSA algorithm In this chapter, we ll learn how the RSA algorithm works.

Cryptography and Network Security Chapter 9

Thinking of a (block) cipher as a permutation (depending on the key) on strings of a certain size, we would not want such a permutation to have many

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Keywords: Authentication, Third party audit, cloud storage, cloud service provider, Access control.

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Key Agreement from Close Secrets over Unsecured Channels Winter 2010

Identity-Based Encryption from the Weil Pairing

A Probabilistic Quantum Key Transfer Protocol

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Certificate Based Signature Schemes without Pairings or Random Oracles

How To Understand And Understand The History Of Cryptography

Solutions for Practice problems on proofs

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 10

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

A Proposal for an ISO Standard for Public Key Encryption (version 2.1)

Lecture 25: Pairing-Based Cryptography

Provable-Security Analysis of Authenticated Encryption in Kerberos

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Chapter 12. Digital signatures Digital signature schemes

Digital signatures. Informal properties

CS 758: Cryptography / Network Security

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Cryptography and Network Security, PART IV: Reviews, Patches, and Theory 1 / 53

CRYPTOGRAPHY IN NETWORK SECURITY

Computational Complexity: A Modern Approach

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud

Transcription:

COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: Non-Malleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 Non-Malleability Until this point we have discussed encryptions that prevent a passive attacker from discovering any information about messages that are sent. In some situations, however, we may want to prevent an attacker from creating a new message from a given encryption. Consider an auction for example. Suppose the Bidder Bob is trying to send a message containing his bid to the Auctioneer Alice. Private key encryption could prevent an attacker Eve from knowing what Bob bids, but if she could construct a message that contained one more than Bob s bid, then she could win the auction. We say that an encryption scheme that prevents these kinds of attacks is non-malleable. Informally, if a scheme is non-malleable, then it is impossible to output an encrypted message containing any function of a given encrypted message. Formally, we have the following definition: Definition 1 (Non-Malleability) Let (Gen, Enc, Dec) be an encryption scheme. Let NM(m, A) be the output of the following experiment: 1. k Gen(1 m ) 2. c Enc k (m) 3. c 1, c 2, c 3,..., c l A(c, 1 m ) 4. m i if c i = c and Dec k (c i ) otherwise 5. output (m 1, m 2,...,m l ) Then (Gen, Enc, Dec) is non-malleable if for every non-uniform PPT A, and for every non-uniform PPT D, there exists a negligible ǫ such that for all m 0, m 1 {0, 1} n, Pr [D(NM(m 0, A)) = 1] Pr [D(NM(m 1, A)) = 1] ǫ(n) One non-trivial aspect of this definition is the conversion to of queries that have already been made (step 4). Clearly without this, the definition would be trivially unsatisfiable, because the attacker could simply forge the encryptions that they have already seen by replaying them. 16-1

1.1 Relation Based Non-Malleability We chose this definition because it mirrors our definition of secrecy in a satisfying way. However, an earlier and arguably more natural definition can be given by formalizing the intuitive notion that the attacker cannot output an encryption of a message that is related to a given message. For example, we might consider the relation R next (x) = {x + 1}, or the relation R within-one (x) = {x 1, x, x + 1}. We want to ensure that the encryption of x doesn t help the attacker encrypt an element of R(x). Formally: Definition 2 (Relation Based Non-Malleability) We say that an encryption scheme (Gen, Enc, Dec) is relation based non-malleable if for every PPT adversary A there exists a PPT simulator S such that for all PPT-recognizable relations R, there exists a negligible ǫ such that for all m M with m = n, and for all z, it holds that Pr[NM(A(z), m) R(m)] Pr[k Gen(1 n ); c S(1 n, z); m = Dec k (c) : m R(m)] where i ranges from 1 to a polynomial of n and NM is defined as above. This definition is equivalent to the non-relational definition given above. < ǫ Theorem 1 (Enc, Dec, Gen) is a non-malleable encryption scheme if and only if it is a relation-based non-malleable encryption scheme. Proof. ( ) Assume that the scheme is non-malleable by the first definition. For any given adversary A, we need to produce a simulator S that hits any given relation R as often as A does. Let S be the machine that performs the first 3 steps of NM(A(z), m ) and outputs the sequence of cyphertexts, and let D be the distinguisher for the relation R. Then Pr[NM(A(z), m) R(m)] Pr[k Gen(1 n ); c S(1 n, z); m = Dec k (c) : m R(m)] = Pr[D(NM(A(z), m))] Pr[D(NM(A(z), m ))] ǫ as required. ( ) Now, assume that the scheme is relation-based non-malleable. Given an adversary A, we know there exists a simulator S that outputs related encryptions as well as A does. The relation-based definition tells us that NM(A(z), m 0 ) Dec(S()) and Dec(S()) NM(A(z), m 1 ). Thus, by the polynomial jump lemma, NM(A(z), m 0 ) NM(A(z), m 1 ) which is the first definition of non-malleability. 16-2

1.2 Non-Malleability and Secrecy Note that non-malleability is a distinct concept from secrecy. For example, one-time pad is perfectly secret, yet is not non-malleable (since one can easily produce the encryption of a b give then encryption of a, for example). However, if we consider CCA2 attacks, then the two definitions coincide. Theorem 2 An encryption scheme Σ = (Enc, Dec, Gen) is CCA2 secret if and only if it is CCA2 non-malleable Proof sketch. If Σ is not CCA2 non-malleable, then a CCA2 attacker can break secrecy by changing the provided encryption into a related encryption, using the decryption oracle on the related message, and then distinguishing the unencrypted related messages. Similarly, if Σ is not CCA2 secret, then a CCA2 attacker can break non-malleability by simply decrypting the cyphertext, applying a function, and then re-encrypting the modified message. 2 Public Key Encryption Thus far we have considered private key encryption schemes where the encrypter and the decrypter share a common secret. This means that they are forced to meet in advance and agree on a secret. Ideally, we would like to drop this requirement. At first blush this seems impossible. Certainly the decryptor needs a key or else there is nothing preventing an attacker from doing the same thing that the decryptor does. Moreover, the encryptor needs the key because otherwise the key cannot help to decrypt the cyphertext. The flaw in this argument is that there is no need for the encrypter and the decryptor to have the same key, and in fact this is how public key cryptography works. We split the key into a secret decryption key S k and a public encryption key P k. The public key is published in a secure repository, where anyone can use it to encrypt messages. The private key is kept by the recipient, so that only she can decrypt. We define a public key encryption scheme as follows: Definition 3 (public key encryption scheme) A triple (Gen, Enc, Dec) is a public key encryption scheme over a message space M if 1. Gen is a PPT that outputs a pair P k, S k 2. Enc is a PPT that given P k and m produces a cyphertext c 16-3

3. Dec is a PPT that given c and S k produces a message m 4. For all m M and for all p k, s k Gen(1 k ), Dec Sk (Enc Pk (m)) = m Definition 4 (Secure PK Encryption) We say that a public key encryption scheme is secure if for every non-uniform PPT A, there exists a negligible ǫ such that for all messages m 0 and m 1 with m 0 = m 1, it holds that Pr[P k, S k Gen(1 n ) : A(P k, Enc Pk (m 0 )) = 1] Pr[P k, S k Gen(1 n ) : A(P k, Enc Pk (m 1 )) = 1] ǫ These definitions can be extended in a straightforward manner to get appropriate definitions for CPA security, as well as CCA1 and CCA2 security. Since the public key is available to the attacker, CPA security comes almost for free, but CCA1 and CCA2 secure schemes are much harder to come by. With these definitions, there are some immediate impossibility results: perfect secrecy it is clearly impossible to do perfect public-key secrecy, since an unbounded adversary could simply encrypt every message with every random string and lookup the cyphertext deterministic encryption it is impossible to have a deterministic encryption algorithm, because with a deterministic encryption algorithm, the encrypt and compare strategy easily distinguishes between messages. In addition, it is a straightforward excercise to show that single-message security implies many-message security. 2.1 Constructing a PK encryption system Trapdoor permutations seem to fit the requirements for a public key cryptosystem. We could let the public key be the index i of the function to apply, and the private key be the trapdoor t. Then we might consider Enc(m, i) = f i (m), and Dec(c, i, t) = fi 1 (c). This makes it easy to encrypt, and easy to decrypt with the public key, and hard to decrypt without. Using the RSA function defined in lecture 7, this construction yields the commonly used RSA cryptosystem. However, according to our definition, this construction does not yield a secure encryption scheme. In particular, it is deterministic, so it is subject to comparison attacks. A better scheme (for single-bit messages) is to let Enc(x, i) = {r {0, 1} n : f i (r), b(r) m } 16-4

where b is a hardcore bit for f. This scheme is secure, because distinguishing encryptions of 0 and 1 is essentially the same as recognizing the hardcore bit of a OWP, which we have argued is infeasible. 16-5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information