Cryptography Lecture 25 Public-key encryption - PowerPoint Presentation

Presentation on theme: "Cryptography Lecture 25 Public-key encryption"— Presentation transcript

Slide1

Cryptography

Lecture 25Slide2

Public-key encryption

pk

,

sk

pk

c



Encpk(m)

m = Decsk(c)

c

pk

pkSlide3

Public-key encryption

A public-key encryption scheme is composed of three PPT algorithms:

Gen:

key-generation algorithm that on input 1n outputs pk,

skEnc: encryption algorithm that on input pk and a message m outputs a ciphertext c

Dec: decryption algorithm that on input sk and a ciphertext c outputs a message m or an error

3

For all

m and pk, sk output by Gen,

Decsk(Encpk(m)) = m

Slide4

CPA-security

Fix a public-key encryption scheme

 and an adversary A

Define experiment PubK-CPAA,

(n):Run Gen(1n) to get keys pk

, skGive pk to A, who outputs (m

0, m1) of same length

Choose uniform b  {0,1} and compute the ciphertext c  Encpk

(mb); give c to AA outputs a guess b’, and the experiment evaluates to 1 if b’=b4Slide5

CPA-security

Public-key encryption scheme

 is

CPA-secure if for all PPT adversaries A: Pr

[PubK-CPAA, (n

) = 1] ≤ ½ + negl(n)

5Slide6

Notes on the definition

No encryption oracle?!

Encryption oracle redundant in public-key setting

 No perfectly secret public-key encryption

No deterministic public-key encryption scheme can be CPA-secure CPA-security implies security for encrypting multiple messages as in the private-key case

6Slide7

Chosen-ciphertext

attacks

pk

,

sk

pk

c

 Enc

pk(m)c

c

’

m

’Slide8

Chosen-ciphertext attacks

Chosen-

ciphertext

attacks are arguably even a greater concern in the public-key settingAttacker might be a legitimate senderEasier for attacker to obtain full decryptions of

ciphertexts of its choice Related concern: malleabilityI.e., given a ciphertext c that is the encryption of an unknown message m, might be possible to produce

ciphertext c’ that decrypts to a related message m’This is also undesirable in the public-key setting

8Slide9

Chosen-ciphertext attacks

Can define CCA-security for public-key encryption by analogy to the definition for private-key encryption

See book for details

9Slide10

Hybrid encryption

10

k

pk

ciphertext

“encapsulated key”

The

functionality

of public-key encryption

at the (asymptotic)

efficiency

of private-key encryption!

Enc

Enc

’

m

Decryption done in the obvious waySlide11

Security of hybrid encryption

Let

 be the public-key component, and ’ the private-key component; let 

hy denote their combinationIf  is a CPA-secure public-key scheme, and ’ is a CPA-secure private-key scheme, then

hy is a CPA-secure public-key schemeSimilarly for CCA-security

11Slide12

KEM/DEM paradigm

For hybrid encryption, something

weaker

than public key encryption would sufficeSufficient to have an “encapsulation algorithm” that takes a public key and outputs a ciphertext/key pair (c, k)

Correctness: k is recoverable from c given skSecurity: k is indistinguishable from uniform given pk and cThis can lead to more-efficient constructionsSlide13

Dlog

-based PKESlide14

Diffie-Hellman key exchange

k = (h

2

)

x

m

= c

2

/k

k = (h1)

y

(G, q, g)  G(1n)

x  ℤq

h1 = g

x

G, q, g, h

1

y



ℤ

q

h

2

=

g

y

h

2

c

2

= k · mSlide15

El Gamal encryption

k = (h

2

)

x

m

= c

2

/k

k = (h1

)y

(G, q, g)  G(1n)

x  ℤ

qh1 =

gx

G, q, g, h

1

y



ℤ

q

h

2

=

g

y

h

2

c

2

= k · m

Public key

h

2

, h

1

y

· m Slide16

El Gamal encryption

Gen(1

n

)Run G(1

n) to obtain G, q, g. Choose uniform xℤq. The public key is (G, q, g,

gx) and the private key is xEncpk

(m), where pk = (G, q, g, h) and mG

Choose uniform y ℤq. The

ciphertext is gy, hy·mDec

sk(c1, c2)Output c2/c1

x

16Slide17

Security?

If the DDH assumption is hard for

G

, then the El Gamal encryption scheme is CPA-secureFollows from security of Diffie

-Hellman key exchange, or can be proved directly(Discrete-logarithm assumption alone is not enough here)17Slide18

In practice…

Parameters G, q, g are standardized and shared

Inconvenient to treat message as group element

Use key derivation to derive a key k instead, and use k to encrypt the messageI.e.,

ciphertext is gy, Enc’k(m),

where k = H(hy)Can be analyzed using KEM/DEM paradigm

18Slide19

Chosen-ciphertext attacks?

El

Gamal

encryption is not secure against chosen-ciphertext attacks

Follows from the fact that it is malleableGiven ciphertext c1, c2

, transform it to obtain the ciphertext c1, c’2 = c1

,  · c2 for arbitrary

Since c1, c2 = g

y, hy · m, we have c1, c’2 = gy

, hy · (m)I.e., encryption of m becomes an encryption of m!

19Slide20

Attack!

20

G, q, g, h

c

1

, c

2

c

1

, 2 ·c

2

(Assume 2

 G 

ℤ*p)

First bid: mSecond bid: 2mSlide21

Chosen-ciphertext security

Use key derivation coupled with CCA-secure private-key encryption scheme

I.e.,

ciphertext is

gy, Enc’k(m),where k = H(hy) and

Enc’ is a CCA-secure schemeCan be proved CCA-secure under appropriate assumptions, if H is modeled as a random oracleDHIES/ECIES

21