DOCSLIB.ORG

Introduction

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Introduction Review of Elementary Cryptography For more material, see my notes of CSE 5351, available on my webpage Outline • Security (CPA, CCA, semantic security, indistinguishability) • RSA • ElGamal • Homomorphic encryption 2 Two types of encryption schemes • Private-key encryption schemes Also called symmetric-key encryption schemes • Public-key encryption schemes Also called asymmetric-key encryption schemes • We are more interested in the latter. 3 Symmetric-key encryption scheme • Message space: M ⊆ {0,1}* . • Key generation algorithm G: On input 1nn , G(1 ) outputs a key kK← {0,1}nn . (= {0,1} ; and n is the security parameter.) • Encryption algorithm E : On input a key k and a plaintext m∈ M, E outputs a ciphertext c. We write c← Ekm(, ) or c← Emk ( ). • Decryption algorithm D : On input a key kc and a ciphertext , D outputs a message m. We write mDkcmDc:= ( , ) or := k ( ). • Correctness requirement: for each kK∈ and mM∈ , DEmkk( ()) = m . • GE, , probabilistic algorithms. D, deterministic. All poly-time. 4 Public-key encryption scheme • Key generation algorithm G: On input 1nn , G(1 ) outputs a pair of keys, ( pk, sk ) , each of length at least n. • Encryption algorithm E : On input a public key pk and a plaintext mM∈←pk , E outputs a ciphertext c. We write c Epk ( m ). (The message space may depend on pk.) • Decryption algorithm D : On input a secret key sk and a ciphertext cD, outputs a message m. We write m:= Dcsk ( ). • Correctness requirement: = ←= PrDEmsk( pkk ( )) m : mMp 1 except for a negligible portion of key pairs output by G(1n ). Symmetric vs. Asymmetric • Symmetric encryptions are much faster than asymmetric ones. – AES is typically 100 times faster than RSA encryption and 1000 times faster than RSA decryption. • Use asymmetric cipher to set up a session key and then use symmetric cipher to encrypt data. Security Issues What does it mean that an encryption scheme is secure (or insecure)? • Semantic security • Ciphertext-indistinguishability • Non-malleability Different types of attacks • Different types of attacks (classified by the amount of information available to the attacker): – Ciphertext-only attack (eavesdropper) – Known-plaintext attack – Chosen-plaintext attack (CPA) – Chosen-ciphertext attack (CCA) 8 Negligible functions • A nonegative function fN:→ R is said to be negligible if for every positive polynomial Pn( ), there is an integer n0 such that 1 fn( )<> for all n n (i.e., for sufficiently large n). Pn() 0 • Examples: 2−−nn , 2 , n −log n are negligible functions. • Negligible functions approach zero faster than the reciprocal of every polynomial. • We write negl(n ) to denote an unspecified negligible function. 9 Security Parameter • The security of an encryption scheme typically depends on its key length. Is RSA secure if N = 216, 512, or 1024? • In general, an encryption scheme is associated with an integer called its security parameter. (For now, you may think of it as key length.) • When we say that the probability Pr(λ ) of an encryption scheme being broken is negligible, it is w. r.t. the encryption scheme's security parameter λ. 10 Semantic Security (simplified) • A private-key encryption scheme (GED , , ) with sesutiry parameter n is semantically secure against an eavesdropper if for every probabilistic polynomial-time (PPT) algorithm A there exists a PPT A′ such that for all polynomial-time computable functions fh and : n n n =←← | P r A(1,Emk ( ) ,() hm) f () m: kG(1 ) , m{0, 1} n n ′ −= Pr Ah(1, (m)) fm( ) : m ←{0,1} | ≤ negl(n ). 11 Ciphertext-Indistinguishability • Adversary: a polynomial-time eavesdropper. • (GED , , ) : an encryption scheme with security parameter n. • Imagine a game played by Bob and Eve (adversary): n Eve is given input 1 and outputs a pair of messages mm01, of the same length. n Bob chooses a key k←← G(1 ) and mu { mm01 , }. He computes c← Emk ( ) and gives c to Eve. Eve tries to determine whether c is the encryption of mm01 or . • An encryption scheme is ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than 12. 12 • Definition: An encryption scheme is ciphertext-indistinguishable against eavesdroppers if for every PPT algorithm A and all mm01,∈ M , m01= m , it holds: n = ← ← n PrA (1 , mmEm01 , ,ku ( )) m : m{m01 , m }, kG(1 ) 1 ≤+negl(n ) 2 13 Equivalence of semantic security and ciphertext-indistinguishability • Theorem: Against an eavesdropper, an encryption scheme is semantically secure iff it is ciphertext-indistinguishable. • Theorem: Under CPA, CCA1 or CCA2, an encryption scheme is semantically secure if and only if it is ciphertext-indistinguisha.ble 14 Chosen-plaintext attacks (CPA) • Informally, we may describe CPA as follows: Given: (mc11 , ), ( mc 2 , 2 ), ……, ( mctt , ), where m1, m 2, , mt are chosen by the adversary; and a new ciphertext c. Q : what is the plaintext of c? • Adaptively-chosen-plaintext attack : mm12, , …, mt are chosen adaptively. • Now we describe CPA in terms of oracle. 15 Chosen-plaintext attacks (CPA) A CPA on an encryption scheme (GED , , ) is modeled as follows. 1. A key kG← (1n ) is generated. n 2. The adversary is given input 1 and oracle access to Ek . She may request the oracle to encrypt plaintexts of her choice. 3. The adversary chooses two message mm01, with m 0= m 1; and is given a challenge ciphertext c←← Emkb( ), where b u{0,1}. 4. The adversary continues to have oracle access and may request the encryptions of additional plaintexts of her choice, even mm01 and . 5. The adversary finally answers 0 or 1. Note: The CPA here actually refers to an adaptive CPA. 16 Ciphertext-indistinguishability against CPA • An encryption scheme (GED , , ) is IND-CPA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than 1 2. • Definition: an encryption scheme (GED , , ) is IND-CPA if for ever polynomial adversary A it holds that: Ek nn=←← | PrA( 1 , mmE01 , ,ku (mm )) : k G(1 ), m{ mm01 , }, mm01,←A M] | 1 ≤+ negl(n ) 2 17 Chosen-ciphertext attacks (CCA) • Informally we may describe CCA as follows: Given: (mc11 , ), ( mc 2 , 2 ), ……, ( mctt , ), where c1, c 2, , ct are chosen by the adversary; and a new ciphertext c. Q : what is the plaintext of c? • Adaptively-chosen-plaintext attack : cc12, , …, ct are chosen adaptively. • Now we describe CCA in terms of oracle. • We will allow a CCA adversary to also have CPA capability. (So, by CCA we mean CCA+CPA, rather than pure CCA.) 18 Chosen-ciphertext attacks (CCA) A CCA on an encryption scheme (GED , , ) is modeled as follows . 1. A key kG← (1n ) is generated. n 2. The adversary is given input 1 and oracle access to EDkk and . She may request the oracles to perform encryptions and/or decryptions for her. 3. The adversary chooses two message mm01, with m 0= m 1; and is given a challenge ciphertext c←← Emkb( ), where b u{0,1}. 4. The adversary continues to have oracle access to EDkk and , but is not allowed to request the decryption of c. 5. The adversary finally answers 0 or 1. 19 Ciphertext-indistinguishability against CCA • An encryption scheme (GED , , ) is IND-CCA if no polynomial-time adversary can answer correctly with probability non-negligibly greater than 1 2. • Definition: an encryption scheme (GED , , ) is IND-CCA if for ever polynomial-time adversary A, it holds that: EDkk, nn=←← | PrA( 1 , mmE01 ,10 ,ku (mm )) : k G(1 ), m{ mm , }, mm01,←A M] | 1 ≤+ negl(n ) 2 20 CCA1 vs. CCA2 • The CCA described above is also called CCA2. • If in item #4 the adversary has no access to the decryption oracle, the CCA is called CCA1. 21 Non-malleability • An encryption scheme (GED , , ) is non-malleable if given a ciphertext c= Em( ), it is computationally infeasible for an adversary to produce a ciphertext c′ such that m′′= Dc( ) has some known relation with m. • RSA is malleable. • malleable⇒ not IND-CCA2. • Every homomorphic encryption scheme is malleable, and hence cannot be IND-CCA2. Highest security level possible for homomorphic encryption scheme: IND-CCA1. 22 Homomorphic Encryption RSA is homomorphic • RSA(mm12⋅= ) RSA( m1 ) ⋅ RSA( m 2 ) * where ⋅ is the multiplication in Znn (i.e., modulo ). • Easy to verify: e RSA(mm12⋅=⋅ ) ( mm 12) e RSA(mm11 ) = e RSA(mm22 ) = ee e RSA(m1 )⋅RSA(m2 ) =⋅=⋅ m 1 m 2( mm 12) Homomorphic encryption M : message space C : ciphertext space M : some binary operation in M C : some binary operation in C Definitin o : An encryption scheme is M -homomorphic if the encryption funcoti n E satisfies Epk ( m12MC m )= Epk () m 1 Emk () 2 for all keys pk and messages m12, m∈ M . Comm:ent doesn't work for probabilistic encryptions. ElGamal encryption is homomorphic • Em(12 ⋅← m ) Em ( 1 ) ⋅ Em ( 2 ), in the following sense: Em(12 )⋅ Em ( ) is a valid encryption of mm12. • Verification: kk11 k2 k 2 If Em(1 )= ( g , my1) and Em( 22 )= ( g , my ), then k1 kk 12 k 2 Em( 12)⋅=Em ( )( g , my 1) ⋅( g, my 2) kk12++kk12 = ( g , m12m y ) is a valid encryption of m12m . 26 Homomorphic encryption redefined M : message space C : ciphertext space M : some binary operation in M C : some binary operation in C Definition: An encryption scheme is M -homomorphic if the encryption function E satisfies m12MC m= Dsk( E pk () m1 Em () 2) for all messages mm12,∈ M and all encryption/decryption key pairs (pk , sk ). A generalized definition Definiti: on An encryption scheme is homomorphic w.r.t M if there is a polynomial time algorithm A such that m12 M mD= sk ( Apk ( Em(1 ), Em( 2 ))) for all messages mm12,∈ M and all encryption/decryption key pairs.
Load more

Recommended publications
  • Practical Homomorphic Encryption and Cryptanalysis
    Practical Homomorphic Encryption and Cryptanalysis Dissertation zur Erlangung des Doktorgrades der Naturwissenschaften (Dr. rer. nat.) an der Fakult¨atf¨urMathematik der Ruhr-Universit¨atBochum vorgelegt von Dipl. Ing. Matthias Minihold unter der Betreuung von Prof. Dr. Alexander May Bochum April 2019 First reviewer: Prof. Dr. Alexander May Second reviewer: Prof. Dr. Gregor Leander Date of oral examination (Defense): 3rd May 2019 Author's declaration The work presented in this thesis is the result of original research carried out by the candidate, partly in collaboration with others, whilst enrolled in and carried out in accordance with the requirements of the Department of Mathematics at Ruhr-University Bochum as a candidate for the degree of doctor rerum naturalium (Dr. rer. nat.). Except where indicated by reference in the text, the work is the candidates own work and has not been submitted for any other degree or award in any other university or educational establishment. Views expressed in this dissertation are those of the author. Place, Date Signature Chapter 1 Abstract My thesis on Practical Homomorphic Encryption and Cryptanalysis, is dedicated to efficient homomor- phic constructions, underlying primitives, and their practical security vetted by cryptanalytic methods. The wide-spread RSA cryptosystem serves as an early (partially) homomorphic example of a public- key encryption scheme, whose security reduction leads to problems believed to be have lower solution- complexity on average than nowadays fully homomorphic encryption schemes are based on. The reader goes on a journey towards designing a practical fully homomorphic encryption scheme, and one exemplary application of growing importance: privacy-preserving use of machine learning.
    [Show full text]
  • The Twin Diffie-Hellman Problem and Applications
    The Twin Diffie-Hellman Problem and Applications David Cash1 Eike Kiltz2 Victor Shoup3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This problem is closely related to the usual (computational) Diffie-Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie-Hellman problem. Moreover, the twin Diffie-Hellman problem is at least as hard as the ordinary Diffie-Hellman problem. However, we are able to show that the twin Diffie-Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem — this is a feature not enjoyed by the Diffie-Hellman problem in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie-Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie-Hellman problem is hard. We present several other applications as well, including: a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer-Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh-Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
    [Show full text]
  • Linear Generalized Elgamal Encryption Scheme Pascal Lafourcade, Léo Robert, Demba Sow
    Linear Generalized ElGamal Encryption Scheme Pascal Lafourcade, Léo Robert, Demba Sow To cite this version: Pascal Lafourcade, Léo Robert, Demba Sow. Linear Generalized ElGamal Encryption Scheme. In- ternational Conference on Security and Cryptography (SECRYPT), Jul 2020, Paris, France. hal- 02559556 HAL Id: hal-02559556 https://hal.archives-ouvertes.fr/hal-02559556 Submitted on 30 Apr 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Linear Generalized ElGamal Encryption Scheme Pascal Lafourcade1,Leo´ Robert1, and Demba Sow2 1LIMOS, Universite´ Clermont Auvergne, France, [email protected] , [email protected] 2LACGAA, Universite´ Cheikh Anta Diop de Dakar, Sen´ egal´ , [email protected] Keywords: Cryptography, Partial homomorphic encryption, Linear Assumption, ElGamal encryption scheme. Abstract: ElGamal public key encryption scheme has been designed in the 80’s. It is one of the first partial homomorphic encryption and one of the first IND-CPA probabilistic public key encryption scheme. A linear version has been recently proposed by Boneh et al. In this paper, we present a linear encryption based on a generalized version of ElGamal encryption scheme. We prove that our scheme is IND-CPA secure under linear assumption.
    [Show full text]
  • Semantic Security and Indistinguishability in the Quantum World June 1, 2016?
    Semantic Security and Indistinguishability in the Quantum World June 1, 2016? Tommaso Gagliardoni1, Andreas H¨ulsing2, and Christian Schaffner3;4;5 1 CASED, Technische Universit¨atDarmstadt, Germany [email protected] 2 TU Eindhoven, The Netherlands [email protected] 3 Institute for Logic, Language and Compuation (ILLC), University of Amsterdam, The Netherlands [email protected] 4 Centrum Wiskunde & Informatica (CWI) Amsterdam, The Netherlands 5 QuSoft, The Netherlands Abstract. At CRYPTO 2013, Boneh and Zhandry initiated the study of quantum-secure encryption. They proposed first indistinguishability def- initions for the quantum world where the actual indistinguishability only holds for classical messages, and they provide arguments why it might be hard to achieve a stronger notion. In this work, we show that stronger notions are achievable, where the indistinguishability holds for quantum superpositions of messages. We investigate exhaustively the possibilities and subtle differences in defining such a quantum indistinguishability notion for symmetric-key encryption schemes. We justify our stronger definition by showing its equivalence to novel quantum semantic-security notions that we introduce. Furthermore, we show that our new security definitions cannot be achieved by a large class of ciphers { those which are quasi-preserving the message length. On the other hand, we pro- vide a secure construction based on quantum-resistant pseudorandom permutations; this construction can be used as a generic transformation for turning a large class of encryption schemes into quantum indistin- guishable and hence quantum semantically secure ones. Moreover, our construction is the first completely classical encryption scheme shown to be secure against an even stronger notion of indistinguishability, which was previously known to be achievable only by using quantum messages and arbitrary quantum encryption circuits.
    [Show full text]
  • Exploring Naccache-Stern Knapsack Encryption
    Exploring Naccache-Stern Knapsack Encryption Éric Brier1, Rémi Géraud2, and David Naccache2 1 Ingenico Terminals Avenue de la Gare f- Alixan, France [email protected] 2 École normale supérieure rue d’Ulm, f- Paris cedex , France {remi.geraud,david.naccache}@ens.fr Abstract. The Naccache–Stern public-key cryptosystem (NS) relies on the conjectured hardness of the modular multiplicative knapsack problem: Q mi Given p, {vi}, vi mod p, find the {mi}. Given this scheme’s algebraic structure it is interesting to systematically explore its variants and generalizations. In particular it might be useful to enhance NS with features such as semantic security, re-randomizability or an extension to higher-residues. This paper addresses these questions and proposes several such variants. Introduction In , Naccache and Stern (NS, []) presented a public-key cryptosystem based on the conjectured hardness of the modular multiplicative knapsack problem. This problem is defined as follows: Let p be a modulus and let v0, . , vn−1 ∈ Zp. n−1 Y mi Given p, v0, . , vn−1, and vi mod p, find the {mi}. i=0 Given this scheme’s algebraic structure it is interesting to determine if vari- ants and generalizations can add to NS features such as semantic security, re-randomizability or extend it to operate on higher-residues. This paper addresses these questions and explores several such variants. The Original Naccache–Stern Cryptosystem The NS cryptosystem uses the following sub-algorithms: p is usually prime but nothing prevents extending the problem to composite RSA moduli. – Setup: Pick a large prime p and a positive integer n.
    [Show full text]
  • Cs 255 (Introduction to Cryptography)
    CS 255 (INTRODUCTION TO CRYPTOGRAPHY) DAVID WU Abstract. Notes taken in Professor Boneh’s Introduction to Cryptography course (CS 255) in Winter, 2012. There may be errors! Be warned! Contents 1. 1/11: Introduction and Stream Ciphers 2 1.1. Introduction 2 1.2. History of Cryptography 3 1.3. Stream Ciphers 4 1.4. Pseudorandom Generators (PRGs) 5 1.5. Attacks on Stream Ciphers and OTP 6 1.6. Stream Ciphers in Practice 6 2. 1/18: PRGs and Semantic Security 7 2.1. Secure PRGs 7 2.2. Semantic Security 8 2.3. Generating Random Bits in Practice 9 2.4. Block Ciphers 9 3. 1/23: Block Ciphers 9 3.1. Pseudorandom Functions (PRF) 9 3.2. Data Encryption Standard (DES) 10 3.3. Advanced Encryption Standard (AES) 12 3.4. Exhaustive Search Attacks 12 3.5. More Attacks on Block Ciphers 13 3.6. Block Cipher Modes of Operation 13 4. 1/25: Message Integrity 15 4.1. Message Integrity 15 5. 1/27: Proofs in Cryptography 17 5.1. Time/Space Tradeoff 17 5.2. Proofs in Cryptography 17 6. 1/30: MAC Functions 18 6.1. Message Integrity 18 6.2. MAC Padding 18 6.3. Parallel MAC (PMAC) 19 6.4. One-time MAC 20 6.5. Collision Resistance 21 7. 2/1: Collision Resistance 21 7.1. Collision Resistant Hash Functions 21 7.2. Construction of Collision Resistant Hash Functions 22 7.3. Provably Secure Compression Functions 23 8. 2/6: HMAC And Timing Attacks 23 8.1. HMAC 23 8.2.
    [Show full text]
  • Probabilistic Public-Key Encryption
    PROBABILISTIC PUBLIC-KEY ENCRYPTION By Azymbek Beibyt Fundamentals Semantic Security A public-key cryptosystem is semantically secure if it’s computationally infeasible for opponent to derive any information about plaintext given only ciphertext and public key. Semantic Security = Cryptosystem Indistinguishability Fundamentals Semantic Security (Cont.) Semantic security are obtained using trapdoor (one- way) functions: - prime factorization in RSA - discrete logarithm problem in ElGamal Fundamentals Semantic Security (Cont.) Why not use trapdoor functions as before? ¨ The fact that f is a trapdoor function does not rule out the possibility of computing x from f (x) when x is of a special form. ¨ The fact that f is a trapdoor function does not rule out the possibility of easily computing some partial information about x (even every other bit of x) from f(x). Probabilistic Encryption New approach introduced by Shafi Goldwasser and Silvio Micali in 1983. ¨ Replace deterministic block encryption by probabilistic encryption of single bits. ¨ Proved to be hard to extract any information about plaintext under polynomially bounded computational resources, because is based on intractability of deciding Quadratic Residuosity modulo composite numbers whose factorization is unknown. Probabilistic Public -Key Cryptosystem General Idea (P, C, K, E, D, R), where R is a set of randomizers, encryption is public and decryption is secret and following properties should be satisfied: 1. , where b Є P, r Є R and if Probabilistic Public -Key Cryptosystem General Idea (Cont.) 2. Let ϵ be specified security parameter. Define probability distribution on C, which denotes the probability that y is the ciphertext given that K is the key and x is the plaintext .
    [Show full text]
  • Lecture 9 1 Introduction 2 Background
    CMSC 858K | Advanced Topics in Cryptography February 24, 2004 Lecture 9 Julie Staub Avi Dalal Lecturer: Jonathan Katz Scribe(s): Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed public-key encryption schemes which were provably secure against non-adaptive chosen-ciphertext (CCA-1) attacks, and also adaptive chosen- ciphertext (CCA-2) attacks. However, both constructions used generic non-interactive zero- knowledge proof systems which | although poly-time | are not very efficient (as we will see later in the course). Therefore, the constructions are not very practical. In 1998, Cramer and Shoup proposed an encryption scheme [1] which was provably secure against adaptive chosen-ciphertext attacks and was also practical. The proof of security relies on the hardness of the Decisional Diffie-Hellman (DDH) problem in some underlying group. In this lecture, we will first review the Decisional Diffie-Hellman assumption and the El-Gamal cryptosystem. Then we will modify the El-Gamal encryption scheme to construct a scheme secure against non-adaptive chosen-ciphertext attacks. This will be a step toward the full Cramer-Shoup cryptosystem, which we will cover in later lectures. 2 Background The Cramer-Shoup cryptosystem relies on the DDH assumption in some finite group. In Lecture 4, we defined the Discrete Logarithm (DL) problem and DDH problem; we review them here. Let G be a finite cyclic group of prime order q, and let g 2 G be a generator. Given h 2 G, the discrete logarithm problem requires us to compute x 2 q such that x g = h. We denote this (unique) x by logg h.
    [Show full text]
  • DHIES: an Encryption Scheme Based on the Diffie-Hellman Problem
    Earlier versions of of this work appear in [9] and [1]. This is the full version. DHIES: An encryption scheme based on the Diffie-Hellman Problem Ý Þ Michel Abdalla £ Mihir Bellare Phillip Rogaway September 18, 2001 Abstract This paper describes a Diffie-Hellman based encryption scheme, DHIES (formerly named DHES and DHAES), which is now in several (draft) standards. The scheme is as efficient as ElGamal en- cryption, but has stronger security properties. Furthermore, these security properties are proven to hold under appropriate assumptions on the underlying primitive. DHIES is a Diffie-Hellman based scheme that combines a symmetric encryption method, a message authentication code, and a hash function, in addition to number-theoretic operations, in a way which is intended to provide security against chosen- ciphertext attacks. The proofs of security are based on the assumption that the underlying symmetric primitives are secure and on appropriate assumptions about the Diffie-Hellman problem. The latter are interesting variants of the customary assumptions on the Diffie-Hellman problem, and we investigate relationships among them, and provide security lower bounds. Our proofs are in the standard model; no random-oracle assumption is required. Keywords: Cryptographic standards, Diffie-Hellman key exchange, ElGamal encryption, elliptic curve cryptosystems, generic model, provable security. £Dept. of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093. E-Mail: [email protected]. URL: http://www.michelabdalla./net. Supported by CAPES under Grant BEX3019/95-2. ÝDept. of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093.
    [Show full text]
  • On DRSA Public Key Cryptosystem Sahadeo Padhye School of Studies in Mathematics, Pandit Ravishankar Shukla University, India
    334 The International Arab Journal of Information Technology, Vol. 3, No. 4, Oc tober 2006 On DRSA Public Key Cryptosystem Sahadeo Padhye School of Studies in Mathematics, Pandit Ravishankar Shukla University, India Abstract: The standard RSA cryptosystem is not semantically secure. Pointcheviel proposed a variant of RSA cryptosystem with the property of semantic security by introducing a new problem known as DRSA problem. He called it DRSA scheme. In this paper , we underlined a shortcoming of that scheme and proposed an alternative DRSA public key cryptosystem. Keywords: Public key cryptosys tem, RSA, DRSA, semantically secure . Received Ma y 26 , 2005; accepted August 1, 2005 1. Introduction variants of RSA were developed. The standard RSA cryptosystem was not semantically secure. Although, The most striking development in the history of its variants such as [1, 4, 10] were semantically secure cryptography came in 1976 when Diffie and Hellman against the chosen plaintext attack and chosen published “New Direction in Cryptography” [ 5]. This ciphertext attack but not all of them were more paper introduced the revolutionary concept of public efficient than the ElGamal [7] encryption scheme. key cryptosystem and also provided a new and Pointcheviel [ 11] proposed a new DRSA (Dependent- ingenious method for key exchange, its security RSA) problem and introduced an efficient RSA depends on the intractability on the discrete logarithm version of ElGamal encryption with some security problem. In such a system , each user secretly obtains a properties, namely semantically security against cry pto cell (E, D) and then publishes the encryptor E in chosen -plaintext attacks. The scheme given by a public file.
    [Show full text]
  • Security II: Cryptography
    Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 { Part II http://www.cl.cam.ac.uk/teaching/1213/SecurityII/ 1 Related textbooks Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography Chapman & Hall/CRC, 2008 Christof Paar, Jan Pelzl: Understanding Cryptography Springer, 2010 http://www.springerlink.com/content/978-3-642-04100-6/ http://www.crypto-textbook.com/ Douglas Stinson: Cryptography { Theory and Practice 3rd ed., CRC Press, 2005 Menezes, van Oorschot, Vanstone: Handbook of Applied Cryptography CRC Press, 1996 http://www.cacr.math.uwaterloo.ca/hac/ 2 Private-key (symmetric) encryption A private-key encryption scheme is a tuple of probabilistic polynomial-time algorithms (Gen; Enc; Dec) and sets K; M; C such that the key generation algorithm Gen receives a security parameter ` and outputs a key K Gen(1`), with K 2 K, key length jKj ≥ `; the encryption algorithm Enc maps a key K and a plaintext m message M 2 M = f0; 1g to a ciphertext message C EncK (M); the decryption algorithm Dec maps a key K and a ciphertext n C 2 C = f0; 1g (n ≥ m) to a plaintext message M := DecK (C); ` m for all `, K Gen(1 ), and M 2 f0; 1g : DecK (EncK (M)) = M. Notes: A \probabilistic algorithm" can toss coins (uniformly distributed, independent). Notation: assigns the output of a probabilistic algorithm, := that of a deterministic algorithm. A \polynomial-time algorithm" has constants a; b; c such that the runtime is always less than a · `b + c if the input is ` bits long. (think Turing machine) Technicality: we supply the security parameter ` to Gen here in unary encoding (as a sequence of ` \1" bits: 1`), merely to remain compatible with the notion of \input size" from computational ` complexity theory.
    [Show full text]
  • The Notion of Security for Probabilistic Cryptosystems (Extended Abstract) *
    The Notion of Security for Probabilistic Cryptosystems (Extended Abstract) *. Silvio Micalit Charles Rackoff Bob Sload MIT University of Toronto MIT Abstract Three very different formal definitions of security for public-key cryptosystems have been proposed-two by Goldwasser and Micali and one by Yao. We prove all of them to be equiva- lent. This equivalence provides evidence that the right formalization of the notion of security has been reached. 1 Introduction The key desideratum for any cryptosystem is that encrypted messages must be secure. Before one can discuss whether a cryptosystem has this property, however, one must first rigorously define what is meant by security. Three different rigorous notions of security have been proposed. Goldwasser and Micali[5] suggested two different definitions, polynomial security and semantic security, and proved that the first notion implies the second. Yao[8] proposed a third dehition, one inspired by information theory, and suggested that it implies semantic security. Not completely knowing the relative strength of these dehitions is rather unpleasant. For instance, several protocols have been proved correct adopting the notion of polynomial security. Are these protocols that are secure with respect to a particular definition or are they secure protocols in a more general sense? In other words, a natural question arises: Which of the definitions is the “correct” one? Even better: How should we decide the “correctness” of a definition? The best possible answer to these questions would be to find that the proposed defbitions- each attempting to be as general as possible-are all equivalent. In this case, one obviously no longer has to decide which one definition is best.
    [Show full text]