Chapter 3: Semantically Secure Encryption

Provided by: cdcInform
1
Chapter 3: Semantically Secure Encryption
2
semantically secure
(1) Algorithm $A_1$, on input pk, finds two messages $m_0$, $m_1$ (find stage).
[Figure: $A_1$ receives the public key e and outputs the messages $m_0$ and $m_1$; a random $b$ selects the encryption $c = E(m_b)$, the ciphertext of $m_0$ or $m_1$; $A_2$ outputs $b$.]
(2) Algorithm $A_2$, on input $m_0$, $m_1$, $c = E(m_b)$, guesses $b$ (guess stage).
3
RSA is not semantically secure
$p$, $q$ primes, $n = pq$, $L = (p-1)(q-1)$, $ed \equiv 1 \pmod{L}$.
$(e, n)$ public key, $d$ secret key (factoring, $n$: 1024 bits).
$M$ message, $M \in \{0, 1, 2, \ldots, n-1\}$.
Encryption: $C = M^e \bmod n$
It is easy to distinguish $M_0^e \bmod n$ and $M_1^e \bmod n$ for given $M_0$, $M_1$.
An easy way is to encrypt $(M+r)^e \bmod n$ for a random integer $r < n - M$. But there is no security proof for this padding way!
4
Semantically Secure
A public-key cryptosystem is a triple of algorithms (K, E, D) such that:
(1) K is a probabilistic key generating algorithm which returns public key pk and secret key sk depending on the security parameter n.
(2) E is a probabilistic encryption algorithm, which on input pk, a message $m \in \{0,1\}^k$, and a random number $r \in \{0,1\}^k$ ($k < n$), returns a ciphertext c.
(3) D is a deterministic decryption algorithm, which on input sk and c, returns the original message m.
We require $D_{sk}(E_{pk}(m, r)) = m$.
A public-key cryptosystem (K, E, D) is semantically secure if
$$\mathrm{Adv}(A) = 2 \Pr\big[(sk, pk) \leftarrow K(\{0,1\}^n),\ (m_0, m_1) \leftarrow A_1(pk),\ b \leftarrow \{0,1\},\ c \leftarrow E_{pk}(m_b) : A_2(m_0, m_1, c) = b\big] - 1 < \varepsilon(n)$$
holds for any polynomial time algorithm $A = (A_1, A_2)$.
Algorithm $A_1$, on input pk, finds two messages $m_0$, $m_1$ (find stage). Algorithm $A_2$, on input $m_0$, $m_1$, c, guesses b (guess stage).
5
One-way trap-door function f has hard core bit function v $\Rightarrow$ f is semantically secure
Encryption: Generate $r \in_R \{0,1\}^n$, for message $m \in \{0,1\}$, the ciphertext (t, c) is computed by $t = f(r)$ and
Decryption: Compute $r = f^{-1}(t)$ and
If f is not semantically secure, then we have
m: message $\in \{0,1\}$
Encryption: generate $r \in_R \mathbb{Z}_n$, the ciphertext is (t, c) s.t. $t = r^e \bmod n$,
For 1024-bit n, we can encrypt only one bit. (less bandwidth)
6
Blum-Goldwasser cryptosystem 84
Key generation: Let (n, e) be the public key and let (p, q) be the secret key of the RSA cryptosystem. $a = \log_2(\log_2 n)$.
Encryption: choose $r \in_R \mathbb{Z}_n$, and compute the $a$ least significant bits $s_i$ of $r^{e^i} \bmod n$ for $i = 1, 2, \ldots, k$ and let $s = s_1 s_2 \cdots s_k$. For a message $m \in \{0,1\}^{ak}$, the ciphertext is $t = r^{e^k}$ and
Decryption: Compute $d = (e^k)^{-1} \bmod \varphi(n)$, and $r = t^d \bmod n$. Reconstruct $s = s_1 s_2 \cdots s_k$ and recover
This cryptosystem is semantically secure under the RSA assumption.
n: 1024 bits, $e = 2^{16} + 1$ $\Rightarrow$ $a = \log_2(\log_2 n) = 10$,
Message size: 10k bits (k is polynomial size of log n)
Encryption: k times RSA encryptions.
Decryption: 1 time modular multiplication + k times RSA encryptions
7
Dependent RSA Cryptosystem 99
Key generation: (e, n) RSA public key, d RSA secret key
Encryption: message $m \in \{0, 1, 2, \ldots, n-1\}$, randomly choose $r \in (\mathbb{Z}_n)^*$, ciphertext $(c_1, c_2) = (r^e \bmod n,\ m (r+1)^e \bmod n)$
Decryption: $r = c_1^d \bmod n$, $m = c_2 (r+1)^{-e} \bmod n$.
Key generation: $p = 47$, $q = 53$, $n = 2491$, $e = 3$ $\Rightarrow$ $d = 1595$
Encryption: $r = 1089$, $r^e \bmod n = 1546$, $(r+1)^e \bmod n = 447$, $c_1 = 1546$, $c_2 = 777 \cdot 447 \bmod n = 1070$
Decryption: $r = c_1^d \bmod n = 1089$, $m = c_2 (r+1)^{-e} \bmod n = 777$
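The find/guess game from the "Semantically Secure" slide, played against textbook RSA and against the Dependent RSA scheme with the toy key above. This is an added example, not code from the slides; the function names, the message pair (5, 777) and the extra requirement that r+1 be invertible are assumptions made for the illustration.

```python
import secrets
from math import gcd

N, E, D = 2491, 3, 1595   # toy key from the slide: p = 47, q = 53

def rsa_enc(m):
    """Textbook RSA, C = M^e mod n. Deterministic, no randomness."""
    return pow(m, E, N)

def dpd_enc(m, r=None):
    """DpdRSA: (c1, c2) = (r^e mod n, m*(r+1)^e mod n)."""
    while r is None:
        # Assumption added here: also require r+1 invertible so decryption works.
        t = secrets.randbelow(N - 2) + 1
        if gcd(t * (t + 1), N) == 1:
            r = t
    return pow(r, E, N), m * pow(r + 1, E, N) % N

def dpd_dec(c1, c2):
    """r = c1^d mod n, then m = c2 * (r+1)^(-e) mod n."""
    r = pow(c1, D, N)
    return c2 * pow(r + 1, -E, N) % N

def a1_find():
    """Find stage: output two messages (constructed sample values)."""
    return 5, 777

def a2_guess(encrypt, m0, m1, c):
    """Guess stage: encrypt m0 again and compare with the challenge c."""
    return 0 if encrypt(m0) == c else 1

def advantage(encrypt, trials=2000):
    """Estimate Adv(A) = 2*Pr[A2(m0, m1, c) = b] - 1 over random b."""
    wins = 0
    for _ in range(trials):
        m0, m1 = a1_find()
        b = secrets.randbelow(2)
        wins += a2_guess(encrypt, m0, m1, encrypt((m0, m1)[b])) == b
    return 2 * wins / trials - 1

if __name__ == "__main__":
    print(dpd_enc(777, r=1089), dpd_dec(1546, 1070))
    print("textbook RSA:", advantage(rsa_enc), "DpdRSA:", advantage(dpd_enc))
```

The near-zero figure for DpdRSA speaks only for this re-encryption adversary: e = 3 is the small-exponent case that the D-DpdRSA slide says must be avoided.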
8
Security of the dependent RSA
One-way assumption of DpdRSA: for any adversary $A_{OW}$ we have

Semantic security of DpdRSA: for any adversary $A_{SS}$ we have

9
Number Theoretic Problem I
Computational Dependent RSA (C-DpdRSA) problem: Let $c = r^e \bmod n$. Compute $(r+1)^e \bmod n$, for given RSA key (n, e), ciphertext c.
Computational DpdRSA (C-DpdRSA) assumption: for any adversary $A_{C\text{-}DpdRSA}$ we have
Theorem 1: solving C-DpdRSA problem $\Leftrightarrow$ breaking one-wayness of DpdRSA
Theorem 2: solving C-DpdRSA problem $\Leftarrow$ solving RSA problem (the direction $\Rightarrow$ is unknown)
10
Number Theoretic Problem II
Decisional Dependent RSA (D-DpdRSA) problem: Distinguish two distributions
Rand = $\{(x, y) \mid x \in (\mathbb{Z}_n)^*,\ y \in \mathbb{Z}_n\}$,
DpdRSA = $\{(x^e \bmod n,\ (x+1)^e \bmod n) \mid x \in (\mathbb{Z}_n)^*\}$
Decisional DpdRSA (D-DpdRSA) assumption: for any adversary $A_{D\text{-}DpdRSA}$ we have

If e is small, then we can break the D-DpdRSA problem using the related message attack. We should choose large e.
Theorem 3: DpdRSA scheme is semantically secure under D-DpdRSA assumption
11
DpdRSA is semantically secure under D-DpdRSA assumption
We prove that if the advantage of $A_{SS}$ is not negligible then the advantage of the adversary $A_{DRSA}$ is also not negligible.
  • Algorithm adversary $A_{DRSA}$
  • Input: n, $x, y \in (\mathbb{Z}_n)^*$
  • Output: 1 if (x, y) is in DpdRSA,
  • 0 if (x, y) is in Rand
  • $(m_0, m_1) \leftarrow A_{SS1}(n, e)$
  • $b \leftarrow \{0,1\}$
  • $r \leftarrow A_{SS2}(m_0, m_1, x, m_b y)$
  • If $b = r$ then return 1
  • else return 0

If $(x, y) \in$ Rand then the distribution of $(x, m_b y)$ is random and $A_{SS2}$ cannot distinguish $m_0$, $m_1$.
$\Pr[A_{DRSA}(x \in \text{Rand}) = 1] = 1/2$.
If (x, y) is in DpdRSA, then $(x, m_b y)$ is a ciphertext of $m_b$ and $A_{SS2}$ can distinguish $m_0$, $m_1$.
$\Pr[A_{DRSA}(x \in \text{DpdRSA}) = 1] = 1/2 + \mathrm{Adv}(A_{SS2})/2$.
$\mathrm{Adv}(A_{DRSA}) = \Pr[A_{DRSA}(x \in \text{DpdRSA}) = 1] - \Pr[A_{DRSA}(x \in \text{Rand}) = 1] = \mathrm{Adv}(A_{SS2})/2$.
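The reduction above carried through in code with the toy key from the Dependent RSA slide (an added example, not part of the slides). The stand-in `ass2` reaches advantage 1 only because it is handed the secret exponent d; it, the sampling helpers and the message pair are assumptions made to exercise the construction of $A_{DRSA}$.

```python
import secrets
from math import gcd

N, E, D = 2491, 3, 1595   # toy key from the deck: p = 47, q = 53

def unit():
    """Random x in Z_n^* (assumption: x+1 is required to be invertible too)."""
    while True:
        x = secrets.randbelow(N - 2) + 1
        if gcd(x * (x + 1), N) == 1:
            return x

def sample_dpdrsa():
    """One pair from DpdRSA: (x^e mod n, (x+1)^e mod n)."""
    x = unit()
    return pow(x, E, N), pow(x + 1, E, N)

def sample_rand():
    """One pair from Rand: x in Z_n^*, y in Z_n."""
    return unit(), secrets.randbelow(N)

def ass1():
    """Find stage of A_SS (constructed message pair)."""
    return 5, 777

def ass2(m0, m1, c1, c2):
    """Stand-in guess stage with advantage 1: it decrypts with d."""
    r = pow(c1, D, N)
    if gcd(r + 1, N) == 1:
        m = c2 * pow(r + 1, -E, N) % N
        if m in (m0, m1):
            return 0 if m == m0 else 1
    return secrets.randbelow(2)   # not a ciphertext of m0 or m1: coin flip

def a_drsa(x, y):
    """The distinguisher from the slide: run A_SS on (x, m_b * y)."""
    m0, m1 = ass1()
    b = secrets.randbelow(2)
    r = ass2(m0, m1, x, (m0, m1)[b] * y % N)
    return 1 if b == r else 0

def pr_one(sampler, trials=4000):
    """Estimate Pr[A_DRSA = 1] when the input comes from `sampler`."""
    return sum(a_drsa(*sampler()) for _ in range(trials)) / trials

def advantage():
    return pr_one(sample_dpdrsa) - pr_one(sample_rand)
```

With this stand-in, `pr_one(sample_dpdrsa)` is exactly 1 and `pr_one(sample_rand)` is close to 1/2, so `advantage()` comes out near 1/2, matching $\mathrm{Adv}(A_{SS2})/2$.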