Slide - Cristina Onete

Key-Indistinguishability and Robustness. Anonymous Encryption.
Rennes, 07/11/2014
CIDRE/INRIA
Cristina Onete
maria-cristina.onete@irisa.fr
➢ What is anonymity?
Anonymous: from “anonymos” (Greek), meaning “nameless”:
“without any name acknowledged, whose name is withheld. Lacking
individuality, unique character, or distinction”
English Dictionary, Dictionary.com
Anonyme/anonymat: from the Greek “anonymos”, meaning “without a name”: said of someone whose name is unknown; the quality of that which has no name or no renown.
Larousse, www.larousse.fr; Wikipedia, fr.wikipedia.org
Cristina Onete || 07/11/2014 || 2
➢ Encryption
[Figure: Amélie sends Baptiste $c = \mathrm{Enc}_{pk}(m)$; Baptiste holds $sk$ and recovers $m$; the ciphertext is random-looking]
➢ Security guarantees:
• Message confidentiality: ciphertext hides plaintext
➢ Encryption
$m$ = "Hello World!"
Encrypted with 2048-bit RSA key:
-----BEGIN PGP MESSAGE-----
wcBMAxDZjxP1noe7AQf+M0T6qNMgf7I2T0ADeUdwmx4J9uxGBFdptH0
RPOGbwLIeGjcKG6PZpemKCtu5iRVCfgE/iMBvE0bxMIWaesxBawBElm3R
L8PZ6ZjREWYgDfNJmazpDCraLXnSNJEFVxRkQWApUfw2QMLGf0OVMj5
CRpkd/XjHaMkNEfe+F6M2tUxuxpzdTEMGWxZ+ESrP/gACxTTy3ewm7xl
uztdXaracw7RV1UbpM4+9UPBce1kIzPn68w7uIOEZvhEGPeipLAKL8FC3J
C9+rAEbDXf+nGZiRPyFQuJn2Pz3Cv+IxZ43hDsSctjLvxUxVMNCEz3QcR
mpPXN6h5f7TTFFN2fMdRwOrdJEAdaJt3aE5I5ssJlfxJzBDH1dc8eVfH2d7
9AAUo6chn25kyGQRUvtYfto057ae5Jvl8mpipy37wZKIuKK52D57VNW1x
A==
=2X4l
-----END PGP MESSAGE-----
➢ Plaintext Security
➢ Plaintext-hiding:
• The attacker can’t get the full plaintext
[Figure]
➢ What if the message space is small?
➢ Plaintext Security
➢ Ciphertext Indistinguishability (IND-CCA)
[Figure: IND-CCA game; each of the two candidate messages is the encrypted one with probability 1/2]
➢ Not even 1 bit of the message is leaked!
➢ Plaintext Security
[Figure: Plaintext Space mapped into Ciphertext Space under Baptiste's key]
➢ Goal: receiver anonymity
➢ Make ciphertext hide the receiver
[Figure: Amélie sends $c = \mathrm{Enc}_{pk}(m)$; is it for Baptiste or for Charles?]
➢ Contents
➢ Key Indistinguishability
• IK-CCA
• IND-CCA vs. IK-CCA
• IK-CCA of RSA and ElGamal-based systems
➢ Robustness of Encryption
• Weak and Strong Robustness
• Robustness of RSA and ElGamal
• WROB- and SROB encryption schemes
➢ Receiver-anonymous encryption
• Construction and limitations
➢ Key-(in)distinguishability
[Figure: Amélie sends $c = \mathrm{Enc}_{pk}(m)$; receivers Baptiste and Charles]
➢ Ciphertext hides the message
➢ Does it also hide the recipient (the $pk$ used for encryption)?
Not necessarily! Counterexample: take $c := (pk, \mathrm{Enc}_{pk}(m))$
➢ Key-(in)distinguishability
➢ Goal: ciphertext hides the key under which it was created
[Figure: IK-CCA game with Baptiste's and Charles's keys; each key is the one used with probability 1/2]
➢ IK-CCA: Can’t tell whether it was one key or the other
➢ IND-CCA, but not IK-CCA
[Figure: Plaintext Space and Ciphertext Space for keys B and C]
➢ IND-CCA and IK-CCA
[Figure: Plaintext Space and Ciphertext Space for keys B and C]
➢ RSA is not IK-CCA
➢ Textbook RSA:
• Key Generation:
Primes $p, q$ of size $l$. Define $N = pq$, $\varphi(N) = (p-1)(q-1)$
Public key: choose $e$ s.t. $\gcd(e, \varphi(N)) = 1$. Now $pk = (N, e)$
Secret key: find the inverse $d$ of $e$: $de = 1 \pmod{\varphi(N)}$. Now $sk = d$
• Encryption (using $pk = (N, e)$):
$c := \mathrm{Enc}_{pk}(m) = m^e \pmod N$
• Decryption (using $sk = d$):
$m := \mathrm{Dec}_{sk}(c) = c^d \pmod N$
➢ RSA is not IK-CCA
➢ Case I: Moduli of different length
• $pk_1 = (N_1, e_1)$, with $|N_1| = l_1$ (say 512 bits)
• $pk_2 = (N_2, e_2)$, with $|N_2| = l_2$ (say 1024 bits)
• Then an encryption under $pk_1$ will be 512 bits long, while an encryption under $pk_2$ will be 1024 bits long
• When the adversary is given a message $m$ and the two public keys, she just needs to look at the length of the outcome
➢ RSA is not IK-CCA
➢ Case II: Moduli of the same length
• $pk_1 = (N_1, e_1)$
• $pk_2 = (N_2, e_2)$
• Let $N_1 > N_2$
• Then an encryption under $pk_2$ will be smaller than $N_2$, while an encryption under $pk_1$ can be larger than $N_2$
• Because the encryption of any message $m$ has to cover the output space well:
$\Pr[\mathrm{Enc}_{pk_1}(m) > N_2]$ is significant
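Both cases can be checked concretely. The following Python is an added example, not code from the talk: it builds constructed toy RSA keys (13-bit and 32-bit moduli, far too small for real use), assumes the same public exponent $e = 65537$ for every key, and serialises ciphertexts at the length of the modulus, which is what the "512 bits long" on the previous slide presupposes. Because the keys are tiny, Case II is evaluated over every valid message, so the adversary's success rate is exact rather than sampled.

```python
"""Added example, not from the talk: two distinguishers showing that textbook
RSA is not key-indistinguishable (IK-CCA).

Constructed toy keys (13-bit and 32-bit moduli, far too small for real use) so
that every message can be enumerated and the advantage computed exactly.
"""
from math import gcd

E = 65537   # public exponent shared by all keys (assumption: same e for both)


def rsa_keygen(p, q, e=E):
    """Textbook RSA key generation from primes p, q; returns (pk, sk)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(N)"
    return (n, e), pow(e, -1, phi)


def rsa_encrypt(pk, m):
    """c = m^e mod N as an integer, 0 <= c < N."""
    n, e = pk
    assert 0 <= m < n, "message must be a residue modulo N"
    return pow(m, e, n)


def modulus_bytes(pk):
    return (pk[0].bit_length() + 7) // 8


def rsa_encrypt_bytes(pk, m):
    """The same ciphertext serialised as libraries do: exactly |N| bytes long."""
    return rsa_encrypt(pk, m).to_bytes(modulus_bytes(pk), "big")


# ---- Case I: moduli of different length ------------------------------------
def guess_by_length(c_bytes, pk1, pk2):
    """The ciphertext length equals the size of the modulus it was made under."""
    return pk1 if len(c_bytes) == modulus_bytes(pk1) else pk2


def case1_success_rate(pk1, pk2, messages):
    """Encrypt each message under each key and count correct guesses."""
    hits = trials = 0
    for pk in (pk1, pk2):
        for m in messages:
            trials += 1
            hits += guess_by_length(rsa_encrypt_bytes(pk, m), pk1, pk2) == pk
    return hits / trials


# ---- Case II: moduli of the same length, N1 > N2 ---------------------------
def guess_by_range(c, pk1, pk2):
    """Every ciphertext under the smaller modulus N2 is < N2, so a value
    >= N2 can only come from the larger one.  Below N2 we cannot tell and
    guess the smaller key (any fixed choice gives the same advantage)."""
    large, small = (pk1, pk2) if pk1[0] > pk2[0] else (pk2, pk1)
    return large if c >= small[0] else small


def case2_success_rate(pk1, pk2):
    """Exhaustive over all messages valid under both keys.  Enc_pk1 is a
    permutation of Z_N1, so a noticeable share of its outputs lands in
    [N2, N1) and the guess is right with probability visibly above 1/2."""
    n_small = min(pk1[0], pk2[0])
    hits = trials = 0
    for pk in (pk1, pk2):
        for m in range(n_small):
            trials += 1
            hits += guess_by_range(rsa_encrypt(pk, m), pk1, pk2) == pk
    return hits / trials


# Constructed keys: two 13-bit moduli (4453 > 4189) and one 32-bit modulus.
PK_A, SK_A = rsa_keygen(73, 61)
PK_B, SK_B = rsa_keygen(71, 59)
PK_LONG, SK_LONG = rsa_keygen(65537, 65521)

if __name__ == "__main__":
    print("Case I  (2-byte vs 4-byte moduli):",
          case1_success_rate(PK_A, PK_LONG, range(1, 300)))
    print("Case II (same length, N1 > N2):  ", case2_success_rate(PK_A, PK_B))
```

The Case I rate is 1: the serialised length alone names the key. The Case II rate is strictly between 1/2 and 1; the gap above 1/2 is half the fraction of $\mathrm{Enc}_{pk_1}$ outputs that land at or above $N_2$, which is the "significant" probability the slide refers to. Neither distinguisher needs a decryption oracle, so the scheme fails even the weaker IK-CPA notion.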
➢ ElGamal is IK-CCA
➢ Textbook ElGamal:
• Key Generation:
Prime $q$ of size $l$ s.t. $2q + 1$ is also prime. Let $G_q = \langle g \rangle$
Secret key: choose $sk \in \{1, \dots, q-1\}$.
Public key: $pk = g^{sk} \pmod q$
• Encryption:
Choose random $r \in \{1, \dots, q-1\}$. Set $c_1 := g^r \pmod q$
Set $c_2 := m \cdot pk^r \pmod q$.
Send: $c = (c_1, c_2)$
• Decryption:
Compute: $m = c_2 / c_1^{sk} \pmod q$
➢ ElGamal is IK-CCA
➢ Intuition:
• All public keys are in the same group
• All ciphertexts have the same length and format
• Given $pk_1$, the encryption of $m$ is: $c = (g^{r_1}, m \cdot pk_1^{r_1})$
• Given $pk_2$, the encryption of $m$ is: $c = (g^{r_2}, m \cdot pk_2^{r_2})$
• The output is identically distributed
➢ Weak and Strong Robustness
➢ What happens if we get someone else’s ciphertext?
• Theory: you can’t decrypt it
• Security: you can’t recover the message
• Practice: you’ll recover a nonsense message
[Figure: Baptiste and Charles]
➢ Robustness: can’t decrypt other ciphertexts
➢ Why do we care?
➢ Our goal: receiver anonymity
[Figure: Amélie sends $c = \mathrm{Enc}_{pk}(m)$; is it for Baptiste or for Charles?]
➢ Why do we care?
➢ Setting:
• Amélie wants to send $m$ to Baptiste anonymously
• She encrypts $m$ under Baptiste’s public key, then broadcasts the ciphertext to multiple receivers
• How do the receivers know whether the ciphertext was for them or not?
➢ Robust encryption:
• If $m$ was encrypted for someone else, the ciphertext decrypts to an error symbol
➢ Weak Robustness
➢ Honestly encrypted ciphertext is robust
[Figure: WROB game with keys B and C]
➢ Strong Robustness
➢ Adversary-chosen ciphertext is robust
[Figure: SROB game with keys B and C; at most 1 decryption of the chosen ciphertext succeeds]
➢ RSA and ElGamal are not robust
RSA Encryption
➢ Encryption: $c := \mathrm{Enc}_{pk}(m) = m^e \pmod N$
➢ Decryption (with $d$): $m := \mathrm{Dec}_{sk}(c) = c^d \pmod N$
➢ Decryption (with $d'$): $c^{d'} \pmod N = m^{e d'} \pmod N = m'$
ElGamal Encryption
➢ Encryption: $c = (c_1, c_2) = (g^r, m \cdot pk^r)$
➢ Decryption (with $sk$): $m = c_2 / c_1^{sk} \pmod q$
➢ Decryption (with $sk'$): $c_2 / c_1^{sk'} \pmod q = m \cdot g^{sk \cdot r} / g^{r \cdot sk'} = m \cdot g^{r(sk - sk')} = m'$
➢ Strongly Robust Encryption
➢ Modified Cramer-Shoup (finite fields)
• Setting: cyclic group $G_q$ of prime order $q$; two generators $g_1$ and $g_2$ of $G_q$; choose random $K \leftarrow_R \mathrm{Keys}_{Hash}$
• Key generation: pick $x_1, x_2, y_1, y_2, z_1, z_2 \leftarrow_R \{0, \dots, q-1\}$; set $e = g_1^{x_1} g_2^{x_2}$, $f = g_1^{y_1} g_2^{y_2}$, $h = g_1^{z_1} g_2^{z_2}$
• Encrypt $M$: pick $u \leftarrow_R \{1, \dots, q-1\}$, set $a_1 := g_1^u$, $a_2 := g_2^u$; set $c := M h^u$, $v := H(K; a_1 a_2 c)$, $d := e^u f^{uv}$
• Decrypt $(a_1, a_2, c, d)$: compute $v = H(K; a_1 a_2 c)$ and $M = c \cdot a_1^{-z_1} a_2^{-z_2}$; if $a_1 = 1$ or $d \neq a_1^{x_1 + v y_1} a_2^{x_2 + v y_2}$, set $M = \bot$
➢ Receiver-anonymous encryption
➢ Our goal: receiver anonymity
[Figure: Amélie sends $c = \mathrm{Enc}_{pk}(m)$; is it for Baptiste or for Charles?]
➢ Construction & Limitations
➢ Use IK-CCA and SROB encryption
• Adversary won’t know whom a ciphertext is for
[Figure: Amélie sends $c = \mathrm{Enc}_{pk}(m)$; Baptiste or Charles?]
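The following Python is an added example, not code from the talk. It serves the two earlier slides on robustness ("RSA and ElGamal are not robust" and the modified Cramer-Shoup scheme) as well as the construction on this slide: textbook ElGamal decrypts anyone's ciphertext to some group element, while the modified Cramer-Shoup decryption returns the error symbol under the wrong key, so a ciphertext broadcast to Baptiste and Charles tells Charles it was not his without telling an outsider whose it was. Assumptions: constructed toy parameters $p = 2q + 1 = 1019$, $q = 509$, generators $g_1 = 4$, $g_2 = 9$ of the order-$q$ subgroup of squares in $\mathbb{Z}_p^*$ (the slides write all ElGamal operations "mod $q$"; the code computes in that subgroup), fixed constructed secret keys for the ElGamal receivers, and $H(K;\cdot)$ instantiated as HMAC-SHA256 reduced mod $q$, which the slides leave abstract.

```python
"""Added example, not from the talk: non-robust ElGamal vs. the strongly
robust modified Cramer-Shoup scheme, and the broadcast scenario.

Constructed toy parameters (far too small for real use): safe prime
p = 2q + 1 = 1019, the order-q subgroup of quadratic residues, generators
g1 = 4 and g2 = 9 of it.  H(K; .) is assumed to be HMAC-SHA256 mod q.
"""
import hashlib
import hmac
import random

P, Q = 1019, 509   # p = 2q + 1, both prime
G1, G2 = 4, 9      # generators of the order-q subgroup (both are squares mod p)


def to_group(x):
    """Encode an integer as a subgroup element: any square mod p has order q."""
    return pow(x, 2, P)


# ---- textbook ElGamal in G_q: decrypts under *any* key, hence not robust ----
def eg_keygen(sk):
    return pow(G1, sk, P), sk


def eg_encrypt(pk, m, rng):
    r = rng.randrange(1, Q)
    return pow(G1, r, P), (m * pow(pk, r, P)) % P


def eg_decrypt(sk, ct):
    """c2 / c1^sk: always a group element, never an error symbol."""
    c1, c2 = ct
    return (c2 * pow(c1, (Q - sk) % Q, P)) % P


# ---- modified Cramer-Shoup: rejects unless the ciphertext was made for sk ----
HASH_KEY = b"constructed-demo-hash-key"   # K <-_R Keys_Hash, fixed for the demo


def H(a1, a2, c):
    """v = H(K; a1 a2 c), as an exponent in {0, ..., q-1}."""
    tag = hmac.new(HASH_KEY, f"{a1},{a2},{c}".encode(), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % Q


def cs_keygen(rng):
    x1, x2, y1, y2, z1, z2 = (rng.randrange(Q) for _ in range(6))
    e = pow(G1, x1, P) * pow(G2, x2, P) % P
    f = pow(G1, y1, P) * pow(G2, y2, P) % P
    h = pow(G1, z1, P) * pow(G2, z2, P) % P
    return (e, f, h), (x1, x2, y1, y2, z1, z2)


def cs_encrypt(pk, m, rng):
    e, f, h = pk
    u = rng.randrange(1, Q)            # u != 0, so honest ciphertexts have a1 != 1
    a1, a2 = pow(G1, u, P), pow(G2, u, P)
    c = m * pow(h, u, P) % P
    v = H(a1, a2, c)
    d = pow(e, u, P) * pow(f, u * v % Q, P) % P
    return a1, a2, c, d


def cs_decrypt(sk, ct):
    """Returns M, or None as the error symbol when the check fails."""
    x1, x2, y1, y2, z1, z2 = sk
    a1, a2, c, d = ct
    v = H(a1, a2, c)
    expected = pow(a1, (x1 + v * y1) % Q, P) * pow(a2, (x2 + v * y2) % Q, P) % P
    # a1 == 1 (u = 0) would pass the d check under every key; rejecting it is
    # the modification that makes the scheme strongly robust.
    if a1 == 1 or d != expected:
        return None
    return c * pow(a1, (Q - z1) % Q, P) * pow(a2, (Q - z2) % Q, P) % P


def broadcast_demo(seed=2014):
    """Amelie encrypts for Baptiste and hands the ciphertext to both receivers."""
    rng = random.Random(seed)
    m = to_group(117)                                   # constructed message
    # ElGamal: Charles gets a valid-looking but wrong group element.
    eg_pk_b, eg_sk_b = eg_keygen(17)                    # constructed secret keys
    eg_pk_c, eg_sk_c = eg_keygen(42)
    eg_ct = eg_encrypt(eg_pk_b, m, rng)
    # Cramer-Shoup: Charles gets the error symbol and knows it was not for him.
    cs_pk_b, cs_sk_b = cs_keygen(rng)
    cs_pk_c, cs_sk_c = cs_keygen(rng)
    cs_ct = cs_encrypt(cs_pk_b, m, rng)
    return {
        "m": m,
        "elgamal_baptiste": eg_decrypt(eg_sk_b, eg_ct),
        "elgamal_charles": eg_decrypt(eg_sk_c, eg_ct),
        "cs_baptiste": cs_decrypt(cs_sk_b, cs_ct),
        "cs_charles": cs_decrypt(cs_sk_c, cs_ct),
        # the u = 0 ciphertext (1, 1, M, 1) that the a1 check exists for
        "cs_u_zero": cs_decrypt(cs_sk_c, (1, 1, m, 1)),
    }


if __name__ == "__main__":
    for key, val in broadcast_demo().items():
        print(f"{key:18} {val}")
```

Two things are worth noticing in the output. For ElGamal, Charles's result is never `None` and, since $sk \neq sk'$ and $r \neq 0$, it is never $m$ either: exactly the $m' = m \cdot g^{r(sk - sk')}$ of the earlier slide, a nonsense message with no indication that anything went wrong. For Cramer-Shoup, the $d$ check fails under Charles's key except with probability $1/q$, and the extra $a_1 = 1$ test is what rejects the degenerate ciphertext $(1, 1, M, 1)$, which would otherwise satisfy the $d$ check under every key and decrypt to $M$ for everyone.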
➢ Construction & Limitations
➢ Use IK-CCA and SROB encryption
• What if the adversary waits for an answer?
[Figure: Amélie sends $c = \mathrm{Enc}_{pk}(m)$ to Baptiste or Charles]
➢ Constructions & Limitations
➢ Use “onion” routing – use routers to encrypt and send messages between sender and receiver
[Figure: onion routing. Source: cdn.arstechnica.net]
➢ MRI students: papers
• Karame, Androulaki, Capkun: “Two Bitcoins at the Price of One? Double-spending attacks on fast payments in Bitcoin”
https://eprint.iacr.org/2012/248.pdf
• Burmester, Desmedt: “A Secure and Efficient Conference Key Distribution System”
http://www.cs.fsu.edu/~langley/Eurocrypt/euro-pre.pdf
• Sarkar, Fitzgerald: “Attacks on SSL. A comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY 13 & RC4 biases”
https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
➢ MRI students: papers
• BSI: “Advanced Security Mechanisms for Machine Readable Travel Documents – Part 2”
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03110/TR03110_v2.1_P2pdf.pdf;jsessionid=A06695D3F0DCA020B98B4CAC8946CD13.2_cid294?__blob=publicationFile
• Bordes: “BitLocker”
https://www.sstic.org/media/SSTIC2011/SSTICactes/bitlocker/SSTIC2011-Article-bitlocker-bordes.pdf
• Fluhrer, Mantin, Shamir: “Weaknesses in the Key Scheduling Algorithm of RC4”
http://merlot.usc.edu/cs531-s11/papers/Fluhrer01a.pdf
➢ MRI students: papers
• Montalvo, Defrance, Lefebvre, Le Scouarnec, Pérez: “Système de stockage-en-ligne avec confidentialité des données personnelles”
https://www.sstic.org/media/SSTIC2011/SSTIC-actes/systeme_de_stockage-en-ligne_de_photos_avec_confid/SSTIC2011-Article-systeme_de_stockage-en-ligne_de_photos_avec_confidentialite_des_donnees_personnelles-montalvo.pdf
• Marechal: “État de l’art sur le cassage de mots de passe”
https://www.sstic.org/media/SSTIC2007/SSTICactes/Etat_de_l_art_cassage_de_mots_de_passe/SSTIC2007Article-Etat_de_l_art_cassage_de_mots_de_passe-marechal.pdf
➢ MRI students: papers
• Shi, Chan, Stefanov, Li: “Oblivious RAM with O((log N)^3) Worst-Case Cost”
https://eprint.iacr.org/2011/407.pdf
• Curtmola, Garay, Kamara, Ostrovsky: “Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions”
http://eprint.iacr.org/2006/210.pdf
• Dodis, Pointcheval, Ruhault, Vergnaud, Wichs: “Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not robust”
https://eprint.iacr.org/2013/338.pdf
➢ MRI students: papers
• Bellare, Paterson, Rogaway: “Security of Symmetric Encryption against Mass Surveillance”
https://eprint.iacr.org/2014/438.pdf
Thanks!
CIDRE/INRIA