Cryptography

Asymmetric Cryptography
part 1 & 2
Haya Shulman
Many thanks to Amir Herzberg who donated some of the slides from
http://www.cs.biu.ac.il/~herzbea/89-690/index.html
Talk Outline

Heuristic vs Provable Security Approaches
Kerckhoffs' Principle
Public-key Encryption Scheme Definition
Security Definition
Adversarial Power and the Break
Symmetric & Asymmetric Security Specifications (CPA, CCA, CCA2)
Information Theoretically Secure Public Key Encryption Scheme?
Deterministic Public Key Schemes?
Hybrid encryption
Heuristic vs Provable Security Approaches

The heuristic approach
  Build-break-fix paradigm
  Failed cryptanalysis
The provable security
  Reductions to hardness assumptions
  Reduction is a basic cryptographic technique
  The information theoretic security
Kerckhoffs' Principle: Known Design

Security through obscurity is a common approach in the industry
  Attacks (e.g. cryptanalysis) of unknown design can be much harder
But using public (non-secret) designs…
  Published designs are often stronger
  No need to replace the system once the design is exposed
  No need to worry that design was exposed
  Establish standards for multiple applications:
    Efficiency of production and of test attacks / cryptanalysis
Kerckhoffs' Known Design Principle [1883]: adversary knows the design – everything except the secret keys
Public-key Encryption Scheme
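[Figure: Alice (the sender) feeds the plaintext to the encryption algorithm under B.e, the key Alice uses to encrypt to Bob; the ciphertext goes to Bob (the receiver), who feeds it to the decryption algorithm under B.d, the key Bob uses to decrypt, and recovers the plaintext.]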
B.e is a public encryption key, B.d is a matching private
decryption key
Only the key protects confidentiality
Encryption Scheme Definition

No distinction between public/secret key encryption schemes
No security requirement
  Includes trivial (insecure) encryption schemes
Defining Adversarial Power

Computational power
  Computational bounds on its running time
  Uniform/non-uniform
What actions can it take?
  Passive, eavesdropping
  Active, can obtain encryptions/decryptions
Defining the Break

Define the successful break of the scheme
  Recovering the secret key
  Decrypting the challenge
  Learning some partial information about the encrypted message!
Simulating reality using experiments
  Indistinguishability (CPA, CCA, adaptive-CCA)
Indistinguishability Experiment (asymmetric encryption, a.k.a. Public Key)

[Figure: Eve sends chosen plaintexts m and receives ciphertexts c = E_{B.e}(m); she sends selected messages m0, m1; Alice, using B.e, either encrypts, or selects b ∈ {0,1} and encrypts m_b; Eve sends chosen ciphertexts c and receives decryptions m = D_{B.d}(c) from Bob, who holds B.d, the key Bob uses to decrypt; Eve outputs a guess of b.]
IND-CPA Security Specification
IND-CCA Security Specification
IND-CCA2 Security Specification
Indistinguishability Experiment (symmetric encryption, i.e. shared key)

[Figure: Alice and Bob share the key k. Eve sends chosen plaintexts m and receives ciphertexts c = E_k(m, r_e); she sends selected messages m0, m1; Alice either encrypts, or selects b ∈ {0,1} and encrypts m_b; Eve sends chosen ciphertexts c and receives decryptions m = D_k(c) from Bob; Eve outputs a guess of b.]
Eavesdropping (Passive) Attacks Security Specification

Weakest type of adversary
Adversary only obtains the ciphertext that it wishes to decrypt
  Eavesdrops on the communication line between two parties and intercepts the encrypted communication
  Does not obtain oracle access to encryption or decryption functionality
  Does not obtain the encryption key
Eavesdropping Attacks Security Specification
Chosen Plaintext Attacks Security Specification
Perfectly Secure Public-Key Encryption Scheme

A public key encryption scheme is perfectly secure if for every public encryption key e, all messages m0, m1, |m0|=|m1|, all ciphertexts c and all algorithms A
holds

What does it mean for an encryption scheme to be perfectly secure?
  The adversary gains no advantage above pure guess
Perfectly Secure Public-Key Encryption Schemes Do NOT Exist

Proof
  Let = (G,E,D) be a public key encryption scheme
  operates over messages of one bit and encryption/decryption always succeeds
  Construct an algorithm A s.t.
Perfectly Secure Public-Key Encryption Schemes Do NOT Exist

  If c is an encryption of 0 then there exists a random i0, otherwise there exists i1
  A will always return a correct answer since
  while
Secure Deterministic Public Key Encryption Schemes Do NOT Exist

Proof
  Let =(G,E,D) be a deterministic public key encryption scheme
  operates over messages of one bit length and the decryption always succeeds
  Construct A s.t.
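The indistinguishability experiment from the earlier slides, run against a deterministic scheme, as an added example (not code from the slides): because Eve holds the public key, she can encrypt m0 herself and compare the result with the challenge. Textbook RSA with tiny constructed parameters stands in for the deterministic scheme; all function names and the sample messages are assumptions of this example.

```python
import secrets

# Constructed toy parameters: textbook RSA, far too small for real use.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
PK, SK = (N, E), (N, D)

def enc(pk, m):
    """Deterministic E: the same (pk, m) always yields the same ciphertext."""
    n, e = pk
    return pow(m, e, n)

def dec(sk, c):
    """Matching decryption D under the private key."""
    n, d = sk
    return pow(c, d, n)

def adversary(pk, m0, m1, challenge):
    """Eve knows pk, so she encrypts m0 herself and compares with the challenge."""
    return 0 if enc(pk, m0) == challenge else 1

def ind_cpa_experiment(pk, m0, m1):
    """One run: a hidden bit b is selected, m_b is encrypted, Eve guesses b."""
    b = secrets.randbelow(2)
    challenge = enc(pk, (m0, m1)[b])
    return adversary(pk, m0, m1, challenge) == b

def win_rate(trials=500, m0=42, m1=1337):
    """Fraction of experiments Eve wins; 1/2 would mean no advantage."""
    wins = sum(ind_cpa_experiment(PK, m0, m1) for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    print("Eve's success rate:", win_rate())
```

Eve wins every run, not half of them, which is why a public key scheme has to randomize encryption to meet the IND-CPA specification.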
Symmetric vs. Asymmetric

Is there a perfectly secure private key encryption scheme?
Is there a secure deterministic private key encryption scheme?
  Depends on the attack model
Why not define the strongest security for any scheme?
  There is a price for being overly conservative
Arbitrary Length Public-key Encryption Scheme

Secure public-key encryption scheme for one bit implies security under multiple encryptions, given m=m1…mL encrypt
Inefficient
  L times the computational cost of encrypting one block
  Ciphertext length increases
Public key cryptosystems are slow
Also: most (e.g. RSA) have fixed block size (FIL)
  Using a long block size is veeery slooow



Hybrid Encryption ('enveloping')

Can we do better?
  Use VIL secret key cryptosystem, encrypt shared key and use it to encrypt plaintext

[Figure: hybrid encryption. Encryption, given public key e and plaintext m: choose K ∈ {0,1}^k; CKEY ← EPK_e(K); CMSG ← ESK_K(m). Decryption, given private key d: K ← DPK_d(CKEY); output DSK_K(CMSG).]
Hybrid Encryption - Construction


Secure public key encryption scheme
Secure private key encryption scheme
construct a hybrid encryption scheme
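The enveloping construction end to end, as an added example (not code from the slides): a fresh K is encrypted under the public key to give CKEY, and the variable-length plaintext is encrypted under K to give CMSG. Toy ElGamal over a constructed prime group and a SHA-256 keystream stand in for the two component schemes so the block runs with the standard library only; the names epk, dpk, esk, dsk follow the figure, everything else is an assumption of this example.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: p = 2^521 - 1 (prime), g = 3.
P = 2**521 - 1
G = 3
KEY_BITS = 256                                # k, the length of the shared key K

def keygen():
    d = secrets.randbelow(P - 2) + 1          # private decryption key
    return pow(G, d, P), d                    # (e, d)

def epk(e, key_int):
    """Randomized public-key encryption of K (ElGamal)."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (key_int * pow(e, r, P)) % P

def dpk(d, ckey):
    c1, c2 = ckey
    return (c2 * pow(c1, P - 1 - d, P)) % P   # c2 / c1^d mod p

def _keystream(key_int, nonce, length):
    seed = key_int.to_bytes(KEY_BITS // 8, "big") + nonce
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]

def esk(key_int, m):
    """VIL secret-key encryption: random nonce, then XOR with a keystream."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key_int, nonce, len(m))
    return nonce + bytes(a ^ b for a, b in zip(m, stream))

def dsk(key_int, cmsg):
    nonce, body = cmsg[:16], cmsg[16:]
    stream = _keystream(key_int, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def hybrid_encrypt(e, m):
    k = secrets.randbelow(2**KEY_BITS - 1) + 1    # fresh nonzero K per message
    return epk(e, k), esk(k, m)                   # (CKEY, CMSG)

def hybrid_decrypt(d, ckey, cmsg):
    return dsk(dpk(d, ckey), cmsg)
```

Only one public-key operation is needed per message, whatever its length. Like the theorem that follows, this targets IND-CPA only: nothing here authenticates the ciphertext.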
Hybrid Encryption - Security

Theorem: If
is an IND-CPA secure public key
encryption scheme and
is an IND-CPA secure
private key encryption scheme then
is an IND-CPA secure public key encryption scheme for
arbitrary length messages
Proof: We need to show that

For any PPT A and any m0, m1 we need to bound

Hybrid Encryption Proof, cont’

By definition of hybrid encryption algorithm it is
equivalent to

Now given A against the hybrid scheme construct
an algorithm ASK against the private key encryption
scheme
Hybrid Encryption Proof, cont’

Analysis of ASK's success probability

But, is this equivalent to

Why?
Because
There is no way for to choose the key K’ s.t. it is
equal to K used to encrypt the challenge

Hybrid Encryption Proof, 2nd Attempt
Given A=(A1,A2) against we construct
and
and
against
against
The advantage of A is bounded by the sum of the
advantages of each of the algorithms above
Hybrid Encryption Proof, cont’


We first show that
Given a PPT algorithm A=(A1,A2) construct a PPT
against
Hybrid Encryption Proof, cont’

The success probability of

Since
is IND-CPA secure the advantage is
negligible
Hybrid Encryption Proof, cont’


We next show that
Given a PPT algorithm A=(A1,A2) construct a PPT
against
Hybrid Encryption Proof, cont’

The success probability of

Since
is IND-CPA secure the advantage is
negligible
Hybrid Encryption Proof, cont’


In the third step show that
Given a PPT algorithm A=(A1,A2) construct a PPT
against
Hybrid Encryption Proof, cont’

The success probability of

Since
is IND-CPA secure the advantage is
negligible
We obtain

and conclude that
Hybrid Encryption Proof, fin’
Asymmetric Encryption



End of part 1 and 2
Questions?
Thank you.