Lots of PKE schemes, including
- A Generic PKE Construction
- Text Book RSA
- Padding RSA
- OAEP RSA
- El-Gamal
- Cramer-Shoup
An asymmetric encryption scheme consists of a triple of efficient algorithms `(KG, E, D)` (satisfying `correctness` and `security`).
- KG: the key generator, returns `public-key PK` and `private-key SK`
- E: the encryption algorithm, `E(m,PK) -> c`
- D: the decryption algorithm, `D(c,SK) -> m`
Definition:
- An asymmetric encryption scheme satisfies IND if the adversary can't gain an advantage even when PK, m(0), m(1) and c are given.
If an asymmetric encryption scheme satisfies IND, the adversary can't gain an advantage in the presence of an eavesdropper.
Chosen Plaintext/Message Attack
Definition:
- An asymmetric encryption scheme satisfies IND-CPA if the adversary can't gain an advantage even when PK, m(0), m(1) and c are given and the adversary can also access `E`.
Because the encryption algorithm is open to the public, a public-key encryption scheme that satisfies IND also satisfies IND-CPA.
Tip: Encrypting each bit of a message using an IND-CPA secure scheme results in an IND-CPA secure encryption of the message
Chosen Ciphertext Attack
Definition:
- An asymmetric encryption scheme satisfies IND-CCA if the adversary can't gain an advantage even when PK, m(0), m(1) and c are given and the adversary can also access `E` and `D` (but can't query `c`).
(I think it's insane. And most public-key encryption schemes can't satisfy it.)
Lecture 10 Page14
f: OW function, P: hard-core Predicate, x: a random number
- Alice: $y = f(x), d = P(x) \oplus b$
- Bob: $f^{-1}(y) \rightarrow x, P(x) \oplus d \rightarrow b$
- This scheme satisfies IND-CPA. `f` and `P` could use the hardness of RSA.
- This scheme doesn't satisfy IND-CCA; we could construct an IND-CCA scheme by `+Zero-Knowledge`
- KG
KG: (p and q are big primes of the same length)
- $E \leftarrow c = m^e \bmod n$
- $D \leftarrow m = c^d \bmod n$
- Doesn't satisfy IND or IND-CPA
- Because it's deterministic, an adversary who has the plaintexts and the scheme can use `PK` to encrypt `m(0),m(1)` and compare the results with c.
Satisfies Randomness/One-Wayness under RSA assumption
Add randomness to textbook RSA. r is a random number and `|` means concatenation.
- KG: Same as Text-Book-RSA
- $E \leftarrow c = (r|m)^e \bmod n$
- $D \leftarrow m = c^d \bmod n$
- Doesn't satisfy IND-CCA
- Satisfies IND and IND-CPA
Why doesn't it satisfy IND-CCA? (e.g. TB-RSA)
Attack
- Query $c' \leftarrow c \cdot r^e$ and get the result `m'`
- $m' = r^{ed} \cdot c^{d} = r^1 \cdot m^{1}$
- $m = m' r^{-1}$
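Added example (not from the lecture or the original notes): textbook RSA with constructed toy parameters, showing the two failures described above, the deterministic re-encryption test that breaks IND/IND-CPA and the $c' = c \cdot r^e$ decryption query that breaks IND-CCA. All function names are hypothetical, and the primes are far too small for real use.

```python
import secrets

# Toy textbook-RSA key, constructed for illustration (far too small for real use).
P, Q, E = 61, 53, 17
N = P * Q                              # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def encrypt(m):
    """Textbook RSA: c = m^e mod n, no randomness."""
    return pow(m, E, N)

def decrypt(c):
    """Textbook RSA: m = c^d mod n."""
    return pow(c, D, N)

def cpa_adversary(c, m0, m1):
    """IND/IND-CPA distinguisher: re-encrypt m0 under PK and compare with c."""
    return 0 if encrypt(m0) == c else 1

def ind_cpa_game(m0, m1):
    """Challenger picks a secret bit b, encrypts m_b; returns True if the guess is right."""
    b = secrets.randbelow(2)
    return cpa_adversary(encrypt((m0, m1)[b]), m0, m1) == b

def decryption_oracle(c_query, c_challenge):
    """IND-CCA oracle: decrypts any ciphertext except the challenge itself."""
    if c_query == c_challenge:
        raise ValueError("the challenge ciphertext may not be queried")
    return decrypt(c_query)

def cca_recover(c, r):
    """Query c' = c * r^e, receive m' = r * m, then compute m = m' * r^-1 mod n."""
    c_prime = (c * pow(r, E, N)) % N
    m_prime = decryption_oracle(c_prime, c)
    return (m_prime * pow(r, -1, N)) % N

if __name__ == "__main__":
    m0, m1 = 65, 66                    # constructed sample plaintexts
    print("IND-CPA wins:", sum(ind_cpa_game(m0, m1) for _ in range(100)), "/ 100")
    print("IND-CCA recovers:", cca_recover(encrypt(m0), r=2))
```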
To be honest, I don't know the details.
- Satisfies IND-CPA
- Conditional IND-CCA-Secure
- OAEP+ Satisfies IND-CCA
Prime: p,q(p=2q+1); Cyclic Group: <g>
Private Key: x
Public Key:
E:
D:
- Satisfies IND-CPA
- Doesn't satisfy IND-CCA
I don't know this scheme, either.
- Satisfies IND-CCA
Can't get `x` from `<g>`.
Can't distinguish
- If DL is easy, DDL is easy.
- If DDL is hard, DL is hard.
- If F is easy, RSA is easy.
- If RSA is hard, F is hard.
- Public-key Encryption's Implementation Settings (Page31)
- Public-key Encryption's Implementation Pitfalls (Page32)