






A lecture on CCA (chosen ciphertext attack) secure encryption, specifically examining implementations of RSA encryption. The lecture explores Bleichenbacher’s CCA attack on some of the first versions of RSA encryption, as well as the topics of random oracles and trusted third parties to aid against man-in-the-middle attacks. The document also provides definitions of the RSA system, trapdoor permutation, and secure trapdoor permutation, and discusses the RSA assumption. The lecture is part of the CS/ECE 498AC3/4 course at the University of Illinois, Urbana Champaign.
Typology: Lecture notes







University of Illinois, Urbana Champaign CS/ECE 498AC3/4 Applied Cryptography
Instructor: Dakshita Khurana Scribe: Luke Cessna Date: September 29, 2020
CCA Secure Encryption
The focus of this lecture is CCA (chosen ciphertext attack) secure encryption. If the reader recalls the previous two lectures, we were introduced to the idea of RSA encryption. What prompted this exploration of RSA encryption was the desire to create public-key encryption. Up until lectures 9 and 10, we had been assuming that two parties, Alice and Bob, were able to achieve semantic security in the face of an eavesdropper, assuming they had somehow both met and agreed upon a secret key k in advance. However, we know that such a system is entirely impractical, and now, armed with the knowledge of hard problems acquired from the previous two lectures, we can begin our discussion of real-world public-key encryption in earnest. To motivate this discussion, the lecture examines CCA secure encryption by examining implementations of RSA (Rivest-Shamir-Adleman) encryption. Namely, we examine Bleichenbacher’s CCA attack on some of the first versions of RSA encryption. Additionally, we broach some vital mechanics for exploring such attacks, such as what a random oracle is. Finally, we briefly begin the discussion of trusted third parties to aid against man-in-the-middle attacks.
First, I would like to remind the reader of the textbook RSA system. This is important to keep in mind throughout this reading, as all of the systems we are discussing here are based on the assumption of the hardness of factoring products of large primes, and the RSA system is a formal definition of how, at least for right now, we put this idea into practice to encrypt.
Definition 11.1. Textbook RSA system:
We can easily verify that this satisfies correctness: $y^d = x^{e \cdot d} = x^{k\varphi(N)+1} = (x^{\varphi(N)})^k \cdot x = (1)^k \cdot x = x$. Remember that this RSA system is called a trapdoor permutation, which is defined as follows:
Definition 11.2. Trapdoor permutation:
Additionally, a secure trapdoor permutation is defined to have one more requirement:
Definition 11.3. Secure trapdoor permutation, same requirements as above plus:
This last requirement is an important one. Recall that we rely on the hardness of problems for provable security, and if the function $F(pk, \cdot)$ is a one-way function without the secret key k, then we know that this trapdoor permutation is secure. Additionally, before I move on to the rest of the lecture, I would like to point out an important point that is reiterated repeatedly throughout the course. I stated above that we know the trapdoor permutation is provably secure if the function $F(pk, \cdot)$ is a one-way function without the secret key k. However, as we have seen in other lectures, security systems we thought secure in the past proved to be broken rather easily. When we talk about these formal definitions, we must remember that it comes down to the implementation of the encryption we are dealing with. As such, this means that the best way to prove the security of something is through repeated tests, and by building encryptions on systems that have, so far, withstood the test of time and remain secure. Finally, I state here the RSA assumption. This, as implied by the name, is an assumption that we take without a formal proof other than our knowledge of hard problems. This assumption is an important one because we are basing the security of the hardness-based encryptions we are looking at on it.
Definition 11.4. RSA assumption:
To state this in plain English, because we are assuming the hardness of factoring products of large primes, and these encryptions are built on these primes, we can conclude that an adversary A’s advantage is related to their ability to factor quickly, which is negligible.
Figure 11.1: PKCS1 v1.5 example.
Figure 11.2: CCA Attack on PKCS1 v1.5 example.
Figure 11.4: chosen ciphertext security for public key encryption attack game.
Figure 11.5: PKCS1 v2.0 OAEP example
I include the figure above to demonstrate how this works. The important point in this figure is that if RSA is a trapdoor permutation, then RSA-OAEP is CCA secure when H, G are random oracles. This leads us to one of our most important topics in this lecture. Here I define random oracles.
Definition 11.5. Random Oracles:
First, a random oracle is considered to be a function such that on any given input, it outputs a uniform random string, except that if the input has already been seen before, it outputs the same uniform random string as before. This I hope is self-explanatory. Second, observable means that for an attacker to obtain z = H(y), it must query the oracle on y. This means that it is impossible for an attacker to obtain one of the uniform random
Figure 11.6: PKCS1 v2.0 OAEP revisited
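The following is an added example, not part of the lecture notes: a lazily sampled random oracle matching Definition 11.5 (consistent answers, every evaluation logged as a query), used as G and H in a simplified OAEP transform in front of the textbook RSA permutation. The byte lengths, the toy modulus built from two Mersenne primes, and all function names are assumptions for illustration; the layout is the two-round textbook OAEP, not the exact PKCS1 v2.0 encoding.

```python
import secrets

class RandomOracle:
    """Lazily sampled random oracle with a query log (observability)."""
    def __init__(self, out_len):
        self.out_len, self.table, self.queries = out_len, {}, []

    def __call__(self, x: bytes) -> bytes:
        self.queries.append(x)                 # every evaluation is a visible query
        if x not in self.table:                # new input: fresh uniform string
            self.table[x] = secrets.token_bytes(self.out_len)
        return self.table[x]                   # repeated input: same string as before

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

# Constructed toy parameters: two Mersenne primes give a valid but INSECURE modulus.
P, Q, E = 2**521 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))              # trapdoor: e*d = 1 mod phi(N)
MLEN, K1, K0 = 16, 16, 16                      # message, zero-pad, randomness (bytes)
G, H = RandomOracle(MLEN + K1), RandomOracle(K0)

def oaep_pad(m: bytes, r: bytes) -> bytes:
    X = xor(m + bytes(K1), G(r))               # X = (m || 0^K1) xor G(r)
    Y = xor(r, H(X))                           # Y = r xor H(X)
    return X + Y

def oaep_unpad(block: bytes):
    X, Y = block[:MLEN + K1], block[MLEN + K1:]
    r = xor(Y, H(X))
    data = xor(X, G(r))
    return data[:MLEN] if data[MLEN:] == bytes(K1) else None   # reject bad padding

def encrypt(m: bytes, r: bytes = None) -> int:
    r = r if r is not None else secrets.token_bytes(K0)
    x = int.from_bytes(oaep_pad(m, r), "big")
    return pow(x, E, N)                        # y = x^e mod N

def decrypt(y: int):
    x = pow(y, D, N)                           # x = y^d mod N
    if x >= 1 << (8 * (MLEN + K1 + K0)):       # not a well-formed padded block
        return None
    return oaep_unpad(x.to_bytes(MLEN + K1 + K0, "big"))

if __name__ == "__main__":
    c = encrypt(b"sixteen byte msg")
    print(decrypt(c), decrypt((c * pow(2, E, N)) % N))   # plaintext, then None
```

A ciphertext altered after encryption unpads through oracle outputs that were never queried, so the zero-padding check fails except with negligible probability and decryption returns None.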
Figure 11.7: signature scheme attack game