Applied Cryptography Lecture on CCA Secure Encryption, Lecture notes of Cryptography and System Security

A lecture on CCA (chosen ciphertext attack) secure encryption, specifically examining implementations of RSA encryption. The lecture explores Bleichenbacher’s CCA attack on some of the first versions of RSA encryption, as well as the topics of random oracles and trusted third parties to aid against man-in-the-middle attacks. The document also provides definitions of the RSA system, trapdoor permutation, and secure trapdoor permutation, and discusses the RSA assumption. The lecture is part of the CS/ECE 498AC3/4 course at the University of Illinois, Urbana Champaign.

Typology: Lecture notes

2019/2020

Uploaded on 05/11/2023

University of Illinois, Urbana Champaign
CS/ECE 498AC3/4 Applied Cryptography
Instructor: Dakshita Khurana
Scribe: Luke Cessna
Date: September 29, 2020
LECTURE 11
CCA Secure Encryption

The focus of this lecture is CCA (chosen ciphertext attack) secure encryption. If the reader recalls the previous two lectures, we were introduced to the idea of RSA encryption. What prompted this exploration of RSA encryption was the desire to create public-key encryption. Up until lectures 9 and 10, we had been assuming that two parties, Alice and Bob, were able to achieve semantic security in the face of an eavesdropper, assuming they had somehow both met and agreed upon a secret key k in advance. However, we know that such a system is entirely impractical, and now, armed with our knowledge of hard problems acquired from the previous two lectures, we can begin our discussion of real-world public-key encryption in earnest. To motivate this discussion, the lecture examines CCA secure encryption by examining implementations of RSA (Rivest-Shamir-Adleman) encryption. Namely, we examine Bleichenbacher’s CCA attack on some of the first versions of RSA encryption. Additionally, we broach some of the vital mechanics used in exploring such attacks, such as what a random oracle is. Finally, we briefly begin the discussion of trusted third parties to aid against man-in-the-middle attacks.

11.1 A Bit of Background Knowledge

First, I would like to remind the reader of the textbook RSA system. This is important to keep in mind throughout this reading, as all of the systems we are discussing here are based on the assumption of the hardness of factoring the product of large primes, and the RSA system is a formal definition of how, at least for right now, we put this idea into practice to encrypt.

Definition 11.1. Textbook RSA system:

  • Choose random prime numbers $p, q$ of approximately 1024 bits each and set $N = p \cdot q$.
  • Choose integers $e, d$ such that $e \cdot d \equiv 1 \pmod{\varphi(N)}$.
  • Output $pk = (N, e)$, $sk = (N, d)$, where pk is the public encryption key and sk is the secret key.
  • With this, we define RSA encryption as RSA-Enc$(pk, x) = x^e$ (in $\mathbb{Z}_N$)
  • and RSA decryption as RSA-Dec$(sk, y) = y^d$ (in $\mathbb{Z}_N$).

We can easily verify that this satisfies correctness: $y^d = x^{e \cdot d} = x^{k\varphi(N)+1} = (x^{\varphi(N)})^k \cdot x = (1)^k \cdot x = x$. Remember that this RSA system is called a trapdoor permutation, which is defined as follows:

Definition 11.2. Trapdoor permutation:

  • Three algorithms: $(G, F, F^{-1})$
  • $G$: outputs pk, sk. pk defines a function $F(pk, \cdot): X \to X$
  • $F(pk, x)$: evaluates the function at $x$
  • $F^{-1}(sk, y)$: inverts the function at $y$ using sk, gives $x$ s.t. $F(pk, x) = y$
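Definitions 11.1 and 11.2 put together: textbook RSA written as the three algorithms (G, F, F_inv). This is an added example, not code from the lecture; the toy prime sizes, the default e = 17 and the helper names are assumptions chosen so that the exhaustive checks finish quickly.

```python
# Added example, not from the lecture notes. Toy key sizes only.
import math
import secrets

def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy-size primes used here."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))

def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_prime(cand):
            return cand

def G(bits: int = 16, e: int = 17):
    """Key generation: pk = (N, e), sk = (N, d) with e*d = 1 mod phi(N)."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            N = p * q
            return (N, e), (N, pow(e, -1, phi))  # modular inverse, Python 3.8+

def F(pk, x: int) -> int:
    """Evaluate the permutation: x^e in Z_N."""
    N, e = pk
    return pow(x, e, N)

def F_inv(sk, y: int) -> int:
    """Invert with the trapdoor: y^d in Z_N."""
    N, d = sk
    return pow(y, d, N)

def inverts_everywhere(pk, sk) -> bool:
    """Exhaustive check over all of Z_N (small N only), including x with gcd(x, N) != 1,
    which the x^phi(N) = 1 step does not cover but the Chinese Remainder Theorem does."""
    N, _ = pk
    return all(F_inv(sk, F(pk, x)) == x for x in range(N))

def is_permutation(pk) -> bool:
    """F(pk, .) hits every element of Z_N exactly once (small N only)."""
    N, _ = pk
    return len({F(pk, x) for x in range(N)}) == N

if __name__ == "__main__":
    pk, sk = G(bits=6)
    print(pk, sk, inverts_everywhere(pk, sk), is_permutation(pk))
```

The exhaustive checks are only feasible because N is tiny here; at the 1024-bit prime size of Definition 11.1 the same F and F_inv apply unchanged.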

Additionally, a secure trapdoor permutation is defined to have one more requirement:

Definition 11.3. Secure trapdoor permutation, same requirements as above plus:

  • The function $F(pk, \cdot)$ is one-way without the trapdoor sk

This last requirement is an important one. Recall that we rely on the hardness of problems for provable security, and if the function $F(pk, \cdot)$ is a one-way function without the secret key sk, then we know that this trapdoor permutation is secure. Additionally, before I move on to the rest of the lecture, I would like to point out an important point that is reiterated repeatedly throughout the course. I stated above that we know the trapdoor permutation is provably secure if the function $F(pk, \cdot)$ is a one-way function without the secret key sk. However, as we have seen in other lectures, security systems we have thought secure in the past proved to be broken rather easily. When we talk about these formal definitions, we must remember that it comes down to the implementation of the encryption we are dealing with. As such, this means that the best way to prove the security of something is through repeated tests, and by building encryptions on systems that have, so far, withstood the test of time and remain secure. Finally, I state here the RSA assumption. This, as implied by the name, is an assumption that we take without a formal proof other than our knowledge of hard problems. This assumption is an important one because we are basing the security of the hardness-based encryption schemes we are looking at on it.

Definition 11.4. RSA assumption:

  • RSA is a one-way permutation, and for all efficient algorithms $A$:
  • $\Pr[A(N, e, y) = y^{1/e}] <$ negligible
  • where $p, q \xleftarrow{R}$ n-bit primes, $N \leftarrow p \cdot q$, $y \xleftarrow{R} \mathbb{Z}_N^*$

To state this in plain English, because we are assuming the hardness of factoring the product of large primes, and these encryptions are built on these primes, we can conclude that an adversary A’s advantage is related to their ability to factor such products quickly, which is negligible.

Figure 11.1: PKCS1 v1.5 example.

Figure 11.2: CCA Attack on PKCS1 v1.5 example.

Figure 11.4: chosen ciphertext security for public key encryption attack game.

Figure 11.5: PKCS1 v2.0 OAEP example

I include the figure ?? to demonstrate how this works. The important point in this figure ?? is that if RSA is a trapdoor permutation, then RSA-OAEP is CCA secure when H, G are random oracles. This leads us to one of our most important topics in this lecture. Here I define random oracles.

Definition 11.5. Random Oracles:

  • A random oracle requires three things:
  • it is a function H that is a truly random function, with memory.
  • it is "observable"
  • it is "programmable"
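The three requirements of Definition 11.5 as a lazily sampled table. This is an added example, not code from the lecture; the class, method and function names are hypothetical, and the rule that only still-undefined points may be programmed is the usual proof convention, stated here as an assumption.

```python
# Added example, not from the lecture notes: a lazily sampled random oracle.
import secrets

class RandomOracle:
    """Truly random function H: bytes -> out_len bytes, sampled on first use and remembered."""

    def __init__(self, out_len: int = 32):
        self.out_len = out_len
        self.table = {}    # memory: input -> the uniform output fixed for it
        self.queries = []  # observability: every input that was asked, in order

    def query(self, x: bytes) -> bytes:
        self.queries.append(x)
        if x not in self.table:
            self.table[x] = secrets.token_bytes(self.out_len)  # fresh uniform string
        return self.table[x]

    def program(self, x: bytes, z: bytes) -> None:
        """Fix H(x) = z before anyone asks. z should itself be uniform, and x must
        still be undefined, otherwise the change would contradict an earlier answer."""
        if x in self.table:
            raise ValueError("H(x) is already defined")
        if len(z) != self.out_len:
            raise ValueError("programmed value must have the oracle's output length")
        self.table[x] = z

def extract_preimage(oracle: RandomOracle, z: bytes):
    """Use observability: return the queried input y with H(y) = z, or None.
    A party that never queried y has no way to know H(y)."""
    for y in oracle.queries:
        if oracle.table[y] == z:
            return y
    return None
```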

First, a random oracle is considered to be a function such that on any given input, it outputs a uniform random string, except that if the input has already been seen before, it outputs the same uniform random string as before. This I hope is self-explanatory. Second, observable means that for an attacker to obtain z = H(y), it must query the oracle on y. This means that it is impossible for an attacker to obtain one of the uniform random

Figure 11.6: PKCS1 v2.0 OAEP revisited

Figure 11.7: signature scheme attack game