
Malleability of Cryptosystems

Malleability of Cryptosystems. Kevin Allison. Definitions. Malleable: the ability to manipulate a given ciphertext α into a ciphertext β that, when decrypted, produces a related plaintext. Non-malleable: not being able to compute a different related ciphertext β from a given ciphertext α.


Presentation Transcript


  1. Malleability of Cryptosystems Kevin Allison

  2. Definitions
     • Malleable: the ability to manipulate a given ciphertext α into a ciphertext β that, when decrypted, produces a related plaintext.
     • Non-malleable: not being able to compute a different related ciphertext β from a given ciphertext α.

  3. What Does Non-malleability Provide?
     • Improved security by knowing the encrypted message has not been tampered with
       • Ideologically equivalent to existentially unforgeable signatures
     • Secrecy does not imply independence
       • Non-malleable cryptosystems prove this

  4. Simple Example
     • Professor Kaminsky enjoys encrypting his grades and giving each student their own symmetric key for decryption. Unfortunately you forgot how to add and did not do so well on the first test. With a malleable cryptosystem, this can be fixed!
     [Figure: Start Grade → End Grade]
     (The previous assumes Professor Kaminsky uses a malleable encryption scheme. This is unlikely.)

  5. Security
     • Given a relation R and the ciphertext α
     • Malleable if
       • B is able to create a related ciphertext β from ciphertext α
     • Non-malleable if
       • For every attacker A launching an attack G there is an A’ that produces a ciphertext γ without access to ciphertext α and with a similar probability as A
     • Two types:
       • Semantic Security
       • Non-malleable Security

  6. Semantic Security • Definition 2.1: • A scheme S for public-key cryptosystems is semantically secure with respect to relations under chosen plaintext attack if for every probabilistic polynomial time adversary A as above there exists a probabilistic polynomial time adversary simulator A’ such that for every relation and function computable in probabilistic polynomial time is subpolynomial.

  7. Types of Attacks
     • Chosen Plaintext
       • Attacker can encrypt any plaintext to get the ciphertext
       • Least Powerful
     • Chosen Ciphertext – Pre Processing
       • Access a decryption oracle < xp times, then remove oracle
     • Chosen Ciphertext – Post Processing
       • Gets challenge ciphertext before oracle is removed
       • Can decrypt any ciphertext excluding the challenge via the oracle
       • Most Powerful

  8. Incorrect Implementations (Dolev et al.)
     • Appending encryption to a zero-knowledge proof
       • Proof could be malleable, therefore possible to generate new encryption and new proof
     • Sending encryption plus signature
       • Possible to generate new encrypted message E(m+1) and new signature based off that
     • Signature inside Ciphertext
       • Same as above

  9. Public Key Overview
     • Scheme S (Dolev et al.)
       • Create public signature verification key/private signing key
       • Encrypt message using several keys derived from the public signature verification key
       • Zero-knowledge proof used to show the value encrypted is the same
       • Encryptions and proof are signed using the key from step 1

  10. Public Key Generation (Dolev et al.)

  11. Public Key Encryption (Dolev et al.)

  12. Public Key Encryption (Dolev et al.)

  13. Non-malleable Security
      • Run the Public Key Generation on Related Scheme (S’):
      • Only run GN(n) n times. Not 2n.
      • Public Key:
      • Private Key:
      • Message ---encrypt--->
      • If S is broken for malleability, then S’ is broken for semantic security
      • Thus if S’ is semantically secure, then S is non-malleable

  14. Critical Components
      • Security of the one-way hash function
        • If it is possible to reverse the hash function, then the Scheme is invalid
      • Does the hash function produce collisions?
        • Another failure case
      • Is the Zero Knowledge Authentication system correct?
        • Otherwise verification of information is jeopardized.

  15. Modern Implications
      • What if the Key is malleable?
        • Is it possible to modify the key in such a way that it will produce a related plaintext that will decrypt with the correct public key?
        • Then the proposed encryption scheme does not work. It is vulnerable to that attack
      • To combat this, we need to make the relation take the public key into account!
        • Redefine a relation to be contain

  16. References
      • Dolev et al. Non-Malleable Cryptography. http://www.cs.rit.edu/~kra2178/crypto/files/10.1.1.49.4643.pdf
      • Fischlin, Marc. Completely Non-malleable Schemes. http://www.cs.rit.edu/~kra2178/crypto/files/completely_non_malleable_schemes.pdf
      • Ventre, Carmine. Completely Non-Malleable Encryption Revisited. http://www.iacr.org/archive/pkc2008/49390068/49390068.pdf
      • Boldyreva et al. Foundations of Non-malleable Hash and One-Way Functions. http://www.cs.rit.edu/~kra2178/crypto/files/found_non_malleable.pdf

  17. Questions?
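
The grade example on slide 4 and the definitions on slide 2, worked through as an added example that is not part of the original presentation. It assumes a toy XOR keystream cipher as the malleable symmetric scheme and uses encrypt-then-MAC as a stand-in integrity check (not the Dolev et al. public-key construction); all keys, nonces and grade strings are constructed sample values.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (assumption for this example): SHA-256 over key, nonce, counter."""
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Malleable scheme: ciphertext = plaintext XOR keystream (decrypt is the same call)."""
    return xor(data, keystream(key, nonce, len(data)))

def related_ciphertext(alpha: bytes, known: bytes, wanted: bytes) -> bytes:
    """beta = alpha XOR known XOR wanted: no key needed, so the scheme is malleable."""
    return xor(alpha, xor(known, wanted))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    c = encrypt(enc_key, nonce, data)
    return c, hmac.new(mac_key, nonce + c, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, c: bytes, tag: bytes):
    """Return the plaintext, or None when the ciphertext does not match its tag."""
    expected = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return encrypt(enc_key, nonce, c)

# Constructed sample values, not from the presentation
ENC_KEY = b"k" * 32
MAC_KEY = b"m" * 32
NONCE = b"exam-1-student-7"
START = b"grade=62"
END = b"grade=97"

def demo():
    alpha = encrypt(ENC_KEY, NONCE, START)
    beta = related_ciphertext(alpha, START, END)       # related ciphertext from alpha
    tampered_plain = encrypt(ENC_KEY, NONCE, beta)     # decrypts to the related plaintext
    c, tag = seal(ENC_KEY, MAC_KEY, NONCE, START)
    modified = related_ciphertext(c, START, END)
    rejected = open_sealed(ENC_KEY, MAC_KEY, NONCE, modified, tag)  # tag check fails
    accepted = open_sealed(ENC_KEY, MAC_KEY, NONCE, c, tag)         # untouched message
    return tampered_plain, rejected, accepted

if __name__ == "__main__":
    print(demo())
```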
