Professional Documents
Culture Documents
Public-Key Cryptography: CCA Secure PKE Hybrid Encryption
Public-Key Cryptography: CCA Secure PKE Hybrid Encryption
Public-Key Cryptography: CCA Secure PKE Hybrid Encryption
Lecture 8
CCA Secure PKE
Hybrid Encryption
CCA Secure PKE
!
in everything...
Hey Eve,
PK/ SK/
Enc Dec I look around
for your eyes shining
I seek you
!
in everything...
Hey Eve,
Env
!
SIM-CCA Security (PKE)
PK
PK
Send Recv Enc SK
Dec
Replay
Filter
Secure (and
correct) if:
"
# s.t.
"
output of
is distributed
Env identically in Env
REAL
IDEAL REAL and IDEAL
IND-CCA +
IND-CCA (PKE version) ~correctness
equivalent to
SIM-CCA
Expt picks a random bit b. It also runs
KeyGen to get a key (PK,SK). Adv gets PK Enc(mb,PK)
Enc SK
PK
Adv sends two messages m0, m1 to
Expt mb
Replay Filter:
Challenge
Expt returns Enc(mb,K) to the ciphertext not
answered
adversary (and installs replay Þlter)
m0,m1
Adversary returns a guess bÕ bÕ
RSA-OAEP
Fujisaki-Okamoto
Hope: the code for H has Òno simple structureÓ and only way to
get anything useful from it is to evaluate it on an input
Encoding is randomized
RSA-OAEP
SKE and MAC (e.g., using Block Ciphers like AES) are very fast
Hybrid encryption: Use (CCA secure) PKE to transfer a key for the
(CCA secure) SKE. Use SKE with this key for sending data
Note: PKE used to encrypt only a (short) key for the SKE
Relatively low overhead on top of the (fast) SKE encryption
Hybrid Encryption n e
ge ey
to
Or e a
rat
Hybrid Encryption: KEM/DEM paradigm k