security engineering lecture notes (5/6)

고려대학교 정보보호대학원

마스터 제목 스타일 편집


Secure Design





3

Cryptography amp Secure Design



4

Cryptography has a firmer theoretical foundation than other security techniques

So if you study this you will be able to have an insight to design and analyze other security systems more systematically




5

Modern cryptography which is distinguished from classical cryptography by

Its emphasis on ( ) If you donlsquot know what it is you are trying to achieve how

can you hope to know when you have achieved it

Precise ( ) and Many cryptographic constructions cannot currently be

proven secure in an unconditional sense Security often relies instead on some widely-believed (albeit unproven) assumption The modern cryptographic approach dictates that any such assumptions must be clearly and unambiguously defined

( ) of security This is the essence of modern cryptography and was

responsible for the transformation of cryptography from an art to a science

Emphases of Modern Cryptography



6

Symmetric Ciphers



7

The World of Symmetric Ciphers

RSA Discrete Log Factoring hellip

One-Way Function (or One-Way Permutation)

Hard-Core Predicate

Pseudorandom Generator with +1 Expansion

Pseudorandom Generator with Arbitrary Expansion

Pseudorandom Function

(Strong) Pseudorandom Permutation Pseudorandom Function + Feistel

Network

Block Ciphers

Theoretical Construction Practical Construction

CPA-Secure Secret-Key Encryption Scheme for arbitrary-length messages amp Existentially Unforgeable MAC

CCA-Secure Secret-Key Encryption Schemes

CPA-Secure Secret-Key Encryption Scheme for fixed-length message



8

Modes of Operation

Suppose that X is a pseudorandom

permutation

scheme X-CBC is secure

scheme X-OFB is secure

scheme X-CTR is secure

Of course to get any information about practical relevance of these results one needs to look at the concrete parameters hidden in the ldquoasymptoticsrdquo



9

Asymmetric Ciphers



10

The challenge(target) for the adversary should be as ( ) as possible

The adversary should be as ( ) as possible

The assumptions should be as ( ) as possible

Quality of security reduction should be as ( ) as possible

Ideal Properties of a Proof

Cited from BKaliski and JJonsson( RSA Lab)rsquos Presentation Material



11

Protocol Analysis Techniques

protocol security analysis

Formal models Computational models

Model checking Inductive method

Dolev-Yao (perfect cryptography)

Random oracle Probabilistic process calculi

Probabilistic IO automata hellip

Finite-state checking

Protocol logics hellip

Symbolic analysis

Finite processes infinite attacker

Finite processes finite attacker

Probabilistic model checking

Fully automated methods always terminate and give an answer



12

Brief History of Provable Security

1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR

(Random oracle model)

Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC

Cited from Dr TOkamotorsquos Presentation Material in KISA



13

Blum Goldwasser amp Micali (1982~1988) Mathematical definitions of security Encryption [Goldwasser Micali 86] Signatures [Goldwasser Micali Rivest 88]

Now a common requirement to support

emerging standards (IEEE P1363 ISO Cryptrec NESSIE)




14

Design Secure Asymmetric Cipher

OWF

x

y

E

x

y

Random k asymp



15

One-Way Function

One-Way Function A function

f 01 -gt 01

is called ldquoone-way rdquo if there is an efficient algorithm

that on input x outputs f(x) whereas any feasible algorithm that tries to find a preimage of f(x) under f may succeed only with negligible probability

- Any Feasible Algorithm

bull HW DTM NDTM PTM bull SW COA KPA CPA CCA

- Preimage

bull Whole Partial Correlated



16

Preimage (Goal)

One-Way (OW) Hard to invert the encryption function

Semantically Secure (IND) Hard to obtain any partial information of a plaintext from the ciphertext

Non-Malleability (NM) For any non-trivial relation R E(M) -gt E(R(M)) is hard

One-Way Function



17

Algorithm (HW Attack Method)

FA (Finite Automata)

PDA (Pushdown Automata)

TM (Turing Machine)

PTM (Probabilistic TM)

von Neumann Machine

One-Way Function



18

Algorithm (SW Attack Method)

Passive Attack (CPA) Ciphertext Only Attack (COA)

Chosen Plaintext Attack (CPA)

Active Attack (CCA) Chosen Ciphertext Attack (CCA)

1990) Static Chosen-Ciphertext Attack (Lunch time attack Naor amp Yung)

1991) Adaptive Chosen-Ciphertext Attack (Rackoff amp Simon)

One-Way Function



19


One-Way Function



20

6 Notions of Security

Goals

IND

NM

CPA

CCA1

CCA2

Attacks

IND-CPA IND-CCA1 IND-CCA2

NM-CPA NM-CCA1 NM-CCA2



21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

A B proven that meeting notion A implies meeting B

A B proven that meeting notion A implies not meeting B

NOTE A implies B iff there is a path from A to B

PA



22

One-Wayness (OW-CPA)

Security Goal One-wayness

ndash Easy to compute ciphertext from plaintext but hard to invert

Attacker Model

Passive Attacker

Public Key

C P

Security Proof Relative complexity by reduction



23


Encryption Algorithm A

(Assumption) Computationally

Difficult Problem B

Encryption Algorithm Complexity Theory

Reducible

If an adversary can break the secrecy of A

Contradicting Assumption

Partial information problem Leak partial information if the plaintext comes from small plaintext space

Then we can break The problem B



24

Private Key p = q = 3 (mod 4)

Public Key n = pq

Encryption C = M2 (mod n)

Decryption m1 = C(p+1)4 (mod p) m2 = (p ndash C(p+1)4) (mod p)

m3 = C(q+1)4 (mod q) m4 = (q ndash C(q+1)4) (mod p)

a = q(q-1 mod p) p = p(p-1 mod q) M1 = (am1+bm3) mod n M2 = (am1+bm4) mod

n M3 = (am2+bm3) mod n M4 = (am2+bm4) mod n

M is one of M1 M2 M3 M4

OW-CPA Example Rabin Scheme



25

Proof Sketch of Rabin Scheme

Algorithm Arsquo solving IFP

Algorithm A cryptanalyzing Rabin

Let A be an adversary that breaks the Rabin scheme Then A can be used to solve IFP If so we say solving IFP reduces to breaking the Rabin scheme -gt Conclusion If IFP untractable then Rabin scheme is unbreakable



26

Polynomial Security (IND-CPA)

Security Goal Polynomial Security

ndash Cannot distinguish 2 ciphertexts (Indistinguishability)

Attacker Model

Passive Attacker

Public Key

C 01

rarr Encryption Alg must be probabilistic

Msg Space M0 M1



27

Probabilistic Encryption

Plaintext

Ciphertext

0

1

Encryption (Random Selection)

Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119

(75||R19)119 = 75||R -gt 75 = ldquoKrdquo



30

Semantic Security (= Polynomial Security) is a ( ) of Shannonrsquos ldquoperfect secrecyrdquo

Semantic Security



31


Semantic Security

How to define this goal formally



32

How to Make Semantic Secure Cipher

How to make it



33

Chosen Ciphertext Attack

Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

If attacker can manipulate Ciphertext



34


Active Attacker

① Generate random integer 3

④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35


RULE C0 = C1 helliphellip Cn

Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO

After queries to DO Before queries to DO



36

Non-Malleability

Active Attacker

C Crsquo

Alicersquos Public Key

Bobrsquos Public Key

Directory

mrsquo is unknown but related in some known way to m



37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38

How to Make Non-Malleable Cipher

How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40

Authenticated Encryption

Plaintext Awareness




41


Authenticated Encryption Scheme



42

Many popular Internet protocols rely on authenticated encryption schemes for privacy and authenticity Examples SSL TLS SSH IPSEC hellip

Many applications on the Internet require both privacy and authenticity Examples online banking online retail

online auctions instant messaging remote login secure file transfer hellip

Relevance to Internet Security



43

Encrypt-and-MAC ĒKeKm(M) = EKe(M) || TKm(M)

MAC-then-Encrypt ĒKeKm(M) = EKe(M || TKm(M))

Encrypt-then-MAC ĒKeKm = EKe(M) || TKm(EKe(M))

Generic Composition Methods



44

Question

Assuming the base encryption scheme is secure (IND-CPA) and the base MAC scheme is secure (UF-CMA)

is the composed scheme CCA-secure

Generic Composition Results



45


Security Composition Method

1) Encrypt-and-MAC

EKeKm(M) = EKe(M)||TKm(M)

2) MAC-then-Encrypt

EKeKm(M) = EKe(M||TKm(M))

3) Encrypt-then-MAC

EKeKm(M) = EKe(M)||TKm(EKe(M))



46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47

PA is merely a ( ) rather than a ( )

A scheme with IND-CPA security is plaintext aware (PA) if an adversary cannot produce a valid ciphertext without knowing the corresponding plaintext The adversary has access to an encryption

oracle and random oracles but no decryption oracle

PA implies IND-CCA2 security Decryption queries give no information since

the adversary already rdquoknowsrdquo the plaintext

Plaintext Awarenes




48

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes such as Hash functions Block ciphers Finite groups

are considered to be ideal that is the adversary can only use (attack) them in a certain way

Idealized Security Models Hash function -gt Random oracle Block ciphers -gt Ideal cipher Finite groups -gt Generic group

Standard model no idealized primitives (sort of)

PA amp Random Oracle Model



49

A paradigm for designing efficient provably secure protocols (MBellare and PRogaway 1993)

In cryptography a RO is an oracle (a theoretical black box) that responds to every query with a (truly) random response chosen uniformly from its output domain except that for any specific query it responds the same way every time it receives that query




50

PA makes sense only in the ROM

The RO is used in the definition of plaintext awareness to give the extractor a ldquowindowrdquo into the internal state of the adversary (as revealed through its queries) If the external RO is replaced by an internal algorithm then this window is closed

In the standard model the adversary can encrypt a plaintext and then ldquoforgetrdquo it




51

Optimal Asymmetric Encryption Padding

The main drawback of the previous scheme is that ciphertexts are longer than a single element of ZN even when short messages are encrypted

The encoding function OAEP is designed so that the only way to find an element in the image of OAEP is to choose m and r and then explicitly compute OAEP(mr)

OAEP is essentially a ( )

OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H

( ) bullf one-way permutation

C = f(OAEP(mr)) = (m1||m2

)e mod N



53

A new padding scheme OAEP++ was proposed by Jonsson (2002) The one-time pad on the OAEP (xor

between random and output of H) is replaced by a strong block cipher (ideal cipher model)

Ideal Cipher Model Consider block cipher E as a family of

perfectly random and independent permutations

OAEP++



54

Provable security does not yield proofs

Proofs are relative (to computational assumptions) and to the definition of the schemersquos goal

Proofs often done in ideal models (Random Oracle Model Ideal Cipher Model Generic Group Model) with debatable meaning

Definitions and proofs need time for acceptance

Limits of Provable Security



55

Still provable security

Provides some form of guarantee that the scheme is not flawed

Motivates us to spell out (clarify) definitions and models formally a process that in itself may help us to better understand the problem

Gives well-defined reductions from which we can distill practical implications of the result (exact security)




56

Key Management



57

Diffie-Hellman Key Exchange

갑돌이 갑순이

gx mod P = h1

gy mod P = h2

K = h2x = (gy)x = gxy (mod P)

시스템 공개정보

g P

K = h1y = (gx)y = gxy (mod P)



58

Definition of Security

Indistinguishable

Completely random key

수동적 공격자

bull This is much stronger than simply requiring that the adversary be unable to compute K exactly

bull Can compute K -gt Can distinguish K

K

K



59

2-Party Protocols

Cited from Vitaly Shmatikovrsquos Presentation Material



60

Interactive Turing Machine

Interactive Protocol



61

Interactive Turing Machines




62

An interactive proof system involves a prover and a verifier

Zero-Knowledge Proofs

Prover Verifier

(Interactive proofs)



63

Idea the prover proves a statement to the verifier without revealing anything except the fact that the statement is true

Zero-Knowledge Proof of Knowledge (ZKPK) prover convinces verifier that he knows a secret without revealing the secret




64

Completeness If both prover and verifier are honest

protocol succeeds with overwhelming probability

Soundness No one who does not know the secret can

convince the verifier with nonnegligible probability Intuition the protocol should not enable prover

to prove a false statement

Zero-Knowledge The proof does not leak any information

Properties of ZKPK



65

The proof does not leak any information

There exists a simulator that taking what the verifier knows before the protocol starts produces a fake ldquotranscriptrdquo of protocol messages that is indistinguishable from actual protocol messages Because all messages can be simulated from

verifierrsquos initial knowledge verifier does not learn anything that he didnrsquot know before

Indistinguishability perfect statistical or computational

Honest-verifier ZK only considers verifiers that follow the protocol

Zero-Knowledge Property



66

Zero knowledge proofs are simulatable (conversation distributions are indistinguishable)


Prover (knowing the secret)

Verifier

Simulator (without the secret)

Verifier

conversation 1

conversation 2

cannot extract the secret from

the prover because conversation1 is indistinguishable from conversation2


this simulator because simulator does not know it

Same Probability Distribution



67

No one who does not know the secret can convince the verifier with nonnegligible probability

Let A be any prover who convinces the verifier hellip

hellip there must exist a knowledge extractor algorithm that given A extracts the secret from A Intuition if there existed some prover A who

manages to convince the verifier that he knows the secret without actually knowing it then no algorithm could possibly extract the secret from this A




68

1 V stands at A

2 P walks to C or D

3 V walks to B

4 V asks P to come L or R

5 P follows the request

6 Repeat 1 ~ 5 n times

Zero-Knowledge for Kids A

B

D C



69

System parameters

N

ZKIP for QRP

P V

Knows a Knows r such that a=r2 mod N

Wants to prove this fact to V

y = t2 mod N

b

z = rbt mod N

Verifies z2 = yab mod N

Chooses random t in [1N]

Chooses random b in [0 1]

= t2(r2)b = (trb)2 mod N P proves that he knows quadratic residue

of a without revealing its value



70

Prover can cheat if he can guess b in advance Guess b set y=z2a-b for random z in 1st message What is the probability of guessing b

Cheating against ZKIP for QRP

P V b

z

y=z2a-b

P proves that he ldquoknowsrdquo quadratic residue

of a even though he does not know r

Chooses random t in [1N] y = t2 mod N





71

System parameters Prime p and q such that q divides p-1 g is a generator of an order-q subgroup of Zp

Schnorrrsquos Id Protocol (ZKIP for DLP)

P V

Knows t Knows s such that t=gs mod p


x = gr mod p

c

y = r+sc

Verifies x= gyt-c mod p

Chooses random r in [1q]

Chooses random c in [12n]

= gr+sc(gs)-c mod p = gr mod p P proves that he knows discrete log

of t without revealing its value



72

Prover can cheat if he can guess c in advance Guess c set x=gyt-c for random y in 1st message What is the probability of guessing c

Cheating against Schnorrrsquos Id Protocol

P V

x = gr mod p

c

y




x=gyt-c

P proves that he ldquoknowsrdquo discrete log

of t even though he does not know s



73

But Schnorrrsquos Id Protocol Is Sound

Prover can cheat if he can guess c in advance Given P who successfully passes the protocol extract s

such that t=gs mod p run P twice as a subroutine

P Ext

x

y1 such that x=gy1t-c1

Chooses random c1 in [12n] c1

Knows t


Chooses random c2 in [12n] c2 ldquorewindrdquo P

Compute s=(y1-y2)(c1-c2)-1

gy1t-c1 = gy2t-c2 implies gy1-y2= tc1-c2

Therefore gy1-y2(c1-c2)-1 =t



74

Schnorrrsquos Id Protocol Is HVZK

Simulator produces a transcript which is indistinguishable from the real transcript

V x

c Pick random c in [12n]

y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim

Simulated transcript Does not know s such that t=gs mod p (why)

P These transcripts are indistinguishable

hellip but only if c in the real protocol is indeed random

(verifier must run the protocol honestly) Schnorrrsquos ID protocol is

honest-verifier zero-knowledge



75

Digital Signatures



76

Target

Total Break Find private key

Selective Forgery Signature on selected message

Existential Forgery Signature on some message

Security Goal amp Attack Model



77

Attack

Key-Only Attack

Known Message Attack

Chosen Message Attack




78

Existential Forgery - KOA

공격자

Random σ

위조문서 m = σe

위조서명



79

Selective Forgery - CMA

공격자

(m1 σ1=m1d)

σ = σ1 times σ2

위조문서 m = m1 times m2

위조서명

(m2=mm1 σ2=m2d)



80

Hash-and-Sign Paradigm

H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design





3




4






5











6

Symmetric Ciphers



7




Hard-Core Predicate





Network

Block Ciphers







8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11










Symbolic analysis







12


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC




13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



4






5











6

Symmetric Ciphers



7




Hard-Core Predicate





Network

Block Ciphers







8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11










Symbolic analysis







12


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC




13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



5











6

Symmetric Ciphers



7




Hard-Core Predicate





Network

Block Ciphers







8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11










Symbolic analysis







12


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC




13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



6

Symmetric Ciphers



7




Hard-Core Predicate





Network

Block Ciphers







8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11










Symbolic analysis







12


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC




13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



7




Hard-Core Predicate





Network

Block Ciphers







8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11










Symbolic analysis







12


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC




13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11










Symbolic analysis







12


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC




13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



9

Asymmetric Ciphers



10









11










Symbolic analysis







12


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC




13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



10









11










Symbolic analysis







12


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC




13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



11










Symbolic analysis







12


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC




13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



12


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1) (OW-CPA)

CS EPOC




13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



13







14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



14


OWF

x

y

E

x

y

Random k asymp



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



15

One-Way Function


f 01 -gt 01





- Preimage




16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



16

Preimage (Goal)




One-Way Function



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



17




TM (Turing Machine)


von Neumann Machine

One-Way Function



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



18







One-Way Function



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



19


One-Way Function



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



20


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



21

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



22




Attacker Model

Passive Attacker

Public Key

C P




23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



23




Difficult Problem B


Reducible







24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



24


Public Key n = pq










25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



25







26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



26




Attacker Model

Passive Attacker

Public Key

C 01


Msg Space M0 M1



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



27


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



28


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



29


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19 119




30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



30


Semantic Security



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



31


Semantic Security




32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



32


How to make it



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



33


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



34


Active Attacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



35



Active Attacker

Decryption Oracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



36

Non-Malleability

Active Attacker

C Crsquo



Directory




37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



37

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



38


How to make it



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



39


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



40


Plaintext Awareness




41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



41





42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



42







43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



43







44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



44

Question






45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



45



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



46

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



47






Plaintext Awarenes




48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



48








49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



49






50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



50







51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



51





OAEP



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



52

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



53





OAEP++



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



54








55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



55








56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



56

Key Management



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



57


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



58


Indistinguishable


수동적 공격자



K

K



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



59

2-Party Protocols




60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



60





61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



61





62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



62



Prover Verifier




63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



63






64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



64







Properties of ZKPK



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



65









66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



66




Verifier


Verifier

conversation 1

conversation 2








67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



67








68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



68

1 V stands at A

2 P walks to C or D

3 V walks to B





B

D C



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



69

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



70



P V b

z

y=z2a-b








71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



71



P V



x = gr mod p

c

y = r+sc








72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



72



P V

x = gr mod p

c

y




x=gyt-c





73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



73




P Ext

x



Knows t








74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



74



V x


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

y Sim








75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



75

Digital Signatures



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



76

Target







77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



77

Attack

Key-Only Attack






78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



78


공격자

Random σ


위조서명



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



79


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



80


H Dsk

m

σ

sk



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



81

To Learn More



82

To Learn More



83

To Learn More




Secure Design



82

To Learn More



83

To Learn More




Secure Design



83

To Learn More




Secure Design




Secure Design

security engineering lecture notes (5/6)

Engineering