security engineering lecture notes (5/7)

고려대학교정보보호대학원

마스터 제목 스타일 편집


Design Assurance





3

Cryptography amp Secure Design



4

Cryptography has a firmer theoretical foundation than other security techniques

So if you study this you will be able to have an insight to design and analyze other security systems more systematically




5

Modern cryptography which is distinguished from classical cryptography by

Its emphasis on ( ) If you donlsquot know what it is you are trying to achieve how

can you hope to know when you have achieved it

Precise ( ) and Many cryptographic constructions cannot currently be

proven secure in an unconditional sense Security often relies instead on some widely-believed (albeit unproven) assumption The modern cryptographic approach dictates that any such assumptions must be clearly and unambiguously defined

( ) of security This is the essence of modern cryptography and was

responsible for the transformation of cryptography from an art to a science

Emphases of Modern Cryptography



6

Symmetric Ciphers



7

The World of Symmetric Ciphers

RSA Discrete Log Factoring hellip

One-Way Function (or One-Way Permutation)

Hard-Core Predicate

Pseudorandom Generator with +1 Expansion

Pseudorandom Generator with Arbitrary Expansion

Pseudorandom Function

(Strong) Pseudorandom Permutation Pseudorandom Function + Feistel

Network

Block Ciphers

Theoretical Construction Practical Construction

CPA-Secure Secret-Key Encryption Scheme for arbitrary-length messages amp Existentially Unforgeable MAC

CCA-Secure Secret-Key Encryption Schemes

CPA-Secure Secret-Key Encryption Scheme for fixed-length message



8

Modes of Operation

Suppose that X is a pseudorandom

permutation

scheme X-CBC is secure

scheme X-OFB is secure

scheme X-CTR is secure

Of course to get any information about practical relevance of these results one needs to look at the concrete parameters hidden in the ldquoasymptoticsrdquo



9

Asymmetric Ciphers



10

The challenge(target) for the adversary should be as ( ) as possible

The adversary should be as ( ) as possible

The assumptions should be as ( ) as possible

Quality of security reduction should be as ( ) as possible

Ideal Properties of a Proof

Cited from BKaliski and JJonsson( RSA Lab)rsquos Presentation Material



11

Brief History of Provable Security

1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR

(Random oracle model)

Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1)(OW-CPA)

CSEPOC

Cited from Dr TOkamotorsquos Presentation Material in KISA



12

Blum Goldwasser amp Micali (1982~1988) Mathematical definitions of security

Encryption [Goldwasser Micali 86] Signatures [Goldwasser Micali Rivest 88]

Now a common requirement to support emerging standards (IEEE P1363 ISO Cryptrec NESSIE)




13




14




15

Symmetric Cipher (Secret Key Encryption) Encryption Key = Decryption Key

Asymmetric Cipher (Public Key Encryption) Encryption Key ne Decryption Key

Symmetric vs Asymmetric



16

Ralph Merkle and independently Marty Hellman and Whit Diffie invented the notion of public-key cryptography

In November 1976 Diffie and Hellman published ldquoNew Directions in Cryptographyrdquo

The Origin of PKC

Hellman Diffie



17

Public Key Private Key

Encryption Key Decryption Key

PKC in a Nutshell (12)



18

Alice Bob

Directory

Alice

+ +

Bob

+

Encryption Decryption




19

Two families Ekk Dkk of invertible transformations Ek Dk M -gt M st the following holds

For ( ) k Ek is the inverse of Dk

For ( ) k all m isin M Ek(m) Dk(m) are ldquoeasy to computerdquo

For ( ) every k each easily computed algorithm equivalent Dk to is computationally infeasible to derive given Ek

For ( ) k it easy to come up with the pair ltDk Ekgt

Publicize Ek but keep Dk to yourself

PKC in Formal



20

RSA in a Nutshell (1978) (16)

Rivest Adleman

Shamir



21


LCS-82 Technical Memo (April 1977)

CACM article (Feb 1978)



22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory

ldquoZrdquo(13 143) 37

Encryption DecryptionBob

13 143 (= 1113)

9013 mod 143= 129 129 12937 mod 143 = 90 = ldquoZrdquo



25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430

(where 0 lt= a b hellip c lt= 142)

C = M13 mod 143

= (a13 mod 143 b13 mod 143 hellip c13 mod 143)




26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n

McmiddotΦ(n)+1 = M mod n

If emiddotd = cmiddotΦ(n)+1 then (Me)d = M mod n

emiddotd = 1 mod Φ(n)

emiddotd = 1 mod (p-1)(q-1)

RSA in Formal (13)



27

Generates two large primes p = 47 and q = 59

Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668

Chooses Ke = 17 such that GCD(KeΦ(n)) = GCD(172668) = 1

Computes Kd Ke Kd = 17 Kd = 1 mod Φ(n) using the Euclidean algorithm Kd = 157

Publishes Ke = 17 and n = 2773

RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773

= 1 3 mod 2773 (by Fermats little theorem)

= 3 mod 2773

RSA in Formal (33)



29

RSA is clearly no harder than Integer Factoring

How to select primes p and q

Security - Relationship to IF (12)



30

However it is not clear whether the converse is true




31

Design Secure Asymmetric Cipher

OWF

x

y

E

x

y

Random kasymp



32

One-Way Function

One-Way Function A function

f 01 -gt 01

is called ldquoone-way rdquo if there is an efficient algorithm that on input x outputs f(x) whereas any feasible algorithm that tries to find a preimage of f(x) under f may succeed only with negligible probability

- Any Feasible Algorithm

bull HW DTM NDTM PTMbull SW COA KPA CPA CCA

- Preimage

bull Whole Partial Correlated



33

Preimage (Goal)

One-Way (OW) Hard to invert the encryption function

Semantically Secure (IND) Hard to obtain any partial information of a plaintext from the ciphertext

Non-Malleability (NM) For any non-trivial relation R E(M) -gt E(R(M)) is hard

One-Way Function



34

Algorithm (HW Attack Method)

FA (Finite Automata)

PDA (Pushdown Automata)

TM (Turing Machine)

PTM (Probabilistic TM)

von Neumann Machine

One-Way Function



35

Algorithm (SW Attack Method)

Passive Attack (CPA) Ciphertext Only Attack (COA)

Chosen Plaintext Attack (CPA)

Active Attack (CCA) Chosen Ciphertext Attack (CCA)

1990) Static Chosen-Ciphertext Attack (Lunch time attack Naor amp Yung)

1991) Adaptive Chosen-Ciphertext Attack (Rackoff amp Simon)

One-Way Function



36


One-Way Function



37

6 Notions of Security

Goals

IND

NM

CPA

CCA1

CCA2

Attacks

IND-CPAIND-CCA1IND-CCA2

NM-CPANM-CCA1NM-CCA2



38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

A B proven that meeting notion A implies meeting B

A B proven that meeting notion A implies not meeting B

NOTE A implies B iff there is a path from A to B

PA



39

One-Wayness (OW-CPA)

Security Goal One-wayness

ndash Easy to compute ciphertext from plaintextbut hard to invert

Attacker Model

PassiveAttacker

PublicKey

CP

Security Proof Relative complexity by reduction



40


EncryptionAlgorithm A

(Assumption)Computationally

DifficultProblem B

Encryption Algorithm Complexity Theory

Reducible

If an adversarycan break the secrecy of A

Contradicting Assumption

Partial information problem Leak partial informationif the plaintext comes from small plaintext space

Then we can breakThe problem B



41

Private Key p = q = 3 (mod 4)

Public Key n = pq

Encryption C = M2 (mod n)

Decryption m1 = C(p+1)4 (mod p) m2 = (p ndash C(p+1)4) (mod p)

m3 = C(q+1)4 (mod q) m4 = (q ndash C(q+1)4) (mod p)

a = q(q-1 mod p) p = p(p-1 mod q) M1 = (am1+bm3) mod n M2 = (am1+bm4) mod

n M3 = (am2+bm3) mod n M4 = (am2+bm4) mod n

M is one of M1 M2 M3 M4

OW-CPA Example Rabin Scheme



42

Proof Sketch of Rabin Scheme

Algorithm Arsquo solving IFP

Algorithm A cryptanalyzing Rabin

Let A be an adversary that breaks the Rabin scheme Then A can be used to solve IFP If so we say solving IFP reduces to breaking the Rabin scheme-gt Conclusion If IFP untractable then Rabin scheme is unbreakable



43

Semantic Security



44

Semantic Security (= Polynomial Security) is a ( ) of Shannonrsquos ldquoperfect secrecyrdquo

Semantic Security



45


Semantic Security

How to definethis goal formally



46

Semantic Security in Formal



47



48

Semantic Security definition is technical and is clumsy to work with while proving security of cryptosystems

Thus we use an alternate definition based on indistinguishabiity of messages as our working definition

Polynomial Security (IND-CPA)



49


Security Goal Polynomial Security

ndash Cannot distinguish 2 ciphertexts(Indistinguishability)

Attacker Model

PassiveAttacker

Public Key

C 01

rarr Encryption Alg must be probabilistic

Msg SpaceM0 M1



50




51

Probabilistic Encryption

Plaintext

Ciphertext

0

1

Encryption (Random Selection)

Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119

(75||R19)119 = 75||R -gt 75 = ldquoKrdquo



54

Relationships

Random Padding Polynomial Security

(IND-CPA)

Ciphertext leaks Semantic Security

NO information

against CPA



55

Chosen Ciphertext Attack

Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

If attacker can manipulate Ciphertext



56


ActiveAttacker

① Generate random integer 3

④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57


RULE C0 = C1 helliphellip Cn

ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO

After queries to DO Before queries to DO



58

Non-Malleability

Active Attacker

C Crsquo

Alicersquos Public Key

Bobrsquos Public Key

Directory

mrsquo is unknown but related in some known way to m



59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60

How to Make Non-Malleable Cipher

How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62

Authenticated Encryption

Plaintext Awareness




63


Authenticated Encryption Scheme



64

Many popular Internet protocols rely on authenticated encryption schemes for privacy and authenticity Examples SSL TLS SSH IPSEC hellip

Many applications on the Internet require both privacy and authenticity Examples online banking online retail

online auctions instant messaging remote login secure file transfer hellip

Relevance to Internet Security



65

Encrypt-and-MAC ĒKeKm(M) = EKe(M) || TKm(M)

MAC-then-Encrypt ĒKeKm(M) = EKe(M || TKm(M))

Encrypt-then-MAC ĒKeKm = EKe(M) || TKm(EKe(M))

Generic Composition Methods



66

Question

Assuming the base encryption scheme is secure (IND-CPA) and the base MAC scheme is secure (UF-CMA)

is the composed scheme CCA-secure

Generic Composition Results



67


SecurityComposition Method

1) Encrypt-and-MAC

EKeKm(M) = EKe(M)||TKm(M)

2) MAC-then-Encrypt

EKeKm(M) = EKe(M||TKm(M))

3) Encrypt-then-MAC

EKeKm(M) = EKe(M)||TKm(EKe(M))



68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69

PA is merely a ( ) rather than a ( )

A scheme with IND-CPA security is plaintext aware (PA) if an adversary cannot produce a valid ciphertext without knowing the corresponding plaintext The adversary has access to an encryption

oracle and random oracles but no decryption oracle

PA implies IND-CCA2 security Decryption queries give no information since

the adversary already rdquoknowsrdquo the plaintext

Plaintext Awarenes




70

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes such as Hash functions Block ciphers Finite groups

are considered to be ideal that is the adversary can only use (attack) them in a certain way

Idealized Security Models Hash function -gt Random oracle Block ciphers -gt Ideal cipher Finite groups -gt Generic group

Standard model no idealized primitives (sort of)

PA amp Random Oracle Model



71

A paradigm for designing efficient provably secure protocols (MBellare and PRogaway 1993)

In cryptography a RO is an oracle (a theoretical black box) that responds to every query with a (truly) random response chosen uniformly from its output domain except that for any specific query it responds the same way every time it receives that query




72

PA makes sense only in the ROM

The RO is used in the definition of plaintext awareness to give the extractor a ldquowindowrdquo into the internal state of the adversary (as revealed through its queries) If the external RO is replaced by an internal algorithm then this window is closed

In the standard model the adversary can encrypt a plaintext and then ldquoforgetrdquo it




73

Optimal Asymmetric Encryption Padding

The main drawback of the previous scheme is that ciphertexts are longer than a single element of ZN even when short messages are encrypted

The encoding function OAEP is designed so that the only way to find an element in the image of OAEP is to choose m and r and then explicitly compute OAEP(mr)

OAEP is essentially a ( )

OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H

( ) bullf one-way permutation

C = f(OAEP(mr)) = (m1||m2

)e mod N



75

A new padding scheme OAEP++ was proposed by Jonsson (2002) The one-time pad on the OAEP (xor

between random and output of H) is replaced by a strong block cipher (ideal cipher model)

Ideal Cipher Model Consider block cipher E as a family of

perfectly random and independent permutations

OAEP++



76

Key Management



77

Diffie-Hellman Key Exchange

갑돌이 갑순이

gx mod P = h1

gy mod P = h2

K = h2x = (gy)x = gxy (mod P)

시스템 공개정보

g P

K = h1y = (gx)y = gxy (mod P)



78

Definition of Security

Indistinguishable

Completelyrandom key

수동적 공격자

bull This is much stronger than simply requiring that theadversary be unable to compute K exactly

bull Can compute K -gt Can distinguish K

K

K



79

2-Party Protocols

Cited from Vitaly Shmatikovrsquos Presentation Material



80

Interactive Turing Machine

Interactive Protocol



81

Interactive Turing Machines




82

An interactive proof system involves a prover and a verifier

Zero-Knowledge Proofs

Prover Verifier

(Interactive proofs)



83

Idea the prover proves a statement to the verifier without revealing anything except the fact that the statement is true

Zero-Knowledge Proof of Knowledge (ZKPK) prover convinces verifier that he knows a secret without revealing the secret




84

Completeness If both prover and verifier are honest

protocol succeeds with overwhelming probability

Soundness No one who does not know the secret can

convince the verifier with nonnegligibleprobability Intuition the protocol should not enable prover

to prove a false statement

Zero-Knowledge The proof does not leak any information

Properties of ZKPK



85

The proof does not leak any information

There exists a simulator that taking what the verifier knows before the protocol starts produces a fake ldquotranscriptrdquo of protocol messages that is indistinguishable from actual protocol messages Because all messages can be simulated from

verifierrsquos initial knowledge verifier does not learn anything that he didnrsquot know before

Indistinguishability perfect statistical or computational

Honest-verifier ZK only considers verifiers that follow the protocol

Zero-Knowledge Property



86

Zero knowledge proofs are simulatable(conversation distributions are indistinguishable)


Prover(knowing the secret)

Verifier

Simulator(without the secret)

Verifier

conversation 1

conversation 2

cannot extract the secret from

the prover because conversation1is indistinguishable from conversation2


this simulator because simulatordoes not know it

Same Probability Distribution



87

No one who does not know the secret can convince the verifier with nonnegligibleprobability

Let A be any prover who convinces the verifier hellip

hellip there must exist a knowledge extractor algorithm that given A extracts the secret from A Intuition if there existed some prover A who

manages to convince the verifier that he knows the secret without actually knowing it then no algorithm could possibly extract the secret from this A




88

1 V stands at A

2 P walks to C or D

3 V walks to B

4 V asks P to come L or R

5 P follows the request

6 Repeat 1 ~ 5 n times

Zero-Knowledge for KidsA

B

DC



89

System parameters

N

ZKIP for QRP

P V

Knows aKnows r such that a=r2 mod N

Wants to prove this fact to V

y = t2 mod N

b

z = rbt mod N

Verifies z2 = yab mod N

Chooses random t in [1N]

Chooses random b in [0 1]

= t2(r2)b = (trb)2 mod NP proves that he knows quadratic residue

of a without revealing its value



90

Prover can cheat if he can guess b in advance Guess b set y=z2a-b for random z in 1st message What is the probability of guessing b

Cheating against ZKIP for QRP

P Vb

z

y=z2a-b

P proves that he ldquoknowsrdquo quadratic residue

of a even though he does not know r

Chooses random t in [1N] y = t2 mod N





91

System parameters Prime p and q such that q divides p-1 g is a generator of an order-q subgroup of Zp

Schnorrrsquos Id Protocol (ZKIP for DLP)

P V

Knows tKnows s such that t=gs mod p


x = gr mod p

c

y = r+sc

Verifies x= gyt-c mod p

Chooses random r in [1q]

Chooses random c in [12n]

= gr+sc(gs)-c mod p = gr mod pP proves that he knows discrete log

of t without revealing its value



92

Prover can cheat if he can guess c in advance Guess c set x=gyt-c for random y in 1st message What is the probability of guessing c

Cheating against Schnorrrsquos Id Protocol

P V

x = gr mod p

c

y




x=gyt-c

P proves that he ldquoknowsrdquo discrete log

of t even though he does not know s



93

But Schnorrrsquos Id Protocol Is Sound

Prover can cheat if he can guess c in advance Given P who successfully passes the protocol extract s

such that t=gs mod p run P twice as a subroutine

P Ext

x

y1 such that x=gy1t-c1

Chooses random c1 in [12n]c1

Knows t



ldquorewindrdquo P

Compute s=(y1-y2)(c1-c2)-1

gy1t-c1 = gy2t-c2 implies gy1-y2= tc1-c2

Therefore gy1-y2(c1-c2)-1 =t



94

Schnorrrsquos Id Protocol Is HVZK

Simulator produces a transcript which is indistinguishable from the real transcript

Vx

c Pick random c in [12n]

y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim

Simulated transcriptDoes not know s such that t=gs mod p (why)

PThese transcripts are indistinguishable

hellip but only if c in the real protocol is indeed random

(verifier must run the protocol honestly)Schnorrrsquos ID protocol is

honest-verifier zero-knowledge



95

Digital Signatures



96

Target

Total Break Find private key

Selective Forgery Signature on selected message

Existential Forgery Signature on some message

Security Goal amp Attack Model



97

Attack

Key-Only Attack

Known Message Attack

Chosen Message Attack




98

Existential Forgery - KOA

공격자

Random σ

위조문서 m = σe

위조서명



99

Selective Forgery - CMA

공격자

(m1 σ1=m1d)

σ = σ1 times σ2

위조문서 m = m1 times m2

위조서명

(m2=mm1 σ2=m2d)



100

Hash-and-Sign Paradigm

H Dsk

m

σ

sk



101



102

Protocol Analysis Techniques

protocol security analysis

Formal models Computational models

Model checkingInductive method

Dolev-Yao(perfect cryptography)

Random oracleProbabilistic process calculi

Probabilistic IO automatahellip

Finite-statechecking

Protocol logics hellip

Symbolic analysis

Finite processesinfinite attacker

Finite processesfinite attacker

Probabilisticmodel checking



103

KRACK ACM CCSrsquo17 amp Black Hat EU



104

Machine-Assisted Verification


마스터 제목 스타일 편집Machine-Assisted Verification



106

Provable security does not yield proofs

Proofs are relative (to computational assumptions) and to the definition of the schemersquos goal

Proofs often done in ideal models (Random Oracle Model Ideal Cipher Model Generic Group Model) with debatable meaning

Definitions and proofs need time for acceptance

Limits of Provable Security



107

Still provable security

Provides some form of guarantee that the scheme is not flawed

Motivates us to spell out (clarify) definitions and models formally a process that in itself may help us to better understand the problem

Gives well-defined reductions from which we can distill practical implications of the result (exact security)




108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance





3




4






5











6

Symmetric Ciphers



7




Hard-Core Predicate





Network

Block Ciphers







8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1)(OW-CPA)

CSEPOC




12







13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



4






5











6

Symmetric Ciphers



7




Hard-Core Predicate





Network

Block Ciphers







8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1)(OW-CPA)

CSEPOC




12







13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



5











6

Symmetric Ciphers



7




Hard-Core Predicate





Network

Block Ciphers







8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1)(OW-CPA)

CSEPOC




12







13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



6

Symmetric Ciphers



7




Hard-Core Predicate





Network

Block Ciphers







8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1)(OW-CPA)

CSEPOC




12







13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



7




Hard-Core Predicate





Network

Block Ciphers







8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1)(OW-CPA)

CSEPOC




12







13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



8

Modes of Operation


permutation







9

Asymmetric Ciphers



10









11


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1)(OW-CPA)

CSEPOC




12







13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



9

Asymmetric Ciphers



10









11


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1)(OW-CPA)

CSEPOC




12







13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



10









11


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1)(OW-CPA)

CSEPOC




12







13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



11


1976 1978 1979 1982 1984 1990 1991 1994 1998

DDN

(NM-CCA2)

BR


Rabin GM

(IND-CPA)

DH RSA NY

(IND-CCA1)(OW-CPA)

CSEPOC




12







13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



12







13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



13




14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



14




15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



15






16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



16



The Origin of PKC

Hellman Diffie



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



17






18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



18

Alice Bob

Directory

Alice

+ +

Bob

+





19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



19







PKC in Formal



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



20


Rivest Adleman

Shamir



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



21






22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



22


Alice

+ +

Bob

+

Alice Bob

Directory

31 13

ldquoArdquo 13

6513 369720589101871337890625

113

(6513)113 = 65 = ldquoArdquo




23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



23

Hard

317 = 129140163129140163 ₗ = 3

rarr l = 117

317 mod 2773 = 15531553 ₗmod 2773 = 3

rarr l = 157

Easy




24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



24


Alice

+ +

Bob

+

Directory



13 143 (= 1113)




25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



25

M = 10101111010011111helliphellip(2)

= a143n-1 + b143n-2 + hellip C1430


C = M13 mod 143





26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



26

MΦ(n) = 1 mod n

(MΦ(n))c = 1 mod n





RSA in Formal (13)



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



27


Computes n = p q = 47 59 = 2773

Φ(n) = (p-1)(q-1) = 46 58 = 2668




RSA in Formal (23)



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



28

1553Kd mod n

= (317)157 mod 2773

= 32669 mod 2773

= 3(12668 + 1) mod 2773

= 32668 3 mod 2773

= 3Φ(n) 3 mod 2773


= 3 mod 2773

RSA in Formal (33)



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



29






30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



30





31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



31


OWF

x

y

E

x

y

Random kasymp



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



32

One-Way Function


f 01 -gt 01




- Preimage




33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



33

Preimage (Goal)




One-Way Function



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



34




TM (Turing Machine)


von Neumann Machine

One-Way Function



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



35







One-Way Function



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



36


One-Way Function



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



37


Goals

IND

NM

CPA

CCA1

CCA2

Attacks





38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



38

Relations

NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2




PA



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



39




Attacker Model

PassiveAttacker

PublicKey

CP




40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



40




DifficultProblem B


Reducible







41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



41


Public Key n = pq










42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



42







43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



43

Semantic Security



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



44


Semantic Security



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



45


Semantic Security




46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



46




47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



47



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



48






49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



49




Attacker Model

PassiveAttacker

Public Key

C 01


Msg SpaceM0 M1



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



50




51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



51


Plaintext

Ciphertext

0

1


Decryption

E(0)

E(1)



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



52


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

Random Padding



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



53


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt

31 19

ldquoKrdquo 19

(75||R)19

(75||R)19

119




54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



54

Relationships


(IND-CPA)


NO information

against CPA



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



55


Alice Bob

Directory

Alice

+ +

Bob

+

Encrypt Decrypt




56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



56


ActiveAttacker


④ 2253 = (375)3 = 75 = ldquoKrdquo

② 319C = (375)19 = 22519

③ 225

C = 7519

Intercept

(22519)119

= 225 =



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



57



ActiveAttacker

DecryptionOracle

C1 hellip Cn

M1 hellip Mn

C0

M0

PKDO




58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



58

Non-Malleability

Active Attacker

C Crsquo



Directory




59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



59

Non-Malleability

Active Attacker

C

① C = 100019

Crsquo

② Crsquo = C (09)19 = (1000 09)19 = 90019

-10

Alice Bob

Directory

31 19



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



60


How to make it



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



61


NM-CPA

IND-CPA

NM-CCA1

IND-CCA1

NM-CCA2

IND-CCA2

PA



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



62


Plaintext Awareness




63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



63





64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



64







65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



65







66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



66

Question






67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



67



1) Encrypt-and-MAC


2) MAC-then-Encrypt


3) Encrypt-then-MAC




68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



68

Encrypt-then-MAC

Ek1 Mk2

m

c

k1

k2

t



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



69






Plaintext Awarenes




70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



70








71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



71






72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



72







73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



73





OAEP



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



74

RSA-OAEP

m 00hellip0 r

G(r)

m1

H(m1)

m2

G

H



)e mod N



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



75





OAEP++



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



76

Key Management



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



77


갑돌이 갑순이

gx mod P = h1

gy mod P = h2



g P




78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



78


Indistinguishable


수동적 공격자



K

K



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



79

2-Party Protocols




80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



80





81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



81





82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



82



Prover Verifier




83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



83






84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



84







Properties of ZKPK



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



85









86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



86




Verifier


Verifier

conversation 1

conversation 2








87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



87








88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



88

1 V stands at A

2 P walks to C or D

3 V walks to B





B

DC



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



89

System parameters

N

ZKIP for QRP

P V



y = t2 mod N

b

z = rbt mod N








90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



90



P Vb

z

y=z2a-b








91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



91



P V



x = gr mod p

c

y = r+sc








92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



92



P V

x = gr mod p

c

y




x=gyt-c





93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



93




P Ext

x



Knows t



ldquorewindrdquo P






94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



94



Vx


y such that x=gyt-c

Real transcript

gyt-c

c

Pick random c and y

ySim








95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



95

Digital Signatures



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



96

Target







97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



97

Attack

Key-Only Attack






98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



98


공격자

Random σ


위조서명



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



99


공격자

(m1 σ1=m1d)

σ = σ1 times σ2


위조서명

(m2=mm1 σ2=m2d)



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



100


H Dsk

m

σ

sk



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



101



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



102










Symbolic analysis






103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



103




104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



104






106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance





106








107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



107








108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



108

To Learn More



109

To Learn More



110

To Learn More




Design Assurance



109

To Learn More



110

To Learn More




Design Assurance



110

To Learn More




Design Assurance




Design Assurance

security engineering lecture notes (5/7)

Engineering