Hybrid Encryption and Key Encapsulation Slides Overview

hybrid encryption n.w
1 / 22
Embed
Share

Explore the concept of hybrid encryption, combining public-key and symmetric-key schemes for secure communication. Understand the encryption of long messages, benefits of hybrid encryption, and the efficiency it offers. Learn about the process of decryption and the security aspects of hybrid encryption.

  • Encryption
  • Security
  • Hybrid
  • Public-Key
  • Symmetric
rayaanacharya
oluwa Follow

Uploaded on | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Hybrid Encryption and Key Encapsulation Slides by Prof. Jonathan Katz. Lightly edited by me.

  2. Encrypting long messages Public-key encryption schemes natively defined for short messages E.g., El Gamal encryption How can longer messages be encrypted?

  3. Encrypting long messages Can always encrypt block-by-block I.e., to encrypt M = m1, m2, , ml, do: Encpk(m1), , Encpk(ml) If the underlying scheme is CPA-secure (for short messages), then this is CPA-secure (for arbitrary length messages) What is the size of the ciphertext?

  4. Note (Public-key) encryption is NOT a block cipher Fk is deterministic, one-to-one, and looks random Encpk is randomized (if it is CPA-secure), thus not one-to-one, and may not look random CTR-mode/CBC-mode don t make sense for public-key encryption

  5. Encrypting long messages Encrypting block-by-block is inefficient Ciphertext expansion in each block Public-key encryption is expensive Can we do better?

  6. Hybrid encryption Main idea Use public-key encryption to establish a (shared, secret) key k Use k to encrypt the message with a symmetric- key encryption scheme Benefits Lower ciphertext expansion Amortized efficiency of symmetric-key encryption

  7. Hybrid encryption Decryption done in the obvious way m Enc ciphertext encapsulated key k Enc pk The functionality of public-key encryption at the (asymptotic) efficiency of private-key encryption! 7

  8. Formally Let be a public-key scheme, and let be a symmetric-key scheme Define hy as follows: Genhy = Gen (i.e., same as ) Enchy(pk, m): Choose k {0,1}n c Encpk(k) c Enc k(m) Output c, c Decryption done in the natural way

  9. Security of hybrid encryption If is a CPA-secure public-key scheme, and is a CPA-secure private-key scheme, then hy is a CPA-secure public-key scheme Suffices for to be EAV-secure If is a CCA-secure public-key scheme, and is a CCA-secure private-key scheme, then hy is a CCA-secure public-key scheme 9

  10. Application to El Gamal? To use hybrid encryption with El Gamal, would need to encode key k as a group element Can we avoid this? The sender doesn t care about encrypting a specific key, it just needs to send a random key Idea: encrypt a random group element K; define the key as k = H(K)

  11. KEMs For hybrid encryption, something weaker than public-key encryption suffices Sufficient to have a key encapsulation mechanism (KEM) that takes a public key and outputs a ciphertext c and a key k Correctness: k can be recovered from c given sk Security: k is indistinguishable from uniform given pk and c; can define CPA-/CCA-security Can still combine with symmetric-key encryption as before! Hybrid encryption KEM/DEM

  12. KEMs For hybrid encryption, something weaker than public-key encryption suffices Sufficient to have a key encapsulation mechanism (KEM) that takes a public key and outputs a ciphertext c and a key k Correctness: k can be recovered from c given sk Security: k is indistinguishable from uniform given pk and c; can define CPA-/CCA-security Can still combine with symmetric-key encryption as before!

  13. Security of KEM/DEM If is a CPA-secure KEM, and is a CPA- secure private-key scheme, then combination is a CPA-secure public-key scheme Suffices for to be EAV-secure If is a CCA-secure KEM, and is a CCA- secure private-key scheme, then combination is a CCA-secure public-key scheme 13

  14. KEMs vs. PKE schemes For short messages, direct encryption using a PKE scheme (with no hybrid encryption) can sometimes be the best choice For anything longer, KEM/DEM or hybrid encryption will be more efficient This is how things are done in practice (unless very short messages are being encrypted)

  15. KEM based on El Gamal Gen(1n) Run G(1n) to obtain G, q, g. Choose uniform x q. The public key is (G, q, g, gx) and the private key is x Ecapspk, where pk = (G, q, g, h) Choose uniform y q. The ciphertext is gy, and the key is k = H(hy) Decapssk(c), where sk = x Output k = H(cx) 15

  16. Security? If the DDH assumption holds, and H is modeled as a random oracle, then this KEM is CPA-secure

  17. Complete scheme Combine the KEM with private-key encryption I.e., encryption of message m is gy, Enc k(m), where k = H(hy) and Enc is a symmetric-key encryption scheme If Enc is CPA-secure and H is modeled as a random oracle, this is a CPA-secure public-key encryption scheme

  18. Chosen-ciphertext security Under stronger assumptions, this approach can be proven to give CCA security If Enc is a CCA-secure symmetric-key scheme Can at least see why the previous attack no longer works Standardized as DHIES/ECIES 18

  19. RSA-based KEM Idea: use plainRSA but on a random value! Then use that random value to derive a key

  20. RSA-based KEM Encaps: Choose uniform r *N Ciphertext is c = [re mod N] Key is k = H(r) Decaps(c) Compute r = [cd mod N] Compute the shared key k = H(r)

  21. Security? This KEM can be proven CCA-secure under the RSA assumption, if H is modeled as a random oracle

  22. Comparison to RSA-OAEP? The RSA-KEM must be used with a symmetric- key encryption scheme For very short messages (< 1500 bits), RSA- OAEP will have shorter ciphertexts For anything longer, ciphertexts will be the same length; RSA-KEM is simpler

Related


Master NS0-604 Elevate Your Hybrid Cloud - Architect Exam Success

Master NS0-604 Elevate Your Hybrid Cloud - Architect Exam Success

certsgrade
Adelaide s Premier Hybrid Solar Systems by Allstate Solar

Adelaide s Premier Hybrid Solar Systems by Allstate Solar

Allstate
Installing Hybrid Flooring | Temisflooring.com.au

Installing Hybrid Flooring | Temisflooring.com.au

temisflooring
Drive Clean Truck Incentive Program Details

Drive Clean Truck Incentive Program Details

montgomery
Embracing Hybrid Working for Enhanced Productivity

Embracing Hybrid Working for Enhanced Productivity

jove
Embracing Hybrid Working: A New Framework for Success

Embracing Hybrid Working: A New Framework for Success

lancelot
UCL Staff Feedback on Hybrid Work Model Implementation

UCL Staff Feedback on Hybrid Work Model Implementation

granger
Guidelines and Setup for Hybrid Speech Contests

Guidelines and Setup for Hybrid Speech Contests

qasim
Hybrid Apps vs. Native Apps_ Making the Right Choice for Your Mobile Strategy

Hybrid Apps vs. Native Apps_ Making the Right Choice for Your Mobile Strategy

Consagous
IRCC10 Meeting Outcomes and Initiatives

IRCC10 Meeting Outcomes and Initiatives

muhs_a
How to Develop Hybrid Work Policies that Boost Employee Productivity_

How to Develop Hybrid Work Policies that Boost Employee Productivity_

Hammad
Introduction to NASA Hybrid Rocket Competition

Introduction to NASA Hybrid Rocket Competition

ann_ba
Guidelines for Session Chairs and Room Managers at Hybrid Conferences

Guidelines for Session Chairs and Room Managers at Hybrid Conferences

dhud
MACHC Hydrographic Commission Updates and Coordination Efforts

MACHC Hydrographic Commission Updates and Coordination Efforts

cott489
Financial Arrangement Proposal for ENC Distribution by EA-RECC in Bali, Indonesia

Financial Arrangement Proposal for ENC Distribution by EA-RECC in Bali, Indonesia

dwer275
Sri Lanka Hydrographic Commission Progress Report

Sri Lanka Hydrographic Commission Progress Report

rsemo
Construction Schedule for Baseline and Hybrid A Configuration at J-POWER MDI-CFS Meeting, Ichinoseki City, Japan

Construction Schedule for Baseline and Hybrid A Configuration at J-POWER MDI-CFS Meeting, Ichinoseki City, Japan

keesling_a
Challenges and Strategies for Leading Hybrid Teams in the Workplace

Challenges and Strategies for Leading Hybrid Teams in the Workplace

kpart
IHO ENC Maintenance Working Group Report 2019

IHO ENC Maintenance Working Group Report 2019

iduma
Electric and Hybrid Vehicles: Hybridization and Interdisciplinary Aspects

Electric and Hybrid Vehicles: Hybridization and Interdisciplinary Aspects

kard154
Ensuring Consistency in Navigational Data Sharing

Ensuring Consistency in Navigational Data Sharing

sine_vyn
STEAME Goes Hybrid: Blueprint Guidelines and Policy Recommendations Project

STEAME Goes Hybrid: Blueprint Guidelines and Policy Recommendations Project

carradine_y

More Related Content