This preview shows pages 1–2. Sign up to view the full content.
21/02/2012
1
Introduction
CCASecurity
Cryptography and Protocols
Andrei Bulatov
Cryptography and Protocols – CCASecurity
122
CCA Security
(take 1)
Let
(K,E,D)
be a symmetric encryption scheme and (T,
ε
)
a
superpolynomial pair.
Consider the following game:
(1)
Alice and Bob choose a shared
k
at random from
(2)
Eve gets access to black boxes
and
(3)
Eve chooses
and
(4)
Alice chooses
i
∈
{1,2}
at random and gives Eve
(5)
Eve gets more access to black boxes
and
(6)
Eve outputs
j
∈
{1,2}
Eve wins if
j = i.
Scheme
(K,E,D)
is
(T,
ε
)CCAsecure if for any if of time
complexity at most
T
Pr[Eve wins] < 1/2 +
ε
n
}
1
,
0
{
)
(
⋅
k
E
)
(
⋅
k
D
1
P
2
P
)
(
i
k
P
E
C
=
)
(
⋅
k
E
)
(
⋅
k
D
Cryptography and Protocols – CCASecurity
123
CCA Security
(fix)
Change
(5)
to:
(5’)
Eve gets access to black boxes
and
,
where
)
(
⋅
k
E
)
(
'
⋅
k
D
=
⊥
≠
=
C
C
C
C
C
D
C
D
k
k
'
,
'
),
'
(
)
'
(
'
if
if
Cryptography and Protocols – CCASecurity
124
Construction of a CCASecure Scheme
Let
(Sign, Ver)
be a
CMAsecure
MAC
and
(K’,E’,D’)
a
CPAsecure scheme.
Define
(K,E,D)
as follows
K:
keys
k, k’
selected uniformly at random from
E:
compute
,
,
and send
(C,t)
D:
Upon receiving
(C,t),
first verify that
if not,
abort
(output
⊥
).
If check passes
compute
n
}
1
,
0
{
)
(
'
P
E
C
k
=
)
(
'
C
t
k
Sign
=
1
)
,
(
'
=
t
C
k
Ver
)
(
'
C
D
k
Cryptography and Protocols – CCASecurity
125
Security
A
MAC
(Sign, Ver)
satisfies the unique signatures property if for
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
This is the end of the preview. Sign up
to
access the rest of the document.
This note was uploaded on 03/05/2012 for the course CMPT 404 taught by Professor Andreia.bulatov during the Spring '12 term at Simon Fraser.
 Spring '12
 AndreiA.Bulatov

Click to edit the document details