
Anonymity and Robustness - PowerPoint Presentation

cheryl-pisano
Uploaded On 2016-07-05



Presentation Transcript

Slide1

Anonymity and Robustness in Encryption Schemes

Payman Mohassel

University of Calgary

Slide2

Public Key Encryption (PKE)

pk

$(pk, sk) \leftarrow \mathrm{KG}$

$C = \mathrm{Enc}(pk, m)$

$m = \mathrm{Dec}(sk, C)$

PKE = (KG, Enc, Dec)

Slide3

Traditional Security Notions (Data Secrecy)

Semantic security
- No function of the message is leaked
- Equivalent to indistinguishability

Non-malleability
- Hard to create ciphertext for related messages

Chosen plaintext attacks (CPA)

Chosen ciphertext attacks (CCA)

Slide4

Mobile Communication

[Diagram: Mobile User and Base Station; labels: key exchange, pk, Enc(pk, message)]

Eavesdropper wants to learn identity of mobile user

Slide5

Secure Auction [Sako’00]

- First practical auction to hide bid values
- Keys correspond to bid values
- A known message is encrypted using the key
- Hiding a bid value requires hiding the key

Slide6

[Diagram: (pk, sk); c = Enc(pk, m); the ciphertext c appears three more times]

Dec(sk’, c) =

Slide7

Other Guarantees

Does the ciphertext hide the key?
- Anonymity

What happens when decrypting using a different key?
- Robustness

Slide8

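ANON-CCA

Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$

Challenger sends $pk_0, pk_1$

Decryption queries $(c_1, b_1), \ldots, (c_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_1}, c_1), \ldots, \mathrm{Dec}(sk_{b_i}, c_i)$

Adversary sends $m$

Challenger sends $C = \mathrm{Enc}(pk_b, m)$

Decryption queries $(c_{i+1}, b_{i+1}), \ldots, (c_q, b_q)$, answered with $\mathrm{Dec}(sk_{b_{i+1}}, c_{i+1}), \ldots, \mathrm{Dec}(sk_{b_q}, c_q)$

Adversary outputs $b'$

$\mathrm{Adv}^{\text{anon-cca}}_{\mathrm{PKE}}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible

Slide9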

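Weak Robustness (WROB-CCA)

Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$

Challenger sends $pk_0, pk_1$

Decryption queries $(c_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_i}, c_i)$, . . . .

Adversary outputs $M$

Adv wins if $\mathrm{Dec}(sk_1, C)$ , where $C = \mathrm{Enc}(pk_0, M)$

Slide10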

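Strong Robustness (SROB-CCA)

Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$

Challenger sends $pk_0, pk_1$

Decryption queries $(c_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_i}, c_i)$, . . . .

Adversary outputs $C$

Adv wins if $\mathrm{Dec}(sk_0, C)$ and $\mathrm{Dec}(sk_1, C)$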

Slide11

What is Known?

Anonymity
- Not always satisfied
- $y = x^e \bmod N$ for random $x$
- $pk_0 = (N_0, e_0)$, $pk_1 = (N_1, e_1)$, $N_1 > N_0$
- If $y > N_0$ return $pk_1$ else return $pk_0$

Robustness
- ElGamal is not robust
- $[pk_0 = (G, p, g, g^x),\ sk_0 = x]$, $[pk_1 = (G, p, g, g^y),\ sk_1 = y]$
- $\mathrm{Enc}(pk_0, m) = (c_1, c_2) = (g^r, m g^{xr})$
- $m' = \mathrm{Dec}(sk_1, (c_1, c_2)) = c_2 / c_1^{y} = m g^{(x-y)r}$
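The two observations on this slide, worked as an added example (not code from the talk): the RSA moduli, exponent, ElGamal group and seeds are constructed toy values, and all function names are hypothetical.

```python
import random

# Constructed toy parameters, far too small for real use.
P, G = 2**127 - 1, 3                 # prime modulus and base for ElGamal
RSA0 = (1009 * 1013, 17)             # pk0 = (N0, e0)
RSA1 = (2003 * 2011, 17)             # pk1 = (N1, e1), with N1 > N0

def eg_keygen(rng):
    x = rng.randrange(2, P - 1)
    return pow(G, x, P), x           # (g^x, x)

def eg_enc(pk, m, r):
    return pow(G, r, P), m * pow(pk, r, P) % P    # (g^r, m * g^{xr})

def eg_dec(sk, c):
    c1, c2 = c
    return c2 * pow(c1, P - 1 - sk, P) % P        # c2 / c1^sk: always a group element

def wrong_key_decryption(seed=1):
    """Encrypt under pk0, decrypt under sk0 and sk1, predict m * g^{(x-y)r}."""
    rng = random.Random(seed)
    (pk0, x), (_, y) = eg_keygen(rng), eg_keygen(rng)
    m, r = rng.randrange(1, P), rng.randrange(2, P - 1)
    c = eg_enc(pk0, m, r)
    predicted = m * pow(G, (x - y) * r % (P - 1), P) % P
    return m, eg_dec(x, c), eg_dec(y, c), predicted

def rsa_guess_key(y):
    """The slide's test: a value above N0 can only come from pk1."""
    return 1 if y > RSA0[0] else 0

def rsa_distinguisher_success(trials=2000, seed=1):
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        n, e = (RSA0, RSA1)[b]
        y = pow(rng.randrange(1, n), e, n)        # y = x^e mod N for random x
        wins += rsa_guess_key(y) == b
    return wins / trials

if __name__ == "__main__":
    m, right, wrong, predicted = wrong_key_decryption()
    print("correct key recovers m:", right == m)
    print("wrong key yields m*g^((x-y)r) with no error:", wrong == predicted != m)
    print("RSA key-guessing success rate:", rsa_distinguisher_success())
```

A success rate of one half would mean the ciphertext hides the key; with these moduli the guess is right whenever a value under pk1 lands above N0.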

Slide12

What is Known?

Anonymous PKE and IBE [Bellare et al. 2001], [Abdalla et al. 2008]
- PKE: DHIES, [Cramer-Shoup’01]
- IBE: [Boneh-Franklin’01], [Boyen-Waters’06]

Robust PKE and IBE [Abdalla et al. 2010]
- Strongly robust IBE: [Boneh-Franklin’01]
- Weakly robust PKE: DHIES, [Cramer-Shoup’01]
- Not robust: [Boyen-Waters’06]

Slide13

Our Contribution

Studying anonymity of hybrid encryption
- Positive and negative results

More efficient transformations for robust encryption schemes
- Computation and ciphertext size
- Please see the paper

Slide14

Question: Given an “anonymous PKE/IBE” and an “anonymous SKE”, is the hybrid encryption scheme also anonymous?

Slide15

Anonymity of Hybrid Encryption

ANON-CPA PKE/IBE + IND-CPA SKE
- The hybrid encryption is ANON-CPA

[negative] ANON-CCA PKE/IBE + IND-CCA SKE
- The hybrid encryption is NOT always ANON-CCA
- True if SKE is ANON-CCA or more

[positive] (WROB + ANON)-CCA PKE/IBE + AE SKE
- The hybrid encryption is ANON-CCA

More evidence that “anonymity” and “robustness” are needed simultaneously

Slide16

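Counter Example (PKE)

Start with (WROB + ANON)-CCA $\mathrm{PKE}_1$
- $\mathrm{PKE}_1 = (\mathrm{KG}_1, \mathrm{Enc}_1, \mathrm{Dec}_1)$

Build $\mathrm{PKE}_2 = (\mathrm{KG}_2, \mathrm{Enc}_2, \mathrm{Dec}_2)$
- $\mathrm{Dec}_2$: Run $\mathrm{Dec}_1$, if it returns return $0^n$
- Else return what $\mathrm{Dec}_1$ outputs

$\mathrm{PKE}_2$ is still ANON-CCA

Slide17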

Counter Example (SKE)

We use a key-binding IND-CCA SKE

Key-binding
- SKE = (K, SE, SD)
- For any $k \in K$, randomness $r$, and message $m$
- There is no $k' \neq k$ where $\mathrm{SD}_{k'}(\mathrm{SE}_k(m, r)) \neq$

$\mathrm{PKE}_2$ + key-binding SKE
- Not ANON-CCA

Slide18

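Counter Example

Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$

Challenger sends $pk_0, pk_1$

Adversary sends $m$

Challenger sends $(c_1, c_2) = (\mathrm{Enc}_2(pk_b, k), \mathrm{SE}(k, m))$

Decryption query under $pk_0$ for $(c_1, \mathrm{SE}(0^n, m'))$

If the answer is let $b' = 0$, else $b' = 1$

Adversary outputs $b'$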
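The distinguisher on this slide, run as an added example (not code from the talk or the paper). `enc1`/`dec1` are a toy hashed-ElGamal stand-in for PKE1 and `se`/`sd` a one-time encrypt-then-MAC stand-in for the key-binding SKE; both are assumptions with constructed parameters and no claimed security, and all names are hypothetical. Passing `dec1` instead of `dec2` shows the same probe rejected under either key.

```python
import hashlib, hmac, secrets

# Toy stand-ins with constructed parameters; assumptions, not the talk's schemes.
P, G, N = 2**127 - 1, 3, 16      # toy group; n = 16-byte keys
ZERO = bytes(N)                  # the all-zero key 0^n

def H(label, *parts):
    return hashlib.sha256(label + b"|".join(parts)).digest()[:N]
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def kg():
    sk = secrets.randbelow(P - 3) + 2
    return pow(G, sk, P), sk

def enc1(pk, k):                 # PKE1 stand-in: hashed ElGamal plus a check value
    r = secrets.randbelow(P - 3) + 2
    s = pow(pk, r, P).to_bytes(16, "big")
    return pow(G, r, P), xor(k, H(b"pad", s)), H(b"chk", s, k)

def dec1(sk, c):                 # rejects (None) when the check value does not match
    s = pow(c[0], sk, P).to_bytes(16, "big")
    k = xor(c[1], H(b"pad", s))
    return k if hmac.compare_digest(c[2], H(b"chk", s, k)) else None
def dec2(sk, c):                 # PKE2: as Dec1, but rejection is replaced by 0^n
    return dec1(sk, c) or ZERO

def se(k, m):                    # SKE stand-in: one-time encrypt-then-MAC under k
    ct = xor(m, H(b"enc", k))
    return ct, hmac.new(k, ct, hashlib.sha256).digest()
def sd(k, c):                    # rejects (None) unless the tag verifies under k
    tag = hmac.new(k, c[0], hashlib.sha256).digest()
    return xor(c[0], H(b"enc", k)) if hmac.compare_digest(c[1], tag) else None

def hybrid_dec(sk, c, pke_dec):
    k = pke_dec(sk, c[0])
    return None if k is None else sd(k, c[1])

def adversary(challenge, dec_oracle):
    probe = (challenge[0], se(ZERO, b"probe message 16"))   # (c1, SE(0^n, m'))
    return 0 if dec_oracle(0, probe) is None else 1         # query under pk0

def anon_cca_game(b, pke_dec=dec2):
    keys = [kg(), kg()]
    k = secrets.token_bytes(N)
    challenge = (enc1(keys[b][0], k), se(k, b"secret message!!"))
    def oracle(i, c):            # the challenge itself may not be queried
        return None if c == challenge else hybrid_dec(keys[i][1], c, pke_dec)
    return adversary(challenge, oracle)
```

With `dec2` the returned guess equals `b` in every run; with `dec1` the probe is rejected whichever key was used, so the guess is always 0 and carries no information about `b`.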

Slide19

Counter Example

Requiring stronger security notion for SKE does NOT help
- If it can be combined with key-binding

What about stronger notions for the PKE?

Slide20

Positive Result

Claim: If PKE is (ANON + WROB + IND)-CCA and SKE is a (one-time) authenticated encryption, the hybrid construction is (ANON + IND)-CCA

Slide21

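Game 0

Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$

Challenger sends $pk_0, pk_1$

Decryption queries $(C_1, b_1), \ldots, (C_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_1}, C_1), \ldots, \mathrm{Dec}(sk_{b_i}, C_i)$

Adversary sends $m$

Challenger sends $c^*_1 = \mathrm{Enc}(pk_b, k^*)$, $c^*_2 = \mathrm{SE}(k^*, m)$

Decryption queries $(C_{i+1}, b_{i+1}), \ldots, (C_q, b_q)$, answered with $\mathrm{Dec}(sk_{b_{i+1}}, C_{i+1}), \ldots, \mathrm{Dec}(sk_{b_q}, C_q)$

Adversary outputs $b'$

$\mathrm{Adv}^{\text{anon-cca}}_{\mathrm{PKE}}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible

Slide22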

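Game 1

Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$

Challenger sends $pk_0, pk_1$

Adversary sends $m$

Challenger sends $c^*_1 = \mathrm{Enc}(pk_b, k^*)$, $c^*_2 = \mathrm{SE}(k^*, m)$

Decryption query $(c^*_1, c_2 \neq c^*_2), b$ is answered with $\mathrm{SD}(k^*, c_2)$

Adversary outputs $b'$

Difference in games: decryption error

Slide23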

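Game 2

Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$

Challenger sends $pk_0, pk_1$

Adversary sends $m$

Challenger sends $c^*_1 = \mathrm{Enc}(pk_b, k^*)$, $c^*_2 = \mathrm{SE}(k^*, m)$

Decryption query: $(c^*_1, c_2 \neq c^*_2), 1-b$

Adversary outputs $b'$

Difference in games: weak robustness of the PKE
- only if $c^*_1$ decrypts under $pk_b$ and $pk_{1-b}$

Slide24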

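Game 3

Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$

Challenger sends $pk_0, pk_1$

Adversary sends $m$

Challenger sends $c^*_1 = \mathrm{Enc}(pk_b, k^*)$, $c^*_2 = \mathrm{SE}(k', m)$

Adversary outputs $b'$

Difference in games: IND-CCA security of the PKE

Slide25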

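Game 4

Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$

Challenger sends $pk_0, pk_1$

Adversary sends $m$

Challenger sends $c^*_1 = \mathrm{Enc}(pk_b, k^*)$, $c^*_2 = \mathrm{SE}(k', m)$

Decryption query: $(c^*_1, c_2 \neq c^*_2)$, {b or 1-b}

Adversary outputs $b'$

Difference in games: CTXT integrity of the SKE
- only if a valid ciphertext under k’ is generated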

Slide26

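Putting Things Together

$\mathrm{Adv}^{\text{anon-cca}}(\text{hybrid}) < \mathrm{Adv}^{\text{wrob-cca}}(\mathrm{PKE}) + \mathrm{Adv}^{\text{ind-cca}}(\mathrm{PKE}) + \mathrm{Adv}^{\text{ctxt-int}}(\mathrm{SKE}) + \mathrm{Adv}^{\text{anon-cca}}(\mathrm{PKE})$

Boneh-Franklin, Cramer-Shoup, DHIES are WROB-CCA

Boyen-Waters IBE is not

Slide27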

Summary

ANON-CCA PKE + (…) SKE

ANON-CCA hybrid

(WROB + ANON)-CCA PKE + AE SKE

⇒ ANON-CCA hybrid

Is weak-robustness a necessary condition?

Is Boyen-Waters (in)secure when used in a hybrid construction?

Slide28

Thank you

Slide29

Results on Robustness

[Abdalla et al.’10]
- Transforming ANON-CCA schemes to robust ones

We design more efficient transformations
- Refer to the paper

Slide30

Identity-based encryption (IBE)

[Diagram labels: id; (sk, pk); PKG; (par, msk); MKG]

$C = \mathrm{Enc}_{pk}(m)$

$m = \mathrm{Dec}_{sk}(C)$

IBE = (MKG, Enc, Dec)

Slide31

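IND-CCA

Challenger: $(pk, sk) \leftarrow \mathrm{KG}(1^n)$; $b \leftarrow \{0,1\}$

Decryption queries $c_1, \ldots, c_i$, answered with $\mathrm{Dec}_{sk}(c_1), \ldots, \mathrm{Dec}_{sk}(c_i)$

Adversary sends $m_0, m_1$

Challenger sends $C = \mathrm{Enc}_{pk}(m_b)$

Decryption queries $c_{i+1}, \ldots, c_q$, answered with $\mathrm{Dec}_{sk}(c_{i+1}), \ldots, \mathrm{Dec}_{sk}(c_q)$

Adversary outputs $b'$

$\mathrm{Adv}^{\text{ind-cca}}_{\mathrm{PKE}}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible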