in Encryption Schemes Payman Mohassel University of Calgary Public Key Encryption PKE pk pk sk KG C Enc pkm m Dec skC PKE KG Enc Dec 2 Traditional Security Notions ID: 392057
Download Presentation The PPT/PDF document "Anonymity and Robustness" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Anonymity and Robustness in Encryption Schemes
Payman
Mohassel
University of CalgarySlide2
Public Key Encryption (PKE)
pk
(
pk
,
sk
) KG
C = Enc(
pk,m)
m = Dec(sk,C)
PKE = (KG, Enc, Dec)
2Slide3
Traditional Security Notions(Data Secrecy)
Semantic security
No function of the message is leaked
Equivalent to
indistinguishability
Non-malleabilityHard to create ciphertext for related messages
Chosen plaintext attacks (CPA)Chosen ciphertext attacks (CCA)Slide4
Mobile Communication
Mobile User
Base Station
key exchange
eavesdropper wants to learn identity of mobile user
Enc(
pk
, message)
pkSlide5
Secure Auction [Sako’00]First practical auction to hide bid values
Keys correspond to bid values
A known message is encrypted using the key
Hiding a bid value requires hiding the key Slide6
(
pk
,
sk
)
c
c
c = Enc(
pk
, m)
c
Dec(
sk
’, c) = Slide7
Other GuaranteesDoes the ciphertext hide the key?
Anonymity
What happens when decrypting using a different key?
RobustnessSlide8
ANON-CCAChallenger
(pk
0
, sk
0
) KG(1n
) (pk1, sk1) KG(1n) b {0,1}
pk
0, pk
1
c
1
, b
1
Dec(sk
b1
, c
1
)
. . . .
c
i
, b
i
Dec(
sk
bi
,
c
i
)
m
C=Enc(
pk
b
,m)
b’
Adv
anon-cca,PKE
(A) =|Pr[b’ = b] – ½| is negligible
c
i+1
, b
i+1
Dec(sk
bi+1
, c
1
)
. . . .
c
q
,
b
q
Dec(
sk
bq
,
c
q
)Slide9
Weak Robustness (WROB-CCA)
M
(pk
0
, sk
0
) KG(1n)
(pk1, sk1) KG(1
n)
pk
0, pk1
c
i
, b
i
Dec(
sk
bi
,
c
i
)
. . . .
Challenger
Adv wins if
Dec(sk
1
, C)
≠
, where C = Enc(pk
0
,M)Slide10
Strong Robustness (SROB-CCA)
C
(pk
0
, sk
0
) KG(1n)
(pk1, sk1) KG(1
n)
pk
0, pk1
c
i
, b
i
Dec(
sk
bi
,
c
i
)
. . . .
Challenger
Adv wins if
Dec(sk
0
,
C)
≠
and
Dec(pk
1
,
C)
≠
Slide11
What is Known?Anonymity
Not always satisfied
y =
x
e mod N for random xpk0
= (N0, e0) pk1
= (N1, e1), N1 > N0 If y > N0 return pk
1 else return pk0 Robustness
ElGamal is not robust[pk0 = (G, p, g, gx
) , sk0 = x] , [pk1 = (G, p, g,
gy), sk1 = y]Enc(pk
0
, m) = (c
1
, c
2
) = (
g
r
,
mg
xr
)
m’ = Dec(sk
1
, (c
1
, c
2
)) = c
2
/c
1
y
= mg
(x-y)r
Slide12
What is Known?Anonymous PKE and IBE[
Bellare
et al. 2001], [
Abdalla
et al. 2008]PKE: DHIES, [Cramer-Shoup’01]IBE:
[Boneh-Franklin’01], [Boyen-Waters’06]Robust PKE and IBE[Abdalla et al
. 2010]Strongly robust IBE: [Boneh-Franklin’01]Weakly robust PKE: DHIES, [Cramer-Shoup’01]Not robust: [Boyen-Waters’06]Slide13
Our ContributionStudying anonymity of hybrid encryption
Positive and negative results
More efficient transformations for
robust encryption schemes
Computation and ciphertext size
Please see the paperSlide14
Question: Given an
“anonymous PKE/IBE”
and an
“anonymous SKE”
, is the hybrid encryption scheme also
anonymous?Slide15
Anonymity of Hybrid EncryptionANON-CPA PKE/IBE + IND-CPA SKE
The hybrid encryption is ANON-CPA
[negative]
ANON-CCA PKE/IBE + IND-CCA SKE
The hybrid encryption is NOT always ANON-CCATrue if SKE is ANON-CCA or more
[positive] (WROB + ANON)-CCA PKE/IBE + AE SKEThe hybrid encryption is ANON-CCAMore evidence that “anonymity” and “robustness” are needed simultaneously Slide16
Counter Example (PKE) Start with (WROB + ANON)-CCA PKE1
PKE
1
= (KG
1, Enc1, Dec1)
Build PKE2 = (KG2, Enc2
, Dec2) Dec2 Run Dec1, if it returns return 0n Else return what Dec1
outputsPKE2 is still ANON-CCASlide17
Counter Example (SKE)We use a key-binding IND-CCA SKE
Key-binding
SKE = (K, SE, SD)
For any k
K, randomness r, and message mThere is no k’ ≠ k where
SDk’
(SEk(m,r)) ≠ PKE2 +
key-binding SKENot ANON-CCASlide18
Counter Example
m
(c
1
, c
2
) = (Enc2(pkb
,k), SE(k,m))
Challenger
(pk0, sk0)
KG(1n) (pk1
, sk
1
)
KG(1
n
)
b
{0,1}
Decryption query under pk
0
for (c
1
, SE(0
n
,m’))
pk
0
, pk
1
If the answer is let b’ = 0, else b’ = 1
b’
Slide19
Counter ExampleRequiring stronger security notion for SKE does NOT helpIf
it
can
be combined
with key-bindingWhat about stronger notions for the PKE?Slide20
Positive Result
Claim
: If PKE is (ANON + WROB
+ IND)-CCA and SKE is a (one-time) authenticated encryption, the hybrid construction is (ANON + IND)-CCASlide21
Game 0Challenger
(pk
0
, sk
0
) KG(1n
) (pk1, sk1) KG(1n) b {0,1}
pk
0, pk
1
C
1
, b
1
Dec(sk
b1
, C
1
)
. . . .
C
i
, b
i
Dec(
sk
bi
,
C
i
)
m
c*
1
=
Enc(
pk
b
,k
*)
c*
2
=
SE(k*,
m)
b’
Adv
anon-cca,PKE
(A) =|Pr[b’ = b] – ½| is negligible
C
i+1
, b
i+1
Dec(sk
b1
, C
1
)
. . . .
C
q
,
b
q
Dec(
sk
bq
,
C
q
)Slide22
Game 1Challenger
(pk
0
, sk
0
) KG(1n
) (pk1, sk1) KG(1n) b {0,1}
pk
0, pk
1
m
c*
1
= Enc(
pk
b
, k
*)
c*
2
= SE(k*, m)
b’
(c*
1
, c
2
≠ c*
2
), b
SD(k*, c
2
)
Difference in games:
decryption errorSlide23
Game 2Challenger
(pk
0
, sk
0
) KG(1n
) (pk1, sk1) KG(1n) b {0,1}
pk
0, pk
1
m
c*
1
= Enc(
pk
b
,k*)
c*
2
= SE(k*,m)
b’
(c*
1
, c
2
≠ c*
2
), 1-b
Difference in games:
weak robustness of the PKE
only if c*
1
decrypts under
pk
b
and pk
1-bSlide24
Game 3Challenger
(pk
0
, sk
0
) KG(1n
) (pk1, sk1) KG(1n) b {0,1}
pk
0, pk
1
m
c*
1
= Enc(
pk
b
,k*)
c*
2
= SE(
k’
,m
)
b’
Difference in games:
IND-CCA security of the PKESlide25
Game 4Challenger
(pk
0
, sk
0
) KG(1n
) (pk1, sk1) KG(1n) b {0,1}
pk
0, pk
1
m
c*
1
= Enc(
pk
b
,k*)
c*
2
= SE(
k’,m
)
b’
Difference in games:
CTXT integrity of the SKE
only if a valid ciphertext under k’ is generated
(c*
1
, c
2
≠ c*
2
), {b or 1-b}
Slide26
Putting Things TogetherAdvanon-cca
(hybrid)
<
Advwrob-cca
(PKE) + Advind-cca(PKE)
+ Advctxt-int(SKE) + Advanon-cca(PKE) Boneh-Franklin, Cramer-Shoup, DHIES are
WROB-CCABoyen-Waters IBE is notSlide27
SummaryANON-CCA PKE + (…) SKE
ANON-CCA hybrid
(WROB + ANON)-CCA PKE + AE SKE
ANON-CCA hybrid
Is weak-robustness a necessary condition?Is
Boyen-Waters (in)secure when used in a hybrid construction? Slide28
Thank youSlide29
Results on Robustness[Abdalla et al.’10]
Transforming ANON-CCA schemes to robust ones
We design more efficient transformations
Refer to the paperSlide30
Indentity-based encryption (IBE)
id
(
sk,pk
)
PKG
C =
Enc
pk(m)
m = Decsk(C)
IBE = (MKG, Enc, Dec)
30
(par,
msk
)
MKGSlide31
IND-CCAChallenger
c
1
(
pk
,
sk
) KG(1n) ; b
{0,1}Decsk
(c1)
. . . .
c
i
Dec
sk
(
c
i
)
m
0
, m
1
C=
Enc
pk
(
m
b
)
c
i+1
Dec
sk
(c
i+1
)
. . . .
c
q
Dec
sk
(
c
q
)
b’
Adv
ind-cca,PKE
(A) =|Pr[b’ = b] – ½| is negligible
31