An Uninstantiable RandomOracleModel Scheme for a HybridEncryption Problem - PowerPoint PPT Presentation

1 / 38
About This Presentation
Title:

An Uninstantiable RandomOracleModel Scheme for a HybridEncryption Problem

Description:

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem ... And HEG is innocuous looking; one would not suspect any anomalies in advance. ... – PowerPoint PPT presentation

Number of Views:42
Avg rating:3.0/5.0
Slides: 39
Provided by: alexandra69
Learn more at: https://www.iacr.org
Category:

less

Transcript and Presenter's Notes

Title: An Uninstantiable RandomOracleModel Scheme for a HybridEncryption Problem


1
An Uninstantiable Random-Oracle-Model Scheme
for a Hybrid-Encryption
Problem
Mihir Bellare ? Alexandra Boldyreva ?
Adriana Palacio University of California at San
Diego
2
The Random-Oracle (RO) model BR93
(M)
..
a
H
hH(a)
..
b
A
G
gG(b)
..
  • Algorithms of the scheme, as well as the
    adversary have oracle access to random functions.
  • Very popular there are numerous schemes designed
    and proven secure in this model.

3
Moving to the real world
However, the RO model is an idealized setting.
To get a real-world scheme we must instantiate
the ROs with real functions.
4
Instantiation of this scheme via SHA1
(M)
..
hSHA1(a)
..
gSHA1(b)
..
5
Instantiation more generally
Let F1, F2 be poly-time computable families of
functions
(M)
..
h F1L1(a)
..
g F2L2(b)
..
6
Security of instantiated schemes
RO model thesis If a scheme is proven secure in
the RO model, then it remains secure under a
suitable instantiation. Question Is this
true? Answer No. Past work has shown the
existence of uninstantiable schemes.
7
Uninstantiable schemes
Definition. A scheme is uninstantiable (with
respect to some cryptographic goal) if
  • The scheme satisfies the goal in the RO model
  • No instantiation satisfies the goal in the
    standard model

8
Examples of uninstantiable schemes
9
Examples of uninstantiable schemes
_

_

_

10
Reaction
OK, but in practice, the RO model thesis is true
Practical RO model thesis The RO model thesis
holds for natural, practical schemes for
practical goals.
11
Our work
We present a RO model scheme that
  • is simple and natural, and resembles existing RO
    model schemes.
  • is for a practical security goal.
  • but is uninstantiable.

12
Caveats and impact
  • Our result does have artificial aspects as we
    will see, and should not be taken to indicate
    that the practical RO model thesis is false.
  • But it shows that uninstantiable schemes arise in
    more practical situations than indicated by
    previous work.

13
Plan
  • The goal
  • The scheme
  • The positive result
  • The negative result
  • Conclusions

14
Plan
  • The goal
  • The scheme
  • The positive result
  • The negative result
  • Conclusions

15
Classical view of asymmetric encryption usage
AS (AK,AE,AD)
M
skR
Sender
Receiver R
16
In practice hybrid approach
skR
Sender
Receiver R
17
Goal IND-CCA-secure MM-Hybrid Encryption
  • We can define, in a natural way, IND-CCA security
    for an MM-hybrid scheme (AS,SS).
  • Certainly, a necessary condition for IND-CCA
    security of an MM-hybrid (AS,SS) is IND-CCA
    security of SS.
  • But what do we need from the asymmetric
    encryption scheme AS?

18
Easy theorem However, the above could be
true even if AS satisfies a weaker condition than
IND-CCA.


19
IND-CCA-preserving asymmetric schemes
  • What emerges A new notion of security for
    asymmetric encryption schemes.
  • Definition An asymmetric encryption scheme AS is
    IND-CCA-preserving if


Any IND-CCA SS

IND-CCA MM-hybrid (AS,SS)
AS
20
Why IND-CCA-preserving schemes?
For asymmetric schemes
IND-CCA
IND-CCA-preserving
In particular, an IND-CCA preserving scheme need
not even be randomized, since it is used to
encrypt random keys. The hope IND-CCA-preserving
schemes more efficient than existing IND-CCA
ones. The benefit Security of encryption in
practice at lower cost.
21
Summary
  • Our goal IND-CCA preserving asymmetric encryption

22
Plan
  • The goal
  • The scheme
  • The positive result
  • The negative result
  • Conclusions

23
Hash ElGamal RO model asymmetric encryption
scheme HEG (AK,AE,AD)
pk (k,q,g,Xgx), sk (k,q,g,x),

where q, 2q1 are primes and g has order q in
?2q1
(Y,W)
(K)
K?G(Yx)?W If gH(K)Y then Return K else
Reject
r?H(K)
P?G(Xr)
Return (gr,P?K)
Note. HEG is deterministic and thus not even
IND-CPA!
24
Plan
  • The goal
  • The scheme
  • The positive result
  • The negative result
  • Conclusions

25
Security of Hash ElGamal
Theorem 1. Under the Computational Diffie-Hellman
assumption (CDH) HEG is IND-CCA-preserving in the
RO model.

IND-CCA MM-hybrid (HEG,SS)
Any IND-CCA SS

HEG
26
HEG is similar to existing schemes GEM, GEM1,
GEM2, FO, REACT
Something almost identical (but randomized)
appeared in BaLeKi00.
27
Plan
  • The goal
  • The scheme
  • The positive result
  • The negative result
  • Conclusions

28
Now, the interesting stuff
  • Theorem 2 . No instantiation of HEG is
    IND-CCA-preserving in the standard model.

I.e. it is IND-CCA preserving in the RO model,
but no standard model implementation of it is
IND-CCA preserving?
Right! More precisely
29
Security of HEG instantiations
Let F1, F2 be poly-time computable families of
functions
(K)
r?F1L1(K)
P?F2L2(Xr)
Return (gr,P?K)
  • Theorem 2. For any F1, F2 the above standard
    model asymmetric encryption scheme is not IND-CCA
    preserving.

30
A caveat
  • Proof of Theorem 2 shows that for every F1, F2
    (poly-time families of functions) THERE EXISTS SS
    such that (HEG,SS) is not an IND-CCA secure
    MM-hybrid.
  • But SS is an artificial scheme, depending on
    F1, F2.
  • Theorem 2 does not imply that e.g. (HEG,CBC-type
    SS) is insecure.
  • So although HEG is simple and natural, there is
    some artificiality under the rug.

31
However, we still believe the result is valuable
because we have
  • A practical goal IND-CCA preserving encryption
  • A simple, natural scheme resembling existing RO
    schemes HEG.
  • Yet HEG is uninstantiable its real-world
    implementation loses the security property.
  • And HEG is innocuous looking one would not
    suspect any anomalies in advance.

32
About the proof of Theorem 2
  • Let HEG be ANY instantiation of HEG via poly-time
    computable families of functions.
  • We present a symmetric encryption scheme
    SS(SK,SE,SD), such that
  • SS is IND-CCA secure
  • (HEG,SS) is not IND-CCA secure

33
Key and ciphertext verifiability
  • Def. An asymmetric encryption scheme is
    key-verifiable if there is a poly-time algorithm
    KV

1, if pk is a valid public key 0, otherwise
pk
KV
34
SS construction for Proof of Theorem 2
Let SS(SK,SE,SD) be any IND-CCA symmetric
scheme.
SEK1K2(M)
SK(1k)
K1 ? SK(1k/2) K2 ?0,1k/2 Return K1K2
C ? SEK2(M) Parse M as M1M2 If M1 is a valid
pk for HEG and if M2 is a valid HEG ciphertext of
K1K2 under pk Then Return C0 else Return
C1
35
  • We show that SS is IND-CCA.
  • In order to show that (HEG,SS) is not IND-CCA we
    use the fact that HEG is key- and
    ciphertext-verifiable. The details are in the
    paper.
  • In general no key- and ciphertext-verifiable
    scheme is IND-CCA preserving.

36
Plan
  • The goal
  • The scheme
  • The positive result
  • The negative result
  • Conclusions

37
Conclusions
  • We presented a simple uninstantiable scheme for a
    practical goal
  • We do not suggest one abandon the RO model.
  • We do suggest that designers of RO model schemes
    pay more attention to the question of
    instantiation, which is usually entirely
    neglected.
  • Our examples shows that uninstantiable schemes
    really come up.

38
  • Thank you!
Write a Comment
User Comments (0)
About PowerShow.com