Incremental Codes - PowerPoint PPT Presentation

About This Presentation

Title:

Incremental Codes

Description:

In fact, holds even if reuse the same f for both signature and encryption ... If c = G(d) m2, d = (m1,r,G'(m2)) get SAP. Probabilistic Signature Encryption P ... – PowerPoint PPT presentation

Number of Views:79

Avg rating:3.0/5.0

Slides: 41

Provided by: yevgeni

Learn more at: https://www.cs.princeton.edu

Category:

more less

Transcript and Presenter's Notes

Title: Incremental Codes

1
Signcryption what, why and how
Yevgeniy Dodis New York University
2
Signature and Encryption

Most basic cryptographic tools
Signature
Receiver is sure message came from sender
Provides Authentication
Encryption
Only receiver can understand the message
Provides Privacy

3
Common Design Wisdom

Never mix things together
Make the design as modular as possible
Have freedom to design independent privacy and
authentication components
When both are needed, combine known solutions
Encrypt-then-sign (EtS) Sig(Enc(m))
Sign-then-encrypt (StE) Enc(Sig(m))

But given both are needed so often, shall we
define/design tailored solutions?

Signcryption???
4
Signcryption as a Primitive?

Are we sure EtS and StE are secure?
NO, if we are not careful ! (yes, if we are)
Do we know exactly what we mean by private
authenticated communication?
Definition is non-trivial !

Maybe we can build significantly more
efficient/secure solutions than EtS/StE?

Maybe we can in fact simplify protocol design by
having this high-level primitive?

5
Prior Work

Initial study of signcryption Zheng97,
Main motivation efficiency
Security arguments no formal definitions/proofs
Using authentication to go CPA-gtCCA
ElGamal Encryption TY98,SJ00
Symmetric setting BN00,K01,BR00
Authenticated Encryption (symmetric setting)
Definitions KY00,BN00,BR00
Sequential Composition EtA/AtE BN00,K01
Called good if MAC helps CPA-gtCCA (justified
but unnatural)
Encrypt/encipher-with-redundancy AB01,BR00
New Block Cipher Modes (RFC,IAPM,OCB,SNCBC,)

6
Our Results I ADR02

Formal definition(s) of signcryption
Multi-user vs. Two-user setting
Insider vs. Outsider distinction
EtS/StE are secure if modeled properly
Paradigm of parallel signcryption
Performs expensive Enc and Sig in parallel
Commit-then-Encrypt-and-Sign (CtSE)
Leads to fast On-line/Off-line Signcryption
Definitional inadequacy of CCA security

7
Our Results II DFW03

More efficient parallel signcryption
Padding-based Parallel Signcryption (PbPS)
Fully compatible with PKCS1 standard
Works with PSS-R, OAEP, OAEP other paddings
Based on any TDP f (e.g., RSA)
Simple and flexible key management
Same f can be used to both send receive data
Effortlessly supports associated data
Tight exact security and many more
New notion universal two-padding schemes
New padding PSEP, hybrid of PSS-R OAEP

8
Our Results III DA03

General way to build signcryption on long
messages from that on short messages
Very simple and efficient
Couple with PbPS ? very practical signcryption !
Utilizes a new primitive of independent interest
Concealment
Strong version equivalent to CRHFs, weak version
can be built from UOWHFs (and, thus, OWFs)
Remotely Keyed (Authenticated) Encryption
Formal definition and simple solution
Considerably simplifies/generalizes prior work

9
Defining Signcryption
Ideal Functionality

Implementation
Each player P publishes key pair (SecP,PubP)
To send m from sender S to receiver R
u SigEnc(m SecS, PubR) m VerDec(u PubS,
SecR)

10
Example EtS
11
Example EtS (cont)
Moral Need to use identities in
multi-user setting! Both for syntax and
constructions
12
Proper EtS with IDs
Binds messages and IDs In fact, secure now
13
Formal Definition (multi-user)

When attacking U, adversary A(PubU) can
Ask SigEnc(m SecU, PubR), for any receiver R
Ask DecVer(m PubS, SecU), for any sender S
To break authenticity, outputs new forgery
(m SecR) s.t. DecVer(m PubU, SecR)
Note, allow A to choose receiver R !
To break privacy, guesses b w/pr. gt ½
Chooses (m0, m1, SecS), for S of As choice !
m ? SigEnc(mb SecS, PubU), for random b

14
Two- vs. Multi-User Setting

Can formally define both settings
Two-user is much simpler no IDs !
Only sender S and receiver R
Shows no attacks on the scheme, only on IDs
But multi-user needed in applications
Multi-User Two-User ID fraud protection
For all our schemes, some natural tricks always
work to go two-user ? multi-user
First describe two-user version
Then show how to get multi-user

15
Parallel Signcryption

Apply expensive encrypting and singing on in
parallel
New alternative to sequential composition
Can offer other advantages beside parallelism and
efficiency
More flexible key management
Easier for tight security reductions
On-line/Off-line Signcryption
Aesthetics more elegant ?

16
Generic Parallel Signcryption
CtES m d c ?
EncR(d) s SigS(c) d DecR(?) c
VerS(s) m
EtS m ? EncR(m) u SigS(?) ?
VerS(u) m DecR(?)
StE m s SigS(m) u EncR(s) s
DecR(u) m VerS(s)
What properties on (c,d) are needed for CtES?
17
Properties of c and d

Recall, Signcrypt(m) (Sig(c), Enc(d))
m ? (c,d) ? m should be fast
Privacy c should not reveal any information
about m
Indeed, c goes in the clear
Authenticity should be hard to reuse Sig(c)
If find d such that (c,d) is valid and d?d,
then (Sig(c), Enc(d)) is a new forgery

18
Improving Generic Approach

Need IND-CCA Enc and sUF-CMA Sig
Expensive
What if implement in RO model?
Say, PSS for Sig, OAEP/OAEP for Enc
Wasteful, need to pad twice !
Poor exact security
Poor message bandwidth
Less efficient
Need to store two independent keys
Aesthetics inelegant ?
Can we do (much) better? YES!

19
Padding-based Parallel Signcryption
20
Advantages of PbPS

Replace expensive Enc and Sig by a TDP f and its
inverse f-1 (e.g., RSA)
Can reuse f for sending and receiving
Entire PubU f, SecU f-1
Consistent with current PKI infrastructure
suggested by PKCS1
Better exact security
More efficient if two-paddings are fast
What are these two-paddings???

21
Universal Two-Paddings

Invertible Pad(m) ? (w,s) s.t. for any TDP f
f(w), s is IND-CCA-secure encryption
w, f1(s) is sUF-CMA-secure signature
In fact, holds even if reuse the same f for both
signature and encryption
Lemma if Pad is universal two-padding, then
fR(w), fS1(s) is a secure signcryption in the
two-user setting
Later extend to multi-user setting

22
Two-Padding Results

Note must use Random Oracle Model as use TDPs
Give a wide variety of universal two-paddings
Old PSS-R, OAEP, OAEP, SAP (scramble all
padding)
New many, most notably PSEP (mix of PSS-R
OAEP)
All are special cases of one general
construction!
In particular, found generalization of most
padding schemes commonly used for plain
signature/encryption

23
Intuition Behind Construction

Most known padding schemes already naturally
consist of two pieces (w,s)
Moreover, always have (w,s) Feistel(d,c) for
some pair (d,c).

Example PSS-R
Have w G(m,r), s H(w) ? (m,r).
Can write w c, s H(c) ? d, where c G(m,r),
d (m,r)
What properties on (d,c) suffice??

24
Extractable Commitment

Given by two properties
(Strong) Hiding c(m) looks random, for any m
usually holds anyway for any natural commitment
Extractability using some trapdoor T, can find
d from c.
There is Extract(c,T) ? d procedure s.t. for any
A
Pr (c,d) valid Extract(c,T) ? d (c,d) ? A
negl.
In the RO model, trapdoor T RO queries made by
A
Note extractability implies strong binding
Hard to find (c,d,d) s.t. (c,d), (c,d) are
valid and d ? d

25
Feistel Two-Paddings

Theorem If Commit(m) ? (c,d) is an extractable
commitment then Pad(m) (w c, s H(c) ? d) is
a universal two-padding scheme
Note we will see that all natural commitments in
the RO model are anyway extractable
Thus, essentially show that applying one round of
Feistel to a pair (c,d) good for CtES, get a
two-padding (w,s) good PbPS !
Feistel allows to replace expensive Enc and Sig
by a TDP f and its inverse f-1 (e.g., RSA)

26
Examples

If c G(m,r), d (m,r) ? get PSS-R
If c G(r)?(m,0k), d r ? get OAEP
If c (G(r)?m, G(m,r)), d r ? get OAEP
If c G(d)?m2, d (m1,r,G(m2)) ? get SAP
Probabilistic Signature Encryption Padding
(PSEP) arbitrarily split m m1m2 and set c
(G(r)?m1, G(m2,r)), d (m2,r)
if m10 ? get PSS-R, if m20 ? get OAEP
but now can achieve much higher bandwidth !
E.g., with 1024-bit keys can fit 1600 bits of m

27
Associated Data Support

Associated data binds a public label L to m
L is transmitted in the clear, together with
actual signcryption of m
Still, authentication applies to both L and m
Very useful in many contexts Rogaway02
All our constructs easily support arbitrarily
long associated data at nearly no cost !
Simply stick L into H during the Feistel round
Simple two-user ? multi-user conversion
Add public keys of S and R as part of the label

Full PbPS scheme
short messages
long labels

m
L
IDR
IDS
Commit
d
c
H
w
s
L
?
s
29
Signcrypting Long Messages

Main Question given good signcryption SC on
short messages m, how to signcryption arbitrarily
long messages M?
Approach transform M ? (b,h) and set
SC(M) (SC(b), h)
(note want to have b ltlt M )
Sub-Question what transformations T are needed
to make SC secure?
Answer concealments !

30
Concealments

Recall, SC(M) (SC(b), h)
b lt M (non-triviality)
Privacy h should reveal no information about M
Indeed, h goes in the clear
Authenticity should be hard to reuse SC(b)
If find h such that (b,h) is valid and h ? h,
then (SC(b), h) is a new forgery

31
Commitment vs. Concealment

commitment c decommitment d

hider h
binder b

32
Constructing Concealments

Use one-time symmetric encryption (E,D)
Set h Et(M), b (t, K(h)), where K is CRHF
Hiding is obvious, binding is due to CRHF K
Notice, b is indeed short
If SC supports (long) associated data, can set h
Et(M), b t and L h (extra label)
Binding since pair (b t, L Et(M)) commits M
Nicely applies to PbPS
Here is the final multi-user signcryption of long
messages with associated data