Recent Progress in Public-Key Encryption

Provided by: eikek

1
Recent Progress in Public-Key Encryption
Eike Kiltz
CWI, Amsterdam
2
Overview
  • Introduction
  • Public-key encryption
  • Concrete schemes
  • Part I: Standard Model schemes
  • Part II: Schemes with Hedged Security

3
1. Introduction
4
Public-Key Encryption
  • Most fundamental basic primitive in cryptography
  • Used in daily life
  • Online shopping/banking
  • Right now, checking your emails?

5
This talk
  • How efficiently can we do provably secure public-key encryption based on reasonable assumptions?

6
Theory vs Practice
  • Idealized Models

7
Random Oracle Model [BR93]
  • Cryptographic scheme uses a hash function H
  • Pro
  • Very efficient schemes
  • Contra
  • Only heuristic: Random Oracles do not exist!
  • Unnatural schemes: insecure w/o ROs
  • Natural schemes: provably unprovable w/o ROs

Security analysis in ROM: H = random oracle
Scheme in SM: H = SHA-256
!?
8
Oded Goldreich says
Random Oracle Model
Standard Model
9
Bruce Schneier says
Random Oracle Model
Standard Model
10
Later PKE schemes
  • Part I
  • Part II

11
2. Public-Key Encryption
  • Definitions Security

12
Syntax of PKE
  • Formally, PKE = three efficient (probabilistic) algorithms
  • KeyGen(k)
  • Outputs public key pk and secret key sk
  • Enc(pk, M)
  • Outputs a ciphertext C for message M
  • Dec(sk, C)
  • Outputs message M

13
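PKE Picture
[Figure: the Key Generation Center runs KeyGen on security parameter k and outputs pk and sk; the Sender runs Encryption on M to get C, which travels over an insecure channel to the Receiver, who runs Decryption to get M. Correctness: the decrypted message equals M.]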
14
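Security: IND-CCA
  • Challenger generates (pk, sk) and gives pk to adversary A
  • A outputs $M_0, M_1$; Challenger picks random b and returns $C^* \leftarrow \mathrm{Enc}(pk, M_b)$
  • Decryption oracle: on query $C \neq C^*$, returns $M \leftarrow \mathrm{Dec}(sk, C)$
  • A outputs $b'$

Adversary A wins if $b' = b$.
Scheme is called IND-CCA secure if $|\Pr[A \text{ wins}] - 1/2|$ is negligible for all efficient adversaries A.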
15
3. Schemes
16
Part I: standard model
17
History of public-key encryption in the standard model
[Timeline: 1991 NY (unpractical); 1998 CS (practical); 2004 CHK; 2004 KD (more practical); 2007 HK]
18
Tweaked KD Scheme
  • HK 2007

19
Building Blocks
  • G: cyclic group of prime order p, where DDH is hard
  • $\langle g, g^x, g^y, g^{xy} \rangle \approx \langle g, g^x, g^y, g^r \rangle$
  • (E,D) is strongly secure symmetric encryption (authenticated encryption)
  • $H: G \to \mathbb{Z}_p$ is bijection (or TCR)

20
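Tweaked KD
  • Key Generation
  • $pk \leftarrow (g, h = g^w, u = g^x, v = g^y)$ (from G)
  • $sk \leftarrow (w, x, y)$
  • Encrypt(pk, M)
  • Pick random r
  • $c \leftarrow g^r$
  • $\pi \leftarrow (u^{H(c)} v)^r$
  • $K \leftarrow h^r$
  • $e \leftarrow E_K(M)$
  • Ciphertext $C = \langle c, \pi, e \rangle$

Correctness: $\pi = (g^{x H(c) + y})^r = c^{x H(c) + y}$ ($\pi$ is unique)
Correctness: $K = (g^w)^r = c^w$
  • Decrypt(sk, $C = \langle c, \pi, e \rangle$)
  • check if C is consistent: if $\pi \neq c^{x H(c) + y}$ then reject
  • $K \leftarrow c^w$
  • $M \leftarrow D_K(e)$ (or reject)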
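
The tweaked KD algorithms above, as a runnable sketch added here (not code from the talk). Assumptions: the toy group constants and the modulus name `Q` are constructed, H is instantiated as SHA-256 reduced mod p, and (E,D) is an encrypt-then-MAC stand-in built from SHAKE-256 and HMAC-SHA-256.

```python
import hashlib, hmac, secrets

# Toy group, constructed for illustration and far too small for real use:
# the order-P subgroup of Z_Q^* with Q = 2P + 1 (safe prime), generator G.
Q, P, G = 2039, 1019, 4

def H(c):
    # Stand-in for the slide's H: G -> Z_p (assumption: SHA-256 reduced mod p).
    return int.from_bytes(hashlib.sha256(str(c).encode()).digest(), "big") % P

def _keys(K):
    # Split the group element K into an encryption key and a MAC key.
    d = hashlib.sha512(str(K).encode()).digest()
    return d[:32], d[32:]

def _xor(key, data):
    # One-time keystream from SHAKE-256; K is fresh for every ciphertext.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def keygen():
    w, x, y = (secrets.randbelow(P - 1) + 1 for _ in range(3))
    return (pow(G, w, Q), pow(G, x, Q), pow(G, y, Q)), (w, x, y)

def encrypt(pk, msg):
    h, u, v = pk
    r = secrets.randbelow(P - 1) + 1
    c = pow(G, r, Q)
    pi = pow(pow(u, H(c), Q) * v % Q, r, Q)        # pi = (u^H(c) * v)^r
    ek, mk = _keys(pow(h, r, Q))                   # K = h^r
    body = _xor(ek, msg)
    return c, pi, body + hmac.new(mk, body, "sha256").digest()

def decrypt(sk, ct):
    w, x, y = sk
    c, pi, e = ct
    # Membership of c in G (added for this concrete group), then the slide's
    # consistency check: reject unless pi == c^(x*H(c) + y).
    if pow(c, P, Q) != 1 or pi != pow(c, (x * H(c) + y) % P, Q):
        return None
    ek, mk = _keys(pow(c, w, Q))                   # K = c^w
    body, tag = e[:-32], e[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, body, "sha256").digest()):
        return None                                # (E,D) rejects
    return _xor(ek, body)
```

A modified $\pi$ is caught by the consistency check, while a modified e passes it and is rejected only by the authenticated symmetric scheme.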

21
Security
  • Theorem: Assume
  • DDH is hard in G
  • (E,D) is authenticated symmetric encryption scheme
  • H is bijection (or TCR)
  • Then tweaked KD is IND-CCA secure
  • Proof (sketch)...

22
  • Key Generation
  • $pk \leftarrow (g, h = g^w, u = g^x, v = g^y)$
  • $sk \leftarrow (w, x, y)$
  • Challenge($M_0, M_1$)
  • $c^* \leftarrow g^r$, $\pi^* \leftarrow (u^{H(c^*)} v)^r$
  • $K^* \leftarrow h^r$, $e^* \leftarrow E_{K^*}(M_b)$
  • Ciphertext $C^* = \langle c^*, \pi^*, e^* \rangle$
  • Decrypt($C = \langle c, \pi, e \rangle$)
  • check $\pi = c^{x H(c) + y}$
  • $K \leftarrow c^w$
  • $M \leftarrow D_K(e)$ (or reject)
  • Conclusion
  • Decryption oracle can be simulated for all $C \neq C^*$
  • Distinguishing $C^* = \mathrm{Enc}(M_0)$ from $C^* = \mathrm{Enc}(M_1)$ implies solving DDH
  • Hence scheme is secure
  • IND-CPA security
  • Scheme is IND-CPA secure under DDH
  • IND-CCA security
  • Ingredient 1: From $c^*$ set up u, v from pk such that for consistent ciphertexts
  • Decryption of $C = \langle c, \pi, e \rangle$ is easy for all $c \neq c^*$ (using $\pi$)
  • Distinguishing $C^* = \mathrm{Enc}(M_0)$ from $C^* = \mathrm{Enc}(M_1)$ implies solving DDH
  • IND-CCA security
  • Ingredient 2: set up u, v from pk such that for inconsistent ciphertexts
  • Decryption of $\langle c, \pi, e \rangle$ leads to one random K
  • Outsource rejection to strong security of (E,D).

23
Syntactical comparison with [CS98]
24
Part II: Hedged Security
25
Motivation
  • Security proof of [CS98] based on DDH in standard model
  • Criticism: DDH is a strong assumption
  • [Shoup01]: Hedge the SM proof with a ROM proof
  • Additional proof of [CS98] based on CDH in random oracle model
  • [CS98] is secure...
  • In the ROM under a weak assumption (CDH)
  • AND
  • In the SM under a strong assumption (DDH)

26
Hedged Security [KN07]
  • Random Oracle Model [BR93]
  • Treat hash function as perfect random function
  • Unnatural schemes: insecure w/o ROs [CGH98,...]
  • Natural schemes: provably unprovable w/o ROs [DOP05,...]
  • A cryptographic scheme involving hash function H comes with two different proofs
  • Proof 1: security in the Random Oracle Model, when H is a random oracle
  • Proof 2: security in the Generic Group Model, when H fulfills a standard security property

Security granted as long as one of the heuristics is sound!
  • Generic Group Model [Shoup97]
  • Treat group as generic, only group operations allowed
  • Restricted model of computation, security unconditional
  • Unnatural schemes: insecure w/o GGs [Dent02,...]

27
Hashed ElGamal Scheme
28
Scheme
  • Hashed ElGamal Encryption (HEG-PKE)
  • Hashed ElGamal KEM + CCA-secure DEM
  • Very efficient (optimal)
  • Standardized as DHIES [ABR98]
  • IEEE 1363
  • ANSI X9.63
  • SECG

29
Security of HEG-KEM
  • Standard Model: Secure?
  • Random Oracle Model: Secure under gap-CDH [ABR98]
  • Generic Group Model: Secure [KN07]
30
Building Blocks
  • G: cyclic group of prime order p, where gap-CDH is hard
  • Given $\langle g, g^x, g^y \rangle$, hard to compute $g^{xy}$ even with DDH oracle.
  • $H: \{0,1\}^* \to \{0,1\}^k$ pseudorandom, length shrinking, independent of G
  • (E,D) is CCA-secure symmetric encryption with keys in $\{0,1\}^k$

31
HEG-PKE
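  • Key Generation
  • $pk \leftarrow (g, u = g^x)$ (from G)
  • $sk \leftarrow x$
  • Encrypt(pk, M)
  • Pick random r
  • $c \leftarrow g^r$
  • $K \leftarrow H(u^r)$
  • $e \leftarrow E_K(M)$
  • Ciphertext $C = \langle c, e \rangle$
  • Decrypt(sk, $C = \langle c, e \rangle$)
  • $K \leftarrow H(c^x)$
  • $M \leftarrow D_K(e)$ (or reject)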

32
Hedging the RO proof of HEG-PKE
  • Theorem [ABR98]: Assume the gap-CDH assumption holds and H is a random oracle. Then HEG-PKE is IND-CCA secure in the Random Oracle Model.
  • Theorem [KN07]: Assume H is pseudorandom and independent of group G. Then HEG-PKE is IND-CCA secure in the Generic Group Model.

33
  • Key Generation
  • $pk \leftarrow (g, u = g^x)$
  • $sk \leftarrow x$
  • Challenge($M_0, M_1$)
  • $c^* \leftarrow g^r$, $K^* \leftarrow H(u^r)$
  • $e^* \leftarrow E_{K^*}(M_b)$
  • Ciphertext $C^* = \langle c^*, e^* \rangle$
  • Security in the GGM
  • Group elements are represented as random strings in $\{0,1\}^m$, $m > 2k$
  • If representation is unknown the group element can't be accessed
  • Initially all group elements have $> 2k$ bits of entropy
  • Decrypt($C = \langle c, e \rangle$)
  • $K \leftarrow H(c^x)$
  • $M \leftarrow D_K(e)$ (or reject)
  • IND-CCA security
  • In the GGM adversary A sees
  • 1. Group elements $g$, $u = g^x$, $c^* = g^r$
  • 2. Non-group elements $e^* = E_{K^*}(M_b)$, answers to Dec-queries
  • From 1. A can only deduce elements $g^{P(x,r)}$, $P(x,r) = a_0 + a_1 x + a_2 r$
  • Lemma: From Dec-queries A can't deduce more group elements
  • Proof of lemma
  • Dec(c,e) query from A ($c \neq c^*$)
  • We give adversary even $K = H(c^x)$
  • $H: \{0,1\}^m \to \{0,1\}^k$ length-shrinking $\Rightarrow$ $c^x$ has still $> k$ bits of entropy, given $K = H(c^x)$
  • H is independent of G so K does not decrease entropy of any other element
  • Conclusion
  • Only chance for A to win is compute $K^*$ as $K^* = H(g^{rx})$
  • Hence, A has to compute $g^{rx}$ as $g^{P(x,r)}$.
  • Since $P(x,r) = a_0 + a_1 x + a_2 r$, not possible (unless x, r are of special form)

34
Comparison
G: elliptic curve with k = 80 bits security, p = 160 bits
35
More Hedged Security [KN07]
  • OHEG-PKE
  • Optimal hashed ElGamal encryption
  • works with any one-time pad
  • Identity-based encryption
  • SK-IBE: identity-based encryption scheme with 160 bit ciphertext overhead
  • Signatures
  • SK-SIG: Unique signatures in 160 bits

36
Conclusions
  • KD/KD most efficient PKE scheme in the standard model
  • HEG-PKE more efficient PKE with hedged security
  • Ethical question: SM? ROM? GGM?

37
Open Research Problems
  • Join the race
  • Improve efficiency of standard model schemes
  • Or prove it is not possible
  • Prove HEG-PKE in the standard model
  • Based on a reasonable (non-interactive) assumption on G and a reasonable (non-interactive) assumption on H (non-malleability?)
  • Or prove it is not possible
  • Analyze hedged security of other standardized schemes
  • BF-IBE, OAEP,

39
Graveyard for slides
40
Authenticated Encryption
  • AE schemes
  • provides privacy and authenticity
  • KDF encrypt-then-mac ?
  • very efficient single-pass schemes ?
  • stronger than CCA (? inherently k bits overhead)

Adversary $A^{E,D}(1^k)$ has to distinguish between (one query to oracle E and D)
  • Real
  • Random key K
  • Encryption oracle $E_K(\cdot)$ outputs real ciphertext
  • Decryption oracle $D_K(\cdot)$ returns real plaintext
  • Random
  • Encryption oracle $E_K(\cdot)$ outputs random ciphertext
  • Decryption oracle $D_K(\cdot)$ returns reject

41
Proof of security
  • Game 1: real CCA game (real K)
  • Game 4: random CCA game (random K)
  • A: Adversary against CCA game
  • We show $|\Pr[A \text{ outputs 1 in Game 1}] - \Pr[A \text{ outputs 1 in Game 4}]| \le \mathrm{neg}$

42
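Game 1: real CCA game
  • Adversary A gets
  • Public-key pk
  • Challenge ciphertext $\langle C^*, K^* \rangle$
  • Dec-oracle(C) ($C \neq C^*$)
  • Key Generation
  • $c^* \leftarrow g^r$, $t^* \leftarrow \mathrm{TCR}(c^*)$
  • $pk \leftarrow (g, u = g^x, v = g^y)$
  • $sk \leftarrow (x, y)$
  • Enc-oracle(M)
  • $c^* \leftarrow g^r$, $t^* \leftarrow \mathrm{TCR}(c^*)$
  • $\pi^* \leftarrow (u^{t^*} v)^r$
  • $K^* \leftarrow H(u^r)$
  • $C^* = \langle c^*, \pi^* \rangle$
  • Dec-oracle(C)
  • $t \leftarrow \mathrm{TCR}(c)$
  • if $\pi \neq c^{xt + y}$ then reject
  • $K \leftarrow H(c^x)$
  • Return K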

43
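Game 3: change pk
Nothing happened
IBE trick [BB04]
  • Key Generation
  • $c^* \leftarrow g^r$, $t^* \leftarrow \mathrm{TCR}(c^*)$
  • $pk \leftarrow (g, u = g^x, v = g^d u^{-t^*})$
  • $sk \leftarrow (x, y = d - x t^*)$
  • Enc-oracle(M)
  • $\pi^* \leftarrow (u^{t^*} v)^r = (c^*)^d$
  • $K^* \leftarrow H(u^r)$
  • $C^* = \langle c^*, \pi^* \rangle$

Correctness: $\pi = c^{xt + y} = c^{xt - x t^* + d} = (c^x)^{t - t^*} c^d$
Correctness: $\pi^* = (c^*)^{x t^* + y} = (c^*)^{x t^* - x t^* + d} = (c^*)^d$
  • Dec-oracle(C)
  • $t \leftarrow \mathrm{TCR}(c)$; if $t = t^*$ then rej.
  • if $\pi \neq c^{xt + y}$ then reject
  • $K \leftarrow H(c^x) = H((\pi / c^d)^{1/(t - t^*)})$
  • Return K

Independent of x,y ?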
44
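Game 4: GHDH
Summing up: $|\Pr[A \text{ outputs 1 in real CCA game}] - \Pr[A \text{ outputs 1 in random CCA game}]| \le \mathrm{neg}$
Lemma: Difference between Games 4 and 5 is GHDH.
Game 4: $\langle g, c^* = g^r, u, K^* = H(u^r) \rangle$
Game 5: $\langle g, c^* = g^r, u, K^* = \text{random} \rangle$
Use DDH oracle to simulate consistency check!
  • Key Generation
  • $c^* \leftarrow g^r$, $t^* \leftarrow \mathrm{TCR}(c^*)$
  • $pk \leftarrow (g, u = g^x, v = g^d u^{-t^*})$
  • $sk \leftarrow (x, y = d - x t^*)$
  • Enc-oracle(M)
  • $\pi^* \leftarrow (c^*)^d$
  • $K^* \leftarrow$ random
  • $C^* = \langle c^*, \pi^* \rangle$

DDH-oracle: $\pi = c^{xt + y} \Leftrightarrow (g, u^t v, c, \pi)$ is a DDH tuple
  • Dec-oracle(C)
  • $t \leftarrow \mathrm{TCR}(c)$; if $t = t^*$ then rej.
  • if $\pi \neq c^{xt + y}$ then reject
  • $K \leftarrow H((\pi / c^d)^{1/(t - t^*)})$
  • Return K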

45
KEM + DEM = PKE
[Figure: KeyGen outputs pk and sk. KEM: Encaps produces ciphertext C and key K; Decaps recovers K from C. DEM: $E_K$ encrypts M to e; $D_K$ decrypts e to M.]
46
Hashed El-Gamal
  • Key Generation
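  • $H: G \to \{0,1\}^n$
  • $pk \leftarrow (g, u = g^x)$
  • $sk \leftarrow x$
  • Encrypt(pk, M)
  • $c \leftarrow g^r$
  • $K \leftarrow H(u^r)$
  • $e \leftarrow K \cdot M$
  • Return $\langle c, e \rangle$

Security: The PKE scheme is CPA secure (semantically secure) under the Hashed-DDH assumption
  • Decrypt(sk, $\langle c, e \rangle$)
  • $K \leftarrow H(c^x)$
  • $M \leftarrow e \cdot K^{-1}$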

47
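Game 2: TCR
Standard argument: Difference between Games 1 and 2 is TCR
  • Key Generation
  • $c^* \leftarrow g^r$, $t^* \leftarrow \mathrm{TCR}(c^*)$
  • $pk \leftarrow (g, u = g^x, v = g^y)$
  • $sk \leftarrow (x, y)$
  • Enc-oracle(M)
  • $\pi^* \leftarrow (u^{t^*} v)^r$
  • $K^* \leftarrow H(u^r)$
  • $C^* = \langle c^*, \pi^* \rangle$
  • Dec-oracle(C)
  • $t \leftarrow \mathrm{TCR}(c)$; if $t = t^*$ then rej
  • if $\pi \neq c^{xt + y}$ then reject
  • $K \leftarrow H(c^x)$
  • Return K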

48
CCA(2) Security for KEMs
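  • Challenger: $(pk, sk) \leftarrow \mathrm{KeyGen}$; $\langle K_1, C^* \rangle \leftarrow \mathrm{Encaps}(pk)$; pick random $K_0$; pick random bit b; send $pk, K_b, C^*$ to the adversary
  • Adversary: queries C, answered with $K \leftarrow \mathrm{Decaps}(sk, C)$; outputs $b'$

KEM/DEM composition theorem: CCA-secure KEM + CCA-secure DEM implies CCA-secure PKE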
49
The KD scheme
  • Security
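  • [KD 04]: DDH + statistically secure SE ?
  • [AGKS05, GS 05]: DDH + computationally secure SE (MAC + OTP) ?
  • [BKS 06, GS 05]: DDH + authenticated encryption ?
  • HPS + authenticated encryption
  • Key Generation
  • params, $H: G \to \mathbb{Z}_{|G|}$
  • $pk \leftarrow (g, h = g^w, u = g^{x_1} h^{x_2}, v = g^{y_1} h^{y_2})$
  • $sk \leftarrow (x_1, x_2, y_1, y_2)$
  • Encrypt(pk, M)
  • $c \leftarrow g^r$, $\pi \leftarrow h^r$
  • $t \leftarrow H(c, \pi)$
  • $K \leftarrow (u^t v)^r$
  • $e \leftarrow E_K(M)$
  • Ciphertext $C = \langle c, \pi, e \rangle$
  • Decrypt(sk, $C = \langle c, \pi, e \rangle$)
  • check if $c, \pi$ are in G
  • $t \leftarrow H(c, \pi)$
  • $K \leftarrow c^{x_1 t + y_1} \pi^{x_2 t + y_2}$
  • $\{M, \bot\} \leftarrow D_K(e)$

(callouts: $D_K$ is the symmetric scheme; $\bot$ means reject)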
50
The KD scheme
  • Key Generation
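  • params, $H: G \times G \to \mathbb{Z}_{|G|}$
  • $pk \leftarrow (g, h = g^w, u = g^{x_1} h^{x_2}, v = g^{y_1} h^{y_2})$
  • $sk \leftarrow (x_1, x_2, y_1, y_2)$
  • Encrypt(pk, M)
  • $c \leftarrow g^r$, $\pi \leftarrow h^r$
  • $t \leftarrow H(c, \pi)$
  • $K \leftarrow (u^t v)^r$
  • $e \leftarrow E_K(M)$
  • Ciphertext $C = \langle c, \pi, e \rangle$
  • Decrypt(sk, $C = \langle c, \pi, e \rangle$)
  • check if $c, \pi$ are in G
  • $t \leftarrow H(c, \pi)$
  • $K \leftarrow c^{x_1 t + y_1} \pi^{x_2 t + y_2}$
  • $\{M, \bot\} \leftarrow D_K(e)$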

51
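KD variant: explicit rejection
  • Security
  • [PO06]: DDH + computationally secure SE (MAC + OTP)
  • DDH + authenticated encryption
  • Key Generation
  • params, $H: G \times G \to \mathbb{Z}_{|G|}$
  • $pk \leftarrow (g, h = g^w, u = g^x, v = g^y)$
  • $sk \leftarrow (w, x, y)$
  • Encrypt(pk, M)
  • $c \leftarrow g^r$, $\pi \leftarrow h^r$
  • $t \leftarrow H(c, \pi)$
  • $K \leftarrow (u^t v)^r$
  • $e \leftarrow E_K(M)$
  • Ciphertext $C = \langle c, \pi, e \rangle$
  • Decrypt(sk, $C = \langle c, \pi, e \rangle$)
  • check if c is in G
  • $t \leftarrow H(c, \pi)$
  • $K \leftarrow c^w$
  • $\{M, \bot\} \leftarrow D_K(e)$
  • check if $c^{xt + y} = \pi$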

52
Decisional Diffie-Hellman (DDH) Assumption
No polynomial-time adversary can distinguish between the two worlds
  • Real: $\langle g, g^x, g^y, g^{xy} \rangle$
  • Random: $\langle g, g^x, g^y, g^r \rangle$

where x, y, r are random elements from $\mathbb{Z}_p$.