A Brief History of Provable Security and PKE
Alex Dent, Information Security Group, Royal Holloway, University of London

A Provable Timeline
• Late 1970s: First secure schemes
• 1980s: Definitions
• 1990s: Random oracle model schemes
• Late 1990s: “Double and add” schemes
• NIZK proof schemes
• Cramer-Shoup encryption
• 2000s: Signatures and identities
• 2000s: Extracting the truth
Definitions
• Confidentiality means that an attacker cannot find any information about a plaintext from a ciphertext.
• Semantic security captures this notion.
• IND-CPA is equivalent to semantic security [Goldwasser-Micali, 1984].
• The IND-CPA game (diagram on the slide): the attacker is given pk and outputs two messages m0, m1; the challenger picks b ← {0,1} and returns the challenge ciphertext C* = Enc(pk, mb); the attacker outputs a guess b′.
• Attacker wins if b = b′.
• Advantage of an attacker is: | Pr[ b = b′ ] - ½ |
• IND-CCA1 security: allows access to a decryption oracle before the challenge ciphertext is issued [Naor-Yung, 1990].
• IND-CCA2 security: allows access to a decryption oracle before and after the challenge ciphertext is issued [Rackoff-Simon, 1991].
• The IND-CCA2 game (diagram on the slide): as for IND-CPA, but the attacker may submit ciphertexts C to a decryption oracle that returns m = Dec(sk, C), both before and after receiving C*; after the challenge, queries must satisfy C ≠ C*.
• Advantage of an attacker is again: | Pr[ b = b′ ] - ½ |
• Why is this such a difficult notion of security to achieve?
• Decryption oracle has to be “consistent”.
• Trivial oracle queries.
• (Diagram on the slide: a reduction turns a problem instance into a simulated challenge ciphertext C*, runs the attacker with pk, m0, m1, and uses the attacker’s guess b′ to produce a solution. To do so it must also answer the attacker’s decryption queries C → m through a simulated decryption oracle.)
Random Oracle Model
• The random oracle methodology models hash functions as random functions [Bellare-Rogaway, 1993].
• Enables security proofs for very efficient schemes such as ECIES and RSA-OAEP.
• There exist schemes that are secure in the random oracle model, but insecure when used with any hash function [Canetti-Goldreich-Halevi, 1998].
“Double and Add” Schemes
• A series of schemes prove security by encrypting a message twice with a weak scheme and adding a “checksum”.
• Principle proposed by Naor and Yung.
• IND-CCA2 version of the scheme given in [Sahai, 1999].
• “Checksum” is a NIZK proof.
• Non-interactive zero-knowledge (NIZK) proof that two ciphertexts encrypt the same message. (Diagram on the slide: from the message and coins, together with the public value σ, the prover produces a proof π.)
• Zero knowledge: it must be possible to choose σ in such a way that there is a trapdoor τ which allows “false” proofs. (Diagram: with the private value τ, a proof π can be produced for any two ciphertexts, not only from the message and coins.)
• Simulation sound: it must not be possible to find a false proof (given only σ) even if you have seen one false proof.
• Use an IND-CPA scheme (G, E, D).
• Public key is (pk1, pk2, σ).
• Private key is sk1.
• To encrypt (diagram on the slide): C1 = E(pk1, m), C2 = E(pk2, m), and π is the NIZK proof under σ that C1 and C2 encrypt the same message.
• To decrypt: check the proof, then decrypt C1.
• This scheme is theoretical.
• The NIZK is impractical (very long output and time consuming to compute).
• However, it does show that public key encryption exists as long as trapdoor one-way permutations exist.
• The Cramer-Shoup scheme was the first practical and provably secure scheme [Cramer-Shoup, 1998].
“Double and Add” Schemes
• The Cramer-Shoup encryption scheme works on the same principles as Sahai.
• Key generation:
  • g, g′ ← G
  • x1, x2, y1, y2, z ← Zp
  • h ← g^z
  • e ← g^x1 · g′^x2
  • f ← g^y1 · g′^y2
  • pk = (g, g′, h, e, f)
  • sk = (x1, x2, y1, y2, z)
• Encrypt:
  • r ← Zp
  • a ← g^r
  • a′ ← g′^r
  • c ← h^r · m
  • v ← Hash(a, a′, c)
  • d ← e^r · f^(rv)
  • C = (a, a′, c, d)
“Double and Add” Schemes
• Start with a version of ElGamal.
• ElGamal is passively secure under the DDH assumption.
• Publicly known, random element h ← G.
• Key generation:
  • z ← Zp
  • g ← h^(1/z)
  • pk = g
  • sk = z
• Encrypt:
  • r ← Zp
  • a ← g^r
  • c ← h^r · m
  • C = (a, c)
• We need to encrypt twice under independent public keys.
• Key generation:
  • z, z′ ← Zp
  • g ← h^(1/z)
  • g′ ← h^(1/z′)
  • pk = (g, g′)
  • sk = (z, z′)
• Encrypt:
  • r, r′ ← Zp
  • a ← g^r
  • c ← h^r · m
  • a′ ← g′^r′
  • c′ ← h^r′ · m
  • C = (a, c, a′, c′)
“Double and Add” Schemes
• However, a paper by [Bellare-Boldyreva-Staddon, 2003] says we can reuse the random value r without losing security.
• Key generation:
  • z, z′ ← Zp
  • g ← h^(1/z)
  • g′ ← h^(1/z′)
  • pk = (g, g′)
  • sk = (z, z′)
• Encrypt:
  • r ← Zp
  • a ← g^r
  • c ← h^r · m
  • a′ ← g′^r
  • c′ ← h^r · m
  • C = (a, c, a′, c′)
• However, now c and c′ are the same value, so one copy can be dropped.
• Key generation: unchanged.
• Encrypt:
  • r ← Zp
  • a ← g^r
  • c ← h^r · m
  • a′ ← g′^r
  • C = (a, c, a′)
• Now, the value z′ is never used and so we can remove it.
• Key generation:
  • z ← Zp
  • g ← h^(1/z)
  • g′ ← G
  • pk = (g, g′)
  • sk = z
• Encrypt:
  • r ← Zp
  • a ← g^r
  • c ← h^r · m
  • a′ ← g′^r
  • C = (a, c, a′)
• And if we just tidy up a bit, then we get…
• (I’m hiding a few things here!)
• Key generation:
  • g, g′ ← G
  • z ← Zp
  • h ← g^z
  • pk = (g, g′, h)
  • sk = z
• Encrypt:
  • r ← Zp
  • a ← g^r
  • a′ ← g′^r
  • c ← h^r · m
  • C = (a, a′, c)
“Double and Add” Schemes
• However, this is over half the Cramer-Shoup scheme. Compare the two key generation algorithms:
• Derived scheme, key generation:
  • g, g′ ← G
  • z ← Zp
  • h ← g^z
  • pk = (g, g′, h)
  • sk = z
• Cramer-Shoup, key generation:
  • g, g′ ← G
  • x1, x2, y1, y2, z ← Zp
  • h ← g^z
  • e ← g^x1 · g′^x2
  • f ← g^y1 · g′^y2
  • pk = (g, g′, h, e, f)
  • sk = (x1, x2, y1, y2, z)
• And the two encryption algorithms:
• Derived scheme, encrypt:
  • r ← Zp
  • a ← g^r
  • a′ ← g′^r
  • c ← h^r · m
  • C = (a, a′, c)
• Cramer-Shoup, encrypt:
  • r ← Zp
  • a ← g^r
  • a′ ← g′^r
  • c ← h^r · m
  • v ← Hash(a, a′, c)
  • d ← e^r · f^(rv)
  • C = (a, a′, c, d)
• So this fits the Sahai mold, provided d acts like a NIZK.
• In the proof, it is shown that d can be faked if you know x1, x2, y1, y2.
• In the proof, it is shown that if a = g^r and a′ = g′^r′ for r′ ≠ r, then the decryption algorithm will reject.
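As an added worked example (not code from the talk or from Cramer and Shoup), the key generation and encryption from the slides together with the decryption check that the slides describe, in Python over a constructed toy group: Cramer-Shoup decryption recomputes d from a, a′, c and the private key and rejects on mismatch, which is what makes a ciphertext with a = g^r but a′ = g′^r′ fail. The group size, the SHA-256 instantiation of Hash and all function names are assumptions; keygen takes explicit exponents so the computation can be traced, and random_keygen draws them at random.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): Q = 2P + 1 is a safe prime;
# G is the order-P subgroup of squares mod Q, standing in for the talk's G with exponents in Zp.
Q, P = 1019, 509

def random_generator():
    """Random non-identity element of G (a square mod Q)."""
    while (g := pow(secrets.randbelow(Q - 2) + 2, 2, Q)) == 1:
        pass
    return g

def hash_to_zp(a, a2, c):
    """v = Hash(a, a', c) reduced into Zp (SHA-256 is an assumed instantiation)."""
    return int.from_bytes(hashlib.sha256(f"{a},{a2},{c}".encode()).digest(), "big") % P

def keygen(g, g2, x1, x2, y1, y2, z):
    """Key generation as on the slide: h = g^z, e = g^x1 g'^x2, f = g^y1 g'^y2."""
    h = pow(g, z, Q)
    e = pow(g, x1, Q) * pow(g2, x2, Q) % Q
    f = pow(g, y1, Q) * pow(g2, y2, Q) % Q
    return (g, g2, h, e, f), (x1, x2, y1, y2, z)

def random_keygen():
    return keygen(random_generator(), random_generator(), *[secrets.randbelow(P) for _ in range(5)])

def encrypt(pk, m, r=None):
    """Encrypt m in G; one r serves both 'ElGamal halves' a and a'."""
    g, g2, h, e, f = pk
    r = secrets.randbelow(P) if r is None else r
    a, a2, c = pow(g, r, Q), pow(g2, r, Q), pow(h, r, Q) * m % Q
    v = hash_to_zp(a, a2, c)
    d = pow(e, r, Q) * pow(f, r * v % P, Q) % Q   # the "checksum" d = e^r f^(rv)
    return (a, a2, c, d)

def decrypt(pk, sk, ct):
    """Return m, or None when the checksum d is inconsistent with (a, a', c)."""
    a, a2, c, d = ct
    x1, x2, y1, y2, z = sk
    v = hash_to_zp(a, a2, c)
    # Honest ciphertexts satisfy d = a^(x1 + y1 v) * a'^(x2 + y2 v). If a' was not
    # formed as g'^r with the same r as a, this fails (except with probability ~1/P).
    if d != pow(a, (x1 + y1 * v) % P, Q) * pow(a2, (x2 + y2 * v) % P, Q) % Q:
        return None
    return c * pow(a, P - z, Q) % Q   # a^(P - z) = a^(-z) = h^(-r), as a has order P

def inconsistent_ciphertext(pk, ct, r2):
    """The proof's bad case: keep a, c, d but replace a' by g'^r2 for r2 != r."""
    a, _, c, d = ct
    return (a, pow(pk[1], r2, Q), c, d)
```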
Signatures and Identities
• It is possible to turn a passively secure identity-based encryption scheme into a secure public-key encryption scheme [Canetti-Halevi-Katz, 2004].
• A little odd that it took the development of identity-based encryption before we got new public-key encryption schemes.
Extracting the Truth
• Plaintext awareness is a property of an encryption scheme that says that the only way to create a valid ciphertext is to generate a plaintext and encrypt it.
• So, if an attacker generates a valid ciphertext, then it must know the underlying message.
• Hence, a decryption oracle is no help.
• It’s difficult to say what it means for an attacker (a computer) to “know” something.
• The definitions are complex.
• All known proofs rely on the random oracle model, an unrealistic architecture, or suspect “extractor” assumptions.
• The subject for another lecture…
Extracting the Truth
• The idea was first given a full formal treatment in [Bellare-Desai-Pointcheval-Rogaway, 1998].
• However, this definition could only be achieved in the random oracle model.
• [Herzog-Liskov-Micali, 2003] gave a new interpretation of the problem, but it needed an unrealistic architecture.
• The first fully satisfactory definition for plaintext awareness in the standard model was given by [Bellare-Palacio, 2004].
• The Cramer-Shoup scheme was the first to be proven plaintext aware [Dent, 2006].
• Cramer-Shoup and Kurosawa-Desmedt “hash proof system” schemes can be shown to be plaintext aware [Birkett-Dent].
Where are we now?
• [Boneh-Katz, 2005] is a signature-identity scheme similar to the CHK transform.
  • Transform efficiency overhead is minimal.
  • Still requires a passively secure IBE scheme.
• [Hofheinz-Kiltz, 2007] mixes Cramer-Shoup and IBE techniques.
  • 2.5 exponentiations for encryption
  • 1.5 exponentiations for decryption

Conclusions
• None of the approaches really work…
  • They use the random oracle model,
  • or they intrinsically require two operations,
  • or they use weak “extractor” assumptions.
• A new approach is needed if we’re going to prove the ultra-high-speed schemes secure.
• Plenty missing from this presentation.