1 / 41

A Brief History of Provable Security and PKE

A Brief History of Provable Security and PKE. Alex Dent Information Security Group Royal Holloway, University of London. A Provable Timeline. Late 1970s: First secure schemes 1980s: Definitions 1990s: Random oracle model schemes Late 1990s: “Double and add” schemes NIZK proof schemes

chana
Download Presentation

A Brief History of Provable Security and PKE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Brief History of Provable Security and PKE Alex Dent Information Security Group Royal Holloway, University of London

  2. A Provable Timeline • Late 1970s: First secure schemes • 1980s: Definitions • 1990s: Random oracle model schemes • Late 1990s: “Double and add” schemes • NIZK proof schemes • Cramer-Shoup encryption • 2000s: Signatures and identities • 2000s: Extracting the truth

  3. Definitions • Confidentiality means that an attacker cannot find any information about a plaintext from a ciphertext. • Semantic security captures this notion.

  4. Definitions • IND-CPA is equivalent to semantic security [Goldwasser-Micali, 1984].

  5. Definitions • Attacker wins if b = b′ • Advantage of an attacker is: | Pr[ b = b′ ] - ½ | m0 b ← {0,1} C* = Enc(pk,mb) C* pk b′ m1

  6. Definitions • IND-CCA1 security: Allows access to a decryption oracle before the challenge ciphertext is issued [Naor-Yung, 1990].

  7. Definitions • IND-CCA2 security: Allow access to a decryption oracle before and after the challenge ciphertext is issued. [Rackoff-Simon, 1991]

  8. Definitions • Advantage of an attacker is: | Pr[ b = b′ ] - ½ | m = Dec(sk,C) m = Dec(sk,C) C C m m (C ≠ C*) m0 b ← {0,1} C* = Enc(pk,mb) C* pk b′ m1

  9. Definitions • Why is this such a difficult notion of security to achieve?

  10. Definitions • Decryption oracle has to be “consistent”. • Trivial oracle queries. Simulated Decryption Oracle C m C m Simulated Ciphertext m0 C* Solution Problem b´ pk m1

  11. Random Oracle Model • The random oracle methodology models hash functions as random functions. [Bellare-Rogaway, 1993] • Enables security proofs for very efficient schemes such as ECIES and RSA-OAEP.

  12. Random Oracle Model • There exists schemes that are secure in the random oracle model, but insecure when used with any hash function. [Canetti-Goldreich-Halevi, 1998]

  13. “Double and Add” Schemes • A series of schemes prove security by encrypting a message twice with a weak scheme and adding a “checksum”. • Principle proposed by Naor and Yung. • IND-CCA2 version of the scheme given in [Sahai, 1999] • “Checksum” is NIZK proof.

  14. “Double and Add” Schemes • Non-interactive zero-knowledge (NIZK) proof that two ciphertexts encrypt the same message. Public value: σ Proof π Message and coins

  15. “Double and Add” Schemes • Zero knowledge: it must be possible to choose σ in such a way that there is a trapdoor τ which allows “false” proofs. Public value: σ Private value: τ Proof π Proof π Message and coins Any two ciphertexts

  16. “Double and Add” Schemes • Simulation sound: it must not be possible to find a false proof (given only σ) even if you have seen one false proof. Public value: σ Private value: τ Proof π Proof π Message and coins Any two ciphertexts

  17. “Double and Add” Schemes • Use an IND-CPA scheme (G ,E ,D ). • Public key is (pk1,pk2,σ). • Private key is sk1. • To decrypt: • Check proof • Decrypt C1. m E E NIZK pk1 pk2 σ C1 C2 π

  18. “Double and Add” Schemes • This scheme is theoretical. • The NIZK is impractical (very long output and time consuming to compute). • However, it does show that public key encryption exists as long as trapdoor one-way permutations exist.

  19. “Double and Add” Schemes • The Cramer-Shoup scheme was the first practical and provably secure scheme. [Cramer-Shoup, 1998]

  20. “Double and Add” Schemes • The Cramer-Shoup encryption scheme works on the same principles as Sahai. • Key generation: • g, g′← G • x1,x2,y1,y2,z ← Zp • h ← gz • e ← gx1·g′x2 • f ← gy1·g′y2 • pk = (g,g′,h,e,f) • sk = (x1,x2,y1,y2,z) • Encrypt: • r ← Zp • a ← gr • a′ ← g′r • c ← hr ·m • v ← Hash(a,a′,c) • d ← er · frv • C = (a,a′,c,d)

  21. “Double and Add” Schemes • Start with a version of ElGamal • ElGamal is passively secure under the DDH assumption. • Publicly known, random element h ← G. • Key generation: • z ← Zp • g ← h1/z • pk = g • sk = z • Encrypt: • r ← Zp • a ← gr • c ← hr ·m • C = (a,c)

  22. “Double and Add” Schemes • We need to encrypt twice under independent public keys. • Key generation: • z, z′← Zp • g ← h1/z • g′ ← h1/z′ • pk = (g,g′) • sk = (z,z′) • Encrypt: • r, r′← Zp • a ← gr • c ← hr ·m • a′ ← g′r′ • c′ ← hr′ ·m • C = (a,c,a′,c′)

  23. “Double and Add” Schemes • However, a paper by [Bellare-Boldyreva-Staddon, 2003] says we can reuse the random value r without losing security.

  24. “Double and Add” Schemes • However, a paper by [Bellare-Boldyreva-Staddon, 2003] says we can reuse the random value r without losing security. • Key generation: • z, z′← Zp • g ← h1/z • g′ ← h1/z′ • pk = (g,g′) • sk = (z,z′) • Encrypt: • r ← Zp • a ← gr • c ← hr ·m • a′ ← g′r • c′ ← hr ·m • C = (a,c,a′,c′)

  25. “Double and Add” Schemes • However, now c and c′ are the same value • Key generation: • z, z′← Zp • g ← h1/z • g′ ← h1/z′ • pk = (g,g′) • sk = (z,z′) • Encrypt: • r ← Zp • a ← gr • c ← hr ·m • a′ ← g′r • C = (a,c,a′)

  26. “Double and Add” Schemes • Now, the value z′ is never used and so we can remove it. • Key generation: • z ← Zp • g ← h1/z • g′ ← G • pk = (g,g′) • sk = z • Encrypt: • r ← Zp • a ← gr • c ← hr ·m • a′ ← g′r • C = (a,c,a′)

  27. “Double and Add” Schemes • And if we just tidy up a bit, then we get… • (I’m hiding a few things here!) • Key generation: • g, g′ ← G • z ← Zp • h ← gz • pk = (g,g′,h) • sk = z • Encrypt: • r ← Zp • a ← gr • a′ ← g′r • c ← hr ·m • C = (a,a′,c)

  28. “Double and Add” Schemes • However, this is over half the Cramer-Shoup scheme: • Key generation: • g, g′ ← G • z ← Zp • h ← gz • pk = (g,g′,h) • sk = z • Key generation: • g, g′← G • x1,x2,y1,y2,z ← Zp • h ← gz • e ← gx1·g′x2 • f ← gy1·g′y2 • pk = (g,g′,h,e,f) • sk = (x1,x2,y1,y2,z)

  29. “Double and Add” Schemes • However, this is over half the Cramer-Shoup scheme: • Encrypt: • r ← Zp • a ← gr • a′ ← g′r • c ← hr ·m • C = (a,a′,c) • Encrypt: • r ← Zp • a ← gr • a′ ← g′r • c ← hr ·m • v ← Hash(a,a′,c) • d ← er · frv • C = (a,a′,c,d)

  30. So this fits the Sahai mold providing d acts like a NIZK. In the proof, it is shown the d can be faked if you know x1,x2,y1,y2. In the proof, it is shown that if a = gr and a′ = g′r′ then the decryption algorithm will reject. “Double and Add” Schemes • Encrypt: • r ← Zp • a ← gr • a′ ← g′r • c ← hr ·m • v ← Hash(a,a′,c) • d ← er · frv • C = (a,a′,c,d)

  31. Signatures and Identites • It is possible to turn a passively secure identity-based encryption scheme into a secure public-key encryption scheme. [Canetti-Halevi-Katz, 2004]

  32. Signatures and Identites • It is possible to turn a passively secure identity-based encryption scheme into a secure public-key encryption scheme. [Canetti-Halevi-Katz, 2004] • A little odd that it took the development of identity-based encryption before we got new public-key encryption schemes.

  33. Extracting the Truth • Plaintext awareness is a property of an encryption scheme that says that the only way to create a valid ciphertext is to generate a plaintext and encrypt it. • So, if an attacker generates a valid ciphertext, then it must know the underlying message. • Hence, a decryption oracle is no help.

  34. Extracting the Truth • It’s difficult to say what it means for an attacker (computer) to “know” something. • The definitions are complex. • All known proofs rely on the random oracle model, an unrealistic architecture, or suspect “extractor” assumptions. • The subject for another lecture…

  35. Extracting the Truth • The idea was first given a full formal treatment in [Bellare-Desai-Pointcheval-Rogaway, 1998].

  36. Extracting the Truth • The idea was first given a full formal treatment in [Bellare-Desai-Pointcheval-Rogaway, 1998]. • However, this definition could only be achieved in the random oracle model.

  37. Extracting the Truth • [Herzog-Liskov-Micali, 2003] gave a new interpretation of the problem, but it needed an unrealistic architecture. • The first fully satisfactory definition for plaintext awareness in the standard model was given by [Bellare-Palacio, 2004]

  38. Extracting the Truth • The Cramer-Shoup scheme was the first to be proven plaintext aware [Dent, 2006] • Cramer-Shoup and Kurosawa-Desmedt “hash proof system” schemes can be shown to be plaintext aware [Birkett-Dent].

  39. Where are we now? • [Boneh-Katz, 2005] is a signature-identity scheme similar to the CHK transform. • Transform efficiency overhead is minimal. • Still requires a passively secure IBE scheme • [Hofheinz-Kiltz, 2007] mixes Cramer-Shoup and IBE techniques. • 2.5 exponentiations for encryption • 1.5 exponentiations for decryption

  40. Conclusions • None of the approaches really work… • Use the random oracle model • Or they intrinsically require two operations • Or they use weak “extractor” assumptions • New approach is needed if we’re going to prove the ultra-high-speed schemes secure. • Plenty missing from this presentation

  41. Questions?

More Related