
Mihir Bellare  Alexandra Boldyreva  Adriana Palacio

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem. Mihir Bellare, Alexandra Boldyreva, Adriana Palacio, University of California at San Diego.



  1. An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem Mihir Bellare  Alexandra Boldyreva  Adriana Palacio University of California at San Diego

  2. The Random-Oracle (RO) model [BR93]. [Diagram: an algorithm on input M computes … h=H(a) … g=G(b) … by querying the oracles H and G; the adversary A has access to the same oracles.] • Algorithms of the scheme, as well as the adversary, have oracle access to random functions. • Very popular: there are numerous schemes designed and proven secure in this model.

  3. Moving to the real world However, the RO model is an idealized setting. To get a real-world scheme we must instantiate the ROs with real functions.

  4. Instantiation of this scheme via SHA1. (M): … h=SHA1(a) … g=SHA1(b) …

  5. Instantiation: more generally. Let F1, F2 be poly-time computable families of functions. (M): … $h = F1_{L1}(a)$ … $g = F2_{L2}(b)$ …

  6. Security of instantiated schemes RO model thesis: If a scheme is proven secure in the RO model, then it remains secure under a suitable instantiation. Question: Is this true? Answer: No. Past work has shown the existence of uninstantiable schemes.

  7. Uninstantiable schemes Definition. A scheme is uninstantiable (with respect to some cryptographic goal) if • The scheme satisfies the goal in the RO model • No instantiation satisfies the goal in the standard model

  8. Examples of uninstantiable schemes

  9. Examples of uninstantiable schemes

  10. Reaction: OK, but “in practice”, the RO model thesis is true. Practical RO model thesis: The RO model thesis holds for “natural, practical” schemes for “practical” goals.

  11. Our work. We present an RO model scheme that • is simple and natural, and resembles existing RO model schemes. • is for a practical security goal. • but is uninstantiable.

  12. Caveats and impact • Our result does have artificial aspects as we will see, and should not be taken to indicate that the practical RO model thesis is false. • But it shows that uninstantiable schemes arise in more practical situations than indicated by previous work.

  13. Plan • The goal • The scheme • The positive result • The negative result • Conclusions

  14. Plan • The goal • The scheme • The positive result • The negative result • Conclusions

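  15. Classical view of asymmetric encryption usage. AS = (AK,AE,AD). [Diagram: the Sender encrypts M with AE under pkR to get C; the Receiver R, holding skR, recovers M.]

  16. In practice: hybrid approach. SS = (SK,SE,SD), AS = (AK,AE,AD). [Diagram: the Sender generates K with SK, sends C0, the AE encryption of K under pkR, and then C1, …, Cn, the SE encryptions of M1, …, Mn under K; the Receiver R, holding skR, recovers M1, …, Mn.] AS + SS = Multi-Message (MM) Hybrid (AS,SS).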

  17. Goal: IND-CCA-secure MM-Hybrid Encryption We can define, in a natural way, IND-CCA security for an MM-hybrid scheme (AS,SS). Certainly, a necessary condition for IND-CCA security of an MM-hybrid (AS,SS) is IND-CCA security of SS. But what do we need from the asymmetric encryption scheme AS?

  18. Easy theorem: IND-CCA AS + Any IND-CCA SS = IND-CCA MM-hybrid (AS,SS). However, the above could be true even if AS satisfies a weaker condition than IND-CCA.

  19. IND-CCA-preserving asymmetric schemes. What emerges: A new notion of security for asymmetric encryption schemes. Definition: An asymmetric encryption scheme AS is IND-CCA-preserving if AS + Any IND-CCA SS = IND-CCA MM-hybrid (AS,SS).

  20. Why IND-CCA-preserving schemes? For asymmetric schemes: IND-CCA (stronger notion) ⇒ IND-CCA-preserving (weaker notion). In particular, an IND-CCA-preserving scheme need not even be randomized, since it is used to encrypt random keys. The hope: IND-CCA-preserving schemes more efficient than existing IND-CCA ones. The benefit: Security of encryption in practice at lower cost.

  21. Summary Our goal: IND-CCA preserving asymmetric encryption

  22. Plan • The goal • The scheme • The positive result • The negative result • Conclusions

  23. * H: {0,1}k q G: 2q+1{0,1}k Hash ElGamal RO model asymmetric encryption scheme HEG = (AK,AE,AD) pk = (k,q,g,X=gx), sk = (k,q,g,x), * where q, 2q+1 are primes and g has order q in 2q+1 (Y,W) (K) KG(Yx)W If gH(K)=Y then Return K else Reject rH(K) PG(Xr) Return (gr,PK) Note.HEG is deterministic and thus not even IND-CPA!

  24. Plan • The goal • The scheme • The positive result • The negative result • Conclusions

  25. Security of Hash ElGamal. Theorem 1. Under the Computational Diffie-Hellman assumption (CDH), HEG is IND-CCA-preserving in the RO model: HEG + Any IND-CCA SS = IND-CCA MM-hybrid (HEG,SS).

  26. HEG is similar to existing schemes GEM, GEM1, GEM2, FO, REACT… Something almost identical (but randomized) appeared in [BaLeKi00].

  27. Plan • The goal • The scheme • The positive result • The negative result • Conclusions

  28. Now, the interesting stuff. Theorem 2. No instantiation of HEG is IND-CCA-preserving in the standard model. I.e. it is IND-CCA preserving in the RO model, but no standard model implementation of it is IND-CCA preserving? Right! More precisely…

  29. Security of HEG instantiations. Let F1, F2 be poly-time computable families of functions.
      $AE_{pk}(K)$: $r \leftarrow F1_{L1}(K)$; $P \leftarrow F2_{L2}(X^r)$; Return $(g^r, P \oplus K)$.
      Theorem 2. For any F1, F2 the above standard model asymmetric encryption scheme is not IND-CCA preserving.

  30. A caveat • Proof of Theorem 2 shows that for every F1, F2 (poly-time families of functions) THERE EXISTS SS such that (HEG,SS) is not an IND-CCA secure MM-hybrid. • But SS is an artificial scheme, depending on F1, F2. • Theorem 2 does not imply that e.g. (HEG,CBC-type SS) is insecure. • So although HEG is simple and natural, there is some artificiality under the rug.

  31. However, we still believe the result is valuable because we have • A practical goal: IND-CCA preserving encryption • A simple, natural scheme resembling existing RO schemes: HEG. • Yet HEG is uninstantiable: its real-world implementation loses the security property. • And HEG is innocuous looking; one would not suspect any anomalies in advance.

  32. About the proof of Theorem 2 Let HEG be ANY instantiation of HEG via poly-time computable families of functions. • We present a symmetric encryption scheme SS=(SK,SE,SD), such that • SS is IND-CCA secure • (HEG,SS) is not IND-CCA secure

  33. Key and ciphertext verifiability
      • Def. An asymmetric encryption scheme is key-verifiable if there is a poly-time algorithm KV such that KV(pk) = 1 if pk is a valid public key, and 0 otherwise.
      • Def. An asymmetric encryption scheme is ciphertext-verifiable if there is a poly-time algorithm CV such that CV(pk, M, C) = 1 if C is a valid encryption of M under pk, and 0 otherwise.
      • Claim. Any instantiation HEG of HEG is key- and ciphertext-verifiable.
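An added illustration (not code from the slides or the paper) of why an instantiated Hash ElGamal is key- and ciphertext-verifiable: the hash functions are public and encryption uses no coins, so anyone can check the group parameters and re-encrypt to check a ciphertext. The domain-separated SHA-256 stand-ins for F1 and F2, the toy primes q = 1019 and 2q+1 = 2039, and the specific checks inside KV are assumptions made for this sketch.

```python
import hashlib

def _is_prime(n):                      # trial division, fine for toy sizes
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(K, q):                           # assumed stand-in for F1: {0,1}^k -> Z_q
    return int.from_bytes(hashlib.sha256(b"H" + K).digest(), "big") % q

def G(z, k):                           # assumed stand-in for F2: Z*_{2q+1} -> {0,1}^k
    return hashlib.sha256(b"G" + str(z).encode()).digest()[: k // 8]

def keygen(x, k=128, q=1019, g=4):     # constructed toy group, not a secure size
    return (k, q, g, pow(g, x, 2 * q + 1)), x

def encrypt(pk, K):                    # AE_pk(K): r <- H(K); return (g^r, G(X^r) xor K)
    k, q, g, X = pk
    p, r = 2 * q + 1, H(K, q)
    return pow(g, r, p), _xor(G(pow(X, r, p), k), K)

def decrypt(pk, x, C):                 # AD_sk(Y, W): recover K, then re-check Y
    k, q, g, _ = pk
    Y, W = C
    K = _xor(G(pow(Y, x, 2 * q + 1), k), W)
    return K if pow(g, H(K, q), 2 * q + 1) == Y else None

def KV(pk):                            # key verifiability: uses public values only
    k, q, g, X = pk
    p = 2 * q + 1
    return (_is_prime(q) and _is_prime(p) and 1 < g < p and 1 <= X < p
            and pow(g, q, p) == 1 and pow(X, q, p) == 1)

def CV(pk, K, C):                      # ciphertext verifiability: just re-encrypt
    return len(K) * 8 == pk[0] and encrypt(pk, K) == C

if __name__ == "__main__":
    pk, sk = keygen(123)               # constructed secret exponent
    K = bytes(range(16))               # constructed 128-bit symmetric key
    C = encrypt(pk, K)
    print(decrypt(pk, sk, C) == K, KV(pk), CV(pk, K, C), CV(pk, bytes(16), C))
```

Neither check needs the secret key, which is the property the proof of Theorem 2 relies on.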

  34. SS construction for Proof of Theorem 2. Let SS’=(SK’,SE’,SD’) be any IND-CCA symmetric scheme.
      $SK(1^k)$: $K1 \leftarrow SK'(1^{k/2})$; $K2 \leftarrow \{0,1\}^{k/2}$; Return $K1||K2$.
      $SE_{K1||K2}(M)$: $C' \leftarrow SE'_{K2}(M)$; Parse M as M1||M2; If M1 is a valid pk for HEG and if M2 is a valid HEG ciphertext of K1||K2 under pk Then Return C’||0 else Return C’||1.
      The two validity checks are sound operations since HEG is key- and ciphertext-verifiable.

  35. We show that SS is IND-CCA. • In order to show that (HEG,SS) is not IND-CCA we use the fact that HEG is key- and ciphertext-verifiable. The details are in the paper. • In general: no key- and ciphertext-verifiable scheme is IND-CCA preserving.

  36. Plan • The goal • The scheme • The positive result • The negative result • Conclusions

  37. Conclusions • We presented a simple uninstantiable scheme for a practical goal. • We do not suggest one abandon the RO model. • We do suggest that designers of RO model schemes pay more attention to the question of instantiation, which is usually entirely neglected. • Our example shows that uninstantiable schemes really come up.

  38. Thank you!
