1 / 31

Anonymity and Robustness in Encryption Schemes

Anonymity and Robustness in Encryption Schemes. Payman Mohassel University of Calgary. Public Key Encryption (PKE). ( pk , sk )  KG. pk. C = Enc( pk,m ). m = Dec( sk,C ). PKE = (KG, Enc, Dec). Traditional Security Notions ( Data Secrecy). Semantic security

edan-schneider
Download Presentation

Anonymity and Robustness in Encryption Schemes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Anonymity and Robustness in Encryption Schemes PaymanMohassel University of Calgary

  2. Public Key Encryption (PKE) (pk, sk)  KG pk C = Enc(pk,m) m = Dec(sk,C) PKE = (KG, Enc, Dec)

  3. Traditional Security Notions(Data Secrecy) • Semantic security • No function of the message is leaked • Equivalent to indistinguishability • Non-malleability • Hard to create ciphertext for related messages • Chosen plaintext attacks (CPA) • Chosen ciphertext attacks (CCA)

  4. Mobile Communication Base Station Mobile User key exchange pk Enc(pk, message) eavesdropper wants to learn identity of mobile user

  5. Secure Auction [Sako’00] • First practical auction to hide bid values • Keys correspond to bid values • A known message is encrypted using the key • Hiding a bid value requires hiding the key

  6. Dec(sk’, c) = c c c = Enc(pk, m) (pk, sk) c

  7. Other Guarantees • Does the ciphertext hide the key? • Anonymity • What happens when decrypting using a different key? • Robustness

  8. ANON-CCA (pk0, sk0)  KG(1n) (pk1, sk1)  KG(1n) b  {0,1} Challenger Dec(skb1, c1) Dec(skbi, ci) Dec(skbi+1, c1) Dec(skbq, cq) C=Enc(pkb,m) pk0, pk1 . . . . . . . . m c1 , b1 ci, bi ci+1 , bi+1 cq, bq b’  Advanon-cca,PKE(A) =|Pr[b’ = b] – ½| is negligible

  9. Weak Robustness (WROB-CCA) (pk0, sk0)  KG(1n) (pk1, sk1)  KG(1n) Challenger Dec(skbi, ci) . . . . M pk0, pk1 ci, bi Adv wins if Dec(sk1, C) ≠ , where C = Enc(pk0,M)

  10. Strong Robustness (SROB-CCA) (pk0, sk0)  KG(1n) (pk1, sk1)  KG(1n) Challenger Dec(skbi, ci) . . . . C pk0, pk1 ci, bi Adv wins if Dec(sk0,C) ≠ and Dec(pk1,C) ≠

  11. What is Known? • Anonymity • Not always satisfied • y = xe mod N for random x • pk0 = (N0, e0) pk1 = (N1, e1), N1 > N0 • If y > N0 return pk1 else return pk0 • Robustness • ElGamal is not robust • [pk0 = (G, p, g, gx), sk0 = x] , [pk1 = (G, p, g, gy), sk1 = y] • Enc(pk0, m) = (c1, c2) = (gr, mgxr) • m’ = Dec(sk1, (c1, c2)) = c2/c1y = mg(x-y)r

  12. What is Known? • Anonymous PKE and IBE • [Bellare et al. 2001], [Abdalla et al. 2008] • PKE: DHIES, [Cramer-Shoup’01] • IBE: [Boneh-Franklin’01], [Boyen-Waters’06] • Robust PKE and IBE • [Abdalla et al. 2010] • Strongly robust IBE: [Boneh-Franklin’01] • Weakly robust PKE: DHIES, [Cramer-Shoup’01] • Not robust: [Boyen-Waters’06]

  13. Our Contribution • Studying anonymity of hybrid encryption • Positive and negative results • More efficient transformations for robust encryption schemes • Computation and ciphertext size • Please see the paper

  14. Question: Given an “anonymous PKE/IBE” and an “anonymous SKE”,is the hybrid encryption scheme also anonymous?

  15. Anonymity of Hybrid Encryption • ANON-CPA PKE/IBE + IND-CPA SKE • The hybrid encryption is ANON-CPA • [negative] ANON-CCA PKE/IBE + IND-CCA SKE • The hybrid encryption is NOT always ANON-CCA • True if SKE is ANON-CCA or more • [positive] (WROB + ANON)-CCA PKE/IBE + AE SKE • The hybrid encryption is ANON-CCA • More evidence that “anonymity” and “robustness” are needed simultaneously

  16. Counter Example (PKE) • Start with (WROB + ANON)-CCA PKE1 • PKE1 = (KG1, Enc1, Dec1) • Build PKE2 = (KG2, Enc2, Dec2) • Dec2 • Run Dec1, if it returns return 0n • Else return what Dec1 outputs • PKE2 is still ANON-CCA

  17. Counter Example (SKE) • We use a key-binding IND-CCA SKE • Key-binding SKE = (K, SE, SD) • For any k  K, randomness r, and message m • There is no k’ ≠ k where SDk’(SEk(m,r)) ≠ • PKE2+ key-binding SKE • Not ANON-CCA

  18. Counter Example (pk0, sk0)  KG(1n) (pk1, sk1)  KG(1n) b  {0,1} Challenger (c1, c2) = (Enc2(pkb,k), SE(k,m)) pk0, pk1 Decryption query under pk0 for (c1, SE(0n,m’)) m b’  If the answer is let b’ = 0, else b’ = 1

  19. Counter Example • Requiring stronger security notion for SKE does NOT help • If it can be combined with key-binding • What about stronger notions for the PKE?

  20. Positive Result Claim: If PKE is (ANON + WROB + IND)-CCA and SKE is a (one-time) authenticated encryption, the hybrid construction is (ANON + IND)-CCA

  21. Game 0 (pk0, sk0)  KG(1n) (pk1, sk1)  KG(1n) b  {0,1} Challenger Dec(skb1, C1) Dec(skbi, Ci) Dec(skb1, C1) Dec(skbq, Cq) c*1 = Enc(pkb,k*) c*2 = SE(k*,m) pk0, pk1 . . . . . . . . m C1 , b1 Ci, bi Ci+1 , bi+1 Cq, bq b’  Advanon-cca,PKE(A) =|Pr[b’ = b] – ½| is negligible

  22. Game 1 (pk0, sk0)  KG(1n) (pk1, sk1)  KG(1n) b  {0,1} Challenger SD(k*, c2) c*1 = Enc(pkb, k*) c*2 = SE(k*, m) pk0, pk1 m (c*1, c2 ≠ c*2), b b’  Difference in games: decryption error

  23. Game 2 (pk0, sk0)  KG(1n) (pk1, sk1)  KG(1n) b  {0,1} Challenger c*1 = Enc(pkb,k*) c*2 = SE(k*,m) pk0, pk1 m (c*1, c2 ≠ c*2), 1-b b’  Difference in games: weak robustness of the PKE only if c*1 decrypts under pkb and pk1-b

  24. Game 3 (pk0, sk0)  KG(1n) (pk1, sk1)  KG(1n) b  {0,1} Challenger c*1 = Enc(pkb,k*) c*2 = SE(k’,m) pk0, pk1 m b’  Difference in games:IND-CCA security of the PKE

  25. Game 4 (pk0, sk0)  KG(1n) (pk1, sk1)  KG(1n) b  {0,1} Challenger c*1 = Enc(pkb,k*) c*2 = SE(k’,m) pk0, pk1 m (c*1, c2 ≠ c*2), {b or 1-b} b’  Difference in games:CTXT integrity of the SKE only if a valid ciphertext under k’ is generated

  26. Putting Things Together • Advanon-cca(hybrid) < Advwrob-cca(PKE) + Advind-cca(PKE) + Advctxt-int(SKE) + Advanon-cca(PKE) • Boneh-Franklin, Cramer-Shoup, DHIES are WROB-CCA • Boyen-Waters IBE is not

  27. Summary • ANON-CCA PKE + (…) SKE  ANON-CCA hybrid • (WROB + ANON)-CCA PKE + AE SKE  ANON-CCA hybrid • Is weak-robustness a necessary condition? • Is Boyen-Waters (in)secure when used in a hybrid construction?

  28. Thank you

  29. Results on Robustness • [Abdalla et al.’10] • Transforming ANON-CCA schemes to robust ones • We design more efficient transformations • Refer to the paper

  30. Indentity-based encryption (IBE) (par, msk) MKG (sk,pk)PKG id C = Encpk(m) m = Decsk(C) IBE = (MKG, Enc, Dec)

  31. IND-CCA (pk, sk) KG(1n) ; b  {0,1} Challenger Decsk(c1) Decsk(ci+1) Decsk(ci) Decsk(cq) C=Encpk(mb) . . . . . . . . m0 , m1 c1 ci+1 ci cq b’  Advind-cca,PKE(A) =|Pr[b’ = b] – ½| is negligible

More Related