
Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model

Tatsuaki Okamoto, NTT


Presentation Transcript


  1. Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model. Tatsuaki Okamoto, NTT

  2. Security of Public-Key Cryptosystems
     • Target
       • One-wayness (OW): hard to invert
       • Semantically secure (Indistinguishable) (IND): no partial information is released
       • Non-malleable (NM): for any non-trivial relation R, E(M) → E(R(M)) is hard
     • Attacks
       • Passive attacks (Chosen Plaintext Attacks: CPA)
       • Chosen-ciphertext attacks (Chosen Ciphertext Attacks: CCA)

  3. Semantic Security (IND: Indistinguishability)
     • The probability of correctly guessing (b = b’) is negligible
     [Figure labels: m0, m1: randomly selected; Adv: guess of b’]

  4. Chosen Ciphertext Attack (CCA)
     [Figure: the Attacker, given the public key and the ciphertext C0, sends C1, …, Cn to the decryption oracle and receives P1, …, Pn; the goal is information on the plaintext P0. Rule: C0 ≠ C1, …, Cn]
     • CCA1 (lunch-time attack, Naor-Yung 90)
       • C0 is given to the attacker after the active attack is completed.
     • CCA2 (Rackoff-Simon 91)
       • C0 is given to the attacker before the active attack starts.

  5. Relationships among Security Definitions (1)
     • Non-malleable (NM) → Semantically secure (IND)
       • (i.e., NM-CPA → IND-CPA, NM-CCA2 → IND-CCA2)
     • IND-CCA2 → NM-CCA2
     • Remark: NM-CPA → IND-CCA1
     • Conclusion: Strongest security
       • Semantically secure against chosen-ciphertext attack 2
       • IND-CCA2 = NM-CCA2

  6. Relationships among Security Definitions (2)
     [Table with axes Target and Attack; contents not preserved]

  7. History of Provably Secure Public-key Encryption
     [Timeline figure; the positions of the labels along the time axis are not preserved]
     • Years: 1976, 1978, 1979, 1982, 1984, 1990, 1991, 1993, 1994, 1998, 2001
     • Schemes and papers: DDN, NY, BR, BDPR, DH, Rabin, RSA, GM, RS, OAEP, CS
     • Security notions: (NM-CCA2), (Random oracle model), (OW-CPA), (IND-CPA), (IND-CCA1), (IND-CCA2)
     • Phases: Concept of public-key cryptosystem; Proposal of various tricks; Provable security (Theory); Practical approach by random oracle model; Practical scheme in the standard model

  8. The Plain RSA Scheme Is Not Secure in the Sense of IND-CCA2
     • Not indistinguishable (IND): deterministic
       [Figure: Adv, given m0, m1 and C, correctly outputs b = 0/1]
     • Vulnerable against CCA2: random-self-reducibility
       [Figure: Adv sends C’ = C・R^e to the decryption oracle (DO) and obtains M’; M’/R = plaintext of C]
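Both bullets of slide 8 can be checked numerically. The following is an added example, not code from the presentation; the key is a constructed toy key and the function names are hypothetical.

```python
# Added illustration. P and Q are constructed toy primes (Mersenne primes, trivially
# factorable), chosen only so the arithmetic runs offline.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent

def rsa_enc(m: int) -> int:
    """Plain RSA: no padding, no randomness, so encryption is deterministic."""
    return pow(m, E, N)

def decryption_oracle(c: int, challenge: int) -> int:
    """CCA2 oracle: decrypts any ciphertext except the challenge itself."""
    if c == challenge:
        raise ValueError("the challenge ciphertext may not be queried")
    return pow(c, D, N)

def guess_b_passively(c: int, m0: int, m1: int) -> int:
    """IND fails without any oracle: re-encrypt m0 and compare with C."""
    return 0 if rsa_enc(m0) == c else 1

def recover_with_oracle(c: int, r: int) -> int:
    """Slide 8: C' = C * R^e differs from C, decrypts to M' = M * R, and M'/R = M."""
    c_blind = (c * pow(r, E, N)) % N
    m_blind = decryption_oracle(c_blind, challenge=c)
    return (m_blind * pow(r, -1, N)) % N

if __name__ == "__main__":
    m0, m1 = 1234567890, 9876543210        # constructed sample plaintexts
    c = rsa_enc(m1)
    print("passive guess of b:", guess_b_passively(c, m0, m1))
    print("oracle recovers m1:", recover_with_oracle(c, r=7) == m1)
```

The oracle's only rule, C0 ≠ Ci, is satisfied by the blinded query, which is why the conversions on the later slides add a validity check that such a ciphertext cannot pass.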

  9. EC-ElGamal Encryption • elliptic curve • point with order • Public-key (E, P, W, ) Secret-key x • Encryption plaintext m, • bit-wise exclusive-or, (rW)X is the x-coordinate of rW • Decryption ciphertext

  10. The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (1) • Malleable = m’ Non-trivial relation with

  11. The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (2) • CCA2 Attack Adv Decryption Oracle

  12. How to Construct an Encryption Scheme with the Strongest Security (IND-CCA2)
      • Based on zero-knowledge proofs
        • Dolev-Dwork-Naor (1991)
        • Inefficient
      • Based on truly random function (random oracle model)
        • Bellare-Rogaway: OAEP (1994) … PKCS#1 (Ver. 2) 1998
        • Fujisaki-Okamoto (1999), Pointcheval (2000)
        • Okamoto-Pointcheval: REACT (2001)
        • Practical (using practical one-way functions in place of random functions)
      • Practical construction without using a random function
        • Cramer-Shoup (1998)

  13. Design Strategy of Practical and Provably Secure Public-key Encryption
      • Primitive Encryption Function (Trapdoor Function). Example: RSA, ElGamal, etc.
      • Conversion Using Hash Functions (Random Functions)
      • Secure Encryption Scheme: Semantically Secure against Adaptively Chosen Ciphertext Attacks (IND-CCA2)

  14. Random Oracle Model (Truly Random Model)
      [Figure: H (random oracle / random function) drawn as an Input/Output table (labels: 2n, n bits, random); User 1 and User 2 query the same H: x1 → H(x1), xk → H(xk)]

  15. Conversions for the RSA Encryption Function • OAEP(Bellare-Rogaway 1994) • OAEP+ (Shoup 2001) • SAEP (Boneh 2001) • SAEP+ (Boneh 2001) • REACT (Okamoto-Pointcheval 2001)

  16. OAEP
      • RSA-OAEP: de facto standard format of the RSA encryption … used in SSL (PKCS#1) and SET
      [Figure: OAEP padding diagram with labels m, 00…0, r, G, G(r), H, H(s), s, t, one-way permutation; (Example) RSA-OAEP]

  17. Security of OAEP (FOPS 2001) • OAEP is IND-CCA2 secure under the partial-domain one-wayness assumption in the random oracle model. • RSA-OAEP is IND-CCA2 secure under the RSA assumption in the random oracle model. The reduction efficiency (to the RSA inversion) is less than that of the optimal case.
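The padding in the slide 16 diagram, written out as an added example (not code from the presentation, and not the byte-exact PKCS#1 encoding). The toy key, the byte lengths and the use of SHAKE-256 in place of the random oracles G and H are assumptions.

```python
import hashlib, secrets
from typing import Optional

# Constructed toy key (Mersenne primes, trivially factorable); lengths are assumptions.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
MLEN, K1, K0 = 32, 16, 16        # bytes: message m, 00...0 redundancy, randomness r

def _oracle(tag: bytes, x: bytes, n: int) -> bytes:
    """SHAKE-256 with a domain tag, standing in for the random oracles G and H."""
    return hashlib.shake_256(tag + x).digest(n)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(m: bytes) -> int:
    assert len(m) == MLEN
    r = secrets.token_bytes(K0)
    s = _xor(m + bytes(K1), _oracle(b"G", r, MLEN + K1))   # s = (m || 00...0) xor G(r)
    t = _xor(r, _oracle(b"H", s, K0))                      # t = r xor H(s)
    return pow(int.from_bytes(s + t, "big"), E, N)         # one-way permutation: RSA

def oaep_decrypt(c: int) -> Optional[bytes]:
    x = pow(c, D, N)
    if x >= 1 << (8 * (MLEN + K1 + K0)):
        return None                                        # not a valid s || t encoding
    st = x.to_bytes(MLEN + K1 + K0, "big")
    s, t = st[:MLEN + K1], st[MLEN + K1:]
    r = _xor(t, _oracle(b"H", s, K0))
    padded = _xor(s, _oracle(b"G", r, MLEN + K1))
    if padded[MLEN:] != bytes(K1):
        return None                                        # 00...0 redundancy missing
    return padded[:MLEN]

def demo():
    m = b"constructed 32-byte test message"
    c = oaep_encrypt(m)
    mauled = (c * pow(2, E, N)) % N        # the C' = C * R^e transformation with R = 2
    return oaep_decrypt(c), oaep_decrypt(mauled), c != oaep_encrypt(m)
```

Both rejection paths return the same value on purpose: a decryptor that reports which check failed hands the caller extra information about the decrypted value.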

  18. OAEP+
      [Figure: OAEP+ padding diagram with labels m, F(m||r), r, G, G(r), H, H(s), s, t, one-way permutation; (Example) RSA-OAEP+]

  19. RSA-REACT (Hybrid Encryption) (ex)

  20. Comparison of the RSA Family

  21. IND-CCA2 Conversions for (Elliptic Curve) ElGamal Encryption
      • FO-1 (Fujisaki-Okamoto: PKC 1999)
      • FO-2 (Fujisaki-Okamoto: Crypto 1999)
      • Pointcheval (Pointcheval 2000)
      • REACT (Okamoto-Pointcheval 2001)
      • DHAES / ECIES (Abdalla-Bellare-Rogaway 1999)
      • CS (ACE) (Cramer-Shoup 1998)
      • PSEC-KEM (Shoup + Fujisaki-Okamoto 2001)
      • ACE-KEM (Shoup 2001)
      (Remark: OAEP, OAEP+, SAEP, SAEP+ cannot be applied to probabilistic encryption schemes such as ElGamal)

  22. FO-1/2 • FO-1 • FO-2 ? Check in decryption ? Check in decryption

  23. FO-2:Applied to EC-ElGamal…PSEC-2 • : plaintext • ciphertext (Ex.1) one-time pad (Ex.2) block-cipher

  24. Decryption of PSEC-2 • Check ? Yes No null string

  25. Security of PSEC-2 • EC-DH Assumption • SymEnc:semantically secure against passive attack • g, h:random oracle PSEC-2 is IND-CCA2

  26. REACT ? Check in decryption

  27. Security of REACT • f is Gap-one way • G and H are random oracles • (SymE is semantically secure against passive attacks) AsymE is IND-CCA2
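The formulas of slides 19 and 26 did not survive in this transcript. The sketch below is an added example, not recovered from the slides: it follows the REACT construction as published by Okamoto and Pointcheval (c1 = f(R), c2 = SymE under G(R), c3 = H(R, m, c1, c2)) with RSA as f. The toy key, SHAKE-256/SHA-256 as G and H, and the XOR keystream as SymE are assumptions.

```python
import hashlib, hmac, secrets
from typing import Optional, Tuple

# Constructed toy key (Mersenne primes, trivially factorable), for illustration only.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
NB = (N.bit_length() + 7) // 8

def _G(R: int, n: int) -> bytes:
    """Random-oracle stand-in deriving the one-time symmetric keystream from R."""
    return hashlib.shake_256(b"G" + R.to_bytes(NB, "big")).digest(n)

def _H(R: int, m: bytes, c1: int, c2: bytes) -> bytes:
    """Random-oracle stand-in for the checksum; length prefixes keep fields unambiguous."""
    h = hashlib.sha256(b"H")
    for part in (R.to_bytes(NB, "big"), m, c1.to_bytes(NB, "big"), c2):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def react_encrypt(m: bytes) -> Tuple[int, bytes, bytes]:
    R = secrets.randbelow(N - 2) + 2
    c1 = pow(R, E, N)                                      # c1 = f(R), f = RSA
    c2 = bytes(a ^ b for a, b in zip(m, _G(R, len(m))))    # c2 = SymE_{G(R)}(m)
    return c1, c2, _H(R, m, c1, c2)                        # c3 = H(R, m, c1, c2)

def react_decrypt(c1: int, c2: bytes, c3: bytes) -> Optional[bytes]:
    if not 0 <= c1 < N:
        return None
    R = pow(c1, D, N)
    m = bytes(a ^ b for a, b in zip(c2, _G(R, len(c2))))
    if not hmac.compare_digest(c3, _H(R, m, c1, c2)):      # the "check in decryption"
        return None
    return m

def tamper_results(m: bytes):
    """Decrypt an honest ciphertext, one with c1 blinded by 2^e, one with c2 bit-flipped."""
    c1, c2, c3 = react_encrypt(m)
    blinded = (c1 * pow(2, E, N)) % N
    flipped = bytes([c2[0] ^ 1]) + c2[1:]
    return (react_decrypt(c1, c2, c3),
            react_decrypt(blinded, c2, c3),
            react_decrypt(c1, flipped, c3))
```

Because c3 binds R, m, c1 and c2 together, changing any single component makes the check fail, so the decryption oracle returns nothing useful for a ciphertext derived from the challenge.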

  28. A Typical Usage of REACT
      [Figure labels: Decryption, Encryption, Session key]
      IND-CCA2 is guaranteed in total.

  29. Inverting Problems • relation • x→y s.t. f (x, y)=1 f (x, y)=1 y x

  30. R-decision problems • (x,y) decide whether R( f, x, y)=1 • (Examples) • (e.g., decision DH) (e.g., quadratic residuosity) • z is even when z with f (x,z) is uniquely determined. (e.g., lsb of RSA) s.t.

  31. Gap problems (R-gap problems) y x s.t. or or R-decision problem Oracle

  32. Duality of Gap and Decision problems • R-gap problem of f is tractable ⇒inverting problem of f = R-decision problem of f • R-decision problem of is tractable ⇒inverting problem of f = R-gap problem of f (e.g., f : RSA function; ) reducible to each other reducible to each other

  33. Relationship among the Assumptions Dual Gap- One-way Assumption Decisional Assumption One-way Assumption

  34. Relationship among the DH Assumptions Dual Gap DH Assumption Decision DH Assumption DH Assumption

  35. EC-ElGamal-REACT: PSEC-3 • : plaintext • ciphertext

  36. Decryption of PSEC- 3 • Check ? Yes No null string

  37. Security of PSEC-3 • EC-GapDH(GDH) Assumption • SymEnc:semantically secure against passive attack • g, h:random oracle PSEC-3 is IND-CCA2

  38. ECIES’(modified by Shoup) • Encryption • r : random • Decryption • Check ?

  39. Security of ECIES’ • Gap-EDH assumption • SymEnc: semantically secure against passive attack • Mac: secure • g: random oracle ECIES’ is IND-CCA2

  40. EC-ACE-KEM (1) • Public-key • Secret-key w, x, y, z • Encryption • Ciphertext: • Shared key:

  41. ? ? EC-ACE-KEM (2) • Decryption check

  42. Security of EC-ACE-KEM • (1) • EC-DDH • h:Universal One-Way Hash Function (UOWHF) • EC-ACE is IND-CCA2 • (2) • EC-DH • h:Random Oracle • EC-ACE is IND-CCA2

  43. PSEC-KEM(revised by Shoup based on PSEC-2) • Encryption • Ciphertext(R, v) • Decryption

  44. Security of PSEC-KEM • EC-DH • h,g:Random Oracle PSEC-KEM is IND-CCA2

  45. Comparison of the EC-ElGamal Family The above numbers are those of EC-addition operations

  46. Conclusion • Simple RSA and (EC) ElGamal are not secure against active attacks • Several practical (efficient) conversions have been proposed to realize the strongest level of security (IND-CCA2) based on any primitive encryption function such as RSA and (EC) ElGamal.
