Cryptography

Cryptography Lecture 11 ArpitaPatra

Generic Results in PK World CPA Security CCA Security = GenHyb Gen Bit Encryption Many-bit Encryption Bit Encryption Many-Bit Encryption DecHyb EncHyb  CPA-secure KEM Decaps Encaps  CCA-secure KEM Hyb CPA-secure Hyb CCA-secure SKE COA-secure SKE pk SKE CCA-secure SKE k c m sk EncSKE DecSKE (c, cSKE) k c m cSKE SKE = (GenSKE, EncSKE, DecSKE)  = (Gen, Encaps, Decaps) cSKE Hyb = (GenHyb, EncHyb, DecHyb)

Constructions for PK World CPA Security CCA Security = GenHyb Gen Instantiation: DDH + CR Hash based Cramer-Shoup Scheme (first ever CCA secure under standard assumption ) PKE Instantiation: DDH based El Gamal DecHyb EncHyb KEM Instantiation: HDH based variation of El Gamal KEM Instantiation: ODH based (the same) variation of El Gamal Decaps Encaps pk k Variant ElGamal KEM Variant El Gamal KEM c m sk Hyb CPA-secure Hyb CCA-secure EncSKE DecSKE (c, cSKE) CPA-secure SKE + sCMA MAC PRG-based SKE k c m cSKE SKE = (GenSKE, EncSKE, DecSKE)  = (Gen, Encaps, Decaps) cSKE Hyb = (GenHyb, EncHyb, DecHyb)

CCA Security for KEM CCA experiment  = (Gen, Encaps, Decaps) b = b’ cca (c,k)  Encapspk(1n) b  {0, 1} b  b’ KEM (n) Also have to give Decapssk(.) service to the attacker A,  k’  k if b=0  uniform random string, b =1 pk PPT A (c,k’) b’  {0, 1} pk, sk I can break  Let me verify (Attacker’s guess about encapsulated key) Game Output 0 --- attacker lost 1 --- attacker won cca Pr = 1 ½ + negl(n) Gen(1n) KEM (n)   is CPA-secure if for every PPT attacker A, the probability that A wins the experiment is at most negligibly better than ½ A, 

El Gamal like KEM Gen(1n) (G, o, q, g) h = gx. For random x pk= (G,o,q,g,h), sk = x Gen(1n) (G, o, q, g) h = gx. For random x pk= (G,o,q,g,h,H), sk = x Encpk(m) c1 = gy for random y c2 = hy.. m c= (c1,c2) Encapspk(1n) c= gy for random y k = H(hy)=H(gxy.) (c,k) Decsk(c) c2 / (c1)x = c2 . [(c1)x]-1 Decapssk(c) k = H(cx )= H(gxy) - Need to choose m randomly • No need of that • No Multiplication, • hashing - Multiplication - Ciphertext= 2 elements - Ciphertext= 1 element • No Multiplication, • hashing - Multiplication Security: ?? Security: DDH Assumption

El Gamal like KEM Gen(1n) (G, o, q, g) h = gx. For random x pk= (G,o,q,g,h,H), sk = x Encapspk(1n) c= gy for random y k = H(hy)=H(gxy.) (c,k) Decsk(c) k = H(cx )= H(gxy) ODH (Oracle Diffie-Hellman) Assumption ODH problem is hard relative to (G, o) and hash function H: G -> {0,1}m if for every PPT A, (it is hard to distinguish H(gxy)from a random string {0,1}m even given gx, gyAND an oracle Oy(X): = H(Xy); anything other than gx can be quired) ): - | |  negl() Pr[Aoy(.) (G, o, q, g, gx, gy, r ) = 1] Pr[Aoy(.)(G, o, q, g, gx, gy, H(gxy )) = 1] ODH assumption is just the belief that there exist a group and hash function H so that the above is true. It is stronger than HDH. Theorem: ODH assumption holds   is a CCA-secure KEM

Construction of Hybrid CCA-secure PKE = GenHyb Gen DecHyb EncHyb Decaps Encaps k m pk EncSKE c DecSKE sk (c, cSKE) k c  = (Gen, Encaps, Decaps) m cSKE SKE = (GenSKE, EncSKE, DecSKE) cSKE Hyb = (GenHyb, EncHyb, DecHyb) CCA Secure SKE - CPA Secure SKE + Strong CMA Secure MAC CCA Secure  - Oracle Function assumption (ODH) DHIES (Diffie-Hellman Integrated Encryption Scheme)- – ISO/IEC 18033-2

DHIES- – ISO/IEC 18033-2 (G, o, q, g) h = gx. For random x H: G  {0,1}2n pk= (G,o,q,g,h,H), sk = x  (CCA) = (Gen, Encaps, Decaps) = GenHyb SKE (CPA) = (GenSKE, EncSKE, DecSKE) MAC (sCMA)= (GenMAC, Mac, Vrfy) Hyb (CCA) = (GenHyb, EncHyb, DecHyb) EncHyb DecHyb sk c k = H(cx) = H(gxy) c= gy for random y k = H(hy)=H(gxy.) pk (c, cSKE=(cCPA,tMAC)) c k k k=kE|| kM k=kE|| kM cSKE kE kM kE kE cCPA tMAC m (cCPA, tMAC) EncCPA MacsCMA VrfysCMA DecCPA cCPA Yes m m CCA Secure SKE - CPA Secure SKE + Strong CMA Secure MAC CCA Secure  - Number theoretic assumption + Hash Function (ODH)

DHIES (Term Paper) Michel Abdalla, Mihir Bellare, Phillip Rogaway: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES.CT-RSA 2001: 143-158

Cramer-Shoup Cryptosystem Ronald Cramer, Victor Shoup: A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack.CRYPTO 1998: 13-25

Cramer-Shoup Cryptosystem- Route map Another Look at DDH Assumption/ An alternative Formulation CPA Secure Scheme (different from El Gamal) CCA1 Secure Scheme + Collision-Resistant Hash Function CCA Secure Scheme

Another Look at DDH (G,o,q,g) – Group of Prime Order q (g0, g1, g0y, g1y ) (g0, g1, g0y, g1y’ ) - - | | | |  negl()  negl() Pr[A(g0, g1, g0r, g1r’ ) = 1] Pr[A(g, gx, gy, gz ) = 1] Pr[A(g, gx, gy, gxy ) = 1] Pr[A(g0, g1, g0r, g1r ) = 1]

Randomization Function Input Output (g0, g1, h0, h1) Random (x,y) from Zq u = g0x. g1y Way 1: Given x, y, h0 ,h1 v = h0x. h1y Way 2: Given r, u Case I (g0, g1, h0 = g0r, h1 = g1r): Claim: ur= v Proof: ur = (g0x. g1y)r= h0x. h1y = v Case II (g0, g1, h0 = g0r, h1 = g1r’ ): Claim: An all powerful adv A can guess v with probability at most 1/|G|, even given (g0, g1, h0, h1, u). Proof: A can compute r, r’, α (where g1 = g0α) and discrete log of u (say R) u = g0R = (g0x. g1y)= g0x +αy x +αy = R --- (1) v = h0x. h1y = g0rx. g1r’y = g0rx +αr’y rx +αr’y is linearly independent of x +αy For every guess R’ of this value rx+αr’y, there exist a pair of unique values for x,y satisfying equation (1)

CPA Secure Scheme Gen(1n) (G, o, q, g0,g1) Random (x,y) from Zq u = g0x. g1y pk= (G,o,q, g0,g1, u), sk = (x,y) Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m (Way2) (h0, h1 , c) Decsk = (x,y)(h0, h1 , c) v = h0x. h1y (Way1) m = c/v m0, m1 , |m0| = |m1| Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure cpa Let us run PubK (n) A, p(n): A,  D A DDH or non-DDH tuple? cpa Pr = 1 pk = (G,o,q,g0, g1,u) ½ + 1/p(n) PubK (n) > (G,o,q,g0, g1, h0, h1) Random (x,y) from Zq u = g0x. g1y A,  (h0, h1 , c) b’  {0, 1} c = h0x. h1y . mb

CPA Secure Scheme Gen(1n) (G, o, q, g0,g1) Random (x,y) from Zq u = g0x. g1y pk= (G,o,q, g0,g1, u), sk = (x,y) Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m (Way2) (h0, h1 , c) Decsk = (x,y)(h0, h1 , c) v = h0x. h1y (Way1) m = c/v m0, m1 , |m0| = |m1| Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure cpa Let us run PubK (n) A, p(n): A,  D A DDH Tuple cpa Pr = 1 pk = (G,o,q, g0, g1,u) ½ + 1/p(n) PubK (n) > (G,o,q,g0, g1, h0 = g0r, h1 = g1r) Random (x,y) from Zq u = g0x. g1y A,  (h0, h1 , c) h0x. h1y = g0rx. g1ry = ur b’  {0, 1} c = h0x. h1y . mb

CPA Secure Scheme Gen(1n) (G, o, q, g0,g1) Random (x,y) from Zq u = g0x. g1y pk= (G,o,q, g0,g1, u), sk = (x,y) Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m (Way2) (h0, h1 , c) Decsk = (x,y)(h0, h1 , c) v = h0x. h1y (Way1) m = c/v m0, m1 , |m0| = |m1| Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure cpa Let us run PubK (n) A, p(n): A,  D A Non-DDH Tuple cpa cpa Pr Pr = 1 = 1 pk = (G,o,q, g0, g1,u) ½ ½ + 1/p(n) PubK (n) PubK (n) > = (G,o,q,g0, g1, h0 = g0r, h1 = g1r’) Random (x,y) from Zq u = g0x. g1y A,  A,  (h0, h1 , c) h0x. h1y is uniformly random element b’  {0, 1} c = h0x. h1y . mb

CPA Secure Scheme Gen(1n) (G, o, q, g0,g1) Random (x,y) from Zq u = g0x. g1y pk= (G,o,q, g0,g1, u), sk = (x,y) Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m (Way2) (h0, h1 , c) Decsk = (x,y)(h0, h1 , c) v = h0x. h1y (Way1) m = c/v m0, m1 , |m0| = |m1| Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure cpa Let us run PubK (n) A, p(n): A,  = = > - 1/p(n) Pr [D(non-DDH tuple) = 1] Pr [D(DDH tuple) = 1] D A DDH or non-DDH tuple? cpa cpa Pr Pr = 1 = 1 pk = (G,o,q, g0, g1,u) ½ + 1/p(n) ½ PubK (n) PubK (n) > = (G,o,q,g0, g1, h0, h1) Random (x,y) from Zq u = g0x. g1y A,  A,  (h0, h1 , c) 1 if b = b’ 0 otherwise b’  {0, 1} c = h0x. h1y . mb

Why NOT El Gamal? Gen(1n) (G, o, q, g) Random x from Zq, h = gx pk= (G,o,q, g0, h), sk = x Encpk(m) c1 = gy for random y c2 = gxy.. m Decsk(c) c2 / (c1)x = c2 . [(c1)x]-1 m0, m1 , |m0| = |m1| Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure cpa Let us run PubK (n) A, p(n): A,  = = - > Pr [D(DDH tuple) = 1] Pr [D(non-DDH tuple) = 1] 1/p(n) The secret key is not with the reduction and so cannot provide DO service to A! DDH or non-DDH tuple? cpa cpa Pr Pr = 1 = 1 pk = (G,o,q,g,gx) ½ ½ + 1/p(n) PubK (n) PubK (n) > = (G,o,q,g, gx, gy, gz) D A A,  A,  c = (gy, gz.mb) 1 if b = b’ 0 otherwise b’  {0, 1} b

Is the Scheme CCA secure? Gen(1n) (G, o, q, g0,g1) Random (x,y) from Zq u = g0x. g1y pk= (G,o,q, g0,g1, u), sk = (x,y) Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m (Way2) (h0, h1 , c) Decsk = (x,y)(h0, h1 , c) v = h0x. h1y (Way1) m = c/v It is malleable. Not CCA Secure

Is the Scheme CCA1 secure? Gen(1n) (G, o, q, g0,g1) Random (x,y) from Zq u = g0x. g1y pk= (G,o,q, g0,g1, u), sk = (x,y) Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m (Way2) (h0, h1 , c) Decsk = (x,y)(h0, h1 , c) v = h0x. h1y (Way1) m = c/v m0, m1 , |m0| = |m1| Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure A, p(n): = = > - 1/p(n) Pr [D(non-DDH tuple) = 1] Pr [D(DDH tuple) = 1] pk = (G,o,q, g0, g1,u) D A DDH or non-DDH tuple? cpa cpa Pr Pr = 1 = 1 Decryption query ½ ½ + 1/p(n) PubK (n) PubK (n) = > (G,o,q,g0, g1, h0, h1) Random (x,y) from Zq u = g0x. g1y A,  Au, (h0, h1 , c) 1 if b = b’ 0 otherwise b’  {0, 1} c = h0x. h1y . mb

Is the Scheme CCA1 secure? Gen(1n) (G, o, q, g0,g1) Random (x,y) from Zq u = g0x. g1y pk= (G,o,q, g0,g1, u), sk = (x,y) Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m (Way2) (h0, h1 , c) Decsk = (x,y)(h0, h1 , c) v = h0x. h1y (Way1) m = c/v Claim. Just one decryption query is enough for an unbounded powerful adversary Au to know x,y and guess b with probability 1. Proof: Au can compute discrete log of u & g1, say R & α x +αy = R --- (1) u = g0R = (g0x. g1y)= g0x +αy Au need another (linearly) independent equation on x and y to recover them. Can Decryption Query help? pk = (G,o,q, g0, g1,u) D Au DQ: (h0, h1 , c) Random (x,y) from Zq u = g0x. g1y

Is the Scheme CCA1 secure? Gen(1n) (G, o, q, g0,g1) Random (x,y) from Zq u = g0x. g1y pk= (G,o,q, g0,g1, u), sk = (x,y) Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m (Way2) (h0, h1 , c) Decsk = (x,y)(h0, h1 , c) v = h0x. h1y (Way1) m = c/v Claim. Just one decryption query is enough for an unbounded powerful adversary to know x,y and guess b with probability 1. Proof: Au can compute discrete log of u & g1, say R & α x +αy = R --- (1) u = g0R = (g0x. g1y)= g0x +αy Au need another (linearly) independent equation on x and y to recover them. Can Decryption Query help? c/m = v = g0R’ = (h0x. h1y)= g0rx +rαy (linearly) Dependent  No use rx +rαy = R’ --- (2) pk = (G,o,q, g0, g1,u) D Au DQ: (h0 = g0r, h1 = g1r, c) Random (x,y) from Zq u = g0x. g1y m

Is the Scheme CCA1 secure? Gen(1n) (G, o, q, g0,g1) Random (x,y) from Zq u = g0x. g1y pk= (G,o,q, g0,g1, u), sk = (x,y) Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m (Way2) (h0, h1 , c) Decsk = (x,y)(h0, h1 , c) v = h0x. h1y (Way1) m = c/v Claim. Just one decryption query is enough for an unbounded powerful adversary to know x,y and guess b with probability 1. Proof: Au can compute discrete log of u & g1, say R & α x +αy = R --- (1) u = g0R = (g0x. g1y)= g0x +αy Au need another (linearly) independent equation on x and y to recover them. Can Decryption Query help? c/m = v = g0R’ = (h0x. h1y)= g0rx +r’αy (linearly) independent  rx +r’αy = R’ --- (2) Solving (1) & (2) gives the secret key (x,y) cpa Pr = 1 PubK (n) = 1 pk = (G,o,q, g0, g1,u) Au, D Au DQ: (h0 = g0r, h1 = g1r’, c) Random (x,y) from Zq u = g0x. g1y m

CPA Secure Scheme Gen(1n) (G, o, q, g0,g1) Random (x,y) from Zq u = g0x. g1y pk= (G,o,q, g0,g1, u), sk = (x,y) Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m (Way2) (h0, h1 , c) Decsk = (x,y)(h0, h1 , c) v = h0x. h1y (Way1) m = c/v m0, m1 , |m0| = |m1| Theorem. If DDH is hard, then  is a CPA-secure scheme. Proof: Assume  is not CPA-secure cpa Let us run PubK (n) A, p(n): A,  = = > Illegal Decryption Query: (g0r, g1r’, c) A checking mechanism in Dec so that illegal queries will be REJECTED with very high probability - 1/p(n) Pr [D(non-DDH tuple) = 1] Pr [D(DDH tuple) = 1] D A DDH or non-DDH tuple? cpa cpa Pr Pr = 1 = 1 pk = (G,o,q, g0, g1,u) ½ ½ + 1/p(n) PubK (n) PubK (n) = > (G,o,q,g0, g1, h0, h1) Random (x,y) from Zq u = g0x. g1y A,  A,  (h0, h1 , c) 1 if b = b’ 0 otherwise b’  {0, 1} c = h0x. h1y . mb

CCA1 Scheme Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = er(Way2) (h0, h1 , c, f) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ pk= (G,o,q, g0,g1,u,e), sk = (x,y,x’,y’) Decsk = (x,y,x’,y’)(h0, h1 , c, f) f = h0x’ h1y’ (Way1) ?? v = h0x h1y (Way1) m = c/v Claim. An unbounded powerful adversary computes (x,y) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). Proof: Au can compute discrete log of u, e g1, say R, S & α u = g0R = (g0x g1y)= g0x +αy x +αy = R -(1) e = g0S = (g0x’ g1y’)= g0x’ +αy’ x’ +αy’ = S -(2) What if Au can guess f so that f = h0x’ h1y’ ?? Do you see the disaster??????? f = g0S’ = (h0x’h1y’)= g0rx +r’αy (linearly) independent of (2) rx’ +r’αy’ = S’ --- (3) c/m = v = g0R’ = (h0x. h1y)= g0rx +r’αy (linearly) independent of (1) rx +r’αy = R’ --- (4) cpa Pr = 1 PubK (n) = 1 Solving (1) & (4) gives the secret key (x,y) D Au pk = (G,o,q, g0, g1,u,e) Au, Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ f = h0x’ h1y’ ?? If yes, then send m DQ: (h0=g0r, h1=g1r’, c, f) m

Security Proof of CCA1 Scheme Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = er(Way2) (h0, h1 , c, f) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ pk= (G,o,q, g0,g1,u,e), sk = (x,y,x’,y’) Decsk = (x,y,x’,y’)(h0, h1 , c, f) f = h0x’ h1y’ (Way1) ?? v = h0x h1y (Way1) m = c/v Claim. An unbounded powerful adversary computes (x,y) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). Proof: Au can compute discrete log of u & g1, say R & α x +αy = R --- (1) u = g0R = (g0x g1y)= g0x +αy Yes! It does. Au knows its chosen value in the first DQ is NOT a possibility. Next time it can guess f from G minus that value x’ +αy’ = S --- (2) e = g0S = (g0x’ g1y’)= g0x’ +αy’ What is the prob of Au guessing f so that f = h0x’ h1y’ = g0rx +αr’yin his FIRST DQ Recall that h0x’ h1y’ is uniformly random for Au even given (g0, g1, h0=g0r, h1=g1r’ , e) Pr[Au succeeds in first DQ] = 1/|G| --- negligible D Au pk = (G,o,q, g0, g1,u,e) But Au can make polynomials many attempts say, t many. Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ f = h0x’ h1y’ ?? If yes, then send m DQ: (h0=g0r, h1=g1r’, c, f) Does getting rejected in the first DQ help in succeeding second DQ? m

Security Proof of CCA1 Scheme Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = er(Way2) (h0, h1 , c, f) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ pk= (G,o,q, g0,g1,u,e), sk = (x,y,x’,y’) Decsk = (x,y,x’,y’)(h0, h1 , c, f) f = h0x’ h1y’ (Way1) ?? v = h0x h1y (Way1) m = c/v Claim. An unbounded powerful adversary computes (x,y) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). Proof: Au can compute discrete log of u & g1, say R & α x +αy = R --- (1) u = g0R = (g0x g1y)= g0x +αy x’ +αy’ = S --- (2) e = g0S = (g0x’ g1y’)= g0x’ +αy’ What is the prob of Au guessing f so that f = h0x’ h1y’ = g0rx +αr’yin his SECOND DQ Pr[Au succeeds in second DQ] = 1 / (|G|-1) - negligible D Au pk = (G,o,q, g0, g1,u,e) Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ f = h0x’ h1y’ ?? If yes, then send m DQ: (h0=g0r, h1=g1r’, c, f) m

Security Proof of CCA1 Scheme Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = er(Way2) (h0, h1 , c, f) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ pk= (G,o,q, g0,g1,u,e), sk = (x,y,x’,y’) Decsk = (x,y,x’,y’)(h0, h1 , c, f) f = h0x’ h1y’ (Way1) ?? v = h0x h1y (Way1) m = c/v Claim. An unbounded powerful adversary computes (x,y) except with neg. probability. Therefore it can guess bit b with probability no better than ½ + negl(.). Proof: Au can compute discrete log of u & g1, say R & α x +αy = R --- (1) u = g0R = (g0x g1y)= g0x +αy x’ +αy’ = S --- (2) e = g0S = (g0x’ g1y’)= g0x’ +αy’ What is the prob of Au guessing f so that f = h0x’ h1y’ = g0rx +αr’yin his tth DQ (t is the upper bound on the number of DQs) Pr[Au succeeds in tth DQ] = 1 / (|G|-t) - negligible cpa Pr = 1 ≤ ½ + negl(.) PubK (n) Pr[Au succeeds in one of t DQs] ≤ t / (|G|-t) - negligible D Au pk = (G,o,q, g0, g1,u,e) Au, Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ f = h0x’ h1y’ ?? If yes, then send m DQ: (h0=g0r, h1=g1r’, c, f) m

Is the Scheme CCA-secure? Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = er(Way2) (h0, h1 , c, f) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ pk= (G,o,q, g0,g1,u,e), sk = (x,y,x’,y’) Decsk = (x,y,x’,y’)(h0, h1 , c, f) f = h0x’ h1y’ (Way1) ?? v = h0x h1y (Way1) m = c/v Claim. Just one DQ in post-challenge phase is enough for an unbounded powerful adversary to compute (x,y) completely and guess bit b with probability 1. Proof: Au can compute discrete log of u & g1, say R & α x +αy = R --- (1) u = g0R = (g0x g1y)= g0x +αy x’ +αy’ = S --- (2) e = g0S = (g0x’ g1y’)= g0x’ +αy’ What is the prob of Au guessing f so that f = h0x’ h1y’ = g0rx +αr’yin his tth DQ (t is the upper bound on the number of DQs) Pr[Au succeeds in tth DQ] = 1 / (|G|-t) - negligible cpa Pr = 1 ≤ ½ + negl(.) PubK (n) Pr[Au succeeds in one of t DQs] ≤ t / (|G|-t) - negligible D Au pk = (G,o,q, g0, g1,u,e) Au, Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ f = h0x’ h1y’ ?? If yes, then send m DQ: (h0=g0r, h1=g1r’, c, f) m

Is the Scheme CCA-secure? Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = er(Way2) (h0, h1 , c, f) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ pk= (G,o,q, g0,g1,u,e), sk = (x,y,x’,y’) Decsk = (x,y,x’,y’)(h0, h1 , c, f) f = h0x’ h1y’ (Way1) ?? v = h0x h1y (Way1) m = c/v m0, m1 , |m0| = |m1| Claim. Just one DQ in post-challenge phase is enough for an unbounded powerful adversary to compute (x,y) completely and guess bit b with probability 1. Proof: Au can compute discrete log of u & g1, say R & α We need to ensure Au can not make illegal DQ and get DO service even after seeing the challenge ciphertext. x +αy = R --- (1) u = g0R = (g0x g1y)= g0x +αy x’ +αy’ = S --- (2) e = g0S = (g0x’ g1y’)= g0x’ +αy’ We are now considering the case when D received a non-DDH tuple (g0, g1, h*0, h*1) and so h*0=g0r, h*1=g1r’ Increase the no. of variables??? f* = g0S* = (h0x’h1y’)= g0rx +r’αy (linearly) independent of (2) rx’ +r’αy’ = S* --- (3) cpa Pr = 1 Solving (2) & (3) gives (x’,y’) = 1 PubK (n) D Au pk = (G,o,q, g0, g1,u,e) Au, Now Au can make illegal DQ in post-challenge phase and still pass the verification and get m and discover (x,y) Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ (h*0, h*1 , c*, f*) c = h0x h1y . mb f = h0x’h1y’

Is the Scheme CCA-secure? Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = er;l = kr(Way2) (h0, h1 , c, f, l) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’, x’’, y’’ ) from Zq u = g0x g1y e = g0x’ g1y’ k = g0x’’g1y’’ pk= (G,o,q, g0,g1,u,e,k), sk = (x,y,x’,y’,x’’,y’’) Decsk = (x,y,x’,y’,,x’’,y’’)(h0, h1,c,f,l) f = h0x’ h1y’ (Way1) ?? l= h0x’’h1y’’ (Way1) ?? v = h0x h1y (Way1) m = c/v m0, m1 , |m0| = |m1| Does above help? Proof: Au can compute discrete log of u & g1, say R & α x +αy = R - (1) u = g0R = (g0x g1y)= g0x +αy x’ +αy’ = S - (2) f* = g0S* = (h0x’h1y’)= g0rx’ +r’αy’ rx’ +r’αy’ = S* - (4) e = g0S = (g0x’ g1y’)= g0x’ +αy’ x’’ +αy’’ = T - (3) l* = g0T* = (h0x’’h1y’’)= g0rx’’ +r’αy’’ rx’’ +r’αy’’ = T’* - (5) k = g0T = (g0x’’ g1y’’)= g0x’’ +αy’’ We are now considering the case when D received a non-DDH tuple (g0, g1, h*0, h*1) and so h*0=g0r, h*1=g1r’ Now Au can make illegal DQ in post-challenge phase and still pass the verification and get m and discover (x,y) D Au pk = (G,o,q, g0, g1,u,e,k) Adding more variable in the above way does not help. Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ (h*0, h*1 , c*, f*,l*) c = h0x h1y . mb f = h0x’h1y’

Is the Scheme CCA-secure? Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = erkr(Way2) (h0, h1 , c, f) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’, x’’, y’’ ) from Zq u = g0x g1y e = g0x’ g1y’ k = g0x’’g1y’’ pk= (G,o,q, g0,g1,u,e,k), sk = (x,y,x’,y’,x’’,y’’) Decsk = (x,y,x’,y’,x’’,y’’),(h0,h1 ,c,f) f = h0x’+x’’ h1y’+y’’ ?? v = h0x h1y (Way1) m = c/v m0, m1 , |m0| = |m1| Does above help? Proof: x +αy = R - (1) u = g0R = (g0x g1y)= g0x +αy x’ +αy’ = S - (2) f* = g0S* = (h0x’+x’’h1y’+y’’)= g0r(x’+x’’) +r’α(y’ + y’’) e = g0S = (g0x’ g1y’)= g0x’ +αy’ x’’ +αy’’ = T - (3) k = g0T = (g0x’’ g1y’’)= g0x’’ +αy’’ r(x’ + x’’) + r’α(y’ + y’’) = S* - (4) From (2), (3) & (4), Au can compute (x’ + x’’) and (y’ + y’’) and that’s enough to make an illegal DQ in post-challenge phase and still pass the verification and get m and discover (x,y). D Au pk = (G,o,q, g0, g1,u,e,k) Adding more variable in the above way does not help. Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ (h*0, h*1 , c*, f*) c = h0x h1y . mb f = h0x’h1y’

Is the Scheme CCA-secure? Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = erkβr β = H(h0, h1 , c) (h0, h1 , c, f) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’, x’’, y’’ ) from Zq u = g0x g1y e = g0x’ g1y’ k = g0x’’g1y’’ pk= (G,o,q, g0,g1,u,e,k, H), sk = (x,y,x’,y’,x’’,y’’) Decsk = (x,y,x’,y’,x’’,y’’)(h0,h1,c,f) β = H(h0, h1 , c) f = h0x’ + βx’’ h1y’ + βy’’ ?? v = h0x h1y m = c/v m0, m1 , |m0| = |m1| Does above help? Proof: x +αy = R - (1) u = g0R = (g0x g1y)= g0x +αy x’ +αy’ = S - (2) f* = g0S’ = (h0x’ + βx’’h1y’ + βy’’)= g0r(x’ + βx’’) +r’α(y’ + βy’’) e = g0S = (g0x’ g1y’)= g0x’ +αy’ x’’ +αy’’ = T - (3) k = g0T = (g0x’’ g1y’’)= g0x’’ +αy’’ r(x’ + βx’’) + r’α(y’ + βy’’) = S’ - (4) From (2), (3) & (4), Au can compute (x’ + βx’’) and (y’ + βy’’) BUT…… …….to make an illegal DQ in post-challenge phase Au must find a collision for H i.eh’0, h’1 , c’ such that β = H(h’0, h’1 , c’) because….. D Au pk = (G,o,q, g0, g1,u,e,k) …….he is not allowed to submit the challenge ciphertext to DO Random (x,y,x’,y’) from Zq u = g0x g1y e = g0x’ g1y’ (h*0, h*1 , c*, f*) c = h0x h1y . mb f = h0x’h1y’

The Cramer-Shoup Cryptosystem Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = erkβr β = H(h0, h1 , c) (h0, h1 , c, f) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’, x’’, y’’ ) from Zq u = g0x g1y e = g0x’ g1y’ k = g0x’’g1y’’ pk= (G,o,q, g0,g1,u,e,k, H), sk = (x,y,x’,y’,x’’,y’’) Decsk = (x,y,x’,y’,x’’,y’’)(h0,h1,c,f) β = H(h0, h1 , c) f = h0x’ + βx’’ h1y’ + βy’’ ?? v = h0x h1y m = c/v m0, m1 , |m0| = |m1| Theorem. If DDH is hard + H is CR HF, then  is a CCA-secure scheme. Case I: If (h0, h1 , c) = (h*0, h*1 , c*) and f* ≠ f  D will reject Case II: If (h0, h1 , c) ≠ (h*0, h*1 , c*) and f* = f [i.e. H(h0, h1 , c) = H(h*0, h*1 , c*) ] A has found collision but since H is CR, this happens with negl probability pk = (G,o,q, g0, g1,u,e,k) D (h0, h1 , c, f) A DDH or non-DDH tuple? Reject (if verification fails) (G,o,q,g0, g1, h0, h1) Random (x,y,x’,y’,x’’,y’’) Compute u,e,k (h*0, h*1 , c*, f*) c*= h0xh1ymband f* (h0, h1 , c, f) 1 if b = b’ 0 otherwise Reject (if verification fails) b’  {0, 1}

The Cramer-Shoup Cryptosystem Encpk(m) Random rfrom Zq h0 = g0r, h1 = g1r c= ur.m = v.m ; f = erkβr β = H(h0, h1 , c) (h0, h1 , c, f) Gen(1n) (G, o, q, g0,g1) Random (x,y,x’,y’, x’’, y’’ ) from Zq u = g0x g1y e = g0x’ g1y’ k = g0x’’g1y’’ pk= (G,o,q, g0,g1,u,e,k, H), sk = (x,y,x’,y’,x’’,y’’) Decsk = (x,y,x’,y’,x’’,y’’)(h0,h1,c,f) β = H(h0, h1 , c) f = h0x’ + βx’’ h1y’ + βy’’ ?? v = h0x h1y m = c/v m0, m1 , |m0| = |m1| Theorem. If DDH is hard + H is CR HF, then  is a CCA-secure scheme. Case III: H(h0, h1 , c) ≠ H(h*0, h*1 , c*) ]: There is a possibility that it is a valid ciphertext. But it can happen by sheer luck. We can have four INDEPENDENT constraints on x’,y’.x’’.y’’ : (1) e (2) k (3) challenge cipher (4) DO => Breaking security But before making DO query A had only three constraints and so finding an matching f for the DO can be donewithprob at most 1/|G| pk = (G,o,q, g0, g1,u,e,k) D (h0, h1 , c, f) A DDH or non-DDH tuple? Reject (if verification fails) (G,o,q,g0, g1, h0, h1) Random (x,y,x’,y’,x’’,y’’) Compute u,e,k (h*0, h*1 , c*, f*) c*= h0xh1ymband f* (h0, h1 , c, f) 1 if b = b’ 0 otherwise Reject (if verification fails) b’  {0, 1}

Public Key Summary Primitives Security Notions Assumptions CPA >> Close Relatives of DL assumptions- CDH, DDH, HDH, ODH PKE CCA >> RSA Assumption (Padded RSA, RSA OAEP) Adaptive Attack (Non-committing Encryption) KEM >> Factoring assumptions (Rabin Cryptosystem) >> Quadratic Residuacity Assumptions (Micali-Goldwasser) Selective Opening Attack >> Decisional Composite Residuacity (DCR) Assumptions (Paillier) Hybrid Encryption (Deniable Encryption) >> Lattice-based Assumptions LWE, LPN (Regev) Many more assumptions

Cryptography

Cryptography

Presentation Transcript

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

CRYPTOGRAPHY

Cryptography

Cryptography

CRYPTOGRAPHY

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography