Security proofs for practical encryption schemes
Yiannis Tsiounis, GTE Labs; Moti Yung, CertCo LLC

“Security”: Semantic security
Secure encryption
• Semantic security [GM84, Gol89]
• Hide all partial information
• Immune against a-priori knowledge
[Diagram: “Buy” / “Sell” plaintexts with “a-priori” info; “secure” encryption vs. semantically secure (probabilistic) encryption]

Semantic security (cont.): indistinguishability of encryptions
Beyond semantic security
• Chosen ciphertext security [NY90]
  • “Lunch-time” attack [NY90]
  • Rackoff-Simon attack (adaptive) [RS91]
• Non-malleability [DDN91]
  • Infeasible to create a “related” ciphertext
  • Message & sender cannot be altered by a man-in-the-middle

Random oracles
• A “necessary evil” simplification
• Collision-free
• Information hiding
[Diagram: “random oracle” box mapping queries Q_i to answers A_i]
• Requires tamper-proof devices, or exponential memory

The big picture
[Diagram: attacks vs. security; labels: EG, EG+RO+A, Plaintext Awareness, BRP+98]
Contributions (cont.)
• Semantic security
  • Directly from decision Diffie-Hellman
  • Retaining homomorphic properties
  • Exact analysis of the efficiency of the reduction
• Non-malleability
  • Decision D-H + R.O. [PS96] + oracle-related assumption

Preliminaries
• ElGamal encryption
  • $P = aQ + 1$, $P, Q$ primes, $|g| = Q$
  • Private key: $x$
  • Public key: $y = g^x \pmod P$
  • $E(m) = (g^k,\ y^k m)$ ($m \in G_Q$)
• Decision Diffie-Hellman
  • $P = aQ + 1$, $P, Q$ primes, $|g| = Q$
  • Distinguish $\langle g^a, g^b, g^{ab} \rangle$ from $\langle g^a, g^b, g^c \rangle$

Preliminaries (cont.)
• Semantic security = indistinguishability of encryptions: it is infeasible to find two messages whose encryptions can be distinguished (non-negligibly better than random guessing)
ElGamal => decision D-H
• Assume we have an ElGamal oracle
• Given a triplet $\langle g^a, g^b, y \rangle$, decide if it is a D-H triplet ($y = g^{ab}$?)
1. Preparation stage: find two messages that the oracle can distinguish
2. Testing phase: test if the oracle can distinguish between message 1 (or 2) and random messages

Proof (cont.)
3. Decision phase: generator $g$, public key $g^{bw}$ ($w$ random)
• Randomize message 1 (or 2)
• Correctly: $E(m) = (g^u,\ m (g^b)^{wu})$
• Based on the given triplet $\langle g^a, g^b, y \rangle$: $E(m') = ((g^a)^t g^v,\ m\, y^{wt} (g^b)^{wv})$, where $m' = m$ (if $y = g^{ab}$), random otherwise
• Run the oracle on $E(m)$, $E(m')$
  1. Distinguish? ==> not a D-H triplet
  2. Else: correct D-H triplet

Decision D-H => ElGamal
• Given a decision D-H oracle, find two messages whose ElGamal encryptions can be distinguished
• For any two $m, m'$: ($y = g^x$)
• $E(m_0) = (g^a,\ m_0 y^a)$, $E(m_1) = (g^b,\ m_1 y^b)$
• Feed $\langle g^a,\ y g^v,\ [y^a m_0]\, g^{av} / m \rangle = \langle g^a,\ g^{x+v},\ g^{(x+v)a} m_0 / m \rangle$ (random $v$)
• If it is a correct triplet, then $m_0 = m$, else $m_0 = m'$
Non-malleability
• Given ciphertext $C$, cannot construct a ciphertext $C'$ such that the plaintexts are related
• All we need is a proof of knowledge of the plaintext
• I.e., a proof of knowledge of $k$ in $E(m) = (g^k,\ y^k m)$
• But it must be a non-malleable ZK proof: it must be bound to the prover

The non-malleable extension
• A Schnorr-type ZK proof of knowledge of $k$, with the sender’s identity in the challenge (hash):
  $A = [g^k,\ y^k m]$, $F = g^v$, $C = k \cdot H(ID, g, A, F) + v$
  $E(m) = [A, F, C, ID]$
• The random oracle is used only as a “trusted beacon” [PS96], not for information hiding

Security proof
1. We need to verify that semantic security still holds (the knowledge proof does not leak information)
2. Knowledge of $k$: provided by the Schnorr proof
3. Sender-bound: the addition forms a Schnorr signature of ID based on $k$, which is existentially unforgeable [PS96]
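The non-malleable extension above, as an added example in Python (not code from the paper or the slides): ElGamal encryption carrying the Schnorr-type proof [A, F, C, ID], the verification equation g^C = A_1^{H(ID, g, A, F)} · F that the construction implies, a decrypt that refuses ciphertexts whose proof fails, and a check that re-binding a ciphertext to another ID or altering A breaks the proof (the sender-bound property of step 3). Assumptions not on the page: SHA-256 reduced mod Q stands in for the random oracle H, a Fermat test drives a toy-sized safe-prime search (a = 2), and g = 4.

```python
import hashlib
import secrets

def is_prime(n):
    """Fermat test on a few bases: enough for this toy parameter search, not for production."""
    return n > 3 and all(pow(b, n - 1, n) == 1 for b in (2, 3, 5, 7, 11, 13, 17, 19))

def setup(bits=62):
    """Smallest safe prime P = 2Q + 1 with Q >= 2^bits; g = 4 then has order exactly Q."""
    q = (1 << bits) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = setup()   # toy-sized group constructed at import; real use needs a far larger P

def challenge(ident, a1, a2, f):
    """H(ID, g, A, F): the random oracle, instantiated here with SHA-256 reduced mod Q."""
    h = hashlib.sha256(f"{ident}|{G}|{a1}|{a2}|{f}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key x
    return x, pow(G, x, P)                     # public key y = g^x mod P

def encrypt(y, m, ident):
    """[A, F, C, ID] with A = (g^k, y^k m), F = g^v, C = k*H(ID, g, A, F) + v (mod Q); m in G_Q."""
    k, v = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    a1, a2 = pow(G, k, P), pow(y, k, P) * m % P
    f = pow(G, v, P)
    return (a1, a2), f, (k * challenge(ident, a1, a2, f) + v) % Q, ident

def verify(ct):
    """Schnorr check g^C == A1^H(ID, g, A, F) * F: proof of knowledge of k, bound to ID."""
    (a1, a2), f, c, ident = ct
    return pow(G, c, P) == pow(a1, challenge(ident, a1, a2, f), P) * f % P

def decrypt(x, ct):
    """Refuse ciphertexts whose proof fails; else m = A2 / A1^x (A1^Q = 1 gives the inverse)."""
    if not verify(ct):
        return None
    (a1, a2), _, _, _ = ct
    return a2 * pow(a1, Q - x, P) % P
```

Plain ElGamal would decrypt a ciphertext whose A2 was multiplied by 4 to the related plaintext 4m; with the proof attached, the same ciphertext is rejected.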
Practical implications: encryption
• ElGamal is as secure as [BR94+Can97]
• Non-malleability can be added at minimal efficiency cost
• In applications a signature is still needed
  • Otherwise senders can be impersonated
• Signatures using Schnorr proofs are a smooth addition

Implications: protocols
• First encryption scheme with homomorphic properties that is semantically secure
• Anonymous e-cash: escrowing can be performed based on decision D-H