
A New Paradigm of Hybrid Encryption Scheme

Kaoru Kurosawa, Ibaraki Univ. Yvo Desmedt, UCL and FSU.


Presentation Transcript


  1. A New Paradigm of Hybrid Encryption Scheme • Kaoru Kurosawa, Ibaraki Univ. • Yvo Desmedt, UCL and FSU

  2. Chosen Ciphertext Attack [Diagram: Adversary and Decryption Oracle, with labels $C = E(m)$, $C_i \neq C$, $m_i$, $m$ ??] • PKE is “IND-CCA”

  3. Cramer-Shoup scheme • The 1st practical IND-CCA PKE in the standard model • Based on Decisional Diffie-Hellman (DDH) assumption (’98) • Generalized to Projective hash families (’02)

  4. Hybrid Encryption • Typically, $E(m) = (\mathrm{PKE}(K), \mathrm{SKE}(K, m))$ • If ElGamal, $\mathrm{PKE}(K) = (g^r, K \cdot y^r)$ • More efficiently, PKE part = $g^r$ only, with $K = y^r$

  5. Key Encapsulation Mechanism (KEM) • The PKE part ($\mathrm{PKE}(K)$ or $g^r$) is formalized as KEM by Shoup • CCA-security notion of KEM is also formalized by Shoup

  6. CCA security of KEM [Diagram: Adversary and Decryption Oracle, with labels KEM (= $\mathrm{PKE}(K)$ or $g^r$), $\mathrm{KEM}_i \neq \mathrm{KEM}$, $K_i$, $K$ ??] • KEM is “IND-CCA”

  7. Security of Hybrid Encryption • IND-CCA KEM + IND-CCA SKE ⇒ IND-CCA Hybrid Encryption scheme

  8. In the standard model • Shoup showed IND-CCA KEM (by using Cramer-Shoup PKE) • As a result, his hybrid encryption scheme is IND-CCA under the DDH assumption

  9. Previously, • It has been believed that KEM must be IND-CCA to obtain IND-CCA Hybrid encryption schemes

  10. In this paper, • We disprove this belief • KEM does not have to be IND-CCA

  11. Discussion • In IND-CCA hybrid encryption, the Dec. oracle returns a message m • In IND-CCA KEM, the Dec. oracle returns a key K of SKE, which reveals more information than m • CCA-security of KEM is too demanding

  12. Proposed Hybrid Encryption • More efficient than Shoup’s because KEM ≠ IND-CCA • Nevertheless, it is IND-CCA under the DDH assumption in the standard model.

  13. The only (conceptual) cost • SKE must be ε-rejection secure: $\Pr_K$(any fixed string is rejected) $> 1 - \varepsilon$ • This property is already satisfied by the SKE which is used in the hybrid construction of Shoup

  14. Proposed scheme • Public-key • Private-key $x_1, x_2, y_1, y_2$

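  15. Encryption • r ← random; $u_1 = g_1^r$, $u_2 = g_2^r$, $\chi = \mathrm{SKE}(K, m)$ • where $v = c^r \cdot d^{r\alpha}$ with $\alpha = \mathrm{UOWH}(u_1, u_2)$, $K = H(v)$ • The ciphertext is $(u_1, u_2, \chi)$, where $(u_1, u_2)$ is the KEM part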

  16. Comparison of KEM • Proposed: KEM = $(u_1, u_2)$, invalid KEM is rejected by SKE • Shoup: KEM = $(u_1, u_2, v)$, invalid KEM is rejected by $v$ • Our KEM ≠ IND-CCA and more efficient • Our $v$ is used to generate $K$ of SKE

  17. Decryption of our scheme • For $C = (u_1, u_2, \chi)$, compute $\alpha = \mathrm{UOWH}(u_1, u_2)$, $K = H(v)$ • Decrypt $\chi$ under the key $K$ by SKE (Invalid C is rejected by ε-rejection security of our SKE)

  18. Theorem • The proposed hybrid encryption scheme is IND-CCA under the DDH assumption in the standard model if SKE is IND-CCA and ε-rejection secure

  19. DDH assumption • Let G be a group of a prime order q • Then $(g_1, g_2, g_1^r, g_2^r)$ and $(g_1, g_2, g_1^r, g_2^s)$ are indistinguishable, where r and s are random

  20. Assumption on H • If v is uniformly distributed over G, then $K = H(v)$ is uniformly distributed over $\{0,1\}^k$, where k is the key-size of SKE • H(v) can be pseudorandom. (Gennaro and Shoup)

  21. One-Time SKE • One-Time SKE is enough for hybrid encryption • In the Def. of IND-CCA, A has access to Dec. oracle only after being given a challenge ciphertext χ

  22. Construction of OT-SKE (Shoup) • For a key $K = (K_0, K_1, K_2)$, let $e = \mathrm{PRBG}(K_0) + m$, $\mathrm{tag} = \mathrm{AXUH}(K_1, e) + K_2$ • The ciphertext is $\chi = (e, \mathrm{tag})$ • This scheme is already ε-rejection secure: $\Pr_K$($\chi$ is rejected) $> 1 - \varepsilon$ because $K_2$ is random • MAC can be used (Gennaro and Shoup)
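
Added example (not from the slides or the authors): a toy Python run of the scheme on slides 15, 17 and 22, measuring how often an invalid KEM part is rejected by the SKE. The public key c = g1^x1·g2^x2, d = g1^y1·g2^y2 and the decryption formula for v come from the published Kurosawa-Desmedt scheme because the transcript lost them; the 11-bit group, SHA-256 for UOWH and H, SHAKE-256 for PRBG, and HMAC in place of the AXUH tag are assumptions for illustration only.

```python
import hashlib, hmac, secrets

# Toy group (constructed, insecure size): P = 2Q + 1; G1, G2 are squares of order Q.
P, Q, G1, G2 = 2039, 1019, 4, 9

def _h(label, *ints):
    return hashlib.sha256(label + b"|".join(str(i).encode() for i in ints)).digest()

def _alpha(u1, u2):                      # SHA-256 as a stand-in for UOWH(u1, u2)
    return int.from_bytes(_h(b"uowh", u1, u2), "big") % Q

def _xor(data, k0):                      # SHAKE-256 as a stand-in for PRBG(K0)
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(k0).digest(len(data))))

def _tag(v, e):                          # HMAC standing in for the AXUH-based tag
    return hmac.new(_h(b"mac", v), e, hashlib.sha256).digest()

def keygen():
    x1, x2, y1, y2 = (secrets.randbelow(Q) for _ in range(4))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    return (c, d), (x1, x2, y1, y2)

def encrypt(pk, m):
    c, d = pk
    r = secrets.randbelow(Q - 1) + 1
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    v = pow(c, r, P) * pow(d, r * _alpha(u1, u2) % Q, P) % P
    e = _xor(m, _h(b"enc", v))           # K = H(v) is split into stream and MAC keys
    return u1, u2, (e, _tag(v, e))       # ciphertext (u1, u2, chi); v is never sent

def decrypt(sk, ct):
    x1, x2, y1, y2 = sk
    u1, u2, (e, tag) = ct
    if any(not 0 < u < P or pow(u, Q, P) != 1 for u in (u1, u2)):
        return None                      # not elements of the order-Q group
    a = _alpha(u1, u2)
    v = pow(u1, (x1 + y1 * a) % Q, P) * pow(u2, (x2 + y2 * a) % Q, P) % P
    if not hmac.compare_digest(tag, _tag(v, e)):
        return None                      # the SKE, not the KEM, rejects the query
    return _xor(e, _h(b"enc", v))

def invalid_rejection_rate(trials=300):
    rejected = 0
    for _ in range(trials):
        pk, sk = keygen()
        u1, u2, chi = encrypt(pk, b"constructed sample message")
        bad_u2 = u2 * G2 % P             # (g1^r, g2^(r+1)) is an invalid KEM part
        rejected += decrypt(sk, (u1, bad_u2, chi)) is None
    return rejected / trials
```

In this toy group an invalid query slips through only when the recomputed v happens to equal the original, which occurs with probability about 1/Q per query, so the measured rate sits near 0.999.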

  23. Efficiency Comparison with Shoup’s hybrid encryption • Ciphertext is 1 group element shorter • Public-key is also 1 group element shorter • Private-key is |q| bits shorter • Encryption/Decryption needs 1 fewer exponentiation • where we assume H(v) is pseudorandom

  24. Generalization • Cramer and Shoup introduced ε-universal$_2$ Projective Universal Hash (PUH) families • We define a variant, strongly universal$_2$ PUH families

  25. Strongly universal$_2$ • A private-key $(x_1, x_2, y_1, y_2)$ is randomly chosen in such a way that • The public-key is • The freedom is 4 – 2 = 2 • We consider the above probability space

  26. (In)Valid KEM • We say that $(u_1, u_2) = (g_1^r, g_2^r)$ is valid and $(u_1, u_2) = (g_1^r, g_2^s)$ is invalid

  27. Decryption of KEM • For $(u_1, u_2)$, compute $K = H(v)$, with $\alpha = \mathrm{UOWH}(u_1, u_2)$ • Consider F such that $F(u_1, u_2) = v$

  28. Requirement on F • If $(u_1, u_2)$ is valid, $v$ is uniquely determined by the pk • If $(u_1, u_2)$ and $(u_1', u_2')$ are both invalid, $v$ and $v'$ are independently random • We say F is strongly universal$_2$ • Our F is strongly universal$_2$ since Freedom = 2.

  29. Generalized Hybrid Encryption • Our hybrid encryption scheme can be generalized to strongly universal$_2$ PUH families • Concrete schemes can be based on • Quadratic Residuosity assumption • Paillier’s Decision Composite Residuosity assumption

  30. Security proof • Adversary is given a challenge ciphertext $(u_1, u_2, \chi(m))$ • Replace $(u_1, u_2)$ by invalid $(u_1', u_2')$ and $\chi(m)$ by $\chi' = \mathrm{SKE}(\text{random } K', m)$ • $(u_1, u_2, \chi) \sim (u_1', u_2', \chi')$ from the DDH assumption and strongly universal$_2$

  31. Chosen Ciphertext Attack [Diagram: Adversary and Decryption Oracle, with labels $(u_1', u_2', \chi')$, $(u_1, u_2, \chi)_i$, $m_i$, $m$ ??]

  32. Dec. query $(u_1, u_2, \chi)_i$ • (Type 1) Valid • (Type 2) Invalid and $(u_1, u_2)_i = (u_1', u_2')$ • (Type 3) Invalid and $(u_1, u_2)_i \neq (u_1', u_2')$

  33. In Type 3 query • $K_i = H(v_i)$ is random because $v'$ and $v_i$ are independently random from strongly universal$_2$ • Since $K_i$ is random, $\chi_i$ is rejected by SKE with high prob. because our SKE is ε-rejection secure

  34. In Type 2 query • $(u_1, u_2)_i = (u_1', u_2')$ • In this case, $\chi_i$ is decrypted by the same $K'$ that is used in the challenge ciphertext E’

  35. To summarize, • Type 3 query is rejected • Type 2 query is decrypted by K’ • Type 1 (valid) query is decrypted in the normal way • Consequently, the CCA-attack is reduced to a CCA-attack on SKE as follows

  36. CCA attack on SKE [Diagram: Adversary and Decryption Oracle, with labels $\chi' = \mathrm{SKE}(K', m)$, $\chi_i = \mathrm{SKE}(K', m_i)$, $m_i$, $m$ ??]

  37. Finally, • Our SKE is CCA-secure • Our hybrid encryption scheme is CCA-secure Q.E.D.

  38. Summary • KEM does not have to be IND-CCA • Our hybrid encryption scheme is more efficient than Shoup’s • Can be generalized to PUH families • Our schemes are IND-CCA in the standard model

  39. Open problem • Can we formalize a weaker condition on KEM than IND-CCA? • It seems impossible because the security of KEM and that of SKE are intertwined (as in our scheme)
