Anonymity and Robustness in Encryption Schemes
Payman Mohassel
University of Calgary

Public Key Encryption (PKE)
• PKE = (KG, Enc, Dec)
• $(pk, sk) \leftarrow KG$; $pk$ is given to the sender
• $C = Enc(pk, m)$
• $m = Dec(sk, C)$

Traditional Security Notions (Data Secrecy)
• Semantic security
  • No function of the message is leaked
  • Equivalent to indistinguishability
• Non-malleability
  • Hard to create ciphertexts for related messages
• Chosen plaintext attacks (CPA)
• Chosen ciphertext attacks (CCA)

Mobile Communication
[Figure: a mobile user and a base station run a key exchange; pk and Enc(pk, message) travel over the link.]
• An eavesdropper wants to learn the identity of the mobile user

Secure Auction [Sako'00]
• First practical auction to hide bid values
• Keys correspond to bid values
• A known message is encrypted using the key
• Hiding a bid value requires hiding the key

[Figure: $c = Enc(pk, m)$ is sent to the holder of $(pk, sk)$; a party holding a different key $sk'$ computes $Dec(sk', c)$.]

Other Guarantees
• Does the ciphertext hide the key?
  • Anonymity
• What happens when decrypting using a different key?
  • Robustness

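ANON-CCA
• Challenger: $(pk_0, sk_0) \leftarrow KG(1^n)$, $(pk_1, sk_1) \leftarrow KG(1^n)$, $b \leftarrow \{0,1\}$
• Adversary receives $pk_0, pk_1$
• Decryption queries $(c_1, b_1), \dots, (c_i, b_i)$ are answered with $Dec(sk_{b_1}, c_1), \dots, Dec(sk_{b_i}, c_i)$
• Adversary sends $m$; challenger returns $C = Enc(pk_b, m)$
• Decryption queries $(c_{i+1}, b_{i+1}), \dots, (c_q, b_q)$ are answered with $Dec(sk_{b_{i+1}}, c_{i+1}), \dots, Dec(sk_{b_q}, c_q)$
• Adversary outputs $b'$
• $\mathrm{Adv}^{\text{anon-cca}}_{PKE}(A) = |\Pr[b' = b] - 1/2|$ is negligible
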
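Weak Robustness (WROB-CCA)
• Challenger: $(pk_0, sk_0) \leftarrow KG(1^n)$, $(pk_1, sk_1) \leftarrow KG(1^n)$
• Adversary receives $pk_0, pk_1$
• Decryption queries $(c_i, b_i)$ are answered with $Dec(sk_{b_i}, c_i)$
• Adversary outputs a message $M$
• Adv wins if $Dec(sk_1, C) \neq \bot$, where $C = Enc(pk_0, M)$
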
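Strong Robustness (SROB-CCA)
• Challenger: $(pk_0, sk_0) \leftarrow KG(1^n)$, $(pk_1, sk_1) \leftarrow KG(1^n)$
• Adversary receives $pk_0, pk_1$
• Decryption queries $(c_i, b_i)$ are answered with $Dec(sk_{b_i}, c_i)$
• Adversary outputs a ciphertext $C$
• Adv wins if $Dec(sk_0, C) \neq \bot$ and $Dec(sk_1, C) \neq \bot$
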
What is Known?
• Anonymity
  • Not always satisfied
  • $y = x^e \bmod N$ for random $x$
  • $pk_0 = (N_0, e_0)$, $pk_1 = (N_1, e_1)$, $N_1 > N_0$
  • If $y > N_0$ return $pk_1$, else return $pk_0$
• Robustness
  • ElGamal is not robust
  • $[pk_0 = (G, p, g, g^x),\ sk_0 = x]$, $[pk_1 = (G, p, g, g^y),\ sk_1 = y]$
  • $Enc(pk_0, m) = (c_1, c_2) = (g^r, m g^{xr})$
  • $m' = Dec(sk_1, (c_1, c_2)) = c_2 / c_1^y = m g^{(x-y)r}$

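Both observations on this slide can be checked numerically. The following Python sketch is an added example, not code from the talk or the paper; the group (P, Q, G), the RSA moduli and all function names are constructed toy values chosen only so the script runs instantly.

```python
import secrets

# Constructed toy parameters (assumptions, far too small for real use).
P, Q, G = 2039, 1019, 4            # safe prime P = 2Q + 1; G generates the order-Q subgroup
N0, E0 = 3233, 17                  # 61 * 53
N1, E1 = 8633, 17                  # 89 * 97, so N1 > N0

def elgamal_kg():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def elgamal_enc(pk, m, r):
    return pow(G, r, P), m * pow(pk, r, P) % P

def elgamal_dec(sk, c):
    c1, c2 = c
    # c1^(P-1-sk) = c1^(-sk) mod P; there is no validity check, so nothing ever maps to ⊥
    return c2 * pow(c1, P - 1 - sk, P) % P

def wrong_key_decryption():
    """Encrypt under pk0, decrypt under sk1; return (m, m', value predicted by the slide)."""
    (pk0, x), (_, y) = elgamal_kg(), elgamal_kg()
    m = pow(G, secrets.randbelow(Q), P)          # message encoded as a group element
    r = secrets.randbelow(Q - 1) + 1
    m_prime = elgamal_dec(y, elgamal_enc(pk0, m, r))
    return m, m_prime, m * pow(G, (x - y) * r % Q, P) % P

def guess_key(y):
    """Slide's distinguisher for textbook RSA: only pk1 can produce y > N0."""
    return 1 if y > N0 else 0

def guess_rates():
    """Exact Pr[guess = 1] under each key, taken over every plaintext x."""
    hit0 = sum(guess_key(pow(x, E0, N0)) for x in range(N0))
    hit1 = sum(guess_key(pow(x, E1, N1)) for x in range(N1))
    return hit0 / N0, hit1 / N1
```

With these moduli the distinguisher never answers 1 under $pk_0$ and answers 1 about 62.5% of the time under $pk_1$, so its advantage is far from negligible; the wrong-key ElGamal decryption always returns a group element rather than an error.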
What is Known?
• Anonymous PKE and IBE
  • [Bellare et al. 2001], [Abdalla et al. 2008]
  • PKE: DHIES, [Cramer-Shoup'01]
  • IBE: [Boneh-Franklin'01], [Boyen-Waters'06]
• Robust PKE and IBE
  • [Abdalla et al. 2010]
  • Strongly robust IBE: [Boneh-Franklin'01]
  • Weakly robust PKE: DHIES, [Cramer-Shoup'01]
  • Not robust: [Boyen-Waters'06]

Our Contribution
• Studying anonymity of hybrid encryption
  • Positive and negative results
• More efficient transformations for robust encryption schemes
  • Computation and ciphertext size
  • Please see the paper

Question: Given an "anonymous PKE/IBE" and an "anonymous SKE", is the hybrid encryption scheme also anonymous?

Anonymity of Hybrid Encryption
• ANON-CPA PKE/IBE + IND-CPA SKE
  • The hybrid encryption is ANON-CPA
• [negative] ANON-CCA PKE/IBE + IND-CCA SKE
  • The hybrid encryption is NOT always ANON-CCA
  • True if SKE is ANON-CCA or more
• [positive] (WROB + ANON)-CCA PKE/IBE + AE SKE
  • The hybrid encryption is ANON-CCA
• More evidence that "anonymity" and "robustness" are needed simultaneously

Counter Example (PKE)
• Start with (WROB + ANON)-CCA $PKE_1$
  • $PKE_1 = (KG_1, Enc_1, Dec_1)$
• Build $PKE_2 = (KG_2, Enc_2, Dec_2)$
• $Dec_2$
  • Run $Dec_1$; if it returns $\bot$, return $0^n$
  • Else return what $Dec_1$ outputs
• $PKE_2$ is still ANON-CCA

Counter Example (SKE)
• We use a key-binding IND-CCA SKE
• Key-binding SKE = (K, SE, SD)
  • For any $k \in K$, randomness $r$, and message $m$
  • There is no $k' \neq k$ where $SD_{k'}(SE_k(m, r)) \neq \bot$
• $PKE_2$ + key-binding SKE
  • Not ANON-CCA

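Counter Example
• Challenger: $(pk_0, sk_0) \leftarrow KG(1^n)$, $(pk_1, sk_1) \leftarrow KG(1^n)$, $b \leftarrow \{0,1\}$
• Adversary receives $pk_0, pk_1$ and sends $m$
• Challenge: $(c_1, c_2) = (Enc_2(pk_b, k), SE(k, m))$
• Adversary makes a decryption query under $pk_0$ for $(c_1, SE(0^n, m'))$
• If the answer is $\bot$ let $b' = 0$, else $b' = 1$
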
Counter Example
• Requiring a stronger security notion for SKE does NOT help
  • If it can be combined with key-binding
• What about stronger notions for the PKE?

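The counterexample from the preceding slides can be run end to end. This Python sketch is an added example, not code from the talk or the paper: `enc1`/`dec1` are a constructed toy stand-in for a weakly robust $PKE_1$ (an ElGamal-style KEM with a key check, not claimed to be CCA-secure), `se`/`sd` are a constructed key-binding SKE, and the group parameters and all names are assumptions.

```python
import hashlib, hmac, secrets

P, Q, G = 2039, 1019, 4      # constructed toy group (assumption); far too small for real use
ZERO = bytes(16)             # the fixed string 0^n

def H(label, *vals):
    return hashlib.sha256(label + repr(vals).encode()).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def kg():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def enc1(pk, k):             # toy stand-in for a weakly robust PKE1: ElGamal KEM + key check
    r = secrets.randbelow(Q - 1) + 1
    s = pow(pk, r, P)
    return pow(G, r, P), xor(k, H(b"pad", s)), H(b"chk", s, pk)

def dec1(pk, sk, c):
    u, body, chk = c
    s = pow(u, sk, P)
    return xor(body, H(b"pad", s)) if hmac.compare_digest(chk, H(b"chk", s, pk)) else None

def dec2(pk, sk, c):         # PKE2 from the slide: return 0^n where Dec1 returns ⊥
    k = dec1(pk, sk, c)
    return ZERO if k is None else k

def se(k, m):                # key-binding SKE: hash pad, then HMAC under the same key
    n = secrets.token_bytes(16)
    body = xor(m, H(b"ske", k, n))
    return n, body, hmac.new(k, n + body, hashlib.sha256).digest()

def sd(k, c):
    n, body, tag = c
    ok = hmac.compare_digest(tag, hmac.new(k, n + body, hashlib.sha256).digest())
    return xor(body, H(b"ske", k, n)) if ok else None

def adversary_guess(b, pke_dec):
    """Play the slide's attack against a hybrid built on pke_dec; return b'."""
    (pk0, sk0), (pk1, sk1) = kg(), kg()
    while pk1 == pk0:        # toy group is tiny; make sure the two keys differ
        pk1, sk1 = kg()
    c1 = enc1((pk0, pk1)[b], secrets.token_bytes(16))   # challenge header c1*
    probe = se(ZERO, b"probe")                            # c2 = SE(0^n, m'), differs from c2*
    k = pke_dec(pk0, sk0, c1)                             # decryption query under pk0
    answer = None if k is None else sd(k, probe)
    return 0 if answer is None else 1
```

Calling `adversary_guess(b, dec2)` recovers `b` every time, while `adversary_guess(b, dec1)` returns 0 for both values of `b`: the single change from $\bot$ to $0^n$ is what hands the adversary a working decryption oracle for the wrong key.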
Positive Result
Claim: If PKE is (ANON + WROB + IND)-CCA and SKE is a (one-time) authenticated encryption, the hybrid construction is (ANON + IND)-CCA.

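Game 0
• Challenger: $(pk_0, sk_0) \leftarrow KG(1^n)$, $(pk_1, sk_1) \leftarrow KG(1^n)$, $b \leftarrow \{0,1\}$
• Adversary receives $pk_0, pk_1$
• Decryption queries $(C_1, b_1), \dots, (C_i, b_i)$ are answered with $Dec(sk_{b_1}, C_1), \dots, Dec(sk_{b_i}, C_i)$
• Adversary sends $m$; challenge: $c^*_1 = Enc(pk_b, k^*)$, $c^*_2 = SE(k^*, m)$
• Decryption queries $(C_{i+1}, b_{i+1}), \dots, (C_q, b_q)$ are answered with $Dec(sk_{b_{i+1}}, C_{i+1}), \dots, Dec(sk_{b_q}, C_q)$
• Adversary outputs $b'$
• $\mathrm{Adv}^{\text{anon-cca}}_{PKE}(A) = |\Pr[b' = b] - 1/2|$ is negligible
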
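Game 1
• Challenger: $(pk_0, sk_0) \leftarrow KG(1^n)$, $(pk_1, sk_1) \leftarrow KG(1^n)$, $b \leftarrow \{0,1\}$
• Adversary receives $pk_0, pk_1$ and sends $m$
• Challenge: $c^*_1 = Enc(pk_b, k^*)$, $c^*_2 = SE(k^*, m)$
• Decryption queries $((c^*_1, c_2 \neq c^*_2), b)$ are answered with $SD(k^*, c_2)$
• Adversary outputs $b'$
• Difference in games: decryption error
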
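Game 2
• Challenger: $(pk_0, sk_0) \leftarrow KG(1^n)$, $(pk_1, sk_1) \leftarrow KG(1^n)$, $b \leftarrow \{0,1\}$
• Adversary receives $pk_0, pk_1$ and sends $m$
• Challenge: $c^*_1 = Enc(pk_b, k^*)$, $c^*_2 = SE(k^*, m)$
• Decryption queries considered: $((c^*_1, c_2 \neq c^*_2), 1-b)$
• Adversary outputs $b'$
• Difference in games: weak robustness of the PKE
  • Only if $c^*_1$ decrypts under $pk_b$ and $pk_{1-b}$
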
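Game 3
• Challenger: $(pk_0, sk_0) \leftarrow KG(1^n)$, $(pk_1, sk_1) \leftarrow KG(1^n)$, $b \leftarrow \{0,1\}$
• Adversary receives $pk_0, pk_1$ and sends $m$
• Challenge: $c^*_1 = Enc(pk_b, k^*)$, $c^*_2 = SE(k', m)$
• Adversary outputs $b'$
• Difference in games: IND-CCA security of the PKE
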
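Game 4
• Challenger: $(pk_0, sk_0) \leftarrow KG(1^n)$, $(pk_1, sk_1) \leftarrow KG(1^n)$, $b \leftarrow \{0,1\}$
• Adversary receives $pk_0, pk_1$ and sends $m$
• Challenge: $c^*_1 = Enc(pk_b, k^*)$, $c^*_2 = SE(k', m)$
• Decryption queries considered: $((c^*_1, c_2 \neq c^*_2), \{b \text{ or } 1-b\})$
• Adversary outputs $b'$
• Difference in games: CTXT integrity of the SKE
  • Only if a valid ciphertext under $k'$ is generated
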
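Putting Things Together
• $\mathrm{Adv}^{\text{anon-cca}}(\text{hybrid}) < \mathrm{Adv}^{\text{wrob-cca}}(PKE) + \mathrm{Adv}^{\text{ind-cca}}(PKE) + \mathrm{Adv}^{\text{ctxt-int}}(SKE) + \mathrm{Adv}^{\text{anon-cca}}(PKE)$
• Boneh-Franklin, Cramer-Shoup, DHIES are WROB-CCA
• Boyen-Waters IBE is not
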
Summary
• ANON-CCA PKE + (…) SKE ⇏ ANON-CCA hybrid
• (WROB + ANON)-CCA PKE + AE SKE ⇒ ANON-CCA hybrid
• Is weak robustness a necessary condition?
• Is Boyen-Waters (in)secure when used in a hybrid construction?

Results on Robustness
• [Abdalla et al.'10]
  • Transforming ANON-CCA schemes to robust ones
• We design more efficient transformations
  • Refer to the paper

Identity-based encryption (IBE)
• IBE = (MKG, Enc, Dec)
• $(par, msk) \leftarrow MKG$
• [Figure: PKG, identity $id$, key pair $(sk, pk)$]
• $C = Enc_{pk}(m)$
• $m = Dec_{sk}(C)$

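IND-CCA
• Challenger: $(pk, sk) \leftarrow KG(1^n)$; $b \leftarrow \{0,1\}$
• Decryption queries $c_1, \dots, c_i$ are answered with $Dec_{sk}(c_1), \dots, Dec_{sk}(c_i)$
• Adversary sends $m_0, m_1$; challenger returns $C = Enc_{pk}(m_b)$
• Decryption queries $c_{i+1}, \dots, c_q$ are answered with $Dec_{sk}(c_{i+1}), \dots, Dec_{sk}(c_q)$
• Adversary outputs $b'$
• $\mathrm{Adv}^{\text{ind-cca}}_{PKE}(A) = |\Pr[b' = b] - 1/2|$ is negligible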