A Brief History of Provable Security and PKE
Transcript of A Brief History of Provable Security and PKE
Alex Dent
Information Security Group
Royal Holloway, University of London
A Provable Timeline
• Late 1970s: First secure schemes
• 1980s: Definitions
• 1990s: Random oracle model schemes
• Late 1990s: “Double and add” schemes
– NIZK proof schemes
– Cramer-Shoup encryption
• 2000s: Signatures and identities
• 2000s: Extracting the truth
Definitions
• Confidentiality means that an attacker cannot find any information about a plaintext from a ciphertext.
• Semantic security captures this notion.
Definitions
• IND-CPA is equivalent to semantic security [Goldwasser-Micali, 1984].
Definitions
• IND-CPA game (slide diagram):
– The challenger sends the public key pk to the attacker.
– The attacker chooses two messages m0, m1 and sends them to the challenger.
– The challenger picks b ← {0,1} and returns the challenge ciphertext C* = Enc(pk, m_b).
– The attacker outputs a guess b′.
• Attacker wins if b = b′
• Advantage of an attacker is:
| Pr[ b = b′ ] - ½ |
Definitions
• IND-CCA1 security: Allows access to a decryption oracle before the challenge ciphertext is issued [Naor-Yung, 1990].
Definitions
• IND-CCA2 security: Allow access to a decryption oracle before and after the challenge ciphertext is issued.
[Rackoff-Simon, 1991]
Definitions
• IND-CCA2 game (slide diagram):
– The challenger sends the public key pk to the attacker.
– The attacker may submit any ciphertext C to the decryption oracle and receives m = Dec(sk, C).
– The attacker chooses m0, m1; the challenger picks b ← {0,1} and returns C* = Enc(pk, m_b).
– The attacker may again submit ciphertexts C to the decryption oracle and receives m = Dec(sk, C), provided C ≠ C*.
– The attacker outputs a guess b′.
• Advantage of an attacker is:
| Pr[ b = b′ ] - ½ |
Definitions
• Why is this such a difficult notion of security to achieve?
Definitions
• Decryption oracle has to be “consistent”.
• Trivial oracle queries.
• (Slide diagram, “Problem” vs “Solution”: in the real game the attacker is given pk, sends m0, m1, receives C*, queries the decryption oracle with ciphertexts C to get m, and outputs b′. In the proof, the decryption oracle is replaced by a simulated decryption oracle and the challenge C* by a simulated ciphertext, and the attacker must not be able to tell the difference.)
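As an added illustration of the game just described (not part of the original slides), the following Python harness runs the IND-CCA2 experiment for a toy scheme: a decryption oracle that answers every query except the trivial one C = C*, and an empirical advantage |Pr[b = b′] - ½| over repeated trials. The scheme is textbook ElGamal over a small prime-order subgroup (toy parameters p = 2039, q = 1019, generator 4, all constructed for the example), which the later slides note is only passively secure. The second adversary shows why: it asks the oracle about a ciphertext related to C*, which is exactly the kind of query the “checksum” of the later schemes is designed to make useless.

```python
"""Toy IND-CCA2 game in the slides' notation.  Added example: the group is a
small prime-order subgroup chosen for illustration (constructed parameters,
not production ones) and the scheme is plain ElGamal."""
import secrets

P = 2039   # safe prime P = 2Q + 1 (constructed toy value)
Q = 1019   # prime order of the subgroup of quadratic residues mod P
G = 4      # 2^2, so G generates that order-Q subgroup


def rand_exponent():
    return 1 + secrets.randbelow(Q - 1)          # uniform in {1, ..., Q-1}


# --- ElGamal: pk = h = g^z, sk = z, C = (g^r, h^r * m) ----------------------
def elgamal_keygen():
    z = rand_exponent()
    return pow(G, z, P), z


def elgamal_enc(h, m):
    r = rand_exponent()
    return pow(G, r, P), pow(h, r, P) * m % P


def elgamal_dec(z, ct):
    a, c = ct
    return c * pow(pow(a, z, P), -1, P) % P      # m = c / a^z


# --- the game ----------------------------------------------------------------
class DecryptionOracle:
    """Answers Dec(sk, C) for any C except the challenge ciphertext C*."""

    def __init__(self, sk, dec):
        self.sk, self.dec, self.challenge = sk, dec, None

    def query(self, ct):
        if ct == self.challenge:
            raise ValueError("trivial query C = C* is not allowed")
        return self.dec(self.sk, ct)


def ind_cca2_game(keygen, enc, dec, adversary, trials=100):
    """Returns the empirical advantage |Pr[b = b'] - 1/2| over `trials` runs."""
    wins = 0
    for _ in range(trials):
        pk, sk = keygen()
        oracle = DecryptionOracle(sk, dec)
        m0, m1 = adversary.choose(pk, oracle)            # phase 1: oracle available
        b = secrets.randbelow(2)
        c_star = enc(pk, (m0, m1)[b])
        oracle.challenge = c_star                         # from now on C* is refused
        wins += adversary.guess(pk, oracle, c_star) == b  # phase 2: oracle still available
    return abs(wins / trials - 0.5)


class RandomGuess:
    """Ignores everything and flips a coin: advantage close to 0."""

    def choose(self, pk, oracle):
        return 4, 9            # both are squares mod P, hence in the subgroup

    def guess(self, pk, oracle, c_star):
        return secrets.randbelow(2)


class RelatedQueryAdversary:
    """Why plain ElGamal is not IND-CCA2: (a, c*G) is a valid encryption of m*G
    and differs from C*, so the oracle decrypts it and the guess is always right."""

    def choose(self, pk, oracle):
        return 4, 9

    def guess(self, pk, oracle, c_star):
        a, c = c_star
        m = oracle.query((a, c * G % P)) * pow(G, -1, P) % P
        return 0 if m == 4 else 1


def trivial_query_is_refused():
    """The oracle refuses C = C* even though it decrypts anything else."""
    pk, sk = elgamal_keygen()
    oracle = DecryptionOracle(sk, elgamal_dec)
    oracle.challenge = elgamal_enc(pk, 4)
    try:
        oracle.query(oracle.challenge)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("random guess :", ind_cca2_game(elgamal_keygen, elgamal_enc, elgamal_dec, RandomGuess(), 2000))
    print("related query:", ind_cca2_game(elgamal_keygen, elgamal_enc, elgamal_dec, RelatedQueryAdversary()))
```

The only restriction the game places on the oracle is C ≠ C*, so any scheme whose ciphertexts can be re-randomised or re-arranged into a different valid ciphertext of a related message gives the attacker advantage ½. A scheme that is IND-CCA2 must make every such related ciphertext fail to decrypt, which is what the “double and add” constructions below achieve.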
Random Oracle Model
• The random oracle methodology models hash functions as random functions.
[Bellare-Rogaway, 1993]
• Enables security proofs for very efficient schemes such as ECIES and RSA-OAEP.
Random Oracle Model
• There exist schemes that are secure in the random oracle model, but insecure when used with any hash function.
[Canetti-Goldreich-Halevi, 1998]
“Double and Add” Schemes
• A series of schemes prove security by encrypting a message twice with a weak scheme and adding a “checksum”.
• Principle proposed by Naor and Yung.
• IND-CCA2 version of the scheme given in [Sahai, 1999].
• “Checksum” is NIZK proof.
“Double and Add” Schemes
• Non-interactive zero-knowledge (NIZK) proof that two ciphertexts encrypt the same message.
• (Slide diagram: the prover takes the public value σ together with the message and coins, and outputs a proof π.)
“Double and Add” Schemes
• Zero knowledge: it must be possible to choose σ in such a way that there is a trapdoor τ which allows “false” proofs.
• (Slide diagram: the honest prover takes the public value σ and the message and coins, and outputs a proof π; the simulator takes the private value τ and any two ciphertexts, and also outputs a proof π.)
“Double and Add” Schemes
• Simulation sound: it must not be possible to find a false proof (given only σ) even if you have seen one false proof.
“Double and Add” Schemes
• Use an IND-CPA scheme (G, E, D).
• Public key is (pk1, pk2, σ).
• Private key is sk1.
• To decrypt:
– Check proof π.
– Decrypt C1.
• (Slide diagram: m is encrypted under pk1 to give C1 and under pk2 to give C2; the NIZK with public value σ gives the proof π; the ciphertext is (C1, C2, π).)
“Double and Add” Schemes
• This scheme is theoretical.
• The NIZK is impractical (very long output and time consuming to compute).
• However, it does show that public key encryption exists as long as trapdoor one-way permutations exist.
“Double and Add” Schemes
• The Cramer-Shoup scheme was the first practical and provably secure scheme.
[Cramer-Shoup, 1998]
“Double and Add” Schemes
• The Cramer-Shoup encryption scheme works on the same principles as Sahai.
• Key generation:
– g, g′ ← G
– x1, x2, y1, y2, z ← Zp
– h ← g^z
– e ← g^{x1} · g′^{x2}
– f ← g^{y1} · g′^{y2}
– pk = (g, g′, h, e, f)
– sk = (x1, x2, y1, y2, z)
• Encrypt:
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– v ← Hash(a, a′, c)
– d ← e^r · f^{rv}
– C = (a, a′, c, d)
“Double and Add” Schemes
• Start with a version of ElGamal.
• ElGamal is passively secure under the DDH assumption.
• Publicly known, random element h ← G.
• Key generation:
– z ← Zp
– g ← h^{1/z}
– pk = g
– sk = z
• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– C = (a, c)
“Double and Add” Schemes
• We need to encrypt twice under independent public keys.
• Key generation:
– z, z′ ← Zp
– g ← h^{1/z}
– g′ ← h^{1/z′}
– pk = (g, g′)
– sk = (z, z′)
• Encrypt:
– r, r′ ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^{r′}
– c′ ← h^{r′} · m
– C = (a, c, a′, c′)
“Double and Add” Schemes
• However, a paper by [Bellare-Boldyreva-Staddon, 2003] says we can reuse the random value r without losing security.
• Key generation:
– z, z′ ← Zp
– g ← h^{1/z}
– g′ ← h^{1/z′}
– pk = (g, g′)
– sk = (z, z′)
• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^r
– c′ ← h^r · m
– C = (a, c, a′, c′)
“Double and Add” Schemes
• However, now c and c′ are the same value.
• Key generation:
– z, z′ ← Zp
– g ← h^{1/z}
– g′ ← h^{1/z′}
– pk = (g, g′)
– sk = (z, z′)
• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^r
– C = (a, c, a′)
“Double and Add” Schemes
• Now, the value z′ is never used and so we can remove it.
• Key generation:
– z ← Zp
– g ← h^{1/z}
– g′ ← G
– pk = (g, g′)
– sk = z
• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^r
– C = (a, c, a′)
“Double and Add” Schemes
• And if we just tidy up a bit, then we get…
• (I’m hiding a few things here!)
• Key generation:
– g, g′ ← G
– z ← Zp
– h ← g^z
– pk = (g, g′, h)
– sk = z
• Encrypt:
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– C = (a, a′, c)
“Double and Add” Schemes
• However, this is over half the Cramer-Shoup scheme:
• Key generation (simplified scheme):
– g, g′ ← G
– z ← Zp
– h ← g^z
– pk = (g, g′, h)
– sk = z
• Key generation (Cramer-Shoup):
– g, g′ ← G
– x1, x2, y1, y2, z ← Zp
– h ← g^z
– e ← g^{x1} · g′^{x2}
– f ← g^{y1} · g′^{y2}
– pk = (g, g′, h, e, f)
– sk = (x1, x2, y1, y2, z)
“Double and Add” Schemes
• However, this is over half the Cramer-Shoup scheme:
• Encrypt (simplified scheme):
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– C = (a, a′, c)
• Encrypt (Cramer-Shoup):
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– v ← Hash(a, a′, c)
– d ← e^r · f^{rv}
– C = (a, a′, c, d)
“Double and Add” Schemes
• So this fits the Sahai mold provided d acts like a NIZK.
• In the proof, it is shown that d can be faked if you know x1, x2, y1, y2.
• In the proof, it is shown that if a = g^r and a′ = g′^{r′} with r ≠ r′ then the decryption algorithm will reject.
• Encrypt:
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– v ← Hash(a, a′, c)
– d ← e^r · f^{rv}
– C = (a, a′, c, d)
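To make the last few slides concrete, here is an added Python toy implementation of the scheme in the slides' notation (example code, not from the talk or from Cramer and Shoup). The slides show only encryption; the decryption check used here, d = a^{x1 + y1·v} · a′^{x2 + y2·v}, is the one from the Cramer-Shoup paper and is how the decryptor verifies e^r · f^{rv} without knowing r. The group is a constructed order-1019 subgroup mod 2039 and Hash is modelled by SHA-256 reduced mod q; both are assumptions of the example. It demonstrates the three claims above: an honest ciphertext decrypts, a ciphertext with a = g^r but a′ = g′^{r′} for r ≠ r′ is rejected (as is one whose c has been altered), and anyone holding x1, x2, y1, y2 can complete any (a, a′, c) into a ciphertext that passes the check, which is the trapdoor the proof's simulator uses in place of the NIZK's τ.

```python
"""Toy Cramer-Shoup in the slides' notation over a small prime-order subgroup.
Added example: the decryption-side check is the one from the Cramer-Shoup paper
(the slides show only encryption) and the parameters are constructed toy values."""
import hashlib
import secrets

P, Q = 2039, 1019      # safe prime P = 2Q + 1; we work in the subgroup of order Q
GEN = 4                # 2^2 generates the order-Q subgroup of quadratic residues


def rand_zq():
    return 1 + secrets.randbelow(Q - 1)          # uniform in {1, ..., Q-1}


def hash_v(a, a2, c):
    """v = Hash(a, a', c), modelled by SHA-256 reduced into Z_Q (assumption)."""
    digest = hashlib.sha256(f"{a},{a2},{c}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def keygen():
    g, g2 = pow(GEN, rand_zq(), P), pow(GEN, rand_zq(), P)   # g, g' <- G
    x1, x2, y1, y2, z = (rand_zq() for _ in range(5))
    h = pow(g, z, P)
    e = pow(g, x1, P) * pow(g2, x2, P) % P
    f = pow(g, y1, P) * pow(g2, y2, P) % P
    return (g, g2, h, e, f), (x1, x2, y1, y2, z)


def encrypt(pk, m):
    g, g2, h, e, f = pk
    r = rand_zq()
    a, a2 = pow(g, r, P), pow(g2, r, P)
    c = pow(h, r, P) * m % P
    v = hash_v(a, a2, c)
    d = pow(e, r, P) * pow(f, r * v % Q, P) % P
    return a, a2, c, d


def check_tag(sk, a, a2, c):
    """The value d must equal a^(x1 + y1 v) * a'^(x2 + y2 v); for an honest
    ciphertext this is e^r * f^(rv).  Knowing x1, x2, y1, y2 is the trapdoor:
    it lets the proof's simulator produce a passing d for any (a, a', c)."""
    x1, x2, y1, y2, _ = sk
    v = hash_v(a, a2, c)
    return pow(a, (x1 + y1 * v) % Q, P) * pow(a2, (x2 + y2 * v) % Q, P) % P


def decrypt(sk, ct):
    a, a2, c, d = ct
    if d != check_tag(sk, a, a2, c):
        return None                                    # reject
    z = sk[4]
    return c * pow(pow(a, z, P), -1, P) % P            # m = c / a^z


def inconsistent_pair_rejected(pk, sk, m):
    """a = g^r but a' = g'^r' with r != r': rejected (except with prob. ~1/Q)."""
    g, g2, h, e, f = pk
    r, r2 = rand_zq(), rand_zq()
    while r2 == r:
        r2 = rand_zq()
    a, a2 = pow(g, r, P), pow(g2, r2, P)
    c = pow(h, r, P) * m % P
    v = hash_v(a, a2, c)
    d = pow(e, r, P) * pow(f, r * v % Q, P) % P        # computed as for an honest r
    return decrypt(sk, (a, a2, c, d)) is None


def tampered_c_rejected(pk, sk, m):
    """Changing c changes v, so the stored d no longer matches (except w.p. ~1/Q)."""
    a, a2, c, d = encrypt(pk, m)
    return decrypt(sk, (a, a2, c * GEN % P, d)) is None


def simulated_d_accepted(pk, sk, m):
    """With the trapdoor, any (a, a', c) can be completed into an accepted ciphertext,
    even when the exponents of a and a' do not match."""
    g, g2, h, e, f = pk
    a, a2 = pow(g, rand_zq(), P), pow(g2, rand_zq(), P)
    c = pow(h, rand_zq(), P) * m % P
    return decrypt(sk, (a, a2, c, check_tag(sk, a, a2, c))) is not None


if __name__ == "__main__":
    pk, sk = keygen()
    print("round trip      :", decrypt(sk, encrypt(pk, 9)))
    print("r != r' rejected:", inconsistent_pair_rejected(pk, sk, 9))
    print("c changed       :", tampered_c_rejected(pk, sk, 9))
    print("simulated d ok  :", simulated_d_accepted(pk, sk, 9))
```

Notice that the decryptor never recovers r: the check holds for exactly those (a, a′) with the same exponent, because then a^{x1+y1 v} · a′^{x2+y2 v} collapses to e^r · f^{rv}. An attacker who mauls a, a′ or c has to produce a matching d without x1, x2, y1, y2, which is the “simulation sound” property the slides ask of the checksum.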
Signatures and Identities
• It is possible to turn a passively secure identity-based encryption scheme into a secure public-key encryption scheme.
[Canetti-Halevi-Katz, 2004]
• A little odd that it took the development of identity-based encryption before we got new public-key encryption schemes.
Extracting the Truth
• Plaintext awareness is a property of an encryption scheme that says that the only way to create a valid ciphertext is to generate a plaintext and encrypt it.
• So, if an attacker generates a valid ciphertext, then it must know the underlying message.
• Hence, a decryption oracle is no help.
Extracting the Truth
• It’s difficult to say what it means for an attacker (computer) to “know” something.
• The definitions are complex.
• All known proofs rely on the random oracle model, an unrealistic architecture, or suspect “extractor” assumptions.
• The subject for another lecture…
Extracting the Truth
• The idea was first given a full formal treatment in [Bellare-Desai-Pointcheval-Rogaway, 1998].
• However, this definition could only be achieved in the random oracle model.
Extracting the Truth
• [Herzog-Liskov-Micali, 2003] gave a new interpretation of the problem, but it needed an unrealistic architecture.
• The first fully satisfactory definition for plaintext awareness in the standard model was given by [Bellare-Palacio, 2004].
Extracting the Truth
• The Cramer-Shoup scheme was the first to be proven plaintext aware [Dent, 2006].
• Cramer-Shoup and Kurosawa-Desmedt “hash proof system” schemes can be shown to be plaintext aware [Birkett-Dent].
Where are we now?
• [Boneh-Katz, 2005] is a signature-identity scheme similar to the CHK transform.
– Transform efficiency overhead is minimal.
– Still requires a passively secure IBE scheme.
• [Hofheinz-Kiltz, 2007] mixes Cramer-Shoup and IBE techniques.
– 2.5 exponentiations for encryption
– 1.5 exponentiations for decryption
Conclusions
• None of the approaches really work…
– Use the random oracle model
– Or they intrinsically require two operations
– Or they use weak “extractor” assumptions
• New approach is needed if we’re going to prove the ultra-high-speed schemes secure.
• Plenty missing from this presentation
Questions?