A Brief History of Provable Security and PKE - PowerPoint PPT Presentation

1 / 41
About This Presentation
Title:

A Brief History of Provable Security and PKE

Description:

Confidentiality means that an attacker ... [Canetti-Halevi-Katz, 2004] ... [Boneh-Katz, 2005] is a signature-identity scheme similar to the CHK transform. ... – PowerPoint PPT presentation

Number of Views:28
Avg rating:3.0/5.0
Slides: 42
Provided by: alexand83
Category:

less

Transcript and Presenter's Notes

Title: A Brief History of Provable Security and PKE


1
A Brief History of Provable Security and PKE
  • Alex Dent
  • Information Security Group
  • Royal Holloway, University of London

2
A Provable Timeline
  • Late 1970s First secure schemes
  • 1980s Definitions
  • 1990s Random oracle model schemes
  • Late 1990s Double and add schemes
  • NIZK proof schemes
  • Cramer-Shoup encryption
  • 2000s Signatures and identities
  • 2000s Extracting the truth

3
Definitions
  • Confidentiality means that an attacker cannot
    find any information about a plaintext from a
    ciphertext.
  • Semantic security captures this notion.

4
Definitions
  • IND-CPA is equivalent to semantic security
    Goldwasser-Micali, 1984.

5
Definitions
  • Attacker wins if b b'
  • Advantage of an attacker is
  • Pr b b' - ½

m0
b ? 0,1 C Enc(pk,mb)
C
pk
b'
m1
6
Definitions
  • IND-CCA1 security Allows access to a decryption
    oracle before the challenge ciphertext is issued
    Naor-Yung, 1990.

7
Definitions
  • IND-CCA2 security Allow access to a decryption
    oracle before and after the challenge ciphertext
    is issued.
  • Rackoff-Simon, 1991

8
Definitions
  • Advantage of an attacker is
  • Pr b b' - ½

m Dec(sk,C)
m Dec(sk,C)
C
C
m
m
(C ? C)
m0
b ? 0,1 C Enc(pk,mb)
C
pk
b'
m1
9
Definitions
  • Why is this such a difficult notion of security
    to achieve?

10
Definitions
  • Decryption oracle has to be consistent.
  • Trivial oracle queries.

Simulated Decryption Oracle
C
m
C
m
Simulated Ciphertext
m0
C
Solution
b
Problem
pk
m1
11
Random Oracle Model
  • The random oracle methodology models hash
    functions as random functions.
  • Bellare-Rogaway, 1993
  • Enables security proofs for very efficient
    schemes such as ECIES and RSA-OAEP.

12
Random Oracle Model
  • There exists schemes that are secure in the
    random oracle model, but insecure when used with
    any hash function.
  • Canetti-Goldreich-Halevi, 1998

13
Double and Add Schemes
  • A series of schemes prove security by encrypting
    a message twice with a weak scheme and adding a
    checksum.
  • Principle proposed by Naor and Yung.
  • IND-CCA2 version of the
  • scheme given in Sahai, 1999
  • Checksum is NIZK proof.

14
Double and Add Schemes
  • Non-interactive zero-knowledge (NIZK) proof that
    two ciphertexts encrypt the same message.

Public value s
Proof p
Message and coins
15
Double and Add Schemes
  • Zero knowledge it must be possible to choose s
    in such a way that there is a trapdoor t which
    allows false proofs.

Public value s
Private value t
Proof p
Proof p
Message and coins
Any two ciphertexts
16
Double and Add Schemes
  • Simulation sound it must not be possible to find
    a false proof (given only s) even if you have
    seen one false proof.

Public value s
Private value t
Proof p
Proof p
Message and coins
Any two ciphertexts
17
Double and Add Schemes
m
  • Use an IND-CPA scheme (G ,E ,D ).
  • Public key is (pk1,pk2,s).
  • Private key is sk1.
  • To decrypt
  • Check proof
  • Decrypt C1.

E
E
NIZK
pk1
pk2
s
C1
p
C2
18
Double and Add Schemes
  • This scheme is theoretical.
  • The NIZK is impractical (very long output and
    time consuming to compute).
  • However, it does show that public key encryption
    exists as long as trapdoor one-way permutations
    exist.

19
Double and Add Schemes
  • The Cramer-Shoup scheme was the first practical
    and provably secure scheme.
  • Cramer-Shoup, 1998

20
Double and Add Schemes
  • The Cramer-Shoup encryption scheme works on the
    same principles as Sahai.
  • Key generation
  • g, g' ? G
  • x1,x2,y1,y2,z ? Zp
  • h ? gz
  • e ? gx1g'x2
  • f ? gy1g'y2
  • pk (g,g',h,e,f)
  • sk (x1,x2,y1,y2,z)
  • Encrypt
  • r ? Zp
  • a ? gr
  • a' ? g'r
  • c ? hr m
  • v ? Hash(a,a',c)
  • d ? er frv
  • C (a,a',c,d)

21
Double and Add Schemes
  • Start with a version of ElGamal
  • ElGamal is passively secure under the DDH
    assumption.
  • Publicly known, random element h ? G.
  • Key generation
  • z ? Zp
  • g ? h1/z
  • pk g
  • sk z
  • Encrypt
  • r ? Zp
  • a ? gr
  • c ? hr m
  • C (a,c)

22
Double and Add Schemes
  • We need to encrypt twice under independent public
    keys.
  • Key generation
  • z, z' ? Zp
  • g ? h1/z
  • g' ? h1/z'
  • pk (g,g')
  • sk (z,z')
  • Encrypt
  • r, r' ? Zp
  • a ? gr
  • c ? hr m
  • a' ? g'r'
  • c' ? hr' m
  • C (a,c,a',c')

23
Double and Add Schemes
  • However, a paper by Bellare-Boldyreva-Staddon,
    2003 says we can reuse the random value r
    without losing security.

24
Double and Add Schemes
  • However, a paper by Bellare-Boldyreva-Staddon,
    2003 says we can reuse the random value r
    without losing security.
  • Key generation
  • z, z' ? Zp
  • g ? h1/z
  • g' ? h1/z'
  • pk (g,g')
  • sk (z,z')
  • Encrypt
  • r ? Zp
  • a ? gr
  • c ? hr m
  • a' ? g'r
  • c' ? hr m
  • C (a,c,a',c')

25
Double and Add Schemes
  • However, now c and c' are the same value
  • Key generation
  • z, z' ? Zp
  • g ? h1/z
  • g' ? h1/z'
  • pk (g,g')
  • sk (z,z')
  • Encrypt
  • r ? Zp
  • a ? gr
  • c ? hr m
  • a' ? g'r
  • C (a,c,a')

26
Double and Add Schemes
  • Now, the value z' is never used and so we can
    remove it.
  • Key generation
  • z ? Zp
  • g ? h1/z
  • g' ? G
  • pk (g,g')
  • sk z
  • Encrypt
  • r ? Zp
  • a ? gr
  • c ? hr m
  • a' ? g'r
  • C (a,c,a')

27
Double and Add Schemes
  • And if we just tidy up a bit, then we get
  • (Im hiding a few things here!)
  • Key generation
  • g, g' ? G
  • z ? Zp
  • h ? gz
  • pk (g,g',h)
  • sk z
  • Encrypt
  • r ? Zp
  • a ? gr
  • a' ? g'r
  • c ? hr m
  • C (a,a',c)

28
Double and Add Schemes
  • However, this is over half the Cramer-Shoup
    scheme
  • Key generation
  • g, g' ? G
  • z ? Zp
  • h ? gz
  • pk (g,g',h)
  • sk z
  • Key generation
  • g, g' ? G
  • x1,x2,y1,y2,z ? Zp
  • h ? gz
  • e ? gx1g'x2
  • f ? gy1g'y2
  • pk (g,g',h,e,f)
  • sk (x1,x2,y1,y2,z)

29
Double and Add Schemes
  • However, this is over half the Cramer-Shoup
    scheme
  • Encrypt
  • r ? Zp
  • a ? gr
  • a' ? g'r
  • c ? hr m
  • C (a,a',c)
  • Encrypt
  • r ? Zp
  • a ? gr
  • a' ? g'r
  • c ? hr m
  • v ? Hash(a,a',c)
  • d ? er frv
  • C (a,a',c,d)

30
Double and Add Schemes
  • So this fits the Sahai mold providing d acts like
    a NIZK.
  • In the proof, it is shown the d can be faked if
    you know x1,x2,y1,y2.
  • In the proof, it is shown that if a gr and a'
    g'r' then the decryption algorithm will reject.
  • Encrypt
  • r ? Zp
  • a ? gr
  • a' ? g'r
  • c ? hr m
  • v ? Hash(a,a',c)
  • d ? er frv
  • C (a,a',c,d)

31
Signatures and Identites
  • It is possible to turn a passively secure
    identity-based encryption scheme into a secure
    public-key encryption scheme.
  • Canetti-Halevi-Katz, 2004

32
Signatures and Identites
  • It is possible to turn a passively secure
    identity-based encryption scheme into a secure
    public-key encryption scheme.
  • Canetti-Halevi-Katz, 2004
  • A little odd that it took the development of
    identity-based encryption before we got new
    public-key encryption schemes.

33
Extracting the Truth
  • Plaintext awareness is a property of an
    encryption scheme that says that the only way to
    create a valid ciphertext is to generate a
    plaintext and encrypt it.
  • So, if an attacker generates a valid ciphertext,
    then it must know the underlying message.
  • Hence, a decryption oracle is no help.

34
Extracting the Truth
  • Its difficult to say what it means for an
    attacker (computer) to know something.
  • The definitions are complex.
  • All known proofs rely on the random oracle model,
    an unrealistic architecture, or suspect
    extractor assumptions.
  • The subject for another lecture

35
Extracting the Truth
  • The idea was first given a full formal treatment
    in Bellare-Desai-Pointcheval-Rogaway, 1998.

36
Extracting the Truth
  • The idea was first given a full formal treatment
    in Bellare-Desai-Pointcheval-Rogaway, 1998.
  • However, this definition could only be achieved
    in the random oracle model.

37
Extracting the Truth
  • Herzog-Liskov-Micali, 2003 gave a new
    interpretation of the problem, but it needed an
    unrealistic architecture.
  • The first fully satisfactory definition for
    plaintext awareness in the standard model was
    given by Bellare-Palacio, 2004

38
Extracting the Truth
  • The Cramer-Shoup scheme was the first to be
    proven plaintext aware Dent, 2006
  • Cramer-Shoup and Kurosawa-Desmedt hash proof
    system schemes can be shown to be plaintext
    aware Birkett-Dent.

39
Where are we now?
  • Boneh-Katz, 2005 is a signature-identity scheme
    similar to the CHK transform.
  • Transform efficiency overhead is minimal.
  • Still requires a passively secure IBE scheme
  • Hofheinz-Kiltz, 2007 mixes Cramer-Shoup and IBE
    techniques.
  • 2.5 exponentiations for encryption
  • 1.5 exponentiations for decryption

40
Conclusions
  • None of the approaches really work
  • Use the random oracle model
  • Or they intrinsically require two operations
  • Or they use weak extractor assumptions
  • New approach is needed if were going to prove
    the ultra-high-speed schemes secure.
  • Plenty missing from this presentation

41
Questions?
Write a Comment
User Comments (0)
About PowerShow.com