A Brief History of Provable Security and PKE

1
A Brief History of Provable Security and PKE

• Alex Dent
• Information Security Group
• Royal Holloway, University of London

2
A Provable Timeline

• Late 1970s First secure schemes
• 1980s Definitions
• 1990s Random oracle model schemes
• Late 1990s Double and add schemes
• NIZK proof schemes
• Cramer-Shoup encryption
• 2000s Signatures and identities
• 2000s Extracting the truth

3
Definitions

• Confidentiality means that an attacker cannot
  find any information about a plaintext from a
  ciphertext.
• Semantic security captures this notion.

4
Definitions

• IND-CPA is equivalent to semantic security
  Goldwasser-Micali, 1984.

5
Definitions

• Attacker wins if b b'
• Advantage of an attacker is
• Pr b b' - ½

m0
b ? 0,1 C Enc(pk,mb)
C
pk
b'
m1
6
Definitions

• IND-CCA1 security Allows access to a decryption
  oracle before the challenge ciphertext is issued
  Naor-Yung, 1990.

7
Definitions

• IND-CCA2 security Allow access to a decryption
  oracle before and after the challenge ciphertext
  is issued.
• Rackoff-Simon, 1991

8
Definitions

• Advantage of an attacker is
• Pr b b' - ½

m Dec(sk,C)
m Dec(sk,C)
C
C
m
m
(C ? C)
m0
b ? 0,1 C Enc(pk,mb)
C
pk
b'
m1
9
Definitions

• Why is this such a difficult notion of security
  to achieve?

10
Definitions

• Decryption oracle has to be consistent.
• Trivial oracle queries.

Simulated Decryption Oracle
C
m
C
m
Simulated Ciphertext
m0
C
Solution
b
Problem
pk
m1
11
Random Oracle Model

• The random oracle methodology models hash
  functions as random functions.
• Bellare-Rogaway, 1993
• Enables security proofs for very efficient
  schemes such as ECIES and RSA-OAEP.

12
Random Oracle Model

• There exists schemes that are secure in the
  random oracle model, but insecure when used with
  any hash function.
• Canetti-Goldreich-Halevi, 1998

13
Double and Add Schemes

• A series of schemes prove security by encrypting
  a message twice with a weak scheme and adding a
  checksum.
• Principle proposed by Naor and Yung.
• IND-CCA2 version of the
• scheme given in Sahai, 1999
• Checksum is NIZK proof.

14
Double and Add Schemes

• Non-interactive zero-knowledge (NIZK) proof that
  two ciphertexts encrypt the same message.

Public value s
Proof p
Message and coins
15
Double and Add Schemes

• Zero knowledge it must be possible to choose s
  in such a way that there is a trapdoor t which
  allows false proofs.

Public value s
Private value t
Proof p
Proof p
Message and coins
Any two ciphertexts
16
Double and Add Schemes

• Simulation sound it must not be possible to find
  a false proof (given only s) even if you have
  seen one false proof.

Public value s
Private value t
Proof p
Proof p
Message and coins
Any two ciphertexts
17
Double and Add Schemes
m

• Use an IND-CPA scheme (G ,E ,D ).
• Public key is (pk1,pk2,s).
• Private key is sk1.
• To decrypt
• Check proof
• Decrypt C1.

E
E
NIZK
pk1
pk2
s
C1
p
C2
18
Double and Add Schemes

• This scheme is theoretical.
• The NIZK is impractical (very long output and
  time consuming to compute).
• However, it does show that public key encryption
  exists as long as trapdoor one-way permutations
  exist.

19
Double and Add Schemes

• The Cramer-Shoup scheme was the first practical
  and provably secure scheme.
• Cramer-Shoup, 1998

20
Double and Add Schemes

• The Cramer-Shoup encryption scheme works on the
  same principles as Sahai.

• Key generation
• g, g' ? G
• x1,x2,y1,y2,z ? Zp
• h ? gz
• e ? gx1g'x2
• f ? gy1g'y2
• pk (g,g',h,e,f)
• sk (x1,x2,y1,y2,z)

• Encrypt
• r ? Zp
• a ? gr
• a' ? g'r
• c ? hr m
• v ? Hash(a,a',c)
• d ? er frv
• C (a,a',c,d)

21
Double and Add Schemes

• Start with a version of ElGamal
• ElGamal is passively secure under the DDH
  assumption.
• Publicly known, random element h ? G.

• Key generation
• z ? Zp
• g ? h1/z
• pk g
• sk z

• Encrypt
• r ? Zp
• a ? gr
• c ? hr m
• C (a,c)

22
Double and Add Schemes

• We need to encrypt twice under independent public
  keys.

• Key generation
• z, z' ? Zp
• g ? h1/z
• g' ? h1/z'
• pk (g,g')
• sk (z,z')

• Encrypt
• r, r' ? Zp
• a ? gr
• c ? hr m
• a' ? g'r'
• c' ? hr' m
• C (a,c,a',c')

23
Double and Add Schemes

• However, a paper by Bellare-Boldyreva-Staddon,
  2003 says we can reuse the random value r
  without losing security.

24
Double and Add Schemes

• However, a paper by Bellare-Boldyreva-Staddon,
  2003 says we can reuse the random value r
  without losing security.

• Key generation
• z, z' ? Zp
• g ? h1/z
• g' ? h1/z'
• pk (g,g')
• sk (z,z')

• Encrypt
• r ? Zp
• a ? gr
• c ? hr m
• a' ? g'r
• c' ? hr m
• C (a,c,a',c')

25
Double and Add Schemes

• However, now c and c' are the same value

• Key generation
• z, z' ? Zp
• g ? h1/z
• g' ? h1/z'
• pk (g,g')
• sk (z,z')

• Encrypt
• r ? Zp
• a ? gr
• c ? hr m
• a' ? g'r
• C (a,c,a')

26
Double and Add Schemes

• Now, the value z' is never used and so we can
  remove it.

• Key generation
• z ? Zp
• g ? h1/z
• g' ? G
• pk (g,g')
• sk z

• Encrypt
• r ? Zp
• a ? gr
• c ? hr m
• a' ? g'r
• C (a,c,a')

27
Double and Add Schemes

• And if we just tidy up a bit, then we get
• (Im hiding a few things here!)

• Key generation
• g, g' ? G
• z ? Zp
• h ? gz
• pk (g,g',h)
• sk z

• Encrypt
• r ? Zp
• a ? gr
• a' ? g'r
• c ? hr m
• C (a,a',c)

28
Double and Add Schemes

• However, this is over half the Cramer-Shoup
  scheme

• Key generation
• g, g' ? G
• z ? Zp
• h ? gz
• pk (g,g',h)
• sk z

• Key generation
• g, g' ? G
• x1,x2,y1,y2,z ? Zp
• h ? gz
• e ? gx1g'x2
• f ? gy1g'y2
• pk (g,g',h,e,f)
• sk (x1,x2,y1,y2,z)

29
Double and Add Schemes

• However, this is over half the Cramer-Shoup
  scheme

• Encrypt
• r ? Zp
• a ? gr
• a' ? g'r
• c ? hr m
• C (a,a',c)

• Encrypt
• r ? Zp
• a ? gr
• a' ? g'r
• c ? hr m
• v ? Hash(a,a',c)
• d ? er frv
• C (a,a',c,d)

30
Double and Add Schemes

• So this fits the Sahai mold providing d acts like
  a NIZK.
• In the proof, it is shown the d can be faked if
  you know x1,x2,y1,y2.
• In the proof, it is shown that if a gr and a'
  g'r' then the decryption algorithm will reject.

• Encrypt
• r ? Zp
• a ? gr
• a' ? g'r
• c ? hr m
• v ? Hash(a,a',c)
• d ? er frv
• C (a,a',c,d)

31
Signatures and Identites

• It is possible to turn a passively secure
  identity-based encryption scheme into a secure
  public-key encryption scheme.
• Canetti-Halevi-Katz, 2004

32
Signatures and Identites

• It is possible to turn a passively secure
  identity-based encryption scheme into a secure
  public-key encryption scheme.
• Canetti-Halevi-Katz, 2004
• A little odd that it took the development of
  identity-based encryption before we got new
  public-key encryption schemes.

33
Extracting the Truth

• Plaintext awareness is a property of an
  encryption scheme that says that the only way to
  create a valid ciphertext is to generate a
  plaintext and encrypt it.
• So, if an attacker generates a valid ciphertext,
  then it must know the underlying message.
• Hence, a decryption oracle is no help.

34
Extracting the Truth

• Its difficult to say what it means for an
  attacker (computer) to know something.
• The definitions are complex.
• All known proofs rely on the random oracle model,
  an unrealistic architecture, or suspect
  extractor assumptions.
• The subject for another lecture

35
Extracting the Truth

• The idea was first given a full formal treatment
  in Bellare-Desai-Pointcheval-Rogaway, 1998.

36
Extracting the Truth

• The idea was first given a full formal treatment
  in Bellare-Desai-Pointcheval-Rogaway, 1998.
• However, this definition could only be achieved
  in the random oracle model.

37
Extracting the Truth

• Herzog-Liskov-Micali, 2003 gave a new
  interpretation of the problem, but it needed an
  unrealistic architecture.
• The first fully satisfactory definition for
  plaintext awareness in the standard model was
  given by Bellare-Palacio, 2004

38
Extracting the Truth

• The Cramer-Shoup scheme was the first to be
  proven plaintext aware Dent, 2006
• Cramer-Shoup and Kurosawa-Desmedt hash proof
  system schemes can be shown to be plaintext
  aware Birkett-Dent.

39
Where are we now?

• Boneh-Katz, 2005 is a signature-identity scheme
  similar to the CHK transform.
• Transform efficiency overhead is minimal.
• Still requires a passively secure IBE scheme
• Hofheinz-Kiltz, 2007 mixes Cramer-Shoup and IBE
  techniques.
• 2.5 exponentiations for encryption
• 1.5 exponentiations for decryption

40
Conclusions

• None of the approaches really work
• Use the random oracle model
• Or they intrinsically require two operations
• Or they use weak extractor assumptions
• New approach is needed if were going to prove
  the ultra-high-speed schemes secure.
• Plenty missing from this presentation

41
Questions?