Slide - Cristina Onete

Download Report

Transcript Slide - Cristina Onete 

Key-Indistinguishability and Robustness.
Anonymous Encryption.
Rennes, 07/11/2014
CIDRE/
INRIA
Cristina Onete
[email protected]
 What is anonymity?
Anonymous: from “anonymos” (Greek)“, meaning “nameless”:
“without any name ackowledged, whose name is withheld. Lacking
individuality, unique character, or distinction”
English Dictionary, Dictionary.com
Anonyme/anonymat: du grec “anonymos”, ce qui veut dire “sans
nom” : se dit de quelqu’un dont on ignore le nom, la qualité de ce
qui est sans nom ou sans renommée.
Larousse, www.larousse.fr; Wikipedia, fr.wikipedia.org
Cristina Onete ||
07/11/2014
||
2
 Encryption
B
B
Amélie
Baptiste
 Security guarantees:
• Message confidentiality: ciphertext hides plaintext
𝑝𝑘
𝑐 = Enc𝑝𝑘 (𝑚)
𝑚
𝑠𝑘
Random-looking
Cristina Onete ||
07/11/2014
||
3
 Encryption
𝑚 = "𝐻𝑒𝑙𝑙𝑜 𝑤𝑜𝑟𝑙𝑑! "
Encrypted with 2048-bit RSA key
-----BEGIN PGP MESSAGE----wcBMAxDZjxP1noe7AQf+M0T6qNMgf7I2T0ADeUdwmx4J9uxGBFdptH0
RPOGbwLIeGjcKG6PZpemKCtu5iRVCfgE/iMBvE0bxMIWaesxBawBElm3R
L8PZ6ZjREWYgDfNJmazpDCraLXnSNJEFVxRkQWApUfw2QMLGf0OVMj5
CRpkd/XjHaMkNEfe+F6M2tUxuxpzdTEMGWxZ+ESrP/gACxTTy3ewm7xl
uztdXaracw7RV1UbpM4+9UPBce1kIzPn68w7uIOEZvhEGPeipLAKL8FC3J
C9+rAEbDXf+nGZiRPyFQuJn2Pz3Cv+IxZ43hDsSctjLvxUxVMNCEz3QcR
mpPXN6h5f7TTFFN2fMdRwOrdJEAdaJt3aE5I5ssJlfxJzBDH1dc8eVfH2d7
9AAUo6chn25kyGQRUvtYfto057ae5Jvl8mpipy37wZKIuKK52D57VNW1x
A==2X4l
-----END PGP MESSAGE----Cristina Onete ||
07/11/2014
||
4
 Plaintext Security
 Plaintext-hiding:
• The attacker can’t get the full plaintext
B
B
 What if the message space is small?
Cristina Onete ||
07/11/2014
||
5
 Plaintext Security
 Ciphertext Indistinguishability (IND-CCA)
B
B
1/2
?? ?
1/2
 Not even 1 bit of the message is leaked!
Cristina Onete ||
07/11/2014
||
6
 Plaintext Security
Plaintext Space
Ciphertext Space
B
Cristina Onete ||
07/11/2014
||
7
 Goal: receiver anonymity
 Make ciphertext hide the receiver
B
𝑐 = Enc𝑝𝑘 (𝑚)
Baptiste
𝑚
Amélie
Charles
?? ?
Cristina Onete ||
07/11/2014
||
8
 Contents
 Key Indistinguishability
• IK-CCA
• IND-CCA vs. IK-CCA
• IK-CCA of RSA and ElGamal-based systems
 Robustness of Encryption
• Weak and Strong Robustness
• Robustness of RSA and ElGamal
• WROB- and SROB encryption schemes
 Receiver-anonymous encryption
• Construction and limitations
 Key-(in)distinguishability
B
𝑐 = Enc𝑝𝑘 (𝑚)
Baptiste
𝑚
Amélie
Charles
 Ciphertext hides the message
 Does it also hide the recipient (the pk used for encryption)?
Not necessarily! Counterexample: take 𝑐 ≔ (𝑝𝑘, Enc𝑝𝑘 (𝑚))
Cristina Onete ||
07/11/2014
||
10
 Key-(in)distinguishability
 Goal: ciphertext hides the key under which it was created
B
B C
B
?? ?
B
1/2
1/2
C
 IK-CCA: Can’t tell whether it was one key or the other
Cristina Onete ||
07/11/2014
||
11
 IND-CCA, but not IK-CCA
Plaintext Space
Ciphertext Space
B
C
Cristina Onete ||
07/11/2014
||
12
 IND-CCA and IK-CCA
Plaintext Space
Ciphertext Space
B
C
Cristina Onete ||
07/11/2014
||
13
 RSA is not IK-CCA
 Textbook RSA:
• Key Generation:
Primes 𝑝, 𝑞 of size 𝑙. Define 𝑁 = 𝑝𝑞, 𝜑 𝑁 = (𝑝 − 1)(𝑞 − 1)
Public key: choose 𝑒 s.t. 𝐺𝐶𝐷 𝑒, 𝜑 𝑁
= 1. Now 𝑝𝑘 = (𝑁, 𝑒)
Secret key: find inverse 𝑑 of 𝑒: 𝑑𝑒 = 1 𝑚𝑜𝑑 𝜑 𝑁 . Now 𝑠𝑘 = 𝑑
• Encryption (using pk = (e, N)):
𝑐 ≔ 𝐸𝑛𝑐𝑝𝑘 𝑚 = 𝑚𝑒 (𝑚𝑜𝑑 𝑁)
• Decryption (using sk = d):
𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝑐 = 𝑐 𝑑 (𝑚𝑜𝑑 𝑁)
Cristina Onete ||
07/11/2014
||
14
 RSA is not IK-CCA
 Case I: Moduli of different length
• 𝑝𝑘1 = (𝑁1 , 𝑒1 ) , with length 𝑁1 = 𝑙1 (say 512 bits)
• 𝑝𝑘2 = (𝑁2 , 𝑒2 ) , with length 𝑁2 = 𝑙2 (say 1024 bits)
• 𝑇ℎ𝑒𝑛 𝑎𝑛 𝑒𝑛𝑐𝑟𝑦𝑝𝑡𝑖𝑜𝑛 𝑢𝑛𝑑𝑒𝑟 𝑝𝑘1 𝑤𝑖𝑙𝑙 𝑏𝑒 512 𝑏𝑖𝑡𝑠, 𝑤ℎ𝑖𝑙𝑒 𝑎𝑛 𝑒𝑛 −
𝑐𝑟𝑦𝑝𝑡𝑖𝑜𝑛 𝑢𝑛𝑑𝑒𝑟 𝑝𝑘2 𝑤𝑖𝑙𝑙 𝑏𝑒 1024 𝑏𝑖𝑡𝑠 𝑙𝑜𝑛𝑔
• When Adv. gives a message m and the two pk’s, she
just needs to look at the length of the outcome
Cristina Onete ||
07/11/2014
||
15
 RSA is not IK-CCA
 Case II: Moduli of same length
• 𝑝𝑘1 = (𝑁1 , 𝑒1 )
• 𝑝𝑘2 = (𝑁2 , 𝑒2 )
• Let 𝑁1 > 𝑁2
• 𝑇ℎ𝑒𝑛 𝑎𝑛 𝑒𝑛𝑐𝑟𝑦𝑝𝑡𝑖𝑜𝑛 𝑢𝑛𝑑𝑒𝑟 𝑝𝑘2 𝑤𝑖𝑙𝑙 𝑏𝑒 𝑠𝑚𝑎𝑙𝑙𝑒𝑟 𝑡ℎ𝑎𝑛 𝑁2 , 𝑤ℎ𝑖𝑙𝑒
𝑎𝑛 𝑒𝑛𝑐𝑟𝑦𝑝𝑡𝑖𝑜𝑛 𝑢𝑛𝑑𝑒𝑟 𝑝𝑘1 𝑐𝑎𝑛 𝑏𝑒 𝑙𝑎𝑟𝑔𝑒𝑟 𝑡ℎ𝑎𝑛 𝑁2
• Because the encryption of any message m has to
cover the output space well:
Prob 𝐸𝑛𝑐𝑝𝑘1 𝑚 > 𝑁2 is significant
Cristina Onete ||
07/11/2014
||
16
 ElGamal is IK-CCA
 Textbook ElGamal:
• Key Generation:
Prime 𝑞 of size 𝑙 s.t. 2q + 1 also prime. Let G𝑞 = < 𝑔 >
Secret key: choose 𝑠𝑘 ∈ {1, … 𝑞 − 1}.
Public key: 𝑝𝑘 = 𝑔 𝑠𝑘 (𝑚𝑜𝑑 𝑞)
• Encryption:
Choose random 𝑟 ∈ {1, … , 𝑞 − 1}. Set 𝑐1 ≔ 𝑔𝑟 (𝑚𝑜𝑑 𝑞)
Set 𝑐2 ≔ 𝑚 𝑝𝑘 𝑟 (𝑚𝑜𝑑 𝑞).
Send: 𝑐 = (𝑐1 , 𝑐2 )
• Decryption:
Compute: 𝑚 = 𝑐2 / 𝑐1𝑠𝑘 (𝑚𝑜𝑑 𝑞)
Cristina Onete ||
07/11/2014
||
17
 ElGamal is IK-CCA
 Intuition:
• All pk’s in the same group
• All ciphertexts are of the same length and format
• Given 𝑝𝑘1 , the encryption of 𝑚 is:
𝑟
𝑐 = (𝑔𝑟1 , 𝑚 𝑝𝑘11 )
• Given 𝑝𝑘2 , the encryption of 𝑚 is:
𝑟
𝑐 = (𝑔𝑟2 , 𝑚 𝑝𝑘22 )
• Output is identically distributed
Cristina Onete ||
07/11/2014
||
18
 Contents
 Key Indistinguishability
• IK-CCA
• IND-CCA vs. IK-CCA
• IK-CCA of RSA and ElGamal-based systems
 Robustness of Encryption
• Weak and Strong Robustness
• Robustness of RSA and ElGamal
• WROB- and SROB encryption schemes
 Receiver-anonymous encryption
• Construction and limitations
 Weak and Strong Robustness
 What happens if we get someone else’s ciphertext?
• Theory: you can’t decrypt it
• Security: you can’t recover the message
• Practice: you’ll recover a nonsense message
B
Baptiste
Charles
 Robustness: can’t decrypt other ciphertexts
Cristina Onete ||
07/11/2014
||
20
 Why do we care?
 Our goal: receiver anonymity
B
𝑐 = Enc𝑝𝑘 (𝑚)
Baptiste
𝑚
Amélie
Charles
?? ?
Cristina Onete ||
07/11/2014
||
21
 Why do we care?
 Setting:
• Amélie wants to send 𝑚 to Baptiste anonymously
• She encrypts 𝑚 under Baptiste’s public key, then
broadcasts the ciphertext to multiple receivers
• How do the receivers know whether the ciphertext
was for them or not?
 Robust encryption:
• If 𝑚 was encrypted for someone else, the ciphertext
decrypts to an error symbol
Cristina Onete ||
07/11/2014
||
22
 Weak Robustness
 Honestly encrypted ciphertext is robust
B
B C
B
Cristina Onete ||
07/11/2014
||
23
 Strong Robustness
 Adversary-chosen ciphertext is robust
B
B C
B
At most 1 decryption
Cristina Onete ||
07/11/2014
||
24
 RSA and ElGamal not robust
RSA Encryption
 Encryption
 Encryption
𝑐 ≔ 𝐸𝑛𝑐𝑝𝑘 𝑚 = 𝑚𝑒 (𝑚𝑜𝑑 𝑁)
 Decryption (with 𝑑)
𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝑐 = 𝑐 𝑑 (𝑚𝑜𝑑 𝑁)
 Decryption (with 𝑑′)
′
ElGamal Encryption
′
𝑐 𝑑 𝑚𝑜𝑑 𝑁 = 𝑚𝑒𝑑 𝑚𝑜𝑑 𝑁
= 𝑚′
𝑐 = 𝑐1 , 𝑐2 = (𝑔𝑟 , 𝑚 𝑝𝑘 𝑟 )
 Decryption (with 𝑠𝑘)
𝑚 = 𝑐2 𝑐1𝑠𝑘 (𝑚𝑜𝑑 𝑞)
 Decryption (with 𝑠𝑘′)
𝑐2 / 𝑐1𝑠𝑘
′
𝑚𝑜𝑑 𝑞 = 𝑚 𝑔 𝑠𝑘 𝑟 /𝑔𝑟 𝑠𝑘
= 𝑚 𝑔𝑟(𝑠𝑘 − 𝑠𝑘
;
′)
= 𝑚′
Cristina Onete ||
07/11/2014
||
25
 Strongly Robust Encryption
 Modified Cramer-Shoup (finite fields)
• Setting: cyclic group G𝑞 of prime order 𝑞
two generators 𝑔1 and 𝑔2 of G𝑞
choose random 𝐾 ←𝑅 Keys𝐻𝑎𝑠ℎ
• Key generation: pick 𝒙𝟏 , 𝒙𝟐 , 𝒚𝟏 , 𝒚𝟐 , 𝒛𝟏 , 𝒛𝟐 ←𝑅 {0 … 𝑞 − 1}
𝑥
𝑥
𝑦
𝑦
𝑧
𝑧
set 𝒆 = 𝑔1 1 𝑔2 2 , 𝒇 = 𝑔1 1 𝑔2 2 , 𝒉 = 𝑔1 1 𝑔22
• Encrypt 𝑀: pick 𝑢 ←𝑅 {1 … 𝑞 − 1}, set 𝒂𝟏 ≔ 𝑔1𝑢 , 𝒂𝟐 ≔ 𝑔2𝑢
set 𝒄 ≔ 𝑀 ℎ𝑢 , 𝑣 ≔ 𝐻(𝐾; 𝑎1 𝑎2 𝑐), 𝒅 ≔ 𝑒 𝑢 𝑓 𝑢𝑣
−𝑧
−𝑧2
• Decrypt (𝑎1 , 𝑎2 , 𝑐, 𝑑): do 𝑣 = 𝐻(𝐾; 𝑎1 𝑎2 𝑐), 𝑀 = 𝑐 𝑎1 1 𝑎2
𝑥 +𝑣 𝑦1 𝑥2 +𝑣 𝑦2
𝑎2
if 𝑎1 ≠ 1 or 𝑑 ≠ 𝑎1 1
Cristina Onete ||
set 𝑀 = ∎
07/11/2014
||
26
 Contents
 Key Indistinguishability
• IK-CCA
• IND-CCA vs. IK-CCA
• IK-CCA of RSA and ElGamal-based systems
 Robustness of Encryption
• Weak and Strong Robustness
• Robustness of RSA and ElGamal
• WROB- and SROB encryption schemes
 Receiver-anonymous encryption
• Construction and limitations
 Receiver-anonymous encryption
 Our goal: receiver anonymity
B
𝑐 = Enc𝑝𝑘 (𝑚)
Baptiste
𝑚
Amélie
Charles
?? ?
Cristina Onete ||
07/11/2014
||
28
 Construction & Limitations
 Use IK-CCA and SROB encryption
• Adversary won’t know whom a ciphertext is for
B
𝑐 = Enc𝑝𝑘 (𝑚)
Baptiste
𝑚
Amélie
?? ?
Charles
Cristina Onete ||
07/11/2014
||
29
 Construction & Limitations
 Use IK-CCA and SROB encryption
• What if the adversary waits for an answer?
B
𝑐 = Enc𝑝𝑘 (𝑚)
Baptiste
𝑚
Amélie
Charles
Cristina Onete ||
07/11/2014
||
30
 Constructions & Limitations
 Use “onion” routing – use routers to encrypt and
send messages between sender and receiver
Source: cdn.arstechnica.net
Cristina Onete ||
07/11/2014
||
31
 MRI students: papers
• Karame, Androulaki, Capkun: “Two Bitcoins at the
Price of One? Double-spending attacks on fast payments in Bitcoin”
https://eprint.iacr.org/2012/248.pdf
• Burmester, Desmedt: “A Secure and Efficient Conference Key Distribution System”
http://www.cs.fsu.edu/~langley/Eurocrypt/euro-pre.pdf
• Sarkar, Fitzgerald: “Attacks on SSL. A comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY
13 & RC4 biases”
https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf
Cristina Onete ||
07/11/2014
||
32
 MRI students: papers
• BSI: “Advanced Security Mechanisms for MachineReadable Travel Documents – Part 2”
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publ
ications/TechGuidelines/TR03110/TR03110_v2.1_P2pdf.pdf;jsessionid=A06695D3F0DCA020B98B4
CAC8946CD13.2_cid294?__blob=publicationFile
• Bordes: “BitLocker”
https://www.sstic.org/media/SSTIC2011/SSTICactes/bitlocker/SSTIC2011-Article-bitlocker-bordes.pdf
• Fluhrer, Matin, Shamir: “Weaknesses in the Key Scheduling Algorithm of RC4”
http://merlot.usc.edu/cs531-s11/papers/Fluhrer01a.pdf
Cristina Onete ||
07/11/2014
||
33
 MRI students: papers
• Montalvo, Defrance, Lefebvre, Le Scouarnec, Pérez:
“Système de stockage-en-ligne avec confidentialité des
données personnelles”
https://www.sstic.org/media/SSTIC2011/SSTIC-actes/
systeme_de_stockage-en-ligne_de_photos_avec_confid/
SSTIC2011-Article-systeme_de_stockage-en-ligne_de_photos_
avec_confidentialite_des_donnees_personnelles-montalvo.pdf
• Marechal: “État de l’art sur le cassage de mots de
passe”
https://www.sstic.org/media/SSTIC2007/SSTICactes/Etat_de_l_art_cassage_de_mots_de_passe/SSTIC2007Article-Etat_de_l_art_cassage_de_mots_de_passe-marechal.pdf
Cristina Onete ||
07/11/2014
||
34
 MRI students: papers
• Shi, Chan, Stefanov, Li: “Oblivious RAM with O((log
N)3) Worse-Case Cost”
https://eprint.iacr.org/2011/407.pdf
• Curtmola, Garay, Kamara, Ostrovsky: “Searchable
Symmetric Encryption: Improved Definitions and
Efficient Constructions”
http://eprint.iacr.org/2006/210.pdf
• Dodis, Pointcheval, Ruhault, Vergnaud, Wichs: “Security Analysis of Pseudo-Random Number Generators
with Input: /dev/random is not robust”
https://eprint.iacr.org/2013/338.pdf
Cristina Onete ||
07/11/2014
||
35
 MRI students: papers
• Bellare, Paterson, Rogaway: “Security of Symmetric
Encryption against Mass Surveillance”
https://eprint.iacr.org/2014/438.pdf
Cristina Onete ||
07/11/2014
||
36
Thanks!
CIDRE/
INRIA