Public-key Encryption in a Multi


An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem
Mihir Bellare  Alexandra Boldyreva  Adriana Palacio
University of California at San Diego
The Random-Oracle (RO) model [BR93]
[Figure: AE_pk(M) queries a to oracle H and receives h = H(a), and queries b to oracle G and receives g = G(b); the adversary A has the same oracle access to H and G.]
• Algorithms of the scheme, as well as the
adversary have oracle access to random functions.
• Very popular: there are numerous schemes
designed and proven secure in this model.
Moving to the real world
However, the RO model is an idealized
setting.
To get a real-world scheme we must
instantiate the ROs with real functions.
Instantiation of this scheme via SHA1
[Figure: the same AE_pk(M), now computing h = SHA1(a) and g = SHA1(b) in place of the oracle calls.]
Instantiation: more generally
Let F1, F2 be poly-time computable families of functions
[Figure: AE_(pk,L1,L2)(M) computes h = F1_L1(a) and g = F2_L2(b), where L1, L2 index the members F1_L1, F2_L2 of the two families.]
Security of instantiated schemes
RO model thesis: If a scheme is proven secure
in the RO model, then it remains secure under a
suitable instantiation.
Question: Is this true?
Answer: No.
Past work has shown the existence of
uninstantiable schemes.
Uninstantiable schemes
Definition. A scheme is uninstantiable (with respect
to some cryptographic goal) if
1. The scheme satisfies the goal in the RO model
2. No instantiation satisfies the goal in the
standard model
Examples of uninstantiable schemes
Who                        | Goals                                                              | Schemes
Canetti, Goldreich, Halevi | IND-CPA encryption, UF-CMA signatures (practical) +                | Complex, artificial −
Nielsen                    | Non-interactive, non-committing encryption (not very practical) −  | Simple, natural +
Goldwasser, Tauman         | Signatures via Fiat-Shamir heuristic (practical) +                 | Complex, artificial −
Reaction
OK, but “in practice”, the RO model thesis is true.
Practical RO model thesis: The RO model thesis holds for “natural, practical” schemes for “practical” goals.
Our work
We present a RO model scheme that
• is simple and natural, and resembles existing RO model schemes.
• is for a practical security goal.
• but is uninstantiable.
Caveats and impact
• Our result does have artificial aspects, as we will see, and should not be taken to indicate that the practical RO model thesis is false.
• But it shows that uninstantiable schemes arise in more practical situations than indicated by previous work.
Plan
• The goal
• The scheme
• The positive result
• The negative result
• Conclusions
Classical view of asymmetric encryption usage
AS = (AK,AE,AD)
[Figure: the Sender encrypts message M under the Receiver R's public key pkR, C = AE_pkR(M); R recovers M from C using its secret key skR.]
In practice: hybrid approach
SS = (SK,SE,SD), AS = (AK,AE,AD)
[Figure: the Sender runs SK to pick a symmetric key K, sends C0 = AE_pkR(K), and then sends Ci = SE_K(Mi) for each message Mi, i = 1..n; Receiver R recovers K from C0 using skR and decrypts each Ci under K.]
AS + SS = Multi-Message (MM) Hybrid (AS,SS)
Goal: IND-CCA-secure MM-Hybrid Encryption
We can define, in a natural way, IND-CCA security
for an MM-hybrid scheme (AS,SS).
Certainly, a necessary condition for IND-CCA
security of an MM-hybrid (AS,SS) is IND-CCA
security of SS.
But what do we need from the asymmetric
encryption scheme AS?
Easy theorem:
IND-CCA AS
+ Any IND-CCA SS
= IND-CCA MM-hybrid (AS,SS)
However, the above could be true even if AS
satisfies a weaker condition than IND-CCA.
IND-CCA-preserving asymmetric schemes
What emerges: A new notion of security for
asymmetric encryption schemes.
Definition: An asymmetric encryption scheme AS is
IND-CCA-preserving if
AS + Any IND-CCA SS = IND-CCA MM-hybrid (AS,SS)
Why IND-CCA-preserving schemes?
For asymmetric schemes, IND-CCA is the stronger notion and IND-CCA-preserving the weaker notion.
In particular, an IND-CCA-preserving scheme need not even be randomized, since it is used to encrypt random keys.
The hope: IND-CCA-preserving schemes more efficient than existing IND-CCA ones.
The benefit: Security of encryption in practice at lower cost.
Summary
Our goal: IND-CCA preserving
asymmetric encryption
Plan
• The goal
• The scheme
• The positive result
• The negative result
• Conclusions
Hash ElGamal RO model asymmetric encryption scheme HEG = (AK,AE,AD)
pk = (k,q,g,X=g^x), sk = (k,q,g,x), where q, 2q+1 are primes and g has order q in Z*_{2q+1}
H: {0,1}^k → Z_q,  G: Z*_{2q+1} → {0,1}^k
AE^{H,G}_(k,q,g,X)(K):  r ← H(K);  P ← G(X^r);  Return (g^r, P ⊕ K)
AD^{H,G}_(k,q,g,x)(Y,W):  K ← G(Y^x) ⊕ W;  If g^{H(K)} = Y then Return K else Reject
Note. HEG is deterministic and thus not even IND-CPA!
Plan
• The goal
• The scheme
• The positive result
• The negative result
• Conclusions
Security of Hash ElGamal
Theorem 1. Under the Computational Diffie-Hellman assumption (CDH), HEG is IND-CCA-preserving in the RO model.
HEG + Any IND-CCA SS = IND-CCA MM-hybrid (HEG,SS)
HEG is similar to existing schemes GEM,
GEM1, GEM2, FO, REACT…
Something almost identical (but
randomized) appeared in [BaLeKi00].
Plan
• The goal
• The scheme
• The positive result
• The negative result
• Conclusions
Now, the interesting stuff
Theorem 2 . No instantiation of HEG is
IND-CCA-preserving in the standard model.
I.e. it is IND-CCA preserving in the
RO model, but no standard model
implementation of it is IND-CCA
preserving?
Right! More precisely…
Security of HEG instantiations
Let F1, F2 be poly-time computable families of functions
AE_(k,q,g,X,L1,L2)(K):  r ← F1_L1(K);  P ← F2_L2(X^r);  Return (g^r, P ⊕ K)
Theorem 2. For any F1, F2 the above standard model asymmetric encryption scheme is not IND-CCA-preserving.
A caveat
• Proof of Theorem 2 shows that for every F1, F2 (poly-time families of functions) THERE EXISTS SS such that (HEG,SS) is not an IND-CCA secure MM-hybrid.
• But SS is an artificial scheme, depending on F1, F2.
• Theorem 2 does not imply that e.g. (HEG, CBC-type SS) is insecure.
• So although HEG is simple and natural, there is some artificiality under the rug.
However, we still believe the result is valuable because we have
• A practical goal: IND-CCA-preserving encryption
• A simple, natural scheme resembling existing RO schemes: HEG.
• Yet HEG is uninstantiable: its real-world implementation loses the security property.
• And HEG is innocuous looking; one would not suspect any anomalies in advance.
About the proof of Theorem 2
Let HEG-bar be ANY instantiation of HEG via poly-time computable families of functions.
We present a symmetric encryption scheme SS=(SK,SE,SD) such that
1. SS is IND-CCA secure
2. (HEG-bar,SS) is not IND-CCA secure
Key and ciphertext verifiability
• Def. An asymmetric encryption scheme is key-verifiable if there is a poly-time algorithm KV with KV(pk) = 1 if pk is a valid public key, and 0 otherwise.
• Def. An asymmetric encryption scheme is ciphertext-verifiable if there is a poly-time algorithm CV with CV(pk,M,C) = 1 if C is a valid encryption of M under pk, and 0 otherwise.
• Claim. Any instantiation HEG-bar of HEG is key- and ciphertext-verifiable.
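As an added example (not from the paper or the slides), here is a Python instantiation of HEG with SHA-256 standing in for the oracles H and G, over a constructed toy safe-prime group, together with the KV and CV algorithms of the claim above. It shows why any instantiation is ciphertext-verifiable: AE is deterministic, so CV just re-encrypts and compares. The group constants, the 128-bit key length and the function names are assumptions of this demo.

```python
import hashlib

# Toy safe-prime group, constructed for this demo: q and p = 2q+1 are both prime,
# and g = 4 is a square mod p, so it generates the order-q subgroup of Z*_p.
Q, P, GEN = 1019, 2039, 4
K_BYTES = 16  # k = 128: symmetric keys are 16 bytes

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def H(K, q):
    """H: {0,1}^k -> Z_q, instantiated with SHA-256 (the slides use SHA1)."""
    return int.from_bytes(hashlib.sha256(b"H" + K).digest(), "big") % q

def G(Z, p):
    """G: Z*_p -> {0,1}^k, instantiated with SHA-256 truncated to k bits."""
    zb = Z.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"G" + zb).digest()[:K_BYTES]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def AK(x):
    """Key generation; the secret exponent x in Z_q is passed in to keep the demo deterministic."""
    return (P, Q, GEN, pow(GEN, x, P)), (P, Q, GEN, x)

def AE(pk, K):
    """Deterministic Hash ElGamal encryption of a k-bit symmetric key K."""
    p, q, g, X = pk
    r = H(K, q)                      # r <- H(K): the "randomness" comes from the key itself
    Pm = G(pow(X, r, p), p)          # P <- G(X^r), the one-time pad for K
    return pow(g, r, p), xor(Pm, K)  # (g^r, P xor K)

def AD(sk, C):
    """Decryption; returns None (Reject) when the re-derived r does not explain Y."""
    p, q, g, x = sk
    Y, W = C
    K = xor(G(pow(Y, x, p), p), W)  # K <- G(Y^x) xor W
    return K if pow(g, H(K, q), p) == Y else None

def KV(pk):
    """Key verifiability: p = 2q+1 must be a safe prime and g, X must lie in the order-q subgroup."""
    p, q, g, X = pk
    return (p == 2 * q + 1 and _is_prime(q) and _is_prime(p) and 1 < g < p
            and pow(g, q, p) == 1 and 1 <= X < p and pow(X, q, p) == 1)

def CV(pk, K, C):
    """Ciphertext verifiability: AE is deterministic, so re-encrypt K and compare."""
    return KV(pk) and AE(pk, K) == C
```

The SS construction on the next slide uses exactly these KV and CV checks to decide the trailing 0/1 bit it appends to each ciphertext.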
SS construction for Proof of Theorem 2
Let SS’=(SK’,SE’,SD’) be any IND-CCA symmetric scheme.
SK(1^k):  K1 ← SK’(1^{k/2});  K2 ← {0,1}^{k/2};  Return K1||K2
SE_{K1||K2}(M):  C’ ← SE’_{K2}(M);  Parse M as M1||M2;  If M1 is a valid pk for HEG-bar and M2 is a valid HEG-bar ciphertext of K1||K2 under pk then Return C’||0 else Return C’||1
(Sound operations since HEG-bar is key- and ciphertext-verifiable.)
• We show that SS is IND-CCA.
• In order to show that (HEG-bar,SS) is not IND-CCA we use the fact that HEG-bar is key- and ciphertext-verifiable. The details are in the paper.
• In general: no key- and ciphertext-verifiable scheme is IND-CCA-preserving.
Plan
• The goal
• The scheme
• The positive result
• The negative result
• Conclusions
Conclusions
• We presented a simple uninstantiable
scheme for a practical goal
• We do not suggest one abandon the RO
model.
• We do suggest that designers of RO
model schemes pay more attention to the
question of instantiation, which is usually
entirely neglected.
• Our example shows that uninstantiable schemes really come up.
Thank you!