Encryption from the Diffie-Hellman assumption. Eike Kiltz

Transcription

1 Encryption from the Diffie-Hellman assumption Eike Kiltz

2 Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH) MQV active security Hybrid ElGamal (ECIES) active security

3 Security of Hybrid ElGamal Only few people know Breaking Solving strong Hybrid ElGamal Diffie-Hellman problem in CCA (active) Even in the random-oracle model! Problem 1: Strong DH problem? Computational Diffie-Hellman (CDH) given access to Decisional Diffie-Hellman (DDH) oracle Interactive assumption (or pairings) Problem 2: Random oracle model?

4 This talk: Encryption from standard Diffie-Hellman assumptions Twin Hybrid ElGamal encryption Security from (standard) CDH problem in the ROM Simple and generic trick Encryption without ROM (if time) Based on Hashed DDH DH Key-agreement: same picture!

5 More generally HK07 PKE (HDDH) Twin ElGamal (DH) Waters IBE (DH) Hybrid ElGamal (Strong DH) BB short signatures (strong q-bdhi) Gentry s IBE, (q-babbxyz) weaker assumptions/model stronger

6 ElGamal encryption

7 Security? Indistinguishability (IND-CPA): Ciphertexts do not reveal any information about plaintext. Indistinguishability against chosen-ciphertext attacks (IND-CCA): As IND-CPA, but the adversary is allowed to ask arbitrary decryption queries.

8 Diffie-Hellman Assumptions G = prime-order group, g = generator DH g (g x,g y ) := g xy Diffie-Hellman Assumption Given g,x,y, computing DH g (X,Y) is hard Diffie-Hellman predicate DHP g (X,Y,Z) := DH g (X,Y) = Z {0,1}

9 Hybrid ElGamal Encryption Alice wants to encrypt M to Bob Alice pick random y Y = g y, K = H(Y, X y ) c = K M K = H(Y, Y x ) M = K -1 c Bob PK: X=g x SK: x

10 Security of ElGamal Assume H is random oracle Then: Hybrid ElGamal IND-CPA secure Diffie-Hellman assumption But not IND-CCA secure!

11 Hybrid ElGamal Encryption Alice wants to encrypt M to Bob Alice pick random y Y = g y, K = H(Y, X y ) c = E K (M) H: G {0,1} k hash function K = H(Y, Y x ) M = D K (c) (E,D) is symmetric cipher (AES) Bob PK: X=g x SK: x

12 Hybrid ElGamal Encryption pk: X=g x, H (random IND-CCA oracle), security? sk: x Encrypt(pk,M): pick random y Y=g y, K=H(Y,X y ), c=e K (M) Ciphertext is (Y,c) Decrypt(sk,(Y,c)): K=H(Y,Y x ), M=D K (c)

13 What a decryption query reveals (Y,Z) G 2 DHP g (X,Y,Z)=? G = prime-order group, g = generator CCA adversary pick random M c :=E H(Z) (M) conclude: Y x = Z M =M PK=X Dec(Y, c) M CCA experiment SK: x PK: X =g x K = H(Y x ) M = D K (c)

14 Security under DH? PK = (g,x) one decryption query reveals DHP g (X,Y,Z) for arbitrary tuples (Y,Z) G 2 No IND-CCA security under DH Stronger assumption: strong DH assumption

15 Hierarchy of DH assumptions Diffie-Hellman (DH) Assumption Given g,x,y, computing DH g (X,Y) is hard Strong Diffie-Hellman (SDH) Assumption Given g,x,y, computing DH g (X,Y) with access to DHP g (X,.,.) oracle is hard (Gap Diffie-Hellman Assumption) DH g (X,Y) with access to DHP g (.,.,.) oracle is hard Assumptions: strong Strong/Gap DH weak DLP/DH well-studied un-studied

16 Security of Hybrid ElGamal Assume H is random oracle (E,D) is CCA secure symmetric cipher Then: Hybrid ElGamal CCA secure [ABR01] Strong Diffie-Hellman assumption

17 Twin ElGamal (Cash, K., Shoup 08) Encryption from Diffie-Hellman CRYPTO 2007

18 Twinning Diffie-Hellman Twin Diffie-Hellman Assumption (2DH) Strong 2DH Assumption (interactive) Theorem: strong is weak: DH Strong 2DH Applications: Twin ElGamal Twin Diffie-Hellman Key-exchange Twin Boneh-Franklin IBE,

19 Twin Diffie-Hellman Assumption 2DH g (X1,X2,Y) := ( DH g (X1,Y), DH g (X2,Y) ) Twin Diffie-Hellman Assumption (2DH): Given X1,X2,Y computing 2DH g (X1,X2,Y) is hard 2DHP g (X1,X2,U,V 1,V 2 ) := 2DH g (X1,X2,U) = (V 1,V 2 ) Strong 2DH assumption: Given X1,X2,Y computing 2DH g (X1,X2,Y) is hard even given access to 2DHP g (X1,X2,.,.,.) oracle

20 DH strong 2DH Theorem: DH assumption holds if and only if strong 2DH assumption holds clear :

21 Proof: DH strong 2DH DH adversary pick random r, s. X2 := g r X1 s (X1,Y) (X1,X2,Y) strong 2DH (Z 1,Z 2 ) Z adversary 1 (U,V 1,V 2 ) 2DHP g (X1,X2,U,V 1,V 2 ) = U x1 =V 1 U x2 =V 2 How to simulate 2DHP queries without knowing secret x1=log g (X1),x2=log g (X2)? = DH g (X1,Y)

22 Correct answer 2DH Oracle Simulation 2DHP(X1,X2,U,V 1,V 2 ) = 1 2DH g (X1,X2,U)=(V 1,V 2 ) Idea: simulated answer U x1 =V 1 and U x2 =V 2 SIM(X1,X2,U,V 1,V 2 ) = 1 U r V 1s =V 2 Trapdoor lemma: Conditioned on any fixed X2 = g r X1 s : 2DHP = SIM with prob. 1-1/ G (over r,s).

23 Proof of Trapdoor Lemma 2DHP(X1,X2,U,V 1,V 2 ): U x1 = V 1 and U x2 = V 2 SIM (X1,X2,U,V 1,V 2 ): U r V 1 s = V 2 where X2 := g r X1 s (x2 = r+x1s) If 2DHP outputs 1: V 2 = U x2 = U r +x1 s = U r V 1 s SIM outputs 1

24 Proof of Trapdoor Lemma 2DHP(X1,X2,U,V 1,V 2 ): U x1 = V 1 and U x2 = V 2 SIM (X1,X2,U,V 1,V 2 ): U r V 1 s = V 2 where X2 := g r X1 s (x2 = r+x1s) If 2DHP outputs 0: case 1: U x2 = V 2 and U x1 V 1 V 2 = U x2 = U r +x1 s U r V 1 s SIM outputs 0

25 Proof of Trapdoor Lemma 2DHP(X1,X2,U,V 1,V 2 ): U x1 = V 1 and U x2 = V 2 SIM (X1,X2,U,V 1,V 2 ): U r V 1 s = V 2 where X2 := g r X1 s (x2 = r+x1s) If 2DHP outputs 0: case 2: U x2 V 2 V 2 = U r V s 1 (V 2 /U x2 ) 1/s =V 1 /U x1 1 SIM outputs 0 with prob 1-1/ G

26 Trapdoor lemma: simulation almost perfect! Proof: DH strong 2DH AdvDH AdvS2DH Q/ G (Q = #2DHP adversary queries) q.e.d. pick random r, s. X2 := g r X1 s (X1,Y) (X1,X2,Y) strong 2DH (Z 1,Z 2 ) Z adversary 1 = DH g (X1,Y) (U,V 1,V 2 ) 2DHP g (X1,X2,U,V 1,V 2 ) := U r V 1s =V 2

27 Hybrid ElGamal scheme Secret key: x1, x2 Public key: X1=g x1, X2=g x2, H (r.o.) Encrypt: Y=g y, K=H(Y, X1 y, X2 y ), c=e K (M) Ciphertext is (Y,c) G {0,1} M Decrypt: K=H(Y, Y x1,y x2 ), M=D K (c)

28 Twin Hybrid ElGamal scheme Secret key: x1, x2 Public key: X1=g x1, X2=g x2, H (r.o.) Encrypt: Y=g y, K=H(Y, X1 y, X2 y ), c=e K (M) Ciphertext is (Y,c) G {0,1} M Decrypt: K=H(Y, Y x1,y x2 ), M=D K (c)

29 Security of Twin Hybrid ElGamal Assume H is random oracle (E,D) is CCA secure symmetric cipher Then: Twin ElGamal CCA secure same as [ABR01] Strong Twin Diffie- Hellman assumption Diffie-Hellman assumption

30 Efficiency? Key Size (pk, sk) Encrypt Decrypt Assumption ElGamal (1,1) 2 exp 1 exp Strong DH Twin ElGamal (2,2) 3 exp 1 exp DH

31 More applications of twinning.

32 Twinning Boneh and Franklin Strong Bilinear DH (BDH) assumption: Boneh-Franklin IBE [BF01] is CCA secure [LQ05] Theorem: Strong 2BDH assumption BDH Twin Boneh-Franklin: redundancy-free IBE CCA security BDH assumption Also works for Kasahara-Sakai [KS01],

33 More twinning Non-interactive key exchange [DH76] PAKE [AP05, ] Diffie-Hellman self-corrector [Shoup01] More generally: Technique to upgrade schemes based on strong DH type assumption to schemes based on DH type assumption

34 Discussion: ROM Proofs for (Twin) ElGamal are in ROM ROM is not sound [CGH98] OAEP/RSA-FDH provable unprovable [DOP05,B07,KP09, ] Cramer-Shoup, Security based on Decisional Diffie-Hellman assumption (DDH) CDH in the ROM vs. DDH in the SM????

35 Alternatives to CS/KD? Cash, K., Shoup 08: Standard-model encryption from CDH Impractical (uses Goldreich-Levin) Hofheinz, K. 09: Practical standard-model encryption from Factoring Hofheinz-K. 07 Standard-model encryption from Hashed DDH DDH Hashed DDH CDH Relatively practical

36 Decision DH Assumptions Decision DH Assumption (DDH): Distinguishing (X,Y,DH g (X,Y)) from (X,Y,Z) is hard Hashed Decision DH Assumption (HDDH): H : G {0,1} n = hash function Distinguishing ( X,Y,H(DH g (X,Y)) ) from ( X,Y,Z ) is hard Remarks: DDH Hashed DDH CDH if H is a RO: CDH = HDDH

37 HK 07 encryption Secret key: Public key: Encrypt: Decrypt: x1, x2, w Z=g z, X1=g x1, X2=g x2 Y 1 =g y, Y 2 =(X1 [Y 1] X2) y, K=H(Z y ), c=e K (M) Ciphertext is (Y 1, Y 2, c) Reject if Y 2 K=H(Y 1z ), M=D K (c) Y 1 x1 [y 1 ] + x2 [Y1] = binary repr. of Y 1

38 Security of HK07 Assume (E,D) is authenticated symmetric encryption Then: HK07 CCA secure Hashed Diffie-Hellman assumption

39 Efficiency? Key Size (pk, sk) Encrypt Decrypt Assumption Ciphertext overhead ElGamal (1,1) 2 exp 1 exp SDH (RO) G +mac Twin ElGamal (2,2) 3 exp 1 exp DH (RO) G +mac HK07 (2,2) 3 exp 1 exp HDDH (SM) 2 G +mac

40 Conclusions Standard ECC system: Hybrid ElGamal (ECIES) IND-CCA security Strong DH assumption (ROM) Alternative 1: Hybrid Twin ElGamal IND-CCA security DH assumption (ROM) Price: one exp. in encryption + one element in PK Alternative 2: HK 07 encryption IND-CCA security HDDH assumption (standard model) CDH assumption (ROM) Price: one more element in ciphertext

41 Open problems: from strong to weak Twin ElGamal DH HK07 PKE HDDH Sigs w/o ROM from DLP, CDH, factoring,.? Hybrid ElGamal Strong DH BB short signatures strong q-bdhi Gentry s IBE q-abbxyz IBE, HIBE,? weaker assumptions/model stronger

42 Thank you! Main references [ABR01]:M. Abdalla, M. Bellare, P. Rogaway: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. CT-RSA [CHK07]: D. Cash, E. Kiltz, V. Shoup: The Twin Diffie-Hellman Problem and Applications. EUROCRYPT 2008 & J. of Cryptology [HK07]: D. Hofheinz, E. Kiltz: Secure Hybrid Encryption from Weakened Key Encapsulation. CRYPTO 2007