Short Paper On the Generic Hardness of DDH-II


Ivan Damgård, Carmit Hazay, Angela Zottarel

Abstract. The well known Decisional Diffie-Hellman assumption states that given g, g^a and g^b, for random a, b, the element g^{ab} is pseudo-random. Canetti in [Can97] introduced a variant of this assumption in which b is still random but a is drawn according to some well-spread distribution. In this paper we prove that his assumption holds in the generic group model and demonstrate its broad applicability in the context of leakage resilient cryptography.

1 Introduction

The well known Decisional Diffie-Hellman (DDH) hardness assumption states that given two random group elements g^a, g^b from a prime order group G, such that g is a generator, it is hard to distinguish g^{ab} from a uniform element in G. This assumption lies at the heart of the security proofs of many cryptographic primitives, most notably the Diffie-Hellman key exchange [DH76], the ElGamal public-key encryption scheme [Gam85] and the Cramer-Shoup cryptosystem [CS98]. It further has many flavors, such as the bilinear [BF01], the linear [BBS04] and the n-linear variants [Sha07,HK07].

In this paper we study the DDH-II assumption, which was introduced by Canetti [Can97] for the purpose of obfuscation. The DDH-II assumption states that given a prime order group G and g, g^a, g^b, where a is drawn from a certain (not necessarily uniform) distribution with sufficient min-entropy, whereas b is picked uniformly at random, g^{ab} is indistinguishable from a uniform element in G. Our contribution is twofold: (1) we first present a proof of hardness for DDH-II in the generic group model; (2) we discuss new applications in the area of leakage resilient cryptography for which DDH-II is useful. We believe that studying this assumption will make it possible to explore and simplify the proofs of many cryptographic constructions.

Security in the Generic Group Model. Whenever a new assumption is introduced, the first question that naturally arises is whether this assumption is meaningful or not. Put differently, can we really be sure that the underlying problem is hard to solve? Clearly, a positive answer would imply a solution to the famous P = NP question. The generic group model [Sho97] allows precisely to avoid this catch. In this model, the adversary is restricted to performing only basic operations (e.g., multiplications and inversions) on the given group elements, without exploiting any a priori information about the internal structure of the group. A proof of hardness in the generic group model does not mean that a problem is hard in the real world, precisely because there is no way to stop the adversary from using its knowledge about eventual properties of the group. Nevertheless, such a proof can give some evidence regarding the real hardness of an assumption, since the only way left to break the assumption is to exploit the special properties and design of a specific group. In general, the generic group model has proven to be a precious tool for investigating new assumptions, and has been used in many different scenarios to establish their meaningfulness; see [Sho97,MW98,Sma01,Den06,Che06,BW07,Wat12] for just a few examples.

Leakage Resilient Cryptography. Until very recently most security proofs were carried out in the so-called black-box model [SV98]. In this model, the adversary is only allowed to observe the input/output behavior of the underlying primitive, without having access to the secret state of

the system. Unfortunately, physical implementations turned out to be non black-box, and various side-channel attacks were shown to severely compromise the integrity of the secret key, rendering the security of the system void. See [Koc96,BDL97,BS97,KJJ99,QS01] for some examples. Therefore, in recent years a significant body of research has been dedicated to new models that are more adequate for real-world attacks, and the field called leakage resilient cryptography has been initiated. Typically, the leakage obtained by the attacker is formalized by a function h applied to the secret key sk. It is inevitable to restrict the leakage function in some way and, to this end, several different security models have been proposed [CLW06,MR04,AGV09,NS09,DGK+10]. Among these there is a model that restricts the output length of the leakage function (bounded leakage), a model that assumes some residual high min-entropy of the secret key conditioned on the leakage (entropy-bounded leakage), and a model that assumes that the secret state leaks only during the actual computations (only computational). Known solutions against side-channel attacks range from basic secret-key and public-key primitives such as encryption and digital signatures to a wide range of multiparty functionalities (see [MR04,DP08,AGV09,ADW09,DKL09,NS09,FKPR10,DHLAW10,LRW11] and the references therein). All these theoretical solutions try to cope with the physical problems arising from weak implementations of cryptographic schemes proven secure in an ideal model.

Although leakage resilient cryptography makes substantial use of theoretical tools, we must keep in mind that the main goal of this recent field is enabling security and privacy in the real world; thus we believe that this work is relevant to achieving important tasks such as secure storage, implementation of cryptographic primitives on small devices and, generally, establishing electronic commerce using cryptographic tools.

Applications. In light of the above discussion, we point out that the structure of DDH-II suggests that it might be useful in the context of leakage resilient cryptography. Let us elaborate on concrete leakage resilient applications that can benefit from this assumption:

1. In the context of leakage resilient secure computation, Damgård et al. introduced in [DHP11] the indistinguishability for k-sources (k-ind) assumption, another variant of DDH that is implied by the DDH-II assumption. Their goal was to design leakage resilient oblivious transfer relying on this hardness assumption. On the one hand, our result supports the meaningfulness of the security reduction given in [DHP11], as we prove that DDH-II is generically hard to solve. On the other hand, the work of Damgård et al. shows that Canetti's assumption, as well as the k-ind assumption, are promising tools for leakage resilient cryptography and can be useful for designing particular leakage resilient secure protocols.

2. Another interesting application of the DDH-II assumption is related to leakage resilient public-key encryption schemes (PKE). This question has been studied intensively lately by the cryptographic community [AGV09,BG10,BKKV10,DHLAW10,DGK+10,NS09]. Nevertheless, almost all of these works solve the leakage resilient PKE problem with the following restrictions applied to the basic semantic security game [GM82]: (1) leakage is allowed only from the secret key and (2) only prior to the computation of the challenge ciphertext. Two exceptions are the work by Halevi and Lin [HL11], which introduced a new after-the-fact definition where the adversary is allowed to obtain leakage from the secret key even after seeing the challenge, but whose security holds only for plaintexts with sufficiently high min-entropy, and the recent work by Namiki et al. [NTY11], which shows how to construct public-key encryption

schemes allowing partial leakage from the randomness used by the encryption algorithm; see [NTY11] for further references to papers that examine encryption schemes with non-uniform randomness. In both cases the constructions use randomness extractors. The DDH-II assumption allows us to focus our attention on the latter problem, concerning leakage from the randomness. Specifically, consider the ElGamal PKE, whose security relies on the DDH assumption. Then, viewing the non-uniform distribution, which originally was considered as side-information about the secret key, as leakage applied to the randomness, it is possible to run the same semantic security game reduced to the hardness of DDH-II. This is possible due to the symmetry in this assumption. Notice that we can use DDH-II only in a context where we have leakage either from the secret key or from the randomness, but not from both. Nevertheless, it makes it possible to obtain (perhaps for the first time) a leakage resilient PKE without using any extractors. For settings in which leakage is viewed as a function of the entire secret state (that is, secret key and randomness), we point to the work of Bitansky et al. [BCH12], which demonstrates how leakage from the randomness and from the secret key can be seen from a broader point of view. Namely, a public-key scheme is defined using a two-party functionality, and leakage is considered as a weaker variant of passive corruption. In particular, they show a tight connection between this very general modeling of leakage and non-committing encryption (used for obtaining adaptively secure communication channels), hinting that building efficient encryption schemes tolerating leakage from both the secret key and the randomness may need to rely on stronger tools. Therefore, it is worth studying the scenario where leakage is obtained only from the randomness.

Moreover, as [NTY11] points out, dealing with leakage from the randomness is a very delicate and challenging task in itself. In fact, the work of Namiki et al. is set in a particular KEM/DEM framework that simulates the so-called split model of [DF11], where the internal state is divided into two parts, each handling a different memory part and leaking independently of the other. In this particular case, the DDH-II assumption would fit very easily into the model and would avoid the use of randomness extractors. A different attempt to study the security of ElGamal in the context of leakage resilient cryptography was proposed in [KP10]. That paper considers leakage from the secret key and proves security in the generic group model. We notice that, relying on the DDH-II assumption, it would be easy to achieve the same security notion for ElGamal. This would be an improvement over the [KP10] PKE, which is constructed over bilinear groups.

3. Finally, the deep connection between DDH-II and the standard Diffie-Hellman assumption suggests that we could also exploit the properties of Canetti's variant for key-exchange protocols. This primitive has its roots in the seminal work of Diffie and Hellman [DH76] and has since been studied extensively. Given the above structure of DDH-II, the key-exchange protocol of [DH76] can be studied in an environment where the secret exponent of one of the end users is compromised. In particular, in the same fashion as before, hardness of DDH-II can imply the security of this protocol in the presence of leakage. Authenticated key agreement, a closely related but stronger primitive, was studied in the leakage resilient setting in [DHLAW10,ADW09,KV09]. These constructions rely on leakage resilient building blocks such as signatures and obtain security against active adversaries.

Organization. Section 2 contains some basic notions and definitions. In Section 3 we introduce the proof of our main theorem.
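To make the symmetry argument of application 2 concrete (the ElGamal scheme itself is recalled in Section 2.1), here is an added Python example that is not part of the paper: it instantiates ElGamal over a constructed toy safe-prime subgroup and embeds one DDH(-II) instance into the semantic-security game twice, once with the non-uniform exponent a playing the secret key and once playing the encryption randomness, checking that both embeddings yield genuine encryptions and that knowledge of the randomness alone recovers m. The parameters, function names and sample message are assumptions of the example.

```python
import random

# Constructed toy parameters (not from the paper): p = 2q + 1 is a safe prime,
# so the squares in Z_p^* form the subgroup G of prime order q.
P = 10007
Q = 5003
G = pow(2, 2, P)  # a square other than 1, hence a generator of the order-q subgroup


def to_group(k):
    """Map an integer to an element of G by squaring (messages must lie in G)."""
    return pow(k, 2, P)


def inv(v):
    """Multiplicative inverse modulo the prime P."""
    return pow(v, P - 2, P)


def keygen(rng):
    """Secret key x <- F_q, public key h = g^x."""
    x = rng.randrange(1, Q)
    return pow(G, x, P), x


def encrypt(h, m, y):
    """ElGamal encryption of m in G with explicit randomness y: (g^y, h^y * m)."""
    return pow(G, y, P), pow(h, y, P) * m % P


def decrypt(x, c):
    """Receiver's decryption m = beta / alpha^x."""
    alpha, beta = c
    return beta * inv(pow(alpha, x, P)) % P


def reconstruct_from_randomness(h, y, c):
    """The property used in Section 2.1: whoever knows y = log_g(alpha)
    recovers m = beta / h^y without the secret key."""
    _, beta = c
    return beta * inv(pow(h, y, P)) % P


def embed_ddh_instance(ga, gb, z, m, leak_side):
    """Build the challenge (public key, ciphertext) of the semantic-security
    game from a DDH(-II) instance (g^a, g^b, z). The exponent a is the one
    allowed to be non-uniform in DDH-II. With leak_side == "key" it plays
    the secret key x (and b is the encryption randomness); with
    leak_side == "randomness" the roles are swapped. Both embeddings are
    valid because the tuple is symmetric in a and b."""
    if leak_side == "key":
        h, alpha = ga, gb
    elif leak_side == "randomness":
        h, alpha = gb, ga
    else:
        raise ValueError("leak_side must be 'key' or 'randomness'")
    return h, (alpha, z * m % P)


def demo(seed=7):
    """Returns (both embeddings are real encryptions, a non-DH value hides m)."""
    rng = random.Random(seed)
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)
    ga, gb, gab = pow(G, a, P), pow(G, b, P), pow(G, a * b, P)
    m = to_group(1234)  # constructed sample message, an element of G
    # Real DDH tuple: both embeddings are genuine ElGamal encryptions of m.
    h1, c1 = embed_ddh_instance(ga, gb, gab, m, "key")
    h2, c2 = embed_ddh_instance(ga, gb, gab, m, "randomness")
    real_ok = (c1 == encrypt(h1, m, b) and decrypt(a, c1) == m
               and c2 == encrypt(h2, m, a) and decrypt(b, c2) == m
               and reconstruct_from_randomness(h2, a, c2) == m)
    # Non-DH tuple (z = g^{ab+1}, chosen so the mismatch is deterministic):
    # the second ciphertext component no longer determines m.
    z = pow(G, (a * b + 1) % Q, P)
    h3, c3 = embed_ddh_instance(ga, gb, z, m, "randomness")
    hides = decrypt(b, c3) != m
    return real_ok, hides
```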

2 Basic Notations

For the sake of completeness, we introduce some basic notations and definitions. For a set S we write $x \leftarrow S$ to denote that x is sampled uniformly from S. We use negl to denote a negligible function $f : \mathbb{N} \to \mathbb{R}$, namely a function f such that, for any polynomial $p(\cdot)$ and large enough n, $f(n) \le 1/p(n)$.

2.1 The ElGamal PKE

The ElGamal encryption scheme is a PKE which operates on a cyclic group G of prime order p. Let g denote a random generator of G; then the public and secret keys are (G, p, g, h) and (G, p, g, x), where $x \leftarrow \mathbb{F}_p$ and $h = g^x$. A message $m \in G$ is encrypted by choosing $y \leftarrow \mathbb{F}_p$, and the ciphertext is $(g^y, h^y m)$. A ciphertext $c = (\alpha, \beta)$ is decrypted as $m = \beta/\alpha^x$. We use the property that given $y = \log_g \alpha$ one can reconstruct $m = \beta/h^y$, and hence a party encrypting m can prove knowledge of m by proving knowledge of y.

2.2 Hardness Assumptions

Before giving the formal definition of DDH-II, we recall the DDH assumption.

Definition 1. Let G be a cyclic group of prime order p. Let g be a generator of G. The Decisional Diffie-Hellman Assumption holds if, for every PPT algorithm A:
$$\left|\Pr[A(g, g^a, g^b, g^{ab}) = 1] - \Pr[A(g, g^a, g^b, g^c) = 1]\right| \le \mathrm{negl}(k)$$
where the probability is taken over the random choice of $a, b, c \leftarrow \mathbb{F}_p$.

In the following, we first specify Canetti's definition ([Can97]) of a well-spread distribution.

Definition 2. A distribution ensemble $X = \{X_k\}_{k \in \mathbb{N}}$ is well spread if for any polynomial $p(\cdot)$ and large enough k the maximum probability of an element is smaller than 1/p(k), i.e. $\max_x \Pr[X_k = x] \le 1/p(k)$.

Definition 3. Let G be a cyclic group of prime order p. Let g be a generator of G. The DDH Assumption II (DDH-II) holds if, for every PPT algorithm A:
$$\left|\Pr[A(g, g^a, g^b, g^{ab}) = 1] - \Pr[A(g, g^a, g^b, g^c) = 1]\right| \le \mathrm{negl}(k)$$
where a is drawn from a well-spread distribution over $\mathbb{F}_p$ and $b, c \leftarrow \mathbb{F}_p$.

3 The Main Theorem

In this section we prove our main theorem.

Theorem 1. The DDH-II assumption holds in the generic group model.

Proof. Let A be a polynomial-time generic group adversary. As usual, the generic group model is implemented by choosing a random encoding $\sigma : G \to \{0,1\}^m$. Instead of working directly with group elements, A takes as input their images under σ. This way, all A can test is string equality. A is also given access to an oracle computing the group operation and inversion: taking $\sigma(g_1), \sigma(g_2)$ and returning $\sigma(g_1 g_2)$, and similarly for inversion. Finally, we can assume that A submits to the oracle only encodings of elements it has previously received. This is because we can choose m large enough that the probability of choosing a string that is also in the image of σ is negligible.

We consider an algorithm B playing the following game with A. Algorithm B chooses 5 bit strings $\sigma_0, \dots, \sigma_4$ uniformly in $\{0,1\}^m$. Internally, B keeps track of the encoded elements using polynomials in the ring $\mathbb{F}_q[X, Y, T_0, T_1]$. To maintain consistency with the bit strings given to A, B creates a list L of pairs (F, σ), where F is a polynomial in the ring specified above and σ is the encoding of a group element. The polynomial F represents the exponent of the encoded element. Initially, L is set to $\{(1, \sigma_0), (X, \sigma_1), (Y, \sigma_2), (T_0, \sigma_3), (T_1, \sigma_4)\}$. Algorithm B starts the game by providing A with $\sigma_0, \dots, \sigma_4$. The simulation of the oracles goes as follows:

Group action: Given two strings $\sigma_i, \sigma_j$ relative to elements in G, B recovers the corresponding polynomials $F_i$ and $F_j$ and computes $F_i + F_j$. If $F_i + F_j$ is already in L, B returns to A the corresponding bit string; otherwise it returns a uniform element σ in $\{0,1\}^m$ and stores $(F_i + F_j, \sigma)$ in L.

Inversion: Given an element σ in G, B recovers its internal representation F and computes $-F$. If the polynomial $-F$ is already in L, B returns the corresponding bit string; otherwise it returns a uniform string σ and stores $(-F, \sigma)$ in L.

After A has queried the oracles, it outputs a bit b'.

At this point, B chooses a bit b and uniform values x, y, s in $\mathbb{F}_q$ and sets $X = x$, $Y = y$, $T_b = xy$ and $T_{1-b} = s$. If the simulation provided by B is consistent, it reveals nothing about b. This means that the probability of A guessing the correct value for b is 1/2. The only way in which the simulation could be inconsistent is if, after we choose values for $X, Y, T_0, T_1$, two different polynomials in L happen to produce the same value.

First, we prove that A is unable to cause such a collision on its own. Notice that the substitutions made for the formal variables are all independent except for $T_b$. Hence, A can cause a collision only by producing a multiple of XY. However, notice that L is initially populated with polynomials of degree at most one, and that neither the group operation nor the inversion oracle increases the degree of the polynomials. Thus, all polynomials contained in L have degree at most one. This is enough to conclude that A cannot purposely produce a collision.

It remains to prove that the probability of a collision happening due to an unlucky choice of values is negligible. In other words, we have to bound the probability that two distinct $F_i, F_j$ in L evaluate to the same value after the substitution, namely $F_i(x, y, s) - F_j(x, y, s) = 0$. This reduces to bounding the probability of hitting a zero of $F_i - F_j$.
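The simulation by B and the degree argument just given, as an added Python example that is not part of the paper: it implements B's list L over linear polynomials in (X, Y, T0, T1), lets a generic adversary that bets on a particular value of a compute g^{cb} through the group-action oracle only, and then performs B's substitution to detect inconsistencies. It goes a step beyond the proof by also measuring how often the simulation breaks when a is drawn from a distribution that is not well-spread; the prime q, the encoding length m, the adversary's guess and the two samplers are constructed for this example.

```python
import random

# Exponent polynomials in F_q[X, Y, T0, T1] of total degree <= 1, stored as
# coefficient tuples (const, X, Y, T0, T1) with entries reduced mod q.
ONE, X, Y, T0, T1 = [tuple(int(i == j) for j in range(5)) for i in range(5)]

class GenericGroupSimulator:
    """Algorithm B of the proof: hands out random m-bit encodings and keeps
    the list L of (polynomial, encoding) pairs to answer oracle queries."""

    def __init__(self, q, m, rng):
        self.q, self.m, self.rng = q, m, rng
        self.L = {}        # polynomial -> encoding
        self.by_enc = {}   # encoding -> polynomial
        # Initially L = {(1, s0), (X, s1), (Y, s2), (T0, s3), (T1, s4)}.
        self.start = [self.encode(F) for F in (ONE, X, Y, T0, T1)]

    def encode(self, F):
        """Encoding of F; a fresh uniform m-bit string if F is new to L."""
        if F not in self.L:
            s = self.rng.getrandbits(self.m)
            while s in self.by_enc:
                s = self.rng.getrandbits(self.m)
            self.L[F], self.by_enc[s] = s, F
        return self.L[F]

    def group_op(self, s_i, s_j):
        """Group action oracle: F_i + F_j (A may only submit known strings)."""
        F_i, F_j = self.by_enc[s_i], self.by_enc[s_j]
        return self.encode(tuple((u + v) % self.q for u, v in zip(F_i, F_j)))

    def inversion(self, s_i):
        """Inversion oracle: -F."""
        return self.encode(tuple((-u) % self.q for u in self.by_enc[s_i]))

    def max_degree(self):
        """Highest degree among the polynomials in L (never exceeds one)."""
        return max(1 if any(F[1:]) else 0 for F in self.L)

    def finalize(self, b, x, y, s):
        """Substitute X=x, Y=y, T_b=xy, T_{1-b}=s and list the inconsistencies:
        pairs of distinct polynomials in L that evaluate to the same value."""
        t = [0, 0]
        t[b], t[1 - b] = (x * y) % self.q, s
        seen, collisions = {}, []
        for F in self.L:
            v = (F[0] + F[1] * x + F[2] * y + F[3] * t[0] + F[4] * t[1]) % self.q
            if v in seen:
                collisions.append((seen[v], F))
            else:
                seen[v] = F
        return collisions

def scalar_mult(sim, enc, k):
    """k-fold group action on enc by double-and-add through the oracle only;
    the tracked polynomial stays linear throughout."""
    acc = enc
    for bit in bin(k)[3:]:          # skip '0b' and the leading 1
        acc = sim.group_op(acc, acc)
        if bit == "1":
            acc = sim.group_op(acc, enc)
    return acc

def guessing_adversary(sim, guess):
    """A generic A betting that a == guess: it computes g^{guess*b} from g^b
    and compares it with both candidates for g^{ab} (string equality only)."""
    _, _, s_y, s_t0, s_t1 = sim.start
    cand = scalar_mult(sim, s_y, guess)
    return 0 if cand == s_t0 else 1 if cand == s_t1 else sim.rng.randrange(2)

def play(q, m, b, x, y, s, guess, seed=0):
    """One run of B's game; returns the collisions found after substitution."""
    sim = GenericGroupSimulator(q, m, random.Random(seed))
    guessing_adversary(sim, guess)
    assert sim.max_degree() <= 1   # A cannot build a multiple of XY
    return sim.finalize(b, x, y, s)

def collision_rate(q, m, sampler, guess, trials, seed=0):
    """Fraction of games whose simulation turns out inconsistent when a is
    drawn by `sampler` and A keeps betting on `guess`."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        b, x = rng.randrange(2), sampler(rng)
        y, s = rng.randrange(1, q), rng.randrange(q)
        if play(q, m, b, x, y, s, guess, rng.getrandbits(32)):
            bad += 1
    return bad / trials

Q, M, GUESS = 2**31 - 1, 128, 12345   # constructed parameters; Q is prime

def uniform_a(rng):        # well-spread: every value has probability 1/(Q-1)
    return rng.randrange(1, Q)

def badly_spread_a(rng):   # not well-spread: one value carries half the mass
    return GUESS if rng.random() < 0.5 else rng.randrange(1, Q)
```

A collision between the adversary's polynomial c·Y and T_b is exactly the event in which the real game would let A tell g^{ab} from g^c while B's simulation cannot, and its frequency is governed by the probability mass the distribution of a places on a single value.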

Recall that the Schwartz-Zippel lemma says that, if f is a degree d polynomial in $\mathbb{F}_p[X_1, \dots, X_n]$ and $S \subseteq \mathbb{F}_p$, then
$$\Pr[f(x_1, \dots, x_n) = 0] \le \frac{d}{|S|}$$
where $x_1, \dots, x_n$ are chosen uniformly from S. Now, let $H_\infty(X) = -\log(\max_x \Pr[X_k = x])$ be the min-entropy of the distribution ensemble $X = \{X_k\}_{k \in \mathbb{N}}$. Then, given fixed $x_2, \dots, x_n \in \mathbb{F}_p$,
$$\Pr_{x \leftarrow X}[f(x, x_2, \dots, x_n) = 0] \le \frac{d}{2^{H_\infty(X)}}.$$
Going back to our case, we have that
$$\Pr_{\substack{x \leftarrow X \\ y, s \leftarrow \mathbb{F}_p}}[(F_j - F_i)(x, y, s) = 0]
= \sum_{y, s} \Pr_{x \leftarrow X}[(F_j - F_i)(x, Y, S) = 0 \mid Y = y, S = s] \cdot \Pr[Y = y, S = s]
\le \sum_{y, s} \frac{1}{2^{H_\infty(X)}} \Pr[Y = y, S = s]
= \frac{1}{2^{H_\infty(X)}}
= \max_x \Pr[X_k = x].$$
Since by assumption the distribution X is well-spread, we have that, for any polynomial p and large enough k, the probability of a collision is at most 1/p(k), which means precisely that the probability of a collision is negligible. This concludes the proof of the theorem.

4 Future Directions

The particular form of the DDH-II assumption implies that it may be possible to release some partial information about the exponent and still be able to prove security. This assumption seems to have much potential but must also be employed carefully. For instance, it is important to note that standard hybrid arguments do not immediately hold here as they do in the standard setting (without considering leakage). We thus propose to further study this assumption and in particular to examine its benefits in leakage resilient cryptography. Specifically, it would be very interesting to show a construction of a PKE scheme that allows leakage from the randomness before, as well as after, the challenge ciphertext is produced. The DDH-II assumption takes one step in this direction, as it makes it possible to tolerate leakage from the randomness of the challenge ciphertext (but not from the secret key) when instantiating the PKE with ElGamal.

In addition, we suggest examining another variant of DDH, also proposed by Canetti [Can97], where instead of receiving g^a, the adversary sees f(a) for some uninvertible function f. This assumption could be useful in the auxiliary input leakage setting.

References

[ADW09] Joël Alwen, Yevgeniy Dodis, and Daniel Wichs. Leakage-resilient public-key cryptography in the bounded-retrieval model. In CRYPTO, pages 36–54.

[AGV09] Adi Akavia, Shafi Goldwasser, and Vinod Vaikuntanathan. Simultaneous hardcore bits and cryptography against memory attacks. In TCC.
[BBS04] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, pages 41–55.
[BCH12] Nir Bitansky, Ran Canetti, and Shai Halevi. Leakage-tolerant interactive protocols. In TCC.
[BDL97] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the importance of checking cryptographic protocols for faults (extended abstract). In EUROCRYPT, pages 37–51.
[BF01] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. In CRYPTO.
[BG10] Zvika Brakerski and Shafi Goldwasser. Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: Quadratic residuosity strikes back). In CRYPTO, pages 1–20.
[BKKV10] Zvika Brakerski, Yael Tauman Kalai, Jonathan Katz, and Vinod Vaikuntanathan. Overcoming the hole in the bucket: Public-key cryptography resilient to continual memory leakage. In FOCS.
[BS97] Eli Biham and Adi Shamir. Differential fault analysis of secret key cryptosystems. In CRYPTO.
[BW07] Xavier Boyen and Brent Waters. Full-domain subgroup hiding and constant-size group signatures. In Public Key Cryptography, pages 1–15.
[Can97] Ran Canetti. Towards realizing random oracles: Hash functions that hide all partial information. In CRYPTO.
[Che06] Jung Hee Cheon. Security analysis of the strong Diffie-Hellman problem. In EUROCRYPT, pages 1–11.
[CLW06] Giovanni Di Crescenzo, Richard J. Lipton, and Shabsi Walfish. Perfectly secure password protocols in the bounded retrieval model. In TCC.
[CS98] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO, pages 13–25.
[Den06] Alexander W. Dent. The hardness of the DHK problem in the generic group model. IACR Cryptology ePrint Archive, 2006:156.
[DF11] Stefan Dziembowski and Sebastian Faust. Leakage-resilient cryptography from the inner-product extractor. In ASIACRYPT.
[DGK+10] Yevgeniy Dodis, Shafi Goldwasser, Yael Tauman Kalai, Chris Peikert, and Vinod Vaikuntanathan. Public-key encryption schemes with auxiliary inputs. In TCC.
[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6).
[DHLAW10] Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt, and Daniel Wichs. Efficient public-key cryptography in the presence of key leakage. In ASIACRYPT.
[DHP11] Ivan Damgård, Carmit Hazay, and Arpita Patra. Leakage resilient secure two-party computation. IACR Cryptology ePrint Archive, 2011:256.
[DKL09] Yevgeniy Dodis, Yael Tauman Kalai, and Shachar Lovett. On cryptography with auxiliary input. In STOC.
[DP08] Stefan Dziembowski and Krzysztof Pietrzak. Leakage-resilient cryptography. In FOCS.
[FKPR10] Sebastian Faust, Eike Kiltz, Krzysztof Pietrzak, and Guy N. Rothblum. Leakage-resilient signatures. In TCC.
[Gam85] Taher El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4).
[GM82] Shafi Goldwasser and Silvio Micali. Probabilistic encryption and how to play mental poker keeping secret all partial information. In STOC.
[HK07] Dennis Hofheinz and Eike Kiltz. Secure hybrid encryption from weakened key encapsulation. In CRYPTO.
[HL11] Shai Halevi and Huijia Lin. After-the-fact leakage in public-key encryption. In TCC.
[KJJ99] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In CRYPTO.
[Koc96] Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In CRYPTO.
[KP10] Eike Kiltz and Krzysztof Pietrzak. Leakage resilient ElGamal encryption. In ASIACRYPT.
[KV09] Jonathan Katz and Vinod Vaikuntanathan. Signature schemes with bounded leakage resilience. In ASIACRYPT.
[LRW11] Allison B. Lewko, Yannis Rouselakis, and Brent Waters. Achieving leakage resilience through dual system encryption. In TCC, pages 70–88.
[MR04] Silvio Micali and Leonid Reyzin. Physically observable cryptography (extended abstract). In TCC.
[MW98] Ueli M. Maurer and Stefan Wolf. Lower bounds on generic algorithms in groups. In EUROCRYPT, pages 72–84.
[NS09] Moni Naor and Gil Segev. Public-key cryptosystems resilient to key leakage. IACR Cryptology ePrint Archive, 2009:105.
[NTY11] Hitoshi Namiki, Keisuke Tanaka, and Kenji Yasunaga. Randomness leakage in the KEM/DEM framework. In ProvSec.
[QS01] Jean-Jacques Quisquater and David Samyde. Electromagnetic analysis (EMA): Measures and countermeasures for smart cards. In E-smart.
[Sha07] Hovav Shacham. A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. IACR Cryptology ePrint Archive, 2007:74.
[Sho97] Victor Shoup. Lower bounds for discrete logarithms and related problems. In EUROCRYPT.
[Sma01] Nigel P. Smart. The exact security of ECIES in the generic group model. In IMA Int. Conf., pages 73–84.
[SV98] Claus-Peter Schnorr and Serge Vaudenay. The black-box model for cryptographic primitives. J. Cryptology, 11(2).
[Wat12] Brent Waters. Functional encryption for regular languages. In CRYPTO.


Hash Proof Systems and Password Protocols Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale supe rieure/psl & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA

More information

An IBE Scheme to Exchange Authenticated Secret Keys

An IBE Scheme to Exchange Authenticated Secret Keys An IBE Scheme to Exchange Authenticated Secret Keys Waldyr Dias Benits Júnior 1, Routo Terada (Advisor) 1 1 Instituto de Matemática e Estatística Universidade de São Paulo R. do Matão, 1010 Cidade Universitária

More information

Secure Multiparty Computation

Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

Efficient chosen ciphertext secure PKE scheme with short ciphertext

Efficient chosen ciphertext secure PKE scheme with short ciphertext Efficient chosen ciphertext secure PKE scheme with short ciphertext Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:lu xianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,

More information

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM Zhaohui Cheng, Richard Comley Luminita Vasiu School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, United Kingdom

More information

Securely Combining Public-Key Cryptosystems

Securely Combining Public-Key Cryptosystems Securely Combining Public-Key Cryptosystems Stuart Haber Benny Pinkas STAR Lab, Intertrust Tech. 821 Alexander Road Princeton, NJ 08540 {stuart,bpinkas}@intertrust.com Abstract It is a maxim of sound computer-security

More information

Leakage-Resilient Zero Knowledge

Leakage-Resilient Zero Knowledge Leakage-Resilient Zero Knowledge Sanjam Garg, Abhishek Jain, and Amit Sahai UCLA {sanjamg,abhishek,sahai}@cs.ucla.edu Abstract. In this paper, we initiate a study of zero knowledge proof systems in the

More information

Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model

Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,

More information

New Public Key Cryptosystems Based on the Dependent RSA Problems

New Public Key Cryptosystems Based on the Dependent RSA Problems New Public Key Cryptosystems Based on the Dependent RSA Problems David Pointcheval LIENS CNRS, École Normale Supérieure, 45 rue d Ulm, 75230 Paris Cedex 05, France. David.Pointcheval@ens.fr http://www.dmi.ens.fr/

More information

Direct Chosen Ciphertext Security from Identity-Based Techniques

Direct Chosen Ciphertext Security from Identity-Based Techniques Updated version of a paper published in the proceedings of the 12th ACM Conference on Computer and Communications Security CCS 2005, Alexandria, VA, November 2005. Current version available from the IACR

More information

A systematic approach to eliminating the vulnerabilities in smart cards evaluation

A systematic approach to eliminating the vulnerabilities in smart cards evaluation A systematic approach to eliminating the vulnerabilities in smart cards evaluation Hongsong Shi, Jinping Gao, Chongbing Zhang hongsongshi@gmail.com China Information Technology Security Evaluation Center

More information

New Constructions for UC Secure Computation using Tamper-proof Hardware

New Constructions for UC Secure Computation using Tamper-proof Hardware New Constructions for UC Secure Computation using Tamper-proof Hardware Nishanth Chandran Vipul Goyal Amit Sahai Department of Computer Science, UCLA {nishanth,vipul,sahai}@cs.ucla.edu Abstract The Universal

More information

Group-based Proxy Re-encryption Scheme Secure against Chosen Ciphertext Attack

Group-based Proxy Re-encryption Scheme Secure against Chosen Ciphertext Attack International Journal of Network Security, Vol.8, No., PP.266 270, May 2009 266 Group-based Proxy Re-encryption Scheme Secure against Chosen Ciphertext Attack Chunbo Ma and Jun Ao (Corresponding author:

More information

Efficient Compilers for After-the-Fact Leakage: from CPA to CCA-2 secure PKE to AKE

Efficient Compilers for After-the-Fact Leakage: from CPA to CCA-2 secure PKE to AKE Efficient Compilers for After-the-Fact Leakage: from CPA to CCA-2 secure PKE to AKE Suvradip Chakraborty 1, Goutam Paul 2 and C. Pandu Rangan 1 1 Department of Computer Science and Engineering, Indian

More information

CSC 5930/9010 Modern Cryptography: Digital Signatures

CSC 5930/9010 Modern Cryptography: Digital Signatures CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM

More information

Cryptography. Lecture 12. Arpita Patra

Cryptography. Lecture 12. Arpita Patra Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:

More information

Program Obfuscation with Leaky Hardware

Program Obfuscation with Leaky Hardware Program Obfuscation with Leaky Hardware The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation As Published Publisher Bitansky,

More information

Stateful Key Encapsulation Mechanism

Stateful Key Encapsulation Mechanism Stateful Key Encapsulation Mechanism Peng Yang, 1 Rui Zhang, 2 Kanta Matsuura 1 and Hideki Imai 2 The concept of stateful encryption was introduced to reduce computation cost of conventional public key

More information

The Twin Diffie-Hellman Problem and Applications

The Twin Diffie-Hellman Problem and Applications An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 08, Lecture Notes in Computer Science Vol.????, N. Smart ed., Springer-Verlag, 2008. This is the full version. The Twin Diffie-Hellman

More information

Lectures 4+5: The (In)Security of Encrypted Search

Lectures 4+5: The (In)Security of Encrypted Search Lectures 4+5: The (In)Security of Encrypted Search Contents 1 Overview 1 2 Data Structures 2 3 Syntax 3 4 Security 4 4.1 Formalizing Leaky Primitives.......................... 5 1 Overview In the first

More information

An Efficient ID-KEM Based On The Sakai Kasahara Key Construction

An Efficient ID-KEM Based On The Sakai Kasahara Key Construction An Efficient ID-KEM Based On The Sakai Kasahara Key Construction L. Chen 1, Z. Cheng 2, J. Malone Lee 3, and N.P. Smart 3 1 Hewlett-Packard Laboratories, Filton Road, Stoke Gifford, Bristol, BS34 8QZ,

More information

Applied Cryptography and Computer Security CSE 664 Spring 2018

Applied Cryptography and Computer Security CSE 664 Spring 2018 Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know

More information

The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model

The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model Alexander W. Dent Royal Holloway, University of London Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk Abstract. In this paper

More information

Lecture 15: Public Key Encryption: I

Lecture 15: Public Key Encryption: I CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used

More information

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel. Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations

More information

CS 395T. Formal Model for Secure Key Exchange

CS 395T. Formal Model for Secure Key Exchange CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,

More information

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems. A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems. G Swetha M.Tech Student Dr.N.Chandra Sekhar Reddy Professor & HoD U V N Rajesh Assistant Professor Abstract Cryptography

More information

Definitions and Notations

Definitions and Notations Chapter 2 Definitions and Notations In this chapter, we present definitions and notation. We start with the definition of public key encryption schemes and their security models. This forms the basis of

More information

A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE

A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275,

More information

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on

More information

Public-Key Encryption in the Bounded-Retrieval Model

Public-Key Encryption in the Bounded-Retrieval Model Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen 1, Yevgeniy Dodis 1, Moni Naor 2, Gil Segev 2, Shabsi Walfish 3, and Daniel Wichs 1 1 New York University (NYU). New York, USA {jalwen,dodis,wichs}@cs.nyu.edu

More information

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Verifiably Encrypted Signature Scheme with Threshold Adjudication Verifiably Encrypted Signature Scheme with Threshold Adjudication M. Choudary Gorantla and Ashutosh Saxena Institute for Development and Research in Banking Technology Road No. 1, Castle Hills, Masab Tank,

More information

Introduction to Public-Key Cryptography

Introduction to Public-Key Cryptography Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography

More information

Protecting Cryptographic Keys against Continual Leakage

Protecting Cryptographic Keys against Continual Leakage Protecting Cryptographic Keys against Continual Leakage Ali Juma and Yevgeniy Vahlis Department of Computer Science, University of Toronto {ajuma,evahlis}@cs.toronto.edu Abstract. Side-channel attacks

More information

Lecture 10, Zero Knowledge Proofs, Secure Computation

Lecture 10, Zero Knowledge Proofs, Secure Computation CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last

More information

Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing

Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing wwwijcsiorg 10 Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing Yinghui Zhang 12 1 National Engineering Laboratory for Wireless Security Xi'an University of Posts and Telecommunications

More information

Multi-authority attribute based encryption with honest-but-curious central authority

Multi-authority attribute based encryption with honest-but-curious central authority Multi-authority attribute based encryption with honest-but-curious central authority Vladimir Božović 1, Daniel Socek 2, Rainer Steinwandt 1, and Viktória I. Villányi 1 1 Department of Mathematical Sciences,

More information

Attribute-Based Encryption. Allison Lewko, Microsoft Research

Attribute-Based Encryption. Allison Lewko, Microsoft Research Attribute-Based Encryption Allison Lewko, Microsoft Research The Cast of Characters This talk will feature work by: Brent Waters Amit Sahai Vipul Goyal Omkant Pandey With special guest appearances by:

More information

Research Statement. Vinod Vaikuntanathan

Research Statement. Vinod Vaikuntanathan Research Statement Vinod Vaikuntanathan The main focus of my research is the theoretical foundations of cryptography and distributed protocols. Thanks to the impressive developments in cryptography over

More information

Obfuscation (IND-CPA Security Circular Security)

Obfuscation (IND-CPA Security Circular Security) Obfuscation (IND-CPA Security Circular Security) Antonio Marcedone 1, and Claudio Orlandi 2 1 Scuola Superiore di Catania, University of Catania, Italy, amarcedone@cs.au.dk 2 Aarhus University, Denmark,

More information

Weak adaptive chosen ciphertext secure hybrid encryption scheme

Weak adaptive chosen ciphertext secure hybrid encryption scheme Weak adaptive chosen ciphertext secure hybrid encryption scheme Xianhui Lu 1, Xuejia Lai 2, Dake He 1, Guomin Li 1 Email:luxianhui@gmail.com 1:School of Information Science & Technology, SWJTU, Chengdu,

More information

Modelling the Security of Key Exchange

Modelling the Security of Key Exchange Modelling the Security of Key Exchange Colin Boyd including joint work with Janaka Alawatugoda, Juan Gonzalez Nieto Department of Telematics, NTNU Workshop on Tools and Techniques for Security Analysis

More information

Secure Cryptographic Workflow in the Standard Model

Secure Cryptographic Workflow in the Standard Model Secure Cryptographic Workflow in the Standard Model M. Barbosa 1 and P. Farshim 2 1 Departamento de Informática, Universidade do Minho, Campus de Gualtar, 4710-057 Braga, Portugal. mbb@di.uminho.pt 2 Department

More information

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1 ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

More information

Provably Secure against Adaptive Chosen. Ciphertext Attack. Ronald Cramer

Provably Secure against Adaptive Chosen. Ciphertext Attack. Ronald Cramer A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack Ronald Cramer Institute for Theoretical Computer Science, ETH Zurich, 809 Zurich, Switzerland cramer@inf.ethz.ch

More information

MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu

MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu MTAT.07.003 Cryptology II Commitment Schemes Sven Laur University of Tartu Formal Syntax m M 0 (c,d) Com pk (m) pk Canonical use case Gen c d pk m Open pk (c,d) A randomised key generation algorithm Gen

More information

Security Against Selective Opening Attacks

Security Against Selective Opening Attacks Security Against Selective Opening Attacks Rafael Dowsley June 2012 Abstract This survey will deal with the problem of selective opening attacks (SOA). We will present the known results (both possibility

More information

Certificateless Onion Routing

Certificateless Onion Routing Certificateless Onion Routing Dario Catalano Dipartimento di Matematica e Informatica Università di Catania - Italy catalano@dmi.unict.it Dario Fiore Dipartimento di Matematica e Informatica Università

More information

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/ BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. 1 General One-Way and Trapdoor Functions In this section, we will

More information

Security of Message Authentication Codes in the Presence of Key-Dependent Messages

Security of Message Authentication Codes in the Presence of Key-Dependent Messages Designs, Codes and Cryptography manuscript No. (will be inserted by the editor) Security of Message Authentication Codes in the Presence of Key-Dependent Messages Madeline González Muñiz Rainer Steinwandt

More information

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1 ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

More information

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

CSC 5930/9010 Modern Cryptography: Public Key Cryptography CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract

More information

Crypto Background & Concepts SGX Software Attestation

Crypto Background & Concepts SGX Software Attestation CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course

More information

Anonymizable Ring Signature Without Pairing

Anonymizable Ring Signature Without Pairing Anonymizable Ring Signature Without Pairing Olivier Blazy, Xavier Bultel, Pascal Lafourcade To cite this version: Olivier Blazy, Xavier Bultel, Pascal Lafourcade. Anonymizable Ring Signature Without Pairing.

More information

Key-Evolution Schemes Resilient to Space Bounded Leakage

Key-Evolution Schemes Resilient to Space Bounded Leakage Key-Evolution Schemes Resilient to Space Bounded Leakage Stefan Dziembowski Tomasz Kazana Daniel Wichs Main contribution We propose a secure scheme for deterministic key-evolution Properties: leakage-resilient

More information

Lecture Note 05 Date:

Lecture Note 05 Date: P.Lafourcade Lecture Note 05 Date: 29.09.2009 Security models 1st Semester 2008/2009 MANGEOT Guillaume ROJAT Antoine THARAUD Jrmie Contents 1 Block Cipher Modes 2 1.1 Electronic Code Block (ECB) [Dwo01]....................

More information

Proofs for Key Establishment Protocols

Proofs for Key Establishment Protocols Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish

More information

Security of Identity Based Encryption - A Different Perspective

Security of Identity Based Encryption - A Different Perspective Security of Identity Based Encryption - A Different Perspective Priyanka Bose and Dipanjan Das priyanka@cs.ucsb.edu,dipanjan@cs.ucsb.edu Department of Computer Science University of California Santa Barbara

More information

Part VI. Public-key cryptography

Part VI. Public-key cryptography Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel

More information

Security of Cryptosystems

Security of Cryptosystems Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs

More information

Computer Security CS 526

Computer Security CS 526 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability

More information

Tightly-Secure Authenticated Key Exchange without NAXOS Approach Based on Decision Linear Problem

Tightly-Secure Authenticated Key Exchange without NAXOS Approach Based on Decision Linear Problem Open Access Library Journal 016, Volume 3, e3033 ISSN Online: 333-971 ISSN Print: 333-9705 Tightly-Secure Authenticated Key Exchange without NAXOS Approach Based on Decision Linear Problem Mojahed Mohamed

More information

Function-Private Identity-Based Encryption: Hiding the Function in Functional Encryption

Function-Private Identity-Based Encryption: Hiding the Function in Functional Encryption Function-Private Identity-Based Encryption: Hiding the Function in Functional Encryption Dan Boneh, Ananth Raghunathan, and Gil Segev Computer Science Department Stanford University, Stanford, CA 94305.

More information

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland Cryptographic Primitives and Protocols for MANETs Jonathan Katz University of Maryland Fundamental problem(s) How to achieve secure message authentication / transmission in MANETs, when: Severe resource

More information

Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications

Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract ) Jonathan Katz Abstract We describe very efficient protocols for non-malleable (interactive) proofs of plaintext

More information

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay Cryptography and Network Security Lecture 0 Manoj Prabhakaran IIT Bombay Security In this course: Cryptography as used in network security Humans, Societies, The World Network Hardware OS Libraries Programs

More information

Tracing Insider Attacks in the Context of Predicate Encryption Schemes

Tracing Insider Attacks in the Context of Predicate Encryption Schemes Tracing Insider Attacks in the Context of Predicate Encryption Schemes Jonathan Katz and Dominique Schröder University of Maryland Email: {jkatz,schroder}@cs.umd.edu Abstract In a predicate encryption

More information

CCA2-Secure Threshold Broadcast Encryption with Shorter Ciphertexts

CCA2-Secure Threshold Broadcast Encryption with Shorter Ciphertexts CCA2-Secure Threshold Broadcast Encryption with Shorter Ciphertexts Vanesa Daza 1, Javier Herranz 2, az Morillo 3 and Carla Ràfols 3 1 Dept. D Enginyeria Informàtica i Matemàtiques, Universitat Rovira

More information

On the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak

On the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak On the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak Jonathan J. Hoch and Adi Shamir Department of Computer Science and Applied Mathematics, The Weizmann Institute of

More information

Relations between Semantic Security and Anonymity in Identity Based Encryption

Relations between Semantic Security and Anonymity in Identity Based Encryption Relations between Semantic Security and Anonymity in Identity Based Encryption Javier Herranz 1, Fabien Laguillaumie 2, and Carla Ràfols 1 1 Dept. Matemàtica Aplicada IV, Universitat Politècnica de Catalunya,

More information

Secure Multiparty Computation

Secure Multiparty Computation Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security Outline Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions Yao s Millionnare

More information

Chaum s Designated Confirmer Signature Revisited

Chaum s Designated Confirmer Signature Revisited Chaum s Designated Confirmer Signature Revisited Jean Monnerat and Serge Vaudenay EPFL, Switzerland http://lasecwww.epfl.ch Abstract. This article revisits the original designated confirmer signature scheme

More information