Encryption from the Diffie-Hellman assumption. Eike Kiltz

Elliptic curve public-key crypto
Key-agreement: Diffie-Hellman 76 (passive security); Hybrid DH (ECDH), MQV (active security)
Signatures
Encryption: ElGamal 84 (passive security); Hybrid ElGamal (ECIES) (active security)

Security of Hybrid ElGamal
Only few people know:
Breaking Hybrid ElGamal in CCA (active) / Solving strong Diffie-Hellman problem
Even in the random-oracle model!
Problem 1: Strong DH problem? Computational Diffie-Hellman (CDH) given access to Decisional Diffie-Hellman (DDH) oracle. Interactive assumption (or pairings).
Problem 2: Random oracle model?

This talk: Encryption from standard Diffie-Hellman assumptions
Twin Hybrid ElGamal encryption: security from (standard) CDH problem in the ROM; simple and generic trick
Encryption without ROM (if time): based on Hashed DDH
DH Key-agreement: same picture!

More generally
Weaker assumptions/model: HK07 PKE (HDDH), Twin ElGamal (DH), Waters IBE (DH)
Stronger assumptions/model: Hybrid ElGamal (Strong DH), BB short signatures (strong q-BDHI), Gentry's IBE, (q-babbxyz)

ElGamal encryption

Security?
Indistinguishability (IND-CPA): Ciphertexts do not reveal any information about plaintext.
Indistinguishability against chosen-ciphertext attacks (IND-CCA): As IND-CPA, but the adversary is allowed to ask arbitrary decryption queries.

Diffie-Hellman Assumptions
$G$ = prime-order group, $g$ = generator
$\mathrm{DH}_g(g^x, g^y) := g^{xy}$
Diffie-Hellman Assumption: Given $g, X, Y$, computing $\mathrm{DH}_g(X, Y)$ is hard
Diffie-Hellman predicate: $\mathrm{DHP}_g(X, Y, Z) := (\mathrm{DH}_g(X, Y) = Z) \in \{0,1\}$

Hybrid ElGamal Encryption
Alice wants to encrypt $M$ to Bob
Bob: PK: $X = g^x$, SK: $x$
Alice: pick random $y$; $Y = g^y$, $K = H(Y, X^y)$, $c = K \cdot M$
Bob: $K = H(Y, Y^x)$, $M = K^{-1} \cdot c$

Security of ElGamal
Assume H is random oracle
Then: Hybrid ElGamal IND-CPA secure Diffie-Hellman assumption
But not IND-CCA secure!

Hybrid ElGamal Encryption
Alice wants to encrypt $M$ to Bob
$H: G \to \{0,1\}^k$ hash function; $(E, D)$ is symmetric cipher (AES)
Bob: PK: $X = g^x$, SK: $x$
Alice: pick random $y$; $Y = g^y$, $K = H(Y, X^y)$, $c = E_K(M)$
Bob: $K = H(Y, Y^x)$, $M = D_K(c)$

Hybrid ElGamal Encryption
pk: $X = g^x$, $H$ (random oracle)
sk: $x$
Encrypt(pk, M): pick random $y$; $Y = g^y$, $K = H(Y, X^y)$, $c = E_K(M)$. Ciphertext is $(Y, c)$
Decrypt(sk, (Y, c)): $K = H(Y, Y^x)$, $M = D_K(c)$
IND-CCA security?

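What a decryption query reveals
$G$ = prime-order group, $g$ = generator
$(Y, Z) \in G^2$: $\mathrm{DHP}_g(X, Y, Z) = ?$
CCA experiment: SK: $x$, PK: $X = g^x$; gives PK $= X$ to the CCA adversary
CCA adversary: pick random $M$, $c := E_{H(Z)}(M)$; query Dec$(Y, c)$
CCA experiment: $K = H(Y^x)$, $M' = D_K(c)$; returns $M'$
CCA adversary: conclude $Y^x = Z \iff M' = M$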

Security under DH?
PK = $(g, X)$
One decryption query reveals $\mathrm{DHP}_g(X, Y, Z)$ for arbitrary tuples $(Y, Z) \in G^2$
No IND-CCA security under DH
Stronger assumption: strong DH assumption
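
Added example (not from the talk): the decryption-query argument above, run on a constructed toy group, to show why a reduction to plain DH cannot answer decryption queries without deciding DHP. The group parameters, SHA-256 as the random oracle H, and the XOR cipher standing in for (E, D) are assumptions of this sketch.

```python
import hashlib
import secrets

# Constructed toy group (far too small for real use):
# the order-Q subgroup of Z_P^* with P = 2Q + 1, generated by G.
P, Q, G = 2039, 1019, 4

def H(Y, Z):
    """Random-oracle stand-in: hash the pair (Y, Z) to a 32-byte key."""
    return hashlib.sha256(f"{Y},{Z}".encode()).digest()

def xor(key, data):
    """Toy symmetric cipher E_K = D_K = XOR with the key (assumption)."""
    return bytes(k ^ d for k, d in zip(key, data))

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)            # (sk, pk) = (x, X = g^x)

def decrypt(x, Y, c):
    """Hybrid ElGamal decryption: K = H(Y, Y^x), M = D_K(c)."""
    return xor(H(Y, pow(Y, x, P)), c)

def dhp_via_decryption(dec_oracle, Y, Z):
    """Decide DHP_g(X, Y, Z) with one decryption query and no secret key."""
    M = secrets.token_bytes(32)
    c = xor(H(Y, Z), M)               # encrypt M under the key derived from Z
    # The oracle recovers M exactly when H(Y, Y^x) == H(Y, Z), i.e. Y^x == Z
    # (up to a hash collision).
    return dec_oracle(Y, c) == M
```
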

Hierarchy of DH assumptions
Diffie-Hellman (DH) Assumption: Given $g, X, Y$, computing $\mathrm{DH}_g(X, Y)$ is hard
Strong Diffie-Hellman (SDH) Assumption: Given $g, X, Y$, computing $\mathrm{DH}_g(X, Y)$ with access to $\mathrm{DHP}_g(X, \cdot, \cdot)$ oracle is hard
(Gap Diffie-Hellman Assumption: $\mathrm{DH}_g(X, Y)$ with access to $\mathrm{DHP}_g(\cdot, \cdot, \cdot)$ oracle is hard)
Assumptions: Strong/Gap DH (strong, un-studied); DLP/DH (weak, well-studied)

Security of Hybrid ElGamal
Assume H is random oracle; (E,D) is CCA secure symmetric cipher
Then: Hybrid ElGamal CCA secure [ABR01] Strong Diffie-Hellman assumption

Twin ElGamal (Cash, K., Shoup 08) Encryption from Diffie-Hellman CRYPTO 2007

Twinning Diffie-Hellman
Twin Diffie-Hellman Assumption (2DH)
Strong 2DH Assumption (interactive)
Theorem: strong is weak: DH Strong 2DH
Applications: Twin ElGamal, Twin Diffie-Hellman Key-exchange, Twin Boneh-Franklin IBE,

Twin Diffie-Hellman Assumption
$2\mathrm{DH}_g(X_1, X_2, Y) := (\mathrm{DH}_g(X_1, Y), \mathrm{DH}_g(X_2, Y))$
Twin Diffie-Hellman Assumption (2DH): Given $X_1, X_2, Y$, computing $2\mathrm{DH}_g(X_1, X_2, Y)$ is hard
$2\mathrm{DHP}_g(X_1, X_2, U, V_1, V_2) := (2\mathrm{DH}_g(X_1, X_2, U) = (V_1, V_2))$
Strong 2DH assumption: Given $X_1, X_2, Y$, computing $2\mathrm{DH}_g(X_1, X_2, Y)$ is hard even given access to $2\mathrm{DHP}_g(X_1, X_2, \cdot, \cdot, \cdot)$ oracle

DH strong 2DH Theorem: DH assumption holds if and only if strong 2DH assumption holds clear :

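Proof: DH strong 2DH
DH adversary: gets $(X_1, Y)$; pick random $r, s$; $X_2 := g^r X_1^s$; gives $(X_1, X_2, Y)$ to strong 2DH adversary
Strong 2DH adversary: queries $(U, V_1, V_2)$, answered by $2\mathrm{DHP}_g(X_1, X_2, U, V_1, V_2) = (U^{x_1} = V_1$ and $U^{x_2} = V_2)$; outputs $(Z_1, Z_2)$
DH adversary: outputs $Z_1 = \mathrm{DH}_g(X_1, Y)$
How to simulate 2DHP queries without knowing secret $x_1 = \log_g(X_1)$, $x_2 = \log_g(X_2)$?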

2DH Oracle Simulation
Correct answer: $2\mathrm{DHP}(X_1, X_2, U, V_1, V_2) = 1 \iff 2\mathrm{DH}_g(X_1, X_2, U) = (V_1, V_2) \iff U^{x_1} = V_1$ and $U^{x_2} = V_2$
Idea: simulated answer: $\mathrm{SIM}(X_1, X_2, U, V_1, V_2) = 1 \iff U^r V_1^s = V_2$
Trapdoor lemma: Conditioned on any fixed $X_2 = g^r X_1^s$: 2DHP = SIM with prob. $1 - 1/|G|$ (over $r, s$).

Proof of Trapdoor Lemma
$2\mathrm{DHP}(X_1, X_2, U, V_1, V_2)$: $U^{x_1} = V_1$ and $U^{x_2} = V_2$
$\mathrm{SIM}(X_1, X_2, U, V_1, V_2)$: $U^r V_1^s = V_2$ where $X_2 := g^r X_1^s$ ($x_2 = r + x_1 s$)
If 2DHP outputs 1: $V_2 = U^{x_2} = U^{r + x_1 s} = U^r V_1^s \Rightarrow$ SIM outputs 1

Proof of Trapdoor Lemma
$2\mathrm{DHP}(X_1, X_2, U, V_1, V_2)$: $U^{x_1} = V_1$ and $U^{x_2} = V_2$
$\mathrm{SIM}(X_1, X_2, U, V_1, V_2)$: $U^r V_1^s = V_2$ where $X_2 := g^r X_1^s$ ($x_2 = r + x_1 s$)
If 2DHP outputs 0, case 1: $U^{x_2} = V_2$ and $U^{x_1} \neq V_1$: $V_2 = U^{x_2} = U^{r + x_1 s} \neq U^r V_1^s \Rightarrow$ SIM outputs 0

Proof of Trapdoor Lemma
$2\mathrm{DHP}(X_1, X_2, U, V_1, V_2)$: $U^{x_1} = V_1$ and $U^{x_2} = V_2$
$\mathrm{SIM}(X_1, X_2, U, V_1, V_2)$: $U^r V_1^s = V_2$ where $X_2 := g^r X_1^s$ ($x_2 = r + x_1 s$)
If 2DHP outputs 0, case 2: $U^{x_2} \neq V_2$: $V_2 = U^r V_1^s \iff (V_2/U^{x_2})^{1/s} = V_1/U^{x_1}$ (with $V_2/U^{x_2} \neq 1$) $\Rightarrow$ SIM outputs 0 with prob. $1 - 1/|G|$

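Proof: DH strong 2DH
DH adversary: gets $(X_1, Y)$; pick random $r, s$; $X_2 := g^r X_1^s$; gives $(X_1, X_2, Y)$ to strong 2DH adversary
Strong 2DH adversary: queries $(U, V_1, V_2)$, answered by $2\mathrm{DHP}_g(X_1, X_2, U, V_1, V_2) := (U^r V_1^s = V_2)$; outputs $(Z_1, Z_2)$
DH adversary: outputs $Z_1 = \mathrm{DH}_g(X_1, Y)$
Trapdoor lemma: simulation almost perfect!
$\mathrm{Adv}_{\mathrm{DH}} \geq \mathrm{Adv}_{\mathrm{S2DH}} - Q/|G|$ ($Q$ = #2DHP adversary queries) q.e.d.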
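
Added example (not from the talk): an exhaustive check of the trapdoor lemma on a constructed 11-element group. For a fixed public pair (X1, X2) it enumerates every (r, s) consistent with X2 = g^r X1^s and every query (U, V1, V2), and counts how often SIM disagrees with the real predicate 2DHP; the group parameters and function names are assumptions of this sketch.

```python
from itertools import product

# Constructed toy group: the order-11 subgroup of Z_23^*, generated by 2.
P, Q, G = 23, 11, 2
ELEMS = [pow(G, i, P) for i in range(Q)]

def dhp2(x1, x2, U, V1, V2):
    """Real predicate 2DHP: needs both secret exponents x1, x2."""
    return pow(U, x1, P) == V1 and pow(U, x2, P) == V2

def sim(r, s, U, V1, V2):
    """Trapdoor test: needs only r, s with X2 = g^r * X1^s."""
    return (pow(U, r, P) * pow(V1, s, P)) % P == V2

def worst_error(x1, x2):
    """Return (max number of disagreeing (r, s) over all queries, number of (r, s)).

    Conditioning on X2 = g^x2 leaves exactly the pairs with r + x1*s = x2 mod Q.
    """
    pairs = [(r, s) for r, s in product(range(Q), repeat=2)
             if (r + x1 * s) % Q == x2]
    worst = 0
    for U, V1, V2 in product(ELEMS, repeat=3):
        truth = dhp2(x1, x2, U, V1, V2)
        bad = sum(sim(r, s, U, V1, V2) != truth for r, s in pairs)
        worst = max(worst, bad)
    return worst, len(pairs)
```

For any query, at most one of the |G| = 11 admissible choices of s makes SIM disagree with 2DHP, which is the 1/|G| error term of the lemma.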

Hybrid ElGamal scheme
Secret key: $x_1, x_2$
Public key: $X_1 = g^{x_1}$, $X_2 = g^{x_2}$, $H$ (r.o.)
Encrypt: $Y = g^y$, $K = H(Y, X_1^y, X_2^y)$, $c = E_K(M)$. Ciphertext is $(Y, c) \in G \times \{0,1\}^{|M|}$
Decrypt: $K = H(Y, Y^{x_1}, Y^{x_2})$, $M = D_K(c)$

Twin Hybrid ElGamal scheme
Secret key: $x_1, x_2$
Public key: $X_1 = g^{x_1}$, $X_2 = g^{x_2}$, $H$ (r.o.)
Encrypt: $Y = g^y$, $K = H(Y, X_1^y, X_2^y)$, $c = E_K(M)$. Ciphertext is $(Y, c) \in G \times \{0,1\}^{|M|}$
Decrypt: $K = H(Y, Y^{x_1}, Y^{x_2})$, $M = D_K(c)$
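
Added example (not from the talk or the authors' code): the Twin Hybrid ElGamal scheme above over a constructed toy group. SHA-512 as the random oracle H, the SHAKE-256 keystream with an HMAC tag standing in for the CCA-secure cipher (E, D), and the subgroup check on Y in decryption are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (far too small for real use):
# the order-Q subgroup of Z_P^* with P = 2Q + 1, generated by G.
P, Q, G = 2039, 1019, 4

def H(Y, Z1, Z2):
    """Random-oracle stand-in: 64 bytes = encryption key || MAC key."""
    return hashlib.sha512(f"{Y},{Z1},{Z2}".encode()).digest()

def keygen():
    x1, x2 = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    return (x1, x2), (pow(G, x1, P), pow(G, x2, P))

def _stream(k, n):
    return hashlib.shake_256(k).digest(n)   # one-time keystream

def encrypt(pk, M):
    X1, X2 = pk
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P)
    K = H(Y, pow(X1, y, P), pow(X2, y, P))  # K = H(Y, X1^y, X2^y)
    body = bytes(a ^ b for a, b in zip(M, _stream(K[:32], len(M))))
    tag = hmac.new(K[32:], body, hashlib.sha256).digest()
    return Y, body + tag                    # ciphertext (Y, c)

def decrypt(sk, Y, c):
    x1, x2 = sk
    # Added check (assumption): reject Y outside the order-Q subgroup.
    if not (1 < Y < P and pow(Y, Q, P) == 1):
        return None
    K = H(Y, pow(Y, x1, P), pow(Y, x2, P))  # K = H(Y, Y^x1, Y^x2)
    body, tag = c[:-32], c[-32:]
    expected = hmac.new(K[32:], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                         # reject modified ciphertexts
    return bytes(a ^ b for a, b in zip(body, _stream(K[:32], len(body))))
```
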

Security of Twin Hybrid ElGamal
Assume H is random oracle; (E,D) is CCA secure symmetric cipher
Then: Twin ElGamal CCA secure same as [ABR01] Strong Twin Diffie-Hellman assumption Diffie-Hellman assumption

Efficiency?

| Scheme | Key Size (pk, sk) | Encrypt | Decrypt | Assumption |
|---|---|---|---|---|
| ElGamal | (1,1) | 2 exp | 1 exp | Strong DH |
| Twin ElGamal | (2,2) | 3 exp | 1 exp | DH |

More applications of twinning.

Twinning Boneh and Franklin
Strong Bilinear DH (BDH) assumption: Boneh-Franklin IBE [BF01] is CCA secure [LQ05]
Theorem: Strong 2BDH assumption BDH
Twin Boneh-Franklin: redundancy-free IBE; CCA security BDH assumption
Also works for Kasahara-Sakai [KS01],

More twinning
Non-interactive key exchange [DH76]
PAKE [AP05, ]
Diffie-Hellman self-corrector [Shoup01]
More generally: Technique to upgrade schemes based on strong DH type assumption to schemes based on DH type assumption

Discussion: ROM
Proofs for (Twin) ElGamal are in ROM
ROM is not sound [CGH98]
OAEP/RSA-FDH provable unprovable [DOP05,B07,KP09, ]
Cramer-Shoup, Security based on Decisional Diffie-Hellman assumption (DDH)
CDH in the ROM vs. DDH in the SM????

Alternatives to CS/KD?
Cash, K., Shoup 08: Standard-model encryption from CDH. Impractical (uses Goldreich-Levin)
Hofheinz, K. 09: Practical standard-model encryption from Factoring
Hofheinz-K. 07: Standard-model encryption from Hashed DDH. DDH Hashed DDH CDH. Relatively practical

Decision DH Assumptions
Decision DH Assumption (DDH): Distinguishing $(X, Y, \mathrm{DH}_g(X, Y))$ from $(X, Y, Z)$ is hard
Hashed Decision DH Assumption (HDDH): $H: G \to \{0,1\}^n$ = hash function. Distinguishing $(X, Y, H(\mathrm{DH}_g(X, Y)))$ from $(X, Y, Z)$ is hard
Remarks: DDH Hashed DDH CDH; if H is a RO: CDH = HDDH

HK 07 encryption
Secret key: $x_1, x_2, w$
Public key: $Z = g^z$, $X_1 = g^{x_1}$, $X_2 = g^{x_2}$
Encrypt: $Y_1 = g^y$, $Y_2 = (X_1^{[Y_1]} X_2)^y$, $K = H(Z^y)$, $c = E_K(M)$. Ciphertext is $(Y_1, Y_2, c)$
Decrypt: Reject if $Y_2 \neq Y_1^{x_1 [Y_1] + x_2}$; $K = H(Y_1^z)$, $M = D_K(c)$
$[Y_1]$ = binary repr. of $Y_1$

Security of HK07
Assume (E,D) is authenticated symmetric encryption
Then: HK07 CCA secure Hashed Diffie-Hellman assumption

Efficiency?

| Scheme | Key Size (pk, sk) | Encrypt | Decrypt | Assumption | Ciphertext overhead |
|---|---|---|---|---|---|
| ElGamal | (1,1) | 2 exp | 1 exp | SDH (RO) | G + mac |
| Twin ElGamal | (2,2) | 3 exp | 1 exp | DH (RO) | G + mac |
| HK07 | (2,2) | 3 exp | 1 exp | HDDH (SM) | 2 G + mac |

Conclusions
Standard ECC system: Hybrid ElGamal (ECIES)
  IND-CCA security: Strong DH assumption (ROM)
Alternative 1: Hybrid Twin ElGamal
  IND-CCA security: DH assumption (ROM)
  Price: one exp. in encryption + one element in PK
Alternative 2: HK 07 encryption
  IND-CCA security: HDDH assumption (standard model), CDH assumption (ROM)
  Price: one more element in ciphertext

Open problems: from strong to weak
Weaker assumptions/model: Twin ElGamal (DH); HK07 PKE (HDDH); Sigs w/o ROM from DLP, CDH, factoring,.?; IBE, HIBE,?
Stronger assumptions/model: Hybrid ElGamal (Strong DH); BB short signatures (strong q-BDHI); Gentry's IBE (q-abbxyz)

Thank you!
Main references
[ABR01]: M. Abdalla, M. Bellare, P. Rogaway: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. CT-RSA 2001.
[CHK07]: D. Cash, E. Kiltz, V. Shoup: The Twin Diffie-Hellman Problem and Applications. EUROCRYPT 2008 & J. of Cryptology 2008.
[HK07]: D. Hofheinz, E. Kiltz: Secure Hybrid Encryption from Weakened Key Encapsulation. CRYPTO 2007.