Encryption from the Diffie-Hellman assumption
Eike Kiltz
Elliptic curve public-key crypto: key agreement, signatures, encryption. Diffie-Hellman 76: passive security. ElGamal 84: passive security. Hybrid DH (ECDH), MQV: active security. Hybrid ElGamal (ECIES): active security.
Security of Hybrid ElGamal. Only few people know: breaking Hybrid ElGamal in CCA (active) ⇔ solving the strong Diffie-Hellman problem. Even in the random-oracle model! Problem 1: Strong DH problem? Computational Diffie-Hellman (CDH) given access to a Decisional Diffie-Hellman (DDH) oracle; an interactive assumption (or pairings). Problem 2: Random oracle model?
This talk: encryption from standard Diffie-Hellman assumptions. Twin Hybrid ElGamal encryption: security from the (standard) CDH problem in the ROM; a simple and generic trick. Encryption without ROM (if time): based on Hashed DDH. DH key agreement: same picture!
More generally: HK07 PKE (HDDH); Twin ElGamal (DH); Waters IBE (DH); Hybrid ElGamal (Strong DH); BB short signatures (strong q-BDHI); Gentry's IBE, ... (q-babbxyz). [Axis: weaker ← assumptions/model → stronger]
ElGamal encryption
Security? Indistinguishability (IND-CPA): Ciphertexts do not reveal any information about plaintext. Indistinguishability against chosen-ciphertext attacks (IND-CCA): As IND-CPA, but the adversary is allowed to ask arbitrary decryption queries.
Diffie-Hellman Assumptions. $G$ = prime-order group, $g$ = generator. $\mathrm{DH}_g(g^x, g^y) := g^{xy}$. Diffie-Hellman Assumption: given $g, X, Y$, computing $\mathrm{DH}_g(X, Y)$ is hard. Diffie-Hellman predicate: $\mathrm{DHP}_g(X, Y, Z) := [\mathrm{DH}_g(X, Y) = Z] \in \{0,1\}$.
Hybrid ElGamal Encryption. Alice wants to encrypt $M$ to Bob. Bob: PK: $X = g^x$, SK: $x$. Alice: pick random $y$; $Y = g^y$, $K = H(Y, X^y)$, $c = K \cdot M$. Bob: $K = H(Y, Y^x)$, $M = K^{-1} \cdot c$.
Security of ElGamal. Assume $H$ is a random oracle. Then: Hybrid ElGamal is IND-CPA secure under the Diffie-Hellman assumption. But not IND-CCA secure!
Hybrid ElGamal Encryption. Alice wants to encrypt $M$ to Bob. Bob: PK: $X = g^x$, SK: $x$. $H: G \to \{0,1\}^k$ is a hash function; $(E, D)$ is a symmetric cipher (AES). Alice: pick random $y$; $Y = g^y$, $K = H(Y, X^y)$, $c = E_K(M)$. Bob: $K = H(Y, Y^x)$, $M = D_K(c)$.
Hybrid ElGamal Encryption. IND-CCA security? pk: $X = g^x$, $H$ (random oracle); sk: $x$. Encrypt(pk, M): pick random $y$; $Y = g^y$, $K = H(Y, X^y)$, $c = E_K(M)$. Ciphertext is $(Y, c)$. Decrypt(sk, (Y, c)): $K = H(Y, Y^x)$, $M = D_K(c)$.
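What a decryption query reveals. $G$ = prime-order group, $g$ = generator. Question: for $(Y, Z) \in G^2$, $\mathrm{DHP}_g(X, Y, Z) = ?$ CCA experiment (SK: $x$, PK: $X = g^x$): on a query Dec$(Y, c)$ it computes $K = H(Y^x)$ and returns $M = D_K(c)$. CCA adversary (given PK = $X$): pick a random message, encrypt it as $c := E_{H(Z)}(\cdot)$, query Dec$(Y, c)$, and conclude: $Y^x = Z \iff$ the returned $M$ equals the chosen message.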
Security under DH? PK = $(g, X)$. One decryption query reveals $\mathrm{DHP}_g(X, Y, Z)$ for arbitrary tuples $(Y, Z) \in G^2$. No IND-CCA security under DH. Stronger assumption: strong DH assumption.
Hierarchy of DH assumptions. Diffie-Hellman (DH) Assumption: given $g, X, Y$, computing $\mathrm{DH}_g(X, Y)$ is hard. Strong Diffie-Hellman (SDH) Assumption: given $g, X, Y$, computing $\mathrm{DH}_g(X, Y)$ with access to a $\mathrm{DHP}_g(X, \cdot, \cdot)$ oracle is hard. (Gap Diffie-Hellman Assumption: computing $\mathrm{DH}_g(X, Y)$ with access to a $\mathrm{DHP}_g(\cdot, \cdot, \cdot)$ oracle is hard.) Assumptions: strong = Strong/Gap DH, weak = DLP/DH; well-studied vs. un-studied.
Security of Hybrid ElGamal. Assume $H$ is a random oracle and $(E, D)$ is a CCA-secure symmetric cipher. Then: Hybrid ElGamal is CCA secure under the Strong Diffie-Hellman assumption [ABR01].
Twin ElGamal (Cash, K., Shoup 08). Encryption from Diffie-Hellman. CRYPTO 2007.
Twinning Diffie-Hellman. Twin Diffie-Hellman Assumption (2DH). Strong 2DH Assumption (interactive). Theorem: strong is weak: DH $\iff$ Strong 2DH. Applications: Twin ElGamal, Twin Diffie-Hellman key exchange, Twin Boneh-Franklin IBE, ...
Twin Diffie-Hellman Assumption. $2\mathrm{DH}_g(X_1, X_2, Y) := (\mathrm{DH}_g(X_1, Y), \mathrm{DH}_g(X_2, Y))$. Twin Diffie-Hellman Assumption (2DH): given $X_1, X_2, Y$, computing $2\mathrm{DH}_g(X_1, X_2, Y)$ is hard. $2\mathrm{DHP}_g(X_1, X_2, U, V_1, V_2) := [2\mathrm{DH}_g(X_1, X_2, U) = (V_1, V_2)]$. Strong 2DH assumption: given $X_1, X_2, Y$, computing $2\mathrm{DH}_g(X_1, X_2, Y)$ is hard even given access to a $2\mathrm{DHP}_g(X_1, X_2, \cdot, \cdot, \cdot)$ oracle.
DH $\iff$ strong 2DH. Theorem: the DH assumption holds if and only if the strong 2DH assumption holds. clear :
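Proof: DH $\Rightarrow$ strong 2DH. The DH adversary gets $(X_1, Y)$, picks random $r, s$, sets $X_2 := g^r X_1^s$ and hands $(X_1, X_2, Y)$ to the strong 2DH adversary. That adversary asks queries $(U, V_1, V_2)$, to be answered with $2\mathrm{DHP}_g(X_1, X_2, U, V_1, V_2)$, i.e. whether $U^{x_1} = V_1$ and $U^{x_2} = V_2$, and outputs $(Z_1, Z_2)$; the DH adversary returns $Z_1 = \mathrm{DH}_g(X_1, Y)$. How to simulate 2DHP queries without knowing the secrets $x_1 = \log_g(X_1)$, $x_2 = \log_g(X_2)$?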
2DH Oracle Simulation. Correct answer: $2\mathrm{DHP}(X_1, X_2, U, V_1, V_2) = 1 \iff 2\mathrm{DH}_g(X_1, X_2, U) = (V_1, V_2) \iff U^{x_1} = V_1$ and $U^{x_2} = V_2$. Idea, simulated answer: $\mathrm{SIM}(X_1, X_2, U, V_1, V_2) = 1 \iff U^r V_1^s = V_2$. Trapdoor lemma: conditioned on any fixed $X_2 = g^r X_1^s$: 2DHP = SIM with prob. $1 - 1/|G|$ (over $r, s$).
Proof of Trapdoor Lemma. $2\mathrm{DHP}(X_1, X_2, U, V_1, V_2)$: $U^{x_1} = V_1$ and $U^{x_2} = V_2$. $\mathrm{SIM}(X_1, X_2, U, V_1, V_2)$: $U^r V_1^s = V_2$, where $X_2 := g^r X_1^s$ ($x_2 = r + x_1 s$). If 2DHP outputs 1: $V_2 = U^{x_2} = U^{r + x_1 s} = U^r V_1^s$ $\Rightarrow$ SIM outputs 1.
If 2DHP outputs 0, case 1: $U^{x_2} = V_2$ and $U^{x_1} \neq V_1$. Then $V_2 = U^{x_2} = U^{r + x_1 s} \neq U^r V_1^s$ $\Rightarrow$ SIM outputs 0.
If 2DHP outputs 0, case 2: $U^{x_2} \neq V_2$. Then $V_2 = U^r V_1^s \iff (V_2 / U^{x_2})^{1/s} = V_1 / U^{x_1}$, where $V_2 / U^{x_2} \neq 1$ $\Rightarrow$ SIM outputs 0 with prob. $1 - 1/|G|$.
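Proof: DH $\Rightarrow$ strong 2DH. Trapdoor lemma: simulation almost perfect! $\mathrm{Adv}_{\mathrm{DH}} \geq \mathrm{Adv}_{\mathrm{S2DH}} - Q/|G|$ ($Q$ = # 2DHP adversary queries). q.e.d. Reduction: the DH adversary gets $(X_1, Y)$, picks random $r, s$, sets $X_2 := g^r X_1^s$ and runs the strong 2DH adversary on $(X_1, X_2, Y)$; each query $(U, V_1, V_2)$ is answered with $2\mathrm{DHP}_g(X_1, X_2, U, V_1, V_2) := [U^r V_1^s = V_2]$; from the output $(Z_1, Z_2)$ it returns $Z_1 = \mathrm{DH}_g(X_1, Y)$.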
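The trapdoor test from the lemma above, checked exhaustively in a toy group (an added example, not code from the talk or the paper; the group parameters, sample exponents and function names are constructed for illustration). It enumerates every trapdoor $(r, s)$ consistent with one fixed $X_2$ and counts how often SIM disagrees with the real 2DHP oracle.

```python
# Constructed toy group, far too small for real use: p = 2q + 1 is a safe
# prime and g = 4 generates the subgroup G of prime order q.
P, Q, G = 2039, 1019, 4

def dhp2(x1, x2, U, V1, V2):
    """Real 2DHP oracle: needs the secret exponents x1 and x2."""
    return pow(U, x1, P) == V1 and pow(U, x2, P) == V2

def sim(r, s, U, V1, V2):
    """Trapdoor test: needs only (r, s) with X2 = g^r * X1^s."""
    return pow(U, r, P) * pow(V1, s, P) % P == V2

def disagreements(x1, x2, U, V1, V2):
    """Count the trapdoors (r, s) matching the fixed X2 = g^x2 on which
    SIM answers differently from 2DHP. Each s in Z_q fixes r = x2 - x1*s."""
    X1, X2 = pow(G, x1, P), pow(G, x2, P)
    truth = dhp2(x1, x2, U, V1, V2)
    bad = 0
    for s in range(Q):
        r = (x2 - x1 * s) % Q
        assert pow(G, r, P) * pow(X1, s, P) % P == X2  # same public key
        bad += sim(r, s, U, V1, V2) != truth
    return bad

def demo():
    x1, x2, u = 123, 456, 77               # constructed sample exponents
    U = pow(G, u, P)
    V1, V2 = pow(U, x1, P), pow(U, x2, P)  # the correct 2DH values
    W1, W2 = V1 * G % P, V2 * G % P        # wrong values, still in G
    return {
        "valid": disagreements(x1, x2, U, V1, V2),
        "case 1 (only V1 wrong)": disagreements(x1, x2, U, W1, V2),
        "case 2 (only V2 wrong)": disagreements(x1, x2, U, V1, W2),
        "case 2 (both wrong)": disagreements(x1, x2, U, W1, W2),
    }

if __name__ == "__main__":
    for name, bad in demo().items():
        print(f"{name}: SIM != 2DHP for {bad} of {Q} trapdoors")
```

For every query at most one of the $|G|$ trapdoors gives a wrong answer, which is the $1/|G|$ term of the lemma; in case 1 the single exception is $s = 0$.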
Twin Hybrid ElGamal scheme. Secret key: $x_1, x_2$. Public key: $X_1 = g^{x_1}$, $X_2 = g^{x_2}$, $H$ (r.o.). Encrypt: $Y = g^y$, $K = H(Y, X_1^y, X_2^y)$, $c = E_K(M)$. Ciphertext is $(Y, c) \in G \times \{0,1\}^{|M|}$. Decrypt: $K = H(Y, Y^{x_1}, Y^{x_2})$, $M = D_K(c)$.
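The key-derivation part of the scheme above, as an added example (not code from the talk): both sides compute $K = H(Y, X_1^y, X_2^y)$, and the receiver first checks that $Y$ lies in $G$. The toy group, the SHA-256 stand-in for $H$, its input encoding and the function names are assumptions; $K$ would then key the symmetric cipher $(E, D)$.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1 is a safe
# prime and g = 4 generates the subgroup G of prime order q.
P, Q, G = 2039, 1019, 4

def H(Y, Z1, Z2):
    """Stand-in for the random oracle H: SHA-256 over fixed-width encodings
    (an assumption; the slides do not fix an encoding)."""
    data = b"".join(v.to_bytes(2, "big") for v in (Y, Z1, Z2))
    return hashlib.sha256(data).digest()

def keygen():
    """Return (sk, pk) = ((x1, x2), (X1, X2)) with nonzero exponents."""
    x1 = secrets.randbelow(Q - 1) + 1
    x2 = secrets.randbelow(Q - 1) + 1
    return (x1, x2), (pow(G, x1, P), pow(G, x2, P))

def encaps(pk):
    """Sender: Y = g^y, K = H(Y, X1^y, X2^y); three exponentiations."""
    X1, X2 = pk
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P)
    return Y, H(Y, pow(X1, y, P), pow(X2, y, P))

def decaps(sk, Y):
    """Receiver: K = H(Y, Y^x1, Y^x2), after checking that Y is in G."""
    x1, x2 = sk
    if not (1 < Y < P and pow(Y, Q, P) == 1):
        raise ValueError("Y is not an element of the order-q subgroup")
    return H(Y, pow(Y, x1, P), pow(Y, x2, P))

if __name__ == "__main__":
    sk, pk = keygen()
    Y, K = encaps(pk)
    print("keys agree:", decaps(sk, Y) == K)
```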
Security of Twin Hybrid ElGamal. Assume $H$ is a random oracle and $(E, D)$ is a CCA-secure symmetric cipher. Then: Twin ElGamal is CCA secure under the Strong Twin Diffie-Hellman assumption (same as [ABR01]), which is equivalent to the Diffie-Hellman assumption.
Efficiency?

| Scheme | Key size (pk, sk) | Encrypt | Decrypt | Assumption |
|---|---|---|---|---|
| ElGamal | (1,1) | 2 exp | 1 exp | Strong DH |
| Twin ElGamal | (2,2) | 3 exp | 1 exp | DH |
More applications of twinning.
Twinning Boneh and Franklin. Strong Bilinear DH (BDH) assumption: Boneh-Franklin IBE [BF01] is CCA secure [LQ05]. Theorem: Strong 2BDH assumption $\iff$ BDH. Twin Boneh-Franklin: redundancy-free IBE, CCA security under the BDH assumption. Also works for Kasahara-Sakai [KS01], ...
More twinning. Non-interactive key exchange [DH76]. PAKE [AP05, ...]. Diffie-Hellman self-corrector [Shoup01]. More generally: a technique to upgrade schemes based on a strong DH type assumption to schemes based on a DH type assumption.
Discussion: ROM. Proofs for (Twin) ElGamal are in the ROM. ROM is not sound [CGH98]. OAEP/RSA-FDH: provable unprovable [DOP05, B07, KP09, ...]. Cramer-Shoup, ...: security based on the Decisional Diffie-Hellman assumption (DDH). CDH in the ROM vs. DDH in the SM????
Alternatives to CS/KD? Cash, K., Shoup 08: standard-model encryption from CDH; impractical (uses Goldreich-Levin). Hofheinz, K. 09: practical standard-model encryption from factoring. Hofheinz-K. 07: standard-model encryption from Hashed DDH; DDH $\Rightarrow$ Hashed DDH $\Rightarrow$ CDH; relatively practical.
Decision DH Assumptions. Decision DH Assumption (DDH): distinguishing $(X, Y, \mathrm{DH}_g(X, Y))$ from $(X, Y, Z)$ is hard. Hashed Decision DH Assumption (HDDH): $H: G \to \{0,1\}^n$ = hash function; distinguishing $(X, Y, H(\mathrm{DH}_g(X, Y)))$ from $(X, Y, Z)$ is hard. Remarks: DDH $\Rightarrow$ Hashed DDH $\Rightarrow$ CDH; if $H$ is a RO: CDH = HDDH.
HK 07 encryption. Secret key: $x_1, x_2, w$. Public key: $Z = g^z$, $X_1 = g^{x_1}$, $X_2 = g^{x_2}$. Encrypt: $Y_1 = g^y$, $Y_2 = (X_1^{[Y_1]} X_2)^y$, $K = H(Z^y)$, $c = E_K(M)$. Ciphertext is $(Y_1, Y_2, c)$. Decrypt: reject if $Y_2 \neq Y_1^{x_1 [Y_1] + x_2}$; $K = H(Y_1^z)$, $M = D_K(c)$. $[Y_1]$ = binary repr. of $Y_1$.
Security of HK07. Assume $(E, D)$ is an authenticated symmetric encryption scheme. Then: HK07 is CCA secure under the Hashed Diffie-Hellman assumption.
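Efficiency?

| Scheme | Key size (pk, sk) | Encrypt | Decrypt | Assumption | Ciphertext overhead |
|---|---|---|---|---|---|
| ElGamal | (1,1) | 2 exp | 1 exp | SDH (RO) | $|G|$ + mac |
| Twin ElGamal | (2,2) | 3 exp | 1 exp | DH (RO) | $|G|$ + mac |
| HK07 | (2,2) | 3 exp | 1 exp | HDDH (SM) | $2|G|$ + mac |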
Conclusions. Standard ECC system: Hybrid ElGamal (ECIES); IND-CCA security under the Strong DH assumption (ROM). Alternative 1: Hybrid Twin ElGamal; IND-CCA security under the DH assumption (ROM). Price: one exp. in encryption + one element in PK. Alternative 2: HK 07 encryption; IND-CCA security under the HDDH assumption (standard model) or the CDH assumption (ROM). Price: one more element in ciphertext.
Open problems: from strong to weak. Twin ElGamal (DH); HK07 PKE (HDDH); sigs w/o ROM from DLP, CDH, factoring, ...?; Hybrid ElGamal (Strong DH); BB short signatures (strong q-BDHI); Gentry's IBE (q-abbxyz); IBE, HIBE, ...? [Axis: weaker ← assumptions/model → stronger]
Thank you!
Main references:
[ABR01]: M. Abdalla, M. Bellare, P. Rogaway: The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. CT-RSA 2001.
[CHK07]: D. Cash, E. Kiltz, V. Shoup: The Twin Diffie-Hellman Problem and Applications. EUROCRYPT 2008 & J. of Cryptology 2008.
[HK07]: D. Hofheinz, E. Kiltz: Secure Hybrid Encryption from Weakened Key Encapsulation. CRYPTO 2007.