1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT
2 Security of Public-Key Cryptosystems Target One-wayness (OW) : hard to invert Semantically secure (Indistinguishable) (IND) : No partial information is released Non-malleable (NM ) : for any non-trivial relation R E(M)→E(R(M)) Attacks Passive attacks (Cosen Plaintext Attacks: CPA) Chosen-ciphertext attacks ( Cosen Ciphertex Attacks: CCA ) hard
3 Semantic Security (IND : Indistinguishability) The probability of correctly guessing (b = b ’ ) is negligible Adv b’ m 0, m 1 : randomly selected : guess of
4 Chosen Ciphertext Attack (CCA) CCA1 (Lunch time attack, Naor-Yung 90) C 0 is given to the attacker, after the active attack is completed. CCA2 (Rackoff – Simon 91) C 0 is given to the attacker, before the active attack starts. Ciphertext C 0 Information on Plaintext P 0 C 1, C n P 1, P n Rule: C 0 ≠C 1,,C n () Public-key Attacker Decryption oracle
5 Relationships among Security Definitions (1) Non-malleable (NM) → Semantically secure (IND) i.e., NM-CPA → IND-CPA, NM-CCA2 → IND-CCA2) IND-CCA2 → NM-CCA2 Remark : NM-CPA → IND-CCA1 Conclusion : Strongest security Semantically secure against chosen-ciphertext attack 2 IND-CCA2=NM-CCA2 ←
6 Relationships among Security Definitions (2) One-way (OW) Semantically secure (IND) Non-malleable (NM) Passive attack (CPA) OW-CPAIND-CPANM-CPA Active attack (Chosen- ciphertext attack) (CCA) CCA1OW-CCA1IND-CCA1NM-CCA1 CCA2OW-CCA2IND-CCA2NM-CCA2 Target Attack
7 History of Provably Secure Public-key Encryption DDN (NM-CCA2) BR (Random oracle model) Rabin GM (IND-CPA) DH RSA NY (IND-CCAI) (OW-CPA) Concept of public-key cryptosystem Proposal of various tricks Provable security (Theory) Practical scheme in the standard model CS Practical approach by random oracle model BDPR OAEPRS (IND-CCA2)
8 The plain RSA scheme is not secure in the sense of IND-CCA2 not indistinguishable (IND) deterministic vulnerable against CCA2 random-self-reducibility Adv DO C’ = C ・ R e M’/R C Decryption oracle =Plaintext of C Adv b = 0/1:correctly output m 0, m 1
9 EC-ElGamal Encryption elliptic curve point with order Public-key (E, P, W, ) Secret-key x Encryption plaintext m, bit-wise exclusive-or, (rW) X is the x -coordinate of rW Decryption ciphertext
10 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (1) Malleable Non-trivial relation with m’ =
11 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (2) CCA2 Attack Adv Decryption Oracle
12 How to Construct an Encryption Scheme with the Strongest Security (IND-CCA2) Based on zero-knowledge proofs Dolev-Dwork-Naor (1991) Inefficient Based on truly random function (random oracle model) Bellare-Rogaway : OAEP (1994)..PKCS#1(Ver.2)1998 Fujisaki-Okamoto (1999), Pointcheval (2000) Okamoto-Pointcheval : REACT (2001) Practical (using practical one-way functions in place of random functions) Practical construction without using a random function Cramer-Shoup (1998)
13 Design Strategy of Practical and Provably Secure Public-key Encryption Primitive Encryption Function (Trapdoor Function) Example RSA ElGamal etc Secure Encryption Scheme Semantically Secure against Adaptively Chosen Ciphertext Attacks (IND-CCA2) Conversion Using Hash Functions (Random Functions)
14 Random Oracle Model (Truly Random Model) 0・・・・ ・・・・0 0・・・・ ・・・・1 1・・・・ ・・・・1 01011・・・ ・・・0 10011・・・ ・・・0 011001・・ ・・0 Random oracle Random function H User 1 User 2 x1x1 xkxk H(xk)H(xk) H(x1)H(x1) 2n2n n bits random Input Output ・・・ H (random oracle/ random function) H
15 Conversions for the RSA Encryption Function OAEP (Bellare-Rogaway 1994) OAEP+ (Shoup 2001) SAEP (Boneh 2001) SAEP+ (Boneh 2001) REACT (Okamoto-Pointcheval 2001)
16 OAEP m00…0r G(r)G(r) s H(s)H(s) t ( Example ) RSA-OAEP G H RSA-OAEP : de facto standard format of the RSA encryption ・・・ used in SSL(PKCS#1) and SET one-way permutation
17 Security of OAEP (FOPS 2001) OAEP is IND-CCA2 secure under the partial-domain one-wayness assumption in the random oracle model. RSA-OAEP is IND-CCA2 secure under the RSA assumption in the random oracle model. The reduction efficiency (to the RSA inversion) is less than that of the optimal case.
18 OAEP+ mF(m||r)r G(r)G(r) s H(s)H(s) t ( Example ) RSA-OAEP+ G H one-way permutation
19 RSA-REACT (Hybrid Encryption) (ex)
20 Comparison of the RSA Family SchemesSecurityAssumptionReduction Efficiency Provable Hybrid Usage Number- Theoretic Functio nal RSA-OAEPIND-CCA2RSAROM * No RSA-OAEP+IND-CCA2RSAROM * No RSA-SAEP (low exponent) IND-CCA2 RSA with low exponent ROM * * * No RSA-REACTIND-CCA2RSAROM * * * Yes
21 IND-CCA2 Conversions for (Elliptic Curve) ElGamal Encryption FO-1 FO-2 Pointcheval REACT DHAES / ECIES CS ( ACE) PSEC-KEM ACE-KEM (Fujisaki-Okamoto: PKC 1999) (Fujisaki-Okamoto: Crypto 1999) (Pointcheval 2000) (Okamoto-Pointcheval 2001) (Abdala-Bellare-Rogaway 1999) (Cramer-Shoup 1998) (Shoup + Fujisaki-Okamoto 2001) (Shoup 2001) (Remark: OAEP, OAEP+, SAEP, SAEP+ cannot be applied for Probabilistic Encryption Schemes such as ElGamal
22 FO-1/2 FO-1 FO-2 Check in decryption ? ?
23 FO-2 : Applied to EC-ElGamal … PSEC-2 : plaintext ciphertext (Ex.1) (Ex.2) one-time pad block-cipher
24 Decryption of PSEC-2 Check Yes No null string ?
25 Security of PSEC-2 EC-DH Assumption SymEnc : semantically secure against passive attack g, h : random oracle PSEC-2 is IND-CCA2
26 REACT Check in decryption ?
27 Security of REACT f is Gap-one way G and H are random oracles ( SymE is semantically secure against passive attacks ) AsymE is IND-CCA2
28 A Typical Usage of REACT Session key 暗号 復号 IND-CCA2 is guaranteed in total.
29 Inverting Problems relation x→y s.t. f (x, y)=1 f (x, y)=1 y x
30 R -decision problems ( x,y ) decide whether R ( f, x, y )=1 (Examples) (e,g., decision DH ) (e,g., quadratic residuosity) z is even when z with f (x,z) is uniquely determined. (e,g., lsb of RSA) s.t.
31 Gap problems (R-gap problems) R-decision problem Oracle R-decision problem Oracle or x x y y s.t.
32 Duality of Gap and Decision problems R-gap problem of f is tractable ⇒ inverting problem of f = R-decision problem of f R-decision problem of is tractable ⇒ inverting problem of f = R-gap problem of f (e.g., f : RSA function; ) reducible to each other
33 Relationship among the Assumptions Decisional Assumption Gap- One-way Assumption Gap- One-way Assumption Dual
34 Relationship among the DH Assumptions Decision DH Assumption Gap DH Assumption DH Assumption Dual
35 EC-ElGamal-REACT : PSEC-3 : plaintext ciphertext
36 Decryption of PSEC- 3 Check Yes No null string ?
37 Security of PSEC-3 EC-GapDH ( GDH) Assumption SymEnc : semantically secure against passive attack g, h : random oracle PSEC-3 is IND-CCA2
38 ECIES ’ (modified by Shoup) Encryption r : random Decryption Check ?
39 Security of ECIES ’ Gap-EDH assumption SymEnc : semantically secure against passive attack Mac : secure g : random oracle ECIES’ is IND-CCA2
40 EC-ACE-KEM (1) Public-key Secret-key w, x, y, z Encryption Ciphertext : Shared key :
41 EC-ACE-KEM (2) Decryption check ? ?
42 Security of EC-ACE-KEM (1) EC-DDH h : Universal One-Way Hash Function (UOWHF) EC-ACE is IND-CCA2 (2) EC-DH h : Random Oracle EC-ACE is IND-CCA2
43 PSEC-KEM (revised by Shoup based on PSEC- 2) Encryption Ciphertext (R, v) Decryption
44 Security of PSEC-KEM EC-DH h,g : Random Oracle PSEC-KEM is IND-CCA2
45 Comparison of the EC-ElGamal Family SchemeSecurity AssumptionPerformance Number- Theoretic Functional Enc.Dec. PSEC-2IND-CCA2EC-DHRandom oracle Security of SymE 22 PSEC-3IND-CCA2EC-GDHRandom oracle Security of SymE 21 ECIES ’ IND-CCA2EC-GDHRandom oracle, Security of SymE and Mac 21 EC-ACE-KEM ( + SymE, Mac ) IND-CCA2EC-DDHUniversal One-way Hash, Security of SymE and Mac 53 PSEC-KEM ( + SymE, Mac ) IND-CCA2EC-DHRandom oracle Security of SymE and Mac 22 The above numbers are those of EC-addition operations
46 Conclusion Simple RSA and (EC)ElGamal are not secure against active attacks Several practical(efficient) conversions are proposed to realize the strongest level of security (IND-CCA2) based on any primitive encryption functions such as RSA and (EC) ElGamal.