Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary.

Presentation transcript:

Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary

Public Key Encryption (PKE)
– PKE = (KG, Enc, Dec)
– pk; $(pk, sk)$  $KG$
– $C = \mathrm{Enc}(pk, m)$
– $m = \mathrm{Dec}(sk, C)$

Traditional Security Notions (Data Secrecy)
Semantic security
– No function of the message is leaked
– Equivalent to indistinguishability
Non-malleability
– Hard to create ciphertext for related messages
Chosen plaintext attacks (CPA)
Chosen ciphertext attacks (CCA)

Mobile Communication
[Diagram: Mobile User, Base Station, key exchange, pk, Enc(pk, message)]
Eavesdropper wants to learn identity of mobile user

Secure Auction [Sako’00]
First practical auction to hide bid values
Keys correspond to bid values
A known message is encrypted using the key
Hiding a bid value requires hiding the key

[Diagram: (pk, sk); c = Enc(pk, m); Dec(sk’, c) = ]

Other Guarantees
Does the ciphertext hide the key?
– Anonymity
What happens when decrypting using a different key?
– Robustness

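ANON-CCA
– Challenger: $(pk_0, sk_0)$  $KG(1^n)$; $(pk_1, sk_1)$  $KG(1^n)$; $b$  $\{0,1\}$
– Challenger sends $pk_0, pk_1$
– Decryption queries $(c_1, b_1), \ldots, (c_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_1}, c_1), \ldots, \mathrm{Dec}(sk_{b_i}, c_i)$
– Adversary sends $m$ and receives $C = \mathrm{Enc}(pk_b, m)$
– Decryption queries $(c_{i+1}, b_{i+1}), \ldots, (c_q, b_q)$, answered with $\mathrm{Dec}(sk_{b_{i+1}}, c_{i+1}), \ldots, \mathrm{Dec}(sk_{b_q}, c_q)$
– Adversary outputs $b'$
– $\mathrm{Adv}_{\text{anon-cca},\text{PKE}}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible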

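Weak Robustness (WROB-CCA)
– Challenger: $(pk_0, sk_0)$  $KG(1^n)$; $(pk_1, sk_1)$  $KG(1^n)$
– Challenger sends $pk_0, pk_1$
– Decryption queries $(c_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_i}, c_i)$
– Adversary outputs $M$
– Adv wins if $\mathrm{Dec}(sk_1, C) \neq$ , where $C = \mathrm{Enc}(pk_0, M)$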

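Strong Robustness (SROB-CCA)
– Challenger: $(pk_0, sk_0)$  $KG(1^n)$; $(pk_1, sk_1)$  $KG(1^n)$
– Challenger sends $pk_0, pk_1$
– Decryption queries $(c_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_i}, c_i)$
– Adversary outputs $C$
– Adv wins if $\mathrm{Dec}(sk_0, C) \neq$  and $\mathrm{Dec}(sk_1, C) \neq$ 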

What is Known?
Anonymity
– Not always satisfied
– $y = x^e \bmod N$ for random $x$
– $pk_0 = (N_0, e_0)$, $pk_1 = (N_1, e_1)$, $N_1 > N_0$
– If $y > N_0$ return $pk_1$ else return $pk_0$
Robustness
– ElGamal is not robust
– $[pk_0 = (G, p, g, g^x),\ sk_0 = x]$, $[pk_1 = (G, p, g, g^y),\ sk_1 = y]$
– $\mathrm{Enc}(pk_0, m) = (c_1, c_2) = (g^r, m g^{xr})$
– $m' = \mathrm{Dec}(sk_1, (c_1, c_2)) = c_2 / c_1^{y} = m g^{(x-y)r}$
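The two failures listed on this slide, worked through on toy parameters. This is an added example, not code from the talk or the paper; the group (2039, 1019, 4), the RSA keys (3233, 17) and (5183, 17), and all function names are constructed for illustration.

```python
# Toy parameters constructed for this example; far too small for real use.
P, Q, G = 2039, 1019, 4   # safe prime p = 2q + 1; g = 4 has prime order q

def eg_keygen(x):
    """ElGamal key pair for a caller-chosen secret exponent x."""
    return pow(G, x, P), x

def eg_enc(pk, m, r):
    """Enc(pk, m) = (g^r, m * pk^r) with explicit randomness r."""
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def eg_dec(sk, c):
    """Dec(sk, (c1, c2)) = c2 / c1^sk. No validity check: it never rejects."""
    c1, c2 = c
    return (c2 * pow(c1, -sk, P)) % P

def wrong_key_decrypt(m, x, y, r):
    """Encrypt under g^x, decrypt with x and with y, and predict m * g^((x-y)r)."""
    pk0, _ = eg_keygen(x)
    c = eg_enc(pk0, m, r)
    predicted = (m * pow(G, ((x - y) * r) % Q, P)) % P
    return eg_dec(x, c), eg_dec(y, c), predicted

def rsa_key_guess_counts(pk0, pk1):
    """Apply the slide's rule 'y > N0 -> pk1, else pk0' to every x for each key.

    Returns how many ciphertexts are attributed to the right key for
    b = 0 and for b = 1. Requires N1 > N0.
    """
    (n0, e0), (n1, e1) = pk0, pk1
    right0 = sum(1 for x in range(n0) if pow(x, e0, n0) <= n0)
    right1 = sum(1 for x in range(n1) if pow(x, e1, n1) > n0)
    return right0, right1

if __name__ == "__main__":
    print(wrong_key_decrypt(m=16, x=5, y=7, r=3))
    r0, r1 = rsa_key_guess_counts((3233, 17), (5183, 17))
    # Pr[b' = b] for a uniform b: above 1/2 whenever N1 exceeds N0
    print(0.5 * r0 / 3233 + 0.5 * r1 / 5183)
```

Decryption under the wrong ElGamal key returns a group element rather than an error, which is why robustness has to come from an added validity check; the RSA count shows the key is identified correctly about 69% of the time for these moduli.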

What is Known?
Anonymous PKE and IBE
– [Bellare et al. 2001], [Abdalla et al. 2008]
– PKE: DHIES, [Cramer-Shoup’01]
– IBE: [Boneh-Franklin’01], [Boyen-Waters’06]
Robust PKE and IBE
– [Abdalla et al. 2010]
Strongly robust IBE: [Boneh-Franklin’01]
Weakly robust PKE: DHIES, [Cramer-Shoup’01]
Not robust: [Boyen-Waters’06]

Our Contribution
Studying anonymity of hybrid encryption
– Positive and negative results
More efficient transformations for robust encryption schemes
– Please see the paper

Question: Given an “anonymous PKE/IBE” and an “anonymous SKE”, is the hybrid encryption scheme also anonymous?

Anonymity of Hybrid Encryption
ANON-CPA PKE/IBE + IND-CPA SKE
– The hybrid encryption is ANON-CPA
[negative] ANON-CCA PKE/IBE + IND-CCA SKE
– The hybrid encryption is NOT always ANON-CCA
– True if SKE is ANON-CCA or more
[positive] (WROB + ANON)-CCA PKE/IBE + AE SKE
– The hybrid encryption is ANON-CCA
– More evidence that “anonymity” and “robustness” are needed simultaneously

Counter Example (PKE)
Start with (WROB + ANON)-CCA $PKE_1$
– $PKE_1 = (KG_1, \mathrm{Enc}_1, \mathrm{Dec}_1)$
Build $PKE_2 = (KG_2, \mathrm{Enc}_2, \mathrm{Dec}_2)$
– $\mathrm{Dec}_2$: run $\mathrm{Dec}_1$; if it returns  return $0^n$, else return what $\mathrm{Dec}_1$ outputs
$PKE_2$ is still ANON-CCA

Counter Example (SKE)
We use a key-binding IND-CCA SKE
Key-binding SKE = (K, SE, SD)
– For any $k \in K$, randomness $r$, and message $m$
– There is no $k' \neq k$ where $SD_{k'}(SE_k(m, r)) \neq$ 
$PKE_2$ + key-binding SKE
– Not ANON-CCA

Counter Example
– Challenger: $(pk_0, sk_0)$  $KG(1^n)$; $(pk_1, sk_1)$  $KG(1^n)$; $b$  $\{0,1\}$
– Challenger sends $pk_0, pk_1$
– Adversary sends $m$ and receives $(c_1, c_2) = (\mathrm{Enc}_2(pk_b, k), SE(k, m))$
– Decryption query under $pk_0$ for $(c_1, SE(0^n, m'))$
– If the answer is  let $b' = 0$, else $b' = 1$
– Adversary outputs $b'$
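The single decryption query of this counterexample, run end to end as an added example (not the authors' code). Assumptions: the symbol missing from the slides after "if it returns" and "If the answer is" is the rejection output, modelled here as `None`; `enc1`/`dec1` are a constructed hashed-ElGamal stand-in for PKE_1 with a tag that makes wrong-key decryption reject, `se`/`sd` are a constructed encrypt-then-MAC stand-in for the key-binding SKE, and the toy group is not a secure size.

```python
import hashlib, hmac, secrets

P, Q, G = 2039, 1019, 4   # constructed toy group (p = 2q + 1), not a secure size
ZERO = bytes(16)          # the key 0^n that Dec_2 returns when Dec_1 rejects

def H(*parts):
    return hashlib.sha256("|".join(map(str, parts)).encode()).digest()

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def kg(x):
    return pow(G, x, P), x                      # (pk, sk) for secret exponent x

def enc1(pk, k):
    """Stand-in PKE_1: hashed ElGamal plus a tag binding the ciphertext to pk."""
    r = secrets.randbelow(Q - 1) + 1
    s = pow(pk, r, P)
    return pow(G, r, P), xor(k, H("pad", s)), H("tag", pk, s)

def dec1(pk, sk, c):
    u, v, tag = c
    s = pow(u, sk, P)
    if not hmac.compare_digest(tag, H("tag", pk, s)):
        return None                             # rejection (assumed missing symbol)
    return xor(v, H("pad", s))

def dec2(pk, sk, c):
    k = dec1(pk, sk, c)
    return ZERO if k is None else k             # the modification from the slide

def se(k, m):                                   # stand-in key-binding SKE
    ct = xor(m, H("ske", k))
    return ct, hmac.new(k, ct, "sha256").digest()

def sd(k, c):
    ct, t = c
    if not hmac.compare_digest(t, hmac.new(k, ct, "sha256").digest()):
        return None
    return xor(ct, H("ske", k))

def hybrid_dec(pk, sk, c):
    return sd(dec2(pk, sk, c[0]), c[1])

def guess_key(b, x0=11, x1=23):
    """Challenge is under pk_b; one decryption query under pk_0 reveals b."""
    keys = [kg(x0), kg(x1)]
    c1 = enc1(keys[b][0], secrets.token_bytes(16))      # c_1 = Enc_2(pk_b, k)
    answer = hybrid_dec(*keys[0], (c1, se(ZERO, b"probe")))
    return 0 if answer is None else 1
```

Replacing `dec2` with `dec1` in `hybrid_dec` makes the query reject for both values of b, which is the behaviour the positive result relies on.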

Counter Example
Requiring stronger security notions for SKE does NOT help
– If it can be combined with key-binding
What about stronger notions for the PKE?

Positive Result
Claim: If PKE is (ANON + WROB + IND)-CCA and SKE is a (one-time) authenticated encryption, the hybrid construction is (ANON + IND)-CCA

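Game 0
– Challenger: $(pk_0, sk_0)$  $KG(1^n)$; $(pk_1, sk_1)$  $KG(1^n)$; $b$  $\{0,1\}$
– Challenger sends $pk_0, pk_1$
– Decryption queries $(C_1, b_1), \ldots, (C_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_1}, C_1), \ldots, \mathrm{Dec}(sk_{b_i}, C_i)$
– Adversary sends $m$ and receives $c^*_1 = \mathrm{Enc}(pk_b, k^*)$, $c^*_2 = SE(k^*, m)$
– Decryption queries $(C_{i+1}, b_{i+1}), \ldots, (C_q, b_q)$, answered with $\mathrm{Dec}(sk_{b_{i+1}}, C_{i+1}), \ldots, \mathrm{Dec}(sk_{b_q}, C_q)$
– Adversary outputs $b'$
– $\mathrm{Adv}_{\text{anon-cca},\text{PKE}}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible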

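Game 1
– Challenger: $(pk_0, sk_0)$  $KG(1^n)$; $(pk_1, sk_1)$  $KG(1^n)$; $b$  $\{0,1\}$
– Challenger sends $pk_0, pk_1$
– Adversary sends $m$ and receives $c^*_1 = \mathrm{Enc}(pk_b, k^*)$, $c^*_2 = SE(k^*, m)$
– Decryption query $((c^*_1, c_2 \neq c^*_2), b)$, answered with $SD(k^*, c_2)$
– Adversary outputs $b'$
– Difference in games: decryption error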

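Game 2
– Challenger: $(pk_0, sk_0)$  $KG(1^n)$; $(pk_1, sk_1)$  $KG(1^n)$; $b$  $\{0,1\}$
– Challenger sends $pk_0, pk_1$
– Adversary sends $m$ and receives $c^*_1 = \mathrm{Enc}(pk_b, k^*)$, $c^*_2 = SE(k^*, m)$
– Decryption query $((c^*_1, c_2 \neq c^*_2), 1-b)$
– Adversary outputs $b'$
– Difference in games: weak robustness of the PKE, only if $c^*_1$ decrypts under $pk_b$ and $pk_{1-b}$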

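Game 3
– Challenger: $(pk_0, sk_0)$  $KG(1^n)$; $(pk_1, sk_1)$  $KG(1^n)$; $b$  $\{0,1\}$
– Challenger sends $pk_0, pk_1$
– Adversary sends $m$ and receives $c^*_1 = \mathrm{Enc}(pk_b, k^*)$, $c^*_2 = SE(k', m)$
– Adversary outputs $b'$
– Difference in games: IND-CCA security of the PKE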

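Game 4
– Challenger: $(pk_0, sk_0)$  $KG(1^n)$; $(pk_1, sk_1)$  $KG(1^n)$; $b$  $\{0,1\}$
– Challenger sends $pk_0, pk_1$
– Adversary sends $m$ and receives $c^*_1 = \mathrm{Enc}(pk_b, k^*)$, $c^*_2 = SE(k', m)$
– Decryption query $((c^*_1, c_2 \neq c^*_2), \{b \text{ or } 1-b\})$
– Adversary outputs $b'$
– Difference in games: CTXT integrity of the SKE, only if a valid ciphertext under $k'$ is generated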

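Putting Things Together
$\mathrm{Adv}_{\text{anon-cca}}(\text{hybrid}) < \mathrm{Adv}_{\text{wrob-cca}}(\text{PKE}) + \mathrm{Adv}_{\text{ind-cca}}(\text{PKE}) + \mathrm{Adv}_{\text{ctxt-int}}(\text{SKE}) + \mathrm{Adv}_{\text{anon-cca}}(\text{PKE})$
Boneh-Franklin, Cramer-Shoup, DHIES are WROB-CCA
Boyen-Waters IBE is not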

Summary
ANON-CCA PKE + (…) SKE  ANON-CCA hybrid
(WROB + ANON)-CCA PKE + AE SKE  ANON-CCA hybrid
Is weak-robustness a necessary condition?
Is Boyen-Waters (in)secure when used in a hybrid construction?

Thank you

Results on Robustness
[Abdalla et al.’10]
– Transforming ANON-CCA schemes to robust ones
We design more efficient transformations
– Refer to the paper

Identity-based encryption (IBE)
– IBE = (MKG, Enc, Dec)
– $(par, msk)$  $MKG$
– id; $(sk, pk)$  $PKG$
– $C = \mathrm{Enc}_{pk}(m)$
– $m = \mathrm{Dec}_{sk}(C)$

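IND-CCA
– Challenger: $(pk, sk)$  $KG(1^n)$; $b$  $\{0,1\}$
– Decryption queries $c_1, \ldots, c_i$, answered with $\mathrm{Dec}_{sk}(c_1), \ldots, \mathrm{Dec}_{sk}(c_i)$
– Adversary sends $m_0, m_1$ and receives $C = \mathrm{Enc}_{pk}(m_b)$
– Decryption queries $c_{i+1}, \ldots, c_q$, answered with $\mathrm{Dec}_{sk}(c_{i+1}), \ldots, \mathrm{Dec}_{sk}(c_q)$
– Adversary outputs $b'$
– $\mathrm{Adv}_{\text{ind-cca},\text{PKE}}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible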