Circular-Secure Encryption from Decision Diffie-Hellman
Dan Boneh, Shai Halevi, Mike Hamburg, Rafail Ostrovsky
Key Dependent Messages
Message may depend on key
– Encrypted swap
– Encrypted backups
Security in this setting does not follow from semantic security
– Trivial, pathological counterexamples
– Or…
Secure Self-Encryption [BRS'02]
E_k(m) = (r, H(r||k) ⊕ m), where r ← R is chosen at random
Insecure Self-Encryption [HK'07]
Encrypt: r ← R, compute H(r||k)
E'_k(k) = (r, E_r(k))
KDM in practice
Collaboration: party A holds PK_A / SK_A, party B holds PK_B / SK_B
A sends E_{PK_B}(SK_A), B sends E_{PK_A}(SK_B)
Circular Encryption [CL'01]
A user has n credentials signed by CA:
– secret: SK_1, SK_2, …, SK_n
– public and signed by CA: PK_1, PK_2, …, PK_n
(figure: credentials such as a NY driver license, "I am Shai")
User should not "lend" any of his credentials to a friend
Solution [CL'01]: E_{PK_1}[SK_2], E_{PK_2}[SK_3], …, E_{PK_n}[SK_1]
Clique Security
E_{k_i}(k_j) for all i, j
(C,n)-KDM security [BRS'02]
Challenger → Adversary: (PK_1, …, PK_n)
Adversary → Challenger: (F ∈ C, i ∈ {1,…,n})
Challenger → Adversary: E_{PK_i}[F(SK_1,…,SK_n)] or random, depending on the challenge bit b
Adversary outputs a guess b*
Is ElGamal self-referential secure?
Maybe, maybe not
Need (g, g^x, g^r, g^{rx}·x) indistinguishable from random
Requires a funny assumption!
Clique security? Need an even funnier assumption…
Our goal: use a standard assumption (DDH)
Notation
Let G be a group of prime order p
Using additive notation for G: a 1-dim vector space over Z_p
Perform dot products etc. normally:
(x_1, x_2, x_3)·(g_1, g_2, g_3) = x_1 g_1 + x_2 g_2 + x_3 g_3, with g_i ∈ G, x_i ∈ Z_p
aka g_1^{x_1} g_2^{x_2} g_3^{x_3} in multiplicative notation
The Result
n-Clique Secure for any [poly] n
– CPA only
– Bounds independent of n
– More generally, (Affine,n)-Clique Secure
Security rests on DDH
– Standard model
– Weaker assumptions possible, e.g. D-linear
The System
Secret key: s = (s_1, s_2, …, s_ℓ) ∈ {0,1}^ℓ
Public key: g_1, g_2, …, g_ℓ ∈ G and h = 1/(g_1^{s_1} ⋯ g_ℓ^{s_ℓ})
Encrypt: pick r, output (g_1^r, g_2^r, …, g_ℓ^r, h^r·m)
Decrypt: m = (g_1^r)^{s_1} ⋯ (g_ℓ^r)^{s_ℓ} · (h^r·m)
In additive notation: with public key v ∈ G^ℓ and −v·s, the ciphertext is (r v, r(−v·s) + m); decryption computes (r v)·s + r(−v·s) + m = 0 + m = m
Theorem
Breaking (Affine,n)-Clique-Security breaks DDH
Let's prove the self-referential case
Intuition
The "ciphertext vectors" (g,1,1,…,1), (1,g,1,…,1), …, (1,1,1,…,g) always decrypt to the secret key
Easy to generate an "encryption of the secret key"
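As an added worked example (not from the slides or the authors' code), the scheme from "The System" and the fixed "ciphertext vectors" from this slide in Python over a constructed toy group: the order-q subgroup of quadratic residues mod the safe prime p = 2039 (q = 1019, generator 4), far too small for real use. It checks that decryption is correct and that the vector with g in slot i, re-randomized with a fresh encryption of 1 using the scheme's homomorphism, is an encryption of g^{s_i} built from the public key alone.

```python
import secrets

# Constructed toy parameters (far too small for real use): p = 2q+1 is a safe
# prime and G is the order-q subgroup of quadratic residues mod p, generated by 4.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1   # uniform in Z_q \ {0}
def rand_elem():
    return pow(G, rand_exp(), P)          # uniform non-identity element of G

def keygen(ell):
    s = [secrets.randbelow(2) for _ in range(ell)]      # secret key s in {0,1}^ell
    gs = [rand_elem() for _ in range(ell)]              # public g_1..g_ell
    prod = 1
    for g_i, s_i in zip(gs, s):
        prod = prod * pow(g_i, s_i, P) % P
    return s, (gs, pow(prod, P - 2, P))                 # h = 1/(g_1^s_1 ... g_ell^s_ell)

def encrypt(pk, m):
    # Ciphertext (g_1^r, ..., g_ell^r, h^r * m) for a fresh r; m is a group element.
    gs, h = pk
    r = rand_exp()
    return [pow(g_i, r, P) for g_i in gs] + [pow(h, r, P) * m % P]

def decrypt(s, ct):
    # m = (g_1^r)^s_1 ... (g_ell^r)^s_ell * (h^r m): the h^r factor cancels out.
    acc = ct[-1]
    for c_i, s_i in zip(ct[:-1], s):
        acc = acc * pow(c_i, s_i, P) % P
    return acc

def key_bit_ciphertext(ell, i):
    # Fixed vector (1,..,g,..,1 | 1) with g in slot i: decrypts to g^s_i under every key.
    ct = [1] * (ell + 1)
    ct[i] = G
    return ct

def rerandomize(pk, ct):
    # Multiply component-wise by a fresh encryption of 1 (the scheme is homomorphic).
    return [a * b % P for a, b in zip(ct, encrypt(pk, 1))]

def demo(ell=6):
    s, pk = keygen(ell)
    m = rand_elem()
    ok_plain = decrypt(s, encrypt(pk, m)) == m
    # An "encryption of the secret key" built from the public key alone:
    bits = [decrypt(s, rerandomize(pk, key_bit_ciphertext(ell, i))) for i in range(ell)]
    return ok_plain, bits == [pow(G, s_i, P) for s_i in s]
```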
The Proof (sequence of games; each game changes the matrix R used to form the ciphertext)
Game 0: the CPA game
Game 1 (R of rank 1): r·(g_1,…,g_ℓ,h) is replaced by r_1 a_1·(g_1,…,g_ℓ,h) + … + r_t a_t·(g_1,…,g_ℓ,h). Indistinguishable: identical ciphertext distribution
Game 2 (R of rank ℓ−1): indistinguishable by DDH, i.e. [1 a; b ab] vs. [1 a; b c]
Game 3 (R of rank ℓ): i-th row of the identity matrix. Indistinguishable: identical ciphertext distribution
Game 4 (R of rank 1): random subset-sum of columns. Indistinguishable by DDH
Game 5 (R of rank 1): statistically indistinguishable (using LOHL, the leftover hash lemma)
Game 6 (R of rank ℓ): indistinguishable by DDH
Game 7: indistinguishable: identical ciphertext distribution
Follow-up work
Camenisch-Chandran-Shoup 2009: CCA security
– Apply Naor-Yung/Sahai
– For DDH-based scheme, can do it efficiently
Applebaum, Cash, Peikert, Sahai 2009: Circular security from LPN/LWE
Questions?