Presentation is loading. Please wait.

Presentation is loading. Please wait.

Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary."— Presentation transcript:

1 Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary

2 Public Key Encryption (PKE) pk (pk, sk)  KG C = Enc(pk,m) m = Dec(sk,C) PKE = (KG, Enc, Dec) 2

3 Traditional Security Notions (Data Secrecy) Semantic security – No function of the message is leaked – Equivalent to indistinguishability Non-malleability – Hard to create ciphertext for related messages Chosen plaintext attacks (CPA) Chosen ciphertext attacks (CCA)

4 Mobile Communication Mobile User Base Station key exchange eavesdropper wants to learn identity of mobile user Enc(pk, message) pk

5 Secure Auction [Sako’00] First practical auction to hide bid values Keys correspond to bid values A known message is encrypted using the key Hiding a bid value requires hiding the key

6 (pk, sk) c c c = Enc(pk, m) c Dec(sk’, c) =

7 Other Guarantees Does the ciphertext hide the key? – Anonymity What happens when decrypting using a different key? – Robustness

8 ANON-CCA Challenger (pk 0, sk 0 )  KG(1 n ) (pk 1, sk 1 )  KG(1 n ) b  {0,1} pk 0, pk 1 c 1, b 1 Dec(sk b1, c 1 ).... c i, b i Dec(sk bi, c i ) m C=Enc(pk b,m) b’  Adv anon-cca,PKE (A) =|Pr[b’ = b] – ½| is negligible c i+1, b i+1 Dec(sk bi+1, c 1 ).... c q, b q Dec(sk bq, c q )

9 Weak Robustness (WROB-CCA) M (pk 0, sk 0 )  KG(1 n ) (pk 1, sk 1 )  KG(1 n ) pk 0, pk 1 c i, b i Dec(sk bi, c i ).... Challenger Adv wins if Dec(sk 1, C) ≠, where C = Enc(pk 0,M)

10 Strong Robustness (SROB-CCA) C (pk 0, sk 0 )  KG(1 n ) (pk 1, sk 1 )  KG(1 n ) pk 0, pk 1 c i, b i Dec(sk bi, c i ).... Challenger Adv wins if Dec(sk 0,C) ≠ and Dec(pk 1,C) ≠

11 What is Known? Anonymity – Not always satisfied – y = x e mod N for random x – pk 0 = (N 0, e 0 ) pk 1 = (N 1, e 1 ), N 1 > N 0 – If y > N 0 return pk 1 else return pk 0 Robustness – ElGamal is not robust – [pk 0 = (G, p, g, g x ), sk 0 = x], [pk 1 = (G, p, g, g y ), sk 1 = y] – Enc(pk 0, m) = (c 1, c 2 ) = (g r, mg xr ) – m’ = Dec(sk 1, (c 1, c 2 )) = c 2 /c 1 y = mg (x-y)r

12 What is Known? Anonymous PKE and IBE – [Bellare et al. 2001], [Abdalla et al. 2008] – PKE: DHIES, [Cramer-Shoup’01] – IBE: [Boneh-Franklin’01], [Boyen-Waters’06] Robust PKE and IBE – [Abdalla et al. 2010] Strongly robust IBE: [Boneh-Franklin’01] Weakly robust PKE: DHIES, [Cramer-Shoup’01] Not robust: [Boyen-Waters’06]

13 Our Contribution Studying anonymity of hybrid encryption – Positive and negative results More efficient transformations for robust encryption schemes – Please see the paper

14 Question: Given an “anonymous PKE/IBE” and an “anonymous SKE”, is the hybrid encryption scheme also anonymous?

15 Anonymity of Hybrid Encryption ANON-CPA PKE/IBE + IND-CPA SKE – The hybrid encryption is ANON-CPA [negative] ANON-CCA PKE/IBE + IND-CCA SKE – The hybrid encryption is NOT always ANON-CCA – True if SKE is ANON-CCA or more [positive] (WROB + ANON)-CCA PKE/IBE + AE SKE – The hybrid encryption is ANON-CCA – More evidence that “anonymity” and “robustness” are needed simultaneously

16 Counter Example (PKE) Start with (WROB + ANON)-CCA PKE 1 – PKE 1 = (KG 1, Enc 1, Dec 1 ) Build PKE 2 = (KG 2, Enc 2, Dec 2 ) – Dec 2 Run Dec 1, if it returns return 0 n Else return what Dec 1 outputs PKE 2 is still ANON-CCA

17 Counter Example (SKE) We use a key-binding IND-CCA SKE Key-binding SKE = (K, SE, SD) – For any k  K, randomness r, and message m – There is no k’ ≠ k where SD k’ (SE k (m,r)) ≠ PKE 2 + key-binding SKE – Not ANON-CCA

18 Counter Example m (c 1, c 2 ) = (Enc 2 (pk b,k), SE(k,m)) Challenger (pk 0, sk 0 )  KG(1 n ) (pk 1, sk 1 )  KG(1 n ) b  {0,1} Decryption query under pk 0 for (c 1, SE(0 n,m’)) pk 0, pk 1 If the answer is let b’ = 0, else b’ = 1 b’ 

19 Counter Example Requiring stronger security notions for SKE does NOT help – If it can be combined with key-binding What about stronger notions for the PKE?

20 Positive Result Claim: If PKE is (ANON + WROB + IND)-CCA and SKE is a (one-time) authenticated encryption, the hybrid construction is (ANON + IND)-CCA

21 Game 0 Challenger (pk 0, sk 0 )  KG(1 n ) (pk 1, sk 1 )  KG(1 n ) b  {0,1} pk 0, pk 1 C 1, b 1 Dec(sk b1, C 1 ).... C i, b i Dec(sk bi, C i ) m c* 1 = Enc(pk b,k*) c* 2 = SE(k*,m) b’  Adv anon-cca,PKE (A) =|Pr[b’ = b] – ½| is negligible C i+1, b i+1 Dec(sk b1, C 1 ).... C q, b q Dec(sk bq, C q )

22 Game 1 Challenger (pk 0, sk 0 )  KG(1 n ) (pk 1, sk 1 )  KG(1 n ) b  {0,1} pk 0, pk 1 m c* 1 = Enc(pk b, k*) c* 2 = SE(k*, m) b’  (c* 1, c 2 ≠ c* 2 ), b SD(k*, c 2 ) Difference in games: decryption error

23 Game 2 Challenger (pk 0, sk 0 )  KG(1 n ) (pk 1, sk 1 )  KG(1 n ) b  {0,1} pk 0, pk 1 m c* 1 = Enc(pk b,k*) c* 2 = SE(k*,m) b’  (c* 1, c 2 ≠ c* 2 ), 1-b Difference in games: weak robustness of the PKE only if c* 1 decrypts under pk b and pk 1-b

24 Game 3 Challenger (pk 0, sk 0 )  KG(1 n ) (pk 1, sk 1 )  KG(1 n ) b  {0,1} pk 0, pk 1 m c* 1 = Enc(pk b,k*) c* 2 = SE(k’,m) b’  Difference in games: IND-CCA security of the PKE

25 Game 4 Challenger (pk 0, sk 0 )  KG(1 n ) (pk 1, sk 1 )  KG(1 n ) b  {0,1} pk 0, pk 1 m c* 1 = Enc(pk b,k*) c* 2 = SE(k’,m) b’  Difference in games: CTXT integrity of the SKE only if a valid ciphertext under k’ is generated (c* 1, c 2 ≠ c* 2 ), {b or 1-b}

26 Putting Things Together Adv anon-cca (hybrid) < Adv wrob-cca (PKE) + Adv ind-cca (PKE) + Adv ctxt-int (SKE) + Adv anon-cca (PKE) Boneh-Franklin, Cramer-Shoup, DHIES are WROB- CCA Boyen-Waters IBE is not

27 Summary ANON-CCA PKE + (…) SKE  ANON-CCA hybrid (WROB + ANON)-CCA PKE + AE SKE  ANON- CCA hybrid Is weak-robustness a necessary condition? Is Boyen-Waters (in)secure when used in a hybrid construction?

28 Thank you

29 Results on Robustness [Abdalla et al.’10] – Transforming ANON-CCA schemes to robust ones We design more efficient transformations – Refer to the paper

30 Indentity-based encryption (IBE) id (sk,pk)  PKG C = Enc pk (m) m = Dec sk (C) IBE = (MKG, Enc, Dec) 30 (par, msk)  MKG

31 IND-CCA Challenger c1c1 (pk, sk)  KG(1 n ) ; b  {0,1} Dec sk (c 1 ).... cici Dec sk (c i ) m 0, m 1 C=Enc pk (m b ) c i+1 Dec sk (c i+1 ).... cqcq Dec sk (c q ) b’  Adv ind-cca,PKE (A) =|Pr[b’ = b] – ½| is negligible 31

Download ppt "Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary."

Similar presentations

ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013.

Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
Hybrid Signcryption with Insider Security Alexander W. Dent.

Hybrid Signcryption with Insider Security Alexander W. Dent.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.

 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Identity Based Encryption

Identity Based Encryption
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Topics in Cryptography Lecture 4 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.

Topics in Cryptography Lecture 4 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Similar presentations

Ads by Google