A Brief History of Provable Security and PKE Alex Dent Information Security Group Royal Holloway, University of London.


1 A Brief History of Provable Security and PKE Alex Dent Information Security Group Royal Holloway, University of London

2 A Provable Timeline
–Late 1970s: First secure schemes
–1980s: Definitions
–1990s: Random oracle model schemes
–Late 1990s: “Double and add” schemes
  –NIZK proof schemes
  –Cramer-Shoup encryption
–2000s: Signatures and identities
–2000s: Extracting the truth

3 Definitions Confidentiality means that an attacker cannot find any information about a plaintext from a ciphertext. Semantic security captures this notion.

4 Definitions IND-CPA is equivalent to semantic security [Goldwasser-Micali, 1984].

5 Definitions
The IND-CPA game:
–The attacker receives pk.
–The attacker chooses two messages m0, m1.
–The challenger picks b ← {0,1}, computes C* = Enc(pk, m_b) and returns C*.
–The attacker outputs a guess b′. Attacker wins if b = b′.
Advantage of an attacker is: | Pr[ b = b′ ] - ½ |

6 Definitions IND-CCA1 security: Allows access to a decryption oracle before the challenge ciphertext is issued [Naor-Yung, 1990].

7 Definitions IND-CCA2 security: Allow access to a decryption oracle before and after the challenge ciphertext is issued. [Rackoff-Simon, 1991]

8 Definitions
The IND-CCA2 game:
–The attacker receives pk.
–Before the challenge, the attacker may submit any ciphertext C and receives m = Dec(sk, C).
–The attacker chooses m0, m1; the challenger picks b ← {0,1}, computes C* = Enc(pk, m_b) and returns C*.
–After the challenge, the attacker may submit any C ≠ C* and receives m = Dec(sk, C).
–The attacker outputs a guess b′.
Advantage of an attacker is: | Pr[ b = b′ ] - ½ |

9 Definitions Why is this such a difficult notion of security to achieve?

10 Definitions
Problem:
–The decryption oracle has to be “consistent”.
–Trivial oracle queries.
Solution:
–Simulated decryption oracle: the attacker receives pk and, for each query C, an answer m from the simulated oracle.
–Simulated ciphertext: for the attacker’s m0, m1 the simulator returns a simulated challenge C*, and the attacker outputs b′.

11 Random Oracle Model The random oracle methodology models hash functions as random functions. [Bellare-Rogaway, 1993] Enables security proofs for very efficient schemes such as ECIES and RSA-OAEP.

12 Random Oracle Model There exist schemes that are secure in the random oracle model, but insecure when used with any hash function. [Canetti-Goldreich-Halevi, 1998]

13 “Double and Add” Schemes A series of schemes prove security by encrypting a message twice with a weak scheme and adding a “checksum”. Principle proposed by Naor and Yung. IND-CCA2 version of the scheme given in [Sahai, 1999]. The “checksum” is a NIZK proof.

14 “Double and Add” Schemes Non-interactive zero-knowledge (NIZK) proof that two ciphertexts encrypt the same message. Public value: σ Message and coins Proof π

15 “Double and Add” Schemes Zero knowledge: it must be possible to choose σ in such a way that there is a trapdoor τ which allows “false” proofs. Public value: σ Message and coins Proof π Private value: τ Any two ciphertexts Proof π

16 “Double and Add” Schemes Simulation sound: it must not be possible to find a false proof (given only σ) even if you have seen one false proof. Public value: σ Message and coins Proof π Private value: τ Any two ciphertexts Proof π

17 “Double and Add” Schemes
Use an IND-CPA scheme (G, E, D). Public key is (pk1, pk2, σ). Private key is sk1.
Encrypt: C1 = E(pk1, m), C2 = E(pk2, m), and π is a NIZK proof (under σ) that C1 and C2 encrypt the same message. The ciphertext is (C1, π, C2).
To decrypt:
–Check proof
–Decrypt C1.

18 “Double and Add” Schemes This scheme is theoretical. The NIZK is impractical (very long output and time-consuming to compute). However, it does show that public key encryption exists as long as trapdoor one-way permutations exist.

19 “Double and Add” Schemes The Cramer-Shoup scheme was the first practical and provably secure scheme. [Cramer-Shoup, 1998]

20 “Double and Add” Schemes
The Cramer-Shoup encryption scheme works on the same principles as Sahai.
Key generation:
–g, g′ ← G
–x1, x2, y1, y2, z ← Z_p
–h ← g^z
–e ← g^x1 · g′^x2
–f ← g^y1 · g′^y2
–pk = (g, g′, h, e, f)
–sk = (x1, x2, y1, y2, z)
Encrypt:
–r ← Z_p
–a ← g^r
–a′ ← g′^r
–c ← h^r · m
–v ← Hash(a, a′, c)
–d ← e^r · f^(rv)
–C = (a, a′, c, d)

21 “Double and Add” Schemes
Start with a version of ElGamal. ElGamal is passively secure under the DDH assumption. Publicly known, random element h ← G.
Key generation:
–z ← Z_p
–g ← h^(1/z)
–pk = g
–sk = z
Encrypt:
–r ← Z_p
–a ← g^r
–c ← h^r · m
–C = (a, c)

22 “Double and Add” Schemes
We need to encrypt twice under independent public keys.
Key generation:
–z, z′ ← Z_p
–g ← h^(1/z)
–g′ ← h^(1/z′)
–pk = (g, g′)
–sk = (z, z′)
Encrypt:
–r, r′ ← Z_p
–a ← g^r
–c ← h^r · m
–a′ ← g′^r′
–c′ ← h^r′ · m
–C = (a, c, a′, c′)

23 “Double and Add” Schemes However, a paper by [Bellare-Boldyreva-Staddon, 2003] says we can reuse the random value r without losing security.

24 “Double and Add” Schemes
However, a paper by [Bellare-Boldyreva-Staddon, 2003] says we can reuse the random value r without losing security.
Key generation:
–z, z′ ← Z_p
–g ← h^(1/z)
–g′ ← h^(1/z′)
–pk = (g, g′)
–sk = (z, z′)
Encrypt:
–r ← Z_p
–a ← g^r
–c ← h^r · m
–a′ ← g′^r
–c′ ← h^r · m
–C = (a, c, a′, c′)

25 “Double and Add” Schemes
However, now c and c′ are the same value, so one of them can be dropped.
Key generation:
–z, z′ ← Z_p
–g ← h^(1/z)
–g′ ← h^(1/z′)
–pk = (g, g′)
–sk = (z, z′)
Encrypt:
–r ← Z_p
–a ← g^r
–c ← h^r · m
–a′ ← g′^r
–C = (a, c, a′)

26 “Double and Add” Schemes
Now, the value z′ is never used and so we can remove it.
Key generation:
–z ← Z_p
–g ← h^(1/z)
–g′ ← G
–pk = (g, g′)
–sk = z
Encrypt:
–r ← Z_p
–a ← g^r
–c ← h^r · m
–a′ ← g′^r
–C = (a, c, a′)

27 “Double and Add” Schemes
And if we just tidy up a bit, then we get… (I’m hiding a few things here!)
Key generation:
–g, g′ ← G
–z ← Z_p
–h ← g^z
–pk = (g, g′, h)
–sk = z
Encrypt:
–r ← Z_p
–a ← g^r
–a′ ← g′^r
–c ← h^r · m
–C = (a, a′, c)

28 “Double and Add” Schemes
However, this is over half the Cramer-Shoup scheme:
Simplified scheme, key generation:
–g, g′ ← G
–z ← Z_p
–h ← g^z
–pk = (g, g′, h)
–sk = z
Cramer-Shoup, key generation:
–g, g′ ← G
–x1, x2, y1, y2, z ← Z_p
–h ← g^z
–e ← g^x1 · g′^x2
–f ← g^y1 · g′^y2
–pk = (g, g′, h, e, f)
–sk = (x1, x2, y1, y2, z)

29 “Double and Add” Schemes
However, this is over half the Cramer-Shoup scheme:
Simplified scheme, encrypt:
–r ← Z_p
–a ← g^r
–a′ ← g′^r
–c ← h^r · m
–C = (a, a′, c)
Cramer-Shoup, encrypt:
–r ← Z_p
–a ← g^r
–a′ ← g′^r
–c ← h^r · m
–v ← Hash(a, a′, c)
–d ← e^r · f^(rv)
–C = (a, a′, c, d)

30 “Double and Add” Schemes
So this fits the Sahai mold, providing d acts like a NIZK. In the proof, it is shown that d can be faked if you know x1, x2, y1, y2. In the proof, it is also shown that if a = g^r and a′ = g′^r′ with r ≠ r′ then the decryption algorithm will reject.
Encrypt:
–r ← Z_p
–a ← g^r
–a′ ← g′^r
–c ← h^r · m
–v ← Hash(a, a′, c)
–d ← e^r · f^(rv)
–C = (a, a′, c, d)
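The ElGamal variant of slide 21 and the Cramer-Shoup scheme of slides 20 and 27–30, implemented side by side as an added example (this is not the author’s code), so that the point of slides 8–10 and 30 can be exercised: the final function hands both decryption routines a related ciphertext C ≠ C* and shows that the plain ElGamal oracle gives the message away while Cramer-Shoup’s d check rejects the query. The group is a constructed toy (quadratic residues modulo a 62-bit safe prime found at import time, so the order the slides call p is Q here), SHA-256 stands in for the unspecified Hash, and the group-membership test in cs_decrypt is one of the details slide 27 says it is hiding. Function names such as cs_encrypt and compare_related_ciphertext are this example’s own.

```python
import hashlib
import secrets

# Constructed toy group: quadratic residues mod a 62-bit safe prime P = 2Q + 1;
# Q is the prime order the slides call p.  62-bit parameters give no security.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # MR bases, exact < 2**64

def is_probable_prime(n):
    """Miller-Rabin primality test (deterministic for n < 2**64)."""
    if n in BASES:
        return True
    if n < 2 or any(n % b == 0 for b in BASES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Smallest q >= 2**(bits-1) with q and 2q+1 both prime (deterministic)."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = safe_prime(62)
Q = (P - 1) // 2

def rand_exp():
    return secrets.randbelow(Q - 1) + 1               # uniform in Z_Q^*

def rand_elem():
    return pow(secrets.randbelow(P - 2) + 2, 2, P)    # random quadratic residue

def hash_to_zq(*elems):
    """Hash(a, a', c) of slide 20: SHA-256 over fixed-width encodings, mod Q."""
    data = b"".join(e.to_bytes(8, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

H = rand_elem()   # the publicly known random h of slide 21

def eg_keygen():
    z = rand_exp()
    return pow(H, pow(z, -1, Q), P), z                # pk = g = h^(1/z), sk = z

def eg_encrypt(g, m):
    r = rand_exp()
    return pow(g, r, P), pow(H, r, P) * m % P         # C = (a, c)

def eg_decrypt(z, ct):
    return ct[1] * pow(pow(ct[0], z, P), -1, P) % P   # a^z = g^(rz) = h^r

def cs_keygen():
    g, g2 = rand_elem(), rand_elem()                  # g2 is the slides' g'
    x1, x2, y1, y2, z = (rand_exp() for _ in range(5))
    e = pow(g, x1, P) * pow(g2, x2, P) % P
    f = pow(g, y1, P) * pow(g2, y2, P) % P
    return (g, g2, pow(g, z, P), e, f), (x1, x2, y1, y2, z)

def cs_encrypt(pk, m):
    g, g2, h, e, f = pk
    r = rand_exp()
    a, a2, c = pow(g, r, P), pow(g2, r, P), pow(h, r, P) * m % P
    v = hash_to_zq(a, a2, c)
    return a, a2, c, pow(e, r, P) * pow(f, r * v % Q, P) % P   # d = e^r f^(rv)

def cs_decrypt(sk, ct):
    """Message, or None when d fails to verify (the rejection of slide 30)."""
    x1, x2, y1, y2, z = sk
    a, a2, c, d = ct
    if not all(0 < x < P and pow(x, Q, P) == 1 for x in ct):  # group membership
        return None
    v = hash_to_zq(a, a2, c)
    # Recomputed d equals e^r f^(rv) only if a and a2 share the exponent r.
    if pow(a, (x1 + v * y1) % Q, P) * pow(a2, (x2 + v * y2) % Q, P) % P != d:
        return None
    return c * pow(pow(a, z, P), -1, P) % P

def compare_related_ciphertext():
    """Slides 8-10: query each oracle on C != C* with c multiplied by a known k.
    ElGamal returns m*k (the oracle leaks m); Cramer-Shoup rejects the query."""
    m, k = rand_elem(), rand_elem()
    g, z = eg_keygen()
    a, c = eg_encrypt(g, m)
    eg_leak = eg_decrypt(z, (a, c * k % P)) * pow(k, -1, P) % P
    pk, sk = cs_keygen()
    a, a2, c, d = cs_encrypt(pk, m)
    return (eg_leak == m,
            cs_decrypt(sk, (a, a2, c, d)) == m,
            cs_decrypt(sk, (a, a2, c * k % P, d)) is None)
```

Calling compare_related_ciphertext() returns (True, True, True): the related-ciphertext query recovers m from the ElGamal oracle, an honest Cramer-Shoup ciphertext decrypts correctly, and the same manipulation applied to a Cramer-Shoup ciphertext is refused because the recomputed d no longer matches. This is exactly why the proof on slide 10 can afford to answer every oracle query: any ciphertext the simulator did not produce is rejected without the secret z ever being needed.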

31 Signatures and Identities It is possible to turn a passively secure identity-based encryption scheme into a secure public-key encryption scheme. [Canetti-Halevi-Katz, 2004]

32 Signatures and Identities It is possible to turn a passively secure identity-based encryption scheme into a secure public-key encryption scheme. [Canetti-Halevi-Katz, 2004] A little odd that it took the development of identity-based encryption before we got new public-key encryption schemes.

33 Extracting the Truth Plaintext awareness is a property of an encryption scheme that says that the only way to create a valid ciphertext is to generate a plaintext and encrypt it. So, if an attacker generates a valid ciphertext, then it must know the underlying message. Hence, a decryption oracle is no help.

34 Extracting the Truth It’s difficult to say what it means for an attacker (computer) to “know” something. The definitions are complex. All known proofs rely on the random oracle model, an unrealistic architecture, or suspect “extractor” assumptions. The subject for another lecture…

35 Extracting the Truth The idea was first given a full formal treatment in [Bellare-Desai-Pointcheval-Rogaway, 1998].

36 Extracting the Truth The idea was first given a full formal treatment in [Bellare-Desai-Pointcheval-Rogaway, 1998]. However, this definition could only be achieved in the random oracle model.

37 Extracting the Truth [Herzog-Liskov-Micali, 2003] gave a new interpretation of the problem, but it needed an unrealistic architecture. The first fully satisfactory definition for plaintext awareness in the standard model was given by [Bellare-Palacio, 2004].

38 Extracting the Truth The Cramer-Shoup scheme was the first to be proven plaintext aware [Dent, 2006]. Cramer-Shoup and Kurosawa-Desmedt “hash proof system” schemes can be shown to be plaintext aware [Birkett-Dent].

39 Where are we now?
[Boneh-Katz, 2005] is a signature-identity scheme similar to the CHK transform.
–Transform efficiency overhead is minimal.
–Still requires a passively secure IBE scheme.
[Hofheinz-Kiltz, 2007] mixes Cramer-Shoup and IBE techniques.
–2.5 exponentiations for encryption
–1.5 exponentiations for decryption

40 Conclusions
None of the approaches really work…
–They use the random oracle model
–Or they intrinsically require two operations
–Or they use weak “extractor” assumptions
A new approach is needed if we’re going to prove the ultra-high-speed schemes secure.
Plenty missing from this presentation.

41 Questions?
