A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa, Ibaraki Univ. Yvo Desmedt, UCL and FSU.


1 A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa, Ibaraki Univ. Yvo Desmedt, UCL and FSU

2 Chosen Ciphertext Attack [Diagram: the adversary is given $C = E(m)$ and asks "m ??"; it sends queries $C_i \neq C$ to the decryption oracle and receives $m_i$.] PKE is “IND-CCA”

3 Cramer-Shoup scheme: The 1st practical IND-CCA PKE in the standard model. Based on the Decisional Diffie-Hellman (DDH) assumption (’98). Generalized to projective hash families (’02).

4 Hybrid Encryption: Typically, $E(m) = (\mathrm{PKE}(K), \mathrm{SKE}(K, m))$. If ElGamal, $\mathrm{PKE}(K) = (g^r, K \cdot y^r)$. More efficiently, PKE part = $g^r$ only, with $K = y^r$.

5 Key Encapsulation Mechanism (KEM): The PKE part ($\mathrm{PKE}(K)$ or $g^r$) is formalized as a KEM by Shoup. The CCA-security notion of KEM is also formalized by Shoup.

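6 CCA security of KEM [Diagram: the adversary is given a KEM ($= \mathrm{PKE}(K)$ or $g^r$) and asks "K ??"; it sends queries $\mathrm{KEM}_i \neq \mathrm{KEM}$ to the decryption oracle and receives $K_i$.] KEM is “IND-CCA”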

7 Security of Hybrid Encryption: IND-CCA KEM + IND-CCA SKE → IND-CCA hybrid encryption scheme

8 In the standard model, Shoup showed an IND-CCA KEM (by using the Cramer-Shoup PKE). As a result, his hybrid encryption scheme is IND-CCA under the DDH assumption.

9 Previously, it has been believed that the KEM must be IND-CCA to obtain IND-CCA hybrid encryption schemes.

10 In this paper, we disprove this belief: the KEM does not have to be IND-CCA.

11 Discussion: In IND-CCA hybrid encryption, the Dec. oracle returns a message $m$. In IND-CCA KEM, the Dec. oracle returns a key $K$ of SKE, which reveals more information than $m$. CCA-security of KEM is too demanding.

12 Proposed Hybrid Encryption: More efficient than Shoup’s because KEM ≠ IND-CCA. Nevertheless, it is IND-CCA under the DDH assumption in the standard model.

13 The only (conceptual) cost: SKE must be ε-rejection secure, i.e. $\Pr_K(\text{any fixed string is rejected}) > 1 - \varepsilon$. This property is already satisfied by the SKE which is used in the hybrid construction of Shoup.

14 Proposed scheme Public-key Private-key $x_1, x_2, y_1, y_2$

15 Encryption: $r \leftarrow$ random; $u_1 = g_1^r$, $u_2 = g_2^r$, $\chi = \mathrm{SKE}(K, m)$, where $v = c^r \cdot d^{r\alpha}$ with $\alpha = \mathrm{UOWH}(u_1, u_2)$ and $K = H(v)$. The ciphertext is $(u_1, u_2, \chi)$; $(u_1, u_2)$ is the KEM.

16 Comparison of KEM (scheme: KEM; invalid KEM). Proposed: $(u_1, u_2)$; rejected by SKE. Shoup: $(u_1, u_2, v)$; rejected by $v$. Our KEM ≠ IND-CCA and more efficient. Our $v$ is used to generate $K$ of SKE.

17 Decryption of our scheme: For $C = (u_1, u_2, \chi)$, compute $\alpha = \mathrm{UOWH}(u_1, u_2)$, $K = H(v)$. Decrypt $\chi$ under the key $K$ by SKE. (Invalid $C$ is rejected by ε-rejection security of our SKE.)

18 Theorem: The proposed hybrid encryption scheme is IND-CCA under the DDH assumption in the standard model if SKE is IND-CCA and ε-rejection secure.

19 DDH assumption: Let $G$ be a group of prime order $q$. Then $(g_1, g_2, g_1^r, g_2^r)$ and $(g_1, g_2, g_1^r, g_2^s)$ are indistinguishable, where $r$ and $s$ are random.

20 Assumption on H: If $v$ is uniformly distributed over $G$, then $K = H(v)$ is uniformly distributed over $\{0,1\}^k$, where $k$ is the key-size of SKE. $H(v)$ can be pseudorandom. (Gennaro and Shoup)

21 One-Time SKE: One-Time SKE is enough for hybrid encryption. In the Def. of IND-CCA, A has access to the Dec. oracle only after being given a challenge ciphertext $\chi$.

22 Construction of OT-SKE (Shoup): For a key $K = (K_0, K_1, K_2)$, let $e = \mathrm{PRBG}(K_0) + m$, $\mathrm{tag} = \mathrm{AXUH}(K_1, e) + K_2$. The ciphertext is $\chi = (e, \mathrm{tag})$. This scheme is already ε-rejection secure, $\Pr_K(\chi \text{ is rejected}) > 1 - \varepsilon$, because $K_2$ is random. MAC can be used (Gennaro and Shoup).
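An added sketch (not from the slides or the authors) of the scheme on slides 14 to 17 with a one-time SKE in the spirit of slide 22, showing that an invalid $(u_1, u_2)$ is rejected only by the SKE tag. The definitions $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$ and the decryption-side $v = u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha}$ are taken from the published Kurosawa-Desmedt scheme; the toy group, SHA-256 for UOWH and H, SHAKE-256 as PRBG and HMAC-SHA256 as the MAC are assumptions of this example.

```python
import hashlib, hmac, secrets

# Toy parameters constructed for this example (far too small for real use):
# P = 2^127 - 1 is prime and Q is a prime factor of P - 1, so G1 and G2
# generate the order-Q subgroup of Z_P^*.
P, Q = 2**127 - 1, 77158673929
G1, G2 = pow(3, (P - 1) // Q, P), pow(5, (P - 1) // Q, P)

def _hash(label, *elems):
    # SHA-256 stands in for both UOWH and H (an assumption of this sketch).
    return hashlib.sha256(label + b"".join(x.to_bytes(16, "big") for x in elems)).digest()

def _alpha(u1, u2):
    return int.from_bytes(_hash(b"UOWH", u1, u2), "big") % Q

def _pad(k, n):
    return hashlib.shake_256(k + b"enc").digest(n)        # plays the role of PRBG(K0)

def _tag(k, e):
    return hmac.new(k + b"mac", e, "sha256").digest()     # MAC in place of AXUH

def keygen():
    x1, x2, y1, y2 = (secrets.randbelow(Q) for _ in range(4))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    return (c, d), (x1, x2, y1, y2)

def encrypt(pk, m):
    c, d = pk
    r = 1 + secrets.randbelow(Q - 1)
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    v = pow(c, r, P) * pow(d, r * _alpha(u1, u2) % Q, P) % P   # v = c^r * d^(r*alpha)
    k = _hash(b"H", v)                                         # K = H(v)
    e = bytes(a ^ b for a, b in zip(m, _pad(k, len(m))))
    return u1, u2, e, _tag(k, e)

def decrypt(sk, ct):
    (x1, x2, y1, y2), (u1, u2, e, tag) = sk, ct
    alpha = _alpha(u1, u2)
    # No validity check on (u1, u2): an invalid pair just yields an unrelated K.
    v = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    k = _hash(b"H", v)
    if not hmac.compare_digest(tag, _tag(k, e)):
        return None                                            # rejected by the SKE
    return bytes(a ^ b for a, b in zip(e, _pad(k, len(e))))

def make_invalid(ct):
    # Constructed invalid KEM part: u1 = g1^r is kept, u2 becomes g2^(r+1).
    u1, u2, e, tag = ct
    return u1, u2 * G2 % P, e, tag
```

A production implementation would also use a cryptographically sized group and check that $u_1, u_2$ lie in the order-$q$ subgroup before reducing exponents modulo $q$.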

23 Efficiency: Comparison with Shoup’s hybrid encryption. Ciphertext is 1 group element shorter. Public-key is also 1 group element shorter. Private-key is $|q|$ bits shorter. Encryption/Decryption needs 1 exponentiation fewer, where we assume $H(v)$ is pseudorandom.

24 Generalization: Cramer and Shoup introduced ε-universal$_2$ Projective Universal Hash (PUH) families. We define a variant, strongly universal$_2$ PUH families.

25 Strongly universal$_2$: A private-key $(x_1, x_2, y_1, y_2)$ is randomly chosen in such a way that –The public-key is –The freedom is 4 – 2 = 2 –We consider the above probability space

26 (In)Valid KEM: We say that $(u_1, u_2) = (g_1^r, g_2^r)$ is valid and $(u_1, u_2) = (g_1^r, g_2^s)$ is invalid.

27 Decryption of KEM: For $(u_1, u_2)$, compute $K = H(v)$, with $\alpha = \mathrm{UOWH}(u_1, u_2)$. Consider $F$ such that $F(u_1, u_2) = v$.

28 Requirement on F: If $(u_1, u_2)$ is valid, $v$ is uniquely determined by the pk. If $(u_1, u_2)$ and $(u_1', u_2')$ are both invalid, $v$ and $v'$ are independently random. We say $F$ is strongly universal$_2$. Our $F$ is strongly universal$_2$ since Freedom = 2.

29 Generalized Hybrid Encryption: Our hybrid encryption scheme can be generalized to strongly universal$_2$ PUH families. Concrete schemes can be based on –Quadratic Residuosity assumption –Paillier’s Decision Composite Residuosity assumption

30 Security proof: The adversary is given a challenge ciphertext $(u_1, u_2, \chi(m))$. Replace $(u_1, u_2)$ by invalid $(u_1', u_2')$ and $\chi(m)$ by $\chi' = \mathrm{SKE}(\text{random } K', m)$. $(u_1, u_2, \chi) \sim (u_1', u_2', \chi')$ from the DDH assumption and strongly universal$_2$.

31 Chosen Ciphertext Attack [Diagram: the adversary is given $(u_1', u_2', \chi')$ and asks "m ??"; it sends queries $(u_1, u_2, \chi)_i$ to the decryption oracle and receives $m_i$.]

32 Dec. query $(u_1, u_2, \chi)_i$: (Type 1) Valid. (Type 2) Invalid and $(u_1, u_2)_i = (u_1', u_2')$. (Type 3) Invalid and $(u_1, u_2)_i \neq (u_1', u_2')$.

33 In Type 3 query: $K_i = H(v_i)$ is random because $v'$ and $v_i$ are independently random from strongly universal$_2$. Since $K_i$ is random, $\chi_i$ is rejected by SKE with high probability because our SKE is ε-rejection secure.

34 In Type 2 query: $(u_1, u_2)_i = (u_1', u_2')$. In this case, $\chi_i$ is decrypted by the same $K'$ that is used in the challenge ciphertext $E'$.

35 To summarize: Type 3 query is rejected. Type 2 query is decrypted by $K'$. Type 1 (valid) query is decrypted in the normal way. Consequently, the CCA-attack is reduced to a CCA-attack on SKE as follows.

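36 CCA attack on SKE [Diagram: the adversary is given $\chi' = \mathrm{SKE}(K', m)$ and asks "m ??"; it sends queries $\chi_i = \mathrm{SKE}(K', m_i)$ to the decryption oracle and receives $m_i$.]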

37 Finally: Our SKE is CCA-secure. Our hybrid encryption scheme is CCA-secure. Q.E.D.

38 Summary: KEM does not have to be IND-CCA. Our hybrid encryption scheme is more efficient than Shoup’s. Can be generalized to PUH families. Our schemes are IND-CCA in the standard model.

39 Open problem: Can we formalize a weaker condition on KEM than IND-CCA? It seems impossible because the security of KEM and that of SKE are intertwined (as in our scheme).

