On the Selective-Opening Security of DHIES

Size: px

Start display at page:

Download "On the Selective-Opening Security of DHIES"

Melina Floyd
5 years ago
Views:

1 On the Selective-Opening Security of DHIES and other practical encryption schemes UbiCrypt Research Retreat, Schloss Raesfeld: 29.& 30. Sep Felix Heuer, Tibor Jager, Eike Kiltz, Sven Schäge Horst Görtz Institute for IT Security Ruhr University Bochum

2 1 Selective-Opening Security 2 DHIES 3 DHIES is SIM-SO-CPA secure 4 Results SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

3 Selective-Opening Attacks c 1 = Enc pk (m 1 ; r 1 ) c 1 sk c 2. c n c 2 = Enc pk (m 2 ; r 2 ). Image source: xkcd.com c n = Enc pk (m n ; r n ) SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

4 Selective-Opening Attacks c 1 = Enc pk (m 1 ; r 1 ) c 1 sk c 2. c n c 2 = Enc pk (m 2 ; r 2 ). Image source: xkcd.com c n = Enc pk (m n ; r n ) SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

5 SIM-SO-CPA security definition real game (pk,sk) $ Gen(1 κ ) (m 1,...,m n) {0,1} l (r 1,...,r n) $ R c i :=Enc pk (m i ;r i ) pk (c 1,...,c n) A choose ribution I:=I {i} Output: (m 1,...,m n,,i,out A ) Open(i) (m i,r i ) out A compute output out A SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

6 SIM-SO-CPA security definition ideal game (pk,sk) $ Gen(1 κ ) (m 1,...,m n) {0,1} l (r 1,...,r n) $ R c i :=Enc pk (m i ;r i ) pk (c 1,...,c n) S choose ribution I:=I {i} Output: (m 1,...,m n,,i,out S ) Open(i) (m i,r i ) out S compute output out S SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

7 SIM-SO-CPA security definition ideal game (pk,sk) $ Gen(1 κ ) (m 1,...,m n) {0,1} l (r 1,...,r n) $ R c i :=Enc pk (m i ;r i ) pk (c 1,...,c n) S choose ribution I:=I {i} Output: (m 1,...,m n,,i,out S ) Open(i) (m i,r i ) out S compute output out S SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

8 SIM-SO-CPA security definition ideal game (pk,sk) $ Gen(1 κ ) (m 1,...,m n) {0,1} l (r 1,...,r n) $ R c i :=Enc pk (m i ;r i ) pk (c 1,...,c n) S choose ribution I:=I {i} Output: (m 1,...,m n,,i,out S ) Open(i) (m i,r i ) out S compute output out S SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

9 SIM-SO-CPA security definition ideal game S (m 1,...,m n) {0,1} l choose ribution I:=I {i} Open(i) m i Output: (m 1,...,m n,,i,out S ) out S compute output out S SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

10 SIM-SO-CPA security definition Definition 1 (SIM-SO-CPA security) Let PKE be a public key encryption scheme. PKE is SIM-SO-CPA secure if for every PPT adversary A there exists a PPT simulator S := S(A) such that the ributions induced by A run in the real game and S run in the ideal game are computationally ininguishable. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

11 DHIES Let g be a generator of a group of size p, {0, 1} l a message space and H : g {0, 1} l a hash function. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

12 DHIES Let g be a generator of a group of size p, {0, 1} l a message space and H : g {0, 1} l a hash function. Gen x $ Z p X := g x pk := (g, p, X, H) sk := x Return pk SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

13 DHIES Let g be a generator of a group of size p, {0, 1} l a message space and H : g {0, 1} l a hash function. Gen x $ Z p X := g x pk := (g, p, X, H) sk := x Return pk Enc pk (m) $ r Z p c 1 := g r c 2 := H(X r ) m Return (c 1, c 2 ) SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

14 DHIES Let g be a generator of a group of size p, {0, 1} l a message space and H : g {0, 1} l a hash function. Gen x $ Z p X := g x pk := (g, p, X, H) sk := x Return pk Enc pk (m) $ r Z p c 1 := g r c 2 := H(X r ) m Return (c 1, c 2 ) Dec sk (c 1, c 2 ) Return H(c 1 x ) c 2 SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

15 DHIES Let g be a generator of a group of size p, {0, 1} l a message space and H : g {0, 1} l a hash function. Gen x $ Z p X := g x pk := (g, p, X, H) sk := x Return pk Enc pk (m) $ r Z p c 1 := g r c 2 := H(X r ) m Return (c 1, c 2 ) Dec sk (c 1, c 2 ) Return H(c 1 x ) c 2 Notice, that we have to provide A oracle access to H. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

16 SIM-SO-CPA security game for DHIES real game (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R (m 1,...,m n) {0,1} l c i :=(g r i,h(x r i ) m i ) I:=I {i} Output: (m 1,...,m n,,i,out A ) pk=(g,p,x) Hash(h) H(h) (c 1,...,c n) Open(i) or Hash(h) (m i,r i ) or H(h) out A A choose ribution compute output out A Notice, that we sample r i in advance. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

17 Theorem 2 The DHIES encryption scheme is SIM-SO-CPA secure in the random oracle model, if the CDH assumption holds. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

18 Theorem 2 The DHIES encryption scheme is SIM-SO-CPA secure in the random oracle model, if the CDH assumption holds. real A ideal S A Usual idea: Proceed in a sequence of games until a simulator can take over and run A on its own. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

19 Theorem 2 The DHIES encryption scheme is SIM-SO-CPA secure in the random oracle model, if the CDH assumption holds. real A ideal S A Our approach: We try to construct a simulator right away to see where we run into pitfalls. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

20 Proof. ideal game S A (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R pk=(g,p,x) Hash(h) m i H(h) {0,1} l m i {0,1} l c i :=(g r i,h(x r (c 1,...,c i n) ) m i ) I:=I {i} Open(i) m i Open(i) or Hash(h) (m i,r i ) or H(h) Output: (m i,,i,out A ) out S out A out A SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

21 Proof. ideal game S A (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R pk=(g,p,x) Hash(h) m i H(h) {0,1} l m i {0,1} l c i :=(g r i,h(x r (c 1,...,c i n) ) m i ) I:=I {i} Open(i) m i Open(i) or Hash(h) (m i,r i ) or H(h) Output: (m i,,i,out A ) out S out A out A Step 1) Make H(X r i ) m i uniformly random. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

22 Proof. Step 1) Make H(X r i ) m i uniformly random. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

23 Proof. Step 1) Make H(X r i ) m i uniformly random. Abort condition (earlyabort) We abort A if A should query some H(X r i ) before sending. Pr[earlyAbort] negl. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

24 Proof. Step 1) Make H(X r i ) m i uniformly random. Abort condition (earlyabort) We abort A if A should query some H(X r i ) before sending. Pr[earlyAbort] negl. Statistical argument suffices. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

25 Proof. ideal game S A (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R pk=(g,p,x) Hash(h) m i H(h) {0,1} l m i {0,1} l c i :=(g r i,h(x r (c 1,...,c i n) ) m i ) I:=I {i} Open(i) m i Open(i) or Hash(h) (m i,r i ) or H(h) Output: (m i,,i,out A ) out S out A out A Step 2) Change encryption SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

26 Proof. ideal game S A (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R pk=(g,p,x) Hash(h) m i H(h) $ {0,1} l $ i {0,1} l c i :=(g r (c 1,...,c i n),$ i ) I:=I {i} Open(i) m i Open(i) or Hash(h) (m i,r i ) or H(h) Output: (m i,,i,out A ) out S out A out A Step 2) Change encryption SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

27 Proof. ideal game S A (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R pk=(g,p,x) Hash(h) m i H(h) $ {0,1} l $ i {0,1} l c i :=(g r (c 1,...,c i n),$ i ) I:=I {i} Open(i) m i Open(i) or Hash(h) (m i,r i ) or H(h) Output: (m i,,i,out A ) out S out A out A Step 3) How to process Hash(X r i ) queries? SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

28 Proof. ideal game S A (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R pk=(g,p,x) Hash(h) m i H(h) $ {0,1} l $ i {0,1} l c i :=(g r (c 1,...,c i n),$ i ) I:=I {i} Open(i) Open(i) or Hash(h) m i H(X r i ):=m i $ i (m i,r i ) or H(h) Output: (m i,,i,out A ) out S out A out A Case 1) A called Open(i) before querying Hash(X r i ). SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

29 Proof. ideal game S A (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R pk=(g,p,x) Hash(h) m i H(h) $ {0,1} l $ i {0,1} l c i :=(g r (c 1,...,c i n),$ i ) I:=I {i} Open(i) m i Open(i) or Hash(h) (m i,r i ) or H(h) Output: (m i,,i,out A ) out S out A out A Case 2) A did not called Open(i) before querying Hash(X r i ). SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

30 Proof. ideal game S A (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R pk=(g,p,x) Hash(h) m i H(h) $ {0,1} l $ i {0,1} l c i :=(g r (c 1,...,c i n),$ i ) I:=I {i} Open(i) m i Open(i) or Hash(h) (m i,r i ) or H(h) Output: (m i,,i,out A ) out S out A out A Case 2) A did not called Open(i) before querying Hash(X r i ). S can neither call Open(i), SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

31 Proof. ideal game S A (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R pk=(g,p,x) Hash(h) m i H(h) $ {0,1} l $ i {0,1} l c i :=(g r (c 1,...,c i n),$ i ) I:=I {i} Open(i) m i Open(i) or Hash(h) (m i,r i ) or H(h) Output: (m i,,i,out A ) out S out A out A Case 2) A did not called Open(i) before querying Hash(X r i ). S can neither call Open(i), nor answer A s query. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

32 Proof. Abort condition (AbortH) We abort A if A calls H(X r i ) and did not call Open(i) before. Pr[AbortH] negl. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

33 Proof. CDH challenger g, p Reduction g, p, U A u, v $ Z p U := g u V := g v U, V c i := (g r i, $ i ) (c 1,...,c n) Open(i)/Hash(h) (m i,r i )/H(h) SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

34 Proof. CDH challenger g, p Reduction g, p, U A u, v $ Z p U := g u V := g v U, V c i := (g r i, $ i ) i $ [n], j $ [q h ] c i := (V, $ i ) (c 1,...,c n) Open(i)/Hash(h) (m i,r i )/H(h) SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

35 Proof. CDH challenger g, p Reduction g, p, U A u, v $ Z p U := g u V := g v U, V c i := (g r i, $ i ) i $ [n], j $ [q h ] c i := (V, $ i ) (c 1,...,c n) Open(i)/Hash(h) U r i Abort on j th query (m i,r i )/H(h) Hash(U r i ) We have to hide our own challenge in the right ciphertext: 1/n SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

36 Proof. CDH challenger g, p Reduction g, p, U A u, v $ Z p U := g u V := g v U, V c i := (g r i, $ i ) i $ [n], j $ [q h ] c i := (V, $ i ) (c 1,...,c n) Open(i)/Hash(h) U r i Abort on j th query (m i,r i )/H(h) Hash(U r i ) We have to hide our own challenge in the right ciphertext: 1/n Have to abort on the right query: 1/q h SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

37 Proof. CDH challenger g, p Reduction g, p, U A u, v $ Z p U := g u V := g v U, V c i := (g r i, $ i ) i $ [n], j $ [q h ] c i := (V, $ i ) (c 1,...,c n) Open(i)/Hash(h) U r i Abort on j th query (m i,r i )/H(h) Hash(U r i ) We have to hide our own challenge in the right ciphertext: 1/n Have to abort on the right query: 1/q h Pr[AbortH] n q h Adv CDH g (B) SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

38 Proof. ideal game S A (pk,sk) $ Gen(1 κ ) (r 1,...,r n) $ R pk=(g,p,x) Hash(h) m i H(h) $ {0,1} l $ i {0,1} l c i :=(g r (c 1,...,c i n),$ i ) I:=I {i} Open(i) Open(i) or Hash(h) m i H(X r i ):=m i $ i (m i,r i ) or H(h) Output: (m i,,i,out A ) out S out A out A SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

39 Results DHIES is SIM-SO-CPA secure in the ROM. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

40 Results DHIES is SIM-SO-CPA secure in the ROM. Actually, DHIES is SIM-SO-CCA secure in the ROM. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

41 Results DHIES is SIM-SO-CPA secure in the ROM. Actually, DHIES is SIM-SO-CCA secure in the ROM. Actually, there is a well known transformation OW-CPA KEM + suf-cma MAC IND-CCA PKE we can proof to achieve SIM-SO-CCA security in the ROM without additional assumptions. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

42 Results DHIES is SIM-SO-CPA secure in the ROM. Actually, DHIES is SIM-SO-CCA secure in the ROM. Actually, there is a well known transformation OW-CPA KEM + suf-cma MAC IND-CCA PKE we can proof to achieve SIM-SO-CCA security in the ROM without additional assumptions. Actually, we (Jager, Schäge) can proof the widely used RSA OAEP to be SIM-SO-CCA secure in the ROM as well. SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

43 Results DHIES is SIM-SO-CPA secure in the ROM. Actually, DHIES is SIM-SO-CCA secure in the ROM. Actually, there is a well known transformation OW-CPA KEM + suf-cma MAC IND-CCA PKE we can proof to achieve SIM-SO-CCA security in the ROM without additional assumptions. Actually, we (Jager, Schäge) can proof the widely used RSA OAEP to be SIM-SO-CCA secure in the ROM as well. SIM-SO-CCA security for free in the ROM Image source: xkcd.com SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

44 Many thanks for your attention! QUESTIONS? SO Security of DHIES Horst Görtz Institute UbiCrypt Research Retreat Schloss Raesfeld: 29.& 30. Sep /16

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of