A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION
|
|
- Anne Lawson
- 6 years ago
- Views:
Transcription
1 A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION Joana Treger ANSSI, France. Session ID: CRYP-W21 Session Classification: Advanced
2 ELGAMAL ENCRYPTION & BASIC CONCEPTS
3 CDH / DDH Computational Diffie-Hellman Assumption : G generator of finite cyclic group G. For all efficient algorithms A : Pr A(Ga, Gb ) = Gab is at most negligible. Decisional Diffie-Hellman Assumption : G generator of finite cyclic group G. For all efficient algorithms A : Pr A(Ga, Gb, C) = 1 is at most negligible. Pr A(Ga, Gb, Gab ) = 1
4 ELGAMAL PUBLIC KEY ENCRYPTION SCHEME [ElGamal84] G is the generator of some finite cyclic group G of prime order p. Encryption [ Decryption ] [ pk : X = Gx r $ Zp* R Gr { Y { R0 MX Output : pk : X = Gx, sk : x r = (Y, R) ] Rx Output : M = Y /R0
5 IND-CPA / IND-CCA2 IND CPA Game b CCA2 Game M0, M1 M0, M1 b IND A? b =b b b A? b = b IND-CCA2 security: strongest security notion. O O
6 SECURITY OF ELGAMAL [TsiounisYung98] ElGamal is IND-CPA under DDH. ElGamal is not IND-CCA2. It is malleable: it s easy to transform a ciphertext into another one that decrypts to a related plaintext. An IND-CCA2 attacker can ask for a decryption to win the game. M0, M1 (Yb, R) A (ZYb, R) Mb Z O
7 HOW TO TWEAK ELGAMAL ENCRYPTION TO REACH IND-CCA2 SECURITY?
8 TWO OPTIONS 1st option: Include hashing [AbdallaBellareRogaway01] Example: DHIES - R is hashed through some random oracle to create a symmetric key used to encrypt the message. k = H(R, R0 ). The resulting scheme is no longer malleable. It requires a symmetric cipher. 2nd option: Add a non interactive proof of knowledge. Example: Schnorr Signed ElGamal (SS-EG) - Add a Schnorr signature as a PoK of r. [Jakobsson98] [TsiounisYung98]
9 PLAINTEXT-AWARENESS [BellareRogaway94] [BelDesaiPointchRog98] ROM-PA for a public-key encryption scheme: C LH, L, P Output: Dec( ) C : efficient ciphertext creator. P: efficient plaintext extractor.
10 PLAINTEXT-AWARENESS & IND-CCA2 SECURITY [BelDesaiPointchRog98] Intuitively The only way to produce a valid ciphertext is to apply the encryption algorithm to a public key and a message, rendering a decryption oracle available to an IND-CCA2 adversary useless. PA & IND-CCA2? ( IND-CPA + PA IND-CCA2
11 LIMITATIONS OF SS-EG So... Adding a Schnorr signature to ElGamal encryption would render the scheme IND-CCA2. However... No proof that SS-EG reaches IND-CCA2 security in the ROM; SS-EG is not plaintext-aware. [SeurinT13]
12 SCHNORR SIGNED ELGAMAL ENCRYPTION Decryption Encryption [ pk : X = Gx ] r, a $ Zp* R Gr, A Y M Xr { c [ Ga H(Y, R, A) s = a + cr Output : = (Y, R, s, c) pk : X = Gx sk : x { R0 A Rx Gs R ] c? c= H(Y, R, A) Output : M = Y /R0
13 SS-EG IS NOT PLAINTEXT AWARE [SeurinT13] Sketch of the proof: Assume it is ROM-PA secure and build a reduction that solves the CDH problem. (X = Gx, R = Gr ) R s, c $ Zp* Y $G A = Gs R c H(Y, R, A) = c L =; LH = ((Y, R, A), c) = (Y, R, s, c) Output: Gxr = Y /M M P pk : X = Gx
14 CPS-EG: A NEW VARIANT OF SIGNED ELGAMAL ENCRYPTION
15 Chaum Pedersen Signed ElGamal Add a CP signature as a PoK of a DL equality : logg(r)=logx(r ). [SeurinT13] CPS-EG - Definition Encryption [ pk : X = Gx Decryption ] r, a $ Zp* R Gr, A Y M Xr { c [ Ga, A0 Xa { R0 c 0 r 0 H(Y, R, R = X, A, A ) s = a + cr Output : pk : X = Gx sk : x = (Y, R, A, s) Rx, A0 ] Ax H(Y, R, R0, A, A0 )? Gs = ARc? Xs = A0 R0c Output : M = Y /R0
16 COMPARISON - EFFICIENCY Scheme pub., sec. key size exponen./ encryption exponen./ decryption ciphertext size ElGamal G, p 2 1 2G SS-EG G, p 3 2 2G+2p TDH-1 G, p 3 (+ 2 online) 3 3G+2p TDH-2 G, 2p 5 3 3G+2p CPS-EG G, p 4 4 3G+p [ShoupGen02]
17 CPS-EG REACHES IND-CCA2 SECURITY LH L = (Y, R, A, s) P Output: M = Y /R0 or?... c1 c2... LH CPS-EG is IND-CPA. CPS-EG is ROM-PA: (Y, R,, A, )? [SeurinT13] (? A = Gs R ci? A0 = X s R 0 Output: (Y, R, R0, A, A0 ) or ; ci
18 CAUTION Caution when relying on Chaum & Pedersen s signature: If one uses the pair (s,c) in the ciphertext instead of (A,s) the scheme does not remain IND-CPA. [Poettering] c = H(Y, R, R0, A, A0 ), R0 = Y /Mb. Part of the ciphertext M0, M1 known to the attacker. The attacker tries both values for R. A0 is deduced from R0, s, c and X : A0 = X s R0 c. It simply needs to test the two hash queries corresponding to the two possible values for R. This defect is avoided when using the pair (A,s). [SeurinT13-Full]
19 CPS-EG IS ANONYMOUS & STRONGLY ROBUST Anonymity [BellareBoldyrevaDesaiPointcheval01] A ciphertext does not reveal the public key under which it was created. CPS-EG is ANON-CCA2 under the DDH. Strong Robustness [AbdallaBellareNeven10] Hard to create a ciphertext that decrypts to a valid plaintext under 2 different secret keys. CPS-EG is SROB-CCA when H is a collisionresistant hash function.
20 COMPARISON - SECURITY Scheme IND-CCA2 under ElGamal (CPA under DDH) SS-EG ~ GGM TDH-1 DDH TDH-2 DDH CPS-EG DDH ANON+SROB
21 TO SUM UP New variant of signed ElGamal encryption : CPS-EG IND-CCA2-secure (plaintext-aware) under DDH assumption; Reaches CCA2-anonymity and strong robustness. There exists a hybrid version of CPS-EG. Full (and revised) version of this paper: Eprint #2012/649. [SeurinT13-Full]
22 THANKS
23 ADDITIONAL SLIDES
24 ELGAMAL
25 ELGAMAL: IND-CPA UNDER DDH Sketch of the proof: [TsiounisYung98] Reduction solving the DDH prob. from an IND-CPA attacker. (X = Gx, R = Gr, R0 ) pk R b $ X {0, 1} Output: b == b M0, M1 (Mb R0, R) b A
26 DHIES
27 1ST OPTION: HASHED VARIANT Example: DHIES [AbdallaBellareRogaway01] Encryption [ Decryption ] pk : X = Gx r $ Zp R Gr, R0 = X r { [ pk : X = Gx sk : x 0 k = H(R, R ) Output : = (R, c = Ek (M )) { ] R0 Rx k = H(R, R0 ) Output : M = Dk (c) The resulting scheme is no longer malleable. It requires a symmetric cipher.
28 SECURITY OF DHIES Strong Diffie-Hellman Assumption It is hard to compute DH(Y,X), even when additional access to a decision oracle is given, which on input (Z,T) returns 1 if DH(X,Z)=T and 0 otherwise.
29 LEMMA
30 CPS-EG - USEFUL LEMMA Fix X = Gx, x 2 Fp. Let R = Gr, R0, A = Ga, A0 2 G be four group elements such that r, a 6= 0 mod p, and R0 6= Rx or A0 6= Ax. Then there is at most one integer c 2 Zp such that there exists s 2 Zp satisfying both Gs = ARc and X s = A0 R0c.
31 NO PROOF OF IND-CCA2 SECURITY FOR SS-EG
32 SCHNORR SIGNATURES & FORKING LEMMA Schnorr signatures are not online-extractable Suppose there exists a forger and build a reduction that solves the DL problem. The reduction has to rewind the forger to obtain two signatures of the same message under the same public key. s R=G Y c s0 =G Y s s0 dlog(y ) = c c0 c0
33 NO PROOF THAT SS-EG IS IND-CCA2 IND-CCA2 security & SS-EG Schnorr signatures are not online-extractable. Setting: We consider a(ny) reduction that would use an IND-CCA2 adversary. The reduction has to answer hash queries and decryption queries. Possible for the adversary to construct a list of specific ciphertexts and hash queries, where one ciphert./h. query is obtained from the previous ones. If the attacker then sends its list of queries to the reduction, in the exact reverse order, then the reduction has to rewind the forger exponentially.
34 ROBUSTNESS AND ANONYMITY
35 WEAK ROBUSTNESS AND STRONG ROBUSTNESS Strong and Weak Robustness [AbdallaBellareNeven10] Definition [Weak robustness]: Hard to create a ciphertext that decrypts under 2 different secret keys. Definition [Strong Robustness]: Hard to produce a plaintext that, once encrypted under some public key, decrypts to a valid plaintext under another secret key. Robustness can always be achieved How? Append public key of the receiver to the ciphertext.
36 ROBUSTNESS COMBINED WITH ANONYMITY Robustness: Definition [Robustness]: Hard to create a ciphertext that decrypts under 2 different secret keys. Anonymity: Definition [Anonymity]: A ciphertext does not reveal the public key under which it was created. Anonymity + Robustness: Help make encryption more resistant to misuse. Ex. Anonymously send a ciphertext to a particular target of a larger group. Who s the target? Solution: Robustness. First solution for robustness not ok.
37 HYBRID VARIANT HCPS-EG
38 HYBRID VERSION
39 PROPERTIES OF HCPS-EG IND-CCA2 secure in the ROM under CDH. Using the weakest form of security for the data encapsulation mechanism (DEM): ciphertext indistinguishability under one-time attacks (IND-OT). Example: With AES in counter mode. Anonymous against CCA2-attacks under CDH. Strongly robust.
40 Efficient Public Key Cryptosystem Resilient to Key Leakage Chosen Ciphertext Attacks Shengli Liu 1, Jian Weng 2 and Yunlei Zhao 3 1 Shanghai Jiao Tong University (slliu@sjtu.edu.cn) 2 Jinan University(cryptjweng@gmail.com) 3 Fudan University(ylzhao@fudan.edu.cn) Liu, Weng and Zhao Efficient KL-CS-PKE Slide 1 of 40
41 Introduction and Motivation Liu, Weng and Zhao Efficient KL-CS-PKE Slide 2 of 40
42 Introduction to leakage-resilient PKE IND-CCA2 security assumes that the secret key sk is totally randomly distributed, i.e., Entropy(sk) = sk. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 3 of 40
43 Introduction to leakage-resilient PKE IND-CCA2 security assumes that the secret key sk is totally randomly distributed, i.e., Entropy(sk) = sk. Side-channel attack, i.e., memory attacks, may leak information about the secret key sk, i.e., Entropy(sk) sk. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 3 of 40
44 Introduction to leakage-resilient PKE IND-CCA2 security assumes that the secret key sk is totally randomly distributed, i.e., Entropy(sk) = sk. Side-channel attack, i.e., memory attacks, may leak information about the secret key sk, i.e., Entropy(sk) sk. Leakage-resilient public key encryption (PKE) schemes are designed to resist key leakage. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 3 of 40
45 Introduction to leakage-resilient PKE IND-CCA2 security assumes that the secret key sk is totally randomly distributed, i.e., Entropy(sk) = sk. Side-channel attack, i.e., memory attacks, may leak information about the secret key sk, i.e., Entropy(sk) sk. Leakage-resilient public key encryption (PKE) schemes are designed to resist key leakage. We will consider IND-CCA2 security in bounded key-leakage model, where the total amount of leaked information about the key is bounded by some parameter λ (bits). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 3 of 40
46 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40
47 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40
48 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. For chosen-ciphertext key leakage attacks (IND-KL-CCA2), Naorand Segev [NS09] proved that Noar-Yung s double encryption paradigm works as well. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40
49 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. For chosen-ciphertext key leakage attacks (IND-KL-CCA2), Naorand Segev [NS09] proved that Noar-Yung s double encryption paradigm works as well. IND-KL-CPA secure PKE1 + IND-KL-CPA secure PKE2 + NIZK Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40
50 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. For chosen-ciphertext key leakage attacks (IND-KL-CCA2), Naorand Segev [NS09] proved that Noar-Yung s double encryption paradigm works as well. IND-KL-CPA secure PKE1 + IND-KL-CPA secure PKE2 + NIZK Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40
51 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. For chosen-ciphertext key leakage attacks (IND-KL-CCA2), Naorand Segev [NS09] proved that Noar-Yung s double encryption paradigm works as well. IND-KL-CPA secure PKE1 + IND-KL-CPA secure PKE2 + NIZK IND-KL-CCA2 secure PKE Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40
52 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. For chosen-ciphertext key leakage attacks (IND-KL-CCA2), Naorand Segev [NS09] proved that Noar-Yung s double encryption paradigm works as well. IND-KL-CPA secure PKE1 + IND-KL-CPA secure PKE2 + NIZK IND-KL-CCA2 secure PKE The key leakage λ is also up to L(1 o(1)). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40
53 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40
54 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. They proposed a new concept of true-simulation extractable NIZK arguments, and gave a construction of IND-KL-CCA2-secure PKE from an IND-KL-CPA secure one together with a strong f -true-simulation extractable NIZK argument. The key leakage λ is also up to L(1 o(1)). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40
55 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. They proposed a new concept of true-simulation extractable NIZK arguments, and gave a construction of IND-KL-CCA2-secure PKE from an IND-KL-CPA secure one together with a strong f -true-simulation extractable NIZK argument. The key leakage λ is also up to L(1 o(1)). IND-KL-CPA secure PKE + strong f -true-simulation extractable NIZK Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40
56 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. They proposed a new concept of true-simulation extractable NIZK arguments, and gave a construction of IND-KL-CCA2-secure PKE from an IND-KL-CPA secure one together with a strong f -true-simulation extractable NIZK argument. The key leakage λ is also up to L(1 o(1)). IND-KL-CPA secure PKE + strong f -true-simulation extractable NIZK Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40
57 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. They proposed a new concept of true-simulation extractable NIZK arguments, and gave a construction of IND-KL-CCA2-secure PKE from an IND-KL-CPA secure one together with a strong f -true-simulation extractable NIZK argument. The key leakage λ is also up to L(1 o(1)). IND-KL-CPA secure PKE + strong f -true-simulation extractable NIZK IND-KL-CCA2 secure PKE Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40
58 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. They proposed a new concept of true-simulation extractable NIZK arguments, and gave a construction of IND-KL-CCA2-secure PKE from an IND-KL-CPA secure one together with a strong f -true-simulation extractable NIZK argument. The key leakage λ is also up to L(1 o(1)). IND-KL-CPA secure PKE + strong f -true-simulation extractable NIZK IND-KL-CCA2 secure PKE The key leakage λ is also up to L(1 o(1)). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40
59 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40
60 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. x 1, x 2, y 1, y 2 }{{} c }{{} d z 1, z 2 }{{} h Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40
61 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. x 1, x 2, y 1, y 2 }{{} c }{{} d z 1, z }{{} 2 h Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40
62 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. x 1, x 2, y 1, y 2 }{{} c }{{} d consistence check z 1, z }{{} 2 h one-time key Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40
63 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. x 1, x 2, y 1, y 2 }{{} c }{{} d consistence check z 1, z }{{} 2 h one-time key Encryption u 1 = g r 1, u 2 = g r 2, r Z q, s {0, 1} t ; e = M Ext(h r, s); Decryption α = T(u 1, u 2, e, s); If v u x 1+y 1 α 1 u x 2+y 2 α 2, output ; α = T(u 1, u 2, e, s); v = c r d rα ; otherwise M = e Ext(u z 1 1 u z 2 2, s); Output (u 1, u 2, s, e, v). Output M. Figure: The KL-CS-PKE Scheme by Naor-Segev. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40
64 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. x 1, x 2, y 1, y 2 }{{} c }{{} d consistence check z 1, z }{{} 2 h one-time key Encryption u 1 = g r 1, u 2 = g r 2, r Z q, s {0, 1} t ; e = M Ext(h r, s); Decryption α = T(u 1, u 2, e, s); If v u x 1+y 1 α 1 u x 2+y 2 α 2, output ; α = T(u 1, u 2, e, s); v = c r d rα ; otherwise M = e Ext(u z 1 1 u z 2 2, s); Output (u 1, u 2, s, e, v). Output M. Figure: The KL-CS-PKE Scheme by Naor-Segev. It uses extractors to deal with key leakage. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40
65 Liu, Weng and Zhao Efficient KL-CS-PKE Slide 7 of 40
66 Undesirable dependency between λ and m: λ + m log 2 q ω(log κ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 7 of 40
67 Undesirable dependency between λ and m: λ + m log 2 q ω(log κ). m is the bit length of plaintext; Liu, Weng and Zhao Efficient KL-CS-PKE Slide 7 of 40
68 Undesirable dependency between λ and m: λ + m log 2 q ω(log κ). m is the bit length of plaintext; q is the order of the group that CS is based. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 7 of 40
69 Undesirable dependency between λ and m: λ + m log 2 q ω(log κ). m is the bit length of plaintext; q is the order of the group that CS is based. Naor and Segev noted this and called for further refinement. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 7 of 40
70 Our contributions Liu, Weng and Zhao Efficient KL-CS-PKE Slide 8 of 40
71 Our contributions As a response to the calling-for of Naor and Segev [NS09], this work answers the open question proposed in [NS09], and follows a new technical line. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 8 of 40
72 Our contributions As a response to the calling-for of Naor and Segev [NS09], this work answers the open question proposed in [NS09], and follows a new technical line. Our proposal is almost efficient as the CS-PKE, and we show it is λ log q ω(log κ) leakage resilient. In addition, it has the following two advantages: Liu, Weng and Zhao Efficient KL-CS-PKE Slide 8 of 40
73 Our contributions As a response to the calling-for of Naor and Segev [NS09], this work answers the open question proposed in [NS09], and follows a new technical line. Our proposal is almost efficient as the CS-PKE, and we show it is λ log q ω(log κ) leakage resilient. In addition, it has the following two advantages: The plaintext space is the group G, enjoying a constant size q. It is independent of the leakage parameter λ. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 8 of 40
74 Our contributions As a response to the calling-for of Naor and Segev [NS09], this work answers the open question proposed in [NS09], and follows a new technical line. Our proposal is almost efficient as the CS-PKE, and we show it is λ log q ω(log κ) leakage resilient. In addition, it has the following two advantages: The plaintext space is the group G, enjoying a constant size q. It is independent of the leakage parameter λ. The security reduction is tighter than that of KL-CS-PKE [NS09]. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 8 of 40
75 Preliminaries Liu, Weng and Zhao Efficient KL-CS-PKE Slide 9 of 40
76 Statistical Distance, Min-Entropy, and Leftover Hash Lemma Definition Let X be a random variable, which takes value from a finite set X. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 10 of 40
77 Statistical Distance, Min-Entropy, and Leftover Hash Lemma Definition Let X be a random variable, which takes value from a finite set X. The guessing probability of X is defined as P g (X) = max x X Pr[X = x]. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 10 of 40
78 Statistical Distance, Min-Entropy, and Leftover Hash Lemma Definition Let X be a random variable, which takes value from a finite set X. The guessing probability of X is defined as P g (X) = max x X Pr[X = x]. The min entropy of X is defined as H (X) := log P g (X). The average min-entropy of X given Y is defined as the logarithm of the average guessing probability of X given Y, i.e., ( ) H (X Y ) := log E y Y [2 H (X Y =y) ]. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 10 of 40
79 Statistical Distance, Min-Entropy, and Leftover Hash Lemma Definition Let X be a random variable, which takes value from a finite set X. The guessing probability of X is defined as P g (X) = max x X Pr[X = x]. The min entropy of X is defined as H (X) := log P g (X). The average min-entropy of X given Y is defined as the logarithm of the average guessing probability of X given Y, i.e., ( ) H (X Y ) := log E y Y [2 H (X Y =y) ]. The statistic distance of two distributions of variable X and Y is defined as SD(X, Y ) = 1 Pr[X = a] Pr[Y = a]. 2 a X Liu, Weng and Zhao Efficient KL-CS-PKE Slide 10 of 40
80 Statistical Distance, Min-Entropy, and Leftover Hash Lemma Definition Let X be a random variable, which takes value from a finite set X. The guessing probability of X is defined as P g (X) = max x X Pr[X = x]. The min entropy of X is defined as H (X) := log P g (X). The average min-entropy of X given Y is defined as the logarithm of the average guessing probability of X given Y, i.e., ( ) H (X Y ) := log E y Y [2 H (X Y =y) ]. The statistic distance of two distributions of variable X and Y is defined as SD(X, Y ) = 1 Pr[X = a] Pr[Y = a]. 2 a X Liu, Weng and Zhao Efficient KL-CS-PKE Slide 10 of 40
81 Universal Hash and Examples Definition (Universal hash functions) A family of functions {H k : X Y, k K} is universal if for all x 1 x 2 with x 1, x 2 X. Pr k K [H k (x 1 ) = H k (x 2 )] 1 Y. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 11 of 40
82 Universal Hash and Examples Definition (Universal hash functions) A family of functions {H k : X Y, k K} is universal if for all x 1 x 2 with x 1, x 2 X. Pr k K [H k (x 1 ) = H k (x 2 )] 1 Y. Shoup05 : Universal hash {H k1,k 2,,k l : F l+1 q F q, k i F q, i = 1, 2,, l} H k1,k 2,,k l (x 0, x 1,, x l ) = x 0 + k 1 x k l x l. All operations are in the prime field F q. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 11 of 40
83 Universal Hash and Examples Definition (Universal hash functions) A family of functions {H k : X Y, k K} is universal if for all x 1 x 2 with x 1, x 2 X. Pr k K [H k (x 1 ) = H k (x 2 )] 1 Y. Shoup05 : Universal hash {H k1,k 2,,k l : F l+1 q F q, k i F q, i = 1, 2,, l} H k1,k 2,,k l (x 0, x 1,, x l ) = x 0 + k 1 x k l x l. All operations are in the prime field F q. Let G be a multiplicative group of prime order q with generator g. Then (Z q, +) = (G, ) with bijection x g x. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 11 of 40
84 Universal Hash and Examples Definition (Universal hash functions) A family of functions {H k : X Y, k K} is universal if for all x 1 x 2 with x 1, x 2 X. Pr k K [H k (x 1 ) = H k (x 2 )] 1 Y. Shoup05 : Universal hash {H k1,k 2,,k l : F l+1 q F q, k i F q, i = 1, 2,, l} H k1,k 2,,k l (x 0, x 1,, x l ) = x 0 + k 1 x k l x l. All operations are in the prime field F q. Let G be a multiplicative group of prime order q with generator g. Then (Z q, +) = (G, ) with bijection x g x. The family {H k1,k 2,,k l : G l+1 G, k i Z q, i = 1, 2,, l} is universal, where H k1,k 2,,k l (g 0, g 1,, g l ) = g 0 g k gk l l (= g x0+k1x1+ +k lx l ), with g i = g xi for i = 0, 1,, l. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 11 of 40
85 Leftover Hash Lemma[Dodis08] Lemma Assume {H k : X Y} k K is a family of universal hash functions. For any random variables X X, Z Z, and K K, SD((H k (X), K), (U Y, K)) 1 Pc (X) Y H (X) Y, and SD((H k (X), K, Z), (U Y, K, Z)) H (X Z) Y, where U Y denotes a uniform distribution over Y. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 12 of 40
86 Extractors with Universal Hashing [Dodis08] Liu, Weng and Zhao Efficient KL-CS-PKE Slide 13 of 40
87 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40
88 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Morning Besides normal queries to decryption oracle Dec(sk, ), A is also allowed to make queries to a key-leakage oracle KL(sk), as follows: A can adaptively query the oracle KL(sk) with any function f i, i 1, and then gets back f i (sk). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40
89 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Morning Besides normal queries to decryption oracle Dec(sk, ), A is also allowed to make queries to a key-leakage oracle KL(sk), as follows: A can adaptively query the oracle KL(sk) with any function f i, i 1, and then gets back f i (sk). Noon A submits two messages (M 0, M 1 ) of equal length to the encryption oracle. The encryption oracle picks a random bit σ {0, 1} and responds with the target" ciphertext ψ = Encrypt(PK, m σ ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40
90 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Morning Besides normal queries to decryption oracle Dec(sk, ), A is also allowed to make queries to a key-leakage oracle KL(sk), as follows: A can adaptively query the oracle KL(sk) with any function f i, i 1, and then gets back f i (sk). Noon A submits two messages (M 0, M 1 ) of equal length to the encryption oracle. The encryption oracle picks a random bit σ {0, 1} and responds with the target" ciphertext ψ = Encrypt(PK, m σ ). Afternoon A continues to query the decryption oracle with arbitrary ciphertext ψ under the restriction: ψ ψ, but the KL(sk) oracle access is denied in the afternoon. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40
91 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Morning Besides normal queries to decryption oracle Dec(sk, ), A is also allowed to make queries to a key-leakage oracle KL(sk), as follows: A can adaptively query the oracle KL(sk) with any function f i, i 1, and then gets back f i (sk). Noon A submits two messages (M 0, M 1 ) of equal length to the encryption oracle. The encryption oracle picks a random bit σ {0, 1} and responds with the target" ciphertext ψ = Encrypt(PK, m σ ). Afternoon A continues to query the decryption oracle with arbitrary ciphertext ψ under the restriction: ψ ψ, but the KL(sk) oracle access is denied in the afternoon. Guess A outputs a guess bit ˆσ {0, 1}. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40
92 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Morning Besides normal queries to decryption oracle Dec(sk, ), A is also allowed to make queries to a key-leakage oracle KL(sk), as follows: A can adaptively query the oracle KL(sk) with any function f i, i 1, and then gets back f i (sk). Noon A submits two messages (M 0, M 1 ) of equal length to the encryption oracle. The encryption oracle picks a random bit σ {0, 1} and responds with the target" ciphertext ψ = Encrypt(PK, m σ ). Afternoon A continues to query the decryption oracle with arbitrary ciphertext ψ under the restriction: ψ ψ, but the KL(sk) oracle access is denied in the afternoon. Guess A outputs a guess bit ˆσ {0, 1}. The KL-CCA advantage of A against a PKE scheme: Adv A = Pr[σ = ˆσ] 1/2. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40
93 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] Key Generation A group (G, q, g). T: TCR hash function. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 15 of 40
94 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] Key Generation A group (G, q, g). T: TCR hash function. { secret key: x1, x 2, y 1, y 2, z 1, z 2 R Z q public key: c = g x1 1 gx2 2, d = gy1 1 gy2 2, h = gz1 1 gz2 2. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 15 of 40
95 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] Key Generation A group (G, q, g). T: TCR hash function. { secret key: x1, x 2, y 1, y 2, z 1, z 2 R Z q public key: c = g x1 1 gx2 2, d = gy1 1 gy2 2, h = gz1 1 gz2 2. PK = (G, q, g, T, c, d, h), SK = (x 1, x 2, y 1, y 2, z 1, z 2 ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 15 of 40
96 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] Key Generation A group (G, q, g). T: TCR hash function. { secret key: x1, x 2, y 1, y 2, z 1, z 2 R Z q public key: c = g x1 1 gx2 2, d = gy1 1 gy2 2, h = gz1 1 gz2 2. PK = (G, q, g, T, c, d, h), SK = (x 1, x 2, y 1, y 2, z 1, z 2 ). Encryption u 1 = g r 1, u 2 = g r 2, r Z q, s {0, 1} t ; e = M Ext(h r, s); Decryption α = T(u 1, u 2, e, s); If v u x 1+y 1 α 1 u x 2+y 2 α 2, output ; α = T(u 1, u 2, e, s); v = c r d rα ; otherwise M = e Ext(u z 1 1 u z 2 2, s); Output (u 1, u 2, s, e, v). Output M. Figure: The KL-CS-PKE Scheme by Naor-Segev. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 15 of 40
97 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] The key leakage of CS-PKE brings two effects: Liu, Weng and Zhao Efficient KL-CS-PKE Slide 16 of 40
98 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] The key leakage of CS-PKE brings two effects: The information leakage related to (x 1, x 2, y 1, y 2) makes the security reduction looser than that of CS-PKE. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 16 of 40
99 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] The key leakage of CS-PKE brings two effects: The information leakage related to (x 1, x 2, y 1, y 2) makes the security reduction looser than that of CS-PKE. The information leakage related to (z 1, z 2) makes it unsuitable to mask the plaintext directly. Naor and Segev employed an extractor Ext to distill a random shorter key from the ephemeral key u z 1 1 u z 2 2 that is in turn used to mask the plaintext. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 16 of 40
100 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] The key leakage of CS-PKE brings two effects: The information leakage related to (x 1, x 2, y 1, y 2) makes the security reduction looser than that of CS-PKE. The information leakage related to (z 1, z 2) makes it unsuitable to mask the plaintext directly. Naor and Segev employed an extractor Ext to distill a random shorter key from the ephemeral key u z 1 1 u z 2 2 that is in turn used to mask the plaintext. m log 2 q λ ω(log κ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 16 of 40
101 Our Proposal Liu, Weng and Zhao Efficient KL-CS-PKE Slide 17 of 40
102 New Idea and Key Observation The new idea is that all the three parts of secret key, namely (x 1, x 2 ), (y 1, y 2 ) and (z 1, z 2 ), are involved both in the ciphertext consistence check and the random distillation to mask plaintexts. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 18 of 40
103 New Idea and Key Observation The new idea is that all the three parts of secret key, namely (x 1, x 2 ), (y 1, y 2 ) and (z 1, z 2 ), are involved both in the ciphertext consistence check and the random distillation to mask plaintexts. The key observation is: The three parts of secret key altogether imply larger average min-entropy, even conditioned on all the leaked information bounded by λ log q ω(log κ). Larger min-entropy implies more randomness can be distilled. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 18 of 40
104 New Idea and Key Observation The new idea is that all the three parts of secret key, namely (x 1, x 2 ), (y 1, y 2 ) and (z 1, z 2 ), are involved both in the ciphertext consistence check and the random distillation to mask plaintexts. The key observation is: The three parts of secret key altogether imply larger average min-entropy, even conditioned on all the leaked information bounded by λ log q ω(log κ). Larger min-entropy implies more randomness can be distilled. On the other hand, we use a special universal hash function (i.e., H s(a, b) = a b s, for a, b G and s Z q) as an extractor, where a = (cd) r and b = h r for r Z q with our proposal, which allows plaintext space to be G, and makes the security proof neat and tighter. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 18 of 40
105 New Idea and Key Observation The new idea is that all the three parts of secret key, namely (x 1, x 2 ), (y 1, y 2 ) and (z 1, z 2 ), are involved both in the ciphertext consistence check and the random distillation to mask plaintexts. The key observation is: The three parts of secret key altogether imply larger average min-entropy, even conditioned on all the leaked information bounded by λ log q ω(log κ). Larger min-entropy implies more randomness can be distilled. On the other hand, we use a special universal hash function (i.e., H s(a, b) = a b s, for a, b G and s Z q) as an extractor, where a = (cd) r and b = h r for r Z q with our proposal, which allows plaintext space to be G, and makes the security proof neat and tighter. The actual design of our proposal was also carefully guided by the underlying analysis, particularly for ensuring non-zero matrix determinant. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 18 of 40
106 Overview of Our Proposal Encryption u 1 = g r 1, u 2 = g r 2, r, s Z q; α = T(u 1, u 2, e, s); e = M (cd) r h rs ; α = T(u 1, u 2, e, s); v = (c h) r d rα ; Decryption If v u x1+y1α+z1 1 u x2+y2α+z2 2, outpu otherwise Output (u 1, u 2, s, e, v) Output M. Figure: Our proposal M = e u (x1+y1+z1s) 1 u (x2+y2+z2s 2 Liu, Weng and Zhao Efficient KL-CS-PKE Slide 19 of 40
107 Proof Outline Liu, Weng and Zhao Efficient KL-CS-PKE Slide 20 of 40
108 Main Theorem Theorem The above scheme is (log q, λ, ɛ)-ind-kl-cca2 secure public key encryption scheme. Here q is the prime order of the group G that PKE is based on, λ log q ω(log κ) (more precisely, λ log q 2 log 1 2λ/2 1 δ + 2 where δ = q )) and ɛ Adv DDH (κ) + Adv TCR (κ) + 2λ Q(κ) q Q(κ) + 2λ/2 1 q, where Q(κ) is the number of decryption queries. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 21 of 40
109 Main Theorem Theorem The above scheme is (log q, λ, ɛ)-ind-kl-cca2 secure public key encryption scheme. Here q is the prime order of the group G that PKE is based on, λ log q ω(log κ) (more precisely, λ log q 2 log 1 2λ/2 1 δ + 2 where δ = q )) and ɛ Adv DDH (κ) + Adv TCR (κ) + 2λ Q(κ) q Q(κ) + 2λ/2 1 q, where Q(κ) is the number of decryption queries. Plaintext length m = log q; Liu, Weng and Zhao Efficient KL-CS-PKE Slide 21 of 40
110 Main Theorem Theorem The above scheme is (log q, λ, ɛ)-ind-kl-cca2 secure public key encryption scheme. Here q is the prime order of the group G that PKE is based on, λ log q ω(log κ) (more precisely, λ log q 2 log 1 2λ/2 1 δ + 2 where δ = q )) and ɛ Adv DDH (κ) + Adv TCR (κ) + 2λ Q(κ) q Q(κ) + 2λ/2 1 q, where Q(κ) is the number of decryption queries. Plaintext length m = log q; Leakage parameter λ = log q o(1). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 21 of 40
111 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40
112 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Game 0: The original KL-CCA2 game. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40
113 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Game 0: The original KL-CCA2 game. Game 1: The same as Game 0 except for the generation of the challenge ciphertext ψ. In this game, the simulator generates the target ciphertext ψ = (u 1, u 2, e, s, v ) with its secret key SK as follows. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40
114 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Game 0: The original KL-CCA2 game. Game 1: The same as Game 0 except for the generation of the challenge ciphertext ψ. In this game, the simulator generates the target ciphertext ψ = (u1, u2, e, s, v ) with its secret key SK as follows. e = M u (x1+y1+z1s) 1 u (x2+y2+z2s) 2 = M (cd) r h rs ; Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40
115 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Game 0: The original KL-CCA2 game. Game 1: The same as Game 0 except for the generation of the challenge ciphertext ψ. In this game, the simulator generates the target ciphertext ψ = (u1, u2, e, s, v ) with its secret key SK as follows. e = M u (x1+y1+z1s) 1 u (x2+y2+z2s) 2 = M (cd) r h rs ; v = u x1+y1α+z1 1 u x2+y2α+z2 2 = (c h) r d rα. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40
116 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Game 0: The original KL-CCA2 game. Game 1: The same as Game 0 except for the generation of the challenge ciphertext ψ. In this game, the simulator generates the target ciphertext ψ = (u1, u2, e, s, v ) with its secret key SK as follows. e = M u (x1+y1+z1s) 1 u (x2+y2+z2s) 2 = M (cd) r h rs ; v = u x1+y1α+z1 1 u x2+y2α+z2 2 = (c h) r d rα. The change is only conceptual, and thus Pr[S 1 ] = Pr[S 0 ]. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40
117 Game 2: Same as Game 1 except for the generation of the challenge ciphertext C = (u1, u2, e, s, v ), where u1 = g r 1 1, u 2 = g r 2 2, with r 1, r2 chosen uniformly at random from Z q. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 23 of 40
118 Game 2: Same as Game 1 except for the generation of the challenge ciphertext C = (u1, u2, e, s, v ), where u1 = g r 1 1, u 2 = g r 2 2, with r 1, r2 chosen uniformly at random from Z q. In Game 1: (g 1, g 2, u 1, u 2) is a DDH tuple, i.e, u 1 = g r 1, u 2 = g r 2. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 23 of 40
119 Game 2: Same as Game 1 except for the generation of the challenge ciphertext C = (u1, u2, e, s, v ), where u1 = g r 1 1, u 2 = g r 2 2, with r 1, r2 chosen uniformly at random from Z q. In Game 1: (g 1, g 2, u 1, u 2) is a DDH tuple, i.e, u 1 = g r 1, u 2 = g r 2. In Game 2: (g 1, g 2, u 1, u 2) is a random tuple, i.e, u 1 = g r 1 1, u 2 = g r 2 2. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 23 of 40
120 Game 2: Same as Game 1 except for the generation of the challenge ciphertext C = (u1, u2, e, s, v ), where u1 = g r 1 1, u 2 = g r 2 2, with r 1, r2 chosen uniformly at random from Z q. In Game 1: (g 1, g 2, u 1, u 2) is a DDH tuple, i.e, u 1 = g r 1, u 2 = g r 2. In Game 2: (g 1, g 2, u 1, u 2) is a random tuple, i.e, u 1 = g r 1 1, u 2 = g r 2 2. By the DDH assumption, Pr[S 2 ] Pr[S 1 ] is negligible. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 23 of 40
121 Game 3: Same as Game 2 except that the simulator applies a special rejection rule. Let F denote the event that there exists a decryption query of the form C = (u 1, u 2, e, s, v) such that C C but T(u 1, u 2, e, s) = T(u 1, u 2, e, s ), which means a hash collision occurs. The simulator D rejects the corresponding queried ciphertext C when F occurs. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 24 of 40
122 Game 3: Same as Game 2 except that the simulator applies a special rejection rule. Let F denote the event that there exists a decryption query of the form C = (u 1, u 2, e, s, v) such that C C but T(u 1, u 2, e, s) = T(u 1, u 2, e, s ), which means a hash collision occurs. The simulator D rejects the corresponding queried ciphertext C when F occurs. By the TCR property of T, Pr[S 3 ] Pr[S 2 ] is negligible. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 24 of 40
123 Game 4: Same as Game 3, except that the simulator applies a special rejection rule. If A asks for decryption of an invalid ciphertext C = (u 1, u 2, e, s, v), i.e., (g 1, g 2, u 1, u 2 ) is not a DDH tuple, the simulator D rejects with and the game aborts. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 25 of 40
124 Game 4: Same as Game 3, except that the simulator applies a special rejection rule. If A asks for decryption of an invalid ciphertext C = (u 1, u 2, e, s, v), i.e., (g 1, g 2, u 1, u 2 ) is not a DDH tuple, the simulator D rejects with and the game aborts. In Game 3: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e., v u x1+y1α 1 u x2+y2α 2. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 25 of 40
125 Game 4: Same as Game 3, except that the simulator applies a special rejection rule. If A asks for decryption of an invalid ciphertext C = (u 1, u 2, e, s, v), i.e., (g 1, g 2, u 1, u 2 ) is not a DDH tuple, the simulator D rejects with and the game aborts. In Game 3: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e., v u x1+y1α 1 u x2+y2α 2. In Game 4: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e. (log g1 u 1 log g2 u 2 ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 25 of 40
126 Game 4: Same as Game 3, except that the simulator applies a special rejection rule. If A asks for decryption of an invalid ciphertext C = (u 1, u 2, e, s, v), i.e., (g 1, g 2, u 1, u 2 ) is not a DDH tuple, the simulator D rejects with and the game aborts. In Game 3: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e., v u x1+y1α 1 u x2+y2α 2. In Game 4: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e. (log g1 u 1 log g2 u 2 ). Let F be the event that D outputs for a consistent but valid ciphertext, we have: Pr[S 4 F ] Pr[S 3 F ] Pr[F ], Pr[S 4 ] Pr[S 3 ] Pr[F ]. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 25 of 40
127 Game 4: Same as Game 3, except that the simulator applies a special rejection rule. If A asks for decryption of an invalid ciphertext C = (u 1, u 2, e, s, v), i.e., (g 1, g 2, u 1, u 2 ) is not a DDH tuple, the simulator D rejects with and the game aborts. In Game 3: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e., v u x1+y1α 1 u x2+y2α 2. In Game 4: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e. (log g1 u 1 log g2 u 2 ). Let F be the event that D outputs for a consistent but valid ciphertext, we have: Pr[S 4 F ] Pr[S 3 F ] Pr[F ], Pr[S 4 ] Pr[S 3 ] Pr[F ]. Below, we analyze the probability that the event F occurs. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 25 of 40
128 Analyzing the Event F Let β = log g1 g 2. Firstly, note that by submitting valid ciphertexts to the decryption oracle, the adversary only learns linear combinations of the constraints log g1 c = x 1 + βx 2, log g1 d = y 1 + βy 2 and log g1 h = z 1 + βz 2, which are already known from the public-keys. Also note that q, g 1, g 2, T, u 1, u 2, s, σ all are independent of the secret key. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 26 of 40
129 Analyzing the Event F Let β = log g1 g 2. Firstly, note that by submitting valid ciphertexts to the decryption oracle, the adversary only learns linear combinations of the constraints log g1 c = x 1 + βx 2, log g1 d = y 1 + βy 2 and log g1 h = z 1 + βz 2, which are already known from the public-keys. Also note that q, g 1, g 2, T, u 1, u 2, s, σ all are independent of the secret key. From the view of the attack and the λ-bit key leakage, what can be learnt about the secret-keys can be formulated by the following equations, where Liu, Weng and Zhao Efficient KL-CS-PKE Slide 26 of 40
130 Analyzing the Event F Let β = log g1 g 2. Firstly, note that by submitting valid ciphertexts to the decryption oracle, the adversary only learns linear combinations of the constraints log g1 c = x 1 + βx 2, log g1 d = y 1 + βy 2 and log g1 h = z 1 + βz 2, which are already known from the public-keys. Also note that q, g 1, g 2, T, u 1, u 2, s, σ all are independent of the secret key. From the view of the attack and the λ-bit key leakage, what can be learnt about the secret-keys can be formulated by the following equations, where log g1 c = x 1 + βx 2 log g1 d = y 1 + βy 2 log g1 h = z 1 + βz 2 log g1 v = r1 x 1 + r2 βx 2 + α r1 y 1 + α r2 βy 2 + r1 z 1 + r2 βz 2 log g1 e /M b = r1 x 1 + r2 βx 2 + r1 y 1 + r2 βy 2 + s r1 z 1 + s r2 βz 2 ; λ-bit leakage of (x 1, x 2, y 1, y 2, z 1, z 2 ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 26 of 40
131 As the secret key elements (x 1, x 2, y 1, y 2, z 1, z 2 ) are uniformly chosen from Z 6 q, according to the average min-entropy theory, we have H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, C, M b, λ-leakage) = H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, u 1, u 2, s, v, e /M b, λ-leakage) = H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, v, e /M b, λ-leakage) (1) log q λ. (2) Liu, Weng and Zhao Efficient KL-CS-PKE Slide 27 of 40
132 As the secret key elements (x 1, x 2, y 1, y 2, z 1, z 2 ) are uniformly chosen from Z 6 q, according to the average min-entropy theory, we have H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, C, M b, λ-leakage) = H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, u 1, u 2, s, v, e /M b, λ-leakage) = H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, v, e /M b, λ-leakage) (1) log q λ. Let C = (u 1, u 2, e, s, v) be the first invalid ciphertext submitted by A. Let r 1 = log g1 u 1 and r 2 = log g1 u 2, then r 1 r 2. We must have: (2) log g1 c = x 1 + βx 2 ; log g1 d = y 1 + βy 2 ; log g1 h = z 1 + βz 2 ; log g1 v = r1 x 1 + r2 βx 2 + α r1 y 1 + α r2 βy 2 + r1 z 1 + r2 βz 2 ; log g1 e /M b = r1 x 1 + r2 βx 2 + r1 y 1 + r2 βy 2 + s r1 z 1 + s r2 βz 2 ; log g1 v = r 1 x 1 + r 2 βx 2 + αr 1 y 1 + αr 2 βy 2 + r 1 z 1 + r 2 βz 2. (3) Liu, Weng and Zhao Efficient KL-CS-PKE Slide 27 of 40
133 Let A= into: 1 β β β r1 r2 β α r1 α r2 β r1 r2 β r1 r2 β r1 r2 β s r1 s r2 β r 1 r 2 β αr 1 αr 2 β r 1 r 2 β 1 β β β r1 r2 β α r1 α r2 β r1 r2 β r1 r2 β r1 r2 β s r1 s r2 β r 1 r 2 β αr 1 αr 2 β r 1 r 2 β x 1 x 2 y 1 y 2 z 1 z 2. This is distilled = log g1 c log g1 d log g1 h log g1 v log g1 e /M b log g1 v (4). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 28 of 40
134 Let A= into: 1 β β β r1 r2 β α r1 α r2 β r1 r2 β r1 r2 β r1 r2 β s r1 s r2 β r 1 r 2 β αr 1 αr 2 β r 1 r 2 β 1 β β β r1 r2 β α r1 α r2 β r1 r2 β r1 r2 β r1 r2 β s r1 s r2 β r 1 r 2 β αr 1 αr 2 β r 1 r 2 β The determinant of matrix A is given by x 1 x 2 y 1 y 2 z 1 z 2. This is distilled = det(a) = β 3 (r 1 r 2 ) 2 (r 1 r 2 )(α α)(s 1). log g1 c log g1 d log g1 h log g1 v log g1 e /M b log g1 v (4). Then det(a) 0 except with a negligible probability 1/q. Hence Eq. (4) is an injective function. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 28 of 40
135 An injective function preserves its min-entropy. Then H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, C, M b, λ-leakage) = H ((c, d, h, v, e /M b, v) c, d, h, C, M b, λ-leakage) = H (v c, d, h, C, M b, λ-leakage) log q λ. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 29 of 40
A Robust and Plaintext-Aware Variant of Signed ElGamal Encryption
A Robust and Plaintext-Aware Variant of Signed ElGamal Encryption Yannick Seurin and Joana Treger ANSSI, Paris, France yannick.seurin@m4x.org,joana.marim@ssi.gouv.fr Revised, 24 February 2013 Abstract.
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationLeakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter
Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin Shengli Liu October 9, 2013 Abstract We present a new generic construction
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationEfficient chosen ciphertext secure identity-based encryption against key leakage attacks
SECURITY AND COMMUNICATION NETWORKS Security Comm Networks 26; 9:47 434 Published online 2 February 26 in Wiley Online Library (wileyonlinelibrarycom) DOI: 2/sec429 RESEARCH ARTICLE Efficient chosen ciphertext
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationA New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack
A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack Joonsang Baek 1 Willy Susilo 2 Joseph K. Liu 1 Jianying Zhou 1 1 Institute for Infocomm Research, Singapore 2 University of
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationPublic-Key Cryptosystems Resilient to Key Leakage
Public-Key Cryptosystems Resilient to Key Leakage Moni Naor Gil Segev Abstract Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationOn the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key
More informationStrong Security Models for Public-Key Encryption Schemes
Strong Security Models for Public-Key Encryption Schemes Pooya Farshim (Joint Work with Manuel Barbosa) Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom.
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More informationON CIPHERTEXT UNDETECTABILITY. 1. Introduction
Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationA Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack
A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationAdaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationEfficient Public-Key Cryptography in the Presence of Key Leakage
Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationStronger Public Key Encryption Schemes
Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks Prof. C.Pandu Rangan Professor, Indian Institute of Technology - Madras, Chennai, India-600036. C.Pandu Rangan (IIT Madras)
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationKurosawa-Desmedt Key Encapsulation Mechanism, Revisited and More
Kurosawa-Desmedt Key Encapsulation Mechanism, Revisited and More Kaoru Kurosawa 1 and Le Trieu Phong 1 Ibaraki University, Japan kurosawa@mx.ibaraki.ac.jp NICT, Japan phong@nict.go.jp Abstract. While the
More informationLossy Trapdoor Functions and Their Applications
Lossy Trapdoor Functions and Their Applications Chris Peikert SRI International Brent Waters SRI International August 29, 2008 Abstract We propose a general cryptographic primitive called lossy trapdoor
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationThe Twin Diffie-Hellman Problem and Applications
The Twin Diffie-Hellman Problem and Applications David Cash 1 Eike Kiltz 2 Victor Shoup 3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationChosen-Ciphertext Security without Redundancy
This is the full version of the extended abstract which appears in Advances in Cryptology Proceedings of Asiacrypt 03 (30 november 4 december 2003, Taiwan) C. S. Laih Ed. Springer-Verlag, LNCS 2894, pages
More informationKDM-CCA Security from RKA Secure Authenticated Encryption
KDM-CCA Security from RKA Secure Authenticated Encryption Xianhui Lu 1,2, Bao Li 1,2, Dingding Jia 1,2 1. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing,
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationStandard versus Selective Opening Security: Separation and Equivalence Results
Standard versus Selective Opening Security: Separation and Equivalence Results Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu Supported by
More information2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R
A Public Key Encryption In Standard Model Using Cramer-Shoup Paradigm Mahabir Prasad Jhanwar and Rana Barua mahabir r, rana@isical.ac.in Stat-Math Unit Indian Statistical Institute Kolkata, India Abstract.
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationTwo-Round PAKE from Approximate SPH and Instantiations from Lattices
Two-Round PAKE from Approximate SPH and Instantiations from Lattices Jiang Zhang 1 and Yu Yu 2,1,3 1 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China 2 Department of Computer Science
More informationAdvanced Cryptography 03/06/2007. Lecture 8
Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationOn the Selective-Opening Security of DHIES
On the Selective-Opening Security of DHIES and other practical encryption schemes UbiCrypt Research Retreat, Schloss Raesfeld: 29.& 30. Sep. 2014 Felix Heuer, Tibor Jager, Eike Kiltz, Sven Schäge Horst
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationHow to Encrypt with the LPN Problem
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationEfficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE
Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE Yang Cui 1,2, Kirill Morozov 1, Kazukuni Kobara 1,2, and Hideki Imai 1,2 1 Research Center for Information
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More information