14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University

Size: px

Start display at page:

Download "14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University"

Wesley Garrison
6 years ago
Views:

1 14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University

2 A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The rigorous years (mid 80 s-early 90 s) Definitions, Definitions, Definitions, Definitions,... The practical years (early 90 s-present)

3 Notions of Secure Encryption Semantic Security [GM84] Security Against Non-adaptive Chosen Ciphertext Attack [NY90] Security Against Adaptive Chosen Ciphertext Attack [RS91,DDN91]

4 Semantic Security M = M 0 or M = M 1? Key Generator E D M 0, M 1 C M M 0 or M 1 C E(M ) E Encryption Oracle

5 Non-adaptive Semantic CCA Security Security M = M 0 or M = M 1? E Key Generator D C M M 0, M 1 C M D(C) D M M 0 or M 1 C E(M ) E Decryption Oracle Encryption Oracle

6 Non-adaptive Adaptive Semantic CCA CCA Security M = M 0 or M = M 1? E Key Generator D C M M 0, M 1 C C C M M D(C) D M M 0 or M 1 C E(M ) E D M D(C) Decryption Oracle Encryption Oracle Decryption Oracle

7 Case Study: RSA n RSA modulus e encryption exponent d decryption exponent Encrypt M Z n : Decrypt C Z n : C M e M C d

8 Case Study: RSA n RSA modulus e encryption exponent d decryption exponent Encrypt M Z n : Decrypt C Z n : C M e M C d Not even semantically secure! Compare C to M e 0 and Me 1

9 RSA with Random Padding RSA PKCS#1 padding: padding string 00 M } {{ } M pad C = (M pad ) e

10 Bleichenbacher s Attack on RSA PKCS#1 [B98] C (M pad )e n, e M! C 1 error code d. C k error code

11 Case Study: ElGamal G group of prime order q g generator for G KeyGen: z c Z }{{} q, h g z }{{} D E Encrypt M G: w c Z q a g w e Mh w C (a, e) Decrypt C = (a, e): M e/a z

12 ElGamal Encryption: Security Semantically Secure under DDH (Decisional Diffie-Hellman) (g r, g s, g rs ) (g r, g s, g t ) looks like

13 ElGamal Encryption: Security Semantically Secure under DDH (Decisional Diffie-Hellman) (g r, g s, g rs ) (g r, g s, g t ) looks like Insecure against Adaptive CCA

14 Security Key Gen h G0: Original Game b =?!? z M 0, M 1 C w b c {0, 1} c Z q a g w e M b h w C (a, e )

15 Security Key Gen h b =?!? z M 0, M 1 C w b c {0, 1} c Z q a g w e M b C (a, e ) h w

16 Security h w Key Gen G1: DDH (g w, g z, g w z ) (g w, g z, Random) h b =?!? z M 0, M 1 C w b c {0, 1} c Z q a g w e M b Random C (a, e )

17 CCA against ElGamal C = (g w, M h w ) }{{} a }{{} e h M! C = (a, g e ) z g M

Example: Key Escrow C E(K H(Alice 08-15-04)) E D?!#*$!

18 Example: Key Escrow C E(K H(Alice )) E D?!#*$! C, Michael Moore, reject Bob s Escrow Service

19 Labeled Encryption A label L is input to E and D Security: Adverary submits L, M 0, M 1 to encryption oracle Adversary submits (C, L) to decryption oracle Restriction: (C, L) (C, L )

20 Two Key Construction [NY90,DDN91,S01,L03] Ingredients: NIZK semantically secure PKE Public Key: NIZK reference string public keys and for PKE E L E R Private Key: corresponding private keys D L and D R

21 Two Key Construction [NY90,DDN91,S01,L03] Ingredients: NIZK semantically secure PKE Public Key: NIZK reference string public keys and for PKE E L E R Private Key: corresponding private keys D L and D R

22 Two Key Construction [NY90,DDN91,S01,L03] Encryption of M: (C L, C R, π) where C L = E L (M), C R = E R (M), π is a proof that C L and C R encrypt the same message Decryption of (C L, C R, π): check π output D L (C L )

23 Security G0: Original Game b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M b ) π proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )

24 Security b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M b ) π proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )

25 Security proof G1: Zero Knowledge b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M b ) π fake proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )

26 Security b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M b ) π fake proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )

27 Security M b G2: Semantic Security (right) b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M 0 ) π fake proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )

28 Security b =?!? Key Gen E L E R D L D R C M M 0, M 1 C C C M (C L, C R, π) C check π M D L (C L ) b c {0, 1} CL E L( ) M b CR E R( M 0 ) π fake proof C (CL, C R, π ) (C L, C R, π) C check π M D L (C L )

29 Security D L (C L ) G3: Simulation Soundness b =?!? Key Gen E L E R D C L D R C M 0, M 1 C M M C b c {0, 1} (C L, C R, π) C (C L, C R, π) C CL E L( M b ) check π C check π R E R( M 0 ) π fake proof M D R (C R ) C (CL, C R, M D π ) R (C R )

30 Security b =?!? Key Gen E L E R D C L D R C M 0, M 1 C M M C b c {0, 1} (C L, C R, π) C (C L, C R, π) C CL E L( M b ) check π C check π R E R( M 0 ) π fake proof M D R (C R ) C (CL, C R, M D π ) R (C R )

31 Security M b Key Gen G4: Semantic Security (left) E L E R b =?!? D C L D R C M 0, M 1 C M M C b c {0, 1} (C L, C R, π) C (C L, C R, π) C CL E L( M 0 ) check π C check π R E R( M 0 ) π fake proof M D R (C R ) C (CL, C R, M D π ) R (C R )

32 Security M b Key Gen G4: Semantic Security (left) E L E R b =?!? D C L D R C M 0, M 1 C M M C b c {0, 1} (C L, C R, π) C (C L, C R, π) C CL E L( M 0 ) check π C check π R E R( M 0 ) π fake proof M D R (C R ) C (CL, C R, M D π ) R (C R )

33 Efficient NIZKs General NIZKs are impractical, but... Proofs for special languages Designated verifier proofs

34 Hash Proof Systems L U; for a L, W a = {witnesses for a} W KeyGen (P, V) Proof Function P : L W Π Verification Function V : U Π P, w W a a L V π P(a, w) π V(a)? = π Prover Verifier

35 Completeness: Hash Proof Systems a L, w W a : P(a, w) = V(a) Soundness: L U; for a L, W a = {witnesses for a} W a L : V(a) looks random, given P KeyGen (P, V) Simulation Soundness: Proof Function P : L W Π a, b L with a b : Verification V(b) Function looks random, V : given U ΠV(a) and P P, w W a a L V π P(a, w) π V(a)? = π Prover Verifier

36 Example: Equality of DL G a group of large prime order q g 1, g 2 generators for G w is the witness U = G G, L = {(g w 1, gw 2 ) : w Z q}

37 Example: Equality of DL G g 1, g 2 a group of large prime order q generators for G U = G G, L = {(g w 1, gw 2 ) : w Z q} KeyGen: c x 1, x 2 Z q, c g x 1 }{{} V }{{} P 1 gx 2 2

38 Example: Equality of DL G g 1, g 2 a group of large prime order q generators for G U = G G, L = {(g w 1, gw 2 ) : w Z q} KeyGen: c x 1, x 2 Z q, c g x 1 }{{} V }{{} P 1 gx 2 2 Verification Function: V(a 1, a 2 ) = a x 1 1 ax 2 2

39 Example: Equality of DL G g 1, g 2 a group of large prime order q generators for G U = G G, L = {(g w 1, gw 2 ) : w Z q} KeyGen: c x 1, x 2 Z q, c g x 1 }{{} V }{{} P 1 gx 2 2 Proof Function: for (a 1, a 2 ) L with witness w, P(a 1, a 2 ; w) = c w Verification Function: V(a 1, a 2 ) = a x 1 1 ax 2 2

40 Example: Equality of DL G a group of large prime order q g 1, g 2 generators for G U = G G, L = {(g w 1, gw 2 ) : w Z q} KeyGen: x 1, x 2 c Z q, c g x 1 c y }{{} 1, y 2 Z q, }{{} d g y 1 V P 1 gx gy 2 2 Simulation Soundness Proof Function: for (a 1, a 2 ) L with witness w, d wh(a 1,a 2 ) P(a 1, a 2 ; w) = c w Verification Function: V(a 1, a 2 ) = a x 1 1 ax 2 2 (a y 1 1 ay 2 2 )H(a 1,a 2 )

41 From Hash Proofs to CCA Security Efficient Semantically Secure PKE Efficient Hash Proof for Plaintext Equality + Two Key Construction Efficient and CCA Secure Encryption

42 Example: Equal ElGamal Plaintexts C 1 = (a 1, e 1 ) = (g w 1, h w 1 C 2 = (a 2, e 2 ) = (g w 2, h w 1 M) 2 2 M) Simulation Soundness c 1 g x 1 h x 3 d c 1 1 g y 1 h y 3 1 x 1, x 2, x 3, y } {{ 1, y 2, y Z } 3 q c 2 g x 2 h x 3 2 d 2 g y 2 h y 3 2 V } {{ } P V(C 1, C 2 ) = a x 1 1 ax 2 2 f x 3 P(C 1, C 2 ; w 1, w 2 ) = c w 1 1 cw 2 2 where f = e 1 /e 2, (a y 1 1 ay 2 2 f y 3 ) α (d w 1 1 dw 2 2 )α α = H(C 1, C 2 )

43 Improvements and Extensions More efficient schemes [CS98,S00,KD04] Extensions [CS02]: Quadratic Residuosity Paillier s Decisional Composite Residuosity

44 Standards: ISO RSA-OAEP Hybrid Encryption Schemes: RSA based ElGamal based

45 A Hybrid Encryption Paradigm Secure Key Encapsulation + Secure Data Encapsulation Secure Hybrid Encryption

46 A Hybrid Encryption Paradigm Secure Key Encapsulation + Secure Data Encapsulation Secure Hybrid Encryption

47 A Hybrid Encryption Paradigm E KEM C KEM D KEM K K Key Encapsulation Mechanism (KEM) Security: K looks random after a CCA

48 A Hybrid Encryption Paradigm E KEM C KEM D KEM K K Key Encapsulation Mechanism (KEM) Security: K looks random after a CCA

49 A Hybrid Encryption Paradigm Data Encapsulation Mechanism (DEM) Security: M is hidden after a CCA Implementation: Encrypt then MAC, OCB Mode K K M E DEM C DEM L D DEM M

50 A Hybrid Encryption Paradigm Data Encapsulation Mechanism (DEM) Security: M is hidden after a CCA Implementation: Encrypt then MAC, OCB Mode K K M E DEM C DEM L D DEM M

51 A Hybrid Encryption Paradigm E KEM C KEM D KEM K K M E DEM C DEM L D DEM M Secure KEM + Secure DEM = Secure Hybrid

52 RSA KEM n RSA modulus e encryption exponent d decryption exponent Encrypt: w c Z n a w e K KDF(w) C a Decrypt C = a: w a d K KDF(w)

53 secure in ROM under RSA RSA KEM n RSA modulus e encryption exponent d decryption exponent Encrypt: w c Z n a w e K KDF(w) C a Decrypt C = a: w a d K KDF(w)

54 ElGamal KEM G a group of large prime order q g generator for G D E { { z c Z q, h g z Encrypt: w c Z q, a g w K KDF(h w ) C a Decrypt C = a: [ check 1 = a q ] K KDF(a z )

55 secure in ROM under GapDH ElGamal KEM G a group of large prime order q g generator for G D E { { z c Z q, h g z Encrypt: w c Z q, a g w K KDF(h w ) C a Decrypt C = a: [ check 1 = a q ] K KDF(a z )

56 Hash Proof KEM G g 1 D E a group of large prime order q { { generator for G t, x, y, z c Z q, g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )

57 secure under DDH Hash Proof KEM G g 1 D E a group of large prime order q { { generator for G t, x, y, z c Z q, g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )

58 secure under DDH Hash Proof KEM no less secure than ElGamal KEM G g 1 D E a group of large prime order q { { generator for G t, x, y, z c Z q, g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )

59 secure under DDH Hash Proof KEM no less secure than ElGamal KEM G g 1 D E a group of large prime order q { { generator for G secure in ROM under CDH t, x, y, z c Z q, g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )

60 secure under DDH Hash Proof KEM no less secure than ElGamal KEM G g 1 D E a group of large prime order q { { generator for G secure in ROM under CDH exponentiation with pre-processing t, x, y, z c Z q, g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )

61 secure under DDH Hash Proof KEM no less secure than ElGamal KEM G g 1 D E a group of large prime order q { { generator for G t, x, y, z c Z q, secure in ROM under CDH exponentiation with pre-processing confounds patent lawyers g 2 g t 1, c gx 1, d gy 1, h gz 1 Encrypt: w c Z q, a 1 g w 1, a 2 g w 2 v c w d wh(a 1,a 2 ) K KDF(h w ) C (a 1, a 2, v) Decrypt (a 1, a 2, v): [ 1 = a q 1 ] check a 2 = a t 1 v = a x+yh(a 1,a 2 ) 1 K KDF(a z 1 )

62 And now for something completely different... [CHK04, BB04] CCA Secure Encryption using elliptic curves, equipped with bilinear maps Different assumptions and techniques Hashed decisional (or even computational) assumption Distribute decryption service, without interaction (Improves [CG99])

63 Conclusions Adaptive CCA security is now widely accepted as the right definition Demanded by standards bodies Science fiction is becoming reality Progress continues!

64 Conclusions Adaptive CCA security is now widely Thanks for Listening! accepted as the right definition Demanded by standards bodies Science fiction is becoming reality Progress continues!

G Advanced Cryptography April 10th, Lecture 11

G Advanced Cryptography April 10th, Lecture 11 G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems