Strong Security Models for Public-Key Encryption Schemes

Transcription

1 Strong Security Models for Public-Key Encryption Schemes Pooya Farshim (Joint Work with Manuel Barbosa) Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom. ACISP 2010, Sydney 5 July 2010

2 Outline Strong Security Background and Motivation Four Strong Security Models Relations Among Notions A Strongly Secure Scheme Extractor-Based Notions Strong Plaintext Awareness Secret Key Awareness Schemes: First Steps Summary

3 Part I Strong Security

4 Public-Key Encryption and IND-CCA2 Syntax: Setup(1 k ): Generates common (domain) parameters I Gen(I): Generates a key pair (SK, PK) Enc(m, PK): Outputs a ciphertext c Dec(c, PK, SK): Recovers the message m Security IND-CCA2: It should be infeasible to distinguish which of two chosen messages (m 0, m 1 ) is encrypted within a ciphertext c even with the help of an oracle which decrypts any ciphertext c.

5 Non-Malleability Non-Malleability (NM): Adversary is given (PK, c), where c encrypts m. The goal is to come up with a related c encrypting m : R(m, m ) = T, Relation R should be interesting : it doesn t hold for a random m (and a fixed m). Meanwhile A can ask for decryptions (NM-CCA2).

6 Brief History of Non-Malleability DDN00 Introduced non-malleability in the simulation paradigm (1991). BDPR98 Formulated it as a comparison-based notion and studied its relation to IND-CCA2. BS06 Established equivalence between simulation- and comparison-based notions of non-malleability (revision of [BS99]). PSV07 Studied non-malleability more carefully: -allowing vs. -disallowing relations. Effect of message space: {0, 1}, finite, etc. Composability of notions: single multi? Where V=Vaikuntanathan.

7 Complete Non-Malleability Introduced by Fischlin (ICALP 05). Allows tampering with the public key. Adversary outputs a related ciphertext/public key pair. CS and RSA-OAEP are not completely non-malleable. RSA-OAEP: replace e by 3e and c with c 3. RSA-OAEP: bind PK to the ciphertext by hashing it with m. Technique similar to those in certificateless encryption schemes. Hard to construct in the standard model Technically: with respect to black-box simulators. Ventre and Visconti (PKC 08) gave a comparison-based definition. Showed equivalence under some technical conditions. They also give a NIZKPK-based scheme.

8 Why Consider Complete Non-Malleability? Commitment scheme: Sender sends a commitment com(m) to receiver. Sender later de-commitments by revealing a dec Hiding: receiver cannot see what s inside com Binding: sender cannot de-commit to m m. Non-malleable: hard to construct a related com(m ) Generic construction through encryption schemes: com(m) = (PK, Enc(m, PK; r)) where (SK, PK) $ Gen() dec = (m, r) or (m, SK) Gives a NM commitment if encryption is completely NM.

9 Strong Decryption Oracle Recall in IND-CCAx model, adversary has access to: which returns Dec(c, PK, SK). Decrypt(c) Introduce a strong decryption oracle: SDecrypt V (c, PK) Returns the message encapsulated by c as defined by validity criterion V. ( ) V(c, PK, m, r):= c =? Enc(m, PK; r) ( ) V (c, PK, m, r):= (SK, PK) =? Gen(r) m =? Dec(c, SK, PK).

10 Strong and Parallel CCA: IND-SCCAx Run A on (I, PK) SDecrypt (x = 1, 2) A returns m 0, m 1 Resume A on c := Enc(m 0, PK) Run A on (I, PK) SDecrypt (x = 1, 2) A returns m 0, m 1 Resume A on c := Enc(m 1, PK) SDecrypt except c (x = 2) A returns a bit b Return b SDecrypt except c (x = 2) A returns a bit b Return b Adv ind-sccax Π (A):=Pr [ IND-SCCAx A 0,Π T] Pr [ IND-SCCAx A 1,Π T]

11 Strong and Parallel CCA: IND-SCCAx/ SPCAx Run A on (I, PK) SDecrypt (x = 1, 2) A returns m 0, m 1 Resume A on c := Enc(m 0, PK) PSDecrypt(c 1,PK 1,...) except c SDecrypt except c (x = 2) A returns a bit b Return b Run A on (I, PK) SDecrypt (x = 1, 2) A returns m 0, m 1 Resume A on c := Enc(m 1, PK) PSDecrypt(c 1,PK 1,...) except c SDecrypt except c (x = 2) A returns a bit b Return b Adv ind-sccax Π (A):=Pr [ IND-SCCAx A 0,Π T] Pr [ IND-SCCAx A 1,Π T] Note: Security models match at x = 2.

12 Simulation-Based Complete NM: SNM-SCCAx Real A in real world vs. Ideal assisted S in ideal world Run A on (I, PK) SDecrypt (x = 1, 2) A returns M; m $ M Resume A on c := Enc(m,PK) SDecrypt except c (x = 2) A returns (PK, c, st R ) m SDecrypt(c, PK ) & Ret. R(I,m,m,PK,PK,c,M,st R ) For all R and for all A, there is an S: Run S on (I, PK) SDecrypt (x = 1, 2 if Assed) S returns M; m $ M Resume S SDecrypt (x = 2 if Assed) S returns (PK, c, st R ) m SDecrypt(c, PK ) & Ret. R(I,m,m,PK,PK,c,M,st R ) Adv snm-sccax Π,R,S (A) := Pr [ Real-SNM-SCCAx A Π,R T] Pr [ Ideal-SNM-SCCAx S Π,R T] Remark: In [Fis05] the oracles are Decrypt and final SDecrypt is for a specific V.

13 Comparison-Based Complete NM: CNM-SCCAx Run A on (I, PK) SDecrypt (x = 1, 2) Run A on (I, PK) SDecrypt (x = 1, 2) A returns M; m 0, m 1 $ M A returns M; m 0, m 1 $ M Resume A on c := Enc(m 0, PK) SDecrypt except c (x = 2) A returns (PK, c, R, st R ) m SDecrypt(c, PK ) & Ret. R(I,m 0,m,PK,PK,c,M,st R ) For all R, for all A: Resume A on c := Enc(m 0, PK) SDecrypt except c (x = 2) A returns (PK, c, R, st R ) m SDecrypt(c, PK ) & Ret. R(I,m 1,m,PK,PK,c,st R ) Adv cnm-sccax Π,R (A) := Pr [ CNM-SCCAx A 0,Π,R T] Pr [ CNM-SCCAx A 1,Π,R T] Remark: In [VV05] the oracles are Decrypt and V is fixed. Equiv. with non-assed simulator for lacking" relations not depending on PK.

14 Equivalence Theorem 1 IND-SPCAx CNM-SCCAx. 2 CNM-SCCAx SNM-SCCAx. 3 SNM-SCCAx IND-SPCAx. for assisted simulators. PSDecrypt captures the implicit decryption" in NM. The above self-compose as SPCAx does (standard hybrid argument). The equivalence theorem shows strong security models are relevant to practice. (c.f. strong models in certificateless cryptography).

15 IND-SCCA2 Scheme from [DLP08] procedure Setup GP,H,n (): k $ Key(); (α, β, u 0,..., u n) $ G G n+2 I (GP, H k, α, β, u 0,..., u n) Return I procedure Gen(): x $ Z p; X g x ; Y α x PK (X, Y ); SK x Return (SK, PK) procedure Enc(m, PK): $ t Z p; (X, Y ) PK If e(x, α) e(g, Y ) Return C 1 m e(y, β t ); C 2 α t w H k (C 1, C 2, PK) C 3 WH(w) t c (C 1, C 2, C 3 ) Return c procedure Dec(c, SK, PK): (X, Y ) PK If g SK X α SK Y Return (C 1, C 2, C 3 ) c w H k (C 1, C 2, PK) If e(c 2, WH(w)) e(α, C 3 ) Return m C 1 /e(c 2, β x ) Return m Theorem DBDH CR IND-SCCA2. Proof: As in [DLP08] but used modifications of [BR09] to avoid artificial aborts. Waters hash is programmed in a way which permits recovering ephemeral key.

16 Part II Extractor-Based Notions

17 Intuition: When does a machine know something? A knows m if it can output m. But A has a specified I/O behaviour so: A knows m if it can be tweaked to output m. A knows m if there is a K which gets the same view (inputs and coins of A) and outputs m. Adapt this to an environment" where A s view include various I/O pairs from different oracles. Two worlds: 1st world: m is computed properly. 2nd world: m is computed using K. These should be indistinguishable. Application: If a machine already knows the plaintext encapsulated within ciphertext of its choice the decryption oracle is of no help.

18 Plaintext Awareness: PAx where x = 1 or x = 2 Run A(I, PK) in one of two possible environments: Dec World: access to Decrypt returning Dec(, SK) Ext World: access to Decrypt returning K(, View[A]). Both worlds: Access to Enc(P(Q), PK) if x = 2. P allows A to obtain ciphertexts with unknown plaintexts in a controlled way". No Decrypt in IND-CCA1 after challenge phase. The behaviours should be indistinguishable: D(A s output in Dec P World) D(A s output in Ext P,K World) Theorem (BP04) PAx IND-CPA IND-CCAx. Proof: Adversary already knows the decryption through K.

19 Strong Plaintext Awareness: SPAx Replace Decrypt with SDecrypt. Run A(I, PK) in one of two possible environments: Dec World: access to SDecrypt Ext World: access to SDecrypt returning K(, View[A]). Both worlds: Access to Enc(P(Q), PK) if x = 2. The behaviours should be indistinguishable: D(A s output in Dec P World) D(A s output in Ext P,K World) Theorem SPAx IND-CPA IND-SCCAx.

20 SPAx and Complete Non-Malleability Theorem SPAx SNM-CPA Non-Assed SNM-SCCAx. But: Theorem (Fischlin) In the standard model, completely non-malleable schemes with respect to non-assisted black-box simulators do not exist. So: Strong plaintext awareness, being a non-black-box notion, allows one to go beyond this black-box simulation barrier: plaintext awareness is more relevant in the strong setting.

21 Invert and Chosen-Ciphertext Attacks: IND-ICAx Intuition: One way to achieve SPA is to require that any adversary which comes up with a PK, knows the SK. Working towards this goal: Replace SDecrypt with oracle: Returns SK for PK. Invert(PK) Bring back Decrypt (for challenge PK). Theorem IND-ICAx IND-SCCAx Proof: Use Invert and Decrypt to simulate SDecrypt.

22 Secret Key Awareness: SKAx Definitional approach is similar to SPA: Run A(I, PK) in two environments: The Inv world: access to Invert The Ext world: access to a secret key extractor K Access to a Decrypt oracle. Access to Enc(P(Q), PK) (x = 2). The behaviours should be indistinguishable: For all A, there exists a K s.t. for all P and D: D(A s output in Dec P World) D(A s output in Ext P,K World) Theorem SKAx IND-CCAx IND-ICAx.

23 Remarks Get complete non-malleability with non-assed simulators. Non-malleability of commitment holds wrt opening SK (simulator should be provided with SK). Not the case for SPA: need randomness awareness". (schemes from lossy TDFs?) Also: there is a natural interaction with SPA and PA: Theorem SKAx PAx SPAx. Proof: Replace oracles by extractors one at a time.

24 Schemes: Generic Technique in ROM Transformation: Attach H(SK, PK) to public keys. Transformation does not affect the security of the original scheme. Public keys are invalid with high prob. unless SK queried to H. When applied to RSA-OAEP, allows us to achieve a stronger result: [Fis05] only considered A which return a valid PK.

25 Schemes: Generic Technique in Standard Model Let Π be such that its Gen = Enc of some Π PK : Secret key is a random message Public key is the corresponding ciphertext. (Actually better to consider a KEM). Suppose Π PK is PA2 wrt P which returns a random m. Then Π is SKA0. Remark: Restriction on P necessary: else as in [TO08b] we get IND keys which is not possible.

26 Schemes: The Knowledge of Factor Assumption The only way to come up with a number of the form P 2 Q is to choose a P and a Q and compute P 2 Q. In other words: any adversary which comes up with P 2 Q must know P and Q. Not the case for RSA numbers: probability that a random 2k-bit number is of the form PQ is roughly: (2 k /k) 2 (2 2k ) = 1 k 2 which is not negligible.

27 Schemes in Standard model RSA-based encryption with a fixed encryption exponent (e = ) satisfies SKA0 (vanilla-flavoured SKA). To get IND-SCCA1 security: RSA-CCA1" assumption: add a phase-1 (partial) Root oracle. Gives IND-CCA1 after some padding (short messages). KFA-CCA1" assumption: add a (partial) Root oracle to above. Gives SKA1 Then RSA-CCA1" + KFA-CCA1" gives IND-SCCA1. Can also build extractable one-way function [CD08,CD09].

28 Summary Defined strong decryption oracles Proved equivalence between strong security notions Gave a strongly secure scheme Formulated strong PA and secret key awareness (SKA) Proved they lead to expected results Introduced knowledge of factorisation assumption Discussed ways to build SPA and SKA schemes

29 The End IND-SPCA1 CNM-SCCA1 SNM-SCCA1 = IND-SCCA1 = SPA1 IND-CPA IND-SPCA2 IND-SCCA2 = SPA2 IND-CPA CNM-SCCA2 SNM-SCCA2 SKA2 PA2 IND-CPA IND-ICA2 = SKA2 IND-CCA2 Thank you for your attention. Questions/Comments?