On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups

Transcription

1 On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC) National Institute of Advanced Industrial Science and Technology (AIST) CRYPTO 12 23/8/2012

2 Public Key Encryption The construction of efficient and (IND-CCA) secure public key encryption has been a successful research area Practical and efficient design approach: hybrid encryption A public key encryption scheme is constructed from two components: 1. A key encapsulation mechanism (KEM) 2. A data encapsulation mechanism (DEM) 2

3 Hybrid Encryption Key encapsulation mechanism: 1 pk (sk, c) KG Enc Dec (pk, sk) Data encapsulation mechanism: (c, K) K/? (K, m) DEnc c 0 (c 0, K) DDec m 3

4 Hybrid Encryption Key encapsulation mechanism: 1 pk (sk, c) KG Enc Dec (pk, sk) (c, K) K/? Data encapsulation mechanism: Security (K, m) IND-CCA secure encryption is achieved by 1. IND-CCA DEnc KEM c 0 + IND-OT-CCA (c 0, K) DEM DDec m 2. Constrained IND-CCA KEM + AE-OT DEM 3

5 Efficient Key Encapsulation Mechanisms We focus on the problem of minimizing ciphertext overhead A number of very efficient KEMs already exist in the standard model Scheme Security Assumption Overhead [CS03] IND-CCA DDH 3 [HaKu08] IND-CCA CDH 3 [KD04] Constrained IND-CCA DDH 2 [HoKi07] Constrained IND-CCA DDH 2 [HaKu08] Constrained IND-CCA DDH 2 [Kiltz07] IND-CCA GHDH 2 [BMW05] IND-CCA DBDH 2 [CHH+07] Bounded IND-q-CCA DDH 1 G G G G G G G G 4

6 Motivating Question Question Is it possible to construct a KEM with a ciphertext overhead of less than two group elements that achieves IND-CCA security in the standard model? 5

7 The Cramer-Shoup KEM [CS03] KG : pk =(g, h, g x 1 h y 1, g x 2 h y 2, g z ) sk =(x 1, x 2, y 1, y 2, z) Enc : Let pk =(g, h, X, Y, Z) c =(g r, h r,(x Y ) r ) K = Z r = H(g r, h r ) Dec : c =(c 1, c 2, c 3 ) Let If c x 1+y 1 1 c x 2+y 2 2 = c 3 Otherwise return? return K = c z 1 6

8 The Cramer-Shoup KEM [CS03] KG : pk =(g, h, g x 1 h y 1, g x 2 h y 2, g z ) sk =(x 1, x 2, y 1, y 2, z) Enc : Let pk =(g, h, X, Y, Z) c =(g r, h r, H 0 ((X Y ) r )) = H(g r, h r ) K = Z r Dec : Let c =(c 1, c 2, c 3 ) If H 0 (c x 1+y 1 1 c x 2+y 2 2 ) = c 3 return K = c z 1 Otherwise return? 7

9 The Hofheinz-Kiltz KEM [HK07] KG : pk =(g, g x, g y, g z ) sk =(x, y, z) Enc : Let pk =(g, X, Y, Z) c =(g r,(x Y ) r ) K = Z r = H(g r ) Dec : Let If c =(c 1, c 2 ) c x +y 1 = c 2 K = c z 1 Otherwise return? return 8

10 The Hofheinz-Kiltz KEM [HK07] KG : pk =(g, g x, g y, g z ) sk =(x, y, z) Enc : Let pk =(g, X, Y, Z) c =(g r, H 0 ((X Y ) r )) = H(g r ) K = Z r Dec : Let c =(c 1, c 2 ) If H 0 (c x +y 1 ) = c 2 return K = c z 1 Otherwise return? 9

11 Main Result We show that There is no algebraic black-box reduction from the OW-CCA security of a class of KEMs with ciphertexts consisting of a single group element and a string, to the hardness of a non-interactive problem 10

12 A Class of Efficient Key Encapsulation Mechanisms We consider a class Kof KEMs defined in a prime order group G with the following additional properties: 1. Public key: pk =(X 1,...,X n, aux) 2 G n {0, 1} (y i = log g X i ) 2. Encapsulation: C =(c, d) =(g r, f (pk, r)) 2 G {0, 1} ny K = g f 0(pk,r) i=1 X f i (pk,r) i 3. Decapsulated key: K = g 0 (pk,c,y 1,...,y n ) c 1 (pk,c,y 1,...,y n ) where i(pk, C, y 1,...,y n )= i,1 (pk, C) y i,n (pk, C) y n s.t. d = 2 (pk, c, y 1,...,y n ) 11

13 OW-CCA Security for KEMs Decapsulation sk c K/? pk K 0 c (c, K ) Enc(pk) K/? c 6= c Decapsulation sk Adv OW-CCA ( ) = Pr[K 0 = K ] 12

14 Non-interactive Problems A non-interactive problem in a group is given by =(g, p, G) (x, y, w) y I V U (y, w) >/? x Hardness of a non-interactive problem y PPTA x wins if V(x, y, w) => Adv NIP P ( ) = Pr[ wins] Pr[U wins] P is hard if Adv NIP P ( ) < neg( ) 8 13

15 Non-interactive Problems A non-interactive problem in a group is given by =(g, p, G) (x, y, w) y I V U (y, w) >/? x Hardness of a non-interactive problem y PPTA wins if V(x, y, w) => x Captured problems: Adv NIP P ( ) = Pr[ wins] Pr[U wins] DDH, CDH, q-sdh, q-abdhe, IND-CPA, P is hard if Adv NIP... P ( ) < neg( ) 8 13

16 Black-box Reductions There is a black-box reduction from the OW-CCA security of a KEM non-interactive problem P if to a Oracle PPTA Any Adv OW-CCA ( ) > neg( ) 9 8 ) Adv NIP P ( ) > neg( ) This is a fully black-box reduction in the terminology by Reingold et al. [RTV04] 14

17 Algebraic Algorithms Defined via the existence of an extractor (X 1,...,X n ; r) (X 1,...,X n ; r) 9 such that ny i=1 X y i i = Y Y (y 1,...,y n ) The security reductions of existing KEMs defined in prime order groups are all algebraic. 15

18 Main Theorem Theorem 8 2K 8P 2 NIP Alg + BB P is hard ) OW-CCA P 16

19 Oracle Separation Lemma Assume there exists an oracle distribution such that 8 2K 9 Alg PPTA s.t. E h i Adv OW-CCA ( ) > neg and 8P 2 NIP E 8 Alg PPTA 9 h i Adv NIP P ( ) PPTA PPTA s.t. < Adv NIP P ( )+Adv DL ( ) Alg + BB Then, 8 2K and 8P 2 NIP, if P hard: OW-CCA P 17

20 Additional Observations 18

21 Additional Observations Looking at the details of the proofs yields a few additional insights The KEM attacker constructed in the proof only requires n decryption queries for a KEM with n group elements in the public key Corollary 8 2K 8P 2 NIP P is hard + pk 2{0, 1} G n BB + Alg ) OW-n-CCA P 18

22 Additional Observations Looking at the details of the proofs yields a few additional insights The KEM attacker constructed in the proof only requires n decryption queries for a KEM with n group elements in the public key Adaptive decryption queries are not required -- one parallel query is sufficient Corollary 8 Corollary 2K 8P 2 NIP BB + Alg 8P is 2K hard8p 2 NIP BB + Alg + ) OW-n-CCA P pk 2{0, P 1} is hard G n ) NM-CPA P 18

23 Programmable Hash Functions 19

24 Programmable Hash Functions Programmable hash functions Introduced by Hofheinz and Kiltz [HK08] Provides programmability in the standard model Main application: short signatures 19

25 Programmable Hash Functions Programmable hash functions Introduced by Hofheinz and Kiltz [HK08] Provides programmability in the standard model Main application: short signatures Based on an algebraic (poly, 1)-programmable hash function, we can construct a KEM which Is IND-CCA secure based on the DDH problem Has an algebraic black-box security reduction Has a ciphertext overhead of a single group element 19

26 Programmable Hash Functions Programmable hash functions Introduced by Hofheinz and Kiltz [HK08] Provides programmability in the standard model Main application: short signatures Based on an algebraic (poly, 1)-programmable hash function, we can construct a KEM which Corollary Is IND-CCA secure 8k 2based N there on exists the DDH no algebraic problem Has an algebraic (poly,k)-programmable black-box security reduction hash function in prime order groups Has a ciphertext overhead of a single group element 19

27 Programmable Hash Functions Programmable hash functions Introduced by Hofheinz and Kiltz [HK08] Provides programmability in the standard model Main application: short signatures Based on an algebraic (poly, 1)-programmable hash function, we can construct a KEM which Corollary Is IND-CCA secure 8k 2based N there on exists the DDH no algebraic problem Corollary Has an algebraic (poly,k)-programmable black-box security reduction hash function 8n, k 2 N in prime there order exists groups no algebraic Has a ciphertext (n,k)-programmable overhead of a single hash function group element with apple 2{0, 1} G m m apple n in prime order groups 19

28 Summary We have shown that There exists no algebraic black-box reduction from the OW-CCA security of a class of efficient KEMs to a non-interactive problem Certain types of programmable hash functions cannot be constructed in prime order groups Open problems (Im)possible to construct an IND-CCA secure KEM without pairings based on a non-interactive assumption and with two group element encapsulations? Possible to extend results to constrained CCA security? Possible to make any conclusions about schemes relying on key derivation functions? 20

29 Thank you! 21