Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Similar documents
Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Applied cryptography

Identity-based encryption

Provable security. Michel Abdalla

G Advanced Cryptography April 10th, Lecture 11

Simple SK-ID-KEM 1. 1 Introduction

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Efficient Identity-based Encryption Without Random Oracles

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Secure and Practical Identity-Based Encryption

REMARKS ON IBE SCHEME OF WANG AND CAO

Boneh-Franklin Identity Based Encryption Revisited

Secure Certificateless Public Key Encryption without Redundancy

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

1 Number Theory Basics

Pairing-Based Cryptography An Introduction

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Advanced Cryptography 1st Semester Public Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

A Strong Identity Based Key-Insulated Cryptosystem

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

An Introduction to Pairings in Cryptography

Cryptography from Pairings

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Type-based Proxy Re-encryption and its Construction

Efficient Identity-Based Encryption Without Random Oracles

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Recent Advances in Identity-based Encryption Pairing-based Constructions

Searchable encryption & Anonymous encryption

Gentry IBE Paper Reading

Efficient Selective Identity-Based Encryption Without Random Oracles

RSA-OAEP and Cramer-Shoup

Hierarchical identity-based encryption

ASYMMETRIC ENCRYPTION

Lecture Note 3 Date:

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

ECS 189A Final Cryptography Spring 2011

2 Message authentication codes (MACs)

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Public Key Cryptography

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Post-quantum security models for authenticated encryption

Lecture 17: Constructions of Public-Key Encryption

Certificateless Signcryption without Pairing

Chosen-Ciphertext Security without Redundancy

The Cramer-Shoup Cryptosystem

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

5.4 ElGamal - definition

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Short Exponent Diffie-Hellman Problems

Introduction to Cybersecurity Cryptography (Part 4)

Efficient Smooth Projective Hash Functions and Applications

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

Short Signatures Without Random Oracles

Introduction to Elliptic Curve Cryptography

CS 6260 Applied Cryptography

A Novel Strong Designated Verifier Signature Scheme without Random Oracles

Introduction to Cybersecurity Cryptography (Part 4)

A New Paradigm of Hybrid Encryption Scheme

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Schnorr Signature. Schnorr Signature. October 31, 2012

Notes for Lecture 17

2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R

Week : Public Key Cryptosystem and Digital Signatures

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Recent Advances in Identity-based Encryption Pairing-free Constructions

Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Public-Key Encryption: ElGamal, RSA, Rabin

Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms

Modern symmetric-key Encryption

The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Advanced Topics in Cryptography

Advanced Cryptography 03/06/2007. Lecture 8

Computational security & Private key encryption

CPA-Security. Definition: A private-key encryption scheme

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes

T Advanced Course in Cryptology. March 28 th, ID-based authentication frameworks and primitives. Mikko Kiviharju

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Generic Constructions of Identity-Based and Certicateless KEMs K. Bentahar, P. Farshim, J. Malone-Lee and N.P. Smart Dept. Computer Science, Universit

Lecture 1: Introduction to Public key cryptography

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Multi-key Hierarchical Identity-Based Signatures

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Introduction to Cryptography. Lecture 8

Automatic, computational proof of EKE using CryptoVerif

New Anonymity Notions for Identity-Based Encryption

Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search

Transcription:

The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key Cryptography Asymmetric cryptography Encryption Signature Encryption guarantees privacy Signature guarantees authentication, and even non-repudiation by the sender

Strong Security Notions Signature Existential Unforgeability under Chosen-Message Attacks An adversary, allowed to ask for signature on any message of its choice, cannot generate a new valid message-signature pair One can prove that: if an adversary is able to break the cryptographic scheme then one can break the underlying problem (integer factoring, discrete logarithm, 3-SAT, etc) Encryption Semantic Security against Chosen-Ciphertext Attacks An adversary that chooses 2 messages, and receives the encryption of one of them, is not able to guess which message has been encrypted, even if it is able to ask for decryption of any ciphertext of its choice (except the challenge ciphertext) hard instance solution 5/39 6/39 Direct Reduction Game-based Methodology Unfortunately Security may rely on several assumptions Proving that the view of the adversary, generated by the simulator, in the reduction is the same as in the real attack game is not easy to do in such a one big step Illustration: OAEP [Bellare-Rogaway EC 94] Reduction proven indistinguishable for an IND-CCA adversary (actually IND-CCA1, and not IND-CCA2) but widely believed for IND-CCA2, without any further analysis of the reduction The direct-reduction methodology [Shoup - Crypto 01] Shoup showed the gap for IND-CCA2, under the OWP Granted his new game-based methodology [Fujisaki-Okamoto-Pointcheval-Stern Crypto 01] FOPS proved the security for IND-CCA2, under the PD-OWP Using the game-based methodology

Sequence of Games Real Attack Game The adversary plays a game, against a challenger (security notion) 9/39 10/39 Sequence of Games Sequence of Games Simulation The adversary plays a game, against a sequence of simulators Simulation The adversary plays a game, against a sequence of simulators

Sequence of Games Output Simulation The adversary plays a game, against a sequence of simulators The output of the simulator in Game 1 is related to the output of the challenger in Game 0 (adversary s winning probability) The output of the simulator in Game 3 is easy to evaluate (e.g. always zero, always 1, probability of one-half) The gaps (Game 1 Game 2, Game 2 Game 3, etc) are clearly identified with specific events 13/39 14/39 Two Simulators Two Distributions perfectly identical behaviors different behaviors, only if event Ev happens Ev is negligible Ev is non-negligible [Hop-S-Perfect] [Hop-S-Negl] [Hop-S-Non-Negl] perfectly identical input distributions different distributions statistically close computationally close [Hop-D-Perfect] [Hop-D-Stat] [Hop-D-Comp] and independent of the output in Game A Simulator B stops in case of event Ev

Two Simulations Two Simulations Identical behaviors: Pr[Game A ] Pr[Game B ] = 0 The behaviors differ only if Ev happens: Ev is negligible, one can ignore it Shoup s Lemma: Pr[Game A] Pr[Game B] Pr[Ev] Pr[Game A] Pr[Game B] = Pr[Game A Ev] Pr[Ev] + Pr[Game A Ev] Pr[ Ev] Pr[Game B Ev] Pr[Ev] Pr[Game B Ev] Pr[ Ev] = (Pr[Game A Ev] Pr[Game B Ev]) Pr[Ev] +(Pr[Game A Ev] Pr[Game B Ev]) Pr[ Ev] 1 Pr[Ev] + 0 Pr[ Ev] Pr[Ev] Ev is non-negligible and independent of the output in Game A, Simulator B stops, in case of event Ev Identical behaviors: Pr[Game A ] Pr[Game B ] = 0 The behaviors differ only if Ev happens: Ev is negligible, one can ignore it Ev is non-negligible and independent of the output in Game A, Simulator B stops and outputs 0, in case of event Ev: Pr[Game B] = Pr[Game B Ev] Pr[Ev] + Pr[Game B Ev] Pr[ Ev] = 0 Pr[Ev] + Pr[Game A Ev] Pr[ Ev] = Pr[Game A] Pr[ Ev] Simulator B stops and flips a coin, in case of event Ev: Pr[Game B] = Pr[Game B Ev] Pr[Ev] + Pr[Game B Ev] Pr[ Ev] = 1 2 Pr[Ev] + Pr[Game A Ev] Pr[ Ev] = 1 2 + (Pr[Game A] 1 2 ) Pr[ Ev] 17/39 18/39 Two Simulations Two Distributions Identical behaviors: Pr[Game A ] Pr[Game B ] = 0 The behaviors differ only if Ev happens: Ev is negligible, one can ignore it Ev is non-negligible and independent of the output in Game A, Simulator B stops in case of event Ev Event Ev Either Ev is negligible, or the output is independent of Ev For being able to stop simulation B in case of event Ev, this event must be efficiently detectable For evaluating Pr[Ev], one re-iterates the above process, with an initial game that outputs 1 when event Ev happens Pr[Game A ] Pr[Game B ] Adv(D oracles )

Two Distributions Pr[Game A ] Pr[Game B ] Adv(D oracles ) For identical/statistically close distributions, for any oracle: Pr[Game A ] Pr[Game B ] = Dist(Distrib A, Distrib B ) = negl() For computationally close distributions, in general, we need to exclude additional oracle access: Pr[Game A ] Pr[Game B ] Adv Distrib (t) where t is the computational time of the distinguisheur 21/39 22/39 Bilinear Maps Gap Groups Bilinear Maps Bilinear Diffie-Hellman Problems (Pairing Setting) Let G1 and G2 be two cyclic groups of prime order p Let g1 and g2 be generators of G1 and G2 respectively Let e : G1 G2 G T, be a bilinear map (Admissible Bilinear Map) Let (p, G1, g1, G2, g2, G T, e) be a pairing setting, with e : G1 G2 G T a non-degenerated bilinear map Bilinear: for any g G1, h G2 and u, v Z, Non-degenerated: e(g1, g2) 1 e(g u, h v ) = e(g, h) uv We focus on the symmetric case: G1 = G2 = G Diffie-Hellman Problems CDH in G: Given g, g a, g b G, compute g ab DDH in G: Given g, g a, g b, g c G, decide whether c = ab or not CDH can be hard to solve, but DDH is easy in gap-groups Bilinear Diffie-Hellman Problems CBDH in G: Given g, g a, g b, g c G, compute e(g, g) abc DBDH in G: Given g, g a, g b, g c G and h G T, decide whether h? = e(g, g) abc

Identity-Based Cryptography [Shamir Crypto 84] Public-Key Cryptography Each user ID owns a public key pk a certificate that guarantees the link between ID and pk a private key sk, related to pk One has to access a dictionary in order to get pk, the public key of ID, together with the certificate, in order to encrypt a message to ID Identity-Based Cryptography Each user ID owns a private key sk, related to ID the public key pk is indeed ID itself 25/39 26/39 Identity-Based Encryption Security Model: IND ID CCA Setup The authority generates a master secret key msk, and publishes the public parameters, PK Extraction Given an identity ID, the authority computes the private key sk granted the master secret key msk Encryption Any one can encrypt a message m to a user ID using only m, ID and the public parameters PK Decryption Given a ciphertext, user ID can recover the plaintext, with sk (IND ID CCA Security) A receives the global parameters A asks any extraction-query, and any decryption-query A outputs a target identity ID and two messages (m0, m1) The challenger flips a bit b, and encrypts m b for ID into c A asks any extraction-query, and any decryption-query A outputs its guess b for b Restriction: ID never asked to the extraction oracle, and (ID, c ) never asked to the decryption oracle. CPA: no decryption-oracle access Adv ind id cca = 2 Pr[b = b] 1

Identity-Based Encryption [Boneh-Franklin Crypto 01] BF IBE (Cont d) Setup The authority sets up a gap-group framework: a group G of prime order p, with a generator g, equipped with an admissible bilinear map e : G G G T It selects a master secret key msk = s Zp It publishes the public parameters: PK = (p, G, e, g, P = g s ) Extraction Given an identity ID, the authority computes the private key sk = H(ID) s Note that sk is a BLS signature of ID: e(sk, g) = e(h(id), P) Encryption In order to encrypt a message m to a user ID one chooses a random r Zp computes A = g r and K = e(p, H(ID) r ) sends (A, B = K m) K = e(p, H(ID) r ) = e(g s, H(ID) r ) = e(g r, H(ID) s ) = e(a, sk) Decryption Upon reception of (A, B), user ID computes K = e(a, sk) gets m = B/K 29/39 30/39 BF IBE Security Analysis Real Attack Game Theorem The BF IBE is IND ID CPA secure under the DBDH problem, in the random oracle model By masking m with H(K ): B = m H(K ), the BF IBE is IND ID CPA secure under the CBDH problem, in the random oracle model Theorem The BLS signature achieves EUF CMA security, under the CDH assumption in G, in the Random Oracle Model Random Oracle Setup Oracle H(ID): M R G, output M Setup(): msk R Zp, P = g msk Extraction Oracle Ext(ID): M = H(ID), output sk = M msk

Simulations Game0: use of the oracles Setup, Ext, and H Game1: use of the simulation of the Random Oracle Simulation of H H(ID): µ R Zp, output M = g µ = Hop-D-Perfect: Pr[Game1] = Pr[Game0] Game2: use of the simulation of the Extraction Oracle Simulation of Ext Ext(ID): find µ such that M = H(ID) = g µ, output sk = P µ = Hop-S-Perfect: Pr[Game2] = Pr[Game1] H-Query Selection R Game3: random index t {1,..., q H } Event Ev If the t-th query to H is not the challence ID We stop the game and flip a coin if Ev happens = Hop-S-Non-Negl Pr[Game3] = 1 ( 2 + Pr[Game2] 1 ) Pr[ Ev] Pr[Ev] = 1 1/q H 2 Pr[Game3] = 1 ( 2 + Pr[Game2] 1 ) 1 2 q H 33/39 34/39 Challenge ID Challenge Ciphertext Game4: True DBDH instance (g, g α, g β, g γ ) with h = e(g, g) αβγ Use of the simulation of the Setup Oracle Simulation of Setup Setup(): set P g α Modification of the simulation of the Random Oracle Simulation of H If this is the t-th query, H(ID): M g β, output M Difference for the t-th simulation of the random oracle: we cannot extract the secret key. Since this is the challenge ID, it cannot be queried to the extraction oracle: = Hop-D-Perfect: Pr[Game4] = Pr[Game3] Game5: True DBDH instance (g, g α, g β, g γ ) with h = e(g, g) αβγ We have set P g α, and for the t-th query to H: M = g β Ciphertext Set A g γ and K h to generate the encryption of m b under ID = Hop-D-Perfect: Pr[Game5] = Pr[Game4] Game6: Random DBDH instance (g, g α, g β, g γ ) with h R G T = Hop-D-Comp: Pr[Game6] Pr[Game5] Adv dbdh (t + q H τe)

Conclusion In this last Game6, it is clear that Pr[Game6] = 1 2 Pr[Game6] Pr[Game5] Adv dbdh (t + q H τe) Pr[Game5] = Pr[Game4] Pr[Game4] = Pr[Game3] Pr[Game3] = 1 2 + (Pr[Game2] 1 2 ) 1 q H Pr[Game2] = Pr[Game1] Pr[Game1] = Pr[Game0] Pr[Game0] = 1 2 + Advind id cpa (A) Adv ind id cpa (A) q H Adv dbdh (t + q H τe) 37/39 38/39 Conclusion Conclusion The game-based methodology uses a sequence of games The transition hops are simple easy to check It leads to easy-to-read and easy-to-verify security proofs: Some mistakes have been found granted this methodology Some security analyses became possible to handle This approach can be automized [Analysis of OAEP] [Analysis of EKE] [CryptoVerif]

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback