anonymity and robustness in encryption schemes
DESCRIPTION
Anonymity and Robustness in Encryption Schemes. Payman Mohassel University of Calgary. Public Key Encryption (PKE). ( pk , sk ) KG. pk. C = Enc( pk,m ). m = Dec( sk,C ). PKE = (KG, Enc, Dec). Traditional Security Notions ( Data Secrecy). Semantic security - PowerPoint PPT PresentationTRANSCRIPT
Anonymity and Robustness in
Encryption Schemes
Payman MohasselUniversity of Calgary
2
Public Key Encryption (PKE)
pk(pk, sk) KG
C = Enc(pk,m)
m = Dec(sk,C)
PKE = (KG, Enc, Dec)
Traditional Security Notions(Data Secrecy)
• Semantic security– No function of the message is leaked– Equivalent to indistinguishability
• Non-malleability– Hard to create ciphertext for related messages
• Chosen plaintext attacks (CPA)• Chosen ciphertext attacks (CCA)
Mobile Communication
Mobile User
Base Station
key exchange
eavesdropper wants to learn identity of mobile user
Enc(pk, message) pk
Secure Auction [Sako’00]
• First practical auction to hide bid values
• Keys correspond to bid values• A known message is encrypted using the key• Hiding a bid value requires hiding the key
(pk, sk)
c
c
c = Enc(pk, m)
c
Dec(sk’, c) =
Other Guarantees
• Does the ciphertext hide the key?– Anonymity
• What happens when decrypting using a different key?– Robustness
ANON-CCA
Challenger
(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}
pk0, pk1
c1 , b1
Dec(skb1, c1)
. . . .
ci , bi
Dec(skbi, ci)
m
C=Enc(pkb ,m)
b’
Advanon-cca,PKE(A) =|Pr[b’ = b] – ½| is negligible
ci+1 , bi+1
Dec(skbi+1, c1)
. . . .
cq, bq
Dec(skbq, cq)
Weak Robustness (WROB-CCA)
M
(pk0, sk0) KG(1n) (pk1, sk1) KG(1n)
pk0, pk1
ci , bi
Dec(skbi, ci)
. . . .
Challenger
Adv wins if Dec(sk1, C) ≠ , where C = Enc(pk0,M)
Strong Robustness (SROB-CCA)
C
(pk0, sk0) KG(1n) (pk1, sk1) KG(1n)
pk0, pk1
ci , bi
Dec(skbi, ci)
. . . .
Challenger
Adv wins if Dec(sk0,C) ≠ and Dec(pk1,C) ≠
What is Known?
• Anonymity– Not always satisfied– y = xe mod N for random x– pk0 = (N0, e0) pk1 = (N1, e1), N1 > N0
– If y > N0 return pk1 else return pk0
• Robustness– ElGamal is not robust– [pk0 = (G, p, g, gx) , sk0 = x] , [pk1 = (G, p, g, gy), sk1 = y]
– Enc(pk0, m) = (c1, c2) = (gr , mgxr)
– m’ = Dec(sk1, (c1, c2)) = c2/c1y = mg(x-y)r
What is Known?
• Anonymous PKE and IBE– [Bellare et al. 2001], [Abdalla et al. 2008]– PKE: DHIES, [Cramer-Shoup’01]– IBE: [Boneh-Franklin’01], [Boyen-Waters’06]
• Robust PKE and IBE– [Abdalla et al. 2010]• Strongly robust IBE: [Boneh-Franklin’01]• Weakly robust PKE: DHIES, [Cramer-Shoup’01]• Not robust: [Boyen-Waters’06]
Our Contribution
• Studying anonymity of hybrid encryption– Positive and negative results
• More efficient transformations for robust encryption schemes– Computation and ciphertext size– Please see the paper
Question: Given an “anonymous PKE/IBE” and an “anonymous SKE”, is the hybrid encryption scheme also anonymous?
Anonymity of Hybrid Encryption
• ANON-CPA PKE/IBE + IND-CPA SKE– The hybrid encryption is ANON-CPA
• [negative] ANON-CCA PKE/IBE + IND-CCA SKE– The hybrid encryption is NOT always ANON-CCA– True if SKE is ANON-CCA or more
• [positive] (WROB + ANON)-CCA PKE/IBE + AE SKE– The hybrid encryption is ANON-CCA– More evidence that “anonymity” and “robustness”
are needed simultaneously
Counter Example (PKE)
• Start with (WROB + ANON)-CCA PKE1
– PKE1 = (KG1, Enc1, Dec1)
• Build PKE2 = (KG2, Enc2, Dec2) – Dec2 • Run Dec1, if it returns return 0n
• Else return what Dec1 outputs
• PKE2 is still ANON-CCA
Counter Example (SKE)
• We use a key-binding IND-CCA SKE• Key-binding SKE = (K, SE, SD)– For any k K, randomness r, and message m– There is no k’ ≠ k where SDk’(SEk(m,r)) ≠
• PKE2 + key-binding SKE– Not ANON-CCA
Counter Example
m
(c1, c2) = (Enc2(pkb,k), SE(k,m))
Challenger
(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}
Decryption query under pk0
for (c1, SE(0n,m’))
pk0, pk1
If the answer is let b’ = 0, else b’ = 1
b’
Counter Example
• Requiring stronger security notion for SKE does NOT help– If it can be combined with key-binding
• What about stronger notions for the PKE?
Positive Result
Claim: If PKE is (ANON + WROB + IND)-CCA and SKE is a (one-time) authenticated encryption, the hybrid construction is (ANON + IND)-CCA
Game 0
Challenger
(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}
pk0, pk1
C1 , b1
Dec(skb1, C1)
. . . .
Ci , bi
Dec(skbi, Ci)
m
c*1 = Enc(pkb,k*)c*2 = SE(k*,m)
b’
Advanon-cca,PKE(A) =|Pr[b’ = b] – ½| is negligible
Ci+1 , bi+1
Dec(skb1, C1)
. . . .
Cq, bq
Dec(skbq, Cq)
Game 1
Challenger
(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}
pk0, pk1
m
c*1 = Enc(pkb, k*)c*2 = SE(k*, m)
b’
(c*1, c2 ≠ c*2), b
SD(k*, c2)
Difference in games: decryption error
Game 2
Challenger
(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}
pk0, pk1
m
c*1 = Enc(pkb ,k*)c*2 = SE(k*,m)
b’
(c*1, c2 ≠ c*2), 1-b
Difference in games: weak robustness of the PKE only if c*1 decrypts under pkb and pk1-b
Game 3
Challenger
(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}
pk0, pk1
m
c*1 = Enc(pkb ,k*)c*2 = SE(k’,m)
b’
Difference in games: IND-CCA security of the PKE
Game 4
Challenger
(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}
pk0, pk1
m
c*1 = Enc(pkb ,k*)c*2 = SE(k’,m)
b’
Difference in games: CTXT integrity of the SKE only if a valid ciphertext under k’ is generated
(c*1, c2 ≠ c*2), {b or 1-b}
Putting Things Together
• Advanon-cca(hybrid) <
Advwrob-cca(PKE)
+ Advind-cca(PKE)
+ Advctxt-int(SKE)
+ Advanon-cca(PKE)
• Boneh-Franklin, Cramer-Shoup, DHIES are WROB-CCA• Boyen-Waters IBE is not
Summary
• ANON-CCA PKE + (…) SKE ANON-CCA hybrid
• (WROB + ANON)-CCA PKE + AE SKE ANON-CCA hybrid
• Is weak-robustness a necessary condition?• Is Boyen-Waters (in)secure when used in a
hybrid construction?
Thank you
Results on Robustness
• [Abdalla et al.’10]– Transforming ANON-CCA schemes to robust ones
• We design more efficient transformations– Refer to the paper
30
Indentity-based encryption (IBE)
id
(sk,pk)PKG
C = Encpk(m)
m = Decsk(C)
IBE = (MKG, Enc, Dec)
(par, msk) MKG
31
IND-CCA
Challenger
c1
(pk, sk) KG(1n) ; b {0,1}
Decsk(c1)
. . . .
ci
Decsk(ci)
m0 , m1
C=Encpk(mb)
ci+1
Decsk(ci+1)
. . . .
cq
Decsk(cq)
b’
Advind-cca,PKE(A) =|Pr[b’ = b] – ½| is negligible