A Brief History of Provable Security and PKE

Alex Dent, Information Security Group, Royal Holloway, University of London

Jan 13, 2016

Transcript
Page 1: A Brief History of Provable Security and PKE

A Brief History of Provable Security and PKE

Alex Dent

Information Security Group

Royal Holloway, University of London

Page 2: A Brief History of Provable Security and PKE

A Provable Timeline

• Late 1970s: First secure schemes

• 1980s: Definitions

• 1990s: Random oracle model schemes

• Late 1990s: “Double and add” schemes– NIZK proof schemes– Cramer-Shoup encryption

• 2000s: Signatures and identities

• 2000s: Extracting the truth

Page 3: A Brief History of Provable Security and PKE

Definitions

• Confidentiality means that an attacker cannot find any information about a plaintext from a ciphertext.

• Semantic security captures this notion.

Page 4: A Brief History of Provable Security and PKE

Definitions

• IND-CPA is equivalent to semantic security [Goldwasser-Micali, 1984].

Page 5: A Brief History of Provable Security and PKE

Definitions

• The IND-CPA game, as drawn on the slide:
– The challenger sends the attacker the public key pk.
– The attacker chooses two messages m0, m1 (of equal length) and sends them to the challenger.
– The challenger picks b ← {0,1}, computes C* = Enc(pk, mb) and returns C*.
– The attacker outputs a guess b′.

• Attacker wins if b = b′

• Advantage of an attacker is:

| Pr[ b = b′ ] - ½ |

Page 6: A Brief History of Provable Security and PKE

Definitions

• IND-CCA1 security: Allows access to a decryption oracle before the challenge ciphertext is issued [Naor-Yung, 1990].

Page 7: A Brief History of Provable Security and PKE

Definitions

• IND-CCA2 security: Allow access to a decryption oracle before and after the challenge ciphertext is issued.

[Rackoff-Simon, 1991]

Page 8: A Brief History of Provable Security and PKE

Definitions

• The IND-CCA2 game, as drawn on the slide:
– The challenger sends the attacker the public key pk.
– Before the challenge, the attacker may submit any ciphertext C and receives m = Dec(sk, C).
– The attacker chooses m0, m1 (of equal length); the challenger picks b ← {0,1} and returns C* = Enc(pk, mb).
– After the challenge, the attacker may submit any C ≠ C* and receives m = Dec(sk, C).
– The attacker outputs a guess b′.

• Advantage of an attacker is:

| Pr[ b = b′ ] - ½ |
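The IND-CCA2 experiment drawn above, as an added example that is not part of the original deck: a Python harness for the game with a decryption oracle that refuses only C* itself, run against textbook ElGamal in a small safe-prime subgroup. The parameters (p = 10007, q = 5003, generator 4), the pk = h = g^z form of ElGamal, the adversary class and every function name are this example's own assumptions. It shows why the notion is hard to achieve: a scheme that is perfectly fine under IND-CPA loses every single game once one post-challenge query on a mauled ciphertext is allowed.

```python
import secrets

# Toy group constructed for this example: p = 2q + 1 is a safe prime, so the
# quadratic residues mod p form a subgroup of prime order q, generated by g = 4.
# A deployment would use a ~2048-bit group or an elliptic curve; the small
# size only keeps the numbers readable and changes nothing in the game logic.
P, Q, G = 10007, 5003, 4


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


# Textbook ElGamal: IND-CPA under DDH, but every ciphertext is malleable.
def eg_keygen():
    z = rand_exp()
    return pow(G, z, P), z                      # pk = h = g^z, sk = z


def eg_encrypt(h, m):
    r = rand_exp()
    return pow(G, r, P), pow(h, r, P) * m % P   # (a, c) = (g^r, h^r * m)


def eg_decrypt(z, C):
    a, c = C
    return c * pow(pow(a, z, P), -1, P) % P     # m = c / a^z


def ind_cca2_game(keygen, encrypt, decrypt, adversary):
    """One run of the IND-CCA2 experiment from the slide; True when b' == b.

    The adversary gets pk and a decryption oracle, names (m0, m1), receives the
    challenge C* and outputs b'.  The oracle answers every query before the
    challenge and every query C != C* afterwards; asking for Dec(sk, C*) is
    the trivial query and is refused.
    """
    pk, sk = keygen()
    challenge = [None]

    def dec_oracle(C):
        if C == challenge[0]:
            raise ValueError("trivial query: C* itself is never decrypted")
        return decrypt(sk, C)

    m0, m1 = adversary.choose(pk, dec_oracle)
    b = secrets.randbelow(2)
    challenge[0] = encrypt(pk, (m0, m1)[b])
    return adversary.guess(challenge[0], dec_oracle) == b


class MaulingAdversary:
    """Wins the IND-CCA2 game against ElGamal with one post-challenge query."""

    def choose(self, pk, dec_oracle):
        self.m0, self.m1 = pow(G, 7, P), pow(G, 99, P)   # two distinct elements
        return self.m0, self.m1

    def guess(self, c_star, dec_oracle):
        a, c = c_star
        # (a, c * g) differs from C*, so the oracle must answer; it decrypts
        # to m_b * g, which hands the adversary m_b and therefore b.
        m_b = dec_oracle((a, c * G % P)) * pow(G, -1, P) % P
        return 0 if m_b == self.m0 else 1


def elgamal_cca2_advantage(trials=100):
    """|Pr[b' = b] - 1/2| for the mauling adversary, estimated over `trials` games."""
    wins = sum(ind_cca2_game(eg_keygen, eg_encrypt, eg_decrypt, MaulingAdversary())
               for _ in range(trials))
    return abs(wins / trials - 0.5)


if __name__ == "__main__":
    print("mauling adversary's advantage against ElGamal:", elgamal_cca2_advantage())
```

The harness is scheme-agnostic: any triple (keygen, encrypt, decrypt) with the same calling convention can be dropped in, and the "C ≠ C*" rule is the only restriction the oracle imposes, exactly as on the slide.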

Page 9: A Brief History of Provable Security and PKE

Definitions

• Why is this such a difficult notion of security to achieve?

Page 10: A Brief History of Provable Security and PKE

Definitions

• Decryption oracle has to be “consistent”: in a proof, the reduction does not hold sk, yet every query C must be answered with the same m that Dec(sk, C) would return, and the answers must agree with the challenge ciphertext.

• Trivial oracle queries: the attacker may not ask for Dec(sk, C*) itself, but anything derived from C* is fair game, so the reduction must be able to answer those too.

• Problem (the left-hand diagram on the slide): the real game, in which the attacker gets pk, queries C → m, submits m0, m1, receives C*, queries C → m again, and outputs b′.

• Solution (the right-hand diagram): the reduction replaces the decryption oracle with a simulated decryption oracle and the challenge with a simulated ciphertext, in such a way that the attacker cannot tell the simulation from the real game.

Page 11: A Brief History of Provable Security and PKE

Random Oracle Model

• The random oracle methodology models hash functions as random functions.

[Bellare-Rogaway, 1993]

• Enables security proofs for very efficient schemes such as ECIES and RSA-OAEP.

Page 12: A Brief History of Provable Security and PKE

Random Oracle Model

• There exist schemes that are secure in the random oracle model, but insecure when the random oracle is instantiated with any concrete hash function.

[Canetti-Goldreich-Halevi, 1998]

Page 13: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• A series of schemes prove security by encrypting a message twice with a weak scheme and adding a “checksum”.

• Principle proposed by Naor and Yung, whose construction gives IND-CCA1 security.

• IND-CCA2 version of the scheme given in [Sahai, 1999].

• “Checksum” is a NIZK proof.

Page 14: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• Non-interactive zero-knowledge (NIZK) proof that two ciphertexts encrypt the same message.

• Public value: σ (a common reference string that becomes part of the public key).

• Prover’s input: the message and the coins used to produce both ciphertexts. Output: proof π.

Page 15: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• Zero knowledge: it must be possible to choose σ in such a way that there is a trapdoor τ which allows “false” proofs.

• Public value: σ. Private value: τ.

• Honest prover: from the message and coins, produce proof π.

• Simulator: from τ and any two ciphertexts (whether or not they encrypt the same message), produce a proof π that verifies under σ.

Page 16: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• Simulation sound: it must not be possible to find a false proof (given only σ) even if you have seen one false proof produced with τ.

• Public value: σ. Private value: τ.

• Honest prover: from the message and coins, produce proof π.

• Simulator: from τ and any two ciphertexts, produce a proof π. Seeing one such π must not let the attacker forge another one.

Page 17: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• Use an IND-CPA scheme (G, E, D).

• Public key is (pk1, pk2, σ).

• Private key is sk1.

• To encrypt m:
– C1 ← E(pk1, m) and C2 ← E(pk2, m), each with fresh coins.
– π ← NIZK proof under σ that C1 and C2 encrypt the same message.
– C = (C1, C2, π).

• To decrypt:
– Check proof π (reject if it fails).
– Decrypt C1 with sk1.

Page 18: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• This scheme is theoretical.

• The NIZK is impractical (very long output and time consuming to compute).

• However, it does show that IND-CCA2-secure public key encryption exists as long as trapdoor one-way permutations exist (they give both the IND-CPA scheme and the NIZK).

Page 19: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• The Cramer-Shoup scheme was the first practical scheme provably IND-CCA2 secure in the standard model (without random oracles).

[Cramer-Shoup, 1998]

Page 20: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• The Cramer-Shoup encryption scheme works on the same principles as Sahai.

• Key generation:
– g, g′ ← G
– x1, x2, y1, y2, z ← Zp
– h ← g^z
– e ← g^x1 · g′^x2
– f ← g^y1 · g′^y2
– pk = (g, g′, h, e, f)
– sk = (x1, x2, y1, y2, z)

• Encrypt:
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– v ← Hash(a, a′, c)
– d ← e^r · f^(rv)
– C = (a, a′, c, d)
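Decryption is not written out on the slide. As an added note (not from the original deck), with sk = (x1, x2, y1, y2, z) the decryptor recomputes the tag and rejects if it does not match:

$$
v \leftarrow \mathrm{Hash}(a, a', c), \qquad
\text{accept iff } d = a^{x_1 + y_1 v} \cdot a'^{\,x_2 + y_2 v}, \qquad
m \leftarrow c \cdot a^{-z}.
$$

For an honestly generated ciphertext the check passes and the message is recovered because

$$
a^{x_1 + y_1 v}\, a'^{\,x_2 + y_2 v}
= g^{r x_1}\, g'^{\,r x_2} \bigl(g^{r y_1}\, g'^{\,r y_2}\bigr)^{v}
= e^{r} f^{rv} = d,
\qquad
a^{z} = g^{rz} = h^{r}.
$$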

Page 21: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• Start with a version of ElGamal.

• ElGamal is passively secure under the DDH assumption.

• Publicly known, random element h ← G.

• Key generation:
– z ← Zp
– g ← h^(1/z)
– pk = g
– sk = z

• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– C = (a, c)

• (Decrypt: m = c / a^z, since a^z = g^(rz) = h^r.)

Page 22: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• We need to encrypt twice under independent public keys.

• Key generation:
– z, z′ ← Zp
– g ← h^(1/z)
– g′ ← h^(1/z′)
– pk = (g, g′)
– sk = (z, z′)

• Encrypt:
– r, r′ ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^r′
– c′ ← h^r′ · m
– C = (a, c, a′, c′)

Page 23: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• However, a paper by [Bellare-Boldyreva-Staddon, 2003] says we can reuse the random value r without losing security.

Page 24: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• However, a paper by [Bellare-Boldyreva-Staddon, 2003] says we can reuse the random value r without losing security.

• Key generation:
– z, z′ ← Zp
– g ← h^(1/z)
– g′ ← h^(1/z′)
– pk = (g, g′)
– sk = (z, z′)

• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^r
– c′ ← h^r · m
– C = (a, c, a′, c′)

Page 25: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• However, now c and c′ are the same value, so one of them can be dropped.

• Key generation:
– z, z′ ← Zp
– g ← h^(1/z)
– g′ ← h^(1/z′)
– pk = (g, g′)
– sk = (z, z′)

• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^r
– C = (a, c, a′)

Page 26: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• Now, the value z′ is never used and so we can remove it.

• Key generation:
– z ← Zp
– g ← h^(1/z)
– g′ ← G
– pk = (g, g′)
– sk = z

• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^r
– C = (a, c, a′)

Page 27: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• And if we just tidy up a bit (choose g first and set h ← g^z instead of g ← h^(1/z)), then we get…

• (I’m hiding a few things here!)

• Key generation:
– g, g′ ← G
– z ← Zp
– h ← g^z
– pk = (g, g′, h)
– sk = z

• Encrypt:
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– C = (a, a′, c)

Page 28: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• However, this is over half the Cramer-Shoup scheme.

• Key generation (tidied ElGamal):
– g, g′ ← G
– z ← Zp
– h ← g^z
– pk = (g, g′, h)
– sk = z

• Key generation (Cramer-Shoup):
– g, g′ ← G
– x1, x2, y1, y2, z ← Zp
– h ← g^z
– e ← g^x1 · g′^x2
– f ← g^y1 · g′^y2
– pk = (g, g′, h, e, f)
– sk = (x1, x2, y1, y2, z)

Page 29: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• However, this is over half the Cramer-Shoup scheme.

• Encrypt (tidied ElGamal):
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– C = (a, a′, c)

• Encrypt (Cramer-Shoup):
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– v ← Hash(a, a′, c)
– d ← e^r · f^(rv)
– C = (a, a′, c, d)

Page 30: A Brief History of Provable Security and PKE

“Double and Add” Schemes

• So this fits the Sahai mold, providing d acts like a NIZK proof that a and a′ were formed with the same r.

• In the proof, it is shown that d can be faked if you know x1, x2, y1, y2: for any (a, a′, c), consistent or not, the value a^(x1 + y1·v) · a′^(x2 + y2·v) passes the decryption check. This plays the role of the NIZK trapdoor τ.

• In the proof, it is shown that if a = g^r and a′ = g′^r′ with r ≠ r′ then the decryption algorithm will reject, except with negligible probability, even after the attacker has seen one faked d. This plays the role of simulation soundness.

• Encrypt:
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– v ← Hash(a, a′, c)
– d ← e^r · f^(rv)
– C = (a, a′, c, d)
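The scheme of Page 20 and the two proof facts of Page 30, as an added example that is not part of the original deck: a toy Python implementation of Cramer-Shoup over a small safe-prime subgroup, with the consistency-checking decryptor, a tag "faked" from the trapdoor x1, x2, y1, y2, and an experiment showing that ciphertexts with a = g^r, a′ = g′^r′ (r ≠ r′) or with a mauled c are rejected without that trapdoor. The parameters (p = 10007, q = 5003), the use of SHA-256 reduced mod q as Hash, and all function names are this example's own assumptions.

```python
import hashlib
import secrets

# Toy group constructed for this example: p = 2q + 1 is a safe prime, so the
# quadratic residues mod p form a subgroup G of prime order q.  A deployment
# would use a ~2048-bit group or an elliptic curve; the small size only keeps
# the numbers readable and changes nothing in the algebra.
P, Q = 10007, 5003


def rand_group_elem():
    # Squaring a random non-zero residue lands in G; anything but 1 generates G.
    while True:
        y = pow(secrets.randbelow(P - 1) + 1, 2, P)
        if y != 1:
            return y


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def hash_v(a, a2, c):
    # Hash(a, a', c) of the slides.  SHA-256 reduced into Z_q stands in for
    # the target-collision-resistant hash the scheme assumes.
    data = b"|".join(str(x).encode() for x in (a, a2, c))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    g, g2 = rand_group_elem(), rand_group_elem()            # g, g'
    x1, x2, y1, y2, z = (rand_exp() for _ in range(5))
    h = pow(g, z, P)
    e = pow(g, x1, P) * pow(g2, x2, P) % P                  # e = g^x1 * g'^x2
    f = pow(g, y1, P) * pow(g2, y2, P) % P                  # f = g^y1 * g'^y2
    return (g, g2, h, e, f), (x1, x2, y1, y2, z)


def encrypt(pk, m, r=None):
    g, g2, h, e, f = pk
    r = rand_exp() if r is None else r
    a, a2 = pow(g, r, P), pow(g2, r, P)                     # a = g^r, a' = g'^r
    c = pow(h, r, P) * m % P
    v = hash_v(a, a2, c)
    d = pow(e, r, P) * pow(f, r * v % Q, P) % P             # d = e^r * f^(rv)
    return a, a2, c, d


def expected_d(sk, a, a2, c):
    # The tag the decryptor recomputes: a^(x1 + y1 v) * a'^(x2 + y2 v).  For an
    # honest ciphertext it equals e^r * f^(rv).  Anyone holding x1, x2, y1, y2
    # can compute it for ANY (a, a', c), consistent or not: that is the
    # "faked d" the simulator uses in the proof, the analogue of the NIZK
    # trapdoor tau.
    x1, x2, y1, y2, _ = sk
    v = hash_v(a, a2, c)
    return pow(a, (x1 + y1 * v) % Q, P) * pow(a2, (x2 + y2 * v) % Q, P) % P


def decrypt(sk, C):
    a, a2, c, d = C
    if d != expected_d(sk, a, a2, c):
        return None                                          # reject
    return c * pow(pow(a, sk[4], P), -1, P) % P              # m = c / a^z


def inconsistent_ciphertext(pk, m):
    # a = g^r but a' = g'^r2 with r2 != r, tagged as an honest encryptor would.
    g, g2, h, e, f = pk
    r = rand_exp()
    r2 = (r + rand_exp()) % Q                                # r2 != r mod q
    a, a2 = pow(g, r, P), pow(g2, r2, P)
    c = pow(h, r, P) * m % P
    d = pow(e, r, P) * pow(f, r * hash_v(a, a2, c) % Q, P) % P
    return a, a2, c, d


def mauled_ciphertext(C, factor):
    # ElGamal-style mauling: multiply c by a group element, keep a, a', d.
    a, a2, c, d = C
    return a, a2, c * factor % P, d


def rejection_rate(trials=50):
    """Fraction of inconsistent and mauled ciphertexts that decrypt() rejects.

    Without the trapdoor such a ciphertext slips through only if a linear
    relation in the secret exponents happens to hold, probability about 1/q.
    """
    rejected = 0
    for _ in range(trials):
        pk, sk = keygen()
        m = rand_group_elem()
        rejected += decrypt(sk, inconsistent_ciphertext(pk, m)) is None
        rejected += decrypt(sk, mauled_ciphertext(encrypt(pk, m), rand_group_elem())) is None
    return rejected / (2 * trials)


if __name__ == "__main__":
    pk, sk = keygen()
    m = rand_group_elem()
    assert decrypt(sk, encrypt(pk, m)) == m
    print("rejection rate for inconsistent/mauled ciphertexts:", rejection_rate())
```

Note the asymmetry that the proof exploits: `expected_d` accepts anything when run by someone who knows the whole key, but an attacker who only knows pk cannot produce the matching tag for an inconsistent (a, a′) pair, because d depends on x1, x2, y1, y2 through two independent linear relations that the public values e and f do not pin down.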

Page 31: A Brief History of Provable Security and PKE

Signatures and Identities

• It is possible to turn a passively secure identity-based encryption scheme into a secure public-key encryption scheme.

[Canetti-Halevi-Katz, 2004]

• Passively secure here means IND-CPA against a selective-identity attacker; the transform encrypts to the verification key of a fresh one-time signature and signs the ciphertext with it.

Page 32: A Brief History of Provable Security and PKE

Signatures and Identities

• It is possible to turn a passively secure identity-based encryption scheme into a secure public-key encryption scheme.

[Canetti-Halevi-Katz, 2004]

• A little odd that it took the development of identity-based encryption before we got new public-key encryption schemes.

Page 33: A Brief History of Provable Security and PKE

Extracting the Truth

• Plaintext awareness is a property of an encryption scheme that says that the only way to create a valid ciphertext is to generate a plaintext and encrypt it.

• So, if an attacker generates a valid ciphertext, then it must know the underlying message.

• Hence, a decryption oracle is no help.

Page 34: A Brief History of Provable Security and PKE

Extracting the Truth

• It’s difficult to say what it means for an attacker (computer) to “know” something.

• The definitions are complex.

• All known proofs rely on the random oracle model, an unrealistic architecture, or suspect “extractor” assumptions.

• The subject for another lecture…

Page 35: A Brief History of Provable Security and PKE

Extracting the Truth

• The idea was first given a full formal treatment in [Bellare-Desai-Pointcheval-Rogaway, 1998].

Page 36: A Brief History of Provable Security and PKE

Extracting the Truth

• The idea was first given a full formal treatment in [Bellare-Desai-Pointcheval-Rogaway, 1998].

• However, this definition could only be achieved in the random oracle model.

Page 37: A Brief History of Provable Security and PKE

Extracting the Truth

• [Herzog-Liskov-Micali, 2003] gave a new interpretation of the problem, but it needed an unrealistic architecture (a key-registration model in which every user, the attacker included, must register its public keys with an authority).

• The first fully satisfactory definition for plaintext awareness in the standard model was given by [Bellare-Palacio, 2004].

Page 38: A Brief History of Provable Security and PKE

Extracting the Truth

• The Cramer-Shoup scheme was the first to be proven plaintext aware [Dent, 2006]

• Cramer-Shoup and Kurosawa-Desmedt “hash proof system” schemes can be shown to be plaintext aware [Birkett-Dent].

Page 39: A Brief History of Provable Security and PKE

Where are we now?

• [Boneh-Katz, 2005] is a signature-and-identity scheme similar to the CHK transform.
– Transform efficiency overhead is minimal.
– Still requires a passively secure IBE scheme.

• [Hofheinz-Kiltz, 2007] mixes Cramer-Shoup and IBE techniques.
– 2.5 exponentiations for encryption.
– 1.5 exponentiations for decryption.

Page 40: A Brief History of Provable Security and PKE

Conclusions

• None of the approaches really work…
– they use the random oracle model,
– or they intrinsically require two operations,
– or they use weak “extractor” assumptions.

• New approach is needed if we’re going to prove the ultra-high-speed schemes secure.

• Plenty missing from this presentation

Page 41: A Brief History of Provable Security and PKE

Questions?