Slide 1
An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem
Mihir Bellare, Alexandra Boldyreva, Adriana Palacio
University of California at San Diego
Slide 2
The Random-Oracle (RO) model [BR93]
• Algorithms of the scheme, as well as the adversary, have oracle access to random functions.
• Very popular: there are numerous schemes designed and proven secure in this model.
[Figure: the encryption algorithm AE_pk(M) makes oracle calls a → H → h = H(a), b → G → g = G(b), ...]
Slide 3
Moving to the real world
However, the RO model is an idealized setting. To get a real-world scheme we must instantiate the ROs with real functions.
Slide 4
Instantiation of this scheme via SHA1
[Figure: the same AE_pk(M), with the oracle calls replaced by h = SHA1(a), g = SHA1(b), ...]
Slide 5
Instantiation: more generally
Let F1, F2 be poly-time computable families of functions, with (public) keys L1, L2 that become part of the public key.
[Figure: AE_{pk,L1,L2}(M), with h = F1_{L1}(a), g = F2_{L2}(b), ...]
Slide 6
Security of instantiated schemes
RO model thesis: If a scheme is proven secure in the RO model, then it remains secure under a suitable instantiation.
Question: Is this true?
Answer: No. Past work has shown the existence of uninstantiable schemes.
Slide 7
Uninstantiable schemes
Definition. A scheme is uninstantiable (with respect to some cryptographic goal) if
1. the scheme satisfies the goal in the RO model, and
2. no instantiation satisfies the goal in the standard model.
Slides 8-9
Examples of uninstantiable schemes

| Who | Goals | Schemes |
|---|---|---|
| Canetti, Goldreich, Halevi | IND-CPA encryption, UF-CMA signatures (practical) (+) | Complex, artificial (-) |
| Nielsen | Non-interactive, non-committing encryption (not very practical) (-) | Simple, natural (+) |
| Goldwasser, Tauman | Signatures via Fiat-Shamir heuristic (practical) (+) | Complex, artificial (-) |
Slide 10
Reaction
[Cartoon: a Eurocrypt attendee, "John Smith", objects:] OK, but "in practice", the RO model thesis is true.
Practical RO model thesis: The RO model thesis holds for "natural, practical" schemes for "practical" goals.
Slide 11
Our work
We present a RO model scheme that
• is simple and natural, and resembles existing RO model schemes;
• is for a practical security goal;
• but is uninstantiable.
Slide 12
Caveats and impact
• Our result does have artificial aspects, as we will see, and should not be taken to indicate that the practical RO model thesis is false.
• But it shows that uninstantiable schemes arise in more practical situations than indicated by previous work.
Slide 13
Plan
• The goal
• The scheme
• The positive result
• The negative result
• Conclusions
Slide 15
Classical view of asymmetric encryption usage
[Figure: AS = (AK,AE,AD). The sender computes C = AE_{pk_R}(M) and sends C; the receiver R recovers M = AD_{sk_R}(C).]
Slide 16
In practice: hybrid approach
[Figure: SS = (SK,SE,SD), AS = (AK,AE,AD). The sender picks K ← SK, sends C0 = AE_{pk_R}(K) and then C1 = SE_K(M1), ..., Cn = SE_K(Mn); the receiver R recovers K from C0 using sk_R and decrypts each Ci with SD_K.]
AS + SS = Multi-Message (MM) Hybrid (AS,SS)
Slide 17
Goal: IND-CCA-secure MM-Hybrid Encryption
We can define, in a natural way, IND-CCA security for an MM-hybrid scheme (AS,SS).
Certainly, a necessary condition for IND-CCA security of an MM-hybrid (AS,SS) is IND-CCA security of SS.
But what do we need from the asymmetric encryption scheme AS?
Slide 18
Easy theorem: IND-CCA AS + any IND-CCA SS ⇒ IND-CCA MM-hybrid (AS,SS).
However, the above could be true even if AS satisfies a weaker condition than IND-CCA.
Slide 19
IND-CCA-preserving asymmetric schemes
What emerges: a new notion of security for asymmetric encryption schemes.
Definition: An asymmetric encryption scheme AS is IND-CCA-preserving if
AS + any IND-CCA SS ⇒ IND-CCA MM-hybrid (AS,SS).
Slide 20
Why IND-CCA-preserving schemes?
For asymmetric schemes: IND-CCA (stronger notion) ⇒ IND-CCA-preserving (weaker notion).
In particular, an IND-CCA-preserving scheme need not even be randomized, since it is used only to encrypt random keys.
The hope: IND-CCA-preserving schemes more efficient than existing IND-CCA ones.
The benefit: security of encryption in practice at lower cost.
Slide 21
Summary
Our goal: IND-CCA-preserving asymmetric encryption
Slide 23
Hash ElGamal RO model asymmetric encryption scheme HEG = (AK,AE,AD)
pk = (k,q,g,X = g^x), sk = (k,q,g,x), where q and 2q+1 are primes and g has order q in Z*_{2q+1}
H: {0,1}^k → Z_q,  G: Z*_{2q+1} → {0,1}^k
AE^{H,G}_{k,q,g,X}(K):
  r ← H(K)
  P ← G(X^r)
  Return (g^r, P ⊕ K)
AD^{H,G}_{k,q,g,x}(Y,W):
  K ← G(Y^x) ⊕ W
  If g^{H(K)} = Y then Return K else Reject
Note. HEG is deterministic and thus not even IND-CPA!
Slide 25
Security of Hash ElGamal
Theorem 1. Under the Computational Diffie-Hellman assumption (CDH), HEG is IND-CCA-preserving in the RO model:
HEG + any IND-CCA SS ⇒ IND-CCA MM-hybrid (HEG,SS).
Slide 26
HEG is similar to existing schemes: GEM, GEM1, GEM2, FO, REACT, ...
Something almost identical (but randomized) appeared in [BaLeKi00].
Slide 28
Now, the interesting stuff
Theorem 2. No instantiation of HEG is IND-CCA-preserving in the standard model.
[Cartoon: the Eurocrypt attendee asks:] I.e. it is IND-CCA-preserving in the RO model, but no standard-model implementation of it is IND-CCA-preserving?
Right! More precisely...
Slide 29
Security of HEG instantiations
Let F1, F2 be poly-time computable families of functions.
AE_{k,q,g,X,L1,L2}(K):
  r ← F1_{L1}(K)
  P ← F2_{L2}(X^r)
  Return (g^r, P ⊕ K)
Theorem 2. For any F1, F2 the above standard-model asymmetric encryption scheme is not IND-CCA-preserving.
Slide 30
A caveat
• The proof of Theorem 2 shows that for every F1, F2 (poly-time families of functions) THERE EXISTS an SS such that (HEG-bar, SS) is not an IND-CCA-secure MM-hybrid, where HEG-bar denotes the instantiation of HEG via F1, F2.
• But SS is an artificial scheme, depending on F1, F2.
• Theorem 2 does not imply that e.g. (HEG-bar, CBC-type SS) is insecure.
• So although HEG is simple and natural, there is some artificiality under the rug.
Slide 31
However, we still believe the result is valuable because we have
• a practical goal: IND-CCA-preserving encryption;
• a simple, natural scheme resembling existing RO schemes: HEG;
• yet HEG is uninstantiable: its real-world implementation loses the security property;
• and HEG is innocuous looking; one would not suspect any anomalies in advance.
Slide 32
About the proof of Theorem 2
Let HEG-bar be ANY instantiation of HEG via poly-time computable families of functions.
We present a symmetric encryption scheme SS = (SK,SE,SD) such that
1. SS is IND-CCA secure
2. (HEG-bar, SS) is not IND-CCA secure
Slide 33
Key and ciphertext verifiability
• Def. An asymmetric encryption scheme is key-verifiable if there is a poly-time algorithm KV such that KV(pk) = 1 if pk is a valid public key, and 0 otherwise.
• Def. An asymmetric encryption scheme is ciphertext-verifiable if there is a poly-time algorithm CV such that CV(pk, M, C) = 1 if C is a valid encryption of M under pk, and 0 otherwise.
• Claim. Any instantiation HEG-bar of HEG is key- and ciphertext-verifiable.
Slide 34
SS construction for the proof of Theorem 2
Let SS' = (SK',SE',SD') be any IND-CCA symmetric scheme.
SK(1^k):
  K1 ← SK'(1^{k/2}); K2 ← {0,1}^{k/2}
  Return K1||K2
SE_{K1||K2}(M):
  C' ← SE'_{K2}(M)
  Parse M as M1||M2
  If M1 is a valid pk for HEG-bar and M2 is a valid HEG-bar ciphertext of K1||K2 under M1 then Return C'||0 else Return C'||1
(These two checks are sound operations since HEG-bar is key- and ciphertext-verifiable.)
Slide 35
• We show that SS is IND-CCA.
• In order to show that (HEG-bar, SS) is not IND-CCA we use the fact that HEG-bar is key- and ciphertext-verifiable. The details are in the paper.
• In general: no key- and ciphertext-verifiable scheme is IND-CCA-preserving.
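The following is an added worked example, not code from the slides or the authors: a toy standard-model instantiation of HEG (slides 23 and 29), the verifiers KV and CV (slide 33), and the SS built on top of them (slide 34), so that the trailing bit SE appends can be observed. Everything not on the slides is an assumption of this example: the families F1_{L1}, F2_{L2} are HMAC-SHA256 under public instantiation keys L1, L2; the group is a constructed toy safe prime (q = 1019, p = 2039, g = 4) that offers no security; the byte layout used to feed pk||C0 into SE is made up; SS' is a toy encrypt-then-MAC scheme standing in for "any IND-CCA SS'"; all function names are this example's own.

```python
"""Toy instantiation of the slides' Hash ElGamal (HEG), its verifiers KV/CV, and the SS from
the proof of Theorem 2. Added example, not the authors' code. Assumed, not on the slides: H, G
are HMAC-SHA256 under public keys L1, L2 (the F1_L1, F2_L2 families); toy group; toy SS'."""
import hashlib
import hmac
import secrets

K_LEN = 16     # k/8: 128-bit session keys
Q = 1019       # prime, and P = 2Q+1 = 2039 is prime too (toy group, not for real use)
P = 2 * Q + 1
GEN = 4        # 4 = 2^2 is a quadratic residue mod P, hence has order Q

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def h_func(L1: bytes, K: bytes, q: int) -> int:
    """F1_L1 : {0,1}^k -> Z_q, in place of the random oracle H."""
    return int.from_bytes(hmac.new(L1, b"H" + K, hashlib.sha256).digest(), "big") % q

def g_func(L2: bytes, Z: int) -> bytes:
    """F2_L2 : Z_P^* -> {0,1}^k, in place of the random oracle G."""
    return hmac.new(L2, b"G" + Z.to_bytes(4, "big"), hashlib.sha256).digest()[:K_LEN]

# HEG = (AK, AE, AD) from slide 23, with H, G replaced by the families above (slide 29)
def heg_keygen():
    x = secrets.randbelow(Q - 1) + 1          # x in [1, q-1]
    return (P, Q, GEN, pow(GEN, x, P)), x     # pk = (p, q, g, X = g^x), sk = x

def heg_enc(pk, L, K: bytes):
    """AE_pk(K): r <- H(K); P <- G(X^r); return (g^r, P xor K). No coins: deterministic."""
    p, q, g, X = pk
    r = h_func(L[0], K, q)
    return pow(g, r, p), xor(g_func(L[1], pow(X, r, p)), K)

def heg_dec(pk, sk, L, C):
    """AD_sk(Y, W): K <- G(Y^x) xor W; return K iff g^{H(K)} = Y, else reject (None)."""
    (p, q, g, _), (Y, W) = pk, C
    K = xor(g_func(L[1], pow(Y, sk, p)), W)
    return K if pow(g, h_func(L[0], K, q), p) == Y else None

# Slide 33: the verifiers KV and CV that every instantiation of HEG admits
def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def KV(pk) -> bool:
    """1 iff pk = (p, q, g, X) is a valid HEG public key."""
    p, q, g, X = pk
    return (p == 2 * q + 1 and is_prime(q) and is_prime(p) and 1 < g < p
            and pow(g, q, p) == 1 and 1 < X < p and pow(X, q, p) == 1)

def CV(pk, L, M: bytes, C) -> bool:
    """1 iff C = AE_pk(M): anyone can recompute AE because it takes no coins."""
    return heg_enc(pk, L, M) == C

def encode(pk, C) -> bytes:  # assumed wire layout: four 4-byte pk fields || 4-byte Y || W
    return b"".join(v.to_bytes(4, "big") for v in pk) + C[0].to_bytes(4, "big") + C[1]

def parse(M: bytes):
    pk = tuple(int.from_bytes(M[i:i + 4], "big") for i in range(0, 16, 4))
    return pk, (int.from_bytes(M[16:20], "big"), M[20:])

# SS' = (SK', SE', SD'): toy encrypt-then-MAC standing in for "any IND-CCA SS'"
def _stream(K2: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(K2, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def se_prime(K2: bytes, M: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    body = nonce + xor(_stream(K2, nonce, len(M)), M)
    return body + hmac.new(K2, b"MAC" + body, hashlib.sha256).digest()

def sd_prime(K2: bytes, C: bytes):
    body, tag = C[:-32], C[-32:]
    if not hmac.compare_digest(tag, hmac.new(K2, b"MAC" + body, hashlib.sha256).digest()):
        return None
    return xor(_stream(K2, body[:12], len(body) - 12), body[12:])

# Slide 34: SS built from SS' and the two verifiers (K2 keys SE', as on the slide)
def ss_keygen():
    return secrets.token_bytes(K_LEN // 2), secrets.token_bytes(K_LEN // 2)   # K1, K2

def ss_enc(K1: bytes, K2: bytes, L, M: bytes) -> bytes:
    """SE_{K1||K2}(M): C' <- SE'_{K2}(M); append 0 iff M = pk || AE_pk(K1||K2), else 1."""
    pk, C = parse(M)
    valid = KV(pk) and CV(pk, L, K1 + K2, C)     # KV first: CV needs a well-formed pk
    return se_prime(K2, M) + (b"\x00" if valid else b"\x01")

def ss_dec(K1: bytes, K2: bytes, C: bytes):
    return sd_prime(K2, C[:-1])                  # the trailing flag plays no role here

def trailing_bit_leak(L):
    """pk and C0 = AE_pk(K1||K2) are public in the MM-hybrid setting; the flag of
    SE_{K1||K2}(pk||C0) is 0, while that of SE_{K1||K2}(pk||C0') for another key's C0' is 1."""
    pk, _ = heg_keygen()
    K1, K2 = ss_keygen()
    C0 = heg_enc(pk, L, K1 + K2)
    other = heg_enc(pk, L, secrets.token_bytes(K_LEN))
    real = ss_enc(K1, K2, L, encode(pk, C0))
    fake = ss_enc(K1, K2, L, encode(pk, other))
    return real[-1], fake[-1]
```

Two things to take from running it. First, CV exists only because AE takes no coins: the same (pk, K) always yields the same (Y, W), so anyone can recompute and compare, which is exactly the property the slide flags as "deterministic and thus not even IND-CPA". Second, trailing_bit_leak returns (0, 1): in the MM-hybrid setting both pk and C0 are public, so SE_{K1||K2} answers an encryption of pk||C0 with a different final bit than an encryption of pk||C0' for any other C0', which is the distinguishing handle the construction is built to expose; the slides defer the formal IND-CCA argument for (HEG-bar, SS), and the proof that SS on its own stays IND-CCA, to the paper. The toy group and toy SS' here are for illustrating the mechanics only and carry no security of their own.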
Slide 37
Conclusions
• We presented a simple uninstantiable scheme for a practical goal.
• We do not suggest one abandon the RO model.
• We do suggest that designers of RO model schemes pay more attention to the question of instantiation, which is usually entirely neglected.
• Our example shows that uninstantiable schemes really come up.
Slide 38
Thank you!