
Security proofs for practical encryption schemes


Presentation Transcript


  1. Security proofs for practical encryption schemes
     Yiannis Tsiounis, GTE Labs
     Moti Yung, CertCo LLC

  2. “Security”: Semantic security
     • Secure encryption
     • Semantic Security [GM84, Gol89]
     • Hide all partial information
     • Immune against a-priori knowledge

  3. Semantic security (cont.) (Indistinguishability of encryptions)
     [Diagram; surviving labels: “A-priori” info: = “Buy”, = “Sell”; “Secure” encryption: or; Semantically Secure: (probabilistic)]

  4. Beyond semantic security
     • Chosen ciphertext security [NY90]
       • “Lunch-time” attack [NY90]
       • Rackoff-Simon attack (adaptive) [RS91]
     • Non-malleability [DDN91]
       • Infeasible to create a “related” ciphertext
       • Message & sender cannot be altered by man-in-the-middle

  5. (Random oracles)
     • A “necessary evil” simplification
     • Collision-free / Information hiding
     [Diagram: a “Random oracle” box answering queries Q_i with answers A_i]
     • Requires tamper-proof devices, or exponential memory

  6. The big picture
     [Diagram: attacks against security; placing EG, EG+RO+A, BRP+98 and Plaintext Awareness]

  7. Contributions (cont.)
     • Semantic security
       • Directly from decision Diffie-Hellman
       • Retaining homomorphic properties
       • Exact analysis of efficiency of the reduction
     • Non-malleability
       • decision D-H + R.O. [PS96] + oracle-related assumption

  8. Preliminaries
     • ElGamal encryption
       • P = aQ + 1, P, Q primes, |g| = Q
       • Private key: x
       • Public key: y = g^x (mod P)
       • E(m) = (g^k, y^k m)   (m ∈ G_Q)
     • Decision Diffie-Hellman
       • P = aQ + 1, P, Q primes, |g| = Q
       • Distinguish <g^a, g^b, g^ab> from <g^a, g^b, g^c>

  9. Preliminaries (cont.)
     • Semantic security = indistinguishability of encryptions: it is infeasible to find 2 messages whose encryptions can be distinguished (non-negligibly better than random guessing)

  10. ElGamal => decision D-H
      • Assume we have an ElGamal oracle
      • Given a triplet <g^a, g^b, y>, decide if it is a D-H triplet (y = g^ab ?)
      1. Preparation stage: find two messages that the oracle can distinguish
      2. Testing phase: test if the oracle can distinguish between message 1 (or 2) and random messages

  11. Proof (cont.)
      3. Decision phase: generator g, public key g^bw (w random)
         • Randomize message 1 (or 2)
         • Correctly: E(m) = (g^u, m (g^b)^wu)
         • Based on the given triplet <g^a, g^b, y>: E(m’) = ((g^a)^t g^v, m y^wt (g^b)^wv)
           m’ = m (if y = g^ab), random otherwise
         • Run oracle on E(m), E(m’)
           1. Distinguish? ==> not D-H triplet
           2. Else: correct D-H triplet

  12. Decision D-H => ElGamal
      • Given a decision D-H oracle, find two messages whose ElGamal encryptions can be distinguished
      • For any two m, m’ (y = g^x):
        • E(m0) = (g^a, m0 y^a),  E(m1) = (g^b, m1 y^b)
        • Feed <g^a, y g^v, [y^a m0] g^av / m> = <g^a, g^(x+v), g^((x+v)a) m0/m> (random v)
        • If it is a correct triplet, then m0 = m, else m0 = m’
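The two reductions of slides 10-12, as an added worked example written for this page (it is not code from the talk or its authors): a toy ElGamal over a hand-picked Schnorr group (P = 2039, Q = 1019, g = 4, constructed here and far too small for real use), the homomorphic property slide 7 refers to, a decision D-H oracle and an ElGamal distinguisher that are both simulated by brute-force discrete logs (only possible in such a tiny group), and the two reduction procedures built on top of them. The function names, the message encoding m = g^t and the oracle interfaces are this example's own choices.

```python
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = aQ + 1 with a = 2, and g = 4 generates the order-Q subgroup G_Q of Z_P^*.
P, Q, G = 2039, 1019, 4


def is_prime(n):
    """Trial division; adequate for the toy parameters above."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def check_group():
    """The conditions the slides state: P, Q prime, P = aQ + 1, |g| = Q."""
    return (is_prime(P) and is_prime(Q) and (P - 1) % Q == 0
            and G != 1 and pow(G, Q, P) == 1)


def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]


def to_group(t):
    return pow(G, t, P)                          # messages must lie in G_Q


def keygen():
    x = rand_exp()                               # private key x
    return x, pow(G, x, P)                       # public key y = g^x


def encrypt(y, m):
    k = rand_exp()
    return pow(G, k, P), pow(y, k, P) * m % P    # E(m) = (g^k, y^k m)


def decrypt(x, ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, x, P), -1, P) % P    # m = c2 / c1^x  (Python 3.8+)


def ct_multiply(ct_a, ct_b):
    """Homomorphic property: E(m_a) * E(m_b), componentwise, encrypts m_a * m_b."""
    return ct_a[0] * ct_b[0] % P, ct_a[1] * ct_b[1] % P


def dlog(h):
    """Brute-force discrete log in G_Q; feasible only because the group is tiny."""
    acc = 1
    for t in range(Q):
        if acc == h:
            return t
        acc = acc * G % P
    raise ValueError("element is not in G_Q")


def ddh_oracle(ga, gb, y):
    """A perfect decision D-H oracle, simulated by brute force."""
    return y == pow(gb, dlog(ga), P)


def ciphertext_encrypts(y, ct, m, oracle=ddh_oracle):
    """Slide 12 (decision D-H => ElGamal): decide whether ct = E(m0) has m0 == m by
    feeding <g^a, y g^v, (y^a m0) g^{av} / m> to the D-H oracle; the third
    component equals g^{(x+v)a} exactly when m0 == m."""
    ga, c2 = ct
    v = rand_exp()
    return oracle(ga, y * pow(G, v, P) % P, c2 * pow(ga, v, P) * pow(m, -1, P) % P)


def elgamal_oracle(y, ct, m1, m2):
    """A perfect ElGamal distinguisher, simulated by brute-forcing x = dlog(y):
    returns 1 or 2 for the message ct encrypts, 0 for any other message."""
    m = decrypt(dlog(y), ct)
    return 1 if m == m1 else 2 if m == m2 else 0


def is_dh_triplet(ga, gb, y, oracle=elgamal_oracle):
    """Slides 10-11 (ElGamal => decision D-H): under public key g^{bw} form one
    correct encryption of m1 and one derived from the triplet; they encrypt the
    same message exactly when y = g^{ab}, which the distinguisher reveals."""
    m1, m2 = to_group(1), to_group(2)            # preparation: two distinguishable messages
    w, u, t, v = rand_exp(), rand_exp(), rand_exp(), rand_exp()
    pk = pow(gb, w, P)                           # public key g^{bw}; secret key bw is unknown to us
    correct = (pow(G, u, P), m1 * pow(gb, w * u, P) % P)
    derived = (pow(ga, t, P) * pow(G, v, P) % P,
               m1 * pow(y, w * t, P) * pow(gb, w * v, P) % P)
    return oracle(pk, correct, m1, m2) == oracle(pk, derived, m1, m2)
```

Both reductions are exact, not probabilistic, once the oracles are perfect: in `is_dh_triplet` a non-D-H y makes the derived ciphertext decrypt to m1 times a non-trivial group element, so the distinguisher's answers differ, and in `ciphertext_encrypts` the constructed triplet is a D-H triplet if and only if the ciphertext encrypts m.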

  13. Non-malleability
      • Given ciphertext C, cannot construct ciphertext C’ such that the plaintexts are related
      • All we need is a proof of knowledge of the plaintext
        • I.e., a proof of knowledge of k in E(m) = (g^k, y^k m)
      • But, it must be a non-malleable ZK proof: it must be bound to the prover

  14. The non-malleable extension
      • A Schnorr-type ZK proof of knowledge of k, with the sender’s identity in the challenge (hash):
        A = [g^k, y^k m],  F = g^v,  C = k H(ID, g, A, F) + v
        E(m) = [A, F, C, ID]
      • Random oracle is used only as a “trusted beacon” [PS96] - not for information hiding

  15. Security proof
      1. We need to verify that semantic security still holds (the knowledge proof does not leak information)
      2. Knowledge of k: provided by the Schnorr proof
      3. Sender-bound: the addition forms a Schnorr signature of ID based on k, which is existentially unforgeable [PS96]
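The extension of slides 13-15, as an added example written for this page (it is not the talk's own code): the Schnorr-type proof A = [g^k, y^k m], F = g^v, C = k H(ID, g, A, F) + v, together with the recipient-side check g^C = A_1^H F that must pass before anything is decrypted. The group is generated at import time as a safe prime P = 2Q + 1 just above 2^61 with g = 4 (constructed here, still far too small for real use), the hash is SHA-256 over a simple string encoding reduced mod Q, and the function names are this example's own.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; used only to build the toy group below."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start):
    """Smallest Q >= start with Q and P = 2Q + 1 prime; g = 4 then has order Q."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


# Group constructed for this example: P = aQ + 1 with a = 2 and |g| = Q, as on slide 8.
P, Q, G = safe_prime_group(1 << 61)


def keygen():
    x = secrets.randbelow(Q - 1) + 1             # private key x
    return x, pow(G, x, P)                       # public key y = g^x


def challenge(sender_id, a1, a2, f):
    """H(ID, g, A, F) reduced mod Q. A real implementation needs an unambiguous
    (fixed-width or length-prefixed) encoding; '|'-joined strings suffice here."""
    data = "|".join(str(t) for t in (sender_id, G, a1, a2, f)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def encrypt_nm(y, m, sender_id):
    """Slide 14: ElGamal ciphertext A plus a Schnorr-type proof of knowledge of k
    whose challenge binds the sender's identity."""
    k = secrets.randbelow(Q - 1) + 1
    v = secrets.randbelow(Q - 1) + 1
    a1, a2 = pow(G, k, P), pow(y, k, P) * m % P  # A = [g^k, y^k m]
    f = pow(G, v, P)                             # F = g^v
    c = (k * challenge(sender_id, a1, a2, f) + v) % Q   # C = k H(ID, g, A, F) + v
    return a1, a2, f, c, sender_id               # E(m) = [A, F, C, ID]


def verify_nm(ct):
    """Recipient's check: g^C == (g^k)^H * g^v, recomputing H over the received
    ID, A and F. Any change to ID, A or F changes H and the equation fails."""
    a1, a2, f, c, sender_id = ct
    e = challenge(sender_id, a1, a2, f)
    return pow(G, c, P) == pow(a1, e, P) * f % P


def decrypt_nm(x, ct):
    """Verify the proof first; only a well-formed, sender-bound ciphertext is decrypted."""
    if not verify_nm(ct):
        return None
    a1, a2, *_ = ct
    return a2 * pow(pow(a1, x, P), -1, P) % P    # m = a2 / a1^x  (Python 3.8+)
```

The verification equation is the usual Schnorr one, so the recipient pays two extra exponentiations per ciphertext, which is the "minimal efficiency cost" of slide 16. Because ID is hashed into the challenge, a ciphertext re-labelled with another sender's ID, or one whose A component has been altered, no longer verifies; slide 15's argument is that producing a fresh valid C for a changed ID amounts to forging a Schnorr signature. Note that SHA-256 only heuristically stands in for the random oracle the proof treats as a trusted beacon.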

  16. Practical implications: Encryption
      • ElGamal is as secure as [BR94+Can97]
      • Non-malleability can be added at minimal efficiency cost
      • In applications a signature is still needed
        • Otherwise senders can be impersonated
        • Signatures using Schnorr proofs are a smooth addition

  17. Implications: protocols
      • First encryption scheme with homomorphic properties that is semantically secure
      • Anonymous e-cash: escrowing can be performed based on decision D-H
