Course 2-12-1: Advanced Encryption
Part 1: Robust Encryption
17 October 2011
Michel Abdalla, École normale supérieure & CNRS
Public-key encryption (PKE)
[Diagram: Key Generation outputs a public key, given to the sender, and a secret key, kept by the receiver. The sender computes C = Enc(pk, M); the receiver recovers M = Dec(sk, C).]
Michel Abdalla 2
Security goals for PKE
Data privacy
• Ciphertext should not reveal any partial information about the encrypted message
Key privacy (a.k.a. anonymity)
• Ciphertext should not reveal any partial information about the public key under which it was created
A practical scenario
Suppose C is a ciphertext obtained by encrypting a message M under public key pk
If C is decrypted using the secret key sk corresponding to pk, then the result is M
However, what happens if C is decrypted using the secret key sk’ corresponding to pk’ ≠ pk?
Robustness: The decryption algorithm should reject whenever the wrong decryption key is used
Why robustness?
The primary security requirement for public-key encryption is data privacy
However, a growing number of applications (e.g., anonymous channels, electronic voting) also require anonymity
Our thesis: Anonymity without robustness is inadequate for most applications
Example 1: Auction protocol
Overall goal
• Simulate a real-life auction based on sealed envelopes
Correctness
• The highest bid should be the winning bid
Security goals
• Only the highest bid should be revealed
• The losing bids should remain secret
Fairness
• The scheme should remain secure even in the case of collusions between an auctioneer and a bidder.
Example 1: Auction protocol [Sako2000]
Setup
• Secret key: v1, …, vN ∈ Zp
• Public key: g, X1 = g^v1, …, XN = g^vN, M
Bidding on a value v ∈ {1, …, N}
• C = Enc(Xv, M) = (g^r, (Xv)^r · M)
Opening bids (C1, …, CL)
• Set i = N and S = {}
• For j = 1, …, L, if Dec(Cj) = M, then S = S ∪ {i}
• If S = {}, then i = i − 1
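As an added illustration (not code from the lecture), the opening procedure above instantiated with plain ElGamal over a small constructed group, plus the "if a1 = 1 then M ← ⊥" rejection that the Cramer-Shoup slide later applies: honest bids open correctly, but a ciphertext of the form (1, M) decrypts to M under every key, so a non-robust scheme cannot tell which value it was meant for. The group parameters, the marker M and the bid values are constructed for the example.

```python
import random

# Constructed toy parameters: p = 2q + 1 with q prime, g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4
M = 1234  # the fixed marker message M that every bidder encrypts

def keygen(n):
    secret = random.sample(range(1, Q), n)     # distinct v_1, ..., v_N, one per bid value
    public = [pow(G, v, P) for v in secret]    # X_i = g^{v_i}
    return secret, public

def encrypt(X, m):
    r = random.randrange(1, Q)
    return pow(G, r, P), (pow(X, r, P) * m) % P    # (g^r, X^r * m)

def decrypt(v, c, robust=False):
    c1, c2 = c
    if robust and c1 == 1:          # the "if a1 = 1 then M <- bottom" check of the Cramer-Shoup slide
        return None                 # bottom: reject
    return (c2 * pow(c1, P - 1 - v, P)) % P        # c2 * c1^{-v} (inverse via Fermat)

def bid(public, value):
    return encrypt(public[value - 1], M)           # C = Enc(X_v, M)

def open_bids(secret, bids, robust=False):
    # Walk from value N downwards; the first value under which some bid decrypts to M wins.
    for i in range(len(secret), 0, -1):
        winners = {j for j, c in enumerate(bids) if decrypt(secret[i - 1], c, robust) == M}
        if winners:
            return i, winners
    return 0, set()

def demo():
    secret, public = keygen(6)
    bids = [bid(public, 3), bid(public, 5), bid(public, 2)]
    honest = open_bids(secret, bids)               # (5, {1}): bidder 1 bid value 5
    # Degenerate ciphertext (1, M): under plain ElGamal it decrypts to M under *every* key,
    # so the opening procedure credits it with the top value 6 unless decryption rejects it.
    with_degenerate = bids + [(1, M)]
    return honest, open_bids(secret, with_degenerate), open_bids(secret, with_degenerate, robust=True)
```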
Example 2: Identity-based encryption [Shamir, BF01]
Goal: Allow sender to encrypt messages based on the receiver’s identity
[Diagram: the key server runs Setup to obtain (pk, msk); the sender, holding pk, runs Encryption on (ID, M) to produce C; the receiver obtains sk from the server via KeyDerivation(msk, ID) and runs Decryption(sk, C) to recover M.]
Can robustness be trivially achieved?
Is robustness implied by existing notions?
If not, is there an easy way to make an encryption scheme robust?
What about specific schemes?
Our results
Negative results
• Robustness is not implied by existing notions such as privacy or anonymity under chosen-ciphertext attacks
• Adding redundancy to plaintext (e.g., encrypting pk and M) does not work in general
Positive results
• There exists a general transform that makes any existing PKE or IBE scheme robust without sacrificing its anonymity
• Some existing schemes (e.g., Boneh-Franklin) can be proven robust
Plan
• Security notions
• Redundancy-based transform
• A commitment-based transform
• Robustness of specific schemes
• Applications to searchable encryption
• Concluding remarks
IND-CCA: privacy against chosen-ciphertext attack [BF01]
[Game diagram, as the sequence of messages between challenger and adversary]
• Challenger → Adversary: pk
• Adversary → Challenger: id1, …, idq; answered with ski ← KD(msk, idi), returning sk1, …, skq
• Adversary → Challenger: m0, m1, id* ∉ {id1, …, idq}; the challenger picks b ← {0,1}, computes C* ← E(pk, id*, mb) and returns C*
• Adversary → Challenger: (id1, C1), …, (idq’, Cq’); if (idi, Ci) ≠ (id*, C*), answered with mi ← D(KD(msk, idi), Ci), returning m1, …, mq’
• Adversary → Challenger: b’; the adversary wins if b’ = b (YES) and loses otherwise (NO)
ANO-CCA: Anonymity against chosen-ciphertext attack
[Game diagram, as the sequence of messages between challenger and adversary]
• Challenger → Adversary: pk
• Adversary → Challenger: id2, …, idq; answered with ski ← KD(msk, idi), returning sk2, …, skq
• Adversary → Challenger: m*, id0, id1 ∉ {id2, …, idq}; the challenger picks b ← {0,1}, computes C* ← E(pk, idb, m*) and returns C*
• Further key queries are answered with skq+1, …, skq’
• Adversary → Challenger: (id1, C1), …, (idq’, Cq’); if idi ∉ {id0, id1} or Ci ≠ C*, answered with mi ← D(KD(msk, idi), Ci)
• Adversary → Challenger: b’; the adversary wins if b’ = b (YES) and loses otherwise (NO)
Robust encryption
Weak robustness (WROB)
• Security w.r.t. honestly generated ciphertexts
• Adversary’s goal is to find a message m and identities id0 and id1 such that D(skid1, E(pk, id0, m)) ≠ ⊥
Strong robustness (SROB)
• Security w.r.t. maliciously generated ciphertexts
• Adversary’s goal is to find a ciphertext C and identities id0 and id1 such that D(skid0, C) ≠ ⊥ and D(skid1, C) ≠ ⊥
WROB-CCA: Weak robustness against chosen-ciphertext attack
A scheme is WROB-CCA secure when, given a master public key pk:
• An adversary cannot generate a message m* and two identities id0 and id1 such that D(skid1, E(pk, id0, m*)) ≠ ⊥
• Even when it’s allowed to see secret keys skid = KD(msk, id) for identities id ∉ {id0, id1}
• And the decryption m’ = D(skid, C’) for ciphertexts C’ and identities id (C’ ≠ C* when id ∈ {id0, id1})
WROB-CCA: Weak robustness against chosen-ciphertext attack
[Game diagram, as the sequence of messages between challenger and adversary]
• Challenger → Adversary: pk
• Adversary → Challenger: id1, …, idq; answered with ski ← KD(msk, idi), returning sk1, …, skq
• Adversary → Challenger: (C1, id1), …, (Cq’, idq’); answered with mi ← D(KD(msk, idi), Ci), returning m1, …, mq’
• Adversary → Challenger: id0, id1, m*; the adversary wins if D(skid1, E(pk, id0, m*)) ≠ ⊥ (YES) and loses otherwise (NO)
SROB-CCA: Strong robustness against chosen-ciphertext attack
A scheme is SROB-CCA secure when, given a master public key pk:
• An adversary cannot generate a ciphertext C* and two identities id0 and id1 such that D(skid0, C*) ≠ ⊥ and D(skid1, C*) ≠ ⊥ simultaneously
• Even when it’s allowed to see secret keys skid = KD(msk, id) for identities id ∉ {id0, id1}
• And the decryption m’ = D(skid, C’) for ciphertexts C’ and identities id (C’ ≠ C* when id ∈ {id0, id1})
SROB-CCA: Strong robustness against chosen-ciphertext attack
[Game diagram, as the sequence of messages between challenger and adversary]
• Challenger → Adversary: pk
• Adversary → Challenger: id1, …, idq; answered with ski ← KD(msk, idi), returning sk1, …, skq
• Adversary → Challenger: (C1, id1), …, (Cq’, idq’); answered with mi ← D(KD(msk, idi), Ci), returning m1, …, mq’
• Adversary → Challenger: id0, id1, C*; the adversary wins if D(skid0, C*) ≠ ⊥ and D(skid1, C*) ≠ ⊥ (YES) and loses otherwise (NO)
Relation with existing notions
Theorem: There are IBE schemes which are IND-CCA and ANO-CCA, but not WROB-CCA
Proof: Given IBE = (S, KD, E, D), build IBE’ = (S, KD, E, D’) where
• D’(skid, C): x = D(skid, C); if x ≠ ⊥ return x, else return 0^l
Redundancy-based transforms
Idea: Add redundancy to plaintext and check upon decryption if redundancy is present
Intuition: Decryption under the wrong key should look random, hence redundancy would be rarely present
Examples of redundancy
• Fixed string: Epk(id, m || 0^l)
• Public key and identity: Epk(id, m || pk || id)
• Hash of message and identity: Epk(id, m || H(m || id))
Redundancy codes
A redundancy code R = (RK, RC, RV) is a triple of algorithms where
• RK generates a redundancy key k
• RC(k, x) computes a redundancy r for input x and key k
• RV(k, x, r) checks validity of r for input x and key k
• For all x and k, RV(k, x, RC(k, x)) = 1
Examples
• RC(k, (pk, id, m)) = 0^l
• RC(k, (pk, id, m)) = pk || id
• RC(k, (pk, id, m)) = H(k, pk || id || m)
R is said to be unkeyed when k = ε
Redundancy-based transform
Let R = (RK, RC, RV) be a redundancy code
Let IBE = (S, KD, E, D) be an IBE scheme
Transform outputs IBE’ = (S’, KD, E’, D’) where:
• S’: (msk, pk) ← S; k ← RK; return (msk, (pk, k))
• E’((pk || k), id, m) = E(pk, id, m || RC(k, pk || id || m))
• D’(skid, C’): m || r ← D(skid, C’); if RV(k, pk || id || m, r) = 1 then return m else return ⊥
Redundancy codes and weak robustness
Theorem 1: There exist IBE schemes IBE such that, for any non-keyed redundancy code R (i.e., k = ε), the resulting IBE scheme IBE’ is not WROB-CCA.
Theorem 2: Let R = (RK, RC, RV) where RK returns k ∈ {0,1}^κ and RC(k, (pk, id, m)) = k. If the underlying IBE scheme IBE is IND-CCA, then the resulting IBE scheme IBE’ is WROB-CCA.
WROB counterexample for unkeyed redundancy codes
Let IBE* = (S*, KD*, E*, D*) be an IND-CCA and ANO-CCA IBE scheme
Build IBE = (S*, KD*, E*, D) where
• D(skid, C): m ← D*(skid, C); if m ≠ ⊥, return m; else return m* || RC(ε, pk || id || m*; 0^l)
Redundancy codes and strong robustness
Theorem: There exist IBE schemes IBE such that, for any redundancy code R (even keyed ones), the resulting IBE scheme IBE’ is not SROB-CCA.
SROB counterexample
Let IBE* = (S*, KD*, E*, D*) be an IND-CCA and ANO-CCA IBE scheme
Build IBE = (S*, KD*, E, D) where
• E(pk, id, m) = 1 || E*(pk, id || m)
• D(skid, b || C): if b = 1, then return D*(sk, C); else return m* || RC(C, pk || id || m*; 0^l)
Ciphertext C’ = 0 || k is valid for any identity
Commitment schemes
A commitment scheme CMT = (PG, Com, Open) is a triple of algorithms where
• PG returns common parameters pars
• Com(pars, x) computes a commitment com for x and the decommitment key dec
• Open(pars, com, dec) returns either x or ⊥
Correctness
• ∀x, ∀pars ∈ PG, ∀(com, dec) ∈ Com(pars, x): Open(pars, com, dec) = x
Commitment security properties
Hiding
• cpars ← PG; b ← {0,1}
• (x0, x1) ← Adversary(cpars)
• (com, dec) ← Com(cpars, xb)
• b’ ← Adversary(com)
• If (b = b’) then return 1 else return 0
Binding
• cpars ← PG
• (com, dec0, dec1) ← Adversary(cpars)
• x0 ← Open(cpars, com, dec0)
• x1 ← Open(cpars, com, dec1)
• If (x0 ≠ x1 and x0 ≠ ⊥ and x1 ≠ ⊥) then return 1 else return 0
A commitment-based transform
Idea: Add a commitment of the identity to the ciphertext and encrypt the decommitment key together with the message
Intuition: When decrypting with the wrong key, the probability that the decommitment key will open the commitment correctly is negligible
The commit-identity transform
Given CMT = (CPG, Com, Open) and IBE = (S, KD, E, D), we can construct a strongly robust IBE scheme IBE’ = (S’, KD’, E’, D’) as follows:
S’(1^k)
  (pk, msk) ← S(1^k)
  cpars ← CPG(1^k)
  pk’ ← (pk, cpars)
  return (pk’, msk)
KD’((pk, cpars), msk, id)
  sk ← KD(pk, msk, id)
  return sk
E’((pk, cpars), id, m)
  (com, dec) ← Com(cpars, id)
  C ← E(pk, id, m || dec)
  return (com, C)
D’((pk, cpars), id, sk, (com, C))
  m || dec ← D(pk, id, sk, C)
  If Open(cpars, com, dec) = id then return m else return ⊥
Robustness of resulting IBE
Theorem: If the commitment scheme CMT is binding, then IBE’ is SROB-CCA.
Proof:
• BindingAdversary(cpars)
  - (msk, pk) ← S(1^k)
  - (id0, id1, (com, C)) ← RobustAdversary^{KD,D}(cpars, pk), answering KD and D queries using msk
  - skb ← KD(msk, idb) for b = 0, 1
  - (mb, decb) ← D(cpars, pk, skb, C) for b = 0, 1
  - Return (com, dec0, dec1)
Transform is CPA-preserving
Theorem
• If the IBE scheme IBE is IND-CPA, then IBE’ is IND-CPA.
• If IBE is ANO-CPA and IND-CPA and the commitment scheme CMT is hiding, then IBE’ is ANO-CPA.
Transform is CCA-preserving
Theorem
• If IBE is IND-CCA and the commitment scheme CMT has the uniqueness property, then IBE’ is IND-CCA.
• If IBE is ANO-CCA, IND-CCA, and WROB-CCA and CMT is hiding and has the uniqueness property, then IBE’ is ANO-CCA.
An additional security property
Uniqueness
• ∀ cpars ∈ PG,
• ∀ x ∈ {0,1}*,
• ∀ (com, dec) ∈ Com(cpars, x),
• ∀ com’ ≠ com:
  Open(cpars, com’, dec) = ⊥
This is true when dec is the randomness used by the committing algorithm Com
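As an added example (not code from the lecture), the commit transform applied to a small hashed-ElGamal PKE, committing to the receiver's public key in place of the identity (an assumption about how the IBE transform carries over to PKE) with a hash commitment whose decommitment key is the committing randomness, so the uniqueness property above holds by construction. Group parameters, keys, cpars and messages are constructed for the illustration.

```python
import hashlib, os, random

# Constructed toy group (p = 2q + 1, g of order q); public keys fit in PK_LEN bytes.
P, Q, G = 2039, 1019, 4
PK_LEN, R_LEN = 2, 16                 # bytes for an encoded pk / for commitment randomness

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(shared):                      # one-time pad derived from the shared value g^{uv}
    return hashlib.sha256(shared.to_bytes(PK_LEN, "big")).digest()

# Base scheme: hashed ElGamal with a one-time pad; decryption never outputs bottom,
# so on its own it is not robust (wrong key => garbage bytes, not a rejection).
def base_enc(X, pt):                  # pt is at most 32 bytes
    u = random.randrange(1, Q)
    return pow(G, u, P), xor(pt, pad(pow(X, u, P)))

def base_dec(v, C):
    c1, c2 = C
    return xor(c2, pad(pow(c1, v, P)))

# Commitment: com = H(cpars || x || r), dec = x || r. Since dec is the committing
# randomness, Open(cpars, com', dec) = bottom for every com' != com (uniqueness).
def commit(cpars, x):
    r = os.urandom(R_LEN)
    return hashlib.sha256(cpars + x + r).digest(), x + r

def open_commit(cpars, com, dec):
    x, r = dec[:-R_LEN], dec[-R_LEN:]
    return x if hashlib.sha256(cpars + x + r).digest() == com else None

# The transform: commit to the receiver's pk, encrypt m || dec, verify the opening.
def enc(pk, cpars, m):
    com, d = commit(cpars, pk.to_bytes(PK_LEN, "big"))
    return com, base_enc(pk, m + d)

def dec(pk, cpars, v, ct):
    com, C = ct
    pt = base_dec(v, C)
    m, d = pt[:-(PK_LEN + R_LEN)], pt[-(PK_LEN + R_LEN):]
    return m if open_commit(cpars, com, d) == pk.to_bytes(PK_LEN, "big") else None

def demo():
    cpars = b"constructed-commitment-params"
    v0, v1 = random.sample(range(1, Q), 2)             # two receivers with distinct keys
    pk0, pk1 = pow(G, v0, P), pow(G, v1, P)
    ct = enc(pk0, cpars, b"hello")
    honest, wrong_key = dec(pk0, cpars, v0, ct), dec(pk1, cpars, v1, ct)
    # A base-scheme ciphertext with c1 = 1 is decrypted identically under every key;
    # the transform still lets only the committed receiver accept it (strong robustness).
    com, d = commit(cpars, pk0.to_bytes(PK_LEN, "big"))
    degenerate = (com, (1, xor(b"hello" + d, pad(1))))
    return honest, wrong_key, dec(pk0, cpars, v0, degenerate), dec(pk1, cpars, v1, degenerate)
```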
ElGamal encryption scheme
Secret key: v   Public key: g, g^v
[Diagram: from the generator g, the public key g^v, the plaintext Message and an ephemeral key u, compute g^u and g^uv by exponentiation; the ciphertext is (g^u, Message · g^uv).]
The DHIES scheme
Secret key: v   Public key: g, g^v
[Diagram: from g, g^v and an ephemeral key u, compute g^u and g^uv by exponentiation; hash g^uv with H to derive MacKey and EncKey; symmetric encryption of the plaintext M under EncKey gives EncM, and a MAC under MacKey gives Tag; the ciphertext is (g^u, Tag, EncM).]
Cramer-Shoup encryption
PG(1^k)
  K ← Keys(H); w ← Zp*
  g1 ← G*; g2 ← g1^w
  pars ← (g1, g2, K)
KG(pars)
  x1, x2, y1, y2, z1, z2 ← Zp
  e ← g1^x1 g2^x2; f ← g1^y1 g2^y2; h ← g1^z1 g2^z2
  Return (pk = (e, f, h), sk = (x1, x2, y1, y2, z1, z2))
Enc((g1, g2, K), (e, f, h), M)
  u ← Zp*
  a1 ← g1^u; a2 ← g2^u
  b ← h^u
  c ← b ∘ M
  v ← H(K, (a1, a2, c))
  d ← e^u f^uv
  C ← (a1, a2, c, d)
Dec((g1, g2, K), (e, f, h), (x1, x2, y1, y2, z1, z2), C)
  (a1, a2, c, d) ← C
  v ← H(K, (a1, a2, c))
  M ← c a1^−z1 a2^−z2
  If d ≠ a1^(x1 + y1 v) a2^(x2 + y2 v) then M ← ⊥
  If a1 = 1 then M ← ⊥
  Return M
Robustness of Cramer-Shoup
Theorem: If the hash function family is pre-image resistant, then the Cramer-Shoup encryption scheme is SROB-CCA
Proof idea:
• First show that it is safe to reject any ciphertext (a1, a2, c, d) such that a2 ≠ a1^w
• If the ciphertext is valid under pk0 and pk1, then v = H(K, (a1, a2, c)) must satisfy
  v · (y0,1 + w·y0,2 − y1,1 − w·y1,2) + (x0,1 + w·x0,2 − x1,1 − w·x1,2) = 0
  where xb,i and yb,i denote the secret-key components belonging to pkb
Boneh-Franklin IBE scheme
S(1^k)
  pk ← (1^k, P, sP, G1, G2, p, e)
  msk ← (s, pk)
KD(msk, ID)
  sk ← (pk, sH1(ID))
E(pk, id, m)
  x ← {0,1}^k
  r ← H3(x, m)
  T ← e(sP, H1(id))^r
  K ← H2(T)
  c1 ← rP
  c2 ← x ⊕ K
  c3 ← m ⊕ H4(x)
  C ← (c1, c2, c3)
Decryption(sk, C = (c1, c2, c3))
  T ← e(c1, sH1(ID))
  K ← H2(T)
  x ← K ⊕ c2
  m ← c3 ⊕ H4(x)
  r ← H3(x, m)
  If c1 ≠ rP, then return ⊥
  Else return m
Robustness of Boneh-Franklin
Theorem: If the hash functions H1, H2, H3, and H4 are random oracles, then the Boneh-Franklin IBE scheme is SROB-CCA
Searchable Encryption [BDOP04]
Suppose Bob sends an encrypted email to Alice
Alice’s email gateway may want to test if the email contains the word “urgent”, so that it could route the email accordingly
Still, Alice does not want the gateway to be able to decrypt her messages
Public-key encryption with keyword search (PEKS): Enable the gateway to test whether a given keyword is present in the email without learning anything else about the email
Searchable Encryption: Usage
Bob encrypts his email using a standard public-key encryption scheme PKE
He then appends the public-key encryption with keyword search (PEKS) of each keyword
Enc(PKAlice, Email) || PEKS(PKAlice, W1) || … || PEKS(PKAlice, Wm)
Main property: Alice can give the gateway a trapdoor tw that allows it to test whether Wi = W for i = 1, …, m
PEKS: Public-key encryption with keyword search [BDOP04]
Goal: Allow gateway to test for the presence of keywords in ciphertexts
[Diagram: the receiver runs KeyGeneration to obtain (pk, sk); the sender uses pk to compute C = PEKS(pk, w); the receiver derives Tw’ = Trapdoor(sk, w’) and hands it to the gateway; the gateway runs Test(C, Tw’) and outputs YES (1) / NO (0).]
An IBE-based scheme [BDOP04]
PEKS (KeyGen, PEKS, Trapdoor, Test)   ↔   IBE (Setup, KeyDer, Enc, Dec)
• pk ↔ pk
• sk ↔ msk
• Keyword w ↔ Identity w
• Trapdoor tw ↔ User secret key skw
• PEKS(pk, w) ↔ C ← Enc(pk, w, 0^k)
• Test(tw, C) ↔ Dec(tw, C) = 0^k ?
Security and Consistency of IBE-2-PEKS transformation
Theorem 1: If IBE is ANO-ATK-secure, then PEKS = IBE-2-PEKS[IBE] is IND-ATK-secure for ATK ∈ {CPA, CCA}.
Theorem 2: If IBE is WROB-CPA-secure, then PEKS = IBE-2-PEKS[IBE] is computationally consistent.
Concluding remarks
Robustness is extremely important for the correctness of several applications
• E.g., anonymous broadcast, auctions, PEKS
Robustness has been considered informally in the cryptographic community for a while
• This work makes it explicit and provides formal definitions for it
Contrary to what seems intuitive, natural ways to confer robustness (e.g., adding redundancy) fail
See Cryptology ePrint Archive, Report 2008/440