On the Selective Opening Security of Practical Public-Key ... the Selective Ope… · sk Image...
Transcript of On the Selective Opening Security of Practical Public-Key ... the Selective Ope… · sk Image...
On the Selective Opening Security ofPractical Public-Key Encryption SchemesPKC 2015, NIST, Maryland: March 30, 2015
Felix Heuer, Tibor Jager, Eike Kiltz, Sven SchägeHorst Görtz Institute for IT SecurityRuhr University Bochum
1 Selective-Opening Security
2 A Generic Transformation for SIM-SO-CCA Security
3 Proof Idea
4 Results
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 2/15
Selective-Opening Attacks
c1 = Encpk(m1; r1)c1
c2 = Encpk(m2; r2)c2
...
...
cn = Encpk(mn; rn)
cn
sk
Image source: xkcd.com
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 3/15
Selective-Opening Attacks
c1 = Encpk(m1; r1)c1
c2 = Encpk(m2; r2)c2
...
...
cn = Encpk(mn; rn)
cn
sk
Image source: xkcd.com
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 3/15
Selective-Opening Attacks
c1 = Encpk(m1; r1)c1
c2 = Encpk(m2; r2)c2
...
...
cn = Encpk(mn; rn)
cn
sk
Image source: xkcd.com
Do the messages of uncorrupted parties remain confidential?
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 3/15
SIM-SO-CCA Security Definition [FHKW10]
real game A
(pk,sk) ← Gen(1κ)pk
D(m1,...,mn) ← D
(r1,...,rn) $← Coinsci :=Encpk(mi ;ri )
(c1,...,cn)
Open(i)I:=I∪{i}
(mi ,ri )
choose distribution D
compute output “outA”outAOutput:
(m1,...,mn,D,I,outA)
Dec oraclec /∈{c1,...,cn}
Decsk(c)
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 4/15
SIM-SO-CCA Security Definition [FHKW10]
real game A
(pk,sk) ← Gen(1κ)pk
D(m1,...,mn) ← D
(r1,...,rn) $← Coinsci :=Encpk(mi ;ri )
(c1,...,cn)
Open(i)I:=I∪{i}
(mi ,ri )
choose distribution D
compute output “outA”outAOutput:
(m1,...,mn,D,I,outA)
Dec oraclec /∈{c1,...,cn}
Decsk(c)
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 5/15
SIM-SO-CCA Security Definition [FHKW10]
ideal game S
(pk,sk) ← Gen(1κ)pk
D(m1,...,mn) ← D
(r1,...,rn) $← Coinsci :=Encpk(mi ;ri )
(c1,...,cn)
Open(i)I:=I∪{i}
(mi ,ri )
choose distribution D
compute output “outS”outSOutput:
(m1,...,mn,D,I,outS)
Dec oraclec /∈{c1,...,cn}
Decsk(c)
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 6/15
SIM-SO-CCA Security Definition [FHKW10]
Definition 1 (SIM-SO-CCA security)A public key encryption scheme is SIM-SO-CCA secure if for every PPTadversary A there exists a PPT simulator S := S(A) such that thedistributions induced by
A run in the real game and S run in the ideal game
are computationally indistinguishable.
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 7/15
Selective Opening vs. Standard Security Notions
• two flavours: IND-based and SIM-based.SIM implies IND, not known to be equivalent.
• IND-SO-CCA stronger security notion than IND-CCA security.[HR14]
• Existing SIM-SO-CCA schemes are very inefficient. [FHKW10],[Hof12], [LP15]
• This work: Certain known constructions give SIM-SO-CCA secu-rity for free in the ROM.
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 8/15
Selective Opening vs. Standard Security Notions
• two flavours: IND-based and SIM-based.SIM implies IND, not known to be equivalent.
• IND-SO-CCA stronger security notion than IND-CCA security.[HR14]
• Existing SIM-SO-CCA schemes are very inefficient. [FHKW10],[Hof12], [LP15]
• This work: Certain known constructions give SIM-SO-CCA secu-rity for free in the ROM.
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 8/15
Selective Opening vs. Standard Security Notions
• two flavours: IND-based and SIM-based.SIM implies IND, not known to be equivalent.
• IND-SO-CCA stronger security notion than IND-CCA security.[HR14]
• Existing SIM-SO-CCA schemes are very inefficient. [FHKW10],[Hof12], [LP15]
• This work: Certain known constructions give SIM-SO-CCA secu-rity for free in the ROM.
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 8/15
Selective Opening vs. Standard Security Notions
• two flavours: IND-based and SIM-based.SIM implies IND, not known to be equivalent.
• IND-SO-CCA stronger security notion than IND-CCA security.[HR14]
• Existing SIM-SO-CCA schemes are very inefficient. [FHKW10],[Hof12], [LP15]
• This work: Certain known constructions give SIM-SO-CCA secu-rity for free in the ROM.
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 8/15
Our Work
SIM-SO-CCA security in the ROM for two well-known transformations:
Part I:
PKE from any one-way PCA secure KEM
Part II:
PKE from OAEP for any partial-domain TP
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 9/15
Our Work
SIM-SO-CCA security in the ROM for two well-known transformations:
Part I:
PKE from any one-way PCA secure KEM
Part II:
PKE from OAEP for any partial-domain TP
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 9/15
“Hashed KEM/DEM Approach”
Let KEM = (KGen,Encap,Decap) be a Key Encapsulation Mechanism,MAC = (Tag,Vrfy) a Message Authentication Code and H a hashfunction. Consider the following PKE:
Gen(1λ)(pk, sk)← KGen(1λ)Return pk
Encpk(m)r $← Coins(k, c (1))← Encappk(r)(ksym, kmac)← H(k)c (2) := m⊕ksym
c (3) := Tagkmac (c (2))Return (c (1), c (2), c (3))
Decsk(c (1), c (2), c (3))k ← Decapsk(c (1))(ksym, kmac)← H(k)if Vrfykmac (c (2), c (3)) = 1
Return c (2)⊕ksym
elseReturn ⊥
– Use RSA KEM under RSA assumption– Use DH KEM under strong DH assumption
Instantiationof DHIES
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 10/15
“Hashed KEM/DEM Approach”
Let KEM = (KGen,Encap,Decap) be a Key Encapsulation Mechanism,MAC = (Tag,Vrfy) a Message Authentication Code and H a hashfunction. Consider the following PKE:
Gen(1λ)(pk, sk)← KGen(1λ)Return pk
Encpk(m)r $← Coins(k, c (1))← Encappk(r)(ksym, kmac)← H(k)c (2) := m⊕ksym
c (3) := Tagkmac (c (2))Return (c (1), c (2), c (3))
Decsk(c (1), c (2), c (3))k ← Decapsk(c (1))(ksym, kmac)← H(k)if Vrfykmac (c (2), c (3)) = 1
Return c (2)⊕ksym
elseReturn ⊥
– Use RSA KEM under RSA assumption– Use DH KEM under strong DH assumption
Instantiationof DHIES
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 10/15
“Hashed KEM/DEM Approach”
Let KEM = (KGen,Encap,Decap) be a Key Encapsulation Mechanism,MAC = (Tag,Vrfy) a Message Authentication Code and H a hashfunction. Consider the following PKE:
Gen(1λ)(pk, sk)← KGen(1λ)Return pk
Encpk(m)r $← Coins(k, c (1))← Encappk(r)(ksym, kmac)← H(k)c (2) := m⊕ksym
c (3) := Tagkmac (c (2))Return (c (1), c (2), c (3))
Decsk(c (1), c (2), c (3))k ← Decapsk(c (1))(ksym, kmac)← H(k)if Vrfykmac (c (2), c (3)) = 1
Return c (2)⊕ksym
elseReturn ⊥
– Use RSA KEM under RSA assumption– Use DH KEM under strong DH assumption
Instantiationof DHIES
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 10/15
“Hashed KEM/DEM Approach”
Let KEM = (KGen,Encap,Decap) be a Key Encapsulation Mechanism,MAC = (Tag,Vrfy) a Message Authentication Code and H a hashfunction. Consider the following PKE:
Gen(1λ)(pk, sk)← KGen(1λ)Return pk
Encpk(m)r $← Coins(k, c (1))← Encappk(r)(ksym, kmac)← H(k)c (2) := m⊕ksym
c (3) := Tagkmac (c (2))Return (c (1), c (2), c (3))
Decsk(c (1), c (2), c (3))k ← Decapsk(c (1))(ksym, kmac)← H(k)if Vrfykmac (c (2), c (3)) = 1
Return c (2)⊕ksym
elseReturn ⊥
– Use RSA KEM under RSA assumption– Use DH KEM under strong DH assumption
Instantiationof DHIES
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 10/15
“Hashed KEM/DEM Approach”
Theorem 2 (SBZ02)The given transformation achieves IND-CCA security in the ROM ifKEM is OW-PCA secure and MAC is sUF-OT-CMA.
Gen(1λ)(pk, sk)← KGen(1λ)Return pk
Encpk(m)r $← Coins(k, c (1))← Encappk(r)(ksym, kmac)← H(k)c (2) := m⊕ksym
c (3) := Tagkmac (c (2))Return (c (1), c (2), c (3))
Decsk(c (1), c (2), c (3))k ← Decapsk(c (1))(ksym, kmac)← H(k)if Vrfykmac (c (2), c (3)) = 1
Return c (2)⊕ksym
elseReturn ⊥
– Use RSA KEM under RSA assumption– Use DH KEM under strong DH assumption
Instantiationof DHIES
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 10/15
“Hashed KEM/DEM Approach”
Theorem 2 (SBZ02)The given transformation achieves IND-CCA security in the ROM ifKEM is OW-PCA secure and MAC is sUF-OT-CMA.
Gen(1λ)(pk, sk)← KGen(1λ)Return pk
Encpk(m)r $← Coins(k, c (1))← Encappk(r)(ksym, kmac)← H(k)c (2) := m⊕ksym
c (3) := Tagkmac (c (2))Return (c (1), c (2), c (3))
Decsk(c (1), c (2), c (3))k ← Decapsk(c (1))(ksym, kmac)← H(k)if Vrfykmac (c (2), c (3)) = 1
Return c (2)⊕ksym
elseReturn ⊥
– Use RSA KEM under RSA assumption
– Use DH KEM under strong DH assumptionInstantiationof DHIES
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 10/15
“Hashed KEM/DEM Approach”
Theorem 2 (SBZ02)The given transformation achieves IND-CCA security in the ROM ifKEM is OW-PCA secure and MAC is sUF-OT-CMA.
Gen(1λ)(pk, sk)← KGen(1λ)Return pk
Encpk(m)r $← Coins(k, c (1))← Encappk(r)(ksym, kmac)← H(k)c (2) := m⊕ksym
c (3) := Tagkmac (c (2))Return (c (1), c (2), c (3))
Decsk(c (1), c (2), c (3))k ← Decapsk(c (1))(ksym, kmac)← H(k)if Vrfykmac (c (2), c (3)) = 1
Return c (2)⊕ksym
elseReturn ⊥
– Use RSA KEM under RSA assumption– Use DH KEM under strong DH assumption
Instantiationof DHIES
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 10/15
“Hashed KEM/DEM Approach”
Theorem 3 (This work)The same transformation gives rise to a SIM-SO-CCA secure PKE inthe ROM without additional assumptions.
Gen(1λ)(pk, sk)← KGen(1λ)Return pk
Encpk(m)r $← Coins(k, c (1))← Encappk(r)(ksym, kmac)← H(k)c (2) := m⊕ksym
c (3) := Tagkmac (c (2))Return (c (1), c (2), c (3))
Decsk(c (1), c (2), c (3))k ← Decapsk(c (1))(ksym, kmac)← H(k)if Vrfykmac (c (2), c (3)) = 1
Return c (2)⊕ksym
elseReturn ⊥
– Use RSA KEM under RSA assumption– Use DH KEM under strong DH assumption
Instantiationof DHIES
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 10/15
How to Prove SIM-SO-CCA Security
real A ideal S A;
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 11/15
How to Construct a Simulator
ideal S A
pk
DD
(c1, . . . , cn)
Open(i)Open(i)
mi (mi , ri)
outAoutS
(m1, . . . , mn,D, I, outS)
A is allowed to make additional Hash or Dec queries at any time!
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 12/15
How to Construct a Simulator
ideal S A
pk
DD
(c1, . . . , cn)
Open(i)Open(i)
mi (mi , ri)
outAoutS
(m1, . . . , mn,D, I, outS)
A is allowed to make additional Hash or Dec queries at any time!SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 12/15
Possible Tripping Hazards for a Simulator
• S must not make more opening queries than A to learn mi .
• S has to create non-committing “dummy”-encryptions that allowfor later opening to any message.
• Answering Hash or Decryption queries is easy if A called Open(i)earlier.
• However, S has to answer Hash and Decryption queries withoutcommitting to mi if A did not call Open(i) (yet).
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 13/15
Possible Tripping Hazards for a Simulator
• S must not make more opening queries than A to learn mi .• S has to create non-committing “dummy”-encryptions that allowfor later opening to any message.
• Answering Hash or Decryption queries is easy if A called Open(i)earlier.
• However, S has to answer Hash and Decryption queries withoutcommitting to mi if A did not call Open(i) (yet).
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 13/15
Possible Tripping Hazards for a Simulator
• S must not make more opening queries than A to learn mi .• S has to create non-committing “dummy”-encryptions that allowfor later opening to any message.
• Answering Hash or Decryption queries is easy if A called Open(i)earlier.
• However, S has to answer Hash and Decryption queries withoutcommitting to mi if A did not call Open(i) (yet).
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 13/15
Possible Tripping Hazards for a Simulator
• S must not make more opening queries than A to learn mi .• S has to create non-committing “dummy”-encryptions that allowfor later opening to any message.
• Answering Hash or Decryption queries is easy if A called Open(i)earlier.
• However, S has to answer Hash and Decryption queries withoutcommitting to mi if A did not call Open(i) (yet).
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 13/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.
G1: Abort if A queries H(ki) or Dec(c (1)i , ·, ·)
before sending D.G2: Replace c (2)
i with uniform randomness.G3: Abort if A issues a valid decryption query
Dec(c (1)i , ·, ·) and H(ki) is not yet defined.
G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := mi⊕ksym
ic (3)
i := Tagkmaci
(c (2)i )
Return (c (1)i , c (2)
i , c (3)i )
G0
G1≈sstatisticalargument
G2= G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := mi⊕ksym
ic (3)
i := Tagkmaci
(c (2)i )
Return (c (1)i , c (2)
i , c (3)i )
G0 G1
≈sstatisticalargument
G2= G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := mi⊕ksym
ic (3)
i := Tagkmaci
(c (2)i )
Return (c (1)i , c (2)
i , c (3)i )
G0 G1≈sstatisticalargument
G2= G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2
= G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2=
G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2=
How to answer Hash or Decryption queries?Assume A makes a valid Dec(c (1)
i , ·, ·) query:
Case 1:H(ki) is not definedCase 2:H(ki) is defined
; kmaci still uniform,use MAC security G3
; A decapsulated c (1)i ,
use KEM security G4
G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2=
How to answer Hash or Decryption queries?Assume A makes a valid Dec(c (1)
i , ·, ·) query:
Case 1:H(ki) is not defined
Case 2:H(ki) is defined
; kmaci still uniform,use MAC security G3
; A decapsulated c (1)i ,
use KEM security G4
G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2=
How to answer Hash or Decryption queries?Assume A makes a valid Dec(c (1)
i , ·, ·) query:
Case 1:H(ki) is not definedCase 2:H(ki) is defined
; kmaci still uniform,use MAC security G3
; A decapsulated c (1)i ,
use KEM security G4
G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2=
How to answer Hash or Decryption queries?Assume A makes a valid Dec(c (1)
i , ·, ·) query:
Case 1:H(ki) is not definedCase 2:H(ki) is defined
; kmaci still uniform,use MAC security G3
; A decapsulated c (1)i ,
use KEM security G4
G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2=
How to answer Hash or Decryption queries?Assume A makes a valid Dec(c (1)
i , ·, ·) query:
Case 1:H(ki) is not definedCase 2:H(ki) is defined
; kmaci still uniform,use MAC security G3
; A decapsulated c (1)i ,
use KEM security G4
G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2=
G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.
G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2= G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.
G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2= G3
MAC security
≈c
G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).
G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2= G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).
G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2= G3
MAC security
≈c G4
KEM security
≈c
Oracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).
G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2= G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2= G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5
=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Tweaking A in a Sequence of Games
G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)
i , ·, ·)before sending D.
G2: Replace c (2)i with uniform randomness.
G3: Abort if A issues a valid decryption queryDec(c (1)
i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.
Encpk(mi)ri
$← Coins(ki , c (1)
i )← Encappk(ri)(ksym
i , kmaci )← H(ki)
c (2)i := uniform
c (3)i := Tagkmac
i(c (2)
i )Return (c (1)
i , c (2)i , c (3)
i )
G0 G1≈sstatisticalargument
G2= G3
MAC security
≈c G4
KEM security
≈cOracle patchingtechnique. [CS03](Needs PCA KEM)
G5=
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 14/15
Summary
• SIM-SO-CCA secure PKE from generic construction in the ROM
• No additional assumptions compared to proof for IND-CCA security• Employs OT-MAC – can be constructed information-theoretically• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.
• Same proof-ideas can be applied to prove RSA-OAEP SIM-SO-CCA secure in the ROM.
Certain tranformations give SIM-SO-CCAsecurity for free in the ROM
Image source: xkcd.com
Thank you!
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 15/15
Summary
• SIM-SO-CCA secure PKE from generic construction in the ROM• No additional assumptions compared to proof for IND-CCA security
• Employs OT-MAC – can be constructed information-theoretically• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.
• Same proof-ideas can be applied to prove RSA-OAEP SIM-SO-CCA secure in the ROM.
Certain tranformations give SIM-SO-CCAsecurity for free in the ROM
Image source: xkcd.com
Thank you!
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 15/15
Summary
• SIM-SO-CCA secure PKE from generic construction in the ROM• No additional assumptions compared to proof for IND-CCA security• Employs OT-MAC – can be constructed information-theoretically
• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.
• Same proof-ideas can be applied to prove RSA-OAEP SIM-SO-CCA secure in the ROM.
Certain tranformations give SIM-SO-CCAsecurity for free in the ROM
Image source: xkcd.com
Thank you!
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 15/15
Summary
• SIM-SO-CCA secure PKE from generic construction in the ROM• No additional assumptions compared to proof for IND-CCA security• Employs OT-MAC – can be constructed information-theoretically• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.
• Same proof-ideas can be applied to prove RSA-OAEP SIM-SO-CCA secure in the ROM.
Certain tranformations give SIM-SO-CCAsecurity for free in the ROM
Image source: xkcd.com
Thank you!
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 15/15
Summary
• SIM-SO-CCA secure PKE from generic construction in the ROM• No additional assumptions compared to proof for IND-CCA security• Employs OT-MAC – can be constructed information-theoretically• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.
• Same proof-ideas can be applied to prove RSA-OAEP SIM-SO-CCA secure in the ROM.
Certain tranformations give SIM-SO-CCAsecurity for free in the ROM
Image source: xkcd.com
Thank you!
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 15/15
Summary
• SIM-SO-CCA secure PKE from generic construction in the ROM• No additional assumptions compared to proof for IND-CCA security• Employs OT-MAC – can be constructed information-theoretically• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.
• Same proof-ideas can be applied to prove RSA-OAEP SIM-SO-CCA secure in the ROM.
Certain tranformations give SIM-SO-CCAsecurity for free in the ROM
Image source: xkcd.com
Thank you!
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 15/15
Summary
• SIM-SO-CCA secure PKE from generic construction in the ROM• No additional assumptions compared to proof for IND-CCA security• Employs OT-MAC – can be constructed information-theoretically• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.
• Same proof-ideas can be applied to prove RSA-OAEP SIM-SO-CCA secure in the ROM.
Certain tranformations give SIM-SO-CCAsecurity for free in the ROM
Image source: xkcd.com
Thank you!
SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 15/15