Posted on 21-Mar-2016

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem

Mihir Bellare Alexandra Boldyreva Adriana Palacio

University of California at San Diego

The Random-Oracle (RO) model [BR93]

• Algorithms of the scheme, as well as the adversary have oracle access to random functions.

• Very popular: there are numerous schemes designed and proven secure in this model.

[Figure: in the RO model both the encryption algorithm $\mathrm{AE}_{pk}(M)$ and the adversary $A$ query the random oracles $H$ and $G$: $h = H(a)$, $g = G(b)$, ...]

Moving to the real world

However, the RO model is an idealized setting. To get a real-world scheme we must instantiate the ROs with real functions.

Instantiation of this scheme via SHA1

[Figure: the same diagram with the oracle calls replaced by hash computations: $h = \mathrm{SHA1}(a)$, $g = \mathrm{SHA1}(b)$, ...]

Instantiation: more generally

Let $F1$, $F2$ be poly-time computable families of functions.

[Figure: $\mathrm{AE}_{pk,L_1,L_2}(M)$ computes $h = F1_{L_1}(a)$ and $g = F2_{L_2}(b)$ in place of the oracle queries, ...]

Security of instantiated schemes

RO model thesis: If a scheme is proven secure in the RO model, then it remains secure under a suitable instantiation.

Question: Is this true?

Answer: No. Past work has shown the existence of uninstantiable schemes.

Uninstantiable schemes

Definition. A scheme is uninstantiable (with respect to some cryptographic goal) if

1. the scheme satisfies the goal in the RO model, and

2. no instantiation satisfies the goal in the standard model.

Examples of uninstantiable schemes

Who                        | Goals                                       | Goal practical?  | Scheme
Canetti, Goldreich, Halevi | IND-CPA encryption, UF-CMA signatures       | practical        | complex, artificial
Nielsen                    | Non-interactive, non-committing encryption  | not very practical | simple, natural
Goldwasser, Tauman         | Signatures via Fiat-Shamir heuristic        | practical        | complex, artificial

Reaction

A Eurocrypt attendee: "OK, but 'in practice', the RO model thesis is true."

Practical RO model thesis: The RO model thesis holds for "natural, practical" schemes for "practical" goals.

Our work

We present a RO model scheme that

• is simple and natural, and resembles existing RO model schemes,

• is for a practical security goal,

• but is uninstantiable.

Caveats and impact

• Our result does have artificial aspects as we will see, and should not be taken to indicate that the practical RO model thesis is false.

• But it shows that uninstantiable schemes arise in more practical situations than indicated by previous work.

Plan

• The goal

• The scheme

• The positive result

• The negative result

• Conclusions


Classical view of asymmetric encryption usage

[Figure: the sender computes $C \leftarrow \mathrm{AE}_{pk_R}(M)$ and sends $C$ to receiver $R$, who recovers $M \leftarrow \mathrm{AD}_{sk_R}(C)$. $\mathrm{AS} = (\mathrm{AK}, \mathrm{AE}, \mathrm{AD})$ is the asymmetric scheme.]

In practice: hybrid approach

[Figure: the sender picks a symmetric key $K \leftarrow \mathrm{SK}(1^k)$ and sends $C_0 \leftarrow \mathrm{AE}_{pk_R}(K)$ once; each message $M_i$ ($i = 1, \ldots, n$) is then sent as $C_i \leftarrow \mathrm{SE}_K(M_i)$. Receiver $R$ recovers $K \leftarrow \mathrm{AD}_{sk_R}(C_0)$ and then $M_i \leftarrow \mathrm{SD}_K(C_i)$. $\mathrm{SS} = (\mathrm{SK}, \mathrm{SE}, \mathrm{SD})$ is the symmetric scheme and $\mathrm{AS} = (\mathrm{AK}, \mathrm{AE}, \mathrm{AD})$ the asymmetric one.]

AS + SS = Multi-Message (MM) Hybrid (AS,SS)

Goal: IND-CCA-secure MM-Hybrid Encryption

We can define, in a natural way, IND-CCA security for an MM-hybrid scheme (AS,SS). Certainly, a necessary condition for IND-CCA security of an MM-hybrid (AS,SS) is IND-CCA security of SS. But what do we need from the asymmetric encryption scheme AS?

Easy theorem: if AS is IND-CCA then, for any IND-CCA SS, the MM-hybrid (AS,SS) is IND-CCA.

However, the above could be true even if AS satisfies a weaker condition than IND-CCA.

IND-CCA-preserving asymmetric schemes

What emerges: A new notion of security for asymmetric encryption schemes.

Definition: An asymmetric encryption scheme AS is IND-CCA-preserving if, for any IND-CCA SS, the MM-hybrid (AS,SS) is IND-CCA.

Why IND-CCA-preserving schemes?

For asymmetric schemes, IND-CCA is the stronger notion and IND-CCA-preserving the weaker one. In particular, an IND-CCA-preserving scheme need not even be randomized, since it is used to encrypt random keys.

The hope: IND-CCA-preserving schemes more efficient than existing IND-CCA ones.

The benefit: Security of encryption in practice at lower cost.

Summary

Our goal: IND-CCA preserving asymmetric encryption


Hash ElGamal RO model asymmetric encryption scheme HEG = (AK,AE,AD)

$pk = (k, q, g, X = g^x)$, $sk = (k, q, g, x)$, where $q$ and $2q+1$ are primes and $g$ has order $q$ in $\mathbb{Z}^*_{2q+1}$.

Random oracles: $H\colon \{0,1\}^k \to \mathbb{Z}_q$ and $G\colon \mathbb{Z}^*_{2q+1} \to \{0,1\}^k$.

$\mathrm{AE}^{H,G}_{pk}(K)$: $r \leftarrow H(K)$; $P \leftarrow G(X^r)$; Return $(g^r, P \oplus K)$

$\mathrm{AD}^{H,G}_{sk}(Y, W)$: $K \leftarrow G(Y^x) \oplus W$; If $g^{H(K)} = Y$ then Return $K$ else Reject

Note. HEG is deterministic and thus not even IND-CPA!

Plan

• The goal

• The scheme

• The positive result

• The negative result

• Conclusions

Security of Hash ElGamal

Theorem 1. Under the Computational Diffie-Hellman assumption (CDH), HEG is IND-CCA-preserving in the RO model: for any IND-CCA SS, the MM-hybrid (HEG,SS) is IND-CCA.

HEG is similar to existing schemes GEM, GEM1, GEM2, FO, REACT…

Something almost identical (but randomized) appeared in [BaLeKi00].


Now, the interesting stuff

Theorem 2. No instantiation of HEG is IND-CCA-preserving in the standard model.

A Eurocrypt attendee: "I.e. it is IND-CCA preserving in the RO model, but no standard model implementation of it is IND-CCA preserving?"

Right! More precisely…

Security of HEG instantiations

Let $F1$, $F2$ be poly-time computable families of functions. The instantiated scheme $\overline{\mathrm{HEG}}$ replaces the oracles by $F1_{L_1}$ and $F2_{L_2}$, with the function keys $L_1, L_2$ carried in the public key $pk = (k, q, g, X, L_1, L_2)$:

$\mathrm{AE}_{k,q,g,X,L_1,L_2}(K)$: $r \leftarrow F1_{L_1}(K)$; $P \leftarrow F2_{L_2}(X^r)$; Return $(g^r, P \oplus K)$

Theorem 2. For any $F1$, $F2$, the above standard model asymmetric encryption scheme is not IND-CCA preserving.

A caveat

• The proof of Theorem 2 shows that for every $F1$, $F2$ (poly-time families of functions) THERE EXISTS an SS such that $(\overline{\mathrm{HEG}}, \mathrm{SS})$ is not an IND-CCA secure MM-hybrid.

• But SS is an artificial scheme, depending on $F1$, $F2$.

• Theorem 2 does not imply that e.g. $(\overline{\mathrm{HEG}}$, CBC-type SS$)$ is insecure.

• So although HEG is simple and natural, there is some artificiality under the rug.

However, we still believe the result is valuable because we have

• A practical goal: IND-CCA preserving encryption.

• A simple, natural scheme resembling existing RO schemes: HEG.

• Yet HEG is uninstantiable: its real-world implementation loses the security property.

• And HEG is innocuous looking; one would not suspect any anomalies in advance.

About the proof of Theorem 2

Let $\overline{\mathrm{HEG}}$ be ANY instantiation of HEG via poly-time computable families of functions. We present a symmetric encryption scheme SS=(SK,SE,SD) such that

1. SS is IND-CCA secure

2. $(\overline{\mathrm{HEG}}, \mathrm{SS})$ is not IND-CCA secure

Key and ciphertext verifiability

• Def. An asymmetric encryption scheme is key-verifiable if there is a poly-time algorithm KV with $\mathrm{KV}(pk) = 1$ if $pk$ is a valid public key and $0$ otherwise.

• Def. An asymmetric encryption scheme is ciphertext-verifiable if there is a poly-time algorithm CV with $\mathrm{CV}(pk, M, C) = 1$ if $C$ is a valid encryption of $M$ under $pk$ and $0$ otherwise.

• Claim. Any instantiation $\overline{\mathrm{HEG}}$ of HEG is key- and ciphertext-verifiable.

SS construction for Proof of Theorem 2

Let SS'=(SK',SE',SD') be any IND-CCA symmetric scheme.

$\mathrm{SK}(1^k)$: $K_1 \leftarrow \mathrm{SK'}(1^{k/2})$; $K_2 \leftarrow \{0,1\}^{k/2}$ at random; Return $K_1 \| K_2$

$\mathrm{SE}_{K_1 \| K_2}(M)$: $C' \leftarrow \mathrm{SE'}_{K_1}(M)$; Parse $M$ as $M_1 \| M_2$; If $M_1$ is a valid pk for $\overline{\mathrm{HEG}}$ and $M_2$ is a valid $\overline{\mathrm{HEG}}$ ciphertext of $K_1 \| K_2$ under that pk then Return $C' \| 0$ else Return $C' \| 1$

(Here $K_1$, the output of SK', is the key actually used with SE'; $K_2$ only adds entropy that an attacker without the key cannot guess. The two validity checks are sound operations since $\overline{\mathrm{HEG}}$ is key- and ciphertext-verifiable.)

• We show that SS is IND-CCA.

• In order to show that $(\overline{\mathrm{HEG}}, \mathrm{SS})$ is not IND-CCA we use the fact that $\overline{\mathrm{HEG}}$ is key- and ciphertext-verifiable. The details are in the paper.

• In general: no key- and ciphertext-verifiable scheme is IND-CCA preserving.
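The following is an added, runnable example written for this page; it is not the authors' code and the paper contains no implementation. It puts the ingredients of Theorem 2 in one place: HEG instantiated with SHA-256 in place of the oracles H and G (the slides used SHA1), the verification algorithms KV and CV, the symmetric scheme SS of the proof built on a stand-in SS', and the adversary that wins the IND-CCA game for the MM-hybrid by reading the challenge bit off the trailing flag of the SS ciphertext. The toy 62-bit safe-prime group (CDH is trivial there; only the structure matters), k = 128, the byte encoding of pk || C, and the encrypt-then-MAC SS' are assumptions made for the example.

```python
"""Hash ElGamal (HEG) instantiated with SHA-256, plus the symmetric scheme SS from the proof of
Theorem 2. Added example, not the authors' code; group size, k, encoding and SS' are assumptions."""
import hashlib, hmac, os

K_BYTES, INT_BYTES = 16, 16   # k = 128-bit keys; fixed-width encoding of group elements in messages
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic Miller-Rabin below ~2^81

def is_prime(n):
    if n < 2 or any(n % b == 0 for b in MR_BASES):
        return n in MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def group_params(bits=62):   # smallest safe prime p = 2q+1 with q > 2^bits; g = 4 = 2^2 has order q
    q = (1 << bits) + 1      # toy size so the search is instant (CDH is easy here); structure is what matters
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return q, 4

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def H(K, q):   # F1 : {0,1}^k -> Z_q, instantiated with SHA-256
    return int.from_bytes(hashlib.sha256(b"H" + K).digest(), "big") % q
def G(Y):      # F2 : Z_p^* -> {0,1}^k, instantiated with SHA-256
    return hashlib.sha256(b"G" + Y.to_bytes(INT_BYTES, "big")).digest()[:K_BYTES]

def heg_keygen(q, g):   # pk = (q, g, X = g^x), sk = (q, g, x)
    p, x = 2 * q + 1, 1 + int.from_bytes(os.urandom(16), "big") % (q - 1)
    return (q, g, pow(g, x, p)), (q, g, x)
def heg_enc(pk, K):     # AE_pk(K): r <- H(K); P <- G(X^r); return (g^r, P xor K). No coins: deterministic
    q, g, X = pk
    p, r = 2 * q + 1, H(K, q)
    return pow(g, r, p), xor(G(pow(X, r, p)), K)
def heg_dec(sk, C):     # AD_sk(Y, W): K <- G(Y^x) xor W; accept iff g^{H(K)} == Y, else reject (None)
    q, g, x = sk
    p, (Y, W) = 2 * q + 1, C
    K = xor(G(pow(Y, x, p)), W)
    return K if pow(g, H(K, q), p) == Y else None

def key_verify(pk):     # KV: q and 2q+1 prime, g and X of order q
    q, g, X = pk
    p = 2 * q + 1
    return is_prime(q) and is_prime(p) and 1 < g < p and pow(g, q, p) == 1 and 1 < X < p and pow(X, q, p) == 1
def ciphertext_verify(pk, M, C):   # CV: AE is deterministic, so re-encrypt M and compare
    return key_verify(pk) and heg_enc(pk, M) == C
def encode(pk, C):      # the message M = pk || C as one byte string
    return b"".join(v.to_bytes(INT_BYTES, "big") for v in pk + (C[0],)) + C[1]
def parse(M):           # inverse of encode; None if M does not have that shape
    if len(M) != 4 * INT_BYTES + K_BYTES:
        return None
    v = [int.from_bytes(M[i:i + INT_BYTES], "big") for i in range(0, 4 * INT_BYTES, INT_BYTES)]
    return (v[0], v[1], v[2]), (v[3], M[4 * INT_BYTES:])

# SS': stand-in IND-CCA symmetric scheme (SHA-256 keystream, then an HMAC-SHA256 tag over nonce || ct)
def _stream(K1, nonce, n):
    return b"".join(hashlib.sha256(K1 + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))[:n]
def ss1_enc(K1, M):
    nonce = os.urandom(16)
    body = nonce + xor(M, _stream(K1, nonce, len(M)))
    return body + hmac.new(K1, body, hashlib.sha256).digest()
def ss1_dec(K1, C):
    body, tag = C[:-32], C[-32:]
    if len(body) < 16 or not hmac.compare_digest(tag, hmac.new(K1, body, hashlib.sha256).digest()):
        return None
    return xor(body[16:], _stream(K1, body[:16], len(body) - 16))

# SS: the proof's construction. K = K1 || K2 with K1 an SS' key and K2 uniform. The trailing byte is 0
# exactly when M = pk || AE_pk(K) for a valid pk: harmless without K, fatal once the hybrid publishes AE_pk(K)
def ss_keygen():
    return os.urandom(K_BYTES // 2) + os.urandom(K_BYTES // 2)
def _flag(K, M):
    parsed = parse(M)
    return b"\x00" if parsed and ciphertext_verify(parsed[0], K, parsed[1]) else b"\x01"
def ss_enc(K, M):
    return ss1_enc(K[:K_BYTES // 2], M) + _flag(K, M)
def ss_dec(K, C):       # recompute the flag so that a flipped flag byte is rejected rather than ignored
    M = ss1_dec(K[:K_BYTES // 2], C[:-1])
    return M if M is not None and _flag(K, M) == C[-1:] else None

def hybrid_attack(q, g):   # IND-CCA adversary against the MM-hybrid (instantiated HEG, SS); True iff it wins
    pk, _ = heg_keygen(q, g)
    K = ss_keygen()
    C0 = heg_enc(pk, K)            # first hybrid ciphertext: the adversary sees pk and C0 = AE_pk(K)
    M = (encode(pk, C0), encode(pk, (C0[0], xor(C0[1], b"\xff" * K_BYTES))))   # M0 = pk||C0, M1 same shape
    return all(ss_enc(K, M[b])[-1] == b for b in (0, 1))     # the challenge's flag byte equals b
```

Running hybrid_attack(*group_params()) returns True: the adversary, having seen pk and C0 = AE_pk(K) in the hybrid's first message, submits M0 = pk || C0 and an M1 of the same shape as its challenge pair, and the last byte of SE_K(M_b) is exactly b. Against SS on its own the flag is useless, because producing pk || AE_pk(K) requires K, which is why SS remains IND-CCA; the leak needs both the determinism and verifiability of the instantiated HEG and the hybrid's publication of AE_pk(K). Note also that ss_dec recomputes the flag: a version that ignored the trailing byte on decryption would let an attacker resubmit the challenge with the flag flipped and read the plaintext from the decryption oracle.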


Conclusions

• We presented a simple uninstantiable scheme for a practical goal.

• We do not suggest one abandon the RO model.

• We do suggest that designers of RO model schemes pay more attention to the question of instantiation, which is usually entirely neglected.

• Our example shows that uninstantiable schemes really come up.

Thank you!