Notions For Public Key Encryptions

Notions of Public-Key Encryptions, Xuhua Ding


Page 1: Notions For Public Key Encryptions

Notions of Public-Key Encryptions

Xuhua Ding

Page 2: Notions For Public Key Encryptions

Outline

• Introduction

• Preliminaries

• Notions For Security

• Some Well-known Examples

• Encryption in Multi-User Setting

Page 3: Notions For Public Key Encryptions

Introduction

• Goals of Public-key Encryption:
– to provide privacy or confidentiality
– no data origin authentication or data integrity
• Primary objective of attacks:
– systematically recover plaintext from ciphertext

Question: Is it adequate to model the realistic attacks?

Page 4: Notions For Public Key Encryptions

Preliminaries

• Provable Security:
– The security of scheme A is reduced to scheme B iff given an efficient algorithm to break B, one can efficiently break A.
• Some well-known intractable problems (primitives)
– Factorization
– Discrete log
– RSA problem
– Strong RSA problem
– Square root
– Computational Diffie-Hellman problem
– Decision Diffie-Hellman problem

Page 5: Notions For Public Key Encryptions

Random Oracle

• What is the Random Oracle?
– A public “black box” which, on input string x, returns a random string R(x) of some appropriate length
• What is the meaning of “secure in RO model”?
– proven security against generic attack
– heuristically, no non-generic attack against “natural” schemes.
• Limitations: heuristic proof of security
– breaking the scheme ≠ breaking the underlying intractability assumption
– breaking the scheme ≠ finding weakness in hash functions

Page 6: Notions For Public Key Encryptions

Attacker’s Algorithm:

• Two Stages (A1, A2)
– Stage I: Given the pk, seeks and outputs test instance; (may output information to A2)
– Stage II: Given a challenge ciphertext.
The purpose of each stage, and the meaning of “pass the challenge”, depend on the adversarial goal.
• Both A1 and A2 are probabilistic polynomial-time algorithms

Page 7: Notions For Public Key Encryptions

Attack Models II

• CPA: Chosen Plaintext Attack
• Plaintext Checking Attack
• Validity Checking Attack
• CCA-1: Non-adaptive Chosen Ciphertext Attack (lunch time attack)
• CCA-2: Adaptive Chosen Ciphertext Attack

CPA CCA-1 CCA-2

Page 8: Notions For Public Key Encryptions

Notions of Security

• Plaintext recovery

• Semantic Security

• Indistinguishability (by Goldwasser and Micali)

• Non-malleability (by Dolev, Dwork, and Naor)

• Plaintext Awareness (by Bellare and Rogaway)

Page 9: Notions For Public Key Encryptions

Indistinguishability

[Diagram of the game between the adversary and PKE(pk, sk); labels in order: m0, m1; b ∈R {0,1}; Challenge: C = E(m_b); Guess b?]

The adversary wins if he guesses b correctly with a probability significantly greater than 1/2

Page 10: Notions For Public Key Encryptions

Non-malleability

PKE(pk, sk)

Sampling message space M

Challenge: y = E_pk(x), x ∈R M

Outputs: relation R and a vector 𝐲. Succeeds if R(x, 𝐱) where 𝐱 = D_sk(𝐲), y ∉ 𝐲, with higher probability than R(x’, 𝐱), for random x’ from M

NOTE: M is valid if |x| = |x’| for any x, x’ that are given non-zero probability in M

Page 11: Notions For Public Key Encryptions

Plaintext Awareness in the Random Oracle Model

[Diagram: Eve queries the random oracle H and the encryption oracle Epk (labels xi, yi), then outputs y. The plaintext extractor K is given the H queries/answers, {yi}, y and pk, and outputs x. Question posed: x = Dsk^H(y)?]

Page 12: Notions For Public Key Encryptions

Six Notions of Security

Goals \ Attacks    CPA        CCA1        CCA2
IND                IND-CPA    IND-CCA1    IND-CCA2
NM                 NM-CPA     NM-CCA1     NM-CCA2

Page 13: Notions For Public Key Encryptions

Relations

[Diagram relating the notions NM-CPA, IND-CPA, NM-CCA1, IND-CCA1, NM-CCA2, IND-CCA2 and PA]

A B: proven that meeting notion A implies meeting B

A B: proven that meeting notion A implies not meeting B

NOTE: A implies B iff there is a path from A to B

Page 14: Notions For Public Key Encryptions

Exemplary Schemes I

• RSA/OAEP is IND-CCA2 in RO (RSA is NOT) under the RSA assumption

• Encryption: m ∈ {0,1}^n, r ←R {0,1}^k0, compute s = (m || 0^k1) ⊕ G(r), t = r ⊕ H(s). c = RSA-EN(m)

• Decryption: (s,t)=RSA-DE(c), r=t⊕H(s), M=s ⊕G(r). Check the format of M

• RSA can be replaced by any trapdoor permutation function
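The OAEP transform on this slide, written out as an added example (it is not code from the original slides). G and H are modelled with SHA-256 in counter mode, the byte lengths N, K0, K1 and all function names are assumptions, and the trapdoor permutation is left out so that the format check on the recovered (s, t) can be seen on its own.

```python
import hashlib
import hmac
import secrets

N, K0, K1 = 16, 16, 16        # byte lengths of m, r and the zero padding (toy sizes)

def _expand(tag, data, length):
    """SHA-256 in counter mode; stands in for the random oracles G and H."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(tag + counter.to_bytes(4, "big") + data).digest()
    return out[:length]

def G(r): return _expand(b"G", r, N + K1)
def H(s): return _expand(b"H", s, K0)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m, r=None):
    if len(m) != N:
        raise ValueError("message must be exactly N bytes")
    r = secrets.token_bytes(K0) if r is None else r
    s = xor(m + bytes(K1), G(r))          # s = (m || 0^k1) XOR G(r)
    t = xor(r, H(s))                      # t = r XOR H(s)
    return s + t                          # the (s, t) block that decryption recovers

def oaep_decode(block):
    if len(block) != N + K1 + K0:
        return None
    s, t = block[:N + K1], block[N + K1:]
    r = xor(t, H(s))                      # r = t XOR H(s)
    M = xor(s, G(r))                      # M = s XOR G(r)
    # Format check: the last K1 bytes of M must be zero (constant-time compare).
    if not hmac.compare_digest(M[N:], bytes(K1)):
        return None
    return M[:N]

def tamper(block, bit):
    """Flip one bit of an encoded block."""
    out = bytearray(block)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)
```

Any single-bit change to s or t changes r, hence G(r), so the zero padding survives only with probability 2^-128 in this toy sizing; that redundancy is what rejects modified ciphertexts.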

Page 15: Notions For Public Key Encryptions

RSA-OAEP: PKCS1v.2.1

[Figure: OAEP Encoding. Labels: Seed, DB, MGF, ⊕, maskedSeed, maskedDB, 00, EM]

Page 16: Notions For Public Key Encryptions

El Gamal Encryption

• El Gamal Encryption
– x, y = g^x mod p

– encrypt m: γ =g^k, δ =my^k , c= (γ, δ), k is a random integer

– decrypt c: m=γ^{-x}δ

• Semantic security ≡ Decision Diffie-Hellman

• Secure against chosen-plaintext attack

• Insecure against adaptive chosen-ciphertext attack
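The indistinguishability game from the earlier slide, run against ElGamal with a CCA-2 decryption oracle, shows why the last bullet holds. This is an added example, not code from the original slides; the toy group (p = 2579, q = 1289, g = 4), the messages 16 and 64, and all function and class names are assumptions made for illustration.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2*Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2579, 1289, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1              # private key x in [1, Q-1]
    return pow(G, x, P), x                        # public key y = g^x mod p

def encrypt(y, m):
    k = secrets.randbelow(Q - 1) + 1              # fresh random integer k
    return pow(G, k, P), (m * pow(y, k, P)) % P   # c = (gamma, delta)

def decrypt(x, c):
    gamma, delta = c
    return (pow(gamma, Q - x, P) * delta) % P     # m = gamma^{-x} * delta

class MalleatingAdversary:
    """Stage I picks two messages; stage II asks for a related ciphertext."""
    def choose(self, y):
        self.m0, self.m1 = 16, 64                 # two elements of the subgroup
        return self.m0, self.m1

    def guess(self, challenge, dec_oracle):
        gamma, delta = challenge
        related = (gamma, (2 * delta) % P)        # encrypts 2*m_b, differs from challenge
        return 0 if dec_oracle(related) == (2 * self.m0) % P else 1

def ind_cca2_game(adversary):
    """One run of the IND game with a CCA-2 decryption oracle. True if b is guessed."""
    y, x = keygen()
    m0, m1 = adversary.choose(y)
    b = secrets.randbelow(2)
    challenge = encrypt(y, (m0, m1)[b])

    def dec_oracle(c):
        if c == challenge:                        # the only query CCA-2 forbids
            raise ValueError("decryption of the challenge is not allowed")
        return decrypt(x, c)

    return adversary.guess(challenge, dec_oracle) == b

def win_rate(adversary, trials=200):
    return sum(ind_cca2_game(adversary) for _ in range(trials)) / trials
```

The adversary wins every run instead of half of them, because ElGamal ciphertexts can be transformed into valid ciphertexts of related plaintexts; schemes such as Cramer-Shoup add a validity check so that the related ciphertext is rejected.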

Page 17: Notions For Public Key Encryptions

Exemplary Schemes III

• Cramer-Shoup Encryption: IND-CCA2
• Key Generation
– private: x1, x2, y1, y2, z in group G with prime order q
– public: c = g1^x1·g2^x2, d = g1^y1·g2^y2, h = g1^z
• Encryption: u1 = g1^r, u2 = g2^r, e = h^r·m, w = H(u1, u2, e), v = c^r·d^(rw). Output (u1, u2, e, v)
• Decryption:
– check if u1^(x1+w·y1)·u2^(x2+w·y2) = v
– m = e/u1^z
• Assumptions: DDH and universal one-way family of hash functions

Page 18: Notions For Public Key Encryptions

Håstad Attack on RSA

[Diagram: a Sender sends the same m to three recipients with public keys (N1, 3), (N2, 3), (N3, 3)]

y1 = m^3 mod N1
y2 = m^3 mod N2
y3 = m^3 mod N3

I can compute m^3 mod N1N2N3, but m^3 < N1N2N3, so….
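The computation on this slide carried through, as an added example that is not part of the original slides: the three ciphertexts are combined with the Chinese Remainder Theorem and an integer cube root is taken. The moduli are constructed sample values built from small primes, and all function names are assumptions.

```python
# Constructed sample keys: three pairwise coprime RSA moduli (each a product of
# two small primes), all used with public exponent e = 3 as on the slide.
MODULI = [1000003 * 1000033, 1000037 * 1000039, 1000081 * 1000099]
E = 3

def textbook_encrypt(m, n):
    return pow(m, E, n)                     # y_i = m^3 mod N_i, no padding

def crt(residues, moduli):
    """Combine x = r_i mod n_i (pairwise coprime n_i) into x mod prod(n_i)."""
    x, n = 0, 1
    for r, m in zip(residues, moduli):
        t = ((r - x) * pow(n, -1, m)) % m   # choose t so that x + n*t = r mod m
        x, n = x + n * t, n * m
    return x, n

def icbrt(v):
    """Largest integer whose cube is <= v (binary search, exact on big ints)."""
    lo, hi = 0, 1 << (v.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= v:
            lo = mid
        else:
            hi = mid - 1
    return lo

def recover_broadcast(ciphertexts, moduli):
    """Return m when m^3 < prod(moduli), i.e. the CRT value is a perfect cube."""
    cube, _ = crt(ciphertexts, moduli)
    root = icbrt(cube)
    return root if root ** 3 == cube else None
```

With only two of the three ciphertexts the product N1N2 is smaller than m^3 for this sample message, so the CRT value is m^3 reduced modulo N1N2 and the cube root no longer yields m; randomized encodings such as OAEP remove the shared deterministic m^3 altogether.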

Page 19: Notions For Public Key Encryptions

IND in Multi-user Setting

[Diagram of the game between the adversary and the oracles PKE(pk, sk); labels in order: any m0, m1; same b ∈R {0,1} for all oracle queries; Challenge: C = E(m_b); Guess b?]

The adversary wins if he guesses b correctly with a probability significantly greater than 1/2

Page 20: Notions For Public Key Encryptions

General Reduction

• An encryption scheme in the multi-user setting is semantically secure as it is in the single-user setting.
• The reduction is polynomial: Adv1(t’, qe) ≤ qe·n·Advn(t), t’ = t + O(log(qe·n)), where qe is the number of allowed encryption operations, and t’ and t are the running times.

Page 21: Notions For Public Key Encryptions

Immediate Impact on Practice

• Generally, security degrades linearly as new users join and as the users encrypt more data.

• For ElGamal, the bound is 2Advddh

• For Cramer-Shoup, the bound is 2(Advddh++AdvH)