Post on 21-Dec-2015
Anonymity and Robustness in Encryption Schemes
Payman Mohassel
University of Calgary

Public Key Encryption (PKE)
$(pk, sk) \leftarrow \mathrm{KG}$
pk
C = Enc(pk,m)
m = Dec(sk,C)
PKE = (KG, Enc, Dec)

Traditional Security Notions (Data Secrecy)
• Semantic security
– No function of the message is leaked
– Equivalent to indistinguishability
• Non-malleability
– Hard to create ciphertext for related messages
• Chosen plaintext attacks (CPA)
• Chosen ciphertext attacks (CCA)

Mobile Communication
[Diagram: Mobile User and Base Station run a key exchange; labels: pk, Enc(pk, message)]
Eavesdropper wants to learn identity of mobile user

Secure Auction [Sako’00]
• First practical auction to hide bid values
• Keys correspond to bid values
• A known message is encrypted using the key
• Hiding a bid value requires hiding the key

[Diagram labels: (pk, sk); c = Enc(pk, m); c (repeated); Dec(sk’, c) = ]

Other Guarantees
• Does the ciphertext hide the key?
– Anonymity
• What happens when decrypting using a different key?
– Robustness
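
ANON-CCA
Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$
• Challenger → Adversary: $pk_0, pk_1$
• Adversary → Challenger: decryption queries $(c_1, b_1), \ldots, (c_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_1}, c_1), \ldots, \mathrm{Dec}(sk_{b_i}, c_i)$
• Adversary → Challenger: $m$
• Challenger → Adversary: $C = \mathrm{Enc}(pk_b, m)$
• Adversary → Challenger: decryption queries $(c_{i+1}, b_{i+1}), \ldots, (c_q, b_q)$, answered with $\mathrm{Dec}(sk_{b_{i+1}}, c_{i+1}), \ldots, \mathrm{Dec}(sk_{b_q}, c_q)$
• Adversary → Challenger: $b'$
$\mathrm{Adv}^{\text{anon-cca}}_{PKE}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible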

Weak Robustness (WROB-CCA)
Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$
• Challenger → Adversary: $pk_0, pk_1$
• Adversary → Challenger: decryption queries $(c_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_i}, c_i)$
• Adversary → Challenger: $M$
Adv wins if $\mathrm{Dec}(sk_1, C) \neq \bot$, where $C = \mathrm{Enc}(pk_0, M)$

Strong Robustness (SROB-CCA)
Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$
• Challenger → Adversary: $pk_0, pk_1$
• Adversary → Challenger: decryption queries $(c_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_i}, c_i)$
• Adversary → Challenger: $C$
Adv wins if $\mathrm{Dec}(sk_0, C) \neq \bot$ and $\mathrm{Dec}(sk_1, C) \neq \bot$

What is Known?
• Anonymity
– Not always satisfied
– $y = x^e \bmod N$ for random $x$
– $pk_0 = (N_0, e_0)$, $pk_1 = (N_1, e_1)$, $N_1 > N_0$
– If $y > N_0$ return $pk_1$ else return $pk_0$
• Robustness
– ElGamal is not robust
– $[pk_0 = (G, p, g, g^x),\ sk_0 = x]$, $[pk_1 = (G, p, g, g^y),\ sk_1 = y]$
– $\mathrm{Enc}(pk_0, m) = (c_1, c_2) = (g^r, m g^{xr})$
– $m' = \mathrm{Dec}(sk_1, (c_1, c_2)) = c_2 / c_1^y = m g^{(x-y)r}$
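
Both observations on this slide can be checked numerically. The following Python is an added example, not code from the talk or the paper; the moduli, the exponent, the group parameters and all function names are constructed toy values chosen only so the script runs quickly.

```python
import secrets

# RSA: the size of y leaks which key was used (constructed toy moduli, N1 > N0).
N0, N1, E = 101 * 103, 137 * 139, 7   # E is coprime to p-1 and q-1 for both moduli

def rsa_guess(y):
    # Distinguisher from the slide: answer 1 (pk1) if y > N0, else 0 (pk0).
    return 1 if y > N0 else 0

def rsa_success_rates():
    # x -> x^E mod N is a permutation, so enumerating x covers every y exactly once.
    hit0 = sum(rsa_guess(pow(x, E, N0)) == 0 for x in range(N0)) / N0
    hit1 = sum(rsa_guess(pow(x, E, N1)) == 1 for x in range(N1)) / N1
    return hit0, hit1

# ElGamal: decrypting under the wrong key yields a group element, never ⊥.
P, G = 2**127 - 1, 3                   # toy shared group parameters (assumption)

def eg_kg():
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x

def eg_enc(pk, m, r):
    return pow(G, r, P), m * pow(pk, r, P) % P       # (g^r, m * g^{xr})

def eg_dec(sk, c):
    c1, c2 = c
    return c2 * pow(c1, P - 1 - sk, P) % P           # c2 / c1^sk

def wrong_key_output(m):
    # Encrypt under pk0, decrypt under sk1, and compute the slide's prediction.
    (pk0, x), (_, y) = eg_kg(), eg_kg()
    r = secrets.randbelow(P - 2) + 1
    got = eg_dec(y, eg_enc(pk0, m, r))
    predicted = m * pow(G, (x - y) * r % (P - 1), P) % P   # m * g^{(x-y)r}
    return got, predicted
```

With these moduli the guess is always right for $pk_0$ and right with probability 8639/19043 (about 0.45) for $pk_1$, an advantage of roughly 0.23 over guessing.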

What is Known?
• Anonymous PKE and IBE
– [Bellare et al. 2001], [Abdalla et al. 2008]
– PKE: DHIES, [Cramer-Shoup’01]
– IBE: [Boneh-Franklin’01], [Boyen-Waters’06]
• Robust PKE and IBE
– [Abdalla et al. 2010]
  • Strongly robust IBE: [Boneh-Franklin’01]
  • Weakly robust PKE: DHIES, [Cramer-Shoup’01]
  • Not robust: [Boyen-Waters’06]

Our Contribution
• Studying anonymity of hybrid encryption
– Positive and negative results
• More efficient transformations for robust encryption schemes
– Please see the paper

Question: Given an “anonymous PKE/IBE” and an “anonymous SKE”, is the hybrid encryption scheme also anonymous?

Anonymity of Hybrid Encryption
• ANON-CPA PKE/IBE + IND-CPA SKE
– The hybrid encryption is ANON-CPA
• [negative] ANON-CCA PKE/IBE + IND-CCA SKE
– The hybrid encryption is NOT always ANON-CCA
– True if SKE is ANON-CCA or more
• [positive] (WROB + ANON)-CCA PKE/IBE + AE SKE
– The hybrid encryption is ANON-CCA
– More evidence that “anonymity” and “robustness” are needed simultaneously

Counter Example (PKE)
• Start with (WROB + ANON)-CCA $PKE_1$
– $PKE_1 = (\mathrm{KG}_1, \mathrm{Enc}_1, \mathrm{Dec}_1)$
• Build $PKE_2 = (\mathrm{KG}_2, \mathrm{Enc}_2, \mathrm{Dec}_2)$
– $\mathrm{Dec}_2$
  • Run $\mathrm{Dec}_1$; if it returns $\bot$, return $0^n$
  • Else return what $\mathrm{Dec}_1$ outputs
• $PKE_2$ is still ANON-CCA

Counter Example (SKE)
• We use a key-binding IND-CCA SKE
• Key-binding SKE = (K, SE, SD)
– For any $k \in K$, randomness $r$, and message $m$
– There is no $k' \neq k$ where $\mathrm{SD}_{k'}(\mathrm{SE}_k(m, r)) \neq \bot$
• $PKE_2$ + key-binding SKE
– Not ANON-CCA

Counter Example
Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$
• Challenger → Adversary: $pk_0, pk_1$
• Adversary → Challenger: $m$
• Challenger → Adversary: $(c_1, c_2) = (\mathrm{Enc}_2(pk_b, k), \mathrm{SE}(k, m))$
• Adversary → Challenger: decryption query under $pk_0$ for $(c_1, \mathrm{SE}(0^n, m'))$
• If the answer is $\bot$ let $b' = 0$, else $b' = 1$
• Adversary → Challenger: $b'$
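
The counter example from the last three slides, run end to end as an added example (not code from the talk or the paper). Assumptions: the toy group, a hashed ElGamal with a tag bound to the public key standing in for the weakly robust $PKE_1$, an encrypt-then-MAC scheme standing in for the key-binding SKE, and every function name are constructed here; `None` plays the role of ⊥.

```python
import hashlib, hmac, secrets
# Toy parameters, constructed for illustration only; ZERO is the all-zero key 0^n.
P, G, ZERO = 2**127 - 1, 3, bytes(16)

def H(*parts):  # hash over byte strings and group elements (ints)
    enc = [p if isinstance(p, bytes) else p.to_bytes(16, "big") for p in parts]
    return hashlib.sha256(b"|".join(enc)).digest()
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def kg():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def enc1(pk, k):
    # Hashed ElGamal with a tag bound to pk: stand-in for a weakly robust PKE1.
    r = secrets.randbelow(P - 2) + 1
    s = pow(pk, r, P)
    return pow(G, r, P), xor(k, H(b"pad", s)), H(b"tag", s, pk)
def dec1(sk, c):
    u, body, tag = c
    s = pow(u, sk, P)
    ok = hmac.compare_digest(tag, H(b"tag", s, pow(G, sk, P)))
    return xor(body, H(b"pad", s)) if ok else None  # None plays the role of ⊥

def dec2(sk, c):
    # PKE2 from the slide: same as PKE1, except ⊥ (None) is replaced by 0^n.
    return dec1(sk, c) or ZERO

def se(k, m):
    # Encrypt-then-MAC for messages up to 32 bytes; a wrong key fails the MAC.
    n = secrets.token_bytes(16)
    body = xor(m, H(b"stream", k, n))
    return n, body, hmac.new(k, n + body, "sha256").digest()
def sd(k, c):
    n, body, tag = c
    ok = hmac.compare_digest(tag, hmac.new(k, n + body, "sha256").digest())
    return xor(body, H(b"stream", k, n)) if ok else None

def hybrid_enc(pk, m):
    k = secrets.token_bytes(16)
    return enc1(pk, k), se(k, m)
def hybrid_dec(sk, c):
    return sd(dec2(sk, c[0]), c[1])

def distinguish(challenge, dec_under_pk0):
    # One decryption query on (c1*, SE(0^n, m')): ⊥ means b = 0, otherwise b = 1.
    probe = (challenge[0], se(ZERO, b"probe"))
    return 0 if dec_under_pk0(probe) is None else 1
```

The probe differs from the challenge in its second component, so it is a legal decryption query, and its answer reveals whether $c_1$ was produced under $pk_0$.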

Counter Example
• Requiring stronger security notions for SKE does NOT help
– If it can be combined with key-binding
• What about stronger notions for the PKE?

Positive Result
Claim: If PKE is (ANON + WROB + IND)-CCA and SKE is a (one-time) authenticated encryption, the hybrid construction is (ANON + IND)-CCA
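
Game 0
Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$
• Challenger → Adversary: $pk_0, pk_1$
• Adversary → Challenger: decryption queries $(C_1, b_1), \ldots, (C_i, b_i)$, answered with $\mathrm{Dec}(sk_{b_1}, C_1), \ldots, \mathrm{Dec}(sk_{b_i}, C_i)$
• Adversary → Challenger: $m$
• Challenger → Adversary: $c_1^* = \mathrm{Enc}(pk_b, k^*)$, $c_2^* = \mathrm{SE}(k^*, m)$
• Adversary → Challenger: decryption queries $(C_{i+1}, b_{i+1}), \ldots, (C_q, b_q)$, answered with $\mathrm{Dec}(sk_{b_{i+1}}, C_{i+1}), \ldots, \mathrm{Dec}(sk_{b_q}, C_q)$
• Adversary → Challenger: $b'$
$\mathrm{Adv}^{\text{anon-cca}}_{PKE}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible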

Game 1
Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$
• Challenger → Adversary: $pk_0, pk_1$
• Adversary → Challenger: $m$
• Challenger → Adversary: $c_1^* = \mathrm{Enc}(pk_b, k^*)$, $c_2^* = \mathrm{SE}(k^*, m)$
• Decryption query $((c_1^*, c_2), b)$ with $c_2 \neq c_2^*$: answered with $\mathrm{SD}(k^*, c_2)$
• Adversary → Challenger: $b'$
Difference in games: decryption error

Game 2
Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$
• Challenger → Adversary: $pk_0, pk_1$
• Adversary → Challenger: $m$
• Challenger → Adversary: $c_1^* = \mathrm{Enc}(pk_b, k^*)$, $c_2^* = \mathrm{SE}(k^*, m)$
• Decryption query $((c_1^*, c_2), 1-b)$ with $c_2 \neq c_2^*$
• Adversary → Challenger: $b'$
Difference in games: weak robustness of the PKE, only if $c_1^*$ decrypts under $pk_b$ and $pk_{1-b}$

Game 3
Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$
• Challenger → Adversary: $pk_0, pk_1$
• Adversary → Challenger: $m$
• Challenger → Adversary: $c_1^* = \mathrm{Enc}(pk_b, k^*)$, $c_2^* = \mathrm{SE}(k', m)$
• Adversary → Challenger: $b'$
Difference in games: IND-CCA security of the PKE

Game 4
Challenger: $(pk_0, sk_0) \leftarrow \mathrm{KG}(1^n)$, $(pk_1, sk_1) \leftarrow \mathrm{KG}(1^n)$, $b \leftarrow \{0,1\}$
• Challenger → Adversary: $pk_0, pk_1$
• Adversary → Challenger: $m$
• Challenger → Adversary: $c_1^* = \mathrm{Enc}(pk_b, k^*)$, $c_2^* = \mathrm{SE}(k', m)$
• Decryption query $((c_1^*, c_2), \{b \text{ or } 1-b\})$ with $c_2 \neq c_2^*$
• Adversary → Challenger: $b'$
Difference in games: CTXT integrity of the SKE, only if a valid ciphertext under $k'$ is generated

Putting Things Together
• $\mathrm{Adv}^{\text{anon-cca}}(\text{hybrid}) < \mathrm{Adv}^{\text{wrob-cca}}(PKE) + \mathrm{Adv}^{\text{ind-cca}}(PKE) + \mathrm{Adv}^{\text{ctxt-int}}(SKE) + \mathrm{Adv}^{\text{anon-cca}}(PKE)$
• Boneh-Franklin, Cramer-Shoup, DHIES are WROB-CCA
• Boyen-Waters IBE is not

Summary
• ANON-CCA PKE + (…) SKE ⇏ ANON-CCA hybrid
• (WROB + ANON)-CCA PKE + AE SKE ⇒ ANON-CCA hybrid
• Is weak-robustness a necessary condition?
• Is Boyen-Waters (in)secure when used in a hybrid construction?

Thank you

Results on Robustness
• [Abdalla et al.’10]
– Transforming ANON-CCA schemes to robust ones
• We design more efficient transformations
– Refer to the paper

Identity-based encryption (IBE)
[Diagram labels: id; PKG; (sk, pk)]
$C = \mathrm{Enc}_{pk}(m)$
$m = \mathrm{Dec}_{sk}(C)$
IBE = (MKG, Enc, Dec)
$(par, msk) \leftarrow \mathrm{MKG}$

IND-CCA
Challenger: $(pk, sk) \leftarrow \mathrm{KG}(1^n)$; $b \leftarrow \{0,1\}$
• Adversary → Challenger: decryption queries $c_1, \ldots, c_i$, answered with $\mathrm{Dec}_{sk}(c_1), \ldots, \mathrm{Dec}_{sk}(c_i)$
• Adversary → Challenger: $m_0, m_1$
• Challenger → Adversary: $C = \mathrm{Enc}_{pk}(m_b)$
• Adversary → Challenger: decryption queries $c_{i+1}, \ldots, c_q$, answered with $\mathrm{Dec}_{sk}(c_{i+1}), \ldots, \mathrm{Dec}_{sk}(c_q)$
• Adversary → Challenger: $b'$
$\mathrm{Adv}^{\text{ind-cca}}_{PKE}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible