
Page 1

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem

Mihir Bellare, Alexandra Boldyreva, Adriana Palacio

University of California at San Diego

Page 2

The Random-Oracle (RO) model [BR93]

• Algorithms of the scheme, as well as the adversary, have oracle access to random functions.

• Very popular: there are numerous schemes designed and proven secure in this model.

[Figure: AE_pk(M) querying the random oracles H and G during encryption: h = H(a), g = G(b).]

Page 3

Moving to the real world

However, the RO model is an idealized setting. To get a real-world scheme we must instantiate the ROs with real functions.

Page 4

Instantiation of this scheme via SHA1

[Figure: the same AE_pk(M), now computing h = SHA1(a) and g = SHA1(b) in place of the oracle queries.]

Page 5

Instantiation: more generally

Let F1, F2 be poly-time computable families of functions.

[Figure: AE_{pk,L1,L2}(M) computing h = F1_{L1}(a) and g = F2_{L2}(b) in place of the oracle queries; the indices L1, L2 become part of the public key.]

Page 6

Security of instantiated schemes

RO model thesis: If a scheme is proven secure in the RO model, then it remains secure under a suitable instantiation.

Question: Is this true?

Answer: No. Past work has shown the existence of uninstantiable schemes.

Page 7

Uninstantiable schemes

Definition. A scheme is uninstantiable (with respect to some cryptographic goal) if

1. The scheme satisfies the goal in the RO model

2. No instantiation satisfies the goal in the standard model

Page 8

Examples of uninstantiable schemes

Who / Goals:

Canetti, Goldreich, Halevi: IND-CPA encryption, UF-CMA signatures

Nielsen: Non-interactive, non-committing encryption

Goldwasser, Tauman: Signatures via Fiat-Shamir heuristic

Page 9

Examples of uninstantiable schemes

Who / Goals / Schemes:

Canetti, Goldreich, Halevi: IND-CPA encryption, UF-CMA signatures (practical goals); schemes complex, artificial

Nielsen: Non-interactive, non-committing encryption (not very practical goal); scheme simple, natural

Goldwasser, Tauman: Signatures via Fiat-Shamir heuristic (practical goal); schemes complex, artificial

Page 10

Reaction

[Cartoon conference attendee:] OK, but “in practice”, the RO model thesis is true.

Practical RO model thesis: The RO model thesis holds for “natural, practical” schemes for “practical” goals.

Page 11

Our work

We present a RO model scheme that

• is simple and natural, and resembles existing RO model schemes.

• is for a practical security goal.

• but is uninstantiable.

Page 12

Caveats and impact

• Our result does have artificial aspects as we will see, and should not be taken to indicate that the practical RO model thesis is false.

• But it shows that uninstantiable schemes arise in more practical situations than indicated by previous work.

Page 13

Plan

• The goal

• The scheme

• The positive result

• The negative result

• Conclusions


Page 15

Classical view of asymmetric encryption usage

[Figure: the sender encrypts M under receiver R's public key, C = AE_pkR(M); R decrypts with skR to recover M. Asymmetric scheme AS = (AK,AE,AD).]

Page 16

In practice: hybrid approach

[Figure: the sender picks a symmetric key K ← SK, sends C0 = AE_pkR(K), then sends Ci = SE_K(Mi) for each message M1, …, Mn; receiver R recovers K from C0 with skR and decrypts each Ci. Asymmetric scheme AS = (AK,AE,AD), symmetric scheme SS = (SK,SE,SD).]

AS + SS = Multi-Message (MM) Hybrid (AS,SS)

Page 17

Goal: IND-CCA-secure MM-Hybrid Encryption

We can define, in a natural way, IND-CCA security for an MM-hybrid scheme (AS,SS). Certainly, a necessary condition for IND-CCA security of an MM-hybrid (AS,SS) is IND-CCA security of SS. But what do we need from the asymmetric encryption scheme AS?

Page 18

Easy theorem:

IND-CCA AS + any IND-CCA SS = IND-CCA MM-hybrid (AS,SS)

However, the above could be true even if AS satisfies a weaker condition than IND-CCA.

Page 19

IND-CCA-preserving asymmetric schemes

What emerges: A new notion of security for asymmetric encryption schemes.

Definition: An asymmetric encryption scheme AS is IND-CCA-preserving if

AS + any IND-CCA SS = IND-CCA MM-hybrid (AS,SS)

Page 20

Why IND-CCA-preserving schemes?

For asymmetric schemes, IND-CCA is the stronger notion and IND-CCA-preserving the weaker notion.

In particular, an IND-CCA-preserving scheme need not even be randomized, since it is used to encrypt random keys.

The hope: IND-CCA-preserving schemes more efficient than existing IND-CCA ones.

The benefit: Security of encryption in practice at lower cost.

Page 21

Summary

Our goal: IND-CCA preserving asymmetric encryption


Page 23

Hash ElGamal RO model asymmetric encryption scheme HEG = (AK,AE,AD)

pk = (k,q,g,X=g^x), sk = (k,q,g,x), where q and 2q+1 are primes and g has order q in Z*_{2q+1}.

Random oracles: H: {0,1}^k → Z_q and G: Z*_{2q+1} → {0,1}^k.

AE^{H,G}_{k,q,g,X}(K): r ← H(K); P ← G(X^r); Return (g^r, P ⊕ K)

AD^{H,G}_{k,q,g,x}(Y,W): K ← G(Y^x) ⊕ W; If g^{H(K)} = Y then Return K else Reject

Note. HEG is deterministic and thus not even IND-CPA!


Page 25

Security of Hash ElGamal

Theorem 1. Under the Computational Diffie-Hellman assumption (CDH), HEG is IND-CCA-preserving in the RO model.

HEG + any IND-CCA SS = IND-CCA MM-hybrid (HEG,SS)

Page 26

HEG is similar to existing schemes GEM, GEM1, GEM2, FO, REACT…

Something almost identical (but randomized) appeared in [BaLeKi00].


Page 28

Now, the interesting stuff

Theorem 2. No instantiation of HEG is IND-CCA-preserving in the standard model.

[Cartoon conference attendee:] I.e. it is IND-CCA preserving in the RO model, but no standard model implementation of it is IND-CCA preserving?

Right! More precisely…

Page 29

Security of HEG instantiations

Let F1, F2 be poly-time computable families of functions. The instantiated scheme has public key (k,q,g,X,L1,L2) and encrypts as

AE_{k,q,g,X,L1,L2}(K): r ← F1_{L1}(K); P ← F2_{L2}(X^r); Return (g^r, P ⊕ K)

Theorem 2. For any F1, F2 the above standard model asymmetric encryption scheme is not IND-CCA preserving.

Page 30

A caveat

• Proof of Theorem 2 shows that for every F1, F2 (poly-time families of functions) THERE EXISTS SS such that (HEG,SS) is not an IND-CCA secure MM-hybrid.

• But SS is an artificial scheme, depending on F1, F2.

• Theorem 2 does not imply that e.g. (HEG,CBC-type SS) is insecure.

• So although HEG is simple and natural, there is some artificiality under the rug.

Page 31

However, we still believe the result is valuable because we have

• A practical goal: IND-CCA preserving encryption

• A simple, natural scheme resembling existing RO schemes: HEG.

• Yet HEG is uninstantiable: its real-world implementation loses the security property.

• And HEG is innocuous looking; one would not suspect any anomalies in advance.

Page 32

About the proof of Theorem 2

Let HEG-bar be ANY instantiation of HEG via poly-time computable families of functions.

We present a symmetric encryption scheme SS=(SK,SE,SD), such that

1. SS is IND-CCA secure

2. (HEG-bar,SS) is not IND-CCA secure

Page 33

Key and ciphertext verifiability

• Def. An asymmetric encryption scheme is key-verifiable if there is a poly-time algorithm KV such that KV(pk) returns 1 if pk is a valid public key and 0 otherwise.

• Def. An asymmetric encryption scheme is ciphertext-verifiable if there is a poly-time algorithm CV such that CV(pk,M,C) returns 1 if C is a valid encryption of M under pk and 0 otherwise.

• Claim. Any instantiation HEG-bar of HEG is key- and ciphertext-verifiable.

Page 34

SS construction for Proof of Theorem 2

Let SS’=(SK’,SE’,SD’) be any IND-CCA symmetric scheme.

SK(1^k): K1 ← SK’(1^{k/2}); K2 ← {0,1}^{k/2}; Return K1||K2

SE_{K1||K2}(M): C’ ← SE’_{K2}(M); Parse M as M1||M2; If M1 is a valid pk for HEG-bar and M2 is a valid HEG-bar ciphertext of K1||K2 under pk = M1 then Return C’||0 else Return C’||1

These two checks are sound (poly-time) operations since HEG-bar is key- and ciphertext-verifiable.

Page 35

• We show that SS is IND-CCA.

• In order to show that (HEG,SS) is not IND-CCA we use the fact that HEG is key- and ciphertext-verifiable. The details are in the paper.

• In general: no key- and ciphertext-verifiable scheme is IND-CCA preserving.
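Added example (constructed for this transcript, not code from the paper or the talk): a toy Python instantiation of HEG with SHA-256 standing in for H and G (the way Page 4 uses SHA1), the KV and CV checks from Page 33, and the SS of Page 34 run inside a two-message MM-hybrid. The parameter sizes, the SHA-256 choice, the toy stream cipher used for SE', and the encoding of M as a pair (M1, M2) are all assumptions of this example.

```python
# Added example (not the paper's code): toy HEG instantiation, KV/CV, and the SS construction of Page 34.
import hashlib, os

K_BITS = 16                          # key length k; toy value, real schemes use >= 128 bits
Q, P, GEN = 1019, 2039, 4            # q = 1019 and 2q+1 = 2039 are prime; 4 = 2^2 is a square mod 2039, so it has order q

def H(K):                            # stands in for H / F1_{L1}: {0,1}^k -> Z_q (constructed choice)
    return int.from_bytes(hashlib.sha256(b"H" + K).digest(), "big") % Q
def G(Z):                            # stands in for G / F2_{L2}: Z*_{2q+1} -> {0,1}^k (constructed choice)
    return hashlib.sha256(b"G" + Z.to_bytes(2, "big")).digest()[:K_BITS // 8]
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def is_prime(n): return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def heg_keygen(x=None):              # AK: pk = (k,q,g,X=g^x), sk = x
    x = x if x is not None else int.from_bytes(os.urandom(4), "big") % Q
    return (K_BITS, Q, GEN, pow(GEN, x, P)), x
def heg_enc(pk, K):                  # AE: deterministic, the "randomness" r is derived from K itself
    _, _, g, X = pk; r = H(K)
    return pow(g, r, P), xor(G(pow(X, r, P)), K)     # (Y, W) = (g^r, G(X^r) xor K)
def heg_dec(x, C):                   # AD: recover K, then reject unless g^H(K) = Y
    Y, W = C; K = xor(G(pow(Y, x, P)), W)
    return K if pow(GEN, H(K), P) == Y else None

def KV(pk):                          # key verifiability: all of pk can be checked in poly time
    if not (isinstance(pk, tuple) and len(pk) == 4): return False
    k, q, g, X = pk                  # q, g are fixed system parameters in this toy, so compare to them
    return (k, q, g) == (K_BITS, Q, GEN) and is_prime(q) and is_prime(2*q+1) \
        and pow(g, q, 2*q+1) == 1 and 0 < X < 2*q+1 and pow(X, q, 2*q+1) == 1
def CV(pk, M, C):                    # ciphertext verifiability: re-encrypt and compare (AE is deterministic)
    return KV(pk) and heg_enc(pk, M) == C

def SE_prime(K2, M):                 # stand-in for SE' of any IND-CCA SS' (toy stream cipher, constructed)
    n, data = os.urandom(8), repr(M).encode()
    ks = b"".join(hashlib.sha256(K2 + n + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return n + xor(ks, data)
def SK():                            # SK(1^k): K1 <- SK'(1^{k/2}), K2 <- {0,1}^{k/2}; both random bytes here
    return os.urandom(K_BITS // 16) + os.urandom(K_BITS // 16)
def SE(key, M):                      # SE_{K1||K2}(M) as on Page 34; M is the pair (M1, M2)
    K2 = key[K_BITS // 16:]
    C_prime = SE_prime(K2, M)
    M1, M2 = M                       # "Parse M as M1||M2"
    bit = 0 if CV(M1, key, M2) else 1   # 0 iff M1 is a valid pk and M2 encrypts this very key under it
    return C_prime, bit

def mm_hybrid_bits(pk):
    # MM-hybrid (HEG-bar, SS): the sender sends C0 = AE_pk(K) and then SE_K(Mi) for its messages.
    # Encrypting the message (pk, C0) under K yields trailing bit 0; an unrelated message yields 1.
    K = SK(); C0 = heg_enc(pk, K)
    return SE(K, (pk, C0))[1], SE(K, (pk, None))[1]
```

The trailing bit is exactly the information an MM-hybrid is supposed to hide: which message was encrypted depends only on whether it carries the receiver's pk together with the C0 already on the wire.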


Page 37

Conclusions

• We presented a simple uninstantiable scheme for a practical goal.

• We do not suggest one abandon the RO model.

• We do suggest that designers of RO model schemes pay more attention to the question of instantiation, which is usually entirely neglected.

• Our example shows that uninstantiable schemes really come up.

Page 38

Thank you!