An Uninstantiable RandomOracleModel Scheme for a HybridEncryption Problem - PowerPoint PPT Presentation

Title: An Uninstantiable RandomOracleModel Scheme for a HybridEncryption Problem


1
An Uninstantiable Random-Oracle-Model Scheme
for a Hybrid-Encryption
Problem
Mihir Bellare ? Alexandra Boldyreva ?
Adriana Palacio University of California at San
Diego
2
The Random-Oracle (RO) model BR93
(M)
..
a
H
hH(a)
..
b
A
G
gG(b)
..

• Algorithms of the scheme, as well as the
  adversary have oracle access to random functions.
• Very popular there are numerous schemes designed
  and proven secure in this model.

3
Moving to the real world
However, the RO model is an idealized setting.
To get a real-world scheme we must instantiate
the ROs with real functions.
4
Instantiation of this scheme via SHA1
(M)
..
hSHA1(a)
..
gSHA1(b)
..
5
Instantiation more generally
Let F1, F2 be poly-time computable families of
functions
(M)
..
h F1L1(a)
..
g F2L2(b)
..
6
Security of instantiated schemes
RO model thesis If a scheme is proven secure in
the RO model, then it remains secure under a
suitable instantiation. Question Is this
true? Answer No. Past work has shown the
existence of uninstantiable schemes.
7
Uninstantiable schemes
Definition. A scheme is uninstantiable (with
respect to some cryptographic goal) if

• The scheme satisfies the goal in the RO model
• No instantiation satisfies the goal in the
  standard model

8
Examples of uninstantiable schemes
9
Examples of uninstantiable schemes
_

_

_

10
Reaction
OK, but in practice, the RO model thesis is true
Practical RO model thesis The RO model thesis
holds for natural, practical schemes for
practical goals.
11
Our work
We present a RO model scheme that

• is simple and natural, and resembles existing RO
  model schemes.
• is for a practical security goal.
• but is uninstantiable.

12
Caveats and impact

• Our result does have artificial aspects as we
  will see, and should not be taken to indicate
  that the practical RO model thesis is false.
• But it shows that uninstantiable schemes arise in
  more practical situations than indicated by
  previous work.

13
Plan

• The goal
• The scheme
• The positive result
• The negative result
• Conclusions

14
Plan

• The goal
• The scheme
• The positive result
• The negative result
• Conclusions

15
Classical view of asymmetric encryption usage
AS (AK,AE,AD)
M
skR
Sender
Receiver R
16
In practice hybrid approach
skR
Sender
Receiver R
17
Goal IND-CCA-secure MM-Hybrid Encryption

• We can define, in a natural way, IND-CCA security
  for an MM-hybrid scheme (AS,SS).
• Certainly, a necessary condition for IND-CCA
  security of an MM-hybrid (AS,SS) is IND-CCA
  security of SS.
• But what do we need from the asymmetric
  encryption scheme AS?

18
Easy theorem However, the above could be
true even if AS satisfies a weaker condition than
IND-CCA.


19
IND-CCA-preserving asymmetric schemes

• What emerges A new notion of security for
  asymmetric encryption schemes.
• Definition An asymmetric encryption scheme AS is
  IND-CCA-preserving if

Any IND-CCA SS

IND-CCA MM-hybrid (AS,SS)
AS
20
Why IND-CCA-preserving schemes?
For asymmetric schemes
IND-CCA
IND-CCA-preserving
In particular, an IND-CCA preserving scheme need
not even be randomized, since it is used to
encrypt random keys. The hope IND-CCA-preserving
schemes more efficient than existing IND-CCA
ones. The benefit Security of encryption in
practice at lower cost.
21
Summary

• Our goal IND-CCA preserving asymmetric encryption

22
Plan

• The goal
• The scheme
• The positive result
• The negative result
• Conclusions

23
Hash ElGamal RO model asymmetric encryption
scheme HEG (AK,AE,AD)
pk (k,q,g,Xgx), sk (k,q,g,x),

where q, 2q1 are primes and g has order q in
?2q1
(Y,W)
(K)
K?G(Yx)?W If gH(K)Y then Return K else
Reject
r?H(K)
P?G(Xr)
Return (gr,P?K)
Note. HEG is deterministic and thus not even
IND-CPA!
24
Plan

• The goal
• The scheme
• The positive result
• The negative result
• Conclusions

25
Security of Hash ElGamal
Theorem 1. Under the Computational Diffie-Hellman
assumption (CDH) HEG is IND-CCA-preserving in the
RO model.

IND-CCA MM-hybrid (HEG,SS)
Any IND-CCA SS

HEG
26
HEG is similar to existing schemes GEM, GEM1,
GEM2, FO, REACT
Something almost identical (but randomized)
appeared in BaLeKi00.
27
Plan

• The goal
• The scheme
• The positive result
• The negative result
• Conclusions

28
Now, the interesting stuff

• Theorem 2 . No instantiation of HEG is
  IND-CCA-preserving in the standard model.

I.e. it is IND-CCA preserving in the RO model,
but no standard model implementation of it is
IND-CCA preserving?
Right! More precisely
29
Security of HEG instantiations
Let F1, F2 be poly-time computable families of
functions
(K)
r?F1L1(K)
P?F2L2(Xr)
Return (gr,P?K)

• Theorem 2. For any F1, F2 the above standard
  model asymmetric encryption scheme is not IND-CCA
  preserving.

30
A caveat

• Proof of Theorem 2 shows that for every F1, F2
  (poly-time families of functions) THERE EXISTS SS
  such that (HEG,SS) is not an IND-CCA secure
  MM-hybrid.
• But SS is an artificial scheme, depending on
  F1, F2.
• Theorem 2 does not imply that e.g. (HEG,CBC-type
  SS) is insecure.
• So although HEG is simple and natural, there is
  some artificiality under the rug.

31
However, we still believe the result is valuable
because we have

• A practical goal IND-CCA preserving encryption
• A simple, natural scheme resembling existing RO
  schemes HEG.
• Yet HEG is uninstantiable its real-world
  implementation loses the security property.
• And HEG is innocuous looking one would not
  suspect any anomalies in advance.

32
About the proof of Theorem 2

• Let HEG be ANY instantiation of HEG via poly-time
  computable families of functions.

• We present a symmetric encryption scheme
  SS(SK,SE,SD), such that
• SS is IND-CCA secure
• (HEG,SS) is not IND-CCA secure

33
Key and ciphertext verifiability

• Def. An asymmetric encryption scheme is
  key-verifiable if there is a poly-time algorithm
  KV

1, if pk is a valid public key 0, otherwise
pk
KV
34
SS construction for Proof of Theorem 2
Let SS(SK,SE,SD) be any IND-CCA symmetric
scheme.
SEK1K2(M)
SK(1k)
K1 ? SK(1k/2) K2 ?0,1k/2 Return K1K2
C ? SEK2(M) Parse M as M1M2 If M1 is a valid
pk for HEG and if M2 is a valid HEG ciphertext of
K1K2 under pk Then Return C0 else Return
C1
35

• We show that SS is IND-CCA.
• In order to show that (HEG,SS) is not IND-CCA we
  use the fact that HEG is key- and
  ciphertext-verifiable. The details are in the
  paper.
• In general no key- and ciphertext-verifiable
  scheme is IND-CCA preserving.

36
Plan

• The goal
• The scheme
• The positive result
• The negative result
• Conclusions

37
Conclusions

• We presented a simple uninstantiable scheme for a
  practical goal
• We do not suggest one abandon the RO model.
• We do suggest that designers of RO model schemes
  pay more attention to the question of
  instantiation, which is usually entirely
  neglected.
• Our examples shows that uninstantiable schemes
  really come up.

38

• Thank you!