Security proofs for practical encryption schemes

1
Security proofs for practical encryption schemes

• Yiannis Tsiounis, GTE Labs
• Moti Yung, CertCo LLC

2
Secure encryption

• Semantic Security GM84, Gol89
• Hide all partial information
• Immune against a-priori knowledge

3
Semantic security (cont.)
(Indistinguishability of encryptions)
4
Beyond semantic security

• Chosen ciphertext security NY90
• Lunch-time attack NY90
• Rackoff-Simon attack (adaptive) RS91
• Non-malleability DDN91
• Infeasible to create a related ciphertext
• Message sender cannot be altered by
  man-in-the-middle

5
(Random oracles)

• A necessary evil simplification
• Collision-free Information hiding

Random oracle
Q
A
i
i
Requires tamper-proof devices, or exponential
memory
6
The big picture
EG
EGROA
7
Contributions (cont.)

• Semantic security
• Directly from decision Diffie-Hellman
• Retaining homomorphic properties
• Exact analysis of efficiency of the reduction
• Non-malleability
• decision D-H R.O. PS96 oracle-related
  assumption

8
Preliminaries

• ElGamal encryption
• P aQ 1, P,Q primes, g Q
• Private key x
• Public key y gx (mod P)
• E(m) gk, yk m (m ? GQ)
• Decision Diffie-Hellman
• P aQ 1, P,Q primes, g Q
• Distinguish lt ga, gb, gabgt from ltga, gb, gc gt

9
Preliminaries (cont.)

• Semantic security indistinguishability of
  encryptions
• It is infeasible to find 2 messages whose
  encryptions can be distinguished (non-negl.
  better than random guessing)

10
ElGamal gt decision D-H

• Assume we have ElGamal oracle
• Given a triplet ltga, gb, y gt decide if it is a
  D-H triplet (y gab ?)
• 1. Preparation stage Find two messages that the
  oracle can distinguish
• 2. Testing phase test if the oracle can
  distinguish between message 1 (or 2) and random
  messages

11
Proof (cont.)

• 3. Decision phase generator g, public key gbw (w
  random)
• Randomize message 1 (or 2)
• Correctly E(m) gu , m (gb)wu
• Based on given triplet ltga, gb, y gt E(m)
  (ga)t g v , m ywt (gb)wv
• m m (if y gab), random otherwise
• Run oracle on E(m), E(m)
• 1. Distinguish? gt not D-H triplet
• 2. Else correct D-H triplet

12
Decision D-H gt ElGamal

• Given decision D-H oracle, find two messages
  whose ElGamal encryptions can be distinguished
• For any two m, m (y gx)
• E(m0) ga, m0 ya , E(m1) gb, m1 yb
• Feed ltga, y gv , ya m0 gav /mgt lt ga, gxv ,
  g(xv)a m0/mgt (random v)
• If it is a correct triplet, then m0m , else m0
  m

13
Non-malleability

• Given ciphertext C, cannot construct ciphertext
  C such that the plaintexts are related
• All we need is a proof of knowledge of the
  plaintext
• I.e., a proof of knowledge of k in E(m) gk,
  yk m
• But, it must be a non-malleable ZK proof it must
  be bound to the prover

14
The non-malleable extension

• A Schnorr-type ZK proof of knowledge of k, with
  the senders identity in the challenge (hash)
• A gk, yk m, F gv, C k H(ID, g, A, F) v
• E(m) A, F, C, ID
• Random oracle is used only as a trusted beacon
  PS96 - not for information hiding

15
Security proof

• 1. We need to verify that semantic security still
  holds (the knowledge proof does not leak
  information)
• 2. Knowledge of k provided from Schnorr proof
• 3. Sender-bound the addition forms a Schnorr
  signature of ID based on k, which is
  existentially unforgeable PS96

16
Practical implications Encryption

• ElGamal is as secure as BR94Can97
• Non-malleability can be added at minimal
  efficiency costs
• In applications a signature is still needed
• Otherwise senders can be impersonated
• Signatures using Schnorr-proofs is a smooth
  addition

17
Implications protocols

• First encryption scheme with homomorphic
  properties that is semantically secure
• Anonymous e-cash escrowing can be performed
  based on decision D-H