Security proofs for practical encryption schemes - PowerPoint PPT Presentation

Slides: 18
Provided by: yian9

1
Security proofs for practical encryption schemes
  • Yiannis Tsiounis, GTE Labs
  • Moti Yung, CertCo LLC

2
Secure encryption
  • Semantic Security [GM84, Gol89]
  • Hide all partial information
  • Immune against a-priori knowledge

3
Semantic security (cont.)
(Indistinguishability of encryptions)
4
Beyond semantic security
  • Chosen ciphertext security [NY90]
  • Lunch-time attack [NY90]
  • Rackoff-Simon attack (adaptive) [RS91]
  • Non-malleability [DDN91]
  • Infeasible to create a related ciphertext
  • Message sender cannot be altered by
    man-in-the-middle

5
(Random oracles)
  • A necessary evil (a simplification)
  • Collision-free; information hiding

[Figure: random oracle, answering each query $Q_i$ with an answer $A_i$]
Requires tamper-proof devices, or exponential
memory
6
The big picture
[Figure: the big picture (diagram labels EG and EGROA)]
7
Contributions (cont.)
  • Semantic security
  • Directly from decision Diffie-Hellman
  • Retaining homomorphic properties
  • Exact analysis of efficiency of the reduction
  • Non-malleability
  • decision D-H + R.O. [PS96] + oracle-related
    assumption

8
Preliminaries
  • ElGamal encryption
  • $P = aQ + 1$, $P, Q$ primes, $g$ of order $Q$
  • Private key $x$
  • Public key $y = g^x \pmod P$
  • $E(m) = (g^k,\ y^k m)$ ($m \in G_Q$)
  • Decision Diffie-Hellman
  • $P = aQ + 1$, $P, Q$ primes, $g$ of order $Q$
  • Distinguish $\langle g^a, g^b, g^{ab} \rangle$ from $\langle g^a, g^b, g^c \rangle$

9
Preliminaries (cont.)
  • Semantic security = indistinguishability of
    encryptions
  • It is infeasible to find 2 messages whose
    encryptions can be distinguished (non-negligibly
    better than random guessing)

10
ElGamal → decision D-H
  • Assume we have an ElGamal oracle
  • Given a triplet $\langle g^a, g^b, y \rangle$ decide if it is a
    D-H triplet ($y = g^{ab}$?)
  • 1. Preparation stage: find two messages that the
    oracle can distinguish
  • 2. Testing phase: test if the oracle can
    distinguish between message 1 (or 2) and random
    messages

11
Proof (cont.)
  • 3. Decision phase: generator $g$, public key $g^{bw}$ ($w$
    random)
  • Randomize message 1 (or 2)
  • Correctly: $E(m) = (g^u,\ m (g^b)^{wu})$
  • Based on given triplet $\langle g^a, g^b, y \rangle$: $E(m') =
    ((g^a)^t g^v,\ m\, y^{wt} (g^b)^{wv})$
  • $m' = m$ (if $y = g^{ab}$), random otherwise
  • Run oracle on $E(m)$, $E(m')$
  • 1. Distinguish? → not a D-H triplet
  • 2. Else: correct D-H triplet

12
Decision D-H → ElGamal
  • Given a decision D-H oracle, find two messages
    whose ElGamal encryptions can be distinguished
  • For any two $m, m'$ ($y = g^x$)
  • $E(m_0) = (g^a,\ m_0 y^a)$, $E(m_1) = (g^b,\ m_1 y^b)$
  • Feed $\langle g^a,\ y g^v,\ y^a m_0 g^{av}/m \rangle = \langle g^a,\ g^{x+v},\
    g^{(x+v)a} m_0/m \rangle$ (random $v$)
  • If it is a correct triplet, then $m_0 = m$, else $m_0 =
    m'$

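The two reductions of slides 10-12, as an added worked example that is not code from the slides or their authors. It implements ElGamal over a toy prime-order subgroup (P = 2Q + 1 with Q = 1019 and g = 4, constructed here and far too small for real use), the homomorphic product listed under Contributions, and the two black-box oracles, simulated by brute-force discrete log so that both reductions can be run end to end: `decide_ddh` follows slide 11 (public key (g^b)^w, honest E(m) against the triple-derived E(m')), and `which_message` follows slide 12 (the triple ⟨g^a, y g^v, y^a m_0 g^{av}/m⟩). All function names and the toy parameters are this example's own.

```python
import random

# Toy parameters (constructed for this example): P = aQ + 1 with a = 2, and
# g = 4 generates the order-Q subgroup G_Q of Z_P^*.  Chosen so small that a
# brute-force discrete log can stand in for the reductions' black-box oracles.
Q = 1019
P = 2 * Q + 1          # 2039, prime
g = 4                  # 2^2 is a quadratic residue != 1, hence of order Q
assert pow(g, Q, P) == 1 and g != 1


def random_exponent():
    return random.randrange(1, Q)


def random_message():
    # messages live in G_Q (m in G_Q on the slide), so pick g^r
    return pow(g, random_exponent(), P)


def keygen():
    x = random_exponent()
    return x, pow(g, x, P)                        # private x, public y = g^x mod P


def encrypt(y, m, k=None):
    k = random_exponent() if k is None else k
    return pow(g, k, P), m * pow(y, k, P) % P     # E(m) = (g^k, y^k m)


def decrypt(x, ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, x, P), P - 2, P) % P  # c2 / c1^x


def homomorphic_mul(ct_a, ct_b):
    # component-wise product is an encryption of m_a * m_b (homomorphic property)
    return ct_a[0] * ct_b[0] % P, ct_a[1] * ct_b[1] % P


def dlog(h):
    # brute force over the Q elements of G_Q; only viable for this toy group
    acc = 1
    for i in range(Q):
        if acc == h:
            return i
        acc = acc * g % P
    raise ValueError("element not in G_Q")


# --- the two black-box oracles of the reductions, simulated by brute force ---
def same_plaintext_oracle(y, ct1, ct2):
    """ElGamal 'distinguishing oracle' of slide 10: do ct1 and ct2 hide the same message?"""
    x = dlog(y)
    return decrypt(x, ct1) == decrypt(x, ct2)


def ddh_oracle(ga, gb, y):
    """Decision D-H oracle: is y == g^(ab)?"""
    return pow(gb, dlog(ga), P) == y


# --- slide 11: ElGamal oracle -> decision D-H ---
def decide_ddh(ga, gb, y, oracle=same_plaintext_oracle):
    """Return True iff <ga, gb, y> is a D-H triplet, using only the ElGamal oracle."""
    w = random_exponent()
    Y = pow(gb, w, P)                              # public key g^(bw), w random
    m = random_message()
    u = random_exponent()
    ct_honest = (pow(g, u, P), m * pow(Y, u, P) % P)           # E(m) = (g^u, m (g^b)^(wu))
    t, v = random_exponent(), random_exponent()
    ct_test = (pow(ga, t, P) * pow(g, v, P) % P,               # (g^a)^t g^v
               m * pow(y, w * t, P) * pow(gb, w * v, P) % P)   # m y^(wt) (g^b)^(wv)
    # ct_test encrypts m under Y exactly when y = g^(ab); otherwise a random message
    return oracle(Y, ct_honest, ct_test)


# --- slide 12: decision D-H oracle -> ElGamal distinguisher ---
def which_message(y, ct, m0, m1, oracle=ddh_oracle):
    """ct encrypts m0 or m1 under y = g^x; return the one it encrypts."""
    ga, c2 = ct                                    # (g^a, m y^a)
    v = random_exponent()
    gb = y * pow(g, v, P) % P                      # y g^v = g^(x+v)
    third = c2 * pow(ga, v, P) * pow(m0, P - 2, P) % P   # y^a m g^(av) / m0 = g^((x+v)a) m/m0
    return m0 if oracle(ga, gb, third) else m1


if __name__ == "__main__":
    x, y = keygen()
    m0, m1 = random_message(), random_message()
    print(decrypt(x, homomorphic_mul(encrypt(y, m0), encrypt(y, m1))) == m0 * m1 % P)
    a, b = random_exponent(), random_exponent()
    print(decide_ddh(pow(g, a, P), pow(g, b, P), pow(g, a * b, P)))
    print(which_message(y, encrypt(y, m1), m0, m1) == m1)
```

Both reductions use only the public data of the instance they are given plus the oracle's answer; the brute-force `dlog` appears solely inside the simulated oracles, which is what makes the toy group necessary.
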
13
Non-malleability
  • Given ciphertext $C$, cannot construct ciphertext
    $C'$ such that the plaintexts are related
  • All we need is a proof of knowledge of the
    plaintext
  • I.e., a proof of knowledge of $k$ in $E(m) = (g^k,
    y^k m)$
  • But it must be a non-malleable ZK proof: it must
    be bound to the prover

14
The non-malleable extension
  • A Schnorr-type ZK proof of knowledge of $k$, with
    the sender's identity in the challenge (hash)
  • $A = g^k,\ y^k m$, $F = g^v$, $C = k \cdot H(ID, g, A, F) + v$
  • $E(m) = (A, F, C, ID)$
  • Random oracle is used only as a trusted beacon
    [PS96], not for information hiding

15
Security proof
  • 1. We need to verify that semantic security still
    holds (the knowledge proof does not leak
    information)
  • 2. Knowledge of $k$ is provided by the Schnorr proof
  • 3. Sender-bound: the addition forms a Schnorr
    signature of ID based on $k$, which is
    existentially unforgeable [PS96]

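The non-malleable extension of slides 14-15, as an added example that is not the slides' or the authors' code. It builds a 128-bit prime-order group of the same shape P = 2Q + 1 from a fixed seed (so the example is deterministic and self-contained), instantiates the challenge hash with SHA-256 reduced mod Q, and exposes the two checks a receiver makes before decrypting: the Schnorr equation g^C = A^H F, and the binding to the sender's ID. One assumption made here: the hash input also covers the second ElGamal component y^k m (the slide writes the input as H(ID, g, A, F)), so that a ciphertext whose second component has been changed fails the proof; the names `nm_encrypt`, `verify`, `nm_decrypt` and the ID strings are this example's own.

```python
import hashlib
import random

# --- a prime-order group of the slides' shape P = aQ + 1 (here a = 2), generated at
# import time from a fixed seed.  Constructed for this example; real code would use a
# standardised group rather than searching for one.
def is_probable_prime(n, rounds=20, rng=random.Random(0)):
    """Miller-Rabin with a fixed-seed witness source, so the search is repeatable."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=128, seed=7):
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full bit length
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return q, 2 * q + 1


Q, P = safe_prime_group()
g = 4                                   # quadratic residue != 1, hence of order Q
assert pow(g, Q, P) == 1


def rand_exp():
    return random.randrange(1, Q)


def keygen():
    x = rand_exp()
    return x, pow(g, x, P)              # private x, public y = g^x


def challenge(ident, A, B, F):
    # H(ID, g, A, F) of the slide, instantiated with SHA-256 and reduced mod Q.
    # Assumption of this example: B = y^k m is hashed too, binding the whole pair.
    data = "|".join(str(v) for v in (ident, g, A, B, F)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def nm_encrypt(y, m, ident):
    """E(m) = (A, B, F, C, ID): the ElGamal pair plus a Schnorr-type proof of knowledge of k."""
    k, v = rand_exp(), rand_exp()
    A, B = pow(g, k, P), m * pow(y, k, P) % P       # A = g^k, B = y^k m
    F = pow(g, v, P)                                # F = g^v  (commitment)
    C = (k * challenge(ident, A, B, F) + v) % Q     # C = k H(ID, g, A, F) + v
    return A, B, F, C, ident


def verify(ct):
    """g^C == A^H F holds iff the sender knew k for this (A, B, F) and this ID."""
    A, B, F, C, ident = ct
    h = challenge(ident, A, B, F)
    return pow(g, C, P) == pow(A, h, P) * F % P


def nm_decrypt(x, ct):
    """Decrypt only a ciphertext carrying a valid proof; reject (None) otherwise."""
    if not verify(ct):
        return None
    A, B, _, _, _ = ct
    return B * pow(pow(A, x, P), P - 2, P) % P


# Two receiver-side checks, shown on inputs derived from a valid ciphertext:
def related_ciphertext(ct, factor):
    # second component altered: plain ElGamal would decrypt it to a related message,
    # but the proof no longer matches the hashed pair
    A, B, F, C, ident = ct
    return A, B * factor % P, F, C, ident


def with_other_sender(ct, ident):
    # same ciphertext relabelled with another ID: the Schnorr signature of ID fails
    A, B, F, C, _ = ct
    return A, B, F, C, ident


if __name__ == "__main__":
    x, y = keygen()
    m = pow(g, 42, P)                   # a message in G_Q
    ct = nm_encrypt(y, m, "alice")
    print(nm_decrypt(x, ct) == m)
    print(nm_decrypt(x, related_ciphertext(ct, g)))
    print(nm_decrypt(x, with_other_sender(ct, "mallory")))
```

`nm_decrypt` refuses anything that fails `verify`, which is the order of operations the security proof relies on: knowledge of k is established by the Schnorr equation first, and only then is the ElGamal pair opened.
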
16
Practical implications: Encryption
  • ElGamal is as secure as [BR94], [Can97]
  • Non-malleability can be added at minimal
    efficiency cost
  • In applications a signature is still needed
  • Otherwise senders can be impersonated
  • Signatures using Schnorr proofs are a smooth
    addition

17
Implications: protocols
  • First encryption scheme with homomorphic
    properties that is semantically secure
  • Anonymous e-cash escrowing can be performed
    based on decision D-H