A Brief History of Provable Security and PKE
Alex Dent
Information Security Group
Royal Holloway, University of London
A Provable Timeline
• Late 1970s: First secure schemes
• 1980s: Definitions
• 1990s: Random oracle model schemes
• Late 1990s: “Double and add” schemes
– NIZK proof schemes
– Cramer-Shoup encryption
• 2000s: Signatures and identities
• 2000s: Extracting the truth
Definitions
• Confidentiality means that an attacker
cannot find any information about a
plaintext from a ciphertext.
• Semantic security captures this notion.
Definitions
• IND-CPA is equivalent to semantic security
[Goldwasser-Micali, 1984].
Definitions
• (Diagram: the IND-CPA game. The attacker is given pk and sends two messages m0, m1; the challenger picks b ← {0,1}, computes C* = Enc(pk, m_b) and returns C*; the attacker outputs a guess b′.)
• Attacker wins if b = b′
• Advantage of an attacker is:
| Pr[ b = b′ ] - ½ |
Definitions
• IND-CCA1 security: Allows access to a
decryption oracle before the challenge
ciphertext is issued [Naor-Yung, 1990].
Definitions
• IND-CCA2 security: Allow access to a
decryption oracle before and after the
challenge ciphertext is issued.
[Rackoff-Simon, 1991]
Definitions
• (Diagram: the IND-CCA2 game. The attacker is given pk and may submit ciphertexts C to a decryption oracle, which returns m = Dec(sk, C), both before it sends m0, m1 and after it receives C* = Enc(pk, m_b) for b ← {0,1}, subject to C ≠ C* in the second phase; it then outputs a guess b′.)
• Advantage of an attacker is:
| Pr[ b = b′ ] - ½ |
Definitions
• Why is this such a difficult notion of
security to achieve?
Definitions
• Decryption oracle has to be “consistent”.
• Trivial oracle queries.
• (Diagram: the IND-CCA2 game with the real decryption oracle replaced by a simulated decryption oracle, labelled “Problem”, and the challenge ciphertext C* replaced by a simulated ciphertext, labelled “Solution”.)
Random Oracle Model
• The random oracle methodology models
hash functions as random functions.
[Bellare-Rogaway, 1993]
• Enables security proofs for very efficient
schemes such as ECIES and RSA-OAEP.
Random Oracle Model
• There exist schemes that are secure in
the random oracle model, but insecure
when used with any hash function.
[Canetti-Goldreich-Halevi, 1998]
“Double and Add” Schemes
• A series of schemes prove security by
encrypting a message twice with a weak
scheme and adding a “checksum”.
• Principle proposed by Naor and Yung.
• IND-CCA2 version of the
scheme given in [Sahai, 1999]
• “Checksum” is NIZK proof.
“Double and Add” Schemes
• Non-interactive zero-knowledge (NIZK)
proof that two ciphertexts encrypt the
same message.
(Diagram: from the message and coins, the prover uses the public value σ to produce a proof π.)
“Double and Add” Schemes
• Zero knowledge: it must be possible to
choose σ in such a way that there is a
trapdoor τ which allows “false” proofs.
(Diagram: with the public value σ, a proof π is produced from the message and coins; with the private value τ, a proof π can be produced for any two ciphertexts.)
“Double and Add” Schemes
• Simulation sound: it must not be possible
to find a false proof (given only σ) even if
you have seen one false proof.
(Diagram: as on the previous slide, a σ-proof π from the message and coins, and a τ-proof π for any two ciphertexts.)
“Double and Add” Schemes
• Use an IND-CPA scheme (G, E, D).
• (Diagram: m is encrypted with E under pk1 to give C1 and under pk2 to give C2; the NIZK with public value σ gives the proof π.)
• Public key is (pk1, pk2, σ).
• Private key is sk1.
• To decrypt:
– Check proof
– Decrypt C1.
“Double and Add” Schemes
• This scheme is theoretical.
• The NIZK is impractical (very long output
and time consuming to compute).
• However, it does show that public key
encryption exists as long as trapdoor one-way permutations exist.
“Double and Add” Schemes
• The Cramer-Shoup scheme was the first
practical and provably secure scheme.
[Cramer-Shoup, 1998]
“Double and Add” Schemes
• The Cramer-Shoup encryption scheme
works on the same principles as Sahai.
• Key generation:
– g, g′ ← G
– x1, x2, y1, y2, z ← Zp
– h ← g^z
– e ← g^{x1} · g′^{x2}
– f ← g^{y1} · g′^{y2}
– pk = (g, g′, h, e, f)
– sk = (x1, x2, y1, y2, z)
• Encrypt:
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– v ← Hash(a, a′, c)
– d ← e^r · f^{rv}
– C = (a, a′, c, d)
“Double and Add” Schemes
• Start with a version of ElGamal
• ElGamal is passively secure under the
DDH assumption.
• Publicly known, random element h ← G.
• Key generation:
– z ← Zp
– g ← h^{1/z}
– pk = g
– sk = z
• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– C = (a, c)
“Double and Add” Schemes
• We need to encrypt twice under
independent public keys.
• Key generation:
– z, z′ ← Zp
– g ← h^{1/z}
– g′ ← h^{1/z′}
– pk = (g, g′)
– sk = (z, z′)
• Encrypt:
– r, r′ ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^{r′}
– c′ ← h^{r′} · m
– C = (a, c, a′, c′)
“Double and Add” Schemes
• However, a paper by [Bellare-Boldyreva-Staddon, 2003] says we can reuse the
random value r without losing security.
• Key generation:
– z, z′ ← Zp
– g ← h^{1/z}
– g′ ← h^{1/z′}
– pk = (g, g′)
– sk = (z, z′)
• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^r
– c′ ← h^r · m
– C = (a, c, a′, c′)
“Double and Add” Schemes
• However, now c and c′ are the same value
• Key generation:
– z, z′ ← Zp
– g ← h^{1/z}
– g′ ← h^{1/z′}
– pk = (g, g′)
– sk = (z, z′)
• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^r
– C = (a, c, a′)
“Double and Add” Schemes
• Now, the value z′ is never used and so we
can remove it.
• Key generation:
– z ← Zp
– g ← h^{1/z}
– g′ ← G
– pk = (g, g′)
– sk = z
• Encrypt:
– r ← Zp
– a ← g^r
– c ← h^r · m
– a′ ← g′^r
– C = (a, c, a′)
“Double and Add” Schemes
• And if we just tidy up a bit, then we get…
• (I’m hiding a few things here!)
• Key generation:
– g, g′ ← G
– z ← Zp
– h ← g^z
– pk = (g, g′, h)
– sk = z
• Encrypt:
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– C = (a, a′, c)
“Double and Add” Schemes
• However, this is over half the Cramer-Shoup scheme:
• Key generation (simplified scheme):
– g, g′ ← G
– z ← Zp
– h ← g^z
– pk = (g, g′, h)
– sk = z
• Key generation (Cramer-Shoup):
– g, g′ ← G
– x1, x2, y1, y2, z ← Zp
– h ← g^z
– e ← g^{x1} · g′^{x2}
– f ← g^{y1} · g′^{y2}
– pk = (g, g′, h, e, f)
– sk = (x1, x2, y1, y2, z)
“Double and Add” Schemes
• However, this is over half the Cramer-Shoup scheme:
• Encrypt (simplified scheme):
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– C = (a, a′, c)
• Encrypt (Cramer-Shoup):
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– v ← Hash(a, a′, c)
– d ← e^r · f^{rv}
– C = (a, a′, c, d)
“Double and Add” Schemes
• So this fits the Sahai mold providing d acts like a NIZK.
• In the proof, it is shown that d can be faked if you know x1, x2, y1, y2.
• In the proof, it is shown that if a = g^r and a′ = g′^{r′} with r ≠ r′, then the decryption algorithm will reject.
• Encrypt:
– r ← Zp
– a ← g^r
– a′ ← g′^r
– c ← h^r · m
– v ← Hash(a, a′, c)
– d ← e^r · f^{rv}
– C = (a, a′, c, d)
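The ElGamal-to-Cramer-Shoup progression on the preceding slides, and the “trivial oracle queries” remark from the IND-CCA2 slides, as one added worked example (my code, not from the slides or from Cramer and Shoup): ElGamal in the slides’ form (public h, g = h^{1/z}, sk = z), the related-ciphertext query that shows why a decryption oracle breaks it, and the Cramer-Shoup scheme exactly as written above, together with the decryption-side consistency check that the slides only allude to. Assumptions: a toy safe prime P = 4079 with the squares forming a subgroup of prime order Q = 2039 (constructed; real use needs a group of 256-bit order or more), a squaring-based encode/decode for messages, SHA-256 reduced mod Q as a stand-in for Hash(a, a′, c), and all function names. The check that d equals a^{x1+y1 v} · a′^{x2+y2 v} is the standard Cramer-Shoup decryption test; it follows from d = e^r · f^{rv} when a′ = g′^r, and it is what makes decryption reject a ciphertext with a = g^r, a′ = g′^{r′}, r ≠ r′.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example: P is a safe prime, so the squares
# mod P form a subgroup of prime order Q. Real use needs a 256-bit Q or larger.
P = 4079
Q = (P - 1) // 2

def rand_group_element():
    """Uniform non-identity element of the order-Q subgroup (a square mod P)."""
    while True:
        g = pow(secrets.randbelow(P - 1) + 1, 2, P)
        if g != 1:
            return g

def rand_exponent():
    """Uniform non-zero exponent in Z_Q (the slides' 'r ← Zp')."""
    return secrets.randbelow(Q - 1) + 1

def encode(x):
    """Map an integer 1 <= x < Q to a subgroup element by squaring it."""
    if not 1 <= x < Q:
        raise ValueError("message out of range")
    return pow(x, 2, P)

def decode(m):
    """Invert encode(): P = 3 (mod 4), so m^((P+1)/4) is a square root of m."""
    root = pow(m, (P + 1) // 4, P)
    return min(root, P - root)

def hash_to_zq(*parts):
    """Stand-in for the slides' Hash(a, a', c): SHA-256 of the parts, reduced mod Q."""
    data = b"|".join(str(part).encode() for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

# ElGamal in the slides' form: public h, g = h^(1/z), pk = g, sk = z.
def elgamal_keygen(h):
    z = rand_exponent()
    return pow(h, pow(z, -1, Q), P), z  # g = h^(1/z), so h = g^z

def elgamal_encrypt(h, g, m):
    r = rand_exponent()
    return pow(g, r, P), pow(h, r, P) * m % P  # C = (a, c)

def elgamal_decrypt(z, ct):
    a, c = ct
    return c * pow(pow(a, z, P), -1, P) % P  # h^r = g^(zr) = a^z

def elgamal_maul(ct, t):
    """(a, c) -> (a, c*t) encrypts m*t without knowing m: the 'trivial' related
    query a decryption oracle would answer, so IND-CPA ElGamal is not IND-CCA2."""
    a, c = ct
    return a, c * t % P

# Cramer-Shoup as on the slides, plus the decryption-side consistency check.
def cs_keygen():
    g, g2 = rand_group_element(), rand_group_element()
    x1, x2, y1, y2, z = (rand_exponent() for _ in range(5))
    h = pow(g, z, P)
    e = pow(g, x1, P) * pow(g2, x2, P) % P
    f = pow(g, y1, P) * pow(g2, y2, P) % P
    return (g, g2, h, e, f), (x1, x2, y1, y2, z)

def cs_encrypt(pk, m, r=None, r2=None):
    """Honest encryption uses one r for both a and a'. Passing r2 != r builds the
    malformed ciphertext a = g^r, a' = g'^r' that decryption must reject."""
    g, g2, h, e, f = pk
    r = rand_exponent() if r is None else r
    r2 = r if r2 is None else r2
    a, a2 = pow(g, r, P), pow(g2, r2, P)
    c = pow(h, r, P) * m % P
    v = hash_to_zq(a, a2, c)
    d = pow(e, r, P) * pow(f, r * v % Q, P) % P
    return a, a2, c, d

def cs_decrypt(sk, ct):
    """Return m, or None if the 'checksum' d is inconsistent. For an honest
    ciphertext e^r * f^(rv) = a^(x1 + y1 v) * a'^(x2 + y2 v), recomputable from sk."""
    x1, x2, y1, y2, z = sk
    a, a2, c, d = ct
    v = hash_to_zq(a, a2, c)
    expected = pow(a, (x1 + y1 * v) % Q, P) * pow(a2, (x2 + y2 * v) % Q, P) % P
    if d != expected:
        return None
    return c * pow(pow(a, z, P), -1, P) % P

def demo():
    # Round-trip both schemes; show ElGamal is malleable and Cramer-Shoup rejects.
    m, t = encode(1234), encode(7)
    h = rand_group_element()
    g, z = elgamal_keygen(h)
    mauled = elgamal_decrypt(z, elgamal_maul(elgamal_encrypt(h, g, m), t)) == m * t % P
    pk, sk = cs_keygen()
    good = decode(cs_decrypt(sk, cs_encrypt(pk, m)))
    a, a2, c, d = cs_encrypt(pk, m)
    tampered = cs_decrypt(sk, (a, a2, c * t % P, d))  # v changes, so d no longer matches
    r = rand_exponent()
    mixed = cs_decrypt(sk, cs_encrypt(pk, m, r, (r + 1) % Q))  # a' = g'^r' with r' != r
    return good, mauled, tampered, mixed
```

Calling demo() returns (1234, True, None, None): the ElGamal ciphertext can be turned into an encryption of m·t without the key, while the same tampering (and a mismatched r′) makes Cramer-Shoup decryption return None. The rejection is what lets the proof answer decryption queries without the challenge’s randomness; in the toy group a malformed ciphertext slips through with probability about 1/Q, which is why real parameters need a large Q.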
Signatures and Identities
• It is possible to turn a passively secure
identity-based encryption scheme into a
secure public-key encryption scheme.
[Canetti-Halevi-Katz, 2004]
• A little odd that it took the development of
identity-based encryption before we got
new public-key encryption schemes.
Extracting the Truth
• Plaintext awareness is a property of an
encryption scheme that says that the only
way to create a valid ciphertext is to
generate a plaintext and encrypt it.
• So, if an attacker generates a valid
ciphertext, then it must know the
underlying message.
• Hence, a decryption oracle is no help.
Extracting the Truth
• It’s difficult to say what it means for an
attacker (computer) to “know” something.
• The definitions are complex.
• All known proofs rely on the random oracle
model, an unrealistic architecture, or
suspect “extractor” assumptions.
• The subject for another lecture…
Extracting the Truth
• The idea was first given a full formal
treatment in [Bellare-Desai-Pointcheval-Rogaway, 1998].
• However, this definition could only be
achieved in the random oracle model.
Extracting the Truth
• [Herzog-Liskov-Micali, 2003] gave a new
interpretation of the problem, but it needed
an unrealistic architecture.
• The first fully satisfactory definition for
plaintext awareness in the standard model
was given by [Bellare-Palacio, 2004]
Extracting the Truth
• The Cramer-Shoup scheme was the first
to be proven plaintext aware [Dent, 2006]
• Cramer-Shoup and Kurosawa-Desmedt
“hash proof system” schemes can be
shown to be plaintext aware [Birkett-Dent].
Where are we now?
• [Boneh-Katz, 2005] is a signature-identity
scheme similar to the CHK transform.
– Transform efficiency overhead is minimal.
– Still requires a passively secure IBE scheme
• [Hofheinz-Kiltz, 2007] mixes Cramer-Shoup and IBE techniques.
– 2.5 exponentiations for encryption
– 1.5 exponentiations for decryption
Conclusions
• None of the approaches really work…
– Use the random oracle model
– Or they intrinsically require two operations
– Or they use weak “extractor” assumptions
• New approach is needed if we’re going to
prove the ultra-high-speed schemes
secure.
• Plenty missing from this presentation
Questions?