Circular-Secure Encryption
from Decision Diffie-Hellman
Dan Boneh
Shai Halevi
Mike Hamburg
Rafail Ostrovsky
Key Dependent Messages
• Message may depend on key
– Encrypted swap
– Encrypted backups
• Security in this setting does not follow from
semantic security
– Trivial, pathological counterexamples
– Or…
Secure Self-Encryption [BRS’02]
[Figure: key k and message m; random r ← R; the hash H(r||k) is XORed into m]
E_k(m) = (r, H(r||k) ⊕ m)
Insecure Self-Encryption [HK’07]
[Figure: key k and random r ← R are hashed to H(r||k), which is fed to Encrypt]
E’_k(k) = (r, E_r(k))
KDM in practice
• Collaboration: parties A and B hold key pairs (PK_A, SK_A) and (PK_B, SK_B) and exchange
E_PKB(SK_A) and E_PKA(SK_B)
Circular Encryption [CL’01]
• A user has n credentials signed by CA: key pairs (PK1, SK1), (PK2, SK2), …, (PKn, SKn)
– SK1, …, SKn are secret
– PK1, …, PKn are public and signed by the CA (e.g. “I am Shai”, “NY driver license”)
• User should not “lend” any of his credentials to a friend
• Solution [CL’01]: publish the cycle
E_PK1[SK2], E_PK2[SK3], …, E_PKn[SK1]
(lending any one SK_i lets the friend recover all of them)
Clique Security
• E_ki(kj) is available to the adversary for all i, j
(C,n)-KDM security [BRS’02]
• Challenger sends the public keys (PK1, …, PKn) to the Adversary
• Adversary chooses a function F ∈ C and an index i ∈ {1, …, n}
• Challenger returns either E_PKi[F(SK1, …, SKn)] or a random ciphertext (repeated adaptively)
• Adversary outputs a guess b*
Is ElGamal self-referential secure?
• Maybe, maybe not
• Need (g, g^x, g^r, g^{rx}·x) indistinguishable from random
– Requires a funny assumption!
• Clique security? Need an even funnier assumption…
• Our goal: use a standard assumption ( DDH )
Notation
• Let G be a group of prime order p
• Using additive notation for G: G is a 1-dim vector space over Z_p
• Perform dot products etc. normally:
(x1, x2, x3)·(g1, g2, g3) = x1·g1 + x2·g2 + x3·g3, with g_i ∈ G, x_i ∈ Z_p
(aka g1^{x1} g2^{x2} g3^{x3} in multiplicative notation)
The Result
• n-Clique Secure for any [poly] n
– CPA only
– Bounds independent of n
– More generally, (Affine,n)-Clique Secure
• Security rests on DDH
– Standard model
– Weaker assumptions possible, eg D-linear
The System
Secret Key: s = (s1, s2, …, sℓ) ∈ {0,1}^ℓ
Public Key: v = (g1, g2, …, gℓ) ∈ G^ℓ and h = 1/(g1^{s1} ⋯ gℓ^{sℓ})
(in additive notation h = −v·s)
Encrypt: pick random r ∈ Z_p and output
r × (g1, …, gℓ, h) + (0, 0, …, 0, m) = (g1^r, g2^r, …, gℓ^r, h^r·m)
Decrypt: dot the ciphertext with (s, 1):
(g1^r)^{s1} ⋯ (gℓ^r)^{sℓ} · (h^r·m) = m
(in additive notation r·(v·s + h) + m = r·0 + m = m)
Theorem
Breaking (Affine,n)-Clique-Secure breaks DDH
Let’s prove self-referential
Intuition
• The “ciphertext vectors” (g,1,1,…,1), (1,g,1,…,1), …, (1,1,1,…,g) are easy to generate from public information only
• Dotting the i-th such vector with (s,1) gives g^{s_i}: each always decrypts to the (encoded) i-th bit of the secret key
• So an “encryption of the secret key” can be produced without knowing the key
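The scheme from “The System” and the self-encryption trick from the intuition slide, as an added runnable example (not the authors’ code). It uses multiplicative notation over the order-509 subgroup of Z_1019^*; the parameters P, Q, G and the key length ELL are toy values chosen for readability and give no security. Beyond the slide it also builds, without the key, a ciphertext of g^(a·s + b) for any affine function of the key bits (the Affine class in “The Result”), and the same encrypt call with another party’s key bits is exactly the clique case E_ki(kj).

```python
# Toy BHHO implementation (added example, not from the paper or slides).
# Assumptions: P, Q, G, ELL below are toy parameters; key bits are encoded as g^b.
import secrets

P = 1019   # safe prime, P = 2*Q + 1
Q = 509    # prime order of the subgroup of quadratic residues mod P
G = 4      # 4 = 2^2 is a quadratic residue != 1, so it generates the order-Q subgroup
ELL = 8    # key length (the real scheme takes ELL much larger than log2 Q)


def rand_exp():
    """Uniform exponent in Z_Q (the scalar field of the 'vector space' G)."""
    return secrets.randbelow(Q)


def prod_pow(bases, exps):
    """Multiplicative dot product: prod bases[i]^exps[i] mod P."""
    acc = 1
    for b, e in zip(bases, exps):
        acc = acc * pow(b, e, P) % P
    return acc


def keygen(ell=ELL):
    """Secret key s in {0,1}^ell; public key (g_1..g_ell, h), h = 1/(g_1^s_1 ... g_ell^s_ell)."""
    s = [secrets.randbits(1) for _ in range(ell)]
    gs = [pow(G, 1 + secrets.randbelow(Q - 1), P) for _ in range(ell)]  # random non-identity g_i
    h = pow(prod_pow(gs, s), -1, P)
    return (gs, h), s


def encrypt(pk, m, r=None):
    """r*(g_1..g_ell, h) + (0..0, m) additively, i.e. (g_1^r, ..., g_ell^r, h^r * m)."""
    gs, h = pk
    if r is None:
        r = rand_exp()
    return [pow(g, r, P) for g in gs] + [pow(h, r, P) * m % P]


def decrypt(s, c):
    """<c, (s,1)>: (g_1^r)^s_1 ... (g_ell^r)^s_ell * h^r * m = m."""
    return prod_pow(c[:-1], s) * c[-1] % P


def encode_bit(b):
    """Key bits are encrypted as the group elements g^b (an encoding assumed by this example)."""
    return pow(G, b, P)


def encrypt_secret_key(pk, s):
    """Honest self-encryption: a ciphertext of g^s_i under pk for every bit i."""
    return [encrypt(pk, encode_bit(b)) for b in s]


def key_bit_ciphertext_without_key(pk, i):
    """Intuition slide: the vector with g at position i and 1 elsewhere decrypts to g^s_i
    under ANY key. Multiplying in a fresh encryption of the identity re-randomizes it."""
    ell = len(pk[0])
    e_i = [1] * (ell + 1)
    e_i[i] = G
    mask = encrypt(pk, 1)                     # r*(v, h) + (0..0, 1): encryption of the identity
    return [x * y % P for x, y in zip(mask, e_i)]


def affine_of_key_ciphertext_without_key(pk, a, b):
    """Affine class: g^a_i at position i and g^b last decrypts to g^(sum a_i s_i + b)."""
    vec = [pow(G, ai, P) for ai in a] + [pow(G, b, P)]
    mask = encrypt(pk, 1)
    return [x * y % P for x, y in zip(mask, vec)]


def affine_value(s, a, b):
    """What the affine ciphertext must decrypt to: g^(a.s + b)."""
    return pow(G, (sum(ai * si for ai, si in zip(a, s)) + b) % Q, P)


if __name__ == "__main__":
    pk, sk = keygen()
    m = pow(G, rand_exp(), P)
    assert decrypt(sk, encrypt(pk, m)) == m
    for i, c in enumerate(encrypt_secret_key(pk, sk)):
        assert decrypt(sk, c) == encode_bit(sk[i])
        assert decrypt(sk, key_bit_ciphertext_without_key(pk, i)) == encode_bit(sk[i])
    a = [rand_exp() for _ in sk]
    assert decrypt(sk, affine_of_key_ciphertext_without_key(pk, a, 7)) == affine_value(sk, a, 7)
    print("all checks passed")
```

The point to notice is that key_bit_ciphertext_without_key never reads s: it only multiplies public vectors together, yet its output decrypts to the i-th key bit. That is exactly what lets the reduction in the proof hand the adversary “encryptions of the secret key” while knowing nothing about the key itself.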
The Proof
• Game 0: CPA game. Ciphertext = r × (g1, …, gℓ, h) + (0, 0, …, 0, m)
• Game 1: replace the single row by a random matrix of rank 1: ciphertext = R × M + (0, 0, …, 0, m).
Indistinguishable: identical ciphertext distribution, since
r·(g1, …, gℓ, h) ~ r1·a1·(g1, …, gℓ, h) + … + rt·at·(g1, …, gℓ, h)
• Game 2: M of rank ℓ−1. Indistinguishable by DDH, which says that in the exponent
[1 a; b ab] (rank 1) vs. [1 a; b c] (random)
cannot be told apart
• Game 3: replace (0, 0, …, 0, m) by the i-th row of the identity matrix, (0, …, 0, 1, 0, …, 0): ciphertext = R × M + e_i, M of rank ℓ−1.
Indistinguishable: identical ciphertext distribution
• Game 4: M of rank 1 again, obtained as a random subset-sum of the columns. Indistinguishable by DDH
• Game 5: M of rank 1. Statistically indistinguishable (using the leftover hash lemma, LOHL)
• Game 6: M of rank ℓ. Indistinguishable by DDH
• Game 7: Indistinguishable: identical ciphertext distribution
Follow-up work
• Camenisch-Chandran-Shoup 2009:
CCA security
– Apply Naor-Yung/Sahai
– For DDH-based scheme, can do it efficiently
• Applebaum, Cash, Peikert, Sahai 2009:
Circular security from LPN/LWE
Questions?