Anonymity and Robustness
in
Encryption Schemes
Payman Mohassel
University of Calgary
Public Key Encryption (PKE)
(pk, sk)  KG
pk
C = Enc(pk,m)
m = Dec(sk,C)
PKE = (KG, Enc, Dec)
2
Traditional Security Notions
(Data Secrecy)
• Semantic security
– No function of the message is leaked
– Equivalent to indistinguishability
• Non-malleability
– Hard to create ciphertext for related messages
• Chosen plaintext attacks (CPA)
• Chosen ciphertext attacks (CCA)
Mobile Communication
Base Station
key exchange
Mobile User
Enc(pk, message)
eavesdropper wants to learn identity of mobile user
pk
Secure Auction [Sako’00]
• First practical auction to hide bid values
• Keys correspond to bid values
• A known message is encrypted using the key
• Hiding a bid value requires hiding the key
Dec(sk’, c) =
c
c
c = Enc(pk, m)
(pk, sk)
c
Other Guarantees
• Does the ciphertext hide the key?
– Anonymity
• What happens when decrypting using a
different key?
– Robustness
ANON-CCA
(pk0, sk0)  KG(1n)
(pk1, sk1)  KG(1n)
b  {0,1}
Challenger
Dec(skb1, c1)
Dec(skbi, ci)
Dec(skbi+1, c1) Dec(skbq, cq)
C=Enc(pkb ,m)
pk0, pk1
. . . .
. . . .
m
c1 , b1
ci , bi
ci+1 , bi+1
cq, bq
b’ 
Advanon-cca,PKE(A) =|Pr[b’ = b] – ½| is negligible
Weak Robustness (WROB-CCA)
(pk0, sk0)  KG(1n)
(pk1, sk1)  KG(1n)
Challenger
Dec(skbi, ci)
. . . .
pk0, pk1
M
ci , bi
Adv wins if Dec(sk1, C) ≠
, where C = Enc(pk0,M)
Strong Robustness (SROB-CCA)
(pk0, sk0)  KG(1n)
(pk1, sk1)  KG(1n)
Challenger
Dec(skbi, ci)
. . . .
pk0, pk1
C
ci , bi
Adv wins if Dec(sk0,C) ≠
and Dec(pk1,C) ≠
What is Known?
• Anonymity
–
–
–
–
Not always satisfied
y = xe mod N for random x
pk0 = (N0, e0) pk1 = (N1, e1), N1 > N0
If y > N0 return pk1 else return pk0
• Robustness
–
–
–
–
ElGamal is not robust
[pk0 = (G, p, g, gx) , sk0 = x] , [pk1 = (G, p, g, gy), sk1 = y]
Enc(pk0, m) = (c1, c2) = (gr , mgxr)
m’ = Dec(sk1, (c1, c2)) = c2/c1y = mg(x-y)r
What is Known?
• Anonymous PKE and IBE
– [Bellare et al. 2001], [Abdalla et al. 2008]
– PKE: DHIES, [Cramer-Shoup’01]
– IBE: [Boneh-Franklin’01], [Boyen-Waters’06]
• Robust PKE and IBE
– [Abdalla et al. 2010]
• Strongly robust IBE: [Boneh-Franklin’01]
• Weakly robust PKE: DHIES, [Cramer-Shoup’01]
• Not robust: [Boyen-Waters’06]
Our Contribution
• Studying anonymity of hybrid encryption
– Positive and negative results
• More efficient transformations for robust
encryption schemes
– Computation and ciphertext size
– Please see the paper
Question: Given an “anonymous PKE/IBE”
and an “anonymous SKE”, is the hybrid
encryption scheme also anonymous?
Anonymity of Hybrid Encryption
• ANON-CPA PKE/IBE + IND-CPA SKE
– The hybrid encryption is ANON-CPA
• [negative] ANON-CCA PKE/IBE + IND-CCA SKE
– The hybrid encryption is NOT always ANON-CCA
– True if SKE is ANON-CCA or more
• [positive] (WROB + ANON)-CCA PKE/IBE + AE SKE
– The hybrid encryption is ANON-CCA
– More evidence that “anonymity” and “robustness”
are needed simultaneously
Counter Example (PKE)
• Start with (WROB + ANON)-CCA PKE1
– PKE1 = (KG1, Enc1, Dec1)
• Build PKE2 = (KG2, Enc2, Dec2)
– Dec2
• Run Dec1, if it returns
return 0n
• Else return what Dec1 outputs
• PKE2 is still ANON-CCA
Counter Example (SKE)
• We use a key-binding IND-CCA SKE
• Key-binding SKE = (K, SE, SD)
– For any k  K, randomness r, and message m
– There is no k’ ≠ k where SDk’(SEk(m,r)) ≠
• PKE2 + key-binding SKE
– Not ANON-CCA
Counter Example
(pk0, sk0)  KG(1n)
(pk1, sk1)  KG(1n)
b  {0,1}
Challenger
(c1, c2) = (Enc2(pkb,k), SE(k,m))
pk0, pk1
Decryption query under pk0
for (c1, SE(0n,m’))
m
b’ 
If the answer is
let b’ = 0, else b’ = 1
Counter Example
• Requiring stronger security notion for SKE
does NOT help
– If it can be combined with key-binding
• What about stronger notions for the PKE?
Positive Result
Claim: If PKE is (ANON + WROB + IND)-CCA and
SKE is a (one-time) authenticated encryption,
the hybrid construction is (ANON + IND)-CCA
Game 0
(pk0, sk0)  KG(1n)
(pk1, sk1)  KG(1n)
b  {0,1}
Challenger
Dec(skb1, C1)
Dec(skbi, Ci)
pk0, pk1
c*1 = Enc(pkb,k*)
c*2 = SE(k*,m)
Dec(skb1, C1)
. . . .
C1 , b 1
Ci , b i
Dec(skbq, Cq)
. . . .
m
Ci+1 , bi+1
Cq , b q
b’ 
Advanon-cca,PKE(A) =|Pr[b’ = b] – ½| is negligible
Game 1
(pk0, sk0)  KG(1n)
(pk1, sk1)  KG(1n)
b  {0,1}
Challenger
c*1 = Enc(pkb, k*)
c*2 = SE(k*, m)
pk0, pk1
m
SD(k*, c2)
(c*1, c2 ≠ c*2), b
b’ 
Difference in games: decryption error
Game 2
(pk0, sk0)  KG(1n)
(pk1, sk1)  KG(1n)
b  {0,1}
Challenger
c*1 = Enc(pkb ,k*)
c*2 = SE(k*,m)
pk0, pk1
m
(c*1, c2 ≠ c*2), 1-b
b’ 
Difference in games: weak robustness of the PKE
only if c*1 decrypts under pkb and pk1-b
Game 3
(pk0, sk0)  KG(1n)
(pk1, sk1)  KG(1n)
b  {0,1}
Challenger
c*1 = Enc(pkb ,k*)
c*2 = SE(k’,m)
pk0, pk1
m
b’ 
Difference in games: IND-CCA security of the PKE
Game 4
(pk0, sk0)  KG(1n)
(pk1, sk1)  KG(1n)
b  {0,1}
Challenger
c*1 = Enc(pkb ,k*)
c*2 = SE(k’,m)
pk0, pk1
m
(c*1, c2 ≠ c*2), {b or 1-b}
b’ 
Difference in games: CTXT integrity of the SKE
only if a valid ciphertext under k’ is generated
Putting Things Together
• Advanon-cca(hybrid) <
Advwrob-cca(PKE)
+ Advind-cca(PKE)
+ Advctxt-int(SKE)
+ Advanon-cca(PKE)
• Boneh-Franklin, Cramer-Shoup, DHIES are WROBCCA
• Boyen-Waters IBE is not
Summary
• ANON-CCA PKE + (…) SKE  ANON-CCA hybrid
• (WROB + ANON)-CCA PKE + AE SKE  ANONCCA hybrid
• Is weak-robustness a necessary condition?
• Is Boyen-Waters (in)secure when used in a
hybrid construction?
Thank you
Results on Robustness
• [Abdalla et al.’10]
– Transforming ANON-CCA schemes to robust ones
• We design more efficient transformations
– Refer to the paper
Indentity-based encryption (IBE)
(par, msk) MKG
(sk,pk)PKG
id
C = Encpk(m)
m = Decsk(C)
IBE = (MKG, Enc, Dec)
30
IND-CCA
(pk, sk) KG(1n) ; b  {0,1}
Challenger
Decsk(c1)
Decsk(ci+1)
Decsk(ci)
Decsk(cq)
C=Encpk(mb)
. . . .
. . . .
m0 , m1
c1
ci+1
ci
cq
b’ 
Advind-cca,PKE(A) =|Pr[b’ = b] – ½| is negligible
31