Course 2-12-1: Advanced Encryption (mabdalla/2-12-1/course-2-12-1-lecture5-part1.pdf)


Course 2-12-1: Advanced Encryption

Part 1: Robust Encryption

17 October 2011

Michel Abdalla, École normale supérieure & CNRS

Public-key encryption (PKE)

(Diagram) Key Generation outputs a public key, given to the sender, and a secret key, kept by the receiver. The sender computes C ← Enc(pk, M); the receiver recovers M ← Dec(sk, C).

Michel Abdalla 2

Security goals for PKE

Data privacy
• Ciphertext should not reveal any partial information about the encrypted message

Key privacy (a.k.a. anonymity)
• Ciphertext should not reveal any partial information about the public key under which it was created

Michel Abdalla 3

A practical scenario

Suppose C is a ciphertext obtained by encrypting a message M under public key pk.

If C is decrypted using the secret key sk corresponding to pk, then the result is M.

However, what happens if C is decrypted using the secret key sk' corresponding to pk' ≠ pk?

Robustness: The decryption algorithm should reject whenever the wrong decryption key is used.

Michel Abdalla 4

Why robustness?

The primary security requirement for public-key encryption is data privacy.

However, a growing number of applications (e.g., anonymous channels, electronic voting) also require anonymity.

Our thesis: Anonymity without robustness is inadequate for most applications.

Michel Abdalla 5

Example 1: Auction protocol

Overall goal
• Simulate a real-life auction based on sealed envelopes

Correctness
• The highest bid should be the winning bid

Security goals
• Only the highest bid should be revealed
• The losing bids should remain secret

Fairness
• The scheme should remain secure even in the case of collusions between an auctioneer and a bidder.

Michel Abdalla 6

Example 1: Auction protocol [Sako2000]

Setup
• Secret key: v1, …, vN ∈ Zp
• Public key: g, X1 = g^v1, …, XN = g^vN, M

Bidding on a value v ∈ {1, …, N}
• C = Enc(Xv, M) = (g^r, (Xv)^r · M)

Opening bids (C1, …, CL)
• Set i = N and S = {}
• For j = 1, …, L: if Dec(Cj) = M, then S = S ∪ {i}
• If S = {}, then i = i-1

Michel Abdalla 7
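The Sako-style opening loop above is easy to run end to end. The following is an added example, not code from the slides or from Sako's paper: bids are ElGamal encryptions of a fixed public message M under the price-level key X_v, and opening walks the price levels downward, decrypting every bid with the secret v_i of the current level. The point the slide is making is visible in wrong_keys_reject: the protocol is only correct because decrypting a bid under any other price key never yields M. The group parameters (the full multiplicative group of the Mersenne prime 2^127 - 1, base 3) are a constructed toy choice, not the slide's, and pow(x, -1, p) needs Python 3.8 or later.

```python
import secrets

# Toy group, constructed for this example: Z_p^* for the Mersenne prime p = 2^127 - 1
# with base g = 3. Large enough that wrong-key decryptions never collide with M, but
# NOT a prime-order DDH group; do not copy these parameters into a real system.
P = (1 << 127) - 1
ORDER = P - 1
G = 3


def auction_setup(n):
    """Auctioneer setup: one secret v_i and public X_i = g^{v_i} per price level i = 1..n."""
    secret = []
    while len(secret) < n:                       # distinct secrets so no two levels share a key
        v = secrets.randbelow(ORDER - 1) + 1
        if v not in secret:
            secret.append(v)
    public = [pow(G, v, P) for v in secret]
    return secret, public


def bid(public, v, M):
    """Bidder commits to price level v by encrypting the fixed message M under X_v (ElGamal)."""
    r = secrets.randbelow(ORDER - 1) + 1
    X = public[v - 1]
    return (pow(G, r, P), pow(X, r, P) * M % P)


def decrypt(v, C):
    """ElGamal decryption under price-level secret v: c2 / c1^v (pow(., -1, P) needs Python 3.8+)."""
    c1, c2 = C
    return c2 * pow(pow(c1, v, P), -1, P) % P


def open_bids(secret, ciphertexts, M):
    """Walk the price levels downward; the first level at which some bid decrypts to M wins.

    Returns (winning level, set of winning bidder indices j) or (0, set()) if nothing opens."""
    for i in range(len(secret), 0, -1):
        S = {j for j, C in enumerate(ciphertexts, start=1) if decrypt(secret[i - 1], C) == M}
        if S:
            return i, S
    return 0, set()


def wrong_keys_reject(secret, C, v, M):
    """The robustness property the opening phase silently relies on: under every key other
    than v, the bid must NOT decrypt to M (it decrypts to M * g^{r(v_v - v_i)} instead)."""
    return all(decrypt(secret[i], C) != M for i in range(len(secret)) if i != v - 1)


def auction_demo():
    """Five price levels, four sealed bids at levels 2, 4, 1 and 4 (constructed sample input)."""
    secret, public = auction_setup(5)
    M = pow(G, 424242, P)                        # the fixed public message every bid encrypts
    bids = [bid(public, 2, M), bid(public, 4, M), bid(public, 1, M), bid(public, 4, M)]
    level, winners = open_bids(secret, bids, M)
    return {"level": level, "winners": winners,
            "wrong_keys_reject": wrong_keys_reject(secret, bids[1], 4, M)}


if __name__ == "__main__":
    print(auction_demo())
```

With a scheme whose decryption under the wrong key could return M (the non-robust variants discussed later in the deck), the opening loop would declare losers winners at a price they never bid; that is the failure mode the robustness definitions below rule out.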

Example 2: Identity-based encryption [Shamir, BF01]

Goal: Allow the sender to encrypt messages based on the receiver's identity.

(Diagram) KeySetup produces the public key pk and the master secret key msk, held by the key server. The sender computes C ← Encryption(pk, ID, M). The receiver obtains sk ← KeyDerivation(msk, ID) from the server and computes M ← Decryption(sk, C).

Michel Abdalla 8


Can robustness be trivially achieved?

Is robustness implied by existing notions?

If not, is there an easy way to make an encryption scheme robust?

What about specific schemes?

Michel Abdalla 9

Our results

Negative results
• Robustness is not implied by existing notions such as privacy or anonymity under chosen-ciphertext attacks
• Adding redundancy to the plaintext (e.g., encrypting pk and M) does not work in general

Positive results
• There exists a general transform that makes any existing PKE and IBE scheme robust without sacrificing its anonymity
• Some existing schemes (e.g., Boneh-Franklin) can be proven robust

Michel Abdalla 10

Plan

• Security notions
• Redundancy-based transform
• A commitment-based transform
• Robustness of specific schemes
• Applications to searchable encryption
• Concluding remarks

Michel Abdalla 11

IND-CCA: privacy against chosen-ciphertext attack [BF01]

(Game, reconstructed from the slide diagram) The adversary receives the master public key pk.
• Key-derivation queries id1, …, idq are answered with ski ← KD(msk, idi)
• The adversary outputs m0, m1 and a target identity id* ∉ {id1, …, idq}; the challenger picks b ← {0,1} and returns C* ← E(pk, id*, mb)
• Decryption queries (id1, C1), …, (idq', Cq') are answered with mi ← D(KD(msk, idi), Ci) whenever (idi, Ci) ≠ (id*, C*)
• The adversary outputs b' and wins if b' = b, otherwise loses

Michel Abdalla 12


ANO-CCA: Anonymity against chosen-ciphertext attack

(Game, reconstructed from the slide diagram) The adversary receives the master public key pk.
• Key-derivation queries id2, …, idq are answered with ski ← KD(msk, idi)
• The adversary outputs a message m* and two identities id0, id1 ∉ {id2, …, idq}; the challenger picks b ← {0,1} and returns C* ← E(pk, idb, m*)
• Further key-derivation queries are answered with skq+1, …, skq', and decryption queries (id1, C1), …, (idq', Cq') with mi ← D(KD(msk, idi), Ci) whenever idi ∉ {id0, id1} or Ci ≠ C*
• The adversary outputs b' and wins if b' = b, otherwise loses

Michel Abdalla 13


Robust encryption

Weak robustness (WROB)
• Security w.r.t. honestly generated ciphertexts
• Adversary's goal is to find a message m and identities id0 and id1 such that D(skid1, E(pk, id0, m)) ≠ ⊥

Strong robustness (SROB)
• Security w.r.t. maliciously generated ciphertexts
• Adversary's goal is to find a ciphertext C and identities id0 and id1 such that D(skid0, C) ≠ ⊥ and D(skid1, C) ≠ ⊥

Michel Abdalla 14

WROB-CCA: Weak robustness against chosen-ciphertext attack

A scheme is WROB-CCA secure when, given a master public key pk:
• An adversary cannot generate a message m* and two identities id0 and id1 such that D(skid1, E(pk, id0, m*)) ≠ ⊥
• Even when it is allowed to see secret keys skid = KD(msk, id) for identities id ∉ {id0, id1}
• And the decryptions m' = D(skid, C') for ciphertexts C' and identities id (with C' ≠ C* when id ∈ {id0, id1})

Michel Abdalla 15

WROB-CCA: Weak robustness against chosen-ciphertext attack (game)

(Reconstructed from the slide diagram) The adversary receives the master public key pk.
• Key-derivation queries id1, …, idq are answered with ski ← KD(msk, idi)
• Decryption queries (C1, id1), …, (Cq', idq') are answered with mi ← D(KD(msk, idi), Ci)
• The adversary outputs (id0, id1, m*) and wins if D(skid1, E(pk, id0, m*)) ≠ ⊥, otherwise loses

Michel Abdalla 16

SROB-CCA: Strong robustness against chosen-ciphertext attack

A scheme is SROB-CCA secure when, given a master public key pk:
• An adversary cannot generate a ciphertext C* and two identities id0 and id1 such that D(skid0, C*) ≠ ⊥ and D(skid1, C*) ≠ ⊥ simultaneously
• Even when it is allowed to see secret keys skid = KD(msk, id) for identities id ∉ {id0, id1}
• And the decryptions m' = D(skid, C') for ciphertexts C' and identities id (with C' ≠ C* when id ∈ {id0, id1})

Michel Abdalla 17

SROB-CCA: Strong robustness against chosen-ciphertext attack (game)

(Reconstructed from the slide diagram) The adversary receives the master public key pk.
• Key-derivation queries id1, …, idq are answered with ski ← KD(msk, idi)
• Decryption queries (C1, id1), …, (Cq', idq') are answered with mi ← D(KD(msk, idi), Ci)
• The adversary outputs (id0, id1, C*) and wins if D(skid0, C*) ≠ ⊥ and D(skid1, C*) ≠ ⊥, otherwise loses

Michel Abdalla 18

Relation with existing notions

Theorem: There are IBE schemes which are IND-CCA and ANO-CCA, but not WROB-CCA.

Proof: Given IBE = (S, KD, E, D), build IBE' = (S, KD, E, D') where
• D'(skid, C): x ← D(skid, C); if x ≠ ⊥ return x, else return 0^l

Michel Abdalla 19


Redundancy-based transforms

Idea: Add redundancy to the plaintext and check upon decryption whether the redundancy is present.

Intuition: Decryption under the wrong key should look random, hence the redundancy would rarely be present.

Examples of redundancy
• Fixed string: Epk(id, m || 0^l)
• Public key and identity: Epk(id, m || pk || id)
• Hash of message and identity: Epk(id, m || H(m || id))

Michel Abdalla 21

Redundancy codes

A redundancy code R = (RK, RC, RV) is a triple of algorithms where
• RK generates a redundancy key k
• RC(k, x) computes a redundancy r for input x and key k
• RV(k, x, r) checks the validity of r for input x and key k
• For all x and k, RV(k, x, RC(k, x)) = 1

Examples
• RC(k, (pk, id, m)) = 0^l
• RC(k, (pk, id, m)) = pk || id
• RC(k, (pk, id, m)) = H(k, pk || id || m)

R is said to be unkeyed when k = ε

Michel Abdalla 22

Redundancy-based transform

Let R = (RK, RC, RV) be a redundancy code and IBE = (S, KD, E, D) an IBE scheme.

The transform outputs IBE' = (S', KD, E', D') where:
• S': (msk, pk) ← S; k ← RK; return (msk, (pk, k))
• E'((pk || k), id, m) = E(pk, id, m || RC(k, pk || id || m))
• D'(skid, C'): m || r ← D(skid, C'); if RV(k, pk || id || m, r) = 1 then return m, else return ⊥

Michel Abdalla 23

Redundancy codes and weak robustness

Theorem 1: There exist IBE schemes IBE such that, for any non-keyed redundancy code R (i.e., k = ε), the resulting IBE scheme IBE' is not WROB-CCA.

Theorem 2: Let R = (RK, RC, RV) where RK returns k ∈ {0,1}^κ and RC(k, (pk, id, m)) = k. If the underlying IBE scheme IBE is IND-CCA, then the resulting IBE scheme IBE' is WROB-CCA.

Michel Abdalla 24

WROB counterexample for unkeyed redundancy codes

Let IBE* = (S*, KD*, E*, D*) be an IND-CCA and ANO-CCA IBE scheme.

Build IBE = (S*, KD*, E*, D) where
• D(skid, C): m ← D*(skid, C); if m ≠ ⊥, return m; else return m* || RC(ε, pk || id || m*; 0^l)

Michel Abdalla 25

Redundancy codes and strong robustness

Theorem: There exist IBE schemes IBE such that, for any redundancy code R (even keyed ones), the resulting IBE scheme IBE' is not SROB-CCA.

Michel Abdalla 26

SROB counterexample

Let IBE* = (S*, KD*, E*, D*) be an IND-CCA and ANO-CCA IBE scheme.

Build IBE = (S*, KD*, E, D) where
• E(pk, id, m) = 1 || E*(pk, id, m)
• D(skid, b || C): if b = 1, then return D*(skid, C); else return m* || RC(C, pk || id || m*; 0^l)

Ciphertext C' = 0 || k is valid for any identity.

Michel Abdalla 27


Commitment schemes

A commitment scheme CMT = (PG, Com, Open) is a triple of algorithms where
• PG returns common parameters pars
• Com(pars, x) computes a commitment com for x and the decommitment key dec
• Open(pars, com, dec) returns either x or ⊥

Correctness
• ∀x, ∀pars ∈ PG, ∀(com, dec) ∈ Com(pars, x): Open(pars, com, dec) = x

Michel Abdalla 29

Commitment security properties

Hiding
• cpars ← PG; b ← {0,1}
• (x0, x1) ← Adversary(cpars)
• (com, dec) ← Com(cpars, xb)
• b' ← Adversary(com)
• If (b = b') then return 1 else return 0

Binding
• cpars ← PG
• (com, dec0, dec1) ← Adversary(cpars)
• x0 ← Open(cpars, com, dec0)
• x1 ← Open(cpars, com, dec1)
• If (x0 ≠ x1 and x0 ≠ ⊥ and x1 ≠ ⊥) then return 1 else return 0

Michel Abdalla 30

A commitment-based transform

Idea: Add a commitment of the identity to the ciphertext and encrypt the decommitment key together with the message.

Intuition: When decrypting with the wrong key, the probability that the decommitment key will open the commitment correctly is negligible.

Michel Abdalla 31

The commit-identity transform

Given CMT = (CPG, Com, Open) and IBE = (S, KD, E, D), we can construct a strongly robust IBE scheme IBE' = (S', KD', E', D') as follows:

S'(1^k):
  (pk, msk) ← S(1^k)
  cpars ← CPG(1^k)
  pk' ← (pk, cpars)
  return (pk', msk)

KD'((pk, cpars), msk, id):
  sk ← KD(pk, msk, id)
  return sk

E'((pk, cpars), id, m):
  (com, dec) ← Com(cpars, id)
  C ← E(pk, id, m || dec)
  return (com, C)

D'((pk, cpars), id, sk, (com, C)):
  m || dec ← D(pk, id, sk, C)
  if Open(cpars, com, dec) = id then return m, else return ⊥

Michel Abdalla 32


Robustness of the resulting IBE

Theorem: If the commitment scheme CMT is binding, then IBE' is SROB-CCA.

Proof:
• BindingAdversary(cpars):
  - (msk, pk) ← S(1^k)
  - (id0, id1, (com, C)) ← RobustAdversary^{KD,D}(cpars, pk), answering its KD and D queries using msk
  - skb ← KD(msk, idb) for b = 0, 1
  - (mb, decb) ← D(cpars, pk, skb, C) for b = 0, 1
  - Return (com, dec0, dec1)

Michel Abdalla 33
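The transform and the theorem above are concrete enough to run. What follows is an added example, not code from the slides or from the authors' paper, written for the public-key (rather than identity-based) case: the value committed to is the receiver's public key, which plays the role of the identity. The base scheme is a constructed hashed-ElGamal variant with no integrity check, chosen because it is anonymous yet "decrypts" under every key, so it is not robust at all; the commitment is a hash-based instance (com = H(cpars || x || dec) with dec fresh randomness) whose Open takes the claimed value as an extra argument, since a hash commitment cannot recover x from dec alone. The group (Z_p^* for p = 2^127 - 1, base 3), the SHAKE keystream and the 16-byte decommitment key are all my assumptions; pow(x, -1, p) needs Python 3.8 or later.

```python
import hashlib
import secrets

# Toy group, constructed for this example: Z_p^* for the Mersenne prime p = 2^127 - 1,
# base 3. Not a prime-order DDH group; demo parameters only.
P = (1 << 127) - 1
ORDER = P - 1
G = 3
DEC_LEN = 16            # bytes of decommitment key (assumed size for this example)


def keygen():
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)                                   # (sk, pk)


def _stream(shared, n):
    """Keystream derived from the Diffie-Hellman value; SHAKE gives any length."""
    return hashlib.shake_256(b"toy-hashed-elgamal|" + shared.to_bytes(16, "big")).digest(n)


def enc(pk, m):
    """Hashed ElGamal with no integrity check: anonymous, but any secret key 'decrypts' it."""
    r = secrets.randbelow(ORDER - 1) + 1
    c1 = pow(G, r, P)
    pad = _stream(pow(pk, r, P), len(m))
    return c1, bytes(a ^ b for a, b in zip(m, pad))


def dec(sk, c):
    c1, c2 = c
    pad = _stream(pow(c1, sk, P), len(c2))
    return bytes(a ^ b for a, b in zip(c2, pad))             # never ⊥: wrong key gives random bytes


# Hash-based commitment (assumed CMT instance): com = H(cpars || x || dec), dec random.
def commit(cpars, x):
    d = secrets.token_bytes(DEC_LEN)
    return hashlib.sha256(cpars + x + d).digest(), d


def open_commit(cpars, com, d, x):
    """Returns x when (com, dec) opens to x, else None (⊥); x is supplied by the caller."""
    return x if hashlib.sha256(cpars + x + d).digest() == com else None


def _id_bytes(pk):
    return pk.to_bytes(16, "big")    # PKE analogue of the identity: the receiver's public key


def keygen_robust():
    """S': base key pair plus public commitment parameters cpars bundled into pk'."""
    sk, pk = keygen()
    return sk, (pk, secrets.token_bytes(16))


def enc_robust(pk2, m):
    """E': commit to the receiver's key, encrypt the decommitment key together with m."""
    pk, cpars = pk2
    com, d = commit(cpars, _id_bytes(pk))
    return com, enc(pk, m + d)


def dec_robust(sk, pk2, ct):
    """D': decrypt, split off dec, and reject unless it opens com to this receiver's key."""
    pk, cpars = pk2
    com, inner = ct
    plain = dec(sk, inner)
    m, d = plain[:-DEC_LEN], plain[-DEC_LEN:]
    return m if open_commit(cpars, com, d, _id_bytes(pk)) == _id_bytes(pk) else None


def demo(m=b"attack at dawn"):
    """Base scheme vs. transformed scheme, each under the right key and an independent wrong key."""
    sk0, pk0 = keygen()
    sk1, pk1 = keygen()
    while sk1 == sk0:                                          # force two distinct receivers
        sk1, pk1 = keygen()
    base = enc(pk0, m)
    (rsk0, rpk0), (rsk1, rpk1) = keygen_robust(), keygen_robust()
    while rsk1 == rsk0:
        rsk1, rpk1 = keygen_robust()
    robust = enc_robust(rpk0, m)
    wrong = dec(sk1, base)
    return {"base_right_ok": dec(sk0, base) == m,
            "base_wrong_is_garbage": wrong is not None and wrong != m,
            "robust_right_ok": dec_robust(rsk0, rpk0, robust) == m,
            "robust_wrong_key": dec_robust(rsk1, rpk1, robust)}


if __name__ == "__main__":
    print(demo())
```

The base scheme shows why WROB is not implied by privacy or anonymity: decryption under the wrong key returns a well-formed but meaningless string rather than ⊥. After the transform the wrong receiver obtains garbage in place of dec, the hash check fails, and D' returns ⊥; binding of the commitment is what prevents a malicious ciphertext from opening com to two different receivers' keys, which is the SROB argument on the proof slide.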

Transform is CPA-preserving

Theorem
• If the IBE scheme IBE is IND-CPA, then IBE' is IND-CPA.
• If IBE is ANO-CPA and IND-CPA and the commitment scheme CMT is hiding, then IBE' is ANO-CPA.

Michel Abdalla 34

Transform is CCA-preserving

Theorem
• If IBE is IND-CCA and the commitment scheme CMT has the uniqueness property, then IBE' is IND-CCA.
• If IBE is ANO-CCA, IND-CCA, and WROB-CCA and CMT is hiding and has the uniqueness property, then IBE' is ANO-CCA.

Michel Abdalla 35

An additional security property

Uniqueness
• ∀ cpars ∈ PG, ∀ x ∈ {0,1}*, ∀ (com, dec) ∈ Com(cpars, x), ∀ com' ≠ com: Open(cpars, com', dec) = ⊥

This is true when dec is the randomness used by the committing algorithm Com.

Michel Abdalla 36


ElGamal encryption scheme

Secret key: v. Public key: g, g^v.

(Diagram) The sender picks an ephemeral key u, computes g^u from the generator g and g^{uv} from the public key g^v (two exponentiations), and multiplies the message by g^{uv}. Ciphertext: (g^u, Message · g^{uv}).

Michel Abdalla 38


The DHIES scheme

Secret key: v. Public key: g, g^v.

(Diagram) The sender picks an ephemeral key u, computes g^u and g^{uv}, and hashes g^{uv} with H to derive a MacKey and an EncKey. The plaintext is symmetrically encrypted under EncKey to give EncM, which is MACed under MacKey to give Tag. Ciphertext: (g^u, EncM, Tag).

Michel Abdalla 39


Cramer-Shoup encryption

PG(1^k):
  K ← Keys(H); w ← Zp*
  g1 ← G*; g2 ← g1^w
  pars ← (g1, g2, K)

KG(pars):
  x1, x2, y1, y2, z1, z2 ← Zp
  e ← g1^x1 g2^x2; f ← g1^y1 g2^y2; h ← g1^z1 g2^z2
  Return (pk = (e, f, h), sk = (x1, x2, y1, y2, z1, z2))

Enc((g1, g2, K), (e, f, h), M):
  u ← Zp*
  a1 ← g1^u; a2 ← g2^u
  b ← h^u
  c ← b ∘ M
  v ← H(K, (a1, a2, c))
  d ← e^u f^{uv}
  C ← (a1, a2, c, d)

Dec((g1, g2, K), (e, f, h), (x1, x2, y1, y2, z1, z2), C):
  (a1, a2, c, d) ← C
  v ← H(K, (a1, a2, c))
  M ← c a1^{-z1} a2^{-z2}
  If d ≠ a1^{x1 + y1 v} a2^{x2 + y2 v} then M ← ⊥
  If a1 = 1 then M ← ⊥
  Return M

Robustness of Cramer-Shoup

Theorem: If the hash function family is pre-image resistant, then the Cramer-Shoup encryption scheme is SROB-CCA.

Proof idea:
• First show that it is safe to reject any ciphertext (a1, a2, c, d) such that a2 ≠ a1^w
• If the ciphertext is valid under pk0 and pk1, then v = H(K, (a1, a2, c)) must satisfy
  v (y01 + w y02 - y11 - w y12) + (x01 + w x02 - x11 - w x12) = 0

Michel Abdalla 41
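The Cramer-Shoup algorithms above, run as written, show the robustness the theorem claims in the honest case: the tag d binds the ciphertext to one key's (x1, x2, y1, y2), so a second, independently generated secret key fails the check d = a1^{x1 + y1 v} a2^{x2 + y2 v} and decryption returns ⊥, and so does any change to c (which changes v). This is an added example and not code from the slides or the Cramer-Shoup paper; it follows the slide's algorithms one line at a time but takes a constructed group (Z_p^* for p = 2^127 - 1, exponents mod p - 1, g1 = 3) and SHA-256 keyed by K as the hash family, and omits the unused pk argument of Dec. pow(x, -1, p) needs Python 3.8 or later.

```python
import hashlib
import secrets

# Toy group, constructed for this example: Z_p^* for the Mersenne prime p = 2^127 - 1,
# with exponents taken modulo the group order p - 1. A random wrong key is then rejected
# with overwhelming probability, but this is NOT a prime-order DDH group; demo use only.
P = (1 << 127) - 1
ORDER = P - 1


def H(K, a1, a2, c):
    """Keyed hash onto the exponent space, standing in for the slide's H(K, (a1, a2, c))."""
    data = K + b"".join(x.to_bytes(16, "big") for x in (a1, a2, c))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def pg():
    """PG: public parameters (g1, g2 = g1^w, K)."""
    K = secrets.token_bytes(16)
    w = secrets.randbelow(ORDER - 1) + 1
    g1 = 3
    return g1, pow(g1, w, P), K


def kg(pars):
    """KG: sk = (x1, x2, y1, y2, z1, z2), pk = (e, f, h)."""
    g1, g2, _ = pars
    x1, x2, y1, y2, z1, z2 = (secrets.randbelow(ORDER) for _ in range(6))
    e = pow(g1, x1, P) * pow(g2, x2, P) % P
    f = pow(g1, y1, P) * pow(g2, y2, P) % P
    h = pow(g1, z1, P) * pow(g2, z2, P) % P
    return (e, f, h), (x1, x2, y1, y2, z1, z2)


def enc(pars, pk, M):
    """Enc: (a1, a2, c, d) with d = e^u f^{uv} tying the ciphertext to this pk."""
    g1, g2, K = pars
    e, f, h = pk
    u = secrets.randbelow(ORDER - 1) + 1
    a1, a2 = pow(g1, u, P), pow(g2, u, P)
    c = pow(h, u, P) * M % P
    v = H(K, a1, a2, c)
    d = pow(e, u, P) * pow(f, u * v % ORDER, P) % P
    return a1, a2, c, d


def dec(pars, sk, C):
    """Dec: returns M, or None (⊥) when a1 = 1 or the tag d does not match this key."""
    _, _, K = pars
    x1, x2, y1, y2, z1, z2 = sk
    a1, a2, c, d = C
    if a1 == 1:
        return None
    v = H(K, a1, a2, c)
    expected = pow(a1, (x1 + y1 * v) % ORDER, P) * pow(a2, (x2 + y2 * v) % ORDER, P) % P
    if d != expected:
        return None
    return c * pow(pow(a1, z1, P) * pow(a2, z2, P) % P, -1, P) % P


def robustness_demo():
    """Encrypt under pk0; decrypt under sk0, under an independent sk1, and after tampering with c."""
    pars = pg()
    pk0, sk0 = kg(pars)
    _, sk1 = kg(pars)
    M = pow(3, 2024, P)                         # constructed sample message (a group element)
    C = enc(pars, pk0, M)
    a1, a2, c, d = C
    tampered = (a1, a2, c * 3 % P, d)           # any change to c changes v and breaks the tag
    return {"right_key_ok": dec(pars, sk0, C) == M,
            "wrong_key": dec(pars, sk1, C),
            "tampered": dec(pars, sk0, tampered)}


if __name__ == "__main__":
    print(robustness_demo())
```

The proof idea on the slide goes further than this demo: it must also handle ciphertexts an adversary builds on purpose to pass the check under two keys, which is where a2 = a1^w and the linear condition on v enter.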

Boneh-Franklin IBE scheme

S(1^k):
  pk ← (1^k, P, sP, G1, G2, p, e)
  msk ← (s, pk)

KD(msk, ID):
  sk ← (pk, sH1(ID))

E(pk, id, m):
  x ← {0,1}^k
  r ← H3(x, m)
  T ← e(sP, H1(id))^r
  K ← H2(T)
  c1 ← rP
  c2 ← x ⊕ K
  c3 ← m ⊕ H4(x)
  C ← (c1, c2, c3)

Decryption(sk, C = (c1, c2, c3)):
  T ← e(c1, sH1(ID))
  K ← H2(T)
  x ← K ⊕ c2
  m ← c3 ⊕ H4(x)
  r ← H3(x, m)
  If c1 ≠ rP, then return ⊥
  Else return m

Michel Abdalla 42


Robustness of Boneh-Franklin

Theorem: If the hash functions H1, H2, H3, and H4 are random oracles, then the Boneh-Franklin IBE scheme is SROB-CCA.

Michel Abdalla 43


Searchable encryption [BDOP04]

Suppose Bob sends an encrypted email to Alice.

Alice's email gateway may want to test whether the email contains the word "urgent", so that it could route the email accordingly.

Still, Alice does not want the gateway to be able to decrypt her messages.

Public-key encryption with keyword search (PEKS): enable the gateway to test whether a given keyword is present in the email without learning anything else about the email.

Michel Abdalla 45

Searchable encryption: usage

Bob encrypts his email using a standard public-key encryption scheme PKE. He then appends the public-key encryption with keyword search (PEKS) of each keyword:

Enc(PKAlice, Email) || PEKS(PKAlice, W1) || … || PEKS(PKAlice, Wm)

Main property: Alice can give the gateway a trapdoor tW that allows it to test whether Wi = W for i = 1, …, m.

Michel Abdalla 46

PEKS: Public-key encryption with keyword search [BDOP04]

Goal: Allow the gateway to test for the presence of keywords in ciphertexts.

(Diagram) KeyGeneration gives the receiver (pk, sk). The sender computes C ← PEKS(pk, w). The receiver derives Tw' ← Trapdoor(sk, w') and hands it to the gateway, which computes Test(C, Tw') and outputs YES (1) / NO (0).

Michel Abdalla 47


An IBE-based scheme [BDOP04]

Correspondence between PEKS = (KeyGen, PEKS, Trapdoor, Test) and IBE = (Setup, KeyDer, Enc, Dec):
• PEKS public key pk ↔ IBE public key pk
• PEKS secret key sk ↔ IBE master key msk
• Keyword w ↔ Identity w
• Trapdoor tw ↔ User secret key skw
• PEKS(pk, w) ↔ C ← Enc(pk, w, 0^k)
• Test(tw, C) ↔ Dec(tw, C) = 0^k ?

Michel Abdalla 48


Security and consistency of the IBE-2-PEKS transformation

Theorem 1: If IBE is ANO-ATK-secure, then PEKS = IBE-2-PEKS[IBE] is IND-ATK-secure for ATK ∈ {CPA, CCA}.

Theorem 2: If IBE is WROB-CPA-secure, then PEKS = IBE-2-PEKS[IBE] is computationally consistent.

Michel Abdalla 49

Concluding remarks

Robustness is extremely important for the correctness of several applications
• E.g., anonymous broadcast, auctions, PEKS

Robustness has been considered informally in the cryptographic community for a while
• This work makes it explicit and provides formal definitions for it

Contrary to what seems intuitive, natural ways to confer robustness (e.g., adding redundancy) fail

See Cryptology ePrint Archive, Report 2008/440

Michel Abdalla 50
