Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary


Public Key Encryption (PKE)

pk(pk, sk) KG

C = Enc(pk,m)

m = Dec(sk,C)

PKE = (KG, Enc, Dec)

Traditional Security Notions (Data Secrecy)

• Semantic security
– No function of the message is leaked
– Equivalent to indistinguishability

• Non-malleability
– Hard to create ciphertext for related messages

• Chosen plaintext attacks (CPA)
• Chosen ciphertext attacks (CCA)

Mobile Communication

Mobile User

Base Station

key exchange

eavesdropper wants to learn identity of mobile user

Enc(pk, message) pk

Secure Auction [Sako’00]

• First practical auction to hide bid values

• Keys correspond to bid values
• A known message is encrypted using the key
• Hiding a bid value requires hiding the key

(pk, sk)

c = Enc(pk, m)

Dec(sk’, c) =

Other Guarantees

• Does the ciphertext hide the key?
– Anonymity

• What happens when decrypting using a different key?
– Robustness

ANON-CCA

Challenger

(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}

pk0, pk1

c1 , b1

Dec(skb1, c1)

. . . .

ci , bi

Dec(skbi, ci)

m

C=Enc(pkb ,m)

b’

$\mathrm{Adv}^{\text{anon-cca}}_{\text{PKE}}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible

ci+1 , bi+1

Dec(skbi+1, ci+1)

. . . .

cq, bq

Dec(skbq, cq)

Weak Robustness (WROB-CCA)

M

(pk0, sk0) KG(1n) (pk1, sk1) KG(1n)

pk0, pk1

ci , bi

Dec(skbi, ci)

. . . .

Challenger

Adv wins if Dec(sk1, C) ≠ , where C = Enc(pk0,M)

Strong Robustness (SROB-CCA)

C

(pk0, sk0) KG(1n) (pk1, sk1) KG(1n)

pk0, pk1

ci , bi

Dec(skbi, ci)

. . . .

Challenger

Adv wins if Dec(sk0,C) ≠ and Dec(sk1,C) ≠

What is Known?

• Anonymity
– Not always satisfied
– $y = x^e \bmod N$ for random $x$
– $pk_0 = (N_0, e_0)$, $pk_1 = (N_1, e_1)$, $N_1 > N_0$
– If $y > N_0$ return $pk_1$ else return $pk_0$

• Robustness
– ElGamal is not robust
– $[pk_0 = (G, p, g, g^x),\ sk_0 = x]$, $[pk_1 = (G, p, g, g^y),\ sk_1 = y]$
– $Enc(pk_0, m) = (c_1, c_2) = (g^r, m g^{xr})$
– $m' = Dec(sk_1, (c_1, c_2)) = c_2 / c_1^y = m g^{(x-y)r}$
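The two observations on this slide, run on toy numbers (an added example, not part of the talk): the ciphertext-size test that tells two textbook-RSA keys apart, and ElGamal decryption under the wrong key returning m·g^((x-y)r) rather than an error. The moduli, the shared exponent e, the group (p = 2^127 - 1, g = 3) and all function names are constructed for the illustration.

```python
import random

# Constructed toy parameters, far too small for real use.
N0, N1, E = 3233, 62615533, 17      # RSA moduli 61*53 and 7907*7919, so N1 > N0
P, G = 2**127 - 1, 3                # ElGamal in Z_p^* for a Mersenne prime p

def guess_rsa_key(y):
    """The slide's test: a value above N0 cannot be a ciphertext under pk0."""
    return 1 if y > N0 else 0

def rsa_anonymity_advantage(trials=2000, seed=1):
    """Play the key-guessing game and return Pr[b' = b] - 1/2."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        b = rng.randrange(2)
        n = (N0, N1)[b]
        y = pow(rng.randrange(2, n), E, n)       # y = x^e mod N for random x
        hits += guess_rsa_key(y) == b
    return hits / trials - 0.5

def eg_enc(pk, m, r):
    return pow(G, r, P), m * pow(pk, r, P) % P   # (c1, c2) = (g^r, m * g^(xr))

def eg_dec(sk, c):
    c1, c2 = c
    return c2 * pow(c1, -sk, P) % P              # c2 / c1^sk (Python 3.8+)

def elgamal_wrong_key(seed=2):
    """Encrypt under g^x, then decrypt with both x and an unrelated y."""
    rng = random.Random(seed)
    x, y, r = (rng.randrange(2, P - 1) for _ in range(3))
    m = rng.randrange(2, P)
    c = eg_enc(pow(G, x, P), m, r)
    right = eg_dec(x, c)
    wrong = eg_dec(y, c)                         # no rejection, just another element
    predicted = m * pow(G, (x - y) * r % (P - 1), P) % P
    return m, right, wrong, predicted
```

The RSA guess is right almost every time because a ciphertext under the larger modulus lands above N0 with probability close to 1 - N0/N1.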

What is Known?

• Anonymous PKE and IBE
– [Bellare et al. 2001], [Abdalla et al. 2008]
– PKE: DHIES, [Cramer-Shoup’01]
– IBE: [Boneh-Franklin’01], [Boyen-Waters’06]

• Robust PKE and IBE
– [Abdalla et al. 2010]
  • Strongly robust IBE: [Boneh-Franklin’01]
  • Weakly robust PKE: DHIES, [Cramer-Shoup’01]
  • Not robust: [Boyen-Waters’06]

Our Contribution

• Studying anonymity of hybrid encryption
– Positive and negative results

• More efficient transformations for robust encryption schemes
– Please see the paper

Question: Given an “anonymous PKE/IBE” and an “anonymous SKE”, is the hybrid encryption scheme also anonymous?

Anonymity of Hybrid Encryption

• ANON-CPA PKE/IBE + IND-CPA SKE
– The hybrid encryption is ANON-CPA

• [negative] ANON-CCA PKE/IBE + IND-CCA SKE
– The hybrid encryption is NOT always ANON-CCA
– True if SKE is ANON-CCA or more

• [positive] (WROB + ANON)-CCA PKE/IBE + AE SKE
– The hybrid encryption is ANON-CCA
– More evidence that “anonymity” and “robustness” are needed simultaneously

Counter Example (PKE)

• Start with (WROB + ANON)-CCA PKE1
– PKE1 = (KG1, Enc1, Dec1)

• Build PKE2 = (KG2, Enc2, Dec2)
– Dec2
  • Run Dec1, if it returns return $0^n$
  • Else return what Dec1 outputs

• PKE2 is still ANON-CCA

Counter Example (SKE)

• We use a key-binding IND-CCA SKE
• Key-binding SKE = (K, SE, SD)
– For any k K, randomness r, and message m
– There is no k’ ≠ k where $SD_{k'}(SE_k(m, r))$ ≠

• PKE2 + key-binding SKE
– Not ANON-CCA

Counter Example

m

(c1, c2) = (Enc2(pkb,k), SE(k,m))

Challenger

(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}

Decryption query under pk0 for (c1, SE($0^n$, m’))

pk0, pk1

If the answer is let b’ = 0, else b’ = 1

b’
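The distinguisher from this slide as runnable Python (an added example, not from the talk). Here enc1/dec1 is a toy stand-in for PKE1 that only models weak robustness (an honest ciphertext is rejected under the other key), the one-time encrypt-then-MAC se/sd is assumed to be key-binding, and the group, hash labels and every function name are constructed for the illustration.

```python
import hashlib, hmac, secrets

P, G, N = 2**127 - 1, 3, 16     # constructed toy group and key length in bytes
ZERO = bytes(N)                  # the default key 0^n

def H(label, *parts): return hashlib.sha256(label + b"|".join(parts)).digest()
def i2b(x): return x.to_bytes(16, "big")
def xor(a, pad): return bytes(x ^ y for x, y in zip(a, pad))
def mac(k, ct): return hmac.new(k, ct, hashlib.sha256).digest()

def kg():
    sk = secrets.randbelow(P - 3) + 2
    return pow(G, sk, P), sk

def enc1(pk, k):                 # stand-in PKE1: hashed ElGamal plus a check value
    r = secrets.randbelow(P - 3) + 2
    s = i2b(pow(pk, r, P))
    return pow(G, r, P), xor(k, H(b"pad", s)), H(b"chk", s, i2b(pk))

def dec1(sk, c):
    u, v, chk = c
    s = i2b(pow(u, sk, P))
    if not hmac.compare_digest(chk, H(b"chk", s, i2b(pow(G, sk, P)))):
        return None              # rejection, e.g. an honest ciphertext for another key
    return xor(v, H(b"pad", s))

def dec2(sk, c):                 # the slide's PKE2: a rejection becomes 0^n
    k = dec1(sk, c)
    return ZERO if k is None else k

def se(k, m):                    # one-time encrypt-then-MAC, assumed key-binding
    ct = xor(m, H(b"se", k))
    return ct, mac(k, ct)

def sd(k, c):
    ct, tag = c
    return xor(ct, H(b"se", k)) if hmac.compare_digest(tag, mac(k, ct)) else None
def hybrid_dec(sk, c):
    return sd(dec2(sk, c[0]), c[1])

def distinguish(dec_under_sk0, challenge):
    probe = (challenge[0], se(ZERO, b"probe"))   # (c1*, SE(0^n, m')), not the challenge
    return 0 if dec_under_sk0(probe) is None else 1

def run_game(b):
    keys = [kg(), kg()]
    k = secrets.token_bytes(N)
    challenge = (enc1(keys[b][0], k), se(k, b"hello"))
    return distinguish(lambda c: hybrid_dec(keys[0][1], c), challenge)
```

run_game(b) returns b on every run: under pk0 the probe is opened with the real session key and the SKE rejects it, while under pk1 the fallback key 0^n opens it.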

Counter Example

• Requiring stronger security notions for SKE does NOT help
– If it can be combined with key-binding

• What about stronger notions for the PKE?

Positive Result

Claim: If PKE is (ANON + WROB + IND)-CCA and SKE is a (one-time) authenticated encryption, the hybrid construction is (ANON + IND)-CCA

Game 0

Challenger

(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}

pk0, pk1

C1 , b1

Dec(skb1, C1)

. . . .

Ci , bi

Dec(skbi, Ci)

m

c*1 = Enc(pkb, k*)

c*2 = SE(k*, m)

b’

$\mathrm{Adv}^{\text{anon-cca}}_{\text{PKE}}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible

Ci+1 , bi+1

Dec(skbi+1, Ci+1)

. . . .

Cq, bq

Dec(skbq, Cq)

Game 1

Challenger

(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}

pk0, pk1

m

c*1 = Enc(pkb, k*)

c*2 = SE(k*, m)

b’

(c*1, c2 ≠ c*2), b

SD(k*, c2)

Difference in games: decryption error

Game 2

Challenger

(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}

pk0, pk1

m

c*1 = Enc(pkb, k*)

c*2 = SE(k*, m)

b’

(c*1, c2 ≠ c*2), 1-b

Difference in games: weak robustness of the PKE only if c*1 decrypts under pkb and pk1-b

Game 3

Challenger

(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}

pk0, pk1

m

c*1 = Enc(pkb, k*)

c*2 = SE(k’, m)

b’

Difference in games: IND-CCA security of the PKE

Game 4

Challenger

(pk0, sk0) KG(1n) (pk1, sk1) KG(1n) b {0,1}

pk0, pk1

m

c*1 = Enc(pkb, k*)

c*2 = SE(k’, m)

b’

Difference in games: CTXT integrity of the SKE only if a valid ciphertext under k’ is generated

(c*1, c2 ≠ c*2), {b or 1-b}

Putting Things Together

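• $\mathrm{Adv}^{\text{anon-cca}}(\text{hybrid}) < \mathrm{Adv}^{\text{wrob-cca}}(\text{PKE}) + \mathrm{Adv}^{\text{ind-cca}}(\text{PKE}) + \mathrm{Adv}^{\text{ctxt-int}}(\text{SKE}) + \mathrm{Adv}^{\text{anon-cca}}(\text{PKE})$

• Boneh-Franklin, Cramer-Shoup, DHIES are WROB-CCA
• Boyen-Waters IBE is not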

Summary

• ANON-CCA PKE + (…) SKE ANON-CCA hybrid

• (WROB + ANON)-CCA PKE + AE SKE ANON-CCA hybrid

• Is weak-robustness a necessary condition?
• Is Boyen-Waters (in)secure when used in a hybrid construction?

Thank you

Results on Robustness

• [Abdalla et al.’10]
– Transforming ANON-CCA schemes to robust ones

• We design more efficient transformations
– Refer to the paper


Identity-based encryption (IBE)

id

(sk,pk)PKG

C = Encpk(m)

m = Decsk(C)

IBE = (MKG, Enc, Dec)

(par, msk) MKG


IND-CCA

Challenger

c1

(pk, sk) KG(1n) ; b {0,1}

Decsk(c1)

. . . .

ci

Decsk(ci)

m0 , m1

C=Encpk(mb)

ci+1

Decsk(ci+1)

. . . .

cq

Decsk(cq)

b’

$\mathrm{Adv}^{\text{ind-cca}}_{\text{PKE}}(A) = |\Pr[b' = b] - \tfrac{1}{2}|$ is negligible
