Circular-Secure Encryption from Decision Diffie-Hellman

Dan Boneh, Shai Halevi, Mike Hamburg, Rafail Ostrovsky

Key Dependent Messages

• Message may depend on key
  – Encrypted swap
  – Encrypted backups

• Security in this setting does not follow from semantic security
  – Trivial, pathological counterexamples
  – Or…

Secure Self-Encryption [BRS’02]

$E_k(m) = (r,\ H(r \| k) \oplus m)$, with r←R

[Figure: block diagram with labels H, k, m, r←R and H(n||k)]

Insecure Self-Encryption [HK’07]

$E'_k(k) = (r,\ E_r(k))$

[Figure: block diagram with labels Encrypt, r←R, H(r||k), H, k and $E_r(k)$]

KDM in practice

• Collaboration:

$PK_A / SK_A$ and $PK_B / SK_B$

$E_{PK_B}(SK_A)$

$E_{PK_A}(SK_B)$

Circular Encryption [CL’01]

• A user has n credentials signed by CA:

$SK_1, SK_2, \dots, SK_n$ (secret)

$PK_1, PK_2, \dots, PK_n$ (public and signed by CA)

[Figure: example credentials labelled “NY driver license” and “I am Shai”]

• User should not “lend” any of his credentials to a friend

• Solution [CL’01]:

$E_{PK_1}[SK_2],\ E_{PK_2}[SK_3],\ \dots,\ E_{PK_n}[SK_1]$

Clique Security

$E_{k_i}(k_j)$ for all $i, j$

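(C,n)-KDM security [BRS’02]

Challenger → Adversary: $(PK_1, \dots, PK_n)$

Adversary → Challenger: $(F \in C,\ i \in \{1, \dots, n\})$

Challenger → Adversary: $E_{PK_i}[F(SK_1, \dots, SK_n)]$ or random

Adversary outputs: $b^*$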

Is ElGamal self-referential secure?

• Maybe, maybe not

• Need $(g,\ g^x,\ g^r,\ g^{rx} \cdot x)$ indistinguishable from random

Requires a funny assumption!

• Clique security? Need an even funnier assumption…

• Our goal: use a standard assumption ( DDH )

Notation

• Let G be a group of prime order p

• Using additive notation for G
  – 1-dim vector space over $Z_p$

• Perform dot products etc. normally

$(x_1, x_2, x_3) \cdot (g_1, g_2, g_3) = x_1 g_1 + x_2 g_2 + x_3 g_3$, with $g_i \in G$, $x_i \in Z_p$

aka $g_1^{x_1} g_2^{x_2} g_3^{x_3}$

The Result

• n-Clique Secure for any [poly] n
  – CPA only
  – Bounds independent of n
  – More generally, (Affine,n)-Clique Secure

• Security rests on DDH
  – Standard model
  – Weaker assumptions possible, e.g. D-linear

The System

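Secret Key: $s = (s_1, s_2, \dots, s_\ell) \in \{0,1\}^\ell$, used as the vector $(s, 1)$

Public Key: $v = (g_1, g_2, \dots, g_\ell) \in G^\ell$ together with $-v \cdot s$, i.e. $h = 1/(g_1^{s_1} \cdots g_\ell^{s_\ell})$

Encrypt: $r \times (v,\ -v \cdot s) + (0, 0, 0, 0, 0, m)$, i.e. $(g_1^r,\ g_2^r,\ \dots,\ g_\ell^r,\ h^r \cdot m)$

Decrypt: dot product with $(s, 1)$: $(s, 1) \cdot r\,(v,\ -v \cdot s) = 0$ and $(s, 1) \cdot (0, \dots, 0, m) = m$, i.e.

$m = (g_1^r)^{s_1} \cdots (g_\ell^r)^{s_\ell} \cdot (h^r \cdot m)$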

Theorem

Breaking (Affine,n)-Clique-Secure breaks DDH

Let’s prove self-referential

Intuition

“Ciphertext vectors”:

(g,1,1,…,1)

(1,g,1,…,1)

…

(1,1,1,…,g)

always decrypts to the secret key

Easy to generate “encryption of the secret key”
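
The scheme from the “The System” slide and the observation from the “Intuition” slide, as an added Python example (not code from the talk or the paper). The toy group parameters `P`, `Q`, `G`, the key length `ELL` and all function names are assumptions made here, and the rerandomisation of each unit “ciphertext vector” with a fresh encryption of the identity is a step added for illustration; each resulting ciphertext decrypts to $g^{s_i}$, the group encoding of bit i of the secret key.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# the squares modulo the safe prime P = 2Q + 1 form a group of prime order Q.
P, Q = 2039, 1019
G = 4        # 2^2, a non-identity square, so it generates the order-Q subgroup
ELL = 16     # secret-key length in bits (hypothetical toy value)

def rand_elem():
    """Random non-identity element of the order-Q subgroup."""
    return pow(G, secrets.randbelow(Q - 1) + 1, P)

def keygen():
    s = [secrets.randbelow(2) for _ in range(ELL)]   # s in {0,1}^ell
    gs = [rand_elem() for _ in range(ELL)]           # g_1, ..., g_ell
    prod = 1
    for g_i, s_i in zip(gs, s):
        prod = prod * pow(g_i, s_i, P) % P
    return s, (gs, pow(prod, -1, P))                 # h = 1/(g_1^s_1 ... g_ell^s_ell)

def encrypt(pk, m):
    gs, h = pk
    r = secrets.randbelow(Q - 1) + 1
    return [pow(g_i, r, P) for g_i in gs] + [pow(h, r, P) * m % P]

def decrypt(s, ct):
    out = ct[-1]                                     # h^r * m
    for c_i, s_i in zip(ct, s):                      # times (g_i^r)^{s_i}
        out = out * pow(c_i, s_i, P) % P
    return out

def encrypt_key_bit(pk, i):
    """Ciphertext of G^{s_i}, built from the public key only (s is never used)."""
    ct = encrypt(pk, 1)        # fresh encryption of the identity element
    ct[i] = ct[i] * G % P      # multiply in the unit vector (1,..,G,..,1, 1)
    return ct

def self_encrypt(pk):
    """One ciphertext per key bit: an 'encryption of the secret key'."""
    return [encrypt_key_bit(pk, i) for i in range(ELL)]

def read_key(s, cts):
    """Decrypt each ciphertext and map identity -> 0, G -> 1."""
    return [0 if decrypt(s, ct) == 1 else 1 for ct in cts]
```
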

The Proof

Game 0: CPA game

[Figure: r × (vector) + (0 0 0 0 0 m)]

The Proof

Game 1

[Figure: R × (Rank 1 matrix) + (0 0 0 0 0 m)]

Indistinguishable: identical ciphertext distribution

$r\,(g_1, \dots, g_\ell, h) \sim r_1 a_1 (g_1, \dots, g_\ell, h) + \dots + r_t a_t (g_1, \dots, g_\ell, h)$

The Proof

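Game 2

[Figure: R × (Rank ℓ-1 matrix) + (0 0 0 0 0 m)]

Indistinguishable by DDH

$\begin{pmatrix} 1 & a \\ b & ab \end{pmatrix}$ vs. $\begin{pmatrix} 1 & a \\ b & c \end{pmatrix}$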

The Proof

Game 3

[Figure: R × (Rank ℓ-1 matrix) + (0 0 0 1 0 0), where (0 0 0 1 0 0) is the i-th row of identity mat.]

Indistinguishable: identical ciphertext distribution

The Proof

Game 4

[Figure: R × (Rank 1 matrix) + (0 0 0 1 0 0)]

Random subset-sum of columns

Indistinguishable by DDH

The Proof

Game 5

[Figure: R × (Rank 1 matrix) + (0 0 0 1 0 0)]

Statistically indistinguishable (using LOHL)

The Proof

Game 6

[Figure: R × (Rank ℓ matrix) + (0 0 0 1 0 0)]

Indistinguishable by DDH

The Proof

Game 7

Indistinguishable: identical ciphertext distribution

Follow-up work

• Camenisch-Chandran-Shoup 2009: CCA security
  – Apply Naor-Yung/Sahai
  – For DDH-based scheme, can do it efficiently

• Applebaum, Cash, Peikert, Sahai 2009: Circular security from LPN/LWE

Questions?