Circular-Secure Encryption from Decision Diffie-Hellman
Dan Boneh, Shai Halevi, Mike Hamburg, Rafail Ostrovsky
Key Dependent Messages
• Message may depend on key
– Encrypted swap
– Encrypted backups
• Security in this setting does not follow from semantic security
– Trivial, pathological counterexamples
– Or…
Secure Self-Encryption [BRS’02]
• $E_k(m) = (r,\ H(r\|k) \oplus m)$ with a fresh $r \leftarrow R$ per encryption
• [Diagram: $r$ and $k$ go into the hash $H$; its output $H(r\|k)$ is XORed with $m$]
Insecure Self-Encryption [HK’07]
• $E'_k(k) = (r,\ E_r(k))$
• [Diagram: $r \leftarrow R$, the hash $H(r\|k)$, the encryption box, and the output $E_r(k)$]
KDM in practice
• Collaboration: $A$ holds $PK_A / SK_A$, $B$ holds $PK_B / SK_B$, and they exchange
$E_{PK_B}(SK_A)$ and $E_{PK_A}(SK_B)$
Circular Encryption [CL’01]
• A user has $n$ credentials signed by the CA: secret keys $SK_1, SK_2, \ldots, SK_n$ and public keys $PK_1, PK_2, \ldots, PK_n$ (the public keys are public and signed by the CA)
• User should not “lend” any of his credentials to a friend
• Solution [CL’01]: $E_{PK_1}[SK_2],\ E_{PK_2}[SK_3],\ \ldots,\ E_{PK_n}[SK_1]$, so that lending one secret key gives away all of them
• [Figure: example credentials such as a NY driver license and “I am Shai”]
Clique Security
• $E_{k_i}(k_j)$ for all $i, j$
(C,n)-KDM security [BRS’02]
• Challenger → Adversary: $(PK_1, \ldots, PK_n)$
• Adversary → Challenger: $(F \in C,\ i \in \{1,\ldots,n\})$
• Challenger → Adversary: $E_{PK_i}[F(SK_1,\ldots,SK_n)]$ or random, depending on the challenge bit $b$
• Adversary outputs a guess $b^*$
Is ElGamal self-referential secure?
• Maybe, maybe not
• Need $(g,\ g^x,\ g^r,\ g^{rx}\cdot x)$ indistinguishable from random: requires a funny assumption!
• Clique security? Need an even funnier assumption…
• Our goal: use a standard assumption (DDH)
Notation
• Let $G$ be a group of prime order $p$
• Using additive notation for $G$: a 1-dimensional vector space over $\mathbb{Z}_p$
• Perform dot products etc. normally:
$(x_1, x_2, x_3)\cdot(g_1, g_2, g_3) = x_1 g_1 + x_2 g_2 + x_3 g_3$, with $g_i \in G$, $x_i \in \mathbb{Z}_p$
(aka $g_1^{x_1} g_2^{x_2} g_3^{x_3}$ in multiplicative notation)
The Result
• $n$-Clique Secure for any [poly] $n$
– CPA only
– Bounds independent of $n$
– More generally, (Affine, $n$)-Clique Secure
• Security rests on DDH
– Standard model
– Weaker assumptions possible, e.g. D-linear
The System
• Secret key: $s \in \{0,1\}^{\ell}$ (bits $s_1, s_2, \ldots, s_\ell$)
• Public key: $v \in G^{\ell}$ together with $-v\cdot s$
(multiplicatively: $g_1, g_2, \ldots, g_\ell$ and $h = 1/(g_1^{s_1} \cdots g_\ell^{s_\ell})$)
• Encrypt: $r \times (v,\ -v\cdot s) + (0, 0, \ldots, 0, m)$
(multiplicatively: $(g_1^r, g_2^r, \ldots, g_\ell^r,\ h^r\cdot m)$)
• Decrypt: dot product with $(s, 1)$:
$(s,1)\cdot\big(r\,(v,\ -v\cdot s) + (0,\ldots,0,m)\big) = r\,(v\cdot s - v\cdot s) + m = 0 + m$
(multiplicatively: $m = (g_1^r)^{s_1} \cdots (g_\ell^r)^{s_\ell} \cdot (h^r\cdot m)$)
Theorem
• Breaking (Affine, $n$)-Clique security breaks DDH
• Let’s prove the self-referential case (an encryption of the scheme’s own secret key)
Intuition
• [Diagram: the secret key as a column of bits, e.g. 1, 1, 0, 1, 0, 1, 1]
• “Ciphertext vectors” $(g, 1, 1, \ldots, 1)$, $(1, g, 1, \ldots, 1)$, …, $(1, 1, \ldots, g, 1)$: the vector with $g$ in slot $i$ and $1$ everywhere else always decrypts to $g^{s_i}$, i.e. to bit $i$ of the secret key, whatever the key is
• Easy to generate an “encryption of the secret key” (without knowing it: add such a vector to a fresh encryption of 0)
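The scheme on the “The System” slide and the “ciphertext vector” trick from this slide, worked through as an added toy implementation (this is illustrative code written for this page, not the authors’ code). It instantiates $G$ as the order-$p$ subgroup of squares in $\mathbb{Z}_q^*$ for a constructed small safe prime $q = 2p+1$ (assumed parameters, far too small for real use) and uses multiplicative notation, so the dot product on the slides becomes a product of powers. `key_bit_ciphertext` and `affine_key_ciphertext` are names chosen here; they build, with only the public key, a ciphertext that decrypts to $g^{s_i}$, respectively to $g^{c + \sum_i a_i s_i}$, which is exactly the (Affine, $n$) message class for $n = 1$.

```python
"""Toy implementation of the vector encryption scheme on the slides (BHHO-style),
instantiated in a prime-order subgroup of Z_q^*, multiplicative notation."""
import secrets

# Constructed toy parameters (assumption, far too small for real use):
# q = 2p + 1 is a safe prime, so the squares in Z_q^* form a subgroup G of
# prime order p; g = 2^2 is a square different from 1, hence a generator of G.
Q = 2039
P = 1019
G = 4


def keygen(ell):
    """Secret key s in {0,1}^ell; public key (g_1..g_ell, h), h = 1/(g_1^s_1 ... g_ell^s_ell)."""
    s = [secrets.randbelow(2) for _ in range(ell)]
    gs = [pow(G, 1 + secrets.randbelow(P - 1), Q) for _ in range(ell)]
    prod = 1
    for gi, si in zip(gs, s):
        if si:
            prod = prod * gi % Q
    h = pow(prod, -1, Q)  # modular inverse (Python >= 3.8)
    return s, (gs, h)


def encrypt(pk, m):
    """(g_1^r, ..., g_ell^r, h^r * m) for a group element m and fresh r in Z_p.
    In the slides' additive notation: r * (v, -v.s) + (0, ..., 0, m)."""
    gs, h = pk
    r = secrets.randbelow(P)
    return [pow(gi, r, Q) for gi in gs] + [pow(h, r, Q) * m % Q]


def decrypt(s, ct):
    """'Dot product' of the ciphertext with (s, 1): prod_i ct_i^{s_i} * ct_{ell+1}."""
    acc = ct[-1]
    for ci, si in zip(ct[:-1], s):
        if si:
            acc = acc * ci % Q
    return acc


def mul_ciphertexts(c1, c2):
    """Slot-wise product; decrypt is multiplicative, so the result decrypts to the
    product of the two plaintexts (vector addition in additive notation)."""
    return [a * b % Q for a, b in zip(c1, c2)]


def key_bit_ciphertext(pk, i):
    """Encryption of g^{s_i} (bit i of the secret key) built WITHOUT the key: the
    vector (1, ..., g, ..., 1) with g in slot i decrypts to g^{s_i} for every s;
    multiplying in a fresh encryption of the identity element re-randomizes it."""
    ell = len(pk[0])
    unit = [1] * (ell + 1)
    unit[i] = G
    return mul_ciphertexts(unit, encrypt(pk, 1))


def affine_key_ciphertext(pk, coeffs, const):
    """Encryption of g^{const + sum_i coeffs[i] * s_i} built without the key:
    the (Affine, n) message class of the slides, here for n = 1."""
    ell = len(pk[0])
    if len(coeffs) != ell:
        raise ValueError("one coefficient per key bit")
    vec = [pow(G, a % P, Q) for a in coeffs] + [pow(G, const % P, Q)]
    return mul_ciphertexts(vec, encrypt(pk, 1))


def decode_bit(m):
    """Map the group element g^b back to the bit b (KeyError for anything else)."""
    return {1: 0, G: 1}[m]


if __name__ == "__main__":
    s, pk = keygen(8)
    recovered = [decode_bit(decrypt(s, key_bit_ciphertext(pk, i))) for i in range(8)]
    print("secret key:", s)
    print("decrypted :", recovered)
```

Running the script prints the same bit string twice: the key holder decrypts, from ciphertexts nobody with the secret key produced, each bit of its own key. That is why a simulator in the clique-security proof can hand out “encryptions of the secret key” while only knowing the public key.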
The Proof
• Game 0: the CPA game. Ciphertext $= r \times (v,\ -v\cdot s) + (0, 0, \ldots, 0, m)$
• Game 1: replace $r \times (v,\ -v\cdot s)$ by $R \times M$ with $M$ a rank-1 matrix. Indistinguishable: identical ciphertext distribution, since $r\,(g_1,\ldots,g_\ell,h) \sim r_1 a_1 (g_1,\ldots,g_\ell,h) + \cdots + r_t a_t (g_1,\ldots,g_\ell,h)$
• Game 2: $M$ of rank $\ell-1$. Indistinguishable by DDH ($(1, a, b, ab)$ vs. $(1, a, b, c)$, a DDH tuple written additively)
• Game 3: the message slot holds the $i$-th row of the identity matrix instead of $m$: $R \times M + (0, \ldots, 0, 1, 0, \ldots, 0)$, with $M$ of rank $\ell-1$. Indistinguishable: identical ciphertext distribution
• Game 4: $M$ of rank 1 again (a random subset-sum of its columns), still plus the unit vector. Indistinguishable by DDH
• Game 5: $R \times M$ with $M$ of rank 1, plus the unit vector. Statistically indistinguishable (using LOHL, the leftover hash lemma)
• Game 6: $M$ of rank $\ell$, plus the unit vector. Indistinguishable by DDH
• Game 7: Indistinguishable: identical ciphertext distribution
Follow-up work
• Camenisch-Chandran-Shoup 2009: CCA security
– Apply Naor-Yung / Sahai
– For the DDH-based scheme, can do it efficiently
• Applebaum, Cash, Peikert, Sahai 2009: Circular security from LPN/LWE
Questions?