On the Selective Opening Security of Practical Public-Key ... the Selective Ope… · sk Image source: xkcd.com SOSecurityofPKESchemes|HorstGörtzInstitute|PKC2015,NIST|Maryland:

On the Selective Opening Security ofPractical Public-Key Encryption SchemesPKC 2015, NIST, Maryland: March 30, 2015

Felix Heuer, Tibor Jager, Eike Kiltz, Sven SchägeHorst Görtz Institute for IT SecurityRuhr University Bochum

1 Selective-Opening Security

2 A Generic Transformation for SIM-SO-CCA Security

3 Proof Idea

4 Results

SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 2/15

Selective-Opening Attacks

c1 = Encpk(m1; r1)c1


...

...

cn = Encpk(mn; rn)

cn

sk

Image source: xkcd.com





...

...

cn = Encpk(mn; rn)

cn

sk






...

...

cn = Encpk(mn; rn)

cn

sk


Do the messages of uncorrupted parties remain confidential?


SIM-SO-CCA Security Definition [FHKW10]

real game A

(pk,sk) ← Gen(1κ)pk

D(m1,...,mn) ← D

(r1,...,rn) $← Coinsci :=Encpk(mi ;ri )

(c1,...,cn)

Open(i)I:=I∪{i}

(mi ,ri )

choose distribution D

compute output “outA”outAOutput:

(m1,...,mn,D,I,outA)

Dec oraclec /∈{c1,...,cn}

Decsk(c)



real game A


D(m1,...,mn) ← D


(c1,...,cn)

Open(i)I:=I∪{i}

(mi ,ri )


compute output “outA”outAOutput:

(m1,...,mn,D,I,outA)


Decsk(c)



ideal game S


D(m1,...,mn) ← D


(c1,...,cn)

Open(i)I:=I∪{i}

(mi ,ri )


compute output “outS”outSOutput:

(m1,...,mn,D,I,outS)


Decsk(c)



Definition 1 (SIM-SO-CCA security)A public key encryption scheme is SIM-SO-CCA secure if for every PPTadversary A there exists a PPT simulator S := S(A) such that thedistributions induced by

A run in the real game and S run in the ideal game

are computationally indistinguishable.


Selective Opening vs. Standard Security Notions

• two flavours: IND-based and SIM-based.SIM implies IND, not known to be equivalent.

• IND-SO-CCA stronger security notion than IND-CCA security.[HR14]

• Existing SIM-SO-CCA schemes are very inefficient. [FHKW10],[Hof12], [LP15]

• This work: Certain known constructions give SIM-SO-CCA secu-rity for free in the ROM.




















Our Work

SIM-SO-CCA security in the ROM for two well-known transformations:

Part I:

PKE from any one-way PCA secure KEM

Part II:

PKE from OAEP for any partial-domain TP


Our Work

SIM-SO-CCA security in the ROM for two well-known transformations:

Part I:

PKE from any one-way PCA secure KEM

Part II:

PKE from OAEP for any partial-domain TP


“Hashed KEM/DEM Approach”

Let KEM = (KGen,Encap,Decap) be a Key Encapsulation Mechanism,MAC = (Tag,Vrfy) a Message Authentication Code and H a hashfunction. Consider the following PKE:

Gen(1λ)(pk, sk)← KGen(1λ)Return pk

Encpk(m)r $← Coins(k, c (1))← Encappk(r)(ksym, kmac)← H(k)c (2) := m⊕ksym

c (3) := Tagkmac (c (2))Return (c (1), c (2), c (3))

Decsk(c (1), c (2), c (3))k ← Decapsk(c (1))(ksym, kmac)← H(k)if Vrfykmac (c (2), c (3)) = 1

Return c (2)⊕ksym

elseReturn ⊥

– Use RSA KEM under RSA assumption– Use DH KEM under strong DH assumption

Instantiationof DHIES








Return c (2)⊕ksym

elseReturn ⊥










Return c (2)⊕ksym

elseReturn ⊥










Return c (2)⊕ksym

elseReturn ⊥





Theorem 2 (SBZ02)The given transformation achieves IND-CCA security in the ROM ifKEM is OW-PCA secure and MAC is sUF-OT-CMA.





Return c (2)⊕ksym

elseReturn ⊥










Return c (2)⊕ksym

elseReturn ⊥

– Use RSA KEM under RSA assumption

– Use DH KEM under strong DH assumptionInstantiationof DHIES








Return c (2)⊕ksym

elseReturn ⊥





Theorem 3 (This work)The same transformation gives rise to a SIM-SO-CCA secure PKE inthe ROM without additional assumptions.





Return c (2)⊕ksym

elseReturn ⊥




How to Prove SIM-SO-CCA Security

real A ideal S A;


How to Construct a Simulator

ideal S A

pk

DD

(c1, . . . , cn)

Open(i)Open(i)

mi (mi , ri)

outAoutS

(m1, . . . , mn,D, I, outS)

A is allowed to make additional Hash or Dec queries at any time!


How to Construct a Simulator

ideal S A

pk

DD

(c1, . . . , cn)

Open(i)Open(i)

mi (mi , ri)

outAoutS

(m1, . . . , mn,D, I, outS)

A is allowed to make additional Hash or Dec queries at any time!SO Security of PKE Schemes|Horst Görtz Institute|PKC 2015, NIST|Maryland: March 30, 2015 12/15

Possible Tripping Hazards for a Simulator

• S must not make more opening queries than A to learn mi .

• S has to create non-committing “dummy”-encryptions that allowfor later opening to any message.

• Answering Hash or Decryption queries is easy if A called Open(i)earlier.

• However, S has to answer Hash and Decryption queries withoutcommitting to mi if A did not call Open(i) (yet).



• S must not make more opening queries than A to learn mi .• S has to create non-committing “dummy”-encryptions that allowfor later opening to any message.














Tweaking A in a Sequence of Games

G0: real SIM-SO-CCA game.

G1: Abort if A queries H(ki) or Dec(c (1)i , ·, ·)

before sending D.G2: Replace c (2)

i with uniform randomness.G3: Abort if A issues a valid decryption query

Dec(c (1)i , ·, ·) and H(ki) is not yet defined.

G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.

Encpk(mi)ri

$← Coins(ki , c (1)

i )← Encappk(ri)(ksym

i , kmaci )← H(ki)

c (2)i := mi⊕ksym

ic (3)

i := Tagkmaci

(c (2)i )

Return (c (1)i , c (2)

i , c (3)i )

G0

G1≈sstatisticalargument

G2= G3

MAC security

≈c G4

KEM security

≈cOracle patchingtechnique. [CS03](Needs PCA KEM)

G5=



G0: real SIM-SO-CCA game.G1: Abort if A queries H(ki) or Dec(c (1)

i , ·, ·)before sending D.

G2: Replace c (2)i with uniform randomness.

G3: Abort if A issues a valid decryption queryDec(c (1)

i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).G5: ideal SIM-SO-CCA game.

Encpk(mi)ri




c (2)i := mi⊕ksym

ic (3)

i := Tagkmaci

(c (2)i )


i , c (3)i )

G0 G1

≈sstatisticalargument

G2= G3

MAC security

≈c G4

KEM security


G5=








Encpk(mi)ri




c (2)i := mi⊕ksym

ic (3)

i := Tagkmaci

(c (2)i )


i , c (3)i )

G0 G1≈sstatisticalargument

G2= G3

MAC security

≈c G4

KEM security


G5=








Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2

= G3

MAC security

≈c G4

KEM security


G5=








Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2=

G3

MAC security

≈c G4

KEM security


G5=








Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2=

How to answer Hash or Decryption queries?Assume A makes a valid Dec(c (1)

i , ·, ·) query:

Case 1:H(ki) is not definedCase 2:H(ki) is defined

; kmaci still uniform,use MAC security G3

; A decapsulated c (1)i ,

use KEM security G4

G3

MAC security

≈c G4

KEM security


G5=








Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2=


i , ·, ·) query:

Case 1:H(ki) is not defined

Case 2:H(ki) is defined



use KEM security G4

G3

MAC security

≈c G4

KEM security


G5=








Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2=


i , ·, ·) query:




use KEM security G4

G3

MAC security

≈c G4

KEM security


G5=








Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2=


i , ·, ·) query:




use KEM security G4

G3

MAC security

≈c G4

KEM security


G5=








Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2=


i , ·, ·) query:




use KEM security G4

G3

MAC security

≈c G4

KEM security


G5=








Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2=

G3

MAC security

≈c G4

KEM security


G5=







i , ·, ·) and H(ki) is not yet defined.


Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2= G3

MAC security

≈c G4

KEM security


G5=







i , ·, ·) and H(ki) is not yet defined.


Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2= G3

MAC security

≈c

G4

KEM security


G5=







i , ·, ·) and H(ki) is not yet defined.G4: Abort if A queries H(ki).

G5: ideal SIM-SO-CCA game.

Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2= G3

MAC security

≈c G4

KEM security


G5=









Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2= G3

MAC security

≈c G4

KEM security

≈c

Oracle patchingtechnique. [CS03](Needs PCA KEM)

G5=









Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2= G3

MAC security

≈c G4

KEM security


G5=








Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2= G3

MAC security

≈c G4

KEM security


G5

=








Encpk(mi)ri




c (2)i := uniform

c (3)i := Tagkmac

i(c (2)

i )Return (c (1)

i , c (2)i , c (3)

i )


G2= G3

MAC security

≈c G4

KEM security


G5=


Summary

• SIM-SO-CCA secure PKE from generic construction in the ROM

• No additional assumptions compared to proof for IND-CCA security• Employs OT-MAC – can be constructed information-theoretically• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.

• Same proof-ideas can be applied to prove RSA-OAEP SIM-SO-CCA secure in the ROM.

Certain tranformations give SIM-SO-CCAsecurity for free in the ROM


Thank you!


Summary

• SIM-SO-CCA secure PKE from generic construction in the ROM• No additional assumptions compared to proof for IND-CCA security

• Employs OT-MAC – can be constructed information-theoretically• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.




Thank you!


Summary

• SIM-SO-CCA secure PKE from generic construction in the ROM• No additional assumptions compared to proof for IND-CCA security• Employs OT-MAC – can be constructed information-theoretically

• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.




Thank you!


Summary

• SIM-SO-CCA secure PKE from generic construction in the ROM• No additional assumptions compared to proof for IND-CCA security• Employs OT-MAC – can be constructed information-theoretically• Can be instantiated with any OW-PCA secure KEM, such as RSAKEM or DH KEM, latter gives instantiation of DHIES.




Thank you!


Summary





Thank you!


Summary





Thank you!


Summary





Thank you!


Documents

On the Selective Opening Security of Practical Public-Key ... the Selective Ope… · sk Image source: xkcd.com SOSecurityofPKESchemes|HorstGörtzInstitute|PKC2015,NIST|Maryland: