Security proofs for practical encryption schemes Yiannis Tsiounis

Security proofs for practical encryption schemes Yiannis Tsiounis, GTE Labs Moti Yung, Cert. Co LLC

Secure encryption z. Semantic Security [GM 84, Gol 89] y. Hide all partial information y. Immune against a-priori knowledge “Security”: Semantic security:

Semantic security (cont. ) (Indistinguishability of encryptions) = “Buy” “A-priori” info: = “Sell” “Secure” encryption: Semantically Secure: (probabilistic) or

Beyond semantic security z. Chosen ciphertext security [NY 90] y“Lunch-time” attack [NY 90] y. Rackoff-Simon attack (adaptive) [RS 91] z. Non-malleability [DDN 91] y. Infeasible to create a “related” ciphertext y. Message & sender cannot be altered by manin-the-middle

(Random oracles) z. A “necessary evil” simplification y. Collision-free Information hiding “Random oracle” Q i Ai Requires tamper-proof devices, or exponential memory

The big picture Attacks Security EG BRP+98 Plaintext Awareness EG+RO+A

Contributions (cont. ) z. Semantic security y. Directly from decision Diffie-Hellman y. Retaining homomorphic properties y. Exact analysis of efficiency of the reduction z. Non-malleability ydecision D-H + R. O. [PS 96] + oracle-related assumption

Preliminaries z. El. Gamal encryption y. P = a. Q + 1, P, Q primes, |g| = Q y. Private key: x y. Public key: y = gx (mod P) y. E(m) = gk, yk m (m є GQ) z. Decision Diffie-Hellman y. P = a. Q + 1, P, Q primes, |g| = Q y. Distinguish < ga, gb, gab> from

Preliminaries (cont. ) z. Semantic security = indistinguishability of encryptions: It is infeasible to find 2 messages whose encryptions can be distinguished (nonnegl. better than random guessing)

El. Gamal => decision D-H z. Assume we have El. Gamal oracle z. Given a triplet decide if it is a D-H triplet (y = gab ? ) 1. Preparation stage: Find two messages that the oracle can distinguish 2. Testing phase: test if the oracle can distinguish between message 1 (or 2) and random messages

Proof (cont. ) 3. Decision phase: generator g, public key gbw (w random) z. Randomize message 1 (or 2) y. Correctly: E(m) = gu , m (gb)wu y. Based on given triplet E(m’) = (ga)t g v , m ywt (gb)wv m’ = m (if y = gab), random otherwise z. Run oracle on E(m), E(m’) 1. Distinguish? ==> not D-H triplet 2. Else: correct D-H triplet

Decision D-H => El. Gamal z. Given decision D-H oracle, find two messages whose El. Gamal encryptions can be distinguished z. For any two m, m’: (y = gx) y. E(m 0) = ga, m 0 ya , E(m 1) = gb, m 1 yb y. Feed = < ga, gx+v , g(x+v)a m 0/m> (random v) y. If it is a correct triplet, then m 0=m , else m 0 = m’

Non-malleability z. Given ciphertext C, cannot construct ciphertext C’ such that the plaintexts are related z. All we need is a proof of knowledge of the plaintext y. I. e. , a proof of knowledge of k in E(m) = gk, yk m y. But, it must be a non-malleable ZK proof: it must be bound to the prover

The non-malleable extension z. A Schnorr-type ZK proof of knowledge of k, with the sender’s identity in the challenge (hash) A = [gk, yk m], F = gv, C = k H(ID, g, A, F) + v E(m) = [A, F, C, ID] z. Random oracle is used only as a “trusted beacon” [PS 96] - not for information hiding

Security proof 1. We need to verify that semantic security still holds (the knowledge proof does not leak information) 2. Knowledge of k: provided from Schnorr proof 3. Sender-bound: the addition forms a Schnorr signature of ID based on k, which is existentially unforgeable [PS 96]

Practical implications: Encryption z. El. Gamal is as secure as [BR 94+Can 97] z. Non-malleability can be added at minimal efficiency costs z. In applications a signature is still needed y. Otherwise senders can be impersonated y. Signatures using Schnorr-proofs is a smooth addition

Implications: protocols z. First encryption scheme with homomorphic properties that is semantically secure z. Anonymous e-cash: escrowing can be performed based on decision D-H