Slide 1. Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model
Tatsuaki Okamoto, NTT
Slide 2. Security of Public-Key Cryptosystems

Target (security goal):
  One-wayness (OW): the encryption function is hard to invert.
  Semantic security / indistinguishability (IND): no partial information about the plaintext is released.
  Non-malleability (NM): for any non-trivial relation R, producing E(R(M)) from E(M) is hard.

Attacks (adversary model):
  Passive attacks: chosen-plaintext attacks (CPA).
  Active attacks: chosen-ciphertext attacks (CCA).
Slide 3. Semantic Security (IND: Indistinguishability)

The adversary Adv chooses two plaintexts $m_0, m_1$. A bit $b \in \{0,1\}$ is selected at random and Adv receives the challenge ciphertext $c = E(m_b)$. Adv outputs a guess $b'$ of $b$.

IND means that the advantage $|\Pr[b = b'] - 1/2|$ is negligible: Adv does no better than guessing the bit.
Slide 4. Chosen Ciphertext Attack (CCA)

Setting: the attacker holds the public key and has access to a decryption oracle. It submits ciphertexts $C_1, \ldots, C_n$ of its choice and receives the plaintexts $P_1, \ldots, P_n$; its goal is information on the plaintext $P_0$ of a target ciphertext $C_0$.

CCA1 (lunch-time attack, Naor-Yung 1990): $C_0$ is given to the attacker only after the active attack (the oracle queries) is completed.
CCA2 (adaptive attack, Rackoff-Simon 1991): $C_0$ is given to the attacker before the active attack starts, so the oracle queries may depend on $C_0$.

Rule: $C_0 \ne C_1, \ldots, C_n$ (the target ciphertext itself may not be queried).
Slide 5. Relationships among Security Definitions (1)

Non-malleable (NM) → semantically secure (IND) under the same attack,
  i.e., NM-CPA → IND-CPA, NM-CCA2 → IND-CCA2.
IND-CCA2 → NM-CCA2.
Remark: NM-CPA does not imply IND-CCA1 (NM-CPA ↛ IND-CCA1).

Conclusion: the strongest security notion is semantic security against adaptive chosen-ciphertext attack, and IND-CCA2 = NM-CCA2.
Slide 6. Relationships among Security Definitions (2)

Attack \ Target            One-way (OW)   Semantically secure (IND)   Non-malleable (NM)
Passive attack (CPA)       OW-CPA         IND-CPA                     NM-CPA
Active attack (CCA) CCA1   OW-CCA1        IND-CCA1                    NM-CCA1
Active attack (CCA) CCA2   OW-CCA2        IND-CCA2                    NM-CCA2
Slide 7. History of Provably Secure Public-key Encryption

Timeline: 1976 1978 1979 1982 1984 1990 1991 1993 1994 1998 2001

Concept of the public-key cryptosystem and proposals of various tricks (OW-CPA):
  1976 DH, 1978 RSA, 1979 Rabin
Provable security (theory):
  1982 GM (IND-CPA), 1990 NY (IND-CCA1), 1991 RS (IND-CCA2), 1991 DDN (NM-CCA2)
Practical approach by the random oracle model:
  1993 BR (random oracle model), 1994 OAEP
Practical scheme in the standard model:
  1998 CS; 1998 BDPR (relations among the notions)
Slide 8. The plain RSA scheme is not secure in the sense of IND-CCA2

Deterministic ⇒ not indistinguishable (IND): Adv re-encrypts $m_0$ and $m_1$ and compares with the challenge.
Random self-reducibility ⇒ vulnerable to CCA2:

  Challenge: $C = m_b^e \bmod n$ with $b \in \{0,1\}$ and $m_0, m_1$ chosen by Adv.
  Adv picks a random $R$ and queries $C' = C \cdot R^e \bmod n$ ($\ne C$) to the decryption oracle DO.
  DO returns $M' = (C')^d \bmod n = m_b \cdot R \bmod n$, the plaintext of $C'$.
  Adv computes $m_b = M'/R \bmod n$, compares with $m_0, m_1$, and outputs $b$ correctly.
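The two breaks on this slide, written out as an added example (this is illustrative code, not code from the talk). The key $(n, e, d) = (3233, 17, 2753)$ is the usual textbook toy key and is constructed only to keep the arithmetic readable; the oracle refuses the challenge ciphertext exactly as the CCA2 rule requires, and the attack routes around that rule with $C' = C \cdot R^e$.

```python
"""Added example: breaking textbook RSA in the IND sense (deterministic) and in
the IND-CCA2 sense (random self-reducibility).  Toy key, never use such sizes.
"""
import math
import secrets

N, E, D = 3233, 17, 2753  # constructed toy RSA key (p = 61, q = 53)


def rsa_encrypt(m: int) -> int:
    """Textbook RSA: no padding, no randomness."""
    return pow(m, E, N)


def decryption_oracle(c: int, challenge: int) -> int:
    """CCA2 oracle: decrypts anything except the challenge itself (slide 4 rule)."""
    if c == challenge:
        raise PermissionError("the challenge ciphertext may not be queried")
    return pow(c, D, N)


def distinguish_by_reencryption(challenge: int, m0: int, m1: int) -> int:
    """Deterministic encryption is not IND even against CPA: re-encrypt and compare."""
    return 0 if rsa_encrypt(m0) == challenge else 1


def cca2_attack(challenge: int, m0: int, m1: int) -> int:
    """Recover b from C = m_b^e mod n with one oracle query on C' = C * R^e.

    C' is an encryption of m_b * R and differs from C, so the oracle answers;
    dividing out R gives m_b.  Assumes a non-zero challenge.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2                 # R in [2, n-1]
        c_prime = (challenge * pow(r, E, N)) % N         # (m_b * R)^e mod n
        if math.gcd(r, N) == 1 and c_prime != challenge:  # R invertible, C' legal
            break
    m_prime = decryption_oracle(c_prime, challenge)      # = m_b * R mod n
    m_b = (m_prime * pow(r, -1, N)) % N                  # divide out R
    return 0 if m_b == m0 else 1
```

The same random self-reducibility is what RSA-OAEP and RSA-REACT later on defeat: their decryption routines reject any ciphertext whose unpadded preimage does not carry the expected redundancy, so the oracle answer on $C'$ is "reject" instead of $m_b \cdot R$.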
Slide 9. EC-ElGamal Encryption

Parameters: an elliptic curve $E$ over $\mathbb{F}_p$ and a point $P \in E(\mathbb{F}_p)$ of prime order $q$.
Secret key: $x \in_R \mathbb{Z}/q\mathbb{Z}$.  Public key: $(E, P, W, q)$ with $W = xP$.
Encryption of plaintext $m$: choose $r \in_R \mathbb{Z}/q\mathbb{Z}$ and output
  $C = (c_1, c_2) = (rP,\ m \oplus (rW)_X)$,
where $\oplus$ is bit-wise exclusive-or and $(rW)_X$ is the x-coordinate of $rW$.
Decryption: $m = c_2 \oplus (x c_1)_X$, since $x c_1 = x r P = rW$.
Slide 10. The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (1): Malleable

Given $C = (c_1, c_2)$ with $c_2 = m \oplus (rW)_X$, set $c_2' = c_2 \oplus a$. Then
  $c_2' = (m \oplus a) \oplus (rW)_X$,
so $(c_1, c_2')$ is a valid encryption of $m' = m \oplus a$: a non-trivial relation between $m$ and $m'$, produced without knowing $m$.

Slide 11. The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (2): CCA2 Attack

Adv receives the challenge $C = (c_1, c_2)$, submits $C' = (c_1, c_2')$ with $c_2' = c_2 \oplus a$ ($C' \ne C$, so the query is allowed) to the decryption oracle, receives $m' = m \oplus a$, and recovers $m = m' \oplus a$.
Slide 12. How to Construct an Encryption Scheme with the Strongest Security (IND-CCA2)

Based on zero-knowledge proofs: Dolev-Dwork-Naor (1991). Inefficient.
Based on a truly random function (random oracle model): Bellare-Rogaway OAEP (1994), adopted in PKCS#1 v2 (1998); Fujisaki-Okamoto (1999); Pointcheval (2000); Okamoto-Pointcheval REACT (2001). Practical (a practical one-way hash function is used in place of the random function).
Practical construction without a random function (standard model): Cramer-Shoup (1998).
Slide 13. Design Strategy of Practical and Provably Secure Public-key Encryption

Primitive encryption function (trapdoor function), e.g., RSA, ElGamal, etc.
  → conversion using hash functions (modelled as random functions) →
Secure encryption scheme: semantically secure against adaptively chosen-ciphertext attacks (IND-CCA2).
Slide 14. Random Oracle Model (Truly Random Function Model)

[Figure: the random oracle $H$ as a public random function. Every user (User 1, User 2, ...) submits inputs $x_1, \ldots, x_k$ and receives outputs $H(x_1), \ldots, H(x_k)$; each output is an independent, uniformly random n-bit string, i.e., one of the $2^n$ possible values chosen at random per input.]
Slide 15. Conversions for the RSA Encryption Function

OAEP (Bellare-Rogaway 1994), OAEP+ (Shoup 2001), SAEP (Boneh 2001), SAEP+ (Boneh 2001), REACT (Okamoto-Pointcheval 2001)
Slide 16. OAEP

Input: the plaintext padded with zeros, $m \| 0\cdots0$, and a random $r$.
  $s = (m \| 0\cdots0) \oplus G(r)$
  $t = r \oplus H(s)$
  $C = f(s \| t)$, where $f(\cdot)$ is a one-way (trapdoor) permutation and $G, H$ are hash functions.
Decryption inverts $f$, recovers $r = t \oplus H(s)$ and $m \| 0\cdots0 = s \oplus G(r)$, and rejects unless the zero padding is intact.
Example: RSA-OAEP, $C = (s \| t)^e \bmod n$.
RSA-OAEP is the de facto standard format of RSA encryption, used in SSL (PKCS#1) and SET.
Slide 17. Security of OAEP (FOPS 2001)

OAEP is IND-CCA2 secure under the partial-domain one-wayness assumption on $f$ in the random oracle model.
RSA-OAEP is IND-CCA2 secure under the RSA assumption in the random oracle model (partial-domain one-wayness of RSA reduces to full RSA inversion). The reduction to RSA inversion is less tight than in the optimal case.
Slide 18. OAEP+

Input: the plaintext $m$, the redundancy $F(m \| r)$, and a random $r$.
  $s = (m \oplus G(r)) \| F(m \| r)$
  $t = r \oplus H(s)$
  $C = f(s \| t)$, where $f(\cdot)$ is a one-way (trapdoor) permutation and $F, G, H$ are hash functions.
The zero padding of OAEP is replaced by a hash of $m$ and $r$, which is checked in decryption.
Example: RSA-OAEP+, $C = (s \| t)^e \bmod n$.
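The OAEP and OAEP+ pads of slides 16 and 18 with their decryption-side checks, as an added example (not code from the talk or from PKCS#1). The random oracles $G$, $H$ and $F$ are stood in for by a counter-mode SHA-256 stretch with a label per oracle, and the parameter sizes are constructed for the example. The trapdoor permutation $f$ is deliberately left out: it would simply wrap the padded block $s \| t$, and the point here is what the pad does to a tampered block.

```python
"""Added example: OAEP and OAEP+ padding with the redundancy check on decode.
Hash-based stand-ins for G, H, F; sizes are toy values chosen for readability.
"""
import hashlib
import hmac
from typing import Optional

K0 = 16    # |r|, seed length in bytes
K1 = 16    # |0...0| (OAEP) or |F(m||r)| (OAEP+) in bytes
MLEN = 32  # fixed plaintext length in bytes for this toy


def oracle(label: bytes, seed: bytes, length: int) -> bytes:
    """Counter-mode SHA-256 stretch; the label keeps G, H and F independent."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big") + seed).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m: bytes, r: bytes, plus: bool = False) -> bytes:
    """Return s || t.  OAEP: s = (m || 0^k1) xor G(r).  OAEP+: s = (m xor G(r)) || F(m||r)."""
    if len(m) != MLEN or len(r) != K0:
        raise ValueError("fixed-length toy: |m| = MLEN and |r| = K0")
    if plus:
        s = xor(m, oracle(b"G", r, MLEN)) + oracle(b"F", m + r, K1)
    else:
        s = xor(m + bytes(K1), oracle(b"G", r, MLEN + K1))
    t = xor(r, oracle(b"H", s, K0))
    return s + t


def oaep_decode(padded: bytes, plus: bool = False) -> Optional[bytes]:
    """Invert the pad; return None when the redundancy check fails.

    A real decoder must also fail without revealing *why* (timing, error codes):
    Manger's attack on RSA-OAEP exploited exactly such distinguishable rejects.
    """
    if len(padded) != MLEN + K1 + K0:
        return None
    s, t = padded[: MLEN + K1], padded[MLEN + K1 :]
    r = xor(t, oracle(b"H", s, K0))          # any change to s changes r
    if plus:
        m = xor(s[:MLEN], oracle(b"G", r, MLEN))
        ok = hmac.compare_digest(s[MLEN:], oracle(b"F", m + r, K1))
    else:
        x = xor(s, oracle(b"G", r, MLEN + K1))
        m, ok = x[:MLEN], hmac.compare_digest(x[MLEN:], bytes(K1))
    return m if ok else None


def flip_bit(data: bytes, index: int) -> bytes:
    """Malleability probe: flip one bit of the padded block (before f is applied)."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)
```

Flipping any single bit of $s \| t$ changes the recovered $r$, hence the whole mask $G(r)$, so the zero block (OAEP) or the tag $F(m \| r)$ (OAEP+) mismatches except with probability about $2^{-8 k_1}$; that is the "check in decryption" that removes the homomorphic freedom the previous slides exploited.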
Slide 19. RSA-REACT (Hybrid Encryption)

  $C_1 = r^e \bmod n$, with $r$ random
  $C_2 = \mathrm{SymEnc}(G(r), m)$
  $C_3 = H(C_1, C_2, r, m)$
Example: $\mathrm{SymEnc}(k, m) = \mathrm{AES}(k, m)$ (block cipher), or $\mathrm{SymEnc}(k, m) = k \oplus m$ (one-time pad).
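RSA-REACT as on this slide, written out as an added example (not code from the talk). The RSA key is the constructed toy key $(n, e, d) = (3233, 17, 2753)$, $G$ and $H$ are SHA-256 stand-ins for the random oracles, and SymEnc is the one-time-pad variant $G(r) \oplus m$ from the slide. Unlike OAEP, nothing is checked inside the RSA preimage; the hash tag $C_3$ over $(C_1, C_2, r, m)$ is what lets the decryptor reject a ciphertext produced by the $C \cdot R^e$ trick of slide 8.

```python
"""Added example: RSA-REACT hybrid encryption with the C3 tag check.
Toy RSA key; G, H are SHA-256 stand-ins for the random oracles.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

N, E, D = 3233, 17, 2753  # constructed toy RSA key; r and C1 fit in 2 bytes

Ciphertext = Tuple[int, bytes, bytes]


def G(r: int, length: int) -> bytes:
    """Random oracle G: |m|-byte key stream derived from the RSA preimage r."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"G" + ctr.to_bytes(4, "big") + r.to_bytes(2, "big")).digest()
        ctr += 1
    return out[:length]


def H(c1: int, c2: bytes, r: int, m: bytes) -> bytes:
    """Random oracle H(C1, C2, r, m): a tag binding plaintext and ciphertext."""
    return hashlib.sha256(b"H" + c1.to_bytes(2, "big") + len(c2).to_bytes(4, "big")
                          + c2 + r.to_bytes(2, "big") + m).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def react_encrypt(m: bytes, r: Optional[int] = None) -> Ciphertext:
    """C1 = r^e mod n, C2 = G(r) xor m, C3 = H(C1, C2, r, m)."""
    if r is None:
        r = secrets.randbelow(N - 2) + 2  # fresh randomness: encryption is no longer deterministic
    c1 = pow(r, E, N)
    c2 = xor(G(r, len(m)), m)
    return c1, c2, H(c1, c2, r, m)


def react_decrypt(ct: Ciphertext) -> Optional[bytes]:
    """Recover r with the trapdoor, re-derive the key, accept only if C3 matches."""
    c1, c2, c3 = ct
    r = pow(c1, D, N)
    m = xor(G(r, len(c2)), c2)
    if not hmac.compare_digest(c3, H(c1, c2, r, m)):
        return None  # any change to C1, C2 or C3 ends here
    return m
```

Multiplying $C_1$ by $R^e$ now yields a preimage $rR$ whose $G(rR)$ bears no relation to $G(r)$, and flipping bits of $C_2$ changes the recovered $m$; in both cases the recomputed $H(C_1, C_2, r, m)$ differs from $C_3$ and the decryptor outputs nothing, so the oracle of slide 4 gives the adversary no information.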
Slide 20. Comparison of the RSA Family

Scheme                    Provable security   Assumption (number-theoretic)   Assumption (functional)   Reduction efficiency   Hybrid usage
RSA-OAEP                  IND-CCA2            RSA                             ROM                       *                      No
RSA-OAEP+                 IND-CCA2            RSA                             ROM                       **                     No
RSA-SAEP (low exponent)   IND-CCA2            RSA with low exponent           ROM                       ***                    No
RSA-REACT                 IND-CCA2            RSA                             ROM                       ***                    Yes
Slide 21. IND-CCA2 Conversions for (Elliptic Curve) ElGamal Encryption

FO-1 (Fujisaki-Okamoto, PKC 1999)
FO-2 (Fujisaki-Okamoto, Crypto 1999)
Pointcheval (2000)
REACT (Okamoto-Pointcheval 2001)
DHAES / ECIES (Abdalla-Bellare-Rogaway 1999)
CS (ACE) (Cramer-Shoup 1998)
PSEC-KEM (Shoup + Fujisaki-Okamoto 2001)
ACE-KEM (Shoup 2001)

Remark: OAEP, OAEP+, SAEP and SAEP+ cannot be applied to probabilistic encryption primitives such as ElGamal; they require a trapdoor permutation.
Slide 22. FO-1 / FO-2

Notation: $f$ is the primitive probabilistic encryption under the public key, written $f(\text{message}, \text{coins})$; $x$ is the secret key; $r$ is random; $G, H$ are hash functions.

FO-1: $C = f(m \| r,\ H(m, r))$.
  Check in decryption: recover $m \| r$ from $C$ and verify $C \overset{?}{=} f(m \| r,\ H(m, r))$.

FO-2: $C_1 = f(r,\ H(m, r))$, $C_2 = \mathrm{SymEnc}(G(r), m)$.
  Check in decryption: recover $r$ from $C_1$ and $m$ from $C_2$, then verify $C_1 \overset{?}{=} f(r,\ H(m, r))$.
Slide 23. FO-2 Applied to EC-ElGamal: PSEC-2

Plaintext $m$; random $r \in_R \{0,1\}^{Len}$.
  $R = h(m, r)P$, $Q = h(m, r)W$
  Ciphertext $C = (c_1, c_2, c_3) = (R,\ r \oplus Q_X,\ \mathrm{SymEnc}(g(r), m))$
Ex. 1: $\mathrm{SymEnc}(g(r), m) = g(r) \oplus m$ (one-time pad).
Ex. 2: $\mathrm{SymEnc}(g(r), m) = \mathrm{AES}(g(r), m)$ (block cipher).
Slide 24. Decryption of PSEC-2

  $Q = x c_1$
  $r = c_2 \oplus Q_X$
  $m = \mathrm{SymDec}(g(r), c_3)$
  Check: $c_1 \overset{?}{=} h(m, r)P$. Yes: output $m$. No: output the null string (reject).
Slide 25. Security of PSEC-2

Assumptions: EC-DH assumption; SymEnc semantically secure against passive attacks; $g, h$ random oracles.
Then PSEC-2 is IND-CCA2.
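Slides 9 to 11 and 23 to 25 side by side, as an added example (not code from the talk or from any PSEC implementation): plain EC-ElGamal with the XOR malleability attack, and PSEC-2, whose re-encryption check $c_1 \overset{?}{=} h(m, r)P$ rejects the same tampering. Curve arithmetic is a minimal affine implementation over the public secp256k1 parameters, chosen only so that $r$ and the x-coordinates are genuine 256-bit values; a production system would use a vetted constant-time library. $g$ and $h$ are SHA-256 stand-ins for the random oracles and SymEnc is Ex. 1, the one-time pad $g(r) \oplus m$.

```python
"""Added example: EC-ElGamal, its CCA2 malleability attack, and PSEC-2 (FO-2
over EC-ElGamal).  Toy affine arithmetic over secp256k1 constants; g, h are
SHA-256 stand-ins for the random oracles; SymEnc is the one-time pad g(r) xor m.
"""
import hashlib
import secrets
from typing import Optional, Tuple

P = 2**256 - 2**32 - 977  # secp256k1 field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None is the point at infinity
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # base point lies on y^2 = x^3 + 7


def add(p1: Point, p2: Point) -> Point:
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # a = 0 on secp256k1
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (variable-time; toy only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def keygen() -> Tuple[int, Point]:
    x = secrets.randbelow(Q - 1) + 1
    return x, mul(x, G)  # secret key x, public key W = xP


# Plain EC-ElGamal (slide 9): C = (rP, m xor (rW)_X), m an integer below 2^256
def eg_encrypt(W: Point, m: int) -> Tuple[Point, int]:
    r = secrets.randbelow(Q - 1) + 1
    return mul(r, G), m ^ mul(r, W)[0]


def eg_decrypt(x: int, ct: Tuple[Point, int]) -> int:
    c1, c2 = ct
    return c2 ^ mul(x, c1)[0]


def eg_cca2_attack(x: int, ct: Tuple[Point, int], a: int) -> int:
    """Slide 11: query (c1, c2 xor a), which is not the challenge, then strip a."""
    c1, c2 = ct
    m_prime = eg_decrypt(x, (c1, c2 ^ a))  # the decryption oracle returns m xor a
    return m_prime ^ a


# PSEC-2 = FO-2 applied to EC-ElGamal (slides 23 and 24)
def h(m: bytes, r: int) -> int:
    """Random oracle h(m, r) -> scalar in [1, q-1]."""
    d = hashlib.sha256(b"h" + r.to_bytes(32, "big") + m).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1


def g(r: int) -> bytes:
    """Random oracle g(r) -> 32-byte one-time-pad key."""
    return hashlib.sha256(b"g" + r.to_bytes(32, "big")).digest()


def psec2_encrypt(W: Point, m: bytes) -> Tuple[Point, int, bytes]:
    if len(m) > 32:
        raise ValueError("one-time-pad variant: |m| <= 32 bytes")
    r = secrets.randbits(256)  # r in {0,1}^Len with Len = 256
    k = h(m, r)
    R, Qp = mul(k, G), mul(k, W)  # R = h(m, r)P, Q = h(m, r)W
    return R, r ^ Qp[0], bytes(a ^ b for a, b in zip(g(r), m))


def psec2_decrypt(x: int, ct: Tuple[Point, int, bytes]) -> Optional[bytes]:
    c1, c2, c3 = ct
    Qp = mul(x, c1)
    if Qp is None or not 0 <= c2 < 2**256:
        return None
    r = c2 ^ Qp[0]
    m = bytes(a ^ b for a, b in zip(g(r), c3))
    if mul(h(m, r), G) != c1:  # FO check: c1 =? h(m, r)P
        return None  # reject: the null string of slide 24
    return m
```

The attack works on plain EC-ElGamal because the coins $r$ are independent of $m$; in PSEC-2 the coins are $h(m, r)$, so a modified $c_2$ or $c_3$ changes the recovered $(m, r)$ and the re-encryption no longer reproduces $c_1$. Rejection must be uniform (same output, same timing) for every failing ciphertext, otherwise the check itself becomes an oracle.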
Slide 26. REACT

Notation: $f$ is the primitive probabilistic encryption $f(\text{message}, \text{coins})$, $x$ the secret key, $r$ the coins and $R$ a random message; $G, H$ are hash functions.
  $C_1 = f(R, r)$
  $C_2 = \mathrm{SymE}(G(R), m)$
  $C_3 = H(C_1, C_2, R, m)$
Check in decryption: recover $R$ from $C_1$ and $m$ from $C_2$, then verify $C_3 \overset{?}{=} H(C_1, C_2, R, m)$.
Slide 27. Security of REACT

If $f$ is gap one-way, $G$ and $H$ are random oracles, and SymE is semantically secure against passive attacks, then the resulting scheme AsymE, $(f, x, r): m \mapsto (C_1, C_2, C_3)$, is IND-CCA2.
Slide 28. A Typical Usage of REACT

A → B: $c_1 = f(R, r)$; $R$ serves as the session secret and both sides derive the session key $K = G(R)$ (A encrypts, B decrypts).
For the $i$-th message $m_i$ ($i = 1, \ldots, k$):
  $c_{2,i} = \mathrm{SymE}(K, m_i)$
  $c_{3,i} = H(c_1, c_{2,i}, R, m_i)$
Alternatively, a single tag over the whole sequence:
  $(c_{2,1}, \ldots, c_{2,k}) = \mathrm{SymE}(K, (m_1, \ldots, m_k))$,
  $c_3' = H(c_1, c_{2,1}, \ldots, c_{2,k}, R, m_1, \ldots, m_k)$.
B verifies each tag before releasing a plaintext. IND-CCA2 is guaranteed in total (for the whole sequence of messages).
Slide 29. Inverting Problems

$f: \{0,1\}^* \times \{0,1\}^* \to \{0,1\}$ is a relation.
Inverting problem of $f$: given $x$, find $y$ such that $f(x, y) = 1$ (the relation $x \to y$).
Slide 30. R-decision Problems

Given $(x, y)$, decide whether $R(f, x, y) = 1$. Examples:
  $R_1(f, x, y) = 1 \Leftrightarrow f(x, y) = 1$ (e.g., decision DH)
  $R_2(f, x, \bot) = 1 \Leftrightarrow \exists z \text{ s.t. } f(x, z) = 1$ (e.g., quadratic residuosity)
  $R_3(f, x, \bot) = 1 \Leftrightarrow z$ is even, when the $z$ with $f(x, z) = 1$ is uniquely determined (e.g., lsb of RSA)
Slide 31. Gap Problems (R-gap problems)

Solve the inverting problem of $f$, i.e., given $x^*$ find $y^*$ such that $f(x^*, y^*) = 1$, with the help of an oracle for the R-decision problem: for any queried $(x, y)$ the oracle returns $R(f, x, y)$ (or $R(f, x, \bot)$).
Slide 32. Duality of Gap and Decision Problems

If the R-gap problem of $f$ is tractable, then the inverting problem of $f$ and the R-decision problem of $f$ are reducible to each other.
If the R-decision problem of $f$ is tractable, then the inverting problem of $f$ and the R-gap problem of $f$ are reducible to each other.
(e.g., $f$: RSA function; $R$: $R_2$)
Slide 33. Relationship among the Assumptions

Decisional assumption  ⟷ (dual) ⟷  Gap one-way assumption
Both are stronger than the one-way assumption: each of them implies the one-way assumption.
Slide 34. Relationship among the DH Assumptions

Decision DH assumption  ⟷ (dual) ⟷  Gap DH assumption
Both are stronger than the (computational) DH assumption: each of them implies the DH assumption.
Slide 35. EC-ElGamal-REACT: PSEC-3

Plaintext $m$; random $r \in_R (\mathbb{Z}/q\mathbb{Z})^*$ and $u \in_R \{0,1\}^{Len}$.
  $R = rP$, $T = rW$
  $c_1 = R$, $c_2 = u \oplus T_X$, $c_3 = \mathrm{SymEnc}(g(u), m)$, $c_4 = h(c_1, c_2, c_3, u, m)$
  Ciphertext $C = (c_1, c_2, c_3, c_4)$
Slide 36. Decryption of PSEC-3

  $T = x c_1$
  $u = c_2 \oplus T_X$
  $m = \mathrm{SymDec}(g(u), c_3)$
  Check: $c_4 \overset{?}{=} h(c_1, c_2, c_3, u, m)$. Yes: output $m$. No: output the null string (reject).
Slide 37. Security of PSEC-3

Assumptions: EC-Gap-DH (GDH) assumption; SymEnc semantically secure against passive attacks; $g, h$ random oracles.
Then PSEC-3 is IND-CCA2.
Slide 38. ECIES' (modified by Shoup)

Encryption ($r$ random):
  $C_1 = rP$
  $K = (k, k') = g(C_1, rW)$
  $C_2 = \mathrm{SymEnc}(k, m)$, $C_3 = \mathrm{Mac}(k', C_2)$
Decryption:
  $K = (k, k') = g(C_1, x C_1)$
  Check $C_3 \overset{?}{=} \mathrm{Mac}(k', C_2)$; if it holds, $m = \mathrm{SymDec}(k, C_2)$, otherwise reject.
Slide 39. Security of ECIES'

Assumptions: EC-Gap-DH assumption; SymEnc semantically secure against passive attacks; Mac secure; $g$ a random oracle.
Then ECIES' is IND-CCA2.
Slide 40. EC-ACE-KEM (1)

Public key: $G_1$, $G_2 = wG_1$, $C = xG_1$, $D = yG_1$, $H = zG_1$.
Secret key: $w, x, y, z$.
Encryption ($r$ random):
  $U_1 = rG_1$, $U_2 = rG_2$, $t = h(U_1, U_2)$
  $V = rC + r t D$
  Ciphertext: $(U_1, U_2, V)$.  Shared key: $K = (k, k') = g(U_1, rH)$.
Slide 41. EC-ACE-KEM (2)

Decryption:
  $K = (k, k') = g(U_1, zU_1)$
  Check: $wU_1 \overset{?}{=} U_2$ and $(x + t y)U_1 \overset{?}{=} V$, with $t = h(U_1, U_2)$.
Slide 42. Security of EC-ACE-KEM

(1) Under EC-DDH, with $h$ a universal one-way hash function (UOWHF): EC-ACE is IND-CCA2 (standard model).
(2) Under EC-DH, with $h$ a random oracle: EC-ACE is IND-CCA2.
Slide 43. PSEC-KEM (revised by Shoup based on PSEC-2)

Encryption ($s$ random):
  $(r, K) = g(s)$
  $R = rP$, $Q = rW$
  $v = s \oplus h(R, Q)$
  Ciphertext $(R, v)$; shared key $K$.
Decryption:
  $Q = xR$
  $s = v \oplus h(R, Q)$
  $(r, K) = g(s)$
  Check $R \overset{?}{=} rP$; if it holds, output $K$, otherwise reject.
Slide 44. Security of PSEC-KEM

Assumptions: EC-DH assumption; $h, g$ random oracles.
Then PSEC-KEM is IND-CCA2.
Slide 45. Comparison of the EC-ElGamal Family

Scheme                     Security   Assumption (number-theoretic)   Assumption (functional)                               Enc.   Dec.
PSEC-2                     IND-CCA2   EC-DH                           random oracle, security of SymE                       2      2
PSEC-3                     IND-CCA2   EC-GDH                          random oracle, security of SymE                       2      1
ECIES'                     IND-CCA2   EC-GDH                          random oracle, security of SymE and Mac               2      1
EC-ACE-KEM (+SymE, Mac)    IND-CCA2   EC-DDH                          universal one-way hash, security of SymE and Mac      5      3
PSEC-KEM (+SymE, Mac)      IND-CCA2   EC-DH                           random oracle, security of SymE and Mac               2      2

The performance figures count elliptic-curve scalar multiplications (the dominant EC operations) per encryption and per decryption; e.g., PSEC-2 encryption computes $h(m, r)P$ and $h(m, r)W$.
Slide 46. Conclusion

Plain RSA and (EC-)ElGamal are not secure against active attacks.
Several practical (efficient) conversions have been proposed that achieve the strongest level of security (IND-CCA2) from any primitive encryption function such as RSA or (EC-)ElGamal, in the random oracle model.