1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT
2 Security of Public-Key Cryptosystems Target: One-wayness (OW): hard to invert; Semantically secure (Indistinguishable) (IND): no partial information is released; Non-malleable (NM): for any non-trivial relation R, E(M)→E(R(M)) is hard. Attacks: Passive attacks (Chosen Plaintext Attacks: CPA); Chosen-ciphertext attacks (Chosen Ciphertext Attacks: CCA)
3 Semantic Security (IND: Indistinguishability) The probability of correctly guessing (b = b') is negligible. [Diagram: Adv; m_0, m_1; b'; legend entries "randomly selected" and "guess of"]
4 Chosen Ciphertext Attack (CCA) CCA1 (Lunch time attack, Naor-Yung 90): C_0 is given to the attacker after the active attack is completed. CCA2 (Rackoff-Simon 91): C_0 is given to the attacker before the active attack starts. [Diagram: the Attacker holds the Public-key and Ciphertext C_0, sends C_1, …, C_n to the Decryption oracle, receives P_1, …, P_n, and seeks Information on Plaintext P_0. Rule: C_0 ≠ C_1, …, C_n]
7 History of Provably Secure Public-key Encryption [Timeline figure. Years: 1976, 1978, 1979, 1982, 1984, 1990, 1991, 1993, 1994, 1998, 2001. Labels: DDN (NM-CCA2); BR (Random oracle model); Rabin; GM (IND-CPA); DH; RSA; NY (IND-CCA1); (OW-CPA); CS; BDPR; OAEP; RS; (IND-CCA2). Phases: Concept of public-key cryptosystem; Proposal of various tricks; Provable security (Theory); Practical scheme in the standard model; Practical approach by random oracle model]
8 The plain RSA scheme is not secure in the sense of IND-CCA2. Not indistinguishable (IND): deterministic. Vulnerable against CCA2: random-self-reducibility. [Diagram 1: Adv sends C' = C · R^e to the Decryption oracle (DO) and receives M'; M'/R = Plaintext of C. Diagram 2: Adv, given m_0, m_1, correctly outputs b = 0/1]
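Both weaknesses named on this slide, run against a constructed toy key so the failure can be reproduced before choosing a conversion; this is an added example, not part of the original slides. The key, the sample plaintexts and all function names are assumptions, and the slide's C' = C · R^e and M'/R are taken mod N.

```python
import secrets
from math import gcd

# Constructed toy key: two Mersenne primes, far too small and structured for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def encrypt(m):
    """Plain RSA: deterministic, no padding."""
    return pow(m, E, N)

def make_decryption_oracle(c0):
    """CCA2 decryption oracle (DO): answers any query except the challenge C."""
    def oracle(c):
        if c == c0:
            raise ValueError("challenge ciphertext refused")
        return pow(c, D, N)
    return oracle

def ind_guess(m0, m1, c0):
    """IND game: determinism lets Adv re-encrypt m0 and compare with the challenge."""
    return 0 if encrypt(m0) == c0 else 1

def cca2_recover(c0, oracle):
    """Random self-reducibility: query C' = C * R^e, then M = M'/R mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        c_blinded = (c0 * pow(r, E, N)) % N
        if gcd(r, N) == 1 and c_blinded != c0:   # C' != C respects the oracle's rule
            break
    m_blinded = oracle(c_blinded)                # M' = M * R mod N
    return (m_blinded * pow(r, -1, N)) % N

def demo():
    m0, m1 = 1234567, 7654321                    # constructed sample plaintexts
    b = secrets.randbelow(2)
    c0 = encrypt((m0, m1)[b])
    oracle = make_decryption_oracle(c0)
    return b, ind_guess(m0, m1, c0), (m0, m1)[b], cca2_recover(c0, oracle)
```

In `demo()` the guess always equals b and the recovered value always equals the challenge plaintext, which is exactly what IND-CCA2 forbids.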
9 EC-ElGamal Encryption elliptic curve point with order Public-key (E, P, W, ) Secret-key x Encryption plaintext m, bit-wise exclusive-or, (rW)_X is the x-coordinate of rW Decryption ciphertext
10 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (1) Malleable Non-trivial relation with m’ =
11 The Elliptic Curve ElGamal Scheme Is Not Secure in the Sense of IND-CCA2 (2) CCA2 Attack Adv Decryption Oracle
12 How to Construct an Encryption Scheme with the Strongest Security (IND-CCA2). Based on zero-knowledge proofs: Dolev-Dwork-Naor (1991); inefficient. Based on truly random function (random oracle model): Bellare-Rogaway: OAEP (1994) ... PKCS#1 (Ver.2) 1998; Fujisaki-Okamoto (1999), Pointcheval (2000); Okamoto-Pointcheval: REACT (2001); practical (using practical one-way functions in place of random functions). Practical construction without using a random function: Cramer-Shoup (1998)
13 Design Strategy of Practical and Provably Secure Public-key Encryption. Primitive Encryption Function (Trapdoor Function), for example RSA, ElGamal, etc. → Conversion Using Hash Functions (Random Functions) → Secure Encryption Scheme: Semantically Secure against Adaptively Chosen Ciphertext Attacks (IND-CCA2)
14 Random Oracle Model (Truly Random Model) [Figure: the random oracle / random function H drawn as a table of random bit strings, with labels Input, Output, 2^n and "n bits random"; User 1 and User 2 send x_1, …, x_k and receive H(x_1), …, H(x_k)]
15 Conversions for the RSA Encryption Function OAEP (Bellare-Rogaway 1994) OAEP+ (Shoup 2001) SAEP (Boneh 2001) SAEP+ (Boneh 2001) REACT (Okamoto-Pointcheval 2001)
16 OAEP [Figure: OAEP padding with inputs m||00…0 and r, functions G and H, intermediate values G(r), s, H(s), t, followed by a one-way permutation] (Example) RSA-OAEP. RSA-OAEP: de facto standard format of the RSA encryption, used in SSL (PKCS#1) and SET
17 Security of OAEP (FOPS 2001) OAEP is IND-CCA2 secure under the partial-domain one-wayness assumption in the random oracle model. RSA-OAEP is IND-CCA2 secure under the RSA assumption in the random oracle model. The reduction efficiency (to the RSA inversion) is less than that of the optimal case.
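The OAEP padding from the slide above, using the standard definition s = (m||00…0) ⊕ G(r), t = r ⊕ H(s); this is an added example, not part of the original slides and not the PKCS#1 byte encoding. The sizes K0 and K1, the SHA-256 expansion standing in for the random oracles G and H, and all function names are assumptions; the one-way permutation (e.g. RSA) that would be applied to s||t is left out.

```python
import hashlib
import hmac
import secrets

K0, K1 = 32, 32   # bytes of randomness r and of 00...0 redundancy (assumed sizes)

def _expand(label, seed, out_len):
    """Counter-mode SHA-256 expansion, a stand-in for a random oracle."""
    out, ctr = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big") + seed).digest()
        ctr += 1
    return out[:out_len]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(m, r=None):
    """Return s || t, the value handed to the one-way permutation."""
    r = secrets.token_bytes(K0) if r is None else r
    block = m + bytes(K1)                           # m || 00...0
    s = _xor(block, _expand(b"G", r, len(block)))   # s = (m || 00...0) xor G(r)
    t = _xor(r, _expand(b"H", s, K0))               # t = r xor H(s)
    return s + t

def oaep_unpad(padded):
    """Invert the padding and enforce the 00...0 redundancy."""
    s, t = padded[:-K0], padded[-K0:]
    r = _xor(t, _expand(b"H", s, K0))
    block = _xor(s, _expand(b"G", r, len(s)))
    m, zeros = block[:-K1], block[-K1:]
    if not hmac.compare_digest(zeros, bytes(K1)):   # a mauled input fails here
        raise ValueError("invalid ciphertext")
    return m

def is_rejected(padded):
    """True when unpadding refuses the input."""
    try:
        oaep_unpad(padded)
        return False
    except ValueError:
        return True
```

Padding the same m twice gives different outputs because r is fresh, and flipping any bit of s or t scrambles the recovered block so the redundancy check rejects it.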
18 OAEP+ [Figure: OAEP+ padding with inputs m, F(m||r) and r, functions G and H, intermediate values G(r), s, H(s), t, followed by a one-way permutation] (Example) RSA-OAEP+
20 Comparison of the RSA Family
Scheme | Security | Assumption (Number-Theoretic) | Assumption (Functional) | Reduction Efficiency | Provable Hybrid Usage
RSA-OAEP | IND-CCA2 | RSA | ROM | * | No
RSA-OAEP+ | IND-CCA2 | RSA | ROM | * | No
RSA-SAEP (low exponent) | IND-CCA2 | RSA with low exponent | ROM | *** | No
RSA-REACT | IND-CCA2 | RSA | ROM | *** | Yes
27 Security of REACT: f is Gap-one-way; G and H are random oracles (SymE is semantically secure against passive attacks) ⇒ AsymE is IND-CCA2
28 A Typical Usage of REACT Session key Encryption Decryption IND-CCA2 is guaranteed in total.
29 Inverting Problems relation: x → y s.t. f(x, y) = 1 [Diagram: x, y, f(x, y) = 1]
30 R-decision problems (x, y): decide whether R(f, x, y) = 1 (Examples) (e.g., decision DH) (e.g., quadratic residuosity) z is even when z with f(x, z) is uniquely determined (e.g., lsb of RSA) s.t.
31 Gap problems (R-gap problems) [Diagram: two panels joined by "or", each with x, y and an R-decision problem Oracle; label "s.t."]
32 Duality of Gap and Decision problems. R-gap problem of f is tractable ⇒ inverting problem of f = R-decision problem of f. R-decision problem of f is tractable ⇒ inverting problem of f = R-gap problem of f (e.g., f : RSA function; ). (=: reducible to each other)
33 Relationship among the Assumptions [Diagram labels: Decisional Assumption; Gap-One-way Assumption; Gap-One-way Assumption; Dual]
34 Relationship among the DH Assumptions [Diagram labels: Decision DH Assumption; Gap DH Assumption; DH Assumption; Dual]
42 Security of EC-ACE-KEM (1) EC-DDH; h: Universal One-Way Hash Function (UOWHF) ⇒ EC-ACE is IND-CCA2. (2) EC-DH; h: Random Oracle ⇒ EC-ACE is IND-CCA2
43 PSEC-KEM (revised by Shoup based on PSEC-2) Encryption Ciphertext (R, v) Decryption
44 Security of PSEC-KEM: EC-DH; h, g: Random Oracle ⇒ PSEC-KEM is IND-CCA2
45 Comparison of the EC-ElGamal Family
Scheme | Security | Assumption (Number-Theoretic) | Assumption (Functional) | Performance (Enc.) | Performance (Dec.)
PSEC-2 | IND-CCA2 | EC-DH | Random oracle, Security of SymE | 2 | 2
PSEC-3 | IND-CCA2 | EC-GDH | Random oracle, Security of SymE | 2 | 1
ECIES' | IND-CCA2 | EC-GDH | Random oracle, Security of SymE and Mac | 2 | 1
EC-ACE-KEM (+ SymE, Mac) | IND-CCA2 | EC-DDH | Universal One-way Hash, Security of SymE and Mac | 5 | 3
PSEC-KEM (+ SymE, Mac) | IND-CCA2 | EC-DH | Random oracle, Security of SymE and Mac | 2 | 2
The above numbers are those of EC-addition operations
46 Conclusion: Simple RSA and (EC)ElGamal are not secure against active attacks. Several practical (efficient) conversions are proposed to realize the strongest level of security (IND-CCA2) based on any primitive encryption functions such as RSA and (EC)ElGamal.