Security proofs for practical encryption schemes Yiannis Tsiounis, GTE Labs Moti Yung, CertCo LLC

Secure encryption zSemantic Security [GM84, Gol89] yHide all partial information yImmune against a-priori knowledge “Security”: Semantic security:

Semantic security (cont.) “Secure” encryption:or Semantically Secure: (probabilistic) = “Buy” = “Sell” “A-priori” info: (Indistinguishability of encryptions)

Beyond semantic security zChosen ciphertext security [NY90] y“Lunch-time” attack [NY90] yRackoff-Simon attack (adaptive) [RS91] zNon-malleability [DDN91] yInfeasible to create a “related” ciphertext yMessage & sender cannot be altered by man- in-the-middle

(Random oracles) zA “necessary evil” simplification yCollision-freeInformation hiding “Random oracle” QA i i Requires tamper-proof devices, or exponential memory

The big picture Attacks Security Plaintext Awareness BRP+98 EG EG+RO+A

Contributions (cont.) zSemantic security yDirectly from decision Diffie-Hellman yRetaining homomorphic properties yExact analysis of efficiency of the reduction zNon-malleability ydecision D-H + R.O. [PS96] + oracle-related assumption

Preliminaries zElGamal encryption yP = aQ + 1, P,Q primes, |g| = Q yPrivate key: x yPublic key: y = g x (mod P) yE(m) = g k, y k m (m є G Q ) zDecision Diffie-Hellman yP = aQ + 1, P,Q primes, |g| = Q yDistinguish from

Preliminaries (cont.) zSemantic security = indistinguishability of encryptions: It is infeasible to find 2 messages whose encryptions can be distinguished (non- negl. better than random guessing)

ElGamal => decision D-H zAssume we have ElGamal oracle zGiven a triplet decide if it is a D-H triplet (y = g ab ?) 1. Preparation stage: Find two messages that the oracle can distinguish 2. Testing phase: test if the oracle can distinguish between message 1 (or 2) and random messages

Proof (cont.) 3. Decision phase: generator g, public key g bw (w random) zRandomize message 1 (or 2) yCorrectly: E(m) = g u, m (g b ) wu yBased on given triplet E(m’) = (g a ) t g v, m y wt (g b ) wv m’ = m (if y = g ab ), random otherwise zRun oracle on E(m), E(m’) 1. Distinguish? ==> not D-H triplet 2. Else: correct D-H triplet

Decision D-H => ElGamal zGiven decision D-H oracle, find two messages whose ElGamal encryptions can be distinguished zFor any two m, m’: (y = g x ) yE(m 0 ) = g a, m 0 y a, E(m 1 ) = g b, m 1 y b yFeed = (random v) yIf it is a correct triplet, then m 0 =m, else m 0 = m’

Non-malleability zGiven ciphertext C, cannot construct ciphertext C’ such that the plaintexts are related zAll we need is a proof of knowledge of the plaintext yI.e., a proof of knowledge of k in E(m) = g k, y k m yBut, it must be a non-malleable ZK proof: it must be bound to the prover

The non-malleable extension zA Schnorr-type ZK proof of knowledge of k, with the sender’s identity in the challenge (hash) A = [g k, y k m], F = g v, C = k H(ID, g, A, F) + v E(m) = [A, F, C, ID] zRandom oracle is used only as a “trusted beacon” [PS96] - not for information hiding

Security proof 1.We need to verify that semantic security still holds (the knowledge proof does not leak information) 2.Knowledge of k: provided from Schnorr proof 3.Sender-bound: the addition forms a Schnorr signature of ID based on k, which is existentially unforgeable [PS96]

Practical implications: Encryption zElGamal is as secure as [BR94+Can97] zNon-malleability can be added at minimal efficiency costs zIn applications a signature is still needed yOtherwise senders can be impersonated ySignatures using Schnorr-proofs is a smooth addition

Implications: protocols zFirst encryption scheme with homomorphic properties that is semantically secure zAnonymous e-cash: escrowing can be performed based on decision D-H