Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN 2012 IMI Crypto Seminar

One day in a class, Alice Student 1Student 2Student 3 ・・・

One day in a class, Alice Student 1Student 2Student 3 ・・・ The class “Introduction to Cryptography”

One day in a class, Alice Student 1Student 2Student 3 ・・・ The class “Introduction to Cryptography” The final exam has finished.

One day in a class, Alice Student 1Student 2Student 3 ・・・ Do you understand public-key encryption ?

One day in a class, Alice Student 1Student 2Student 3 ・・・ Yes ! Do you understand public-key encryption ?

One day in a class, Alice Student 1Student 2Student 3 ・・・ Good ! So, I’ll send your grades by PKE.

One day in a class, Alice Student 1Student 2Student 3 ・・・ Good ! So, I’ll send your grades by PKE. Please send me your public keys. All right ?

One day in a class, Alice Student 1Student 2Student 3 ・・・ Yes ! Good ! So, I’ll send your grades by PKE. Please send me your public keys. All right ?

One day in a class, Alice

One day in a class, Alice Although I said so, it is troublesome to encrypt all the grades.

One day in a class, Alice But, since I promised to use PKE, I have to do… Although I said so, it is troublesome to encrypt all the grades.

One day in a class, Alice But, since I promised to use PKE, I have to do… What happened ? Although I said so, it is troublesome to encrypt all the grades.

What happened is … Alice Student 1Student 2Student 3 ・・・ Grades: m 1, m 2, m 3, …

What happened is … Alice Student 1Student 2Student 3 ・・・ pk 1 pk 2 pk 3 ・・・ Grades: m 1, m 2, m 3, …

What happened is … Alice Student 1Student 2Student 3 ・・・ pk 1 pk 2 pk 3 ・・・ Grades: m 1, m 2, m 3, … PKs: pk 1, pk 2, pk 3, …

What happened is … Alice Student 1Student 2Student 3 ・・・ pk 1 pk 2 pk 3 ・・・ Grades: m 1, m 2, m 3, … PKs: pk 1, pk 2, pk 3, … It’s troublesome to encrypt honestly…

What happened is … Alice Student 1Student 2Student 3 ・・・ pk 1 pk 2 pk 3 ・・・ Grades: m 1, m 2, m 3, … PKs: pk 1, pk 2, pk 3, … It’s troublesome to encrypt honestly… Wait !

What happened is … Alice Student 1Student 2Student 3 ・・・ pk 1 pk 2 pk 3 ・・・ Grades: m 1, m 2, m 3, … PKs: pk 1, pk 2, pk 3, … The grades are personal information for students. Their security is not my concern.

What happened is … Alice Student 1Student 2Student 3 ・・・ pk 1 pk 2 pk 3 ・・・ Grades: m 1, m 2, m 3, … PKs: pk 1, pk 2, pk 3, … Want to cut corners… The grades are personal information for students. Their security is not my concern.

What happened is … Alice Student 1Student 2Student 3 ・・・ pk 1 pk 2 pk 3 ・・・ Grades: m 1, m 2, m 3, … PKs: pk 1, pk 2, pk 3, …

What happened is … Alice Student 1Student 2Student 3 ・・・ pk 1 pk 2 pk 3 ・・・ Grades: m 1, m 2, m 3, … PKs: pk 1, pk 2, pk 3, … Encrypt by using all-zero string as randomness CTs: c 1, c 2, c 3, …

What happened is … Alice Student 1Student 2Student 3 ・・・ pk 1 pk 2 pk 3 ・・・ Grades: m 1, m 2, m 3, … PKs: pk 1, pk 2, pk 3, … Encrypt by using all-zero string as randomness CTs: c 1, c 2, c 3, … c1c1 c2c2 c3c3 ・・・

What happened is … Alice Student 1Student 2Student 3 ・・・ pk 1 pk 2 pk 3 ・・・ Grades: m 1, m 2, m 3, … PKs: pk 1, pk 2, pk 3, … Grades were not sent securely ! Encrypt by using all-zero string as randomness CTs: c 1, c 2, c 3, … c1c1 c2c2 c3c3 ・・・

The lesson from this example

If some party in cryptographic protocols (PKE) 1. is not concerned about the security 2. is not willing to do a costly task (generating randomness)  The security can be compromised

The lesson from this example If some party in cryptographic protocols (PKE) 1. is not concerned about the security 2. is not willing to do a costly task (generating randomness)  The security can be compromised The reason is that Alice is “lazy”

The lesson from this example If some party in cryptographic protocols (PKE) 1. is not concerned about the security 2. is not willing to do a costly task (generating randomness)  The security can be compromised The reason is that Alice is “lazy” Traditional crypto did not consider lazy parties

The lesson from this example If some party in cryptographic protocols (PKE) 1. is not concerned about the security 2. is not willing to do a costly task (generating randomness)  The security can be compromised The reason is that Alice is “lazy” Traditional crypto did not consider lazy parties Many people tend to be lazy in the real life…  Need secure protocols even for lazy parties

Our results Define the security of PKE for lazy parties Lazy parties as rational players Construct secure PKEs for lazy parties

Practical motivation Lazy parties is an example of protocols that may not work if players behave in their own interests The problem of lazy parties reveals the motivation of using bad randomness in PKE Secure PKEs for lazy parties  Secure PKEs for which users have an incentive to use good randomness

Lazy parties in PKE Sender (S) and Receiver (R) are lazy Lazy S (and R) (1) wants to securely transmit msgs in M S (and M R ) (2) doesn’t want to generate costly randomness Choose (a) Costly true randomness (Good randomness) or (b) Zero-cost fixed string (Bad randomness) Define a game between S, R, and an adversary (Adv) A variant of usual CPA game Lazy parties behave to maximize their payoffs The goal is to design PKE secure for m ∈ M S ∪ M R

CPA Game Challenge Dealer Adv. SenderReceiver c  Enc pk (m b ; r S ) 3. b  R {0,1} pk c mbmb Enc Dealer Gen Dealer 1. G/B pk, sk 4. G/B c 1-b. If R chose B, r R  A(1 k ) c m 0, m 1 mbmb 2. (m 0, m 1 )  A(pk) 5. Output b’  A(c) (pk, sk)  Gen(1 k ; r R ) 1-a. If R chose G, r R  Samp(Gen) 4-a. If S chose G, r S  Samp(Enc) 4-b. If S chose B r R  A

Remarks on CPA Game We define the game more generally Sender may run Gen algorithm Encryption may be interactive Output of the Game: Out = (Win, Val S, Val R, Num S, Num R ) Win = 1 if b = b’, 0 otherwise Val w = 1 if m ∈ M w, 0 otherwise Num w : #{ G output by w : w ∈ {S, R} }

Payoff function Payoff when the output of CPA game is Out = (Win, Val S, Val R, Num S, Num R ) u w (Out) = (-α w )WinVal w + (-β w )Num w α w, β w > 0 are real numbers α w /2 > q w β w is assumed ． q w : Maximum of Num w Costly good randomness is worth for achieving the security Payoff when following the pair of strategies (σ S, σ R ) U w (σ S, σ R ) = min E[u w (Out)] min is taken over all Advs, message spaces M S, M R

Security of PKE for lazy parties For PKE scheme Π, strategies (σ S, σ R ), (Π, σ S, σ R ) is CPA secure with (strict) Nash equilibrium 1. If players follow (σ S, σ R ), then for any adversary, message spaces M S, M R, Pr[Win(Val S + Val R ) ≠ 0] ≤ 1/2 + negl(k) 2. (σ S, σ R ) is a (strict) Nash equilibrium

Solution concepts (σ S, σ R ) is a Nash equilibrium : For any w ∈ {S, R} and σ w ’, U w (σ S *, σ R * ) ≤ U w (σ S, σ R ) + negl(k) where (σ S *, σ R * ) = (σ S ’, σ R ) if w = S (σ S, σ R ’) otherwise (σ S, σ R ) is a strict Nash equilibrium : 1. (σ S, σ R ) is a Nash equilibrium 2. For any w ∈ {S, R} and σ w ’ ≠ σ w, U w (σ S *, σ R * ) ≤ U w (σ S, σ R ) – 1/k c where c is a constant

First observation (Impossibility results) Sender must generate a secret key A game for distinguishing m 0, m 1 ∈ M R \ M S  S uses Bad randomness  Adv can correctly distinguish since Adv knows all the inputs to S except m b Encryption must be interactive A game for distinguishing (m 0, m 0 ) and (m 0, m 1 ) for m 0, m 1 ∈ M R \ M S  S uses Bad randomness  Adv can correctly distinguish if two msgs were encrypted by same randomness

Secure PKE for lazy parties (1. Basic setting) Two-round PKE Π two Idea: R generates randomness for encryption R follows since doesn’t know whether m ∈ M R Sender Receiver c2c2 Encryption (pk S, sk S )  Gen(1 k ; r 1 S ) pk S c 1  Enc(pk S, r 2 R ; r 3 R ) c1c1 r 2 R  Dec(sk S, c 1 ) c 2 = m r 2 R m = c 2 r 2 R Key Generation r 2 R  R U

A problem of Π two : If R knows that m ∈ M R, R uses Bad randomness ( m ∈ M S \ M R is not sent securely ) Secure PKE for lazy parties (1. Basic setting)

R may know whether m ∈ M R Secure PKE for lazy parties (2. R knows additional information)

R may know whether m ∈ M R Three-round PKE Π three Idea: Key agreement to share randomness Shared randomness is Good if S or R uses Good Use the shared randomness for encryption Secure PKE for lazy parties (2. R knows additional information)

Three-round PKE Π three Sender Receiver c 2, c 3 Encryption r = r 2 R r 2 S (= r L ◦ r R ) (pk R, sk R )  Gen(1 k ; r 1 R ) pk R (pk S, sk S )  Gen(1 k ; r 1 S ) pk S c 1  Enc(pk S, r 2 R ; r 3 R ) c1c1 r 2 R  Dec(sk S, c 1 ) c 2  Enc(pk R, r 2 S ; r 3 S ) r 2 S  Dec(sk R, c 2 ) r = r 2 R r 2 S (= r L ◦ r R ) c 4  Enc(pk S, m; r R ) c4c4 c 3  Enc(pk R, m; r L ) m  Dec(sk R, c 3 ) Key Generation r 2 R  R U r 2 S  R U

Non-interactive PKE for lazy parties

Additional assumption: Players don’t want to reveal their secret keys

Non-interactive PKE for lazy parties Additional assumption: Players don’t want to reveal their secret keys Singcryption scheme is secure for lazy parties if signing key (secret key) can be computed from ciphertext and randomness  S uses Good to avoid revealing secret key

Conclusions “Lazy parties” may compromise the security An example of protocols that may not work if players behave in their own interests Our results Define the security of PKE for lazy parties Construct secure PKEs for lazy parties

Conclusions “Lazy parties” may compromise the security An example of protocols that may not work if players behave in their own interests Our results Define the security of PKE for lazy parties Construct secure PKEs for lazy parties Thank you

Lazy parties (1) They are not concerned about the security in a certain situation (2) They are unwilling to do a costly task, although they behave in an honest-looking way Costly task: Ex. random generation (computation is costly) increasing # rounds to finish (time is costly) Honest-looking behavior: Ex. using all-zero string as randomness

A problem of Π three If both S and R knows that m ∈ M S ∩ M R, it’s difficult to determine which of S/R uses Good Exits two different (strict) Nash strategies

A problem of Π three If both S and R knows that m ∈ M S ∩ M R, it’s difficult to determine which of S/R uses Good Exits two different (strict) Nash strategies Solution: R uses the all-zero string as randomness in Enc if R knows m ∈ M S ∩ M R All-zero string is a signal to R

The security proof of Π three (a) r = r 2 R r 2 S is Good if S or R uses Good (b) m ∈ M S M R can be guessed from c 4 (c) m ∈ M R M S can be guessed from c 3 Key Gen （ S ） Key Gen （ R ） Enc （ S ） Enc （ R ） Security Good - ✓ - ✓ Bad---No -Bad--No (a) (b) (c)

CPA Game Challenge Dealer Adv. SenderReceiver c  Enc pk (m b ; r S ) 3. b  R {0,1} pk c mbmb Enc Deale Gen Dealer 1. G/B pk, sk 4. G/B c aux R aux S c m 0, m 1 mbmb ⊥ if G r S if B aux S ＝ 2. (m 0, m 1 )  A 1 (pk, aux R ) 5. Output b’  A 2 (c, aux S ) Pr[ b = b’ ] ≤ 1/2 + negl(k) (pk, sk)  Gen(1 k ; r R ) ⊥ if G r R if B aux R ＝

Impossibility results Proposition 1. If Sender does not have a secret key, then the scheme is not CPA secure with Nash equilibrium A game for distinguishing m 0, m 1 ∈ M R \ M S  S uses Bad randomness  Adv can correctly distinguish since Adv knows all the inputs to S except m b  Sender must generate a secret key