Naor-Yung Paradigm with Shared Randomness and Applications Silvio - PowerPoint PPT Presentation

Naor-Yung Paradigm with Shared Randomness and Applications Silvio Biagioni 1 Daniel Masny 2 Daniele Venturi 3 1 Department of Information Engineering, Sapienza University or Rome, Rome, Italy 2 Horst-Görtz Institute for IT Security, Ruhr-Universität Bochum, Bochum, Germany 3 Department of Information Engineering and Computer Science, University of Trento, Trento, Italy 10th Conference on Security and Cryptography for Networks August 31 - September 2, 2016, Amalfi, Italy

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Public Key Encryption c ← Enc ( pk , m ; r ) r is the randomness (pk,sk) pk m = Dec ( sk , c ) Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 2 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Key-Dependent Message Attacks An adversary might be able to see ciphertexts encrypting messages related to the secret key Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 3 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Key-Dependent Message Attacks An adversary might be able to see ciphertexts encrypting messages related to the secret key Applications careless key management fully homomorphic encryption bootstrapping transformation anonymous credential system a KDM secure encryption is used to discourage delegation of credentials disk encryption utilities the disk encryption key may end up being stored in the page files and thus is encrypted along with the disc content Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 3 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents F -KDM CPA and CCA security KDM Oracle b , pk ( pk , sk ) b R ← { 0 , 1 } pk Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 4 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents F -KDM CPA and CCA security KDM Oracle m 0 = 0 , m 1 = f ( sk ) b , pk ( pk , sk ) Enc ( pk , m b ; r ) f ∈ F b R ← { 0 , 1 } pk Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 4 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents F -KDM CPA and CCA security KDM Oracle m 0 = 0 , m 1 = f ( sk ) b , pk ( pk , sk ) Enc ( pk , m b ; r ) f ∈ F b R ← { 0 , 1 } pk b ′ b ′ = b Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 4 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents F -KDM CPA and CCA security KDM Oracle Decryption Oracle m 0 = 0 , m 1 = f ( sk ) b , pk ( pk , sk ) Enc ( pk , m b ; r ) sk f ∈ F b R ← { 0 , 1 } m i c i pk b ′ b ′ = b Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 4 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Naor-Yung Theorem (Camenisch, Chandran, Shoup) pk = ( pk , pk ′ ), ¯ ¯ sk = sk c ′ = Enc ( pk ′ , m ; r ′ ) c = Enc ( pk , m ; r ) Both c and c ′ encrypt m π c = ( c , c ′ , π ) ¯ Theorem (NY, Independent Randomness) F -KDM-CPA + simulation sound NIZK ⇒ F -KDM-CCA To decrypt we need only one secret key! Originally it was designed to prove only CCA security from CPA The two encryptions use independent randomnesses r , r ′ Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 5 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Our Contributions 1 Twist of Naor-Young leading to more efficient concrete instantiations 2 First PKE scheme whose KDM-CPA security based on instances of the Subset Sum problem (robustness to quantum attacks) 3 Concrete instantiations from Decisional Diffie-Hellman, Quadratic Residuosity, Subset Sum with 50% gain in communication complexity Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 6 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Twist of Naor-Yung pk = ( pk , pk ′ ), ¯ ¯ sk = sk c ′ = Enc ( pk ′ , m ; r ∗ ) c = Enc ( pk , m ; r ∗ ) Both c and c ′ encrypt m π ¯ c = ( c , c ′ , π ) Natural idea: have c and c ′ share the same randomness r ∗ Leads to a more efficient design of the NIZK Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 7 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Twist of Naor-Yung pk = ( pk , pk ′ ), ¯ ¯ sk = sk c ′ = Enc ( pk ′ , m ; r ∗ ) c = Enc ( pk , m ; r ∗ ) Both c and c ′ encrypt m π Question ¯ c = ( c , c ′ , π ) When and under which conditions does it work? Natural idea: have c and c ′ share the same randomness r ∗ Leads to a more efficient design of the NIZK Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 7 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Randomness Fusion c ′ = Enc ( pk ′ , m ′ ; r ′ ) c = Enc ( pk , m ; r ) Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 8 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Randomness Fusion c ′ = Enc ( pk ′ , m ′ ; r ′ ) c = Enc ( pk , m ; r ) Rand ( · ) aux := ( pk , pk ′ , sk ′ , r ′ , m ′ ) c ′ ) (ˆ c , ˆ Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 8 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Randomness Fusion c ′ = Enc ( pk ′ , m ′ ; r ′ ) c = Enc ( pk , m ; r ) Rand ( · ) aux := ( pk , pk ′ , sk ′ , r ′ , m ′ ) c ′ ) (ˆ c , ˆ ≈ S ( c ∗ = Enc ( pk , m ; r ∗ ) , c ′ ∗ = Enc ( pk ′ , m ; r ∗ )) Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 8 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents Main Theorem Theorem (NY, shared randomness) Randomness Fusion + F -KDM-CPA + Simulation Sound NIZK ⇒ F -KDM-CCA Extensions: Effective also for CCA security It also works in the setting of key-leakage (security of PKE against side-channel attacks) Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 9 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents ElGamal and Randomness Fusion ( G , q , g ) cyclic group of prime order q with generator g pk = h = g x ∈ G , sk = x ( c 1 , c 2 ) := Enc ( pk , m ; r ) = ( g r , h r · m ) Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 10 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents ElGamal and Randomness Fusion ( G , q , g ) cyclic group of prime order q with generator g first encryption: h = g x , pk = h = g x ∈ G , sk = x c = ( c 1 , c 2 ) = ( g r , h r m ) ( c 1 , c 2 ) := Enc ( pk , m ; r ) = ( g r , h r · m ) second encryption: h ′ = g x ′ , x ′ = sk ′ , c ′ = ( c ′ 2 ) = ( g r ′ , h ′ r ′ m ′ ), 1 , c ′ Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 10 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents ElGamal and Randomness Fusion ( G , q , g ) cyclic group of prime order q with generator g first encryption: h = g x , pk = h = g x ∈ G , sk = x c = ( c 1 , c 2 ) = ( g r , h r m ) ( c 1 , c 2 ) := Enc ( pk , m ; r ) = ( g r , h r · m ) second encryption: h ′ = g x ′ , x ′ = sk ′ , c ′ = ( c ′ 2 ) = ( g r ′ , h ′ r ′ m ′ ), 1 , c ′ Randomness Fusion c ∗ 1 = c ∗′ 1 = c 1 c ′ 1 1 2 = ( h r m ) h r ′ c ∗ 2 2 ( g r ) x ′ c ∗′ 2 = c ′ 3 Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 10 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents ElGamal and Randomness Fusion ( G , q , g ) cyclic group of prime order q with generator g first encryption: h = g x , pk = h = g x ∈ G , sk = x c = ( c 1 , c 2 ) = ( g r , h r m ) ( c 1 , c 2 ) := Enc ( pk , m ; r ) = ( g r , h r · m ) second encryption: h ′ = g x ′ , x ′ = sk ′ , c ′ = ( c ′ 2 ) = ( g r ′ , h ′ r ′ m ′ ), 1 , c ′ Randomness Fusion c ∗ 1 = c ∗′ 1 = c 1 c ′ 1 Easy to show that c ∗ 1 and c ∗ 1 2 2 = ( h r m ) h r ′ c ∗ 2 are statistically close to fresh encryptions 2 ( g r ) x ′ c ∗′ 2 = c ′ 3 with randomness r ∗ = r + r ′ Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 10 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents ElGamal NIZK statement x := ( h , ( c 1 , c 2 ) , h ′ , ( c ′ 1 , c ′ witness ω := ( r , r ′ ) 2 )) α := ( α 1 , α 2 , α 3 ) = ( g s , g s ′ , h s · ( h ′ ) s ′ ) β ← Z q γ := ( γ 1 , γ 2 ) = ( s − β r , s ′ + β r ′ ) Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 11 of 16

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents ElGamal NIZK statement x := ( h , ( c 1 , c 2 ) , h ′ , ( c ′ 1 , c ′ witness ω := ( r , r ′ ) 2 )) α := ( α 1 , α 2 , α 3 ) = ( g s , g s ′ , h s · ( h ′ ) s ′ ) β ← Z q γ := ( γ 1 , γ 2 ) = ( s − β r , s ′ + β r ′ ) β := H ( x || α ) to obtain π = ( α, γ ) via Fiat-Shamir [FS86] Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 11 of 16