Naor-Yung Paradigm with Shared Randomness and Applications



slide-1
SLIDE 1

Naor-Yung Paradigm with Shared Randomness and Applications

Silvio Biagioni¹, Daniel Masny², Daniele Venturi³

¹ Department of Information Engineering, Sapienza University of Rome, Rome, Italy
² Horst-Görtz Institute for IT Security, Ruhr-Universität Bochum, Bochum, Germany
³ Department of Information Engineering and Computer Science, University of Trento, Trento, Italy

10th Conference on Security and Cryptography for Networks August 31 - September 2, 2016, Amalfi, Italy

slide-2
SLIDE 2

Introduction Our Contributions Main Theorem KDM-CPA PKE Thank You! Contents

Public Key Encryption

Key pair $(pk, sk)$; the sender is given $pk$
$c \leftarrow \mathrm{Enc}(pk, m; r)$, where $r$ is the randomness
$m = \mathrm{Dec}(sk, c)$

Naor-Yung Paradigm with Shared Randomness and Applications September 20, 2016 2 of 16

slide-4
SLIDE 4

Key-Dependent Message Attacks

An adversary might be able to see ciphertexts encrypting messages related to the secret key

Applications

- careless key management
- fully homomorphic encryption: bootstrapping transformation
- anonymous credential system: a KDM secure encryption is used to discourage delegation of credentials
- disk encryption utilities: the disk encryption key may end up being stored in the page files and thus is encrypted along with the disc content

slide-8
SLIDE 8

F-KDM CPA and CCA security

[Diagram: the F-KDM security game]

- Setup: $(pk, sk)$ is generated, $b \xleftarrow{R} \{0, 1\}$, and the adversary receives $pk$
- KDM Oracle ($b$, $pk$): on a query $f \in \mathcal{F}$, sets $m_0 = 0$, $m_1 = f(sk)$ and returns $\mathrm{Enc}(pk, m_b; r)$
- Decryption Oracle ($sk$): on a query $c_i$, returns $m_i$
- The adversary outputs $b'$; the check is $b' = b$

slide-9
SLIDE 9

Naor-Yung Theorem (Camenisch, Chandran, Shoup)

$c = \mathrm{Enc}(pk, m; r)$
$c' = \mathrm{Enc}(pk', m; r')$
$\overline{pk} = (pk, pk')$, $\overline{sk} = sk$
$\pi$: both $c$ and $c'$ encrypt $m$
$\overline{c} = (c, c', \pi)$

Theorem (NY, Independent Randomness)

F-KDM-CPA + simulation sound NIZK ⇒ F-KDM-CCA

- To decrypt we need only one secret key!
- Originally it was designed to prove only CCA security from CPA
- The two encryptions use independent randomness $r$, $r'$

slide-10
SLIDE 10

Our Contributions

1. Twist of Naor-Yung leading to more efficient concrete instantiations
2. First PKE scheme whose KDM-CPA security is based on instances of the Subset Sum problem (robustness to quantum attacks)
3. Concrete instantiations from Decisional Diffie-Hellman, Quadratic Residuosity, Subset Sum with 50% gain in communication complexity

slide-12
SLIDE 12

Twist of Naor-Yung

$c = \mathrm{Enc}(pk, m; r^*)$
$c' = \mathrm{Enc}(pk', m; r^*)$
$\overline{pk} = (pk, pk')$, $\overline{sk} = sk$
$\pi$: both $c$ and $c'$ encrypt $m$
$\overline{c} = (c, c', \pi)$

- Natural idea: have $c$ and $c'$ share the same randomness $r^*$
- Leads to a more efficient design of the NIZK

Question

When and under which conditions does it work?

slide-15
SLIDE 15

Randomness Fusion

$c = \mathrm{Enc}(pk, m; r)$, $c' = \mathrm{Enc}(pk', m'; r')$
$\mathrm{Rand}(\cdot)$ with $aux := (pk, pk', sk', r', m')$ outputs $(\hat{c}, \hat{c}')$
$(\hat{c}, \hat{c}') \approx_S (c^* = \mathrm{Enc}(pk, m; r^*),\ c'^* = \mathrm{Enc}(pk', m; r^*))$

slide-16
SLIDE 16

Main Theorem

Theorem (NY, shared randomness)

Randomness Fusion + F-KDM-CPA + Simulation Sound NIZK ⇒ F-KDM-CCA

Extensions:

- Effective also for CCA security
- It also works in the setting of key-leakage (security of PKE against side-channel attacks)

slide-20
SLIDE 20

ElGamal and Randomness Fusion

$(G, q, g)$: cyclic group of prime order $q$ with generator $g$
$pk = h = g^{x} \in G$, $sk = x$
$(c_1, c_2) := \mathrm{Enc}(pk, m; r) = (g^{r}, h^{r} \cdot m)$

first encryption: $h = g^{x}$, $c = (c_1, c_2) = (g^{r}, h^{r} m)$
second encryption: $h' = g^{x'}$, $x' = sk'$, $c' = (c'_1, c'_2) = (g^{r'}, h'^{r'} m')$

Randomness Fusion

1. $c^*_1 = c^{*\prime}_1 = c_1 c'_1$
2. $c^*_2 = (h^{r} m) h^{r'}$
3. $c^{*\prime}_2 = c'_2 (g^{r})^{x'}$

Easy to show that $c^*_1$ and $c^*_2$ are statistically close to fresh encryptions with randomness $r^* = r + r'$
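The three fusion steps can be checked numerically. The following Python sketch is an added example, not code from the slides or the paper; the toy group ($p = 2039$, $q = 1019$, $g = 4$) and the function names `keygen`, `enc`, `dec`, `fuse` and `demo` are assumptions made for illustration.

```python
import secrets

# Toy parameters (constructed, far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x                       # (pk = h = g^x, sk = x)

def enc(h, m, r):
    return pow(G, r, P), pow(h, r, P) * m % P    # (g^r, h^r * m)

def dec(x, c):
    c1, c2 = c
    return c2 * pow(c1, -x, P) % P               # c2 / c1^x

def fuse(c, c_prime, aux):
    """Rand(.) from the slide, with aux = (pk, pk', sk', r', m')."""
    h, h_p, x_p, r_p, _m_p = aux                 # m' is part of aux but unused here
    (c1, c2), (c1p, c2p) = c, c_prime
    star1 = c1 * c1p % P                         # step 1: g^(r + r')
    star2 = c2 * pow(h, r_p, P) % P              # step 2: (h^r m) h^(r')
    star2p = c2p * pow(c1, x_p, P) % P           # step 3: c2' (g^r)^(x')
    return (star1, star2), (star1, star2p)

def demo():
    h, x = keygen()
    h_p, x_p = keygen()
    m, m_p = pow(G, 5, P), pow(G, 9, P)          # messages are group elements
    r, r_p = secrets.randbelow(Q), secrets.randbelow(Q)
    c, c_p = enc(h, m, r), enc(h_p, m_p, r_p)
    c_star, c_star_p = fuse(c, c_p, (h, h_p, x_p, r_p, m_p))
    r_star = (r + r_p) % Q
    # Both outputs equal fresh encryptions under the single randomness r*;
    # step 3 as written on the slide keeps the message m' carried by c'.
    return (c_star == enc(h, m, r_star),
            c_star_p == enc(h_p, m_p, r_star),
            dec(x, c_star) == m)
```

The fusion never touches $r$ or $sk$: it only needs $r'$ and $sk'$ from `aux`, which is what lets a reduction apply it to a challenge ciphertext $c$ it did not create.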

slide-24
SLIDE 24

ElGamal NIZK

statement $x := (h, (c_1, c_2), h', (c'_1, c'_2))$
witness $\omega := (r, r')$
$\alpha := (\alpha_1, \alpha_2, \alpha_3) = (g^{s}, g^{s'}, h^{s} \cdot (h')^{s'})$
$\beta \leftarrow \mathbb{Z}_q$
$\gamma := (\gamma_1, \gamma_2) = (s - \beta r, s' + \beta r')$
$\beta := H(x \| \alpha)$ to obtain $\pi = (\alpha, \gamma)$ via Fiat-Shamir [FS86]

Improvement

- 6 group elements instead of 9 group elements (33% gain)
- In the paper: Concrete instantiations for KDM security based on DDH, QR, Subset Sum with 50% gain in ciphertext size
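An added Python example, not taken from the slides or the paper, of the independent-randomness proof above made non-interactive with Fiat-Shamir. The three verification equations are derived here from the definitions of $\alpha$ and $\gamma$; the toy group, SHA-256 as $H$, the statement encoding and all function names are assumptions.

```python
import hashlib
import secrets

# Toy group (constructed, not secure): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def enc(h, m, r):
    return pow(G, r, P), pow(h, r, P) * m % P    # ElGamal: (g^r, h^r * m)

def challenge(stmt, alpha):
    # beta := H(x || alpha), reduced into Z_q (SHA-256 over repr is an assumption)
    data = repr((stmt, alpha)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(stmt, r, r_p):
    h, _, h_p, _ = stmt
    s, s_p = secrets.randbelow(Q), secrets.randbelow(Q)
    alpha = (pow(G, s, P), pow(G, s_p, P),
             pow(h, s, P) * pow(h_p, s_p, P) % P)
    beta = challenge(stmt, alpha)
    gamma = ((s - beta * r) % Q, (s_p + beta * r_p) % Q)
    return alpha, gamma

def verify(stmt, proof):
    h, (c1, c2), h_p, (c1p, c2p) = stmt
    (a1, a2, a3), (g1, g2) = proof
    beta = challenge(stmt, (a1, a2, a3))
    ratio = c2 * pow(c2p, -1, P) % P             # equals h^r / h'^r' iff same message
    ok1 = pow(G, g1, P) * pow(c1, beta, P) % P == a1      # g^s = g^g1 * c1^beta
    ok2 = pow(G, g2, P) * pow(c1p, -beta, P) % P == a2    # g^s' = g^g2 * c1'^-beta
    ok3 = (pow(h, g1, P) * pow(h_p, g2, P) * pow(ratio, beta, P)) % P == a3
    return ok1 and ok2 and ok3

def demo():
    h, h_p = pow(G, 123, P), pow(G, 456, P)      # constructed public keys
    m, other = pow(G, 7, P), pow(G, 8, P)
    r, r_p = secrets.randbelow(Q), secrets.randbelow(Q)
    good = (h, enc(h, m, r), h_p, enc(h_p, m, r_p))       # same plaintext
    bad = (h, enc(h, m, r), h_p, enc(h_p, other, r_p))    # different plaintexts
    return verify(good, prove(good, r, r_p)), verify(bad, prove(bad, r, r_p))
```

In this toy group a proof for a false statement still verifies whenever $\beta = 0$, which happens with probability about $1/q$, so real parameters need a large $q$ and a verifier that also checks group membership of every element.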

slide-25
SLIDE 25

Subset Sum

$s \in \{0, 1\}^n$, $a \in \mathbb{Z}_q^n$
$a \cdot s \equiv t \bmod q$

Original Subset Sum

$(a, t, s) \leftarrow \mathrm{SS}(n, q)$
$(a, t) \approx_S (a, u)$, where $u$ is random in $\mathbb{Z}_q$
[Figure labels: $\log(q)$; $O(1/\log(n))$; $\delta = n/\log(q)$]

slide-28
SLIDE 28

Subset Sum

$s \in \{0, 1\}^n$, $a \in \mathbb{Z}_q^n$, $q := p^m$
$A s \equiv t \bmod p$

SS as LWE (Lyubashevsky, Palacio, Segev)

$(A, t, s) \leftarrow \mathrm{SS}(n, q)$, $A \in \mathbb{Z}_p^{m \times n}$
$t := A \cdot s + e(A, s)$ (deterministic noise)
[Figure labels: $m \log(p)$; $m \approx n^2$; $O(1/\log(n))$; $\delta = n/(m \log(p))$]

Example

$p = 10$, $m = n = 3$
$a = (738, 916, 375)$, $s = (0, 1, 1)$
$a \cdot s \bmod 10^3 = 916 + 375 \bmod 10^3 = 291$
written in base $p$:

$$\begin{pmatrix} 7 & 9 & 3 \\ 3 & 1 & 7 \\ 8 & 6 & 5 \end{pmatrix} \begin{pmatrix} 0 \\ 1 \\ 1 \end{pmatrix} + \begin{pmatrix} 0 \\ 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 2 \\ 9 \\ 1 \end{pmatrix}$$

Crypto from Subset Sum

- PRG and UOWHFs [IN96]
- CPA and CCA secure PKE [LPS10,FMV16]
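The base-$p$ rewriting in the example generalizes to any $a$, $s$, $p$ and $m$: the digit columns of $a$ form $A$, and the carries of the schoolbook addition form the deterministic noise $e(A, s)$. The Python sketch below is an added example, not code from the slides or the paper; the function names `digits_msb`, `ss_to_lwe` and `check` are assumptions.

```python
def digits_msb(x, p, m):
    """Base-p digits of x, most significant first, exactly m digits."""
    return [(x // p ** (m - 1 - i)) % p for i in range(m)]

def ss_to_lwe(a, s, p, m):
    """Rewrite the subset sum instance a.s mod p^m as t = A*s + e mod p.

    Column j of A holds the digits of a[j], t holds the digits of the
    target, and e[i] is the carry that flows into digit position i.
    """
    n = len(a)
    cols = [digits_msb(aj, p, m) for aj in a]
    A = [[cols[j][i] for j in range(n)] for i in range(m)]
    target = sum(aj * sj for aj, sj in zip(a, s)) % p ** m
    t = digits_msb(target, p, m)
    e, carry = [0] * m, 0
    for i in reversed(range(m)):           # start at the least significant digit
        e[i] = carry                        # carry coming into this position
        row_sum = sum(A[i][j] * s[j] for j in range(n)) + carry
        carry = row_sum // p                # carry out of the top digit is dropped
    return A, t, e

def check(A, s, e, t, p):
    """True iff A*s + e == t holds row by row modulo p."""
    return all(
        (sum(row[j] * s[j] for j in range(len(s))) + ei) % p == ti
        for row, ei, ti in zip(A, e, t)
    )

# The instance from the slide: p = 10, m = n = 3.
A, t, e = ss_to_lwe([738, 916, 375], [0, 1, 1], 10, 3)
```

Because every carry is at most the number of summands, the noise stays small relative to $p$, which is what makes the instance look like LWE with a noise term fully determined by $A$ and $s$.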

slide-29
SLIDE 29

Our Subset Sum Based Scheme

$C_1 = R \cdot A$, with $R \leftarrow_{\$} [-\lfloor \sqrt{p}/2 \rfloor, \lfloor \sqrt{p}/2 \rfloor]^{\ell \times m}$
$c_2 = R \cdot t + m \lfloor p/2 \rfloor$
$pk := (A, t)$, $sk := s$

Decryption of $(C_1, c_2)$

$c_2 - C_1 \cdot s \equiv \lfloor m \rceil_2 \bmod p$

slide-30
SLIDE 30

F-KDM CPA Security of the Scheme

$\mathcal{F}_{\mathrm{aff}} := \{ f : f(s) := F \cdot s + f \}$, $F \in \mathbb{Z}_2^{\ell \times n}$, $f \in \mathbb{Z}_2^{\ell}$

$C_1 = R \cdot A$
$c_2 = R \cdot t + F \lfloor p/2 \rfloor s + f \lfloor p/2 \rfloor$

slide-31
SLIDE 31

F-KDM CPA Security of the Scheme

$C_1 = R \cdot A - F \lfloor p/2 \rfloor$
$c_2 = R \cdot t + f \lfloor p/2 \rfloor$

G0 → G1: Indistinguishability due to Leftover-Hash Lemma

slide-32
SLIDE 32

F-KDM CPA Security of the Scheme

$C_1 = R \cdot A - F \lfloor p/2 \rfloor$
$c_2 = R \cdot u + f \lfloor p/2 \rfloor$

G0 → G1: Indistinguishability due to Leftover-Hash Lemma
G1 → G2: Indistinguishability due to Subset Sum Assumption

slide-33
SLIDE 33

F-KDM CPA Security of the Scheme

$C_1 = R \cdot A$
$c_2 = R \cdot t$

G0 → G1: Indistinguishability due to Leftover-Hash Lemma
G1 → G2: Indistinguishability due to Subset Sum Assumption
G2 → G3: Indistinguishability due to Leftover-Hash Lemma and Subset Sum Assumption

KDM Security Amplification

From affine functions to all functions computable in some fixed polynomial time [Applebaum11]

slide-34
SLIDE 34

Thank You!

slide-35
SLIDE 35

Contents

1. Introduction: Public Key Encryption; Key-Dependent Message Attacks; F-KDM CPA and CCA security; Naor-Yung Theorem
2. Our Contributions: Twist of Naor-Yung; Randomness Fusion
3. Main Theorem: Main Theorem; ElGamal and Randomness Fusion; ElGamal NIZK
4. KDM-CPA PKE: Subset Sum; Our Subset Sum Based Scheme; F-KDM CPA Security of the Scheme
5. Thank You!
6. Contents