[PPT] - On the Memory-Tightness of Hashed ElGamal Ashrujit Ghoshal Stefano PowerPoint Presentation

SLIDE 1

On the Memory-Tightness of Hashed ElGamal

Ashrujit Ghoshal

University of Washington

Stefano Tessaro

University of Washington

Eurocrypt 2020

SLIDE 2

Security reductions

𝐵 𝐶 = 𝑆!

P

assumption

S

scheme CDH, DDH, DL, factoring … ElGamal, Cramer-Shoup, ECDSA, RSA-OAEP ⋯

➯ ➯

Reduction 𝑆

SLIDE 3

Security reductions

𝐶 = 𝑆! 𝐵

advantage 𝜁!

➯

Reduction 𝑆

time 𝑢! advantage 𝜁" time 𝑢"

SLIDE 4

Tight reductions Goal: tightness ⟹ 𝑢! ≈ 𝑢", 𝜁! ≈ 𝜁"

𝐶 = 𝑆! 𝐵

➯

Time is not the only important resource!

Reduction 𝑆

advantage 𝜁! time 𝑢! advantage 𝜁" time 𝑢"

SLIDE 5

Security reductions: memory perspective [ACFK17]

𝐶 = 𝑆! 𝐵

➯

Reduction 𝑆

advantage 𝜁! time 𝑢! advantage 𝜁" time 𝑢" memory 𝑛! memory 𝑛"

SLIDE 6

Memory-tight reductions [ACFK17] Goal: memory-tightness ⟹ 𝑛! ≈ 𝑛"

𝐶 = 𝑆! 𝐵

Common proof technique: 𝑛! small ⇒ memory-tight reduction

➯

Reduction 𝑆 𝑛" = 𝑛# + 𝑛! uses memory 𝑛!

memory 𝑛! memory 𝑛"

SLIDE 7

Motivation: more memory ⟹ faster solution

Discrete logarithm (DL) in prime fields Goal: security wrt adversary with time 2#$%, memory 2&%

70 160

log(memory) log(time)

156 78 2048

secure not secure memory-tight 𝑆": time 2#$%, memory 2&% non-memory-tight 𝑆": time 2#$%, memory 2#$%

SLIDE 8

Can we always make a reduction memory-tight?

SLIDE 9

This talk: certain reductions cannot be memory-tight, provably

mUFCMA to UFCMA

[ACFK17]

mCRt to CRt

[ACFK17,WMHT18]

mU-mOW to mU-OW

[WMHT18]

Hashed ElGamal

Hashed ElGamal used in practice eg. SECG SEC-1, ISO/IEC 18033-2, IEEE 1363a and ANSI X9.63

Prior work Here

generic concrete scheme

SLIDE 10

Hashed ElGamal KEM

Gen Encap Decap 𝑞𝑙 ← 𝑕$%, 𝑡𝑙

𝑞𝑙

𝐷 ← 𝑕&, 𝐿 ← 𝐼(𝑞𝑙&)

(𝑡𝑙, 𝐷) 𝐿 ← 𝐼 𝐷'(

KEM-CCA security ≡ Oracle Diffie-Hellman assumption [ABR `01]

Group 𝔿, generator 𝑕, order 𝑞

𝑣 ←

$ ℤ*

SLIDE 11

Oracle Diffie-Hellman assumption (ODH)

𝑕+, 𝑕,, 𝐿- 𝐸, 𝑍

𝑬𝒘

𝑐′ Pr 𝑐 = 𝑐. = 1 2 + negl 𝐸, 𝑍 = A𝐼 𝑍, if 𝑍 ≠ 𝑕+ ⊥

therwise

𝑣, 𝑤 ←

$ ℤ*

𝐿% ← 𝐼 𝑕+, , 𝐿# ←

$

0,1 /012 𝑐 ←

$ {0,1}

SLIDE 12

ODH in the random oracle model

𝑕+, 𝑕,, 𝐿- 𝐸, 𝑍

𝑬𝒘

𝑐′ 𝐼 𝑌

𝑰

random oracle

SDH ⟹ ODH [ABR ‘01]

𝑣, 𝑤 ←

$ ℤ*

𝐿% ← 𝐼 𝑕+, , 𝐿# ←

$

0,1 /012 𝑐 ←

$ {0,1}

𝐸, 𝑍 = A𝐼 𝑍, if 𝑍 ≠ 𝑕+ ⊥

therwise

Pr 𝑐 = 𝑐. = 1 2 + negl

SLIDE 13

𝑕+, 𝑕, 𝑃, 𝑌, 𝑍

𝑷𝒘

𝑎 𝑃, 𝑌, 𝑍 = A1 if 𝑍 = 𝑌, 0 otherwise 𝑣, 𝑤 ←

$ ℤ*

Pr 𝑎 = 𝑕+, = negl

Strong Diffie-Hellman assumption (SDH) (aka gap-DH)

SLIDE 14

Strong Diffie-Hellman (SDH) ⟹ ODH [ABR ‘01]

Theorem. ODH-adversary using memory 𝑛!⟹

SDH-adversary using memory 𝑛" 𝑛" = 𝑛! + 𝑃(𝑟# + 𝑟$)

# 𝐼 queries # 𝐸( queries n

t

m e m

r

y

t

i g h t !

SLIDE 15

SDH⇒ODH: the reduction

𝑕+, 𝑕, 𝑕+, 𝑕,, 𝐿 𝐸,(𝑍

3)

𝐼(𝑌3) Fix: use 𝑷𝒘 oracle

𝐵 𝑆

𝐿 ←

$ 0,1 /012

𝒀 𝑰(𝒀) 𝑌# 𝒁 𝑬𝒘(𝒁) 𝑍

#

Main Problem: Consistency! 𝐼 𝑍# = 𝐸#(𝑍)

𝑌3 𝑍

3

SLIDE 16

SDH⇒ODH: the reduction- 𝐸# queries

𝑕+, 𝑕, 𝑕+, 𝑕,, 𝐿 𝐸,(𝑍

3)

𝐵 𝑆

𝐿 ←

$ 0,1 /012

𝒀 𝑰(𝒀) 𝑌# 𝐼(𝑌#) 𝑌3 𝐼 𝑌3 ⋮ ⋮ 𝒁 𝑬𝒘(𝒁) 𝑍

#

𝐸, 𝑍

#

𝑷𝒘

𝑃,(𝑌#, 𝑍

3)

𝑃,(𝑌3, 𝑍

3)

1 𝑍

3

𝐼 𝑌3

𝑷𝒘

𝑃! 𝑌, 𝑍 𝑌! =

? 𝑍

SLIDE 17

SDH⇒ODH: the reduction- 𝐼 queries

𝑕+, 𝑕, 𝑕+, 𝑕,, 𝐿 𝐼(𝑌3)

𝐵 𝑆

𝐿 ←

$ 0,1 /012

𝒀 𝑰(𝒀) 𝑌# 𝐼(𝑌#) 𝒁 𝑬𝒘(𝒁) 𝑍

#

𝐸, 𝑍

#

𝑍

3

𝐸, 𝑍

3

⋮ ⋮

𝑷𝒘

𝑃,(𝑌3, 𝑍

#)

𝑃,(𝑌3, 𝑍

3)

1 𝑃,(𝑕+, 𝑌3) 𝑃, 𝑕+, 𝑌3 = 1 ⇒ return 𝑌3 𝑌3 𝐸, 𝑍

3

𝑷𝒘

𝑃! 𝑌, 𝑍 𝑌! =

? 𝑍

SLIDE 18

Main theorem

Theorem. ∀𝑙 ∃𝑃(𝑙)-query ODH-adv 𝐵∗ s.t.
Adv𝔿

ODH 𝐵∗ ≈ 1 ,

∀ PPT black-box reductions 𝑆 using memory 𝑛,

Adv𝔿 SDH 𝑆"∗ = non−negl ⇒ 𝑛 = Ω(𝑙 log 𝑞) .

Issue: For which groups 𝔿? DL easy in 𝔿 ⇒ memory tight 𝑆 Resolution: 𝑆 only makes black-box access to the group ⇒ generic group model

inefficient

SLIDE 19

Main theorem

Theorem. In the generic group model, ∀𝑙 ∃O(𝑙)-query ODH-

adv 𝐵∗ s.t.

AdvODH 𝐵∗ ≈ 1 ,
∀ PPT black-box reductions 𝑆 using memory 𝑛,

AdvSDH 𝑆!∗ = non−negl ⇒ 𝑛 = Ω(𝑙 log 𝑞) .

no rewinding!

𝑕!

forwarding

𝐵∗ 𝑆

SLIDE 20

Main theorem

Theorem. In the generic group model, ∀𝑙 ∃O(𝑙)-

query ODH-adv 𝐵∗ s.t.

AdvODH 𝐵∗ ≈ 1 ,
∀ PPT restricted black-box reductions 𝑆 using

memory 𝑛, AdvSDH 𝑆"∗ = non−negl ⇒ 𝑛 = Ω(𝑙 log 𝑞) .

SLIDE 21

Constructing 𝐵∗

𝑷𝒘

⋮

Force 𝑆 to complete memory- intensive task brute force to break ODH

utput

random bit R fails R succeeds

⋮

Intuition: 𝐵∗ is useful to 𝑆 only if 𝑆 accomplishes memory-intensive task

𝐵∗ 𝑆

SLIDE 22

Adversary 𝐵∗ 𝐵∗ 𝑆

𝐸, query 𝑕<! 𝑒# 𝐸, query

⋮

𝐼 query ℎ# 𝑕,⋅<" ! 𝐼 query ℎ( 𝑕,⋅<" #

⋮

Answers consistent?

utput random bit

break ODH by brute force yes no 𝑕+, 𝑕,, 𝐿 𝑒( 𝑒? < = ℎ< ∀ 𝑗 ∈ [𝑙] 𝑗#, 𝑗3, ⋯ , 𝑗( ←

$ ℤ*

𝜌 ←

$ 𝑇(

Recall: 𝐸, 𝑍 = 𝐼(𝑍,) 𝑕<#

SLIDE 23

Proof setting 𝐵∗ 𝑆& 𝑆'

𝜌 ←

$ 𝑇(

𝐼 queries ⋮ ⋮ 𝐸, queries 𝑛 bits

𝑷𝒘

Generic group

racle

SLIDE 24

Generic group model [Shoup 97, Maurer 05]

Generic group

racle

𝜏 𝑦 , 𝜏 𝑧 𝜏(𝑦 + 𝑧) 𝜏 𝑦 , 𝜏 𝑧 𝑧 =

? 𝑤 ⋅ 𝑦

𝑷𝒘

𝜏: ℤ# → 0,1 $ 𝑦 ∈ ℤ#: 𝜏 𝑦 ≜ 𝑕%

SLIDE 25

Repeat queries- 1 𝑆& 𝑆'

⋮

𝑷𝒘

Generic group

racle

𝒃𝟐 𝒃𝒍 ⋮ 𝒄𝟐 𝒄𝒍 (∗, 𝒃𝒌) (𝒃𝒋,∗)

Generic group

racle

𝜏 𝑦 , 𝜏 𝑧 𝜏(𝑦 + 𝑧) 𝜏 𝑦 , 𝜏 𝑧 𝑧 =

? 𝑤 ⋅ 𝑦

𝑷𝒘

repeat queries

SLIDE 26

Repeat queries- 2 𝑆& 𝑆'

⋮

𝑷𝒘

Generic group

racle

𝒃𝟐 𝒃𝒍 ⋮ 𝒄𝟐 𝒄𝒍 (∗, 𝒅) 𝒅 ( 𝒅 , ∗ )

Generic group

racle

𝜏 𝑦 , 𝜏 𝑧 𝜏(𝑦 + 𝑧) 𝜏 𝑦 , 𝜏 𝑧 𝑧 =

? 𝑤 ⋅ 𝑦

𝑷𝒘

repeat queries

SLIDE 27

Proof overview

(𝑆#, 𝑆3) answer consistently Many > (

E% repeat queries

Few ≤ (

E% repeat queries

Need 𝒏 = 𝛁(𝒍 𝐦𝐩𝐡 𝐪): intuitive, proof by compression argument, many subtleties Winning adversary against the permutation game Advantage negligible

𝑆" 𝑆# ⋮ 𝒃𝟐 𝒃𝒍 ⋮ 𝒄𝟐 𝒄𝒍

𝑛 bits

SLIDE 28

The reduction’s perspective

𝐵∗

𝑆" 𝑆# 𝜌 ←

$ 𝑇%

⋮ ⋮

𝑷𝒘 Generic group

racle

𝑆& needs to figure out 𝜌 for consistent answers

→Use 𝑃# oracle!

SLIDE 29

Using the 𝑃# oracle

𝑷𝒘 𝑆3 𝑃,(𝒃𝒋, 𝒄𝒌) 𝜌 𝑘 =

? 𝑗

𝑷𝒘 𝑆#

𝑃, 𝒃𝟐

H!𝒃𝟑

H. ⋯ 𝒃𝒍

H#, 𝒄𝟐 J!𝒄𝟑

J. ⋯ 𝒄𝒍

J#

𝑦?(#)𝑦?(3) ⋯ 𝑦?(() =

? 𝑧#𝑧3 ⋯ 𝑧(

Permutation game captures exactly this setting, combinatorially

𝑆" 𝑆# ⋮ 𝒃𝟐 𝒃𝒍 ⋮ 𝒄𝟐 𝒄𝒍

𝒃𝝆 𝒋

𝒘

= 𝒄𝒋

SLIDE 30

Permutation game (PG)

𝑃(𝑦 ∈ ℤ*

(, 𝑧 ∈ ℤ* ()

𝜌′ 𝑃 𝑦, 𝑧 = A1 if 𝑦?(#)𝑦?(3) ⋯ 𝑦? ( = 𝑧#𝑧3 ⋯ 𝑧( 0 otherwise. 𝜌 ←

$ 𝑇(

AdvPG 𝐵 = Pr[𝜌. = 𝜌] 𝑷

Lemma: If (𝑦', 𝑧'),⋯,(𝑦(, 𝑧() are the queries by 𝐵 that return 1 and rank 𝑦', ⋯ , 𝑦( ≤

) *+ , then,

AdvPG 𝐵 = negl .

𝐵

𝑆#, 𝑆3 make few repeat queries ⇒ 𝐵 of this form that wins PG if (𝑆#, 𝑆3) answer consistently 𝑦 = 𝑦#𝑦3 ⋯ 𝑦( 𝑧 = 𝑧#𝑧3 ⋯ 𝑧(

SLIDE 31

Conclusions

Impossibility result for a scheme with algebraic structure
Impossibility result can be “bypassed”
Memory-tight reduction in the Algebraic Group Model [FKL18]

Adv sends a representation of the group elements for every query

Concurrent work [Bhattacharya 20] complements our result

Different Hashed ElGamal variant, pairings

SLIDE 32

Open problems

Memory lower bound for rewinding 𝑆?

Our conjecture: 𝑛 = Ω(𝑙 log 𝑙)

Separation for “memory-adaptive” reduction?
Memory lower bound for concrete schemes without the generic

group model?

Memory lower bounds for other concrete schemes?

SLIDE 33