2003, Lecture Notes in Computer Science
At Crypto'99, Fujisaki and Okamoto [8] presented a nice generic transformation from weak asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model. Two specific candidates for standardization were designed from this transformation: PSEC-2 [14] and EPOC-2 [7], based on El Gamal and Okamoto-Uchiyama primitives, respectively. Since then, several cryptanalyses of EPOC have been published, one in the Chosen Ciphertext Attack game, and others making use of a poor implementation that is vulnerable to reject timing attacks. The aim of this work is to prevent such attacks on the generic transformation by identifying the properties that an asymmetric scheme must have in order to obtain a secure hybrid scheme. To achieve this, some ambiguities in the proof of the generic transformation [8] which could lead to false claims are described. As a result, the original conversion is modified and the class of asymmetric primitives that can be used is shortened. Secondly, the concept of Easy Verifiable Primitive is formalized, showing its connection with Gap problems. Using these ideas, a new security proof for the modified transformation is given. The good news is that the reduction is tight, improving the concrete security claimed in the original work for the Easy Verifiable Primitives. For the rest of the primitives, the concrete security is improved at the cost of stronger assumptions. Finally, the new conversion's resistance to reject timing attacks is addressed.
International Journal of Information Security, 2005
At Crypto'99, Fujisaki and Okamoto [11] presented a generic transformation from weakly secure asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model, which has been extensively used in several cryptographic scenarios. The work we present here forms part of the careful revision of the provable security techniques initiated by Shoup in [25], insofar as we find some ambiguities in the proof of this generic conversion which can lead to false claims. Consequently, the original conversion is modified and the class of asymmetric primitives that can be used is shortened. Furthermore, the concept of easily verifiable primitive is formalized, showing its connection with the gap problems introduced in [18]. Using these ideas, a completely new security proof for the modified transformation is given, which is phrased using currently widely accepted techniques. The reduction thereby obtained turns out to be tight, enhancing the concrete security claimed in the original work for the easily verifiable primitives. For the remaining primitives, the concrete security is improved at the cost of stronger assumptions. Finally, the resistance of the new conversion against reject timing attacks is addressed.
The strongest security definition for public key encryption (PKE) schemes is indistinguishability against adaptive chosen ciphertext attacks (IND-CCA). A practical IND-CCA secure PKE scheme in the standard model is well known to be difficult to construct, given that only a few such PKE schemes are available. From another perspective, we observe that for a large class of PKE-based applications, although IND-CCA security is sufficient, it is not a necessary requirement. Examples are Key Encapsulation Mechanism (KEM), MT-authenticator, providing pseudorandomness with a-priori information, and so on. This observation leads us to propose a slightly weaker version of IND-CCA, which requires that the ciphertexts of two randomly selected messages be indistinguishable under chosen ciphertext attacks. Under this new security notion, we show that highly efficient schemes proven secure in the standard model can be built in a straightforward way. We also demonstrate that such a security definition is already sufficient for the applications above.
2008
Chosen-ciphertext security is by now a standard security property for asymmetric encryption. Many generic constructions for building secure cryptosystems from primitives with lower level of security have been proposed. Providing security proofs has also become standard practice. There is, however, a lack of automated verification procedures that analyse such cryptosystems and provide security proofs. This paper presents an automated procedure for analysing generic asymmetric encryption schemes in the random oracle model. It has been applied to several examples of encryption schemes.
2002
Recently various public key encryption schemes such as DHIES by Abdalla, Bellare and Rogaway and REACT by Okamoto and Pointcheval, whose security against adaptive chosen ciphertext attack (CCA) is based on the Gap problems, have been proposed. Although the Gap problems were proved to be a sufficient assumption for those schemes to be secure against adaptive chosen-ciphertext attack, a necessary condition for CCA security of those schemes has not been explicitly discussed. In this paper we clarify the necessary condition for CCA security of those schemes. Namely we prove (in the random oracle model) that the Gap Diffie-Hellman is not only a sufficient, but also a necessary assumption for the CCA security of DHIES and the Diffie-Hellman version of REACT. We also show that our result applies to a wider class of public key encryption schemes. Furthermore we show that our result implies the equivalence, in the random oracle model, between the 'Strong Diffie-Hellman' and 'Oracle Diffie-Hellman' assumptions proposed by Abdalla, Bellare and Rogaway. Our results may be used as criteria for distinguishing public key encryption schemes whose CCA security is based on strong assumptions (such as Gap Diffie-Hellman) from those schemes based on weaker ones (such as Computational Diffie-Hellman).
Journal of Cryptology, 2011
This paper presents a generic conversion from weak asymmetric and symmetric encryption schemes to an asymmetric encryption scheme that is chosen-ciphertext secure in the random oracle model. Our conversion is the first generic transformation from an arbitrary one-way asymmetric encryption scheme to a chosen-ciphertext secure asymmetric encryption scheme in the random oracle model.
Key words: Asymmetric and symmetric (or public-key and private-key) encryption, Generic conversion, Indistinguishability against chosen ciphertext attacks (IND-CCA), Random oracle model, Security proof.
* This is the full version of the paper [18], fixing bugs and providing a clean, formal proof associated with a better security bound.
2003
We propose a practical scheme based on factoring and semantically secure (IND-CPA) in the standard model. The scheme is obtained from a modification of the so-called RSA-Paillier [5] scheme. This modification is reminiscent of the ones applied by Rabin [22] and Williams [25] to the well-known RSA cryptosystem. Thanks to the special properties of such schemes, we obtain efficiency similar to that of the RSA cryptosystem, provably secure encryption (since recovering plaintext from ciphertext is as hard as factoring) and indistinguishability against plaintext attacks. We also construct a new trapdoor permutation based on factoring, which has interest on its own. Semantic security of the scheme is based on an appropriate decisional assumption, named the Decisional Small 2e-Residues assumption. The robustness of this assumption is also discussed. Compared to Okamoto-Uchiyama's scheme [18], the previous IND-CPA cryptosystem in the standard model with one-wayness based on factoring, our scheme is drastically more efficient in encryption, and presents higher bandwidth, achieving the same expansion factor as the Paillier or El Gamal schemes. We believe the new scheme could be an interesting starting point to develop efficient IND-CCA schemes in the standard model with one-wayness based on factoring.
Information Processing Letters, 2011
Convertible authenticated encryption (CAE) schemes allow a signer to produce an authenticated ciphertext such that only a designated recipient can decrypt it and verify the recovered signature. The conversion property further enables the designated recipient to reveal an ordinary signature for dealing with a later dispute over repudiation. Based on the ElGamal cryptosystem, in 2009, Lee et al. proposed a CAE scheme with only heuristic security analyses. In this paper, we will demonstrate that their scheme is vulnerable to the chosen-plaintext attack and then further propose an improved variant. Additionally, in the random oracle model, we prove that the improved scheme achieves confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA).
2004
We present a simple, natural random-oracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning it is proven in the RO model to meet its goal yet admits no standard-model instantiation that meets this goal. The goal in question is IND-CCA-preserving asymmetric encryption, which formally captures security of the most common practical usage of asymmetric encryption, namely to transport a symmetric key in such a way that symmetric encryption under the latter remains secure. The scheme is an ElGamal variant, called Hash ElGamal, that resembles numerous existing RO-model schemes, and on the surface shows no evidence of its anomalous properties. More generally, we show that a certain goal, that we call key-verifiable, ciphertext-verifiable IND-CCA-preserving asymmetric encryption, is achievable in the RO model (by Hash ElGamal in particular) but unachievable in the standard model. This helps us better understand the source of the anomalies in Hash ElGamal and also lifts our uninstantiability result from being about a specific scheme to being about a primitive or goal. These results extend our understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of RO-model schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed.
Many people have contributed, in one way or another, to this dissertation taking the form it now has. Any attempt at a complete enumeration would be bound to fail; first, let me mention those who cannot be named, because they served as anonymous reviewers for conferences and thereby contributed suggestions on the presentation of some of the results presented here. Also to be named is David Hopwood, who spotted a gap in an earlier version of the discussion of the provable security of the mix scheme (here in Section 4.2). Prof. Johannes Buchmann managed, in a remarkable way, to create the working conditions in which this dissertation could thrive, and provided valuable suggestions. Everyone else at the Fachgebiet Theoretische Informatik also played a part in creating a pleasant and fruitful working atmosphere. Thank you!
Progress in Cryptology …, 2010
Public-key encryption schemes with non-interactive opening (PKENO) allow a receiver to non-interactively convince third parties that a ciphertext decrypts to a given plaintext or, alternatively, that such a ciphertext is invalid. Two practical generic constructions for PKENO have been proposed so far, starting from either identity-based encryption or public-key encryption with witness-recovering decryption (PKEWR). We show that the known transformation from PKEWR to PKENO fails to provide chosen-ciphertext security; only the transformation from identity-based encryption thus remains valid. Next, we prove that PKENO can alternatively be built out of robust non-interactive threshold public-key cryptosystems, a primitive that differs from identity-based encryption. Using the new transformation, we construct two efficient PKENO schemes: one based on the Decisional Diffie-Hellman assumption (in the Random-Oracle Model) and one based on the Decisional Linear assumption (in the standard model). Last but not least, we propose new applications of PKENO in protocol design. Motivated by these applications, we reconsider proof soundness for PKENO and put forward new definitions that are stronger than those considered so far. We give a taxonomy of all definitions and demonstrate them to be satisfiable.
Proceedings of the 15th ACM conference on Computer and communications security - CCS '08, 2008
Chosen-ciphertext security is by now a standard security property for asymmetric encryption. Many generic constructions for building secure cryptosystems from primitives with lower level of security have been proposed. Providing security proofs has also become standard practice. There is, however, a lack of automated verification procedures that analyze such cryptosystems and provide security proofs. This paper presents an automated procedure for analyzing generic asymmetric encryption schemes in the random oracle model. This procedure has been applied to several examples of encryption schemes among which the construction of Bellare-
Introduction to Security Reduction, 2018
In this chapter, we mainly use a variant of ElGamal encryption to introduce how to prove the security of encryption schemes under computational hardness assumptions. The basic scheme is called the hashed ElGamal scheme [1]. The twin ElGamal scheme and the iterated ElGamal scheme are from [29] and [55], respectively, and introduce two totally different approaches for addressing the reduction loss of finding a correct solution from hash queries. The ElGamal encryption scheme with CCA security is introduced using the Fujisaki-Okamoto transformation [42]. The given schemes and/or proofs may be different from the original ones.
7.1 Hashed ElGamal Scheme
SysGen: The system parameter generation algorithm takes as input a security parameter λ. It chooses a cyclic group (G, p, g), selects a cryptographic hash function H : {0,1}^* → {0,1}^n, and returns the system parameters SP = (G, p, g, H).
KeyGen: The key generation algorithm takes as input the system parameters SP. It randomly chooses α ∈ Z_p, computes g_1 = g^α, and returns a public/secret key pair (pk, sk) as follows: pk = g_1, sk = α.
Encrypt: The encryption algorithm takes as input a message m ∈ {0,1}^n, the public key pk, and the system parameters SP. It chooses a random number r ∈ Z_p and returns the ciphertext CT as CT = (C_1, C_2) = (g^r, H(g_1^r) ⊕ m).
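The following is an added worked example of the hashed ElGamal scheme described in Section 7.1 (SysGen, KeyGen, Encrypt), together with the matching Decrypt that the excerpt leaves implicit. It is not code from the book or its authors. Everything beyond the excerpt is an assumption: the cyclic group G is taken to be the order-q subgroup of Z_P^* for a safe prime P = 2q + 1 found by a deterministic search at toy size (about 62 bits, so it runs instantly and offers no real security), and H is instantiated as SHA-256 (n = 256) over the fixed-width encoding of the group element. The `tamper` helper illustrates the point the chapter builds on next: with nothing binding C_2 to C_1, a change to C_2 maps to a predictable change in the plaintext, which is why this scheme is only CPA-secure and is later lifted to CCA security via the Fujisaki-Okamoto transformation.

```python
import hashlib
import secrets

N_BITS = 256  # output length n of H (SHA-256 here; an assumption, the text leaves H abstract)
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n < 3.3e24,
    which comfortably covers the toy 62-bit moduli generated here."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def sys_gen(bits: int = 62) -> dict:
    """SysGen: pick (G, p, g) and H.  Assumption: G is the order-q subgroup of Z_P^*
    for a safe prime P = 2q + 1.  The search is deterministic (smallest safe prime
    with q >= 2^(bits-1)) so the example is reproducible; the size is a toy."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    P = 2 * q + 1
    g = 4  # 2^2 mod P is a square, so it lies in the order-q subgroup; q prime and 4 != 1 give order exactly q
    return {"q": q, "P": P, "g": g, "n": N_BITS}


def H(sp: dict, x: int) -> bytes:
    """H : {0,1}^* -> {0,1}^n over the fixed-width big-endian encoding of a group element."""
    width = (sp["P"].bit_length() + 7) // 8
    return hashlib.sha256(x.to_bytes(width, "big")).digest()


def key_gen(sp: dict):
    """KeyGen: alpha <- Z_q at random, pk = g_1 = g^alpha, sk = alpha."""
    alpha = secrets.randbelow(sp["q"])
    return pow(sp["g"], alpha, sp["P"]), alpha


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(sp: dict, pk: int, m: bytes):
    """Encrypt: r <- Z_q, CT = (C_1, C_2) = (g^r, H(g_1^r) xor m) for m in {0,1}^n."""
    if len(m) * 8 != sp["n"]:
        raise ValueError("message must be exactly n = %d bits" % sp["n"])
    r = secrets.randbelow(sp["q"])
    c1 = pow(sp["g"], r, sp["P"])
    c2 = _xor(H(sp, pow(pk, r, sp["P"])), m)
    return c1, c2


def decrypt(sp: dict, sk: int, ct):
    """Decrypt (implicit in the excerpt): C_1^alpha = g^(r*alpha) = g_1^r, so the
    receiver recomputes the mask H(g_1^r) and strips it.  There is no integrity
    check on the ciphertext, which is what limits the scheme to CPA security."""
    c1, c2 = ct
    return _xor(H(sp, pow(c1, sk, sp["P"])), c2)


def tamper(ct, delta: bytes):
    """Malleability illustration: XORing delta into C_2 shifts the decrypted
    message by exactly delta, because nothing binds C_2 to C_1.  Transforms such
    as Fujisaki-Okamoto make such modified ciphertexts decrypt to a rejection."""
    c1, c2 = ct
    return c1, _xor(c2, delta)


def demo() -> bool:
    """Round trip on a constructed 32-byte sample message."""
    sp = sys_gen()
    pk, sk = key_gen(sp)
    m = hashlib.sha256(b"constructed sample message").digest()
    return decrypt(sp, sk, encrypt(sp, pk, m)) == m


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Running the module prints whether a round trip succeeds; the interesting call is `tamper`, which shows that decryption of a modified ciphertext yields the original message XOR the chosen delta without any error, the behaviour a CCA-secure construction must rule out.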
Lecture Notes in Computer Science, 1999
This paper proposes two new public-key cryptosystems semantically secure against adaptive chosen-ciphertext attacks. Inspired from a recently discovered trapdoor technique based on composite-degree residues, our converted encryption schemes are proven, in the random oracle model, secure against active adversaries (NM-CCA2) under the assumptions that the Decision Composite Residuosity and Decision Partial Discrete Logarithms problems are intractable. We make use of specific techniques that differ from Bellare-Rogaway or Fujisaki-Okamoto conversion methods. Our second scheme is specifically designed to be efficient for decryption and could provide an elegant alternative to OAEP.
2010
We study the design of cryptographic primitives resistant to a large class of side-channel attacks, called "memory attacks", where an attacker can repeatedly and adaptively learn information about the secret key, subject only to the constraint that the overall amount of such information is bounded by some parameter ℓ. Although the study of such primitives was initiated only recently by Akavia et al. [2], subsequent work already produced many such "leakage-resilient" primitives [48,4,42], including signature, encryption, identification (ID) and authenticated key agreement (AKA) schemes. Unfortunately, every existing scheme, for any of the four fundamental primitives above, fails to satisfy at least one of the following desirable properties. Efficiency: while the construction may be generic, it should have some efficient instantiations, based on standard cryptographic assumptions, and without relying on random oracles. Strong Security: the construction should satisfy the strongest possible definition of security (even in the presence of leakage); for example, encryption schemes should be secure against chosen ciphertext attack (CCA), while signatures should be existentially unforgeable. Leakage Flexibility: it should be possible to set the scheme parameters so that the leakage bound ℓ can come arbitrarily close to the secret-key size. In this work we design the first signature, encryption, ID and AKA schemes which overcome these limitations, and satisfy all the properties above. Moreover, all our constructions are generic, in several cases elegantly simplifying and generalizing the prior constructions (which did not have any efficient instantiations). We also introduce several tools of independent interest, such as the abstraction (and constructions) of true-simulation extractable NIZK arguments, and a new deniable DH-based AKA protocol based on any CCA-secure encryption.
This paper presents a weakness in the key schedule of the AES candidate HPC (Hasty Pudding Cipher). It is shown that for the HPC version with a 128-bit key, 1 in 256 keys is weak in the sense that it has 2^30 equivalent keys. An efficient algorithm is proposed to construct these weak keys and the corresponding equivalent keys. If a weak key is used, it can be recovered by exhaustive search trying only 2^89 keys on average. This is an improvement by a factor of 2^38 over a normal exhaustive key search, which requires on average 2^127 attempts. The weakness also implies that HPC cannot be used in standard constructions for hash functions based on block ciphers. The analysis is extended to HPC with a 192-bit key and a 256-bit key, with similar results. For some other key lengths, all keys are shown to be weak. An example of this is the HPC variant with a 56-bit user key and block length of 128 bits, which can be broken in 2^31 attempts on average.
Information Sciences, 2019
Tightly secure public-key cryptographic schemes enjoy the advantage that the selection of the security parameter can be optimal to achieve a certain security level. Security models in the multiuser setting with corruptions (MU-C) consider more realistic threats in practice. Many efforts have been devoted to constructing tightly MU-C secure schemes. To date, we have many concrete constructions. Nevertheless, the study on how to generally achieve tight security in public-key cryptography remains lacking. In this paper, we take an insight into the key generations in public-key cryptography. We first generalize the key generation algorithms of traditional schemes and discuss the requirements of achieving tight security. We notice that for some schemes (e.g. key-unique schemes), these requirements inherently cannot be satisfied and hence these schemes cannot achieve tight security. This is in accordance with the impossibility results of tight reductions by Bader et al. (EUROCRYPT 2016). To further study possible constructions, we extend the key generations of public-key cryptographic schemes to obtain a different framework. To demonstrate its applications, we illustrate how to construct tightly secure key-unique schemes under the extended framework. This circumvents the impossibility results of tight security for key-unique schemes.
International Journal of Advanced Computer Science and Applications, 2019
Certificateless generalized signcryption adaptively works as a certificateless signcryption, signature or encryption scheme using a single algorithm, which suits storage-constrained environments. Recently, Zhou et al. proposed a novel certificateless generalized signcryption scheme and proved its ciphertext indistinguishability under adaptive chosen ciphertext attacks (IND-CCA2) using the Gap Bilinear Diffie-Hellman and Computational Diffie-Hellman assumptions, as well as existential unforgeability against chosen message attacks (EUF-CMA) using the same Gap Bilinear Diffie-Hellman and Computational Diffie-Hellman assumptions, in the random oracle model. In this paper, we analyze Zhou et al.'s scheme and show that it is IND-CCA2 insecure in its encryption and signcryption modes within the defined security model. We also present a practical and improved scheme, provably secure in the random oracle model.
Journal of Automated Reasoning, 2011
Many generic constructions for building secure cryptosystems from primitives with lower level of security have been proposed. Providing security proofs has also become standard practice. There is, however, a lack of automated verification procedures that analyze such cryptosystems and provide security proofs. In this paper, we present a sound and automated procedure that allows us to verify that a generic asymmetric encryption scheme is secure against chosen-plaintext attacks in the random oracle model. It has been applied to several examples of encryption schemes among which the construction of Bellare-
2015 IEEE Information Theory Workshop (ITW), 2015
Secret-key constructions are often proved secure in a model where one or more underlying components are replaced by an idealized oracle accessible to the attacker. This model gives rise to information-theoretic security analyses, and several advances have been made in this area over the last few years. This paper provides a systematic overview of what is achievable in this model, and how existing works fit into this view.
Index Terms: Cryptography, provable security, ideal-primitive model.
ACM Transactions on Information and System Security, 1999
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of . We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting might lead one to expect, we show that classical "encrypt-then-sign" (EtS) and "sign-then-encrypt" (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call "commit-then-encrypt-and-sign" (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent "hash-sign-switch" technique of , leading to efficient on-line/off-line signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.