Commit | Line | Data |
---|---|---|
888f8938 MW |
1 | %%% Deniably authenticated asymmetric encryption |
2 | %%% | |
3 | %%% Copyright (c) 2010 Mark Wooding | |
4 | %%% Licence: CC-BY | |
5 | ||
6 | \documentclass{strayman} | |
7 | ||
8 | \usepackage[T1]{fontenc} | |
9 | \usepackage[utf8]{inputenc} | |
10 | \usepackage[palatino, helvetica, courier, maths = cmr]{mdwfonts} | |
11 | \usepackage{mdwtab, mathenv, mdwmath, crypto, mdwref, mdwlist} | |
12 | \usepackage[mdwmargin]{mdwthm} | |
13 | \usepackage{tikz} | |
14 | ||
15 | \usetikzlibrary{fit,positioning,calc} | |
16 | ||
17 | \numberwithin{theorem}{subsection} | |
18 | \numberwithin{equation}{subsection} | |
19 | \numberwithin{figure}{subsection} | |
20 | ||
21 | \title{Deniably authenticated public-key encryption} | |
22 | \author{Mark Wooding} | |
23 | ||
24 | \def\Bin{\Sigma} | |
25 | \def\random{\$} | |
26 | \def\bitsto{\mathop{..}} | |
27 | \let\emptystring\varepsilon | |
28 | \let\emptyset\varnothing | |
29 | \def\textnm#1{\text{\/\normalfont#1\/}} | |
30 | ||
31 | \def\fixme{\marginpar{FIXME}} | |
32 | \def\cn{\fixme\textsuperscript{[\textcolor{blue}{citation needed}]}} | |
33 | ||
34 | \bibliographystyle{mdwalpha} | |
35 | ||
36 | \begin{document} | |
37 | ||
38 | \maketitle | |
39 | ||
40 | \begin{abstract} | |
41 | We consider the notion of \emph{deniably authenticated asymmetric | |
42 | encryption}: briefly, Bob can encrypt a message and send the ciphertext | |
43 | to Alice; Alice (and nobody else other than maybe Bob) can decrypt the | |
44 | message; Alice is convinced that Bob actually sent the message; and nobody | |
45 | can prove this to anyone else. | |
46 | ||
47 | We present formal definitions of security for this new notion, and offer | |
48 | two efficient instantiations. One is a generic construction, using any | |
49 | key-encapsulation mechanism, signature scheme, and symmetric authenticated | |
50 | encryption scheme, but it meets a relatively weak notion of deniability; | |
51 | the other has security based on the computational Diffie--Hellman problem | |
52 | and provides strong deniability, but the security is only proven in the | |
53 | random oracle model. | |
54 | \end{abstract} | |
55 | ||
56 | \newpage | |
57 | \tableofcontents | |
58 | \newpage | |
59 | ||
60 | %%%-------------------------------------------------------------------------- | |
61 | \section{Introduction} | |
62 | \label{sec:intro} | |
63 | ||
64 | \subsection{Authenticated asymmetric encryption} | |
65 | \label{sec:intro.aae} | |
66 | ||
67 | Secure email protocols, such as PGP | |
68 | \cite{Zimmermann:1995:PSC,rfc1991,rfc2440,rfc4880} and S/MIME | |
69 | \cite{rfc2311,rfc2633,rfc3851} attempt to provide both \emph{secrecy} for the | |
70 | messages they handle, and \emph{authenticity}. The former property, | |
71 | informally, means that Bob can send a message to Alice and be confident that | |
72 | nobody else can read it. The latter means that Alice can be confident that | |
73 | the message was really sent by Bob. | |
74 | ||
75 | This is commonly achieved by a generic sign-then-encrypt construction: the | |
76 | message plaintext is signed using a standalone digital-signature algorithm | |
77 | with the sender's private key, and then the message and its signature | |
78 | together are encrypted with the recipient's public key | |
79 | \[ y = E_A([m, S_b(m)]) \] | |
80 | This construction, among others, is analysed by An, Dodis, and Rabin | |
81 | \cite{An:2002:SJS,cryptoeprint:2002:046} and shown to provide formally | |
82 | defined notions of secrecy and authenticity. | |
83 | ||
84 | As noticed by Davis \cite{Davis:2001:DSE}, the sign-then-encrypt approach has | |
85 | some surprising failure modes. For example, Alice can re-encrypt the signed | |
86 | message using, say, Carol's public key, and sent it on: | |
87 | \[ y' = E_C([m, S_b(m)]) \] | |
88 | this can obviously cause confusion if the message doesn't encode the identity | |
89 | of the intended recipient. But there are worse possibilities. For example, | |
90 | if Alice and Bob are having an affair, each signed-and-encrypted | |
91 | \emph{billet-doux} becomes potential blackmail material: Alice might threaten | |
92 | to publish the | |
93 | \[ m, S_b(m) \] | |
94 | if her demands aren't met. If Alice is a journalist and Bob is a source, | |
95 | leaking secrets to her, then the signed leaks are incriminating evidence. | |
96 | ||
97 | The encrypt-then-sign construction makes this sort of `attack' less trivial, | |
98 | but still possible. The signature is applied to a ciphertext encrypted using | |
99 | Alice's public key, so an \emph{unaided} third party should be unable to | |
100 | verify that the ciphertext matches any particular claimed plaintext. But | |
101 | there will usually be some additional information that Alice can publish to | |
102 | show the correlation. For hybrid schemes, where an asymmetric encryption | |
103 | scheme is used to transfer a symmetric key, publishing the symmetric key is | |
104 | usually sufficient. In the case of asymmetric schemes based on trapdoor | |
105 | permutations (e.g., RSA \cite{Rivest:1978:MOD}) she can publish the preimage | |
106 | of the ciphertext. In the case of schemes based on Diffie--Hellman key | |
107 | agreement (e.g., ElGamal's scheme \cite{ElGamal:1985:PKCb} or DLIES | |
108 | \cite{cryptoeprint:1999:007,Abdalla:2001:DHIES,IEEE:2000:1363}) even | |
109 | verifying the shared secret may be hard for third parties (this is the | |
110 | decisional Diffie--Hellman problem), but Alice can additionally publish a | |
111 | noninteractive zero-knowledge proof that the shared secret is | |
112 | correct.\footnote{% | |
113 | We'll work in a group $(G, +)$ with $p = \#G$ prime and generated by $P$. | |
114 | Let $a \inr \gf{p}$ be Alice's private key, with $A = a P$. For ElGamal, | |
115 | Bob encodes his message as $M \in G$, chooses $r \inr \gf{p}$, computes $R | |
116 | = r P$ and $Z = r A$, and sends $(R, Z + M)$ as his ciphertext. Alice can | |
117 | publish $Z$, but must prove that $Z = a R$. We assume a random oracle | |
118 | $H\colon G^2 \to \gf{p}$. She chooses $u \inr \gf{p}$, computes $c = H(u | |
119 | P, u R)$ and $v = u - c a$, and publishes $(Z, c, v)$. To verify, check | |
120 | that $H(v P + c A, v R + c Z) = c$. Completeness is immediate; soundness | |
121 | holds by rewinding and mutating the random oracle -- one obtains a new $c'$ | |
122 | and $v'$ for the same $u$, and can solve for $a$; and the simulator fixes | |
123 | up the random oracle after choosing $v$ at random. The structure of this | |
124 | proof follows \cite{Maurer:2009:UZK}.} % | |
125 | ||
126 | Similarly, `signcryption' schemes \cite{Zheng:1997:DSH} usually provide a | |
127 | `non-repudiation' property. \fixme | |
128 | ||
129 | With this in mind, it seems a shame that most work on asymmetric | |
130 | authentication concentrates on \emph{non-repudiation} -- ensuring that Bob's | |
131 | signature (or equivalent) can be demonstrated to third parties, even without | |
132 | Bob's later cooperation -- or even despite his opposition. | |
133 | ||
134 | \subsection{Related work} | |
135 | \label{sec:intro.related} | |
136 | ||
137 | Dolev, Dwork, and Naor's work \cite{Dolev:1991:NC} on nonmalleable | |
138 | cryptography defines a simple asymmetric authentication protocol. If $m$ is | |
139 | some message that Bob wants Alice to authenticate, he chooses a random string | |
140 | $\rho$, and sends her $(m, \rho)$ encrypted using a nonmalleable encryption | |
141 | scheme under Alice's public key. To authenticate the message~$m$, Alice | |
142 | replies with $\rho$. The authors prove their protocol's security, on the | |
143 | assumption that the encryption is nonmalleable, and comment without proof on | |
144 | the `plausible deniability' that it offers. | |
145 | ||
146 | Dwork, Naor, and Sahai \cite{cryptoeprint:1999:023} address deniability in | |
147 | the context of concurrent zero-knowledge interactive proofs. They improve | |
148 | the \cite{Dolev:1991:NC} protocol, showing that the new version is deniable | |
149 | under \emph{sequential} composition. They also \fixme | |
150 | %%% read this and finish description | |
151 | ||
152 | Di~Raimondo and Gennaro \cite{Raimondo:2005:NAD} \fixme | |
153 | %%% ought to actually read this | |
154 | ||
155 | There is an active literature on the topic of deniably authenticated key | |
156 | exchange, where the participants are confident that they are communicating | |
157 | securely with each other, but are unable to prove this to a third party. | |
158 | Di~Raimondo, Gennaro, and Krawczyk \cite{cryptoeprint:2006:280} define | |
159 | deniably authenticated key exchange and prove deniability properties of some | |
160 | IPSEC subprotocols. | |
161 | ||
162 | The \emph{Off the Record} protocol for instant-messaging systems | |
163 | \cite{Borisov:2004:OTR,Alexander:2007:IUA} provides strong deniability for | |
164 | users, for example by publishing authentication keys at the ends of | |
165 | conversations. The Wrestlers key-exchange protocol | |
166 | \cite{cryptoeprint:2006:386} provides strong deniability, and has been | |
167 | implemented as part of a virtual private network system | |
168 | \cite{Wooding:2001:TrIPE}. | |
169 | ||
170 | Other related concepts include \emph{chameleon signatures} and \emph{ring | |
171 | signatures}. A chameleon signature \cite{cryptoeprint:1998:010} allows a | |
172 | designated recipient to satisfy himself as to the origin of a message, and to | |
173 | create forgeries -- so the recipient is unable to convince third parties that | |
174 | a message is authentic; however, the sender is able to prove a forgery, and a | |
175 | failure to provide such proof may be considered an admission of authenticity. | |
176 | (We shall discuss chameleon signatures further in \ref{sec:deny.weak}.) A | |
177 | ring signature\cn\ allows a sender to `hide' among a set of users -- without | |
178 | their participation -- and sign a message in such a way as to convince a | |
179 | recipient that some member of the set signed it, but with no way to determine | |
180 | which. (This differs from the group signatures of \cite{Chaum:1991:GS} in | |
181 | two respects: firstly, the participants in a group signature scheme are | |
182 | explicitly enrolled into it; and secondly, a group signature scheme includes | |
183 | an authority who can reveal the individual participant who signed a | |
184 | particular message.) | |
185 | ||
186 | All of the deniable protocols described above are fundamentally | |
187 | \emph{interactive}, and therefore unsuitable for use in an encryption scheme. | |
188 | On the other hand, we have an advantage over the designers of plain deniable | |
189 | authentication protocols, since we can assume that both the sender \emph{and} | |
190 | the recipient have public keys. This can be seen to be essential in a | |
191 | non-interactive scheme as follows. If an authentication scheme doesn't | |
192 | somehow identify a specific recipient (or set of recipients) then either | |
193 | everyone can verify authenticity or nobody can. In the latter case, the | |
194 | scheme is useless; in the former, it is undeniable. An interactive protocol | |
195 | can identify the recipient implicitly through the interaction. A | |
196 | non-interactive scheme doesn't have this luxury; the only means remaining is | |
197 | to assume that the recipient knows something -- i.e., a private key. | |
198 | ||
199 | \fixme Naccache \cite{Naccache:2010:ITC} asked | |
200 | \begin{quote} | |
201 | Construct a non-interactive authenticated PKE scheme: | |
202 | \begin{itemize} | |
203 | \item Alice encrypts a message for Bob and mixes with it a secret. | |
204 | \item Bob can ascertain that the message cam from Alice. | |
205 | \item Bob cannot convey this conviction to anybody. | |
206 | \end{itemize} | |
207 | \end{quote} | |
208 | ||
209 | \subsection{Our contribution} | |
210 | \label{sec:intro.contribution} | |
211 | ||
212 | We provide formal definitions for deniably authenticated asymmetric | |
213 | encryption. We give a `strong' definition, which allows a sender to deny | |
214 | convincingly ever having communicated with a recipient, and a `weak' | |
215 | definition, where it may be possible to prove the fact of communication, but | |
216 | not the contents. (This latter definition turns out to be rather | |
217 | complicated.) | |
218 | ||
219 | We also describe simple and efficient schemes which meet these definitions of | |
220 | security. Our weakly deniable scheme is generic: it uses an asymmetric key | |
221 | encapsulation mechanism, a digital signature scheme, and an authenticated | |
222 | symmetric encryption scheme: security is proven in the standard model. We | |
223 | show that Diffie--Hellman key distribution \cite{Diffie:1976:NDC} is a basis | |
224 | for a strongly deniable authenticated encryption scheme. We describe such a | |
225 | scheme and prove security, assuming the difficulty of the computational | |
226 | Diffie--Hellman problem, in the random oracle model. | |
227 | ||
228 | %%%-------------------------------------------------------------------------- | |
229 | \section{Preliminaries} | |
230 | \label{sec:pre} | |
231 | ||
232 | %% Key encapsulation ROR-CCA | |
233 | %% IND-CCA for symmetric encryption | |
234 | %% Asymmetric authenticated encryption -- outsider IND and UF | |
235 | %% Timing of adversaries includes oracles and loading | |
236 | %% Pseudorandom generator? (Could just assume bigger KEM output) | |
237 | %% Digital signatures EUF-CMA. | |
238 | ||
239 | \subsection{Binary strings and encodings} | |
240 | \label{sec:bin} | |
241 | ||
242 | We write $\Bin = \{ 0, 1 \}$ as the set of binary digits; $\Bin^t$ is the set | |
243 | of $t$-bit strings, and $\Bin^* = \bigcup_{0\le i} \Bin^i$ is the set of all | |
244 | binary strings. We write $\emptystring$ for the empty string. If $m$ is a | |
245 | binary string then $|m|$ is the length of $m$; so $m \in \Bin^{|m|}$, and | |
246 | $|\emptystring| = 0$. If $0 \le i < |m|$ then $m[i]$ is the $i$th bit of | |
247 | $m$. If $m$ and $n$ are two strings then $m \cat n$ is their concatenation; | |
248 | we have $|m \cat n| = |m| + |n|$; $m \cat \emptystring = \emptystring \cat m | |
249 | = m$; and $(m \cat n)[i] = m[i]$ if $i < |m|$ and $n[i - |m|]$ otherwise. If | |
250 | $0 \le i \le j \le |m|$ then $m[i \bitsto j]$ is the substring starting with | |
251 | bit~$i$ and ending before bit~$j$ -- so $|m[i \bitsto j]| = j - i$, $m[i | |
252 | \bitsto j][k] = m[i + k]$, and $m = m[0 \bitsto i] \cat m[i \bitsto j] \cat | |
253 | m[j \bitsto |m|]$. | |
254 | ||
255 | We shall assume the existence of a deterministic, unambiguous encoding of | |
256 | integers, group elements, and other such objects, as bit strings. Rather | |
257 | than build a complicated formalism, we shall simply write $[a, b, c, \ldots]$ | |
258 | as the encoding of items $a$, $b$, $c$, \dots If $n$ is an integer with $0 | |
259 | \le n < 2^k$ then $[n]_k$ is a $k$-bit encoding of $n$. | |
260 | ||
261 | We assume the existence of a distinguished object~$\bot$ (pronounced | |
262 | `bottom'), and a set of \emph{atomic symbols}, written in | |
263 | \cookie{sans-serif}, whose purpose is simply to be distinct from all other | |
264 | objects. | |
265 | ||
266 | \subsection{Algorithms, oracles, and resource bounds} | |
267 | \label{sec:alg} | |
268 | ||
269 | We present algorithms using a fairly standard imperative notation. We write | |
270 | $x \gets \tau$ to mean that variable~$x$ is to be assigned the value of the | |
271 | term~$\tau$. If $S$ is a set, then $x \getsr S$ means that $x$ is to be | |
272 | assigned an element of $S$ chosen uniformly and independently at random. | |
273 | Variables are globally scoped. Indentation is used to indicate the extent of | |
274 | iterated and conditional fragments. | |
275 | ||
276 | We make frequent use of implicit `destructuring' (or `pattern matching') in | |
277 | algorithm descriptions: a tuple (in parentheses, as is conventional) or | |
278 | encoded sequence (in square brackets) containing variables may appear on the | |
279 | left of an assignment, or as a formal argument to a procedure, indicating | |
280 | that the corresponding right-hand-side or actual argument is to be decoded | |
281 | and split up according to the structure of the pattern | |
282 | ||
283 | Oracles provided to algorithms are written as superscripts; the inputs | |
284 | supplied in an oracle query are written as `$\cdot$'. | |
285 | ||
286 | We work throughout in the tradition of concrete security, as initiated in | |
287 | \cite{Bellare:1994:SCB}. We consider adversaries operating under explicit | |
288 | resource bounds of time and numbers of oracle queries, and provide explicit | |
289 | bounds on their success probabilities and advantages. We find that this | |
290 | approach both simplifies presentation -- since we no longer have to deal with | |
291 | families of objects indexed by security parameters or other artificial | |
292 | features of the asymptotic approach -- and provides more practically useful | |
293 | results. (As an aside, we remark that, \cite{Goldreich:1997:FMCa} | |
294 | notwithstanding, it's much easier to derive asymptotic results from concrete | |
295 | ones than \emph{vice versa}.) | |
296 | ||
297 | We make use of the random oracle model, as formalized in | |
298 | \cite{Bellare:1993:ROP}. Rather than give separate definitions for security | |
299 | with random oracles, we shall quietly include a bound $q_H$ on an adversary's | |
300 | random oracle queries when attacking a scheme which uses random oracles. | |
301 | ||
302 | The model of computation used to measure running times is not specified -- or | |
303 | especially important to our results. We do note, however, that running times | |
304 | \emph{include} the time taken by the `game' infrastructure, including any | |
305 | time needed for oracles to compute their results. In order to take into | |
306 | account algorithms which make use of precomputed tables, we also include in | |
307 | the running time a term proportional to the size of the algorithm's | |
308 | description according to the (unspecified) computational model. | |
309 | ||
310 | \subsection{Useful results} | |
311 | \label{sec:handy} | |
312 | ||
313 | The following lemma will be used in our security proofs. | |
314 | ||
315 | \begin{lemma}[Difference lemma \cite{Shoup:2002:OR}] | |
316 | \label{lem:shoup} | |
317 | Let $S$, $T$, and $F$ be events such that | |
318 | \[ \Pr[S \mid \bar{F}] = \Pr[T \mid \bar{F}] \] | |
319 | Then | |
320 | \[ \Pr[S] - \Pr[T] \le \Pr[F] \] | |
321 | \end{lemma} | |
322 | \begin{proof} | |
323 | A simple calculation: | |
324 | \begin{eqnarray*}[rl] | |
325 | \Pr[S] - \Pr[T] | |
326 | & = (\Pr[S \land F] + \Pr[S \land \bar{F}]) - | |
327 | (\Pr[T \land F] + \Pr[T \land \bar{F}]) \\ | |
328 | & = (\Pr[S \land F] - \Pr[T \land F]) + | |
329 | \Pr[\bar{F}] (\Pr[S \mid \bar{F}] - \Pr[T \mid \bar{F}]) \\ | |
330 | & \le \Pr[F] \eqnumber[\qed] | |
331 | \end{eqnarray*} | |
332 | \end{proof} | |
333 | ||
334 | %%%-------------------------------------------------------------------------- | |
335 | \section{Definitions} | |
336 | \label{sec:defs} | |
337 | ||
338 | This section presents our formal definitions for the structure and security | |
339 | properties of the cryptographic objects we'll be dealing with in the paper. | |
340 | Most of the definitions are fairly standard; the only slightly unusual aspect | |
341 | is that we deal with \emph{concrete} security, with explicit resource and | |
342 | probability bounds, rather than asymptotic notions. Therefore we don't need | |
343 | to mention an explicit security parameter or deal with ensembles of | |
344 | probability distributions. | |
345 | ||
346 | We strongly prefer the concrete security treatment. Asymptotic results | |
347 | follow as trivial corollaries of our main results; but deriving concrete | |
348 | security definitions and results from asymptotic statements is decidedly | |
349 | nontrivial. | |
350 | ||
351 | \subsection{Diffie--Hellman problems} | |
352 | \label{sec:dh} | |
353 | ||
354 | Throughout this section, let $(G, +)$ be a (necessarily cyclic) group of | |
355 | prime order, written additively; let $p = \#G$ be its order, and let $P$ be a | |
356 | generator of $G$. In order to simplify notation, we shall think of $G$ as | |
357 | being a $\gf{p}$-vector space; group elements (vectors) will be given | |
358 | uppercase letters, while elements of $\gf{p}$ (scalars) will be given | |
359 | lowercase letters. | |
360 | ||
361 | The computational Diffie--Hellman problem in $G$ is to determine $x y P$ | |
362 | given only $x P$ and $y P$. The problem is named after the authors of | |
363 | \cite{Diffie:1976:NDC}, whose key distribution scheme relies on the | |
364 | difficulty of this problem in the group $\gf{p}^*$ of units in a prime finite | |
365 | field. | |
366 | ||
367 | More formally, we use the following definition. | |
368 | ||
369 | \begin{definition}[Computational Diffie--Hellman] | |
370 | \label{def:cdh} | |
371 | ||
372 | If $A$ is any algorithm, then its \emph{advantage} in solving the | |
373 | computational Diffie--Hellman problem (CDH) in $G$ is given by | |
374 | \[ \Adv{cdh}{G}(A) = | |
375 | \Pr[\textrm{$x \getsr \gf{p}$; $y \getsr \gf{p}$} : | |
376 | A(x P, y P) = x y P] | |
377 | \] | |
378 | The CDH insecurity function of $G$ is then | |
379 | \[ \InSec{cdh}(G; t) = \max_A \Adv{cdh}{G}(A) \] | |
380 | where the maximum is taken over all algorithms~$A$ completing the game in | |
381 | time~$t$. | |
382 | \end{definition} | |
383 | ||
384 | We shall also make use of the \emph{twin Diffie--Hellman} problem | |
385 | \cite{cryptoeprint:2008:067}: given $x P$, $x' P$ and $y P$, to find $x y P$ | |
386 | and $x' y P$, given an oracle which can decide, given $(U, V, V')$, whether | |
387 | $V = x U$ and $V' = x' U$. | |
388 | ||
389 | \begin{definition}[Twin Diffie--Hellman] | |
390 | \label{def:2dh} | |
391 | ||
392 | An algorithm $A$'s ability to solve the twin Diffie--Hellman problem in a | |
393 | group~$G$ is measured using the following game. | |
394 | \begin{program} | |
395 | $\Game{2dh}{G}(A)$: \+ \\ | |
396 | $x \getsr \gf{p}$; | |
397 | $x' \getsr \gf{p}$; | |
398 | $y \getsr \gf{p}$; \\ | |
399 | $(Z, Z') \gets A^{\id{2dhp}(\cdot, \cdot, \cdot)}(x P, x' P, y P)$; \\ | |
400 | \IF $Z = x y P \land Z' = x' y P$ \THEN \RETURN $1$ \ELSE \RETURN $0$; | |
401 | \- \\[\medskipamount] | |
402 | $\id{2dhp}(U, V, V')$: \+ \\ | |
403 | \IF $V = x U \land V' = x' U$ \THEN \RETURN $1$ \ELSE \RETURN $0$; | |
404 | \end{program} | |
405 | If $A$ is any algorithm, then its \emph{advantage} in solving the twin | |
406 | Diffie--Hellman problem (2DH) in $G$ is given by | |
407 | \[ \Adv{2dh}{G}(A) = \Pr[\Game{2dh}{G}(A) = 1] \] | |
408 | Finally, the 2DH insecurity function of ~$H$ is given by | |
409 | \[ \InSec{2dh}(G; t, q) = \max_A \Adv{2dh}{G}(A) \] | |
410 | where the maximum is taken over all algorithms~$A$ completing the game in | |
411 | time~$t$ and making at most~$q$ queries to the \id{2dhp} oracle. | |
412 | \end{definition} | |
413 | ||
414 | This all seems rather artificial; but \cite{cryptoeprint:2008:067} relates | |
415 | 2DH security tightly to plain CDH security. The main trick is as follows. | |
416 | \begin{lemma}[Detecting 2DH triples] | |
417 | \label{lem:2dh-detect} | |
418 | ||
419 | Let $G$ be a cyclic group generated by~$P$, with prime order $p = \#G$. | |
420 | Let $X \in G$ be any group element; let $r$ and $s$ be any elements of | |
421 | $\gf{p}$, and set $X' = r P + s X$. If $Y = y P$ for some $y \in \gf{p}$, | |
422 | and $Z$, $Z'$ are two further group elements, then | |
423 | \begin{enumerate} | |
424 | \item if $Z = y X$, then and $Z' = y X'$ if and only if $Z' = r Y + s Z$; | |
425 | and, conversely, | |
426 | \item if $Z \ne y X$ then there is precisely one possible value of $s$ for | |
427 | which $Z' = y Y + s Z$. | |
428 | \end{enumerate} | |
429 | \end{lemma} | |
430 | \begin{proof} | |
431 | For the first statement, suppose that $Z = y X$; then $y X' = y (r P + s X) | |
432 | = r (y P) + s (y X) = r Y + s Z$. For the second, suppose now that $Z \ne | |
433 | y X$, but | |
434 | \[ Z' = r Y + s Z \] | |
435 | holds anyway. We already have $X' = r P + s X$, so | |
436 | \[ y X' = r Y + s y X \] | |
437 | Subtracting the latter equation from the former gives | |
438 | \[ Z' - y X' = s (Z - y X) \] | |
439 | Since $Z - y X \ne 0$, it generates $G$; hence there is a single satisfying | |
440 | $s \in \gf{p}$ as claimed. | |
441 | \end{proof} | |
442 | ||
443 | \begin{theorem}[$\textrm{CDH} \Leftrightarrow \textrm{2DH}$] | |
444 | \label{th:cdh-2dh} | |
445 | ||
446 | Let $G$ be a cyclic group with prime order; then | |
447 | \[ \InSec{cdh}(G; t) \le | |
448 | \InSec{2dh}(G; t, q) \le | |
449 | \InSec{cdh}(G; t + t') + \frac{q}{\#G} \] | |
450 | where $t'$ is the time taken to perform two scalar multiplications and an | |
451 | addition in $G$. | |
452 | \end{theorem} | |
453 | \begin{proof} | |
454 | The first inequality is obvious. For the second, suppose that $A$ is any | |
455 | algorithm for solving 2DH in~$G$. Let $p = \#G$. We define algorithm~$B$ | |
456 | as follows. | |
457 | \begin{program} | |
458 | $B(X, Y)$: \+ \\ | |
459 | $r \getsr \gf{p}$; | |
460 | $s \getsr \gf{p}$; | |
461 | $X' \gets r P + s X$; \\ | |
462 | $(Z, Z') \gets A^{\id{2dhp}'(\cdot, \cdot, \cdot)}(X, X', Y)$; \\ | |
463 | \IF $\id{2dhp}'(Y, Z, Z') = 1$ \THEN \RETURN $Z$ \ELSE \RETURN $\bot$; | |
464 | \- \\[\medskipamount] | |
465 | $\id{2dhp}'(U, V, V')$: \+ \\ | |
466 | \IF $V' = r U + s V$ \THEN \RETURN $1$ \ELSE \RETURN $0$; | |
467 | \end{program} | |
468 | If $A$ runs in time $t$, then $B$ runs in time~$t + t'$ as stated: while | |
469 | $\id{2dhp}'$ works differently from $\id{2dhp}$, the simultaneous | |
470 | multiplication in the former can be done more efficiently than the two | |
471 | separate multiplications in the latter; so the only overhead is in the | |
472 | additional setup. | |
473 | ||
474 | We have $r$ uniform on $\gf{p}$ and independent of $s$, so $\Pr[X' = A] = | |
475 | \Pr[r P = A - s X] = 1/p$ for any constant~$A$, so $X'$ is uniform on $G$ | |
476 | and independent of~$s$. By \xref{lem:2dh-detect}, there are at most $q$ | |
477 | values of $s$ which would cause $\id{2dhp}'$ to give an incorrect answer. | |
478 | The theorem follows. | |
479 | \end{proof} | |
480 | ||
481 | \subsection{Symmetric encryption} | |
482 | \label{sec:se} | |
483 | ||
484 | We shall require a symmetric encryption scheme; the syntax of such schemes is | |
485 | straightforward. The only slightly unusual feature of our definition is that | |
486 | we require the key space to be a set of binary strings of a given length: | |
487 | this will be important in what follows. | |
488 | ||
489 | \begin{definition}[Symmetric encryption syntax] | |
490 | \label{def:se-syntax} | |
491 | ||
492 | A \emph{symmetric encryption scheme} is a triple $\Pi_\textnm{se} = (k, E, | |
493 | D)$, where $k \ge 0$ is a nonnegative integer, and $E$ and $D$ are (maybe | |
494 | randomized) algorithms, as follows. | |
495 | \begin{itemize} | |
496 | \item The \emph{encryption algorithm}~$E$ accepts a key $K \in \Bin^k$ and | |
497 | a message $m \in \Bin^*$, and outputs a ciphertext $c \gets E_K(m)$. | |
498 | \item The \emph{decryption algorithm}~$D$ accepts a key $K \in \Bin^k$ and | |
499 | a ciphertext $c$, and outputs $m = D_K(c)$ which is either a message $m | |
500 | \in \Bin^*$ or the distinguished symbol~$\bot$. This decryption | |
501 | algorithm must be such that, for all $K \in \Bin^*$, and all messages $m | |
502 | \in \Bin^*$, if $c$ is any output of $E_K(m)$ then $D_K(c)$ outputs | |
503 | $m$. \qed | |
504 | \end{itemize} | |
505 | \end{definition} | |
506 | ||
507 | We define two security notions for symmetric encryption. | |
508 | ||
509 | Our notion of secrecy is \emph{indistinguishability under chosen-ciphertext | |
510 | attack} (IND-CCA). We choose a random key~$K$ for the symmetric encryption | |
511 | scheme and provide the adversary with two oracles: an encryption oracle which | |
512 | accepts two messages $m_0$ and $m_1$ of the same length, consistently chooses | |
513 | either $m_0$ or $m_1$, encrypts it using the key~$K$, and returns the | |
514 | resulting ciphertext $y = E_K(m_b)$; and a decryption oracle which accepts a | |
515 | ciphertext and returns the corresponding plaintext or an indication that the | |
516 | ciphertext was malformed. The scheme is considered secure if no adversary | |
517 | playing this game can determine whether the encryption oracle is encrypting | |
518 | $m_0$ or $m_1$. Since the game would be trivial if the adversary could ask | |
519 | for decryption of ciphertexts returned by the encryption oracle, we forbid | |
520 | (only) this. | |
521 | ||
522 | Our notion of authenticity is \emph{integrity of ciphertexts} (INT-CTXT). | |
523 | We choose a random key~$K$, and provide the adversary with two oracles: an | |
524 | encryption oracle which encrypts a message provided as input and returns the | |
525 | resulting ciphertext; and a decryption oracle which decrypts the ciphertext | |
526 | provided as input and returns the plaintext or an indication that the | |
527 | ciphertext was invalid. The scheme is considered security if no adversary | |
528 | playing this game can query its decryption oracle on a valid ciphertext which | |
529 | wasn't returned by the encryption oracle. | |
530 | ||
531 | These notions are standard; we take them from | |
532 | \cite{Bellare:2000:AER,cryptoeprint:2000:025}. Rogaway | |
533 | \cite{cryptoeprint:2006:221} presents a rather more convenient definition | |
534 | which combines both secrecy and authenticity into a single notion; this | |
535 | definition is stronger than we need because it requires that ciphertexts be | |
536 | indistinguishable from random data, rather than merely other ciphertexts. | |
537 | ||
538 | \begin{definition}[Symmetric encryption security] | |
539 | \label{def:se-security} | |
540 | ||
541 | Let $\Pi = (k, E, D)$ be a symmetric encryption scheme. An adversary~$A$'s | |
542 | ability to attack the security of $\Pi$ is measured using the following | |
543 | games. | |
544 | ||
545 | \begin{program} | |
546 | $\Game{ind-cca-$b$}{\Pi}(A)$: \+ \\ | |
547 | $K \getsr \Bin^k$; \\ | |
548 | $b' \gets A^{E_K(\id{lr}(\cdot, \cdot)), D_K(\cdot)}$; \\ | |
549 | \RETURN $b'$; | |
550 | \next | |
551 | $\id{lr}(m_0, m_1)$: \+ \\ | |
552 | \RETURN $m_b$; | |
553 | \newline | |
554 | $\Game{int-ctxt}{\Pi}(A)$: \+ \\ | |
555 | $K \getsr \Bin^k$; \\ | |
556 | $Y \gets \emptyset$; $w \gets 0$; \\ | |
557 | $A^{\id{encrypt}(\cdot), \id{decrypt}(\cdot)}$; \\ | |
558 | \RETURN $w$; \- | |
559 | \next | |
560 | $\id{encrypt}(m)$: \+ \\ | |
561 | $y \gets E_K(m)$; \\ | |
562 | $Y \gets Y \cup \{ y \}$; \\ | |
563 | \RETURN $y$; \- | |
564 | \next | |
565 | $\id{decrypt}(y)$: \+ \\ | |
566 | $m \gets D_K(y)$; \\ | |
567 | \IF $m \ne \bot \land y \notin Y$ \THEN $w \gets 1$; \\ | |
568 | \RETURN $m$; \- | |
569 | \end{program} | |
570 | ||
571 | In the IND-CCA games, we require that the two messages $m_0$ and $m_1$ | |
572 | passed to the encryption oracle have the same length, and that the | |
573 | adversary not query its decryption oracle on any ciphertext produced by the | |
574 | encryption oracle. | |
575 | ||
576 | The adversary's \emph{advantage} in these games is defined as follows. | |
577 | \begin{eqnarray*}[c] | |
578 | \Adv{ind-cca}{\Pi}(A) = | |
579 | \Pr[\Game{ind-cca-$1$}{\Pi}(A) = 1] - | |
580 | \Pr[\Game{ind-cca-$0$}{\Pi}(A) = 1] | |
581 | \\[\medskipamount] | |
582 | \Adv{int-ctxt}{\Pi}(A) = | |
583 | \Pr[\Game{int-ctxt}{\Pi}(A) = 1] | |
584 | \end{eqnarray*} | |
585 | ||
586 | Finally, the IND-CCA and INT-CTXT insecurity functions of $\Pi$ are given | |
587 | by | |
588 | \begin{eqnarray*}[c] | |
589 | \InSec{ind-cca}(\Pi; t, q_E, q_D) = \max_A \Adv{ind-cca}{\Pi}(A) | |
590 | \\[\medskipamount] | |
591 | \InSec{int-ctxt}(\Pi; t, q_E, q_D) = \max_A \Adv{int-ctxt}{\Pi}(A) | |
592 | \end{eqnarray*} | |
593 | where the maxima are taken over all adversaries~$A$ completing the game in | |
594 | time~$t$ and making at most $q_E$ and $q_D$ queries to their encryption and | |
595 | decryption oracles, respectively. | |
596 | \end{definition} | |
597 | ||
598 | In fact, our constructions only require security against a single | |
599 | chosen-plaintext query in order to achieve the usual notions of | |
600 | indistinguishability and authenticity (\xref{sec:aae}). However, in order to | |
601 | prove deniability we shall have need to encrypt additional messages under the | |
602 | same key, and it would be a shame to lose secrecy or authenticity as a | |
603 | consequence. | |
604 | ||
605 | Symmetric encryption schemes according to this definition can easily be | |
606 | constructed using a generic `encrypt-then-authenticate' approach using a | |
607 | symmetric encryption scheme secure against chosen-plaintext attack and a | |
608 | message authentication code (MAC) secure against `strong' forgery under | |
609 | chosen-message attack.\footnote{% | |
610 | Such schemes may fail to meet Rogaway's stronger definition because MAC | |
611 | tags need not be indistinguishable from random data.} % | |
612 | Alternatively, there are dedicated schemes based on block ciphers, such as | |
613 | OCB~\cite{Rogaway:2002:AEA,Rogaway:2001:OCB,cryptoeprint:2001:026}, | |
614 | CCM~\cite{rfc3610,Dworkin:2003:DRB} (but note \cite{cryptoeprint:2003:070}) | |
615 | and GCM~\cite{McGrew:2004:SPG}. | |
616 | ||
617 | \subsection{Key encapsulation mechanisms} | |
618 | \label{sec:kem} | |
619 | ||
620 | A \emph{key encapsulation mechanism}, or KEM, is an asymmetric cryptographic | |
621 | scheme for transferring a short random secret (e.g., a symmetric key) to a | |
622 | recipient. It differs from asymmetric encryption in that the KEM is | |
623 | responsible for choosing the random string as part of its operation, rather | |
624 | than having it be an input. This makes efficient constructions simpler and | |
625 | more efficient, and makes security reductions more efficient (and hence more | |
626 | meaningful). | |
627 | ||
628 | ElGamal's encryption scheme \cite{ElGamal:1985:PKCb} be seen, with copious | |
629 | hindsight, as consisting of a KEM based on the Diffie--Hellman problem | |
630 | combined with a symmetric encryption using the same group operation as a | |
631 | one-time pad. Zheng and Seberry \cite{Zheng:1993:PAA}, inspired by | |
632 | Damg\aa{}rd's `modified ElGamal' scheme \cite{Damgaard:1991:TPP}, present a | |
633 | number of constructions (without proofs) of asymmetric encryption schemes | |
634 | secure against adaptive chosen-ciphertext attacks. The DHIES scheme of | |
635 | Abdalla, Bellare, and Rogaway | |
636 | \cite{cryptoeprint:1999:007,Abdalla:2001:DHIES}, standardized in | |
637 | \cite{IEEE:2000:1363}), uses a hash function to derive a symmetric key from | |
638 | the Diffie--Hellman shared secret; they prove security against | |
639 | chosen-ciphertext attack. Finally, Shoup \cite{cryptoeprint:2001:112} | |
640 | formalizes the notion of a key-encapsulation, and describes one (RSA-KEM, | |
641 | formerly `Simple RSA') based on the RSA primitive \cite{Rivest:1978:MOD}. | |
642 | ||
643 | \begin{definition}[Key encapsulation mechanism syntax] | |
644 | \label{def:kem-syntax} | |
645 | ||
646 | A \emph{key encapsulation mechanism} is a quadruple $\Pi_\textnm{kem} = | |
647 | (\ell, G, E, D)$ where $\ell \ge 0$ is a non-negative integer, and $G$, $E$ | |
648 | and $D$ are (maybe randomized) algorithms, as follows. | |
649 | \begin{itemize} | |
650 | \item The \emph{key-generation algorithm} $G$ accepts no parameters and | |
651 | outputs a pair $(x, X) \gets G()$. We call $x$ the \emph{private key} | |
652 | and $X$ the \emph{public key}. | |
653 | \item The \emph{encapsulation algorithm} $E$ accepts a public key $X$ and | |
654 | outputs a pair $(K, u) \gets E_X()$ where $K \in \Bin^\ell$ is a bit | |
655 | string, and $u$ is a `clue'. | |
656 | \item The \emph{decapsulation algorithm} $D$ accepts a private key $x$ and | |
657 | a clue $u$, and outputs $K \gets D_x(u)$ which is either a string $K \in | |
658 | \Bin^\ell$ or the distinguished symbol $\bot$. The decapsulation | |
659 | algorithm must be such that if $(x, X)$ is any pair of keys produced by | |
660 | $G$, and $(K, u)$ is any key/clue pair output by $E_X()$, then $D_x(u)$ | |
661 | outputs $K$. \qed | |
662 | \end{itemize} | |
663 | \end{definition} | |
664 | ||
665 | Our notion of security is indistinguishability from random under | |
666 | chosen-ciphertext attack (IND-CCA). We generate a key pair, and invoke the | |
667 | encapsulation algorithm on the public key. The adversary is provided with | |
668 | the resulting KEM clue and an $\ell$-bit string. It may query an oracle | |
669 | which accepts a clue as input and returns the result of applying the | |
670 | decapsulation algorithm to it using the private key. The scheme is | |
671 | considered secure if the adversary cannot determine whether its input string | |
672 | was the output of the key encapsulation algorithm, or generated uniformly at | |
673 | random and independently. Since this game can be won easily if the adversary | |
674 | is permitted query its decapsulation oracle on its input clue, we forbid | |
675 | (only) this. | |
676 | ||
677 | \begin{definition}[Key encapsulation mechanism security] | |
678 | \label{def:kem-security} | |
679 | ||
680 | Let $\Pi = (\ell, G, E, D)$ be a key encapsulation mechanism. We measure | |
681 | an adversary~$A$'s ability to attack $\Pi$ using the following games. | |
682 | \begin{program} | |
683 | $\Game{ind-cca-$b$}{\Pi}(A)$: \+ \\ | |
684 | $(x, X) \gets G()$; \\ | |
685 | $K_0 \getsr \Bin^\ell$; \\ | |
686 | $(K_1, u) \gets E_X()$; \\ | |
687 | $b' \gets A^{D_x(\cdot)}(K_b, u)$; \\ | |
688 | \RETURN $b'$; | |
689 | \end{program} | |
690 | In these games, the adversary is forbidden from querying its decapsulation | |
691 | oracle at the challenge clue $u$. | |
692 | ||
693 | The adversary's IND-CCA \emph{advantage} is measured by | |
694 | \[ \Adv{ind-cca}{\Pi}(A) = | |
695 | \Pr[\Game{ind-cca-$1$}{\Pi}(A) = 1] - | |
696 | \Pr[\Game{ind-cca-$0$}{\Pi}(A) = 1] | |
697 | \] | |
698 | Finally, the IND-CCA insecurity function of $\Pi$ is defined by | |
699 | \[ \InSec{ind-cca}(\Pi; t, q_D) = \max_A \Adv{ind-cca}{\Pi}(A) \] | |
700 | where the maximum is taken over all adversaries~$A$ completing the game in | |
701 | time~$t$ and making at most $q_D$ queries to their decapsulation oracles. | |
702 | \end{definition} | |
703 | ||
704 | \subsection{Digital signatures} | |
705 | \label{sec:sig} | |
706 | ||
707 | Our definition for digital signatures is, more specifically, for signature | |
708 | schemes with appendix: the signing algorithm produces a signature, | |
709 | and the verification algorithm requires both the signature and the original | |
710 | message in order to function. | |
711 | ||
712 | \begin{definition}[Digital signature syntax] | |
713 | \label{def:sig-syntax} | |
714 | ||
715 | A \emph{digital signature scheme} is a triple $\Pi_\textnm{sig} = (G, S, | |
716 | V)$ of (maybe randomized) algorithms, as follows. | |
717 | \begin{itemize} | |
718 | \item The \emph{key-generation algorithm} $G$ accepts no parameters and | |
719 | outputs a pair $(x, X) \gets G()$. We call $x$ the \emph{private key} | |
720 | and $X$ the \emph{public key}. | |
721 | \item The \emph{signature algorithm} $S$ accepts a private key~$x$ and a | |
722 | message~$m \in \Bin^*$, and outputs a signature~$\sigma \gets S_x(m)$. | |
723 | \item The \emph{verification algorithm} $V$ accepts a public key~$X$, a | |
724 | message~$m \in \Bin^*$, and a signature~$\sigma$, and outputs a bit $b | |
725 | \gets V_X(m, \sigma)$ subject to the condition that, if $(x, X)$ is any | |
726 | key pair output by $G$, $m \in \Bin^*$ is any message, and $\sigma$ is | |
727 | any signature output by $S_x(m)$, then $V_X(m, \sigma)$ outputs $1$. | |
728 | \qed | |
729 | \end{itemize} | |
730 | \end{definition} | |
731 | ||
732 | Our notion of security for digital signatures is \emph{existential | |
733 | unforgeability under chosen-message attack} (EUF-CMA). It is essentially | |
734 | that of \cite{Goldwasser:1988:DSS}, modified to measure concrete security. | |
735 | We provide the adversary with a public key and a signing oracle which signs | |
736 | input messages using the corresponding private key. The scheme is considered | |
737 | secure if no adversary can output a valid message/signature pair for a | |
738 | message distinct from the adversary's signing queries. | |
739 | ||
740 | \begin{definition}[Digital signature security] | |
741 | \label{def:sig-security} | |
742 | ||
743 | Let $\Pi = (G, S, V)$ be a digital signature scheme. The \emph{advantage} | |
744 | of an adversary~$A$'s ability to attack $\Pi$ is given by | |
745 | \[ \Adv{euf-cma}{\Pi}(A) = \Pr[\textrm{ | |
746 | $(x, X) \gets G()$; | |
747 | $(m, \sigma) \gets A^{S_x(\cdot)}$ | |
748 | } : V_X(m, \sigma) = 1] | |
749 | \] | |
750 | where the adversary is forbidden from returning a message~$m$ if it queried | |
751 | its signing oracle~$S_x(\cdot)$ at $m$. | |
752 | ||
753 | The EUF-CMA \emph{insecurity function} of $\Pi$ is given by | |
754 | \[ \InSec{euf-cma}(\Pi; t, q) = \max_A \Adv{euf-cma}{\Pi}(A) \] | |
755 | where the maximum is taken over all adversaries~$A$ completing the game in | |
756 | time~$t$ and issuing at most $q$ signing-oracle queries. | |
757 | \end{definition} | |
758 | ||
759 | This notion is weaker than it might be. A possible strengthening would be to | |
760 | allow the adversary to return a pair~$(m, \sigma')$ even if it made a signing | |
761 | query for $m$, as long as the signing oracle didn't return the | |
762 | signature~$\sigma'$. We shall not require this stronger definition. | |
763 | ||
764 | \subsection{Authenticated asymmetric encryption} | |
765 | \label{sec:aae} | |
766 | ||
767 | Our definitions for authenticated asymmetric encryption are based on those of | |
768 | \cite{Baek:2007:FPS}. | |
769 | ||
770 | \begin{definition}[Authenticated asymmetric encryption syntax] | |
771 | \label{def:aae-syntax} | |
772 | ||
773 | An \emph{authenticated asymmetric encryption scheme} is a triple | |
774 | $\Pi_\textnm{aae} = (G, E, D)$ of (maybe randomized) algorithms, as | |
775 | follows. | |
776 | \begin{itemize} | |
777 | \item The \emph{key-generation algorithm} $G$ accepts no parameters and | |
778 | outputs a pair $(x, X) \gets G()$. We call $x$ the \emph{private key} | |
779 | and $X$ the \emph{public key}. | |
780 | \item The \emph{encryption algorithm} $E$ accepts a private key~$x$, a | |
781 | public key~$Y$, and a message $m \in \Bin^*$, and outputs a ciphertext $c | |
782 | \gets E_x(Y, m)$. | |
783 | \item The \emph{decryption algorithm} $D$ accepts a private key~$x$, a | |
784 | public key~$Y$ and a ciphertext~$c$, and outputs a result~$m \gets D_x(Y, | |
785 | c)$ which is either a message $m \in \Bin^*$ or the distinguished | |
786 | symbol~$\bot$. The decryption algorithm must be such that if $(x, X)$ | |
787 | and $(y, Y)$ are any two pairs of keys produced by $G$, $m$ is any | |
788 | message, and $c$ is any output of $E_x(Y, m)$, then $D_y(X, m)$ outputs | |
789 | $m$. \qed | |
790 | \end{itemize} | |
791 | \end{definition} | |
792 | ||
793 | Our security notion for secrecy is \emph{indistinguishability under outsider | |
794 | chosen-ciphertext attack} (IND-OCCA). We generate a key pair each for two | |
795 | participants, a `sender' and a `recipient'. The adversary is given the two | |
796 | public keys and provided with two oracles: an encryption oracle, which | |
797 | accepts a message and a public key, and encrypts the message using the public | |
798 | key and the sender's private key, returning the resulting ciphertext; and a | |
799 | decryption oracle, which accepts a ciphertext and a public key, and decrypts | |
800 | the ciphertext using the recipient's private key and checks it against the | |
801 | given public key, returning either the resulting plaintext or an indication | |
802 | that the decryption failed. The adversary runs in two stages: in the first | |
803 | `find' stage, it chooses two messages $m_0$ and $m_1$ of equal lengths and | |
804 | returns them; one of these messages is encrypted by the sender using the | |
805 | recipient's public key. The adversary's second stage is given the resulting | |
806 | `challenge' ciphertext. The scheme is considered secure if no adversary can | |
807 | determine which of its messages was encrypted. Since this is trivial if the | |
808 | adversary queries its decryption oracle with the challenge ciphertext and the | |
809 | sender's public key, (only) this is forbidden. The resulting game is | |
810 | precisely \cite{Baek:2007:FPS}'s `FSO/FUO-IND-CCA2', which corresponds to | |
811 | \cite{An:2002:SJS}'s notion of `multi-user outsider privacy'. A similar | |
812 | `insider security' notion would provide the adversary with the sender's | |
813 | private key. We prefer outsider security: the idea that we must prevent | |
814 | Alice from decrypting the message she just encrypted to send to Bob seems | |
815 | unnecessary. | |
816 | ||
817 | Our security notion for authenticity is \emph{unforgeability under outsider | |
818 | chosen-message attack} (UF-OCMA). Again, we generate sender and recipient | |
819 | keys, and the adversary is given the same two oracles. This time, the | |
820 | adversary's task is to submit to the decryption oracle a ciphertext which it | |
821 | accepts as being constructed by the sender, but is not equal to any | |
822 | ciphertext returned by the encryption oracle. This notion is strictly weaker | |
823 | than \cite{Baek:2007:FPS}'s FSO-UF-CMA, since it corresponds to | |
824 | \cite{An:2002:SJS,cryptoeprint:2002:046}'s `multi-user outsider | |
825 | authenticity', whereas FSO-UF-CMA corresponds to `multi-user \emph{insider} | |
826 | authenticity'. This weakening of security is a necessary consequence of our | |
827 | deniability requirements: we \emph{want} Alice to be able to forge messages | |
828 | that appear to be sent to her by Bob: see \xref{sec:deny.insider}. On the | |
829 | other hand, we allow the adversary to make multiple decryption queries; this | |
830 | makes a difference to our quantitative results. | |
831 | ||
832 | \begin{definition}[Authenticated asymmetric encryption scheme security] | |
833 | \label{def:aae-security} | |
834 | ||
835 | Let $\Pi = (G, E, D)$ be an asymmetric authenticated encryption scheme. An | |
836 | adversary $A$'s ability to attack the security of $\Pi$ is measured by the | |
837 | following games. | |
838 | ||
839 | \begin{program} | |
840 | $\Game{ind-occa-$b$}{\Pi}(A)$: \+ \\ | |
841 | $(x, X) \gets G()$; | |
842 | $(y, Y) \gets G()$; \\ | |
843 | $(m_0, m_1, s) \gets | |
844 | A^{E_x(\cdot, \cdot), D_y(\cdot, \cdot)}(\cookie{find}, X, Y)$; \\ | |
845 | $c^* \gets E_x(Y, m_b)$; \\ | |
846 | $b' \gets | |
847 | A^{E_x(\cdot, \cdot), D_y(\cdot, \cdot)}(\cookie{guess}, c^*, s)$; \\ | |
848 | \RETURN $b'$; \- | |
849 | \\[\medskipamount] | |
850 | $\Game{uf-ocma}{\Pi}(A)$: \+ \\ | |
851 | $w \gets 0$; | |
852 | $\mathcal{C} \gets \emptyset$; \\ | |
853 | $(x, X) \gets G()$; | |
854 | $(y, Y) \gets G()$; \\ | |
855 | $A^{\id{enc}(\cdot, \cdot), \id{dec}}(X, Y)$; \\ | |
856 | \RETURN $w$; \- | |
857 | \next | |
858 | $\id{enc}(Z, m)$: \+ \\ | |
859 | $c \gets E_x(Z, m)$; \\ | |
860 | \IF $Z = Y$ \THEN $\mathcal{C} \gets \mathcal{C} \cup \{ c \}$; \\ | |
861 | \RETURN $c$; \- | |
862 | \\[\medskipamount] | |
863 | $\id{dec}(Z, c)$: \+ \\ | |
864 | $m \gets D_y(Z, c)$; \\ | |
865 | \IF $Z = X \land m \ne \bot \land c \notin \mathcal{C}$ \THEN | |
866 | $w \gets 1$; \\ | |
867 | \RETURN $m$; \- | |
868 | \end{program} | |
869 | ||
870 | In the IND-OCCA games $\Game{ind-occa-$b$}{\Pi}$, the adversary is | |
871 | forbidden from querying its decryption oracle $D_y(\cdot, \cdot)$ on the | |
872 | pair $(X, c^*)$; in the UF-OCMA game $\Game{uf-ocma}{\Pi}$, the adversary | |
873 | is forbidden from returning any ciphertext $c$ that it obtained by querying | |
874 | its encryption oracle~$E_x(\cdot, \cdot)$. | |
875 | ||
876 | The adversary's \emph{advantage} in these games is measured as follows. | |
877 | \begin{eqnarray*}[c] | |
878 | \Adv{ind-occa}{\Pi}(A) = | |
879 | \Pr[\Game{ind-occa-$1$}{\Pi}(A) = 1] - | |
880 | \Pr[\Game{ind-occa-$0$}{\Pi}(A) = 1] | |
881 | \\[\medskipamount] | |
882 | \Adv{uf-ocma}{\Pi}(A) = | |
883 | \Pr[\Game{uf-ocma}{\Pi}(A) = 1] | |
884 | \end{eqnarray*} | |
885 | Finally, the IND-CCA and OUF-CMA insecurity functions of $\Pi$ are given by | |
886 | \begin{eqnarray*}[c] | |
887 | \InSec{ind-occa}(\Pi; t, q_E, q_D) = \max_A \Adv{ind-occa}{\Pi}(A) | |
888 | \\[\medskipamount] | |
889 | \InSec{uf-ocma}(\Pi; t, q_E, q_D) = \max_A \Adv{uf-ocma}{\Pi}(A) | |
890 | \end{eqnarray*} | |
891 | where the maxima are taken over all adversaries~$A$ completing the game in | |
892 | time~$t$ and making at most $q_E$ and $q_D$ queries to their encryption and | |
893 | decryption oracles, respectively. | |
894 | \end{definition} | |
895 | ||
896 | %%%-------------------------------------------------------------------------- | |
897 | \section{Defining deniably authenticated encryption} | |
898 | \label{sec:deny} | |
899 | ||
900 | The basic intuition behind deniably authenticated encryption is fairly clear. | |
901 | If Bob sends a message Alice, then she shouldn't later be able to convince a | |
902 | third party -- Justin, say -- that Bob actually sent it. Of course, we're | |
903 | considering encrypted messages, so Alice will have to send something other | |
904 | than just the message to Justin if he's to be convinced of anything. | |
905 | (Otherwise Justin is able to compromise the indistinguishability of the | |
906 | encryption scheme.) | |
907 | ||
908 | This intuition seems fairly clear; but, as we shall see, the notion of | |
909 | deniably authenticated encryption is somewhat slippery to formalize. | |
910 | ||
911 | \subsection{An attempt at a formal definition} | |
912 | \label{sec:deny.first} | |
913 | ||
914 | Following our intuition above, we model Justin as an algorithm~$J$ which | |
915 | receives as input a message~$m$ and ciphertext~$c$, and some other | |
916 | information, and outputs either~$1$ or $0$ depending on whether it is | |
917 | convinced that $c$ represents an authentic encryption of $m$ sent from Bob to | |
918 | Alice. For deniability, we shall require the existence of a \emph{simulator} | |
919 | which forges ciphertexts sufficiently well that Justin can't distinguish them | |
920 | from ones that Bob made. The difficult questions concern which inputs we | |
921 | should give Justin on the one hand, and the simulator on the other. | |
922 | ||
923 | The simulator is easier. We must provide at least Bob's public key, in order | |
924 | to identify him as the `sender'. We must also provide Alice's \emph{private} | |
925 | key. This initially seems excessive; but a simulator which can forge | |
926 | messages without Alice's private key exhibits an outsider-authenticity | |
927 | failure. (We could get around this by providing Bob's private key and | |
928 | Alice's public key instead, but we already know that Bob can construct | |
929 | plausible ciphertexts, so this seems uninteresting -- for now.) We should | |
930 | also give the simulator the `target' message for which it is supposed to | |
931 | concoct a ciphertext: allowing the simulator to make up the target message | |
932 | yields a very poor notion of deniability. Finally, we might give the | |
933 | simulator a \emph{valid} ciphertext from Bob to Alice. Doing this weakens | |
934 | our deniability, because Bob may no longer be able to deny engaging in any | |
935 | form of communication with Alice; but this seems a relatively minor | |
936 | complaint. We therefore end up with two different notions: \emph{strong | |
937 | deniability}, where the simulator is given only the keys and the target | |
938 | message; and \emph{weak deniability}, where the simulator is also provided | |
939 | with a valid ciphertext. | |
940 | ||
941 | Now we turn to Justin's inputs. It's clear that if he can say whether a | |
942 | ciphertext is an encryption of some specified message given only Alice's and | |
943 | Bob's public keys then he exhibits an outsider-secrecy failure. If Alice is | |
944 | to prove anything useful about the ciphertext to Justin, then, she must | |
945 | provide additional information, possibly in the form of a zero-knowledge | |
946 | proof. We don't need to model this, though: it's clearly \emph{sufficient} | |
947 | to hand Alice's private key to Justin. On the other hand, this is also | |
948 | \emph{necessary}, since \emph{in extremis} Alice could do precisely this. | |
949 | Similarly, it might be the case that Justin demands that Bob engage in some | |
950 | protocol in an attempt to demonstrate his innocence. We can therefore also | |
951 | give Bob's private key to Justin. | |
952 | ||
953 | This gives us enough to define our notion of \emph{strong deniability}. As | |
954 | we shall see, however, weak deniability is somewhat trickier to capture. | |
955 | ||
956 | \begin{definition}[Strongly deniable authenticated asymmetric encryption] | |
957 | \label{def:aae-sdeny} | |
958 | ||
959 | Let $\Pi = (G, E, D)$ be an asymmetric authenticated encryption scheme, and | |
960 | let $S$ (the `simulator') and $J$ (the `judge') be algorithms. The | |
961 | simulator's ability to deceive the judge is measured by the following | |
962 | games. | |
963 | \begin{program} | |
964 | $\Game{sdeny-$b$}{\Pi, S}(J, m_0, m_1)$: \+ \\ | |
965 | $(x, X) \gets G()$; | |
966 | $(y, Y) \gets G()$; \\ | |
967 | $c_0 \gets E_y(X, m_0)$; \\ | |
968 | $c_1 \gets S(x, Y, m_1)$; \\ | |
969 | $b' \gets J(x, X, y, Y, c_b, m_b)$; \\ | |
970 | \RETURN $b'$; | |
971 | \end{program} | |
972 | ||
973 | We measure $J$'s \emph{advantage} in distinguishing simulated ciphertexts | |
974 | from genuine ones by | |
975 | \[ \Adv{sdeny}{\Pi, S}(J) = \max_{m_0, m_1 \in \Bin^*} \bigl( | |
976 | \Pr[\Game{sdeny-$1$}{\Pi, S}(J, m_0, m_1) = 1] - | |
977 | \Pr[\Game{sdeny-$0$}{\Pi, S}(J, m_0, m_1) = 1] \bigr) \] | |
978 | Finally, we define the \emph{insecurity function} of $S$ as a simulator for | |
979 | the deniability of $\Pi$ by | |
980 | \[ \InSec{sdeny}(\Pi, S; t) = \max_J \Adv{sdeny}{\Pi, S}(J) \] | |
981 | where the maximum is taken over all algorithms~$J$ completing the game in | |
982 | time~$t$. | |
983 | \end{definition} | |
984 | ||
985 | \subsection{Chameleon signatures and weak deniability} | |
986 | \label{sec:deny.weak} | |
987 | ||
988 | Unfortunately, this still isn't quite enough. Chameleon signatures | |
989 | \cite{cryptoeprint:1998:010} achieve weak deniability as we've outlined above | |
990 | but still provide a kind of nonrepudiation property. Briefly, a chameleon | |
991 | signature uses trapdoor commitments: Alice generates a trapdoor and a public | |
992 | key for the commitment scheme; Bob signs a message $m$ by creating a | |
993 | commitment for $m$ using Alice's public key, signs the commitment (and | |
994 | Alice's public commitment key) with an ordinary EUF-CMA signature scheme, and | |
995 | presents the pair of this signature and an opening of the commitment as his | |
996 | chameleon signature on~$m$. This achieves a limited form of deniability | |
997 | (called `non-transferability' in \cite{cryptoeprint:1998:010}): Alice can | |
998 | forge signatures using her trapdoor, so she can't convince others of the | |
999 | signature's validity -- but she can only do this for commitments that Bob has | |
1000 | already signed, or she'd break the unforgeability of the underlying signature | |
1001 | scheme. In theory, then, a dispute can be settled by demanding that Bob | |
1002 | provide an opening to the commitment different from Alice's: if he can, then | |
1003 | Alice must have used her trapdoor; otherwise he is deemed to accept the | |
1004 | validity of the signature. This looks like a deniability failure. | |
1005 | ||
1006 | (Di~Raimondo and Gennaro \cite{Raimondo:2005:NAD} frame the same problem in | |
1007 | terms of a deniability failure for the receiver, and describe a notion of | |
1008 | `forward deniability' which excludes this failure. The difference in point | |
1009 | of view is mainly whether we consider the sender acting voluntarily or under | |
1010 | compulsion.) | |
1011 | ||
1012 | None of this affects strong deniability. If Alice can make up plausible | |
1013 | messages from nothing but Bob's public key then Bob has nothing to prove. | |
1014 | (We prove a formal version of this statement in \xref{th:strong-weak}.) But | |
1015 | it means that our weak deniability is still too weak. | |
1016 | ||
1017 | The fundamental problem is that, if the recipient's simulator needs a valid | |
1018 | ciphertext to work on, then there must be at least one valid ciphertext for | |
1019 | any simulated one, and Bob should be able to produce it; if he can't, then we | |
1020 | conclude that the ciphertext we have is the valid original. To avoid this, | |
1021 | then, we must demand a \emph{second} simulator: given a genuine | |
1022 | ciphertext~$c$ corresponding to a message~$m$, Alice's public key, Bob's | |
1023 | private key, and a target message~$m'$, the simulator must construct a new | |
1024 | ciphertext~$c'$. To test the efficacy of this simulator, we ask that Justin | |
1025 | attempt to distinguish between, on the one hand, a legitimate | |
1026 | message/ciphertext pair and an `Alice-forgery' created by the first | |
1027 | simulator, and on the other hand, a `Bob-forgery' created by the second | |
1028 | simulator and a legitimate message/ciphertext pair: the simulator is good if | |
1029 | Justin can't distinguish these two cases. The intuition here is Justin is | |
1030 | being asked to adjudicate between Alice and Bob: each of them claims to have | |
1031 | the `legitimate' ciphertext, but one of them has secretly used the | |
1032 | simulator. Justin shouldn't be able to work out which is telling the truth. | |
1033 | ||
1034 | A scheme based on chameleon signatures fails to meet this stricter | |
1035 | definition. Justin looks at the two chameleon signatures: if they have the | |
1036 | same underlying signature, it's an Alice forgery; if the signatures differ | |
1037 | then it's a Bob forgery. If the second simulator, which isn't given Alice's | |
1038 | trapdoor key, can make a second ciphertext using the same underlying | |
1039 | signature then either it can find a new commitment with the same signature, | |
1040 | which is an non-repudiation failure for the signature,\footnote{% | |
1041 | Well, almost. In fact, signature schemes as we've defined them don't have | |
1042 | to be unforgeable in this case. In the EUF-CMA game | |
1043 | (\xref{def:sig-security}) the adversary is given only oracle access to the | |
1044 | signing algorithm, while the legitimate signer has access to the signing | |
1045 | algorithm's internal state which may help in the construction of forgeries. | |
1046 | We conclude that EUF-CMA is insufficient for non-repudiation.}% | |
1047 | or it can find a second opening of the commitment, which is a binding failure | |
1048 | for the commitment scheme. | |
1049 | ||
1050 | Again, we can distinguish two variant definitions, according to whether Bob's | |
1051 | simulator has to work only on the given ciphertext, or whether it's also | |
1052 | provided with a `hint' produced by the encryption algorithm but not made | |
1053 | available to the adversary in the IND-OCCA and UF-OCMA games. We prefer this | |
1054 | latter formulation;\footnote{% | |
1055 | As described in \cite{cryptoeprint:1998:010}, we could instead attach this | |
1056 | hint to the ciphertext, encrypted under a symmetric key. We shall describe | |
1057 | how this can be done with our proposed scheme.} % | |
1058 | we must therefore define formally our `leaky' encryption schemes which | |
1059 | provide such hints. As one would expect, the security notions carry over | |
1060 | directly because the adversary never gets to see the hints. | |
1061 | ||
1062 | \begin{definition}[Leaky authenticated asymmetric encryption] | |
1063 | \label{def:aae-leaky} | |
1064 | ||
1065 | A \emph{leaky authentic asymmetric encryption scheme} $\Pi_\textnm{laae} = | |
1066 | (G, E', D)$ is a triple of (maybe randomized) algorithms as follows. | |
1067 | \begin{itemize} | |
1068 | \item The \emph{leaky encryption algorithm} $E'$ accepts as input a private | |
1069 | key~$x$, a public key~$Y$, a message~$m$, and outputs a pair $(c, s) | |
1070 | \gets E'_x(Y, m)$ consisting of a ciphertext~$c$ and a \emph{hint}~$\nu$. | |
1071 | \item If we define $\bar E_x(Y, m)$ to perform $E$ and discard the hint | |
1072 | \begin{program} | |
1073 | $\bar E_x(Y, m)$: \+ \\ | |
1074 | $(c, \nu) \gets E_x(Y, m)$; \\ | |
1075 | \RETURN $c$ | |
1076 | \end{program} | |
1077 | then $\bar\Pi_\textnm{laae} = (G, \bar E, D)$ is an authenticated | |
1078 | asymmetric encryption scheme.\footnote{% | |
1079 | Think of the bar as `plugging the leak'.} % | |
1080 | \end{itemize} | |
1081 | For any adversary~$A$, time bound~$t$ and query bounds~$q_E$ and $q_D$, we | |
1082 | define | |
1083 | \begin{eqnarray*}[x] | |
1084 | \Adv{ind-occa}{\Pi_\textnm{laae}}(A) = | |
1085 | \Adv{ind-occa}{\bar\Pi_\textnm{laae}}(A) \qquad | |
1086 | \Adv{uf-ocma}{\Pi_\textnm{laae}}(A) = | |
1087 | \Adv{uf-ocma}{\bar\Pi_\textnm{laae}}(A) \\ | |
1088 | \InSec{ind-occa}(\Pi_\textnm{laae}; t, q_D) = | |
1089 | \InSec{ind-occa}(\bar\Pi_\textnm{laae}; t, q_D) \\ | |
1090 | \InSec{uf-ocma}(\Pi_\textnm{laae}; t, q_E) = | |
1091 | \InSec{uf-ocma}(\bar\Pi_\textnm{laae}; t, q_E) | |
1092 | \end{eqnarray*} | |
1093 | inheriting security definitions from the non-leaky version. | |
1094 | \end{definition} | |
1095 | ||
1096 | Obviously, any non-leaky scheme can easily be transformed into a leaky scheme | |
1097 | with a trivial `leak'. We shall make use of this below. | |
1098 | ||
1099 | We are now finally in a position to define \emph{weak deniability}. | |
1100 | ||
1101 | \begin{definition}[Weakly deniable authenticated asymmetric encryption] | |
1102 | \label{def:aae-wdeny} | |
1103 | ||
1104 | Let $\Pi = (G, E, D)$ be a leaky asymmetric authenticated encryption | |
1105 | scheme, and let $S$ and $S'$ (the `simulators'), and $J$ and $J'$ (the | |
1106 | `judges') be algorithms. The simulators' ability to deceive the judges is | |
1107 | measured using the following games. | |
1108 | \begin{program} | |
1109 | $\Game{wdeny-$b$}{\Pi, S}(J, m_0, m_1)$: \+ \\ | |
1110 | $(x, X) \gets G()$; | |
1111 | $(y, Y) \gets G()$; \\ | |
1112 | $(c_0, \nu) \gets E_y(X, m_0)$; \\ | |
1113 | $c_1 \gets S(x, Y, c_0, m_1)$; \\ | |
1114 | $b' \gets J(x, X, y, Y, c_b, m_b)$; \\ | |
1115 | \RETURN $b'$; | |
1116 | \next | |
1117 | $\Game{wdeny$'$-$0$}{\Pi, S, S'}(J', m_0, m_1)$: \+ \\ | |
1118 | $(x, X) \gets G()$; | |
1119 | $(y, Y) \gets G()$; \\ | |
1120 | $(c_0, \nu) \gets E_y(X, m_0)$; \\ | |
1121 | $c_1 \gets S'(X, y, c_0, \nu, m_1)$; \\ | |
1122 | $b' \gets J'(x, X, y, Y, c_0, m_0, c_1, m_1)$; \\ | |
1123 | \RETURN $b'$; | |
1124 | \- \\[\medskipamount] | |
1125 | $\Game{wdeny$'$-$1$}{\Pi, S, S'}(J', m_0, m_1)$: \+ \\ | |
1126 | $(x, X) \gets G()$; | |
1127 | $(y, Y) \gets G()$; \\ | |
1128 | $(c_1, \nu) \gets E_y(X, m_1)$; \\ | |
1129 | $c_0 \gets S(x, Y, c_1, m_0)$; \\ | |
1130 | $b' \gets J'(x, X, y, Y, c_0, m_0, c_1, m_1)$; \\ | |
1131 | \RETURN $b'$; | |
1132 | \end{program} | |
1133 | ||
1134 | We define the judges' \emph{advantage} at distinguishing the simulators' | |
1135 | output as follows. | |
1136 | \begin{eqnarray*}[x] | |
1137 | \begin{subsplit} \displaystyle | |
1138 | \Adv{wdeny}{\Pi, S}(J) = \max_{m_0, m_1 \in \Bin^*} \bigl( | |
1139 | \Pr[\Game{wdeny-$1$}{\Pi, S}(J, m_0, m_1) = 1] - {} \\ | |
1140 | \Pr[\Game{wdeny-$0$}{\Pi, S}(J, m_0, m_1) = 1] \bigr) | |
1141 | \end{subsplit} \\[\bigskipamount] | |
1142 | \begin{subsplit} \displaystyle | |
1143 | \Adv{wdeny$'$}{\Pi, S, S'}(J') = \max_{m_0, m_1 \in \Bin^*} \bigl( | |
1144 | \Pr[\Game{wdeny$'$-$1$}{\Pi, S, S'}(J', m_0, m_1) = 1] - {} \\ | |
1145 | \Pr[\Game{wdeny$'$-$0$}{\Pi, S, S'}(J', m_0, m_1) = 1] \bigr) | |
1146 | \end{subsplit} | |
1147 | \end{eqnarray*} | |
1148 | Finally, the insecurity function of the simulators is defined by | |
1149 | \[ \InSec{wdeny}(\Pi, S, S'; t) = \max\bigl( | |
1150 | \max_J \Adv{wdeny}{\Pi, S}(J), | |
1151 | \max_{J'} \Adv{wdeny$'$}{\Pi, S, S'}(J') | |
1152 | \bigr) | |
1153 | \] | |
1154 | where the maxima are taken over all judges~$J$ and~$J'$ completing their | |
1155 | respective games in time~$t$. | |
1156 | \end{definition} | |
1157 | ||
1158 | \subsection{Remarks} | |
1159 | \label{sec:deny.discuss} | |
1160 | ||
1161 | \subsubsection{Strong deniability implies weak deniability} | |
1162 | By now, it's probably not at all clear that strong deniability actually | |
1163 | implies weak deniability; but this is nonetheless true. The important | |
1164 | observation is that, since the recipient's simulator works without reference | |
1165 | to an existing ciphertext, the standard encryption algorithm works well as a | |
1166 | sender's simulator. This is expressed in the following theorem. | |
1167 | ||
1168 | \begin{theorem}[$\textrm{SDENY} \implies \textrm{WDENY}$] | |
1169 | \label{th:strong-weak} | |
1170 | ||
1171 | Let $\Pi = (G, E, D)$ be an authenticated asymmetric encryption scheme, and | |
1172 | let~$S$ be a simulator. Let $\Pi' = (G, E', D)$ where $E'_x(Y, m) = | |
1173 | (E_x(Y, m), \bot)$, so $\Pi'$ is a (trivially) `leaky' AAE scheme. Then | |
1174 | there exists a simulator~$S'$ such that | |
1175 | \[ \InSec{wdeny}(\Pi', S, S'; t) \le \InSec{sdeny}(\Pi, S; t') \] | |
1176 | where $t' - t$ is the time required for a single encryption. | |
1177 | \end{theorem} | |
1178 | \begin{proof} | |
1179 | The only difference between the SDENY and WDENY games is that the WDENY | |
1180 | simulator is given an additional argument; the simulator's output is the | |
1181 | same in both cases, as is the input to the judge. It follows, then, that | |
1182 | the strong-deniability simulator~$S$ is sufficient to show that, for | |
1183 | any judge~$J$ | |
1184 | \[ \Adv{wdeny}{\Pi', S}(J, m_0, m_1) \le \InSec{sdeny}(\Pi, S; t) \] | |
1185 | where $t$ is the running time of~$J$. | |
1186 | ||
1187 | The simulator~$S'$ simply uses the `proper' encryption algorithm: | |
1188 | \begin{program} | |
1189 | $S'(X, y, c, \nu, m)$: \+ \\ | |
1190 | $c' \gets E_y(X, m)$; \\ | |
1191 | \RETURN $c'$; | |
1192 | \end{program} | |
1193 | We must now show that this simulator is sufficient to convince any~$J'$ in | |
1194 | the WDENY$'$ game. | |
1195 | ||
1196 | The notation is uncomfortably heavyweight; let us write $\G{b} = | |
1197 | \Game{wdeny$'$-$b$}{\Pi', S, S'}$. In $\G1$ both ciphertexts are `genuine' | |
1198 | -- they were generated by the proper encryption algorithm, using the proper | |
1199 | private key. In $\G0$, on the other hand, the right-hand ciphertext is | |
1200 | genuine but the left-hand ciphertext is simulated by~$S$. However, $S$ is | |
1201 | meant to be a good simulator of genuine ciphertexts. Indeed, if $J'$ can | |
1202 | tell a pair of good, independently generated ciphertexts from a good | |
1203 | ciphertext and a (still independent) $S$-simulated one, then we can use it | |
1204 | to distinguish $S$'s simulations.\footnote{% | |
1205 | This independence, which follows from the fact that the strong | |
1206 | deniability simulator is required to work \emph{ab initio} without | |
1207 | reference to an existing ciphertext, is essential to the proof. Without | |
1208 | it, we'd `prove' that one needs only a single simulator to achieve weak | |
1209 | deniability -- but the previous discussion of chameleon signatures shows | |
1210 | that this is false.} % | |
1211 | ||
1212 | Choose some message~$m^*$. We construct an explicit~$J$ as follows. | |
1213 | \begin{program} | |
1214 | $J(x, X, y, Y, c, m)$: \+ \\ | |
1215 | $c^* \gets E_y(X, m^*)$; \\ | |
1216 | $b \gets J'(x, X, y, Y, c, m, c^*, m^*)$; \\ | |
1217 | \RETURN $b$; | |
1218 | \end{program} | |
1219 | This $J$ is given either a genuine or an $S$-simulated ciphertext and | |
1220 | message, allegedly for message~$m$. It generates a genuine ciphertext | |
1221 | independently for~$m'$. It now has either two independent genuine | |
1222 | ciphertexts or a genuine ciphertext and a simulation, and therefore | |
1223 | distinguishes the two cases exactly as well as $J'$. We conclude that | |
1224 | \[ \Adv{wdeny$'$}{\Pi', S, S'}(J') \le \InSec{sdeny}(\Pi S; t') \] | |
1225 | as required. | |
1226 | \end{proof} | |
1227 | ||
1228 | \subsubsection{Insider authenticity} | |
1229 | \label{sec:deny.insider} | |
1230 | There is a kind of attack considered in the study of key-exchange protocols | |
1231 | (see, for example, \cite{Blake-Wilson:1997:KAP}) called \emph{key-compromise | |
1232 | impersonation}. The adversary is assumed to know the long-term secret | |
1233 | information of one of the participants -- Alice, say. Clearly, he can now | |
1234 | impersonate Alice to Bob. If the protocol is vulnerable to key-compromise | |
1235 | impersonation attacks, however, he can also impersonate Bob -- or anybody | |
1236 | else of his choosing -- to Alice.\footnote{% | |
1237 | It is apparently considered unsatisfactory for a key-exchange protocol to | |
1238 | admit key-compromise impersonation, though it's unclear to us why we might | |
1239 | expect Alice to retain any useful security properties after having been | |
1240 | corrupted.} % | |
1241 | The analogue of key-compromise-impersonation resistance in the context of | |
1242 | noninteractive asymmetric encryption is \emph{insider authenticity}. | |
1243 | ||
1244 | Deniably authenticated asymmetric encryption schemes do not provide insider | |
1245 | authenticity: the two are fundamentally incompatible. Indeed, the existence | |
1246 | of the receiver simulator~$S$ in \xref{def:aae-sdeny} or \xref{def:aae-wdeny} | |
1247 | constitutes an insider-authenticity attack. | |
1248 | ||
1249 | Insider authenticity can be defined fairly easily by modifying the UF-OCMA | |
1250 | game of \xref{def:aae-security} to give the adversary the receiver's private | |
1251 | key~$y$; we shall omit the tedious formalities, but we shall end up with a | |
1252 | security measure $\InSec{uf-icma}(\Pi; t, q_E)$ (for `unforgeability under | |
1253 | insider chosen-message attack'). The attack is simple: retrieve a single | |
1254 | message~$m$ from the sender (if the scheme is only weakly deniable -- even | |
1255 | this is unnecessary if we have strong deniability), pass it to the | |
1256 | simulator~$S$, along with the private key~$y$ and a different message~$m' \ne | |
1257 | m$. Let $y'$ be the simulator's output. We know that the decryption | |
1258 | algorithm will always succeed on real ciphertexts; so if $p$ is the | |
1259 | probability that decryption fails, then | |
1260 | \[ \InSec{uf-icma}(\Pi; t_E + t_S, 1) \ge | |
1261 | p \ge 1 - \InSec{wdeny}(\Pi, S; t_D) \] | |
1262 | where $t_E$, $t_S$ and $t_D$ are the respective times required to encrypt a | |
1263 | message, run the receiver simulator, and decrypt a message. | |
1264 | ||
1265 | %%%-------------------------------------------------------------------------- | |
1266 | \section{Generic weakly deniable construction} | |
1267 | \label{sec:gwd} | |
1268 | ||
1269 | In this section we describe a generic construction meeting the definition of | |
1270 | `weak deniability' (\xref{def:aae-wdeny}), and prove its security. | |
1271 | ||
1272 | \subsection{Description of the construction} | |
1273 | \label{sec:gwd.description} | |
1274 | ||
1275 | Firstly, we give an informal description; then we present the formal version | |
1276 | as pseudocode. We need the following ingredients. | |
1277 | \begin{itemize} | |
1278 | \item A key encapsulation mechanism (KEM; | |
1279 | \xref{def:kem-syntax})~$\Pi_\textnm{kem} = (\ell, \mathcal{G}, \mathcal{E}, | |
1280 | \mathcal{D})$, secure against chosen-ciphertext attack (IND-CCA; | |
1281 | \xref{def:kem-security}). | |
1282 | \item A symmetric encryption scheme (\xref{def:se-syntax}) | |
1283 | scheme~$\Pi_\textnm{se} = (k, E, D)$, secure against chosen-ciphertext | |
1284 | attack and with integrity of ciphertexts (IND-CCA and INT-CTXT; | |
1285 | \xref{def:se-security}), where $k < \ell$. | |
1286 | \item A digital signature (\xref{def:sig-syntax}) scheme~$\Pi_\textnm{sig} = | |
1287 | (G, S, V)$, secure against existential forgery under chosen-message attack | |
1288 | (EUF-CMA; \xref{def:sig-security}) and satisfying the additional property | |
1289 | that the encoding $[\sigma]$ of any signature $\sigma$ has the same | |
1290 | length.\footnote{% | |
1291 | Most practical signature schemes, e.g., based on RSA | |
1292 | \cite{Rivest:1978:MOD,Bellare:1996:ESD,RSA:2002:PVR,rfc3447} or DSA | |
1293 | \cite{FIPS:2000:DSS}, have this property for arbitrary messages. | |
1294 | Regardless, we investigate how to weaken this requirement in | |
1295 | \xref{sec:gwd.variant}.} % | |
1296 | \end{itemize} | |
1297 | ||
1298 | Alice's private key consists of a private key~$a$ for the KEM and a private | |
1299 | key~$a'$ for the signature scheme; her public key consists of the two | |
1300 | corresponding public keys $A$ and~$A'$. Similarly, Bob's private key | |
1301 | consists of $b$ and $b'$ for the KEM and signature scheme, and his public key | |
1302 | is $B$ and $B'$. A diagram of the scheme is shown in \xref{fig:gwd}. | |
1303 | ||
1304 | To send a message~$m$ to Bob, Alice performs the following steps. | |
1305 | \begin{enumerate} | |
1306 | \item She runs the KEM on Bob's public key~$B$; it returns a `clue'~$u$ and | |
1307 | an $\ell$-bit `key'~$Z$. | |
1308 | \item She splits $Z$ into a $k$-bit key~$K$ for the symmetric encryption | |
1309 | scheme, and a $t$-bit `tag'~$\tau$. | |
1310 | \item She signs $[\tau, B]$ using the signature scheme and her private | |
1311 | key~$a'$, producing a signature~$\sigma$. | |
1312 | \item She encrypts the signature and her message using the symmetric | |
1313 | encryption scheme, with key~$K$, producing a ciphertext $y$. | |
1314 | \item The final ciphertext consists of two elements: the KEM clue~$u$ and the | |
1315 | symmetric ciphertext~$y$. | |
1316 | \end{enumerate} | |
1317 | To decrypt the message represented by $(u, y)$, Bob performs these steps. | |
1318 | \begin{enumerate} | |
1319 | \item He applies the KEM to the clue~$u$ and his private key~$b$, obtaining | |
1320 | an $\ell$-bit `key'~$Z$. | |
1321 | \item He splits $Z$ into a $k$-bit key~$K$ for the symmetric encryption | |
1322 | scheme and a $t$-bit tag~$\tau$. | |
1323 | \item He decrypts the ciphertext~$y$ using the symmetric encryption scheme | |
1324 | with key~$K$, obtaining a signature~$\sigma$ and a message~$m$. | |
1325 | \item He verifies the signature $\sigma$ on the pair~$[\tau, B]$, using | |
1326 | Alice's public key~$A'$. | |
1327 | \end{enumerate} | |
1328 | ||
1329 | \begin{figure} | |
1330 | \centering | |
1331 | \begin{tikzpicture} | |
1332 | \tikzset{ | |
1333 | box/.style = {draw, minimum size = 14pt, fill = #1}, | |
1334 | around/.style = {inner sep = 0pt, fit = #1}, | |
1335 | node distance = 5mm, | |
1336 | rounded/.style = {rounded corners = 2mm} | |
1337 | } | |
1338 | \node[box = blue!20] (kem) {$\mathcal{E}$}; | |
1339 | \node[box = red!20, left = -0.3pt] at (0, -1) (K) {$K$}; | |
1340 | \node[box = green!20, right = -0.3pt] at (0, -1) (tau) {$\tau$}; | |
1341 | \node[around = (K) (tau)] (Z) {}; | |
1342 | \draw[->] (kem) -- (Z); | |
1343 | \node[box = green!20, right = of tau] (tau2) {$\tau$}; | |
1344 | \node[box = blue!20, right = -0.6pt of tau2] (B) {$B$}; | |
1345 | \node[around = (tau2) (B)] (sign-input) {}; | |
1346 | \node at (B |- kem) {$B$} edge [->] (kem) | |
1347 | edge [->] (B); | |
1348 | \draw[->] (tau) -- (tau2); | |
1349 | \node[box = green!20, below = of sign-input] (sig) {$S$} | |
1350 | edge [<-] (sign-input); | |
1351 | \node[left = of sig] {$a'$} edge [->] (sig); | |
1352 | \node[box = green!20, below = of sig] (sigma) {$\sigma$} | |
1353 | edge [<-] (sig); | |
1354 | \node[box = yellow!20, right = -0.6pt of sigma, minimum width = 30mm] | |
1355 | (m) {$m$}; | |
1356 | \node at (m |- kem) {$m$} edge [->] (m); | |
1357 | \node[around = (sigma) (m)] (enc-input) {}; | |
1358 | \node[box = red!20, below = of m.south west] (enc) {$E$}; | |
1359 | \draw[->, rounded] (enc-input) |- (enc); | |
1360 | \draw[->, rounded] (K) |- (enc); | |
1361 | \node[box = red!20, below = of enc, minimum width = 35mm] (y) {$y$}; | |
1362 | \node[box = blue!20, left = -0.6pt of y] (u) {$u$}; | |
1363 | \draw[->] (enc) -- (y); | |
1364 | \draw[->, rounded] (kem) -- +(-1, 0) |- (u); | |
1365 | \end{tikzpicture} | |
1366 | \caption{Generic weakly-deniable asymmetric encryption} | |
1367 | \label{fig:gwd} | |
1368 | \end{figure} | |
1369 | ||
1370 | More formally, we define our generic weakly-deniable scheme | |
1371 | $\Pi_\textnm{aae-gwd}(\Pi_\textnm{kem}, \Pi_\textnm{sig}, \Pi_\textnm{se})$ | |
1372 | to be the triple of algorithms $(\Xid{G}{aae-gwd}, \Xid{E'}{aae-gwd}, | |
1373 | \Xid{D}{aae-gwd})$ as follows. | |
1374 | \begin{program} | |
1375 | $\Xid{G}{aae-gwd}()$: \+ \\ | |
1376 | $(x, X) \gets \mathcal{G}()$; \\ | |
1377 | $(x', X') \gets G()$; \\ | |
1378 | \RETURN $\bigl( (x, x'), (X, X') \bigr)$; \- | |
1379 | \newline | |
1380 | $\Xid{E'}{aae-gwd}_{x, x'}\bigl((Y, Y'), m\bigr)$: \+ \\ | |
1381 | $(Z, u) \gets \mathcal{E}_Y()$; \\ | |
1382 | $K \gets Z[0 \bitsto k]$; | |
1383 | $\tau \gets Z[k \bitsto \ell]$; \\ | |
1384 | $\sigma \gets S_{x'}([\tau, Y])$; \\ | |
1385 | $y \gets E_K([\sigma] \cat m)$; \\ | |
1386 | \RETURN $\bigl((u, y), K\bigr)$; \- | |
1387 | \next | |
1388 | $\Xid{D}{aae-gwd}_{x, x'}\bigl((Y, Y'), (u, y)\bigr)$: \+ \\ | |
1389 | $Z \gets \mathcal{D}_x(u)$; | |
1390 | \IF $Z = \bot$ \THEN \RETURN $\bot$; \\ | |
1391 | $K \gets Z[0 \bitsto k]$; | |
1392 | $\tau \gets Z[k \bitsto \ell]$; \\ | |
1393 | $\hat{m} \gets D_K(y)$; | |
1394 | \IF $\hat{m} = \bot$ \THEN \RETURN $\bot$; \\ | |
1395 | $[\sigma] \cat m \gets \hat{m}$; | |
1396 | \IF $V_{Y'}([\tau, X], \sigma) = 0$ \THEN \RETURN $\bot$; \\ | |
1397 | \RETURN $m$; | |
1398 | \end{program} | |
1399 | ||
1400 | \subsection{Conventional security} | |
1401 | \label{sec:gwd.aae} | |
1402 | ||
1403 | Before we embark on the formal security proof, it's worth reflecting on the | |
1404 | intuitive reason that the generic scheme is secure -- in the sense of | |
1405 | providing (outsider) secrecy and authenticity. | |
1406 | ||
1407 | Secrecy is fairly straightforward: it follows directly from the security of | |
1408 | the KEM and the symmetric encryption scheme. | |
1409 | ||
1410 | ||
1411 | Firstly we consider secrecy, and initially restrict our attention to secrecy | |
1412 | under chosen-plaintext attack only. If the KEM is any good then the key~$Z$ | |
1413 | appears to be random and particularly the first $k$ bits -- i.e., the | |
1414 | symmetric key~$K$ -- are unknown to the adversary. Since~$K$ is good, and we | |
1415 | assume that the symmetric scheme is good, then the ciphertext~$y$ hides~$m$, | |
1416 | and since~$y$ is the only part of the overall ciphertext that depends on~$m$ | |
1417 | this is sufficient. | |
1418 | ||
1419 | For secrecy under chosen-ciphertext attack we must show that a decryption | |
1420 | oracle doesn't help. A decryption query may share a KEM clue with a given | |
1421 | target ciphertext. If it does then we appeal to symmetric security; if not, | |
1422 | then the KEM security suffices. | |
1423 | ||
1424 | Finally we deal with authenticity. For a forgery to be successful, it must | |
1425 | contain a signature which can be verified using the purported sender's public | |
1426 | key; if the signature scheme is good, then this must be a signature actually | |
1427 | made by the purported sender. If the KEM clue on the forgery doesn't match | |
1428 | the clue from the message from which the signature was extracted, then the | |
1429 | tag taken from the forgery will fail to match with high probability. If the | |
1430 | KEM clue does match then the symmetric key must also match, and so the | |
1431 | symmetric scheme's authentication will ensure that the signature and message | |
1432 | are both unaltered -- so the forgery is trivial. | |
1433 | ||
1434 | We now present the formal security theorems. | |
1435 | ||
1436 | \begin{theorem}[AAE-GWD secrecy] | |
1437 | \label{th:gwd-secrecy} | |
1438 | Let $\Pi = \Pi_\textnm{aae-gwd}(\Pi_\textnm{kem}, \Pi_\textnm{sig}, | |
1439 | \Pi_\textnm{se})$ be as defined above. Then | |
1440 | \[ \InSec{ind-occa}(\Pi; t, q_E, q_D) \le \\ | |
1441 | 2\,\InSec{ind-cca}(\Pi_\textnm{kem}; t, q_D) + | |
1442 | \InSec{ind-cca}(\Pi_\textnm{se}; t, 1, q_D) | |
1443 | \] | |
1444 | \end{theorem} | |
1445 | \begin{theorem}[AAE-GWD authenticity] | |
1446 | \label{th:gwd-authenticity} | |
1447 | Let $\Pi = \Pi_\textnm{aae-gwd}(\Pi_\textnm{kem}, \Pi_\textnm{sig}, | |
1448 | \Pi_\textnm{se})$ be as defined above. Then | |
1449 | \begin{spliteqn*} | |
1450 | \InSec{uf-ocma}(\Pi; t, q_E, q_D) \le | |
1451 | q_E \InSec{ind-cca}(\Pi_\textnm{kem}; t, 0) + | |
1452 | q_E \InSec{int-ctxt}(\Pi_\textnm{se}; t, 1, q_D) + {} \\ | |
1453 | q_E \InSec{ind-cca}(\Pi_\textnm{se}; t, 1, 0) + | |
1454 | \InSec{euf-cma}(\Pi_\textnm{sig}; t, q_E) | |
1455 | \end{spliteqn*} | |
1456 | \end{theorem} | |
1457 | \begin{proof}[Proof of \xref{th:gwd-secrecy}] | |
1458 | We use sequences of games over the same underlying probability space, as | |
1459 | described in \cite{Shoup:2002:OR,cryptoeprint:2004:332}. | |
1460 | ||
1461 | Let $A$ be any adversary attacking the outsider secrecy of $\Pi$ which runs | |
1462 | within the stated resource bounds. It will therefore suffice to bound | |
1463 | $A$'s advantage. | |
1464 | ||
1465 | In game~$\G0$, we toss a coin~$b \inr \{0, 1\}$, and play | |
1466 | $\Game{ind-occa-$b$}{\Pi}(A)$. The adversary's output is $b'$. Let $S_0$ | |
1467 | be the event that $b = b'$. We have, as a standard result, that | |
1468 | \begin{eqnarray*}[rl] | |
1469 | \Adv{ind-occa}{\Pi}(A) | |
1470 | & = \Pr[S_0 \mid b = 1] - \Pr[\bar S_0 \mid b = 0] \\ | |
1471 | & = \Pr[S_0 \mid b = 1] + \Pr[S_0 \mid b = 0] - 1 \\ | |
1472 | & = \frac{\Pr[S_0 \land b = 1]}{\Pr[b = 1]} + | |
1473 | \frac{\Pr[S_0 \land b = 0]}{\Pr[b = 0]} - 1 \\ | |
1474 | & = 2(\Pr[S_0 \land b = 1] + \Pr[S_0 \land b = 0]) - 1 \\ | |
1475 | & = 2\Pr[S_0] - 1 \eqnumber \label{eq:gwd-sec-s0} | |
1476 | \end{eqnarray*} | |
1477 | Hence bounding $\Pr[S_0]$ will be sufficient to complete the proof. In | |
1478 | each game~$\G{i}$ that we define, $S_i$ will be the event that $b' = b$ in | |
1479 | that game. As we define new games, we shall bound $\Pr[S_i]$ in terms of | |
1480 | $\Pr[S_{i+1}]$ until eventually we shall be able to determine this | |
1481 | probability explicitly. | |
1482 | ||
1483 | Before we start modifying the game, we shall pause to establish some | |
1484 | notation. The \emph{challenge ciphertext} passed to the \cookie{guess} | |
1485 | stage of the adversary is a clue/signature/ciphertext triple $c^* = (u^*, | |
1486 | y^*)$, where $(Z^*, u^*) \gets \mathcal{E}_Y()$, $K^* = Z^*[0 \bitsto k]$, | |
1487 | $\tau^* = Z^*[k \bitsto \ell]$, $\sigma^* \gets S_x([\tau^*, Y])$, and $y^* | |
1488 | \gets E_{K^*}([\sigma^*] \cat m_b)$. | |
1489 | ||
1490 | Game~$\G1$ works in almost the same way as $\G0$. The difference is that | |
1491 | rather than computing~$Z^*$ using the key-encapsulation algorithm | |
1492 | $\mathcal{E}_Y$, we simply choose it uniformly at random from $\Bin^\ell$. | |
1493 | Furthermore, the decryption oracle compensates for this by inspecting the | |
1494 | input ciphertext $c = (u, y)$: if and only if $u = u^*$ then decryption | |
1495 | proceeds using $Z = Z^*$ rather than using the key-decapsulation | |
1496 | algorithm~$\mathcal{D}$. | |
1497 | ||
1498 | We claim that | |
1499 | \begin{equation} | |
1500 | \label{eq:gwd-sec-g1} | |
1501 | \Pr[S_0] - \Pr[S_1] \le | |
1502 | \InSec{ind-cca}(\Pi_\textnm{kem}; t, q_D) | |
1503 | \end{equation} | |
1504 | The proof of the claim is by a simple reduction argument: we define an | |
1505 | adversary~$\hat{A}$ which attacks the KEM. We describe the | |
1506 | adversary~$\hat{A}$ in detail by way of example; future reduction arguments | |
1507 | will be rather briefer. | |
1508 | ||
1509 | The adversary receives as input a public key~$Y$ for the KEM, an $\ell$-bit | |
1510 | string $Z^*$ and a clue~$u^*$. It generates signature key pairs ~$(x', | |
1511 | X')$ and $(y', Y')$, and a KEM key pair~$(x, X)$, using the key-generation | |
1512 | algorithms; it also chooses $b \in \{0, 1\}$ uniformly at random. It runs | |
1513 | the \cookie{find} stage of adversary~$A$, giving it $(X, X')$ and $(Y, Y')$ | |
1514 | as input. Eventually, the \cookie{find} stage completes and outputs $m_0$ | |
1515 | and $m_1$ and a state~$s$. Our KEM adversary computes $\sigma^*$ and $y^*$ | |
1516 | in terms of the $Z^*$ it was given and the message~$m_b$, and runs the | |
1517 | \cookie{guess} stage of adversary~$A$, providing it with the | |
1518 | ciphertext~$(u^*, \sigma^*, y^*)$ and the state~$s$. Eventually, $A$ | |
1519 | completes, outputting its guess~$b'$. If $b' = b$ then our KEM adversary | |
1520 | outputs~$1$; otherwise it outputs~$0$. | |
1521 | ||
1522 | During all of this, we must simulate $A$'s encryption and decryption | |
1523 | oracles. The encryption oracle poses no special difficulty, since we have | |
1524 | the signing key~$x'$. On input $\bigl((Q, Q'), (u, \sigma, y)\bigr)$, the | |
1525 | simulated decryption oracle works as follows. If $u = u^*$ then set $Z = | |
1526 | Z^*$; otherwise retrieve $Z$ by querying the decapsulation oracle at~$u$, | |
1527 | since this is permitted by the KEM IND-CCA game rules. Except for this | |
1528 | slightly fiddly way of discovering~$Z$, the simulated decryption oracle | |
1529 | uses the `proper' decryption algorithm, verifying the signature $\sigma$ on | |
1530 | the tag~$\tau = Z[k \bitsto \ell]$ using the public key~$Q'$. | |
1531 | ||
1532 | If the KEM adversary is playing the `real' | |
1533 | $\Game{ind-cca-$1$}{\Pi_\textnm{kem}}$ then our KEM adversary simulates | |
1534 | $\G0$ perfectly; hence, the probability that it outputs $1$ is precisely | |
1535 | $\Pr[S_0]$. On the other hand, if it is playing | |
1536 | $\Game{ind-cca-$0$}{\Pi_\textnm{kem}}$ then it simulates~$\G1$, and the | |
1537 | probability that it outputs $1$ is $\Pr[S_1]$. Hence | |
1538 | \[ \Pr[S_0] - \Pr[S_1] = \Adv{ind-cca}{\Pi_\textnm{kem}}(\hat{A}) | |
1539 | \le \InSec{ind-cca}(\Pi_\textnm{kem}; t, q_D) | |
1540 | \] | |
1541 | as claimed. | |
1542 | ||
1543 | Finally, we can bound $S_1$ explicitly in $\G1$: | |
1544 | \begin{equation} | |
1545 | \label{eq:gwd-sec-s1} | |
1546 | \Pr[S_1] \le \frac{1}{2} \InSec{ind-cca}(\Pi_\textnm{se}; t, 1, q_D) + | |
1547 | \frac{1}{2} | |
1548 | \end{equation} | |
1549 | This follows by a simple reduction to the chosen-ciphertext secrecy of | |
1550 | $\Pi_\textnm{se}$: $K^*$ will be known to the IND-CCA game, but not | |
1551 | directly to our adversary. It will generate all of the long-term | |
1552 | asymmetric keys, and run $A$'s \cookie{find} stage, collects the two | |
1553 | plaintext messages, encrypts them (making use of the left-or-right | |
1554 | $\Pi_\textnm{se}$ encryption oracle to find $y^* = E_{K^*}([\sigma] \cat | |
1555 | \id{lr}(m_0, m_1))$. The challenge ciphertext is passed to $A$'s | |
1556 | \cookie{guess} stage, which will eventually output a guess~$b'$; our | |
1557 | adversary outputs this guess. | |
1558 | ||
1559 | The decryption oracle is simulated as follows. Let $(u, y)$ be the | |
1560 | chosen-ciphertext query. If $u \ne u^*$ then we decrypt $y$ by recovering | |
1561 | $K \cat \tau = \mathcal{D}_y(u)$ as usual; otherwise we must have $y \ne | |
1562 | y^*$ so $y$ is a legitimate query to the symmetric decryption oracle, so we | |
1563 | recover $\hat{m} = D_{K^*}(y)$ and continue from there. | |
1564 | ||
1565 | This is a valid adversary, and runs in the stated resource bounds, so the | |
1566 | claim follows. | |
1567 | ||
1568 | We can bound the advantage of adversary~$A$ by combining | |
1569 | equations~\ref{eq:gwd-sec-s0}--\ref{eq:gwd-sec-s1}: | |
1570 | \begin{eqnarray*}[rl] | |
1571 | \Adv{ind-occa}{\Pi}(A) | |
1572 | & = 2\Pr[S_0] - 1 \\ | |
1573 | & \le 2 \, \InSec{ind-cca}(\Pi_\textnm{kem}; t, q_D) + | |
1574 | \InSec{ind-cca}(\Pi_\textnm{se}; t, 1, q_D) | |
1575 | \end{eqnarray*} | |
1576 | completing the proof. | |
1577 | \end{proof} | |
1578 | ||
1579 | \begin{proof}[Proof of \xref{th:gwd-authenticity}] | |
1580 | We use a sequence of games again. | |
1581 | ||
1582 | Let $A$ be any adversary attacking the outsider authenticity of $\Pi$ and | |
1583 | running within the specified resource bounds. It will suffice to bound | |
1584 | $A$'s advantage. | |
1585 | ||
1586 | Game~$\G0$ is precisely $\Game{uf-ocma}{\Pi}(A)$. We let $S_0$ be the | |
1587 | event that $A$ outputs a valid forgery, i.e., | |
1588 | \begin{equation} | |
1589 | \label{eq:gwd-auth-s0} | |
1590 | \Adv{uf-ocma}{\Pi}(A) = \Pr[S_0] | |
1591 | \end{equation} | |
1592 | As before, in each subsequent game~$\G{i}$ we let $S_i$ be the | |
1593 | corresponding event. The two key pairs will be $((x, x'), (X, X'))$ and | |
1594 | $((y, y'), (Y, Y'))$. For each $0 \le j < q_D$, let $(Q^*_j, u^*_j, | |
1595 | y^*_j)$ be the adversary's $j$th decryption query, and define $Z^*_j = | |
1596 | \mathcal{D}_y(u^*_j)$, $K^*_j = Z^*_i[0 \bitsto k]$, $\tau^*_j = Z^*_j[k | |
1597 | \bitsto \ell]$, and $[\sigma^*_j] \cat m^*_j = \hat{m}^*_j = | |
1598 | D_{K^*_j}(y^*_j)$, insofar as such quantities are well-defined. For each | |
1599 | $0 \le i < q_E$, we define $m_i$ to be the message in $A$'s $i$th | |
1600 | encryption-oracle query and $(P, P_i)$ as the corresponding public key; and | |
1601 | we set $(Z_i, u_i) \gets \mathcal{E}_{P_i}()$ to be the KEM output while | |
1602 | responding to that query, with $K_i \cat \tau_i = Z_i$, $\sigma_i = | |
1603 | S_{x'}([\tau_i, Q_i])$, and $y_i \gets E_{K_i}(m_i)$. | |
1604 | ||
1605 | Game~$\G1$ is the same as~$\G0$, except that the encryption oracle | |
1606 | generates random keys $Z_i \inr \Bin^\ell$ if $Q_i = Y$ rather than using | |
1607 | the keys output by the key encapsulation algorithm. The clue~$u_i$ | |
1608 | returned is valid; but the key $K_i$ used for the symmetric encryption, and | |
1609 | the tag~$\tau_i$ signed by the signature algorithm, are random and | |
1610 | independent of the clue. We also modify the decryption oracle: if $Q^*_j = | |
1611 | X$, and $u^*_j = u_i$ matches a clue returned by the encryption oracle with | |
1612 | $Q_i = Y$, then the decryption oracle sets $Z^*_j = Z_i$ rather than using | |
1613 | the decapsulation algorithm. | |
1614 | ||
1615 | We claim that | |
1616 | \begin{equation} | |
1617 | \label{eq:gwd-auth-g1} | |
1618 | \Pr[S_0] - \Pr[S_1] \le q_E \InSec{ind-cca}(\Pi_\textnm{kem}; t, 0) | |
1619 | \end{equation} | |
1620 | For this we use a hybrid argument: for $0 \le i \le q_E$ we define | |
1621 | game~$\G[H]{i}$ to use random keys to generate $Z_k$ for $0 \le k < i$ and | |
1622 | to use the `proper' encapsulation algorithm for the remaining $q_E - i$ | |
1623 | queries; let $T_i$ be the event that the adversary returns a valid forgery | |
1624 | in~$\G[H]{i}$. Then | |
1625 | \[ \G[H]{0} \equiv \G0 \qquad \textrm{and} \qquad \G[H]{q_E} \equiv \G1 \] | |
1626 | but a simple reduction argument shows that, for $0 \le i < q_E$, | |
1627 | \[ \Pr[T_i] - \Pr[T_{i+1}] \le \InSec{ind-cca}(\Pi_\textnm{kem}; t, q_D) \] | |
1628 | We construct an adversary~$\hat{A}$ attacking the KEM's secrecy by | |
1629 | simulating one of a pair of hybrid games. Let $\hat{A}$'s input be | |
1630 | $\hat{Z}, \hat{u}$. The KEM adversary proceeds by answering the first~$i$ | |
1631 | encryption queries using random keys, using $Z_i = \hat{Z}$ for query $i$, | |
1632 | and the key encapsulation algorithm for the remaining $q_E - i - 1$ | |
1633 | queries. A decryption query with $Q^*_j$ can be answered by using the key | |
1634 | decapsulation if $u^*_j \ne u_k$, or by setting $Z^*_j = Z_k$ directly | |
1635 | otherwise; clearly if $k = i$ then $Z^*_j = Z_i = \hat{Z}$. If $\hat{Z}$ | |
1636 | is a real KEM output then we have simulated $\G[H]{i}$; otherwise we have | |
1637 | simulated~$\G[H]{i+1}$. The claim follows since | |
1638 | \begin{eqnarray*}[rl] | |
1639 | \Pr[S_0] - \Pr[S_1] | |
1640 | & = \Pr[T_0] - \Pr[T_{q_E}] \\ | |
1641 | & = \sum_{0\le i<q_E} (\Pr[T_i] - \Pr[T_{i+1}]) \\ | |
1642 | & \le q_E \InSec{ind-cca}(\Pi_\textnm{kem}; t, 0) | |
1643 | \end{eqnarray*} | |
1644 | ||
1645 | Game~$\G2$ is the same as $\G1$, except that the decryption oracle returns | |
1646 | $\bot$ whenever a query is made with $Q^*_j = X$, $u^*_j = u_i$ and $y^*_j | |
1647 | \ne y_i$, where $u_i$ is any clue returned by the encryption oracle so far | |
1648 | and $y_i$ is the corresponding symmetric ciphertext. Let $F_2$ be the | |
1649 | event that a forgery of this form is rejected in $\G2$, when it would be | |
1650 | accepted in $\G1$. By \xref{lem:shoup} we have | |
1651 | \begin{equation} | |
1652 | \label{eq:gwd-auth-s2} | |
1653 | \Pr[S_1] - \Pr[S_2] \le \Pr[F_2] | |
1654 | \end{equation} | |
1655 | We claim that | |
1656 | \begin{equation} | |
1657 | \label{eq:gwd-auth-f2} | |
1658 | \Pr[F_2] \le q_E \InSec{int-ctxt}(\Pi_\textnm{se}; t, 1, q_D) | |
1659 | \end{equation} | |
1660 | Again the proof of this claim proceeds by a hybrid argument: we introduce | |
1661 | hybrid games $\G[H]{i}'$ for $0 \le i \le q_E$ in which forgeries where | |
1662 | $u^* = u_j$ are rejected if $0 \le j < i$; so | |
1663 | \[ \G[H]0' \equiv \G1 \qquad \textrm{and} \qquad \G[H]{q_E}' \equiv \G2 \] | |
1664 | Let $0 \le i < q_E$. Let $T'_i$ be the event that a ciphertext $u^*_j, | |
1665 | y^*_j$ is be rejected in $\G[H]{i+i}'$ which was not in $\G[H]i$. If this | |
1666 | occurs, then we must have | |
1667 | \[ u^*_j = u_i \textrm{,} \qquad | |
1668 | y^*_j \ne y_i \textrm{,} \qquad \textrm{and} \qquad | |
1669 | D_{K_i}(y^*_i) \ne \bot \] | |
1670 | $K_i$ is random in all of these games, so a simple reduction shows that | |
1671 | \[ \Pr[T'_i] \le \InSec{int-ctxt}(\Pi_\textnm{se}; t, 1, q_D) \] | |
1672 | The reduction uses the INT-CTXT encryption oracle to perform the $i$th | |
1673 | encryption query, and the decryption oracle to respond to any decryption | |
1674 | query with $Q^*_j = X \land u^*_j = u_i$. If $F_2$ occurs then $y^*_j \ne | |
1675 | y_i$ is an INT-CTXT forgery. Since the $T'_i$ form a partition of $F_2$, | |
1676 | \[ \Pr[F_2] = \sum_{0 \le i < q_E} T'_i \le | |
1677 | q_E \InSec{int-ctxt}(\Pi_\textnm{se}; t, 1, q_D) \] | |
1678 | and the claim is proven. | |
1679 | ||
1680 | Game~$\G3$ is the same as~$\G2$, except that the encryption oracle no | |
1681 | longer includes a valid signature in some ciphertexts, as follows. Let $n | |
1682 | = |[\sigma]|$ is the length of an encoded signature. Then, if $Q_i = Y$, | |
1683 | then we set $y_i = E_K(0^n \cat m_i)$ when encrypting message~$m_i$. Other | |
1684 | encryption queries are not affected. | |
1685 | ||
1686 | We claim that | |
1687 | \begin{equation} | |
1688 | \label{eq:gwd-auth-g3} | |
1689 | \Pr[S_2] - \Pr[S_3] \le q_E \InSec{ind-cca}(\Pi_\textnm{se}; t, 1, 0) | |
1690 | \end{equation} | |
1691 | Again we use a hybrid argument: we introduce hybrid games $\G[H]{i}''$ for | |
1692 | $0 \le i \le q_E$ in which the first $i$ encryption queries are performed | |
1693 | as in $\G3$ and the remaining $q_E - i$ queries are performed as in $\G2$. | |
1694 | Hence we have | |
1695 | \[ \G[H]0'' \equiv \G2 \qquad \textrm{and} \qquad | |
1696 | \G[H]{q_E}'' \equiv \G3 \] | |
1697 | Let $T''_i$ be the event that the adversary outputs a good forgery in | |
1698 | $\G[H]{i}''$. A reduction to IND-CCA security shows that | |
1699 | \[ \Pr[T''_i] - \Pr[T''_{i+1}] \le | |
1700 | \InSec{ind-cca}(\Pi_\textnm{se}; t, 1, 0) \] | |
1701 | The reduction works by querying the IND-CCA encryption oracle for the $i$th | |
1702 | query, using the pair $0^n \cat m_i$ and $[\sigma_i] \cat m_i$; other | |
1703 | queries are encrypted using randomly generated keys. We shall not require | |
1704 | the decryption oracle: if $Q^*_j = X$ and $u^*j = u_i$ then either $y^*_j = | |
1705 | y_i$, in which case we set $m^*_j = m_i$, or $y^*_j \ne y_i$ in which case | |
1706 | we immediately return $\bot$. The claim follows because | |
1707 | \begin{eqnarray*}[rl] | |
1708 | \Pr[S_0] - \Pr[S_1] | |
1709 | & = \Pr[T_0] - \Pr[T_{q_E}] \\ | |
1710 | & = \sum_{0\le i<q_E} (\Pr[T''_i] - \Pr[T''_{i+1}]) \\ | |
1711 | & \le q_E \InSec{ind-cca}(\Pi_\textnm{se}; t, 1, 0) | |
1712 | \end{eqnarray*} | |
1713 | ||
1714 | Observe that in $\G3$ we never generate a signature on a message of the | |
1715 | form $[\tau, Y]$. In order to generate a forgery in this game, though, the | |
1716 | adversary must construct such a signature. We can therefore bound | |
1717 | $\Pr[S_2]$ using a reduction to the authenticity of $\Pi_\textnm{sig}$: | |
1718 | \begin{equation} | |
1719 | \label{eq:gwd-auth-s3} | |
1720 | \Pr[S_2] \le \InSec{euf-cma}(\Pi_\textnm{sig}; t, q_E) | |
1721 | \end{equation} | |
1722 | The reduction uses the signing oracle in order to implement $A$'s | |
1723 | encryption oracle. Because no signing queries are on messages of the form | |
1724 | $[\tau, Y]$, and a successful forgery for $\Pi$ must contain a signature | |
1725 | $\sigma^*_j$ for which $V_{X'}([\tau^*_j, Y])$ returns $1$, our reduction | |
1726 | succeeds whenever $A$ succeeds in $\G2$. The claim follows. | |
1727 | ||
1728 | We can bound the advantage of adversary~$A$ by combining | |
1729 | equations~\ref{eq:gwd-auth-s0}--\ref{eq:gwd-auth-s3}: | |
1730 | \begin{eqnarray*}[rLl] | |
1731 | \Adv{uf-ocma}{\Pi}(A) | |
1732 | & = \Pr[S_0] \\ | |
1733 | & \le q_E \InSec{ind-cca}(\Pi_\textnm{kem}; t, 0) + | |
1734 | q_E \InSec{int-ctxt}(\Pi_\textnm{se}; t, 1, q_D) + {} \\ | |
1735 | & & q_E \InSec{ind-cca}(\Pi_\textnm{se}; t, 1, 0) + | |
1736 | \InSec{euf-cma}(\Pi_\textnm{sig}; t, q_E) | |
1737 | \end{eqnarray*} | |
1738 | and the theorem follows. | |
1739 | \end{proof} | |
1740 | ||
1741 | \subsection{Deniability} | |
1742 | \label{sec:gwd.deny} | |
1743 | ||
1744 | Examining the encryption algorithm for our scheme reveals that the | |
1745 | authentication and secrecy parts are almost independent. Most importantly, | |
1746 | the signature~$\sigma$ is the only part of the ciphertext dependent on the | |
1747 | sender's private key is used, and $\sigma$ is independent of the message~$m$. | |
1748 | As we've seen, encrypting the signature prevents outsiders from detaching and | |
1749 | reusing it in forgeries, but the recipient can extract the signature and | |
1750 | replace the message. | |
1751 | ||
1752 | This is the source of the scheme's deniability: anyone who knows the | |
1753 | symmetric key~$K$ can extract the signature and replace the encrypted message | |
1754 | with a different one. | |
1755 | ||
1756 | More formally, we have the following theorem. | |
1757 | ||
1758 | \begin{theorem} | |
1759 | Let $\Pi = \Pi_\textnm{aae-gwd}(\Pi_\textnm{kem}, \Pi_\textnm{sig}, | |
1760 | \Pi_\textnm{se})$ as defined above. There exist simulators $S$ and $S'$ | |
1761 | such that | |
1762 | \[ \InSec{wdeny}(\Pi, S, S'; t) = 0 \] | |
1763 | \end{theorem} | |
1764 | \begin{proof} | |
1765 | The simulators are simple. Recall that the `leaky' version of $\Pi$ leaks | |
1766 | the symmetric key, which the sender can use later to construct a new | |
1767 | ciphertext. | |
1768 | \begin{program} | |
1769 | $S((x, x'), (Y, Y'), (u, y), m')$: \+ \\ | |
1770 | $Z \gets \mathcal{D}_x(u)$; | |
1771 | \IF $Z = \bot$ \THEN \RETURN $\bot$; \\ | |
1772 | $K \gets Z[0 \bitsto k]$; \\ | |
1773 | $\hat{m} \gets D_K(y)$; | |
1774 | \IF $\hat{m} = \bot$ \THEN \RETURN $\bot$; \\ | |
1775 | $[\sigma] \cat m \gets \hat{m}$; \\ | |
1776 | $y' \gets E_K(\sigma \cat m')$; \\ | |
1777 | \RETURN $(u, y')$; \- | |
1778 | \next | |
1779 | $S'((Y, Y'), (x, x'), (u, y), K, m')$: \+ \\ | |
1780 | \\ | |
1781 | \\ | |
1782 | $\hat{m} \gets D_K(y)$; | |
1783 | \IF $\hat{m} = \bot$ \THEN \RETURN $\bot$; \\ | |
1784 | $[\sigma] \cat m \gets \hat{m}$; \\ | |
1785 | $y' \gets E_K(\sigma \cat m')$; \\ | |
1786 | \RETURN $(u, y')$; \- | |
1787 | \end{program} | |
1788 | We claim that these simulators are perfect, i.e., no judge has nonzero | |
1789 | advantage. To see this, note that the clue encrypted signature are simply | |
1790 | copied from the input original ciphertext in each case, and the symmetric | |
1791 | ciphertext in each case is constructed using the proper symmetric | |
1792 | encryption algorithm using the proper symmetric key. | |
1793 | \end{proof} | |
1794 | ||
1795 | However, this scheme is not strongly deniable unless signatures are easily | |
1796 | forged. | |
1797 | ||
1798 | \begin{theorem} | |
1799 | Let $\Pi = \Pi_\textnm{aae-gwd}(\Pi_\textnm{kem}, \Pi_\textnm{sig}, | |
1800 | \Pi_\textnm{se})$ as defined above. Then, for all simulators~$S$, we have | |
1801 | \[ \InSec{sdeny}(\Pi, S; t) \ge | |
1802 | 1 - \InSec{euf-cma}(\Pi_\textnm{sig}; t_S + t', 0) \] | |
1803 | where $t_S$ is the running time of $S$ and $t'$ is the time taken to | |
1804 | decrypt a ciphertext of $\Pi$. | |
1805 | \end{theorem} | |
1806 | \begin{proof} | |
1807 | Recall that a strong-deniability simulator does not require a sample | |
1808 | ciphertext to work from. | |
1809 | ||
1810 | Consider the judge~$J$ which, given a ciphertext and the appropriate keys, | |
1811 | recovers the symmetric key using the recipient's private key, decrypts the | |
1812 | symmetric ciphertext to extract the signature, and verifies it against the | |
1813 | tag using the sender's public key; if the signature verifies OK, it | |
1814 | outputs~$1$, otherwise~$0$. If given a genuine ciphertext, the judge | |
1815 | always outputs $1$. Let $\epsilon$ be the probability that the judge | |
1816 | outputs $1$ given a simulated ciphertext; then $J$'s advantage is $1 - | |
1817 | \epsilon$ by definition. We claim that | |
1818 | \[ \epsilon \le \InSec{euf-cma}(\Pi_\textnm{sig}; t_S + t', 0) \] | |
1819 | We prove this by a simple reduction: given a public verification key for | |
1820 | the signature scheme, generate a KEM key pair, and run $S$ on the KEM | |
1821 | private key, the verification key, and the empty message. Decrypt the | |
1822 | resulting ciphertext using the KEM private key, recovering the signature | |
1823 | and tag, and return both as the forgery. The reduction runs in the stated | |
1824 | time, proving the claim; the theorem follows immediately. | |
1825 | \end{proof} | |
1826 | ||
1827 | \subsubsection{Using one-time encryption schemes} | |
1828 | Given the secrecy and authenticity results, one might conclude that it | |
1829 | suffices to use a `one-time symmetric encryption scheme' -- i.e., one which | |
1830 | is secure only if used to encrypt a single plaintext. This is, alas, not | |
1831 | true if one factors in the requirement of deniability. | |
1832 | ||
1833 | Consider GCM \cite{McGrew:2004:SPG,cryptoeprint:2004:193}, which builds | |
1834 | authenticated encryption from a pseudorandom permutation. Full GCM requires | |
1835 | a nonce as an additional input; for one-time encryption, a fixed nonce is | |
1836 | clearly sufficient. However, if a nonce is reused, authenticity is | |
1837 | lost.\footnote{% | |
1838 | None of the following should be considered an attack on, or a disparagement | |
1839 | of, GCM. Indeed, we consider GCM to be a fine mode of operation.} % | |
1840 | ||
1841 | GCM uses a Carter--Wegman authenticator based on a polynomial-evaluation hash | |
1842 | in $\gf{2^{128}}$: the ciphertext blocks $c_i$ (for $0 \le i < \ell$) are | |
1843 | used as coefficients of a polynomial, evaluated at a secret point $x$ | |
1844 | determined by the key; the authentication tag is | |
1845 | \[ t = E_K(n) + \sum_{0\le i<\ell} c_i x^i \] | |
1846 | Suppose that $c_i$ and $c'_i$ are distinct $\ell$-block ciphertexts | |
1847 | authenticated using the same nonce, giving tags $t$ and $t'$; then adding the | |
1848 | authentication equations (and recalling that we're working in characteristic | |
1849 | 2), we have | |
1850 | \[ \sum_{0\le i<\ell} (c_i + c'_i) x^i = t + t' \] | |
1851 | This polynomial has at most $\ell$ roots in $\gf{2^{128}}$, so a candidate | |
1852 | can be verified in about $\ell$ chosen-ciphertext queries. | |
1853 | ||
1854 | GCM encryption works using counter mode, i.e., $c_i = E_K(n + i + 1) \xor | |
1855 | m_i$ for message blocks $m_i$; so constructing \emph{meaningful} forgeries is | |
1856 | easy given a single known plaintext/ciphertext pair. | |
1857 | ||
1858 | Suppose, then, that our scheme is instantiated using `one-time' GCM -- with | |
1859 | fixed nonce -- as the symmetric encryption scheme. If a sender or a | |
1860 | recipient wishes to construct a simulated ciphertext, then anyone who can see | |
1861 | both the simulated ciphertext and a different (genuine or simulated) | |
1862 | ciphertext will be able to construct forgeries. Obviously, if it causes | |
1863 | security failures, we should not expect users to construct simulated | |
1864 | ciphertexts, and therefore deniability suffers. | |
1865 | ||
1866 | As a possible countermeasure, the recipient can record the KEM clues | |
1867 | previously received and reject messages which reuse clues; but this seems | |
1868 | cumbersome compared to simply allowing a variable -- randomized! -- nonce and | |
1869 | including it in the ciphertext. | |
1870 | ||
1871 | \subsection{Variants} | |
1872 | \label{sec:gwd.variant} | |
1873 | ||
1874 | \subsubsection{Exposing the signature} | |
1875 | The authenticity of our scheme requires that the signature~$\sigma$ be | |
1876 | encrypted. Why is this? What are the consequences if it isn't encrypted? | |
1877 | ||
1878 | For secrecy, it's sufficient that the signature is covered by the symmetric | |
1879 | encryption's authenticity. A scheme for authenticated encryption with | |
1880 | additional data (AEAD) \cite{Rogaway:2002:AEA} would suffice, placing the | |
1881 | signature in the AEAD scheme's header input. (The reader may verify that the | |
1882 | proof of \ref{th:gwd-secrecy} still goes through with minimal changes.) | |
1883 | ||
1884 | This is not the case for authenticity.\footnote{% | |
1885 | We therefore find ourselves in the rather surprising position of requiring | |
1886 | authenticity of the signature for secrecy, and secrecy of the signature for | |
1887 | authenticity!} % | |
1888 | The problem is that it might be possible, through some backdoor in the | |
1889 | decapsulation function, to `direct' a KEM to produce a clue which | |
1890 | encapsulates a specified string. The security definition can't help us: it | |
1891 | deals only with honest users of the public key. Furthermore, some signature | |
1892 | schemes fail to hide the signed message -- indeed, signature schemes `with | |
1893 | message recovery' exist where this is an explicit feature. | |
1894 | ||
1895 | Suppose, then, that we have such a `directable' KEM and a non-hiding | |
1896 | signature scheme: we'd attack our deniable AAE scheme as follows. Request an | |
1897 | encryption of some arbitrary message~$m$ for the targetted recipient, extract | |
1898 | the tag from the signature, generate a random symmetric key, and construct a | |
1899 | KEM clue which encapsulates the symmetric key and tag. Now we send the clue, | |
1900 | copy the signature from the legitimate ciphertext, and encrypt a different | |
1901 | message, using the hash as additional data. | |
1902 | ||
1903 | We note that practical KEMs seem not to be `directable' in this manner. KEMs | |
1904 | which apply a cryptographic hash function to some value are obviously hard to | |
1905 | `direct'. KEMs based on Diffie--Hellman are likely to be undirectable anyway | |
1906 | assuming the difficulty of extracting discrete logarithms -- which is of | |
1907 | course at least as hard as computational Diffie--Hellman. | |
1908 | ||
1909 | \subsubsection{Non-leaky encryption} | |
1910 | We briefly sketch a variant of our weakly deniable scheme which doesn't need | |
1911 | to leak the symmetric key -- and therefore the sender doesn't need to | |
1912 | remember the symmetric key for every message he sends. We use Krawczyk and | |
1913 | Rabin's trick \cite{cryptoeprint:1998:010}. | |
1914 | ||
1915 | We include, in each participant's private key, a key~$R$ for the symmetric | |
1916 | encryption scheme. When encrypting a message, a sender computes an | |
1917 | additional ciphertext $d = E_R(K)$, and includes $d$ in the computation of | |
1918 | the signature $\sigma = S_{x'}([Y, \tau, d])$ and in the combined ciphertext. | |
1919 | This doesn't affect authenticity, but secrecy degrades by | |
1920 | $\InSec{euf-cma}(\Pi_\textnm{sig}; t, q_E)$, since we must appeal to | |
1921 | unforgeability of the signatures in order to demonstrate that a decryption | |
1922 | query with a reused clue will be rejected unless the rest of the ciphertext | |
1923 | is also reused. | |
1924 | ||
1925 | %%%-------------------------------------------------------------------------- | |
1926 | \section{Non-interactive deniable asymmetric authentication} | |
1927 | \label{sec:nidaa} | |
1928 | ||
1929 | %% NADIA = Noninteractive Asymmetric Deniable Integrity Algorithm | |
1930 | %% NAIAD = Noninteractive Asymmetric Integrity Algorithm with Deniability | |
1931 | ||
1932 | In this section, we describe and define an important ingredient in our | |
1933 | strongly deniable scheme, which we term \emph{non-interactive deniable | |
1934 | asymmetric authentication}, or NIDAA for short.\footnote{% | |
1935 | This could really do with a snappier name. Suggestions are welcome.} % | |
1936 | The basic setup is this. Alice and Bob both have private keys, and know each | |
1937 | others' public keys. (As mentioned in the introduction, the assumption that | |
1938 | both participants have keys is essential if we are to have non-interactive | |
1939 | deniable authentication.) Alice has a message that she wants to send to Bob, | |
1940 | so that Bob knows that it came from Alice, but nobody can prove this to | |
1941 | anyone else. | |
1942 | ||
1943 | This will be an essential ingredient in our quest for strongly deniable | |
1944 | authenticated encryption. We could get away with using a signature | |
1945 | scheme for weak deniability, but a digital signature is clear evidence that a | |
1946 | communication occurred, and we should like to avoid leaving such traces. | |
1947 | ||
1948 | \subsection{Definitions} | |
1949 | \label{sec:nidaa.defs} | |
1950 | ||
1951 | We have a fairly clear idea of what deniability and authentication should | |
1952 | mean now. Since we have seen that signatures suffice for weakly deniable | |
1953 | encryption, we shall focus only on strong deniability. | |
1954 | ||
1955 | \begin{definition} | |
1956 | \label{def:nidaa-syntax} | |
1957 | ||
1958 | A \emph{non-interactive deniable asymmetric authentication scheme} is a | |
1959 | triple $\Pi_\textnm{nidaa} = (G, T, V)$ of (maybe randomized) algorithms as | |
1960 | follows. | |
1961 | \begin{itemize} | |
1962 | \item The \emph{key-generation algorithm} $G$ accepts no parameters and | |
1963 | outputs a pair $(x, X) \gets G()$. We call $x$ the \emph{private key} | |
1964 | and $X$ the \emph{public key}. | |
1965 | \item The \emph{tagging algorithm} $T$ accepts a private key~$x$, a public | |
1966 | key~$Y$, and a message~$m \in \Bin^*$, and outputs a tag~$\tau \gets | |
1967 | T_x(Y, m)$. | |
1968 | \item The \emph{verification algorithm} $V$ accepts a private key~$x$, a | |
1969 | public key~$Y$, a message~$m \in \Bin^*$, and a tag~$\tau$, and outputs a | |
1970 | verdict $v \gets V_x(Y, m, \tau)$ which is a bit $v \in \{0, 1\}$. The | |
1971 | verification algorithm must be such that if $(x, X)$ and $(y, Y)$ are any | |
1972 | two pairs of keys produced by $G$, $m$ is any message, and $\tau$ is any | |
1973 | tag produced by $T_x(Y, m)$, then $V_y(X, m, \tau)$ outputs~$1$. \qed | |
1974 | \end{itemize} | |
1975 | \end{definition} | |
1976 | ||
1977 | \begin{definition} | |
1978 | \label{def:nidaa-security} | |
1979 | ||
1980 | Let $\Pi = (G, T, V)$ be a NIDAA scheme. We measure an adversary~$A$'s | |
1981 | ability to attack $\Pi$'s authenticity using the following game. | |
1982 | \begin{program} | |
1983 | $\Game{uf-ocma}{\Pi}(A)$: \+ \\ | |
1984 | $w \gets 0$; | |
1985 | $\mathcal{T} \gets \emptyset$; \\ | |
1986 | $(x, X) \gets G()$; | |
1987 | $(y, Y) \gets G()$; \\ | |
1988 | $A^{\id{tag}(\cdot, \cdot), \id{vrf}(\cdot, \cdot)}(X, Y)$; \\ | |
1989 | \RETURN $v$; \- | |
1990 | \newline | |
1991 | $\id{tag}(Q, m)$: \+ \\ | |
1992 | $\tau \gets T_x(Q, m)$; \\ | |
1993 | \IF $Q = Y$ \THEN | |
1994 | $\mathcal{T} \gets \mathcal{T} \cup \{ (m, \tau) \}$; \\ | |
1995 | \RETURN $\tau$; \- | |
1996 | \next | |
1997 | $\id{vrf}(Q, m, \tau)$: \+ \\ | |
1998 | $v \gets V_y(Q, m, \tau)$; \\ | |
1999 | \IF $v = 1 \land Q = X \land (m, \tau) \notin \mathcal{T}$ \THEN | |
2000 | $w \gets 1$; \\ | |
2001 | \RETURN $v$; | |
2002 | \end{program} | |
2003 | ||
2004 | The adversary's UF-OCMA \emph{advantage} is measured by | |
2005 | \[ \Adv{uf-ocma}{\Pi}(A) = \Pr[\Game{uf-ocma}{\Pi}(A) = 1] \] | |
2006 | Finally, the UF-OCMA insecurity function of $\Pi$ is defined by | |
2007 | \[ \InSec{uf-ocma}(\Pi; t, q_T, q_V) = \max_A \Adv{uf-ocma}{\Pi}(A) \] | |
2008 | where the maximum is taken over all adversaries~$A$ completing the game in | |
2009 | time~$t$ and making at most $q_T$ tagging queries and at most $q_V$ | |
2010 | verification queries. | |
2011 | \end{definition} | |
2012 | ||
2013 | \begin{definition} | |
2014 | \label{def:nidaa-deniability} | |
2015 | ||
2016 | Let $\Pi = (G, T, V)$ be a NIDAA scheme, and let $S$ (the `simulator') and | |
2017 | $J$ (the `judge') be algorithms. The simulator's ability to deceive the | |
2018 | judge is measured by the following games. | |
2019 | \begin{program} | |
2020 | $\Game{sdeny-$b$}{\Pi, S}(J, m_0, m_1)$: \+ \\ | |
2021 | $(x, X) \gets G()$; | |
2022 | $(y, Y) \gets G()$; \\ | |
2023 | $\tau_0 \gets T_y(X, m_0)$; \\ | |
2024 | $\tau_1 \gets S(x, Y, m_1)$; \\ | |
2025 | $b' \gets J(x, X, y, Y, \tau_b, m_b)$; \\ | |
2026 | \RETURN $b'$; | |
2027 | \end{program} | |
2028 | ||
2029 | We measure $J$'s \emph{advantage} in distinguishing simulated tags from | |
2030 | genuine ones by | |
2031 | \[ \Adv{sdeny}{\Pi, S}(J) = \max_{m_0, m_1 \in \Bin^*} \bigl( | |
2032 | \Pr[\Game{sdeny-$1$}{\Pi, S}(J, m_0, m_1) = 1] - | |
2033 | \Pr[\Game{sdeny-$0$}{\Pi, S}(J, m_0, m_1) = 1] \bigr) \] | |
2034 | Finally, we define the \emph{insecurity function} of $S$ as a simulator for | |
2035 | the deniability of $\Pi$ by | |
2036 | \[ \InSec{sdeny}(\Pi, S; t) = \max_J \Adv{sdeny}{\Pi, S}(J) \] | |
2037 | where the maximum is taken over all algorithms~$J$ completing the game in | |
2038 | time~$t$. | |
2039 | \end{definition} | |
2040 | ||
2041 | Thinking about the nature of the problem reveals a few properties that a | |
2042 | solution must exhibit. | |
2043 | \begin{itemize} | |
2044 | \item The | |
2045 | \end{itemize} | |
2046 | ||
2047 | ||
2048 | \begin{program} | |
2049 | $\Xid{G}{dh}()$: \+ \\ | |
2050 | $x \getsr \gf{p}$; | |
2051 | $x' \getsr \gf{p}$; \\ | |
2052 | $X \gets x P$; | |
2053 | $X' \gets x' P$; \\ | |
2054 | \RETURN $\bigl((x, x'), (X, X')\bigr)$; \- | |
2055 | \next | |
2056 | $\Xid{T}{dh}^{H(\cdot)}_{x, x'}((Y, Y'), m)$: \+ \\ | |
2057 | $\tau \gets H([m, x P, x' P, Y, Y', x Y, x Y', x' Y, x' Y'])$; \\ | |
2058 | \RETURN $\tau$; \- | |
2059 | \\[\medskipamount] | |
2060 | $\Xid{V}{dh}^{H(\cdot)}_{x, x'}((Y, Y'), m, \tau)$: \+ \\ | |
2061 | $\tau' \gets H([m, Y, Y', x P, x' P, y X, y' X, y X', y' X'])$; \\ | |
2062 | \IF $\tau = \tau'$ \THEN \RETURN $1$ | |
2063 | \ELSE \RETURN $0$; | |
2064 | \end{program} | |
2065 | ||
2066 | \begin{theorem}[Security of Diffie--Hellman NIDAA scheme] | |
2067 | \label{th:dh-security} | |
2068 | ||
2069 | Let $\Pi = \Pi_\textnm{dh}^{G, H, k}$ be as described above. Then | |
2070 | \[ \InSec{uf-ocma}(\Pi; t, q_T, q_V, q_H) \le | |
2071 | \InSec{cdh}(G; t + t') + | |
2072 | \frac{4 q_H}{\#G} + \frac{q_V}{2^k} | |
2073 | \] | |
2074 | where the $t'$ is the time taken to perform $4 q_H + 4$ multiplications and | |
2075 | $2 q_H + 2$ additions in $G$, and $q_T + q_V + q_H$ hashtable probes and | |
2076 | insertions. | |
2077 | \end{theorem} | |
2078 | \begin{proof} | |
2079 | Let~$A$ be any adversary which attacks the authenticity of $\Pi$ and runs | |
2080 | within the stated resource bounds. It will suffice to bound $A$'s | |
2081 | advantage. | |
2082 | ||
2083 | Game~$\G1 \equiv \Game{uf-ocma}{\Pi}(A)$ is the standard NIDAA attack game: | |
2084 | $A$ receives $X = x P$, $X' = x' P$, $Y = y P$, and $Y' = y' P$ as input; | |
2085 | its objective is to submit a forgery to its verification oracle. | |
2086 | ||
2087 | In order to simplify our presentation, we shall describe the tagging and | |
2088 | verification functions in a different way. Firstly, we define the function | |
2089 | $D\colon G^4 \to G^8$ by | |
2090 | \[ D(x P, x' P, Y, Y') = (x P, x' P, Y, Y', x Y, x Y', x' Y, x' Y') \] | |
2091 | (This function is clearly not easily computable, though it becomes so if we | |
2092 | know $x$ and $x'$.) $D$ is evidently injective, because it includes its | |
2093 | preimage in the image. | |
2094 | ||
2095 | Next, we define a simple permutation $\pi\colon G^8 \to G^8$ by | |
2096 | \[ \pi(X, X', Y, Y', Z, Z', W, W') = (Y, Y', X, X', Z, W, Z', W') \] | |
2097 | (It's not important, but $\pi = \pi^{-1}$.) If we define $D' = \pi \circ D$ | |
2098 | then | |
2099 | \[ D(Y, Y', X, X') = D'(X, X', Y, Y') \] | |
2100 | Finally, for any message~$m$, we define $H_m\colon G^8 \to \Bin^k$ by | |
2101 | \[ H_m(X, X', Y, Y', Z, Z', W, W') = H([m, X, X', Y, Y', Z, Z', W, W']) \] | |
2102 | We can now define | |
2103 | \[ T_m = H_m \circ D \qquad \textrm{and} \qquad | |
2104 | V_m = H_m \circ D' = H_m \circ \pi \circ D \] | |
2105 | i.e., the following diagram commutes. | |
2106 | \[ \begin{tikzpicture} | |
2107 | \tikzset{ | |
2108 | every to/.style = {above, draw, font = \footnotesize}, | |
2109 | every edge/.style = {every to}, | |
2110 | node distance = 20mm | |
2111 | } | |
2112 | \node (xy) {$G^4$}; | |
2113 | \node[coordinate, below = of xy] (x) {}; | |
2114 | \node[left = 5mm of x] (d) {$G^8$} | |
2115 | edge [<-, left] node {$D$} (xy); | |
2116 | \node[right = 5mm of x] (dd) {$G^8$} | |
2117 | edge [<-, right] node {$D'$} (xy); | |
2118 | \draw ($(d.east) + (0, 2pt)$) | |
2119 | to[->] node {$\pi$} | |
2120 | ($(dd.west) + (0, 2pt)$); | |
2121 | \draw ($(dd.west) - (0, 2pt)$) | |
2122 | to[->, below] node {$\pi$} | |
2123 | ($(d.east) - (0, 2pt)$); | |
2124 | \node[left = of d] (t) {$\Bin^k$} | |
2125 | edge [<-, below] node {$H_m$} (d) | |
2126 | edge [<-, above left] node {$T_m$} (xy); | |
2127 | \node[right = of dd] (v) {$\Bin^k$} | |
2128 | edge [<-, below] node {$H_m$} (dd) | |
2129 | edge [<-, above right] node {$V_m$} (xy); | |
2130 | \end{tikzpicture} \] | |
2131 | ||
2132 | We can consequently rewrite | |
2133 | \[ T_{x, x'}((R, R'), m) = T_m(x P, x' P, R, R') \] | |
2134 | and | |
2135 | \[ V_{y, y'}((Q, Q'), m, \tau) = \begin{cases} | |
2136 | 1 & if $\tau = V_m(y P, y' P, Q, Q')$ \\ | |
2137 | 0 & otherwise | |
2138 | \end{cases} | |
2139 | \] | |
2140 | ||
2141 | Now, $H$ -- and hence its restriction $H_m$ -- is a random function, | |
2142 | assigning a uniformly distributed and independent $k$-bit string to each | |
2143 | point in its domain. Since $D$ and $D'$ are injective, the functions $T_m$ | |
2144 | and $V_m$ also have this property. (Obviously the outputs of $H_m$, $T_m$ | |
2145 | and $V_m$ are not independent of \emph{each other}, merely of other outputs | |
2146 | of the same function.) It's also clear that the action of $H_m$ on | |
2147 | $D(G^4)$ is determined by $T_m$, and similarly for $D'(G^4)$ and $V_m$. | |
2148 | This observation motivates the definition of the next game~$\G2$. | |
2149 | ||
2150 | Game~$\G2$ redefines the three oracles provided to the adversary in terms | |
2151 | of three new functions $T$, $V$ and $H$ shown in \xref{fig:dh-nidaa-g2}. | |
2152 | We use the `lazy sampling' technique; we implement $T$ directly as a lazily | |
2153 | sampled random function; $V$ consults $T$ where applicable, and otherwise | |
2154 | uses a separate lazily sampled random function; and $H$ consults $T$ or $V$ | |
2155 | where applicable. | |
2156 | ||
2157 | \begin{figure} | |
2158 | \begin{program} | |
2159 | Initialization: \+ \\ | |
2160 | $\mathcal{H} \gets \emptyset$; \\ | |
2161 | $\mathcal{T} \gets \emptyset$; \\ | |
2162 | $\mathcal{V} \gets \emptyset$; \- | |
2163 | \\[\medskipamount] | |
2164 | $T(R, R', m)$: \+ \\ | |
2165 | \IF $(R, R', m) \in \dom \mathcal{T}$ \THEN \\ | |
2166 | \quad $\tau \gets \mathcal{T}(R, R', m)$; \\ | |
2167 | \ELSE \\ \ind | |
2168 | $\tau \getsr \Bin^k$; \\ | |
2169 | $\mathcal{T} \gets \mathcal{T} \cup \{ (R, R', m) \mapsto \tau \}$; | |
2170 | \- \\ | |
2171 | \RETURN $\tau$; \- | |
2172 | \next | |
2173 | $V'(Q, Q', m)$: \+ \\ | |
2174 | \IF $(Q, Q', m) \in \dom \mathcal{V}$ \THEN \\ | |
2175 | \quad $\tau' \gets \mathcal{V}(Q, Q', m)$; \\ | |
2176 | \ELSE \\ \ind | |
2177 | \IF $Q = X \land Q' = X'$ \THEN | |
2178 | $\tau' \gets T(Y, Y', m)$; \\ | |
2179 | \ELSE | |
2180 | $\tau' \getsr \Bin^k$; \\ | |
2181 | $\mathcal{V} \gets \mathcal{V} \cup | |
2182 | \{ (Q, Q', m) \mapsto \tau' \}$; | |
2183 | \- \\ | |
2184 | \RETURN $\tau'$; \- | |
2185 | \\[\medskipamount] | |
2186 | $V(Q, Q', m, \tau)$: \+ \\ | |
2187 | $\tau' \gets V'(Q, Q', m)$; \\ | |
2188 | \IF $\tau = \tau'$ \THEN \RETURN $1$ \ELSE \RETURN $0$; \- | |
2189 | \newline | |
2190 | $H(s)$: \+ \\ | |
2191 | \IF $s \in \dom \mathcal{H}$ \THEN | |
2192 | $h \gets \mathcal{H}(s)$; \\ | |
2193 | \ELSE \\ \ind | |
2194 | \IF $s = [m, Q, Q', R, R', Z, Z', W, W']$ for some \\ | |
2195 | \hspace{4em} | |
2196 | $(m, Q, Q', R, R', Z, Z', W, W') \in \Bin^* \times G^8$ | |
2197 | \THEN \\ \ind | |
2198 | \IF $(Q, Q') = (X, X') \land | |
2199 | (Z, Z', W, W') = (x R, x R', x' R, x' R')$ \THEN | |
2200 | $h \gets T(R, R', m)$; \\ | |
2201 | \ELSE \IF $(R, R') = (Y, Y') \land | |
2202 | (Z, Z', W, W') = (y Q, y' Q, y Q', y' R')$ \THEN | |
2203 | $h \gets V'(Q, Q', m)$; \\ | |
2204 | \ELSE | |
2205 | $h \getsr \Bin^k$; \- \\ | |
2206 | \ELSE | |
2207 | $h \getsr \Bin^k$; \\ | |
2208 | $\mathcal{H} \gets \mathcal{H} \cup \{ s \mapsto h \}$; \- \\ | |
2209 | \RETURN $h$; | |
2210 | \end{program} | |
2211 | ||
2212 | \caption{Tagging, verification and hashing functions for $\G2$} | |
2213 | \label{fig:dh-nidaa-g2} | |
2214 | \end{figure} | |
2215 | ||
2216 | The adversary's oracles map onto these functions in a simple way: $H$ is | |
2217 | precisely the hashing oracle, and | |
2218 | \[ T_{x, x'}((R, R'), m) = T(R, R', m) \qquad \textrm{and} \qquad | |
2219 | V_{y, y'}((Q, Q'), m, \tau) = V(Q, Q', m) \] | |
2220 | Given the foregoing discussion, we see that, despite the rather radical | |
2221 | restructuring of the game, all of the quantities that the adversary sees | |
2222 | are distributed identically, and therefore | |
2223 | \begin{equation} | |
2224 | \label{eq:dh-nidaa-s1} | |
2225 | \Pr[S_2] = \Pr[S_1] | |
2226 | \end{equation} | |
2227 | ||
2228 | Game~$\G3$ is the same as $\G2$, except that we no longer credit the | |
2229 | adversary with a win if it makes a verification query $V_{y, y'}((X, X'), | |
2230 | m, \tau)$ without previously making a hashing query $H([m, X, X', Y, Y', y | |
2231 | X, y' X, y X', y' X'])$. If this happens, either there has been a previous | |
2232 | query to $T_{x, x'}((Y, Y'), m)$, in which case the verification query | |
2233 | can't count as a win in any case, or there was no such query, in which case | |
2234 | the true tag $\tau'$ will be freshly generated uniformly at random. | |
2235 | Evidently, then, | |
2236 | \begin{equation} | |
2237 | \label{eq:dh-nidaa-s2} | |
2238 | \Pr[S_2] - \Pr[S_3] \le \frac{q_V}{2^k} | |
2239 | \end{equation} | |
2240 | ||
2241 | Game~$\G4$ is similar to $\G3$, except that we change the way that the keys | |
2242 | are set up. Rather than choosing $x'$ and $y'$ at random and setting $(X', | |
2243 | Y') = (x' P, y' P)$, we choose $(u, u', v, v') \inr \gf{p}$ and set | |
2244 | \[ X' = u P + u' X \qquad \textrm{and} \qquad Y' = v P + v' Y \] | |
2245 | It's clear that (a) $X'$ and $Y'$ are still uniformly distributed on $G$, | |
2246 | and (b) they are independent of $u'$ and $v'$. Since this change doesn't | |
2247 | affect the distribution of $X'$ and $Y'$, we conclude that | |
2248 | \begin{equation} | |
2249 | \label{eq:dh-nidaa-s3} | |
2250 | \Pr[S_4] = \Pr[S_3] | |
2251 | \end{equation} | |
2252 | ||
2253 | Finally, we bound $\Pr[S_4]$ by a reduction from the computational | |
2254 | Diffie--Hellman problem in~$G$. The reduction receives points $X^* = x P$ | |
2255 | and $Y^* = y P$ and must compute $Z^* = x y P$. It sets $X = X^*$ and $Y = | |
2256 | Y^*$. It chooses $u$, $u'$, $v$, and $v'$, determines $X'$ and $Y'$ as in | |
2257 | $\G4$, and runs $A$ with simulated oracles: the tagging and verification | |
2258 | oracles work exactly as in $\G4$; however, it cannot implement the hashing | |
2259 | function as described, so we must change it: | |
2260 | \begin{itemize} | |
2261 | \item rather than checking whether $(Z, Z', W, W') = (x R, x R', x' R, x' | |
2262 | R')$, we check whether $(W, W') = (u R + u' Z, u R' + u' Z')$; and | |
2263 | \item rather than checking whether $(Z, Z', W, W') = (y Q, y' Q, y Q', y' | |
2264 | R')$, we check whether $(Z', W') = (v R + v' Z, v R' + v' W)$. | |
2265 | \end{itemize} | |
2266 | Let $F$ be the event that this change causes the reduction's hashing | |
2267 | function to make a decision that the proper $\G4$ wouldn't make. | |
2268 | ||
2269 | Let $T$ be the event that the adversary (apparently, using the reduction's | |
2270 | modified hashing function) makes a successful forgery. In this case, we | |
2271 | must have seen a hashing query $H([m, X, X', Y, Y', Z, v R + v' Z, W, v R' | |
2272 | + v' W])$. If $F$ doesn't occur, then we in fact have $Z = x y P = Z^*$; | |
2273 | the work we must do in the reduction over and above $\G1$ is to choose $u$ | |
2274 | etc., to compute $X'$ and $Y'$, perform the dictionary maintenance, and | |
2275 | use the twin-Diffie--Hellman detector, so | |
2276 | \[ \Pr[T \mid \bar{F}] \le \InSec{cdh}(G; t + t') \] | |
2277 | Furthermore, the reduction and $\G4$ proceed identically unless $F$ occurs, | |
2278 | so \xref{lem:shoup} gives | |
2279 | \[ \Pr[S_4] - \Pr[T] \le \Pr[F] \] | |
2280 | A simple calculation bounds $\Pr[T]$: | |
2281 | \begin{eqnarray*}[rl] | |
2282 | \Pr[T] & = \Pr[T \land F] + \Pr[T \land \bar{F}] \\ | |
2283 | & = \Pr[T \land F] + \Pr[T \mid \bar{F}] \Pr[\bar{F}] \\ | |
2284 | & \le \Pr[F] + \Pr[T \mid \bar{F}] \\ | |
2285 | & \le \InSec{cdh}(G; t + t') + \Pr[F] | |
2286 | \eqnumber \label{eq:dh-nidaa-t} | |
2287 | \end{eqnarray*} | |
2288 | Finally, we bound $\Pr[F]$ using \xref{lem:2dh-detect}: | |
2289 | \begin{equation} | |
2290 | \label{eq:dh-nidaa-f} | |
2291 | \Pr[F] \le \frac{2 q_H}{\#G} | |
2292 | \end{equation} | |
2293 | Piecing together equations~\ref{eq:dh-nidaa-s1}--\ref{eq:dh-nidaa-f} | |
2294 | completes the proof. | |
2295 | \end{proof} | |
2296 | ||
2297 | \subsection{Magic tokens: an alternative to NIDAA} | |
2298 | \label{sec:magic} | |
2299 | ||
2300 | For readers who dislike random oracles, we briefly sketch an alternative to | |
2301 | NIDAA schemes. If we're willing to encrypt the NIDAA tag then we don't | |
2302 | actually have to reveal to the adversary any tag intended for the target | |
2303 | recipient: we can replace them all with nonsense strings of the same length, | |
2304 | as we did with the signatures in the proof of \xref{th:gwd-authenticity}. | |
2305 | And if we don't have to reveal them, they don't have to be message-dependent! | |
2306 | We call these \emph{magic tokens}. | |
2307 | ||
2308 | The only requirements on a magic token are that the sender and recipient | |
2309 | should both be able to compute it, but the adversary shouldn't -- even if he | |
2310 | shares many other tokens with the sender. So how do we make a token? Well, | |
2311 | a Diffie--Hellman shared secret seems like a plausible choice. | |
2312 | ||
2313 | Again we work in a cyclic group~$G = \langle P \rangle$ with $p = \#G$ prime | |
2314 | If Alice's and Bob's private keys are $a$ and $b$ respectively, and their | |
2315 | public keys are $A = a P$ and $B = b P$, then their token is simply $Z = a b | |
2316 | P$. | |
2317 | ||
2318 | This doesn't quite work. Suppose the adversary chooses $X = A - r P$ as his | |
2319 | public key, for some $r \inr \gf{p}$. If Bob sends the adversary a token $Y | |
2320 | = b X = b A - b r P = Z - r B$, then the adversary computes $Z = Y + r B$ | |
2321 | which is the token shared by Alice and Bob. | |
2322 | ||
2323 | We can fix this. Along with the shared group, we select a random common | |
2324 | reference string, and include in each user's public key a non-malleable | |
2325 | non-interactive zero-knowledge proof of knowledge \cite{DeSantis:2001:RNI} of | |
2326 | the corresponding private key. Now before handing over a token, Bob will | |
2327 | check the NIZK. For maliciously formed public keys like $Y$ above, the | |
2328 | adversary doesn't know the private key, and so Bob will fail to verify the | |
2329 | NIZK. | |
2330 | ||
2331 | Slightly more formally, we sketch a reduction from the computational | |
2332 | Diffie--Hellman problem to forging Alice and Bob's token. The reduction | |
2333 | passes $A$ and $B$ to the forger, along with a freshly generated common | |
2334 | reference string and simulated NIZKs for $A$ and $B$. The forger runs and | |
2335 | outputs its guess as to the token, which (if the token is correct) is | |
2336 | precisely the solution to the CDH problem. All that remains is to implement | |
2337 | a token-issuing oracle: given $(Y, N)$, we must compute $b Y$, where $B = b | |
2338 | P$ and $N$ is a NIZK proof of knowledge for $y$ such that $Y = y P$. To do | |
2339 | this, we use the NIZK extractor to recover $y$ from the adversary and return | |
2340 | $y B = b Y$; this will work despite the adversary having seen the simulated | |
2341 | proofs for $A$ and $B$ because the NIZK is non-malleable. | |
2342 | ||
2343 | \part{trailing cruft} | |
2344 | %%%-------------------------------------------------------------------------- | |
2345 | \section{Diffie--Hellman-based strongly deniable construction} | |
2346 | ||
2347 | This section describes an authenticated asymmetric encryption scheme which | |
2348 | achieves a stronger definition of deniability: a simulator can construct a | |
2349 | convincing ciphertext without having to see a genuine one. | |
2350 | ||
2351 | The scheme's security depends on a number of ingredients: | |
2352 | \begin{itemize} | |
2353 | \item a cyclic group~$G = \langle P \rangle$, with prime order~$p$, in which | |
2354 | the computational Diffie--Hellman problem is hard; | |
2355 | \item a symmetric encryption scheme~$\Pi_\textnm{se} = (k, E, D)$ which | |
2356 | provides secrecy under chosen-plaintext attack; and | |
2357 | \item a cryptographic hash function~$H\colon \Bin^* \to \Bin^k$, which we | |
2358 | shall model as a random oracle. | |
2359 | \end{itemize} | |
2360 | ||
2361 | \subsection{Prologue: asymmetric deniable authentication} | |
2362 | ||
2363 | Rather than present the entire scheme in one go, we first present the | |
2364 | important central part, which provides deniable authentication using | |
2365 | asymmetric keys. | |
2366 | ||
2367 | \begin{definition}[$\Pi_\textnm{auth}^{G, H}$] | |
2368 | \label{def:pi-auth} | |
2369 | ||
2370 | Let $G$ be a cyclic group, of prime order~$p$, generated by $P$; and let | |
2371 | $H\colon \Bin^* \to \Bin^k$ be a hash function. | |
2372 | ||
2373 | The asymmetric authentication scheme $\Pi_\textnm{auth}^{G, H} = | |
2374 | (\Xid{G}{auth}^{G, H}, \Xid{T}{auth}^{G, H}, \Xid{V}{auth}^{G, H})$ is | |
2375 | defined as follows. | |
2376 | \begin{program} | |
2377 | $\Xid{G}{auth}^{G, H}()$: \+ \\ | |
2378 | $x \getsr \gf{p}$; $x' \getsr \gf{p}$; | |
2379 | $X \gets x P$; $X' \gets x' P$; \\ | |
2380 | $y \getsr \gf{p}$; | |
2381 | $Y \gets y' P$; \\ | |
2382 | \RETURN $\bigl( (x, x', y), (X, X', Y) \bigr)$; | |
2383 | \- \\[\medskipamount] | |
2384 | $\Xid{T}{auth}^{G, H}_{x, x', y}(m)$: \+ \\ | |
2385 | $h \gets H_p([\cookie{msg}, m]) + p \Z$; \\ | |
2386 | $Z \gets x y h P$; | |
2387 | $Z' \gets x' y h P$; \\ | |
2388 | $\tau \gets H([\cookie{tag}, Z, Z'])$; \\ | |
2389 | \RETURN $\tau$; | |
2390 | \- \\[\medskipamount] | |
2391 | $\Xid{V}{auth}^{G, H}_{x, x', y}(m, \tau)$: \+ \\ | |
2392 | \IF $\tau = \Xid{T}{auth}^{G, H}_{x, x', y}(m)$ | |
2393 | \THEN \RETURN $1$ \\ \ELSE \RETURN $0$; | |
2394 | \next | |
2395 | $H_n(x)$: \+ \\ | |
2396 | $i \gets 0$; \\ | |
2397 | $\ell \gets \lfloor \log_2 n \rfloor + 1$; \\ | |
2398 | \REPEAT \\ \ind | |
2399 | $h \gets \emptystring$; \\ | |
2400 | \WHILE $|h| < \ell$ \DO \\ \ind | |
2401 | $h \gets h \cat H([i, n, x])$; \\ | |
2402 | $i \gets i + 1$; \- \\ | |
2403 | $[y]_\ell \gets h[0 \bitsto \ell]$; \- \\ | |
2404 | \UNTIL $y < n$; \\ | |
2405 | \RETURN $y$; | |
2406 | \end{program} | |
2407 | \end{definition} | |
2408 | ||
2409 | Observe that $Z = x h Y = y h X$ and $Z' = z' h Y = y h X'$, so either $(x, | |
2410 | x')$ or $y$, together with the public keys $(X, X', Y)$, are sufficient to | |
2411 | compute or verify tags. | |
2412 | ||
2413 | The function~$H_n\colon \Bin^* \to \{0, 1, \ldots, n - 1\}$ is a random | |
2414 | mapping | |
2415 | ||
2416 | \subsubsection{System parameters} | |
2417 | Let $(G, +)$ be a finite, prime-order (necessarily cyclic) group in which the | |
2418 | computational Diffie--Hellman problem is difficult; let $p = \#G$ be the | |
2419 | order of $G$, and let $P \in G - \{ 0 \}$ be a generator of $G$. Let | |
2420 | $H\colon \Bin^* \to \Bin^k$ be a hash function (to be modelled as a random | |
2421 | oracle) and $\Pi_{se} = (k, E, D)$ be a symmetric encryption scheme. | |
2422 | ||
2423 | \subsubsection{Keys} | |
2424 | Each user chooses two indices $x, x' \getsr \gf{p}$. The pair $(x, x')$ is | |
2425 | the user's private key, and the pair $(X, X') = (x P, x' P)$ is the | |
2426 | corresponding public key. | |
2427 | ||
2428 | \begin{program} | |
2429 | Algorithm $\Xid{G}{dh}^{G, \Pi_\textnm{se}, H}()$: \+ \\ | |
2430 | $x \getsr \gf{p}$; $X \gets x P$; \\ | |
2431 | $x' \getsr \gf{p}$; $X' \gets x' P$; \\ | |
2432 | \RETURN $\bigl( (x, x'), (X, X') \bigr)$; \- | |
2433 | \newline | |
2434 | Algorithm $\Xid{E}{dh}^{G, \Pi_\textnm{se}, H}_{x, x'}(Y, Y', m)$: \+ \\ | |
2435 | $r \getsr \gf{p}$; $R \gets r P$; \\ | |
2436 | $K \gets H(\cookie{key}, R, r Y, r Y')$; \\ | |
2437 | $c \gets E_K(\empty, m)$; \\ | |
2438 | $h \gets H(\cookie{msg}, c)$; \\ | |
2439 | $\sigma \gets H(\cookie{sig}, R, x h Y, x h Y')$; \\ | |
2440 | \RETURN $(R, \sigma, c)$; \- | |
2441 | \next | |
2442 | Algorithm $\Xid{D}{dh}^{G, \Pi_\textnm{se}, H}_{x, x'} | |
2443 | (Y, Y', R, \sigma, c)$: \+ \\ | |
2444 | $h \gets H(\cookie{msg}, c)$; \\ | |
2445 | \IF $\sigma \ne H(\cookie{sig}, R, x h Y, x' h Y)$ \THEN | |
2446 | \RETURN $\bot$; \\ | |
2447 | $K \gets H(\cookie{msg}, R, x R, x' R)$; \\ | |
2448 | $m \gets D_K(c)$; \\ | |
2449 | \RETURN $m$; | |
2450 | \end{program} | |
2451 | ||
2452 | Deniable authentication is somewhat slippery to define. | |
2453 | ||
2454 | Here, then, is a first stab at a definition. We'll capture Alice's attempt | |
2455 | at presenting evidence as an algorithm. It runs in two parts. The first | |
2456 | part is given Alice's private key~$a$ and Bob's public key~$B$; it runs for a | |
2457 | while, and eventually produces a message~$m$, and a state~$s$ for the second | |
2458 | part. We get Bob to encrypt this message, and then run the second part of | |
2459 | Alice's algorithm, giving it the state~$s$ from the first part and the | |
2460 | ciphertext $c = E_b(A, m)$; it too runs for a while, and eventually outputs | |
2461 | an evidence package~$v$. Finally, we run Justin's algorithm~$J$ on~$c$, $m$ | |
2462 | and $v$, and Justin outputs either 1 or~0 depending on whether he was | |
2463 | convinced. For deniability, then, we'd demand that, for any Alice | |
2464 | algorithm~$A$, there's a simulator $S(A)$ which accepts $a$, $m$, $c$ and~$s$ | |
2465 | from the first part of $A$, and some $m' \ne m$, and outputs $c'$ and $v'$ | |
2466 | such that $J$ can't distinguish simulated inputs $(c', m', v')$ from genuine | |
2467 | ones $(c, m, v)$. | |
2468 | ||
2469 | Unfortunately, it seems really hard to make this work. For example, $v$ | |
2470 | might contain a hash of $m$, which would make Justin's job really easy. We | |
2471 | can't simulate this kind of evidence in a black-box way: the first part of | |
2472 | Alice's algorithm can encode the hash in its state, so the simulator can't | |
2473 | substitute a different message without understanding the structure of either | |
2474 | the state or the evidence package. | |
2475 | ||
2476 | This isn't the only problem with the above definition. | |
2477 | \begin{itemize} | |
2478 | \item It only models Alice presenting her evidence noninteractively. We'd | |
2479 | like to be able to rule out interactive proofs between Alice and Justin. | |
2480 | \item It allows the simulator a choice of alternative message $m'$. While | |
2481 | the simulator might be able to raise a doubt that Alice's claimed | |
2482 | message~$m$ might not have been sent by Bob, she might still be able to | |
2483 | demonstrate that Bob's message was very \emph{similar} to~$m$. | |
2484 | \end{itemize} | |
2485 | ||
2486 | In fact, the definition is unnecessarily complicated. | |
2487 | ||
2488 | ||
2489 | %% What we /don't/ want to happen: Alice receives message from Bob, presents | |
2490 | %% judge with convincing evidence that Bob sent it. So we want a simulator | |
2491 | %% which makes equally convincing evidence. | |
2492 | %% | |
2493 | %% Judge can't decrypt message sent to Alice without help. Alice might just | |
2494 | %% turn over her private key, or maybe reveal some partial information | |
2495 | %% sufficient to decrypt the message. | |
2496 | %% | |
2497 | %% Oooh: Alice might try to prove stuff about the plaintext in | |
2498 | %% zero-knowledge. Do I really need to capture full interaction? This will | |
2499 | %% turn into a disaster. | |
2500 | %% | |
2501 | %% What inputs do I give Alice, the judge, and the simulator? Simulation | |
2502 | %% without Alice's private key (or something like it) isn't going to work | |
2503 | %% well: IND-CCA! We could consider partial information about Alice's key, | |
2504 | %% but it's going to have to come from somewhere, so we'll suppose that Alice | |
2505 | %% uses it directly. (Working with partial information seems really hard, so | |
2506 | %% I'll leave that one for someone cleverer.) | |
2507 | %% | |
2508 | %% What does Alice give the judge? Ciphertext, plaintext, supporting | |
2509 | %% evidence. The supporting evidence is tough: want to allow stuff like | |
2510 | %% proofs or session keys, but disallow things like hashes of plaintext. | |
2511 | %% | |
2512 | %% Game, initial stab | |
2513 | %% | |
2514 | %% 1. Alice chooses message $m$. | |
2515 | %% 2. Sends $m$ to Bob. Bob encrypts $m$, and returns ciphertext $y$. | |
2516 | %% 3. Alice examines $y$ and constructs evidence $v$. | |
2517 | %% 4. Alice sends $(m, y, v)$ to judge | |
2518 | %% | |
2519 | %% This is going to be hard. Provide input message to Alice and universally | |
2520 | %% quantify? Maximize? | |
2521 | %% | |
2522 | %% So, the real game, for a message $m$ is to run Alice with $m$ and $y$. | |
2523 | ||
2524 | %%%-------------------------------------------------------------------------- | |
2525 | \section{Open problems} | |
2526 | \label{sec:open} | |
2527 | ||
2528 | A number of problems remain outstanding. | |
2529 | \begin{itemize} | |
2530 | \item Construct a strongly deniably authenticated encryption scheme which is | |
2531 | secure in the standard model. | |
2532 | \end{itemize} | |
2533 | ||
2534 | ||
2535 | \section{Acknowledgements} | |
2536 | \label{sec:ack} | |
2537 | ||
2538 | I'm very grateful to Christine Swart for encouraging me to actually write | |
2539 | this up properly. | |
2540 | ||
2541 | \bibliography{mdw-crypto,cryptography,cryptography2000,eprint,jcryptology,lncs1991,lncs1997b,lncs2002b,rfc} | |
2542 | ||
2543 | \end{document} | |
2544 | ||
2545 | %%% Local variables: | |
2546 | %%% mode: LaTeX | |
2547 | %%% TeX-PDF-mode: t | |
2548 | %%% End: |