1 \xcalways\section{Integrated public-key encryption schemes
}\x
3 The formulation here is original work by the author. I've tried to
4 generalize the work by (among others), Shoup, and Abdalla, Bellare and
5 Rogaway. The final proof is from a Usenet article prompted by David
6 Hopwood, but based on the DHAES proof by ABR.
8 \xcalways\subsection{Introduction and definitions
}\x
12 \head{Motivation for integrated encryption
}
14 Public-key encryption schemes are very useful, but there are disadvantages:
16 \item they tend not to be very fast; and
17 \item they don't tend to be able to encrypt arbitrarily large messages.
19 Symmetric schemes don't have these problems, but key distribution is
20 harder. It seems sensible to construct `hybrid' schemes which use
21 public-key techniques for exchanging keys for symmetric encryption schemes.
23 Throughout the following, we'll consider our objective to be resistance to
24 \emph{adaptive chosen-ciphertext
} attacks.
28 \head{An obvious approach
}
30 A simple approach would be to generate a random key for some secure (i.e.,
31 IND-CCA) symmetric scheme, encrypt the message under that key, and, encrypt
32 the key under the recipient's public key (using some IND-CCA2 public-key
35 This is obviously secure. But the security results for most public-key
36 schemes are less than encouraging: the reductions, even for OAEP+, are
39 Can we do
\emph{better
} than this na\"
{\i}ve approach?
43 \topic{key encapsulation
}
44 \head{Key-encapsulation mechanisms
\cite{Shoup:
2001:PIS
}}
46 A
\emph{key-encapsulation mechanism
} (KEM) $
\mathcal{K
} = (G, X, R)$ is a
49 \item a probabilistic
\emph{key-generation
} algorithm~$G$, which takes no
50 input (or a security parameter for asymptotic types) and returns a pair
52 \item a probabilistic
\emph{exchange
} algorithm~$E$, which is given a
53 as input a public key~$P$ and returns a
\emph{public value
}~$y$ and a
54 \emph{hash
} $h
\in \
{0,
1\
}^k$; and
55 \item a deterministic
\emph{recovery
} algorithm~$R$, which is given as
56 input a private key~$K$ and a public value~$y$ and returns a hash $h$.
58 We require for correctness that, if $(P, K)
\in G$ and $(y, h)
\in X_P$,
61 The idea is that the key-encapsulation mechanism invents a key and public
62 value simultaneously. We'll look at such mechanisms constructed from both
63 trapdoor one-way functions like RSA, and schemes like Diffie-Hellman.
67 \topic{oracle hash decision problems
}
68 \head{Oracle hash decision problems
}
70 We say that a key-encapsulation mechanisms is secure if the corresponding
71 \emph{oracle hash decision problem
} is hard. Consider this experiment:
73 Experiment $
\Expt{ohd-$b$
}{\mathcal{K
}}(A)$: \+ \\
75 $h_0
\getsr \
{0,
1\
}^k$; $(y, h_1)
\gets X_P$; \\
76 $b'
\gets A^
{R_K(
\cdot)
}(P, y, h_b)$; \\
79 We forbid the adversary from querying its $R_K$ oracle at $y$. We define
80 advantage and insecurity in the usual way:
82 \Adv{ohd
}{\mathcal{K
}}(A) &=
83 \Pr[\Expt{ohd-$
1$
}{\mathcal{K
}}(A) =
1] -
84 \Pr[\Expt{ohd-$
0$
}{\mathcal{K
}}(A) =
1]
86 \InSec{ohd
}(
\mathcal{K
}; t, q) &=
87 \max_A \Adv{ohd
}{\mathcal{K
}}(A)
89 where the maximum is taken over adversaries $A$ running in time $t$ and
90 issuing $q$ recovery queries.
93 \xcalways\subsection{Constructions for key-encapsulation mechanisms
}\x
96 \topic{trapdoor one-way permutations
}
97 \head{Constructing a KEM from a trapdoor OWP
}
99 Why might key-encapsulation mechanisms exist, and how do we construct them?
101 In the random oracle model, we can construct a KEM from any trapdoor
102 one-way permutation. Let $
\mathcal{T
} = (G, f, T)$ be such a one-way
103 permutation, and let $H
\colon \
{0,
1\
}^*
\to \
{0,
1\
}^k$ be a public random
104 oracle. We can construct $
\Xid{\mathcal{K
}}{OWF
}^
{\mathcal{T
}, H
} = (G,
105 \Xid{X
}{OWF
}^
{\mathcal{T
}, H
},
\Xid{R
}{OWF
}^
{\mathcal{T
}, H
})$ as follows:
107 Algorithm $
\Xid{X
}{OWF
}^
{\mathcal{T
}, H(
\cdot)
}_P$: \+ \\
108 $x
\getsr \dom f_P$; \\
110 \RETURN $(f_P(x), h)$;
112 Algorithm $
\Xid{R
}{OWF
}^
{\mathcal{T
}, H(
\cdot)
}_K(y)$: \+ \\
117 The security of this scheme is then given by:
118 \
[ \InSec{ohd
}(
\Xid{\mathcal{K
}}{OWF
}^
{\mathcal{T
}, H
}; t, q_R, q_H)
\le
119 2 \cdot \InSec{owf
}(
\mathcal{T
}; t + O(q_H) + O(q_R)). \
]%
123 Let $A$ be an adversary solving the oracle hash decision problem. Let $y^*
124 = f_P(x^*)$ be the challenge public value, and let $h^*$ be the challenge
125 hash. Suppose that $A$ never queries its random oracle $H$ at $x^*$: then
126 obviously $h = H(x^*)$ is independent of $A$'s view, and $A$ has no
127 advantage, and its probability of guessing the hidden bit is precisely
130 Suppose that we choose which OHD experiment uniformly at random. Let $S$
131 be the event that the adversary wins, i.e., it correctly guesses the hidden
134 \frac{\Adv{ohd
}{\Xid{\mathcal{K
}}{OWF
}^
{\mathcal{T
}, H
}}(A)
}{2} +
136 Let $F$ be the event that $A$ queries $H$ at $x^*$. Then by Shoup's Lemma
137 (lemma~
\ref{lem:shoup
}, page~
\pageref{lem:shoup
}),
138 \
[ \left|
\Pr[S
] -
\frac{1}{2}\right|
\le \Pr[F
]. \
]
140 Now consider this adversary $I$, attempting to invert the one-way function.
142 Inverter $I(P, y^*)$: \+ \\
143 $
\Xid{H
}{map
} \gets \emptyset$; \\
144 $h^*
\gets \
{0,
1\
}^k$; $x^*
\gets \bot$; \\
145 $b
\gets A^
{\Xid{R
}{sim
}(
\cdot),
\Xid{H
}{sim
}(
\cdot)
}(P, y^*, h^*)$; \\
146 \RETURN $x^*$; \- \\
[\smallskipamount]
147 Oracle $
\Xid{R
}{sim
}(y)$: \+ \\
148 \IF $y
\in \dom\Xid{H
}{map
}$
\THEN \RETURN $
\Xid{H
}{map
}(y)$; \\
149 $h
\gets \
{0,
1\
}^k$; \\
150 $
\Xid{H
}{map
} \gets \Xid{H
}{map
} \cup \
{ y
\mapsto h \
}$; \\
151 \RETURN $h$; \- \\
[\smallskipamount]
152 Oracle $
\Xid{H
}{sim
}(x)$: \+ \\
154 \IF $y = y^*$
\THEN \\
\quad \= \+
\kill
156 \IF $y
\notin \dom\Xid{H
}{map
}$
\THEN \\
\quad \= \+
\kill
157 $b^*
\getsr \
{0,
1\
}$; \\
159 $
\Xid{H
}{map
} \gets \Xid{H
}{map
} \cup \
{ y
\mapsto h^* \
}$ \-\-\\
160 \RETURN $
\Xid{R
}{sim
}(y)$;
162 The simulation of the random and `recovery' oracles is a little subtle, but
163 from the adversary's point of view perfect. Clearly, then, $I$ inverts
164 $f_P$ whenever $F$ occurs, and
165 \
[ \Succ{owf
}{\mathcal{T
}}(I)
167 \ge \frac{1}{2} \Adv{ohd
}{\Xid{\mathcal{K
}}{OWF
}^
{\mathcal{T
}, H
}}(A). \
]%
172 \topic{Diffie-Hellman
}
173 \head{A KEM based on Diffie-Hellman
\cite{Abdalla:
2001:DHIES
}}
175 Let $G =
\langle g
\rangle$ be a cyclic group, with $q = |G|$. Then we can
176 construct a KEM based on the difficulty of the Diffie-Hellman problem in
177 $G$. Let $H
\colon G^
2 \to \
{0,
1\
}^k$ be a public random oracle.
179 We define $
\Xid{\mathcal{K
}}{DH
}^
{G, H
} = (
\Xid{G
}{DH
}^
{G, H
},
180 \Xid{X
}{DH
}^
{G, H
},
\Xid{R
}{DH
}^
{G, H
})$ as follows:
182 Algorithm $
\Xid{G
}{DH
}^
{G, H(
\cdot,
\cdot)
}$: \+ \\
183 $
\alpha \getsr \Z/q
\Z$; \\
184 \RETURN $(g^
\alpha,
\alpha)$;
186 Algorithm $
\Xid{X
}{DH
}^
{G, H(
\cdot,
\cdot)
}_a$: \+ \\
187 $
\beta \getsr \Z/q
\Z$; \\
188 $h
\gets H(g^
\beta, a^
\beta)$; \\
189 \RETURN $(g^
\beta, h)$;
191 Algorithm $
\Xid{R
}{DH
}^
{G, H(
\cdot,
\cdot)
}_
\alpha(b)$: \+ \\
192 $h
\gets H(b, b^
\alpha)$; \\
196 But the question of this scheme's security is tricky. It doesn't seem to
197 fit any of our standard problems. We therefore have to invent a new one!
201 \head{The Gap Diffie-Hellman problem
}
203 The `Gap Diffie-Hellman' problem is essentially the Computational problem,
204 but given an oracle which can answer the Decisional problem.
206 Consider this experiment.
208 Experiment $
\Expt{gdh
}{G
}(A)$: \+ \\
209 $
\alpha \getsr \Z/q
\Z$; $
\beta \getsr \Z/q
\Z$; \\
210 $c
\gets A^
{C(
\cdot,
\cdot)
}(g^
\alpha, g^
\beta)$; \\
211 \IF $c = g^
{\alpha\beta}$
\THEN \RETURN $
1$; \\
214 Oracle $C(x, y)$: \+ \\
215 \IF $y = x^
\alpha$
\THEN \RETURN $
1$; \\
218 We define the success probability of an adversary $A$ as
219 \
[ \Succ{gdh
}{G
}(A) =
\Pr[\Expt{gdh
}{G
}(A) =
1] \
]
220 and the insecurity, against algorithms running in time $t$ and making $q_C$
222 \
[ \InSec{gdh
}(G; t, q_C) =
\max_A \Succ{gdh
}{G
}(A). \
]
226 \head{Security of the Diffie-Hellman KEM
}
228 Now that we have our new problem, the security result is relatively easy.
229 \
[ \InSec{ohd
}(
\Xid{\mathcal{K
}}{DH
}^
{G, H
}; t, q_R, q_H)
230 \le 2\cdot \InSec{gdh
}(G; t + O(q_R + q_H), q_H). \
]%
232 Note that it's very important that the random oracle is given
\emph{both
}
233 the public value $b$ and the shared secret $b^
\alpha$! Otherwise, the
234 scheme is
\emph{malleable
} in a group of composite order. For example,
235 suppose that $q =
2r$ for some $r$; then if $
\alpha$ is even, we have
236 $(b
\cdot g^r)^
\alpha = b^
\alpha$. Passing $b$ to the oracle ensures that
237 these queries given independent answers, even if the shared secret is the
242 Suppose that $A$ solves the oracle hash decision problem for
243 $
\Xid{\mathcal{K
}}{DH
}^
{G, H
}$. Let the input to~$A$ be the triple $(a, b,
244 h^*)$, where $a = g^
\alpha$ and $b = g^
\beta$; and let $h^* =
245 H(g^
{\alpha\beta})$. $A$ must decide whether $h = h^*$. Clearly, if $A$
246 never queries $H$ at $(g^
\beta, g^
{\alpha\beta})$ then its advantage is
247 zero, since it has no information about $h^*$.
249 As in the one-way function case, we have
250 \
[ \Pr[F
] \ge \frac{1}{2} \Adv{ohd
}{\Xid{\mathcal{K
}}{DH
}^
{G, H
}}(A) \
]
251 where $F$ is the event that $A$ queries $H$ at $(g^
\beta,
254 We present an algorithm~$B$ which can solve an instance of the Gap
255 Diffie-Hellman problem in~$G$ whenever event $F$ occurs.
257 Algorithm $B^
{C(
\cdot,
\cdot)
}(a^*, b^*)$: \+ \\
258 $
\Xid{R
}{map
} \gets \emptyset$; $
\Xid{H
}{map
} \gets \emptyset$; \\
259 $h^*
\gets \
{0,
1\
}^k$; \\
261 $b
\gets A^
{\Xid{R
}{sim
}(
\cdot),
\Xid{H
}{sim
}(
\cdot)
}
263 \RETURN $c^*$; \- \\
[\smallskipamount]
264 Oracle $
\Xid{R
}{sim
}(b)$: \+ \\
265 \IF $b
\in \dom\Xid{R
}{map
}$ \\
266 \THEN \RETURN $
\Xid{R
}{map
}(b)$; \\
267 $h
\gets \
{0,
1\
}^k$; \\
268 $
\Xid{R
}{map
} \gets \Xid{R
}{map
} \cup \
{ b
\mapsto h \
}$; \\
271 Oracle $
\Xid{H
}{sim
}(b, c)$: \+ \\
272 \IF $C(b, c) =
0$
\THEN \\
\quad \= \+
\kill
273 \IF $(b, c)
\in \dom\Xid{H
}{map
}$
\THEN
274 \RETURN $
\Xid{H
}{map
}(b, c)$; \\
275 $h
\gets \
{0,
1\
}^k$; \\
276 $
\Xid{H
}{map
} \gets \Xid{H
}{map
} \cup \
{ (b, c)
\mapsto h \
}$; \\
278 \IF $b = b^*$
\THEN \\
\quad \= \+
\kill
280 \IF $c
\notin \dom\Xid{R
}{map
}$
\THEN \\
\quad \= \+
\kill
281 $b^*
\getsr \
{0,
1\
}$; \\
283 $
\Xid{R
}{map
} \gets \Xid{R
}{map
} \cup \
{ y
\mapsto h^* \
}$ \-\-\\
284 \RETURN $
\Xid{R
}{sim
}(c)$; \- \\
288 \ge \frac{1}{2} \Adv{ohd
}{\Xid{\mathcal{K
}}{DH
}^
{G, H
}}(A) \
]%
292 \xcalways\subsection{An integrated encryption scheme
}\x
295 \head{An integrated encryption scheme
}
297 Let $
\mathcal{K
} = (G, X, R)$ be a key-encapsulation mechanism, and let
298 $
\mathcal{E
} = (E, D)$ be a symmetric encryption scheme. We define the
299 \emph{integrated encryption scheme
} $
\Xid{\mathcal{E
}}{IES
}^
{\mathcal{K
},
300 \mathcal{E
}} = (
\Xid{G
}{IES
}^
{\mathcal{K
},
\mathcal{E
}},
301 \Xid{E
}{IES
}^
{\mathcal{K
},
\mathcal{E
}},
\Xid{D
}{IES
}^
{\mathcal{K
},
302 \mathcal{E
}})$ as follows:
304 Algorithm $
\Xid{G
}{IES
}^
{\mathcal{K
},
\mathcal{E
}}$: \+ \\
308 Algorithm $
\Xid{E
}{IES
}^
{\mathcal{K
},
\mathcal{E
}}_P(x)$: \+ \\
309 $(y_0, h)
\gets X_P$; \\
310 $y_1
\gets E_h(x)$; \\
311 \RETURN $(y_0, y_1)$;
313 Algorithm $
\Xid{D
}{IES
}^
{\mathcal{K
},
\mathcal{E
}}_K(y_0, y_1)$: \+ \\
314 $h
\gets R_K(y_0)$; \\
315 $x
\gets D_h(y_1)$; \\
318 The security of this scheme relates tightly to that of the individual
320 \begin{eqnarray*
}[Ll
]
321 \InSec{ind-cca2
}(
\Xid{G
}{IES
}^
{\mathcal{K
},
\mathcal{E
}}; t, q_D) \\
323 2 \cdot \InSec{ohd
}(
\mathcal{K
}; t + O(q_D), q_D) +
324 \InSec{ftg-cca
}(
\mathcal{E
}; t + O(q_D),
0, q_D).
326 Note how weak the security requirements on the encryption scheme are: no
327 chosen-plaintext queries are permitted!
331 Suppose $A$ attacks $
\Xid{G
}{IES
}^
{\mathcal{K
},
\mathcal{E
}}$ in the
332 IND-CCA2 sense. We construct an adversary $B$ which attacks the KEM.
334 Adversary $B^
{R(
\cdot)
}(P, y, h)$: \+ \\
335 $(x_0, x_1, s)
\gets A^
{\Xid{D
}{sim
}(
\cdot)
}(
\cookie{find
}, P)$; \\
336 $b
\gets \
{0,
1\
}$; \\
337 $z
\gets E_h(x_b)$; \\
338 $b'
\gets A^
{\Xid{D
}{sim
}(
\cdot)
}(
\cookie{guess
}, (y, z), s)$; \\
339 \IF $b = b'$
\THEN \RETURN $
1$; \\
342 Oracle $
\Xid{D
}{sim
}(y_0, y_1)$: \+ \\
343 \IF $y_0 = y$
\THEN \RETURN $D_h(y_1)$; \\
344 $h'
\gets R(y_0)$; \\
345 \RETURN $D_
{h'
}(y_1)$;
347 If the $h$-value matches the public value $y$ then $B$ provides a correct
348 simulation of $A$'s attack game, and hence wins with probability
349 \
[ \frac{\Adv{ind-cca2
}{\Xid{G
}{IES
}^
{\mathcal{K
},
\mathcal{E
}}}}{2} +
351 We construct a new adversary $C$, attacking $
\mathcal{E
}$ in the FTG-CCA
352 sense, to help us bound $B$'s probability of success when $h$ is chosen
355 Adversary $C^
{E(
\cdot), D(
\cdot)
}(
\cookie{find
})$: \+ \\
358 $(x_0, x_1, s_A)
\gets A^
{\Xid{D
}{sim
}(
\cdot)
}(
\cookie{find
}, P)$; \\
359 \RETURN $(x_0, x_1, (P, K, s_A))$;
361 Adversary $C^
{E(
\cdot), D(
\cdot)
}(
\cookie{guess
}, y, s)$: \+ \\
362 $(P, K, s_A)
\gets s$; \\
363 $(h', y')
\gets X_P$; \\
364 $b <- A^
{\Xid{D
}{sim
}(
\cdot)
}(
\cookie{guess
}, (y', y), s_A)$; \\
367 Oracle $
\Xid{D
}{sim
}(y_0, y_1)$: \+ \\
368 \IF $y_0 = y'$
\THEN \RETURN $D(y_1)$; \\
369 $h
\gets R_K(y_0)$; \\
372 Clearly, $C$ provides the same environment as $B$ does when $h$ is random;
373 hence, in this case, $B$ wins with probability at most
374 \
[ \frac{\Adv{ftg-cca2
}{\mathcal{E
}}(C)
}{2} +
\frac{1}{2}. \
]
376 \
[ \Adv{ohd
}{\mathcal{K
}}(B) =
378 \Adv{ind-cca2
}{\Xid{G
}{IES
}^
{\mathcal{K
},
\mathcal{E
}}} +
379 \Adv{ftg-cca2
}{\mathcal{E
}}(C)
\right). \
]%
380 Rearranging yields the required result.
387 %%% TeX-master: "ips"