setting if for any PPT adversary A, is ... The definition guarantees that the secret key, plaintexts, or ... All ciphertexts seen by the adversary are under a single.
Public-Key Encryption in a Multi-User Setting: Privacy, Anonymity and Efficiency Alexandra Boldyreva Georgia Institute of Technology
Plan • Encryption, a tool for data privacy • Provable security • Standard definitions of data privacy • The need to consider the multi-user setting • Security • Efficiency • Anonymity
Encryption is • a tool for achieving data-privacy, • is very important nowadays, • used by many people, often without realizing it, when: – doing on-line banking and shopping – talking on cell phones – watching satellite TV and payper-view movies
On-line shopping, banking rely on encryption
SSL protocol ensures privacy of communicated data (uses RSA-OAEP encryption scheme [BR])
Two settings 1. Symmetric-key setting K
K
2. Asymmetric (public-key) setting
PK SK
Public-key encryption coins
k coins
Receiver R
skR
Common-key generation algorithm G I Key generation pkR algorithm K
pkR coins M Encryption algorithm E Sender
Public key
Name
---
---
pkR
R
---
---
skR C
Decryption M/⊥ algorithm D Receiver R
How can we be confident that a given encryption scheme is secure? An attack found
Try to find an attack yes
Insecure Prove security (the absence of attacks) under some assumptions
An attack found yes Assumption was false
no ?
What does “security” mean? Security means that given a public key and a ciphertext it is infeasible to recover:
the secret key the plaintext etc. Any partial information about the plaintext
But…
Can be true if the plaintext is sent in the clear Can be true if all but the last bit are leaked etc.
Encryption security definition, IND-CPA [GM] k
Π=(G,K,E,D)
(pk,sk) I G K pk M0,M1
A
b
Mb
Epk(•)
C=Epk(Mb) d 1-ind-cpa A,!
Adv
(k)=2Pr[win]-1
Adversary wins if b=d
Probability is over coins of G,K,E,A and choice of b.
An encryption scheme Π is IND-CPA in the single user 1-ind-cpa Adv (k) is setting if for any PPT adversary A, A,! negligible in k.
Why IND-CPA? The definition guarantees that the secret key, plaintexts, or any partial information about the plaintexts are not leaked.
IND-CPA is not always enough Bleichenbacher’s attack on a previous version of SSL: C' “invalid ciphertext!”
pk
C'' “invalid ciphertext!”
C''' OK Alice's session key
C''''''''' “invalid ciphertext!”
C=
E
pk (
OK Al ice 's se ss ion ke y)
Encryption security definition, IND-CCA k
(pk,sk) I G K
Dsk(•)
Π=(G,K,E,D)
pk M0,M1
A
b
Mb
Epk(•)
C=Epk(Mb)
A is not allowed to query C to Dsk(•) A wins if b=d
d
Adv1-ind-cca (k)=2Pr[win]-1 A,! An encryption scheme Π is IND-CCA in the single user 1-ind-cca Adv (k) setting if for any PPT adversary A, A,! is negligible in k.
Proven secure schemes Scheme
Security
Proven assuming
ElGamal
IND-CPA
Decision Diffie-Hellman (DDH)
Cramer-Shoup
IND-CCA
DDH
RSA-OAEP [BR] DHIES [ABR]
Usage
IND-CCA One-wayness of RSA, RO PKCS #1 2.1 IND-CCA
ODH
IEEE P1363a
Data-privacy in the multi-user setting
Motivation All provably-secure encryption schemes are proven secure in the single-user setting Person with a public key, able to receive ciphertexts
C
Sender
pk Receiver
All ciphertexts seen by the adversary are under a single public key
But the single-user setting is very different from practice, where there are many users sending each other encrypted messages: pk1 C1
pk7
C2
C7
C
3
C4
C
6
pk4 pk6
pk3
pk2
Plain RSA encryption [RSA] G(k)
K(k)
Epk(M) M∈Ζ*N
k∈Ν Return
Dsk(C)
$ k p,q ← k-bit primes
C ← Me mod N Return C
N ← p·q $
M← Cd mod N Return M
e←
Ζ*(p-1)(q-1) d ← Ζ*(p-1)(q-1)
s.t. e·d≡1 mod (p-1)(q-1) pk ← (N, e) sk ← (N, d) Return (pk, sk) easy Believed to be one-way:
Cd = M
C = Me
easy given d hard not given d
Håstad-type attack on Plain RSA Plain RSA: pk=(N, e); Epk(M)=Me mod N C1, C2, C3, pk1, pk2, pk3 M
od N 1 m M C1 = C2 = 3 M m od N C 2 3 = M3 mo dN 3
3
pk1=(N1, 3)
pk2=(N2 , 3) pk3=(N3 , 3)
If N1,N2,N3 are relatively prime then by Chinese Remainder Theorem can combine C1 = M3 mod N1 C2 = M3 mod N2 C3 = M3 mod N3 to find C = M3 mod N1 N2 N3 Since M3 < N1 N2 N3 then 3
M←√C
• Plain RSA: – Is one-way in the single-user setting. – Is not one-way in the multi-user setting. – However, it is not IND-CPA in the singleuser setting.
Plain RSA is not IND-CPA secure (as well as any deterministic scheme Π) pk M0,M1
A
If Epk(M0)=C
b
Mb
Epk(•)
Epk(Mb)
then d←0 else d←1
d
A always wins,
Adv1 (A) = 1 Adv1 (t ) = 1
A crucial question Are the “provably-secure” schemes (e.g. ElGamal, RSA-OAEP) really secure in the practical (multiuser) setting? To answer this one needs to define security in the multi-user setting
Towards a security definition for encryption in the multi-user setting
E = C1 pk2
C
2=
E
pk 2
(M)
pk1
pk 1
(M
C
3=
E
pk 3
(M
(M
) pk4
)
) M +
pk 4 E =
C4
Danger: the adversary can see encryptions of related messages under different public keys.
pk3
Security definition (many users, CPA) [BBM] k
G I I K (pk1,sk1)
Π=(G,K,E,D)
Ei(•,•) M0,M1
b
Mb
Epki (•)
Epk (Mb ) i
I
K
(pkn,skn)
b Adversary wins if b = d Adv n-ind-cpa (k) = 2Pr[win] " 1 A,! An encryption scheme Π is IND-CPA in the multi-user setting if for any polynomial n and PPT adversary A, Adv n-ind-cpa (k) is negligible in k. A,!
E1 E2 Ei En
d
A pk1 pki pkn
Reminder Adv attack type (resourses of attacker) = max probability of any attacker breaking the scheme Small = good Big = bad
General reduction [BBM] Theorem. Let Π = (K, E, D) be a public-key encryption scheme. Then
Adv n (t , qe ) ! qe n " Adv1 (t #) where t’≈t Corollary. Encryption schemes polynomially-secure in the single-user setting are polynomially-secure in the multi-user setting.
General reduction • implies schemes like El Gamal, RSA-OAEP are polynomially-secure in the multi-user setting. • shows benefits of targeting strong, welldefined security definitions in the single-user setting: security in extended settings follows automatically.
The need for concrete security improvements Consider a public-key encryption scheme Π 1 !60 # with Adv (t ) " 2 Assume in a real setting the number of users n = 200 000 000. Allow qe = 230 messages be encrypted under each public key. Then
n
Adv (t , q ) ! 0.2
Tightness of the general reduction Question. Is there a better reduction? No! Proposition. [BBM] There exists a public-key encryption scheme Π with n
1
Adv (t , qe ) = "(qe n) # Adv (t !) So, loss in security cannot be prevented in general. But we can hope to do better for specific schemes.
ElGamal encryption scheme G(k) k∈Ν p ← k-bit prime g ← generator of a group G of order p Return (g, p)
K(I) $
x←
Ζp
X ← gx pk ← (g, p, X) sk ← (g, p, x) Return (pk, sk)
Epk (M) M∈G $
r ← Ζp Return (gr, Xr ·M )
Dsk (C) K ← Yx M ← T·K-1 Return M
ElGamal in the multi-user setting Our general reduction implies Adv n (t , qe ) " 2qe n # Adv1 (t !)
Theorem [BBM]: improved reduction 1 Adv (t , qe ) " 2Adv (t !) + p n
1
ElGamal scheme in the multi-user setting as secure as it is in the single user setting
Towards better efficiency of encryption in the multi-user setting
Consider a scenario where a sender needs to encrypt messages for several recipients: pk1 C1
pk7
pk2
C2
C7
C
3
C4
C
6
pk4 pk6
pk3
Simple solution Sender pk1 M1
E
C1
Receiver 1
E
C2
Receiver 2
E
Cn
coins1
pk2 M2 coins2
pkn Mn coinsn
Receiver n
• •
Computational cost is n times that of the standard scheme
•
Can we do it more efficiently?
Total length of all ciphertexts C1,..,Cn has size n times the size of a ciphertext in the standard scheme
An application. Pay-TV.
DirectTV Encrypted messages are being broadcast such that only legitimate recipients can decrypt them. It is desirable to shorten the broadcast communication
MRES Public key
Name
pk1
R1
pk1 M1
pkn coins
Encryption
C1
algorithm
pkn
Rn
Mn
E
Cn
Sender ski
Ci
Decryption Mi algorithm D
Receiver Ri
Naïve MRES Sender pk1 M1
E E
C1
Receiver 1
C2
Receiver 2
coins1
pk2 M2
E coins2
pkn Mn
E coinsn
coins=coins1||coins2||…||coinsn
Cn
Receiver n
Our suggestion We suggest a possibility to “reuse” random coins used in the naïve MRES encryption: Sender pk1 M1
E C1
Receiver 1
E
C2
Receiver 2
E
Cn
E coins
pk2 M2 coins
pkn Mn
Receiver n
coins coins
We call such schemes Randomness Reusing MRES (RR-MRES)
Why are RR-MRESs interesting? Consider ElGamal-based RR-MRES: Sender pk1= g
x1
x2
M2 xn g pkn=
Mn
r
C1 ! (g ,g
M1 pk2= g
EG
r
C2 ! (g ,g
x1r
" M1 )
x2r
" M2 )
Receiver 2
Cn ! (g r ,g x n r " M n ) coins= r
Receiver 1
Receiver n
Why are RR-MRESs interesting? • •
Half the number of exponentiations used by the naive ElGamalbased MRES. xr x r r If ciphertexts are broadcast, need only send (g ,g 1 ! M1 ,.., g n ! M n ) which is half the length of the broadcast vector for the naive MRES.
•
Saving 50% in computation is important: exponentiations are still relatively slow operations, people struggle to get any improvements.
•
Our results serve as a proof of concept, people could try to achieve even better savings.
But are these schemes secure? • To analyze security of MRESs one needs an appropriate security definition. – The security definitions for the multi-user setting are incompatible with syntax of MRESs. – New types of attacks arise in the multi-recipient setting.
What should an adversary be allowed to do? •
An adversary can see encryptions of related messages under different public keys
•
An adversary can be one of the recipients: – Learn the corresponding secret key, decrypt the ciphertexts – Register its own public key, which possibly depends on public keys of honest users
Rogue-key attacks: An example Receivers
Sender
pk1=gx M1
pk2=(gx)2 M2
pk3=(gx)3 M2
C’ 1
EG
C1 =(g r , g xr ! M 1 ) C2 =(g r , g 2 xr ! M 2 )
C3 =(g r , g 3 xr ! M 2 ) coins= r
C1! " g 2 xr " M 2 M 1 = 3 xr g " M2
Towards a security definition for MRESs •
Our model allows an adversary to corrupt some recipients and obtain their secret keys.
•
The model also allows an adversary to choose public keys of corrupted recipients as a function of the public keys of honest recipients.
•
But: Only if it also outputs valid corresponding secret keys. This abstraction avoids consideration of explicit proofs of knowledge of secret keys, which are done (should be done) when users register their public keys with the CAs.
•
Security requires it still be unable to obtain even partial information about messages sent to uncorrupted recipients.
MRESs security definition (against CPA) [BBS] pk pk1 ,.,pkl , pkl+1,.,pkn pk1+1,.,pkn sk1+1,.,skn M0,1,..,M0,l M ,..,M n M1,1,..,M1,l l+1
A
A wins if b=d
b C1,..,Cn←Epk(Mb,1,..,Mb,l ,Ml+1,…,Mn) d
MRES AE is IND-CPA secure in the multirecipient setting if ∀ PPT A mr ! cpa Adv An !, AE (k ) = 2 Pr[ A wins] ! 1
is negligible in k
The possibility of insider and rogue-key attacks exists for both standard and multi-recipient encryption schemes. The definition of security for MRESs takes them into account while the one for encryption in the multi-user setting does not. Why? It is not necessary: Claim. For ATK∈{CPA,CCA}, an encryption scheme AS is IND-ATK in the multi-user setting iff AS-based naïve MRES is IND-ATK in the multi-recipient setting.
Not all RR-MRESs are secure. Example. RSA-OAEP
pk1=(3,N1)
RSA
M
C1 = OAEP( M ; r )3 mod N1
pk2=(3,N2) M
C2 = OAEP( M ; r )3 mod N 2
pk3=(3,N3) M
C1,C2,C3 OAEP(M;r) M
C3 = OAEP( M ; r )3 mod N 3 coins=r
To facilitate finding secure RR-MRESs we suggest a special test: Standard secure encryption scheme
Reproducibility Test
Y: RR-MRES is secure N: it may not be
Avoids case-by-case security analysis of MRESs.
Reproducibility test and theorem A standard encryption scheme AE is reproducible if ∃ a PPT algorithm R: pk, C=Epk(M;r) pk’,sk’,M’
R
C’=Epk’(M’;r)
Theorem. For ATK∈{CPA,CCA}, if a standard encryption scheme AE is 1.
reproducible
2.
IND-ATK secure
then the corresponding RR-MRES is IND-ATK secure.
Security of ElGamal-based RR-MRES Lemma. El Gamal encryption scheme EG is reproducible. Proof.
pk=gx,
C=(gr,gxr·M)
pk’=gx’,sk’=
x’,M’
R
C’
C’=(gr,(gr)x’·M’)
Fact. DDH is hard => EG is IND-CPA secure Corollary.
Lemma + Fact + Reproducibility theorem
El Gamal-based RR=> MRES is IND-CPA secure
Anonymity (key-privacy) in the multi-user setting
x=? pk5 pk7
pk1 C=
C7
pk8
C4
C
6
pk4 pk6
pk2
Epk ( x M)
pk3
Anonymity (key privacy) • Data privacy was considered the sole goal of encryption • Key privacy is another, previously overlooked goal C=
Epk2(M)
x=2, => R2 is in Lyon
pk2
Public key
Name
pk1
R1
pkn
Rn
This property of encryption is required be various protocols, such as anonymous credentials, mix-nets, private keyword search, etc.
RSA is not anonymous Public key
Name
pk1=(e1,N1) pk2=(e2,N2)
R1 R2
Epki (M): Mei mod Ni
If C > N1, then it’s a ciphertext addressed to R2 The same attack applies to all popular variations of RSA scheme, including RSA-OAEP.
Anonymity. [BBDP] Summary of contributions • Defined an appropriate security definition • Proved that ElGamal and Cramer-Shoup provide anonymity under the same assumptions they provide data-privacy • Show how to modify RSA to provide anonymity
References. •
[BBM] With M. Bellare and S. Micali, “Public-Key Encryption in a Multi-User Setting: Security Proofs and Improvements.” In Eurocrypt 2000 Proceedings, (LNCS) Vol. 1807, pp. 259-274, 2000.
•
[BBDP] With M. Bellare, A. Desai and D. Pointcheval, “Key-Privacy in Public-Key Encryption.” In Asiacrypt 2001 Proceedings, LNCS Vol. 2248, pp. 566-582, 2001.
•
[BBS] With M. Bellare and J. Staddon, “Randomness Re-use in Multi-Recipient Encryption Schemes.” In Public Key Cryptography (PKC) 2003 Proceedings, LNCS Vol. 2567, pp. 85-99, 2003.
•
[BBKS] With M. Bellare, K. Kurosawa and J. Staddon, “Multi-Recipient Encryption Schemes: Security and Optimization.” Work in progress.
Available at http://www.cc.gatech.edu/~aboldyre/publications.html
Thank you!
