More on Diffie-Hellman Encryption Schemes

Joonsang Baek, Information Security Research Group, Khalifa University of Science, Technology and Research

21 May 2012

What This Talk is About

Joonsang Baek (KUSTAR)

More on Diffie-Hellman Encryption Schemes

21 May 2012

2 / 21

Diffie-Hellman Key Exchange

Proposed by Diffie and Hellman in their seminal paper “New Directions in Cryptography” (1976).

Diffie-Hellman Key Exchange

Description:
Let G be a cyclic group of prime order q with generator g.
Alice’s public key: (G, q, g, y_A), where y_A = g^{x_A}; Alice’s private key: x_A ∈ Z_q.
Bob’s public key: (G, q, g, y_B), where y_B = g^{x_B}; Bob’s private key: x_B ∈ Z_q.
Alice’s and Bob’s public keys are published (exchanged).
Alice computes y_B^{x_A}; Bob computes y_A^{x_B}.

Alice and Bob now share the same key g^{x_A x_B}.

ElGamal Encryption

Proposed by Taher ElGamal. A public-key encryption scheme inspired by the Diffie-Hellman protocol.

ElGamal Encryption

Basic idea: Make Alice’s public key ephemeral. Alice does not need to have a certificate any more.

Description:
Bob’s public key: (G, q, g, y), where y = g^x; Bob’s private key: x ∈ Z_q.
Alice encrypts: Pick r ∈ Z_q at random and compute a ciphertext c = (g^r, y^r M).
Bob decrypts: Parse c as (c_1, c_2). Compute M = c_2 / c_1^x.
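As an added example (not code from the talk), the Diffie-Hellman exchange and the ElGamal steps above, written in Python over a small constructed safe-prime group; the group parameters, the key-encoding of messages and the `malleate` helper are my assumptions, and that last function shows why IND-CPA alone does not give IND-CCA, the gap that DHIES closes with a MAC later in the talk.

```python
import secrets

# Toy group constructed for this example: p = 2q + 1 is a safe prime, so
# g = 4 generates the subgroup G of order q (the quadratic residues mod p).
# A real deployment uses a 2048-bit group or an elliptic curve instead.
P, Q, G = 1019, 509, 4

def keygen():
    """Private key x in Z_q (non-zero), public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def dh_shared(my_private, their_public):
    """Diffie-Hellman: y_B^{x_A} and y_A^{x_B} are both g^{x_A x_B}."""
    return pow(their_public, my_private, P)

def elgamal_encrypt(y, m, r=None):
    """c = (g^r, y^r * M); r is drawn fresh unless supplied (for tests)."""
    assert pow(m, Q, P) == 1, "M must be encoded as an element of G"
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(y, r, P) * m) % P

def elgamal_decrypt(x, c):
    """M = c2 / c1^x, the division done via the modular inverse."""
    c1, c2 = c
    return (c2 * pow(pow(c1, x, P), -1, P)) % P

def malleate(c, k):
    """Multiplying c2 by k in G gives a valid encryption of M*k without
    knowing x or M: ElGamal is IND-CPA but not IND-CCA, which is why
    DHIES wraps the symmetric ciphertext in a MAC."""
    c1, c2 = c
    return c1, (c2 * k) % P
```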

Security of ElGamal Encryption

Indistinguishability under Chosen Plaintext Attack (IND-CPA) can be defined by the following game, played by a polynomial-time attacker, Malvin:

1. Malvin has access to Bob’s public key.
2. Malvin outputs two equal-length plaintexts (m_0, m_1).
3. One of them is chosen at random (with probability 1/2), is encrypted, and the resulting ciphertext is sent to Malvin by the game.
4. During the attack, Malvin can choose any plaintexts and encrypt them on his own. → CPA.
5. Malvin tells which one of m_0 and m_1 was encrypted.

Security of ElGamal Encryption

The public-key encryption scheme is IND-CPA if Malvin cannot succeed with probability significantly greater than 1/2 (a random guess).

Theorem. The ElGamal encryption scheme is IND-CPA secure assuming that the Decisional Diffie-Hellman problem is hard.

Decisional Diffie-Hellman (DDH): Malvin is to distinguish (g, g^a, g^b, g^{ab}) from (g, g^a, g^b, g^c), where a, b, c ∈ Z_q are chosen independently at random.

DHIES

DHIES → Diffie-Hellman Integrated Encryption Scheme
Proposed by Abdalla, Bellare and Rogaway in 2001.
In standards/draft standards of ANSI, IEEE, ISO, and SEC.
A hybrid encryption scheme inspired by the ElGamal encryption scheme.
Hybrid Encryption: The public-key cryptosystem generates a random symmetric key, and then the message is encrypted with that symmetric key using an appropriate symmetric encryption scheme.

DHIES

Basic idea: An ElGamal-like scheme generates a random symmetric key. That key is used to encrypt a message using a symmetric encryption scheme. To prevent chosen ciphertext attacks, a MAC is applied to the symmetric encryption.

Description:
Bob’s public key: (G, q, g, y), where y = g^x; Bob’s private key: x ∈ Z_q.
Alice encrypts: Pick r ∈ Z_q at random and compute a session key k_enc || k_mac = H(g^r, y^r). Output a ciphertext c = (g^r, E_{k_enc}(m), MAC_{k_mac}(E_{k_enc}(m))).
Bob decrypts: Parse c as (c_1, c_2, c_3). Compute k_enc || k_mac = H(c_1, c_1^x). Check MACVerify_{k_mac}(c_2, c_3) = 1. If it is 1, output D_{k_enc}(c_2). Else output “reject”.

Security of DHIES

Indistinguishability under Chosen Ciphertext Attack (IND-CCA):

1. Malvin has access to Bob’s public key.
2. Malvin outputs two equal-length plaintexts (m_0, m_1).
3. One of them is chosen at random (with probability 1/2), is encrypted, and the resulting ciphertext is sent to Malvin.
4. During the attack, Malvin can choose any plaintexts and encrypt them on his own. Malvin also queries arbitrary ciphertexts and receives the corresponding plaintexts. However, he cannot query the ciphertext he obtained in Step 3.
5. Malvin tells which one of m_0 and m_1 was encrypted.

Security of DHIES

The public-key encryption scheme is IND-CCA if Malvin cannot succeed with probability significantly greater than 1/2 (a random guess).

Theorem. In the random oracle model, the DHIES scheme is IND-CCA secure assuming that the Gap Diffie-Hellman problem is hard, the symmetric encryption is one-time IND-secure and the MAC is unforgeable.

Gap Diffie-Hellman (GDH): Given (g, g^a, g^b), Malvin is to compute g^{ab} (CDH) with the help of a DDH oracle which can distinguish (g, g^a, g^b, g^{ab}) from (g, g^a, g^b, g^c), where a, b, c ∈ Z_q are chosen at random.

Stateful DH Encryption

Proposed by Bellare, Kohno and Shoup in 2007 (ACM CCS). A hybrid encryption scheme inspired by DHIES, with some very nice observations. :)
Basic idea: Alice maintains state and reuses it. This way, Alice can save the computations needed to produce ephemeral keys.

Stateful DH Encryption

Description:
Bob’s public key: (G, q, g, y), where y = g^x; Bob’s private key: x ∈ Z_q.
Alice creates state: Pick r ∈ Z_q at random and compute g^r. Output a state st = (r, g^r). (st will be reused until Alice wants to create a new state.)
Alice encrypts: Parse st as (r, g^r) and compute a session key k = H(y, g^r, y^r). Output a ciphertext c = (g^r, E_k(m)).
Bob decrypts: Parse c as (c_1, c_2). Compute k = H(y, c_1, c_1^x). Output D_k(c_2).

Stateful DH Encryption

Saving of computations: Since (r, g^r) is reused, Alice does not need to compute g^r every time she wants to encrypt a new message. Alice can also store the state as (r, g^r, y^r); in this case, she does not even have to compute y^r. As a result, two exponentiations are saved for each encryption.
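As an added example (not the author’s code), DHIES and the stateful variant side by side in Python, with a counter on modular exponentiations to confirm the two-exponentiation saving described above; the toy group, the SHA-256 KDF and the HMAC-based randomised encrypt-then-MAC layer are stand-ins I assume in place of the scheme’s H, E and MAC, and the symmetric layer carries a fresh nonce per message because a reused state only stays indistinguishable when the symmetric encryption is randomised.

```python
import hashlib, hmac, secrets

# Toy group constructed for this example: p = 2q + 1 is a safe prime and
# g = 4 has order q. EXPS counts modular exponentiations to show the saving.
P, Q, G = 1019, 509, 4
EXPS = {"n": 0}

def exp(b, e):
    EXPS["n"] += 1
    return pow(b, e, P)
def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, exp(G, x)

def kdf(*parts):
    """H(...) -> k_enc || k_mac; SHA-256 stands in for the scheme's hash H."""
    k = hashlib.sha256(b"|".join(str(v).encode() for v in parts)).digest()
    return k[:16], k[16:]

def sym_encrypt(keys, m):
    """Randomised encrypt-then-MAC: nonce || (m xor keystream) || tag, m <= 32 bytes.
    The HMAC-derived keystream stands in for a real cipher such as AES-CTR."""
    k_enc, k_mac = keys
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(m, hmac.new(k_enc, nonce, hashlib.sha256).digest()))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(keys, blob):
    k_enc, k_mac = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        return None  # "reject": the MAC did not verify, so nothing is decrypted
    return bytes(a ^ b for a, b in zip(ct, hmac.new(k_enc, nonce, hashlib.sha256).digest()))

def dhies_encrypt(y, m):
    """DHIES: a fresh r per message costs two exponentiations, g^r and y^r."""
    r = secrets.randbelow(Q - 1) + 1
    c1 = exp(G, r)
    return c1, sym_encrypt(kdf(c1, exp(y, r)), m)
def dhies_decrypt(x, c):
    return sym_decrypt(kdf(c[0], exp(c[0], x)), c[1])
def new_state(y):
    """Stateful DH: st = (r, g^r, y^r) is computed once and reused for receiver y."""
    r = secrets.randbelow(Q - 1) + 1
    return r, exp(G, r), exp(y, r)
def stateful_encrypt(st, y, m):
    """No exponentiation at all: k = H(y, g^r, y^r), then the randomised symmetric layer."""
    _, c1, z = st
    return c1, sym_encrypt(kdf(y, c1, z), m)
def stateful_decrypt(x, y, c):
    return sym_decrypt(kdf(y, c[0], exp(c[0], x)), c[1])
```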

Security of Stateful DH Encryption

The security model for stateful public-key encryption (StPE) is based on IND-CCA, but much more is involved:
To provide indistinguishability, randomizing the symmetric-key encryption is important. (Note that if the encryption is deterministic, we cannot expect it to be indistinguishable.) But this can be done faster than calculating g^r for a fresh random r whenever a new encryption is performed.
The same state can be used to encrypt multiple messages to a single receiver.
The same state can be used to encrypt a message to multiple receivers.

Security of Stateful DH Encryption

Theorem. In the random oracle model, the stateful DH encryption scheme is StPE-IND-CCA secure assuming that the GDH problem is hard and the symmetric encryption scheme is IND-CCA secure.

Gap Diffie-Hellman (GDH): Given (g, g^a, g^b), Malvin is to compute g^{ab} (CDH) with the help of a DDH oracle which distinguishes the distribution (g, g^a, g^b, g^{ab}) from (g, g^a, g^b, g^c), where a, b, c ∈ Z_q are chosen at random.

Then... Why Stateful Public-Key Encryption?

Efficiency. Saving g^r and y^r does not seem to be a big deal on the very powerful machines readily available these days, but it turns out to be useful in resource-constrained devices like wireless sensors. For example, the following table shows the capacity of the MICAz sensor, developed by Crossbow Inc.:
CPU: ATmega128
Speed: 8 MHz
ROM: 128 KB
RAM: 4 KB

Then... Why Stateful Public-Key Encryption?

Efficiency. My previous work shows that carefully implemented stateful DH encryption saves a significant amount of computation, and hence energy, on the MICAz platform.

Some ongoing and future work

Security against state exposure or leakage (ongoing): If Alice loses her state, the past and future encryptions will be compromised. This is quite likely when encryptors do not have good physical protection, like sensors.
Application of the state reuse technique to other crypto schemes (ACNS ’08, CT-RSA ’11): There is a stateful IBE. But care should be taken, as not all IBEs can be secure under randomness reuse.
Unexpected applications of the randomness reuse technique: Who knows, there may be some schemes whose structures are heavily dependent on state reuse.
Implementations of stateful schemes on resource-constrained devices. → Lightweight PKC

Thank you very much! For more details, please apply for MSc in Information Security at KUSTAR!!!