TODO:
- Probabilistic encryption
- GM82
- El-gamal
- Pailier
- trapdoor permutation
- [ ]
Public Key encryption scheme: :
- : public key defines the message space
- : takes secret key and message and outputs a ciphertext .
CPA security
eavesdropping indistinguishability experiment :
- is given pk, outputs a pair of messages
- uniform bit is chosen and challenge ciphertext is given to .
- outputs bit b’.
- experiment succeeds if and outputs 1.
No Deterministic public-key encryption is CPA-secure.
Proven in GM82, that any information that a adversary is able to gain about plaintext from ciphertext, it can gain that knowledge without ciphertext. Thus, any protocol designed on deterministic PK encryption is insecure. This includes, RSA without padding, block ciphers without IV.
TODO, read the paper in more detail.
CPA security for multiple encryption:
Prove that any CPA secure PK encryption scheme is also secure for multiple encryptions (adversary is given access to LR oracle that encrypts left or right message depending on the bit).
Informal proof using reduction approach:
- Create a new experiment , that allows maximum 2 oracle queries.
- selects two sets of message pairs: and , and gets back ciphertext that can be either equal to or from oracle, and need to differentiate between the two.
- Let denote distribution of messages in first pair, and denote second pair.
- Prove: .
- Create a new adversary that simulates oracle for , but fixes first message, i.e. receives either or . Let this distribution be denoted as
- If can distinguish between , then it can distinguish between . By simple linear algebra, it can distinguish between .
- Due to CPA security of , view of running as a subroutine by will be equal to that of . So, if is able to distinguish between, due to , then it will break CPA security. Since, this probability is negligible, can’t distinguish.
Formal proof using hybrid argument approach:
- TODO: need to read more about hybrid argument approach, but the experiment is again choosing an adversary that is able to break CPA security of if outputs correct bit.
- let be the maximum oracle queries can make, and t is polynomially bounded.
- chooses a random index: .
- For jth encrpytion:
- if j<i, then send , else if
- if j=i, then output , receive challenge ciphertext , send to
- outputs by . experiment succeeds if .
- Now, using a hybrid argument prove that probability of
CCA security
analogous to CCA security for CCA security, in PK encryption, adversary gets access to a decryption oracle and can query any ciphertext other than the challenge ciphertext. It can be proven that any PK encryption that’s CCA secure for single encryption is CCA secure for multiple encryption as well.
Examples where CCA encryption is needed:
- In a private auction, where an adversary can look at other bids as ciphertext, and instead send ciphertext . This property is known as malleability.
- modifying an encrypted message . If it receives any error, or a response quoting , then has now decrypted c’.
KEM
set of algorithms:
- : gives a uniform key
can be combined with a private key encryption to create a hybrid encryption scheme: :
- : , and
- : .
security
If KEM is CPA secure, and is EAV-secure, then is CPA secure PK encryption scheme.
Proof: TODO
If KEM is CCA secure, and is CCA secure, then is CCA secure encryption scheme.
CCA security for KEM: :
- is chosen, if else
- is given , and access to oracle, but can’t query decaps for challenge ciphertext itself.
- , if output 1, else 0.
.
- If is not CCA secure then, adversary can just modify ciphertext c’, as .
- For to be CCA secure, give access to decaps oracle which allows it to decapsulate any ciphertext and get key of its choice.
ElGamal KEM
- : Choose , then choose a uniform , set . Specify a function . Outputs .
- : choose a , output and calculate
- : compute key as .
Above model is CPA secure, if DDH problem is hard.
CDH based KEM in ROM
If is modelled as a random oracle, then above KEM is CPA secure, if CDH problem is hard.
CDH is a stronger security assumption that deals with extractability, i.e. adversary has to find out .
CCA security for Hybrid encryption
Gap-CDH assumption
For any adversary, it remains infeasible to compute even when given access to a oracle that returns 1 only when . Informally, CDH problems remains hard even when an oracle that solved DDH is given.
ElGamal KEM as stated above is CCA secure if the Gap-CDH assumption is hard.
Thus, to create a CCA secure hybrid encryption, one needs to use a CCA private-key encryption scheme. Alternatively, a CPA secure encryption scheme, and CPA secure MAC leads to a CCA secure PK scheme.