Resisting Randomness Subversion: Fast Deterministic and Hedged Public-Key Encryption in the Standard Model [chapter]

Mihir Bellare, Viet Tung Hoang
2015 Lecture Notes in Computer Science  
This paper provides the first efficient, standard-model, fully-secure schemes for some related and challenging forms of public-key encryption (PKE), namely deterministic and hedged PKE. These forms of PKE defend against subversion of random number generators, an end given new urgency by recent revelations on the nature and extent of such subversion. We resolve the (recognized) technical challenges in reaching these goals via a new paradigm that combines UCEs (universal computational extractors)
more » ... with LTDFs (lossy trapdoor functions). Crucially, we rely only on a weak form of UCE, namely security for statistically (rather than computationally) unpredictable sources. We then define and achieve unique-ciphertext PKE as a way to defend against implementation subversion via algorithm-substitution attacks. Recent revelations about the prevalence of mass-surveillance and subversion raise new challenges for cryptography. This paper is concerned with subversion of public-key encryption (PKE). We first consider randomness-subversion attacks, namely ones that undermine randomness-generation processes. Forms of PKE resisting these have in fact already been defined, namely deterministic public-key encryption (D-PKE) [4] and hedged public-key encryption (H-PKE) [5] . However, good schemes -we mean efficient ones providing full security in the standard model-are not only lacking but a recognized challenge [53] . With the new impetus and urgency arising from the subversion perspective, we revisit these goals to provide such schemes. We achieve our ends via a new PKE paradigm in which universal computational extractors (UCEs) [8] -of the weaker ilk requiring only statistical rather than computational unpredictability-are combined with lossy trapdoor functions (LTDFs) [48] . We then turn to defending against subversion of encryption implementations via algorithm-substitution attacks [12, 56] . Here we follow [12] to define the new goal of unique ciphertext public-key encryption (U-PKE) and then reach it generically and efficiently from D-PKE. Deterministic PKE. Technically, conceptually and historically, D-PKE is the core goal in this domain, and we begin there. The encryption algorithm of a D-PKE scheme takes public encryption key ek and message m to deterministically return a ciphertext c. We use the IND formalization of [7] which they show equivalent to the PRIV formalization of [4] . These formalizations capture the best possible privacy, namely semantic security for unpredictable messages that do not depend on the public key. The core IND requirement asks for privacy when messages are individually unpredictable but may be arbitrarily correlated. We call this full IND security for emphasis. Full security is important in practice. For example, I might upload an encrypted file, then make a small edit to the file, re-encrypt and reupload, so that the messages underlying the successive ciphertexts are very similar. It is thus the desired goal. The EwH -encrypt with hash-D-PKE scheme of [4] encrypts message m under a (any) randomized IND-CPA scheme RE with the coins set to a hash of m. When the hash function is a random oracle, they showed EwH achieves full IND security. Achieving full IND security in the standard model however seemed out of reach. Many standard-model D-PKE schemes, using sophisticated techniques [17, 7, 19, 33, 11, 49, 30] , have been proposed, but the security they achieve is not full. They only achieve security for block sources, where each message is assumed unpredictable even given prior ones, which is not realistic in practice. The elusiveness of full security in the standard model was explained by Wichs [53] , who showed that it could not be achieved under any single-stage assumption. To achieve full security one thus needs a multi-stage assumption. However most assumptions are single stage and it was not immediately clear what would even be a candidate for a suitable multi-stage assumption. Such a candidate emerged with the UCE class of assumptions of security for hash functions of BHK1 [8]. The latter showed that the RO in EwH could be securely instantiated with a function family H that is UCE[S cup ] -UCE-secure for computationally unpredictable sources-to yield a standard model, fully IND secure D-PKE scheme. Unfortunately, soon after, Brzuska, Farshim and Mittelbach (BFM) [21] showed that UCE[S cup ]-security is not achievable if indistinguishability obfuscation (iO) [3, 34, 35] is possible. BFM [21] and BHK1 [8] independently proposed to instead use UCE[S sup ]-UCE-security for statistically unpredictable sources. BFM [21] give some evidence that their attacks will not extend to UCE[S sup ] and that this assumption is weaker. This raises several questions. Can one show that EwH is secure under UCE[S sup ]? If not, can one provide a new, different D-PKE scheme that achieves full IND-security under UCE[S sup ]? Results for D-PKE. Our first result is negative. We show that if iO is possible then the RO in EwH is not universally instantiable. In more detail, given any family of functions H -in particular a UCE[S sup ] one-we build a (pathological and H-dependent) randomized PKE scheme RE such that (1) RE is IND-CPA secure, but (2) An attack shows that the D-PKE scheme EwH [H, RE] given by the EwH transform is not IND-secure. The starting point is ideas of BFM [21], but several new ideas are needed, including several applications of a variable-output-length PRF to allocate randomness for the iO and a base PKE scheme in such a way that both (1) and (2) are possible. We note that the same negative result was obtained independently and concurrently by [22] . A general framework to obtain RO un-instantiability results via iO is given in [38] but it applies to single-stage games and thus doesn't yield a result for D-PKE. Let H be a UCE[S sup ] function family. Then our negative result rules out showing an analogue of BHK1 [8], namely that EwH[H, RE] is fully IND secure for any IND-CPA RE. But there is a loophole, namely that the negative result does not preclude showing this for a particular choice of RE. We exploit this loophole to arrive at the desired goal of a fully IND secure D-PKE scheme under UCE[S sup ], as follows. We take the ROM BR93 PKE scheme [13], instantiate its trapdoor function with a lossy trapdoor function (LTDF) [48, 32], and instantiate its RO with H, to get a standard-model PKE scheme RE. Next, we take the D-PKE scheme EwH[H, RE], which has two uses of H, under two independent keys. Our D-PKE scheme DE1 is obtained by implementing these two uses of H with a single key. We prove that DE1 is fully IND secure assuming the LTDF is secure and H is UCE[S sup ]. We remark that using a single H key is important to prove security under UCE[S sup ], not just an efficiency optimization. The connection of LTDFs to D-PKE was first made by Boldyreva, Fehr and O'Neill (BFO) [17]. Their LTDF-based D-PKE schemes however only achieve security for block sources, not full IND security. The block source restriction seems quite inherent in their methods, and indeed due to Wichs [53] we do not expect to achieve fully IND secure D-PKE using LTDFs alone. Our approach combines LTDFs with UCE[S sup ] to surmount this obstacle. DE1 is the first D-PKE scheme that is fully IND secure in the standard model. Beyond that, however, it has the following important practical attributes: it is competitive on short messages, very fast on long messages, and supports variable-length messages directly. These practical attributes are a first for standard-model D-PKE schemes. LTDFs and UCE[S sup ] are a productive and (in retrospect) natural match. Intuitively, LTDFs allow us to move to a game with information-theoretic guarantees, at which point it becomes possible to exploit UCE under statistical unpredictability. We view DE1 as a relatively simple illustration of the power of the UCE+LTDF method. H-PKE brings new challenges, which we surmount via non-trivial extensions of the basic method. We believe the UCE+LTDF method will have applications beyond this as well. Hedged PKE. The encryption algorithm of a H-PKE scheme takes public encryption key ek, message m and randomness r to deterministically return a ciphertext c. The H-IND requirement of BBNRSS [5] has two parts: (1) standard IND-CPA security if r is good, meaning uniform and independent across encryptions, and (2) semantic security of m if the pair (m, r) is unpredictable and does not depend on the public key. This second requirement is formalized as indistinguishability under chosen-distribution attack (IND-CDA) [5]. H-IND-secure PKE aims to provide the best possible privacy in the face of untrusted randomness. If the randomness is good, it does as well as standard IND-CPA encryption. But, whereas schemes providing only IND-CPA can fail spectacularly under poor randomness [20, 46, 5] , H-IND PKE will not. It will compensate for poor randomness by also exploiting any available entropy in the message, protecting the latter as long as the message and randomness together are unpredictable. This is as good as it can get, since if the message-randomness pair is predictable, trial re-encryption on candidate pairs will recover the message underlying a target ciphertext. IND-CDA is an extension of IND that coincides with the latter if the randomness has no entropy at all. In practice the most desirable form of IND-CDA is, again, full, meaning privacy when messagerandomness pairs, although individually unpredictable, may be arbitrarily correlated. By full H-IND, we mean IND-CPA plus full IND-CDA. In the ROM, fully H-IND PKE is achieved by an extension of EwH called REwH that encrypts m under an IND-CPA scheme with the coins set to the hash of m r [5]. In the standard model, things are more difficult. Providing a fully IND-CDA PKE scheme is harder than providing a fully IND D-PKE scheme because the unpredictability pertains to (m, r) not just m and also, more importantly, because IND-CDA is formalized in [5] as an adaptive requirement. Additionally, while IND-CPA is easy in isolation, it is not in combination with IND-CDA. The reason is subtle, namely that IND-CDA breaks when m depends on the public key, but IND-CPA must remain secure in this case. This butting of heads of the IND-CPA and IND-CDA conditions doubles the challenge of achieving fully H-IND PKE compared to fully IND D-PKE. These technical difficulties are reflected in the landscape of standard-model schemes, where fully H-IND PKE has not been achieved under any assumption. BBNRSS [5] build standard-model H-IND PKE schemes by composition of standard-model D-PKE and IND-CPA schemes, and also directly via anonymous LTDFs, but these schemes achieve IND-CDA only for block sources. (The latter now means that message-randomness pairs are assumed to be unpredictable even given prior ones.) It is instructive that full H-IND PKE has not even been achieved under UCE[S cup ]. To elaborate, recall that BHK1 [8] showed that UCE[S cup ]-instantiating the RO in EwH results in a fully IND secure standard-model D-PKE scheme. We can correspondingly UCE[S cup ]-instantiate the RO in REwH. But, even if the resulting scheme can be shown fully IND-CDA, there seems no reason it is IND-CPA. The reason is the difficulty alluded to above. Namely, a UCE hash function may not provide security on messages that are a function of the hashing key, but the latter is part of the public key and IND-CPA requires security for messages depending on the public key. But the bar for us is even higher: due to the BFM attacks [21] on UCE[S cup ], we want to use the weaker UCE[S sup ] assumption, just as we did for DE1. We thus face at least two difficulties. The first is to achieve full IND-CDA under UCE[S sup ]. Here the main challenge is handling adaptivity. But beyond that the fundamental above-mentioned difficulty of achieving IND-CPA in the same scheme remains, because no form of UCE guarantees security for messages that depend on the hashing key. Results for H-PKE. We surmount the technical difficulties discussed above to provide the first standardmodel, fully H-IND PKE schemes. We specify three schemes, HE1, HE2 and HE3. All efficiently achieve our security goals, the second and third handle variable-length messages, and the third further adds better concrete security. Recall that we obtained DE1 as EwH[H, BR93[LT, H]], where H is UCE[S sup ] and LT is a LTDF. A natural idea is to similarly get H-PKE as REwH[H, BR93[LT, H]]. (In both cases we use one hash key rather than two.) We are able to show this achieves full IND-CDA. This is significant since handling adaptivity required anonymous LTDFs in [5] which we do not need. But we then hit the problem above, namely UCE[S sup ] security of H may not be enough to provide IND-CPA. We resolve this by building a particular, suitable UCE[S sup ] family H. We first build a particular family U of AU (almost universal) hash functions and then obtain H by applying the AU-then-Hash transform of BHK2 [9] to a fixed-input-length UCE[S sup ] family H and our U. We refer to the resulting PKE scheme as HE1. We are able to show that it is full IND-CDA as well as IND-CPA assuming UCE[S sup ] security of H and security of the LTDF. This achieves, for the first time, the security goal of fully H-IND PKE in the standard model, which we consider already significant. But in terms of practicality, HE1 is not ideal because it can only handle fixed-length messages. HE2 efficiently encrypts variable and arbitrary length messages while retaining full H-IND security. It uses a variable-output-length PRF in addition to the primitives used by HE1. Finally, HE3 exploits some combinatorial techniques to obtain better security bounds, as a result of which it offers security for lower values of the message min-entropy than the other schemes. Speed. Our D-PKE and H-PKE schemes are the first to achieve full security in the standard model, which we believe is a significant theoretical contribution. However, beyond that, they have important practical attributes, expanded on below and in Section 5. It is well known that asymmetric primitives are orders of magnitude less efficient than symmetric ones. Central to making standard IND-CPA encryption efficient is hybrid encryption as represented by the KEM-DEM paradigm [25] . Encryption generates a random asymmetrically-protected per-message
doi:10.1007/978-3-662-46803-6_21 fatcat:22ld7gamxzhbnicgdfbi37c244