DOCSLIB.ORG

The Cramer-Shoup Cryptosystem

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Cramer-Shoup Cryptosystem Motivation The Encryption Scheme History & Implementation Conclusion The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 Motivation The Encryption Scheme History & Implementation Conclusion The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. [2] 2 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Outline 1 Motivation What we've seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 3 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Outline 1 Motivation What we've seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 4 / 28 Motivation The Encryption Scheme History & Implementation Conclusion What we've seen so far Public-key encryption Diffie-Hellman key exchange http://en.wikipedia.org/ wiki/File:Diffie-Hellman_ Key_Exchange.svg 5 / 28 Motivation The Encryption Scheme History & Implementation Conclusion What we've seen so far ElGamal encryption ' Alice $ n Gen: (q; g) G(1 ) ' Bob $ x G = hgi a group, jGj = q Decsk (c1; c2) = c2=c1 pk = (g; q; h) - r r x sk = x Zq Decsk (c1; c2)= h m=(g ) (g r ; hr m) x h := g Decsk (c1; c2)= m for m 2 G: get r Zq r r Encpk (m) = (g ; h m) & % & % 6 / 28 If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure. Decisional Diffie-Hellman Problem j Pr[A(G; q; g; g x ; g y ; g z ) = 1]−Pr[A(G; q; g; g x ; g y ; g xy ) = 1]j ≤ negl(n) Motivation The Encryption Scheme History & Implementation Conclusion What we've seen so far Important results How secure are our schemes? 7 / 28 Decisional Diffie-Hellman Problem j Pr[A(G; q; g; g x ; g y ; g z ) = 1]−Pr[A(G; q; g; g x ; g y ; g xy ) = 1]j ≤ negl(n) Motivation The Encryption Scheme History & Implementation Conclusion What we've seen so far Important results How secure are our schemes? If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure. 7 / 28 Motivation The Encryption Scheme History & Implementation Conclusion What we've seen so far Important results How secure are our schemes? If the Decisional Diffie-Hellman problem is hard, then ElGamal is CPA-secure. If the RSA-assumption holds, then padded RSA is CCA-secure. Decisional Diffie-Hellman Problem j Pr[A(G; q; g; g x ; g y ; g z ) = 1]−Pr[A(G; q; g; g x ; g y ; g xy ) = 1]j ≤ negl(n) 7 / 28 For example, in ElGamal, given (c1; c2) an adversary can query (c1; t · c2), which is a valid decryption for tm. Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security CCA1 vs. CCA2 Malleability An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext. 8 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security CCA1 vs. CCA2 Malleability An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext. For example, in ElGamal, given (c1; c2) an adversary can query (c1; t · c2), which is a valid decryption for tm. 8 / 28 ! CCA2-security is equivalent to non-malleability [1] A CCA1-attack is also called a lunchtime attack. Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security CCA1 vs. CCA2 Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. 9 / 28 A CCA1-attack is also called a lunchtime attack. Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security CCA1 vs. CCA2 Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. ! CCA2-security is equivalent to non-malleability [1] 9 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security CCA1 vs. CCA2 Adaptive chosen ciphertext attacks An interactive chosen-ciphertext attack in which the adversary sends a number of ciphertexts to be decrypted, then uses the results of these decryptions to select subsequent ciphertexts. ! CCA2-security is equivalent to non-malleability [1] A CCA1-attack is also called a lunchtime attack. 9 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Stronger notions of security Recall: OAEP for RSA Optimal asymmetric encryption padding http://en.wikipedia.org/ wiki/File: Oaep-diagram-20080305.png 10 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Outline 1 Motivation What we've seen so far Stronger notions of security 2 The Encryption Scheme Cramer-Shoup Proof of Security Features 3 History & Implementation People Implementation 4 Conclusion 11 / 28 Motivation The Encryption Scheme History & Implementation Conclusion ElGamal encryption ' Alice $ n Gen: (q; g) G(1 ) ' Bob $ x G = hgi a group, jGj = q Decsk (c1; c2) = c2=c1 pk = (g; q; h) - r r x sk = x Zq Decsk (c1; c2)= h m=(g ) (g r ; hr m) x h := g Decsk (c1; c2)= m for m 2 G: get r Zq r r Encpk (m) = (g ; h m) & % & % 12 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Cramer-Shoup Cramer-Shoup encryption ' Alice $ n Gen: (q; g1; g2) G(1 ) ' Bob $ sk =( x1; x2; y1; y2; z) Zq pk = (g1; g2; α := H(u1; u2; e) c; d; h; H) x1 x2 y1 y2 - x1+y1α x2+y2α c := g1 g2 ; d := g1 g2 u1 u2 (u1; u2; e; v) z ( h := g1 verified; v = for m 2 G: get r Zq abort; otherwise r r r u1 := g1 ; u2 := g2 ; e := h m z Decsk (u1; u2; e; v) = e=u r rα 1 α := H(u1; u2; e); v := c d Encpk (m) = (u1; u2; e; v) & % 13 / 28 & % z r z r 2 Since u1 = h , Decsk (u1; u2; e; v) = e=u1 = e=h = m Motivation The Encryption Scheme History & Implementation Conclusion Cramer-Shoup Cramer-Shoup encryption Correctness: x1+y1α x2+y2α x1 x2 y1α y2α rx1 rx2 ry1α ry2α 1 u1 u2 = u1 u2 u1 u2 = g1 g2 g1 g2 = x1 x2 r y1 y2 rα r rα (g1 g2 ) (g1 g2 ) = c d = v 14 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Cramer-Shoup Cramer-Shoup encryption Correctness: x1+y1α x2+y2α x1 x2 y1α y2α rx1 rx2 ry1α ry2α 1 u1 u2 = u1 u2 u1 u2 = g1 g2 g1 g2 = x1 x2 r y1 y2 rα r rα (g1 g2 ) (g1 g2 ) = c d = v z r z r 2 Since u1 = h , Decsk (u1; u2; e; v) = e=u1 = e=h = m 14 / 28 Proof by reduction: Assuming that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, we can use this adversary to solve the Decisional Diffie-Hellman Problem. Motivation The Encryption Scheme History & Implementation Conclusion Proof of Security Theorem Cramer-Shoup is CCA2-secure The Cramer-Shoup cryptosystem is CCA2-secure assuming that (1) we have a universal one-way hash function H, and (2) the Decisional Diffie-Hellman Problem is hard in the group G. 15 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Proof of Security Theorem Cramer-Shoup is CCA2-secure The Cramer-Shoup cryptosystem is CCA2-secure assuming that (1) we have a universal one-way hash function H, and (2) the Decisional Diffie-Hellman Problem is hard in the group G. Proof by reduction: Assuming that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, we can use this adversary to solve the Decisional Diffie-Hellman Problem. 15 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Proof of Security Proof of Security 'S $ (g ; g ; u ; u ) D or R 'A $ 1 2 1-2 (x1; x2; y1; y2; z1; z2) Zq m0; m1 2 G x1 x2 y1 y2 z1 z2 z1 z2 c := g1 g2 ; d := g1 g2 ; h := g1 g2 Decsk (c∗) = e=u1 u2 = mb0 b f0; 1g c∗ = (u1-; u2; e; v) e := uz1 uz2 m ; α := H(u ; u ; e) 1 2 b 1 2 ( x1+y1α x2+y2α output b'; D v = u1 u2 ( ?; R 1; b = b0 output = 0; b 6= b0 & % & 16 / 28% Computationally efficient, esp. when using hybrid encryption Intractability assumptions are minimal (only DDH & hash) Motivation The Encryption Scheme History & Implementation Conclusion Features Comparison One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle 17 / 28 Intractability assumptions are minimal (only DDH & hash) Motivation The Encryption Scheme History & Implementation Conclusion Features Comparison One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle Computationally efficient, esp. when using hybrid encryption 17 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Features Comparison One of the few CCA2-secure cryptosystems that do not require zero-knowledge proofs or the random oracle Computationally efficient, esp. when using hybrid encryption Intractability assumptions are minimal (only DDH & hash) 17 / 28 Motivation The Encryption Scheme History & Implementation Conclusion Features Computation The ciphertext is about four times plaintext (not a big deal in most applications) and takes about twice as much computation as ElGamal.
Load more

Recommended publications
  • Modern Cryptography: Lecture 13 Digital Signatures
    Modern Cryptography: Lecture 13 Digital Signatures Daniel Slamanig Organizational ● Where to find the slides and homework? – https://danielslamanig.info/ModernCrypto18.html ● ow to conta!t me? – [email protected] ● #utor: Karen Klein – [email protected] ● Offi!ial page at #', )o!ation et!. – https://tiss.tuwien.ac.at/!ourse/!o$rseDetails.+html?dswid=86-2&dsrid,6/0. !ourseNr,102262&semester,2018W ● #utorial, #U site – https://tiss.tuwien.ac.at/!ourse/!o$rseAnnouncement.+html?dswid=4200.dsr id,-51.!ourseNum6er,10206-.!ourseSemester,2018W ● 8+am for the se!ond part: Thursday 31.21.2210 15:00-1/:00 (Tutorial slot; 2/26 Overview Digital Signatures message m / :m( σ; secret key skA Inse!$re !hannel p$bli! key pkA p$bli! key pkA σ σ :, 7igskA:m; 6 :, =rfypkA:m( ; 3: pkA -/26 Digital Signatures: Intuitive Properties Can 6e seen as the p$6li!9key analog$e of M3Cs with p$6li! >erifiability ● Integrity protection: 3ny modifi!ation of a signed message !an 6e detected ● 7o$r!e a$thenti!ity: The sender of a signed message !an be identified ● Non9rep$diation: The signer !annot deny ha>ing signed :sent) a message 7e!$rity :intuition;: sho$ld 6e hard to !ome $p with a signat$re for a message that has not 6een signed by the holder of the pri>ate key 5/26 Digital Signatures: pplications *igital signat$res ha>e many applications and are at the heart of implementing p$6lic9key !ryptography in practice ● <ss$ing !ertifi!ates 6y CAs (?$6lic %ey <nfrastr$!t$res;: 6inding of identities to p$6lic keys ● @$ilding authenticated !hannels: a$thenti!ate parties :ser>ers; in sec$rity proto!ols :e.g.( TL7; or se!$re messaging :Whats3pp( 7ignal, ...; ● Code signing: a$thenti!ate software/firmware :$pdates; ● 7ign do!$ments :e.g.( !ontra!ts;: )egal reg$lations define when digital signat$res are eq$ivalent to handwritten signat$res ● 7ign transa!tions: $sed in the !rypto!$rren!y realm ● et!.
    [Show full text]
  • A Provably-Unforgeable Threshold Eddsa with an Offline Recovery Party
    A Provably-Unforgeable Threshold EdDSA with an Offline Recovery Party Michele Battagliola,∗ Riccardo Longo,y Alessio Meneghetti,z and Massimiliano Salax Department of Mathematics, University Of Trento Abstract A(t; n)-threshold signature scheme enables distributed signing among n players such that any subset of size at least t can sign, whereas any subset with fewer players cannot. The goal is to produce threshold digital signatures that are compatible with an existing centralized sig- nature scheme. Starting from the threshold scheme for the ECDSA signature due to Battagliola et al., we present the first protocol that supports EdDSA multi-party signatures with an offline participant dur- ing the key-generation phase, without relying on a trusted third party. Under standard assumptions we prove our scheme secure against adap- tive malicious adversaries. Furthermore we show how our security notion can be strengthen when considering a rushing adversary. We discuss the resiliency of the recovery in the presence of a malicious party. Using a classical game-based argument, we prove that if there is an adversary capable of forging the scheme with non-negligible prob- ability, then we can build a forger for the centralized EdDSA scheme with non-negligible probability. Keywords| 94A60 Cryptography, 12E20 Finite fields, 14H52 Elliptic curves, 94A62 Authentication and secret sharing, 68W40 Analysis of algorithms 1 Introduction A(t; n)-threshold signature scheme is a multi-party computation protocol that en- arXiv:2009.01631v1 [cs.CR] 2 Sep 2020 ables a subset of at least t among n authorized players to jointly perform digital signatures. The flexibility and security advantages of threshold protocols have be- come of central importance in the research for new cryptographic primitives [9].
    [Show full text]
  • On Notions of Security for Deterministic Encryption, and Efficient Constructions Without Random Oracles
    A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles Alexandra Boldyreva∗ Serge Fehr† Adam O’Neill∗ Abstract The study of deterministic public-key encryption was initiated by Bellare et al. (CRYPTO ’07), who provided the “strongest possible” notion of security for this primitive (called PRIV) and con- structions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes without random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a-priori hard-to-guess given the others (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for certain practical applica- tions. We show equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with. Then we give general constructions of both chosen-plaintext (CPA) and chosen-ciphertext-attack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard number-theoretic assumptions. Our constructions build on the recently-introduced framework of Peikert and Waters (STOC ’08) for constructing CCA-secure probabilistic encryption schemes, extending it to the deterministic-encryption setting and yielding some improvements to their original results as well. Keywords: Public-key encryption, deterministic encryption, lossy trapdoor functions, leftover hash lemma, standard model. ∗ College of Computing, Georgia Institute of Technology, 266 Ferst Drive, Atlanta, GA 30332, USA.
    [Show full text]
  • Securing Threshold Cryptosystems Against Chosen Ciphertext Attack∗
    Securing Threshold Cryptosystems against Chosen Ciphertext Attack∗ Victor Shoupy Rosario Gennaroz September 18, 2001 Abstract For the most compelling applications of threshold cryptosystems, security against chosen ciphertext attack is a requirement. However, prior to the results presented here, there appeared to be no practical threshold cryptosystems in the literature that were provably chosen-ciphertext secure, even in the idealized random oracle model. The contribution of this paper is to present two very practical threshold cryptosystems, and to prove that they are secure against chosen ciphertext attack in the random oracle model. Not only are these protocols computationally very efficient, but they are also non-interactive, which means they can be easily run over an asynchronous communication network. 1 Introduction In a threshold cryptosystem, the secret key of a public key cryptosystem is shared among a set of decryption servers, so that a quorum of servers can act together to decrypt a given ciphertext. Just as for ordinary, non-threshold cryptosystems, a natural and very useful notion of security is that of security against chosen ciphertext attack. In this paper, we consider the problem of designing threshold cryptosystems that are secure against chosen ciphertext attack. Our goal is to design a practical scheme, and provide strong evidence that it cannot be broken. Even though the most compelling applications of threshold cryptosystems seem to require chosen-ciphertext security, prior to the results presented here, there appeared to be no practi- cal threshold cryptosystems in the literature that were provably secure | even in the random oracle model, where one models a cryptographic hash function as a random oracle.
    [Show full text]
  • Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information
    Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information Ran Canetti IBM T.J.Watson Research Center. Email: canettiOwatson.ibm.com Abstract. The random oracle model is a very convenient setting for designing cryptographic protocols. In this idealized model all parties have access to a common, public random function, called a random or- acle. Protocols in this model are often very simple and efficient; also the analysis is often clearer. However, we do not have a general mech- anism for transforming protocols that are secure in the random oracle model into protocols that are secure in real life. In fact, we do not even know how to meaningfully specify the properties required from such a mechanism. Instead, it is a common practice to simply replace - often without mathematical justification - the random oracle with a ‘crypto- graphic hash function’ (e.g., MD5 or SHA). Consequently, the resulting protocols have no meaningful proofi of security. We propose a research program aimed at rectifying this situation by means of identifying, and subsequently realizing, the useful properties of random oracles. As a first step, we introduce a new primitive that realizes a specific aspect of random oracles. This primitive, cded omcle hashang, is a hash function that, like random oracles, ‘hides all partial information on its input’. A salient property of oracle hashing is that it is probabilistic: different applications to the same input result in Merent hash dues. Still, we maintain the ability to ueejy whether a given hash value was generated from a given input. We describe constructions of oracle hashing, as well as applications where oracle hashing successfully replaces random oracles.
    [Show full text]
  • Random Oracle Model, Hashing Applications
    Cryptography CS 555 Topic 14: Random Oracle Model, Hashing Applications 1 Recap • HMACs • Birthday Attack • Small Space Birthday Attack • Precomputation Attack Today’s Goals: • Random Oracle Model • Applications of Hash Functions 2 (Recap) Collision-Resistant Hash Function Intuition: Hard for computationally bounded attacker to find x,y s.t. H(x) = H(y) How to formalize this intuition? • Attempt 1: For all PPT A, Pr , 1 = , . = ( ) ( ) • The Problem: Let x,y be given s.t. H(x)=H(y) ≤ , 1 = ( , ) • We are assuming that |x| > |H(x)|. Why? • H(x)=x is perfectly collision resistant! (but with no compression) 3 (Recap) Keyed Hash Function Syntax • Two Algorithms • Gen(1 ; ) (Key-generation algorithm) • Input: Random Bits R • Output: Secret key s • ( ) (Hashing Algorithm) • Input: key and message m 0,1 (unbounded length) • Output: hash value ( ) 0,1 ∗ ∈ ℓ ∈ • Fixed length hash function 0,1 > • ′ with ℓ ′ ∈ ℓ ℓ 4 When Collision Resistance Isn’t Enough • Example: Message Commitment • Alice sends Bob: Hs (e.g., predicted winner of NCAA Tournament) • Alice can later reveal message (e.g., after the tournament is over) • Just send r and m (note: ∥ r has fixed length) • Why can Alice not change her message? • In the meantime Bob shouldn’t learn anything about m • Problem: Let (Gen,H’) be collision resistant then so is (Gen,H) 1, … , = 1, … , ′ ∥ 5 When Collision Resistance Isn’t Enough • Problem: Let (Gen,H’) be collision resistant then so is (Gen,H) 1, … , = 1, … , ′ ∥ • (Gen,H) definitely does not hide all
    [Show full text]
  • How Risky Is the Random-Oracle Model?
    How Risky is the Random-Oracle Model? Ga¨etanLeurent1 and Phong Q. Nguyen2 1 DGA and ENS, France. http://www.eleves.ens.fr/leurent/ 2 INRIA and ENS, France. http://www.di.ens.fr/~pnguyen/ Abstract. RSA-FDH and many other schemes secure in the Random- Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a practical preimage attack on BR93 for 1024-bit digests (with complexity less than 230). Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS '07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT '08. We also remark that collisions can be found as a precomputation for any instantiation of the ROM, and this violates the security definition of the scheme in the standard model. Hence, this gives an example of a natural scheme that is proven secure in the ROM but that in insecure for any instantiation by a single function. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known.
    [Show full text]
  • Hash Functions Part II
    Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design • Create fixed input size building block • Use building block to build compression function • Use „mode“ for length extension Engineering Generic transforms Permutation / Compression Hash function Block cipher function Cryptanalysis / Reductionist proofs best practices 1 (LENGTH-EXTENSION) MODES 2 Merkle-Damgård construction Given: • compression function: CF : {0,1}n x {0,1}r {0,1}n Goal: • Hash function: H : {0,1}* {0,1}n 3 Merkle-Damgård - iterated compression 4 Merkle-Damgård construction • assume that message m can be split up into blocks m1, …, ms of equal block length r – most popular block length is r = 512 • compression function: CF : {0,1}n x {0,1}r {0,1}n • intermediate hash values (length n) as CF input and output • message blocks as second input of CF • start with fixed initial IHV0 (a.k.a. IV = initialization vector) • iterate CF : IHV1 = CF(IHV0,m1), IHV2 = CF(IHV1,m2), …, IHVs = CF(IHVs-1,ms), • take h(m) = IHVs as hash value • advantages: – this design makes streaming possible – hash function analysis becomes compression function analysis – analysis easier because domain of CF is finite 5 padding • padding: add dummy bits to satisfy block length requirement • non-ambiguous padding: add one 1-bit and as many 0-bits as necessary to fill the final block – when original message length is a multiple of the block length, apply padding anyway, adding an extra dummy block – any other non-ambiguous
    [Show full text]
  • Random Oracles in a Quantum World
    Random Oracles in a Quantum World Dan Boneh1, Ozg¨urDagdelen¨ 2, Marc Fischlin2, Anja Lehmann3, Christian Schaffner4, and Mark Zhandry1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich, Switzerland 4 University of Amsterdam and CWI, The Netherlands Abstract. The interest in post-quantum cryptography | classical sys- tems that remain secure in the presence of a quantum adversary | has generated elegant proposals for new cryptosystems. Some of these sys- tems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove post-quantum security one needs to prove security in the quantum-accessible random oracle model where the adversary can query the random oracle with quantum state. We begin by separating the classical and quantum-accessible random or- acle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantum-accessible random oracle model. We introduce the concept of a history-free reduction which is a category of classical random oracle reductions that basically determine oracle answers inde- pendently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore post- quantum secure.
    [Show full text]
  • Improved Bounds on Security Reductions for Discrete Log Based Signatures
    Improved Bounds on Security Reductions for Discrete Log Based Signatures Sanjam Garg1,, Raghav Bhaskar2, and Satyanarayana V. Lokam2 1 IIT, Delhi, India [email protected] 2 Microsoft Research India, Bangalore, India {rbhaskar,satya}@microsoft.com Abstract. Despite considerable research efforts, no efficient reduction from the discrete log problem to forging a discrete log based signature (e.g. Schnorr) is currently known. In fact, negative results are known. Paillier and Vergnaud [PV05] show that the forgeability of several dis- crete log based signatures cannot be equivalent to solving the discrete log problem in the standard model, assuming the so-called one-more dis- crete log assumption and algebraic reductions. They also show, under the same assumptions, that, any security reduction in the Random Oracle Model (ROM) from√ discrete log to forging a Schnorr signature must lose afactorofatleast qh in the success probability. Here qh is the num- ber of queries the forger makes to the random oracle. The best known positive result, due to Pointcheval and Stern [PS00], also in the ROM, gives a reduction that loses a factor of qh. In this paper, we improve the negative result from [PV05]. In particular, we show that any algebraic reduction in the ROM from discrete log to forging a Schnorr signature 2/3 must lose a factor of at least qh , assuming the one-more discrete log assumption. We also hint at certain circumstances (by way of restric- tions on the forger) under which this lower bound may be tight. These negative results indicate that huge loss factors may be inevitable in re- ductions from discrete log to discrete log based signatures.
    [Show full text]
  • CRYPTREC Review of Eddsa CRYPTREC EX-3003-2020
    CRYPTREC EX-3003-2020 CRYPTREC Review of EdDSA Steven D. Galbraith Mathematics Department, University of Auckland, Auckland, New Zealand. [email protected] 1 Executive summary The EdDSA signature scheme is a digital signature based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). It was proposed by Bernstein, Duif, Lange, Schwabe and Yang in 2012 [18]. It builds on a long line of discrete logarithm based signature schemes, including Elgamal, Schnorr, DSA, and ECDSA. The security of signature schemes of this type is well-understood, and elliptic curve cryptography is a mature field. My conclusions and opinions: 1. EdDSA is a good design for a signature scheme (except perhaps for the key clamping, see Section 6.1, which seems to cause more difficulties than it provides benefits). 2. EdDSA is more closely related to Schnorr signatures than ECDSA, and so enjoys many of the rigorous security guarantees that are known for Schnorr signatures, including recent work on tight security proofs. 3. Deterministic signatures solve some of the security problems of discrete log signatures, but constant time imple- mentation is still critical in many settings. 4. EdDSA is superior to ECDSA when doing batch verification of a large number of signatures. 5. Curve 25519 provides a high level of security for the next 10-20 years, and 448-bit keys (such as in Ed448) are over-conservative and not recommended. 6. It is unlikely that quantum computers capable of solving 256-bit ECDLP instances can be built within the next 10 years. 7. I am confident that EdDSA using Curve25519 is a good signature scheme for use up to 2030.
    [Show full text]
  • Random Oracle Reducibility
    Random Oracle Reducibility Paul Baecher and Marc Fischlin Darmstadt University of Technology, Germany www.minicrypt.de Abstract. We discuss a reduction notion relating the random oracles in two cryptographic schemes A and B. Basically, the random oracle of scheme B reduces to the one of scheme A if any hash function instan- tiation of the random oracle (possibly still oracle based) which makes A secure also makes B secure. In a sense, instantiating the random or- acle in scheme B is thus not more demanding than the one for scheme A. If, in addition, the standard cryptographic assumptions for scheme B are implied by the ones for scheme A, we can conclude that scheme B actually relies on weaker assumptions. Technically, such a conclusion cannot be made given only individual proofs in the random oracle model for each scheme. The notion of random oracle reducibility immediately allows to transfer an uninstantiability result from an uninstantiable scheme B to a scheme A to which the random oracle reduces. We are nonetheless mainly in- terested in the other direction as a mean to establish hierarchically or- dered random-oracle based schemes in terms of security assumptions. As a positive example, we consider the twin Diffie-Hellman (DH) en- cryption scheme of Cash et al. (Journal of Cryptology, 2009), which has been shown to be secure under the DH assumption in the random oracle scheme. It thus appears to improve over the related hashed ElGamal en- cryption scheme which relies on the random oracle model and the strong DH assumption where the adversary also gets access to a decisional DH oracle.
    [Show full text]