On Provable Security of Cryptographic Schemes

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

Turgut Hanoymak

Institute of Applied Mathematics, Middle East Technical University, 06531, Ankara, Turkey Department of Mathematics, Yuz¨ unc¨ u¨ Yıl University, 65080, Van, Turkey e-mail: [email protected]

Abstract—Provable security is an important issue in modern cryptography because it satisfies the security of the encryption schemes in a theoretical way via a reduction method. To prove the security of a cryptographic scheme, it is necessarry to define the goals and the capabilities of the adversary. In this paper, we explain security models in terms of the adversarial goals and the adversarial capabilities. We define what security actually means to decide whether a scheme is secure. We review the definition of provable security by means of several games between the challenger and the adversary in some security models, namely the standard model and the random oracle model. We state the main differences between these two models and observe the advantage of the success probability of the adversary in breaking the cryptographic schemes. We investigate the security of some public key encryption schemes such as RSA, Rabin, Goldwasser-Micali, ElGamal, Cramer-Shoup and discuss under which circumstances they satisfy which security notions.

Keywords—provable security, security notions, public key encryption, standard model, random oracle model.

1. Introduction Goldwasser-Micali [11] and the notion of semantic security which is also called polynomial indistin- Throughout the last century, especially with the guishability was defined. Naor and Yung introduced beginning of public key cryptography due to Diffie- a more severe security notion called security against Hellman [7], many cryptographic schemes have non-adaptive chosen ciphertext attacks which is also been proposed and it is significant to note that called lunch time attacks denoted by CCA1 [14]. In their security depends on some mathematically hard this attack model, an adversary is given a decryption problems such as the integer factorization, RSA oracle and may access only before getting the chal- problem and knapsack problems. In fact, many peo- lenge ciphertext. Hence, the ciphertexts queried to ple think that a cryptographic algorithm is assumed the decryption oracle are uncorrelated with the chal- to be secure if it resists to cryptographic attacks lenge one but they may be related with one another. for a long time. However, some schemes may take Rackoff and Simon [16] improved this type of attack several years before widely studied in details so it is model and introduced the strongest notion of secu- possible to be broken in the future such as the Chor- rity which is called security against adaptive chosen Rivest system based on the knapsack problems. ciphertext attacks denoted by CCA2. In this attack Later, cryptographic researchers are focused on model, the attacker may query the decryption oracle trying to provide provable security for public key before and after getting the challenge ciphertext. cryptographic algorithms in a complexity theory. So, the ciphertexts queried to the decryption oracle The idea of provable security was first introduced by may be related with the challenge ciphertext. They

44 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

presented cryptosystems whose security proofs are problem P which is well known to be intractable based on noninteractive zero knowledge proof tech- by any probabilistic polynomial time algorithm. niques which are horribly inefficient due to the fact Then, we provide a polynomial reduction from this that multiple gigabytes of ciphertext may be needed mathematical problem to the problem P0 of breaking to encrypt a single bit of plaintext. Dolev, Dwork the cryptosytem. Finally, we decide that if there and Naor proposed a notion of non-malleability exists an algorithm A breaking the cryptosystem in cryptography [8] meaning that the adversary who polynomial time, then we can build a probabilistic observes a ciphertext C of plaintext P, cannot mod- polynomial time algorithm A0 which uses A as a ify it consciously and obtain a valid ciphertext C0 subroutine, to get a contradiction. Therefore, we of a plaintext P0 which is related to P where this state that the scheme is computationally secure. relation is known by the adversary. Fujisaki and Okamoto [10] gave a generic construction from a Such security proofs in the standard model suffer one way trapdoor function which is secure against from efficiency and hence up to date very few chosen plaintext attacks to a public key encryption practical public key schemes can be proven secure scheme secure against chosen ciphertext attacks. in the standard model. But, Cramer and Shoup [4] Damgard [5] first initiated efficient and simply con- proposed such a scheme which is quite practical and structed public key encryption schemes which are is provably secure against adaptive chosen cipher- secure against nonadaptive chosen ciphertext attacks text attacks under standard intractability assump- based on Diffie-Hellman/ElGamal public key cryp- tions. Because of inefficiency to prove the security tosystems. Zheng and Seberry [18] proposed three in the standard model, researchers tried to provide immunizing methods to make public key encryption security proofs of public key encryption schemes in schemes secure against adaptive chosen ciphertext an efficient way. First attempt came from Bellare attacks by appending a tag to each ciphertext which and Rogaway [1]. They proposed a model, namely is related to the message. Zheng and Seberry also the random oracle model as a counterpart to the introduced sole-samplability security notion which standard version. In this model, hash functions are is especially related to chosen ciphertext attacks. considered behaving like truely random functions. Informally, it means that there is no other way Hence, it is reasonable to model a secure hash to generate ciphertext y than to pick a message x function as a completely random function in a first and compute y = E(x), i.e., there is no way security analysis. This mostly reduces the process of to generate valid ciphertexts without knowing the proving security of cryptographic scheme. By doing underlying plaintexts. so, we know that the output of the hash function is completely random and independently generated They also prove that if a scheme is sole- values on different inputs. Therefore, adversary can samplable, then the cryptosystem is semantically get no advantages about the outputs for any other secure against adaptively chosen ciphertext attacks inputs although he knows the hash values for several if and only if it is semantically secure against chosen different inputs. The RO model gives an opportunity plaintext attacks. for the designer of the scheme to construct the In provable security, the security is proved via responses about the outputs in order to prove the a reduction method. For this, we first consider security of the scheme, i.e, we may control the a computationally hard underlying mathematical attacker’s behavior which is imposibble in the real

45 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

world. 1 The key generation algorithm Gen takes as We note that the schemes with security proofs in input the security parameter and outputs a pair the random oracle model may not be necessarily of public and secret keys (pk, sk). secure when the hash function is fixed. Canetti et 2 The encryption algorithm Enc takes as input al. [3] showed that it was possible to construct a public key pk and a message m from some an encryption scheme that was provably secure in underlying plaintext message space. It outputs the random oracle model but insecure when the a ciphertext c, i.e, c = Encpk(m). random oracle was instantiated with any hash func- 3 The decryption algorithm Dec takes as input tion. In the standard model, the attacker knows the (sk, c) and outputs a message m or ⊥. We description of the hash function and then submits denote it by m = Decsk(m). it to the decryption oracle as a ciphertext and the We note that Enc may be probabilistic but Dec oracle outputs the secret key. So, their scheme is must be deterministic and it is required for any completely artificial. encryption scheme to be valid, In this paper, we review the security notions on Decsk(Encpkm) = m public key encryption schemes and discuss security models in terms of adversarial goals and adver- is satisfied. sarial capabilities. Then we give some public key encryption schemes and show that under which 2.2. Success Probability of The Adversary assumptions they satisfy which security notions in the standard model. We decide that a cryptographic scheme is secure if the success probability of an adversary trying to break the scheme is small. This notion is achieved 2. Security Notions and Public Key En- by negligible functions. cryption Schemes Definition 2.2: A function : N −→ R+ ∪ 0 is negligible, if for every positive polynomial p, there In this section, we review security models in exists an integer k such that terms of the adversarial goals and the adversarial p capabilities. We define what security actually means 1 for all n > kp, we have (n) < . to decide whether a scheme is secure. In this respect, p(n) we investigate some public key encryption schemes. In other words, a negligible function approaches Finally, we discuss the Cramer-Shoup encryption zero faster than the inverse of any polynomial. scheme [4] which is the first efficient and practical We denote this function by negl in the following scheme proven to be secure against adaptive chosen sections. ciphertext attacks in the standard model. 2.3. Security Models 2.1. Public Key Encryption Scheme In the cryptography literature, there are several Definition 2.1: A public key encryption scheme is adversarial goals and capabilities. When we talk a tuple of probabilistic polynomial time algorithms about the security of a cryptographic scheme, we Π = (Gen, Enc, Dec) such that: need to define them clearly. As the goal becomes

46 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

more diﬃcult or as the capabilities are more limited, encrypts it and sends the challenge ciphertext back the security proof becomes easier. First, we review to the adversary. Here, the goal of the adversary is some adversarial goals and capabilities related to to ﬁnd out which of the plaintexts has been selected them, then give proof techniques of some public by the challenger. key encryption schemes in the standard model. ind−cpa Game 2 IND-CPA Game: PubKA,Π 2.4. Adversarial Goals 1: Gen is run to obtain public and secret keys (pk, sk). One-Wayness 2: Adversary A is given pk, outputs a pair of

messages (m0, m1) of equal length. This is a weak kind of adversarial goal where the 3: A random bit b ∈ (0, 1) is chosen, the challenge purpose of the adversary is to reveal the whole ciphertext c = Encpk(mb) is computed and given plaintext m of a particular ciphertext c. However, to A. 0 this is an extremely weak notion of security because 4: A outputs a bit b . revealing almost all of the plaintext is considered 5: The output of the game is defined to be 1 if 0 to be unsuccessful according to this definition b = b and 0 otherwise. but actually in almost all systems revealing the plaintext partially is considered successful. This Remark 2.3: We note that the encryption algo- goal is defined via a game between the adversary rithm has to be probabilistic although the decryption and the challenger as follows: algorithm is always deterministic. Because, otherwise, the adversary can encrypt both plaintexts that he has chosen and compare the resulting ciphertexts Game 1 The One Wayness Game: PubKow A,Π to the challenged one which would be a trivial 1: Gen is run to obtain the keys (pk, sk) solution. 2: m is chosen at random from message space Remark 2.4: Indistinguishability means that a ci- 3: The challenge ciphertext c = Encpk(m) 0 4: Adversary A is given pk and c to produce m = phertext gives semantically no information about A(pk, c) the plaintext. In other words, whatever a passive 5: The output of the game is defined to be 1 if adversary can compute about m given the challenge m0 = m and ⊥ otherwise. ciphertext c, he can also compute without c. This is why it is also called semantic security [11]. Definition 2.5: A public key encryption scheme Indistinguishability Π = (Gen, Enc, Dec) is IND-secure against chosen plaintext attacks if for all probabilistic polynomial This goal focuses on keeping the entire plaintext time adversaries A, there exists a negligible function information secret and it is the most popular ad- such that versarial goal. In this goal, the adversary selects 1 Pr[PubKcpa = 1] ≤ + negl. two plaintexts of his choice and sends them to an A,Π 2 hypothetical challenger who has the secret key. The challenger randomly selects one of the messages, Malleability

47 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

ind−cca1 The notion of malleability is introduced by Naor et Game 3 IND-CCA1 Game: PubKA,Π al. [8]. The goal of the adversary A who observes 1: Gen is run to obtain keys (pk, sk). a ciphertext c of plaintext m, cannot modify it 2: Adversary A is given pk, as well as oracle 0 consciously and obtain a valid ciphertext c of a access to Decsk and outputs a pair of messages 0 plaintext m which is related to m where this relation (m0, m1) of equal length. is known by the adversary. 3: A random bit b ∈ (0, 1) is chosen, and the

challenge ciphertext c = Encpk(mb) is computed 2.5. Adversarial Capabilities and IND-Games and given to A.

4: A continues to interact with Decsk before he There are several possible capabilities of an at- gets the challenge ciphertext c and later it is not tacker in the public key setting depending on the allowed, then this kind of experiment is called availability of the decryption oracle which is a hy- CCA-1 or lunch time attacks. 0 pothetical black box that is presented to the attacker 5: The output is deﬁned to be 1 if b = b and 0 so that it can make decryption queries of its own otherwise. choice and gets the corresponding plaintexts. This captures the possible real life attacks that consist ind−cca2 Game 4 IND-CCA2 Game: PubKA,Π of attackers that has gained temporary access to the 1: Gen is run to obtain keys (pk, sk). decryption oracle. In this respect, there are three 2: Adversary A is given pk, as well as oracle types of decryption oracle access: access to Decsk and outputs a pair of messages

• CPA (Chosen Plaintext Attack): if there is no (m0, m1) of equal length. decryption oracle access at all, we call this a 3: A random bit b ∈ (0, 1) is chosen, and the chosen plaintext attack. challenge ciphertext c = Encpk(mb) is computed • CCA1 (Non-adaptive Chosen Ciphertext Attack, and given to A. or lunchtime attack): Adversary A can access 4: A continues to have access to Decsk even after the decrpytion oracle until it sees the ciphertext he sees the challenge ciphertext, but may not it needs to break. request a decryption of the challenge ciphertext 0 • CCA2 (Adaptive Chosen Ciphertext Attack): itself and ﬁnally outputs a bit b . 0 Adversary A always has access to the decryption 5: The output is deﬁned to be 1 if b = b and 0 oracle but querying the ciphertext it needs to otherwise. break is prohibited.

Remark 2.6: Security against adaptive chosen ci- hard problem M is reduced to breaking the scheme phertext attacks is the most widely accepted level S that is assumed to be provable secure. Existence of security notion. of such a reduction implies that the problem of We explain them in Game 3 and Game 4. breaking the scheme S is as hard as M. This implication stems from the following contraction ar- 2.6. Computational Security and Reductions gument: If there exist a polynomial time algorithm A that breaks the scheme S , then due to this reduction, Most of the security proofs in the literature are in one may construct a polynomial time algorithm B the form of a reduction. Typically, a mathematically which uses A as a subroutine to solve M which

48 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

Let N = p · q where p and p are prime numbers. Let e be an integer relatively prime to φ(N). The ∗ RSA problem states that for a given y ∈ ZN, compute the e-th root of y, namely x, such that y = xe mod N. If the factorization of N is known, then the RSA Fig. 1. The reduction idea to prove security of problem can be easily solved. public key schemes The RSA Assumption: is assumed to be impossible. This is explained in Given N = p · q, the RSA problem is intractable. Figure 1. • This encryption scheme is one-way secure due to the RSA problem. 3. Security Analysis of Some Public Key • Since RSA encryption is deterministic, it does Encryption Schemes not satisfy IND-CPA security notion (i.e, semantic secure). It is because, given the chal-

Before we review public key encryption schemes, lenge ciphertext c of either m0 or m1, the we recall some definitions which are utilized e adversary A simply computes c0 = m0 mod N throughout this section. e and c1 = m1 mod N and checks the resulting Definition 3.1: The set of integers ciphertexts with the challenge one. {0, 1, 2, ..., N − 1} is defined as the integers • RSA encryption scheme is vulnerable to a chosen ciphertext attack. If an adversary A gets mod N and denoted by ZN. the challenge ciphertext c = me mod N, he can Definition 3.2: The multiplicative group of ZN is ∗ choose a random element r from ZN and com- ∗ pute the modified ciphertext as c0 = re·c mod N. ZN = {a ∈ ZN | gcd(a, N) = 1} Since c0 is different from the challenge, A asks it 0 3.1. The RSA Encryption Scheme to the decryption oracle, gives the decryption m of this ciphertext, then recovers m = m0 ·r−1 mod N. Rivest, Shamir, Adleman proposed this scheme • The scheme is malleable: Let the adversary A due to the trapdoor one way permutation property gets the challenge ciphertext c = me mod N, of the RSA function [17]. The key generation algo- then he is able to generate, for example, c0 = rithm produces a large composite number N = p · q 2e · c such that the underlying plaintexts satisfy where p and p are primes, a public key e and private a relation m0 = 2m This holds, because key d such that e · d = 1 mod φ(N) is satisfied. The ∗ 0 d e e d ed ed encryption of a message m from ZN is an element (c ) = (2 · m ) = 2 · m = 2 · m mod N. ∗ e of ZN, namely c = m mod N. One finds m using Remark 3.3: Bellare and Rogaway [2] proposed d the secret key d by computing m = c mod N. a padding scheme named Optimal Asymmetric En- We state the RSA problem as follows: cryption Padding which is often used with RSA

49 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

encryption. It uses two random oracles and achieves 3.3. Goldwasser-Micali Encryption Scheme IND-CCA security with trapdoor one way permutation under the RSA assumption in the random oracle Goldwasser and Micali [11] introduced proba- model. bilistic encryption and proposed a scheme which was proven secure in the sense of semantic security assuming the intractability of the quadratic resid- 3.2. Rabin Encryption Scheme uosity problem which is defined as follows: ∗ Given N = p · q where p, q are primes and a ∈ Z Breaking a cryptographic scheme is not necessar- N with ily equivalent to solving the underlying mathemat- a = 1 ically hard problems. Rabin’s scheme is a counter N example of it. If we know the factorization of N, decide whether a is quadratic residue mod N. then we can convert the RSA function and anybody ∈ ∗ can not invert it without knowing p and q, i.e, RSA We note that a ZN is said to be a quadratic ∈ ∗ problem is polynomially reduced to factoring. It is residue modulo N if there exists an x ZN, such that 2 conjectured that there is no effective way except x ≡ a mod N and x is a square root of a mod N. ∈ ∗ factorization to find the e-th roots modulo N. Rabin We recall that if a ZN is quadratic residue, then a [15] proposed an encryption function that could be the Jacobi symbol denoted as N is 1, otherwise proved to be invertible only by someone who could −1. factor N. This system is similar to RSA, ciptertext Remark 3.4: The Jacobi symbol is an extension c is produced by squaring plaintext m modulo N, of the Legendre symbol for a prime N = p. i.e, Remark 3.5: Given a and N (with unknown fac- c = m2 mod N torization), it is possible to compute the Jacobi symbol of a in polynomial time. where N = p · q and the squaring map is 4-1. So, The Quadratic Residuosity Assumption: Rabin finds all four square roots of a ciphertext c. The most important fact about Rabin encryption Given N = p · q with unknown factorization, the scheme is that it is in some sense provably secure QRP is intractable. in reductionist argument meaning that if someone breaks the scheme and finds the plaintext m from Remark 3.6: If p, q are known and N = p·q, then ciphertext c, then he is able to factor N. there exists a polynomial time algorithm to decide whether a is quadratic residue mod N. • It is the first public key encryption scheme to be Goldwasser-Micali encryption scheme works on proposed with a reductionist security argument. bits. To encrypt m ∈ (0, 1), one first selects a • Since it is deterministic encryption, it does not y quadratic nonresidue y ∈ ZN satisfying N = 1. satisfy IND-CPA security notion. ∗ Then choosing a random value r ∈ ZN and produces • As RSA encryption, it is also vulnerable to cho- the challenge ciphertext sen ciphertext attacks, namely if an adversary gets m, he is able to factor N. c = ymr2 mod N.

50 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

The receiver decides the plaintext m is 0 if c is a We state the decisional Diffie-Hellman problem square, otherwise it must be 1 using the factors of as the following: N = p · q. Let G be a finite, multiplicative group of order q Remark 3.7: Although, Goldwasser-Micali en- with a generator g. Given three elements of G, x y z cryption scheme is the first probabilistic encryption (g , g , g ), it is asked to find whether xy = z mod q. scheme satisfiying semantic security, efficiency does not hold because of ciphertext expansion. The Decisional Diffie-Hellman Assumption:

3.4. ElGamal Encryption Scheme The DDH problem is computationally hard in the underlying group G. Before we give the description of the scheme, we This assumption can also be represented in terms recall some mathematically hardness assumptions of probabilities as follows: Let D be a polyno- and relations between them. mial time algorithm which is designed for deciding We state the discrete logarithm problem as fol- whether a three-tuple is a DDH tuple, and let lows: Pr[D(gx, gy, gxy) = 1] − Pr[D(gx, gy, gz) = 1] Let G be a ﬁnite, multiplicative group of order q with a generator g. The DLP asks x given a group where x, y, and z are selected randomly from q x Z element h = g . is deﬁned as the advantage of D in distinguishing a DDH tuple distribution from a random one. The The Discrete Logarithm Assumption: DDH assumption assumes that this advantage is negligible. The DLP is intractable in the underlying group G. Remark 3.8: The three assumptions are related We formally show this via adversarial view as the with each other such that if there exists a poly- following: For any polynomial time adversary A, the nomial time algorithm A solving DLP with non- probability that negligible probability, then using this algorithm as a

x subroutine, one can construct an efficient algorithm Pr[x = A(G, q, g, h): g = h] B for CDH problem and moreover, running B as a subroutine, there exists an algorithm C for DDH is negligible. problem which solves it in a polynomial amount of Recall that the computational Diffie-Hellman time. Hence, we decide that DDH assumption is the problem is defined as follows: strongest one. Let G be a finite, multiplicative group of order q with a generator g. Given two elements of G, gx We review the ElGamal encryption scheme [9] and gy, it is required to find gxy. whose security is based on the DLP. Let G be a finite cyclic group of order q with generator g. The secret and the public keys are x and y = gx, respectively. The Computational Diffie-Hellman Assumption: To encrypt m ∈ G, the sender chooses a random r ∈ Zq and produces the challenge ciphertext The CDH problem is intractable in the underlying r r group G. c = (c1, c2) = (g , y · m).

51 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

x 0 The receiver gets m by calculating c2/c1 . outputs 1 if and only if b = b . Since the DDH assumption holds in and B is a PPT algorithm, We note that it is hard to ﬁnd x, given y = gx under G we have the discrete logarithm assumption but this does not 1 Pr[B = 1 | DDH tuple] − Pr[B = 1 | Random tuple ] ≤ +negl. guarantee the security of semantic notion sense. If 2 p ∗ we work on some groups such as for a prime , Zp, If the input to B is a DDH tuple, then we have where DLP holds, then there exists a polynomial time adversary violating the semantic security as Pr[B = 1 | DDH tuple] = Pr[Success of A]. follows: x When DDH tuple occurs, we have g2 = g1, g3 = • Adversary selects two messages m0 and m1 of r xr r g1 and g4 = g1 = g2 for some x, r ∈ Zq. But this is equal length such that one of them is quadratic exactly ElGamal encryption scheme in real life so residue and sends them to the challenger. B outputs 1 if and only if A succeeds in breaking • Given the challenge ciphertext c = (c1, c2) the scheme. To complete the proof, we show that where c = gr and c = yrm , it is easy to 1 2 b 1 distinguish which m is chosen. If c or y are Pr[B = 1 | Random tuple] = 1 2 quadratic residues, then at least r or x must be even, hence yr is also quadratic residue. So, is satisﬁed. In this case, g4 is uniformly distributed

upon receiving c2, one can determine whether in G and it is independent of g1, g2 or g3. So r mb is quadratic residue. If y is a not a residue the second component given to A is uniformly

but c2 is residue, then mb is also a non residue. distributed in G and independent of m. Thus, A has Hence, the semantic security of the scheme fails no information about b, therefore, there is no way 1 under the discrete logarithm assumption. other than predicting with probability 2 . We state a well known theorem about the semantic Remark 3.10: Like RSA and Rabin encryption security of the ElGamal encryption scheme [13]. schemes, ElGamal encryption scheme is also vulnerable to adaptive chosen ciphertext attacks. When ad- Theorem 3.9: Under the DDH assumption, ElGa- versary A gets the challenge ciphertext c = (c1, c2), mal encryption scheme is semantically secure. he can modify it by randomly selecting m0 and 0 0 Proof: The proof is done by using the reduc- getting c = (c1, c2 · m ). Since this is diﬀerent from tionist argument such that assuming there exists a the challenge, he can ask it to the decryption oracle polynomial time adversary A breaking the scheme, and by dividing the returned answer by m0, he can then we can construct a polynomial time algorithm get the plaintext m. B using A as a subroutine and solve the DDH Remark 3.11: Damgard proposed [5] a slight problem which is a contradiction under the DDH modiﬁcation of ElGgamal encryption scheme by assumption, hence we conclude that this scheme is just adding an exponentiation to ciphertexts to pro- semantically secure. vide security against nonadaptive chosen ciphertext The inputs to B is (G, q, g1, g2, g3, g4), where attacks. But it is vulnurable to an IND-CCA2 at- (g , g ) is the public key. B gives the public key 1 2 tacker. In 2008, Desmedt and Duong [6] showed that to A and asks to get messages (m0, m1) of equal length. B selects a bit b ∈ (0, 1) randomly, produces by employing a data encapsulation mechanism to the challenge ciphertext c = (g3, g4 · mb) and runs Damgard’s ElGamal scheme resulting in hybrid A(pk, c) to obtain b0 of a guess for b. Finally, B Damgard’s ElGamal encryption and is secure

52 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

against adaptive chosen ciphertext attacks in the construct a polynomial time algorithm B which is standard model. able to break the DDH assumption by distinguishing a DDH tuple from a random one. B is given

3.5. Cramer-Shoup Encryption Scheme (g1, g2, g3, g4) as input. x, y ∈ are chosen randomly, h = gx · gy is set We discuss about the Cramer-Shoup public Zq 1 2 as the public key and (g , g , h) is given to A. A key encryption scheme which is the ﬁrst eﬃcient 1 2 chooses (m , m ) of equal length and sends them to scheme proven to be secure against adaptive chosen 0 1 B. B selects one of them, namely m and produces ciphertext attacks under the DDH assumption in b the challenge ciphertext (u, v, e) = (g , g , gx · gy · the standard model. It is an extension of the 3 4 3 4 m ) and send back to A. A guesses a bit b0 for b. ElGamal encryption scheme. We summarize the b If b0 = b, then we decide that (g , g , g , g ) is a proof techniques below, and inform that all the 1 2 3 4 DDH tuple, otherwise, random one. details and reductions can be found in [4], [12]. Claim 3.13: If the input to B is a DDH tuple, then A’s view is the same as in the real attack game, i.e,

The Modiﬁed ElGamal Encryption There exist α, r ∈ Zq such that:

(g , g , g , g ) = (g , gα, gr , gαr = gr ) In this section, we review the modified ElGamal 1 2 3 4 1 1 1 1 2 scheme and show that it is semantically secure under holds. Hence, the success probability of A in break- the DDH assumption. ing the scheme is directly related to the DDH Let G be a finite, cyclic group of prime order q assumption which is supposed to be intractable. meaning that every element of except the identity G Claim 3.14: If the input to B is a random tuple, is a generator. Let (g , g ) be two generators and 1 2 then b is theoretically hidden from the view of A (x, y) be the secret keys randomly chosen from . Zq and the scheme becomes a one time pad encryption, The public key is h = gx · gy. To encrypt m ∈ , 1 2 G hence the success probability is nothing but 1/2 plus one randomly chooses r ∈ and performs the Zq negligible probability. challenge ciphertext: Assume B gets a random tuple. Then there exists c = (u, v, e) = (gr , gr , hr · m). 1 2 α, β, r which are randomly chosen from ∈ Zq The receiver with secret key (x, y) decrypts c as such that the input (g1, g2, g3, g4) to B becomes α r β follows: (g1, g2 = g1 , g3 = g1, g4 = g1). Another saying 0 ∈ 0 r x y r r x r y r x y r of this, there exist r, r Zq with r , r , g3 = g1 0 e/u · v = h · m/(g1) · (g2) = h · m/(g1 · g2) = m. r and g4 = g2 . Given the public key, (g1, g2, h), it Theorem 3.12: If the DDH assumption is hard in is easily seen that there are exactly q possible pairs G, then the modified ElGamal scheme is secure (x, y) that could be chosen by A. Then we have against a CPA attacker. logg h = x + αy. Proof: We use the reductionist argument such 1 that if there exists a polynomial time attacker A We observe that for every x ∈ Zq, there is a unique breaking the semantic security of the modified y ∈ Zq satisfying this equation. So, there are exactly scheme in non-negligible probability, then we can q solutions due to the group order. Let us consider

53 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

x y µ = g3 · g4 where µ is an arbitrary group element. exists a polynomial time attacker A breaking the By similar argument, we have semantic security of the reduced Cramer-Shoup scheme with a nonnegligible success probability, log µ = r · x + r0 · α · y. g1 then we can construct a polynomial time algorithm We see that these form a system of linear equations B which is able to break the DDH assumption by and has a unique solution in (x, y). But µ is an distinguishing a DDH tuple from a random one. The arbitrary group element so each possible value for µ important diﬀerence is that A has access decryption x y is possible meaning that A can not guess g3 ·g4 with oracle and is allowed to have polynomially many non negligible probability. It seems like a one-time queries until getting the challenge ciphertext. B is pad encryption. given (g1, g2, g3, g4) as input which is either a

DDH tuple or a random tuple. A chooses (m0, m1) The Reduced Cramer-Shoup Encryption of equal length and sends them to B. B selects one of them, namely mb, produces the challenge ciphertext x · y · a · b In this section, we review the reduced Cramer- (g3, g4, g3 g4 mb, g3 g4) and sends it to A. Then, 0 0 Shoup encryption scheme and show that it is prov- A guesses a bit b for b. Finally, if b = b, then ably secure against non-adaptive chosen ciphertext (g1, g2, g3, g4) is a DDH tuple, otherwise random attacks under the DDH assumption, however, it is one. insecure against CCA2 attackers. Claim 3.16: If the input to B is a DDH tuple, then A’s view is the same as in the real encryption Let (g1, g2) be two generators of the group G and (x, y, a, b) be the secret key randomly chosen from scheme. . The public key is (h, c) = (gx · gy, ga · gb). To Zq 1 2 1 2 If (g1, g2, g3, g4) is a DDH tuple, we can write encrypt m ∈ , one randomly chooses r ∈ q and r r G Z g3 = g1 and g4 = g2 for a randomly selected r ∈ performs the challenge ciphertext: Zq. Hence, the success probability of A in breaking r r r r the scheme is directly related to the DDH problem c = (u, v, e, w) = (g1, g2, h · m, c ) which is supposed to be intractable. On receiving the challenge ciphertext (u, v, e, w), Claim 3.17: If the input to B is a random tuple, there is a checking mechanism and the receiver then b is theoretically hidden from the view of A checks whether w = ua · vb. If so, output is e/ux · vy, and the scheme becomes a one time pad encryption, else ⊥. hence the success probability of A guessing the true Correctness is satisﬁed, since b is about 1/2 plus some negligible probability. r a b r a b w = c = (g1 · g2) = u · v The proof is similar with the modiﬁed ElGamal and scheme so we omit it and refer [4], [12] for details, however we discuss below why this scheme is not x y r r x r y r x y r e/u · v = h · m/(g1) · (g2) = h · m/(g1 · g2) = m. secure against adaptive chosen ciphertext attacks. Theorem 3.15: Under the DDH assumption, the x On receiving the challenge ciphertext (g3, g4, g3 · scheme is IND-CCA1 secure. y a b g4 · mb, g3 · g4), A computes Proof: To prove this, as in the previous section, we use reductionist argument such that if there logg1 w = a · logg1 g3 + b · logg1 g4 (1)

54 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

and from the public key c, A learns that Decryption:

· logg1 c = a + b logg1 g2. (2) • To decrypt the challenge ciphertext c = (u, v, e, w), there is a checking mechanism: 0 0 From (1) and (2), A theoratically learns (a, b). if ua+αa · vb+αb = w where α = H(u, v, e) then Then, in particular, makes a query of the form output is valid. (gr , gr0 , e, (gr )a, (gr0 )b) and return m, thus we have; 1 2 1 2 • Output is e/ux · vy, else ⊥. e log = x · r + y · r0 · log g (3) Theorem 3.18: Under the DDH assumption, the g1 m g1 2 Full Cramer-Shoup encryption scheme is secure from the public key h, A learns that against adaptive chosen ciphertext attacks in the standard model. logg1 h = x + y · logg1 g2. (4) Proof: Given a PPT algorithm A attacking Since (3) and (4) are linearly independent, A can the scheme with nonnegligible success probability, compute the values of (x, y) and ﬁnally decrypt the we construct an adversary B violating the DDH challenge ciphertext. assumption as follows:

B is given (g1, g2, g3, g4) as an input. The algorithm 0 0 The Full Cramer-Shoup Encryption selects (x, y, a, b, a , b ) from Zq and sets x y a b a0 b0 (g1, g2, h = g1 · g2, c = g1 · g2, d = g1 · g2 , H) as In the previous section, we analyse the reduced the public key. Then it runs A to produce (m0, m1) Cramer-Shoup version and briefly show that it satis- of equal length. B selects a bit b and gives the x challenge ciphertext (u, v, e, w) = (g3, g4, g · fies IND-CCA1 security under the DDH assumption 0 0 3 y a+αa b+αb 0 g4 · mb, g3 · g4 ). Then A guesses a bit b for but vulnerable against an CCA2 attacker. In order to 0 make the scheme provably secure against adaptive b. Finally, B outputs 1 if and only if b = b . We see chosen ciphertext attacks in the standard model, from the previous sections that if B is given a DDH a public collision-resistant hash function H which tuple, then A’s view is the same as in an execution of the real full Cramer-Shoup encryption scheme. hashes arbitrary length strings to Zq is used. Briefly, the full Cramer-Shoup encryption scheme is as Hence, we show that if B is given a random tuple, follows: then the bit b is theoratically hidden from A’s view, so A has no information about the bit chosen by B. From the public key, A learns Encryption:

logg1 c = a + b · logg1 g2 y • x a b pk = (g1, g2, h = g1 · g2, c = g1 · g2, d = 0 0 and ga · gb , H) 0 0 1 2 logg d = a + b · logg g2. 0 0 1 1 • sk x, y, a, b, a , b = ( ) r r 0 We write g3 = g1, g4 = g2 and when given the • To encrypt m, we choose random r ∈ Zq and challenge ciphertext, denoted by set the challenge ciphertext 0 0 ∗ x y ∗ a+αa b+αb (g3, g4, e = g3 · g4 · mb, w = g3 · g4 ). c = (gr , gr , hr · m, ((c · dα))r) 1 2 A learns where α = H(gr , gr , hr · m). ∗ 0 0 0 1 2 logg1 w = (a + α · a ) · r + (b + α · b ) · logg1 g2 · r .

55 INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Turgut Hanoymak, Vol.2, No.2

Hence, we have three cases to be considered about References the decryption oracle queries. We also note that it is not allowed to query the challenge ciphertext to [1] M. Bellare, P. Rogaway, Random oracles are practical: A Paradigm for designing efficient protocols. Proc. of the First the oracle. ACM Conference on Computer and Communications Security, pp. 62-73, 1993. ∗ ∗ ∗ ∗ • if (u, v, e) = (u , v , e ), and w , w then the [2] M. Bellare, P. Rogaway, Optimal Asymmetric Encryption - query is always rejected because of the checking How to encrypt with RSA. Extended abstract in Advances in mechanism. Cryptology - Proc., LNCS, vol. 950, EUROCRYPT’94. [3] R. Canetti, O. Goldreich, S. Halevi, The random oracle method- ∗ ∗ ∗ • if (u, v, e) , (u , v , e ) but the the hash values ology, revisited, Proc. of the 30th ACM Symp. on Theory of are the same, this happens with negligible prob- Computing (STOC), pp. 209-218, 1998. ability because of the collision resistant property [4] R. Cramer, Victor Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, Proc. of H. of the 18th Annual International Cryptology Conference on 0 ∗ ∗ ∗ • if α = H(u, v, e) , H(u , v , e ) = α. Then, Advances in Cryptology, pp. 13-25, CRYPTO ’98. with a careful analysis, we have more unknowns [5] I. Damgard, Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks, In Advances in Cryptology- than linear equations in these unknowns. CRYPTO’91. [6] Y. Desmedt, D. Phan, A CCA secure Hybrid Damgard’s ElGa- mal Encryption, Lecture Notes in Computer Science, vol. 5324, pp. 68-82, 2008. [7] W. Diffie, M. E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, vol. IT-22, pp. 644– 4. Conclusion 654, 1976. [8] D. Dolev, C. Dwork, M. Naor, Non-Malleable Cryptography, STOC’91. In this paper, we summarize the basic concepts [9] T. Elgamal, A public key cryptosystem and a signature scheme based on discrete logaritms, IEEE Transactions on Information about provable security of public key encryption Theory, pp. 469-472, 1984. schemes giving security models in terms of adver- [10] E.Fujisaki, T.Okamoto, How to Enhance the Security of Public- sarial goals and adversarial capabilities. In this re- Key Encryption at Minimum Cost. PKC’99, LNCS 1560, pp. 53-68, 1999. spect, we briefly explain several games between the [11] S. Goldwasser, S. Micali, Probabilistic encryption, Journal of challenger and the adversary to prove the security Computer and System Sciences, pp. 270–299, 1984. of a cryptographic scheme. Finally we give some [12] J. Katz, LectureNotes,http://www.cs.umd.edu/ jkatz [13] J. Katz, Y. Lindell, Introduction to Modern Cryptography, 2008. public key encryption schemes to demonstrate the [14] M. Naor, M. Yung, Public key cryptosystems provably secure ideas. We hope that the ideas presented here provide against chosen ciphertext attacks, Proceedings of the 22-th the readers a better understanding about the security annual ACM Symposium of Theory and Computing, 1990. [15] M. Rabin, Digitalized Signatures and Public-Key Functions proofs in modern cryptography. as Intractable as Factorization, MIT Laboratory for Computer Science, January 1979. [16] C. Rackoff, D. Simon, Noninteractive zero-knowledge proof Acknowledgment of knowl-edge and chosen ciphertext attack, In Advances in Cryptology, pp. 433-444, CRYPTO’91. [17] R. Rivest, A. Shamir, L. Adleman, A Method for Obtaining Dig- ital Signatures and Public-Key Cryptosystems, Communications We would like to express our sincere gratitude of the ACM 21 (2), pp. 120-126, 1978. to the anonymous referees for their valuable com- [18] Y. Zeng, J. Seberry, Immunizing public key cryptosystems ments, to Ersan Akyıldız for his diligent guidance against chosen ciphertext attacks, IEEE Journal on Selected Areas in Communications, 1992. and to Ali Aydın Selçuk for useful discussions.