Forward secure asynchronous messaging from puncturable encryption

1/27
Forward Secure Asynchronous Messaging from
Puncturable Encryption
2015 IEEE Symposium on Security and Privacy
Matthew D. Green and Ian Miers
Department of Computer Science
The Johns Hopkins University
20 July 2015
林彥賓
2020 年 7 月 8 日
Green and Miers 2020 年 7 月 8 日

2/27
Outline
Introduction
Background
Negligible function
Difinitions
Correctness
Security: INDPUN-ATK game
Construction
CPA-secure scheme
CCA-secure scheme
HIBE Construction Of Boneh, Boyen and Goh
Puncturable Forward Secure PKE
Appendix

3/27
definition
tag: unique string for the message identifier (ID of a message)
puncturing: revoke decryption capability of the secret key to some
message
fine-grained: do something to the specific messages
coarse-grained: do something to all messages
forward-secure: exposure of long-term secret information does not
compromise the security of previously-generated session keys.

4/27
Why Puncturable?
Suppose Alice want to
keep a lot of ciphertext
keep secrete of the category(attribute ot tag) of ciphertext
So she hash the tag with ciphertext
Suppose Alice only need the message that is not associate to tag A
someday
1 puncture secrete with tag A and get new secrete key
2 decrypt all ciphertext and get the correct message that is not
associate to tag A
if Alice need message associate to tag A someday, just use the origin key
to get result

5/27
Negligible function
definition: Negligible function
For every positive integer c there exists an integer Nc such that for all
x > Nc
|u(x)| <
1
xc
=
1
poly(x)
use in security proof of adversary bound
represent as negl() in this paper

6/27
A puncturable encryption scheme is a tuple of probabilistic algorithms
(PPKE.KeyGen, PPKE.Encrypt, PPKE.Decrypt, PPKE.Puncture) with the
following syntax:
PPKE.KeyGen(1k, d) −→ (PK, SK0):
input: security parameter k and maximum number of tags per
cipher-text d
output: public key PK and initial secret key SK0
PPKE.Encrypt(PK, M, t1, ..., td) −→ CT
input:public key PK, a plaintext M and a list of tags t1, ..., td
output:ciphertext CT
PPKE.Puncture(PK, SKi−1, t) −→ SKi
input: secrete key SKi−1 and tag t
output: secret key SKi that can decrypt any ciphertext SK’, except for
ciphertexts encrypted with t
PPKE.Decrypt(PK, SKi, CT, t1, ..., td) −→ {M}or{⊥}
input: secret key SKi and a ciphertext CT
output: plaintext M, or ⊥ if decryption fails

7/27
Correctness
on input (k, M, n, d, t1, ..., tn, t∗
1, ..., t∗
d)
1 Compute (PK, SK0) ←− PPKE.KeyGen(lk, d)
2 If n > 0 then for i = 1, ..., n compute
SKi = PPKE.Puncture(SKi−1, ti)
3 Set CT = PPKE.Encrypt(PK, M, t∗
1, ..., t∗
d)
The scheme is correct if for all sufficiently large k; d > 0, n ≥ 0 both
polynomial in k; t1, ..., tn ∈ T, t∗
1, ..., t∗
d ∈ T{t1, ..., tn} it holds that
PPKE.Decrypt(SKn, CT, t∗
1, ..., t∗
d) = M
with probability 1−negl(k) taken over the random coins of the experiment.

8/27
Setup: On input a security parameter k and a maximum number of
tags d, the challenger initializes two empty sets P, C and a counter
n = 0. It runs (PK, SK0) ←− PPKE.KeyGen(1k, d) and gives PK to
the adversary.
Phase 1: The adversary can repeatedly issue any of the following
queries:
Puncture(t): The challenger increments n, computes
SKn ←− PPKE.Puncture(SKn−1, t) and adds t to the set P
Corrupt(): The first time the adversary issues this query, the
challenger returns the most recent secret key SKn to the adversary and
sets C −→ P. All subsequent queries return ⊥
Decrypt(CT, t1, ..., td): If ATK = CPA the challenger returns ⊥. If
ATK = CCA the challenger computes
M ←− PPKE.Decrypt(SKn, CT, t1, ..., td) and returns M to the
adversary.

9/27
Challenge: The adversary submits two messages m0, m1 along with
tags t∗
1, ..., t∗
d.
If the adversary has previously issued a Corrupt query and
{t∗
1, ..., t∗
d} ∩ C = ∅, the challenger rejects the challenge
Otherwise the challenger samples a random bit b, and returns
CT∗
←− PPKE.Encrypt(PK, Mb, t∗
1, ..., t∗
d) to the adversary
Phase 2: This phase is identical to Phase 1 with the following
restrictions:
Corrupt(): returns ⊥ if {t∗
1, ..., t∗
d} ∩ P = ∅
Decrypt(CT, t1, ..., td) returns ⊥ if (CT, t1, ..., td) = (CT∗
, t∗
1, ..., t∗
d
Guess: The adversary outputs a guess b′. The adversary wins if b = b′.
Definition: security for puncturable encryption
For ATK ∈ {CPA, CCA} if for all adversaries A and for sufficiently large
k, it holds that A’s advantage in the INDPUN- ATK game is bounded by
1/2 + negl(k)

10/27
Construction: CPA-secure scheme
PPKE.Keygen(1k, d): Input security parameter k and maximum
number of tags per cipher-text d
1 Choose a group G of prime order p, a generator g and a hash function
H : {0, 1}∗
−→ Zp
2 Choose random a, b, r ∈ Zp
3 Set g1 = ga
, g2 = gb
4 Set q() a degree-d polynomial that q(0) = b
5 Define V(x) = gq(x)
6 Let t0 a tag
7 Set sk
(1)
0 = ga+r
2 , sk
(2)
0 = V(H(t0))r
, sk
(3)
0 = gr
, sk
(4)
0 = t0
8 Output
PK = g, g1, g2, V(1), ..., V(d) SK0 = sk
(1)
0 , sk
(2)
0 , sk
(3)
0 , sk
(4)
0

11/27
PPKE.Encrypt(PK, M, t1, ..., td): Input the public parameters PK, a
message M to encrypt and a set of tags t1, ..., td ∈ {0, 1}∗{t0}
1 Select a random s ∈ Zp
2 Output CT = ct(1)
= Me(g1, g2)s
, ct(2)
= gs
, ct(3,1)
=
V(H(t1))s
, ..., ct(3,d)
= V(H(td))s
PPKE.Puncture(PK, SKi, t): Input an existing secret key SKi and a
tag t ∈ {0, 1}∗{t0}
1 Phase SKi = [sk0, ..., ski]
2 Phase sk0 = sk
(1)
0 , sk
(2)
0 , sk
(3)
0 , t0
3 Select random λ, r0, r1 ∈ Zp
4 Copute sk′
0 = sk
(1)
0 gr0−λ
2 , sk
(2)
0 V(H(t0))r0
, sk
(3)
0 gr0
, t0, ski+1 =
gλ+r1
2 , V(H(t))r1
, gr1
, t
5 Output SKi+1 = [sk′
0, (sk0) ?, sk1, ..., ski+1]

12/27
PPKE.Decrypt(SKi, CT, t1, ..., td): Input a private key SKi, a
ciphertext CT and a set of tags t1, ..., td associated with the
ciphertext
1 Parse the ciphertext CT as (ct(1)
, ct(2)
, ct(3,1)
, ..., ct(3,d))
and parse
SKi as [sk0, ..., ski]
2 Compute a set of coefficients 1, ..., d, ′
such that
w′
q(H(sk
(4)
i )) +
∑d
k=1(wkq(H(tk))) = q(0) = b
3 Output M = ct(1)
/
∏i
j=0 Zj, where
Zj =
e(sk
(1)
j , ct(2)
)
e(sk
(3)
j ,
∏d
k=1((ct(3,k))wj ))e(sk
(2)
j , ct(2))w′

13/27
CPA-secure scheme Decrypt
Without Puncture:
e(ga+r
2 , gs)
e(gr, gs
∑d
k=1(wkq(H(tk))))e(gq(H(t0=sk
(4)
0 ))r, gs)w′
=
e(g, g)sb(a+r)
e(g, g)srb
= e(g, g)sab
Puncture case Z0:
e(ga+r
2 gr0−λ
2 , gs)
e(grgr0 , gs
∑d
k=1(wkq(H(tk))))e(gq(H(t0=sk
(4)
0 ))(r+r0), gs)w′
=
e(g, g)sb(a+r+r0−λ)
e(g, g)sb(r+r0)
= e(g, g)sb(a−λ)

14/27
Puncture case Zj:
e(gr1+λ
2 , gs)
e(gr1 , gs
∑d
k=1(wkq(H(tk))))e(gq(H(t=sk
(4)
0 ))r1 , gs)w′
=
e(g, g)sb(λ+r1)
e(g, g)sbr1
= e(g, g)sbλ

15/27
Puncture case Zj:
e(gr1+λ
2 , gs)
e(gr1 , gs
∑d
k=1(wkq(H(tk))))e(gq(H(t=sk
(4)
0 ))r1 , gs)w′
=
e(g, g)sb(λ+r1)
e(g, g)sbr1
= e(g, g)sbλ

16/27
Correctness?
How to proof there is no coefficients that
w′
q(H(sk
(4)
i )) +
d∑
k=1
(wkq(H(tk))) = q(0) = b
if sk
(4)
i ∈ {t1, ..., td}

17/27
Construction: CCA-secure scheme
Let hash H1 : GT × M × Td −→ Zp
Let hash H2 : GT −→ {0, 1}ℓ
PPKE.Encrypt′(PK, M, t1, ..., td):
1 Select a random σ ∈ GT
2 Compute s = H1(σ, M, (t1, ..., td))
3 Compute CT′
= PPKE.Encrypt(PK, σ, t1, ..., td)
4 Output
CT = (CT′
, H2(σ) ⊕ M)
PPKE.Decrypt′(SKi, CT, t1, ..., td):
1 Parse the ciphertext CT as (CT′
, S)
2 Compute σ′
= PPKE.Decrypt(SKi, CT′
, t1, ..., td)
3 Compute M′
= S ⊕ H2(σ)
4 Compute s′
= H1(σ, M′
, (t1, ..., td))
5 Compute CT′′
= PPKE.Encrypt(PK, σ′
, t1, ..., td)
if CT′
= CT′′
return M′
else return ⊥

18/27
BBG.Setup(G, ℓ, a): For a HIBE scheme at most depth ℓ given secret
a
1 Select random g ∈ G
2 Set g1 = ga
3 Select random g2, g3, h1, ..., hℓ ∈ G
4 Output:
MPK = (g, g1, g2, g3, h1, ..., hℓ), MSK = ga
2
BBG.Keygen(skID|k−1, suffix): To generate a a private key skID|k for
an identity ID||sufix = (I1, ..., Ik) of length k ≤ ℓ
1 Select random r ∈ Zp
2 Output:
skID|k = (ga
2(hI1
1 , ..., hIk
k g3)r
, gr
, hr
k, ..., hr
ℓ) = (a0, a1, bk, ..., bℓ)
BBG.Encrypt(PK, ID, M): Input a message M under ID
1 pick a random s ∈ Zp
2 Output:
CT = (e(g1, g2)s
M, gs
, (hI1
1 · ... · hIk
k g3)s
)

19/27
BBG.Decrypt(skID, CT) To decrypt a ciphertext CT = (A, B, C)
output:
A
e(a1, C)
e(B, a0)
= e(g1, g2)s
M
e(gr, (hI1
1 · ... · hIk
k g3)s)
e(gs, ga
2(hI1
1 · ... · hIk
k g3)r)
= e(g1, g2)s
M
e(g, (hI1
1 · ... · hIk
k g3))sr
e(g, (hI1
1 · ... · hIk
k g3))sre(g, g2)a
= M
e(g1, g2)s
e(g1 = ga, g2)s
= M (1)

20/27
PFSE.Keygen(1k, d, ℓ): Input a security parameter k, the number of
tags per ciphertext d and a tree depth ℓ
1 Select G, GT of order p
2 Select random a, b ∈ Zp, g3, h1, ..., hℓ ∈ G
3 Set g1 = ga
, g2 = gb
4 Select hash H : {0, 1} −→ Zp
5 Let t0 a tag
6 Set:
PKPPKE = (g, g1, g2, gq(1)
, ..., gq(d)
), PKPFSE = (g, g1, g2, g3, h1, ..., hℓ)
7 Select random r1, r2, r3, a1, a2 ∈ Zp, a1 + a2 = a
8 Set: hskL = BBG.Keygen(PKPFSE, a1, 0), hskR =
BBG.Keygen(PKPFSE, a1, 1)
9 Set: ppkesk∅ = [(ga2+r3
2 , V(H(t0))r3
, gr3
, t0)]
10 Set D0 = (0, {hskL, hskR}, ppkesk∅)
11 Set
SK = (tsk1
∅, D1) = PFSE.NextInterval(D0)
12 Output PK, SK

21/27
PFSE.Encrypt(PK, M, Tcur, t1, ..., td): Input PK, a message M, a
time period Tcur, a set of tags t1, ..., td ∈ {0, 1}∗t0
1 Select random s ∈ Zp
2 Compute HIBE identity T1, ..., Tk = IndexToPath(Tcur, ℓ)
3 Compute ct(1)
= e(g1, g2)s
M, ct(2)
= gs
, ct(3,1)
=
V(H(t1))s
, ..., ct(3,d)
= V(H(td))s
, ct(4)
= (hT1
1 · ... · hTk
k g3)s
4 Output ct = (ct(1)
, ct(2)
, ct(3,1)
, ..., ct(3,d)
, ct(4)
), Tcur, (t1, ..., td)
PFSE.Puncture(PK, SK, t): Input the current secret key
SK = (tski
T, Di) where T represents the set of punctures in the
current time period
1 Parse tski
T = (hski, ppkeskT)
2 Compute
ppkeskT∪{t} = PPKE.Puncture(PKPPKE, ppkeskT, t)
3 Output tski
T∪{t} = (hski, ppkeskT∪{t})

22/27
PFSE.NextInterval(Di): Parse Di = (i, HSKs, ppkesk∅)
1 Extract the HIBE key hskP corresponding to time period i from HSKs
2 Compute
hskL = BBG.Keygen(hskP, 0), hskR = BBG.Keygen(hskP, 1)
3 Compute HSKs′
including the two new keys but without the parent
(i.e. HSKs′
= (HSKshskP) ∪ {hskL, hskR})
4 Set D′
= (i + 1, HSKs′
, ppkesk∅)
5 Parse hskP = (a0, ...), ppkesk∅ = (sk
(1)
0 , sk
(2)
0 , sk
(3)
0 , t0)
6 Select random γ ∈ G, r ∈ Zp
7 Compute
hsk′
P = (a0gγ
2 , ...), ppkesk′
∅ = (sk
(1)
0 g−γ+r
2 , sk
(2)
0 V(H(t0))r
, sk
(3)
0 gr
, t0)
8 Output: (tski
∅ = (hsk′
P, ppkesk′
∅), D′
)

23/27
PFSE.NextInterval(D0 = (0, {hskL, hskR}, ppkesk∅))
1 D′
= (1, HSKs′
, ppkesk′
∅)
2 HIBE key
hskP = skID|k = (ga
2(hI1
1 , ..., hIk
k g3)r
, gr
, hr
k, ..., hr
ℓ) = (a0, a1, bk, ..., bℓ)
3 hsk′
P = (a0gγ
2 , ...) = (ga+γ
2 (hI1
1 , ..., hIk
k g3)r
, ...)
4 ppkesk∅ = [(ga2+r3
2 , V(H(t0))r3
, gr3
, t0)] = [sk
(1)
0 , sk
(2)
0 , sk
(3)
0 , t0]
5 ppkesk′
∅ = [ga2+r3−γ+r
2 , V(H(t0))r3+r
, gr3+r
, t0]

24/27
PFSE.Decrypt(tski
T, ct, t1, ..., td):
1 Parse tski
T = (hski, ppkeskT) and
ct = (ct(1)
, ct(2)
, ct(3,1)
, ..., ct(3,d)
, ct(4)
)
2 Set
A = PPKE.Decrypt(ppkeskT, (1, ct(2)
, ct(3,1)
, ...), t1, ..., td)
B = (HIBE)?BBG.Decrypt(hski, (1, ct(2)
, ct(4)
)
3 Output
M = (
ct(1)
AB
)?ct(1)
AB

25/27
A:
ppkesk∅ = [ga2+r3−γ+r
2 , V(H(t0))r3+r
, gr3+r
, t0]
PPKE.Decrypt(ppkesk∅, (1, gs
, V(H(t1)), ...), t1, ..., td)
A = (ct(1)
= 1)/
i∏
j=1
e(sk
(1)
j , ct(2)
)
e(sk
(3)
j ,
∏d
k=1((ct(3,k))wj ))e(sk
(2)
j , ct(2))w′
=>
e(gr3+r
, gs
∑d
k=1(wkq(H(tk)))
)e(gq(H(t0=sk
(4)
0 ))r3+r
, gs
)w′
e((g2 = gb)a2+r3−γ+r, gs)
=
e(g, g)sb(r3+r)
e(g, g)sb(a2+r3−γ+r)
= e(g, g)sb(γ−a2)
(2)

26/27
B:
hskP = (ga+γ
2 (hT1
1 · ... · hTk
k g3)r
, gr
, ...)
BBG.Decrypt(hskP, (1, gs
, (hT1
1 · ... · hTk
k g3)s
))
B = (ct(1)
= 1)
e(a1, ct(3)
)
e(ct(2), a0)
=
e(gr
, (hT1
1 · ... · hTk
k g3)s
)
e(gs, (g2 = gb)a1+γ(hT1
1 · ... · hTk
k g3)r)
=
1
e(g, g)sb(a1+γ)
= e(g, g)sb(−a1−γ)
(3)
M:
ct(1)
AB
=
e(g1, g2)sM
e(g, g)sb(γ(−a2−a1=−a)−γ)
= M
e(g, g)abs
e(g, g)−abs

27/27
Appendix
Double Ratchet Algorithm => Off-the-Record Messaging Protocol
=> TextSecure Protocol => What’s app
LINE Letter Sealing
MT protocal => Telgram

Forward secure asynchronous messaging from puncturable encryption

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Forward secure asynchronous messaging from puncturable encryption

Similar to Forward secure asynchronous messaging from puncturable encryption (20)

More from National Chengchi University

More from National Chengchi University (10)

Recently uploaded

Recently uploaded (20)

Forward secure asynchronous messaging from puncturable encryption