On the Memory-Tightness of Hashed ElGamal (slide transcript)
  1. On the Memory-Tightness of Hashed ElGamal. Ashrujit Ghoshal, Stefano Tessaro (University of Washington). Eurocrypt 2020.

  2. Security reductions. A reduction $R$ turns an adversary $A$ against a scheme (ElGamal, Cramer-Shoup, ECDSA, RSA-OAEP, ...) into an adversary $B = R^A$ against an assumption (CDH, DDH, DL, factoring, ...).

  3. Security reductions. $A$ runs in time $t_A$ with advantage $\varepsilon_A$; $B = R^A$ runs in time $t_B$ with advantage $\varepsilon_B$.

  4. Tight reductions. Goal: tightness, i.e. $t_A \approx t_B$ and $\varepsilon_A \approx \varepsilon_B$. Time is not the only important resource!

  5. Security reductions: memory perspective [ACFK17]. Besides time $t_A, t_B$ and advantage $\varepsilon_A, \varepsilon_B$, also track the memory $m_A$ used by $A$ and the memory $m_B$ used by $B = R^A$.

  6. Memory-tight reductions [ACFK17]. If the reduction $R$ itself uses memory $m_R$, then $m_B = m_R + m_A$. Goal: memory-tightness, i.e. $m_A \approx m_B$. Common proof technique: $m_R$ small $\Rightarrow$ memory-tight reduction.

  7. Motivation: more memory $\Rightarrow$ faster solution. Discrete logarithm (DL) in prime fields. Goal: security with respect to an adversary with time 2^{#$%} and memory 2^{&%}. With a memory-tight reduction, the derived DL adversary has time 2^{#$%} and memory 2^{&%}; with a non-memory-tight reduction it has time 2^{#$%} and memory 2^{#$%}.
     [Plot: log(time) against log(memory) for DL in a 2048-bit prime field, with the "secure" and "not secure" regions.]

  8. Can we always make a reduction memory-tight?

  9. This talk: certain reductions cannot be memory-tight, provably. Prior work (generic): mUFCMA to UFCMA [ACFK17]; mCR_t to CR_t [ACFK17, WMHT18]; mU-mOW to mU-OW [WMHT18]. Here: Hashed ElGamal, a concrete scheme. Hashed ElGamal is used in practice, e.g. SECG SEC-1, ISO/IEC 18033-2, IEEE 1363a and ANSI X9.63.

  10. Hashed ElGamal KEM. Group $\mathbb{G}$, generator $g$, order $p$. Gen: $sk \leftarrow_\$ \mathbb{Z}_p$, $pk \leftarrow g^{sk}$. Encap$(pk)$: $u \leftarrow_\$ \mathbb{Z}_p$, $C \leftarrow g^u$, $K \leftarrow H(pk^u)$; output $(C, K)$. Decap$(sk, C)$: $K \leftarrow H(C^{sk})$. KEM-CCA security $\equiv$ Oracle Diffie-Hellman assumption [ABR01].

  11. Oracle Diffie-Hellman assumption (ODH). $u, v \leftarrow_\$ \mathbb{Z}_p$; $K_0 \leftarrow H(g^{uv})$, $K_1 \leftarrow_\$ \{0,1\}^{hLen}$; $b \leftarrow_\$ \{0,1\}$. The adversary receives $(g^u, g^v, K_b)$ and the oracle $D_v(Y) = H(Y^v)$ if $Y \neq g^u$, $\bot$ otherwise; it outputs $b'$. ODH: $\Pr[b = b'] = 1/2 + \mathrm{negl}$.

  12. ODH in the random oracle model. The same game, with $H$ modelled as a random oracle that the adversary may query on any $X$. SDH $\Rightarrow$ ODH [ABR01].

  13. Strong Diffie-Hellman assumption (SDH), aka gap-DH. $u, v \leftarrow_\$ \mathbb{Z}_p$. The adversary receives $(g^u, g^v)$ and the oracle $O_v(X, Y) = 1$ if $Y = X^v$, $0$ otherwise; it outputs $Z$. SDH: $\Pr[Z = g^{uv}] = \mathrm{negl}$.

  14. Strong Diffie-Hellman (SDH) $\Rightarrow$ ODH [ABR01]. Theorem. An ODH adversary using memory $m_A$ gives an SDH adversary using memory $m_B = m_A + O(q_H + q_D)$, where $q_H$ is the number of $H$ queries and $q_D$ the number of $D_v$ queries. This reduction is not memory-tight.

  15. SDH $\Rightarrow$ ODH: the reduction. $R$ receives $(g^u, g^v)$, samples $K \leftarrow_\$ \{0,1\}^{hLen}$ and runs $A$ on $(g^u, g^v, K)$. $R$ must answer $A$'s $D_v$ queries $Y_1, Y_2, \ldots$ and $H$ queries $X_1, X_2, \ldots$ with random values, without knowing $v$. Main problem: consistency! Whenever $X_i = Y_j^v$ we need $H(X_i) = D_v(Y_j)$. Fix: use the $O_v$ oracle.

  16. SDH $\Rightarrow$ ODH: the reduction, $D_v$ queries. On a query $D_v(Y)$, $R$ checks every stored $H$ query $X_i$ with $O_v(Y, X_i)$. If the oracle returns 1 (so $X_i = Y^v$), $R$ answers with the stored value $H(X_i)$; otherwise it answers with a fresh random value. $R$ stores $(Y, D_v(Y))$ in its list.

  17. SDH $\Rightarrow$ ODH: the reduction, $H$ queries. On a query $H(X)$, $R$ checks every stored $D_v$ query $Y_j$ with $O_v(Y_j, X)$. If the oracle returns 1 (so $X = Y_j^v$), $R$ answers with the stored value $D_v(Y_j)$; otherwise it answers with a fresh random value and stores $(X, H(X))$. In addition $R$ checks $O_v(g^u, X)$: $O_v(g^u, X) = 1 \Rightarrow X = g^{uv}$, so $R$ returns $X$ as its SDH solution.

  18. Main theorem (first attempt). Theorem. $\forall k$ $\exists$ an (inefficient) $O(k)$-query ODH adversary $A^*$ such that $\mathrm{Adv}^{\mathrm{ODH}}_{\mathbb{G}}(A^*) \approx 1$, and $\forall$ PPT black-box reductions $R$ using memory $m$: $\mathrm{Adv}^{\mathrm{SDH}}_{\mathbb{G}}(R^{A^*}) = \text{non-negl} \Rightarrow m = \Omega(k \log p)$. Issue: for which groups $\mathbb{G}$? If DL is easy in $\mathbb{G}$, a memory-tight $R$ exists. Resolution: $R$ only makes black-box access to the group $\Rightarrow$ generic group model.

  19. Main theorem. Theorem. In the generic group model, $\forall k$ $\exists$ an $O(k)$-query ODH adversary $A^*$ such that $\mathrm{Adv}^{\mathrm{ODH}}(A^*) \approx 1$, and $\forall$ PPT black-box reductions $R$ using memory $m$: $\mathrm{Adv}^{\mathrm{SDH}}(R^{A^*}) = \text{non-negl} \Rightarrow m = \Omega(k \log p)$. Restriction on $R$: no rewinding of $A^*$, and the group-oracle queries of $A^*$ are forwarded.

  20. Main theorem. Theorem. In the generic group model, $\forall k$ $\exists$ an $O(k)$-query ODH adversary $A^*$ such that $\mathrm{Adv}^{\mathrm{ODH}}(A^*) \approx 1$, and $\forall$ PPT restricted black-box reductions $R$ using memory $m$: $\mathrm{Adv}^{\mathrm{SDH}}(R^{A^*}) = \text{non-negl} \Rightarrow m = \Omega(k \log p)$.

  21. Constructing $A^*$. $A^*$, interacting with $R$ (which has the $O_v$ oracle), forces $R$ to complete a memory-intensive task. If $R$ fails, $A^*$ outputs a random bit; if $R$ succeeds, $A^*$ breaks ODH by brute force. Intuition: $A^*$ is useful to $R$ only if $R$ accomplishes the memory-intensive task.

  22. Recall: $D_v(Y) = H(Y^v)$. Adversary $A^*$ on input $(g^u, g^v, K)$: sample $i_1, i_2, \ldots, i_k \leftarrow_\$ \mathbb{Z}_p$; make the $D_v$ queries $g^{i_1}, \ldots, g^{i_k}$, receiving $d_1, \ldots, d_k$; sample $\pi \leftarrow_\$ S_k$; make the $H$ queries $g^{v \cdot i_{\pi(1)}}, \ldots, g^{v \cdot i_{\pi(k)}}$, receiving $h_1, \ldots, h_k$. Answers consistent, i.e. $d_{\pi(j)} = h_j$ for all $j \in [k]$? If yes, break ODH by brute force; if no, output a random bit.
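The Hashed ElGamal KEM of slide 10, the ODH game of slide 11 and the adversary $A^*$ of slide 22, as an added Python example that is not code from the paper or its authors. It assumes a constructed toy group, the order-509 subgroup of $\mathbb{Z}_{1019}^*$ with generator 4, and instantiates $H$ with SHA-256, so the brute-force step of $A^*$ is actually feasible; against the honest ODH challenger the consistency check always passes and $A^*$ recovers $b$.

```python
import hashlib
import random
# Toy group, constructed for this example (not secure parameters): the order-509
# subgroup of Z_1019^* (1019 = 2*509 + 1, both prime) with generator g = 4.
MOD, P, G = 1019, 509, 4

def H(Y):                              # the KEM hash H: G -> {0,1}^hLen, here SHA-256
    return hashlib.sha256(Y.to_bytes(2, "big")).digest()

def kem_gen(rng):                      # Gen: sk <- Z_p, pk <- g^sk
    sk = rng.randrange(P)
    return sk, pow(G, sk, MOD)

def kem_encap(pk, rng):                # Encap: u <- Z_p, C <- g^u, K <- H(pk^u)
    u = rng.randrange(P)
    return pow(G, u, MOD), H(pow(pk, u, MOD))

def kem_decap(sk, C):                  # Decap: K <- H(C^sk)
    return H(pow(C, sk, MOD))

class ODHGame:
    """ODH challenger: u, v <- Z_p; K_0 = H(g^{uv}), K_1 random, b <- {0,1}; hands out (g^u, g^v, K_b)."""
    def __init__(self, rng):
        self.u, self.v, self.b = rng.randrange(P), rng.randrange(P), rng.randrange(2)
        K0, K1 = H(pow(G, self.u * self.v, MOD)), rng.randbytes(32)
        self.challenge = (pow(G, self.u, MOD), pow(G, self.v, MOD), (K0, K1)[self.b])

    def D_v(self, Y):                  # D_v(Y) = H(Y^v) if Y != g^u, else ⊥ (None)
        return None if Y == self.challenge[0] else H(pow(Y, self.v, MOD))

def adversary_a_star(game, k, rng):
    """A* of slide 22: k D_v queries on g^{i_j}, then the matching H queries on
    g^{v*i_pi(j)} in a permuted order; if the answers are consistent, break ODH by brute force."""
    gu, gv, K = game.challenge
    # i_1..i_k <- Z_p, distinct and never the forbidden point g^u (where D_v returns ⊥)
    idx = rng.sample([i for i in range(P) if pow(G, i, MOD) != gu], k)
    d = [game.D_v(pow(G, i, MOD)) for i in idx]             # d_j = D_v(g^{i_j})
    pi = rng.sample(range(k), k)                             # pi <- S_k
    h = [H(pow(gv, idx[pi[j]], MOD)) for j in range(k)]     # h_j = H(g^{v*i_pi(j)})
    if any(d[pi[j]] != h[j] for j in range(k)):
        return rng.randrange(2)                              # inconsistent: output a random bit
    u = next(x for x in range(P) if pow(G, x, MOD) == gu)   # brute-force DL of g^u (p is tiny)
    return 0 if K == H(pow(gv, u, MOD)) else 1               # K = H(g^{uv})  =>  b' = 0

def demo(seed=0, k=6, trials=20):
    """Return (KEM correctness, number of ODH games out of `trials` that A* wins)."""
    rng = random.Random(seed)
    sk, pk = kem_gen(rng); C, K = kem_encap(pk, rng)
    wins = sum(adversary_a_star(g, k, rng) == g.b for g in [ODHGame(rng) for _ in range(trials)])
    return kem_decap(sk, C) == K, wins
```

In the reduction setting the permuted $H$ queries are answered by $R$ rather than by the real $H$, and passing this consistency check is exactly the memory-intensive task of slide 21.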

  23. Proof setting. Split $R$ into $R_1$, which answers the $D_v$ queries, and $R_2$, which answers the $H$ queries after $\pi \leftarrow_\$ S_k$ is drawn; $R_1$ passes $m$ bits of state to $R_2$. Both have access to $O_v$ and to the generic group oracle.

  24. Generic group model [Shoup 97, Maurer 05]. A random injective labelling $\sigma$ of $\mathbb{Z}_p$ by bit strings; for $x \in \mathbb{Z}_p$, $\sigma(x) \triangleq g^x$. Generic group oracle: on $(\sigma(x), \sigma(y))$ return $\sigma(x + y)$. $O_v$ oracle: on $(\sigma(x), \sigma(y))$ return whether $y = v \cdot x$.

  25. Repeat queries (1). Generic group oracle and $O_v$ oracle as on slide 24. $R_1$ holds the labels $a_1, \ldots, a_k$ of the $D_v$ queries and makes oracle queries of the form $(a_i, *)$; $R_2$ holds the labels $b_1, \ldots, b_k$ of the $H$ queries and makes oracle queries of the form $(*, b_j)$.

  26. Repeat queries (2). A repeat query is an oracle query $(*, d)$ by $R_2$ on an element $d$ that already appeared in a query $(*, d)$ of $R_1$.

  27. Proof overview. $(R_1, R_2)$ must answer consistently: $R_1$ sees $a_1, \ldots, a_k$, $R_2$ sees $b_1, \ldots, b_k$, with $m$ bits of state in between. Many repeat queries: need $m = \Omega(k \log p)$; intuitive, but the proof is a compression argument with many subtleties. Few repeat queries: yields a winning adversary against the permutation game, whose advantage is negligible.

  28. The reduction's perspective. $R_2$ needs to figure out $\pi$ to give consistent answers $\to$ use the $O_v$ oracle!

  29. Using the $O_v$ oracle. Since $a_{\pi(j)}^v = b_j$, the query $O_v(a_i, b_j)$ tells $R_2$ whether $i = \pi(j)$. Abstractly: $R_2$ holds $m$ bits about $x_1 x_2 \cdots x_k$, receives $y_1 y_2 \cdots y_k$, and has an oracle answering whether $x_{\pi(1)} x_{\pi(2)} \cdots x_{\pi(k)} = y_1 y_2 \cdots y_k$. The permutation game captures exactly this setting, combinatorially.

  30. Permutation game (PG). $\pi \leftarrow_\$ S_k$. The adversary $A$ has an oracle $O$ on $x = x_1 x_2 \cdots x_k \in \mathbb{Z}_p^k$, $y = y_1 y_2 \cdots y_k \in \mathbb{Z}_p^k$ with $O(x, y) = 1$ if $x_{\pi(1)} x_{\pi(2)} \cdots x_{\pi(k)} = y_1 y_2 \cdots y_k$ and $0$ otherwise, and outputs $\pi'$. $\mathrm{Adv}^{\mathrm{PG}}(A) = \Pr[\pi' = \pi]$. Lemma: if $(x^{(1)}, y^{(1)}), (x^{(2)}, y^{(2)}), \ldots$ are the queries by $A$ that return 1 and $x^{(1)}, x^{(2)}, \ldots$ have small rank, then $\mathrm{Adv}^{\mathrm{PG}}(A) = \mathrm{negl}$. $(R_1, R_2)$ making few repeat queries $\Rightarrow$ an $A$ of this form that wins PG whenever $(R_1, R_2)$ answer consistently.

  31. Conclusions
     • Impossibility result for a scheme with algebraic structure.
     • The impossibility result can be "bypassed": memory-tight reduction in the Algebraic Group Model [FKL18], where the adversary sends a representation of the group elements with every query.
     • Concurrent work [Bhattacharya 20] complements our result: a different Hashed ElGamal variant, pairings.

  32. Open problems
     • Memory lower bound for rewinding $R$? Our conjecture: $m = \Omega(k \log k)$.
     • Separation for "memory-adaptive" reductions?
     • Memory lower bound for concrete schemes without the generic group model?
     • Memory lower bounds for other concrete schemes?
