On the Memory-Tightness of Hashed ElGamal
Ashrujit Ghoshal, Stefano Tessaro (University of Washington)
Eurocrypt 2020
Security reductions
assumption ⟹ scheme. Schemes: ElGamal, Cramer-Shoup, ECDSA, RSA-OAEP, ⋯; assumptions: CDH, DDH, DL, factoring, …
Reduction $R$: from an adversary $A$ against the scheme, build an adversary $B = R^A$ against the assumption.
Resources: $A$ runs in time $t_A$ with advantage $\varepsilon_A$; $B$ runs in time $t_B$ with advantage $\varepsilon_B$.

Tight reductions
Goal: tightness ⟹ $t_A \approx t_B$ and $\varepsilon_A \approx \varepsilon_B$.
Time is not the only important resource!
Security reductions: memory perspective [ACFK17]
Besides time and advantage, track memory: $A$ uses memory $m_A$, and $B = R^A$ uses memory $m_B$.

Memory-tight reductions [ACFK17]
$R$ itself uses memory $m_R$, so $m_B = m_R + m_A$.
Goal: memory-tightness ⟹ $m_A \approx m_B$.
Common proof technique: $m_R$ small ⇒ memory-tight reduction.
Motivation: more memory ⟹ faster solution
Discrete logarithm (DL) in prime fields.
Goal: security with respect to an adversary with time $2^{…}$ and memory $2^{…}$.
Memory-tight $R^A$: time $2^{…}$, memory $2^{…}$ (same memory bound as the adversary).
Non-memory-tight $R^A$: time $2^{…}$, memory $2^{…}$ (memory as large as the running time).
[Figure: plot of log(time) against log(memory); ticks 70, 78 and 160 on the log(memory) axis, 156 on the log(time) axis; the label 2048; regions marked "secure" and "not secure".]
Can we always make a reduction memory-tight?
This talk: certain reductions cannot be memory-tight, provably
Prior work (generic transformations):
• mUFCMA to UFCMA [ACFK17]
• mCR$_t$ to CR$_t$ [ACFK17, WMHT18]
• mU-mOW to mU-OW [WMHT18]
Here: Hashed ElGamal, a concrete scheme.
Hashed ElGamal is used in practice, e.g. SECG SEC-1, ISO/IEC 18033-2, IEEE 1363a and ANSI X9.63.
Hashed ElGamal KEM
Group $G$ with generator $g$ of prime order $p$, hash function $H$.
Gen: $sk \leftarrow_{\$} \mathbb{Z}_p$, $pk \leftarrow g^{sk}$; return $(sk, pk)$.
Encap($pk$): $u \leftarrow_{\$} \mathbb{Z}_p$, $C \leftarrow g^{u}$, $K \leftarrow H(pk^{u})$; return $(C, K)$.
Decap($sk$, $C$): $K \leftarrow H(C^{sk})$.
KEM-CCA security ≡ Oracle Diffie-Hellman assumption [ABR '01].
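The KEM above written out as runnable code. This is an added example, not code from the slides or from the authors: the group (a toy prime-order subgroup of $\mathbb{Z}_{2039}^*$ of order 1019, constructed here and far too small for real use), the hash $H$ (SHA-256 over a fixed-width encoding of the element) and the names gen, encap, decap, in_group and decap_oracle are assumptions of the example. The decapsulation oracle refuses the challenge ciphertext, which is exactly the restriction the ODH oracle carries (with $pk = g^v$ and the challenge $C = g^u$).

```python
import hashlib
import secrets

# Toy group parameters (constructed for this example): MODULUS = 2*ORDER_P + 1 with
# both prime, and G a generator of the order-ORDER_P subgroup of Z_MODULUS^*.
# The scheme itself is the same over any prime-order group; only the sizes are toy.
MODULUS = 2039
ORDER_P = 1019
G = pow(2, 2, MODULUS)  # a square mod MODULUS lies in the prime-order subgroup and is not 1


def in_group(x: int) -> bool:
    """Membership test for the order-ORDER_P subgroup (rejects 0, 1 and order-2 elements)."""
    return 1 < x < MODULUS and pow(x, ORDER_P, MODULUS) == 1


def H(element: int) -> bytes:
    """Key-derivation hash: SHA-256 over a fixed-width big-endian encoding of the element."""
    return hashlib.sha256(element.to_bytes(2, "big")).digest()


def gen():
    """Gen: sk <-$ Z_p, pk <- g^sk."""
    sk = secrets.randbelow(ORDER_P - 1) + 1
    pk = pow(G, sk, MODULUS)
    return sk, pk


def encap(pk: int):
    """Encap(pk): u <-$ Z_p, C <- g^u, K <- H(pk^u)."""
    u = secrets.randbelow(ORDER_P - 1) + 1
    C = pow(G, u, MODULUS)
    K = H(pow(pk, u, MODULUS))
    return C, K


def decap(sk: int, C: int) -> bytes:
    """Decap(sk, C): K <- H(C^sk), after checking that C really is a group element."""
    if not in_group(C):
        raise ValueError("ciphertext is not in the prime-order subgroup")
    return H(pow(C, sk, MODULUS))


def decap_oracle(sk: int, challenge: int, C: int):
    """CCA decapsulation oracle. With pk = g^v and the challenge g^u this is the ODH
    oracle D_v(Y) = H(Y^v) for Y != g^u, and bottom (None) on the challenge itself."""
    if C == challenge:
        return None
    return decap(sk, C)


def run_kem_roundtrip() -> bool:
    """Correctness: Decap recovers the encapsulated key, and the CCA oracle answers
    every ciphertext except the challenge."""
    sk, pk = gen()
    challenge, K = encap(pk)
    other, K_other = encap(pk)
    while other == challenge:  # fresh randomness collided with the challenge; resample
        other, K_other = encap(pk)
    return (decap(sk, challenge) == K
            and decap_oracle(sk, challenge, challenge) is None
            and decap_oracle(sk, challenge, other) == K_other)
```

The subgroup check in decap is the one detail that matters beyond the slide: without it, a ciphertext outside the prime-order subgroup would still be raised to the secret key, which is the usual reason implementations of this KEM validate group membership before decapsulating.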
Oracle Diffie-Hellman assumption (ODH)
$u, v \leftarrow_{\$} \mathbb{Z}_p$; $K_0 \leftarrow H(g^{uv})$; $K_1 \leftarrow_{\$} \{0,1\}^{(\text{hash output length})}$; $b \leftarrow_{\$} \{0,1\}$.
The adversary $A$ receives $(g^u, g^v, K_b)$, has access to the oracle $D_v$, and outputs a bit $b'$, where
$D_v(Y) = H(Y^v)$ if $Y \neq g^u$, and $\bot$ otherwise.
ODH: $\Pr[b = b'] = 1/2 + \mathrm{negl}$.

ODH in the random oracle model
Same game, with $H$ modelled as a random oracle that $A$ may also query directly.
SDH ⟹ ODH [ABR '01].
Strong Diffie-Hellman assumption (SDH) (aka gap-DH)
$u, v \leftarrow_{\$} \mathbb{Z}_p$. The adversary receives $(g^u, g^v)$, has access to the DDH oracle $O_v$, and outputs $Z$, where
$O_v(X, Y) = 1$ if $Y = X^v$, and $0$ otherwise.
SDH: $\Pr[Z = g^{uv}] = \mathrm{negl}$.
Strong Diffie-Hellman (SDH) ⟹ ODH [ABR '01]
Theorem. ODH-adversary using memory $m_A$ ⟹ SDH-adversary using memory $m_B = m_A + O(q_H + q_D)$, where $q_H$ is the number of $H$ queries and $q_D$ the number of $D_v$ queries.
Not memory-tight!
SDH ⇒ ODH: the reduction
$R$ receives $(g^u, g^v)$ and the oracle $O_v$; it samples $K \leftarrow_{\$} \{0,1\}^{(\text{hash output length})}$ and runs $A$ on $(g^u, g^v, K)$, answering $A$'s $D_v$ queries $Y$ and $H$ queries $X$ itself. It stores tables of the queries made so far: $(Y_1, D_v(Y_1)), (Y_2, D_v(Y_2)), \ldots$ and $(X_1, H(X_1)), (X_2, H(X_2)), \ldots$.
Main problem: consistency! The answers must satisfy $H(Y^v) = D_v(Y)$, but $R$ does not know $v$.
Fix: use the $O_v$ oracle.

SDH ⇒ ODH: the reduction, $D_v$ queries
On a $D_v$ query $Y$: for each stored $H$ query $X_i$, test $O_v(Y, X_i)$; if it returns 1 (i.e. $X_i = Y^v$), answer with $H(X_i)$. Otherwise answer with a fresh random string (lazy sampling of the random oracle). Store $(Y, D_v(Y))$.

SDH ⇒ ODH: the reduction, $H$ queries
On an $H$ query $X$: for each stored $D_v$ query $Y_j$, test $O_v(Y_j, X)$; if it returns 1 (i.e. $X = Y_j^v$), answer with $D_v(Y_j)$. Otherwise answer with a fresh random string. Store $(X, H(X))$.
In addition, $O_v(g^u, X_j) = 1$ ⇒ return $X_j$ (then $X_j = g^{uv}$ solves SDH).
Main theorem (first attempt)
Theorem. $\forall k$ $\exists$ an $O(k)$-query ODH-adversary $A^*$ such that
• $\mathrm{Adv}^{\mathrm{ODH}}(A^*) \approx 1$, and
• for all PPT black-box reductions $R$ using memory $m$: $\mathrm{Adv}^{\mathrm{SDH}}(R^{A^*}) = \text{non-negl}$ ⇒ $m = \Omega(k \log p)$.
($A^*$ is inefficient.)
Issue: for which groups? If DL is easy in the group, a memory-tight $R$ exists.
Resolution: $R$ only has black-box access to the group ⇒ generic group model.

Main theorem
Theorem. In the generic group model, $\forall k$ $\exists$ an $O(k)$-query ODH-adversary $A^*$ such that
• $\mathrm{Adv}^{\mathrm{ODH}}(A^*) \approx 1$, and
• for all PPT restricted black-box reductions $R$ using memory $m$: $\mathrm{Adv}^{\mathrm{SDH}}(R^{A^*}) = \text{non-negl}$ ⇒ $m = \Omega(k \log p)$.
Restricted: $R$ forwards to $A^*$ and does not rewind it; no rewinding!
Constructing $A^*$
$A^*$ forces $R$ to complete a memory-intensive task. If $R$ fails, $A^*$ outputs a random bit; if $R$ succeeds, $A^*$ breaks ODH by brute force.
Intuition: $A^*$ is useful to $R$ only if $R$ accomplishes the memory-intensive task.

Adversary $A^*$
Recall: $D_v(Y) = H(Y^v)$.
On input $(g^u, g^v, K)$:
1. $i_1, i_2, \ldots, i_k \leftarrow_{\$} \mathbb{Z}_p$.
2. $D_v$ queries $g^{i_1}, \ldots, g^{i_k}$, with answers $d_1, \ldots, d_k$.
3. $\pi \leftarrow_{\$} S_k$.
4. $H$ queries $g^{v \cdot i_{\pi(1)}}, \ldots, g^{v \cdot i_{\pi(k)}}$ (computed as $(g^v)^{i_{\pi(j)}}$), with answers $h_1, \ldots, h_k$.
5. Answers consistent, i.e. $d_{\pi(j)} = h_j$ for all $j \in [k]$? If no: output a random bit. If yes: break ODH by brute force.
Proof setting
Split $R$ into $R_1$, which answers the $D_v$ queries, and $R_2$, which answers the $H$ queries made after $\pi \leftarrow_{\$} S_k$ is chosen; $R_1$ passes $m$ bits of state to $R_2$. Both $R_1$ and $R_2$ have access to $O_v$ and to the generic group oracle.
Generic group model [Shoup 97, Maurer 05]
$\sigma$ maps $\mathbb{Z}_p$ injectively to random bit-string labels; the element $x \in \mathbb{Z}_p$ (i.e. $g^x$) is only available through its label $\sigma(x)$.
Generic group oracle: on $(\sigma(x), \sigma(y))$ returns $\sigma(x + y)$.
DDH oracle $O_v$: on $(\sigma(x), \sigma(y))$ returns 1 iff $y = v \cdot x$.
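An added example (not from the slides or the paper) of the generic group oracle just described, in Python: labels are random bit strings, the only operations are the addition oracle and the DDH oracle $O_v$, and exponentiation, as $A^*$ needs it to form $(g^v)^{i_j}$, has to be carried out by double-and-add on labels. The class name GenericGroup, the methods sigma, add and ddh, the helpers scalar_mult and consistency_check, the label length and the parameters $p = 1019$, $v = 7$ are assumptions of the example.

```python
import secrets
from typing import Dict, Optional


class GenericGroup:
    """Generic group oracle for a cyclic group of prime order p (Shoup/Maurer style),
    extended with the DDH oracle O_v of the SDH game. Exponents x in Z_p are handed
    out only as random label_bits-bit labels sigma(x), sampled lazily and injectively,
    so the only way to compute on group elements is through the oracles."""

    def __init__(self, p: int, v: int, label_bits: int = 64):
        self.p = p
        self.v = v % p
        self.label_bits = label_bits
        self._label: Dict[int, int] = {}    # x -> sigma(x)
        self._unlabel: Dict[int, int] = {}  # sigma(x) -> x
        self.queries = 0  # oracle queries made: the resource a generic algorithm pays

    def sigma(self, x: int) -> int:
        """Label of the element g^x; a fresh random label is drawn on first use."""
        x %= self.p
        if x not in self._label:
            lab = secrets.randbits(self.label_bits)
            while lab in self._unlabel:  # keep sigma injective
                lab = secrets.randbits(self.label_bits)
            self._label[x] = lab
            self._unlabel[lab] = x
        return self._label[x]

    def _exponent(self, lab: int) -> int:
        if lab not in self._unlabel:
            raise ValueError("not a label this oracle has issued")
        return self._unlabel[lab]

    def add(self, a: int, b: int) -> int:
        """Group operation oracle: (sigma(x), sigma(y)) -> sigma(x + y)."""
        self.queries += 1
        return self.sigma(self._exponent(a) + self._exponent(b))

    def ddh(self, a: int, b: int) -> int:
        """DDH oracle O_v: (sigma(x), sigma(y)) -> 1 iff y = v * x mod p."""
        self.queries += 1
        return int(self._exponent(b) == (self.v * self._exponent(a)) % self.p)


def scalar_mult(grp: GenericGroup, lab: int, k: int) -> int:
    """sigma(k * x) from sigma(x) using only the addition oracle (double-and-add).
    This is how a generic algorithm, e.g. A* forming (g^v)^i, exponentiates."""
    k %= grp.p
    result: Optional[int] = None
    base = lab
    while k:
        if k & 1:
            result = base if result is None else grp.add(result, base)
        k >>= 1
        if k:
            base = grp.add(base, base)
    return grp.sigma(0) if result is None else result


def consistency_check(grp: GenericGroup, i: int) -> int:
    """Given only the labels of g and g^v, compute the labels of g^i and (g^v)^i
    and ask O_v whether they form a DDH pair; a correct oracle answers 1."""
    g = grp.sigma(1)
    g_v = grp.sigma(grp.v)
    return grp.ddh(scalar_mult(grp, g, i), scalar_mult(grp, g_v, i))
```

Because every label is an independent random string, nothing about $x$ can be read off $\sigma(x)$; the query counter is what a generic-group argument charges an algorithm for, and the state an algorithm keeps between queries is the memory the main theorem bounds.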
Repeat queries
$A^*$ sends $b_1, \ldots, b_k$ (its $D_v$ queries) to $R_1$ and $c_1, \ldots, c_k$ (its $H$ queries) to $R_2$; both $R_1$ and $R_2$ query the generic group oracle and $O_v$.
(1) A query $(b_j, \ast)$ by $R_1$ and a query $(\ast, b_k)$ by $R_2$ involving one of the $b$'s.
(2) More generally, a query $(d, \ast)$ by $R_1$ and a query $(\ast, d)$ by $R_2$ involving the same element $d$.
Such pairs are the repeat queries.
Proof overview
$(R_1, R_2)$, with $m$ bits of state between them, must answer consistently. Two cases, by the number of repeat queries:
• Many ($>$ …) repeat queries: need $m = \Omega(k \log p)$. Intuitive, but the proof is by a compression argument with many subtleties.
• Few ($\le$ …) repeat queries: yields a winning adversary against the permutation game, whose advantage is negligible.
The reduction's perspective
$R_2$ needs to figure out $\pi$ in order to answer consistently → use the $O_v$ oracle!
Using the $O_v$ oracle
Consistency requires $b_{\pi(j)}^{\,v} = c_j$. $R_2$ can test $O_v(b_j, c_k)$: it returns 1 iff $\pi(k) = j$.
More generally, an $O_v$ query whose two inputs are built from the $b$'s and the $c$'s with exponent vectors $x = x_1 x_2 \cdots x_k$ and $y = y_1 y_2 \cdots y_k$ asks whether $x_{\pi(1)} x_{\pi(2)} \cdots x_{\pi(k)} = y_1 y_2 \cdots y_k$.
The permutation game captures exactly this setting, combinatorially.
Permutation game (PG)
$\pi \leftarrow_{\$} S_k$. The adversary $A$ has access to the oracle $P$ and outputs $\pi'$, where for $x = x_1 x_2 \cdots x_k \in \mathbb{Z}_p^k$ and $y = y_1 y_2 \cdots y_k \in \mathbb{Z}_p^k$:
$P(x, y) = 1$ if $x_{\pi(1)} x_{\pi(2)} \cdots x_{\pi(k)} = y_1 y_2 \cdots y_k$, and $0$ otherwise.
$\mathrm{Adv}^{\mathrm{PG}}(A) = \Pr[\pi' = \pi]$.
Lemma: if $(x^{(1)}, y^{(1)}), \ldots, (x^{(t)}, y^{(t)})$ are the queries by $A$ that return 1 and $\mathrm{rank}(x^{(1)}, \ldots, x^{(t)}) \le$ …, then $\mathrm{Adv}^{\mathrm{PG}}(A) = \mathrm{negl}$.
$R_1, R_2$ make few repeat queries ⇒ an $A$ of this form wins PG whenever $(R_1, R_2)$ answer consistently.
Conclusions
• Impossibility result for a scheme with algebraic structure.
• The impossibility result can be "bypassed": there is a memory-tight reduction in the Algebraic Group Model [FKL18], where the adversary sends a representation of the group elements with every query.
• Concurrent work [Bhattacharya 20] complements our result: a different Hashed ElGamal variant, with pairings.
Open problems
• Memory lower bound for rewinding $R$? Our conjecture: $m = \Omega(k \log k)$.
• Separation for "memory-adaptive" reductions?
• Memory lower bound for concrete schemes without the generic group model?
• Memory lower bounds for other concrete schemes?