Public key encryption without random oracle made truly practical

https://doi.org/10.1016/j.compeleceng.2012.02.001

Abstract

In this paper, we report our success in identifying an efficient public key encryption scheme whose formal security proof does not require a random oracle. Specifically, we focus our attention on a universal hash based public key encryption scheme proposed by Zheng and Seberry at Crypto’92. Although Zheng and Seberry’s encryption scheme is very simple and efficient, its reductionist security proof has not been provided. We show how to tweak the Zheng–Seberry scheme so that the resultant scheme not only preserves the efficiency of the original scheme but also admits provable security against adaptive chosen ciphertext attack without random oracle. For the security proof, our first attempt is based on a strong assumption called the oracle Diffie–Hellman+ assumption. This is followed by a more challenging proof that employs a weaker assumption called the adaptive decisional Diffie–Hellman assumption, which is in alignment with adaptively secure assumptions advocated by Pandey, Pass and Vaikuntanathan.

Highlights

• We introduce the adaptive decisional Diffie–Hellman assumption (DDH).
• The Zheng–Seberry encryption is secure under the oracle DDH+ assumption.
• The modified Zheng–Seberry encryption is secure under the adaptive DDH assumption.

Introduction

The notion of chosen ciphertext security was introduced by Naor and Yung [1]. Rackoff and Simon [2] provided a stronger notion called indistinguishability under adaptive chosen ciphertext attack (IND-CCA2), which is equivalent to the notion of non-malleability [3]. Adaptive chosen ciphertext security has since become a standard notion for the security of public key encryption.

A significant number of efforts have been devoted by researchers to the construction of public key encryption that is secure against adaptive chosen ciphertext attack. Some of the research outcomes of these efforts were based on non-interactive zero-knowledge proofs [3], which were not quite practical in real world applications. To construct an efficient encryption scheme, many encryption techniques have been proposed in the so-called random oracle model [4], [5], [6]. The random oracle model, however, is one of the most controversial issues in cryptography. A notable argument against the random oracle model was made by Canetti et al. [7], who demonstrated that there exist cryptographic schemes that are secure in the random oracle model but insecure for any instantiation of the random oracle. Recently, Leurent and Nguyen [8] showed that instantiations of full domain hash functions (random oracles) proposed in the literature are insecure. They also advocated carefully assessing the impact of potential flaws in random oracle instantiations on any system that relies on such instantiations.

To address the concern over random oracles, an obvious approach is to design a public key encryption scheme that does not rely on a random oracle for its security against adaptive chosen ciphertext attack. The often cited encryption scheme proposed by Cramer and Shoup [9] represents the first concrete result in this line of research. A number of techniques have since been proposed and studied by many researchers. Most of these techniques, however, share a common drawback that impedes their adoption in practice: they generally require at least a few times more computation than their random oracle based counterparts.

Given the superiority in computational efficiency of random oracle based encryption, it is a shared view among most researchers that alternative encryption techniques without random oracles will not be able to win over practitioners unless these alternatives afford a computational speed comparable to that enjoyed by random oracle based techniques.

Aside from computational efficiency, another major advantage of random oracle based schemes [4], [5], [6] lies in their simplicity. To preserve the simplicity while not relying on a random oracle for security proofs, new computational assumptions have been examined. One such effort was made by Pandey et al. [10], who introduced a few complexity theoretic hardness assumptions that abstract out concrete properties of a random oracle. Based on these assumptions, they were able to solve a number of open problems, including the construction of a non-interactive concurrently non-malleable string commitment. Their results point to an interesting approach towards designing efficient and provably secure cryptographic schemes without random oracles. We note that although these assumptions are stronger than traditional cryptographic hardness assumptions, they seem quite reasonable, and it is conceivable that, like many other assumptions in the field such as the decisional Diffie–Hellman assumption (DDH), this type of new assumption may gain wider acceptance after further screening by peers in the field.

The goal of this paper is to search for a public key encryption scheme that (1) does not rely on a random oracle for its adaptive chosen ciphertext security, and (2) is truly practical in that it requires no more exponentiations of large integers than does a comparable random oracle based scheme. To achieve our goal, our first attempt is to prove Zheng and Seberry’s encryption scheme secure under the oracle Diffie–Hellman+ assumption (ODH+). However, ODH+ is shown to be a very strong assumption. Hence, in order to use a more reasonable assumption, we examine a variant of Pandey et al.’s assumption [10], called the adaptive DDH assumption. Based on the adaptive DDH assumption, a modified version of Zheng and Seberry’s encryption scheme proposed in [11] is proved to be adaptive chosen ciphertext secure without a random oracle.

Zheng and Seberry [11] proposed three simple methods for immunizing public key cryptosystems against chosen ciphertext attacks. The nature of the three methods is the same: they immunize a public key cryptosystem by appending to each ciphertext a tag that is correlated to the message to be encrypted. Soldera et al. [12] showed a potential weakness of the first scheme, denoted by Zheng–Seberry1wh, in some special circumstances. Based on the gap Diffie–Hellman assumption (GDH), Baek and Zheng [13] provided a security proof for a slightly modified version of Zheng–Seberry1wh in the random oracle model, leaving proofs for the other two schemes as an open problem. The focus of this paper is to modify the second scheme in [11], denoted by Zheng–Seberryuh, so that the resultant scheme is adaptive chosen ciphertext secure (see Section 5). The scheme Zheng–Seberryuh is worth studying for the following reasons. First, the scheme immunizes public key encryption against adaptive chosen ciphertext attacks with the help of a universal hash function. This allows the scheme to steer clear of a one-way hash function with non-standard output size, thereby averting the potential risks recently discovered in [8]. Second, the length of a plaintext can be arbitrary, while the overhead of the corresponding ciphertext is a constant. As a result, the ratio between the length of the ciphertext and that of the plaintext approaches 1 as the length of the plaintext increases.

Hybrid encryption, which is also known as the KEM–DEM approach [11], applies a public key cryptosystem to encapsulate the key of a symmetric cryptosystem (KEM), and the symmetric cryptosystem is subsequently used to conceal data (DEM). Cramer and Shoup first generalized the notion in their work [14], [15]. Kurosawa and Desmedt [16] later presented a more efficient hybrid encryption scheme by using a KEM which is not necessarily adaptive chosen ciphertext secure. More recently, Kiltz et al. [17] improved on the Kurosawa–Desmedt technique and proposed a new approach to designing adaptive chosen ciphertext secure hybrid encryption schemes without a random oracle. Compared with Kiltz et al.’s concrete scheme, which relies on the DDH assumption and AE-OT secure symmetric encryption, our modified Zheng–Seberryuh scheme is conceptually much simpler and relies only on the adaptive DDH assumption. More importantly, this newly modified scheme requires significantly less computation time than Kiltz et al.’s.

Another important advance was made recently by Hofheinz and Kiltz [18]. They proposed a new public key encryption scheme based on factoring. Their scheme requires only roughly two exponentiations in encryption and roughly one exponentiation in decryption. (Here, “roughly” two or one exponentiation means two or one full exponentiation plus additional exponentiations with small exponents.) Among encryption schemes based on the discrete logarithm, DHIES [19] is one of the most efficient that does not use a random oracle.

Compared with DHIES, which relies on the oracle Diffie–Hellman (ODH) assumption together with the security of a symmetric encryption scheme and a message authentication code (MAC), our modified scheme relies on the adaptive DDH assumption only and preserves the computational efficiency of Zheng–Seberryuh. However, it is fair to say that our modified Zheng–Seberry scheme and DHIES are comparable, each having its own pros and cons in practice. With DHIES, all three assumptions (on the symmetric encryption, the MAC and ODH) are responsible for its security, and it is relatively easy to select practical candidates to instantiate the functions underlying these assumptions. With our modified Zheng–Seberry scheme, the adaptive DDH assumption, which is solely responsible for the security of the scheme, is slightly stronger than the ODH assumption required by DHIES.

Section snippets

Preliminaries

Notation and definition: $|X|$ denotes the length of a binary string $X$ or the size of (number of elements in) a set $X$. $x \leftarrow_R X$ denotes picking an element $x$ from $X$ uniformly at random. $y \leftarrow A(x)$ denotes the experiment of running an algorithm $A$ on input $x$ and outputting $y$. PPT denotes probabilistic polynomial time. $x \| y$ denotes the concatenation of strings $x$ and $y$. A function $\mu: \mathbb{N} \to \mathbb{R}$ is called negligible in $n$ if for every positive polynomial $p(\cdot)$ and all sufficiently large $n$ we have $\mu(n) < 1/p(n)$.

New assumptions

In this section, we give the definitions of adaptive DDH and other related assumptions. First, we recall the definition of an adaptive one-to-one one-way function introduced in [10]. In the definition, an adversary picks an index $tag$ and is given $y = f_{tag}(x)$ for a random $x$ in the domain of $f_{tag}$. The aim of the adversary is to compute $x$. The difference between the traditional definition of a one-way function and the one in [10] is that the adversary in [10] has access to a “magic

Original Zheng–Seberryuh encryption scheme (immunizing with universal hash function)

Assume that $H: \{0,1\}^* \to \{0,1\}^l$ is a family of universal hash functions. Each function in $H$ is specified by a string of exactly $Q$ bits. Denote by $h_s$ the function in $H$ that is specified by a string $s \in \{0,1\}^Q$. $L$ denotes an encryption label, which consists of public data. In addition, $m$ denotes a plaintext to be encrypted. The Zheng–Seberryuh scheme is described in Table 1.

Note that there are two minor differences between Zheng–Seberryuh in Table 1 and the scheme B in [11]. The first difference is that a

Description of the modified Zheng–Seberryuh scheme

Our major modification to the Zheng–Seberryuh scheme is to increase the output length of the pseudorandom generator by $W$ bits. These additional $W$ bits play the role of a tag for the ephemeral key $y_A^x$ and will be sent to a recipient as part of a ciphertext. In practice, in order to minimize the impact of these additional bits on the efficiency of the scheme, $W$ should be chosen to be as short as practical. For a security level of $2^{80}$, we suggest $W = 160$.

Additionally, the pseudorandom generator G(·)

Instantiation

First we note that an $\epsilon$-AXU hash function [27] can be used in place of a universal hash function. One may also use the efficient universal hash function family proposed by Bernstein [28]. Such a substitution requires only minor revisions to the security proofs. Specifically, in Case 2 of the experiment for the security proof of the modified Zheng–Seberryuh scheme, the probability that the adversary can find $c_2$ satisfying $(c_2 \oplus z)[P-l+1, \ldots, P] = h_s\big((c_2 \oplus z)[1, \ldots, P-l] \,\|\, L\big)$ and $c_2 \oplus z[P-l+1, \ldots, P] =$
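As an added illustration (not code from the paper), the following Python sketch models the symmetric layer of the immunized scheme: a pseudorandom pad $z = G(\cdot)$, a universal-hash tag $h_s(m \| L)$ appended to the plaintext before padding, and the decryptor's check that $(c_2 \oplus z)[P-l+1, \ldots, P] = h_s((c_2 \oplus z)[1, \ldots, P-l] \,\|\, L)$. The key encapsulation $y_A^x$ and the $W$-bit key tag are not modelled; SHAKE-256 standing in for $G$ and a polynomial hash modulo $2^{127}-1$ standing in for the universal hash family are assumptions of this example.

```python
# Added illustration of the symmetric (DEM) layer of the immunized scheme.
# Assumptions, not taken from the paper: SHAKE-256 stands in for the
# pseudorandom generator G, and a polynomial evaluation hash modulo the
# Mersenne prime 2^127 - 1 stands in for the universal hash family h_s.
# The key encapsulation (y_A^x) and the W-bit key tag are not modelled.
import hashlib
import secrets

PRIME = (1 << 127) - 1   # field for the polynomial hash
TAG_LEN = 16             # l = 128 bits of tag

def universal_hash(s: int, data: bytes) -> bytes:
    """h_s(data): evaluate a polynomial whose coefficients are the 16-byte
    blocks of data at the secret point s (an epsilon-AXU family)."""
    acc = len(data) % PRIME   # length prefix keeps the block encoding injective
    for i in range(0, len(data), 16):
        block = int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")
        acc = (acc * s + block) % PRIME
    return acc.to_bytes(TAG_LEN, "big")

def prg(seed: bytes, nbytes: int) -> bytes:
    """G(seed): expand the shared ephemeral secret into a pad z of nbytes."""
    return hashlib.shake_256(seed).digest(nbytes)

def dem_encrypt(seed: bytes, s: int, m: bytes, label: bytes) -> bytes:
    """c2 = z XOR (m || h_s(m || L)); the tag binds the plaintext to L."""
    t = universal_hash(s, m + label)
    z = prg(seed, len(m) + TAG_LEN)
    return bytes(a ^ b for a, b in zip(z, m + t))

def dem_decrypt(seed: bytes, s: int, c2: bytes, label: bytes):
    """Recover m || t = c2 XOR z and check
    (c2 XOR z)[P-l+1..P] == h_s((c2 XOR z)[1..P-l] || L); None on failure."""
    if len(c2) < TAG_LEN:
        return None
    mt = bytes(a ^ b for a, b in zip(prg(seed, len(c2)), c2))
    m, t = mt[:-TAG_LEN], mt[-TAG_LEN:]
    if not secrets.compare_digest(t, universal_hash(s, m + label)):
        return None  # reject: no partial plaintext is released
    return m

def demo():
    """Constructed values: a fixed hash index s and ephemeral secret."""
    s = int.from_bytes(hashlib.sha256(b"constructed index s").digest(), "big") % PRIME
    seed = b"constructed ephemeral secret standing for y_A^x"
    label, m = b"constructed label", b"constructed plaintext of arbitrary length"
    c2 = dem_encrypt(seed, s, m, label)
    ok = dem_decrypt(seed, s, c2, label) == m
    # one flipped ciphertext bit flips the same bit of m || t, so the tag check fails
    tampered = bytes([c2[0] ^ 1]) + c2[1:]
    rejected = dem_decrypt(seed, s, tampered, label) is None
    wrong_label = dem_decrypt(seed, s, c2, b"other label") is None
    return ok, rejected, wrong_label, len(c2) - len(m)
```

The last value returned by `demo()` is the constant ciphertext overhead of this layer, which is what makes the ciphertext-to-plaintext ratio approach 1 for long messages.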

Comparison

For the modified Zheng–Seberryuh scheme, the length of a ciphertext is $|m| + |p| + 320$, where $|p|$ denotes the binary length of an element in $G$. (We recall that for the original Zheng–Seberryuh scheme, it is $|m| + |p| + 160$.) Thanks to the use of a pseudorandom generator and a universal hash function, no limit needs to be placed on the length of a plaintext. For a long plaintext $m$, the ratio between the lengths of a ciphertext and a plaintext, $\alpha = (|m| + |p| + 320)/|m|$, approaches 1.

This advantage makes our

Concluding remarks

We have demonstrated how to modify a universal hash based public key encryption scheme by Zheng and Seberry so that the resultant scheme not only preserves the efficiency of the original scheme but also admits provable security against adaptive chosen ciphertext attack without random oracle. This represents the first public key encryption scheme that is practical in a true sense while not relying for its security on a random oracle. A further advantage of the scheme lies in its flexibility to

References (31)

• M. Naor et al. Public-key cryptosystems provably secure against chosen ciphertext attacks.
• C. Rackoff et al. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack.
• D. Dolev et al. Non-malleable cryptography. SIAM J Comput (2000).
• M. Bellare et al. Optimal asymmetric encryption – how to encrypt with RSA.
• E. Fujisaki et al. Secure integration of asymmetric and symmetric encryption schemes.
• M. Bellare, P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of...
• R. Canetti et al. The random oracle methodology, revisited.
• G. Leurent et al. How risky is the random oracle model?
• R. Cramer et al. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack.
• O. Pandey et al. Adaptive one-way functions and applications.
• Y. Zheng, J. Seberry. Immunizing public key cryptosystems against chosen ciphertext attacks. IEEE journal on selected...
• D. Soldera et al. The analysis of Zheng–Seberry scheme.
• J. Baek et al. Zheng and Seberry’s public key encryption scheme revisited. Int J Inform Security (2003).
• V. Shoup. Using hash functions as a hedge against chosen ciphertext attack.
• R. Cramer et al. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption.

Puwen Wei received his Ph.D. degree in mathematics from Shandong University, China, in 2009. From 2008 to 2009, he was an exchange visitor at the Department of Software and Information Systems, University of North Carolina at Charlotte, USA. Currently, he is a lecturer at Shandong University. His research interests are in the field of public key cryptography.

Xiaoyun Wang received her Ph.D. degree in mathematics from Shandong University, China, in 1993. She is currently a professor at the Institute for Advanced Study, Tsinghua University, China. Her research interests include cryptography and secure computing in number theory and abstract algebra.

Yuliang Zheng received his Ph.D. degree in electrical and computer engineering from Yokohama National University, Japan, in 1991. He is currently a professor of Software and Information Systems, University of North Carolina at Charlotte, USA. His research interests include cryptography, network security, and the protection of critical infrastructures.

An extended abstract appears in the Proceedings of the 11th International Conference on Information and Communications Security, LNCS 5927, pp. 107–120, Springer-Verlag, 2009. The first author was supported by the National Natural Science Foundation of China under Grant No. 61103237; part of the third author’s work was done while visiting Shandong University on a Changjiang Scholars program sponsored by the Chinese Ministry of Education and Li Ka Shing Foundation in Hong Kong.

Reviews processed and approved for publication by Editor-in-Chief Dr. Manu Malek.