Public-Key Encryption Resistant to Parameter Subversion and its Realization from Efficiently-Embeddable Groups

We initiate the study of public-key encryption (PKE) schemes and key-encapsulation mechanisms (KEMs) that retain security even when public parameters (primes, curves) they use may be untrusted and subverted. We define a strong security goal that we call ciphertext pseudo-randomness under parameter subversion attack (CPR-PSA). We also define indistinguishability (of ciphertexts for PKE, and of encapsulated keys from random ones for KEMs) and public-key hiding (also called anonymity) under parameter subversion attack, and show they are implied by CPR-PSA, for both PKE and KEMs. We show that hybrid encryption continues to work in the parameter subversion setting to reduce the design of CPR-PSA PKE to CPR-PSA KEMs and an appropriate form of symmetric encryption. To obtain efficient, elliptic-curve-based KEMs achieving CPR-PSA, we introduce efficiently-embeddable group families and give several constructions from elliptic curves.
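An added illustration, not code or a construction from the paper, of why ciphertext pseudo-randomness is strictly stronger than indistinguishability and why the encoding of group elements into strings matters: for a toy hashed-DH KEM over a constructed, insecure safe-prime group (the values P, Q, G and the function names are assumptions), it computes the exact advantage of two simple distinguishers against the plain "group element as k-bit integer" encoding, the gap that an efficiently-embeddable encoding has to close.

```python
"""Constructed example: a Diffie-Hellman style KEM ciphertext is NOT
pseudo-random as a bit string even if the encapsulated key is fine.
Two distinguishers against a toy safe-prime group are computed exactly:
  1. range test: a k-bit encoding of an element of Z_p^* is always < p;
  2. Legendre test: DH values in the order-q subgroup are all quadratic
     residues, a uniform string is a residue below p only ~half the time.
"""
from fractions import Fraction
import secrets

# Constructed toy parameters (far too small to be secure): p = 2q + 1 is a
# safe prime, so g = 4 = 2^2 generates the order-q subgroup of residues.
P = 227              # safe prime: (227 - 1) / 2 = 113 is prime
Q = 113
G = 4
K = P.bit_length()   # ciphertexts are transmitted as K-bit strings (K = 8)

def encaps(p=P, g=G, q=Q):
    """Toy hashed-DH KEM encapsulation: returns the ciphertext g^r mod p.
    The shared-key derivation is omitted; only the ciphertext matters here."""
    r = 1 + secrets.randbelow(q - 1)   # r uniform in [1, q-1], so g^r != 1
    return pow(g, r, p)

def is_residue(c, p=P):
    """Euler's criterion on a K-bit value: c is a nonzero quadratic residue
    mod p iff 0 < c < p and c^((p-1)/2) = 1 mod p. Values >= p are rejected
    because a real ciphertext can never take them."""
    return 0 < c < p and pow(c, (p - 1) // 2, p) == 1

def range_advantage(p=P, k=K):
    """Exact advantage of 'guess real iff c < p' versus a uniform k-bit
    string: real ciphertexts always pass, uniform strings pass w.p. p/2^k."""
    return 1 - Fraction(p, 2 ** k)

def legendre_advantage(p=P, k=K):
    """Exact advantage of 'guess real iff is_residue(c)': real ciphertexts
    always pass; a uniform k-bit string passes only when it is one of the
    (p-1)/2 nonzero residues below p."""
    return 1 - Fraction((p - 1) // 2, 2 ** k)

def ciphertexts_pass_both_tests(trials=200):
    """Sanity check: every toy ciphertext is a quadratic residue below p,
    so both distinguishers accept real ciphertexts with probability 1."""
    for _ in range(trials):
        c = encaps()
        if not (c < P and is_residue(c)):
            return False
    return True
```

With these parameters the range test alone has advantage 29/256 and the Legendre test 143/256; a larger p that is close to 2^k shrinks the first advantage but leaves the second near 1/2, which is why the group elements themselves must be embedded into near-uniform strings.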