On the Power of Misbehaving Adversaries and Security Analysis of the Original EPOC

  • Marc Joye
  • Jean-Jacques Quisquater
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2020)

Abstract

Nowadays, since modern cryptography deals with careful modeling and careful proofs, there may be two levels of cryptanalysis. One, the traditional breaking or weakness demonstration in schemes which are not provably secure. The second level of cryptanalysis, geared towards provably secure schemes, has to do with refining models and showing that a model was either insuficient or somewhat unclear and vague when used in proving systems secure. The best techniques to per- form this second type of investigation are still traditional cryptanalysis followed by corrections. In this work, we put forth the second type of cryptanalysis.

We demonstrate that in some of the recent works modeling chosen ciphertext security (non-malleability), the notion of validity of ciphertext was left vague. It led to systems where under the model as defined/ understood, it was shown provably secure. Yet, under another (natural) behavior of the adversary, the “provably secure system” is totally broken, since key recovery attack is made possible. We show that this behavior of an adversary is possible and further there are settings (the context of escrowed public key cryptosystems) where it is even highly relevant. We mount the attack against systems which are chosen-ciphertext secure and non-malleable (assuming the adversary probes with valid messages), yet they are “universally” insecure against this attack: namely, the trap- door key gets known by the adversary (as in Rabin’s system under chosen ciphertext attacks). Specifically, the attack works against EPOC which has been considered for standardization by IEEE P1363 (the authors have already been informed of the attack and our fix to it and will consider this issue in future works). This re-emphasizes that when proving chosen-ciphertext security, allowing invalid ciphertext probes increases the adversary’s power and should be considered as part of the model and in proofs.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    FIPS PUB 185. Escrowed encryption standard (EES). Federal Information Processing Standards Publication 185, U.S. Dept of Commerce, February 1994.Google Scholar
  2. 2.
    Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway. Relations among notions of security for public-key encryption schemes. Full paper (30 pages), available at URL <http://www-cse.ucsd.edu/users/mihir/papers/pke.html>, February 1999. An extended abstract appears in H. Krawczyk, ed., Advances in Cryptology-CRYPTO’98, volume 1462 of Lecture Notes in Computer Science, pages 26–45, Springer-Verlag, 1998.CrossRefGoogle Scholar
  3. 3.
    Mihir Bellare and Phillip Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In Proc. of the 1st ACM Conference on Computer and Communications Security, pages 62–73, ACM Press, 1993.Google Scholar
  4. 4.
    ______. Optimal asymmetric encryption. In A. De Santis, ed., Advances in Cryptology-EUROCRYPT’94, volume 950 of Lecture Notes in Computer Science, pages 92–111, Springer-Verlag, 1995.Google Scholar
  5. 5.
    Mihir Bellare and Amit Sahai. Non-malleable encryption: Equivalence between two notions. In M. Wiener, ed., Advances in Cryptology-CRYPTO’99, volume 1666 of Lecture Notes in Computer Science, pages 519–536, Springer-Verlag, 1999.CrossRefGoogle Scholar
  6. 6.
    Daniel Bleichenbacher. A chosen ciphertext attack against protocols based on the RSA encryption standard PKCS#1. In H. Krawczyk, ed., Advances in Cryptology-CRYPTO’98, volume 1462 of Lecture Notes in Computer Science, pages 1–12, Springer-Verlag, 1998.CrossRefGoogle Scholar
  7. 7.
    Matt Blaze. Protocol failure in the escrowed encryption standard. In Proc. of the 2nd ACM Conference on Computer and Communications Security, pages 59–67, ACM Press, 1994.Google Scholar
  8. 8.
    Dan Boneh, Glenn Durfee, and Nick Howgrave-Graham. Factoring N = p r q for large r. In J. Stern, ed., Advances in Cryptology-EUROCRYPT’99, volume 1592 of Lecture Notes in Computer Science, Springer-Verlag, 1999.Google Scholar
  9. 9.
    Colin Boyd. Enforcing traceability in software. In Y. Han, T. Okamoto, and S. Qing, eds., Information and Communications Security (ICICS’ 97), volume 1334 of Lecture Notes in Computer Science, pages 398–408, Springer-Verlag, 1997.CrossRefGoogle Scholar
  10. 10.
    Don Coppersmith. Finding a small root of a bivariate integer equation; factoring with high bits known. In U. Maurer, ed., Advances in Cryptology-EUROCRYPT’96, volume 1070 of Lecture Notes in Computer Science, pages 178–189, Springer-Verlag, 1996.Google Scholar
  11. 11.
    Ronald Cramer and Victor Shoup. A practical public-key cryptosystem provably secure against adaptive chosen ciphertext attack. In H. Krawczyk, ed., Advances in Cryptology-CRYPTO’98, volume 1462 of Lecture Notes in Computer Science, pages 13–25, Springer-Verlag, 1998.CrossRefGoogle Scholar
  12. 12.
    Ivan Damgård. Towards practical public key systems secure against chosen ciphertext attacks. In J. Feigenbaum, ed., Advances in Cryptology-CRYPTO’91, volume 576 of Lecture Notes in Computer Science, pages 445–456, Springer-Verlag, 1992.Google Scholar
  13. 13.
    Dorothy E. Denning and Dennis K. Brandstad. A taxonomy for key escrow encryption systems. Communications of the ACM, 39(3):34–40, 1996.CrossRefGoogle Scholar
  14. 14.
    Dorothy E. Denning and Miles Smid. Key escrowing today. IEEE Communications Magazine, 32(9):58–68, 1994.CrossRefGoogle Scholar
  15. 15.
    Yvo Desmedt. Securing traceability of ciphertexts: Towards a secure software key escrow system. In L. C. Guillou and J.-J. Quisquater, eds., Advances in Cryptology-EUROCRYPT’95, volume 921 of Lecture Notes in Computer Science, pages 147–157, Springer-Verlag, 1995.Google Scholar
  16. 16.
    Danny Dolev, Cynthia Dwork, and Moni Naor. Non-malleable cryptography. Manuscript (51 pages), available at URL <http://www.wisdom.weizmann.ac.il/~naor/onpub.html>, To appear in SIAM J. on Computing. A preliminary version appears in Proc. of the 23rd ACM Annual Symposium on the Theory of Computing (STOC’ 91), pages 542–552, ACM Press, 1991.
  17. 17.
    Roger Fischlin. Fast proof of plaintext-knowledge and deniable authentication based on Chinese remainder theorem. Theory of Cryptography Library, 99–06, available at URL <http://philby.ucsd.edu/cryptolib/1999.html>, March 1999.
  18. 18.
    Yair Frankel and Moti Yung. Escrow encryption systems visited: attacks, analysis and designs. In D. Coppersmith, ed., Advances in Cryptology-CRYPTO’95, volume 963 of Lecture Notes in Computer Science, pages 222–235, Springer-Verlag, 1995.Google Scholar
  19. 19.
    ______. Cryptanalysis of the immunized LL public key systems. In D. Coppersmith, ed., Advances in Cryptology-CRYPTO’95, volume 963 of Lecture Notes in Computer Science, pages 287–296, Springer-Verlag, 1995.Google Scholar
  20. 20.
    ______. On characterization of escrow encryption schemes. In P. Degano, R. Garriero, and A. Marchetti-Spaccamela, eds., Automata, Languages, and Programming (ICALP’ 97), volume 1256 of Lecture Notes in Computer Science, pages 705–715, Springer-Verlag, 1997.Google Scholar
  21. 21.
    Eiichiro Fujisaki and Tatsuaki Okamoto. How to enhance the security of public-key encryption at minimum cost. In H. Imai and Y. Zheng, eds., Public Key Cryptography, volume 1560 of Lecture Notes in Computer Science, pages 53–68, Springer-Verlag, 1999.CrossRefGoogle Scholar
  22. 22.
    ______. How to enhance the security of public-key encryption at minimum cost. IEICE Transactions on Fundamentals, E83-A(1): 24–32, 2000.Google Scholar
  23. 23.
    ______. Secure integration of asymmetric and symmetric encryption schemes. In M. Wiener, ed., Advances in Cryptology-CRYPTO’99, volume 1666 of Lecture Notes in Computer Science, pages 537–554, Springer-Verlag, 1999.Google Scholar
  24. 24.
    Henri Gilbert, Dipankar Gupta, Andrew Odlyzko, and Jean-Jacques Quisquater. Attacks on Shamir’s ‘RSA for paranoids’. Information Processing Letters, 68:197–199, 1998.CrossRefGoogle Scholar
  25. 25.
    Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.MATHCrossRefMathSciNetGoogle Scholar
  26. 26.
    Chris Hall, Ian Goldberg, and Bruce Schneier. Reaction attacks against several public-key cryptosystems. In V. Varadharajan and Yi Mu, eds., Information and Communications Security, volume 1726 of Lecture Notes in Computer Science, pages 2–12, Springer-Verlag, 1999.Google Scholar
  27. 27.
    Michael Hartmann, Sachar Paulus, and Tsuyoshi Takagi. NICE-New ideal coset encryption. In Ç. K. Koç and C. Paar, eds., Cryptographic Hardware and Embedded Systems, volume 1717 of Lecture Notes in Computer Science, pages 328–339, Springer-Verlag, 1999.CrossRefGoogle Scholar
  28. 28.
    Detlef Hühnlein, Michael J. Jacobson Jr., Sachar Paulus, and Tsuyoshi Takagi. A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption. In K. Nyberg, ed., Advances in Cryptology-EUROCRYPT’98, volume 1403 of Lecture Notes in Computer Science, pages 294–307. Springer-Verlag, 1998.CrossRefGoogle Scholar
  29. 29.
    Éliane Jaulmes and Antoine Joux. A NICE cryptanalysis. In B. Preneel, ed., Advances in Cryptology-EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 382–391, Springer-Verlag, 2000.CrossRefGoogle Scholar
  30. 30.
    Nigel Jefferies, Chris Mitchell, and Michael Walker. A proposed architecture for trusted third parties services. In E. Dawson and J. Golić, eds., Cryptography: Policy and Algorithms, volume 1029 of Lecture Notes in Computer Science, pages 98–104, Springer-Verlag, 1996.CrossRefGoogle Scholar
  31. 31.
    Joe Kilian and Tom Leighton. Fair cryptosystems, revisited. In D. Coppersmith, ed., Advances in Cryptology-CRYPTO’95, volume 963 of Lecture Notes in Computer Science, pages 208–221, Springer-Verlag, 1995.Google Scholar
  32. 32.
    Lars R. Knudsen and Torben P. Pedersen. On the dificulty of software key escrow. In U. Maurer, ed., Advances in Cryptology-EUROCRYPT’96, volume 1070 of Lecture Notes in Computer Science, pages 237–244, Springer-Verlag, 1996.Google Scholar
  33. 33.
    Chae Hoon Lim and Pil Joong Lee. Another method for attaining security against chosen ciphertext attacks. In D. R. Stinson, ed., Advances in Cryptology-CRYPTO’93, volume 773 of Lecture Notes in Computer Science, pages 420–434, Springer-Verlag, 1994.Google Scholar
  34. 34.
    Silvio Micali. Fair public-key cryptosystems. In E. F. Brickell, ed., Advances in Cryptology-CRYPTO’92, volume 740 of Lecture Notes in Computer Science, pages 113–138, Springer-Verlag, 1993.Google Scholar
  35. 35.
    Silvio Micali and Ray Sidney. A simple method for generating and sharing pseudo-random functions, with applications to Clipper-like key escrow systems. In D. Coppersmith, ed., Advances in Cryptology-CRYPTO’95, volume 963 of Lecture Notes in Computer Science, pages 185–196, Springer-Verlag, 1995.Google Scholar
  36. 36.
    Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In Proc. of the 22nd ACM Annual Symposium on the Theory of Computing (STOC’ 90), pages 427–437, ACM Press, 1990.Google Scholar
  37. 37.
    Tatsuaki Okamoto and Shigenori Uchiyama. A new public-key cryptosystem as secure as factoring. In K. Nyberg, ed., Advances in Cryptology-EUROCRYPT’98, volume 1403 of Lecture Notes in Computer Science, pages 308–318. Springer-Verlag, 1998.CrossRefGoogle Scholar
  38. 38.
    Tatsuaki Okamoto, Shigenori Uchiyama, and Eiichiro Fujisaki. EPOC: Efficient probabilistic public-key encryption. Submission to P1363a, available at URL <http://grouper.ieee.org/groups/1363/addendum.html>, November 1998.
  39. 39.
    Pascal Paillier and David Pointcheval. Efficient public-key cryptosystem provably secure against active adversaries. In Advances in Cryptology-ASIACRYPT’99, volume of Lecture Notes in Computer Science, Springer-Verlag, 1999.Google Scholar
  40. 40.
    David Pointcheval. New public-key cryptosystem based on the dependent-RSA problem. In J. Stern, ed., Advances in Cryptology-EUROCRYPT’99, volume 1592 of Lecture Notes in Computer Science, Springer-Verlag, 1999.Google Scholar
  41. 41.
    ______. Chosen ciphertext security for any one-way cryptosystem. In H. Imai and Y. Zheng, eds., Public Key Cryptography, volume 1751 of Lecture Notes in Computer Science, pages 129–146, Springer-Verlag, 2000.Google Scholar
  42. 42.
    Sachar Paulus and Tsuyoshi Takagi. A generalization of the Diffie-Hellman problem and related cryptosystems allowing fast decryption. In Proc. of the 1998 International Conference on Information Security and Cryptology (ICISC’ 98), Seoul, December 18–19, 1998.Google Scholar
  43. 43.
    Charles Racko and Daniel R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In J. Feigenbaum, ed., Advances in Cryptology-CRYPTO’91, volume 576 of Lecture Notes in Computer Science, pages 433–444, Springer-Verlag, 1992.Google Scholar
  44. 44.
    Adi Shamir. RSA for paranoids. Cryptobytes, 1(2):1–4, 1995.Google Scholar
  45. 45.
    Victor Shoup and Rosario Gennaro. Securing threshold cryptosystems against chosen ciphertext attack. IBM Research Report RZ 2974, Zurich Research Laboratory, Zurich, November 1997. An extended abstract appears in K. Nyberg, ed., Advances in Cryptology-EUROCRYPT’98, volume 1403 of Lecture Notes in Computer Science, pages 1–16, Springer-Verlag, 1998.CrossRefGoogle Scholar
  46. 46.
    Yiannis Tsiounis and Moti Yung. On the security of ElGamal based encryption. In H. Imai and Y. Zheng, eds., Public Key Cryptography, volume 1431 of Lecture Notes in Computer Science, pages 117–134, Springer-Verlag, 1998.CrossRefGoogle Scholar
  47. 47.
    Yuliang Zheng and Jennifer Seberry. Immunizing public-key cryptosystems against chosen ciphertext attacks. IEEE Journal on Selected Areas in Communications, 11(5):715–724, 1993.CrossRefGoogle Scholar

References

  1. A1.
    E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In M. Wiener, editor, Advances in Cryptology-CRYPTO’99, volume 1666 of Lecture Notes in Computer Science, pages 537–554. Springer-Verlag, 1999.CrossRefGoogle Scholar
  2. A2.
    E. Fujisaki and T. Okamoto. How to enhance the security of public-key encryption at minimum cost. IEICE Transaction of Fundamentals of electronic Communications and Computer Science, E83-A(1):24–32, January 2000.Google Scholar
  3. A3.
    E. Fujisaki and T. Okamoto. A Chosen-Cipher Secure Encryption Scheme Tightly As Secure As Factoring. IEICE Transaction of Fundamentals of electronic Communications and Computer Science, E84-A(1), To appear in January 2001.Google Scholar
  4. A4.
    T. Okamoto and S. Uchiyama. A new public-key cryptosystem as secure as factoring. In K. Nyberg, editor, Advances in Cryptology-EUROCRYPT’98, Lecture Notes in Computer Science, pages 308–318. Springer-Verlag, 1998.CrossRefGoogle Scholar
  5. A5.
    T. Okamoto, S. Uchiyama, and E. Fujisaki. EPOC: Efficient probabilistic public-key encryption. Proposal to IEEE P1363a, November 1998.Google Scholar
  6. A6.
    T. Okamoto, S. Uchiyama, and E. Fujisaki. EPOC: Efficient probabilistic public-key encryption. Proposal to IEEE P1363a, ver. D6, Nov. 2000, available via:http://grouper.ieee.org/groups/1363/P1363a/draft.html
  7. A7.
    M. Joye, J.J. Quisquater, and M. Yung. On the power of misbehaving adversaries and security analysis of EPOC. Manuscript, February 2000.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Marc Joye
    • 1
  • Jean-Jacques Quisquater
    • 2
  • Moti Yung
    • 3
  1. 1.Gemplus Card InternationalGémenosFrance
  2. 2.UCL Crypto GroupLouvain-la-NeuveBelgium
  3. 3.CertCoNew York NYUSA

Personalised recommendations