diff --git a/Main Paper/algorithms.tex b/Main Paper/algorithms.tex index fd24a6ecbbc47fa714c319f3971d0bf64cd608ff..7ff5e8db14bcd3341d202217c58f8d1f8e8590b2 100644 --- a/Main Paper/algorithms.tex +++ b/Main Paper/algorithms.tex @@ -170,27 +170,6 @@ For this scenario we take a secret sharing scheme \(\mathcal S\), comprised of a \todo{what todo, if the built transcript is identified as simulated?} \end{bem} -\begin{figure} - \procedure[linenumbering, space = auto]{$\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E, \mathcal G\right)} \paren*{\mathcal D}$}{ - b\sample \bin\\ - E \sample \mathcal E\\ - a \sample \bracket*{\# G-1}\\ - \pcwhile a = 1\\ - a \sample \bracket*{\#G-1}\\ - \pcendwhile\\ - s \sample \mathcal G\\ - \pcif b = 0\\ - F \gets s^a \ast E\\ - \pcelse\\ - F \sample \mathcal E\\ - \pcfi\\ - b' \gets \mathcal D \paren*{\left(a,E,s\ast E, F\right)}\\ - \pcreturn \left( b = b'\right) - } - \caption{The Power-DDHA security experiment} - \label{fig:gamepddha} -\end{figure} - \begin{figure} \procedure[linenumbering, space = auto]{$\mathsf{Exp}^\text{Decaps-Transcript}_{\left(\mathcal E,\mathcal G\right)}\paren*{\mathcal D }$}{ b \sample \bin\\ diff --git a/Main Paper/keyexchange.tex b/Main Paper/keyexchange.tex index e3d87a2933ffec575db21f971f8d8df1f2b0dda3..87b1f590829d993d2a0ed07542a645905571bdfa 100644 --- a/Main Paper/keyexchange.tex +++ b/Main Paper/keyexchange.tex 
@@ -13,15 +13,17 @@ In this section we present a secret shared key exchange mechanism (SSKEM) based \procedure[linenumbering,space = auto]{Keygen}{ s \sample \Z_q\\ - \mathcal S.\mathsf{share}\paren* s\\ %\text{among shareholders accoring to access structure}~ \Gamma\\ - \text{publish}~ E_s := \bracket* s E_0 = g^s \ast E_0 + \set{s_1, \ldots, s_n} \gets \mathcal S.\mathsf{share}\paren* s\\ %\text{among shareholders accoring to access structure}~ \Gamma\\ + %\text{publish}~ E_s := \bracket* s E_0 = g^s \ast E_0\\ + E_s \gets \bracket* s E_0 = g^s \ast E_0\\ + \pcreturn \left(\pk,sk\right) = \left(E_s, \set{s_1, \ldots, s_n}\right) } \procedure[linenumbering,space = auto]{Encaps $\paren*{E_s}$}{ b \sample \mathcal G\\ %\mathcal K := \mathcal H \paren*{b\ast E_s} = \mathcal H \paren*{b \ast \left(g^s \ast E_0\right)}\\ - E_b := b \ast E_0\\ - E^\ast := b \ast E_s\\ + E_b \gets b \ast E_0\\ + E^\ast \gets b \ast E_s\\ \pcreturn \left(E_b, E^\ast\right) } 
@@ -41,15 +43,17 @@ In this section we present a secret shared key exchange mechanism (SSKEM) based \label{fig:sskem} \end{figure} -A key exchange mechanism (KEM) consists of three algorithms \(\mathsf{KeyGen}\), \(\mathsf{Encaps}\) and \(\mathsf{Decaps}\). Whereas many examples of KEMs have already been established and analysed in terms of efficiency as well as security, a rigorous security model for secret shared key exchange mechanisms remains to be introduced. We propose security notions adjusted for the secret shared setting in the following subsections and will prove, that our scheme fulfills those. +A traditional key exchange mechanism (KEM) consists of three algorithms \(\mathsf{KeyGen}\), \(\mathsf{Encaps}\) and \(\mathsf{Decaps}\). Whereas many examples of KEMs have already been established and analysed in terms of efficiency as well as security, a rigorous security model for secret shared key exchange mechanisms remains to be introduced. We propose security notions adjusted for the secret shared setting in the following subsections and will prove, that our scheme fulfills those. -We consider two main categories of security guarantees regarding KEMs. On the one hand there is indistinguishability of an encapsulated key, that an adversary who obtains a ciphertext generated by \(\mathsf{Encaps}\) cannot distinguish the true encapsulated key from a random one with overwhelming probability. And on the other hand there is confidentiality of the secret key, that is an adversary cannot derive any meaningful information regarding the secret key from a decapsulation transcript. We discuss the former aspect in \autoref{subsec.kemind}, and the latter in \autoref{subsec.kemsimul}. +We consider two main categories of security guarantees regarding KEMs. 
On the one hand there is indistinguishability of an encapsulated key, that is an adversary who obtains a ciphertext generated by \(\mathsf{Encaps}\) cannot distinguish the true encapsulated key from a random one with overwhelming probability. And on the other hand there is confidentiality of the secret key, that is an adversary cannot derive any meaningful information regarding the secret key from a decapsulation transcript. We discuss the former aspect in \autoref{subsec.kemind}, and the latter in \autoref{subsec.kemsimul}. \subsection{Indistinguishability of Encapsulated Keys}\label{subsec.kemind} -We capture the notion of indistinguishability of the encapsulated keys by adapting the \(\indcpa\), respectively \(\indcca\), games of traditional KEMs as can be found in \autoref{fig:kemgame} to the setting of a secret shared secret key. For that we consider an adversary, that at the beginning of the game picks an unauthorised set of shareholders and obtains their shares of the secret key. +We capture the notion of indistinguishability of the encapsulated keys by adapting the \(\indcpa\) or \(\indcca\) games, respectively, of traditional KEMs as can be found in \autoref{fig:kemgame} to the setting of a secret shared secret key. For that we generate a public/ secret key pair \(\left(\pk,\set{s_1,\ldots, s_n}\right)\), where the secret key is shared. The adversary \(\adv\) then picks an unauthorised set of shareholders \(S\) and obtains the secret key shares of the parties in \(S\). \todo{does \(\mathcal O_\mathsf{Decaps}\) only return result or transcript?} +In the case of \(\indcca\), some amendments to the decapsulation oracle have to be made. +The resulting security game can be seen in \autoref{fig:sskemgame}. -A KEM \(\kem\)'s primary purpose is to provide the means of secure key exchange to any party \(B\) with the holder \(A\) of secret key \(\sk\), generated by \(\left(\sk,\pk\right) \gets \kem.\mathsf{KeyGen}\). 
That is, by executing \(\kem.\mathsf{Encap}\paren*\pk\), \(B\) obtains a key \(\mathcal K\) and a ciphertext \(c\). The ciphertext is then sent to \(A\), who runs \(\kem.\mathsf{Decaps}\paren*{c, \sk}\) and thereby also obtains \(\mathcal K\). Since it can rarely be guaranteed with absolute certainty, that \(c\) is not leaked during the transfer to \(A\), it has to be certain, that an eavesdropper cannot derive any information about \(\mathcal K\) without knowing \(\sk\). This notion is usually captured in an \(\indcpa\) or an \(\indcca\) security game, as can be seen in \autoref{fig:kemgame} and found for example in \cite{cryptoeprint:2019:1356}. +%A KEM \(\kem\)'s primary purpose is to provide the means of secure key exchange to any party \(B\) with the holder \(A\) of secret key \(\sk\), generated by \(\left(\sk,\pk\right) \gets \kem.\mathsf{KeyGen}\). That is, by executing \(\kem.\mathsf{Encap}\paren*\pk\), \(B\) obtains a key \(\mathcal K\) and a ciphertext \(c\). The ciphertext is then sent to \(A\), who runs \(\kem.\mathsf{Decaps}\paren*{c, \sk}\) and thereby also obtains \(\mathcal K\). Since it can rarely be guaranteed with absolute certainty, that \(c\) is not leaked during the transfer to \(A\), it has to be certain, that an eavesdropper cannot derive any information about \(\mathcal K\) without knowing \(\sk\). This notion is usually captured in an \(\indcpa\) or an \(\indcca\) security game, as can be seen in \autoref{fig:kemgame} and found for example in \cite{cryptoeprint:2019:1356}. \begin{figure} \begin{center}\begin{tabular}{c|c c} 
@@ -83,14 +87,17 @@ A KEM \(\kem\)'s primary purpose is to provide the means of secure key exchange \label{fig:kemgame} \end{figure} -We transfer these security games to the setting of secret shared key exchange mechanisms (SSKEM). In this scenario there is not one party \(A\) holding the secret key, but it has been shared among a set of shareholders according to a secret sharing scheme \(\mathcal S\) with access structure \(\Gamma\). We consider an adversary \(\adv\), that can corrupt any unauthorised set of shareholders \(S\not\in\Gamma\). Thus \(\adv\) gains knowledge of several shares of the secret key and is thus strictly more powerful than in the traditional KEM setting. In the case of the \(\indcca\) game, the decapsulation oracle becomes an interactive \(\ppt\) machine. That is, upon being queried by \(\adv\) to execute the decapsulation protocol upon an input \(c\), \(\mathcal O_\text{Decaps}\) requires the adversary \(\adv\) to contribute. +%We transfer these security games to the setting of secret shared key exchange mechanisms (SSKEM). In this scenario there is not one party \(A\) holding the secret key, but it has been shared among a set of shareholders according to a secret sharing scheme \(\mathcal S\) with access structure \(\Gamma\). We consider an adversary \(\adv\), that can corrupt any unauthorised set of shareholders \(S\not\in\Gamma\). Thus \(\adv\) gains knowledge of several shares of the secret key and is thus strictly more powerful than in the traditional KEM setting. In the case of the \(\indcca\) game, the decapsulation oracle becomes an interactive \(\ppt\) machine. That is, upon being queried by \(\adv\) to execute the decapsulation protocol upon an input \(c\), \(\mathcal O_\text{Decaps}\) requires the adversary \(\adv\) to contribute. 
+\begin{comment} \begin{defin} An adversary \(\adv\)'s advantage against a game \(\mathsf{Exp}^\text{type}_{\kem, \cdot}\paren* \lambda\), where \(\text{type} \in \set{\indcpa, \indcca}\), is defined as \[\advantage{\text{type}}{\kem,\adv}[\paren*\lambda] = \abs{\frac 12 - \prob{\mathsf{Exp}^\text{type}_{\kem,\adv} \paren*\lambda= \true} }.\] \label{def:advkemgame} \end{defin} -We define the advantage of an adversary \(\adv\) against the threshold games in \autoref{fig:tkemgame} similarly to \autoref{def:advkemgame}. +\end{comment} + +The advantage of an adversary \(\adv\) against the \(\mathsf{Exp}^\indcpa_{\sskem, \mathcal S, \adv}\paren*{\lambda}\) or \(\mathsf{Exp}^\indcca_{\sskem,\mathcal S,\adv}\paren*\lambda\) game, respectively, in \autoref{fig:sskemgame} is defined as follows. \begin{defin} An adversary \(\adv\)'s advantage against a game \(\mathsf{Exp}^\text{type}_{\sskem, \cdot}\paren* \lambda\), where \(\text{type} \in \set{\indcpa, \indcca}\), is defined as \[\advantage{\text{type}}{\mathsf{SSKEM},\adv}[\paren*\lambda] = \abs{\frac 12 - \prob{\mathsf{Exp}^\text{type}_{\mathsf{SSKEM},\adv} \paren*\lambda= \true} }.\] @@ -99,10 +106,10 @@ We define the advantage of an adversary \(\adv\) against the threshold games in \begin{figure} \begin{center}\begin{tabular}{c|c c} - \procedure[space = auto]{$\mathsf{Exp}^\text{indcpa}_{\mathsf{SSKEM},\mathcal S ,\adv}\paren* \lambda$}{ + \procedure[space = auto]{$\mathsf{Exp}^\text{indcpa}_{\sskem,\mathcal S ,\adv}\paren* \lambda$}{ b \sample \bin\\ - \left(\pk,\sk\right)\gets \mathsf{KeyGen}\paren*{\lambda}\\ - \left(s_1, \ldots, s_n\right) \gets \mathcal S.\share\paren*\pk\\ + \left(\pk,\set{s_1,\ldots, s_n}\right)\gets \mathsf{KeyGen}\paren*{\lambda}\\ + %\left(s_1, \ldots, s_n\right) \gets \mathcal S.\share\paren*\pk\\ S\gets \adv \paren*{ \mathcal S}\\ \left(c^\ast, K_0^\ast\right) \gets\mathsf{Encaps}\paren* \pk\\ K_1^\ast \sample \mathcal K\\ 
@@ -113,10 +120,10 @@ We define the advantage of an adversary \(\adv\) against the threshold games in \pcfi\\ \pcreturn \left(b = b'\right) }& - \procedure[space = auto]{$\mathsf{Exp}^\text{indcca}_{\mathsf{SSKEM},\mathcal S, \adv}\paren* \lambda$}{ + \procedure[space = auto]{$\mathsf{Exp}^\text{indcca}_{\sskem,\mathcal S, \adv}\paren* \lambda$}{ b \sample \bin\\ - \left(\pk,\sk\right)\gets \mathsf{KeyGen}\paren*{\lambda}\\ - \left(s_1, \ldots, s_n\right) \gets \mathcal S.\share\paren*\pk\\ + \left(\pk,\set{s_1, \ldots, s_n}\right)\gets \mathsf{KeyGen}\paren*{\lambda}\\ + %\left(s_1, \ldots, s_n\right) \gets \mathcal S.\share\paren*\pk\\ S\gets \adv \paren*{\mathcal S}\\ \left(c^\ast, K_0^\ast\right) \gets\mathsf{Encaps}\paren* \pk\\ K_1^\ast \sample \mathcal K\\ 
@@ -138,19 +145,27 @@ We define the advantage of an adversary \(\adv\) against the threshold games in \end{center} \caption{\(\indcpa\) and \(\indcca\) security game for secret shared key exchange mechanism \(\mathsf{SSKEM} = \left(\mathsf{KeyGen, Encaps, Decaps}\right)\)} - \label{fig:tkemgame} + \label{fig:sskemgame} \end{figure} +\begin{thm} + If there exists an adversary \(\adv\) so that \(\advantage{\indcpa}{\sskem, \adv}[\paren* \lambda]\) is non-negligible, then there also exists an adversary \(\bdv\) for which \(\advantage{p-ddha}{\left(\mathcal E,\mathcal G\right), \bdv}[\paren* \lambda]\) is non-negligible. + \label{thm:pddhareducesskem} +\end{thm} + +\begin{proof} + We prove \autoref{thm:pddhareducesskem} by giving a reduction, that is we provide an adversarial algorithm \(\bdv\) that simulates an execution of \(\mathsf{Exp}^\indcpa_{\sskem, \mathcal S, \adv}\paren*\lambda\) to the adversary \(\adv\). \(\bdv\) then uses \(\adv\)'s answer to break an instance of \(\mathsf{Exp}^{p-ddha}_{\left(\mathcal E, \mathcal G\right),\bdv}\paren*\lambda\). + \todo{or \(\indcca\)?} + + \(\bdv\) is handed an instance \(\left(a,E,s\ast E,F\right)\) of \(\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E,\mathcal G\right), \bdv}\). \(\bdv\) now has to simulate an instance of \(\mathsf{Exp}^\indcpa_{\sskem,\mathcal S, \adv}\) to \(\adv\). \(\bdv\) picks an instance \(\mathcal S\) of a secret sharing scheme compatible to the HHS \(\left(\mathcal E, \mathcal G\right)\). \(\bdv\) then generates a public/ secret key pair \(\left(E_s, \set{s_1, \ldots, s_n}\right)\) from the arising secret shared key exchange mechanism \(\sskem\). \(\bdv\) then hands a description of \(\mathcal S\) to \(\adv\), who answers with a set of shareholders \(S\) he wishes to corrupt. If \(\adv\) returned an authorised set, \(\bdv\) stops. Otherwise \(\bdv\) hands the challenge \(\left(E_s, E,F,\set{s_i}_{P_i \in S}\right)\) to \(\adv\). Eventually, \(\adv\) answers with a bit \(b'\). 
\(\bdv\) adopts this \(b'\) as his answer. -We construct an adversary \(\bdv\) against the Power DDHA game in \autoref{fig:gamepddha}, that uses an instance of an adversary \(\adv\) against the \(\sskem\) \(\indcpa\) game in \autoref{fig:tkemgame} (\textcolor{red}{oder \(\indcca\)?}) to gain a non-negligible advantage. + \todo{correctly estimate advantages} +\end{proof} -In the Power DDHA game \(\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E,\mathcal G\right), \bdv}\), \(\bdv\) is handed an instance \(\left(a, E, s\ast E, F\right)\). \(\bdv\) now has to simulate an instance of \(\mathsf{Exp}^\indcpa_{\mathsf{TKEM},\mathcal S, \adv}\) to \(\adv\). For that, he picks an instance of a secret sharing scheme \(\mathcal S\) compatible to the HHS \(\left(\mathcal E, \mathcal G\right)\). \(\bdv\) then generates a secret/ public key pair \(\left(s,E_s\right)\) and shares \(s\) as prescribed by \(\mathcal S\). \(\bdv\) then hands a description of \(\mathcal S\) to \(\adv\), who answers with a set of shareholders \(S\) he wishes to corrupt. If \(\adv\) returned an authorised set, \(\bdv\) stops. Otherwise \(\bdv\) hands the challenge \(\left(E_s, E,F,\set{s_i}_{P_i \in S}\right)\) to \(\adv\). +%We construct an adversary \(\bdv\) against the Power DDHA game in \autoref{fig:gamepddha}, that simulates an instance of \(\mathsf{Exp}^\indcpa_{\sskem, \mathcal S, \cdot}\paren*\lambda\) to an adversary \(\adv\) (\textcolor{red}{oder \(\indcca\)?}) to break the Power DDHA problem. +\begin{bem}[\(\indcca\) case] To reduce \(\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E,\mathcal G\right), \bdv}\) to an instance of \(\mathsf{Exp}^\indcca_{\mathsf{TKEM},\mathcal S, \adv}\), \(\bdv\) acts exactly as he does in the \(\indcpa\) case. It remains to discuss how \(\bdv\) answer a query from \(\adv\) to the decapsulation oracle \(\mathcal O_\text{Decaps}\). 
Upon \(\adv\) putting a query \(c\) to the decapsulation oracle, \(\bdv\) checks, whether \(c\) agrees with the challenge \(c^\ast\), that \(\bdv\) handed \(\adv\) previously. If so, \(\bdv\) returns \(\bot\) to \(\adv\). Otherwise, \(\bdv\) chooses an authorised set of shareholders \(S'\) and executes the decapsulation algorithm presented in \autoref{fig:sskem} and returns the result to \(\adv\). -\begin{bem} - \(\indcpa\)/ \(\indcca\) is about the security of the encapsulated key. - Simulatability on the other hand is about the security of the secret key. - Thus both notions do imply different security aspects and should both be considered. \end{bem} %Picture of the distinguishers against Algorithm 1 diff --git a/Main Paper/main.tex b/Main Paper/main.tex index 7b5001a8851dd916adf56bb8857a9ebe6c4322cd..d235318ef845bcaa56f0f2c765b3568233547750 100644 --- a/Main Paper/main.tex +++ b/Main Paper/main.tex @@ -14,6 +14,7 @@ In this work we expand the range of secret sharing schemes able to support DeFeo's and Meyer's approach by defining some characterising properties of suitable schemes. We also prove that for schemes with said properties the same security guarantees hold in regards to \cite{PKC:DeFMey20}'s approach. Furthermore we show that Shamir's scheme has our generalised properties, and thereby our approach truly is a generalisation of \cite{PKC:DeFMey20}. Finally, we give examples of more elaborate secret sharing schemes, respectively access structures, that are enabled by our approach. \end{abstract} +\tableofcontents \subfile{roadmap} \subfile{introduction} \subfile{preliminaries} diff --git a/Main Paper/preliminaries.tex b/Main Paper/preliminaries.tex index e72032cd79f414d63fc38f3e0e02c7aed4a4653a..b81a34812a9b2396941a658349f90dd9c63c8fa8 100644 --- a/Main Paper/preliminaries.tex +++ b/Main Paper/preliminaries.tex 
@@ -18,11 +18,36 @@ with the following properties: \todo{Does \(\mathcal G\) have to be finite? \cite{PKC:DeFMey20} uses \(\#G = q = \# \Z_q\). But can \(\# G = \infty\), e.g. \(G = \Z\)?} \subsubsection{Hard Problems} +\begin{figure} + \begin{center} + \procedure[linenumbering, space = auto]{$\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E, \mathcal G\right),\adv} \paren*{\lambda}$}{ + b\sample \bin\\ + E \sample \mathcal E\\ + a \sample \set{2, \ldots, \# G-1}\\ + \mathfrak s \sample \mathcal G\\ + \pcif b = 0\\ + F \gets \mathfrak s^a \ast E\\ + \pcelse\\ + F \sample \mathcal E\\ + \pcfi\\ + b' \gets \adv \paren*{\left(a,E,\mathfrak s\ast E, F\right)}\\ + \pcreturn \left( b = b'\right) + } + \end{center} + \caption{The Power-DDHA game} + \label{fig:gamepddha} +\end{figure} + On a hard homogeneous space \(\left(\mathcal E, \mathcal G\right)\) we consider the following computational problems: \begin{problem}[Power-DDHA] - For an \(E \in \mathcal E\) and \(\mathfrak s\) chosen uniformly at random from \(\mathcal G\) as well as \(a\) with \(1< a < \# \mathcal G\), the \emph{Power-DDHA power} is denoted as a tuple \(\left(a, E, s\ast E, F\right)\). The challenge is for an adversary to determine whether \(F = \mathfrak s^a \ast E\) or \(F\) was drawn from \(E\) uniformly at random. + For an \(E \in \mathcal E\), \(\mathfrak s \in \mathcal G\) and \(a \in \set{2, \ldots, \#G-1}\) chosen uniformly at random, the tuple \(\left(a, E, s\ast E, F\right)\) defines an instance of the \emph{Power-DDHA problem}. The challenge is for an adversary \(\adv\) to determine whether \(F = \mathfrak s^a \ast E\) or \(F\) was drawn from \(E\) uniformly at random. \label{prob:pddha}\end{problem} +A sketch of the problem can be found in \autoref{fig:gamepddha}. 
+\begin{defin} + For an instance \(\left(a,E,s\ast E, F\right)\) of the Power-DDHA problem, we define the adversary \(\adv\)'s advantage in the \(\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E, \mathcal G\right),\adv} \) game as + \[\advantage{\text{P-DDHA}}{\left(\mathcal E, \mathcal G\right), \adv}[\paren* \lambda] = \abs{ \frac 12 - \prob{\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E, \mathcal G\right),\adv} = \true}}. \] +\end{defin} \begin{problem}[Group Action Inverse Problem] An instance of the \emph{Group Action Inverse Problem} (GAIP) is defined by the tuple \(\left(E, E'\right) \in \mathcal E\times \mathcal E\). The challenge is to provide \(g\in \mathcal G\) with \(g\ast E = E'\). Due to the transitivity of \(\mathcal E,\mathcal G\), such a \(g\) always exists, thus the GAIP is solvable for any \(E,E'\).
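Review bot: in the algorithms.tex hunk the Power-DDHA figure is removed, but `\label{fig:gamepddha}` is only re-created in preliminaries.tex, so every `\autoref{fig:gamepddha}` in the other subfiles now relies on preliminaries.tex being compiled before them in main.tex; please confirm the subfile order (the `\subfile{preliminaries}` line is visible, the order of the later subfiles is not). The move also changes the experiment, not just its location: the rejection loop `\pcwhile a = 1` over `\bracket*{\#G-1}` becomes `a \sample \set{2, \ldots, \# G-1}`, and the `\adv` and `\lambda` parameters are new, so any prose in algorithms.tex that still describes the old sampling should be updated in the same commit.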
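Review bot: in the Keygen/Encaps hunk of keyexchange.tex (-13,15) the procedure is named `Keygen` and takes no argument, while the games later in the same file call `\mathsf{KeyGen}\paren*{\lambda}`; give the procedure the signature the game uses, and since `\mathcal S.\mathsf{share}` depends on the sharing scheme, either pass `\mathcal S` explicitly or fix it as a parameter of `\sskem`. Two consistency points on the new `\pcreturn \left(\pk,sk\right) = \left(E_s, \set{s_1, \ldots, s_n}\right)` line and its surroundings: `s \sample \Z_q` with `g^s \ast E_0` presupposes a cyclic `\mathcal G = \langle g \rangle` of order `q`, whereas preliminaries.tex samples `\mathfrak s \sample \mathcal G` and still carries a todo on whether `\mathcal G` is finite at all, so state that assumption once; and `Encaps` returns the raw set element `E^\ast = b \ast E_s` as the key while the hashed variant `\mathcal K := \mathcal H \paren*{b\ast E_s}` is only commented out. Decide which it is: with an unhashed key the key space `\mathcal K` in the games has to be `\mathcal E` (so `K_1^\ast \sample \mathcal E`), and that is also what the P-DDHA reduction needs, because the challenge element `F` is handed to `\adv` as the key.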
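Review bot: in the prose hunk at keyexchange.tex -41,15, "A traditional key exchange mechanism (KEM)" keeps a non-standard expansion; KEM conventionally stands for key encapsulation mechanism, and since the scheme name SSKEM builds on it, pick one expansion and use it throughout. The new sentence "In the case of \(\indcca\), some amendments to the decapsulation oracle have to be made." replaces the concrete description from the now-commented paragraph (the oracle becomes an interactive `\ppt` machine to which `\adv` contributes) with nothing; say here what the amendment is, not least because the remark at the end of the file has `\bdv` answer oracle queries non-interactively by picking an authorised set `S'` itself, which contradicts the interactive description, and the `\todo{does \(\mathcal O_\mathsf{Decaps}\) only return result or transcript?}` is exactly the question this sentence should answer. Minor: "will prove, that our scheme fulfills those" should lose the comma, and "public/ secret key pair" the space after the slash.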
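Review bot: in the keyexchange.tex -83,14 hunk, wrapping the old definition in `\begin{comment} ... \end{comment}` requires `\usepackage{comment}` in the preamble, which this diff does not add to main.tex; check it is loaded, or comment the block with `%` like the neighbouring paragraphs (or delete it, since `\label{def:advkemgame}` inside a comment cannot be referenced anyway). In the new advantage definition the subscripts disagree with the game they refer to: the lead sentence writes `\mathsf{Exp}^\indcpa_{\sskem, \mathcal S, \adv}`, the definition body `\mathsf{Exp}^\text{type}_{\sskem, \cdot}`, and then `\advantage{\text{type}}{\mathsf{SSKEM},\adv}` with `\mathsf{Exp}^\text{type}_{\mathsf{SSKEM},\adv}`, dropping `\mathcal S` and mixing the `\sskem` macro with literal `\mathsf{SSKEM}`. Use `\sskem, \mathcal S, \adv` everywhere so that the `\advantage{\indcpa}{\sskem, \adv}` in `\autoref{thm:pddhareducesskem}` is the quantity actually defined.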
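Review bot: the two game hunks (keyexchange.tex -99,10 and -113,10) fix a real bug: the removed lines shared the public key, `\mathcal S.\share\paren*\pk`, so the corrupted shares carried no information about the secret at all. With `\left(\pk,\set{s_1,\ldots, s_n}\right)\gets \mathsf{KeyGen}\paren*{\lambda}` the game is right, but two things should be checked in the lines not shown: after `S\gets \adv \paren*{ \mathcal S}` the game must reject an authorised choice `S \in \Gamma` (return 0 or abort), otherwise `\adv` reconstructs `s` and wins trivially, and the proof's "If \(\adv\) returned an authorised set, \(\bdv\) stops" only makes sense if the game does the same; and `\mathsf{KeyGen}` needs `\mathcal S` (or `\Gamma`) as input since the shares depend on it, which `\mathsf{KeyGen}\paren*{\lambda}` does not convey.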
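Review bot: the reduction in the proof of `\autoref{thm:pddhareducesskem}` (keyexchange.tex -138,19) never embeds the P-DDHA instance into the \(\indcpa\) challenge, so `\bdv` learns nothing from `\adv`'s bit. `\bdv` receives `\left(a,E,s\ast E,F\right)`, then "generates a public/ secret key pair \(\left(E_s, \set{s_1, \ldots, s_n}\right)\)" on its own and hands over `\left(E_s, E,F,\set{s_i}_{P_i \in S}\right)`; with an independently generated `E_s` the pair `(E, F)` is not a ciphertext/key pair under `E_s` for either value of the P-DDHA bit, so `b'` is uncorrelated with it. The instance has to be placed into `(\pk, c^\ast, K^\ast)`: one way, taking `E_0 := E` and `\pk := \mathfrak s \ast E` from the instance, is to pick `r \sample \mathcal G` and set `c^\ast := r \ast \pk = (r\mathfrak s) \ast E_0` and `K^\ast := r \ast F`; then `K^\ast = (r\mathfrak s) \ast \pk` exactly when `F = \mathfrak s^2 \ast E`, i.e. `a = 2`, and `K^\ast` is uniform otherwise, with `b = r\mathfrak s` uniform as in the honest game (without the rerandomisation `r` one gets `c^\ast = \pk`, which is not the honest distribution). This also shows that `a` is unused in the proof although the experiment samples it uniformly from `\set{2, \ldots, \# G-1}`; either fix `a = 2` in the problem (or let `\bdv` choose it) or explain how other exponents are embedded, and say where `E_0` of `\autoref{fig:sskem}` comes from if it is meant to be a fixed base point rather than the instance's `E`. Since `\bdv` does not know `\mathfrak s`, the shares `\set{s_i}_{P_i \in S}` cannot come from `\mathcal S.\mathsf{share}`; they must be simulated via the privacy of `\mathcal S` (shares of an unauthorised `S` are distributed independently of the secret), which the theorem should state as a hypothesis and the `\todo{correctly estimate advantages}` should account for. The same gap breaks the `\indcca` remark: `\bdv` cannot "choose an authorised set of shareholders \(S'\) and execute the decapsulation algorithm" without `\mathfrak s`, so the CCA case needs a separate argument. Minor: `\mathsf{TKEM}` in the remark should be `\sskem`, `\advantage{p-ddha}` in the theorem versus `\text{P-DDHA}` in the definition, "how \(\bdv\) answer a query" should be "answers", and the removed remark contrasting \(\indcpa\)/\(\indcca\) with simulatability disappears without replacement; if it was moved elsewhere, fine, otherwise keep it.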
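Review bot: in the main.tex hunk, `\tableofcontents` directly after `\end{abstract}` reads like a draft aid rather than something a submitted paper should contain; guard it with a draft conditional so it does not ship with the final version.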
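Review bot: in the preliminaries.tex hunk the Power-DDHA problem statement and the new advantage definition still write `s\ast E` in the tuple `\left(a, E, s\ast E, F\right)` while the sampled element is `\mathfrak s` and the figure hands over `\mathfrak s\ast E`; unify the symbol. Likewise "or \(F\) was drawn from \(E\) uniformly at random" should read from `\mathcal E`, and the figure's `\# G-1` should be `\#\mathcal G-1`, the group being `\mathcal G`. More substantively, `a \sample \set{2, \ldots, \# G-1}` is only defined for finite `\mathcal G`, which the todo a few lines above leaves open, and the reduction in keyexchange.tex never uses the sampled `a`; consider stating the problem for a fixed exponent (the reduction needs `a = 2`) instead of a random one, since hardness for a random exponent is a different assumption from hardness for a fixed one. The advantage definition writes `\prob{\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E, \mathcal G\right),\adv} = \true}` without the `\paren*\lambda` argument the game carries, and its exponent `\text{P-DDHA}` differs from the `p-ddha` used in `\autoref{thm:pddhareducesskem}`; define one macro and use it in both files.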