## Hedged Public-Key Encryption: How to Protect against Bad Randomness (2012)

Venue: IACR ePrint

Citations: 24 (12 self)

### BibTeX

```bibtex
@MISC{Bellare12hedgedpublic-key,
  author = {Mihir Bellare and Zvika Brakerski and Moni Naor and Thomas Ristenpart and Gil Segev and Hovav Shacham and Scott Yilek},
  title = {Hedged Public-Key Encryption: How to Protect against Bad Randomness},
  year = {2012}
}
```

### Abstract

Public-key encryption schemes rely for their IND-CPA security on per-message fresh randomness. In practice, randomness may be of poor quality for a variety of reasons, leading to failure of the schemes. Expecting the systems to improve is unrealistic. What we show in this paper is that we can, instead, improve the cryptography to offset the possible lack of randomness. We provide public-key encryption schemes that achieve IND-CPA security when the randomness they use is of high quality but, when that is not the case, rather than breaking completely, achieve a weaker but still useful notion of security that we call IND-CDA. This hedged public-key encryption provides the best possible security guarantees in the face of bad randomness. We provide simple RO-based ways to make in-practice IND-CPA schemes hedge-secure with minimal software changes. We also provide non-RO-model schemes relying on lossy trapdoor functions (LTDFs) and techniques from deterministic encryption. They achieve adaptive security by establishing and exploiting the anonymity of LTDFs, which we believe is of independent interest. (A preliminary version was presented at AsiaCrypt 2009.)
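The two-tier behaviour the abstract describes, as an added example that is not code from the paper or from this page. It assumes, as my own choices, that the base IND-CPA scheme is textbook ElGamal over a tiny constructed group (p = 2039, far too small for real use) and that the hedge derives the encryption coins as SHA-256 over (pk, M, r), in the spirit of the REwH construction the citation contexts mention; the exact construction in the paper is not reproduced here. The `leak_check` function is the failure mode the paper's own text names (predictable coins let c2 / pk^r be read off), used only to compare the plain and hedged variants under a stuck RNG.

```python
"""Hedged encryption, toy illustration (added example; not the paper's code)."""
import hashlib
import secrets

# Constructed toy group: p = 2039 is a safe prime (q = 1019) and g = 4
# generates the order-q subgroup. Illustration only; never use in practice.
P = 2039
Q = 1019
G = 4


def keygen():
    """Secret exponent in [1, q-1]; public key g^sk mod p."""
    sk = 1 + secrets.randbelow(Q - 1)
    return pow(G, sk, P), sk


def elgamal_encrypt(pk, m, coins):
    """Plain ElGamal. `coins` is whatever the caller's RNG produced and is
    used directly (after reduction) as the per-message exponent r."""
    r = 1 + coins % (Q - 1)
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def elgamal_decrypt(sk, ct):
    """Recover m = c2 / c1^sk; needs Python 3.8+ for pow(x, -1, p)."""
    c1, c2 = ct
    return (c2 * pow(pow(c1, sk, P), -1, P)) % P


def hedged_coins(pk, m, r):
    """The hedge (assumed construction): coins = H(pk || M || r).
    With good r the coins are fresh (IND-CPA tier); with a stuck or
    predictable r, any entropy in M still reaches the coins (IND-CDA tier)."""
    data = (b"toy-hedge|" + pk.to_bytes(2, "big") + b"|"
            + m.to_bytes(2, "big") + b"|" + r.to_bytes(32, "big"))
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def hedged_encrypt(pk, m, r):
    """The 'minimal software change': same ElGamal, different coin derivation."""
    return elgamal_encrypt(pk, m, hedged_coins(pk, m, r))


def leak_check(pk, ct, coins):
    """Failure mode named in the paper: whoever can predict the raw coins
    computes c2 / pk^r. Returns that value so a caller can compare it to m."""
    r = 1 + coins % (Q - 1)
    _c1, c2 = ct
    return (c2 * pow(pow(pk, r, P), -1, P)) % P


def demo(m=1234, bad_r=0):
    """Encrypt m under a stuck RNG (constructed: it always returns bad_r)
    with the plain scheme and with the hedged scheme, and report the outcome."""
    pk, sk = keygen()
    plain_ct = elgamal_encrypt(pk, m, bad_r)
    hedged_ct = hedged_encrypt(pk, m, bad_r)
    return {
        # plain ElGamal: predictable coins give the plaintext away
        "plain_leaks": leak_check(pk, plain_ct, bad_r) == m,
        # hedged: the coins also depend on m, so knowing bad_r alone is not enough
        "hedged_leaks": leak_check(pk, hedged_ct, bad_r) == m,
        # and the receiver still decrypts normally
        "hedged_decrypts": elgamal_decrypt(sk, hedged_ct) == m,
    }


if __name__ == "__main__":
    print(demo())
```

With good randomness (for example `r = int.from_bytes(secrets.token_bytes(32), "big")`) the hedged coins are as fresh as the plain scheme's, which is the IND-CPA tier; the hedge only changes what happens when `r` is bad, and it does so without touching the key pair or the ciphertext format.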

### Citations

- Probabilistic encryption. Goldwasser, Micali, 1984. (1218 citations)
  Context: ...undational questions, namely to find appropriate definitions and to efficiently achieve them. Let us now look at all this in more detail. The problem. Achieving the standard IND-CPA notion of privacy [23] requires the encryption algorithm to be randomized. In addition to the public key and message, it takes as input a random string that needs to be freshly and independently created for each and every ...

- Pseudo-random generation from one-way functions (extended abstract). Impagliazzo, Levin, et al., 1989. (741 citations)
  Context: ...mous. Here we refer to a new notion of anonymity for trapdoor functions that we introduce, one that strengthens the notion of [4]. This step exploits an adaptive variant of the leftover hash lemma of [26]. Why anonymity? It is exploited in our proofs of adaptive security. Our new notion of anonymity for trapdoor functions is matched by a corresponding one for encryption schemes. We show that any encry...

- How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. Blum, Micali, 1984. (617 citations)
  Context: ...ice. Here, an "entropy-gathering" process is used to get a seed which is then stretched to get "random" bits for the application. The theory of cryptographically strong pseudorandom number generators [11] implies that the stretching can in principle be sound, and extractors further allow us to reduce the requirement on the seed from being uniformly distributed to having high min-entropy, but we still ...

- Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. Eurocrypt 2004, pp. 523–540. Dodis, Reyzin, et al., 2004. (341 citations)
  Context: ...intuition would follow from straightforward application of the Leftover Hash Lemma (LHL) [26]. However our anonymity definitions are adaptive, so one cannot apply the LHL (or even the generalized LHL [17]) directly. Rather, we first show an adaptive variant of the LHL is implied by the standard LHL via a hybrid argument. See the full version for details. Here we use it to prove the following theorem; ...

- A public key cryptosystem and a signature scheme based on discrete logarithms. El Gamal, 1985. (329 citations)
  Context: ...r example, weak-randomness-based encryption is easily seen to allow recovery of the plaintext from the ciphertext for the quadratic residuosity scheme of [23] as well as the El Gamal encryption scheme [21]. Brown [15] presents such an attack on RSA-OAEP [10] with encryption exponent 3. Ouafi and Vaudenay [30] present such an attack on Rabin-SAEP [13]. We present an alternative attack in [7]. The above w...

- Optimal asymmetric encryption - How to encrypt with. Bellare, Rogaway, 1995. (208 citations)
  Context: ... seen to allow recovery of the plaintext from the ciphertext for the quadratic residuosity scheme of [23] as well as the El Gamal encryption scheme [21]. Brown [15] presents such an attack on RSA-OAEP [10] with encryption exponent 3. Ouafi and Vaudenay [30] present such an attack on Rabin-SAEP [13]. We present an alternative attack in [7]. The above would be of little concern if we could guarantee good...

- Simulating BPP using a general weak random source. Zuckerman, 1996. (111 citations)

- Public-Key Encryption in a Multiuser Setting: Security Proofs and Improvements. Eurocrypt 2000. Bellare, Boldyreva, et al., 1807. (106 citations)

- Key-Privacy in Public-Key Encryption. Bellare, Boldyreva, et al., 2001. (97 citations)
  Context: ...us not requiring new certificates. It always provides non-adaptive H-IND security. It provides adaptive H-IND security if the starting scheme has the extra property of being anonymous in the sense of [4]. Anonymity is possessed by some deployed schemes like DHIES [1], making REwH1 attractive in this case. But some in-practice schemes, notably RSA ones, are not anonymous. If one wants adaptive H-IND se...

- The oracle Diffie-Hellman assumptions and an analysis of DHIES. Abdalla, Bellare, et al., 2001. (90 citations)
  Context: ...ve H-IND security. It provides adaptive H-IND security if the starting scheme has the extra property of being anonymous in the sense of [4]. Anonymity is possessed by some deployed schemes like DHIES [1], making REwH1 attractive in this case. But some in-practice schemes, notably RSA ones, are not anonymous. If one wants adaptive H-IND security in this case we suggest REwH2, which provides it assuming...

- Lossy trapdoor functions and their applications. Peikert, Waters, 2011. (90 citations)
  Context: ...V-secure for block sources and the latter is IND-CPA.) Adaptive security requires that the deterministic scheme be a u-LTDF. (A lossy trapdoor function whose lossy branch is a universal hash function [31, 12].) PtD is simpler, merely concatenating the message to the randomness and then applying deterministic encryption. It achieves both non-adaptive and adaptive H-IND under the assumption that the determi...

- Finding a Small Root of a Univariate Modular Equation. Coppersmith, 1996. (90 citations)
  Context: ..., X^r · M), so the ability to predict r immediately gives X^r and leads to message recovery. The Goldwasser-Micali scheme fails analogously. One can utilize Coppersmith's method in the univariate case [16, 27] to recover plaintexts from Rabin-SAEP [12] ciphertexts when randomness is known. The Rabin-SAEP padding function [12] for m-bit message M and s1-bit randomness r is ((M ‖ 0^{s0}) ⊕ H(r)) ‖ r, where ...

- How to enhance the security of public-key encryption at minimum cost. Fujisaki, Okamoto, 1999. (81 citations)
  Context: ...ncryption scheme, which is the only primitive it uses. the public key, so it does require new certificates. The schemes are extensions of the EwH deterministic encryption scheme of [6] and similar to [20]. Schemes without random oracles. It is easy to see that even the existence of a non-adaptively secure IND-CDA encryption scheme implies the existence of a PRIV-secure deterministic encryption (DE) sc...

- Deterministic and efficiently searchable encryption. Bellare, Boldyreva, et al., 2007. (73 citations)
  Context: ...requirement that might come to mind is that encryption with weak (even adversarially-known) randomness should be as secure as deterministic encryption, meaning achieve an analog of the PRIV notion of [6]. But achieving this would require that the message by itself have high min-entropy. We can do better. Our new target notion of security, that we call Indistinguishability under a Chosen Distribution ...

- Finding small roots of univariate modular equations revisited. Howgrave-Graham, 1997. (69 citations)
  Context: the same passage as for the Coppersmith entry above (cited together as [16, 27]).

- Using Hash Functions as a Hedge against Chosen Ciphertext Attack. Shoup, 2000. (69 citations)
  Context: ...ibe an encryption scheme that is simultaneously provably secure under one set of assumptions in the random oracle model and provably secure under a (stronger) set of assumptions in the standard model [38]. 2 Preliminaries. Notation. Vectors are written in boldface, e.g. x. If x is a vector then |x| denotes its length and x[i] denotes its i-th component for 1 ≤ i ≤ |x|. We say that x is a vector over D ...

- Simplified OAEP for the RSA and Rabin Functions. Boneh, 2001. (60 citations)

- Randomness and the Netscape browser. Goldberg, Wagner, 1996. (60 citations)
  Context: ...on is often violated. This can happen because of faulty implementations, side-channel attacks, system resets or for a variety of other reasons. The resulting cryptographic failures can be spectacular [22, 24, 29, 2, 15]. What can we do about this? One answer is that system designers should build "better" systems, but this is clearly easier said than done. The reality is that random number generation is a complex and...

- On notions of security for deterministic encryption, and efficient constructions without random oracles. Boldyreva, Fehr, et al., 2008. (49 citations)
  Context: ...e secure both in the sense of IND-CPA and in the sense of IND-CDA. Adaptivity. Our IND-CDA definition generalizes the indistinguishability-style formalizations of PRIV-secure deterministic encryption [8, 12], which in turn extended entropic security [18]. But we consider a new dimension, namely, adaptivity. Our adversary is allowed to specify joint message-randomness distributions on to-be-encrypted chal...

- Code-Based Game-Playing Proofs and the Security of Triple Encryption. Bellare, Rogaway. (39 citations)
  Context: ...zed. The set of possible outputs of algorithm A on inputs x1, x2, ... is denoted [A(x1, x2, ...)]. "PT" stands for polynomial-time. Games. Our security definitions and proofs use code-based games [9], and so we recall some background from [9]. A game (look at Figure 2 for examples) has an Initialize procedure, procedures to respond to adversary oracle queries, and a Finalize procedure. A game G i...

- Deterministic encryption: Definitional equivalences and constructions without random oracles. Bellare, Fischlin, et al., 2008. (35 citations)
  Context: the same passage as for the Boldyreva, Fehr, et al. entry above (cited together as [8, 12]).

- Extended notions of security for multicast public key cryptosystems. Baudron, Pointcheval, et al., 2000. (30 citations)
  Context: ..., adaptive LR queries. This is true because in that setting a straightforward hybrid argument shows that security against multiple adaptive LR queries is implied by security against a single LR query [5, 3]. We wish to maintain the same standard of adaptive security in the IND-CDA setting. Unfortunately, in the IND-CDA setting, unlike the IND-CPA setting, adaptive security is not implied by non-adaptive ...

- Encryption against storage-bounded adversaries from on-line strong extractors. Lu. (26 citations)

- Entropic security and the encryption of high entropy messages. Dodis, Smith, 2005. (24 citations)
  Context: ...ense of IND-CDA. Adaptivity. Our IND-CDA definition generalizes the indistinguishability-style formalizations of PRIV-secure deterministic encryption [8, 12], which in turn extended entropic security [18]. But we consider a new dimension, namely, adaptivity. Our adversary is allowed to specify joint message-randomness distributions on to-be-encrypted challenges. The adversary is said to be adaptive if...

- On the impossibility of private key cryptography with weakly random keys. McInnes, Pinkas, 1990. (22 citations)
  Context: ...andomness is bad as long as there is compensating entropy in the message. Also we deal with the public key setting. Many works consider achieving strong cryptography given only a "weak random source" [28, 16, 14]. This is a source that does have high min-entropy but may not produce truly random bits. They show that many cryptographic tasks including symmetric encryption [28], commitment, secret-sharing, and z...

- When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. Yilek, Rescorla, et al., 2009. (21 citations)
  Context: ...s error-prone, consider the recent randomness failure in Debian Linux, where a bug in the OpenSSL package led to insufficient entropy gathering and thence to practical attacks on the SSH [29] and SSL [2, 36] protocols. Other exploits include [25, 19]. The new notion. The idea is to provide two tiers of security. First, when the "randomness" is really random, the scheme should meet the standard IND-CPA no...

- Nonce-based symmetric encryption. Rogaway. (19 citations)
  Context: ...r than breaking completely, it achieves some weaker but still useful notion of security that is the best possible under the circumstances. We call this "hedged" cryptography. Previous work by Rogaway [32], Rogaway and Shrimpton [33], and Kamara and Katz [27] considers various forms of hedging for the symmetric encryption setting. In this paper, we initiate a study of hedged public-key encryption. We a...

- Analysis of the Linux Random Number Generator. Gutterman, Pinkas, et al., 2006. (17 citations)
  Context: ...ess failure in Debian Linux, where a bug in the OpenSSL package led to insufficient entropy gathering and thence to practical attacks on the SSH [29] and SSL [2, 36] protocols. Other exploits include [25, 19]. The new notion. The idea is to provide two tiers of security. First, when the "randomness" is really random, the scheme should meet the standard IND-CPA notion of security. Otherwise, rather than fa...

- On the (im)possibility of cryptography with imperfect randomness. Dodis, Ong, et al., 2004. (15 citations)
  Context: the same passage as for the McInnes, Pinkas entry above, with the references numbered [31, 17, 13] (and symmetric encryption [31]) in this version of the paper.

- Hold your sessions: An attack on Java session-id generation. Gutterman, Malkhi, 2005. (14 citations)
  Context: the same passage as for the Goldberg, Wagner entry above (cited together as [22, 24, 29, 2, 15]).

- Cryptanalysis of the Windows random number generator. Dorrendorf, 2009. (11 citations)
  Context: the same passage as for the Gutterman, Pinkas, et al. entry above (cited together as [25, 19]).

- Efficient lossy trapdoor functions based on the composite residuosity assumption. IACR ePrint Archive. Rosen, Segev, 2008. (11 citations)
  Context: ...umber-theoretic assumptions, including the hardness of the decisional Diffie-Hellman problem, the worst-case hardness of lattice problems, and the hardness of Paillier's composite residuosity problem [31, 12, 34]. Boldyreva et al. [12] observed that the DDH-based construction is universal. [The snippet then runs into the game code of a figure: proc. Initialize(1^k): par ←$ P(1^k); (pk, sk) ←$ K(par); b ←$ {0, 1}; Ret par. proc. LR(M): If pkout = true then Ret ⊥ (m0...]

- Deterministic authenticated-encryption: A provable-security treatment of the key-wrap problem. IACR Cryptology ePrint Archive. Rogaway, Shrimpton, 2006. (9 citations)
  Context: the same passage as for the Rogaway (Nonce-based symmetric encryption) entry above (cited as [33]).

- Smashing SQUASH-0. Ouafi, Vaudenay, 2009. (7 citations)
  Context: the same passage as for the El Gamal entry above (cited as [30]).

- Does privacy require true randomness. Bosley, Dodis, 2007. (4 citations)
  Context: the same passage as for the McInnes, Pinkas entry above (cited together as [28, 16, 14]).

- Debian OpenSSL predictable PRNG bruteforce SSH exploit. Mueller, 2008. (4 citations)
  Context: the same passage as for the Goldberg, Wagner entry above (cited together as [22, 24, 29, 2, 15]).

- Tight bounds for hashing block sources. Chung, Vadhan, 2008. (4 citations)

- Exploiting DSA-1571: How to break. Abeni, Bello, et al., 2008. (3 citations)

- How to encrypt with a malicious random number generator. Kamara, Katz, 2008. (3 citations)
  Context: the same passage as for the Rogaway (Nonce-based symmetric encryption) entry above (cited as [27]).

- A weak randomizer attack on RSA-OAEP with e=3. IACR ePrint Archive. Brown, 2005. (2 citations)

- Personal Communication to Hovav Shacham. Waters, 2008. (1 citation)
  Context: ...he message, which is not done in [28, 16, 14]. This allows us to circumvent their negative results. Waters independently proposed hedge security as well as the PtD construction as a way to achieve it [35]. 2 Preliminaries. Notation. Vectors are written in boldface, e.g. x. If x is a vector then |x| denotes its length and x[i] denotes its i-th component for 1 ≤ i ≤ |x|. We say that x is a vector over D ...