Public-Key Encryption
In a symmetric-key encryption scheme, both encryption and decryption use the same key. A public-key scheme disrupts this idea and uses different keys for encryption and decryption. The encryption key can be made public so that anyone can send encrypted messages. The decryption key is kept private, and only the holder of this key can decrypt these messages.
14.1. Security definitions for PKE
We start by introducing the syntax of a public-key encryption scheme. In the public-key setting, there is not one key but a key pair consisting of a private key and public key. These two keys must of course be correlated in some way. Therefore, a public-key encryption scheme must include a separate key generation algorithm .
A public-key encryption (PKE) scheme consists of the following algorithms:
-
: a randomized algorithm that takes no inputs (besides the security parameter, which we never write explicitly) and outputs a key pair , where is a public key and is a private key.
-
: a randomized algorithm that takes a public key and plaintext as input and returns a ciphertext .
-
: a deterministic algorithm that takes a private key and ciphertext as input, and returns a plaintext (or raises an error).
A PKE scheme is correct if the following program outputs with probability 1, for all :
What does it mean for a key to be public? In the security definition, the library provides a way for the adversary/calling program to learn it. By making this change to the security definitions for encryption, and also ensuring that the correct key is used for encryption/decryption, we obtain definitions of CPA and CCA security for PKE:
A PKE scheme has security against chosen-plaintext attacks (CPA security) if the following two libraries are indistinguishable:
A PKE scheme has security against chosen-ciphertext attacks (CCA security) if the following two libraries are indistinguishable:
As in the CCA security definition for SKE, ciphertexts generated by are called challenge ciphertexts.
After seeing CPA and CCA security defined for PKE, you may also expect a definition of public-key authenticated encryption (AE). The spirit of AE is that no one can generate valid ciphertexts except the person who holds the secret key. But the spirit of public-key encryption is that anyone can encrypt ciphertexts. The two concepts are incompatible, so in the public-key world we will stop at CCA security.
If anyone can encrypt, why can't I tell whether something is an encryption of by re-encrypting myself?
This attack would work if PKE encryption were deterministic.
But just like the case of SKE, public-key encryption cannot be deterministic.
It is tempting to think that has no secrets, because both of its arguments may be public.
But the randomness that samples is a secret that the adversary doesn't know!
The randomness used in an SKE's algorithm is often included in its output, but this cannot be the case for a public-key scheme.
14.2. One-time vs. many-time encryption
Before describing an actual PKE scheme, let's first discuss a property of PKE that will make future security proofs easier.
In the symmetric-key world, it makes a difference whether a key is used to encrypt many plaintexts or just one. For example, OTP is secure when a key is used to encrypt one plaintext, but insecure when used for many encryptions. In the public-key world, there is no such distinction: Any PKE scheme that is secure for a single encryption is also secure for many. What this means is that if we need to prove CPA security for a PKE scheme, it's enough to prove a simpler property of security for a single encryption.
Let be a PKE scheme. If the following two libraries are indistinguishable, then has CPA security:
In these libraries, is static/global, and its value is fixed upon the first call to . Subsequent calls to don't do anything, so the adversary can obtain only a single ciphertext encrypted under the key pair. These libraries are written somewhat differently than in the definition of one-time secrecy for SKE (definition 5.3.2) since here the adversary is allowed to see before choosing its plaintext.
The proof uses the following family of hybrids, parameterized by an integer :
This library responds with uniformly sampled ciphertexts the first times is called, and thereafter responds with ciphertexts encrypted in the normal way. Thus:
-
In , the else-branch is always taken, so the library behaves identically to . Every output of is an actual encryption of the given plaintext.
-
If is the number of queries that the calling program makes to enc then in the if-branch is always taken, so the library behaves identically to . Every output of is sampled uniformly.
It therefore suffices to show that for every .
An analogous property is true for CCA security as well. Any PKE scheme that is CCA-secure for a single encryption is secure against many: Its proof is mostly the same as the previous one, and is left as an exercise.
Let be a PKE scheme. If the following two libraries are indistinguishable, then has CCA security:
The library does not maintain a dictionary as in the usual CCA security definition (definition 14.1.3). This library generates only a single challenge ciphertext, so it would assign only one value to the dictionary, at . Instead, we simply rename to .
14.3. El Gamal encryption
Using the tools that you have learned about so far, how would you propose two users exchange secret messages when they don't have any shared secret key? First, they could run a key exchange protocol to establish a shared key. Then, they could use that key to encrypt their secret messages under a symmetric-key encryption scheme.
They can use DHKE for key exchange, but what would be a natural choice for the symmetric-key encryption scheme? In the previous section, we saw that it is enough for a PKE to be secure for only one encryption. Thus, perhaps they can consider something as simple as OTP. And since Diffie-Hellman outputs a key that is a cyclic group element, they could use a variant of OTP that uses the cyclic group operation (group multiplication) instead of xor.
If Bob wants to send Alice a private message following these recommendations, it looks like this:
If this picture makes sense to you, then you already understand our first PKE scheme, called El Gamal encryption after its creator Taher El Gamal. El Gamal encryption is what you get when you label Alice's message the public key and label Bob's two messages as the encryption of .
Let be a cyclic group of order with generator . El Gamal encryption is defined by the following algorithms:
Compared to the picture above, we have renamed values as follows:
If the DDH assumption is true, then El Gamal encryption (construction 14.3.1) is CPA-secure.
From claim 14.2.1, it suffices to prove that El Gamal is secure when encrypting one ciphertext. In other words, we will show that the following two libraries are indistinguishable:
14.4. The Fujisaki-Okamoto construction
In this section we describe how to efficiently convert any CPA-secure PKE into a CCA-secure one. The construction slightly breaks the usual abstraction of an encryption scheme, in an interesting way:
An encryption algorithm is randomized, but in this section it will be useful to run the encryption algorithm with some externally determined random choices. We write to denote the result of running but setting the random choices of to be . It is traditional to use a semicolon to separate the last argument. Note that , with the randomness as an explicit third argument, refers a deterministic algorithm.
Using this new notation, what we usually write as refers to the process:
refers to the space of possible random choices made by .
The El Gamal encryption algorithm chooses an exponent as its randomness, so above. Writing the encryption algorithm with this randomness as an explicit argument gives:
In this section we will assume that every encryption algorithm's randomness comes from . This is without loss of generality, because an encryption algorithm may use its randomness argument to seed a PRG and obtain as much randomness as needed.
The Fujisaki-Okamoto construction is a recipe for converting a CPA-secure PKE into a CCA-secure one, in the random oracle model. Its main idea is to encrypt (under the CPA scheme) plaintexts of the form using as the randomness. When the receiver decrypts a ciphertext, she will check that it was encrypted with randomness as expected—by re-encrypting it herself with that randomness!—and reject if this is not the case.
You may wonder why using for encryption randomness is useful for CCA security. The reasoning is subtle and clever. “Valid” ciphertexts must have the form , and in the random oracle model (it can be argued that) you can't produce a ciphertext of this form without first calling the random oracle at . But if the adversary has previously called the random oracle at input , then the library has a chance to compute the ciphertext and remember the association for later. The library is able to know that the decryption of should be , but it has deduced this fact without using the private key! When the library no longer needs the private key, we can apply the CPA security of the underlying PKE.
For technical reasons, is not the actual plaintext, but has the form , where is chosen uniformly. Thus, an encryption of has the form .
Let be a PKE scheme, and be a random oracle with output bits. Assume that uses bits of randomness. Then the Fujisaki-Okamoto PKE scheme consists of the following:
We will prove the security of Fujisaki-Okamoto using the following assumption about the underlying (CPA-secure) scheme.
An encryption algorithm has unique randomness if for all and all , the function is 1-to-1 (injective).
This property makes the Fujisaki-Okamoto construction easier to prove, but security can also be proven without it; see exercise 14.14.
Suppose is a CPA-secure PKE scheme with unique randomness. Then construction 14.4.3 is CCA-secure in the random oracle model. From claim 14.2.2 it suffices to show that the scheme is CCA-secure with respect to a single encryption.
In other words, if:
then:
One important idea in the proof is that an adversary cannot create a valid ciphertext if they have not already made the expected call to the random oracle . We formalize the idea as follows:
If has unique randomness then the following algorithm returns with probability at most :
The subroutine generates an encryption of and returns if the caller successfully predicted the resulting ciphertext. The encryption randomness is playing the role of a random oracle output that has not yet been sampled/observed. There are choices of , and since has unique randomness, each choice of leads to a distinct outcome . Since the caller's “guess” is fixed before is chosen, uniformly among possibilities, the algorithm returns with probability at most . (It may also be the case that is not one of the possible ciphertexts, in which case the probability is zero.)
The formal details of the proof follow.
We complete the proof by arguing that the bad event has negligible probability. If the adversary makes queries to the random oracle, then at the end of time contains at most values, and the bad event happens with probability at most , which is negligible.
Real-world Impact: Because the Fujisaki-Okamoto construction adds CCA security to a PKE with almost no overhead, it is used in many standard (and candidate standard) PKE algorithms. The US National Institute of Standards & Technology recently held a competition to standardize the next generation of public-key encryption schemes, holding the first round of submissions in 2017. Out of the forty-six PKE schemes proposed, twenty-five used the Fujisaki-Okamoto technique to achieve CCA security. All four schemes that advanced to the final round of the selection process use Fujisaki-Okamoto or similar variant.
14.5. Hybrid encryption
Public-key cryptography is much, much slower than symmetric-key cryptography. As a simple demonstration, one invocation of the AES block cipher requires only a few CPU cycles, but encrypting in a PKE scheme can take millions. In this section we explore a clever way to get the best of both worlds: the features of PKE, with cost as close as possible to SKE.
Suppose Alice has published her public key , and Bob wants to send her a large file. Using PKE directly on a large file would be incredibly expensive. Instead, Bob can do the following:
-
Sample a fresh key for a symmetric-key encryption scheme.
-
Encrypt under , using PKE, and send it to Alice. Although PKE encryption is slow, we are encrypting only a small value .
-
Encrypt the large file under , using SKE, and send it to Alice. SKE encryption is fast for this large file.
When Alice receives this data, she can decrypt the PKE ciphertext to learn , then decrypt the SKE ciphertext with to obtain the large file. The overall functionality is the same as PKE: Bob can encrypt data to Alice, knowing only her public key.
This method of public-key encryption is called hybrid encryption, where “hybrid” in this context means that the scheme consists of a combination of PKE and SKE.
Let be a PKE scheme and be a SKE scheme, such that (i.e., it is possible for to encrypt keys from ). Then hybrid encryption is defined by the following algorithms:
The value chosen in is called the ephemeral key.
Each ephemeral key is used to encrypt just a single plaintext, and therefore the symmetric-key scheme only needs to have one-time secrecy for the overall hybrid scheme to have CPA security.
If is a CPA-secure PKE and is a one-time secret SKE, then hybrid encryption (construction 14.5.1) is CPA-secure.
The proof is an easy consequence of the definitions.
CCA Security: The situation of CCA security for hybrid encryption is more subtle. Our usual way of using the real-or-random paradigm to define security doesn't quite work, in the sense that even if both the underlying PKE and SKE are (real-or-random) CCA-secure, the resulting hybrid scheme may not be.
There exists a (real-or-random) CCA-secure PKE and (real-or-random) CCA-secure SKE , such that the resulting hybrid encryption (construction 14.5.1) is not (real-or-random) CCA-secure.
However, if we consider the left-or-right paradigm for CCA security, then the property we hope to be true about hybrid encryption is true. Hybrid encryption achieves (left-or-right) CCA security if both its underlying PKE and SKE do.
If is a left-or-right CCA-secure PKE and is a left-or-right CCA-secure symmetric encryption scheme, then hybrid encryption (construction 14.5.1) is left-or-right CCA-secure.
Proofs of these two claims are left as exercises.
Hybrid encryption is the only example I know of a completely natural encryption scheme for which the distinction between left-or-right and real-or-random security is significant. In every other case, the encryption schemes we care about in practice satisfy both flavors of security.
14.6. Key encapsulation
Because of hybrid encryption, there is rarely any need to use “true” PKE for anything other than encrypting uniformly sampled values. A key encapsulation mechanism (KEM) is a specialized PKE that is capable of only that; it can encrypt only pseudorandom plaintexts. In a PKE we tell the encryption algorithm our choice of plaintext, but in a KEM we let the encryption algorithm itself choose the plaintext. Although this might seem like a strange modification to make to a PKE, the benefit is that a KEM ciphertext can be shorter than a traditional PKE ciphertext.
To differentiate KEMs from traditional PKE, we usually refer to the algorithms of a KEM as encapsulation/decapsulation rather than encryption/decryption.
A key encapsulation mechanism (KEM) consists of the following algorithms:
-
: same as in a PKE scheme, a randomized algorithm that takes no inputs and outputs a keypair .
-
: a randomized algorithm that takes only a public key as input and returns both a ciphertext and plaintext .
-
: same as in a PKE scheme, a deterministic algorithm that takes a private key and ciphertext as input, and returns a plaintext (or raises an error).
A KEM is correct if the following process outputs with probability 1:
The definitions of CPA and CCA security for KEMs are similar to those for traditional PKE. The adversary's interface now takes no arguments, since a KEM's algorithm does not take a plaintext argument. In addition to requiring that the ciphertext is pseudorandom, the definitions also require that the plaintext is pseudorandom (and independent of the ciphertext).
A KEM has security against chosen-plaintext attacks (CPA security) if the following two libraries are indistinguishable:
A KEM has security against chosen-ciphertext attacks (CCA security) if the following two libraries are indistinguishable:
Hybrid encryption is sometimes called the KEM-DEM paradigm, where DEM (the symmetric-key encryption scheme) stands for data encapsulation mechanism.
14.6.1. One-time vs. many-time
Just like PKE, if a KEM is secure for a single encryption, then it is secure against many encryptions. Hence we have the following results, analogous to the ones in section 14.2. Because KEM encapsulation takes no plaintext argument, these libraries are slightly simpler than their PKE counterparts; the ciphertext and plaintext can be generated at the beginning of time.
Let be a KEM scheme. If the following two libraries are indistinguishable, then has CPA security:
If the following two libraries are indistinguishable, then has CCA security:
The proofs follow the same structure as those in section 14.2, and are left as exercises.
14.6.2. El Gamal KEM
One reason for studying KEMs is that their ciphertexts can be smaller than those of a PKE; El Gamal encryption provides a great example. Recall that El Gamal ciphertexts consist of a pair of group elements that have the form . The security proof argues that hides the plaintext, because is pseudorandom given and . But if is pseudorandom, why not just consider to be the plaintext and let alone be the ciphertext? The result is El Gamal KEM, and its ciphertexts consist of just a single group element.
Let be a cyclic group of order with generator . Then El Gamal KEM is defined by the following:
El Gamal KEM (construction 14.6.5) is CPA-secure if the DDH assumption holds.
The proof is extremely similar to that of claim 14.3.2, and is left as an exercise.
Exercises
-
Prove that if a PKE scheme has a deterministic algorithm, then it cannot have CPA security.
-
Let be a PKE scheme with , and let be defined as follows:
-
Prove that is CPA-secure if is.
-
Prove that is not CCA-secure (even if is).
-
-
h Let be a CPA-secure symmetric-key encryption scheme, and suppose it has an additional randomized algorithm such that the following libraries are indistinguishable:
:return:returnThe idea behind is that when its input is an encryption of , then its output is also an encryption of . Not only do the input and output ciphertexts encrypt the same thing, the output ciphertext is distributed just like a fresh re-encryption of . And is able to do this all without knowing or the key .
Describe how to use this to construct a PKE, and prove that your construction is CPA-secure.
From exercise 14.2 it is enough to construct a PKE whose plaintext space is . The public key in your PKE scheme should include and .
-
Prove claim 14.2.2 (one-time CCA security implies many-time CCA security).
-
Below are parameters for El Gamal encryption (prime , generator , and a user's private key) and an El Gamal ciphertext .
-
What is the corresponding public key, and how did you compute it?
-
What is the result of decrypting the ciphertext, and how did you compute it?
-
-
Show that El Gamal is not a CCA-secure PKE.
-
h Suppose you are given a passively secure key exchange protocol (definition 13.3.3) , in which each user sends only one protocol message. Formally describe how to use to build a CPA-secure PKE scheme, and prove its security. Assume that the KE protocol generates a key from .
Take inspiration from the relationship between DHKE and El Gamal.
-
h Suppose you are given a CPA-secure PKE scheme . Formally describe how to use to build a passively secure key exchange protocol (definition 13.3.3), and prove its security.
The security definition for KE says that the key should be pseudorandom, but it does not require both parties to “contribute” to the key.
-
Given a plaintext consisting of two group elements, it is possible to encrypt each element with El Gamal, independently (exercise 14.2). This would result in a ciphertext consisting of four group elements. Consider the following variant of El Gamal, which can encrypt two plaintext group elements to a ciphertext of three group elements:
Prove that this scheme is CPA-secure if the DDH assumption is true in .
-
The scheme in the previous exercise has a longer public key than standard El Gamal. Suppose we compress the public key by letting , and thus :
Show that this scheme is not CPA-secure.
-
Suppose you are given an El Gamal ciphertext encrypting . Show how to construct a different ciphertext encrypting the same , even if you don't know or the private key. You can assume that the public key is known.
-
Suppose you are given two El Gamal ciphertexts: encrypting , and encrypting . Show how to construct a ciphertext encrypting , even if you don't know or , or the private key. You can assume that the public key is known.
-
h Describe a randomized algorithm with the following properties. It should take as input an El Gamal public key and ciphertext , and output a new ciphertext . The output should be distributed identically to the output of . In other words, the output should be a ciphertext encrypting the same plaintext as , and distributed precisely as a fresh encryption. The algorithm should do all of this without knowing or the El Gamal private key .
Use exercise 14.12 with and a fresh encryption of 1.
-
Our security proof for Fujisaki-Okamoto (theorem 14.4.5) assumes that the encryption algorithm has unique randomness. However, this assumption is not strictly necessary.
-
Prove that if is a CPA-secure PKE, then the following two libraries are indistinguishable:
:return:return:return:return -
Prove the security of Fujisaki-Okamoto without assuming the unique randomness property.
-
-
Below is an attempt to use the Fujisaki-Okamoto technique to construct a KEM, rather than a PKE:
Show that this construction is not a CCA-secure KEM (it's not even CPA-secure!).
-
Below is another attempt to use the Fujisaki-Okamoto technique to construct a KEM, rather than a PKE. It requires a random oracle whose outputs have length .
This KEM is more efficient that construction 14.4.3 because it uses to encrypt a plaintext of length instead of .
-
Prove that this construction is a CCA-secure KEM in the random oracle model, if is CPA-secure.
-
Even though the end result of this construction is a KEM, it requires the underlying scheme to be a PKE, not a KEM. What is the difficulty of applying the Fujisaki-Okamoto technique to an underlying KEM?
-
-
Construct a PKE and SKE which both have (real-or-random) CCA security, but whose combination as a hybrid encryption scheme does not have (real-or-random) CCA security (claim 14.5.3).
-
Given a (real-or-random) CCA-secure PKE, construct a new one that is also CCA-secure, and that has the property that a uniformly chosen ciphertext will raise a decryption error with high probability. Prove that your new PKE is CCA-secure.
-
Given a (real-or-random) CCA-secure SKE, construct a new one that is also CCA-secure, but in which the algorithm never raises an error. Prove that your new SKE is CCA-secure.
-
Show that the combination of these two new schemes as a hybrid encryption scheme does not have (real-or-random) CCA security.
-
-
h The previous exercise considered hybrid encryption where the underlying SKE never has decryption error. Suppose we instead insist that the SKE is AE-secure. Can you still construct a (real-or-random) CCA-secure PKE and (real-or-random) AE-secure SKE whose composition as a hybrid scheme is not (real-or-random) CCA-secure?
A PKE scheme can be CCA-secure and also have the property that a uniformly chosen ciphertext decrypts to a known, fixed value, like , with high probability.
-
Prove that hybrid encryption is (left-or-right) CCA-secure, if its underlying PKE and SKE both are (claim 14.5.4).
-
Formally prove claim 14.6.4 (one-time security implies many-time security, for a KEM).
-
Prove claim 14.6.6 (security of El Gamal KEM).
-
Formally describe a variant of hybrid encryption (construction 14.5.1) that uses a KEM rather than PKE to encrypt the ephemeral symmetric key. Formally prove its CPA security, using the CPA security of the underlying KEM.
-
Any PKE scheme can be converted into a KEM, by simply using the PKE scheme to encrypt a uniformly chosen plaintext. Formally describe this KEM construction, and prove that it is CPA-secure if the underlying PKE scheme is CPA-secure.
-
Consider a variant of El Gamal KEM in which the plaintext is not but . Prove that this variant is a secure KEM in the random oracle model, assuming the CDH assumption (defined in exercise 13.8).
-
Let be a random oracle, let be a cyclic group of order , and let and be two different generators. The Kurosawa-Desmedt KEM is defined as follows:
-
Show that the KEM satisfies correctness.
-
h Show that the KEM is not CCA-secure. You can assume that the order of the cyclic group is prime.
Let be an arbitrary ciphertext. Suppose an adversary chooses exponents and , and defines the new ciphertexts and . Show how the decapsulations of and can be used to predict the decapsulation of .
-
-
Prove that is a CPA-secure KEM if and only if the following is a passively secure KE protocol:
:sendrecvreturn:recvsendreturn
Chapter Notes
Public-key encryption was first conceived in 1970 by James Ellis, who was employed at British GCHQ at the time [97]. As such, his involvement in the history of public-key cryptography remained classified until 1997. He called his idea “non-secret encryption,” but was not able to propose a plausibly secure mechanism. Three years later another GCHQ employee, Clifford Cocks, proposed a non-secret encryption scheme which is identical to the well-known RSA scheme (chapter 15).
In 1974, Ralph Merkle proposed an asymmetric key exchange protocol, in a proposal for an undergraduate class project [159]. His contributions to the history of public-key cryptography were not recognized until around a decade later. Diffie and Hellman were the first to receive public recognition for the invention of public-key cryptography, in 1976 [83]. Bellare, Desai, Pointcheval, and Rogaway [16] study a variety of security definitions for public-key encryption, showing separations, equivalences, and implications among them.
El Gamal encryption is named after its creator, Taher El Gamal [96]. A security proof for El Gamal, based on the DDH assumption, was first given by Tsiounis and Yung [211].
Unsurprisingly, the Fujisaki-Okamoto construction is named for its creators, Fujisaki and Okamoto [104]. See Hofheinz, Hövelmanns, and Kiltz [122] for a comprehensive analysis of the scheme and its many variants.
Hybrid encryption is a natural way to combine public-key and symmetric-key encryption schemes. Its security was first formalized by Cramer and Shoup [76].
The KEM in exercise 14.25 was proposed by Kurosawa and Desmedt [144]. The attack against its CCA security was first shown by Choi, Herranz, Hofheinz, Hwang, Kiltz, Lee, and Yung [65].
Key encapsulation schemes were first defined by Shoup [203].