### Hedging Public-Key Encryption in the Real World

Alexandra Boldyreva, Christopher Patton, and Thomas Shrimpton

##### Abstract

Hedged PKE schemes are designed to provide useful security when the per-message randomness fails to be uniform, say, due to faulty implementations or adversarial actions. A simple and elegant theoretical approach to building such schemes works like this: Synthesize fresh random bits by hashing all of the encryption inputs, and use the resulting hash output as randomness for an underlying PKE scheme. The idea actually goes back to the Fujisaki-Okamoto transform for turning CPA-secure encryption into CCA-secure encryption, and is also used to build deterministic PKE schemes. In practice, implementing this simple construction is surprisingly difficult, as the high- and mid-level APIs presented by the most commonly used crypto libraries (e.g. OpenSSL and forks thereof) do not permit one to specify the per-encryption randomness. Thus application developers are forced to piece together low-level functionalities and attend to any associated, security-critical algorithmic choices. Other approaches to hedged PKE present similar problems in practice. We reconsider the matter of building hedged PKE schemes, and the security notions they aim to achieve. We lift the current best-possible security notion for hedged PKE (IND-CDA) from the CPA setting to the CCA setting, and then show how to achieve it using primitives that are readily available from high-level APIs. We also propose a new security notion, MM-CCA, which generalizes traditional IND-CCA to admit imperfect randomness. Like IND-CCA, and unlike IND-CDA, our notion gives the adversary the public key. We show that MM-CCA is achieved by RSA-OAEP in the random-oracle model; this is significant in practice because RSA-OAEP is directly available from high-level APIs across all libraries we surveyed. We sort out relationships among the various notions, and also develop new results for existing hedged PKE constructions.

Note: The latest version fixes a bug in Lemma 1 pointed out by Joseph Jaeger.

Available format(s)
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2017
Keywords
hedged public-key encryptioncryptographic APIs
Contact author(s)
cjpatton @ ufl edu
History
2017-08-21: last of 3 revisions
See all versions
Short URL
https://ia.cr/2017/510

CC BY

BibTeX

@misc{cryptoeprint:2017/510,
author = {Alexandra Boldyreva and Christopher Patton and Thomas Shrimpton},
title = {Hedging Public-Key Encryption in the Real World},
howpublished = {Cryptology ePrint Archive, Paper 2017/510},
year = {2017},
note = {\url{https://eprint.iacr.org/2017/510}},
url = {https://eprint.iacr.org/2017/510}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.