Hello everybody, my name is Mohammed. I'm going to present "Toward RSA-OAEP without Random Oracles". This is joint work with Nairen Cao and Adam O'Neill.
Here's the outline of the talk. I will start by going over some background and motivation. After that I will give you an overview of our results. Then I will define the extractable functions and the primitives that are used in our results. After that I will go over the details of one of our results, instantiating s-clear RSA-OAEP. After that I will finish with the conclusion.
I will start by going over the definition of public-key encryption schemes. We use public-key encryption schemes to transfer confidential messages through the internet. In this encryption model, everyone has a pair of keys, a public key and a secret key. For example, if Alice wants to send a message through the internet to Bob, she uses the public key of Bob to encrypt the message M and get the ciphertext, and sends the ciphertext through the internet to Bob, and Bob uses his own secret key to decrypt and get the message M. We need this public-key encryption.
We need secure public-key encryption schemes, and one of the most basic security guarantees that we define in cryptography is called indistinguishability under chosen-plaintext attack, or IND-CPA. This is defined as a game between a challenger and an adversary, and we require that the probability of the adversary winning the game should be negligible if you want a secure public-key encryption scheme.
In this IND-CPA game the challenger chooses a bit B and runs the key generation to get the public key and the secret key, then it sends the public key to the adversary. Then the adversary chooses two messages M0 and M1 and sends them back to the challenger. The challenger, based on the bit B, encrypts one of the messages, either M0 or M1, under the public key pk, gets the ciphertext C and sends the ciphertext back to the adversary, and the adversary needs to guess the bit B. We say the public-key encryption scheme is secure if the advantage of the adversary in guessing B is very close to half.
We can also strengthen the security definition by giving the adversary access to the decryption oracle, where the adversary can make a decryption query C* and get the underlying message M*. If we give the adversary this oracle access then we have IND-CCA security.
One of the models in which we investigate the security of public-key encryption schemes is called the random oracle model. The random oracle model is an idealized model where all the parties have access to the same random function. This model was proposed by Bellare and Rogaway in 1993.
This is a very popular model to design practical encryption schemes. One of the things that we need to note is that for the schemes that we design in the random oracle model, we don't have any formal security proof except that they resist generic attacks when we treat the hash functions as a black box. And even worse, there is a work in '98 by Canetti, Goldreich and Halevi, and also some other works, that show that there are schemes that might be secure under the random oracle model, but if we replace the true random function by a real hash function, MD5 or SHA-1, we get insecure schemes. We call these schemes uninstantiable schemes. This is a very serious problem with the random oracle model.
So the question that we are trying to answer here is: how secure are these random-oracle-based schemes? The schemes that we design in the random oracle model and show the security of, they are IND-CPA or IND-CCA secure and we use them in practice. But we are not sure, based on this negative result that I mentioned, whether they are really secure or not. One of the schemes that we use in practice, it's even implemented in our browsers, is RSA-OAEP, which was shown to be secure in the random oracle model. But we don't have any results in the standard model for it, and we are trying to investigate this scheme specifically in our work.
There are several results for RSA-OAEP. For example, in '94 it was shown to be IND-CPA secure in the random oracle model, and it was also shown to be IND-CCA2 secure in the random oracle model in 2001. And there are also some standard model results.
Those are the random oracle results that I mentioned. In the standard model we have partial instantiation results for a variant of this scheme, which is called t-clear, in 2006, under strong assumptions on G and H. We also have full instantiation results, where we get non-malleability, not CCA2, for the same variant t-clear. We also have a full instantiation result in the standard model that achieves IND-CPA security when RSA is lossy, and the assumption that they have on G is that G is t-wise independent; this was the work from 2010.
All of these results about RSA-OAEP that I mentioned achieve weak security notions. They did not achieve IND-CCA2, which is a gold kind of security requirement that we would like to have. So there is no IND-CCA security in the standard model.
To recall, in the IND-CCA model the adversary has access to the decryption oracle, and this CCA security models an active adversary that could inject packets into the network. It's important to consider an active adversary versus a passive adversary because, for example, in 2016 we had an active adversary attack on iMessage.
So we would like our public-key encryption schemes to be secure against active attackers, not just passive attackers. So it's important to investigate the IND-CCA security of RSA-OAEP.
So here is an overview of our results. We have partial instantiation results. In the partial instantiation results we either instantiate G, where we model H as a random oracle, or instantiate H, when we assume G is a random oracle. We partially instantiate under mild assumptions on G and H and one-wayness of RSA. The interesting point about this partial instantiation result is that, because we partially instantiate both G and H, this implies that the adversary needs to exploit the interaction of the two hash functions to be able to attack RSA-OAEP. The partial instantiation results are under the IND-CCA2 security notion, and the main tool that we use is algebraic properties of RSA: second-input extractability and common-input extractability. It was shown that RSA has these properties for small encryption exponents. And we have prior works on RSA-OAEP which show IND-CPA for large exponents. So we have to start with IND-CPA and then extend it to IND-CCA.
We have other results, full instantiations. The one that I explained was partial instantiation; here we have full instantiation results for two variants of RSA-OAEP, s-clear and t-clear. These are variants giving insight into the OAEP framework. For t-clear we got IND-CCA1 security when we model G and H as extractable functions, with a one-wayness assumption on RSA. For s-clear we were able to get IND-CCA2 security when we assume G is an extractable function, and we also have some novel assumptions on RSA. So by having these assumptions on RSA and G we are able to get IND-CCA2 security. The main tool that we use for these full instantiation results is extractable functions, which I will explain; I go through their definition in the next slide.
So these extractable functions intuitively capture the fact that if you know a valid image of the function you must know the corresponding pre-image. So if the adversary comes up with a valid image, he already knows the pre-image.
There are three different notions for extractable functions: EXT0, EXT1 and EXT2. In EXT0 the adversary produces just one image; EXT0 was first introduced in 2009. We have EXT1, in which the adversary can interactively make many images and get their pre-images as answers. For EXT2 the adversary has additional access to the image oracle and could get a fresh image of an unknown pre-image, with some hint function about the pre-image.
To go more into the detail of the definition: the definition is a game between a challenger, an adversary and an extractor. In this game the challenger picks a key of the function and also some coins and passes them to the adversary. The adversary, using the coins and the key, deterministically comes up with some image y and gives it to the challenger, or in this case the extractor. Then the extractor, on input the image y, the function key k and the coins of the adversary, outputs x and passes it to the adversary, and the adversary wins the game if the extractor's answer is incorrect. This is for EXT0: the adversary can make one query to the extractor. For EXT1 the adversary could make multiple queries to the extractor, and for the EXT2 notion the adversary has access to the image oracle, which gives a fresh random image of an unknown pre-image. We say a function is EXT0, EXT1 or EXT2 extractable if the advantage of the adversary, the probability of the adversary winning this game, is negligible.
So basically we are able to invert any valid image that the adversary produces by knowing the coins of the adversary, and in our instantiation this primitive gives us the ability to answer the decryption oracle queries that the adversary makes in our IND-CCA games. I'll show you how we make use of this primitive in our instantiation results.
We are the first ones to consider the EXT1 and EXT2 definitions. We also define L-bit extractable functions, where the extractor could invert the challenge image that the adversary makes by only knowing L bits of the image. This L-bit extractability is a specific case of the general definition that was given in 2009, where they assume any function of the image.
Now we'll go into a little more detail on one of our results, the full instantiation of s-clear. First of all, we are the first ones to give positive results for these variants; we have only negative results from the prior works. We showed that by some novel assumption on RSA and assumptions on G and H we could get IND-CCA2 results, which is very interesting. This is the most efficient scheme that, to the best of our knowledge, exists in the literature for an IND-CCA secure encryption scheme in the standard model.
We started by showing IND-CPA security, because there are no positive results from the prior works. So we begin with IND-CPA security. We only assume a mild assumption on G: we assume G is a pseudorandom generator, and by some novel XOR-based assumption on RSA, more specifically something which we call XOR-IND, we could have IND-CPA security. So by assuming G to be a PRG, H could be any function, and RSA being XOR-IND, we could get IND-CPA security.
I will go more into the details of what we mean by the XOR-IND definition. The XOR-IND notion is defined as a game between a challenger and an adversary. In this game the challenger chooses a bit B, runs the trapdoor key generation, gets the trapdoor function F and F inverse, picks a random pre-image X, and passes F and G of X, which is some uninvertible hint on X, to the adversary. So the adversary has F and G of X. The adversary outputs some Z and passes it to the challenger. The challenger computes Y0 and Y1, where Y0 is F of X and Y1 is F of X XORed with Z, and passes either Y0 or Y1 based on the bit B. So it passes YB to the adversary, and the adversary now needs to guess the bit B. If the probability of the adversary guessing the bit B is negligibly close to half, then we say the trapdoor function F is XOR-IND.
So we got IND-CPA security for s-clear by assuming XOR-IND and pseudorandomness on G. What we now would like to show is to improve it and get IND-CCA security results for these primitives. There is a prior work, the negative result that I mentioned, in 2002 by Shoup, that shows that the one-wayness assumption on RSA is not enough to get IND-CCA2 security, even in the random oracle model.
So if you model G as a random oracle and H as a random oracle, and RSA is one-way, we cannot get IND-CCA2 security, which is interesting. Basically the attack there is a simple attack that takes advantage of the fact that if the underlying trapdoor, in this case RSA or any trapdoor, is malleable with respect to the XOR function, then the adversary could easily attack and guess the bit B in the IND-CCA game. So we need some novel assumption on RSA, or on the trapdoor function that we use in our OAEP public-key encryption. We argue that this kind of assumption that I will introduce in the next slides, which we call XOR non-malleability, is very likely to be satisfied by RSA because RSA has a multiplicative structure.
This XOR non-malleability notion is defined as a game between a challenger and an adversary, and basically it says that the adversary, by getting F and F of X for uniformly random X, cannot come up with F of X prime and alpha, where alpha is an XOR relation between X and X prime. So the advantage of the adversary, given F of X, in outputting some F of X prime with the alpha relationship between X and X prime is negligible. Knowing that RSA has this nice multiplicative structure, we believe that it is reasonable to have this assumption on RSA.
So in our instantiation, we use our strongest extractability notion, the EXT2 notion, on G.
So we assume G is EXT2, we also assume RSA is XOR non-malleable, and we have a collision-resistance assumption on H. By these three assumptions we show that we could get IND-CCA2 security for s-clear RSA-OAEP.
The proof idea is basically: we know that it's IND-CPA secure, and now we have to improve it to IND-CCA2. So we have to show that we could answer the decryption oracle. To answer the decryption oracle queries of the adversary we use the extractor for G, because we know that G is extractable. So we use that extractor to answer the decryption oracle queries that the adversary makes. We also need to show that the adversary could not come up with a ciphertext that the extractor could not extract. We know that if the adversary comes up with a ciphertext C prime with the same randomness as the challenge ciphertext C, then the extractor fails. So we have to bound this probability, and to bound this probability we use the assumptions on H and RSA. We show that if the adversary could come up with C prime, we could either find a collision on H or attack the XOR non-malleability of RSA. So we bound these bad events and we could show that we could easily answer the decryption oracle queries.
Okay, so to conclude, we studied to what extent we could eliminate the RO assumptions on G and H in RSA-OAEP encryption. In the prior works, there were no positive results in the standard model for RSA-OAEP or its variants under IND-CCA2 security. We gave partial instantiation results for RSA-OAEP under the CCA2 security notion. We also gave a full instantiation for one of the variants, s-clear, under the CCA2 notion. We also gave CCA1 for t-clear RSA-OAEP.
Thank you very much. I would be happy to take any questions.