Download presentation

Presentation is loading. Please wait.

Published byMaeve Seabourn Modified over 3 years ago

1
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno

2
Defining Security of Encryption Schemes CCA2 security Non-malleable encryption auctioneer bidder 1 c attacker c’ c and c’ are somehow related e.g., the bid encrypted in c’ is a half of the bid encrypted in c

3
Completely Non-Malleable (CCA2*) Encryption The auctioneer receives a new bid from bidder 1 (c’ instead of c) The auctioneer receives a new bid from a user with public key pk* Concept introduced in [Fischlin, ICALP ’05] bidder 1 c attacker c’ c, pk and c*, pk* are somehow related c* pk*

4
Why complete non-malleability? Is it more general than CCA2? Yes! Cramer-Shoup and RSA-OAEP are CCA2 but not CCA2* [Fis05] For every CCA2 encryption scheme there is a CCA2 encryption scheme which is not CCA2* [This work] Simple proof…

5
Proving separation between CCA2 and CCA2* Given (G, E, D) which is CCA2 construct (G’, E’, D’) as follows: G’(1 k ) (pk, sk) ← G(1 k ) b ← {0,1} return (pk||b, sk) E’(pk||b, m) return E(pk, m) D’(sk, c) return D(sk, c) (G’, E’, D’) is CCA2 (it never uses bit b) It is easy to construct a winning CCA2* attacker for (G’, E’, D’)

6
Defining Security of Encryption Schemes (cntd) Plaintext awareness (PA) “An encryption scheme is plaintext aware if it is practically impossible for any entity to produce a ciphertext without knowing the associated message” [Dent, Eurocrypt ‘06] challenger Why we should care about? PA + CPA implies CCA2 [Bellare & Palacio, AsiaCrypt ’04 ] attacker pk D(sk,.)Ext(.) Indistinguishable output

7
Enriching PA concept Defining PA*: two experiments challenger A pk D(sk,.) pk*, Enc(pk*, x) challenger Ext pk A pk*, x Any PPT machine can not distinguish pk*, x

8
Relating CCA2* and PA* Theorem: PA* + CPA implies CCA2* Similar relation to the CCA2/PA case [BP04] Refining CCA2* definition CCA2* does make sense when the attacker does not know the secret key sk* (nor a user knowing sk*) the attacker does not have any noticeable advantage in distinguishing messages that are in relation from message that are not in relation w.r.t. the new key pk*

9
Construction of CCA2* and PA* encryption schemes CCA2*: Impossible in plain model (for non-interactive black-box security [Fis05]) Constructions: Plain model Interactive Non-Black-Box Construction Shared Random String model Non-Interactive Black-Box Construction… … which is also PA* when restricting to CRS model

10
Details of the CRS construction Ingredients: Any CPA secure encryption scheme (G,E,D) A robust NIZK [DDOPS, Crypto ’01] for an NP language L Non-malleable NIZK (in the explicit witness sense) Stronger than Simulation-Soundess Same-String NIZK (pk, sk) is in L if there exists randomness r such that G with random tape r outputs (pk, sk)

11
Details of the CRS construction (2) Relying on non-malleable NIZK proof we prove that (G’, E’, D’) is CCA2* Relying on Same-String NIZK proof we prove that (G’, E’, D’) is PA* G’(1 k ) (pk, sk) ← G(1 k ) p ← proof for L return ((pk, p), sk) E’((pk, p), m) Verify proof p return E(pk, m) D’(sk, c) return D(sk, c)

12
Conclusions We give a stronger notion (PA*) of plaintext awareness We relate the new notion with that of complete non- malleability (CCA2*) We give general constructions relating previous notions and results This yields a much more understandable framework We construct a non black-box interactive CCA2*+PA* encryption scheme (plain model) We construct a non-interactive CCA2*+PA* encryption scheme in the CRS model

Similar presentations

OK

ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman

© 2018 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on five generation of computers Best ppt on water cycle Ppt on political parties and electoral process in kenya Ppt on nitrogen cycle Ppt on types of houses Ppt on south african culture dance Ppt on indian textile industries media Ppt on measuring area and volume Ppt on types of parallelograms pictures Ppt on levels of management