New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

Presentation on theme: "New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno."— Presentation transcript:

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno

Defining Security of Encryption Schemes CCA2 security  Non-malleable encryption auctioneer bidder 1 c attacker c’ c and c’ are somehow related e.g., the bid encrypted in c’ is a half of the bid encrypted in c

Completely Non-Malleable (CCA2*) Encryption The auctioneer receives a new bid from bidder 1 (c’ instead of c) The auctioneer receives a new bid from a user with public key pk*  Concept introduced in [Fischlin, ICALP ’05] bidder 1 c attacker c’ c, pk and c*, pk* are somehow related c* pk*

Why complete non-malleability? Is it more general than CCA2?  Yes! Cramer-Shoup and RSA-OAEP are CCA2 but not CCA2* [Fis05]  For every CCA2 encryption scheme there is a CCA2 encryption scheme which is not CCA2* [This work] Simple proof…

Proving separation between CCA2 and CCA2* Given (G, E, D) which is CCA2 construct (G’, E’, D’) as follows: G’(1 k ) (pk, sk) ← G(1 k ) b ← {0,1} return (pk||b, sk) E’(pk||b, m) return E(pk, m) D’(sk, c) return D(sk, c) (G’, E’, D’) is CCA2 (it never uses bit b) It is easy to construct a winning CCA2* attacker for (G’, E’, D’)

Defining Security of Encryption Schemes (cntd) Plaintext awareness (PA)  “An encryption scheme is plaintext aware if it is practically impossible for any entity to produce a ciphertext without knowing the associated message” [Dent, Eurocrypt ‘06] challenger Why we should care about?  PA + CPA implies CCA2 [Bellare & Palacio, AsiaCrypt ’04 ] attacker pk D(sk,.)Ext(.) Indistinguishable output

Enriching PA concept Defining PA*: two experiments challenger A pk D(sk,.) pk*, Enc(pk*, x) challenger Ext pk A pk*, x Any PPT machine can not distinguish pk*, x

Relating CCA2* and PA* Theorem: PA* + CPA implies CCA2*  Similar relation to the CCA2/PA case [BP04]  Refining CCA2* definition CCA2* does make sense when  the attacker does not know the secret key sk* (nor a user knowing sk*)  the attacker does not have any noticeable advantage in distinguishing messages that are in relation from message that are not in relation w.r.t. the new key pk*

Construction of CCA2* and PA* encryption schemes CCA2*:  Impossible in plain model (for non-interactive black-box security [Fis05])  Constructions: Plain model  Interactive Non-Black-Box Construction Shared Random String model  Non-Interactive Black-Box Construction…  … which is also PA* when restricting to CRS model

Details of the CRS construction Ingredients:  Any CPA secure encryption scheme (G,E,D)  A robust NIZK [DDOPS, Crypto ’01] for an NP language L Non-malleable NIZK (in the explicit witness sense)  Stronger than Simulation-Soundess Same-String NIZK (pk, sk) is in L if there exists randomness r such that G with random tape r outputs (pk, sk)

Details of the CRS construction (2) Relying on non-malleable NIZK proof we prove that (G’, E’, D’) is CCA2* Relying on Same-String NIZK proof we prove that (G’, E’, D’) is PA* G’(1 k ) (pk, sk) ← G(1 k ) p ← proof for L return ((pk, p), sk) E’((pk, p), m) Verify proof p return E(pk, m) D’(sk, c) return D(sk, c)

Conclusions We give a stronger notion (PA*) of plaintext awareness We relate the new notion with that of complete non- malleability (CCA2*) We give general constructions relating previous notions and results  This yields a much more understandable framework We construct a non black-box interactive CCA2*+PA* encryption scheme (plain model) We construct a non-interactive CCA2*+PA* encryption scheme in the CRS model

Download ppt "New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno."

Similar presentations