Download presentation

Presentation is loading. Please wait.

Published byMaeve Seabourn Modified over 2 years ago

1
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno

2
Defining Security of Encryption Schemes CCA2 security Non-malleable encryption auctioneer bidder 1 c attacker c’ c and c’ are somehow related e.g., the bid encrypted in c’ is a half of the bid encrypted in c

3
Completely Non-Malleable (CCA2*) Encryption The auctioneer receives a new bid from bidder 1 (c’ instead of c) The auctioneer receives a new bid from a user with public key pk* Concept introduced in [Fischlin, ICALP ’05] bidder 1 c attacker c’ c, pk and c*, pk* are somehow related c* pk*

4
Why complete non-malleability? Is it more general than CCA2? Yes! Cramer-Shoup and RSA-OAEP are CCA2 but not CCA2* [Fis05] For every CCA2 encryption scheme there is a CCA2 encryption scheme which is not CCA2* [This work] Simple proof…

5
Proving separation between CCA2 and CCA2* Given (G, E, D) which is CCA2 construct (G’, E’, D’) as follows: G’(1 k ) (pk, sk) ← G(1 k ) b ← {0,1} return (pk||b, sk) E’(pk||b, m) return E(pk, m) D’(sk, c) return D(sk, c) (G’, E’, D’) is CCA2 (it never uses bit b) It is easy to construct a winning CCA2* attacker for (G’, E’, D’)

6
Defining Security of Encryption Schemes (cntd) Plaintext awareness (PA) “An encryption scheme is plaintext aware if it is practically impossible for any entity to produce a ciphertext without knowing the associated message” [Dent, Eurocrypt ‘06] challenger Why we should care about? PA + CPA implies CCA2 [Bellare & Palacio, AsiaCrypt ’04 ] attacker pk D(sk,.)Ext(.) Indistinguishable output

7
Enriching PA concept Defining PA*: two experiments challenger A pk D(sk,.) pk*, Enc(pk*, x) challenger Ext pk A pk*, x Any PPT machine can not distinguish pk*, x

8
Relating CCA2* and PA* Theorem: PA* + CPA implies CCA2* Similar relation to the CCA2/PA case [BP04] Refining CCA2* definition CCA2* does make sense when the attacker does not know the secret key sk* (nor a user knowing sk*) the attacker does not have any noticeable advantage in distinguishing messages that are in relation from message that are not in relation w.r.t. the new key pk*

9
Construction of CCA2* and PA* encryption schemes CCA2*: Impossible in plain model (for non-interactive black-box security [Fis05]) Constructions: Plain model Interactive Non-Black-Box Construction Shared Random String model Non-Interactive Black-Box Construction… … which is also PA* when restricting to CRS model

10
Details of the CRS construction Ingredients: Any CPA secure encryption scheme (G,E,D) A robust NIZK [DDOPS, Crypto ’01] for an NP language L Non-malleable NIZK (in the explicit witness sense) Stronger than Simulation-Soundess Same-String NIZK (pk, sk) is in L if there exists randomness r such that G with random tape r outputs (pk, sk)

11
Details of the CRS construction (2) Relying on non-malleable NIZK proof we prove that (G’, E’, D’) is CCA2* Relying on Same-String NIZK proof we prove that (G’, E’, D’) is PA* G’(1 k ) (pk, sk) ← G(1 k ) p ← proof for L return ((pk, p), sk) E’((pk, p), m) Verify proof p return E(pk, m) D’(sk, c) return D(sk, c)

12
Conclusions We give a stronger notion (PA*) of plaintext awareness We relate the new notion with that of complete non- malleability (CCA2*) We give general constructions relating previous notions and results This yields a much more understandable framework We construct a non black-box interactive CCA2*+PA* encryption scheme (plain model) We construct a non-interactive CCA2*+PA* encryption scheme in the CRS model

Similar presentations

Presentation is loading. Please wait....

OK

CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google