
Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.


1 Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London

2 The short version Plaintext awareness is a property of an encryption scheme that roughly says “an attacker cannot create a ciphertext without knowing the underlying plaintext”. Here “knowing” is in the zero-knowledge sense of the word. Typically used to prove IND-CCA security. New uses, e.g. deniable authentication.

3 The short version Bellare and Palacio proposed a definition for assessing plaintext awareness in the standard model… …and prove that the Cramer-Shoup encryption scheme is partially (PA1) plaintext aware. This paper demonstrates that Cramer-Shoup is fully (PA2) plaintext aware. This should be regarded as a feasibility result.

4 What is plaintext awareness?

5 A difficult notion to formalise. We want to show that we can answer an attacker’s decryption oracle queries if we know how those queries were constructed. Two flavours: – Partial (PA1) plaintext awareness, which can be used to prove IND-CCA1 security. – Full (PA2) plaintext awareness, which can be used to prove IND-CCA2 security.

6 PA1: The players The ciphertext creator: the bad guy! A probabilistic, polynomial-time attacker who is trying to determine whether he is interacting with a real decryption oracle or not. The plaintext extractor: the good guy! An algorithm which masquerades as a decryption oracle but doesn’t need to know the private key.

7 PA1: The game [Diagram. Labels: public key; ciphertext C and message m exchanged with the oracle; “Compute m=Dec(sk,C)”; “If b=1 then use plaintext extractor”; “If b=0 then use decryption algorithm”; output b’.]

8 PA1: The interpretation For every ciphertext creator (attacker)… …there exists a plaintext extractor who can successfully deceive the ciphertext creator… …given the ciphertext creator’s random coins. Note that the plaintext extractor knows the ciphertext creator’s general strategy, everything it has done and everything it is going to do.

9 PA2: The rematch We need to allow the ciphertext creator to get access to ciphertexts for which he does not know the underlying message and/or the random coins used to encrypt that message. The plaintext creator: An ally of the bad guy! Any polynomial time algorithm that randomly generates messages and encrypts them.

10 PA2: The game [Diagram. Parties: ciphertext creator, decryption oracle, plaintext creator. Labels: public key, random coins, aux, C, m, b’.]

11 PA2: The interpretation For every ciphertext creator (attacker)… …there exists a plaintext extractor who can successfully deceive the ciphertext creator… …given the ciphertext creator’s random coins… …regardless of what the plaintext creator does. Often regarded as a malleability condition. Note that the plaintext extractor knows the ciphertext creator’s general strategy, and everything it has done in the past, but can’t figure out everything it is going to do in the future.

12 Cramer-Shoup is PA2 plaintext aware

13 Cramer-Shoup The Cramer-Shoup scheme has been proven to be PA1 (under the DHK assumption). It also has an interesting property in that you cannot distinguish real ciphertexts from elements chosen completely at random. Hence, the ability to get hold of new ciphertexts is equivalent to the ability to get hold of random bit strings.

14 PA1+: An intermediary game This paper proposes a new notion of PA. Here the attacker has the ability to get hold of new random bit strings. The randomness oracle: An ally of the bad guy! Randomly generates a bit-string of a fixed length and returns it to the ciphertext creator.

15 PA1+: The game [Diagram. Parties: ciphertext creator, decryption oracle, randomness oracle. Labels: public key, random coins, r, C, m, b’.]

16 PA1+: The interpretation A scheme is PA1+ plaintext aware if for every ciphertext creator (with access to a randomness oracle) there exists a plaintext extractor that can deceive it. Again, the plaintext extractor knows the ciphertext creator’s strategy and past actions, but cannot predict its future actions.

17 PA1+: The interpretation Suppose I wish to convince my boss that I’m a genius, and so I send him all of my papers. My boss needs to decide if I’m a genius or not. My boss will pick one at random and read it. However, suppose that I’m actually a lucky idiot who has only written one decent paper. If I know the random choices that my boss will make when selecting the paper, then I can deceive him.

18 PA1+: The interpretation Suppose I wish to convince my boss that I’m a genius, and so I send him all of my papers. My boss needs to decide if I’m a genius or not. My boss will pick one at random and read it. However, suppose that I’m actually a lucky idiot who has only written one decent paper. If I don’t know the random choices that my boss will make when selecting the paper, then I cannot deceive him.

19 PA1+: The big theorem An encryption scheme that is simulatable and PA1+ is always PA2. Simulatable just means that the real ciphertexts are indistinguishable from randomly generated elements – hence, a plaintext creator is roughly the same as a randomness oracle.

20 Cramer-Shoup The original proof gives that Cramer-Shoup is simulatable. (In fact, simulatable implies IND-CCA2). It is fairly easy to adapt the ideas of Bellare-Palacio to show that Cramer-Shoup is PA1+ under the DHK assumption. Hence, Cramer-Shoup is PA2 plaintext aware.

21 Open problems Prove something is plaintext aware that wasn’t already known to be IND-CCA2. Prove something is plaintext aware without having to prove that it is simulatable. Prove something is plaintext aware without using an extractor-based assumption like DHK. THE END

22 Not the end? The notions of plaintext awareness fit together as you might expect: Perfect PA1 = Perfect PA1+. Thus, perfect simulatable PA1 implies PA2. PA2 ≥ PA1+ ≥ PA1

23 Diffie-Hellman Knowledge A computational assumption for a group G generated by a generator g. [Diagram. Labels: $(g, A)$; $(B, C)$; $b$ (if $B = g^b$ and $C = A^b$).]

24 Diffie-Hellman Knowledge It is meant to be interpreted as “it is impossible to make a Diffie-Hellman tuple without knowing the discrete logarithm of one of the elements”. Not efficiently falsifiable [Naor]. True in the Generic Group Model [Dent,AF] – Although the GGM is not sound [Dent] Used to show that Cramer-Shoup is PA1. Hence considered reasonable to use when showing Cramer-Shoup is PA2.

