Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 eill Adam O’Neill Georgetown University Joint work with Dana Dachman-Soled (Univ. of Maryland), Georg Fuchsbauer (IST Austria), and Payman Mohassel (Univ.

Published byJulia Byrd Modified over 8 years ago

Similar presentations

Presentation on theme: "1 eill Adam O’Neill Georgetown University Joint work with Dana Dachman-Soled (Univ. of Maryland), Georg Fuchsbauer (IST Austria), and Payman Mohassel (Univ."— Presentation transcript:

1 1 eill Adam O’Neill Georgetown University Joint work with Dana Dachman-Soled (Univ. of Maryland), Georg Fuchsbauer (IST Austria), and Payman Mohassel (Univ. of Calgary)

2 The talk will consist of three parts:  Definitions. Randomness-recovering PKE and enhanced chosen-ciphertext (ECCA) security.  Constructions. Achieving ECCA security from adaptive trapdoor functions.  Applications. Public-key encryption with non- interactive opening (time permitting). 2

3 3

4  In encryption, we typically think of decryption as a way for the receiver to recover a sender’s message.  In a randomness-recovering scheme, the receiver is able to recover a sender’s random coins as well. 4

5 5  A randomness-recovering public-key encryption (RR- PKE) scheme consists of four algorithms:

6  We require that.  We say that randomness recovery is unique if in addition.  Some applications of RR-PKE require uniqueness, for others (e.g. PKENO) non-unique is OK as long as there is no decryption error. 6

7 7 Repeats ! Hard to guess b Require

8 8 Repeats ! Hard to guess b Require

9 Theorem. Let be a CCA-secure RR-PKE scheme. Then there is a modified scheme that remains CCA-secure but is not ECCA-secure. Proof idea: 9 To prove CCA-security switch c* to encrypt 1; now, assuming no decryption error, it’s impossible to make Dec’ return sk!

10 Theorem. Let be a CCA-secure RR-PKE scheme. Then there is a modified scheme that remains CCA-secure but is not ECCA-secure. Motivates finding new (or existing) constructions that can be proven ECCA-secure! 10

11 11

12 A trapdoor function generator is such that where describes a function on k-bits and its inverse. 12

13 13 Hard to guess x

14 10 Repeats ! Hard to guess x Introduced by [KMO’10]  Constructions from lossy [PW’08] and correlated-product [RS’09] TDFs.  Implies CCA-secure PKE. Require

15 Theorem. ATDFs implies (unique) ECCA-secure RR-PKE. 15 Previously [KMO’10] constructed CCA-secure PKE from ATDFs, so let’s start there. The approach of [KMO’10] is as follows:  First construct a “one-bit” CCA-secure scheme from ATDFs.  Then compile the “one-bit” scheme to a “many-bit” scheme using [MS’09].

16 Let be a TDF generator with hardcore bit. Define the one-bit encryption algorithm via: 16 But trivially malleable no matter what is assumed about the hardcore bit  Hardcore bit

17 Let be a TDF generator with hardcore bit. Define the one-bit encryption algorithm via: 17 But this approach is not sufficient for us because: It gives non-unique randomness recovery  [MS’09] compiler preserves neither randomness recovery nor “enhanced” security  Rejection sampling

18 CCA security relative to a relation R on ciphertexts. 18 Repeats ! Hard to guess b Require AND [HLW’12] (building on [MS’09]) shows that any DCCA-secure scheme (for a “suitable” relation R) can be compiled into a CCA-secure scheme.

19 We now construct ECCA (uniquely) RR-PKE from ATDFs in three steps:  Show the “naïve” one-bit scheme is (1) randomness- recovering and (2) “enhanced” DCCA-secure.  Get a multi-bit “enhanced” DCCA-secure RR-PKE scheme by showing (1) and (2) are preserved under parallel composition.  Finally, show the compiler of [HLW’12] also preserves both (1) and (2) while boosting DCCA to CCA security. 19

20 20

21 Allows a receiver to non-interactively prove a ciphertext c decrypts to a claimed message m. Suggestion of [DT’08]: use RR-PKE where the recovered coins are the proof. 21 We observe that security of this suggestion fundamentally requires ECCA-security! Our techniques lead to the first secure (and even efficient) instantiations.

22 We gave definitions, constructions, and applications of enhanced CCA (ECCA) security. Not covered (see paper):  Using ECCA to prove equivalence of tag-based and standard ATDFs.  Efficient constructions of ECCA and PKENO. Open problems:  Relation between ATDFs and TDFs.  Other ECCA-secure constructions (e.g. using non- black-box assumptions?) 22

23 23

Download ppt "1 eill Adam O’Neill Georgetown University Joint work with Dana Dachman-Soled (Univ. of Maryland), Georg Fuchsbauer (IST Austria), and Payman Mohassel (Univ."

Similar presentations

CS555Spring 2012/Topic 171 Cryptography CS 555 Topic 17: Textbook RSA encryption.

CS555Spring 2012/Topic 171 Cryptography CS 555 Topic 17: Textbook RSA encryption.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Dual System Encryption: Concept, History and Recent works Jongkil Kim.

Dual System Encryption: Concept, History and Recent works Jongkil Kim.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.

On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
Immunizing Encryption Schemes from Decryption Errors Cynthia Dwork Moni Naor Omer Reingold Weizmann Institute of ScienceMicrosoft Research.

Immunizing Encryption Schemes from Decryption Errors Cynthia Dwork Moni Naor Omer Reingold Weizmann Institute of ScienceMicrosoft Research.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Ads by Google