1/28 Chosen-Ciphertext Security from Identity-Based Encryption
Jonathan Katz (U. Maryland); Ran Canetti, Shai Halevi (IBM)

2/28 Motivation
- Security against chosen-ciphertext attacks (“CCA security”) is a powerful and useful notion
  – Often the security notion of choice when using encryption within a larger protocol
- Provably-secure constructions both theoretically and practically important

3/28 Motivation…
- Bidding on vouchers for this afternoon’s excursion…
[Figure: voucher holder with PK; desperate bidders send C_1 = E_PK(bid_1) and C_2 = E_PK(bid_2)]
- In general, nothing preventing bid_2 = bid_1 + 1 (secrecy of bid_1 not violated)
- Need non-malleability [DDN91]!
- Implied by CCA security [DDN91, BDPR98]

4/28 Known Constructions?
- Essentially only two techniques known for achieving CCA security (without random oracles):
  – Using NIZK, general assumptions [DDN91, S99, L03] (based on [NY90])
  – Specific assumptions, “smooth hash proofs” [CS98, CS02, GL03, CS03]

5/28 Known Paradigms?
- In fact, almost all constructions are essentially “the same” [ES04]
  – Different instantiations of the same underlying paradigm
  – Very roughly: certain type of CPA-secure scheme plus “proof of well-formedness”
- NM-NIZK in [Sahai99, L03]
- Smooth hash proof systems in [CS98, CS02, GL03, CS03]

6/28 Overview of our Results
- We show a new technique for achieving chosen-ciphertext security
  – The technique does not (seem to) follow previously-known paradigms
- Our approach (along with other work) yields new CCA-secure schemes
  – Competitive with best previously known
  – Stay tuned for the next talk…

7/28 More Details…
- We show a simple and efficient way to achieve CCA security using any IBE scheme
- The IBE scheme needs to satisfy only a relatively “weak” notion of security
  – Achieved by IBE schemes of [CHK03, BB04]
  – Result: new CCA-secure schemes!
- Applications to CCA security for IBE, HIBE, BTE, and FSE…

8/28 Review of definitions

9/28 CCA Security
- Consider the following game [RS91]:
  – (PK, SK) generated at random
  – Adversary Adv given PK; can ask decryption oracle queries D_SK(·)
  – Adv outputs (m_0, m_1); given C ← E_PK(m_b) for random b; may continue to ask decryption queries (but not C itself)
  – Adv outputs b’; succeeds if b’ = b

10/28 CCA Security
- An encryption scheme is CCA-secure if |Pr_Adv[Succ] - ½| is negligible for all poly-time Adv

11/28 ID-Based Encryption (IBE)
- Overview:
  – PKG generates (PK, MSK)
  – PK publicly distributed…
  – For any string (identity) ID, the PKG, using MSK, can issue a secret key SK_ID
  – (ID, SK_ID), along with PK, acts as a public/private key pair for a standard encryption scheme

12/28 Security?
- (Informally:) Knowledge of the secret keys for users I = {ID_1, …, ID_n} does not allow adversary to “break” the scheme for any ID’ ∉ I
  – “Strong” IBE: choice of ID’ may depend on PK [BF01]
  – “Weak” IBE: ID’ is fixed independently of PK [CHK03]

13/28 More Formally…
- Consider the following game ([CHK03], adapting [BF01]):
  – Adv specifies challenge identity ID*
  – (PK, MSK) generated at random; Adv given PK
  – Adv may (adaptively) request secret keys for any ID’s other than ID*
  – Adv outputs (m_0, m_1), and is then given C ← E_PK(ID*, m_b) for random b

14/28 Definition, continued…
  – Adv may continue to request secret keys for ID’s other than ID*
  – Adv outputs b’; succeeds if b’ = b
- An IBE is “weakly” secure if |Pr_Adv[Succ] - ½| is negligible for all poly-time Adv

15/28 Known Constructions?
- “Strong” IBE: [C01, BF01], both in random oracle model
- “Weak” IBE: [CHK03, BB04]
- “Strong” IBE: [BB04, to appear]

16/28 From IBE to chosen-ciphertext security

17/28 Our Construction
- Key generation:
  – Run PKG algorithm to obtain (PK, MSK)
  – Public key is PK; secret key is MSK
- To encrypt m using PK
  – Generate (vk, sk) for signature scheme
  – Encrypt m using PK and “identity” vk
  – Sign resulting ciphertext using sk
  – Send (vk, C, σ)

18/28 Decryption…
- To decrypt (vk, C, σ):
  – Verify signature…
  – Use MSK to generate the secret key SK_VK for the “identity” vk
  – Use SK_VK to decrypt C
  – (Erase SK_VK)

19/28 Theorem Statement
- If the IBE scheme is weakly secure, and a strong, one-time signature scheme is used, the resulting encryption scheme is secure against adaptive chosen-ciphertext attacks

20/28 Proof Intuition
- Let challenge ciphertext be (vk, C, σ)
- Adv submits different (vk’, C’, σ’) to its decryption oracle
  – Clearly, vk’ ≠ vk
  – So C’ will be decrypted with respect to a different “identity” vk’
  – Even if Adv were given SK_VK’ itself, encryption to vk would still be secure!
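
The construction and decryption steps of slides 17-18, and the vk’ ≠ vk case from the proof intuition, as an added Python sketch (not code from the talk or its authors). Assumptions: a Lamport one-time signature stands in for the signature scheme, which the slides do not name, and `ToyIBE` is a hypothetical, insecure placeholder that only mimics the Extract/Encrypt/Decrypt interface of an IBE; all function and class names are made up for this example.

```python
import hashlib, hmac, os

def H(b): return hashlib.sha256(b).digest()

# Lamport one-time signature over SHA-256; a fresh key pair is made per ciphertext.
def ots_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return b"".join(H(x) for pair in sk for x in pair), sk   # (vk, sk)

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def ots_sign(sk, msg):
    return b"".join(sk[i][b] for i, b in enumerate(_bits(msg)))

def ots_verify(vk, msg, sig):
    if len(vk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    return all(H(sig[32*i:32*i+32]) == vk[64*i+32*b:64*i+32*b+32]
               for i, b in enumerate(_bits(msg)))

class ToyIBE:
    """INSECURE stand-in that only mimics the IBE interface (assumption).
    A real IBE encrypts from PK alone; this toy reuses MSK to stay short."""
    def __init__(self):
        self.msk = os.urandom(32)                      # PKG setup
    def extract(self, identity):                       # MSK, ID -> SK_ID
        return hmac.new(self.msk, identity, hashlib.sha256).digest()
    def encrypt(self, identity, m):                    # E_PK(ID, m) placeholder
        return self.decrypt(self.extract(identity), m)
    @staticmethod
    def decrypt(sk_id, c):                             # XOR keystream from SK_ID
        stream = hashlib.shake_256(sk_id).digest(len(c))
        return bytes(x ^ y for x, y in zip(c, stream))

def cca_encrypt(ibe, m):
    vk, sk = ots_keygen()              # generate (vk, sk) for the signature scheme
    c = ibe.encrypt(vk, m)             # encrypt m to "identity" vk
    return vk, c, ots_sign(sk, c)      # send (vk, C, sigma)

def cca_decrypt(ibe, ct):
    vk, c, sig = ct
    if not ots_verify(vk, c, sig):     # verify signature before using MSK
        return None
    sk_vk = ibe.extract(vk)            # transient SK_VK, dropped on return
    return ibe.decrypt(sk_vk, c)
```

With a constructed plaintext such as `b"bid=100"`, flipping the last ciphertext bit would turn the toy's XOR-encrypted bid into `bid=101`, but `cca_decrypt` returns `None` because σ no longer verifies; re-signing the altered C under a new vk’ makes it decrypt under a different identity, so the result is unrelated to the original bid.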

21/28 Remarks
- Weak IBE security is enough to achieve adaptive CCA security
  – vk chosen by encryption oracle, not by the adversary
- The conversion is efficient
- Non-adaptive CCA security can be achieved with virtually no overhead

22/28 Extensions and further applications

23/28 Binary Tree Enc. (BTE)
- Introduced by [CHK03]
- As before, PKG generates (PK, MSK)
- PKG viewed as “identity” ε with secret key SK_ε = MSK
- Any secret key SK_w can be used to derive secret keys SK_w0 and SK_w1
- (ID, SK_ID) acts as a public/private key pair for a standard encryption scheme

24/28 “Weak” Security
- Ancestors of (ID_1 … ID_n) are identities of the form (ID_1 … ID_i) for 1 ≤ i ≤ n
- (Informally:) Secret keys for any set of users I does not allow an adversary to “break” the scheme for any ID having no ancestors in I
- Constructions in standard model known ([CHK03, BB04], building on [GS02])

25/28 Our Construction
- CCA-secure (weak) BTE from CPA-secure (weak) BTE:
  – (Consider fixed-length BTE)
  – Key generation as before
  – To encrypt m for identity ID: generate (vk, sk), encrypt m for “identity” ID|vk, and sign ciphertext using sk
  – As before, decrypt using SK_ID by first generating “transient” SK_ID|vk

26/28 Results
- This approach yields a CCA-secure (weak) BTE scheme from any CPA-secure (weak) BTE scheme
- CPA-secure BTE ⇒ CCA-secure BTE
  – Analogous result not known for the case of standard public-key encryption

27/28 Applications
- (Weak) BTE implies (weak) IBE, (weak) HIBE, and forward-secure encryption [CHK03]
- Our results yield CCA-secure constructions of these primitives more efficient than those previously known

28/28 Summary
- New method for constructing CCA-secure public-key encryption
- Gives new, practical CCA-secure schemes in standard model
- Further applications to CCA-security in other contexts

