Presentation is loading. Please wait.

Presentation is loading. Please wait.

111 Trading Plaintext-Awareness for Simulatability to Achieve Chosen Ciphertext Security Takahiro Matsuda ( ) Goichiro Hanaoka ( )

Published byCatherine Todd Modified over 8 years ago

Similar presentations

Presentation on theme: "111 Trading Plaintext-Awareness for Simulatability to Achieve Chosen Ciphertext Security Takahiro Matsuda ( ) Goichiro Hanaoka ( )"— Presentation transcript:

1 111 Trading Plaintext-Awareness for Simulatability to Achieve Chosen Ciphertext Security Takahiro Matsuda ( ) Goichiro Hanaoka ( ) t-matsuda@aist.go.jp 2016/3/7 Mon. PKC 2016 @Taipei, Taiwan 3/7 - 3/9 This work presents new assumptions for CCA PKE ePrint 2016/235

2 Background It is important to clarify (necessary and) sufficient assumption to realize general cryptographic primitives To better understand how & why we can construct/prove security of the primitives Ultimate goal: Draw a complete map among all cryptographic primitives This work focuses on CCA secure PKE (and KEM) 2 About implications & separations ??? CCA PKE/KEM Desirable security for PKE ・ Security against Bleichenbacher’s attack ・ Implication to NM, UC security

3 3 Background Q. Which primitive(s) implies CCA secure PKE/KEM ?? ??? CCA PKE/KEM CPA PKE + NIZK IBE (or TBE) TDF w/ additional properties Hom. PKE w/ additional properties Lossy PKE w. large PT space CPA PKE + UCE CPA PKE + Point Obf. PKE satisfying sPA1 (for many keys) & weak simulatability Sender NCE + KDM SKE Detectable CCA PKE 1-bit PKE w/ circular security & reproducibility [DDN91] [CHK04,Kiltz06][PW08,RS09,KMO10,Wee10] [HLW12] [HO12] [HO13] [MH14a] [MH14b] [MH15] [HK15] [Dac14] iO + OWF [SW14]

4 Dachman-Soled@PKC’14 [Dac14] 4 PKE satisfying (Statistical) Plaintext Aware1 under 2k+2 keys (sPA1 2k+2 ) & Weak Simulatability CCA PKE Plaintext-Awareness (PA) [BR94,BP04] “If you generate a ciphertext you must know the plaintext” Standard model PA [BP04] has several variations Our focus is on “Statistical PA1” (sPA1), and its “many keys” extension C.f.) CPA + PA1  CCA1 Weak Simulatability [DN00, MMS12] Ciphertext(-like strings) can be sampled obliviously, w/o knowing plaintext m > CPA security k: security parameter

5 Motivation PA typically requires a “knowledge” assumption In addition, [Dac14] needs a “multi-key” extension of PA: ”sPA1” under 2k + 2 keys [MSS12] denoted by sPA1 2k + 2 If x > y ≧ 1, then sPA1 x ≧ sPA1 y, but the opposite implication/separation is unknown [Dac14] observed that it seems difficult to replace PA1 with CCA1 security in her construction We investigate whether the strength of PA in [Dac14] can be weakened, thereby contribute to clarifying new general assumptions for CCA PKE 5 CCA PKE sPA1 2k+2, Weakly Simulatable PKE k: security parameter The number of keys [Dac14]

6 Our Results Based on [Dac14], we show 2 CCA PKE constructions whose assumptions are a “trade-off” with that of [Dac14] sPA1 2, CPA PKE CCA PKE + Trapdoor- Simulatable PKE sPA1 1, 1-Bounded CCA PKE CCA PKE + Trapdoor- Simulatable PKE Const- ruction1 Const- ruction2 (Actually, we construct KEMs)

7 [Dac14] vs. Ours [Dac14] Ours 7 CCA PKE sPA1 2k+2, Weakly Simulatable PKE sPA1 2, CPA PKE + Trapdoor- Simulatable PKE CCA PKE sPA1 1, 1-BCCA PKE + Trapdoor- Simulatable PKE CCA PKE sPA1 2k+2 > sPA1 2 > sPA1 1 Weak simulatability < Trapdoor-simulatability (qualitatively) These are formally incomparable Ours do not require “PA” and “simulatability” to be satisfied by a single building block PKE Ours trade the strength of “PA” for “simulatability” in [Dac14] Our constructions give new recipes for CCA PKE/KEM

8 Overview of Proposed Constructions Based on the “double-layered” construction [MS09,HLW12] Building blocks for outer encryption can be constructed only from Trapdoor simulatable PKE 8 sPA1 2, CPA KEM Double Layer [MS09] CCA KEM Trapdoor Simulatable “Puncturable” TBE [MH14] Trapdoor- Simulatable Commitment Outer encryption Inner encryption Talk Outline : ・ Building Blocks ・ Proposed Constructions ・ Security Proof Overview or sPA1 1, 1-Bounded CCA KEM

9 = “public-key” part of hybrid encryption Useful composition result [Cramer- Shoup03] Key Encapsulation Mechanism (KEM) CCA Security: 9 A b  {0,1} pk, C*, K* b b’ C K Dec. Oracle K = Decap(sk, C) Real K* 1 Random K* 0 CCA KEM CCA SKE + CCA PKE

10 (KEM’s) Statistical PA1 (sPA1) [BP04] ∀ PPT(ciphertext creator), ∃ Stateful PPT(extractor), 10 KiKi Update state st pk, r A CiCi st 0 = (pk, r A )

11 (KEM’s) sPA1 in the Presence of ℓ Keys (sPA1 ℓ ) [MSS12] ∀ PPT(ciphertext creator), ∃ Stateful PPT(extractor), 11 pk 1,…, pk ℓ, r A ( j i, C i ) KiKi st 0 = (pk 1,…, pk ℓ,r A ) Update state st

12 Simulatable PKE and Variants Simulatable PKE [DN00] pk and c can be sampled “obliviously”, w/o knowing actual randomness and/or plaintext, and Honestly generated pk and c can be “explained” that they are generated by oblivious sampling (Simplified) Syntax : (PKG, Enc, Dec) & (oSamp, rSamp) (pk, c)  oSamp(1 k ; r’) r’  rSamp(pk, c) s.t. oSamp(1 k ; r’) = (pk, c) Weak Simulatability [MSS12,Dac14] Only c is obliviously samplable Trapdoor Simulatability [CDMW09] rSamp can use randomness and plaintext used to generate pk and c 12 Weak Simulatability and Trapdoor Simulatability are incompatable (However, W-sim. can be seen weaker because it need not obliviously sample pk) (r’ is a randomness for oblivious sampling)

13 Simulatable PKE and Variants Q. What kinds of PKE satisfy (Trapdoor/Weak) Simulatability? A. PKEs s.t. pk and c look like a pseudorandom string Ex1: PKE based on LWE or (Low-noise) LPN Ex2: ElGamal (and variants) over a suitable elliptic curve (“simulatable” group [Dent06] )  Can be instantiated from standard assumptions 13

14 Puncturable Tag-Based Encryption (PTBE) [DDN91,MH14] TBE with two modes for decryption Core structure of the Dolev-Dwork-Naor construction [DDN91] Correctness of punctured decryption for non-punctured point tag ∀ tag ≠ tag*, ∀ c  TEnc(pk, tag, m): TDec(sk, tag, c) = PTDec(psk tag*, tag, c) = m Extended CPA security [MH14] ≒ CPA security in the presence of psk tag* 14 Key Generation(pk, sk)  TKG(1 k ) Encryptionc  TEnc(tpk, tag, m) Decryption m / ⊥  TDec (tsk, tag, c) Puncturing SKpsk tag*  Punc(sk, tag*) Punctured Decryption m / ⊥  PTDec(psk tag*, tag, c) tag*

15 How to Build Trapdoor Simulatable PTBE/COM from Trapdoor Simulatable PKE 15 Trapdoor Simulatable PTBE Trapdoor Simulatable Commitment DDN-like Construction Trapdoor Simulatable PKE Hash a ciphertext by UOWHF Trapdoor Simulatability + (Target) Binding Defined analogously to PKE (oSamp need to generate psk tag* in addition to (pk, c) ・ Generate 2k key pairs ・ Encrypt m independently by k keys chosen by tag

16 Proposed KEMs Overview Adapt the “Double-Layered” structure of [MS09,HLW12] 16 sPA1 2, CPA KEM Double- Layer CCA KEM Trapdoor Simulatable Punc. TBE Trapdoor Simulatable Commitment Outer Encryption Inner Encryption In our 2nd construction, sPA1 1, 1-Bounded CCA KEM

17 Our 1st Construction KKG: 1. (pk in0, sk in0 )  KKG in 2. (pk in1, sk in1 )  KKG in 3. (tpk, tsk)  TKG 4. ck  CKG PK = (pk in0, pk in1, tpk, ck) SK = (sk in0, sk in1, tsk) Encap(PK): 1. (c in0, α 0 )  Encap in (pk in0 ) 2. (c in1, α 1 )  Encap in (pk in1 ) 3. (r C || r T || K)  α 0 xor α 1 4. tag  Com(ck, (c in0 ||c in1 ); r C ) 5. c  TEnc(tpk, tag, (c in0 ||c in1 ); r T ) 6. C  (tag, c) 7. Return (C, K) 17 Decap(SK, C = (tag, c) ): 1. (c in0 || c in1 )  TDec(tsk, tag, c) 2. α 0  Decap in (sk in0, c in0 ) 3. α 1  Decap in (sk in1, c in1 ) 4. (r C || r T || K)  α 0 xor α 1 5. If Com(ck, (c in0 ||c in1 ); r C ) = tag and TEnc(tpk, tag, (c in0 ||c in1 ); r T ) = c then return K else ⊥ Double-layered structure Inner encryption does multiple encryption by 2 KEMs Randomness for outer encryption is generated from inner KEM In Decap, the validity of outer CT is checked by re-encryption sPA1 2 & CPA KEM TS Punc. TBE CCA KEM TS Com Inner Outer

18 Our 2nd Construction KKG: 1. (pk in, sk in )  KKG in 2. (tpk, tsk)  TKG 3. ck  CKG PK = (pk in, tpk, ck) SK = (sk in, tsk) Encap(PK): 1. (c in, α )  Encap in (pk in ) 2. (r C || r T || K)  α 3. tag  Com(ck, c in ; r C ) 4. c  TEnc(tpk, tag, c in ; r T ) 5. C  (tag, c) 6. Return (C, K) 18 Decap(SK, C = (tag, c) ): 1. (c in0 || c in1 )  TDec(tsk, tag, c) 2. α  Decap in (sk in, c in ) 3. (r C || r T || K)  α 4. If Com(ck, c in ; r C ) = tag and TEnc(tpk, tag, c in ;r T ) = c then return K else ⊥ Inner encryption is replaced by one invocation of KEM sPA1 1 & 1-BCCA KEM TS Punc. TBE CCA KEM TS Com Inner Outer

19 Ideas for Security Proofs … are very similar to [Dac14] Using a CCA adversary for the proposed KEMs, we construct a reduction (CPA adversary) for the inner KEM Binding of commitment allows us to reject all dec. queries (tag, C) s.t. tag* = tag Q. How to answer dec. queries? A. For outer decryption, use punctured SK of PTBE For inner decryption, use a PA1-extractor 19 tag*

20 Illustration of Reduction 20 CCA Adv. CPA instance of inner KEM pk in, c in *, α* C = (tag, c) K or ⊥ Punc TDec tag* Inner CT c in Validity Check by Re-encryption Dec. Result PK = (pk in, tpk, ck) C* = (tag*, c*) K* Reduction (CPA Adv.) ???

21 sPA1 ℓ Security of KEM ∀ PPT(ciphertext creator), ∃ Stateful PPT(extractor), 21 pk 1,… pk ℓ, r A ( j i, C i ) KiKi st 0 = (pk 1,…, pk ℓ,r A ) A Update state st (shown again)

22 Technical Subtleties (1/2) Q1: How to prepare the initial state of ? A1: Use oblivious-sampling algorithms of outer trapdoor-simulatable PTBE & Com 22

23 Illustration of Reduction 23 CCA Adv. C = (tag, c) K or ⊥ tag* PK = (pk in, tpk, ck) C* = (tag*, c*) K* Obliviously sample tpk, ck, tag*, c* Randomness r’ for oblivious sampling pk in0, pk in1, r’ CPA instance of inner KEM pk in, c in *, α* Reduction (CPA Adv.) Inner CT c in Dec. Result Validity Check by Re-encryption Punc TDec

24 Technical Subtleties (2/2) Q2: Is the decryption using consistent with the decryption using the normal decryption algo.? A2: Yes. Thanks to the security properties of the inner KEM, can “detect” if it did an inconsistent answer to a dec. query from 1st construction: multiple-encryption by 2 KEM and sPA1 2 For one position, embeds its CPA instance, and the secret key of the another position is used to detect inconsistency Idea from [Dec14] 2nd construction: 1-bounded CCA and sPA1 1 1 time dec. query by can be used to detect inconsistency Idea from the double-layered constructions papers [MS09,HLW12] Actually, 1-bounded plaintext- checking attack security (1-bounded PCA) is sufficient

25 Why the Tradeoffs in Assumption with [Dac14]? [Dac14] Weak Simulatability only guarantees oblivious sampling for ciphertexts, and hence, the initial state of has to contain public keys for outer encryption as well  Outer encryption in [Dac14] is arranged like “DDN-lite” construction  sPA1 O(k) is required Ours Trapdoor Simulatability allows oblivious sampling also for public keys of outer encryption  All information for outer encryption is obliviously samplable  sPA1 O(1) is sufficient 25

26 Summary sPA1 2, CPA PKE CCA KEM + Trapdoor- Simulatable PKE New recipes for CCA PKE sPA1 1, 1-Bounded CCA PKE CCA KEM + Trapdoor- Simulatable PKE Const- ruction1 Const- ruction2 sPA1 2k+2, Weakly Simulatable PKE CCA PKE C.f.) [Dac14] eprint 2016/235 Our results: 2 CCA secure KEMs

27 On sPA1 1 & 1-Bounded CCA KEM We can construct from based on [DF14]’s CPA-to-1-bounded CCA PKE construction However, if we use such construction to obtain CCA KEM, there is no merit compared to our first construction The merit of the second construction is that in the future, someone may come up with a direct construction better than known methods. As noted in the previous slide, 1-bounded CCA can be weakened to 1-bounded PCA security. Could this help…? 27 sPA1 1, 1-Bounded CCA KEM sPA1 O(k), CPA KEM

Download ppt "111 Trading Plaintext-Awareness for Simulatability to Achieve Chosen Ciphertext Security Takahiro Matsuda ( ) Goichiro Hanaoka ( )"

Similar presentations

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland.

A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland.
Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013.

Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Hybrid Signcryption with Insider Security Alexander W. Dent.

Hybrid Signcryption with Insider Security Alexander W. Dent.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.

On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.
Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.

Public-Key Encryption in the Bounded-Retrieval Model Joël Alwen, Yevgeniy Dodis, Moni Naor, Gil Segev, Shabsi Walfish, Daniel Wichs Earlier Today: Yevgeniy.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Similar presentations

Ads by Google