A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme...
-
Upload
araceli-wheller -
Category
Documents
-
view
220 -
download
1
Transcript of A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme...
A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1)
Encryption Scheme
Dana Dachman-SoledUniversity of Maryland
CPA, CCA1 and CCA2
CPA, CCA1 and CCA2
๐๐ ,๐ธ๐๐๐๐(๐0) ๐๐ ,๐ธ๐๐๐๐(๐1)
โ
CPA-secure Public Key Encryption
CPA, CCA1 and CCA2
โ
CCA1-secure Public Key Encryption
๐๐ ๐๐
๐ ๐ ๐ ๐
๐๐ ,๐ธ๐๐๐๐(๐0) ๐๐ ,๐ธ๐๐๐๐(๐1)
CPA, CCA1 and CCA2
โ
CCA2-secure Public Key Encryption
๐๐ ๐๐
๐ ๐ ๐ ๐๐โ ๐โ ๐โ ๐โ
๐๐ ,๐ธ๐๐๐๐(๐1)๐๐ ,๐ธ๐๐๐๐(๐0)
Does CPA Security Imply CCA Security?
โข [Naor, Yung 90], [Dolev, Dwork, Naor, 00]โ CPA + NIZK -> CCA1 and CCA2
โข Partial black-box separationโ [Gertner, Malkin, Myers, 07] no โshieldingโ construction of CCA1
from CPA.โข Question remains open!โ Even whether CCA1 -> CCA2 is not known.โ Long line of work showing black-box constructions of CCA2
encryption from lower level primitives.โข [Peikert, Waters 11], [Rosen, Segev, 10], [Kiltz, Mohassel, OโNeill, 10]. . .
โ Our work continues this line of research.
Our Results
โข Note: Construction is black-box, but reduction makes non-black-box use of the CCA2 adversary.
โข [Myers, Sergi, shelat, 12]: Black-box construction of cNM-CCA1-secure encryption from the same assumptions.
โข Our contribution: Extend to full CCA2 setting.โข Construction of a CCA2 scheme from encryption schemes
with โweakerโ security and no additional assumptions.
Theorem: There is a black-box construction of CCA2-secure encryption from plaintext aware (sPA1) and weakly
simulatable public key encryption.
Our AssumptionsโPlaintext Awareness = ciphertext creator, = extractor
Experiment โข pairs of public + secret keys are generatedโข get random coins and public keys as inputโข gets oracle access to decrypts for โข Let be the set of queries asked by โข Experiment outputs 1 if decrypted all queries in
โcorrectly.โ
Encryption scheme is -secure if for every ppt , there exists an extractor s.t. experiment outputs 0 with negligible
probability.
I โknowsโ the underlying plaintext.Note: uses in a non-
black-box manner
Note: No auxiliary input
Our AssumptionsโWeak Simulatability
โข samples โciphertextsโ without knowing the plaintext.โข on input and valid ciphertext outputs coins for โข Correctness:
Candidate constructions satisfying both assumptions ([MSs12]):โข Damgard Elgamal Encryption scheme (DEG)โข Cramer-Shoup lite (CS-lite)
( ๐ โ1 (๐๐ ,๐=๐ธ๐๐๐๐ (๐ ) ) ,๐ ) (๐ , ๐ (๐๐ ,๐ ) )โ
Overview: CCA Proof StrategiesHyrid Public Key Challenge Ciphertext Decryption Oracle
Simulated Simulated Simulated
.
.
.PPT adversary cannot
distinguish consecutive hybrids.
To reduce to security of underlying encryption scheme,
must simulate decryption oracle without knowing secret key.
Main Challenge: Constructing the
simulated decryption oracle
CCA1 from Plaintext Awareness?
โข Trivial: Plaintext Aware scheme is itself CCA1-secure!โ To simulate the decryption oracle without
knowing the secret key, use the Extractor.
CCA2 from Plaintext Awareness?โข Is the plaintext aware scheme itself also CCA2-secure?โข An attempt: As before, simulate decryption oracle using
Extractor.โข Problem: Extractor is no longer guaranteed to work in the
second phase!โ Once adversary receives challenge ciphertext , Extractor can fail.โ E.g. adversary can re-randomize and submit to oracle. โ Note that our candidate Plaintext-Aware schemes are
homomorphic! So these attacks are possible.โข Extractor seems to be useless.
โ At first glance, seems as hard as proving that CCA1 -> CCA2.โ No: Having a faulty extractor algorithm is better than no
extractor.
Our ConstructionCombines techniques from [Hohenberger, Lewko, Waters 12] and [Myers, Sergi, shelat 12]
๐ถ๐ ๐ ๐0=๐ธ๐๐๐ ๐๐ ๐0
(๐ 0) 2. Inner ciphertexts: ๐ถ๐ ๐ ๐1
=๐ธ๐๐๐๐๐ ๐1(๐ 1)
๐ 0โ๐ 1=(๐โจยฟ๐ )
๐ถ๐1 ๐ถ๐ 2 ๐ถ๐ 3
๐1 ,โฆ๐๐=๐๐๐(๐ )
3. Outer ciphertexts:
encryptions of under and randomness
. . . ๐ถ๐ ๐
Public keys are chosen based
on
1. Generate for one-time signature scheme
4. Compute
5. Output:
Proof Intuition
โข Idea: Use extractor to simulate oracle even in the CCA2 case.
โข Now the extractor may answer incorrectly after the adversary receives the challenge ciphertext.
โข Call this event BadExtEvent
Proof Intuition
โข Sequence of hybrids: Show that BadExtEvent occurs with negligible probability in final hybrid.
โข For each hybrid, show that probability BadExtEvent occurs differs by a negligible amount.
โข In order to prove this, reduction must always be able to detect a bad extraction event by comparing the output of the Extractor with the output of .
Hard Case:Detecting BadExtEvent in CPA hybrid
Reduction to CPA security of inner ciphertexts
โข Idea for how to detect BadExtEvent: โ Randomly choose โ Show that the first BadExtEvent occurs on decryption of with
probability .โ Say . CPA adv. knows secret key for but not
โข Can detect first BadExtEvent on . โข Places challenge ciphertext in position.
โ Note that in both hybrids, is individually uniformly distributed.โ Simulated oracle answers correctly until the first BadExtEvent.
๐ 0=๐๐๐๐ ๐ 1=๐๐๐๐ ๐ 0=๐๐๐๐ ๐ 1=๐ 0โ(๐โจยฟ๐ )โ๐ถ๐ ๐ ๐0
โ โ ๐ถ๐ ๐ ๐1โ โ ๐ถ๐ ๐ ๐0
โ โ ๐ถ๐ ๐ ๐1โ โ
XOR to random XOR to
๐ 0=๐๐๐๐ ๐ 0=๐๐๐๐
Future Directions
โข Can high-level proof techniques be useful for constructing CCA2 from CCA1?โ Non-black-box use of the adversary.โ Detecting a โbad eventโ without fully simulating
the decryption oracle.โข Can we reduce the underlying assumptions of
our construction?
Thank you!