Chosen-Ciphertext Security from Identity-Based Encryption

  • Chosen-Ciphertext Security from Identity-Based Encryption
      - Jonathan Katz (U. Maryland)
      - Ran Canetti, Shai Halevi (IBM)

  • Motivation
      - Security against chosen-ciphertext attacks ("CCA security") is a powerful and useful notion
      - Often the security notion of choice when using encryption within a larger protocol
      - Provably-secure constructions both theoretically and practically important

  • Motivation
      - Bidding on vouchers for this afternoon's excursion
      - (Diagram labels: voucher holder; desperate bidders)
      - In general, nothing preventing bid2 = bid1 + 1 (secrecy of bid1 not violated)
      - Need non-malleability [DDN91]!
      - Implied by CCA security [DDN91, BDPR98]

  • Known Constructions?
      - Essentially only two techniques known for achieving CCA security (without random oracles):
          - Using NIZK, general assumptions [DDN91, S99, L03] (based on [NY90])
          - Specific assumptions, smooth hash proofs [CS98, CS02, GL03, CS03]

  • Known Paradigms?
      - In fact, almost all constructions are essentially the same [ES04]
      - Different instantiations of the same underlying paradigm
      - Very roughly: certain type of CPA-secure scheme plus "proof of well-formedness"
          - NM-NIZK in [Sahai99, L03]
          - Smooth hash proof systems in [CS98, CS02, GL03, CS03]

  • Overview of our Results
      - We show a new technique for achieving chosen-ciphertext security
      - The technique does not (seem to) follow previously-known paradigms
      - Our approach (along with other work) yields new CCA-secure schemes
          - Competitive with best previously known
          - Stay tuned for the next talk

  • More Details
      - We show a simple and efficient way to achieve CCA security using any IBE scheme
      - The IBE scheme needs to satisfy only a relatively weak notion of security
          - Achieved by IBE schemes of [CHK03, BB04]
      - Result: new CCA-secure schemes!
      - Applications to CCA security for IBE, HIBE, BTE, and FSE

  • Review of definitions

  • CCA Security
      - Consider the following game [RS91]:
          - (PK, SK) generated at random
          - Adversary Adv given PK; can ask decryption oracle queries D_SK(·)
          - Adv outputs (m_0, m_1); given C ← E_PK(m_b) for random b; may continue to ask decryption queries (but not C itself)
          - Adv outputs b'; succeeds if b' = b

  • CCA Security
      - An encryption scheme is CCA-secure if |Pr_Adv[Succ] − 1/2| is negligible for all poly-time Adv

  • ID-Based Encryption (IBE)
      - Overview:
          - PKG generates (PK, MSK)
          - PK publicly distributed
          - For any string (identity) ID, the PKG, using MSK, can issue a secret key SK_ID
          - (ID, SK_ID), along with PK, acts as a public/private key pair for a standard encryption scheme

  • Security?
      - (Informally:) Knowledge of the secret keys for users I = {ID_1, ..., ID_n} does not allow adversary to break the scheme for any ID ∉ I
      - "Strong" IBE: choice of ID may depend on PK [BF01]
      - "Weak" IBE: ID is fixed independently of PK [CHK03]

  • More Formally
      - Consider the following game ([CHK03], adapting [BF01]):
          - Adv specifies challenge identity ID*
          - (PK, MSK) generated at random; Adv given PK
          - Adv may (adaptively) request secret keys for any IDs other than ID*
          - Adv outputs (m_0, m_1), and is then given C ← E_PK(ID*, m_b) for random b

  • Definition, continued
      - Adv may continue to request secret keys for IDs other than ID*
      - Adv outputs b'; succeeds if b' = b
      - An IBE is weakly secure if |Pr_Adv[Succ] − 1/2| is negligible for all poly-time Adv

  • Known Constructions?
      - Strong IBE: [C01, BF01], both in random oracle model
      - Weak IBE: [CHK03, BB04]
      - Strong IBE: [BB04, to appear]

  • From IBE to chosen-ciphertext security

  • Our Construction
      - Key generation:
          - Run PKG algorithm to obtain (PK, MSK)
          - Public key is PK; secret key is MSK
      - To encrypt m using PK:
          - Generate (vk, sk) for signature scheme
          - Encrypt m using PK and "identity" vk
          - Sign resulting ciphertext using sk
          - Send (vk, C, σ)

  • Decryption
      - To decrypt (vk, C, σ):
          - Verify signature
          - Use MSK to generate the secret key SK_vk for the "identity" vk
          - Use SK_vk to decrypt C
          - (Erase SK_vk)

  • Theorem Statement
      - If the IBE scheme is weakly secure, and a strong, one-time signature scheme is used, the resulting encryption scheme is secure against adaptive chosen-ciphertext attacks

  • Proof Intuition
      - Let challenge ciphertext be (vk, C, σ)
      - Adv submits different (vk', C', σ') to its decryption oracle
      - Clearly, vk' ≠ vk
      - So C' will be decrypted with respect to a different "identity" vk'
      - Even if Adv were given SK_vk' itself, encryption to vk would still be secure!

  • Remarks
      - Weak IBE security is enough to achieve adaptive CCA security
          - vk chosen by encryption oracle, not by the adversary
      - The conversion is efficient
      - Non-adaptive CCA security can be achieved with virtually no overhead
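
The key generation, encryption and decryption slides above as running code. This is an added example, not code from the talk or its authors. It assumes stand-ins the slides do not specify: Cocks' quadratic-residuosity IBE (chosen because it needs no pairing library; its security proof is in the random oracle model), a Lamport one-time signature over SHA-256, a toy modulus built from two Mersenne primes, and single-bit messages. All function names are hypothetical.

```python
import hashlib, secrets
P, Q = 2**127 - 1, 2**89 - 1   # MSK: constructed toy primes (Mersenne, both 3 mod 4)
N = P * Q                      # PK
H = lambda b: hashlib.sha256(b).digest()

def jacobi(a, n):              # Jacobi symbol (a/n) for odd n
    a, r = a % n, 1
    while a:
        while a % 2 == 0:
            a, r = a // 2, (-r if n % 8 in (3, 5) else r)
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3: r = -r
        a %= n
    return r if n == 1 else 0

def h_id(ident, ctr=0):        # hash identity to a with (a/N) = 1
    a = int.from_bytes(H(ident + bytes([ctr])), "big") % N
    return a if jacobi(a, N) == 1 else h_id(ident, ctr + 1)
def ibe_extract(ident):        # PKG only (uses P, Q): r with r*r = +a or -a mod N
    return pow(h_id(ident), (N + 5 - P - Q) // 8, N)

def ibe_encrypt(ident, bit):   # Cocks: one value for the +a case, one for -a
    a, out = h_id(ident), []
    for s in (a, N - a):
        t = 0
        while jacobi(t, N) != 1 - 2 * bit: t = secrets.randbelow(N)
        out.append((t + s * pow(t, -1, N)) % N)
    return tuple(out)
def ibe_decrypt(ident, r, c):
    s = c[0] if r * r % N == h_id(ident) else c[1]
    return (1 - jacobi(s + 2 * r, N)) // 2

def ots_keygen():              # Lamport one-time signature over SHA-256
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return b"".join(H(x) for pair in sk for x in pair), sk
bits = lambda m: [(int.from_bytes(H(m), "big") >> i) & 1 for i in range(256)]
def ots_sign(sk, m): return [sk[i][b] for i, b in enumerate(bits(m))]
def ots_verify(vk, m, sig):
    return len(sig) == 256 and all(
        H(s) == vk[64*i + 32*b:][:32] for i, (b, s) in enumerate(zip(bits(m), sig)))

def cca_encrypt(bit):          # fresh (vk, sk) per ciphertext; vk is the "identity"
    vk, sk = ots_keygen()
    c = ibe_encrypt(vk, bit)
    return vk, c, ots_sign(sk, repr(c).encode())

def cca_decrypt(ct):           # verify first, then derive the transient SK_vk
    vk, c, sig = ct
    if not ots_verify(vk, repr(c).encode(), sig): return None
    return ibe_decrypt(vk, ibe_extract(vk), c)
```

A modified C under the original vk is rejected by the signature check. Re-signing C under a fresh vk passes verification but is decrypted under a different identity, which is the case the proof intuition slide covers.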

  • Extensions and further applications

  • Binary Tree Enc. (BTE)
      - Introduced by [CHK03]
      - As before, PKG generates (PK, MSK)
      - PKG viewed as identity with secret key SK = MSK
      - Any secret key SK_w can be used to derive secret keys SK_w0 and SK_w1
      - (ID, SK_ID) acts as a public/private key pair for a standard encryption scheme

  • Weak Security
      - Ancestors of (ID_1 ... ID_n) are identities of the form (ID_1 ... ID_i) for 1 ≤ i ≤ n
      - (Informally:) Secret keys for any set of users I do not allow an adversary to break the scheme for any ID having no ancestors in I
      - Constructions in standard model known ([CHK03, BB04], building on [GS02])

  • Our Construction
      - CCA-secure (weak) BTE from CPA-secure (weak) BTE:
          - (Consider fixed-length BTE)
          - Key generation as before
          - To encrypt m for identity ID: generate (vk, sk), encrypt m for "identity" ID|vk, and sign ciphertext using sk
          - As before, decrypt using SK_ID by first generating transient SK_ID|vk

  • Results
      - This approach yields a CCA-secure (weak) BTE scheme from any CPA-secure (weak) BTE scheme
          - CPA-secure BTE ⇒ CCA-secure BTE
      - Analogous result not known for the case of standard public-key encryption

  • Applications
      - (Weak) BTE implies (weak) IBE, (weak) HIBE, and forward-secure encryption [CHK03]
      - Our results yield CCA-secure constructions of these primitives more efficient than those previously known

  • Summary
      - New method for constructing CCA-secure public-key encryption
      - Gives new, practical CCA-secure schemes in standard model
      - Further applications to CCA-security in other contexts