Chosen-Ciphertext Security from Identity-Based Encryption

Jonathan Katz, U. Maryland

Ran Canetti, Shai Halevi, IBM

Motivation

• Security against chosen-ciphertext attacks (“CCA security”) is a powerful and useful notion
  – Often the security notion of choice when using encryption within a larger protocol

• Provably-secure constructions both theoretically and practically important

Motivation…

Bidding on vouchers for this afternoon’s excursion…

[Figure: voucher holder (PK) and desperate bidders]

C1 = E_PK(bid1)

C2 = E_PK(bid2)

• In general, nothing preventing bid2 = bid1+1 (secrecy of bid1 not violated)

• Need non-malleability [DDN91]!

• Implied by CCA security [DDN91, BDPR98]
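
The bid2 = bid1+1 problem made concrete, as an added example that is not from the talk: with textbook "exponential" ElGamal, anyone holding C1 can produce an encryption of bid1+1 without learning bid1. The 127-bit modulus, the generator 3 and the function names are assumptions chosen for a quick demonstration, not usable parameters.

```python
import secrets

# Constructed toy group (assumed parameters, far too small for real use):
# P = 2^127 - 1 is prime and 3^80 < P, so g^0 .. g^80 are all distinct.
P = 2**127 - 1
G = 3

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk                      # (PK, SK)

def encrypt(pk, bid):
    """Exponential ElGamal: C = (g^r, g^bid * PK^r)."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), pow(G, bid, P) * pow(pk, r, P) % P

def decrypt(sk, ct, max_bid=80):
    """Recover g^bid, then search the small bid range for the exponent."""
    c1, c2 = ct
    g_bid = c2 * pow(c1, P - 1 - sk, P) % P       # c2 / c1^sk
    acc = 1
    for bid in range(max_bid + 1):
        if acc == g_bid:
            return bid
        acc = acc * G % P
    return None

def outbid(ct):
    """What a second bidder can do with C1 alone: E(bid1) -> E(bid1 + 1).
    Needs neither SK nor bid1, so the secrecy of bid1 is untouched."""
    c1, c2 = ct
    return c1, c2 * G % P
```

A non-malleable (CCA-secure) scheme has to make the output of `outbid` useless to the second bidder.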

Known Constructions?

• Essentially only two techniques known for achieving CCA security (without random oracles):

– Using NIZK, general assumptions [DDN91, S99, L03] (based on [NY90])

– Specific assumptions, “smooth hash proofs” [CS98, CS02, GL03, CS03]

Known Paradigms?

• In fact, almost all constructions are essentially “the same” [ES04]
  – Different instantiations of the same underlying paradigm
  – Very roughly: certain type of CPA-secure scheme plus “proof of well-formedness”
    • NM-NIZK in [Sahai99, L03]
    • Smooth hash proof systems in [CS98, CS02, GL03, CS03]

Overview of our Results

• We show a new technique for achieving chosen-ciphertext security
  – The technique does not (seem to) follow previously-known paradigms

• Our approach (along with other work) yields new CCA-secure schemes
  – Competitive with best previously known
  – Stay tuned for the next talk…

More Details…

• We show a simple and efficient way to achieve CCA security using any IBE scheme

• The IBE scheme needs to satisfy only a relatively “weak” notion of security
  – Achieved by IBE schemes of [CHK03, BB04]
  – Result: new CCA-secure schemes!

• Applications to CCA security for IBE, HIBE, BTE, and FSE…

Review of definitions

CCA Security

• Consider the following game [RS91]:
  – (PK, SK) generated at random
  – Adversary Adv given PK; can ask decryption oracle queries D_SK(.)
  – Adv outputs (m0, m1); given C E_PK(mb) for random b; may continue to ask decryption queries (but not C itself)
  – Adv outputs b’; succeeds if b’=b

CCA Security

• An encryption scheme is CCA-secure if |Pr_Adv[Succ] – ½| is negligible for all poly-time Adv

ID-Based Encryption (IBE)

• Overview:
  – PKG generates (PK, MSK)
  – PK publicly distributed…
  – For any string (identity) ID, the PKG, using MSK, can issue a secret key SK_ID
  – (ID, SK_ID), along with PK, acts as a public/private key pair for a standard encryption scheme

Security?

• (Informally:) Knowledge of the secret keys for users I = {ID1, …, IDn} does not allow adversary to “break” the scheme for any ID’I
  – “Strong” IBE: choice of ID’ may depend on PK [BF01]
  – “Weak” IBE: ID’ is fixed independently of PK [CHK03]

More Formally…

• Consider the following game ([CHK03], adapting [BF01]):
  – Adv specifies challenge identity ID*
  – (PK, MSK) generated at random; Adv given PK
  – Adv may (adaptively) request secret keys for any ID’s other than ID*
  – Adv outputs (m0, m1), and is then given C E_PK(ID*, mb) for random b

Definition, continued…

– Adv may continue to request secret keys for ID’s other than ID*

– Adv outputs b’; succeeds if b’ = b

• An IBE is “weakly” secure if |Pr_Adv[Succ] – ½| is negligible for all poly-time Adv

Known Constructions?

• “Strong” IBE: [C01, BF01], both in random oracle model

• “Weak” IBE: [CHK03, BB04]

• “Strong” IBE: [BB04, to appear]

From IBE to chosen-ciphertext security

Our Construction

• Key generation:
  – Run PKG algorithm to obtain (PK, MSK)
  – Public key is PK; secret key is MSK

• To encrypt m using PK
  – Generate (vk, sk) for signature scheme
  – Encrypt m using PK and “identity” vk
  – Sign resulting ciphertext using sk
  – Send (vk, C, )

Decryption…

• To decrypt (vk, C, ):
  – Verify signature…
  – Use MSK to generate the secret key SK_vk for the “identity” vk
  – Use SK_vk to decrypt C
  – (Erase SK_vk)

Theorem Statement

• If the IBE scheme is weakly secure, and a strong, one-time signature scheme is used, the resulting encryption scheme is secure against adaptive chosen-ciphertext attacks

Proof Intuition

• Let challenge ciphertext be (vk, C, )

• Adv submits different (vk’, C’, ’) to its decryption oracle
  – Clearly, vk’ vk
  – So C’ will be decrypted with respect to a different “identity” vk’
  – Even if Adv were given SK_vk’ itself, encryption to vk would still be secure!
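
The key generation, encryption and decryption steps of the construction, together with the re-signing case from the proof intuition, as added example code (not the authors'). The one-time signature is a Lamport scheme over SHA-256; the IBE is replaced by a labelled stand-in whose PK equals MSK, so the code exercises only the data flow of the construction, and all function names are assumptions.

```python
import hashlib, hmac, os

def H(b):
    return hashlib.sha256(b).digest()

# --- Lamport one-time signature over SHA-256 (vk is one flat byte string) ---
def ots_keygen():
    sk = [os.urandom(32) for _ in range(512)]      # two preimages per digest bit
    return b"".join(H(s) for s in sk), sk          # (vk, sk)
def _slots(msg):
    d = int.from_bytes(H(msg), "big")
    return [2 * i + ((d >> i) & 1) for i in range(256)]
def ots_sign(sk, msg):
    return [sk[j] for j in _slots(msg)]
def ots_verify(vk, msg, sig):
    if len(vk) != 512 * 32 or len(sig) != 256:
        return False
    return all(H(s) == vk[32 * j:32 * j + 32] for s, j in zip(sig, _slots(msg)))

# --- Stand-in for the IBE. NOT an IBE: PK equals MSK, so it gives no security
# --- and only lets the wrapper below run without a pairing library (assumption).
def ibe_setup():
    k = os.urandom(32)
    return k, k                                    # (PK, MSK)
def ibe_extract(msk, ident):
    return hmac.new(msk, ident, "sha256").digest() # SK_ID
def _xor(key, data):
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))
def ibe_encrypt(pk, ident, m):
    k = ibe_extract(pk, ident)                     # possible only because PK == MSK
    body = _xor(k, m)
    return body + hmac.new(k, body, "sha256").digest()
def ibe_decrypt(sk_id, c):
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(sk_id, body, "sha256").digest()):
        return None                                # key for a different identity
    return _xor(sk_id, body)

# --- The construction from the slides ---
def encrypt(pk, m):
    vk, sk = ots_keygen()                          # fresh (vk, sk) per ciphertext
    c = ibe_encrypt(pk, vk, m)                     # vk is the "identity"
    return vk, c, ots_sign(sk, c)                  # sk is discarded after one use
def decrypt(msk, ct):
    vk, c, sig = ct
    if not ots_verify(vk, c, sig):                 # verify before using MSK
        return None
    sk_vk = ibe_extract(msk, vk)                   # transient key for identity vk
    return ibe_decrypt(sk_vk, c)                   # sk_vk goes out of scope here
```

A ciphertext whose C is altered fails the signature check, and one re-signed under a different vk’ passes it but is decrypted under the key for identity vk’, which does not open C.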

Remarks

• Weak IBE security is enough to achieve adaptive CCA security
  – vk chosen by encryption oracle, not by the adversary

• The conversion is efficient

• Non-adaptive CCA security can be achieved with virtually no overhead

Extensions and further applications

Binary Tree Enc. (BTE)

• Introduced by [CHK03]

• As before, PKG generates (PK, MSK)

• PKG viewed as “identity” with secret key SK = MSK

• Any secret key SK_w can be used to derive secret keys SK_w0 and SK_w1

• (ID, SK_ID) acts as a public/private key pair for a standard encryption scheme

“Weak” Security

• Ancestors of (ID1…IDn) are identities of the form (ID1…IDi) for 1 i n

• (Informally:) Secret keys for any set of users I do not allow an adversary to “break” the scheme for any ID having no ancestors in I

• Constructions in standard model known ([CHK03, BB04], building on [GS02])

Our Construction

• CCA-secure (weak) BTE from CPA-secure (weak) BTE:
  – (Consider fixed-length BTE)
  – Key generation as before
  – To encrypt m for identity ID: generate (vk, sk), encrypt m for “identity” ID|vk, and sign ciphertext using sk
  – As before, decrypt using SK_ID by first generating “transient” SK_ID|vk

Results

• This approach yields a CCA-secure (weak) BTE scheme from any CPA-secure (weak) BTE scheme

• CPA-secure BTE CCA-secure BTE
  – Analogous result not known for the case of standard public-key encryption

Applications

• (Weak) BTE implies (weak) IBE, (weak) HIBE, and forward-secure encryption [CHK03]

• Our results yield CCA-secure constructions of these primitives more efficient than those previously known

Summary

• New method for constructing CCA-secure public-key encryption

• Gives new, practical CCA-secure schemes in standard model

• Further applications to CCA-security in other contexts