
Detecting Dangerous Queries: A New Approach for Chosen Ciphertext Security

Susan Hohenberger, Allison Lewko, Brent Waters


Presentation Transcript


  1. Detecting Dangerous Queries: A New Approach for Chosen Ciphertext Security. Susan Hohenberger, Allison Lewko, Brent Waters

  2. Public Key Encryption [DH76, RSA78, GM84] (diagram: SK, PubK) • Passive attacker: Chosen Plaintext Attack (CPA)

  3. Active Attackers [NY90, DDN91, RS91] (diagram: SK, PubK) • Chosen Ciphertext Attack (CCA)

  4. IND-CPA [GM84]: Indistinguishability under Chosen Plaintext Attack • Challenger runs Setup, sends PK • Attacker sends M0, M1 • Challenger picks b ∈ {0,1}, returns CT* = Enc(PK, Mb) • Attacker outputs b' ∈ {0,1} • Adv_A = Pr[b = b'] − 1/2

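  5. IND-CCA [NY90, DDN91, RS91]: Indistinguishability under Chosen Ciphertext Attack • Challenger runs Setup, sends PK • Queries: attacker sends CT, receives Dec(SK, CT) • Attacker sends M0, M1 • Challenger picks b ∈ {0,1}, returns CT* = Enc(PK, Mb) • Queries: attacker sends CT with CT ≠ CT*, receives Dec(SK, CT) • Attacker outputs b' ∈ {0,1} • Adv_A = Pr[b = b'] − 1/2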

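  6. IND-CCA [NY90, DDN91, RS91]: Indistinguishability under Chosen Ciphertext Attack • Challenger runs Setup, sends PK • Queries: attacker sends CT, receives Dec(SK, CT) • Attacker sends M0, M1 • Challenger picks b ∈ {0,1}, returns CT* = Enc(PK, Mb) • Queries: attacker sends CT with CT ≠ CT*, receives Dec(SK, CT) • CCA-1: No 2nd phase of oracle queries • Attacker outputs b' ∈ {0,1} • Adv_A = Pr[b = b'] − 1/2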

  7. The Grand Goal: CCA from CPA (diagram: CPA, CCA)

  8. Prior Methods (Standard Model) • NIZK [BFM88, NY90, DDN91, RS91, S99] • NIZK proves well-formedness • NIZKs are rare: TDP/RSA, Pairings; No: DDH, Lattices • Cramer-Shoup plus [CS98, 02, …] • Efficient systems from number theory • DDH, DCR, Factoring, IBE [CHK04]; No: Lattices

  9. Prior Methods (Standard Model) • Lossy TDFs [PW08, RS09, …] • Randomness recovery => use to verify CT • Change PK in proof • DDH, Lattices • 1-bit to many-bit CCA [MS09] • General techniques • Partial randomness recovery

  10. Our Result • New general approach for CCA security: Detectable Chosen Ciphertext Security (DCCA) (diagram: DCCA, CCA)

  11. DCCA Security: Intuition • CCA secure if avoid “dangerous” queries • Hard to produce bad queries w/o challenge CT • Can detect dangerous queries • Example: Concatenate 1-bit CCA ciphertexts (diagram: CT* = 1 1 0) • Dangerous query for CT*: CT = reorder of CT* • 1) Hard to produce w/o CT* • 2) Easy to detect

  12. Detectable Encryption System • Setup(1^n) → (PK, SK) • Encrypt(PK, M) → CT • Decrypt(SK, CT) → M • F(PK, CT*, CT) → {0,1}: outputs ‘1’ if CT is a “dangerous” query for CT* • Two security properties

  13. Property 1: Hard to Predict (Strong) • Challenger runs Setup, gives PK, SK • Attacker outputs CT, M • Challenger computes CT* = Enc(PK, M) • Adv_A = Pr[F(PK, CT, CT*) = 1]

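  14. Property 2: Indistinguishability (CCA2 => DCCA => CCA1) • Challenger runs Setup, sends PK • Queries: attacker sends CT, receives Dec(SK, CT) • Attacker sends M0, M1 • Challenger picks b ∈ {0,1}, returns CT* = Enc(PK, Mb) • Queries: attacker sends CT with F(PK, CT*, CT) = 0 and CT ≠ CT*, receives Dec(SK, CT) • Attacker outputs b' ∈ {0,1} • Adv_A = Pr[b = b'] − 1/2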

  15. Ex. 1: n-bit DCCA from 1-bit CCA • Idea: Use basic concatenation • Enc(PK, m) → C1 = Enc(PK, m1), …, Cn = Enc(PK, mn) (diagram: 1 1 0) • F(PK, CT*, CT): ∃ (i, j) s.t. CTi* = CTj

  16. Ex. 2: Tag-Based Encryption [MRY04, K06] • Tag-Based Encryption: Each ciphertext is associated with a tag • Is CCA secure as long as Tag_CT* is not queried • F(PK, CT*, CT): Tag_CT* = Tag_CT • Examples: CHK04-lite, Kiltz06, PW08 (CCA-1 version), DDN91 (w/o signature)

  17. Ex. 3: Heuristic/Sloppy CCA • Idea: DCCA easier to meet than CCA • Heuristic approach • Sloppy: e.g. “slack” bit in group representation • CT: Apply transformation in case messed up

  18. The Ingredients • Msg ∈ {0,1}* and randomness ∈ {0,1}^n (justified by pseudorandom generators) • 1-Bounded CCA [PSV06, CDMW08] • CPA (trivial) • Detectable CCA

  19. Our Construction

  20. Setup • Setup(1^n): • Setup_1B(1^n) → (PKA, SKA) • Setup_CPA(1^n) → (PKB, SKB) • Setup_DCCA(1^n) → (PKin, SKin) • PK = (PKA, PKB, PKin) • SK = (SKA, SKB, SKin)

  21. Encryption • Encrypt(PK, M): • Choose random ra, rb, rin ∈ {0,1}^n • Cin = Enc_DCCA((M, ra, rb); rin) • CA = Enc_1B(Cin; ra), CB = Enc_CPA(Cin; rb) • CT = (CA, CB) (diagram: CA and CB each wrap Cin = [(M, ra, rb); rin], CA under coins ra and CB under coins rb)

  22. Decryption • Decrypt(SK, CT = (CA, CB)): • Cin’ = Dec(SKA, CA) • (M’, ra’, rb’) = Dec(SKin, Cin’) • CA’ = Enc_1B(Cin’; ra’), CB’ = Enc_CPA(Cin; rb’) • If CA ≠ CA’ OR CB ≠ CB’ reject; else M’ • Idea: Recover (M, ra, rb) then re-encrypt (diagram: CA = [Cin; ra], CB = [Cin; rb], Cin = [(M, ra, rb); rin])

  23. A Few Comments (diagram: CA = [Cin; ra], CB = [Cin; rb], Cin = [(M, ra, rb); rin]) • Features: Naor-Yung 2-key & Myers-shelat nesting • Embedded randomness vs. NIZK • Proof w/ embedding randomness: Good: Decrypt from either side; Problem: Embedding challenge

  24. What is the trouble? (diagram: CA* = [Cin*; ra], CB* = [Cin*; rb], Cin* = [(M, ra, rb); rin]) • Challenge CT = (CA*, CB*): encryptions of Cin* • Problem query: Get Cin’ s.t. F(PK_DCCA, Cin*, Cin’) = 1 • Bad Event: Query C = (CA, CB) s.t. • CA ≠ CA* • Dec(SKA, CA) = Cin’ where F(PK_DCCA, Cin*, Cin’) = 1

  25. Nested Indist. Game • If prove under this game we are done! • Attacker gets CCA queries • Challenge: Inner encrypts Msg + randomness or all 0’s • z=1: CA* = [Cin*; ra], CB* = [Cin*; rb], Cin* = [(M, ra, rb); rin] • z=0 (no embedded randomness): CA* = [Cin*; ra], CB* = [Cin*; rb], Cin* = [(00…00); rin]

  26. Roadmap • Eliminate bad event => Security follows from DCCA • (1) Eliminate with z=0 (no embedded randomness) • (2) Indirectly infer z=1 case from (1)

  27. Bad Event Analysis (no embedded randomness) • Show probabilities are close, with Cin* = [(00…00); rin] • Nested: CA* = [Cin*; ra], CB* = [Cin*; rb] • (IND-CPA) Right-Erased: CA* = [Cin*; ra], CB* = [1111…111; rb] • Switch-Decrypt • (1-Bounded CCA) Full-Erased: CA* = [1111…111; ra], CB* = [1111…111; rb] • Full-Erased bad event = negl(n) by unpredictability

  28. BE-Nested vs. BE-Right-Erase (diagram: CB* = [Cin*; rb] vs. CB* = [1111…111; rb], Cin* = [(00…00); rin]) • Standard IND-CPA reduction • Know SKA, SKin, not SKB • Observe BE using SKA

  29. Switch Decrypt • Switch from using SKA to SKB to decrypt • These are equivalent from Attacker’s view • Best of both worlds: Challenge CT not embed randomness, but queries must!

  30. BE-Right-Erased vs. BE-Full-Erased • Full-Erased: CA* = [1111…111; ra], CB* = [1111…111; rb] • Cin* = [(M, ra, rb); rin] is gone! • Unpredictability: Pr[Bad event in Full Erase] = negl(n)

  31. BE-Right-Erased vs. BE-Full-Erased (diagram: CA* = [1111…111; ra] vs. CA* = [Cin*; ra], Cin* = [(00…00); rin]) • 1-Bounded CCA reduction • Know SKB, SKin, not SKA • Problem: Cannot observe bad event using SKB • Solution: “Peek” at 1 A query using 1-Bounded; 1/Q chance of seeing it

  32. No Bad Event for embedded randomness • Suppose it did happen => We break DCCA indist. • 1) Run Indist Game on A (while playing DCCA) • 2) Submit Msg0 = (M, ra, rb), Msg1 = (00…00) • 3) Get back either [(M, ra, rb); rin] or [(00…00); rin] • 4) Create challenge CT (know SKA, SKB) • 5) Use DCCA oracle to answer non-dangerous queries • What if get dangerous query? Stuck! But then we know it must be Msg0 => breaks DCCA!

  33. Finishing it off • z=1: CA* = [Cin*; ra], CB* = [Cin*; rb], Cin* = [(M, ra, rb); rin] • z=0 (no embedded randomness): CA* = [Cin*; ra], CB* = [Cin*; rb], Cin* = [(00…00); rin] • N.I. easy to prove from DCCA if no bad events • CCA security follows immediately

  34. Summary • New abstraction: Detectable CCA security • Build CCA from it • Cover 1 to many bit enc., tag-based, & more • Embedded randomness: blessing & problems • Indirect inference on bad event

  35. Could CCA-1 work? • Idea: Replace DCCA component w/ CCA-1 • Problem 1: Proof needs to detect • Problem 2: Can create an oracle that breaks it • (CT*): Decrypts CT*, encrypts M in another CT’ • Q1: The oracle is strong! Is there middle ground? • Q2: Structure for CCA-1? Proof idea?

  36. Our Picture (not necessarily to scale) (diagram: CCA, DCCA, CCA-1, CPA)

  37. Thank you
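
The Setup / Encrypt / Decrypt flow of slides 20 to 22, as an added example that is not code from the presentation or its authors. Assumptions: a single toy hashed-ElGamal scheme (`enc`/`dec`) stands in for all three component schemes, the inner plaintext is laid out as `ra || rb || M` with 16-byte coins, and `decrypt` is also handed PK because the re-encryption check needs it.

```python
import hashlib, secrets

# Assumption: one toy hashed-ElGamal scheme with explicit coins stands in for
# Enc1B, EncCPA and EncDCCA. It shows the data flow only and has none of the
# security properties the slides require of those components.
P, G, N = 2**127 - 1, 3, 16          # toy group modulus, base, coin length

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def _pad(shared, n):
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(n)

def enc(pk, msg, coins):
    """Deterministic given coins, so a decryptor can re-encrypt and compare."""
    k = int.from_bytes(coins, "big") % (P - 1)
    body = bytes(a ^ b for a, b in zip(msg, _pad(pow(pk, k, P), len(msg))))
    return pow(G, k, P).to_bytes(16, "big") + body

def dec(sk, ct):
    c1, body = int.from_bytes(ct[:16], "big"), ct[16:]
    return bytes(a ^ b for a, b in zip(body, _pad(pow(c1, sk, P), len(body))))

def setup():
    (pka, ska), (pkb, skb), (pkin, skin) = keygen(), keygen(), keygen()
    return (pka, pkb, pkin), (ska, skb, skin)

def encrypt(pk, m):
    pka, pkb, pkin = pk
    ra, rb, rin = (secrets.token_bytes(N) for _ in range(3))
    c_in = enc(pkin, ra + rb + m, rin)             # Cin = EncDCCA((M, ra, rb); rin)
    return enc(pka, c_in, ra), enc(pkb, c_in, rb)  # CT = (CA, CB)

def decrypt(pk, sk, ct):
    """Return M', or None (reject) when re-encryption does not reproduce CT."""
    (pka, pkb, _), (ska, _, skin), (ca, cb) = pk, sk, ct
    c_in = dec(ska, ca)                            # Cin' = Dec(SKA, CA)
    inner = dec(skin, c_in)                        # (M', ra', rb')
    ra, rb, m = inner[:N], inner[N:2 * N], inner[2 * N:]
    if enc(pka, c_in, ra) != ca or enc(pkb, c_in, rb) != cb:
        return None
    return m
```

Because the toy scheme is malleable, flipping the last byte of CA still passes the CA comparison and is rejected only by the CB comparison, which illustrates why both halves are re-encrypted and checked.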
