1 / 12

New Results on PA/CCA Encryption

New Results on PA/CCA Encryption. Carmine Ventre and Ivan Visconti Università di Salerno. Defining Security of Encryption Schemes. CCA2 security Non-malleable encryption. auctioneer. c. bidder 1. c’. c and c’ are somehow related. attacker.

iren
Download Presentation

New Results on PA/CCA Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno

  2. Defining Security of Encryption Schemes • CCA2 security • Non-malleable encryption auctioneer c bidder 1 c’ c and c’ are somehow related attacker e.g., the bid encrypted in c’ is a half of the bid encrypted in c

  3. Completely Non-Malleable (CCA2*) Encryption c bidder 1 c, pk and c*, pk* are somehow related c’ c* attacker pk* • The auctioneer receives a new bid from bidder 1 (c’ instead of c) • The auctioneer receives a new bid from a user with public key pk* • Concept introduced in [Fischlin, ICALP ’05]

  4. Why complete non-malleability? • Is it more general than CCA2? • Yes! • Cramer-Shoup and RSA-OAEP are CCA2 but not CCA2* [Fis05] • For every CCA2 encryption scheme there is a CCA2 encryption scheme which is not CCA2* [This work] • Simple proof…

  5. Proving separation between CCA2 and CCA2* • Given (G, E, D) which is CCA2 construct (G’, E’, D’) as follows: G’(1k) (pk, sk) ← G(1k) b ← {0,1} return (pk||b, sk) E’(pk||b, m) return E(pk, m) D’(sk, c) return D(sk, c) • (G’, E’, D’) is CCA2 (it never uses bit b) • It is easy to construct a winning CCA2* attacker for (G’, E’, D’)

  6. Defining Security of Encryption Schemes (cntd) • Plaintext awareness (PA) • “An encryption scheme is plaintext aware if it is practically impossible for any entity to produce a ciphertext without knowing the associated message” [Dent, Eurocrypt ‘06] D(sk, .) Ext(.) pk attacker challenger Indistinguishable output • Why we should care about? • PA + CPA implies CCA2 [Bellare & Palacio, AsiaCrypt ’04]

  7. Enriching PA concept • Defining PA*: two experiments D(sk, .) A pk pk A Ext challenger challenger pk*, Enc(pk*, x) pk*, x pk*, x pk*, x Any PPT machine can not distinguish

  8. Relating CCA2* and PA* • Theorem: PA* + CPA implies CCA2* • Similar relation to the CCA2/PA case [BP04] • Refining CCA2* definition • CCA2* does make sense when • the attacker does not know the secret key sk* (nor a user knowing sk*) • the attacker does not have any noticeable advantage in distinguishing messages that are in relation from message that are not in relation w.r.t. the new key pk*

  9. Construction of CCA2* and PA* encryption schemes • CCA2*: • Impossible in plain model (for non-interactive black-box security [Fis05]) • Constructions: • Plain model • Interactive Non-Black-Box Construction • Shared Random String model • Non-Interactive Black-Box Construction… • … which is also PA* when restricting to CRS model

  10. Details of the CRS construction • Ingredients: • Any CPA secure encryption scheme (G,E,D) • A robust NIZK [DDOPS, Crypto ’01] for an NP language L • Non-malleable NIZK (in the explicit witness sense) • Stronger than Simulation-Soundess • Same-String NIZK • (pk, sk) is in L if there exists randomness r such that G with random tape r outputs (pk, sk)

  11. Details of the CRS construction (2) G’(1k) (pk, sk) ← G(1k) p ← proof for L return ((pk, p), sk) E’((pk, p), m) Verify proof p return E(pk, m) D’(sk, c) return D(sk, c) • Relying on non-malleable NIZK proof we prove that (G’, E’, D’) is CCA2* • Relying on Same-String NIZK proof we prove that (G’, E’, D’) is PA*

  12. Conclusions • We give a stronger notion (PA*) of plaintext awareness • We relate the new notion with that of complete non-malleability (CCA2*) • We give general constructions relating previous notions and results • This yields a much more understandable framework • We construct a non black-box interactive CCA2*+PA* encryption scheme (plain model) • We construct a non-interactive CCA2*+PA* encryption scheme in the CRS model

More Related