Trading Plaintext-Awareness for Simulatability to Achieve Chosen Ciphertext Security
Takahiro Matsuda, Goichiro Hanaoka
t-matsuda@aist.go.jp
2016/3/7 Mon., PKC 2016 @ Taipei, Taiwan (3/7 - 3/9)
This work presents new assumptions for CCA PKE
ePrint 2016/235

Background
・It is important to clarify (necessary and) sufficient assumptions to realize general cryptographic primitives
  ・To better understand how & why we can construct/prove security of the primitives
  ・Ultimate goal: Draw a complete map among all cryptographic primitives (about implications & separations)
・This work focuses on CCA secure PKE (and KEM)
  ・Desirable security for PKE
    ・Security against Bleichenbacher’s attack
    ・Implication to NM, UC security
[Diagram: ??? → CCA PKE/KEM]

Background
Q. Which primitive(s) implies CCA secure PKE/KEM?
[Diagram: primitives with arrows to CCA PKE/KEM]
・CPA PKE + NIZK
・IBE (or TBE)
・TDF w/ additional properties
・Hom. PKE w/ additional properties
・Lossy PKE w. large PT space
・CPA PKE + UCE
・CPA PKE + Point Obf.
・PKE satisfying sPA1 (for many keys) & weak simulatability
・Sender NCE + KDM SKE
・Detectable CCA PKE
・1-bit PKE w/ circular security & reproducibility
・iO + OWF [SW14]
・???
Citations shown in the diagram: [DDN91] [CHK04,Kiltz06] [PW08,RS09,KMO10,Wee10] [HLW12] [HO12] [HO13] [MH14a] [MH14b] [MH15] [HK15] [Dac14]

Dachman-Soled@PKC’14 [Dac14]
PKE satisfying (Statistical) Plaintext Aware1 under 2k+2 keys (sPA1_{2k+2}) & Weak Simulatability → CCA PKE
(k: security parameter)
・Plaintext-Awareness (PA) [BR94,BP04]
  ・“If you generate a ciphertext you must know the plaintext”
  ・Standard model PA [BP04] has several variations
  ・Our focus is on “Statistical PA1” (sPA1), and its “many keys” extension
  ・C.f.) CPA + PA1 → CCA1
・Weak Simulatability [DN00, MMS12]
  ・Ciphertext(-like strings) can be sampled obliviously, w/o knowing plaintext m
  ・> CPA security

Motivation
・PA typically requires a “knowledge” assumption
・In addition, [Dac14] needs a “multi-key” extension of PA: ”sPA1” under 2k + 2 keys [MSS12], denoted by sPA1_{2k+2}
  ・If x > y ≧ 1, then sPA1_x ≧ sPA1_y, but the opposite implication/separation is unknown
・[Dac14] observed that it seems difficult to replace PA1 with CCA1 security in her construction
・We investigate whether the strength of PA in [Dac14] can be weakened, thereby contributing to clarifying new general assumptions for CCA PKE
[Diagram: sPA1_{2k+2}, Weakly Simulatable PKE → CCA PKE [Dac14]; 2k+2 is the number of keys; k: security parameter]

Our Results
Based on [Dac14], we show 2 CCA PKE constructions whose assumptions are a “trade-off” with that of [Dac14]
・Construction 1: sPA1_2, CPA PKE + Trapdoor-Simulatable PKE → CCA PKE
・Construction 2: sPA1_1, 1-Bounded CCA PKE + Trapdoor-Simulatable PKE → CCA PKE
(Actually, we construct KEMs)

[Dac14] vs. Ours
[Dac14]:
・sPA1_{2k+2}, Weakly Simulatable PKE → CCA PKE
Ours:
・sPA1_2, CPA PKE + Trapdoor-Simulatable PKE → CCA PKE
・sPA1_1, 1-BCCA PKE + Trapdoor-Simulatable PKE → CCA PKE
Comparison:
・sPA1_{2k+2} > sPA1_2 > sPA1_1
・Weak simulatability < Trapdoor-simulatability (qualitatively)
  ・These are formally incomparable
・Ours do not require “PA” and “simulatability” to be satisfied by a single building block PKE
・Ours trade the strength of “PA” for “simulatability” in [Dac14]
・Our constructions give new recipes for CCA PKE/KEM

Overview of Proposed Constructions
・Based on the “double-layered” construction [MS09,HLW12]
・Building blocks for outer encryption can be constructed only from Trapdoor simulatable PKE
[Diagram: Double Layer [MS09] → CCA KEM
  Inner encryption: sPA1_2, CPA KEM (or sPA1_1, 1-Bounded CCA KEM)
  Outer encryption: Trapdoor Simulatable “Puncturable” TBE [MH14] and Trapdoor-Simulatable Commitment]
Talk Outline:
・Building Blocks
・Proposed Constructions
・Security Proof Overview

Key Encapsulation Mechanism (KEM)
= “public-key” part of hybrid encryption
Useful composition result [Cramer-Shoup03]: CCA KEM + CCA SKE → CCA PKE
Syntax
・Key Generation: (pk, sk) ← KKG(1^k)
・Encapsulation: (C, K) ← Encap(pk)    (K: a session-key used by SKE)
・Decapsulation: K or ⊥ ← Decap(sk, C)
CCA Security: ∀ PPT A : | Pr[ b’ = b ] - 1/2 | = neg.
[Diagram: CCA game. A receives pk, C*, K*_b for b ∈ {0,1} (b = 1: real K*, b = 0: random K*), may query the Dec. Oracle K = Decap(sk, C) on C ≠ C*, and outputs b’.]

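(KEM’s) Statistical PA1 (sPA1) [BP04]
∀ PPT (ciphertext creator), ∃ Stateful PPT (extractor),
  Pr[ ∃ i : K_i ≠ Decap(sk, C_i) ] = neg.
[Diagram: the ciphertext creator, run on pk and randomness rA, submits ciphertexts C_i; the extractor, with initial state st0 = (pk, rA), answers each C_i with K_i and updates its state st.]
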
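(KEM’s) sPA1 in the Presence of ℓ Keys (sPA1_ℓ) [MSS12]
∀ PPT (ciphertext creator), ∃ Stateful PPT (extractor),
  Pr[ ∃ i : K_i ≠ Decap(sk_{j_i}, C_i) ] = neg.
[Diagram: the ciphertext creator, run on pk_1, …, pk_ℓ and randomness rA, submits queries (j_i, C_i); the extractor, with initial state st0 = (pk_1, …, pk_ℓ, rA), answers each query with K_i and updates its state st.]
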
Simulatable PKE and Variants
Simulatable PKE [DN00]
・pk and c can be sampled “obliviously”, w/o knowing actual randomness and/or plaintext, and
・Honestly generated pk and c can be “explained” as having been generated by oblivious sampling
(Simplified) Syntax: (PKG, Enc, Dec) & (oSamp, rSamp)
・(pk, c) ← oSamp(1^k; r’)    (r’ is a randomness for oblivious sampling)
・r’ ← rSamp(pk, c) s.t. oSamp(1^k; r’) = (pk, c)
Weak Simulatability [MSS12,Dac14]
・Only c is obliviously samplable
Trapdoor Simulatability [CDMW09]
・rSamp can use randomness and plaintext used to generate pk and c
Weak Simulatability and Trapdoor Simulatability are incomparable
(However, W-sim. can be seen as weaker because it need not obliviously sample pk)

Simulatable PKE and Variants
Q. What kinds of PKE satisfy (Trapdoor/Weak) Simulatability?
A. PKEs s.t. pk and c look like a pseudorandom string
・Ex1: PKE based on LWE or (Low-noise) LPN
・Ex2: ElGamal (and variants) over a suitable elliptic curve (“simulatable” group [Dent06])
Can be instantiated from standard assumptions

Puncturable Tag-Based Encryption (PTBE) [DDN91,MH14]
・TBE with two modes for decryption
・Core structure of the Dolev-Dwork-Naor construction [DDN91]
Syntax
・Key Generation: (pk, sk) ← TKG(1^k)
・Encryption: c ← TEnc(tpk, tag, m)
・Decryption: m / ⊥ ← TDec(tsk, tag, c)
・Puncturing SK: psk_tag* ← Punc(sk, tag*)
・Punctured Decryption: m / ⊥ ← PTDec(psk_tag*, tag, c)
Correctness of punctured decryption for non-punctured point tag
・∀ tag ≠ tag*, ∀ c ← TEnc(pk, tag, m): TDec(sk, tag, c) = PTDec(psk_tag*, tag, c) = m
Extended CPA security [MH14]
・≒ CPA security in the presence of psk_tag*

How to Build Trapdoor Simulatable PTBE/COM from Trapdoor Simulatable PKE
[Diagram: Trapdoor Simulatable PKE → (DDN-like Construction) → Trapdoor Simulatable PTBE
          Trapdoor Simulatable PKE → (Hash a ciphertext by UOWHF) → Trapdoor Simulatable Commitment]
DDN-like Construction
・Generate 2k key pairs
・Encrypt m independently by k keys chosen by tag
Trapdoor Simulatable PTBE
・Defined analogously to PKE (oSamp needs to generate psk_tag* in addition to (pk, c))
Trapdoor Simulatable Commitment
・Trapdoor Simulatability + (Target) Binding

Proposed KEMs Overview
Adapt the “Double-Layered” structure of [MS09,HLW12]
[Diagram: Double-Layer → CCA KEM
  Inner Encryption: sPA1_2, CPA KEM (in our 2nd construction: sPA1_1, 1-Bounded CCA KEM)
  Outer Encryption: Trapdoor Simulatable Punc. TBE and Trapdoor Simulatable Commitment]

Our 1st Construction
KKG:
  (pk_in0, sk_in0) ← KKG_in
  (pk_in1, sk_in1) ← KKG_in
  (tpk, tsk) ← TKG
  ck ← CKG
  PK = (pk_in0, pk_in1, tpk, ck)
  SK = (sk_in0, sk_in1, tsk)
Encap(PK):
  (c_in0, α0) ← Encap_in(pk_in0)
  (c_in1, α1) ← Encap_in(pk_in1)
  (rC || rT || K) ← α0 xor α1
  tag ← Com(ck, (c_in0 || c_in1); rC)
  c ← TEnc(tpk, tag, (c_in0 || c_in1); rT)
  C ← (tag, c)
  Return (C, K)
Decap(SK, C = (tag, c)):
  (c_in0 || c_in1) ← TDec(tsk, tag, c)
  α0 ← Decap_in(sk_in0, c_in0)
  α1 ← Decap_in(sk_in1, c_in1)
  (rC || rT || K) ← α0 xor α1
  If Com(ck, (c_in0 || c_in1); rC) = tag and TEnc(tpk, tag, (c_in0 || c_in1); rT) = c
    then return K else ⊥
Notes
・Double-layered structure
・Inner encryption does multiple encryption by 2 KEMs
・Randomness for outer encryption is generated from inner KEM
・In Decap, the validity of outer CT is checked by re-encryption
[Diagram: Inner: sPA1_2 & CPA KEM; Outer: TS Punc. TBE and TS Com → CCA KEM]

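The Encap/Decap data flow of the 1st construction and its re-encryption check, as an added Python sketch that is not code from the slides or the paper. The building blocks are assumed stand-ins (hashed Diffie-Hellman inner KEM over a toy group, tag-bound hashed ElGamal for TEnc/TDec, a hash for Com); they provide none of sPA1, puncturing or trapdoor simulatability, and decap takes PK as an extra argument.

```python
import hashlib, secrets
P, G = 2**127 - 1, 3  # toy group parameters (assumed; far too small for real use)

def H(*parts, n=32):  # domain-separated hash with n-byte output
    return hashlib.shake_256(repr(parts).encode()).digest(n)
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

# Inner KEM stand-in (hashed Diffie-Hellman); alpha is 96 bytes = rC || rT || K.
def encap_in(pk):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), H("kem", pow(pk, r, P), n=96)
def decap_in(sk, c):
    return H("kem", pow(c, sk, P), n=96)

# Outer TBE stand-in: hashed ElGamal, tag bound into the pad, coins rT explicit.
def tenc(tpk, tag, m, r_t):
    r = int.from_bytes(r_t, "big") % (P - 2) + 1
    return pow(G, r, P), xor(m, H("tbe", pow(tpk, r, P), tag, n=len(m)))
def tdec(tsk, tag, c):
    return xor(c[1], H("tbe", pow(c[0], tsk, P), tag, n=len(c[1])))
def com(ck, m, r_c):  # commitment stand-in: hash of (ck, message, rC)
    return H("com", ck, m, r_c)

def kkg():
    (pk0, sk0), (pk1, sk1), (tpk, tsk) = keygen(), keygen(), keygen()
    return (pk0, pk1, tpk, secrets.token_bytes(16)), (sk0, sk1, tsk)

def encap(PK):
    pk0, pk1, tpk, ck = PK
    (c0, a0), (c1, a1) = encap_in(pk0), encap_in(pk1)
    s = xor(a0, a1)
    r_c, r_t, K = s[:32], s[32:64], s[64:]
    m = c0.to_bytes(16, "big") + c1.to_bytes(16, "big")  # c_in0 || c_in1
    tag = com(ck, m, r_c)
    return (tag, tenc(tpk, tag, m, r_t)), K

def decap(PK, SK, C):  # PK passed explicitly: the check needs tpk and ck
    (_, _, tpk, ck), (sk0, sk1, tsk), (tag, c) = PK, SK, C
    m = tdec(tsk, tag, c)
    a0 = decap_in(sk0, int.from_bytes(m[:16], "big"))
    a1 = decap_in(sk1, int.from_bytes(m[16:], "big"))
    s = xor(a0, a1)
    r_c, r_t, K = s[:32], s[32:64], s[64:]
    ok = com(ck, m, r_c) == tag and tenc(tpk, tag, m, r_t) == c  # re-encryption
    return K if ok else None  # None plays the role of ⊥
```

Flipping any bit of tag or c changes the recovered inner ciphertexts, hence rC and rT, so the recomputed commitment and outer ciphertext no longer match and decap rejects.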
Our 2nd Construction
KKG:
  (pk_in, sk_in) ← KKG_in
  (tpk, tsk) ← TKG
  ck ← CKG
  PK = (pk_in, tpk, ck)
  SK = (sk_in, tsk)
Encap(PK):
  (c_in, α) ← Encap_in(pk_in)
  (rC || rT || K) ← α
  tag ← Com(ck, c_in; rC)
  c ← TEnc(tpk, tag, c_in; rT)
  C ← (tag, c)
  Return (C, K)
Decap(SK, C = (tag, c)):
  c_in ← TDec(tsk, tag, c)
  α ← Decap_in(sk_in, c_in)
  (rC || rT || K) ← α
  If Com(ck, c_in; rC) = tag and TEnc(tpk, tag, c_in; rT) = c
    then return K else ⊥
Notes
・Inner encryption is replaced by one invocation of KEM
[Diagram: Inner: sPA1_1 & 1-BCCA KEM; Outer: TS Punc. TBE and TS Com → CCA KEM]

Ideas for Security Proofs
… are very similar to [Dac14]
・Using a CCA adversary for the proposed KEMs, we construct a reduction (CPA adversary) for the inner KEM
・Binding of commitment allows us to reject all dec. queries (tag, C) s.t. tag* = tag
Q. How to answer dec. queries?
A. ・For outer decryption, use punctured SK of PTBE
   ・For inner decryption, use a PA1-extractor

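Illustration of Reduction
[Diagram: The reduction (CPA Adv.) receives the CPA instance of the inner KEM (pk_in, c_in*, α*) and gives the CCA Adv. PK = (pk_in, tpk, ck), C* = (tag*, c*), K*. For a query C = (tag, c), Punc TDec (key punctured at tag*) yields the inner CT c_in; the step producing the Dec. Result of c_in is marked “???”; a validity check by re-encryption follows, and K or ⊥ is returned.]
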
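sPA1_ℓ Security of KEM (shown again)
∀ PPT (ciphertext creator), ∃ Stateful PPT (extractor),
  Pr[ ∃ i : K_i ≠ Decap(sk_{j_i}, C_i) ] = neg.
[Diagram: the ciphertext creator A, run on pk_1, …, pk_ℓ and randomness rA, submits queries (j_i, C_i); the extractor, with initial state st0 = (pk_1, …, pk_ℓ, rA), answers each query with K_i and updates its state st.]
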
Technical Subtleties (1/2)
Q1: How to prepare the initial state of ?
A1: Use oblivious-sampling algorithms of outer trapdoor-simulatable PTBE & Com

Illustration of Reduction
[Diagram: The reduction (CPA Adv.) receives the CPA instance of the inner KEM (pk_in, c_in*, α*). It obliviously samples tpk, ck, tag*, c* with randomness r’ for oblivious sampling, and gives the CCA Adv. PK = (pk_in, tpk, ck), C* = (tag*, c*), K*. Labels: pk_in0, pk_in1, r’. For a query C = (tag, c), Punc TDec (key punctured at tag*) yields the inner CT c_in, followed by the Dec. Result and the validity check by re-encryption; K or ⊥ is returned.]

Technical Subtleties (2/2)
Q2: Is the decryption using consistent with the decryption using the normal decryption algo.?
A2: Yes. Thanks to the security properties of the inner KEM, can “detect” if it did an inconsistent answer to a dec. query from
・1st construction: multiple-encryption by 2 KEM and sPA1_2
  ・For one position, embeds its CPA instance, and the secret key of the other position is used to detect inconsistency
  ・Idea from [Dac14]
・2nd construction: 1-bounded CCA and sPA1_1
  ・1 time dec. query by can be used to detect inconsistency
  ・Idea from the double-layered constructions papers [MS09,HLW12]
  ・Actually, 1-bounded plaintext-checking attack security (1-bounded PCA) is sufficient

Why the Tradeoffs in Assumption with [Dac14]?
[Dac14]
・Weak Simulatability only guarantees oblivious sampling for ciphertexts, and hence, the initial state of has to contain public keys for outer encryption as well
・Outer encryption in [Dac14] is arranged like “DDN-lite” construction
  ・sPA1_{O(k)} is required
Ours
・Trapdoor Simulatability allows oblivious sampling also for public keys of outer encryption
・All information for outer encryption is obliviously samplable
  ・sPA1_{O(1)} is sufficient

Summary
New recipes for CCA PKE
Our results: 2 CCA secure KEMs
・Construction 1: sPA1_2, CPA PKE + Trapdoor-Simulatable PKE → CCA KEM
・Construction 2: sPA1_1, 1-Bounded CCA PKE + Trapdoor-Simulatable PKE → CCA KEM
C.f.) [Dac14]: sPA1_{2k+2}, Weakly Simulatable PKE → CCA PKE
eprint 2016/235

On sPA1_1 & 1-Bounded CCA KEM
・We can construct sPA1_1, 1-Bounded CCA KEM from sPA1_{O(k)}, CPA KEM based on [DF14]’s CPA-to-1-bounded CCA PKE construction
  ・However, if we use such construction to obtain CCA KEM, there is no merit compared to our first construction
・The merit of the second construction is that in the future, someone may come up with a direct construction better than known methods.
・As noted in the previous slide, 1-bounded CCA can be weakened to 1-bounded PCA security. Could this help…?