Duncan S. Wong. Department of Computer Science. City University of Hong Kong. Joint work with . Guomin. Yang, . Chik. How Tan and . Qiong. Huang. 1. 2. What is . PKE with Equality Test. ?. Is it related to .

Embed :

Presentation Download Link

Download Presentation - The PPT/PDF document "Probabilistic Public Key Encryption with..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Slide1

Probabilistic Public Key Encryption with Equality Test

Duncan S. WongDepartment of Computer ScienceCity University of Hong Kong

Joint work with Guomin Yang, Chik How Tan and Qiong Huang

1Slide2

2

What is PKE with Equality Test?

Is it related to PKE with Keyword Search or Deterministic PKE?Applications

Our

constructionWhat security level can it achieve?Impossibility of achieving IND-ATK (e.g. IND-CPA or IND-CCA1/2)Extension: a non-pairing variantW-IND-CCA2

OutlineSlide3

3

What is

PKE with Equality Test (PKE-ET)?

Enc

M

1

pk

1

C

1

Enc

M

2

pk

2

C

2

M

1

=?

M

2

Test

C

1

C

2

1

iff

M

1

=

M

2Slide4

4

What is PKE with Equality Test (PKE-ET)?

1. Perfect Consistency2. Soundness

For every

M

in plaintext space PtSp(k), Pr[ Test(C1, C2

) = 1 ] = 1

if (

pk

1

,

sk

1

)

G(1

k), (pk2,

sk2) G(1

k), C1 E

(pk1, M) and

C2 E(

pk2, M).

For any PPT A

, Pr[ Test(C

1, C2) = 1

M1 M2

M1 M2

] (k)where (

C1, C2, sk1

, sk2) A(1

k), M1

D(sk1,

C1), M2

D(sk2

, C2).Slide5

5

Is PKE-ET related to PKE with Keyword Search?

PKE with Keyword Search (PKES)w : keywordC

= Enc(

pk

, w)TW = Trapdoor(sk, w)Test(pk,

C

,

T

W

) = 1

iff

C is an encryption of w under

pkEquality Test

Test(pk, C1

, TW) = 1 & Test(pk,

C2, TW) = 1

Both C1 and

C2 are encryptions of the same w.

LimitationsA tag

TW can only be generated if sk

is known.Test: only

applicable to ciphertexts generated under the same pk.Slide6

6

Is PKE-ET related to Deterministic PKE?

Deterministic Public Key Encryption (DPKE)S = Enc(pk, M

)

M

= Dec(sk, C)Equality TestGiven C1 = Enc(pk

,

M

1

) &

C

2

= Enc(

pk

, M2)

C1 = C2

M1 = M2.

LimitationOnly applicable to

ciphertexts generated under the same pk.Slide7

7

Applications of PKE-ETOutsourced Database, data are stored in encrypted form.

Searchable Encryption: anyone is able to search keywords of encrypted messages even if they are generated under different public keys.E.g. building a search engine capable of searching encrypted messages provided by different vendors

Partitioning Encrypted Data

: DBMS or the public is able to categorize or obtain statistical information on messages without any help from the encrypted message owners.

E.g. partitioning encrypted files based on file types such as images from videosSlide8

8

Our PKE-ET ConstructionSystem Parameters

G1, G2: cyclic groups of prime order qg

: generator of

G

1Bilinear pairing e: G1 x G1 G2

PtSp

:

G

1

\{1}

KeyGen

(1

k

)

sk =

x R

Zq*pk =

y = gx

Enc(pk,

m)r

R Zq

*Ciphertext C := (

U, V, W) where U = g

r, V

= mr,

W = H(U, V, y

r) m

||rDec(sk,

C)m||r

WH

(U, V, Ux)

Verify r

Zq* m

G

1

\{1}

U

=

g

r

V

=

m

r

If true, return

m

, else return

Test(

C

1

,

C

2

)

Given

C

1

= (

U

1

,

V

1

,

W

1

) and

C

2

= (

U

2

,

V

2

,

W

2

), if

e

(

U

1

,

V

2

) =

e

(

U

2

,

V

1

), return 1, else return 0.Slide9

9

What Security Level can our PKE-ET scheme achieve?(Impossibility of Achieving IND-ATK)

In general, PKE-ET cannot achieve IND-ATK (e.g. IND-CPA or IND-CCA1/2).

IND-ATK:

Reason why PKE-ET cannot achieve IND-ATK

: adversary knows the challenge plaintexts

x

0

and

x

1

; does not even need to resort its plaintext choosing capability.Slide10

10

What Security Level can our PKE-ET scheme achieve?

After challenge phase, the adversary knows:public key: pkchallenge plaintexts:

x

0

and x1challenge ciphertext: y

Adversary

A

2

computes

y

’ = Enc(

pk

’,

x

1

)returns Test(

y, y’)Slide11

11

What Security Level can our PKE-ET scheme achieve?

It achieves one-way under chosen

ciphertext

attack (OW-CCA2)

.OW-ATK:Slide12

12

What Security Level can our PKE-ET scheme achieve?OW-CCA2 security in the random oracle model under the CDH assumption

Proof Idea:Game 1: the original scheme

Enc(

pk

, m) : U = gr, V = mr

,

W

=

H

(

U

,

V

, yr)

m||r

Game 2: Replace H

(U*, V*, yr*) of the challenge ciphertext

with a random string

Enc(pk, m*) : U*

= gr*, V*

= mr*, W* =

R* m||r

Game 1 and Game 2 are indistinguishable under the CDH assumption.

The adversary only has a negligible probability to win in Game 2 under the CDH assumption.Slide13

13

Extension: a non-pairing variant

In the PKE-ET, pairing is used in Test only.

If we remove

Test

, the scheme is a conventional PKE.KeyGen(1k)sk = x

R

Z

q

*

pk

=

y

= g

xEnc(pk

, m)r

R Zq

*Compute U =

gr, V = m

r, W = H(U, V, y

r)m||

rC := (U, V, W

)Dec(sk, C

)m||r

WH(

U, V, Ux)Verify r

R Zq

* m G1

\{1} U = g

r V = m

rIf true, return m

, else return

Observation:

in

a non-bilinear group,

this

PKE

achieves

a higher security

level.

The PKE can be implemented using a non-bilinear group. So we have more curves to choose from during implementation.Slide14

14

Extension: a non-pairing variant

Bad News: still cannot achieve IND-ATK

A

1

chooses x0 = gr0, x1 = g

r

1

where

r

0

r1

challenge stage: b {0,1}, Enc(pk

, xb) = (U = g

r, V = xbr, W

)A2 returns 0 if

V = Ur0; otherwise, returns 1.

Good News:

can achieve something stronger than OW-CCA2

W-IND-ATK where the adversary cannot select challenge plaintexts but the adversary is given the challenge plaintexts.Slide15

15

W-IND-ATK

In the random oracle model, the PKE in a non-bilinear group is W-IND-CCA2 secure under the DDH assumption.Slide16

16

Future Work

Standard model constructionAchieving IND-CCA2 for Test-removed version

Question:

is there any application for the property that the same scheme is PKE-ET

on bilinear group while being a PKE on non-bilinear group?Slide17

17

Q&AMore details can be found in

the Proc. of CT-RSA 2010

Duncan S Wong Department of Computer Science City University of Hong Kong Joint work with Guomin Yang Chik How Tan and Qiong Huang 1 2 What is PKE with Equality Test Is it related to ID: 129926 Download Presentation

Crypto Concepts Symmetric encryption, Public key encryption, and TLS Cryptography Is: A tremendous tool The basis for many security mechanisms Is not: The solution to all security problems Reliable unless implemented and used properly

pk. , . sk. pk. c. . . . Enc. pk. (m). m. = . Dec. sk. (c). c. pk. pk. Public-key encryption. A public-key encryption scheme is composed of three PPT algorithms:. Gen: . key-generation algorithm.

Cryptography. Is:. A tremendous tool. The basis for many security mechanisms. Is not:. The solution to all security problems. Reliable unless implemented and used properly. Something you should try to invent yourself.

Overview. Encryption technologies. Combining encryption technologies for practice. Using encryption technologies for identification – digital signatures. Public key infrastructure. 2. Introduction.

Rainbows (a.k.a. Spectrums). Public Private Key Encryption. HTTPS. Encryption. String Encryption. You have an account on . facebook. , LinkedIn, YouTube etc. . Your login: . costanza@seinfeld.com. Your password is : .

Public Private Key Encryption. HTTPS. Encryption. String Encryption. You have an account on . facebook. , LinkedIn, YouTube etc. . Your login: . costanza@seinfeld.com. Your password is : . bosco. If this data was stored in a database, it might look like:.

Name : . Maryam Mohammed . Alshami. ID:. H00204657. Encryption. : . is the process of encoding messages or information in such a way that only authorized parties can read it. .. Important part of computing to keep our file .

Rainbows (a.k.a. Spectrums). Public Private Key Encryption. HTTPS. Encryption. String Encryption. You have an account on . facebook. , LinkedIn, YouTube etc. . Your login: . costanza@seinfeld.com. Your password is : .

Dana . Dachman. -Soled. University of Maryland. Deniable Public Key Encryption. [Canetti, . Dwork. , . Naor. , . Ostrovsky. , 97]. Sender. Receiver. . . s. . For any . in the message space, can produce a .

Diffie. -Hellman. The . ElGamal. . Public-key System. Online Cryptography Course Dan Boneh. Recap: public key encryption: . (Gen, E, D). E. D. pk. m. c. c. m.

© 2021 docslides.com Inc.

All rights reserved.