A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme
Dana Dachman-Soled
University of Maryland

CPA, CCA1 and CCA2

CPA-secure Public Key Encryption
$(pk, \mathrm{Enc}_{pk}(m_0)) \approx (pk, \mathrm{Enc}_{pk}(m_1))$

CCA1-secure Public Key Encryption
[Diagram: decryption-oracle queries made before the challenge]
$(pk, \mathrm{Enc}_{pk}(m_0)) \approx (pk, \mathrm{Enc}_{pk}(m_1))$

CCA2-secure Public Key Encryption
[Diagram: decryption-oracle queries made both before and after the challenge]
$(pk, \mathrm{Enc}_{pk}(m_0)) \approx (pk, \mathrm{Enc}_{pk}(m_1))$

Does CPA Security Imply CCA Security?
• [Naor, Yung 90], [Dolev, Dwork, Naor, 00]
  - CPA + NIZK -> CCA1 and CCA2
• Partial black-box separation
  - [Gertner, Malkin, Myers, 07]: no "shielding" construction of CCA1 from CPA.
• Question remains open!
  - Even whether CCA1 -> CCA2 is not known.
  - Long line of work showing black-box constructions of CCA2 encryption from lower level primitives.
    • [Peikert, Waters 11], [Rosen, Segev, 10], [Kiltz, Mohassel, O'Neill, 10] ...
  - Our work continues this line of research.

Our Results
• Note: Construction is black-box, but reduction makes non-black-box use of the CCA2 adversary.
• [Myers, Sergi, shelat, 12]: Black-box construction of cNM-CCA1-secure encryption from the same assumptions.
• Our contribution: Extend to full CCA2 setting.
• Construction of a CCA2 scheme from encryption schemes with "weaker" security and no additional assumptions.
Theorem: There is a black-box construction of CCA2-secure encryption from plaintext aware (sPA1) and weakly simulatable public key encryption.

Our Assumptions: Plaintext Awareness
= ciphertext creator, = extractor
Experiment
• pairs of public + secret keys are generated
• get random coins and public keys as input
• gets oracle access to decrypts for
• Let be the set of queries asked by
• Experiment outputs 1 if decrypted all queries in "correctly."
Encryption scheme is -secure if for every ppt , there exists an extractor s.t. experiment outputs 0 with negligible probability.
I "knows" the underlying plaintext.
Note: uses in a non-black-box manner
Note: No auxiliary input

Our Assumptions: Weak Simulatability
• samples "ciphertexts" without knowing the plaintext.
• on input and valid ciphertext outputs coins for
• Correctness: $(f^{-1}(pk, c = \mathrm{Enc}_{pk}(m)), c) \approx (r, f(pk, r))$
Candidate constructions satisfying both assumptions ([MSs12]):
• Damgård ElGamal encryption scheme (DEG)
• Cramer-Shoup lite (CS-lite)

Overview: CCA Proof Strategies
Hybrid | Public Key | Challenge Ciphertext | Decryption Oracle
       | Simulated  | Simulated            | Simulated
...
PPT adversary cannot distinguish consecutive hybrids.
To reduce to security of underlying encryption scheme, must simulate decryption oracle without knowing secret key.
Main Challenge: Constructing the simulated decryption oracle

CCA1 from Plaintext Awareness?
• Trivial: Plaintext Aware scheme is itself CCA1-secure!
  - To simulate the decryption oracle without knowing the secret key, use the Extractor.

CCA2 from Plaintext Awareness?
• Is the plaintext aware scheme itself also CCA2-secure?
• An attempt: As before, simulate decryption oracle using Extractor.
• Problem: Extractor is no longer guaranteed to work in the second phase!
  - Once adversary receives challenge ciphertext , Extractor can fail.
  - E.g. adversary can re-randomize and submit to oracle.
  - Note that our candidate Plaintext-Aware schemes are homomorphic! So these attacks are possible.
• Extractor seems to be useless.
  - At first glance, seems as hard as proving that CCA1 -> CCA2.
  - No: Having a faulty extractor algorithm is better than no extractor.
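
The re-randomization problem named on this slide, as an added example that is not from the slides: textbook ElGamal stands in for the homomorphic candidates (it is not DEG or CS-lite), the group parameters are constructed toy values, and `cca2_game` is a hypothetical harness whose second-phase oracle refuses only the exact challenge ciphertext. The re-randomized challenge is a different ciphertext of the same plaintext, so an oracle that must answer it, whether it holds the secret key or is simulated with an Extractor, is being asked about a ciphertext whose creator never knew the plaintext.

```python
import secrets

# Constructed toy parameters for illustration only: P = 2Q + 1 is a safe
# prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x                      # (pk, sk)

def encrypt(pk, m):
    """Textbook ElGamal; m must lie in the order-Q subgroup."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, Q - sk, P)) % P        # c1^(-sk), since c1 has order Q

def rerandomize(pk, ct):
    """Multiply by a fresh encryption of 1: new ciphertext, same plaintext."""
    c1, c2 = ct
    t = secrets.randbelow(Q - 1) + 1            # t != 0, so c1 always changes
    return (c1 * pow(G, t, P)) % P, (c2 * pow(pk, t, P)) % P

def cca2_game(adversary):
    """Return True if the adversary guesses the challenge bit."""
    pk, sk = keygen()
    m0, m1 = pow(G, 5, P), pow(G, 7, P)
    b = secrets.randbelow(2)
    challenge = encrypt(pk, (m0, m1)[b])

    def oracle(ct):
        # Second-phase oracle: only the challenge itself is off limits.
        if ct == challenge:
            raise ValueError("challenge ciphertext refused")
        return decrypt(sk, ct)

    return adversary(pk, m0, m1, challenge, oracle) == b

def rerandomizing_adversary(pk, m0, m1, challenge, oracle):
    # The oracle sees a ciphertext it has never seen, yet it decrypts to m_b.
    return 0 if oracle(rerandomize(pk, challenge)) == m0 else 1
```

The adversary wins every run, which is why the construction cannot rely on the plaintext aware scheme alone once the challenge has been released.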

Our Construction
Combines techniques from [Hohenberger, Lewko, Waters 12] and [Myers, Sergi, shelat 12]
1. Generate for one-time signature scheme
2. Inner ciphertexts: [formulas garbled: two ciphertexts, indexed 0 and 1, each encrypting one share; the two shares XOR to a value with two components]
3. Outer ciphertexts: encryptions of under and randomness [diagram: a row of outer ciphertexts]
   Public keys are chosen based on
4. Compute
5. Output:

Proof Intuition
• Idea: Use extractor to simulate oracle even in the CCA2 case.
• Now the extractor may answer incorrectly after the adversary receives the challenge ciphertext.
• Call this event BadExtEvent.
• Sequence of hybrids: Show that BadExtEvent occurs with negligible probability in final hybrid.
• For each hybrid, show that probability BadExtEvent occurs differs by a negligible amount.
• In order to prove this, reduction must always be able to detect a bad extraction event by comparing the output of the Extractor with the output of .

Hard Case: Detecting BadExtEvent in CPA hybrid
Reduction to CPA security of inner ciphertexts
• Idea for how to detect BadExtEvent:
  - Randomly choose
  - Show that the first BadExtEvent occurs on decryption of with probability .
  - Say . CPA adv. knows secret key for but not
    • Can detect first BadExtEvent on .
    • Places challenge ciphertext in position.
  - Note that in both hybrids, is individually uniformly distributed.
  - Simulated oracle answers correctly until the first BadExtEvent.
[Diagram: two hybrids side by side. In one, both shares are random and the inner ciphertexts are labelled "XOR to random"; in the other, the first share is random, the second is the first XORed with the value from the construction, and the label is "XOR to".]

Future Directions
• Can high-level proof techniques be useful for constructing CCA2 from CCA1?
  - Non-black-box use of the adversary.
  - Detecting a "bad event" without fully simulating the decryption oracle.
• Can we reduce the underlying assumptions of our construction?

Thank you!