Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)

Size: px

Start display at page:

Download "Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)"

Irma Norman
5 years ago
Views:

1 Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe)

2 Public-Key Encryption

3 Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA)

4 Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger

5 Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible

6 Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario

7 Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument multi-user, multi-ciphertext security

8 Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument multi-user, multi-ciphertext security But: security guarantees may degrade in scenario size

9 Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument multi-user, multi-ciphertext security But: security guarantees may degrade in scenario size So: scenario size may influence keylength recommendations

10 This talk

11 This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible

12 This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH)

13 This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries

14 This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries Enables security guarantees for arbitrary/unknown scenarios

15 This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries Enables security guarantees for arbitrary/unknown scenarios Difficulty: standard techniques yield non-tight reductions

16 Tight CCA security

17 Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples:

18 Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i)

19 Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i) HPS: reduction knows full sk, entropy in sk randomizes one C (i)

20 Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i) HPS: reduction knows full sk, entropy in sk randomizes one C (i) NY (double encryption with consistency proof): make one C(i) "special" (with simulated proof), requires simulation-soundness Difficulty: simulation-soundness in face of many simulated proofs

21 Previous work / contribution

22 Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM O(Q) DDH KD04/BBM O(Q) DDH CS O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work O(λ) DCR

23 Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM O(Q) DDH KD04/BBM O(Q) DDH CS O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work O(λ) DCR This work: not yet practical, but conceptual progress

24 Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM O(Q) DDH KD04/BBM O(Q) DDH CS O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work O(λ) DCR This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts

25 Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM O(Q) DDH KD04/BBM O(Q) DDH CS O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work O(λ) DCR This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme

26 Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM O(Q) DDH KD04/BBM O(Q) DDH CS O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work O(λ) DCR This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme Remaining talk: overview over new techniques

27 Basic strategy

28 Basic strategy This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme Remaining talk: overview over new techniques Starting point: Naor-Yung double encryption: C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )

29 Basic strategy This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme Remaining talk: overview over new techniques Starting point: Naor-Yung double encryption: C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Consistency proof: proves that M0=M1

30 Naor-Yung encryption

31 Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure:

32 Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: 0) IND-CCA experiment (many challenges), use sk0 to decrypt

33 Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges

34 Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges

35 Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries)

36 Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries) 4) randomize all M0 in challenges

37 Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries) 4) randomize all M0 in challenges Difficulty outsourced into simulation-sound NIZK proofs π (many-challenge setting, with tight security reduction)

38 Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries) 4) randomize all M0 in challenges Difficulty outsourced into simulation-sound NIZK proofs π This work: (many-challenge with tightstrategy/ security reduction) New setting, randomization New way to prove NY in multi-challenge setting

39 Recap: hash proof systems

40 Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (knows hpk) (x,π) Verifier (knows hsk)

41 Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x)

42 Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x) NIZK simulator uses secret key hsk to compute π

43 Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x) NIZK simulator uses secret key hsk to compute π Statistical soundness: if only proofs for true statements x known then any proof π for false x inf.th. hidden

44 Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x) NIZK simulator uses secret key hsk to compute π Statistical soundness: if only proofs for true statements x known then any proof π for false x inf.th. hidden Efficient HPSs for linear [CS02] and OR-languages [ABP15] known

45 Idea for our proof system (uses HPSs)

46 Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )

47 Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where

48 Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where τ is a random bit (similar to Katz-Wang signature scheme)

49 Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where τ is a random bit (similar to Katz-Wang signature scheme) π0 is a HPS proof (under hsk0) for (M0=M1 τ=0)

50 Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where τ is a random bit (similar to Katz-Wang signature scheme) π0 is a HPS proof (under hsk0) for (M0=M1 τ=0) π1 is a HPS proof (under hsk1) for (M0=M1 τ=1)

51 Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: where τ is a random bit (similar to Katz-Wang signature scheme) π0 is a HPS proof (under hsk0) for (M0=M1 τ=0) π1 is a HPS proof (under hsk1) for (M0=M1 τ=1) π = (π0, π1, Com(τ)), Simulated π for bad C breaks only hsk1-τ (but not hskτ)

52 Adaptive partitioning

53 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q)

54 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: τ=0 C(2) τ=1 C(1) C(10) C(5) C(Q)

55 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: τ=0 C(2) τ=1 C(1) C(10) C(5) C(Q)

56 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) τ=1 C(Q) τ=0

57 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) τ=1 C(Q) τ=0

58 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q)

59 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q)

60 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q) Requires O(λ) steps

61 Adaptive partitioning

62 Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*)

63 Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*) Step 2: randomize all challenge ciphertexts with τ=1-τ* (This allows to randomize half of all challenge ciphertexts)

64 Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*) Step 2: randomize all challenge ciphertexts with τ=1-τ* (This allows to randomize half of all challenge ciphertexts) Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges)

65 Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*) Step 2: randomize all challenge ciphertexts with τ=1-τ* (This allows to randomize half of all challenge ciphertexts) Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Difference to [KW03]: KW keep τ public (but simulation capabilities hidden)

66 Adaptive partitioning

67 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: C(2) C(1) C* C(5) C(Q) C(10)

68 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: τ=0 C(2) τ=1 C(1) C* C(5) C(Q) C(10)

69 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: τ=0 C(2) τ=1 C(1) C* C(5) C(Q) C(10)

70 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: C(2) C(1) C* C(10) C(5) τ=1 C(Q) τ=0

71 Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: C(2) C(1) C* C(10) C(5) τ=1 C(Q) τ=0

72 Adaptive partitioning

73 Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges)

74 Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized

75 Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1)

76 Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1) Remaining problem: efficient HPSs for OR-proofs

77 Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1) Remaining problem: efficient HPSs for OR-proofs In pairing-friendly groups: [ABP15] In DCR setting: new proof system (uses that we can compute dlogs in DCR)

78 Summary

79 Summary New strategy to obtain tightly IND-CCA secure PKE schemes

80 Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle

81 Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle Main benefit: DCR-based solution (using new OR-proofs)

82 Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle Main benefit: DCR-based solution (using new OR-proofs) Follow-up work shows potential of ideas

83 Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle Main benefit: DCR-based solution (using new OR-proofs) Follow-up work shows potential of ideas Compact tightly secure PKE from DDH Compact tightly secure structure-preserving signatures

Tightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS

Tightly CCA-Secure Encryption without Pairings Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS Security of encryption pk Alice Enc(pk, m) Bob sk Security of encryption pk Alice Enc(pk,