Structure Preserving CCA Secure Encryption

Transcription

1 Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9

2 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et CRYPTO'03): veriable encryption of discrete logarithms, employ hash to achieve CCA security (Cramer et SIAM Journal on Computing'03): veriable encryption of group elements, employ hash to achieve CCA security Structure Preserving Encryption Its public key, plaintext, ciphertext consist of group elements. compatible with Groth-Sahai (GS) proof which allows ecient non-interactive zero-knowledge proof. Zero-Knowledge Proof: a prover convinces a verier of knowing something without revealing the thing to the verier, eg. proof of valid signature without revealing the message or the signature. 2 / 9

3 Security Model Adaptive Chosen Plaintext Attack(Adaptive CPA) 3 / 9

4 Security Model Adaptive Chosen Ciphertext Attack(Adaptive CCA) 4 / 9

5 Structure Preserving CCA Secure Encryption enable a user to eciently prove knowledge of a leakage-resilient signature (Dodis et ASIACRYPT'10) enable GS proof of the validity of a ciphertext enable joint computation of a ciphertext of two plaintexts 5 / 9

6 Structure Preserving CCA Secure Encryption Idea of constructing a Structure Preserving CCA Secure Encryption from a Structure Preserving CPA Secure Encryption: attach a strong unforgeable consistency check as a tag to the ciphertext the quadratic term in the tag makes the encryption non-homomorphism 6 / 9

7 Structure Preserving CCA Secure Encryption KeyGen(1 λ ) (pk, sk): Choose g 1, g 2, g 3 R G, α R Z3 p, set h 1 = g α 1 1 g α 3 3, h 2 = g2 α2 g α 3 3. Choose β i R Z 3 p for i [0, 5], set f i,1 = g β i,1 1 g β i,3 3, f i,2 = g β i,2 2 g β i,3 3. pk = (g 1, g 2, g 3, h 1, h 2, {f i,1, f i,2 } 5 i=0) sk = (α, {β i } 5 i=0) Enc(pk, L, M) C: To encrypt a message M with a label L, choose r, s R Zp u 1 = g1, r u 2 = g2, s u 3 = g r+s 3, c = M h1h r 2, s 3 v = e(fi,1f r i,2, s u i ) e(f4,1f r 4,2, s c) e(f5,1f r 5,2, s L), u 0 = g i=0 Output the ciphertext C = (u 1, u 2, u 3, c, v). Dec(sk, L, C) M: First, verify the validity of the ciphertext C v? = 3 i=0 e(u β i,1 1 u β i,2 2 u β i,3 3, u i ) e(u β 4,1 1 u β 4,2 2 u β 4,3 3, c) e(u β 5,1 1 u β 5,2 2 u β 5,3 3, L), u 0 = g If the verication fails, abort the ciphertext, otherwise, compute the plaintext M = c (u α 1 1 u α 2 2 u α 3 3 ) 1 7 / 9

8 Security Proof Decisional Linear Assumption: Games: g 1, g 2, g 3 R G, r, s, t R Zp (G, g 1, g 2, g 3, g r 1, g s 2, g t 3) (G, g 1, g 2, g 3, g r 1, g s 2, g r+s 3 ) Game 0: the standard IND CCA game Game 1: in the challenge ciphertext C = (u, c, v), c and v are computed using the decryption procedure c = M u α 1 1 u α 2 2 u α v = e(u β i,1 1 u β i,2 2 u β i,3 3, u i ) e(u β 4,1 1 u β 4,2 2 u β 4,3 3, c) e(u β 5,1 1 u β 5,2 2 u β 5,3 3, L) i=0 Game 2: in C = (u, c, v), u = (g r 1, g s 2, g t 3), where t r + s Game 3: reject decryption queries with non-dlin u Game 4: the challenge ciphertext encrypts a random message other than {M 0, M 1} 8 / 9

9 Camenisch et ASIACRYPT'11: Jan Camenisch, Kristiyan Haralambiev, Markulf Kohlweiss, Jorn Lapon, and Vincent Naessens. Structure preserving CCA secure encryption and applications, in ASIACRYPT, pp , Camenisch et CRYPTO'03, Jan Camenisch, Victor Shoup. Practical veriable encryption and decryption of discrete logarithms. in CRYPTO, pp , Cramer et SIAM Journal on Computing'03: Ronald Cramer, Victor Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. in SIAM Journal on Computing 33, no. 1 (2003): Dodis et ASIACRYPT'10: Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt, Daniel Wichs. Ecient public-key cryptography in the presence of key leakage. in ASIACRYPT, pp , / 9