Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe)
Public-Key Encryption
Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA)
Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger
Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible
Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario
Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument multi-user, multi-ciphertext security
Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument multi-user, multi-ciphertext security But: security guarantees may degrade in scenario size
Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument multi-user, multi-ciphertext security But: security guarantees may degrade in scenario size So: scenario size may influence keylength recommendations
This talk
This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible
This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH)
This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries
This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries Enables security guarantees for arbitrary/unknown scenarios
This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries Enables security guarantees for arbitrary/unknown scenarios Difficulty: standard techniques yield non-tight reductions
Tight CCA security
Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples:
Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i)
Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i) HPS: reduction knows full sk, entropy in sk randomizes one C (i)
Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i) HPS: reduction knows full sk, entropy in sk randomizes one C (i) NY (double encryption with consistency proof): make one C(i) "special" (with simulated proof), requires simulation-soundness Difficulty: simulation-soundness in face of many simulated proofs
Previous work / contribution
Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR
Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR This work: not yet practical, but conceptual progress
Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts
Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme
Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme Remaining talk: overview over new techniques
Basic strategy
Basic strategy This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme Remaining talk: overview over new techniques Starting point: Naor-Yung double encryption: C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )
Basic strategy This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme Remaining talk: overview over new techniques Starting point: Naor-Yung double encryption: C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Consistency proof: proves that M0=M1
Naor-Yung encryption
Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure:
Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: 0) IND-CCA experiment (many challenges), use sk0 to decrypt
Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges
Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges
Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries)
Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries) 4) randomize all M0 in challenges
Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries) 4) randomize all M0 in challenges Difficulty outsourced into simulation-sound NIZK proofs π (many-challenge setting, with tight security reduction)
Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries) 4) randomize all M0 in challenges Difficulty outsourced into simulation-sound NIZK proofs π This work: (many-challenge with tightstrategy/ security reduction) New setting, randomization New way to prove NY in multi-challenge setting
Recap: hash proof systems
Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (knows hpk) (x,π) Verifier (knows hsk)
Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x)
Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x) NIZK simulator uses secret key hsk to compute π
Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x) NIZK simulator uses secret key hsk to compute π Statistical soundness: if only proofs for true statements x known then any proof π for false x inf.th. hidden
Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x) NIZK simulator uses secret key hsk to compute π Statistical soundness: if only proofs for true statements x known then any proof π for false x inf.th. hidden Efficient HPSs for linear [CS02] and OR-languages [ABP15] known
Idea for our proof system (uses HPSs)
Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )
Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where
Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where τ is a random bit (similar to Katz-Wang signature scheme)
Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where τ is a random bit (similar to Katz-Wang signature scheme) π0 is a HPS proof (under hsk0) for (M0=M1 τ=0)
Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where τ is a random bit (similar to Katz-Wang signature scheme) π0 is a HPS proof (under hsk0) for (M0=M1 τ=0) π1 is a HPS proof (under hsk1) for (M0=M1 τ=1)
Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: where τ is a random bit (similar to Katz-Wang signature scheme) π0 is a HPS proof (under hsk0) for (M0=M1 τ=0) π1 is a HPS proof (under hsk1) for (M0=M1 τ=1) π = (π0, π1, Com(τ)), Simulated π for bad C breaks only hsk1-τ (but not hskτ)
Adaptive partitioning
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q)
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: τ=0 C(2) τ=1 C(1) C(10) C(5) C(Q)
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: τ=0 C(2) τ=1 C(1) C(10) C(5) C(Q)
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) τ=1 C(Q) τ=0
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) τ=1 C(Q) τ=0
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q)
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q)
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q) Requires O(λ) steps
Adaptive partitioning
Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*)
Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*) Step 2: randomize all challenge ciphertexts with τ=1-τ* (This allows to randomize half of all challenge ciphertexts)
Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*) Step 2: randomize all challenge ciphertexts with τ=1-τ* (This allows to randomize half of all challenge ciphertexts) Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges)
Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*) Step 2: randomize all challenge ciphertexts with τ=1-τ* (This allows to randomize half of all challenge ciphertexts) Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Difference to [KW03]: KW keep τ public (but simulation capabilities hidden)
Adaptive partitioning
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: C(2) C(1) C* C(5) C(Q) C(10)
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: τ=0 C(2) τ=1 C(1) C* C(5) C(Q) C(10)
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: τ=0 C(2) τ=1 C(1) C* C(5) C(Q) C(10)
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: C(2) C(1) C* C(10) C(5) τ=1 C(Q) τ=0
Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: C(2) C(1) C* C(10) C(5) τ=1 C(Q) τ=0
Adaptive partitioning
Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges)
Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized
Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1)
Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1) Remaining problem: efficient HPSs for OR-proofs
Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1) Remaining problem: efficient HPSs for OR-proofs In pairing-friendly groups: [ABP15] In DCR setting: new proof system (uses that we can compute dlogs in DCR)
Summary
Summary New strategy to obtain tightly IND-CCA secure PKE schemes
Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle
Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle Main benefit: DCR-based solution (using new OR-proofs)
Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle Main benefit: DCR-based solution (using new OR-proofs) Follow-up work shows potential of ideas
Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle Main benefit: DCR-based solution (using new OR-proofs) Follow-up work shows potential of ideas Compact tightly secure PKE from DDH Compact tightly secure structure-preserving signatures