Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)

Similar documents
Tightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Chosen-Ciphertext Security (I)

Tightly Secure CCA-Secure Encryption without Pairings

On Tightly Secure Non-Interactive Key Exchange

On Tightly Secure Non-Interactive Key Exchange

G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups

Applied cryptography

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

Standard Security Does Not Imply Indistinguishability Under Selective Opening

Smooth Projective Hash Function and Its Applications

G Advanced Cryptography April 10th, Lecture 11

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter

Kurosawa-Desmedt Meets Tight Security

Circular chosen-ciphertext security with compact ciphertexts

Structure Preserving CCA Secure Encryption

14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University

A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Leakage Resilient ElGamal Encryption

A New Paradigm of Hybrid Encryption Scheme

Lossy Trapdoor Functions and Their Applications

Efficient Public-Key Cryptography in the Presence of Key Leakage

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

6.892 Computing on Encrypted Data October 28, Lecture 7

Encryption Schemes Secure Against Chosen-Ciphertext Selective Opening Attacks

KDM-CCA Security from RKA Secure Authenticated Encryption

Non-malleability under Selective Opening Attacks: Implication and Separation

Gentry IBE Paper Reading

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Two-Round PAKE from Approximate SPH and Instantiations from Lattices

Public Key Cryptography

Dual-System Simulation-Soundness with Applications to UC-PAKE and More

Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

All-But-Many Lossy Trapdoor Functions. Dennis Hofheinz (Karlsruhe Institute of Technology)

Compactly Hiding Linear Spans

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Secure Certificateless Public Key Encryption without Redundancy

III. Pseudorandom functions & encryption

A Twist on the Naor-Yung Paradigm and Its Application to Ecient CCA-Secure Encryption from Hard Search Problems

Chosen-Ciphertext Security from Subset Sum

2 Message authentication codes (MACs)

On the Selective-Opening Security of DHIES

Searchable encryption & Anonymous encryption

Efficient Fully-Leakage Resilient One-More Signature Schemes

Notes for Lecture 16

On the CCA1-Security of Elgamal and Damgård s Elgamal

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Standard versus Selective Opening Security: Separation and Equivalence Results

Enhanced Chosen-Ciphertext Security and Applications

Simulation-based Selective Opening CCA Security for PKE from Key Encapsulation Mechanisms

Random Oracles in a Quantum World

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Strong Security Models for Public-Key Encryption Schemes

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

CS 6260 Applied Cryptography

Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE

Lossy Trapdoor Functions and Their Applications

Short Exponent Diffie-Hellman Problems

Stronger Public Key Encryption Schemes

On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles

Disjunctions for Hash Proof Systems: New Constructions and Applications

Identity-based encryption

Hierarchical identity-based encryption

1 Number Theory Basics

ASYMMETRIC ENCRYPTION

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Pairing-Based Cryptography An Introduction

Non-Malleable Codes from Average-Case Hardness: AC 0, Decision Trees, and Streaming Space-Bounded Tampering

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Public-Key Encryption

Tightly Secure Signatures and Public-Key Encryption

Lattice-Based Non-Interactive Arugment Systems

The Kernel Matrix Diffie-Hellman Assumption

8 Security against Chosen Plaintext

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Round-Optimal Password-Based Authenticated Key Exchange

Tamper and Leakage Resilience in the Split-State Model

On Post-Quantum Cryptography

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Non-Interactive Zero-Knowledge Proofs of Non-Membership

REMARKS ON IBE SCHEME OF WANG AND CAO

The Cramer-Shoup Cryptosystem

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Tightly SIM-SO-CCA Secure Public Key Encryption from Standard Assumptions

CPA-Security. Definition: A private-key encryption scheme

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

A Strong Identity Based Key-Insulated Cryptosystem

Efficient Chosen-Ciphertext Security via Extractable Hash Proofs

Transcription:

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe)

Public-Key Encryption

Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA)

Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger

Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible

Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario

Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument multi-user, multi-ciphertext security

Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument multi-user, multi-ciphertext security But: security guarantees may degrade in scenario size

Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument multi-user, multi-ciphertext security But: security guarantees may degrade in scenario size So: scenario size may influence keylength recommendations

This talk

This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible

This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH)

This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries

This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries Enables security guarantees for arbitrary/unknown scenarios

This talk Tightly secure PKE: multi-challenge IND-CCA Dec(sk, ) pk m0,m1 Enc(pk,mb) Adversary A b' repeat Challenger Adv(A) = Pr [ b = b' ] 1/2, should be negligible Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries Enables security guarantees for arbitrary/unknown scenarios Difficulty: standard techniques yield non-tight reductions

Tight CCA security

Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples:

Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i)

Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i) HPS: reduction knows full sk, entropy in sk randomizes one C (i)

Tight CCA security Tightly secure PKE: multi-challenge IND-CCA m0(1),m1(1) C(1)=Enc(pk,mb(1)) m0(q),m1(q) Adversary A C(Q)=Enc(pk,mb(Q)) Challenger Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i) HPS: reduction knows full sk, entropy in sk randomizes one C (i) NY (double encryption with consistency proof): make one C(i) "special" (with simulated proof), requires simulation-soundness Difficulty: simulation-soundness in face of many simulated proofs

Previous work / contribution

Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR

Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR This work: not yet practical, but conceptual progress

Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts

Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme

Previous work / contribution Scheme pk C (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme Remaining talk: overview over new techniques

Basic strategy

Basic strategy This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme Remaining talk: overview over new techniques Starting point: Naor-Yung double encryption: C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )

Basic strategy This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts Yields first DCR-based tightly secure PKE scheme Remaining talk: overview over new techniques Starting point: Naor-Yung double encryption: C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Consistency proof: proves that M0=M1

Naor-Yung encryption

Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure:

Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: 0) IND-CCA experiment (many challenges), use sk0 to decrypt

Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges

Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges

Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries)

Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries) 4) randomize all M0 in challenges

Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries) 4) randomize all M0 in challenges Difficulty outsourced into simulation-sound NIZK proofs π (many-challenge setting, with tight security reduction)

Naor-Yung encryption C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) One (known) way to prove Naor-Yung secure: NIZK ind. CPA sim-snd CPA 0) IND-CCA experiment (many challenges), use sk0 to decrypt 1) simulate all proofs π (using NIZK simulator) in challenges 2) randomize all M1 in challenges 3) use sk1 (not sk0) to decrypt (in decryption queries) 4) randomize all M0 in challenges Difficulty outsourced into simulation-sound NIZK proofs π This work: (many-challenge with tightstrategy/ security reduction) New setting, randomization New way to prove NY in multi-challenge setting

Recap: hash proof systems

Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (knows hpk) (x,π) Verifier (knows hsk)

Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x)

Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x) NIZK simulator uses secret key hsk to compute π

Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x) NIZK simulator uses secret key hsk to compute π Statistical soundness: if only proofs for true statements x known then any proof π for false x inf.th. hidden

Recap: hash proof systems Ingredient: hash proof systems (designated-verifier NIZKs): Prover (x,π) (knows hpk) Verifier (knows hsk) Unique proofs for x L, can be computed in two ways: π = hpk(x,w) = hsk(x) NIZK simulator uses secret key hsk to compute π Statistical soundness: if only proofs for true statements x known then any proof π for false x inf.th. hidden Efficient HPSs for linear [CS02] and OR-languages [ABP15] known

Idea for our proof system (uses HPSs)

Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )

Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where

Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where τ is a random bit (similar to Katz-Wang signature scheme)

Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where τ is a random bit (similar to Katz-Wang signature scheme) π0 is a HPS proof (under hsk0) for (M0=M1 τ=0)

Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: π = (π0, π1, Com(τ)), where τ is a random bit (similar to Katz-Wang signature scheme) π0 is a HPS proof (under hsk0) for (M0=M1 τ=0) π1 is a HPS proof (under hsk1) for (M0=M1 τ=1)

Idea for our proof system (uses HPSs) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) Structure of π: where τ is a random bit (similar to Katz-Wang signature scheme) π0 is a HPS proof (under hsk0) for (M0=M1 τ=0) π1 is a HPS proof (under hsk1) for (M0=M1 τ=1) π = (π0, π1, Com(τ)), Simulated π for bad C breaks only hsk1-τ (but not hskτ)

Adaptive partitioning

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q)

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: τ=0 C(2) τ=1 C(1) C(10) C(5) C(Q)

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: τ=0 C(2) τ=1 C(1) C(10) C(5) C(Q)

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) τ=1 C(Q) τ=0

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) τ=1 C(Q) τ=0

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q)

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q)

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Randomization strategy: C(2) C(1) C(10) C(5) C(Q) Requires O(λ) steps

Adaptive partitioning

Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*)

Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*) Step 2: randomize all challenge ciphertexts with τ=1-τ* (This allows to randomize half of all challenge ciphertexts)

Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*) Step 2: randomize all challenge ciphertexts with τ=1-τ* (This allows to randomize half of all challenge ciphertexts) Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges)

Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Step 1: guess τ* (τ of first Dec-query with valid π and M0 M1) (This means adversary breaks soundness of hsk1-τ*) Step 2: randomize all challenge ciphertexts with τ=1-τ* (This allows to randomize half of all challenge ciphertexts) Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Difference to [KW03]: KW keep τ public (but simulation capabilities hidden)

Adaptive partitioning

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: C(2) C(1) C* C(5) C(Q) C(10)

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: τ=0 C(2) τ=1 C(1) C* C(5) C(Q) C(10)

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: τ=0 C(2) τ=1 C(1) C* C(5) C(Q) C(10)

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: C(2) C(1) C* C(10) C(5) τ=1 C(Q) τ=0

Adaptive partitioning π = (π0, π1, Com(τ)) C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Illustration: C(2) C(1) C* C(10) C(5) τ=1 C(Q) τ=0

Adaptive partitioning

Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges)

Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized

Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1)

Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1) Remaining problem: efficient HPSs for OR-proofs

Adaptive partitioning C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ) π = (π0, π1, Com(τ)) π0 proves (M0=M1 τ=0) under hsk0 π1 proves (M0=M1 τ=1) under hsk1 Omitted difficulty: how does this re-partitioning work? Step 3: re-randomize partitioning bit τ in challenges, then goto 1 (Prepare to randomize one half of another random partition of challenges) Problem: how to manage/recall what is randomized Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1) Remaining problem: efficient HPSs for OR-proofs In pairing-friendly groups: [ABP15] In DCR setting: new proof system (uses that we can compute dlogs in DCR)

Summary

Summary New strategy to obtain tightly IND-CCA secure PKE schemes

Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle

Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle Main benefit: DCR-based solution (using new OR-proofs)

Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle Main benefit: DCR-based solution (using new OR-proofs) Follow-up work shows potential of ideas

Summary New strategy to obtain tightly IND-CCA secure PKE schemes Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle Main benefit: DCR-based solution (using new OR-proofs) Follow-up work shows potential of ideas Compact tightly secure PKE from DDH Compact tightly secure structure-preserving signatures

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback