A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1)
Encryption Scheme
Dana Dachman-SoledUniversity of Maryland
CPA, CCA1 and CCA2
CPA, CCA1 and CCA2
ππ ,πΈππππ(π0) ππ ,πΈππππ(π1)
β
CPA-secure Public Key Encryption
CPA, CCA1 and CCA2
β
CCA1-secure Public Key Encryption
ππ ππ
π π π π
ππ ,πΈππππ(π0) ππ ,πΈππππ(π1)
CPA, CCA1 and CCA2
β
CCA2-secure Public Key Encryption
ππ ππ
π π π ππβ πβ πβ πβ
ππ ,πΈππππ(π1)ππ ,πΈππππ(π0)
Does CPA Security Imply CCA Security?
β’ [Naor, Yung 90], [Dolev, Dwork, Naor, 00]β CPA + NIZK -> CCA1 and CCA2
β’ Partial black-box separationβ [Gertner, Malkin, Myers, 07] no βshieldingβ construction of CCA1
from CPA.β’ Question remains open!β Even whether CCA1 -> CCA2 is not known.β Long line of work showing black-box constructions of CCA2
encryption from lower level primitives.β’ [Peikert, Waters 11], [Rosen, Segev, 10], [Kiltz, Mohassel, OβNeill, 10]. . .
β Our work continues this line of research.
Our Results
β’ Note: Construction is black-box, but reduction makes non-black-box use of the CCA2 adversary.
β’ [Myers, Sergi, shelat, 12]: Black-box construction of cNM-CCA1-secure encryption from the same assumptions.
β’ Our contribution: Extend to full CCA2 setting.β’ Construction of a CCA2 scheme from encryption schemes
with βweakerβ security and no additional assumptions.
Theorem: There is a black-box construction of CCA2-secure encryption from plaintext aware (sPA1) and weakly
simulatable public key encryption.
Our AssumptionsβPlaintext Awareness = ciphertext creator, = extractor
Experiment β’ pairs of public + secret keys are generatedβ’ get random coins and public keys as inputβ’ gets oracle access to decrypts for β’ Let be the set of queries asked by β’ Experiment outputs 1 if decrypted all queries in
βcorrectly.β
Encryption scheme is -secure if for every ppt , there exists an extractor s.t. experiment outputs 0 with negligible
probability.
I βknowsβ the underlying plaintext.Note: uses in a non-
black-box manner
Note: No auxiliary input
Our AssumptionsβWeak Simulatability
β’ samples βciphertextsβ without knowing the plaintext.β’ on input and valid ciphertext outputs coins for β’ Correctness:
Candidate constructions satisfying both assumptions ([MSs12]):β’ Damgard Elgamal Encryption scheme (DEG)β’ Cramer-Shoup lite (CS-lite)
( π β1 (ππ ,π=πΈππππ (π ) ) ,π ) (π , π (ππ ,π ) )β
Overview: CCA Proof StrategiesHyrid Public Key Challenge Ciphertext Decryption Oracle
Simulated Simulated Simulated
.
.
.PPT adversary cannot
distinguish consecutive hybrids.
To reduce to security of underlying encryption scheme,
must simulate decryption oracle without knowing secret key.
Main Challenge: Constructing the
simulated decryption oracle
CCA1 from Plaintext Awareness?
β’ Trivial: Plaintext Aware scheme is itself CCA1-secure!β To simulate the decryption oracle without
knowing the secret key, use the Extractor.
CCA2 from Plaintext Awareness?β’ Is the plaintext aware scheme itself also CCA2-secure?β’ An attempt: As before, simulate decryption oracle using
Extractor.β’ Problem: Extractor is no longer guaranteed to work in the
second phase!β Once adversary receives challenge ciphertext , Extractor can fail.β E.g. adversary can re-randomize and submit to oracle. β Note that our candidate Plaintext-Aware schemes are
homomorphic! So these attacks are possible.β’ Extractor seems to be useless.
β At first glance, seems as hard as proving that CCA1 -> CCA2.β No: Having a faulty extractor algorithm is better than no
extractor.
Our ConstructionCombines techniques from [Hohenberger, Lewko, Waters 12] and [Myers, Sergi, shelat 12]
πΆπ π π0=πΈπππ ππ π0
(π 0) 2. Inner ciphertexts: πΆπ π π1
=πΈπππππ π1(π 1)
π 0βπ 1=(πβ¨ΒΏπ )
πΆπ1 πΆπ 2 πΆπ 3
π1 ,β¦ππ=πππ(π )
3. Outer ciphertexts:
encryptions of under and randomness
. . . πΆπ π
Public keys are chosen based
on
1. Generate for one-time signature scheme
4. Compute
5. Output:
Proof Intuition
β’ Idea: Use extractor to simulate oracle even in the CCA2 case.
β’ Now the extractor may answer incorrectly after the adversary receives the challenge ciphertext.
β’ Call this event BadExtEvent
Proof Intuition
β’ Sequence of hybrids: Show that BadExtEvent occurs with negligible probability in final hybrid.
β’ For each hybrid, show that probability BadExtEvent occurs differs by a negligible amount.
β’ In order to prove this, reduction must always be able to detect a bad extraction event by comparing the output of the Extractor with the output of .
Hard Case:Detecting BadExtEvent in CPA hybrid
Reduction to CPA security of inner ciphertexts
β’ Idea for how to detect BadExtEvent: β Randomly choose β Show that the first BadExtEvent occurs on decryption of with
probability .β Say . CPA adv. knows secret key for but not
β’ Can detect first BadExtEvent on . β’ Places challenge ciphertext in position.
β Note that in both hybrids, is individually uniformly distributed.β Simulated oracle answers correctly until the first BadExtEvent.
π 0=ππππ π 1=ππππ π 0=ππππ π 1=π 0β(πβ¨ΒΏπ )βπΆπ π π0
β β πΆπ π π1β β πΆπ π π0
β β πΆπ π π1β β
XOR to random XOR to
π 0=ππππ π 0=ππππ
Future Directions
β’ Can high-level proof techniques be useful for constructing CCA2 from CCA1?β Non-black-box use of the adversary.β Detecting a βbad eventβ without fully simulating
the decryption oracle.β’ Can we reduce the underlying assumptions of
our construction?
Thank you!
Top Related