Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe)
Public-Key Encryption
Public-Key Encryption ● Accepted security notion: chosen-ciphertext security (IND-CCA)
Public-Key Encryption ● Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk,·) pk m 0 ,m 1 Enc(pk,m b ) b' Adversary A Challenger
Public-Key Encryption ● Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk,·) pk m 0 ,m 1 Enc(pk,m b ) b' Adversary A Challenger Adv(A) = Pr [ b = b' ] – 1/2, should be negligible
Public-Key Encryption ● Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk,·) pk m 0 ,m 1 Enc(pk,m b ) b' Adversary A Challenger Adv(A) = Pr [ b = b' ] – 1/2, should be negligible ● Observation: covers only 1-user, 1-ciphertext scenario
Public-Key Encryption ● Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk,·) pk m 0 ,m 1 Enc(pk,m b ) b' Adversary A Challenger Adv(A) = Pr [ b = b' ] – 1/2, should be negligible ● Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument → multi-user, multi-ciphertext security –
Public-Key Encryption ● Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk,·) pk m 0 ,m 1 Enc(pk,m b ) b' Adversary A Challenger Adv(A) = Pr [ b = b' ] – 1/2, should be negligible ● Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument → multi-user, multi-ciphertext security – But: security guarantees may degrade in scenario size –
Public-Key Encryption ● Accepted security notion: chosen-ciphertext security (IND-CCA) Dec(sk,·) pk m 0 ,m 1 Enc(pk,m b ) b' Adversary A Challenger Adv(A) = Pr [ b = b' ] – 1/2, should be negligible ● Observation: covers only 1-user, 1-ciphertext scenario Hybrid argument → multi-user, multi-ciphertext security – But: security guarantees may degrade in scenario size – So: scenario size may influence keylength recommendations –
This talk
This talk ● Tightly secure PKE: multi-challenge IND-CCA Dec(sk,·) pk m 0 ,m 1 repeat Enc(pk,m b ) b' Adversary A Challenger Adv(A) = Pr [ b = b' ] – 1/2, should be negligible
This talk ● Tightly secure PKE: multi-challenge IND-CCA Dec(sk,·) pk m 0 ,m 1 repeat Enc(pk,m b ) b' Adversary A Challenger Adv(A) = Pr [ b = b' ] – 1/2, should be negligible ● Goal: tight reduction to standard assumption (e.g., DDH)
This talk ● Tightly secure PKE: multi-challenge IND-CCA Dec(sk,·) pk m 0 ,m 1 repeat Enc(pk,m b ) b' Adversary A Challenger Adv(A) = Pr [ b = b' ] – 1/2, should be negligible ● Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries –
This talk ● Tightly secure PKE: multi-challenge IND-CCA Dec(sk,·) pk m 0 ,m 1 repeat Enc(pk,m b ) b' Adversary A Challenger Adv(A) = Pr [ b = b' ] – 1/2, should be negligible ● Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries – Enables security guarantees for arbitrary/unknown scenarios –
This talk ● Tightly secure PKE: multi-challenge IND-CCA Dec(sk,·) pk m 0 ,m 1 repeat Enc(pk,m b ) b' Adversary A Challenger Adv(A) = Pr [ b = b' ] – 1/2, should be negligible ● Goal: tight reduction to standard assumption (e.g., DDH) Tight: reduction loss independent of # ciphertexts/queries – Enables security guarantees for arbitrary/unknown scenarios – ● Difficulty: standard techniques yield non-tight reductions
Tight CCA security
Tight CCA security ● Tightly secure PKE: multi-challenge IND-CCA m 0 (1) ,m 1 (1) C (1) =Enc(pk,m b (1) ) … m 0 (Q) ,m 1 (Q) Adversary A Challenger C (Q) =Enc(pk,m b (Q) ) ● Standard techniques yield non-tight reductions, examples:
Tight CCA security ● Tightly secure PKE: multi-challenge IND-CCA m 0 (1) ,m 1 (1) C (1) =Enc(pk,m b (1) ) … m 0 (Q) ,m 1 (Q) Adversary A Challenger C (Q) =Enc(pk,m b (Q) ) ● Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i) –
Tight CCA security ● Tightly secure PKE: multi-challenge IND-CCA m 0 (1) ,m 1 (1) C (1) =Enc(pk,m b (1) ) … m 0 (Q) ,m 1 (Q) Adversary A Challenger C (Q) =Enc(pk,m b (Q) ) ● Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i) – HPS: reduction knows full sk, entropy in sk randomizes one C (i) –
Tight CCA security ● Tightly secure PKE: multi-challenge IND-CCA m 0 (1) ,m 1 (1) C (1) =Enc(pk,m b (1) ) … m 0 (Q) ,m 1 (Q) Adversary A Challenger C (Q) =Enc(pk,m b (Q) ) ● Standard techniques yield non-tight reductions, examples: IBE: reduction knows "punctured" sk, randomize one C (i) – HPS: reduction knows full sk, entropy in sk randomizes one C (i) – NY (double encryption with consistency proof): make one C (i) "special" (with – simulated proof), requires simulation-soundness Difficulty: simulation-soundness in face of many simulated proofs ●
Previous work / contribution
Previous work / contribution Scheme |pk| |C| (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR
Previous work / contribution Scheme |pk| |C| (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR ● This work: not yet practical, but conceptual progress
Previous work / contribution Scheme |pk| |C| (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR ● This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts –
Previous work / contribution Scheme |pk| |C| (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR ● This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts – Yields first DCR-based tightly secure PKE scheme –
Previous work / contribution Scheme |pk| |C| (KEM) Loss Assumption CS98/BBM00 3 3 O(Q) DDH KD04/BBM00 2 2 O(Q) DDH CS03 3 2 O(Q) DCR HJ12 O(1) O(λ) O(1) DLIN (PFG) LPJY15 O(λ) 47 O(λ) DLIN (PFG) H16 2 60 O(λ) DLIN (PFG) GHKW16 2λ 3 O(λ) DDH This work 24 6 O(λ) DLIN (PFG) This work 20 30 O(λ) DCR ● This work: not yet practical, but conceptual progress Generic new techniques to randomize challenge ciphertexts – Yields first DCR-based tightly secure PKE scheme – ● Remaining talk: overview over new techniques
Basic strategy
Basic strategy ● This work: not yet practical, but conceptual progress – Generic new techniques to randomize challenge ciphertexts – Yields first DCR-based tightly secure PKE scheme ● Remaining talk: overview over new techniques ● Starting point: Naor-Yung double encryption: C = ( C 0 =Enc(pk 0 ,M 0 ), C 1 =Enc(pk 1 ,M 1 ), π )
Basic strategy ● This work: not yet practical, but conceptual progress – Generic new techniques to randomize challenge ciphertexts – Yields first DCR-based tightly secure PKE scheme ● Remaining talk: overview over new techniques ● Starting point: Naor-Yung double encryption: C = ( C 0 =Enc(pk 0 ,M 0 ), C 1 =Enc(pk 1 ,M 1 ), π ) Consistency proof: proves that M 0 =M 1
Naor-Yung encryption
Naor-Yung encryption C = ( C 0 =Enc(pk 0 ,M 0 ), C 1 =Enc(pk 1 ,M 1 ), π ) ● One (known) way to prove Naor-Yung secure:
Naor-Yung encryption C = ( C 0 =Enc(pk 0 ,M 0 ), C 1 =Enc(pk 1 ,M 1 ), π ) ● One (known) way to prove Naor-Yung secure: 0) IND-CCA experiment (many challenges), use sk 0 to decrypt
Naor-Yung encryption C = ( C 0 =Enc(pk 0 ,M 0 ), C 1 =Enc(pk 1 ,M 1 ), π ) ● One (known) way to prove Naor-Yung secure: 0) IND-CCA experiment (many challenges), use sk 0 to decrypt NIZK ind. 1) simulate all proofs π (using NIZK simulator) in challenges
Naor-Yung encryption C = ( C 0 =Enc(pk 0 ,M 0 ), C 1 =Enc(pk 1 ,M 1 ), π ) ● One (known) way to prove Naor-Yung secure: 0) IND-CCA experiment (many challenges), use sk 0 to decrypt NIZK ind. 1) simulate all proofs π (using NIZK simulator) in challenges CPA 2) randomize all M 1 in challenges
Recommend
More recommend