Adaptive partitioning - Dennis Hofheinz (KIT, Karlsruhe) - PowerPoint PPT Presentation

  1. Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe)

  9. Public-Key Encryption
     ● Accepted security notion: chosen-ciphertext security (IND-CCA)
       [Figure: IND-CCA game between Adversary A and Challenger; labels: Dec(sk,·), pk, m_0, m_1, Enc(pk, m_b), b']
       Adv(A) = Pr[b = b'] – 1/2, should be negligible
     ● Observation: covers only 1-user, 1-ciphertext scenario
       – Hybrid argument → multi-user, multi-ciphertext security
       – But: security guarantees may degrade in scenario size
       – So: scenario size may influence keylength recommendations
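
The hybrid argument named on slide 9, written out with the slide's Adv(A) = Pr[b = b'] – 1/2 (a worked derivation added here, not part of the original slides; the hybrid games H_j, the probabilities p_j and the single-challenge adversary B are notation introduced for it). Let H_j be the Q-challenge game in which challenges 1..j encrypt m_1^(i) and the remaining ones encrypt m_0^(i), and let p_j = Pr[A outputs 1 in H_j]:

$$
\begin{aligned}
\mathrm{Adv}_Q(A) &= \tfrac12\,(p_Q - p_0) = \tfrac12 \sum_{j=1}^{Q} (p_j - p_{j-1}),\\
\mathrm{Adv}_1(B) &= \frac{1}{Q} \sum_{j=1}^{Q} \tfrac12\,(p_j - p_{j-1}) = \frac{1}{Q}\,\mathrm{Adv}_Q(A)
\quad\Longrightarrow\quad \mathrm{Adv}_Q(A) = Q \cdot \mathrm{Adv}_1(B).
\end{aligned}
$$

B guesses j uniformly, embeds its single challenge at position j, encrypts the other Q-1 challenges itself under pk and forwards decryption queries to its own oracle. The bound on A is therefore weaker than the bound on B by the factor Q, which is the O(Q) loss listed for the earlier schemes in the table of previous work.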

  15. This talk
      ● Tightly secure PKE: multi-challenge IND-CCA
        [Figure: IND-CCA game between Adversary A and Challenger; labels: Dec(sk,·), pk, m_0, m_1, Enc(pk, m_b), b'; the challenge step is marked "repeat"]
        Adv(A) = Pr[b = b'] – 1/2, should be negligible
      ● Goal: tight reduction to standard assumption (e.g., DDH)
        – Tight: reduction loss independent of # ciphertexts/queries
        – Enables security guarantees for arbitrary/unknown scenarios
      ● Difficulty: standard techniques yield non-tight reductions

  20. Tight CCA security
      ● Tightly secure PKE: multi-challenge IND-CCA
        [Figure: Adversary A sends m_0^(1), m_1^(1), …, m_0^(Q), m_1^(Q) to the Challenger and receives C^(1) = Enc(pk, m_b^(1)), …, C^(Q) = Enc(pk, m_b^(Q))]
      ● Standard techniques yield non-tight reductions, examples:
        – IBE: reduction knows "punctured" sk, randomize one C^(i)
        – HPS: reduction knows full sk, entropy in sk randomizes one C^(i)
        – NY (double encryption with consistency proof): make one C^(i) "special" (with simulated proof), requires simulation-soundness
      ● Difficulty: simulation-soundness in face of many simulated proofs

  26. Previous work / contribution

      Scheme       |pk|   |C| (KEM)   Loss   Assumption
      CS98/BBM00   3      3           O(Q)   DDH
      KD04/BBM00   2      2           O(Q)   DDH
      CS03         3      2           O(Q)   DCR
      HJ12         O(1)   O(λ)        O(1)   DLIN (PFG)
      LPJY15       O(λ)   47          O(λ)   DLIN (PFG)
      H16          2      60          O(λ)   DLIN (PFG)
      GHKW16       2λ     3           O(λ)   DDH
      This work    24     6           O(λ)   DLIN (PFG)
      This work    20     30          O(λ)   DCR

      ● This work: not yet practical, but conceptual progress
        – Generic new techniques to randomize challenge ciphertexts
        – Yields first DCR-based tightly secure PKE scheme
      ● Remaining talk: overview over new techniques

  29. Basic strategy
      ● This work: not yet practical, but conceptual progress
        – Generic new techniques to randomize challenge ciphertexts
        – Yields first DCR-based tightly secure PKE scheme
      ● Remaining talk: overview over new techniques
      ● Starting point: Naor-Yung double encryption:
        C = ( C_0 = Enc(pk_0, M_0), C_1 = Enc(pk_1, M_1), π )
        Consistency proof: proves that M_0 = M_1

  34. Naor-Yung encryption
      C = ( C_0 = Enc(pk_0, M_0), C_1 = Enc(pk_1, M_1), π )
      ● One (known) way to prove Naor-Yung secure:
        0) IND-CCA experiment (many challenges), use sk_0 to decrypt
           (0 → 1: NIZK ind.)
        1) simulate all proofs π (using NIZK simulator) in challenges
           (1 → 2: CPA)
        2) randomize all M_1 in challenges
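
The Naor-Yung ciphertext C = (C_0, C_1, π) from slides 29-34 as a runnable sketch, showing that a ciphertext whose two components hide different messages is rejected before any secret key is used (an added example, not code from the talk or the paper). Assumptions: ElGamal stands in for Enc, a Fiat-Shamir sigma proof stands in for the NIZK consistency proof (the talk's proof systems are different), the group is a constructed toy group, and all function names are hypothetical; letting the decryptor use either sk_0 or sk_1 goes slightly beyond the slides, which only use sk_0.

```python
import hashlib, secrets

# Toy group, constructed for illustration only (far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def _in_group(x):
    return 0 < x < P and pow(x, Q, P) == 1

def _challenge(*vals):
    # Fiat-Shamir: hash the statement and the prover's commitments into Z_Q.
    digest = hashlib.sha256(repr(vals).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def ny_encrypt(pk0, pk1, M):
    """C = (C0 = Enc(pk0, M), C1 = Enc(pk1, M), pi), with ElGamal as Enc."""
    r0, r1 = secrets.randbelow(Q), secrets.randbelow(Q)
    C0 = (pow(G, r0, P), M * pow(pk0, r0, P) % P)
    C1 = (pow(G, r1, P), M * pow(pk1, r1, P) % P)
    # pi proves knowledge of (r0, r1) with C0[1] / C1[1] = pk0^r0 * pk1^(-r1),
    # which holds exactly when both components hide the same M.
    k0, k1 = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, k0, P), pow(G, k1, P), pow(pk0, k0, P) * pow(pk1, -k1, P) % P)
    c = _challenge(pk0, pk1, C0, C1, t)
    return C0, C1, (t, (k0 + c * r0) % Q, (k1 + c * r1) % Q)

def ny_verify(pk0, pk1, C):
    C0, C1, (t, s0, s1) = C
    if not all(_in_group(x) for x in (*C0, *C1, *t)):
        return False
    c = _challenge(pk0, pk1, C0, C1, t)
    ratio = C0[1] * pow(C1[1], -1, P) % P
    return (pow(G, s0, P) == t[0] * pow(C0[0], c, P) % P
            and pow(G, s1, P) == t[1] * pow(C1[0], c, P) % P
            and pow(pk0, s0, P) * pow(pk1, -s1, P) % P
                == t[2] * pow(ratio, c, P) % P)

def ny_decrypt(sk, i, pk0, pk1, C):
    """Check pi, then decrypt component i with sk_i; None means reject."""
    if not ny_verify(pk0, pk1, C):
        return None
    a, b = C[i]
    return b * pow(a, -sk, P) % P
```

Messages must be elements of the order-Q subgroup, for example `pow(G, 77, P)`. With Q this small the proof's challenge space is tiny, so the soundness shown here is only illustrative.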
