
Constructions Secure against Receiver Selective Opening and Chosen Ciphertext Attacks





Presentation Transcript


  1. Constructions Secure against Receiver Selective Opening and Chosen Ciphertext Attacks Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn CT-RSA 2017 02-17

  2. Outline • Background • Motivation • Our contribution • Existence: RSO-CCA from RSO-CPA and IND-CCA • RSO-CPA from IND-CPA • The construction in [CS02] is RSO-CCA secure

  3. Public Key Encryption with labels (PKE) Key Generator: sk pk Receiver: Sender: c () Adversary The adversary succeeds if

  4. One-time unforgeable signature Key Generator: • The adversary succeeds if and vk sigk Receiver: Sender: m Adversary

  5. Simulation Soundness NIZK • CRSGen CRS • Prover: P(CRS,x,w) to prove w witness • Verifier: V(CRS,x,) {0,1} Adversary CRSGen CRS CRSSimu (x,w) (x,w) Multi-time Multi-time P(CRS,x,w) Simu(CRS,x) Real world Simulated world indistinguishable

  6. PKE with Receiver Selective Opening Security Corrupted, revealed Receiver 1 Is protected well? Receiver 2 Sender … … Receiver n Corrupted, revealed What if the adversary also has access to the decryption oracle?

  7. The formal definition of RSO Dec Oracle Adversary Challenger () multi-time

  8. A simpler Case: single message security Dec Adversary Challenger (dist,Redist)

  9. Motivation • RSO-CPA secure constructions • Key simulatable PKE [HPW15] • NCER [CHK05,HPW15] • RSO-CCA secure construction • Not known yet

  10. The challenge • For the RSO case, the simulator should produce a CT satisfying: • With sk, CT and m are bound • Without sk, CT computationally hides m A world just like the real experiment & embed the problem in the experiment Adversary simulator Hard solved problem Problem solved Remaining info after decryption queries for the CCA case

  11. RSO-CCA from RSO-CPA RSO-CCA • pk=(),sk= • CT=() Sig RSO-CPA IND-CCA NIZK

  12. Security: high level idea • How to open the secret key? • sksk for RSO-CPA • How to answer decryption queries? • sk for IND-CCA • Is this reasonable? • Simulation sound NIZK assures that for queries from the adversary, sk for RSO-CPA and sk for CCA PKE lead to the same result

  13. Security Proof: hybrid Game 0: real game when the challenger opens Game 1 Game 8 Game 9: real game when the challenger opens

  14. Security proof : concrete

  15. RSO-CPA to RSO-CCA Simulation sound NIZK One-time signature CCA PKE RSO-CCA PKE + + RSO-CPA PKE CPA PKE Weak HPS universal2 HPS RSO-CCA PKE

  16. RSO-CPA from IND-CPA pk sk Enc: IND-CPA

  17. Security: high level • the simulator should produce a CT satisfying: • With sk, CT and m are bound CT, hence m bound • Without sk, CT computationally hides m and encapsulates different bits, hence m is information-theoretically hidden

  18. Warm up: DDH assumption • Group G of prime order p, generator g • a,b,c chosen uniformly random from

  19. Review: CCA construction from CS98 • Keygen: , pk: ,,collision resistant H sk: • Enc: , where • Dec: , if yes, return

  20. An observation: ciphertext only related to pk ciphertext reveals more information about sk than pk

  21. Security: high level • Challenge ciphertext With sk, bound with m; without sk, information-theoretically hides m • Decryption query ciphertext Without sk, the adversary can only produce ciphertexts of this type; ciphertexts of this type will not leak more information about sk than pk does
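An added example, not code from the slides: a toy implementation of the CS98 scheme reviewed in slides 18-21, over a constructed small safe-prime group (p = 1019, q = 509) with SHA-256 standing in for the collision-resistant H. The parameters and names are illustration-sized assumptions; the point is the decryption-side consistency check on v, which is what rejects the malformed decryption queries discussed above.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: p = 2q + 1 is a safe prime and
# G is the order-q subgroup of squares mod p, generated by g1 = 4 = 2^2.
P, Q, G1 = 1019, 509, 4

def hash_to_zq(u1, u2, e):
    """Collision-resistant H of the CS98 scheme (SHA-256 here), output in Z_q."""
    data = f"{u1},{u2},{e}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """pk = (g1, g2, c, d, h), sk = (x1, x2, y1, y2, z); c, d authenticate, h hides."""
    g2 = pow(G1, secrets.randbelow(Q - 1) + 1, P)       # second generator of G
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    c = pow(G1, x1, P) * pow(g2, x2, P) % P
    d = pow(G1, y1, P) * pow(g2, y2, P) % P
    h = pow(G1, z, P)
    return (G1, g2, c, d, h), (x1, x2, y1, y2, z)

def encrypt(pk, m):
    """m must be an element of G. Returns (u1, u2, e, v) with u1, u2 tied by r."""
    g1, g2, c, d, h = pk
    r = secrets.randbelow(Q)
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = pow(h, r, P) * m % P
    alpha = hash_to_zq(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * alpha % Q, P) % P
    return u1, u2, e, v

def decrypt(sk, ct):
    """Recompute v from sk; reject (return None) when the ciphertext is malformed,
    so a decryption query leaks nothing about sk beyond what pk already reveals."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    alpha = hash_to_zq(u1, u2, e)
    expected = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    if expected != v:
        return None
    return e * pow(u1, (-z) % Q, P) % P                  # e / u1^z = m

def demo():
    pk, sk = keygen()
    m = pow(G1, 123, P)                                  # a sample message in G
    ct = encrypt(pk, m)
    u1, u2, e, v = ct
    tampered = (u1, u2, e, v * G1 % P)                   # v altered: must be rejected
    return decrypt(sk, ct) == m, decrypt(sk, tampered) is None
```

Altering u2 or e instead of v is likewise rejected except with probability about 1/q, which is why the toy group size matters only for the demo and not for the argument.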

  22. Conclusion Simulation sound NIZK One-time signature CCA PKE RSO-CCA PKE + + RSO-CPA PKE CPA PKE Weak HPS universal2 HPS RSO-CCA PKE

  23. Thanks for your attention! Questions?

  24. New Revocable IBE in Prime-Order Groups: Adaptively Secure, Decryption Key Exposure Resistant, and with Short Public Parameters Yohei Watanabe CRYP-F03 JSPS Research Fellow (PD), The University of Electro-Communications, Japan Collaborative Researcher, AIST, Japan Joint work with Keita Emura (NICT, Japan) and Jae Hong Seo (Myongji Univ., Korea)

  25. Identity-Based Encryption (IBE) [Sha84,BF01] master key ID ID ID ID ID ID ID secret key Key Generation Center (KGC) ID plaintext ciphertext Sender Receiver Public-key encryption that allows arbitrary strings to be used as public keys

  26. Revocation Functionality in IBE master key ID secret key ID ID ID KGC Send secret key to every non-revoked user ID for each time period ID ID ID ID plaintext ciphertext Sender Receiver Naïve solution by Boneh and Franklin [BF01] Consider ID as the identity KGC’s overhead is huge

  27. IBE with Efficient Revocation [BGK08] master key RL key update Revocation List ID ID ID ID ID ID KGC ID decryption key plaintext ciphertext Sender Receiver Called Revocable IBE (RIBE) Using the complete subtree (CS) method [NNL01] KGC broadcasts key update at each time period KGC’s overhead can be reduced!

  28. History of Security Models of RIBE DKER is important! RIBE should be an efficient realization of [BF01]’s solution [BF01]’s solution supports DKER Decryption keys potentially have the risk of leakage • [BGK08] proved their scheme is selectively secure • [LV09] proposed the first adaptively secure RIBE scheme • [SE13] introduced decryption key exposure resistance (DKER) • By defining a decryption key exposure oracle

  29. Classification of Adaptively Secure RIBE Adaptively Secure Decryption Key Exposure Resistant (DKER) [CZ15] (lattice-based) with Short Public Parameters [LLP14] [SLLW14] [Lee16] over Prime-Order Groups [SE13] [IWS15] [This Work] [CLL+12] [LV09]

  30. Our Contribution Propose a new RIBE scheme • Meets adaptive security • Under a mild variant of the symmetric external Diffie-Hellman (SXDH) assumption • Supports DKER [SE13] • Desirable security notion for RIBE • Achieves constant-size public parameters • Does NOT depend on the identity size • Constructed over asymmetric bilinear groups of prime order • Realizes small element sizes and faster operations

  31. RIBE: Model (Recall) RL Secret key generation Key update generation master key ID ID ID ID KGC key update Revocation List secret key ID ID ID ID Encryption Decryption key generation ID plaintext ciphertext decryption key Decryption Receiver Sender

  32. RIBE: Adaptive Security with DKER RL SKGen If is issued, must be revoked before I secret key for I I*, updated Revoke I I (I, ) KeyUp Adversary Challenger key update Oracles DKGen (I, ) cannot be issued dec. key The oracle captures DKER!

  33. What is the Difficulty of This Work? The dual system encryption technique [Wat09] seems not applicable to RIBE constructions with DKER… Seemingly suitable for constructing RIBE schemes from simple assumptions However, the approach does not work well The currently-known constant-size IBE schemes are constructed from stronger assumptions; or from simple assumptions via the dual system encryption approach

  34. Dual System Encryption in IBE • Prepare semi-functional ciphertexts (SF-CT) and secret keys (SF-SK). • SF-CT can be decrypted by only normal SKs • SF-SK can decrypt only normal CTs

  35. Essential Part in the Transition from Game i-1 to Game i • Simulator has to embed some function into public parameters • Randomness for the challenge CT • Randomness for the i-th SK query • is independent of from an adversarial view • Since is a pairwise independent function and The games are successfully simulated!

  36. Dual System Encryption in RIBE with DKER • Adversary can also get … • Decryption keys for such that • Secret key for (though it should be revoked before ) • is NOT independent of from an adversarial view • If the i-th SK query is (then it holds ) We cannot transition from Game i-1 to Game i

  37. Our Approach Seo-Emura RIBE [SE13] Adaptively secure [Wat05] [SE13] Decisional Bilinear Diffie-Hellman (DBDH) assumption Waters IBE [Wat05] Adaptively secure Waters IBE [Wat05] Red. Red. Boneh-Boyen IBE [BB04] Dual system encryption Proposed RIBE Adaptively secure Basic IBE Adaptively secure Constant-size public parameter Simple and static computational assumption(s) Basic IBE Red. Red. Boneh-Boyen IBE [BB04] Taking the Seo-Emura approach [SE13] !

  38. Details of the Seo-Emura technique The most non-trivial part is simulating decryption keys for s.t. Almost all queries can be easily simulated due to the adaptive security of Waters IBE Seo and Emura employed two techniques: • Boneh-Boyen technique [BB04] • To answer all queries not related to by embedding into public parameters • can be guessed with polynomial loss • Secret-key re-randomization • To make the biased distribution of the randomness in decryption keys uniform

  39. Requirements for Applying the Seo-Emura technique cf. Boneh-Boyen IBE [BB04] , , For DBDH instance , Set ,, and Then Basic IBE must satisfy … (0) Constant-size public parameters (1) Secret-key re-randomization property (by public parameters) (2) Applicability of the Boneh-Boyen technique (2-1) Each component of SK contains at most one component of the master key (MK) (2-2) Each component of MK is available in the public parameters in some form

  40. Basic IBE Scheme from Jutla-Roy IBE [JR13,RS14] • Most of dual-system-encryption-based IBE schemes do not satisfy (1) and (2) • e.g., DPVS-based IBE schemes do not satisfy any requirement • We employ the Jutla-Roy IBE [JR13,RS14] as “Basic IBE” • Achieves constant-size public parameters • Satisfies requirements (1) and (2-1), but not (2-2) Modify the Jutla-Roy IBE to additionally satisfy the requirement (2-2) !

  41. Security of Modified Jutla-Roy IBE [Original] DDH1 assumption and DDH2 assumption (SXDH assumption) Jutla-Roy IBE [JR13,RS14] Adaptively secure Reduction Static assumption Similar to DDH1v assumption [RCS12] [This Work] Augmented DDH1 (ADDH1) assumption and DDH2 assumption Modified Jutla-Roy IBE Adaptively secure Reduction Dual system encryption

  42. Our RIBE Scheme: Construction Dual system encryption Proposed RIBE Adaptively secure ADDH1 assumption and DDH2 assumption Modified Jutla-Roy IBE Adaptively secure Jutla-Roy IBE Red. Red. Boneh-Boyen IBE Constructed based on the Jutla-Roy IBE Security is proved under adaptive security of the modified Jutla-Roy IBE

  43. Comparison … No. of users; … No. of revoked users; … bit-length of ID;

  44. Concluding Remarks Adaptively Secure DKER [CZ15] (lattice-based) with Short Public Parameters [LLP14] [SLLW14] [Lee16] over Prime-Order Groups [This Work] [CLL+12] [SE13] [IWS15] [LV09] Thank you! Icons: Material Design by Google | Apache License Ver. 2.0 Font Awesome by Dave Gandy | CC BY 3.0 Proposed a new RIBE scheme • Extension: • CCA security • Server-aided RIBE
