Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems
Jens Groth
BRICS, University of Aarhus
Cryptomathic A/S
IND-CCA2
Exp 0: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) :\ A^{O_2}(E_{pk}(m_0)) = 1]$
Exp 1: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) :\ A^{O_2}(E_{pk}(m_1)) = 1]$
where
$O_1(y) = D_{sk}(y)$
$O_2(y)$: if $y$ is the challenge ciphertext, answer "test"; else answer $D_{sk}(y)$
$D_{sk}(y)$ = invalid on a bad ciphertext
RCCA
Canetti, Krawczyk, Nielsen: Replayable CCA security
Exp 0: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) :\ A^{O_2}(E_{pk}(m_0)) = 1]$
Exp 1: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) :\ A^{O_2}(E_{pk}(m_1)) = 1]$
where
$O_1(y) = D_{sk}(y)$
$O_2(y)$: if $D_{sk}(y) \in \{m_0, m_1\}$, answer "test"; else answer $D_{sk}(y)$
Goal
RCCA rerandomizable cryptosystem
Reasons
• Practical: anonymization
• Theoretical: targeted malleability
Results
Cryptosystem: $O(|m|)$ exponentiations
No security proof
Security argument
• Standard model: Weak RCCA
• Semi-generic model: RCCA
Weak RCCA
Exp 0: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) :\ A^{O_2}(E_{pk}(m_0)) = 1]$
Exp 1: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) :\ A^{O_2}(E_{pk}(m_1)) = 1]$
where
$O_1(y) = D_{sk}(y)$
$O_2(y)$: if $D_{sk}(y) \in \{m_0, m_1\}$, answer "invalid"; else answer $D_{sk}(y)$
IND-CCA1 < WRCCA < RCCA < IND-CCA2
Cramer-Shoup
$pk = (g_L, g_R, h, c, d)$, with $G_q \le \mathbb{Z}_p^*$
$sk = (x_L, x_R, k_L, k_R, l_L, l_R)$
$h = g_L^{x_L} = g_R^{x_R}$
$c = g_L^{k_L} g_R^{k_R}$, $d = g_L^{l_L} g_R^{l_R}$
$E_{pk}(m; r) = (g_L^r, g_R^r, h^r m, (c d^H)^r)$, where $H = \mathrm{hash}(u_L, u_R, v)$
$D_{sk}(u_L, u_R, v, \alpha)$: if $\alpha = u_L^{k_L + H l_L} u_R^{k_R + H l_R}$, return $m = v u_R^{-x_R}$; else return invalid
WRCCA cryptosystem
$pk = (g_{L,1}, g_{R,1}, h_1, \ldots, g_{L,k}, g_{R,k}, h_k, c, d)$
$sk = (x_{L,1}, \ldots, x_{L,k}, k_{L,1}, l_{L,1}, \ldots, k_{R,k}, l_{R,k})$
$h_i = g_{L,i}^{x_{L,i}}$, $c = \prod_i g_{L,i}^{k_{L,i}} g_{R,i}^{k_{R,i}}$, $d = \prod_i g_{L,i}^{l_{L,i}} g_{R,i}^{l_{R,i}}$
$m = m_1 \ldots m_k \in \{-1, 1\}^k$, $H = \mathrm{hash}(m)$
$E(m; r) = (g_{L,1}^r, g_{R,1}^r, h_1^{m_1 r}, \ldots, g_{L,k}^r, g_{R,k}^r, h_k^{m_k r}, (c d^H)^r)$
$D(u_{L,1}, u_{R,1}, v_1, \ldots, u_{L,k}, u_{R,k}, v_k, \alpha)$: if $\alpha = \prod_i u_{L,i}^{k_{L,i} + H l_{L,i}} u_{R,i}^{k_{R,i} + H l_{R,i}}$, return $m$; else return invalid
Rerandomization: $(u_{L,1}^s, u_{R,1}^s, v_1^s, \ldots, u_{L,k}^s, u_{R,k}^s, v_k^s, \alpha^s)$
RCCA attack
• $(pk, sk) \leftarrow K$
• $(m_0, m_1) \leftarrow A(pk)$
• Challenge: $(u_{L,1}, u_{R,1}, v_1, \ldots, u_{L,k}, u_{R,k}, v_k, \alpha) = (g_{L,1}^r, g_{R,1}^r, h_1^{m_{b,1} r}, \ldots, g_{L,k}^r, g_{R,k}^r, h_k^{m_{b,k} r}, (c d^H)^r)$
• Query $O_2$ on $(u_{L,1} g_{L,1}, u_{R,1} g_{R,1}, v_1 h_1^{m_{0,1}}, \ldots, \alpha c d^{\mathrm{hash}(m_0)})$: if the answer is "test", return 0; if it is "invalid", return 1
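The following is an added worked example, not code from the slides or from the paper they summarise. It implements the $k$-bit WRCCA cryptosystem of the previous slide over a toy-size safe-prime subgroup, its rerandomization, the guess-phase oracle $O_2$ in both its RCCA and WRCCA forms, and the replay attack of this slide. Assumptions of mine: the slide's "return $m$" is read as recovering each bit by comparing $v_i$ with $u_{L,i}^{x_{L,i}} = h_i^r$; hash is SHA-256 of the bit string reduced mod $q$; the attack's factors $g_{L,i}$, $g_{R,i}$, $h_i^{m_{0,i}}$, $c d^{\mathrm{hash}(m_0)}$ are taken to be $E(m_0; 1)$; `None` plays the role of "invalid"; the 64-bit group and the seeded generator exist only to keep the run fast and reproducible.

```python
import hashlib
import random

# Deterministic toy randomness so the run is reproducible (constructed for the
# example; a real implementation draws from the OS CSPRNG, e.g. the secrets module).
rng = random.Random(2004)

def is_prime(n):
    """Deterministic Miller-Rabin, valid for n < 3.3e24 (covers our 65-bit numbers)."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % a == 0:
            return n == a
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """p = 2q + 1 with p and q prime; G_q is the order-q subgroup of Z_p^*."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(64)  # toy size for speed; real deployments use >= 2048-bit p

def group_element():
    """Random non-identity element of G_q: a square of some x with 1 < x < p - 1."""
    return pow(rng.randrange(2, P - 1), 2, P)

def hash_msg(m):
    """H = hash(m) as an exponent mod q; m is a list of +1/-1 (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(bytes(1 if b == 1 else 0 for b in m)).digest(), "big") % Q

def keygen(k):
    """Key generation for k-bit messages, in the slide's notation."""
    gL = [group_element() for _ in range(k)]
    gR = [group_element() for _ in range(k)]
    xL, kL, kR, lL, lR = ([rng.randrange(1, Q) for _ in range(k)] for _ in range(5))
    h = [pow(gL[i], xL[i], P) for i in range(k)]
    c = d = 1
    for i in range(k):
        c = c * pow(gL[i], kL[i], P) * pow(gR[i], kR[i], P) % P
        d = d * pow(gL[i], lL[i], P) * pow(gR[i], lR[i], P) % P
    return {"gL": gL, "gR": gR, "h": h, "c": c, "d": d}, {"xL": xL, "kL": kL, "kR": kR, "lL": lL, "lR": lR}

def encrypt(pk, m, r=None):
    """E(m; r) = (g_{L,i}^r, g_{R,i}^r, h_i^{m_i r}) for each i, then (c d^H)^r with H = hash(m)."""
    r = rng.randrange(1, Q) if r is None else r
    ct = []
    for i, mi in enumerate(m):
        ct += [pow(pk["gL"][i], r, P), pow(pk["gR"][i], r, P), pow(pk["h"][i], mi * r % Q, P)]
    ct.append(pow(pk["c"] * pow(pk["d"], hash_msg(m), P) % P, r, P))
    return ct

def decrypt(pk, sk, ct):
    """Recover each bit from v_i against u_{L,i}^{x_{L,i}} = h_i^r, then verify the tag alpha."""
    k = len(sk["xL"])
    if len(ct) != 3 * k + 1 or any(not 0 < x < P or pow(x, Q, P) != 1 for x in ct):
        return None  # wrong shape or a component outside G_q: invalid
    m = []
    for i in range(k):
        hr = pow(ct[3 * i], sk["xL"][i], P)
        if ct[3 * i + 2] == hr:
            m.append(1)
        elif ct[3 * i + 2] == pow(hr, P - 2, P):  # h_i^{-r}
            m.append(-1)
        else:
            return None
    H, expected = hash_msg(m), 1
    for i in range(k):
        expected = expected * pow(ct[3 * i], (sk["kL"][i] + H * sk["lL"][i]) % Q, P) % P
        expected = expected * pow(ct[3 * i + 1], (sk["kR"][i] + H * sk["lR"][i]) % Q, P) % P
    return m if ct[-1] == expected else None

def rerandomize(ct, s=None):
    """Raise every component to s: a fresh-looking encryption of the same message."""
    s = rng.randrange(1, Q) if s is None else s
    return [pow(x, s, P) for x in ct]

def oracle_o2(pk, sk, ct, m0, m1, model):
    """Guess-phase oracle: RCCA answers 'test' when the plaintext is a challenge message, WRCCA 'invalid'."""
    m = decrypt(pk, sk, ct)
    if m in (m0, m1):
        return "test" if model == "RCCA" else "invalid"
    return "invalid" if m is None else m

def replay_attack(pk, sk, challenge, m0, m1, model):
    """The slide's attack: multiply the challenge componentwise by E(m0; 1) and ask O2; 0 guesses m0, 1 guesses m1."""
    mauled = [a * b % P for a, b in zip(challenge, encrypt(pk, m0, r=1))]
    return {"test": 0, "invalid": 1}.get(oracle_o2(pk, sk, mauled, m0, m1, model))
```

Running `replay_attack` with `model="RCCA"` returns the challenge bit every time, since the mauled ciphertext is a valid encryption of $m_0$ exactly when $b = 0$; with `model="WRCCA"` both branches come back "invalid", which is why the scheme meets the weaker definition but not RCCA.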
RCCA cryptosystem
$PK = (pk_{WRCCA}, pk_{Hom})$, the WRCCA scheme now over $G_n \le \mathbb{Z}_p^*$
$SK = (sk_{WRCCA}, sk_{Hom})$
$E_{PK}(m; r, R, Z) = (u_{L,1}, u_{R,1}, v_1, \ldots, \alpha^Z, E_{Hom}(Z; R))$, where $E_{WRCCA}(m; r) = (u_{L,1}, u_{R,1}, v_1, \ldots, \alpha)$
$D_{SK}(u_{L,1}, u_{R,1}, v_1, \ldots, \beta, y)$: if $\beta = \left(\prod_i u_{L,i}^{k_{L,i} + H l_{L,i}} u_{R,i}^{k_{R,i} + H l_{R,i}}\right)^Z$, return $m$; else return invalid
Rerandomization: $(u_{L,1}^s, u_{R,1}^s, v_1^s, \ldots, \beta^{sz}, y^z E_{Hom}(0; S))$
Semi-generic model
Idealized homomorphic encryption
• (Encrypt, $m$) = $y$; store $(y, m)$
• (Add, $y$, $y'$) = $y''$; store $(y'', m + m')$ if $(y, m)$ and $(y', m')$ are stored
• (Decrypt, $y$) = $m$ if $(y, m)$ is stored
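As an added illustration (mine, not the slides' or the paper's), the idealized oracle of this slide as a small simulator, together with the homomorphic half of the previous slide's rerandomization, $y^z \cdot E_{Hom}(0; S)$. The model only offers Add, so $y^z$ (plaintext $z \cdot Z$) has to be built from Add queries; the code does that by double-and-add. Assumptions: ciphertexts are 128-bit random handles, the plaintext space is $\mathbb{Z}_n$ for a modulus `n` the caller chooses, and $z \ge 1$.

```python
import random

class IdealHomomorphicEncryption:
    """Semi-generic model: handles are opaque, Add only works on stored handles,
    and Decrypt answers only for handles the oracle itself created."""

    def __init__(self, n, seed=2004):
        self.n = n          # plaintext space Z_n
        self.table = {}     # handle y -> plaintext m, the slide's stored pairs
        self.rng = random.Random(seed)  # constructed; handles only need to be fresh

    def _fresh_handle(self):
        while True:
            y = self.rng.getrandbits(128)
            if y not in self.table:
                return y

    def encrypt(self, m):
        """(Encrypt, m) = y, store (y, m)."""
        y = self._fresh_handle()
        self.table[y] = m % self.n
        return y

    def add(self, y1, y2):
        """(Add, y, y') = y'' with m + m' stored, but only if both inputs are stored."""
        if y1 not in self.table or y2 not in self.table:
            return None
        y3 = self._fresh_handle()
        self.table[y3] = (self.table[y1] + self.table[y2]) % self.n
        return y3

    def decrypt(self, y):
        """(Decrypt, y) = m if (y, m) is stored; anything else yields None."""
        return self.table.get(y)

def scalar_mul(oracle, y, z):
    """The slide's y^z, i.e. z-fold addition, using O(log z) Add queries (z >= 1 assumed)."""
    acc, base = None, y
    while z > 0:
        if z & 1:
            acc = base if acc is None else oracle.add(acc, base)
        z >>= 1
        if z:
            base = oracle.add(base, base)
    return acc

def rerandomize_hom(oracle, y, z):
    """y^z * E_Hom(0; S): a fresh handle whose plaintext is z * Z mod n."""
    return oracle.add(scalar_mul(oracle, y, z), oracle.encrypt(0))
```

The point the model captures is visible in `decrypt`: a handle that did not come out of Encrypt or Add has no stored pair, so the oracle returns nothing for it, which is exactly what makes ciphertext mauling outside the permitted Add operation impossible in this model.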
Open problems
Semi-generic model: practical RCCA cryptosystem
Standard model: RCCA cryptosystem
Both models: other forms of targeted malleability, for example homomorphic cryptosystems