
Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems

Jens Groth, BRICS, University of Aarhus / Cryptomathic A/S





Presentation Transcript


  1. Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems
     Jens Groth, BRICS, University of Aarhus / Cryptomathic A/S

  2. IND-CCA2
     Exp 0: $\Pr[(pk,sk) \leftarrow K;\ (m_0,m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_0)) = 1]$
     Exp 1: $\Pr[(pk,sk) \leftarrow K;\ (m_0,m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_1)) = 1]$
     where $O_1(y) = D_{sk}(y)$,
     $O_2(y)$ = if $y$ is the challenge ciphertext, answer "test", else answer $D_{sk}(y)$,
     and $D_{sk}(y)$ = invalid on a bad ciphertext.

  3. RCCA (Canetti, Krawczyk, Nielsen: Replayable CCA security)
     Exp 0: $\Pr[(pk,sk) \leftarrow K;\ (m_0,m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_0)) = 1]$
     Exp 1: $\Pr[(pk,sk) \leftarrow K;\ (m_0,m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_1)) = 1]$
     where $O_1(y) = D_{sk}(y)$,
     $O_2(y)$ = if $D_{sk}(y) \in \{m_0, m_1\}$, answer "test", else answer $D_{sk}(y)$.

  4. Goal: an RCCA-secure rerandomizable cryptosystem
     Reasons
     • Practical: anonymization
     • Theoretical: targeted malleability

  5. Results
     Cryptosystem: $O(|m|)$ exponentiations; no security proof
     Security argument
     • Standard model: Weak RCCA
     • Semi-generic model: RCCA

  6. Weak RCCA
     Exp 0: $\Pr[(pk,sk) \leftarrow K;\ (m_0,m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_0)) = 1]$
     Exp 1: $\Pr[(pk,sk) \leftarrow K;\ (m_0,m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_1)) = 1]$
     where $O_1(y) = D_{sk}(y)$,
     $O_2(y)$ = if $D_{sk}(y) \in \{m_0, m_1\}$, answer invalid, else answer $D_{sk}(y)$.
     IND-CCA1 < WRCCA < RCCA < IND-CCA2

  7. Cramer-Shoup
     Group $G_q \le \mathbb{Z}_p^*$
     $pk = (g_L, g_R, h, c, d)$, $sk = (x_L, x_R, k_L, k_R, l_L, l_R)$
     $h = g_L^{x_L} = g_R^{x_R}$, $c = g_L^{k_L} g_R^{k_R}$, $d = g_L^{l_L} g_R^{l_R}$
     $E_{pk}(m; r) = (g_L^r, g_R^r, h^r m, (c d^H)^r)$ with $H = \mathrm{hash}(u_L, u_R, v)$
     $D_{sk}(u_L, u_R, v, \alpha)$: if $\alpha = u_L^{k_L + H l_L} u_R^{k_R + H l_R}$ return $m = v u_R^{-x_R}$, else return invalid

  8. WRCCA cryptosystem
     $pk = (g_{L,1}, g_{R,1}, h_1, \ldots, g_{L,k}, g_{R,k}, h_k, c, d)$
     $sk = (x_{L,1}, \ldots, x_{L,k}, k_{L,1}, l_{L,1}, \ldots, k_{R,k}, l_{R,k})$
     $h_i = g_{L,i}^{x_{L,i}}$, $c = \prod_i g_{L,i}^{k_{L,i}} g_{R,i}^{k_{R,i}}$, $d = \prod_i g_{L,i}^{l_{L,i}} g_{R,i}^{l_{R,i}}$
     $m = m_1 \ldots m_k \in \{-1, 1\}^k$, $H = \mathrm{hash}(m)$
     $E(m; r) = (g_{L,1}^r, g_{R,1}^r, h_1^{m_1 r}, \ldots, g_{L,k}^r, g_{R,k}^r, h_k^{m_k r}, (c d^H)^r)$
     $D(u_{L,1}, u_{R,1}, v_1, \ldots, u_{L,k}, u_{R,k}, v_k, \alpha)$: if $\alpha = \prod_i u_{L,i}^{k_{L,i} + H l_{L,i}} u_{R,i}^{k_{R,i} + H l_{R,i}}$ return $m$, else return invalid
     Rerandomization: $(u_{L,1}^s, u_{R,1}^s, v_1^s, \ldots, u_{L,k}^s, u_{R,k}^s, v_k^s, \alpha^s)$

  9. RCCA attack
     • $(pk, sk) \leftarrow K$
     • $(m_0, m_1) \leftarrow A(pk)$
     • Challenge ciphertext: $(u_{L,1}, u_{R,1}, v_1, \ldots, u_{L,k}, u_{R,k}, v_k, \alpha) = (g_{L,1}^r, g_{R,1}^r, h_1^{m_{b,1} r}, \ldots, g_{L,k}^r, g_{R,k}^r, h_k^{m_{b,k} r}, (c d^H)^r)$
     • Query $O_2$ on $(u_{L,1} g_{L,1}, u_{R,1} g_{R,1}, v_1 h_1^{m_{0,1}}, \ldots, \alpha\, c\, d^{\mathrm{hash}(m_0)})$: if the answer is test return 0, if invalid return 1
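As an added example, not code from the slides: a toy Python instantiation of the WRCCA cryptosystem of slide 8 with its rerandomization, plus the slide-9 query, which a decryption oracle answers with $m_0$ exactly when the challenge encrypts $m_0$ (the reason the scheme is only WRCCA). It assumes constructed parameters $p = 2039$, $q = 1019$ (far too small to be secure), models $\mathrm{hash}(m)$ as SHA-256 of the message reduced mod $q$, and decodes each $m_i$ by comparing $v_i$ with $h_i^r = u_{L,i}^{x_{L,i}}$, a step the slide leaves implicit.

```python
import hashlib, secrets
from functools import reduce
P, Q = 2039, 1019                                  # constructed toy group G_q <= Z_p^*, p = 2q + 1 (NOT secure)
prod = lambda xs: reduce(lambda a, b: a * b % P, xs, 1)
rand_exp = lambda: secrets.randbelow(Q - 1) + 1    # uniform in Z_q \ {0}
rand_gen = lambda: pow(secrets.randbelow(P - 3) + 2, 2, P)   # square != 1, hence order q

def hash_msg(m):                                   # H = hash(m) in Z_q (assumed: SHA-256 mod q), m in {-1,1}^k
    return int.from_bytes(hashlib.sha256(repr(tuple(m)).encode()).digest(), "big") % Q

def keygen(k):
    gL, gR = [rand_gen() for _ in range(k)], [rand_gen() for _ in range(k)]
    xL, kL, kR, lL, lR = ([rand_exp() for _ in range(k)] for _ in range(5))
    h = [pow(gL[i], xL[i], P) for i in range(k)]                   # h_i = g_{L,i}^{x_{L,i}}
    c = prod(pow(gL[i], kL[i], P) * pow(gR[i], kR[i], P) for i in range(k))
    d = prod(pow(gL[i], lL[i], P) * pow(gR[i], lR[i], P) for i in range(k))
    return (gL, gR, h, c, d), (xL, kL, kR, lL, lR)

def encrypt(pk, m, r=None):
    gL, gR, h, c, d = pk
    r = rand_exp() if r is None else r
    ct = []
    for i, mi in enumerate(m):                     # (g_{L,i}^r, g_{R,i}^r, h_i^{m_i r})
        ct += [pow(gL[i], r, P), pow(gR[i], r, P), pow(h[i], mi * r % Q, P)]
    return tuple(ct) + (pow(c * pow(d, hash_msg(m), P) % P, r, P),)   # alpha = (c d^H)^r

def decrypt(pk, sk, ct):
    gL, gR, h, c, d = pk
    xL, kL, kR, lL, lR = sk
    m = []
    for i in range(len(gL)):                       # m_i from v_i against h_i^r = u_{L,i}^{x_{L,i}}
        uL, _, v = ct[3 * i:3 * i + 3]
        t = pow(uL, xL[i], P)
        if v == t:
            m.append(1)
        elif v == pow(t, Q - 1, P):                # t^{-1}, since t has order q
            m.append(-1)
        else:
            return None                            # invalid
    H = hash_msg(m)
    chk = prod(pow(ct[3 * i], (kL[i] + H * lL[i]) % Q, P)
               * pow(ct[3 * i + 1], (kR[i] + H * lR[i]) % Q, P) for i in range(len(gL)))
    return tuple(m) if ct[-1] == chk else None     # alpha check of slide 8

def rerandomize(ct, s=None):                       # raise every component to s: same m, randomness r*s
    s = rand_exp() if s is None else s
    return tuple(pow(x, s, P) for x in ct)

def slide9_query(pk, ct, m0):                      # challenge * E(m0; 1): a valid ciphertext iff m_b = m0
    return tuple(a * b % P for a, b in zip(ct, encrypt(pk, m0, r=1)))
```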

  10. RCCA cryptosystem
     $PK = (pk_{WRCCA}, pk_{Hom})$, $SK = (sk_{WRCCA}, sk_{Hom})$, WRCCA over $G_n \le \mathbb{Z}_p^*$
     $E_{PK}(m; r, R, Z) = (u_{L,1}, u_{R,1}, v_1, \ldots, \alpha^Z, E_{Hom}(Z; R))$ where $E_{WRCCA}(m; r) = (u_{L,1}, u_{R,1}, v_1, \ldots, \alpha)$
     $D_{SK}(u_{L,1}, u_{R,1}, v_1, \ldots, \beta, y)$: if $\beta = \left(\prod_i u_{L,i}^{k_{L,i} + H l_{L,i}} u_{R,i}^{k_{R,i} + H l_{R,i}}\right)^Z$ return $m$, else return invalid
     Rerandomization: $(u_{L,1}^s, u_{R,1}^s, v_1^s, \ldots, \beta^{sz}, y^z \cdot E_{Hom}(0; S))$

  11. Semi-generic model: idealized homomorphic encryption
     • (Encrypt, $m$) = $y$; store $(y, m)$
     • (Add, $y$, $y'$) = $y''$; store $(y'', m + m')$ if $(y, m)$ and $(y', m')$ are stored
     • (Decrypt, $y$) = $m$ if $(y, m)$ is stored

  12. Open problems
     Semi-generic model: a practical RCCA cryptosystem
     Standard model: an RCCA cryptosystem
     Both models: other forms of targeted malleability, for example homomorphic cryptosystems
