Constructions Secure against Receiver Selective Opening and Chosen Ciphertext Attacks
Dingding Jia, Xianhui Lu, Bao Li (jiadingding@iie.ac.cn)
CT-RSA 2017, 02-17
Outline
• Background
• Motivation
• Our contribution
  • Existence: RSO-CCA from RSO-CPA and IND-CCA
  • RSO-CPA from IND-CPA
  • The construction in [CS02] is RSO-CCA secure
Public Key Encryption with labels (PKE)
[Figure: the key generator outputs sk and pk; the sender encrypts a labelled message under pk into the ciphertext c; the receiver decrypts with sk; the adversary is given pk and wins under the game's success condition.]
One-time unforgeable signature
[Figure: the key generator outputs the signing key sigk and the verification key vk; the sender signs a message m; the adversary, given vk and one signature, wins if it forges a valid signature on a new message.]
Simulation Soundness NIZK
• CRSGen → CRS
• Prover: P(CRS, x, w) → proof, to prove x with witness w
• Verifier: V(CRS, x, proof) → {0, 1}
[Figure: real world, CRSGen → CRS and multi-time P(CRS, x, w), versus simulated world, CRSSimu → CRS and multi-time Simu(CRS, x) without a witness; the adversary cannot distinguish the two.]
PKE with Receiver Selective Opening Security
[Figure: one sender, receivers 1 to n; some receivers are corrupted and their secret keys revealed.]
Is the message to an uncorrupted receiver still protected well? What if the adversary also has access to the decryption oracle?
The formal definition of RSO
[Figure: the multi-time RSO game between adversary and challenger, with a decryption oracle.]
A simpler case: single-message security
[Figure: the single-message game between adversary and challenger, with the decryption oracle and the pair (dist, Redist).]
Motivation
• RSO-CPA secure constructions
  • Key-simulatable PKE [HPW15]
  • NCER [CHK05, HPW15]
• RSO-CCA secure construction
  • Not known yet
The challenge
• For the RSO case, the simulator should produce a CT satisfying:
  • With sk, CT and m are bound together
  • Without sk, CT computationally hides m
[Figure: the simulator builds a world just like the real experiment and embeds the hard problem in it; when the adversary succeeds, the problem is solved. For the CCA case, the information remaining after the decryption queries must also be accounted for.]
RSO-CCA from RSO-CPA
[Figure: the RSO-CCA scheme's pk and sk are assembled from the RSO-CPA and IND-CCA key pairs and the NIZK CRS; a ciphertext CT consists of an RSO-CPA ciphertext, an IND-CCA ciphertext, a NIZK proof and a one-time signature.]
Security: high-level idea
• How to open the secret key? Open the sk of the RSO-CPA component
• How to answer decryption queries? Use the sk of the IND-CCA component
• Is this reasonable? The simulation-sound NIZK ensures that, for queries from the adversary, decrypting with the RSO-CPA sk and with the CCA PKE sk leads to the same result
Security proof: hybrid argument
• Game 0: the real game when the challenger opens …
• Games 1 to 8: intermediate hybrids
• Game 9: the real game when the challenger opens …
RSO-CPA to RSO-CCA
• Simulation-sound NIZK + one-time signature + CCA PKE + RSO-CPA PKE → RSO-CCA PKE
• CPA PKE → RSO-CPA PKE
• Weak HPS + universal2 HPS → RSO-CCA PKE
RSO-CPA from IND-CPA
[Figure: the construction of pk, sk and Enc from an IND-CPA scheme.]
Security: high level
• The simulator should produce a CT satisfying:
  • With sk, CT and m are bound together: the CT, and hence m, is fixed
  • Without sk, CT computationally hides m and encapsulates different bits, hence m is information-theoretically hidden
Warm up: DDH assumption
• Group G of prime order p, generator g
• a, b, c chosen uniformly at random from Z_p: (g^a, g^b, g^(ab)) is computationally indistinguishable from (g^a, g^b, g^c)
Review: CCA construction from CS98
• Keygen: pk consists of the public group elements and a collision-resistant hash H; sk consists of the corresponding exponents
• Enc: the ciphertext components are computed from the randomness and the message, the last one tied to H of the others
• Dec: check the consistency of the ciphertext; if the check passes, return the message
An observation
• A well-formed ciphertext (DDH tuple) is related only to pk
• A malformed ciphertext (non-DDH tuple) reveals more information about sk than pk does
Security: high level
• Challenge ciphertext: with sk, bound to m; without sk, it information-theoretically hides m
• Decryption-query ciphertext: without sk, the adversary can only produce well-formed ciphertexts, and a ciphertext of this type does not leak more information about sk than pk does
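A worked version of the scheme reviewed above, added here as an example: it is my own code, not the slides' or the paper's, and the slides' own formulas are not reproduced. It uses the hash-proof-system form of Cramer-Shoup, the [CS02] form named in the outline, in which h carries two exponents; that is what makes the opening step below possible, since the textbook CS98 scheme with a single z leaves no such freedom. Assumptions I make: a toy group of prime order Q = 2^61 - 1 inside Z_p^*, far too small for real use, messages encoded as the group element g1^m, and helper names (pk_of, equivalent_sk, tag, simulated_challenge, open_to, demo) that are mine. The demo returns the three facts the slides state: a well-formed (DDH-tuple) ciphertext is accepted and decrypted identically by every secret key consistent with pk, so it depends only on pk; an ill-formed (non-DDH-tuple) query is rejected, and its tag would differ between two keys of the same pk, which is the extra information about sk the check must never release; and the simulator's ill-formed challenge, accepted by the real key, can be opened to a different message with another key of the same pk, so without the key m is information-theoretically hidden.

```python
"""Cramer-Shoup in hash-proof-system form (h = g1^z1 * g2^z2) over a prime-order group.
Added example, not code from the slide deck or the paper: the toy group, the encoding
of a message m as the group element g1^m, and every helper name here are my choices."""
from math import gcd
import hashlib
import secrets

Q = (1 << 61) - 1                                   # Mersenne prime M61: order of the group


def make_group():
    """Smallest p = k*Q + 1 proved prime by Pocklington (Q > sqrt(p)); returns p and a g of order Q."""
    k = 2
    while True:
        p = k * Q + 1
        for a in (2, 3, 5, 7):
            if pow(a, p - 1, p) == 1 and gcd(pow(a, k, p) - 1, p) == 1:
                return p, pow(a, k, p)
        k += 2


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


class CramerShoup:
    def __init__(self):
        self.p, self.g1 = make_group()
        self.w = rand_exp()                         # log_g1(g2): known only to whoever set up the group
        self.g2 = pow(self.g1, self.w, self.p)

    def _alpha(self, u1, u2, e):                    # H(u1, u2, e): SHA-256 reduced into Z_Q
        nb = (self.p.bit_length() + 7) // 8
        data = b"".join(v.to_bytes(nb, "big") for v in (u1, u2, e))
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

    def pk_of(self, sk):                            # sk = (x1, x2, y1, y2, z1, z2) -> pk = (c, d, h)
        return tuple(pow(self.g1, sk[i], self.p) * pow(self.g2, sk[i + 1], self.p) % self.p
                     for i in (0, 2, 4))

    def keygen(self):
        sk = tuple(rand_exp() for _ in range(6))
        return self.pk_of(sk), sk

    def equivalent_sk(self, sk, tx, ty, tz):        # shift each pair along the line pk fixes:
        return tuple(v for a, b, t in zip(sk[0::2], sk[1::2], (tx, ty, tz))   # same pk, other sk
                     for v in ((a + self.w * t) % Q, (b - t) % Q))

    def encrypt(self, pk, m, r=None, r2=None):      # honest: u1 = g1^r, u2 = g2^r; r2 != r is ill-formed
        c, d, h = pk
        p = self.p
        r = rand_exp() if r is None else r
        u1, u2 = pow(self.g1, r, p), pow(self.g2, r if r2 is None else r2, p)
        e = pow(h, r, p) * pow(self.g1, m, p) % p
        alpha = self._alpha(u1, u2, e)
        return (u1, u2, e, pow(c, r, p) * pow(d, r * alpha % Q, p) % p)

    def tag(self, sk, ct):                          # what the check compares with v; for a well-formed
        x1, x2, y1, y2 = sk[:4]                     # ct it equals (c * d^alpha)^r, fixed by pk alone
        a = self._alpha(*ct[:3])
        return pow(ct[0], (x1 + y1 * a) % Q, self.p) * pow(ct[1], (x2 + y2 * a) % Q, self.p) % self.p

    def decrypt(self, sk, ct):                      # g1^m, or None when the consistency check rejects
        if self.tag(sk, ct) != ct[3]:
            return None
        denom = pow(ct[0], sk[4], self.p) * pow(ct[1], sk[5], self.p) % self.p
        return ct[2] * pow(denom, self.p - 2, self.p) % self.p

    def simulated_challenge(self, sk, m, r, r2):    # ill-formed (u1, u2); e and v are derived from sk,
        p = self.p                                  # so sk accepts it and decrypts it to g1^m
        u1, u2 = pow(self.g1, r, p), pow(self.g2, r2, p)
        e = pow(u1, sk[4], p) * pow(u2, sk[5], p) * pow(self.g1, m, p) % p
        return (u1, u2, e, self.tag(sk, (u1, u2, e)))

    def open_to(self, sk, r, r2, m, m_star):        # same pk, but that challenge now decrypts to g1^m_star
        tz = (m - m_star) * pow(self.w * (r - r2) % Q, Q - 2, Q) % Q
        return self.equivalent_sk(sk, 0, 0, tz)


def demo():
    cs = CramerShoup()
    pk, sk = cs.keygen()
    sk2 = cs.equivalent_sk(sk, rand_exp(), rand_exp(), rand_exp())
    r = rand_exp()
    r2 = (r + 1) % Q                                # r2 != r: the pair (u1, u2) is off the DDH line
    honest, bad = cs.encrypt(pk, 42), cs.encrypt(pk, 42, r, r2)
    chal = cs.simulated_challenge(sk, 0, r, r2)
    sk_star = cs.open_to(sk, r, r2, 0, 1)
    return {
        "same_pk": cs.pk_of(sk2) == pk == cs.pk_of(sk_star),
        # well-formed ciphertext: every key consistent with pk accepts it and yields the same m
        "honest_same": cs.decrypt(sk, honest) == cs.decrypt(sk2, honest) == pow(cs.g1, 42, cs.p),
        # ill-formed query: rejected, and the tag alone would already tell sk from sk2
        "bad_rejected": cs.decrypt(sk, bad) is None,
        "tag_leaks": cs.tag(sk, bad) != cs.tag(sk2, bad),
        # one simulated challenge, opened to m = 0 with sk and to m = 1 with sk_star
        "opens_0": cs.decrypt(sk, chal) == 1,
        "opens_1": cs.decrypt(sk_star, chal) == cs.g1,
    }


if __name__ == "__main__":
    print(demo())
```

Run the file or call demo(); every value in the returned dict is True. The shifts in equivalent_sk are the simulator's freedom: pk pins down only x1 + w·x2, y1 + w·y2 and z1 + w·z2, one linear equation per pair, and the DDH assumption is what keeps the adversary from telling an off-line (u1, u2) pair from an honest one, so it can neither forge a passing tag nor notice that the challenge is ill-formed.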
Conclusion
• Simulation-sound NIZK + one-time signature + CCA PKE + RSO-CPA PKE → RSO-CCA PKE
• CPA PKE → RSO-CPA PKE
• Weak HPS + universal2 HPS → RSO-CCA PKE
Thanks for your attention! Questions?
New Revocable IBE in Prime-Order Groups: Adaptively Secure, Decryption Key Exposure Resistant, and with Short Public Parameters
Yohei Watanabe (CRYP-F03), JSPS Research Fellow (PD), The University of Electro-Communications, Japan; Collaborative Researcher, AIST, Japan
Joint work with Keita Emura (NICT, Japan) and Jae Hong Seo (Myongji Univ., Korea)
Identity-Based Encryption (IBE) [Sha84, BF01]
[Figure: the Key Generation Center (KGC) holds the master key and issues the secret key for each ID; the sender encrypts the plaintext under the receiver's ID; the receiver decrypts the ciphertext with its secret key.]
Public-key encryption in which arbitrary strings can be used as public keys
Revocation Functionality in IBE
[Figure: naïve solution by Boneh and Franklin [BF01]: consider the pair (ID, time period) as the identity, and send a fresh secret key to every non-revoked user ID for each time period.]
The KGC's overhead is huge
IBE with Efficient Revocation [BGK08]
[Figure: the KGC holds the master key and a revocation list RL; it issues each ID a secret key once and broadcasts a key update at each time period; a non-revoked receiver combines the two into a decryption key to decrypt the sender's ciphertext.]
• Called Revocable IBE (RIBE)
• Using the complete subtree (CS) method [NNL01]
• KGC broadcasts key update at each time period
• KGC's overhead can be reduced!
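The complete subtree method this slide refers to, written out as an added example (my own code, not the slides' or the paper's). Users are the leaves of a binary tree; a user's secret key has one component per node on its root-to-leaf path, and the key update for a period carries one component per node in the cover of the non-revoked leaves, so a user can derive a decryption key for the period iff its path meets the cover. The cover has at most r·log2(N/r) nodes for r revoked users out of N, which is the overhead reduction the slide claims over re-issuing N - r keys. The heap numbering of nodes, the function names (path, ku_nodes, can_decrypt, update_size_ok, demo) and the constructed eight-user instance are my choices.

```python
"""Complete subtree (CS) cover [NNL01] as used for key updates in revocable IBE.
Added example, not code from the slides or the paper; node numbering, names and the
constructed 8-user instance are my own choices."""
from math import log2


def path(depth, leaf):
    """Root-to-leaf path in heap numbering: root is 1, children of v are 2v and 2v + 1,
    and leaf i (0 <= i < 2**depth) is node 2**depth + i."""
    v = (1 << depth) + leaf
    nodes = []
    while v:
        nodes.append(v)
        v //= 2
    return nodes[::-1]


def ku_nodes(depth, revoked):
    """Nodes the KGC publishes in the key update: the roots of the maximal subtrees that
    contain no revoked leaf. A node is chosen iff it is off every revoked path while its
    parent is on one (the root itself when nobody is revoked)."""
    on_revoked_path = set()
    for leaf in revoked:
        on_revoked_path.update(path(depth, leaf))
    if not on_revoked_path:
        return {1}
    last = 1 << (depth + 1)                      # first node id past the leaves
    return {child for v in on_revoked_path for child in (2 * v, 2 * v + 1)
            if child < last and child not in on_revoked_path}


def can_decrypt(depth, leaf, cover):
    """A user derives its decryption key for the period iff one of its path nodes is in the
    key update; the CS cover gives every non-revoked user exactly one such node."""
    return len(set(path(depth, leaf)) & cover) == 1


def update_size_ok(depth, revoked):
    """[NNL01] bound: the cover has at most r * log2(N / r) nodes for r >= 1 revoked users,
    versus the N - r secret keys the naive [BF01] approach would re-issue."""
    n, r = 1 << depth, len(revoked)
    return r == 0 or len(ku_nodes(depth, revoked)) <= r * log2(n / r)


def demo(depth=3, revoked=(2, 5)):
    """Constructed toy instance: 8 users, users 2 and 5 revoked in this period."""
    cover = ku_nodes(depth, set(revoked))
    users = range(1 << depth)
    return {
        "cover": sorted(cover),
        "decrypting_users": [u for u in users if can_decrypt(depth, u, cover)],
        "revoked_locked_out": not any(can_decrypt(depth, u, cover) for u in revoked),
        "bound_holds": update_size_ok(depth, set(revoked)),
    }


if __name__ == "__main__":
    print(demo())
```

With users 2 and 5 revoked, the update covers nodes 4, 7, 11 and 12 (the subtrees holding users {0, 1}, {6, 7}, {3} and {4}), four components instead of six re-issued keys; the gap widens with the tree, since the cover grows like r·log(N/r) while the naive method grows like N. A revoked user's path never reaches the cover, so it holds no component that matches the broadcast and cannot form a decryption key for the period, even though its long-term secret key is unchanged.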
History of Security Models of RIBE
• [BG08] proved their scheme is selectively secure
• [LV09] proposed the first adaptively secure RIBE scheme
• [SE13] introduced decryption key exposure resistance (DKER)
  • By defining a decryption key exposure oracle
DKER is important: RIBE should be an efficient realization of [BF01]'s solution, [BF01]'s solution supports DKER, and decryption keys potentially have the risk of leakage
Classification of Adaptively Secure RIBE
[Figure: Venn diagram of the adaptively secure RIBE schemes [LV09], [CLL+12], [SE13], [IWS15], [LLP14], [SLLW14], [Lee16], [CZ15] (lattice-based) and [This Work], by three properties: decryption key exposure resistant (DKER), with short public parameters, and over prime-order groups.]
Our Contribution
Propose a new RIBE scheme
• Meets adaptive security
  • Under a mild variant of the symmetric external Diffie-Hellman (SXDH) assumption
• Supports DKER [SE13]
  • Desirable security notion for RIBE
• Achieves constant-size public parameters
  • Does NOT depend on the identity size
• Constructed over asymmetric bilinear groups of prime order
  • Realizes small element sizes and faster operations
RIBE: Model (Recall)
[Figure: the KGC (master key, revocation list RL) runs secret key generation for each ID and key update generation for each time period; the receiver runs decryption key generation from its secret key and the key update, then decryption; the sender runs encryption of the plaintext under ID.]
RIBE: Adaptive Security with DKER
[Figure: the adversary queries the challenger's oracles SKGen, KeyUp, Revoke and DKGen and receives secret keys, key updates and decryption keys.]
• If SKGen is issued for the challenge identity, that identity must be revoked before the challenge time period
• DKGen cannot be issued for the challenge identity at the challenge time period
• The DKGen oracle captures DKER!
What is the Difficulty of This Work?
• The currently known constant-size IBE schemes are constructed either from stronger assumptions, or from simple assumptions via the dual system encryption approach
• The dual system encryption technique [Wat09] therefore seems suitable for constructing RIBE schemes from simple assumptions
• However, the approach does not work well: it seems not applicable to RIBE constructions with DKER…
Dual System Encryption in IBE
• Prepare semi-functional ciphertexts (SF-CT) and secret keys (SF-SK)
  • An SF-CT can be decrypted only by normal SKs
  • An SF-SK can decrypt only normal CTs
Essential Part in the Transition from Game i-1 to Game i
• The simulator has to embed some function into the public parameters
• Randomness for the challenge CT
• Randomness for the i-th SK query
• From the adversary's view, the former is independent of the latter
  • Since the embedded function is pairwise independent and the i-th queried identity differs from the challenge identity
• The games are successfully simulated!
Dual System Encryption in RIBE with DKER
• The adversary can also get…
  • Decryption keys for the challenge identity at time periods other than the challenge one
  • The secret key for the challenge identity (though it must then be revoked before the challenge time period)
• From the adversary's view, the randomness of the challenge CT is NOT independent of the randomness of the i-th SK query
  • If the i-th SK query is the challenge identity (then the two identities coincide)
• We cannot transition from Game i-1 to Game i
Our Approach
[Figure: the Seo-Emura RIBE [SE13] (adaptively secure, under the Decisional Bilinear Diffie-Hellman (DBDH) assumption) is obtained by a reduction from the Waters IBE [Wat05] (adaptively secure), itself built on the Boneh-Boyen IBE [BB04]; analogously, the proposed RIBE (adaptively secure, constant-size public parameters, simple and static computational assumptions) is obtained by a reduction from a basic IBE (adaptively secure) proved via dual system encryption.]
Taking the Seo-Emura approach [SE13]!
Details of the Seo-Emura technique
• The most non-trivial part is simulating decryption keys for the challenge identity at non-challenge time periods
• Almost all other queries can be easily simulated due to the adaptive security of the Waters IBE
• Seo and Emura employed two techniques:
  • Boneh-Boyen technique [BB04]
    • To answer all queries not related to the challenge time period, by embedding it into the public parameters
    • The challenge time period can be guessed with polynomial loss
  • Secret-key re-randomization
    • To make the biased distribution on the randomness of decryption keys uniform
Requirements for Applying the Seo-Emura technique
[Figure: the Boneh-Boyen technique [BB04] illustrated on the Boneh-Boyen IBE: the DBDH instance is embedded by setting the public parameters from it.]
The basic IBE must satisfy…
(0) Constant-size public parameters
(1) Secret-key re-randomization property (by public parameters)
(2) Applicability of the Boneh-Boyen technique
  (2-1) Each component of the SK contains at most one component of the master key (MK)
  (2-2) Each component of the MK is available in the public parameters in some form
Basic IBE Scheme from Jutla-Roy IBE [JR13, RS14]
• Most dual-system-encryption-based IBE schemes do not satisfy (1) and (2)
  • e.g., DPVS-based IBE schemes do not satisfy any of the requirements
• We employ the Jutla-Roy IBE [JR13, RS14] as the "Basic IBE"
  • Achieves constant-size public parameters
  • Satisfies requirements (1) and (2-1), but not (2-2)
Modify the Jutla-Roy IBE to additionally satisfy requirement (2-2)!
Security of Modified Jutla-Roy IBE
• [Original] Jutla-Roy IBE [JR13, RS14]: adaptively secure, by a reduction (dual system encryption) from the DDH1 and DDH2 assumptions (together, the SXDH assumption)
• [This Work] Modified Jutla-Roy IBE: adaptively secure, by a reduction (dual system encryption) from the Augmented DDH1 (ADDH1) assumption and the DDH2 assumption
  • ADDH1 is a static assumption, similar to the DDH1v assumption [RCS12]
Our RIBE Scheme: Construction
[Figure: Jutla-Roy IBE → (dual system encryption) modified Jutla-Roy IBE, adaptively secure under the ADDH1 and DDH2 assumptions → (reduction, as Boneh-Boyen IBE → Seo-Emura RIBE) proposed RIBE, adaptively secure.]
• Constructed based on the Jutla-Roy IBE
• Security is proved under the adaptive security of the modified Jutla-Roy IBE
Comparison
[Table: comparison of RIBE schemes in terms of the number of users, the number of revoked users and the bit-length of identities.]
Concluding Remarks
[Figure: the classification of adaptively secure RIBE schemes repeated, with [This Work] placed among the schemes that are DKER, have short public parameters and work over prime-order groups.]
Proposed a new RIBE scheme
• Extension:
  • CCA security
  • Server-aided RIBE
Thank you!
Icons: Material Design by Google | Apache License Ver. 2.0; Font Awesome by Dave Gandy | CC BY 3.0