Chosen-Ciphertext Security from Identity-Based Encryption

Ran Canetti, Shai Halevi (IBM); Jonathan Katz (U. Maryland)


Presentation Transcript


  1. Chosen-Ciphertext Security from Identity-Based Encryption
     Ran Canetti, Shai Halevi (IBM); Jonathan Katz (U. Maryland)

  2. Motivation
     • Security against chosen-ciphertext attacks (“CCA security”) is a powerful and useful notion
     • Often the security notion of choice when using encryption within a larger protocol
     • Provably-secure constructions both theoretically and practically important

  3. Motivation…
     Bidding on vouchers for this afternoon’s excursion…
     [Figure: desperate bidders and voucher holder; PK, C1 = E_PK(bid1), C2 = E_PK(bid2)]
     • In general, nothing preventing bid2 = bid1+1 (secrecy of bid1 not violated)
     • Need non-malleability [DDN91]!
     • Implied by CCA security [DDN91, BDPR98]

  4. Known Constructions?
     • Essentially only two techniques known for achieving CCA security (without random oracles):
       • Using NIZK, general assumptions [DDN91, S99, L03] (based on [NY90])
       • Specific assumptions, “smooth hash proofs” [CS98, CS02, GL03, CS03]

  5. Known Paradigms?
     • In fact, almost all constructions are essentially “the same” [ES04]
     • Different instantiations of the same underlying paradigm
     • Very roughly: certain type of CPA-secure scheme plus “proof of well-formedness”
       • NM-NIZK in [Sahai99, L03]
       • Smooth hash proof systems in [CS98, CS02, GL03, CS03]

  6. Overview of our Results
     • We show a new technique for achieving chosen-ciphertext security
     • The technique does not (seem to) follow previously-known paradigms
     • Our approach (along with other work) yields new CCA-secure schemes
     • Competitive with best previously known
     • Stay tuned for the next talk…

  7. More Details…
     • We show a simple and efficient way to achieve CCA security using any IBE scheme
     • The IBE scheme needs to satisfy only a relatively “weak” notion of security
     • Achieved by IBE schemes of [CHK03, BB04]
     • Result: new CCA-secure schemes!
     • Applications to CCA security for IBE, HIBE, BTE, and FSE…

  8. Review of definitions

  9. CCA Security
     • Consider the following game [RS91]:
       • (PK, SK) generated at random
       • Adversary Adv given PK; can ask decryption oracle queries D_SK(·)
       • Adv outputs (m0, m1); given C ← E_PK(m_b) for random b; may continue to ask decryption queries (but not C itself)
       • Adv outputs b’; succeeds if b’ = b

  10. CCA Security
      • An encryption scheme is CCA-secure if |Pr_Adv[Succ] – ½| is negligible for all poly-time Adv

  11. ID-Based Encryption (IBE)
      • Overview:
        • PKG generates (PK, MSK)
        • PK publicly distributed…
        • For any string (identity) ID, the PKG, using MSK, can issue a secret key SK_ID
        • (ID, SK_ID), along with PK, acts as a public/private key pair for a standard encryption scheme

  12. Security?
      • (Informally:) Knowledge of the secret keys for users I = {ID_1, …, ID_n} does not allow adversary to “break” the scheme for any ID’ ∉ I
      • “Strong” IBE: choice of ID’ may depend on PK [BF01]
      • “Weak” IBE: ID’ is fixed independently of PK [CHK03]

  13. More Formally…
      • Consider the following game ([CHK03], adapting [BF01]):
        • Adv specifies challenge identity ID*
        • (PK, MSK) generated at random; Adv given PK
        • Adv may (adaptively) request secret keys for any ID’s other than ID*
        • Adv outputs (m0, m1), and is then given C ← E_PK(ID*, m_b) for random b

  14. Definition, continued…
      • Adv may continue to request secret keys for ID’s other than ID*
      • Adv outputs b’; succeeds if b’ = b
      • An IBE is “weakly” secure if |Pr_Adv[Succ] – ½| is negligible for all poly-time Adv

  15. Known Constructions?
      • “Strong” IBE: [C01, BF01], both in random oracle model
      • “Weak” IBE: [CHK03, BB04]
      • “Strong” IBE: [BB04, to appear]

  16. From IBE to chosen-ciphertext security

  17. Our Construction
      • Key generation:
        • Run PKG algorithm to obtain (PK, MSK)
        • Public key is PK; secret key is MSK
      • To encrypt m using PK:
        • Generate (vk, sk) for signature scheme
        • Encrypt m using PK and “identity” vk
        • Sign resulting ciphertext using sk
        • Send (vk, C, σ)

  18. Decryption…
      • To decrypt (vk, C, σ):
        • Verify signature…
        • Use MSK to generate the secret key SK_vk for the “identity” vk
        • Use SK_vk to decrypt C
        • (Erase SK_vk)

  19. Theorem Statement
      • If the IBE scheme is weakly secure, and a strong, one-time signature scheme is used, the resulting encryption scheme is secure against adaptive chosen-ciphertext attacks

  20. Proof Intuition
      • Let challenge ciphertext be (vk, C, σ)
      • Adv submits different (vk’, C’, σ’) to its decryption oracle
      • Clearly, vk’ ≠ vk
      • So C’ will be decrypted with respect to a different “identity” vk’
      • Even if Adv were given SK_vk’ itself, encryption to vk would still be secure!

  21. Remarks
      • Weak IBE security is enough to achieve adaptive CCA security
      • vk chosen by encryption oracle, not by the adversary
      • The conversion is efficient
      • Non-adaptive CCA security can be achieved with virtually no overhead

  22. Extensions and further applications

  23. Binary Tree Enc. (BTE)
      • Introduced by [CHK03]
      • As before, PKG generates (PK, MSK)
      • PKG viewed as “identity” ε with secret key SK_ε = MSK
      • Any secret key SK_w can be used to derive secret keys SK_w0 and SK_w1
      • (ID, SK_ID) acts as a public/private key pair for a standard encryption scheme

  24. “Weak” Security
      • Ancestors of (ID_1…ID_n) are identities of the form (ID_1…ID_i) for 1 ≤ i ≤ n
      • (Informally:) Secret keys for any set of users I does not allow an adversary to “break” the scheme for any ID having no ancestors in I
      • Constructions in standard model known ([CHK03, BB04], building on [GS02])

  25. Our Construction
      • CCA-secure (weak) BTE from CPA-secure (weak) BTE:
        • (Consider fixed-length BTE)
        • Key generation as before
        • To encrypt m for identity ID: generate (vk, sk), encrypt m for “identity” ID|vk, and sign ciphertext using sk
        • As before, decrypt using SK_ID by first generating “transient” SK_{ID|vk}

  26. Results
      • This approach yields a CCA-secure (weak) BTE scheme from any CPA-secure (weak) BTE scheme
      • CPA-secure BTE ⇒ CCA-secure BTE
      • Analogous result not known for the case of standard public-key encryption

  27. Applications
      • (Weak) BTE implies (weak) IBE, (weak) HIBE, and forward-secure encryption [CHK03]
      • Our results yield CCA-secure constructions of these primitives more efficient than those previously known

  28. Summary
      • New method for constructing CCA-secure public-key encryption
      • Gives new, practical CCA-secure schemes in standard model
      • Further applications to CCA-security in other contexts
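
The construction on slides 17 and 18, and the rejection behaviour behind the proof intuition on slide 20, as an added Python example (not code from the talk or its authors). The IBE here is a constructed stand-in with PK equal to MSK and no security of its own, the one-time signature is Lamport over SHA-256, and all function names are assumptions.

```python
import hashlib, hmac, os

def H(b): return hashlib.sha256(b).digest()

# Lamport one-time signature over SHA-256 (one key pair per message).
def ots_keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    return b"".join(H(x) for pair in sk for x in pair), sk    # (vk, sk)
def _bits(msg):
    return [(byte >> j) & 1 for byte in H(msg) for j in range(8)]
def ots_sign(sk, msg):
    return b"".join(sk[i][b] for i, b in enumerate(_bits(msg)))
def ots_verify(vk, msg, sig):
    return len(vk) == 16384 and len(sig) == 8192 and all(
        H(sig[32*i:32*i+32]) == vk[64*i+32*b:64*i+32*b+32]
        for i, b in enumerate(_bits(msg)))

# Stand-in for the IBE scheme. NOT a real IBE: PK equals MSK, so it has no
# security; it only supplies the Setup/Extract/Encrypt/Decrypt interface.
def ibe_setup():
    msk = os.urandom(32)
    return msk, msk                                  # (PK, MSK), placeholder
def ibe_extract(msk, ident):                         # SK_ID for identity ID
    return hmac.new(msk, ident, hashlib.sha256).digest()
def ibe_decrypt(sk_id, c):                           # malleable XOR pad
    pad = hashlib.shake_256(sk_id).digest(len(c))
    return bytes(a ^ b for a, b in zip(c, pad))
def ibe_encrypt(pk, ident, m):
    return ibe_decrypt(ibe_extract(pk, ident), m)    # works only since PK == MSK

# The construction from the slides: encrypt to "identity" vk, then sign.
def cca_encrypt(pk, m):
    vk, sk = ots_keygen()                            # fresh (vk, sk) per message
    c = ibe_encrypt(pk, vk, m)                       # encrypt to "identity" vk
    return vk, c, ots_sign(sk, c)                    # (vk, C, sigma)

def cca_decrypt(msk, ct):
    vk, c, sig = ct
    if not ots_verify(vk, c, sig):                   # reject before any decryption
        return None
    return ibe_decrypt(ibe_extract(msk, vk), c)      # transient SK_vk, not stored

def demo():
    pk, msk = ibe_setup()
    vk, c, sig = cca_encrypt(pk, b"bid=100")
    mauled = c[:-1] + bytes([c[-1] ^ 1])             # "bid=101" under the bare pad
    vk2, sk2 = ots_keygen()
    return (cca_decrypt(msk, (vk, c, sig)), cca_decrypt(msk, (vk, mauled, sig)),
            cca_decrypt(msk, (vk2, mauled, ots_sign(sk2, mauled))))
```

`demo()` returns the original plaintext, then `None` for the bit-flipped ciphertext under the original vk, then bytes unrelated to the bid for the same ciphertext re-signed under a fresh vk, since that one is decrypted with the key for a different "identity".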
