1 / 41

Detecting Dangerous Queries:

Detecting Dangerous Queries:. A New Approach for Chosen Ciphertext Security. Susan Hohenberger. Allison Lewko. Brent Waters. SK. PubK. Public Key Encryption [DH76,RSA78,GM84]. Passive Attacker : Chosen Plaintext Attack (CPA). SK. PubK. Active Attackers [NY90,DDN91,RS91].

joanna
Download Presentation

Detecting Dangerous Queries:

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Detecting Dangerous Queries: A New Approach for Chosen Ciphertext Security SusanHohenberger Allison Lewko Brent Waters

  2. SK PubK Public Key Encryption [DH76,RSA78,GM84] Passive Attacker : Chosen Plaintext Attack (CPA)

  3. SK PubK Active Attackers [NY90,DDN91,RS91] Chosen Ciphertext Attack (CCA)

  4. IND-CPA [GM84] Indistinguishability under Chosen Plaintext Attack Challenger Setup PK M0 ,M1 b{0,1} CT* = Enc(PK, Mb) b’  {0,1} AdvA = Pr[b=b’]-1/2

  5. IND-CCA [NY90,DDN91,RS91] Indistinguishability under Chosen Ciphertext Attack Challenger Setup PK CT Dec(SK,CT) M0 ,M1 b{0,1} CT* = Enc(PK, Mb) CT CT  CT* Dec(SK,CT) b’  {0,1} AdvA = Pr[b=b’]-1/2

  6. IND-CCA [NY90,DDN91,RS91] Indistinguishability under Chosen Ciphertext Attack Challenger Setup PK CT Dec(SK,CT) M0 ,M1 b{0,1} CT* = Enc(PK, Mb) CT CT  CT* Dec(SK,CT) CCA-1: No 2nd phaseof oracle queries b’  {0,1} AdvA = Pr[b=b’]-1/2

  7. The Grand Goal: CCA from CPA CCA CPA

  8. Some Prior Methods (Standard Model) • NIZK [BFM88,NY90,DDN91,RS91,S99] • TPD/RSA, Pairings No:DDH, Lattices • Cramer-Shoup plus [CS98,02,…] • DDH,DCR, Factoring, IBE[CHK04], No:Lattices • Lossy TDFs [PW08,RS09,…] • DDH, Lattices

  9. 1-bit CCA to n-bit CCA [MS09] • Straightforward appending won’t work! 1 1 0 • Neat ideas • Heavyweight machinery + complex • We will adapt + generalize some ideas

  10. Our Result New General Approach for CCA security: Detectable Chosen Ciphertext Security (DCCA) CCA DCCA

  11. DCCA Security: Intuition CCA secure if avoid “dangerous” queries Hard to produce bad queries w/o challenge CT Can detect dangerous queries Example: Concatenate 1 bit CCA ciphertexts CT* 1 1 0 Dangerous Query for CT*: CT = Reorder of CT* 1)Hard to produce w/o CT* 2) Easy to detect

  12. Detectable Encryption System Setup(1n) ! (PK,SK) Encrypt(PK,M) ! CT Decrypt(SK,CT) ! M F( PK, CT* , CT) ! {0,1} Outputs ‘1’ if CT is a “dangerous” query for CT* Two Security Properties

  13. Property 1: Hard to Predict (Strong) Challenger Setup PK,SK CT, M CT* = Enc(PK, M ) AdvA = Pr[F(PK,CT,CT*)=1]

  14. Property 2: Indistinguishability CCA2=>DCCA=>CCA1 Challenger Setup PK CT Dec(SK,CT) M0 ,M1 b{0,1} CT* = Enc(PK, Mb) CT F(PK,CT*,CT)=0 CT  CT* Dec(SK,CT) b’  {0,1} AdvA = Pr[b=b’]-1/2

  15. Examples One bit to many bit CCA Tag-Based Encryption [MRY04,K06] Sloppy/Heuristic CCA

  16. The Ingredients Msg2 {0,1}* and randomness 2 {0,1}n Justified by Pseudo Random Generators PSV06,CDMW08 1-Bounded CCA CPA Trivial Detectable CCA

  17. Our Construction

  18. Setup Setup(1n): Setup1B (1n) ! (PKA, SKA) SetupCPA (1n) ! (PKB, SKB) SetupDCCA (1n) ! (PKin, SKin) PK= PKA, PKB, PKin SK= SKA, SKB, SKin

  19. Encryption • Encrypt(PK,M): • Choose random ra ,rb , rin2 {0,1}n • Cin = EncDCCA( PKin, (M,ra, rb ) ; rin ) • CA=Enc1B (PKA, Cin; ra), CB=EncCPA (PKB,Cin; rb) • CT= CA , CB CA= ;ra CB= ;rb (M, ra ,rb); rin (M, ra ,rb); rin

  20. Decryption • Decrypt(SK, CT= (CA , CB) ) : • Cin’ = Dec(SKA , CA ) • (M’, ra’, rb’) = Dec(SKin , Cin’ ) • CA’=Enc1B (Cin’; ra’), CB’=EncCPA (Cin ;rb’) • If CA CA ’ OR CB CB’ reject ;else M’ CA= (M, ra ,rb); rin ;ra CB= ;rb (M, ra ,rb); rin Idea: Recover (M, ra , rb ) then re-encrypt

  21. A Few Comments CA= (M, ra ,rb); rin ;ra CB= ;rb Features: Naor-Yung 2-key & Myers-shelat nesting Embedded Randomness vs. NIZK Proof w/ embedding randomness: Good: Decrypt from either side Problem: Embedding challenge (M, ra ,rb); rin

  22. What is the trouble? CA*= Cin*= ;ra CB*= Cin*= ;rb (M, ra ,rb); rin (M, ra ,rb); rin Challenge CT= CA *, CB * encryptions of Cin * Problem Query: Get Cin’ s.t. F(PKDCCA, Cin *, Cin’) =1 • Bad Event: Query C= CA , CBs.t. • CACA * • Dec( SKA, CA) = Cin’ where F(PKDCCA, Cin *, Cin’) =1

  23. Nested Indist. Game If prove under this game we are done! Attacker gets CCA queries Challenge Inner encrypts Msg + randomness or all 0’s (M, ra ,rb); rin (00…00); rin (00…00); rin (M, ra ,rb); rin z=1 CA*= Cin*= ;ra CB*= Cin*= ;rb z=0 No embedded randomness CA*= Cin*= ;ra CB*= Cin*= ;rb

  24. Proof Overview Eliminate bad event => Security follows from DCCA • Eliminate with z=0 (no embedded randomness) • Indirectly infer z=1 case from (1) • Finish off

  25. Summary • New abstraction: Detectable CCA security • Build CCA from it • Cover 1 to many bit enc. , tag-based, & more • Embedded randomness --- blessing & problems • Indirect inference on bad event

  26. Our Picture (not necessarily to scale) CCA DCCA CCA-1 CPA

  27. Thank you

  28. Bad Event Analysis (no embedded randomness) Show probabilities are close (00…00); rin (00…00); rin (00…00); rin Nested ;ra ;rb IND-CPA Right-Erased ;ra 1111…111 ;rb Switch -Decrypt 1Bounded CCA Full-Erased 1111…111 ;ra 1111…111 ;rb =negl(n) unpredictability

  29. No Bad Event for embedded randomness Suppose it did happen => We break DCCA indist. 1) Run Indist Game on A (while playing DCCA) (00…00); rin (M, ra ,rb); rin 2) Submit Msg1 =(M, ra, rb) , Msg0 = (00…00) or 3) Get back either 4) Create challenge CT (know SKA, SKB) 5) Use DCCA oracle to answer non-dangerous queries What if get dangerous query? Stuck! But then we know it must be Msg1 => breaks DCCA!

  30. Finishing it off z=1 CA*= Cin*= (M, ra ,rb); rin (M, ra ,rb); rin (00…00); rin (00…00); rin ;ra CB*= Cin*= ;rb z=0 No embedded randomness CA*= Cin*= ;ra CB*= Cin*= ;rb N.I. easy to prove from DCCA if no bad events CCA security follows immediately

  31. Could CCA-1 work? Idea: Replace DCCA component w/ CCA-1 Problem 1: Proof needs to detect Problem 2: Counterexample (w/natural CCA-1 scheme )

  32. Ex. 1: n-bit DCCA from 1 bit CCA Idea: Use basic concatenation Enc(PK,m) !C1=Enc(PK,m1), …, Cn=Enc(PK,mn) 1 1 0 F(PK,CT*,CT): 9 (i,j) s.t.CTi*=CTj

  33. Ex. 2: Tag-Based Encryption [MRY04,K06] Tag-Based Encryption: Each ciphertext associated with a tag Is CCA secure as long as TagCT* not queried F(PK,CT*,CT): TagCT* = TagCT Examples: CHK04-lite, Kiltz06, PW08 (CCA-1 version), DDN91 (w/o signature)

  34. Ex. 3: Heuristic/Sloppy CCA Idea: DCCA easier to meet than CCA Heuristic approach Sloppy: E.g. “Slack” bit in group representation CT: Apply transformation in case messed up

  35. Could CCA-1 work? Idea: Replace DCCA component w/ CCA-1 Problem 1: Proof needs to detect Problem 2: Can create an oracle that breaks it (CT*) :Decrypts CT*, encrypts M in another CT’ Q1: The oracle is strong! Is there middle ground? Q2: Structure for CCA-1? Proof idea?

  36. Prior Methods (Standard Model) • NIZK [BFM88,NY90,DDN91,RS91,S99] • NIZK proves well formness • NIZKs are rare: TPD/RSA, Pairings No:DDH, Lattices • Cramer-Shoup plus [CS98,02,…] • Efficient systems from number theory • DDH,DCR, Factoring, IBE[CHK04], No:Lattices

  37. Prior Methods (Standard Model) • Lossy TDFs [PW08,RS09,…] • Randomness recovery => use to verify CT • Change PK in proof • DDH, Lattices • 1-bit to many bit CCA[MS09] • General techniques • Partial randomness recovery

  38. BE-Nested vs. BE-Right-Erase ;rb 1111…111 ;rb vs. (00…00); rin • Standard IND-CPA reduction • Know SKA, SKin , not SKB • Observe BE using SKA

  39. Switch Decrypt • Switch from using SKA to SKB to decrypt • These are equivalent from Attacker’s view • Best of both worlds: Challenge CT not embed randomness, but queries must!

  40. BE-Right-Erased vs. BE-Full-Erased Full-Erased 1111…111 ;ra 1111…111 ;rb (00…00); rin Cin*= is gone! Unpredictability: Pr[Bad event in Full Erase] = negl(n)

  41. BE-Right-Erased vs. BE-Full-Erased vs. 1111…111 ;ra (00…00); rin • 1-Bounded CCA reduction • Know SKB, SKin , not SKA • Problem: Cannot observe bad event using SKB • Solution: “Peek” at 1 A query using 1-Bounded 1/Q chance of seeing it

More Related