Cramer-Shoup is Plaintext Aware in the Standard Model
Alexander W. Dent
Information Security Group
Royal Holloway, University of London

The short version
• Plaintext awareness is a property of an encryption scheme that roughly says “an attacker cannot create a ciphertext without knowing the underlying plaintext”.
• Here “knowing” is in the zero-knowledge sense of the word.
• Typically used to prove IND-CCA security.
• New uses, e.g. deniable authentication.

The short version
• Bellare and Palacio proposed a definition for assessing plaintext awareness in the standard model…
• …and prove that the Cramer-Shoup encryption scheme is partially (PA1) plaintext aware.
• This paper demonstrates that Cramer-Shoup is fully (PA2) plaintext aware.
• This should be regarded as a feasibility result.

What is plaintext awareness?
• A difficult notion to formalise.
• We want to show that we can answer an attacker’s decryption oracle queries if we know how those queries were constructed.
• Two flavours:
  • Partial (PA1) plaintext awareness, which can be used to prove IND-CCA1 security.
  • Full (PA2) plaintext awareness, which can be used to prove IND-CCA2 security.

PA1: The players
• The ciphertext creator: the bad guy! A probabilistic, polynomial-time attacker who is trying to determine whether he is interacting with a real decryption oracle or not.
• The plaintext extractor: the good guy! An algorithm which masquerades as a decryption oracle but doesn’t need to know the private key.

PA1: The game
[Diagram: the ciphertext creator receives the public key, submits ciphertexts C, receives m, and outputs b’. If b=0 then use decryption algorithm (compute m=Dec(sk,C)); if b=1 then use plaintext extractor.]

PA1: The interpretation
• For every ciphertext creator (attacker)…
• …there exists a plaintext extractor who can successfully deceive the ciphertext creator…
• …given the ciphertext creator’s random coins.
• Note that the plaintext extractor knows the ciphertext creator’s general strategy, everything it has done and everything it is going to do.
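
The PA1 game above, played against a toy Cramer-Shoup instance, as an added example that is not taken from the slides or the paper. The group parameters are constructed and far too small for real use, all function names are assumptions, and the extractor is hand-built for this one ciphertext creator by replaying its coins; the claim "for every ciphertext creator" is what requires the DHK assumption.

```python
import hashlib, random

# Toy parameters (constructed, far too small for real use): P = 2Q + 1,
# G1 and G2 are squares mod P, so each generates the order-Q subgroup.
P, Q, G1, G2 = 2039, 1019, 4, 9

def H(u1, u2, e):
    return int.from_bytes(hashlib.sha256(f"{u1},{u2},{e}".encode()).digest(), "big") % Q

def keygen(rng):
    x1, x2, y1, y2, z = (rng.randrange(Q) for _ in range(5))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    return (c, d, pow(G1, z, P)), (x1, x2, y1, y2, z)

def enc(pk, m, r):
    c, d, h = pk
    u1, u2, e = pow(G1, r, P), pow(G2, r, P), pow(h, r, P) * m % P
    return u1, u2, e, pow(c, r, P) * pow(d, r * H(u1, u2, e), P) % P

def dec(sk, ct):                      # real decryption oracle (b = 0)
    (x1, x2, y1, y2, z), (u1, u2, e, v) = sk, ct
    a = H(u1, u2, e)
    if v != pow(u1, x1 + y1 * a, P) * pow(u2, x2 + y2 * a, P) % P:
        return None                   # validity check failed: reject
    return e * pow(u1, Q - z, P) % P  # e / u1^z; u1 has order Q

def creator(pk, coins):
    """Ciphertext creator: its queries are a function of pk and its coins."""
    rng = random.Random(coins)
    m, r = pow(G1, rng.randrange(Q), P), rng.randrange(1, Q)
    good = enc(pk, m, r)
    return [good, good[:3] + (good[3] * G1 % P,)]   # second query: tampered v

def extractor(pk, coins, ct):         # simulated oracle (b = 1), never sees sk
    rng = random.Random(coins)
    rng.randrange(Q)                  # replay the creator's coins to recover r
    r = rng.randrange(1, Q)
    (c, d, h), (u1, u2, e, v) = pk, ct
    ok = (u1, u2) == (pow(G1, r, P), pow(G2, r, P)) and \
         v == pow(c, r, P) * pow(d, r * H(u1, u2, e), P) % P
    return e * pow(h, Q - r, P) % P if ok else None

def pa1_game(b, coins, key_seed=7):
    """Answers the creator sees from the oracle selected by the hidden bit b."""
    pk, sk = keygen(random.Random(key_seed))
    oracle = (lambda ct: extractor(pk, coins, ct)) if b else (lambda ct: dec(sk, ct))
    return [oracle(ct) for ct in creator(pk, coins)]
```

For any coins, `pa1_game(0, coins)` and `pa1_game(1, coins)` return the same answers, so this creator's view gives it no information about b.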

PA2: The rematch
• We need to allow the ciphertext creator to get access to ciphertexts for which he does not know the underlying message and/or the random coins used to encrypt that message.
• The plaintext creator: An ally of the bad guy! Any polynomial time algorithm that randomly generates messages and encrypts them.

PA2: The game
[Diagram: the players are the plaintext creator, the decryption oracle and the ciphertext creator; the labelled arrows are random coins, public key, aux, C, m and b’.]

PA2: The interpretation
• For every ciphertext creator (attacker)…
• …there exists a plaintext extractor who can successfully deceive the ciphertext creator…
• …given the ciphertext creator’s random coins…
• …regardless of what the plaintext creator does.
• Often regarded as a malleability condition.
• Note that the plaintext extractor knows the ciphertext creator’s general strategy and everything it has done in the past, but can’t figure out everything it is going to do in the future.

Cramer-Shoup
• The Cramer-Shoup scheme has been proven to be PA1 (under the DHK assumption).
• It also has an interesting property in that you cannot distinguish real ciphertexts from elements chosen completely at random.
• Hence, the ability to get hold of new ciphertexts is equivalent to the ability to get hold of random bit strings.

PA1+: An intermediary game
• This paper proposes a new notion of PA.
• Here the attacker has the ability to get hold of new random bit strings.
• The randomness oracle: An ally of the bad guy! Randomly generates a bit-string of a fixed length and returns it to the ciphertext creator.

PA1+: The game
[Diagram: the players are the randomness oracle, the decryption oracle and the ciphertext creator; the labelled arrows are random coins, public key, r, C, m and b’.]

PA1+: The interpretation
• A scheme is PA1+ plaintext aware if for every ciphertext creator (with access to a randomness oracle) there exists a plaintext extractor that can deceive it.
• Again, the plaintext extractor knows the ciphertext creator’s strategy and past actions, but cannot predict its future actions.

PA1+: The interpretation
• Suppose I wish to convince my boss that I’m a genius, and so I send him all of my papers.
• My boss needs to decide if I’m a genius or not.
• My boss will pick one at random and read it.
• However, suppose that I’m actually a lucky idiot who has only written one decent paper.
• If I know the random choices that my boss will make when selecting the paper, then I can deceive him.

PA1+: The interpretation
• Suppose I wish to convince my boss that I’m a genius, and so I send him all of my papers.
• My boss needs to decide if I’m a genius or not.
• My boss will pick one at random and read it.
• However, suppose that I’m actually a lucky idiot who has only written one decent paper.
• If I don’t know the random choices that my boss will make when selecting the paper, then I cannot deceive him.

PA1+: The big theorem
An encryption scheme that is simulatable and PA1+ is always PA2.
• Simulatable just means that the real ciphertexts are indistinguishable from randomly generated elements – hence, a plaintext creator is roughly the same as a randomness oracle.

Cramer-Shoup
• The original proof gives that Cramer-Shoup is simulatable.
• (In fact, simulatable implies IND-CCA2).
• It is fairly easy to adapt the ideas of Bellare-Palacio to show that Cramer-Shoup is PA1+ under the DHK assumption.
• Hence, Cramer-Shoup is PA2 plaintext aware.

Open problems
• Prove something is plaintext aware that wasn’t already known to be IND-CCA2.
• Prove something is plaintext aware without having to prove that it is simulatable.
• Prove something is plaintext aware without using an extractor-based assumption like DHK.
THE END

Not the end?
• The notions of plaintext awareness fit together as you might expect:
• Perfect PA1 = Perfect PA1+.
• Thus, perfect simulatable PA1 implies PA2.
PA2 ≥ PA1+ ≥ PA1

Diffie-Hellman Knowledge
• A computational assumption for a group G generated by a generator g.
[Diagram labels: (g, A); (B, C); b (if B = g^b and C = A^b).]

Diffie-Hellman Knowledge
• It is meant to be interpreted as “it is impossible to make a Diffie-Hellman tuple without knowing the discrete logarithm of one of the elements”.
• Not efficiently falsifiable [Naor].
• True in the Generic Group Model [Dent,AF]
• Although the GGM is not sound [Dent]
• Used to show that Cramer-Shoup is PA1. Hence considered reasonable to use when showing Cramer-Shoup is PA2.