Trading Plaintext-Awareness for Simulatability to Achieve Chosen Ciphertext Security
Takahiro Matsuda, Goichiro Hanaoka
2016/3/7 (Mon.), PKC, Taiwan (3/7 - 3/9)
This work presents new assumptions for CCA PKE. Full version: ePrint 2016/235
Background
・ It is important to clarify (necessary and) sufficient assumptions for realizing general cryptographic primitives
  ・ To better understand how & why we can construct the primitives and prove their security
  ・ Ultimate goal: draw a complete map of implications & separations among all cryptographic primitives
・ This work focuses on CCA secure PKE (and KEM)
  ・ CCA security is the desirable security notion for PKE
    ・ Security against Bleichenbacher's attack
    ・ Implies NM and UC security
・ Q: Which assumption(s) imply CCA PKE/KEM? (??? ⇒ CCA PKE/KEM)
Background
Q. Which primitive(s) imply CCA secure PKE/KEM?
Known sufficient conditions (each ⇒ CCA PKE/KEM):
・ CPA PKE + NIZK [DDN91]
・ IBE (or TBE) [CHK04, Kiltz06]
・ TDF w/ additional properties [PW08, RS09, KMO10, Wee10]
・ Hom. PKE w/ additional properties [HO12]
・ Lossy PKE w/ large PT space [HO13]
・ CPA PKE + UCE [MH14a]
・ CPA PKE + Point Obf. [MH14b]
・ PKE satisfying sPA1 (for many keys) & weak simulatability [Dac14]
・ Sender NCE + KDM SKE [MH15]
・ Detectable CCA PKE [HLW12]
・ 1-bit PKE w/ circular security & reproducibility [HK15]
・ iO + OWF [SW14]
[Dac14]: PKE satisfying (statistical) Plaintext Awareness under 2k+2 keys (sPA1_{2k+2}) & Weak Simulatability ⇒ CCA PKE   (k: security parameter)
Plaintext-Awareness (PA) [BR94, BP04]
・ "If you generate a ciphertext, you must know the plaintext"
・ Standard-model PA [BP04] has several variations
・ Our focus is on "statistical PA1" (sPA1) and its "many keys" extension
・ C.f.) CPA + PA1 ⇒ CCA1
Weak Simulatability [DN00, MSS12]
・ Ciphertext(-like) strings can be sampled obliviously, w/o knowing the plaintext m
・ Stronger than CPA security (> CPA security)
Motivation
・ PA typically requires a "knowledge" assumption
・ In addition, [Dac14] needs a "multi-key" extension of PA: sPA1 under 2k+2 keys [MSS12], denoted by sPA1_{2k+2}   (k: security parameter; the subscript is the number of keys)
  ・ If x > y ≧ 1, then sPA1_x ≧ sPA1_y (sPA1_x is at least as strong), but the opposite implication/separation is unknown
・ [Dac14] observed that it seems difficult to replace PA1 with CCA1 security in her construction
・ We investigate whether the strength of PA in [Dac14] can be weakened, thereby contributing to clarifying new general assumptions for CCA PKE
Our Results
Based on [Dac14], we show 2 CCA PKE constructions whose assumptions are a "trade-off" with those of [Dac14]:
・ Construction 1: sPA1_2, CPA PKE + Trapdoor-Simulatable PKE ⇒ CCA PKE
・ Construction 2: sPA1_1, 1-Bounded CCA PKE + Trapdoor-Simulatable PKE ⇒ CCA PKE
(Actually, we construct KEMs)
[Dac14] vs. Ours
・ [Dac14]: sPA1_{2k+2}, Weakly Simulatable PKE ⇒ CCA PKE
・ Ours (1): sPA1_2, CPA PKE + Trapdoor-Simulatable PKE ⇒ CCA PKE
・ Ours (2): sPA1_1, 1-BCCA PKE + Trapdoor-Simulatable PKE ⇒ CCA PKE
Comparison
・ sPA1_{2k+2} > sPA1_2 > sPA1_1
・ Weak simulatability < Trapdoor simulatability (qualitatively); these are formally incomparable
・ Ours do not require "PA" and "simulatability" to be satisfied by a single building-block PKE
・ Ours trade the strength of "PA" for "simulatability" in [Dac14]
・ Our constructions give new recipes for CCA PKE/KEM
Overview of Proposed Constructions
・ Based on the "double-layered" construction [MS09, HLW12]
  ・ Inner encryption: sPA1_2, CPA KEM (or sPA1_1, 1-Bounded CCA KEM)
  ・ Outer encryption: Trapdoor Simulatable "Puncturable" TBE [MH14] + Trapdoor-Simulatable Commitment
  ・ Double layer [MS09] ⇒ CCA KEM
・ Building blocks for outer encryption can be constructed only from Trapdoor Simulatable PKE
Talk Outline:
・ Building Blocks
・ Proposed Constructions
・ Security Proof Overview
Key Encapsulation Mechanism (KEM)
・ = "public-key" part of hybrid encryption
・ Useful composition result [Cramer-Shoup03]: CCA KEM + CCA SKE ⇒ CCA PKE
CCA Security (game):
・ The challenger picks b ← {0,1} and gives the adversary A the public key pk, the challenge ciphertext C*, and K*_b, where K*_1 is the real key and K*_0 is random
・ A may query the decapsulation oracle with C (≠ C*) and receives K = Decap(sk, C)
・ A outputs a guess b'
(KEM's) Statistical PA1 (sPA1) [BP04]
∀ PPT ciphertext creator A, ∃ stateful PPT extractor such that:
・ A receives pk and its random coins r_A; the extractor's initial state is st_0 = (pk, r_A)
・ Whenever A outputs a ciphertext C_i, the extractor returns K_i (which should agree with Decap(sk, C_i)) and updates its state st
(KEM's) sPA1 in the Presence of ℓ Keys (sPA1_ℓ) [MSS12]
∀ PPT ciphertext creator A, ∃ stateful PPT extractor such that:
・ A receives pk_1, …, pk_ℓ and its random coins r_A; the extractor's initial state is st_0 = (pk_1, …, pk_ℓ, r_A)
・ Whenever A outputs a pair (j_i, C_i) (a key index and a ciphertext), the extractor returns K_i and updates its state st
Simulatable PKE and Variants
Simulatable PKE [DN00]
・ pk and c can be sampled "obliviously", w/o knowing the actual randomness and/or plaintext, and
・ Honestly generated pk and c can be "explained" as having been generated by oblivious sampling
・ (Simplified) syntax: (PKG, Enc, Dec) & (oSamp, rSamp)
  ・ (pk, c) ← oSamp(1^k; r')   (r' is the randomness for oblivious sampling)
  ・ r' ← rSamp(pk, c) s.t. oSamp(1^k; r') = (pk, c)
Weak Simulatability [MSS12, Dac14]: only c is obliviously samplable
Trapdoor Simulatability [CDMW09]: rSamp can use the randomness and plaintext used to generate pk and c
・ Weak Simulatability and Trapdoor Simulatability are incomparable (however, weak simulatability can be seen as weaker because it need not obliviously sample pk)
Simulatable PKE and Variants
Q. What kinds of PKE satisfy (Trapdoor/Weak) Simulatability?
A. PKEs s.t. pk and c look like pseudorandom strings
・ Ex1: PKE based on LWE or (low-noise) LPN
・ Ex2: ElGamal (and variants) over a suitable elliptic curve ("simulatable" group [Dent06])
⇒ Can be instantiated from standard assumptions
Puncturable Tag-Based Encryption (PTBE) [DDN91, MH14]
・ TBE with two modes for decryption
・ Core structure of the Dolev-Dwork-Naor construction [DDN91]
Syntax:
・ Key Generation: (pk, sk) ← TKG(1^k)
・ Encryption: c ← TEnc(pk, tag, m)
・ Decryption: m / ⊥ ← TDec(sk, tag, c)
・ Puncturing SK: psk_{tag*} ← Punc(sk, tag*)
・ Punctured Decryption: m / ⊥ ← PTDec(psk_{tag*}, tag, c)
Correctness of punctured decryption for non-punctured tags:
・ ∀ tag ≠ tag*, ∀ c ← TEnc(pk, tag, m): TDec(sk, tag, c) = PTDec(psk_{tag*}, tag, c) = m
Extended CPA security [MH14] ≒ CPA security in the presence of psk_{tag*}
How to Build Trapdoor Simulatable PTBE/COM from Trapdoor Simulatable PKE
・ Trapdoor Simulatable PKE ⇒ Trapdoor Simulatable PTBE, via a DDN-like construction:
  ・ Generate 2k key pairs
  ・ Encrypt m independently by the k keys chosen by tag
  ・ Trapdoor simulatability is defined analogously to PKE (oSamp needs to generate psk_{tag*} in addition to (pk, c))
・ Trapdoor Simulatable PKE ⇒ Trapdoor Simulatable Commitment: hash a ciphertext by a UOWHF
  ・ Trapdoor Simulatability + (Target) Binding
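The DDN-like key layout and puncturing described above, as an added example that is not the paper's own code: 2k key pairs indexed by (position, bit), encryption under the k keys a tag selects, and a punctured key that drops exactly the keys tag* selects. The underlying PKE is a constructed hash-based toy (pk equals sk) that only gives the structure something to run on; consistency of the k components is not checked here (the proposed KEM checks the outer ciphertext by re-encryption).

```python
import hashlib
import os

def H(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

# Toy PKE stand-in (constructed for illustration, not secure): pk == sk and
# a ciphertext is (nonce, m xor H(key, nonce)) for messages of <= 32 bytes.
def pke_enc(pk, m):
    nonce = os.urandom(16)
    return nonce, bytes(a ^ b for a, b in zip(m, H(pk, nonce)))

def pke_dec(sk, c):
    nonce, ct = c
    return bytes(a ^ b for a, b in zip(ct, H(sk, nonce)))

def tkg(k):
    # 2k key pairs, indexed by (bit position i, bit value b); tags are k-bit strings
    keys = {(i, b): os.urandom(32) for i in range(k) for b in (0, 1)}
    return keys, keys          # (pk, sk); identical only in the toy stand-in

def tenc(pk, tag, m):
    # encrypt m independently under the k keys selected by the bits of tag
    return [pke_enc(pk[(i, int(t))], m) for i, t in enumerate(tag)]

def tdec(sk, tag, c):
    # normal decryption: any selected component works; use position 0
    return pke_dec(sk[(0, int(tag[0]))], c[0])

def punc(sk, tag_star):
    # punctured key psk_{tag*}: drop the k secret keys that tag* selects
    return {(i, b): s for (i, b), s in sk.items() if b != int(tag_star[i])}

def ptdec(psk, tag, c):
    # tag != tag* differs from tag* in some position i, and the key for
    # (i, tag_i) survived puncturing; tag == tag* selects no surviving key
    for i, t in enumerate(tag):
        if (i, int(t)) in psk:
            return pke_dec(psk[(i, int(t))], c[i])
    return None
```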
Proposed KEMs Overview
・ Adapt the "Double-Layered" structure of [MS09, HLW12]
  ・ Inner encryption: sPA1_2, CPA KEM (in our 2nd construction: sPA1_1, 1-Bounded CCA KEM)
  ・ Outer encryption: Trapdoor Simulatable Punc. TBE + Trapdoor Simulatable Commitment
  ・ Double layer ⇒ CCA KEM
Our 1st Construction
Building blocks: sPA1_2 & CPA KEM (inner); TS Punc. TBE and TS Com (outer) ⇒ CCA KEM
KKG:
 1. (pk_in0, sk_in0) ← KKG_in
 2. (pk_in1, sk_in1) ← KKG_in
 3. (tpk, tsk) ← TKG
 4. ck ← CKG
 PK = (pk_in0, pk_in1, tpk, ck), SK = (sk_in0, sk_in1, tsk)
Encap(PK):
 1. (c_in0, α_0) ← Encap_in(pk_in0)
 2. (c_in1, α_1) ← Encap_in(pk_in1)
 3. (r_C || r_T || K) ← α_0 xor α_1
 4. tag ← Com(ck, (c_in0 || c_in1); r_C)
 5. c ← TEnc(tpk, tag, (c_in0 || c_in1); r_T)
 6. C ← (tag, c)
 7. Return (C, K)
Decap(SK, C = (tag, c)):
 1. (c_in0 || c_in1) ← TDec(tsk, tag, c)
 2. α_0 ← Decap_in(sk_in0, c_in0)
 3. α_1 ← Decap_in(sk_in1, c_in1)
 4. (r_C || r_T || K) ← α_0 xor α_1
 5. If Com(ck, (c_in0 || c_in1); r_C) = tag and TEnc(tpk, tag, (c_in0 || c_in1); r_T) = c, then return K, else return ⊥
Notes:
・ Double-layered structure
・ Inner encryption does multiple encryption by 2 KEMs
・ Randomness for outer encryption is generated from the inner KEMs
・ In Decap, the validity of the outer CT is checked by re-encryption
Our 2nd Construction
Building blocks: sPA1_1 & 1-BCCA KEM (inner); TS Punc. TBE and TS Com (outer) ⇒ CCA KEM
KKG:
 1. (pk_in, sk_in) ← KKG_in
 2. (tpk, tsk) ← TKG
 3. ck ← CKG
 PK = (pk_in, tpk, ck), SK = (sk_in, tsk)
Encap(PK):
 1. (c_in, α) ← Encap_in(pk_in)
 2. (r_C || r_T || K) ← α
 3. tag ← Com(ck, c_in; r_C)
 4. c ← TEnc(tpk, tag, c_in; r_T)
 5. C ← (tag, c)
 6. Return (C, K)
Decap(SK, C = (tag, c)):
 1. c_in ← TDec(tsk, tag, c)
 2. α ← Decap_in(sk_in, c_in)
 3. (r_C || r_T || K) ← α
 4. If Com(ck, c_in; r_C) = tag and TEnc(tpk, tag, c_in; r_T) = c, then return K, else return ⊥
Note: inner encryption is replaced by one invocation of the KEM
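The double-layered transform of the 1st construction above, as an added example (not the paper's code): two inner encapsulations, outer randomness and K derived from α_0 xor α_1, a commitment as the tag, and a Decap that rejects unless re-encryption reproduces the outer ciphertext. The building blocks are constructed hash-based toys (pk equals sk, so they are neither sPA1 nor trapdoor-simulatable); the 2nd construction is the same with a single inner encapsulation and α used directly.

```python
import hashlib, os

def H(*parts):                      # hash used by every toy primitive below
    return hashlib.sha256(b"|".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
# Toy stand-ins for the building blocks (constructed for illustration, NOT
# secure, not sPA1, not trapdoor-simulatable): every "public key" equals
# its secret key.  They only give the transform something to run on.
def kkg_in():                       # inner KEM: (pk_in, sk_in)
    sk = os.urandom(32); return sk, sk
def encap_in(pk):                   # random 16-byte c_in, alpha = H(pk, c_in)
    c_in = os.urandom(16); return c_in, H(pk, c_in)
def decap_in(sk, c_in):
    return H(sk, c_in)
def com(ck, msg, r_c):              # Com(ck, msg; r_C)
    return H(ck, msg, r_c)
def tenc(tpk, tag, msg, r_t):       # TEnc(tpk, tag, msg; r_T): deterministic in r_T
    return r_t, xor(msg, H(tpk, tag, r_t))
def tdec(tsk, tag, c):
    return xor(c[1], H(tsk, tag, c[0]))
def split(alpha):                   # (r_C || r_T || K) <- alpha  (8 + 8 + 16 bytes)
    return alpha[:8], alpha[8:16], alpha[16:]

def kkg():
    pk0, sk0 = kkg_in(); pk1, sk1 = kkg_in()
    tpk = tsk = os.urandom(32); ck = os.urandom(32)
    return (pk0, pk1, tpk, ck), (sk0, sk1, tsk)

def encap(PK):
    pk0, pk1, tpk, ck = PK
    c0, a0 = encap_in(pk0)          # inner layer: multiple encryption by 2 KEMs
    c1, a1 = encap_in(pk1)
    r_c, r_t, K = split(xor(a0, a1))  # outer randomness is derived from the inner keys
    tag = com(ck, c0 + c1, r_c)
    return (tag, tenc(tpk, tag, c0 + c1, r_t)), K

def decap(PK, SK, C):               # SK is assumed to carry PK (needed for re-encryption)
    _, _, tpk, ck = PK
    sk0, sk1, tsk = SK
    tag, c = C
    m = tdec(tsk, tag, c)
    c0, c1 = m[:16], m[16:]
    r_c, r_t, K = split(xor(decap_in(sk0, c0), decap_in(sk1, c1)))
    # validity of the outer ciphertext is checked by re-encryption; else reject
    if com(ck, c0 + c1, r_c) != tag or tenc(tpk, tag, c0 + c1, r_t) != c:
        return None
    return K
```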
Ideas for Security Proofs
・ … are very similar to [Dac14]
・ Using a CCA adversary for the proposed KEMs, we construct a reduction (CPA adversary) for the inner KEM
・ Binding of the commitment allows us to reject all dec. queries (tag, c) s.t. tag = tag*
・ Q. How to answer the remaining dec. queries (tag ≠ tag*)?
  A. For outer decryption, use the punctured SK of the PTBE (psk_{tag*})
     For inner decryption, use a PA1-extractor
Illustration of Reduction
・ The reduction (CPA Adv.) receives a CPA instance of the inner KEM: (pk_in, c_in*, α*)
・ It gives the CCA Adv. PK = (pk_in, tpk, ck), C* = (tag*, c*), K*
・ For each dec. query C = (tag, c) from the CCA Adv.:
  ・ Outer decryption: PTDec with psk_{tag*} recovers the inner CT c_in
  ・ Inner decryption of c_in: ??? (the reduction does not hold sk_in)
  ・ The validity check by re-encryption gives the dec. result K or ⊥, which is returned to the CCA Adv.
sPA1_ℓ Security of KEM (shown again)
∀ PPT ciphertext creator A, ∃ stateful PPT extractor such that:
・ A receives pk_1, …, pk_ℓ and its random coins r_A; the extractor's initial state is st_0 = (pk_1, …, pk_ℓ, r_A)
・ Whenever A outputs (j_i, C_i), the extractor returns K_i and updates its state st
Technical Subtleties (1/2)
Q1: How to prepare the initial state of the extractor?
A1: Use the oblivious-sampling algorithms of the outer trapdoor-simulatable PTBE & Com
Illustration of Reduction (with the extractor)
・ The reduction (CPA Adv.) receives a CPA instance of the inner KEM: (pk_in, c_in*, α*)
・ It obliviously samples tpk, ck, tag*, c* using randomness r', and gives the CCA Adv. PK = (pk_in, tpk, ck), C* = (tag*, c*), K*
・ The extractor is initialized with (pk_in0, pk_in1, r')
・ For each dec. query C = (tag, c): PTDec with psk_{tag*} ⇒ inner CT c_in ⇒ the extractor gives the inner dec. result ⇒ validity check by re-encryption ⇒ K or ⊥ returned to the CCA Adv.
Technical Subtleties (2/2)
Q2: Is decryption using the extractor consistent with decryption using the normal decryption algorithm?
A2: Yes. Thanks to the security properties of the inner KEM, the reduction can "detect" whether the extractor gave an inconsistent answer to a dec. query from the CCA adversary
・ 1st construction: multiple encryption by 2 KEMs and sPA1_2
  ・ For one position, the reduction embeds its CPA instance, and the secret key of the other position is used to detect inconsistency
  ・ Idea from [Dac14]
・ 2nd construction: 1-bounded CCA and sPA1_1
  ・ The single dec. query of the reduction (as a 1-bounded CCA adversary) can be used to detect inconsistency
  ・ Idea from the double-layered construction papers [MS09, HLW12]
  ・ Actually, 1-bounded plaintext-checking attack security (1-bounded PCA) is sufficient
Why the Trade-offs in Assumptions with [Dac14]?
[Dac14]
・ Weak simulatability only guarantees oblivious sampling for ciphertexts, and hence the initial state of the extractor has to contain the public keys for outer encryption as well
・ Outer encryption in [Dac14] is arranged like the "DDN-lite" construction
・ ⇒ sPA1_{O(k)} is required
Ours
・ Trapdoor simulatability allows oblivious sampling also for the public keys of outer encryption
・ All information for outer encryption is obliviously samplable
・ ⇒ sPA1_{O(1)} is sufficient
Summary
Our results: 2 CCA secure KEMs (new recipes for CCA PKE)
・ Construction 1: sPA1_2, CPA PKE + Trapdoor-Simulatable PKE ⇒ CCA KEM
・ Construction 2: sPA1_1, 1-Bounded CCA PKE + Trapdoor-Simulatable PKE ⇒ CCA KEM
・ C.f.) [Dac14]: sPA1_{2k+2}, Weakly Simulatable PKE ⇒ CCA PKE
Full version: ePrint 2016/235
On sPA1_1 & 1-Bounded CCA KEM
・ We can construct an sPA1_1, 1-Bounded CCA KEM from an sPA1_{O(k)}, CPA KEM based on [DF14]'s CPA-to-1-bounded-CCA PKE construction
・ However, if we use such a construction to obtain a CCA KEM, there is no merit compared to our first construction
・ The merit of the second construction is that in the future, someone may come up with a direct construction better than known methods
・ As noted in the previous slide, 1-bounded CCA can be weakened to 1-bounded PCA security. Could this help…?