A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland.

Presentation transcript:

A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland

CPA, CCA1 and CCA2

CPA-secure Public Key Encryption

CPA, CCA1 and CCA2: CCA1-secure Public Key Encryption

CPA, CCA1 and CCA2: CCA2-secure Public Key Encryption

Does CPA Security Imply CCA Security?
[Naor, Yung 90], [Dolev, Dwork, Naor, 00]
- CPA + NIZK -> CCA1 and CCA2
Partial black-box separation
- [Gertner, Malkin, Myers, 07]: no shielding construction of CCA1 from CPA.
Question remains open!
- Even whether CCA1 -> CCA2 is not known.
- Long line of work showing black-box constructions of CCA2 encryption from lower level primitives: [Peikert, Waters 11], [Rosen, Segev, 10], [Kiltz, Mohassel, O'Neill, 10]...
- Our work continues this line of research.

Our Results
Note: Construction is black-box, but reduction makes non-black-box use of the CCA2 adversary.
[Myers, Sergi, shelat, 12]: Black-box construction of cNM-CCA1-secure encryption from the same assumptions.
Our contribution: Extend to full CCA2 setting. Construction of a CCA2 scheme from encryption schemes with weaker security and no additional assumptions.
Theorem: There is a black-box construction of CCA2-secure encryption from plaintext aware (sPA1) and weakly simulatable public key encryption.

Our Assumptions: Plaintext Awareness
Note: No auxiliary input

Our Assumptions: Weak Simulatability
Candidate constructions satisfying both assumptions ([MSs12]):
- Damgard Elgamal Encryption scheme (DEG)
- Cramer-Shoup lite (CS-lite)

Overview: CCA Proof Strategies
[Table of hybrids; columns: Hybrid, Public Key, Challenge Ciphertext, Decryption Oracle]
PPT adversary cannot distinguish consecutive hybrids.
To reduce to security of underlying encryption scheme, must simulate decryption oracle without knowing secret key.
Main Challenge: Constructing the simulated decryption oracle

CCA1 from Plaintext Awareness?
Trivial: Plaintext Aware scheme is itself CCA1-secure!
- To simulate the decryption oracle without knowing the secret key, use the Extractor.

CCA2 from Plaintext Awareness?

Our Construction
Combines techniques from [Hohenberger, Lewko, Waters 12] and [Myers, Sergi, shelat 12]
2. Inner ciphertexts:
3. Outer ciphertexts:...

Proof Intuition
Idea: Use extractor to simulate oracle even in the CCA2 case.
Now the extractor may answer incorrectly after the adversary receives the challenge ciphertext.
Call this event BadExtEvent.
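
The two points above (the extractor standing in for the decryption oracle in the CCA1 phase, and BadExtEvent once a challenge ciphertext exists), as an added example that is not taken from the slides. It uses Damgård's ElGamal (DEG) over a constructed toy group, and it models the extractor by handing it the ciphertext creator's coins directly, which is an assumption standing in for the sPA1 extractor.

```python
import secrets

# Toy group, constructed for illustration only: P = 2Q + 1 is a safe prime and
# G generates the subgroup of prime order Q. Far too small for real use.
P, Q, G = 1019, 509, 4

def keygen():
    x, y = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    return (pow(G, x, P), pow(G, y, P)), (x, y)      # pk = (X, Y), sk = (x, y)

def encrypt(pk, m, r):
    X, Y = pk
    return (pow(G, r, P), pow(X, r, P), m * pow(Y, r, P) % P)

def decrypt(sk, ct):
    """Real decryption oracle: needs the secret key."""
    (x, y), (c1, c2, c3) = sk, ct
    if pow(c1, x, P) != c2:                          # DEG validity check
        return None
    return c3 * pow(c1, -y, P) % P                   # m = c3 / c1^y

def extract(pk, ct, coins):
    """Simulated oracle: decrypts from the ciphertext creator's coins, no sk.
    Handing it `coins` directly is this example's stand-in for the extractor."""
    (X, Y), (c1, c2, c3) = pk, ct
    if coins is None or pow(G, coins, P) != c1 or pow(X, coins, P) != c2:
        return None
    return c3 * pow(Y, -coins, P) % P                # m = c3 / Y^r

def cca1_phase_agrees(trials=100):
    """Before the challenge, every query comes with coins the extractor can use."""
    pk, sk = keygen()
    for _ in range(trials):
        r, m = 1 + secrets.randbelow(Q - 1), pow(G, secrets.randbelow(Q), P)
        good = encrypt(pk, m, r)
        bad = (good[0], good[1] * G % P, good[2])    # breaks c2 = c1^x
        if not (decrypt(sk, good) == extract(pk, good, r) == m):
            return False
        if decrypt(sk, bad) is not None or extract(pk, bad, r) is not None:
            return False
    return True

def bad_ext_event():
    """After the challenge: a valid query whose coins the querier does not know."""
    pk, sk = keygen()
    m = pow(G, secrets.randbelow(Q), P)
    c1, c2, c3 = encrypt(pk, m, 1 + secrets.randbelow(Q - 1))   # challenge
    query = (c1, c2, c3 * G % P)                     # same coins, shifted payload
    return decrypt(sk, query), extract(pk, query, None), m * G % P
```

`bad_ext_event()` returns the real oracle's answer, the simulated oracle's answer and the expected plaintext; the first and third match while the second is a rejection, which is the disagreement the proof has to detect.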

Proof Intuition

Hard Case: Detecting BadExtEvent in CPA hybrid
XOR to random

Future Directions
Can high-level proof techniques be useful for constructing CCA2 from CCA1?
- Non-black-box use of the adversary.
- Detecting a bad event without fully simulating the decryption oracle.
Can we reduce the underlying assumptions of our construction?

Thank you!