New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

Presentation transcript:

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno

Defining Security of Encryption Schemes
CCA2 security
  - Non-malleable encryption
[Diagram labels: auctioneer, bidder 1, ciphertext c, attacker, ciphertext c']
c and c' are somehow related, e.g., the bid encrypted in c' is a half of the bid encrypted in c

Completely Non-Malleable (CCA2*) Encryption
The auctioneer receives a new bid from bidder 1 (c' instead of c)
The auctioneer receives a new bid from a user with public key pk*
  - Concept introduced in [Fischlin, ICALP '05]
[Diagram labels: bidder 1, c, attacker, c', c*, pk*]
c, pk and c*, pk* are somehow related

Why complete non-malleability?
Is it more general than CCA2?
  - Yes! Cramer-Shoup and RSA-OAEP are CCA2 but not CCA2* [Fis05]
  - For every CCA2 encryption scheme there is a CCA2 encryption scheme which is not CCA2* [This work]
Simple proof…

Proving separation between CCA2 and CCA2*
Given (G, E, D) which is CCA2, construct (G', E', D') as follows:
  G'(1^k):
    (pk, sk) ← G(1^k)
    b ← {0,1}
    return (pk||b, sk)
  E'(pk||b, m):
    return E(pk, m)
  D'(sk, c):
    return D(sk, c)
(G', E', D') is CCA2 (it never uses bit b)
It is easy to construct a winning CCA2* attacker for (G', E', D')
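
The slide does not spell out the winning attacker; one natural choice, shown here as an added example that is not part of the original slides, flips the unused bit b to obtain pk* ≠ pk and resubmits the same ciphertext. Toy ElGamal with constructed parameters stands in for (G, E, D) as an assumption; it is not CCA2, and the names attacker and run_experiment are hypothetical.

```python
import secrets

# Toy ElGamal in Z_P^* as a stand-in for the inner scheme (G, E, D).
# Assumption for illustration only: it is NOT CCA2 and P is a toy parameter.
# The wrapper and the attack below do not depend on which inner scheme is used.
P = 2**127 - 1      # Mersenne prime
GEN = 3

def G():
    sk = secrets.randbelow(P - 2) + 1
    return pow(GEN, sk, P), sk

def E(pk, m):
    r = secrets.randbelow(P - 2) + 1
    return pow(GEN, r, P), (m * pow(pk, r, P)) % P

def D(sk, c):
    c1, c2 = c
    # c1^(P-1-sk) equals c1^(-sk) mod P by Fermat's little theorem
    return (c2 * pow(c1, P - 1 - sk, P)) % P

# The wrapper from the slide: the public key carries a random bit b
# that encryption and decryption never look at.
def G_prime():
    pk, sk = G()
    return (pk, secrets.randbits(1)), sk

def E_prime(pk_b, m):
    pk, _unused_b = pk_b
    return E(pk, m)

def D_prime(sk, c):
    return D(sk, c)

def attacker(pk_b, c):
    """CCA2* attacker: output (pk*, c*) with pk* != pk and a related plaintext."""
    pk, b = pk_b
    return (pk, 1 - b), c          # flip the unused bit, reuse the ciphertext

def run_experiment(m):
    pk_b, sk = G_prime()
    c = E_prime(pk_b, m)
    pk_star, c_star = attacker(pk_b, c)
    # sk is also the secret key matching pk*, since only the unused bit changed
    m_star = D_prime(sk, c_star)
    return pk_star != pk_b, m_star == m

if __name__ == "__main__":
    print(run_experiment(424242))
```

The attacker makes no decryption queries, so CCA2 security of the inner scheme is untouched while the relation "same plaintext under a different public key" always holds.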

Defining Security of Encryption Schemes (cntd)
Plaintext awareness (PA)
  - "An encryption scheme is plaintext aware if it is practically impossible for any entity to produce a ciphertext without knowing the associated message" [Dent, Eurocrypt '06]
Why should we care?
  - PA + CPA implies CCA2 [Bellare & Palacio, AsiaCrypt '04]
[Diagram labels: challenger, attacker, pk, D(sk, ·), Ext(·), indistinguishable output]

Enriching PA concept
Defining PA*: two experiments
[Diagram labels, first experiment: challenger, A, pk, D(sk, ·), pk*, Enc(pk*, x)]
[Diagram labels, second experiment: challenger, Ext, pk, A, pk*, x]
Any PPT machine cannot distinguish pk*, x

Relating CCA2* and PA*
Theorem: PA* + CPA implies CCA2*
  - Similar relation to the CCA2/PA case [BP04]
  - Refining CCA2* definition
CCA2* does make sense when
  - the attacker does not know the secret key sk* (nor a user knowing sk*)
  - the attacker does not have any noticeable advantage in distinguishing messages that are in relation from messages that are not in relation w.r.t. the new key pk*

Construction of CCA2* and PA* encryption schemes
CCA2*:
  - Impossible in plain model (for non-interactive black-box security [Fis05])
  - Constructions:
      Plain model
        - Interactive Non-Black-Box Construction
      Shared Random String model
        - Non-Interactive Black-Box Construction…
        - … which is also PA* when restricting to CRS model

Details of the CRS construction
Ingredients:
  - Any CPA secure encryption scheme (G, E, D)
  - A robust NIZK [DDOPS, Crypto '01] for an NP language L
      Non-malleable NIZK (in the explicit witness sense)
        - Stronger than Simulation-Soundness
      Same-String NIZK
(pk, sk) is in L if there exists randomness r such that G with random tape r outputs (pk, sk)

Details of the CRS construction (2)
Relying on non-malleable NIZK proof we prove that (G', E', D') is CCA2*
Relying on Same-String NIZK proof we prove that (G', E', D') is PA*
  G'(1^k):
    (pk, sk) ← G(1^k)
    p ← proof for L
    return ((pk, p), sk)
  E'((pk, p), m):
    Verify proof p
    return E(pk, m)
  D'(sk, c):
    return D(sk, c)

Conclusions
We give a stronger notion (PA*) of plaintext awareness
We relate the new notion with that of complete non-malleability (CCA2*)
We give general constructions relating previous notions and results
  - This yields a much more understandable framework
We construct a non black-box interactive CCA2*+PA* encryption scheme (plain model)
We construct a non-interactive CCA2*+PA* encryption scheme in the CRS model