Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

2 The short version Plaintext awareness is a property of an encryption scheme that roughly says “an attacker cannot create a ciphertext without knowing the underlying plaintext”. Here “knowing” is in the zero-knowledge sense of the word. Typically used to prove IND-CCA security. New uses, e.g. deniable authentication.

3 The short version Bellare and Palacio proposed a definition for assessing plaintext awareness in the standard model… …and proved that the Cramer-Shoup encryption scheme is partially (PA1) plaintext aware. This paper demonstrates that Cramer-Shoup is fully (PA2) plaintext aware. This should be regarded as a feasibility result.

What is plaintext awareness?

5 A difficult notion to formalise. We want to show that we can answer an attacker’s decryption oracle queries if we know how those queries were constructed. Two flavours: – Partial (PA1) plaintext awareness, which can be used to prove IND-CCA1 security. – Full (PA2) plaintext awareness, which can be used to prove IND-CCA2 security.

6 PA1: The players The ciphertext creator: the bad guy! A probabilistic, polynomial-time attacker who is trying to determine whether he is interacting with a real decryption oracle or not. The plaintext extractor: the good guy! An algorithm which masquerades as a decryption oracle but doesn’t need to know the private key.

7 PA1: The game [diagram] The ciphertext creator receives the public key and submits ciphertexts C, receiving plaintexts m in return. If b=0 then use decryption algorithm (compute m=Dec(sk,C)); if b=1 then use plaintext extractor. The ciphertext creator outputs a guess b’.

8 PA1: The interpretation For every ciphertext creator (attacker)… …there exists a plaintext extractor who can successfully deceive the ciphertext creator… …given the ciphertext creator’s random coins. Note that the plaintext extractor knows the ciphertext creator’s general strategy, everything it has done and everything it is going to do.

9 PA2: The rematch We need to allow the ciphertext creator to get access to ciphertexts for which he does not know the underlying message and/or the random coins used to encrypt that message. The plaintext creator: An ally of the bad guy! Any polynomial time algorithm that randomly generates messages and encrypts them.

10 PA2: The game [diagram] Parties: ciphertext creator, decryption oracle, plaintext creator. The ciphertext creator receives the public key, sends aux to the plaintext creator and gets back ciphertexts C, submits ciphertexts C to the decryption oracle and receives plaintexts m, and outputs b’. The ciphertext creator’s random coins are passed to the plaintext extractor.

11 PA2: The interpretation For every ciphertext creator (attacker)… …there exists a plaintext extractor who can successfully deceive the ciphertext creator… …given the ciphertext creator’s random coins… …regardless of what the plaintext creator does. Often regarded as a malleability condition. Note that the plaintext extractor knows the ciphertext creator’s general strategy, and everything it has done in the past, but can’t figure out everything it is going to do in the future.

Cramer-Shoup is PA2 plaintext aware

13 Cramer-Shoup The Cramer-Shoup scheme has been proven to be PA1 (under the DHK assumption). It also has an interesting property in that you cannot distinguish real ciphertexts from elements chosen completely at random. Hence, the ability to get hold of new ciphertexts is equivalent to the ability to get hold of random bit strings.
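As an added illustration (not from the slides or the paper), a toy Cramer-Shoup instance showing the PA1 picture: the plaintext extractor answers decryption queries with no secret key, using only the ciphertext creator's random coins. The group parameters, the coin-to-r derivation and the sample message are constructed assumptions, and the group is far too small for real use.

```python
import hashlib

# Constructed toy parameters: p = 2q + 1 with p, q prime; G1, G2 are squares mod p,
# so they generate the order-q subgroup. Far too small for real use.
P, Q = 2039, 1019
G1, G2 = 4, 9
MSG = pow(123, 2, P)          # a sample message in the subgroup (a square mod p)

def H(u1, u2, e):
    """Hash the first three ciphertext components to an exponent in Z_q."""
    d = hashlib.sha256(f"{u1}|{u2}|{e}".encode()).digest()
    return int.from_bytes(d, "big") % Q

def keygen(x1, x2, y1, y2, z):
    """Secret key (x1, x2, y1, y2, z) in Z_q; public key (c, d, h)."""
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    return (x1, x2, y1, y2, z), (c, d, pow(G1, z, P))

def encrypt(pk, m, r):
    """Cramer-Shoup encryption of m under randomness r."""
    c, d, h = pk
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    e = pow(h, r, P) * m % P
    a = H(u1, u2, e)
    return (u1, u2, e, pow(c, r, P) * pow(d, r * a % Q, P) % P)

def decrypt(sk, ct):
    """Real decryption oracle: needs sk, rejects malformed ciphertexts with None."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    a = H(u1, u2, e)
    if pow(u1, (x1 + y1 * a) % Q, P) * pow(u2, (x2 + y2 * a) % Q, P) % P != v:
        return None
    return e * pow(u1, Q - z, P) % P     # u1^(-z): exponents live in Z_q

def r_from_coins(coins):
    """How the (assumed) ciphertext creator derives r from its random coin tape."""
    return int.from_bytes(hashlib.sha256(coins).digest(), "big") % Q

def extractor(pk, coins, ct):
    """Plaintext extractor: no secret key, only the creator's coins. DHK intuition:
    a tuple (g1, g2, u1, u2) with u1 = g1^r, u2 = g2^r reveals r to whoever made it."""
    c, d, h = pk
    u1, u2, e, v = ct
    r = r_from_coins(coins)
    if (u1, u2) != (pow(G1, r, P), pow(G2, r, P)):
        return None                      # not a DH tuple formed from the known coins
    a = H(u1, u2, e)
    if v != pow(c, r, P) * pow(d, r * a % Q, P) % P:
        return None                      # same validity test decrypt applies, via r
    return e * pow(h, Q - r, P) % P      # m = e / h^r; h^r equals u1^z
```

Because the extractor recomputes the validity test from r instead of from (x1, x2, y1, y2), it agrees with the real oracle on every well-formed query and on tampered tags, which is the behaviour the PA1 extractor for Cramer-Shoup has to exhibit.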

14 PA1+: An intermediary game This paper proposes a new notion of PA. Here the attacker has the ability to get hold of new random bit strings. The randomness oracle: An ally of the bad guy! Randomly generates a bit-string of a fixed length and returns it to the ciphertext creator.

15 PA1+: The game [diagram] Parties: ciphertext creator, decryption oracle, randomness oracle. The ciphertext creator receives the public key, requests random bit-strings r from the randomness oracle, submits ciphertexts C to the decryption oracle and receives plaintexts m, and outputs b’. The ciphertext creator’s random coins are passed to the plaintext extractor.

16 PA1+: The interpretation A scheme is PA1+ plaintext aware if for every ciphertext creator (with access to a randomness oracle) there exists a plaintext extractor that can deceive it. Again, the plaintext extractor knows the ciphertext creator’s strategy and past actions, but cannot predict its future actions.

17 PA1+: The interpretation Suppose I wish to convince my boss that I’m a genius, and so I send him all of my papers. My boss needs to decide if I’m a genius or not. My boss will pick one at random and read it. However, suppose that I’m actually a lucky idiot who has only written one decent paper. If I know the random choices that my boss will make when selecting the paper, then I can deceive him.

18 PA1+: The interpretation Suppose I wish to convince my boss that I’m a genius, and so I send him all of my papers. My boss needs to decide if I’m a genius or not. My boss will pick one at random and read it. However, suppose that I’m actually a lucky idiot who has only written one decent paper. If I don’t know the random choices that my boss will make when selecting the paper, then I cannot deceive him.

19 PA1+: The big theorem An encryption scheme that is simulatable and PA1+ is always PA2. Simulatable just means that the real ciphertexts are indistinguishable from randomly generated elements – hence, a plaintext creator is roughly the same as a randomness oracle.

20 Cramer-Shoup The original proof gives that Cramer-Shoup is simulatable. (In fact, simulatable implies IND-CCA2). It is fairly easy to adapt the ideas of Bellare-Palacio to show that Cramer-Shoup is PA1+ under the DHK assumption. Hence, Cramer-Shoup is PA2 plaintext aware.

21 Open problems Prove something is plaintext aware that wasn’t already known to be IND-CCA2. Prove something is plaintext aware without having to prove that it is simulatable. Prove something is plaintext aware without using an extractor-based assumption like DHK. THE END

22 Not the end? The notions of plaintext awareness fit together as you might expect: Perfect PA1 = Perfect PA1+. Thus, perfect simulatable PA1 implies PA2. PA2 ≥ PA1+ ≥ PA1

23 Diffie-Hellman Knowledge A computational assumption for a group G generated by a generator g. [diagram] Input: ( g, A ). The adversary outputs ( B, C ). The extractor outputs b (if B = g^b and C = A^b).

24 Diffie-Hellman Knowledge It is meant to be interpreted as “it is impossible to make a Diffie-Hellman tuple without knowing the discrete logarithm of one of the elements”. Not efficiently falsifiable [Naor]. True in the Generic Group Model [Dent,AF] – Although the GGM is not sound [Dent] Used to show that Cramer-Shoup is PA1. Hence considered reasonable to use when showing Cramer-Shoup is PA2.