Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems
Jens Groth, BRICS, University of Aarhus / Cryptomathic A/S
IND-CCA2
Exp 0: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_0)) = 1]$
Exp 1: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_1)) = 1]$
where $O_1(y) = D_{sk}(y)$, and $O_2(y)$ answers "test" if $y$ is the challenge ciphertext and $D_{sk}(y)$ otherwise; $D_{sk}(y)$ returns invalid on a bad ciphertext. Security means the two probabilities are negligibly close.

RCCA
Exp 0: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_0)) = 1]$
Exp 1: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_1)) = 1]$
where $O_1(y) = D_{sk}(y)$, and $O_2(y)$ answers "test" if $D_{sk}(y) \in \{m_0, m_1\}$ and $D_{sk}(y)$ otherwise. So any ciphertext that decrypts to one of the challenge plaintexts is treated like the challenge itself, even if it is a rerandomization of it.
Canetti, Krawczyk, Nielsen: Replayable CCA security
Goal
Cryptosystem: RCCA secure and rerandomizable.
Reasons: practical: anonymization; theoretical: targeted malleability.

Results
Cryptosystem: $O(|m|)$ exponentiations.
Security argument: standard model: weak RCCA (no proof of full RCCA security in the standard model); semi-generic model: RCCA.
Weak RCCA
Exp 0: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_0)) = 1]$
Exp 1: $\Pr[(pk, sk) \leftarrow K;\ (m_0, m_1) \leftarrow A^{O_1}(pk) : A^{O_2}(E_{pk}(m_1)) = 1]$
where $O_1(y) = D_{sk}(y)$, and $O_2(y)$ answers invalid if $D_{sk}(y) \in \{m_0, m_1\}$ and $D_{sk}(y)$ otherwise (the only change from RCCA: the oracle says invalid instead of "test").
IND-CCA1 < WRCCA < RCCA < IND-CCA2, each notion weaker than the one to its right.
Cramer-Shoup
$pk = (g_L, g_R, h, c, d)$, all in $G_q \subset \mathbb{Z}_p^*$ (the subgroup of prime order $q$); $sk = (x_L, x_R, k_L, k_R, l_L, l_R)$
$h = g_L^{x_L} = g_R^{x_R}$, $c = g_L^{k_L} g_R^{k_R}$, $d = g_L^{l_L} g_R^{l_R}$
$E_{pk}(m; r) = (g_L^r, g_R^r, h^r m, (c d^H)^r)$ with $H = \mathrm{hash}(u_L, u_R, v)$
$D_{sk}(u_L, u_R, v, \alpha)$: if $\alpha = u_L^{k_L + H l_L} u_R^{k_R + H l_R}$ return $m = v u_R^{-x_R}$, else return invalid
WRCCA cryptosystem
$pk = (g_{L,1}, g_{R,1}, h_1, \ldots, g_{L,k}, g_{R,k}, h_k, c, d)$, $sk = (x_{L,1}, \ldots, x_{L,k}, k_{L,1}, l_{L,1}, \ldots, k_{R,k}, l_{R,k})$
$h_i = g_{L,i}^{x_{L,i}}$, $c = \prod_{i=1}^{k} g_{L,i}^{k_{L,i}} g_{R,i}^{k_{R,i}}$, $d = \prod_{i=1}^{k} g_{L,i}^{l_{L,i}} g_{R,i}^{l_{R,i}}$
$m = m_1 \cdots m_k \in \{-1, 1\}^k$, $H = \mathrm{hash}(m)$ (a hash of the plaintext rather than of the ciphertext, so it is unchanged by rerandomization)
$E(m; r) = (g_{L,1}^r, g_{R,1}^r, h_1^{m_1 r}, \ldots, g_{L,k}^r, g_{R,k}^r, h_k^{m_k r}, (c d^H)^r)$
$D(u_{L,1}, u_{R,1}, v_1, \ldots, u_{L,k}, u_{R,k}, v_k, \alpha)$: recover each $m_i$ from $v_i = u_{L,i}^{x_{L,i} m_i}$ (invalid if $v_i$ is neither $u_{L,i}^{x_{L,i}}$ nor $u_{L,i}^{-x_{L,i}}$), compute $H = \mathrm{hash}(m)$; if $\alpha = \prod_{i=1}^{k} u_{L,i}^{k_{L,i} + H l_{L,i}} u_{R,i}^{k_{R,i} + H l_{R,i}}$ return $m$, else return invalid
Rerandomization: $(u_{L,1}^s, u_{R,1}^s, v_1^s, \ldots, u_{L,k}^s, u_{R,k}^s, v_k^s, \alpha^s)$ for random $s$

RCCA attack
– $(pk, sk) \leftarrow K$
– $(m_0, m_1) \leftarrow A(pk)$
– challenge $(u_{L,1}, u_{R,1}, v_1, \ldots, u_{L,k}, u_{R,k}, v_k, \alpha) = (g_{L,1}^r, g_{R,1}^r, h_1^{m_{b,1} r}, \ldots, g_{L,k}^r, g_{R,k}^r, h_k^{m_{b,k} r}, (c d^H)^r)$
– query $O_2(u_{L,1} g_{L,1}, u_{R,1} g_{R,1}, v_1 h_1^{m_{0,1}}, \ldots, u_{L,k} g_{L,k}, u_{R,k} g_{R,k}, v_k h_k^{m_{0,k}}, \alpha \, c \, d^{\mathrm{hash}(m_0)})$, i.e. the challenge multiplied componentwise by $E_{pk}(m_0; 1)$
– if the answer is "test" return 0; if the answer is invalid return 1
If $b = 0$ the query equals $E_{pk}(m_0; r + 1)$, a valid encryption of $m_0$, so the RCCA oracle answers "test"; if $b = 1$ the $v_i$ no longer match any $u_{L,i}^{\pm x_{L,i}}$ where $m_0$ and $m_1$ differ, so the oracle answers invalid. The WRCCA oracle answers invalid in both cases, which is why the attack does not break WRCCA security.
RCCA cryptosystem
$PK = (pk_{WRCCA}, pk_{Hom})$, $SK = (sk_{WRCCA}, sk_{Hom})$; the WRCCA part works in $G_n \subset \mathbb{Z}_p^*$ and $E_{Hom}$ is a homomorphic cryptosystem used to encrypt the exponent $Z$
$E_{WRCCA}(m; r) = (u_{L,1}, u_{R,1}, v_1, \ldots, \alpha)$
$E_{PK}(m; r, R, Z) = (u_{L,1}, u_{R,1}, v_1, \ldots, \alpha^Z, E_{Hom}(Z; R))$
$D_{SK}(u_{L,1}, u_{R,1}, v_1, \ldots, \beta, y)$: $Z = D_{Hom}(y)$; if $\beta = \left(\prod_{i} u_{L,i}^{k_{L,i} + H l_{L,i}} u_{R,i}^{k_{R,i} + H l_{R,i}}\right)^Z$ return $m$, else return invalid
Rerandomization: $(u_{L,1}^s, u_{R,1}^s, v_1^s, \ldots, \beta^{sz}, y^z \cdot E_{Hom}(0; S))$, where $y^z$ is the homomorphic multiplication of the encrypted $Z$ by $z$ and the product with $E_{Hom}(0; S)$ rerandomizes the homomorphic ciphertext

Semi-generic model: idealized homomorphic encryption
(Encrypt, $m$) $\to y$: store $(y, m)$
(Add, $y, y'$) $\to y''$: store $(y'', m + m')$ if $(y, m)$ and $(y', m')$ are stored
(Decrypt, $y$) $\to m$ if $(y, m)$ is stored
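The following is an added worked example, not code from the paper or the talk. It implements the WRCCA cryptosystem, its rerandomization, the replay attack above (showing that the RCCA oracle distinguishes while the WRCCA oracle does not), and the RCCA variant of the previous two slides with the idealized homomorphic encryption of the semi-generic model realised as a lookup table. Assumptions that are not on the slides: a toy safe prime $p = 2039$ with $q = 1019$ (the order-$q$ subgroup plays the role of $G_n$), SHA-256 reduced mod $q$ as the hash, a seeded RNG for reproducibility, and a simulated $O_2$ that uses the secret key.

```python
# Added example (not the paper's code): toy-sized implementation of the slides' WRCCA
# cryptosystem, the replay attack showing it is not RCCA secure, and the RCCA variant with
# the exponent Z hidden in an idealized homomorphic encryption (semi-generic model).
import hashlib
import random

P, Q = 2039, 1019            # toy safe prime p = 2q + 1 (assumption); demo parameters only
RNG = random.Random(7)       # deterministic for the demo; use secrets in practice

def rand_exp(): return RNG.randrange(1, Q)                 # nonzero exponent in Z_q
def rand_gen(): return pow(RNG.randrange(2, P - 1), 2, P)  # square mod p, never 1

def hash_msg(m):             # H = hash(m) in Z_q; m is a tuple over {-1, 1}
    digest = hashlib.sha256(bytes(1 if b == 1 else 0 for b in m)).digest()
    return int.from_bytes(digest, "big") % Q

def keygen(k):
    gL, gR = [rand_gen() for _ in range(k)], [rand_gen() for _ in range(k)]
    xL, kL, kR, lL, lR = ([rand_exp() for _ in range(k)] for _ in range(5))
    h = [pow(gL[i], xL[i], P) for i in range(k)]
    c = d = 1                # c = prod g_L,i^k_L,i g_R,i^k_R,i ; d likewise with the l's
    for i in range(k):
        c = c * pow(gL[i], kL[i], P) * pow(gR[i], kR[i], P) % P
        d = d * pow(gL[i], lL[i], P) * pow(gR[i], lR[i], P) % P
    return (gL, gR, h, c, d), (xL, kL, kR, lL, lR)

def encrypt(pk, m, r=None):  # E(m; r) = ((g_L,i^r, g_R,i^r, h_i^(m_i r))_i, (c d^H)^r)
    gL, gR, h, c, d = pk
    r = rand_exp() if r is None else r
    comps = [(pow(gL[i], r, P), pow(gR[i], r, P), pow(h[i], m[i] * r % Q, P))
             for i in range(len(m))]
    return comps, pow(c * pow(d, hash_msg(m), P) % P, r, P)

def check_value(sk, comps, H):   # prod u_L,i^(k_L,i + H l_L,i) u_R,i^(k_R,i + H l_R,i)
    _, kL, kR, lL, lR = sk
    t = 1
    for i, (uL, uR, _) in enumerate(comps):
        t = t * pow(uL, (kL[i] + H * lL[i]) % Q, P) * pow(uR, (kR[i] + H * lR[i]) % Q, P) % P
    return t

def recover_bits(sk, comps):     # v_i = u_L,i^(x_L,i m_i) reveals m_i, otherwise invalid
    m = []
    for i, (uL, _, v) in enumerate(comps):
        if v == pow(uL, sk[0][i], P): m.append(1)
        elif v == pow(uL, Q - sk[0][i], P): m.append(-1)
        else: return None
    return tuple(m)

def decrypt(sk, ct):             # None stands for "invalid"
    comps, alpha = ct
    m = recover_bits(sk, comps)
    return m if m is not None and alpha == check_value(sk, comps, hash_msg(m)) else None

def rerandomize(ct, s=None):     # raise every component to a fresh s; H = hash(m) is unchanged
    comps, alpha = ct
    s = rand_exp() if s is None else s
    return [tuple(pow(x, s, P) for x in comp) for comp in comps], pow(alpha, s, P)

def mul_ct(ct1, ct2):            # componentwise product of two ciphertexts
    return ([tuple(a * b % P for a, b in zip(c1, c2)) for c1, c2 in zip(ct1[0], ct2[0])],
            ct1[1] * ct2[1] % P)

def o2(sk, y, m0, m1, rcca):     # O_2 of the RCCA game; rcca=False gives the WRCCA oracle
    m = decrypt(sk, y)
    return ("test" if rcca else None) if m in (m0, m1) else m

def attack(pk, sk, m0, m1, b, rcca):
    # The adversary on the slides: multiply the challenge by E(m0; 1) and ask O_2.
    challenge = encrypt(pk, (m0, m1)[b])
    answer = o2(sk, mul_ct(challenge, encrypt(pk, m0, r=1)), m0, m1, rcca)
    return 0 if answer == "test" else 1

class IdealHom:                  # semi-generic model: idealized homomorphic encryption on Z_q
    def __init__(self): self.table = {}
    def encrypt(self, z):        # (Encrypt, m) -> fresh handle y, store (y, m)
        y = RNG.getrandbits(64); self.table[y] = z % Q; return y
    def add(self, y1, y2):       # (Add, y, y') -> y'' with (y'', m + m') stored
        return self.encrypt(self.table[y1] + self.table[y2])
    def decrypt(self, y): return self.table.get(y)
    def scale(self, y, z):       # y^z built from Add alone by double-and-add (z >= 1)
        acc, base = None, y
        while z:
            if z & 1: acc = base if acc is None else self.add(acc, base)
            base, z = self.add(base, base), z >> 1
        return acc

def rcca_encrypt(pk, hom, m):    # (u, v, ..., alpha^Z, E_Hom(Z)) for a fresh Z
    (comps, alpha), Z = encrypt(pk, m), rand_exp()
    return comps, pow(alpha, Z, P), hom.encrypt(Z)

def rcca_decrypt(sk, hom, ct):   # valid iff beta = check_value^Z with Z = D_Hom(y)
    comps, beta, y = ct
    m, Z = recover_bits(sk, comps), hom.decrypt(y)
    if m is None or Z is None: return None
    return m if beta == pow(check_value(sk, comps, hash_msg(m)), Z, P) else None

def rcca_rerandomize(hom, ct):   # (u^s, v^s, beta^(s z), y^z * E_Hom(0))
    comps, beta_s = rerandomize(ct[:2])
    z = rand_exp()
    return comps, pow(beta_s, z, P), hom.add(hom.scale(ct[2], z), hom.encrypt(0))
```

The replay attack on the WRCCA scheme needs nothing but the public key: `attack(..., rcca=True)` recovers the bit, while `attack(..., rcca=False)` always outputs 1, exactly the gap between the two oracles on the Weak RCCA slide. In the RCCA variant the same multiplication trick fails because the adversary would have to raise the new $c\,d^{H}$ factor to the hidden $Z$.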
Open problems
Semi-generic model: a practical RCCA cryptosystem.
Standard model: an RCCA cryptosystem.
Both models: other forms of targeted malleability, for example homomorphic cryptosystems.