Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland.

Published byAraceli Wheller Modified over 10 years ago

Similar presentations

Presentation on theme: "A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland."— Presentation transcript:

1 A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland

2 CPA, CCA1 and CCA2

3 CPA-secure Public Key Encryption

4 CPA, CCA1 and CCA2 CCA1-secure Public Key Encryption

5 CPA, CCA1 and CCA2 CCA2-secure Public Key Encryption

6 Does CPA Security Imply CCA Security? [Naor, Yung 90], [Dolev, Dwork, Naor, 00] – CPA + NIZK -> CCA1 and CCA2 Partial black-box separation – [Gertner, Malkin, Myers, 07] no shielding construction of CCA1 from CPA. Question remains open! – Even whether CCA1 -> CCA2 is not known. – Long line of work showing black-box constructions of CCA2 encryption from lower level primitives. [Peikert, Waters 11], [Rosen, Segev, 10], [Kiltz, Mohassel, ONeill, 10]... – Our work continues this line of research.

7 Our Results Note: Construction is black-box, but reduction makes non-black-box use of the CCA2 adversary. [Myers, Sergi, shelat, 12]: Black-box construction of cNM- CCA1-secure encryption from the same assumptions. Our contribution: Extend to full CCA2 setting. Construction of a CCA2 scheme from encryption schemes with weaker security and no additional assumptions. black-boxCCA2 plaintext aware weakly simulatable Theorem: There is a black-box construction of CCA2- secure encryption from plaintext aware (sPA1) and weakly simulatable public key encryption.

8 Our AssumptionsPlaintext Awareness Note: No auxiliary input

9 Our AssumptionsWeak Simulatability Candidate constructions satisfying both assumptions ([MSs12]): Damgard Elgamal Encryption scheme (DEG) Cramer-Shoup lite (CS-lite)

10 Overview: CCA Proof Strategies HyridPublic KeyChallenge CiphertextDecryption Oracle...... cannot distinguish PPT adversary cannot distinguish consecutive hybrids. without knowing secret key. To reduce to security of underlying encryption scheme, must simulate decryption oracle without knowing secret key. Main Challenge: Main Challenge: Constructing the simulated decryption oracle

11 CCA1 from Plaintext Awareness? Trivial: Plaintext Aware scheme is itself CCA1- secure! – To simulate the decryption oracle without knowing the secret key, use the Extractor.

12 CCA2 from Plaintext Awareness?

13 Our Construction Combines techniques from [Hohenberger, Lewko, Waters 12] and [Myers, Sergi, shelat 12] 2. Inner ciphertexts: 3. Outer ciphertexts:...

14 Proof Intuition Idea: Use extractor to simulate oracle even in the CCA2 case. Now the extractor may answer incorrectly after the adversary receives the challenge ciphertext. Call this event BadExtEvent

15 Proof Intuition

16 Hard Case: Detecting BadExtEvent in CPA hybrid XOR to random

17 Future Directions Can high-level proof techniques be useful for constructing CCA2 from CCA1? – Non-black-box use of the adversary. – Detecting a bad event without fully simulating the decryption oracle. Can we reduce the underlying assumptions of our construction?

18 Thank you!

Download ppt "A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland."

Similar presentations

Merkle Puzzles Are Optimal

Merkle Puzzles Are Optimal
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems Jens Groth BRICS, University of Aarhus Cryptomathic A/S.

Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems Jens Groth BRICS, University of Aarhus Cryptomathic A/S.
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Its Not The Assumption, Its The Reduction GMfest13c Assumptions Panel Presentation Ran Canetti.

Its Not The Assumption, Its The Reduction GMfest13c Assumptions Panel Presentation Ran Canetti.
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs MIT/MSR Reading Group NYU.
Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013.

Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
SECURITY AND VERIFICATION

SECURITY AND VERIFICATION
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.

Similar presentations

Ads by Google