Presentation is loading. Please wait.

Presentation is loading. Please wait.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

Published byMaeve Seabourn Modified over 9 years ago

Similar presentations

Presentation on theme: "New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno."— Presentation transcript:

1 New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno

2 Defining Security of Encryption Schemes CCA2 security  Non-malleable encryption auctioneer bidder 1 c attacker c’ c and c’ are somehow related e.g., the bid encrypted in c’ is a half of the bid encrypted in c

3 Completely Non-Malleable (CCA2*) Encryption The auctioneer receives a new bid from bidder 1 (c’ instead of c) The auctioneer receives a new bid from a user with public key pk*  Concept introduced in [Fischlin, ICALP ’05] bidder 1 c attacker c’ c, pk and c*, pk* are somehow related c* pk*

4 Why complete non-malleability? Is it more general than CCA2?  Yes! Cramer-Shoup and RSA-OAEP are CCA2 but not CCA2* [Fis05]  For every CCA2 encryption scheme there is a CCA2 encryption scheme which is not CCA2* [This work] Simple proof…

5 Proving separation between CCA2 and CCA2* Given (G, E, D) which is CCA2 construct (G’, E’, D’) as follows: G’(1 k ) (pk, sk) ← G(1 k ) b ← {0,1} return (pk||b, sk) E’(pk||b, m) return E(pk, m) D’(sk, c) return D(sk, c) (G’, E’, D’) is CCA2 (it never uses bit b) It is easy to construct a winning CCA2* attacker for (G’, E’, D’)

6 Defining Security of Encryption Schemes (cntd) Plaintext awareness (PA)  “An encryption scheme is plaintext aware if it is practically impossible for any entity to produce a ciphertext without knowing the associated message” [Dent, Eurocrypt ‘06] challenger Why we should care about?  PA + CPA implies CCA2 [Bellare & Palacio, AsiaCrypt ’04 ] attacker pk D(sk,.)Ext(.) Indistinguishable output

7 Enriching PA concept Defining PA*: two experiments challenger A pk D(sk,.) pk*, Enc(pk*, x) challenger Ext pk A pk*, x Any PPT machine can not distinguish pk*, x

8 Relating CCA2* and PA* Theorem: PA* + CPA implies CCA2*  Similar relation to the CCA2/PA case [BP04]  Refining CCA2* definition CCA2* does make sense when  the attacker does not know the secret key sk* (nor a user knowing sk*)  the attacker does not have any noticeable advantage in distinguishing messages that are in relation from message that are not in relation w.r.t. the new key pk*

9 Construction of CCA2* and PA* encryption schemes CCA2*:  Impossible in plain model (for non-interactive black-box security [Fis05])  Constructions: Plain model  Interactive Non-Black-Box Construction Shared Random String model  Non-Interactive Black-Box Construction…  … which is also PA* when restricting to CRS model

10 Details of the CRS construction Ingredients:  Any CPA secure encryption scheme (G,E,D)  A robust NIZK [DDOPS, Crypto ’01] for an NP language L Non-malleable NIZK (in the explicit witness sense)  Stronger than Simulation-Soundess Same-String NIZK (pk, sk) is in L if there exists randomness r such that G with random tape r outputs (pk, sk)

11 Details of the CRS construction (2) Relying on non-malleable NIZK proof we prove that (G’, E’, D’) is CCA2* Relying on Same-String NIZK proof we prove that (G’, E’, D’) is PA* G’(1 k ) (pk, sk) ← G(1 k ) p ← proof for L return ((pk, p), sk) E’((pk, p), m) Verify proof p return E(pk, m) D’(sk, c) return D(sk, c)

12 Conclusions We give a stronger notion (PA*) of plaintext awareness We relate the new notion with that of complete non- malleability (CCA2*) We give general constructions relating previous notions and results  This yields a much more understandable framework We construct a non black-box interactive CCA2*+PA* encryption scheme (plain model) We construct a non-interactive CCA2*+PA* encryption scheme in the CRS model

Download ppt "New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
Hybrid Signcryption with Insider Security Alexander W. Dent.

Hybrid Signcryption with Insider Security Alexander W. Dent.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

Similar presentations

Ads by Google