New Results on PACCA Encryption

1
New Results on PA/CCA Encryption

• Carmine Ventre and Ivan Visconti
• Università di Salerno

2
Defining Security of Encryption Schemes

• CCA2 security
• Non-malleable encryption

auctioneer
c
bidder 1
c
c and c are somehow related
attacker
e.g., the bid encrypted in c is a half of the
bid encrypted in c
3
Completely Non-Malleable (CCA2) Encryption
c
bidder 1
c, pk and c, pk are somehow related
c
c
attacker
pk

• The auctioneer receives a new bid from bidder 1
  (c instead of c)
• The auctioneer receives a new bid from a user
  with public key pk
• Concept introduced in Fischlin, ICALP 05

4
Why complete non-malleability?

• Is it more general than CCA2?
• Yes!
• Cramer-Shoup and RSA-OAEP are CCA2 but not CCA2
  Fis05
• For every CCA2 encryption scheme there is a CCA2
  encryption scheme which is not CCA2 This work
• Simple proof

5
Proving separation between CCA2 and CCA2

• Given (G, E, D) which is CCA2 construct (G, E,
  D) as follows

G(1k) (pk, sk) ? G(1k) b ? 0,1 return
(pkb, sk)
E(pkb, m) return E(pk, m)
D(sk, c) return D(sk, c)

• (G, E, D) is CCA2 (it never uses bit b)
• It is easy to construct a winning CCA2 attacker
  for (G, E, D)

6
Defining Security of Encryption Schemes (cntd)

• Plaintext awareness (PA)
• An encryption scheme is plaintext aware if it is
  practically impossible for any entity to produce
  a ciphertext without knowing the associated
  message Dent, Eurocrypt 06

D(sk, .)
Ext(.)
pk
challenger
attacker
Indistinguishable output

• Why we should care about?
• PA CPA implies CCA2 Bellare Palacio,
  AsiaCrypt 04

7
Enriching PA concept

• Defining PA two experiments

D(sk, .)
A
pk
pk
A
Ext
challenger
challenger
pk, Enc(pk, x)
pk, x
pk, x
pk, x
Any PPT machine can not distinguish
8
Relating CCA2 and PA

• Theorem PA CPA implies CCA2
• Similar relation to the CCA2/PA case BP04
• Refining CCA2 definition
• CCA2 does make sense when
• the attacker does not know the secret key sk
  (nor a user knowing sk)
• the attacker does not have any noticeable
  advantage in distinguishing messages that are in
  relation from message that are not in relation
  w.r.t. the new key pk

9
Construction of CCA2 and PA encryption schemes

• CCA2
• Impossible in plain model (for non-interactive
  black-box security Fis05)
• Constructions
• Plain model
• Interactive Non-Black-Box Construction
• Shared Random String model
• Non-Interactive Black-Box Construction
• which is also PA when restricting to CRS model

10
Details of the CRS construction

• Ingredients
• Any CPA secure encryption scheme (G,E,D)
• A robust NIZK DDOPS, Crypto 01 for an NP
  language L
• Non-malleable NIZK (in the explicit witness
  sense)
• Stronger than Simulation-Soundess
• Same-String NIZK
• (pk, sk) is in L if there exists randomness r
  such that G with random tape r outputs (pk, sk)

11
Details of the CRS construction (2)
G(1k) (pk, sk) ? G(1k) p ? proof for L
return ((pk, p), sk)
E((pk, p), m) Verify proof p return
E(pk, m)
D(sk, c) return D(sk, c)

• Relying on non-malleable NIZK proof we prove that
  (G, E, D) is CCA2
• Relying on Same-String NIZK proof we prove that
  (G, E, D) is PA

12
Conclusions

• We give a stronger notion (PA) of plaintext
  awareness
• We relate the new notion with that of complete
  non-malleability (CCA2)
• We give general constructions relating previous
  notions and results
• This yields a much more understandable framework
• We construct a non black-box interactive
  CCA2PA encryption scheme (plain model)
• We construct a non-interactive CCA2PA
  encryption scheme in the CRS model