Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems

About This Presentation

Title:

Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems

Description:

Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems ... (Encrypt, m) = y, store (y, m) (Add, y, y') = y'' store (y'', m m' ... – PowerPoint PPT presentation

Number of Views:72

Avg rating:3.0/5.0

Slides: 13

Provided by: bri60

Category:

more less

Transcript and Presenter's Notes

Title: Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems

1
Rerandomizable and Replayable Adaptive Chosen
Ciphertext Attack Secure Cryptosystems

Jens Groth
BRICS, University of Aarhus
Cryptomathic A/S

2
IND-CCA2
Exp 0
Pr(pk,sk) ? K (m0,m1) ? AO1(pk) AO2(Epk(m0))1
Exp 1
Pr(pk,sk) ? K (m0,m1) ? AO1(pk) AO2(Epk(m1))1
Where O1(y) Dsk(y) O2(y) if y is challenge
answer test else answer Dsk(y) Dsk(y)
invalid on bad ciphertext
3
RCCA
Canetti, Krawczyk, Nielsen Replayable CCA
security
Exp 0
Pr(pk,sk) ? K (m0,m1) ? AO1(pk) AO2(Epk(m0))1
Exp 1
Pr(pk,sk) ? K (m0,m1) ? AO1(pk) AO2(Epk(m1))1
Where O1(y) Dsk(y) O2(y) if Dsk(y) ? m0,m1
answer test else answer Dsk(y)
4
Goal
Cryptosystem

RCCA
Rerandomizable

Reasons

Practical anonymization
Theoretical targetted malleability

5
Results
Cryptosystem

O(m) exponentiations
No security proof

Security argument

Standard model Weak RCCA
Semi-generic model RCCA

6
Weak RCCA
Exp 0
Pr(pk,sk) ? K (m0,m1) ? AO1(pk) AO2(Epk(m0))1
Exp 1
Pr(pk,sk) ? K (m0,m1) ? AO1(pk) AO2(Epk(m1))1
Where O1(y) Dsk(y) O2(y) if Dsk(y) ? m0,m1
answer invalid else answer Dsk(y)
IND-CCA1 lt WRCCA lt RCCA lt IND-CCA2
7
Cramer-Shoup

pk (gL, gR, h, c, d) Gq Zpsk (xL, xR,
kL, kR, lL, lR) h gLxL gRxR c gLkLgRkR, d
gLlLgRlR
Epk(mr) (gLr, gRr, hrm, (cdH)r) H
hash(uL,uR,v)
Dsk(uL,uR,v,a) if a uLkLHlLuRkRHlR return m
vuR-xR else return invalid

8
WRCCA cryptosystem

pk (gL,1, gR,1, h1, ..., gL,k, gR,k, hk, c,
d)sk (xL,1, ..., xL,k, kL,1, lL,1, ..., kR,k,
lR,k) hi gL,ixL,i, c ?gL,ikL,igR,ikR,i, d
?gL,ilL,igR,ilR,i
m m1...mk ?-1,1k, H hash(m)E(mr)(gL,1r,
gR,1r, h1m1r,...,gL,kr, gR,kr, hkmkr, (cdH)r)
D(uL,1, uR,1, v1,..., uL,k, uR,k, vk, a) if a
?uL,ikL,iHlL,iuR,ikR,iHlR,i return m else
return invalid
Rerandomization (uL,1s, uR,1s, v1s,..., uL,ks,
uR,ks, vks, as)

9
RCCA attack

(pk, sk) ? K
(m0, m1)? A(pk)
(uL,1, uR,1, v1,...,uL,k, uR,k, vk, a) (gL,1r,
gR,1r, h1mb,1r,...,gL,kr, gR,kr, hkmb,kr, (cdH)r)
Query O2 (uL,1gL,1, uR,1gR,1, v1h1m0,1,...,
acdhash(m0)) if test return 0 if invalid return
1

10
RCCA cryptosystem

PK (pkWRCCA, pkHom) WRCCA Gn ZpSK
(skWRCCA, skHom)
EPK(mr,R,Z) (uL,1, uR,1, v1,..., aZ,
EHom(ZR)) EWRCCA(mr) (uL,1, uR,1, v1,..., a)
DSK(uL,1, uR,1, v1,..., ß, y) if ß
(?uL,ikL,iHlL,iuR,ikR,iHlR,i)Z return m else
return invalid
Rerandomization (uL,1s, uR,1s, v1s,..., ßsz,
yzEHom(0S))

11
Semi-generic model
Idealized homomorphic encryption

(Encrypt, m) y, store (y, m)
(Add, y, y') y'' store (y'', mm') if (m,
y) and (m', y') stored
(Decrypt, y) m if (m, y) stored

12
Open problems

Semi-generic model Practical RCCA cryptosystem
Standard model RCCA cryptosystem
Both models Other forms of targetted
malleability example homomorphic cryptosystems

Write a Comment

User Comments (0)