Chosen-Ciphertext Security from Identity-Based Encryption

1
Chosen-Ciphertext Security from Identity-Based
Encryption
Jonathan Katz (U. Maryland)
Ran Canetti, Shai Halevi (IBM)
2
Motivation
  • Security against chosen-ciphertext attacks (CCA
    security) is a powerful and useful notion
  • Often the security notion of choice when using
    encryption within a larger protocol
  • Provably-secure constructions both theoretically
    and practically important

3
Motivation
Bidding on vouchers for this afternoon's excursion
Voucher holder
Desperate bidders
  • In general, nothing preventing bid2 = bid1 + 1
    (secrecy of bid1 not violated)
  • Need non-malleability [DDN91]!
  • Implied by CCA security [DDN91, BDPR98]

4
Known Constructions?
  • Essentially only two techniques known for
    achieving CCA security (without random oracles):
      • Using NIZK, general assumptions [DDN91, S99, L03]
        (based on [NY90])
      • Specific assumptions, smooth hash proofs [CS98,
        CS02, GL03, CS03]

5
Known Paradigms?
  • In fact, almost all constructions are essentially
    the same [ES04]
  • Different instantiations of the same underlying
    paradigm
  • Very roughly: certain type of CPA-secure scheme
    plus proof of well-formedness
      • NM-NIZK in [Sahai99, L03]
      • Smooth hash proof systems in [CS98, CS02, GL03,
        CS03]

6
Overview of our Results
  • We show a new technique for achieving
    chosen-ciphertext security
  • The technique does not (seem to) follow
    previously-known paradigms
  • Our approach (along with other work) yields new
    CCA-secure schemes
  • Competitive with best previously known
  • Stay tuned for the next talk

7
More Details
  • We show a simple and efficient way to achieve CCA
    security using any IBE scheme
  • The IBE scheme needs to satisfy only a relatively
    weak notion of security
  • Achieved by IBE schemes of [CHK03, BB04]
  • Result: new CCA-secure schemes!
  • Applications to CCA security for IBE, HIBE, BTE,
    and FSE

8
Review of definitions
9
CCA Security
  • Consider the following game [RS91]:
      • (PK, SK) generated at random
      • Adversary Adv, given PK, can ask decryption
        oracle queries D_SK(·)
      • Adv outputs (m_0, m_1); given C* ← E_PK(m_b) for
        random b; may continue to ask decryption
        queries (but not C* itself)
      • Adv outputs b'; succeeds if b' = b

10
CCA Security
  • An encryption scheme is CCA-secure if
    |Pr[AdvSucc] − ½| is negligible for all poly-time
    Adv

11
ID-Based Encryption (IBE)
  • Overview:
      • PKG generates (PK, MSK)
      • PK publicly distributed
      • For any string (identity) ID, the PKG, using MSK,
        can issue a secret key SK_ID
      • (ID, SK_ID), along with PK, acts as a
        public/private key pair for a standard encryption
        scheme

12
Security?
  • (Informally) Knowledge of the secret keys for
    users I = {ID_1, …, ID_n} does not allow the adversary
    to break the scheme for any ID ∉ I
  • Strong IBE: choice of ID may depend on PK
    [BF01]
  • Weak IBE: ID is fixed independently of PK
    [CHK03]

13
More Formally
  • Consider the following game ([CHK03], adapting
    [BF01]):
      • Adv specifies challenge identity ID*
      • (PK, MSK) generated at random; Adv given PK
      • Adv may (adaptively) request secret keys for any
        IDs other than ID*
      • Adv outputs (m_0, m_1), and is then given C* ←
        E_PK(ID*, m_b) for random b

14
Definition, continued
  • Adv may continue to request secret keys for IDs
    other than ID*
  • Adv outputs b'; succeeds if b' = b
  • An IBE is weakly secure if |Pr[AdvSucc] − ½| is
    negligible for all poly-time Adv

15
Known Constructions?
  • Strong IBE: [C01, BF01], both in random oracle
    model
  • Weak IBE: [CHK03, BB04]
  • Strong IBE: [BB04, to appear]

16
From IBE to chosen-ciphertext security
17
Our Construction
  • Key generation:
      • Run PKG algorithm to obtain (PK, MSK)
      • Public key is PK; secret key is MSK
  • To encrypt m using PK:
      • Generate (vk, sk) for signature scheme
      • Encrypt m using PK and identity vk
      • Sign resulting ciphertext using sk
      • Send (vk, C, σ)

18
Decryption
  • To decrypt (vk, C, σ):
      • Verify signature
      • Use MSK to generate the secret key SK_vk for the
        identity vk
      • Use SK_vk to decrypt C
      • (Erase SK_vk)

19
Theorem Statement
  • If the IBE scheme is weakly secure, and a strong,
    one-time signature scheme is used, the resulting
    encryption scheme is secure against adaptive
    chosen-ciphertext attacks

20
Proof Intuition
  • Let challenge ciphertext be (vk*, C*, σ*)
  • Adv submits different (vk, C, σ) to its
    decryption oracle
  • Clearly, vk ≠ vk*
  • So C will be decrypted with respect to a
    different identity vk
  • Even if Adv were given SK_vk itself, encryption
    to vk* would still be secure!

21
Remarks
  • Weak IBE security is enough to achieve adaptive
    CCA security
  • vk chosen by encryption oracle, not by the
    adversary
  • The conversion is efficient
  • Non-adaptive CCA security can be achieved with
    virtually no overhead

22
Extensions and further applications
23
Binary Tree Enc. (BTE)
  • Introduced by [CHK03]
  • As before, PKG generates (PK, MSK)
  • PKG viewed as identity ε with secret key SK_ε =
    MSK
  • Any secret key SK_w can be used to derive secret
    keys SK_w0 and SK_w1
  • (ID, SK_ID) acts as a public/private key pair for
    a standard encryption scheme

24
Weak Security
  • Ancestors of (ID_1 … ID_n) are identities of the form
    (ID_1 … ID_i) for 1 ≤ i ≤ n
  • (Informally) Secret keys for any set of users I
    do not allow an adversary to break the scheme
    for any ID having no ancestors in I
  • Constructions in standard model known ([CHK03,
    BB04], building on [GS02])

25
Our Construction
  • CCA-secure (weak) BTE from CPA-secure (weak) BTE
  • (Consider fixed-length BTE)
  • Key generation as before
  • To encrypt m for identity ID: generate (vk, sk),
    encrypt m for identity ID|vk, and sign
    ciphertext using sk
  • As before, decrypt using SK_ID by first generating
    transient SK_ID|vk

26
Results
  • This approach yields a CCA-secure (weak) BTE
    scheme from any CPA-secure (weak) BTE scheme
  • CPA-secure BTE ⇒ CCA-secure BTE
  • Analogous result not known for the case of
    standard public-key encryption

27
Applications
  • (Weak) BTE implies (weak) IBE, (weak) HIBE, and
    forward-secure encryption [CHK03]
  • Our results yield CCA-secure constructions of
    these primitives more efficient than those
    previously known

28
Summary
  • New method for constructing CCA-secure public-key
    encryption
  • Gives new, practical CCA-secure schemes in
    standard model
  • Further applications to CCA-security in other
    contexts