detecting dangerous queries:
DESCRIPTION
Detecting Dangerous Queries:. A New Approach for Chosen Ciphertext Security. Susan Hohenberger. Allison Lewko. Brent Waters. SK. PubK. Public Key Encryption [DH76,RSA78,GM84]. Passive Attacker : Chosen Plaintext Attack (CPA). SK. PubK. Active Attackers [NY90,DDN91,RS91]. - PowerPoint PPT PresentationTRANSCRIPT
Detecting Dangerous Queries:
Brent Waters
A New Approach for Chosen Ciphertext Security
Susan Hohenberger Allison Lewko
2
Public Key Encryption [DH76,RSA78,GM84]
SKPubK
Passive Attacker : Chosen Plaintext Attack (CPA)
3
Active Attackers [NY90,DDN91,RS91]
SKPubK
Chosen Ciphertext Attack (CCA)
IND-CPA [GM84]
Challenger
Setup PK
M0 ,M1
b’ {0,1}
CT* = Enc(PK, Mb )b{0,1}
AdvA = Pr[b=b’]-1/2
Indistinguishability under Chosen Plaintext Attack
IND-CCA [NY90,DDN91,RS91]
Challenger
Setup PK
M0 ,M1
b’ {0,1}
CT* = Enc(PK, Mb )b{0,1}
AdvA = Pr[b=b’]-1/2
Indistinguishability under Chosen Ciphertext Attack
CTDec(SK,CT)
CTDec(SK,CT) CT CT*
IND-CCA [NY90,DDN91,RS91]
Challenger
Setup
M0 ,M1
b’ {0,1}
CT* = Enc(PK, Mb )
AdvA = Pr[b=b’]-1/2
Indistinguishability under Chosen Ciphertext Attack
CTDec(SK,CT)
CTDec(SK,CT) CT
CT*CCA-1: No 2nd phase of oracle queries
b{0,1}
PK
The Grand Goal: CCA from CPA
7
CCA
CPA
Prior Methods (Standard Model)
8
NIZK [BFM88,NY90,DDN91,RS91,S99]
• NIZK proves well formness• NIZKs are rare: TPD/RSA, Pairings No:DDH,
Lattices
Cramer-Shoup plus [CS98,02,…]• Efficient systems from number theory• DDH,DCR, Factoring, IBE [CHK04],
No:Lattices
Prior Methods (Standard Model)
9
Lossy TDFs [PW08,RS09,…]
• Randomness recovery => use to verify CT
• Change PK in proof• DDH, Lattices
1-bit to many bit CCA[MS09]
• General techniques• Partial randomness recovery
Our Result
10
New General Approach for CCA security:
Detectable Chosen Ciphertext Security (DCCA)
CCA
DCCA
DCCA Security: Intuition
11
CCA secure if avoid “dangerous” queries1) Hard to produce bad queries w/o challenge CT2) Can detect dangerous queries
Example: Concatenate 1 bit CCA ciphertexts1CT* 1 0
Dangerous Query for CT*: CT = Reorder of CT*
1)Hard to produce w/o CT* 2) Easy to detect
Detectable Encryption System
12
Setup(1n) ! (PK,SK)
Encrypt(PK,M) ! CT
Decrypt(SK,CT) ! M
F( PK, CT* , CT) ! {0,1}
Outputs ‘1’ if CT is a “dangerous” query for CT*
Two Security Properties
Property 1: Hard to Predict (Strong)
Challenger
Setup PK,SK
MCT* = Enc(PK, M )
AdvA = Pr[F(PK,CT,CT*)=1]
CT
Property 2: Indistinguishability
Challenger
Setup PK
M0 ,M1
b’ {0,1}
CT* = Enc(PK, Mb )b{0,1}
AdvA = Pr[b=b’]-1/2
CTDec(SK,CT)
CTDec(SK,CT) CT CT*F(PK,CT*,CT)=0
CCA2=>DCCA=>CCA1
Ex. 1: n-bit DCCA from 1 bit CCA
15
Idea: Use basic concatenation
1 1 0
F(PK,CT*,CT): 9 (i,j) s.t. CTi*=CTj
Enc(PK,m) ! C1=Enc(PK,m1), …, Cn=Enc(PK,mn)
Ex. 2: Tag-Based Encryption [MRY04,K06]
16
Tag-Based Encryption: (1)Each ciphertext associated with a tag(2) Is CCA secure as long as TagCT* not queried
F(PK,CT*,CT): TagCT* = TagCT
Examples: CHK04-lite, Kiltz06, PW08 (CCA-1 version), DDN91 (w/o signature)
Ex. 3: Heuristic/Sloppy CCA
17
Idea: DCCA easier to meet than CCA(1)Heuristic approach(2) Sloppy: E.g. “Slack” bit in group
representation
Apply transformation in case messed up
CT:
The Ingredients
18
1-Bounded CCA CPA
Detectable CCA
PSV06,CDMW08
Trivial
Msg 2 {0,1}* and randomness 2 {0,1}n
Justified by Pseudo Random Generators
Our Construction
19
Setup
20
Setup(1n):1) Setup1B (1n) ! (PKA, SKA)2) SetupCPA (1n) ! (PKB, SKB)3) SetupDCCA (1n) ! (PKin, SKin)
PK= PKA, PKB, PKin
SK= SKA, SKB, SKin
Encryption
21
Encrypt(PK,M):1) Choose random ra ,rb , rin 2 {0,1}n 2) Cin = EncDCCA( (M,ra, rb ) ; rin ) 3) CA=Enc1B (Cin; ra), CB=EncCPA (Cin; rb) 4) CT= CA , CB
;ra(M, ra ,rb); rin ;rb(M, ra ,rb); rinCA= CB=
Decryption
22
Decrypt(SK, CT= (CA , CB) ) :1) Cin’ = Dec(SKA , CA )2) (M’, ra’, rb’) = Dec(SKin , Cin’ )3) CA’=Enc1B (Cin’; ra’), CB’=EncCPA (Cin ;rb’) 4) If CA CA ’ OR CB CB’ reject ;else M’
;ra(M, ra ,rb); rin ;rb(M, ra ,rb); rinCA= CB=
Idea: Recover (M, ra , rb ) then re-encrypt
A Few Comments
23
;ra(M, ra ,rb); rin
Features: Naor-Yung 2-key & Myers-shelat nesting
;rb(M, ra ,rb); rinCA= CB=
Embedded Randomness vs. NIZK
Proof w/ embedding randomness:Good: Decrypt from either sideProblem: Embedding challenge
What is the trouble?
24
;ra(M, ra ,rb); rin
Challenge CT= CA *, CB * encryptions of Cin *
;rbCin*= CB*=
Problem Query: Get Cin’ s.t. F(PKDCCA, Cin *, Cin’) =1
Bad Event: Query C= CA , CB s.t.(1)CA CA *(2)Dec( SK_A, CA) = Cin’ where F(PKDCCA, Cin *, Cin’)
=1
CA*= Cin*= (M, ra ,rb); rin
Nested Indist. Game
25
;ra(M, ra ,rb); rin
Attacker gets CCA queries Challenge Inner encrypts Msg + randomness or all 0’s
;rbCin*= CB*=CA*= Cin*= (M, ra ,rb); rin
z=1
;ra(00…00); rin ;rbCin*= CB*=CA*= Cin*= (00…00); rin
z=0 No embedded randomness
If prove under this game we are done!
Roadmap
26
Eliminate bad event => Security follows from DCCA
(1)Eliminate with z=0 (no embedded randomness)(2) Indirectly infer z=1 case from (1)
Bad Event Analysis (no embedded randomness)
27
Nested ;ra(00…00); rin ;rb(00…00); rin
Right-Erased ;ra(00…00); rin ;rb1111…111
Switch -Decrypt
Full-Erased ;ra ;rb1111…111
Show probabilities are close
IND-CPA
1Bounded CCA
=negl(n) unpredictability
1111…111
BE-Nested vs. BE-Right-Erase
28
;rb(00…00); rin
Standard IND-CPA reduction• Know SKA, SKin , not SKB
• Observe BE using SKA
;rb1111…111vs.
Switch Decrypt
29
Switch from using SKA to SKB to decrypt• These are equivalent from Attacker’s
view• Best of both worlds: Challenge CT not
embed randomness, but queries must!
BE-Right-Erased vs. BE-Full-ErasedFull-Erased ;ra ;rb1111…1111111…111
(M, ra ,rb); rinCin*= is gone! Unpredictability: Pr[Bad event in Full Erase] =
negl(n)
BE-Right-Erased vs. BE-Full-Erased
31
1-Bounded CCA reduction• Know SKB, SKin , not SKA
• Problem: Cannot observe bad event using SKB
• Solution: “Peek” at 1 A query using 1-Bounded 1/Q chance of seeing it
vs.(00…00); rin ;ra1111…111
No Bad Event for embedded randomness
Suppose it did happen => We break DCCA indist.
(00…00); rin
2) Submit Msg0 =(M, ra, rb) , Msg1 = (00…00)1) Run Indist Game on A (while playing DCCA)
3) Get back either
(M, ra ,rb); rin or
4) Create challenge CT (know SKA, SKB)5) Use DCCA oracle to answer non-dangerous
queriesWhat if get dangerous query? Stuck!But then we know it must be Msg0 => breaks
DCCA!
Finishing it off
33
;ra(M, ra ,rb); rin ;rbCin*= CB*=CA*= Cin*= (M, ra ,rb); rin
z=1
;ra(00…00); rin ;rbCin*= CB*=CA*= Cin*= (00…00); rin
z=0 No embedded randomness
N.I. easy to prove from DCCA if no bad eventsCCA security follows immediately
Summary
34
• New abstraction: Detectable CCA security• Build CCA from it• Cover 1 to many bit enc. , tag-based, & more• Embedded randomness --- blessing & problems• Indirect inference on bad event
Could CCA-1 work?
35
Idea: Replace DCCA component w/ CCA-1Problem 1: Proof needs to detect
(CT*) :Decrypts CT*, encrypts M in another CT’
Problem 2: Can create an oracle that breaks it
Q1: The oracle is strong! Is there middle ground?
Q2: Structure for CCA-1? Proof idea?
Our Picture (not necessarily to scale)
36
CCA
CPA
DCCA
CCA-1
37
Thank you