Jan Camenisch Nishanth Chandran Victor Shoup

About This Presentation

Title:

Jan Camenisch Nishanth Chandran Victor Shoup

Description:

Jan Camenisch Nishanth Chandran Victor Shoup. IBM Zurich UCLA NYU & IBM Zurich ... KeyGen(): pk = (pkkdm, pkcca, CRS); sk = skkdm. Enc(pk, m): (VK, SK) : keys for OTS ... – PowerPoint PPT presentation

Number of Views:65

Avg rating:3.0/5.0

Slides: 26

Provided by: CSU117

Category:

more less

Transcript and Presenter's Notes

Title: Jan Camenisch Nishanth Chandran Victor Shoup

1
A PKE Secure Against Key Dependent Chosen
Plaintext Adaptive Chosen Ciphertext Attacks

Jan Camenisch Nishanth Chandran Victor
Shoup
IBM Zurich UCLA
NYU IBM Zurich

2
Public Key Encryption
Enc(pkB,m1)
pkA, skA
pkB, skB
Enc(pkA,m2)
Enc(pkB,m3)
3
Semantic Security GM82
sk
pk
b 0/1
m
Enc(pk,m) / Enc(pk,?)
b'
Adv wins if b b'
4
CCA Security NY90,RS91
pk
sk
c
Dec(sk,c)
b 0/1
poly times
m
c Enc(pk,m) / Enc(pk,?)
c ? c
poly times
Dec(sk,c)
b'
CCA1
CCA2
Adv wins if b b'
5
Encrypting Keys
Token 1
Enc(pk2, sk1)
Enc(pk1, sk2)
Token 2
PKCS 11, IBM CCA, KMIP
Enc(pk, sk)
Key Backup
Circular Encryption
6
Encrypting Keys
sk
pk
Enc(pk,sk)
Secure??
In general NO! GM84
7
Key Dependent Message (KDM) Security CL01, BRS02
pk1, pk2, ., pkn
sk1, sk2, ., skn
i, j
b 0/1
Enc(pki,skj) / Enc(pki,?)
b'
Adv wins if b b'
8
KDM Security BHHO08
pk1, pk2, ., pkn and F
sk (sk1, sk2, ., skn)
i and f in F
b 0/1
Enc(pki,f(sk)) / Enc(pki,?)
b'
Adv wins if b b'
9
Previous Constructions of KDM Secure Schemes

CL01, BRS02 first constructions in RO model
BDU08 stronger security, in RO model
Without RO ???
BHHO08 CPA secure against linear
functions F of keys
CCA security ???
This work CCA secure against linear
functions F of keys

10
Why care about KDM CCA ?
Enc(pk2, sk1)
Enc(pk1, sk2)
pk2, sk2
pk1, sk1
c, 2
Dec(c, sk2)
11
Rest of the Talk

KDM CCA Definition
Building blocks
KDM CPA secure scheme
CCA secure scheme with labels
NIZK proof system
Strong one-time signatures
General Construction
Concrete Instantiation

12
KDM CCA Security Definition
pk1,., pkn and F
(i, f)
sk (sk1,., skn)
Encryption queries
c Enc(pki,f(sk)) / Enc(pki,?)
b 0/1
(i, c) ? (i, c)
Decryption queries
Dec(ski,c)
b'
Adv wins if b b'
13
Building Blocks

Start with any KDM CPA secure scheme supporting
function family F
General scheme to convert this to KDM CCA
secure scheme supporting function family F
High level idea
Naor-Yung double encryption Encrypt msg with
KDM-CPA and CCA schemes prove that same message
was used.

Use labeled CCA scheme to prevent
malleability.

14
Labeled CCA Encryption

Label Public data attached non-malleably
to a ciphertext
Changing the label, changes the ciphertext
In our application, we will use labels to bind
together the two ciphertexts and the NIZK proof

15
NIZK Proof System BFM88, FLS90
Statement x in L
Common Reference String
Prover P
Verifier V
Witness w
p P(CRS, x, w)

Completeness V(CRS, x, p) 1 if CRS, p
generated
correctly and x in L

Soundness No P, given CRS, can output (x, p)
s.t. x not in L and V(CRS, x, p) 1

Zero-knowledge No V can distinguish between
real
proofs and
simulated proofs

16
NIZK Proof System BFM88, FLS90
Statement x in L
Common Reference String
Prover P
Verifier V
Witness w
p P(CRS, x, w)
Note We do not require proof to have Simulation
Soundness Sahai99, DDOPS01
Simulation Soundness Even if P sees several
simulated proofs of false statements, he cannot
give valid proof for a new false statement
17
Strong One-Time Signatures
VK
SK
m
s SignSK(m)
(m, s)
Adv wins if (m, s) ? (m, s) and VerifyVK(m,
s) accept
18
General Construction

KeyGen() pk (pkkdm, pkcca, CRS) sk skkdm
Enc(pk, m)
(VK, SK) keys for OTS
ckdm Enckdm(pkkdm,m) ccca Enccca(pkcca,m,VK)
p proof that ckdm and ccca encrypt same m
s SignSK(ckdmcccap)
Output (ckdmcccapVKs)

19
General Construction

KeyGen() pk (pkkdm, pkcca, CRS) sk skkdm
Enc(pk, m) c (ckdmcccapVKs)
Dec(sk, c)
Parse c as ckdmcccapVKs . Reject if bad
format.
If s is valid signature and p is valid proof,
output Deckdm(sk, ckdm) Otherwise, reject.

20
Proof Main Points