Rerandomizable and Replayable Adaptive
Chosen Ciphertext Attack Secure Cryptosystems
Jens Groth
BRICS, University of Aarhus
Cryptomathic A/S
IND-CCA2
Exp 0: Pr[(pk,sk) ← K; (m0,m1) ← A^{O1}(pk): A^{O2}(E_pk(m0)) = 1]
Exp 1: Pr[(pk,sk) ← K; (m0,m1) ← A^{O1}(pk): A^{O2}(E_pk(m1)) = 1]
where O1(y) = D_sk(y)
      O2(y) = if y is the challenge answer "test", else answer D_sk(y)
D_sk(y) = invalid on a bad ciphertext
RCCA
Exp 0: Pr[(pk,sk) ← K; (m0,m1) ← A^{O1}(pk): A^{O2}(E_pk(m0)) = 1]
Exp 1: Pr[(pk,sk) ← K; (m0,m1) ← A^{O1}(pk): A^{O2}(E_pk(m1)) = 1]
where O1(y) = D_sk(y)
      O2(y) = if D_sk(y) ∈ {m0,m1} answer "test", else answer D_sk(y)
Canetti, Krawczyk, Nielsen: Replayable CCA security
Goal
  RCCA
  Rerandomizable
Reasons
  Practical: anonymization
  Theoretical: targeted malleability
Results
  Cryptosystem with O(|m|) exponentiations
  No security proof
  Standard model: weak RCCA
  Semi-generic model: RCCA
Cryptosystem
Security argument
Weak RCCA
Exp 0: Pr[(pk,sk) ← K; (m0,m1) ← A^{O1}(pk): A^{O2}(E_pk(m0)) = 1]
Exp 1: Pr[(pk,sk) ← K; (m0,m1) ← A^{O1}(pk): A^{O2}(E_pk(m1)) = 1]
where O1(y) = D_sk(y)
      O2(y) = if D_sk(y) ∈ {m0,m1} answer "invalid", else answer D_sk(y)
IND-CCA1 < WRCCA < RCCA < IND-CCA2
Cramer-Shoup
pk = (g_L, g_R, h, c, d) ∈ G_q ≤ Z_p^*
sk = (x_L, x_R, k_L, k_R, l_L, l_R)
h = g_L^{x_L} = g_R^{x_R}
c = g_L^{k_L} g_R^{k_R}, d = g_L^{l_L} g_R^{l_R}
E_pk(m; r) = (g_L^r, g_R^r, h^r m, (c d^H)^r), H = hash(u_L, u_R, v)
D_sk(u_L, u_R, v, α): if α = u_L^{k_L + H l_L} u_R^{k_R + H l_R} return m = v u_R^{-x_R}
                      else return invalid
WRCCA cryptosystem
pk = (g_{L,1}, g_{R,1}, h_1, ..., g_{L,k}, g_{R,k}, h_k, c, d)
sk = (x_{L,1}, ..., x_{L,k}, k_{L,1}, l_{L,1}, ..., k_{R,k}, l_{R,k})
h_i = g_{L,i}^{x_{L,i}}, c = ∏ g_{L,i}^{k_{L,i}} g_{R,i}^{k_{R,i}}, d = ∏ g_{L,i}^{l_{L,i}} g_{R,i}^{l_{R,i}}
m = m_1 ... m_k ∈ {-1,1}^k, H = hash(m)
E(m; r) = (g_{L,1}^r, g_{R,1}^r, h_1^{m_1 r}, ..., g_{L,k}^r, g_{R,k}^r, h_k^{m_k r}, (c d^H)^r)
D(u_{L,1}, u_{R,1}, v_1, ..., u_{L,k}, u_{R,k}, v_k, α): if α = ∏ u_{L,i}^{k_{L,i} + H l_{L,i}} u_{R,i}^{k_{R,i} + H l_{R,i}} return m
                                                      else return invalid
Rerandomization: (u_{L,1}^s, u_{R,1}^s, v_1^s, ..., u_{L,k}^s, u_{R,k}^s, v_k^s, α^s)
RCCA attack
– (pk, sk) ← K
– (m0, m1) ← A(pk)
– challenge (u_{L,1}, u_{R,1}, v_1, ..., u_{L,k}, u_{R,k}, v_k, α) = (g_{L,1}^r, g_{R,1}^r, h_1^{m_{b,1} r}, ..., g_{L,k}^r, g_{R,k}^r, h_k^{m_{b,k} r}, (c d^H)^r)
– Query O2(u_{L,1} g_{L,1}, u_{R,1} g_{R,1}, v_1 h_1^{m_{0,1}}, ..., α c d^{hash(m0)})
  if test return 0
  if invalid return 1
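The following Python is an added worked example, not code from Groth's paper or slides. It implements the WRCCA cryptosystem above over a constructed toy group (quadratic residues of the safe prime P = 1019, subgroup order Q = 509, so it has no cryptographic strength), the rerandomization from the previous slide, and the replay query of the RCCA attack slide. Two details are assumptions of this example rather than statements on the slides: hash(m) is taken as SHA-256 of the bit string reduced mod Q, and "return m" is read as recovering each bit by comparing v_i against u_{L,i}^{x_{L,i}} and its inverse before the Cramer-Shoup check on α.

```python
# Toy version of the slides' WRCCA cryptosystem (rerandomizable Cramer-Shoup variant).
# All parameters are constructed for illustration and carry no cryptographic strength.
import hashlib
import secrets

P = 1019  # constructed safe prime, P = 2*Q + 1
Q = 509   # prime order of the quadratic-residue subgroup G_Q of Z_P^*
G = 4     # 2^2 generates G_Q

def rand_exp():
    return secrets.randbelow(Q - 1) + 1  # uniform exponent in [1, Q-1]

def rand_elem():
    return pow(G, rand_exp(), P)  # uniform element of G_Q

def prod(xs):
    out = 1
    for x in xs:
        out = out * x % P
    return out

def hash_msg(m):
    # H = hash(m) for m in {-1,1}^k; assumption: SHA-256 of the bit string, reduced mod Q
    return int.from_bytes(hashlib.sha256(bytes(b == 1 for b in m)).digest(), "big") % Q

def keygen(k):
    # pk = (g_{L,i}, g_{R,i}, h_i, c, d), sk = (x_{L,i}, k_{L,i}, k_{R,i}, l_{L,i}, l_{R,i})
    gL = [rand_elem() for _ in range(k)]
    gR = [rand_elem() for _ in range(k)]
    xL, kL, kR, lL, lR = ([rand_exp() for _ in range(k)] for _ in range(5))
    h = [pow(gL[i], xL[i], P) for i in range(k)]
    c = prod(pow(gL[i], kL[i], P) * pow(gR[i], kR[i], P) for i in range(k))
    d = prod(pow(gL[i], lL[i], P) * pow(gR[i], lR[i], P) for i in range(k))
    return ({"k": k, "gL": gL, "gR": gR, "h": h, "c": c, "d": d},
            {"xL": xL, "kL": kL, "kR": kR, "lL": lL, "lR": lR})

def encrypt(pk, m, r=None):
    # E(m; r) = (g_{L,i}^r, g_{R,i}^r, h_i^{m_i r} for each i, (c d^H)^r), H = hash(m)
    r = rand_exp() if r is None else r
    H = hash_msg(m)
    uL = [pow(g, r, P) for g in pk["gL"]]
    uR = [pow(g, r, P) for g in pk["gR"]]
    v = [pow(pk["h"][i], m[i] * r % Q, P) for i in range(pk["k"])]
    return (uL, uR, v, pow(pk["c"] * pow(pk["d"], H, P) % P, r, P))

def decrypt(sk, ct):
    # Each bit: v_i = u_{L,i}^{x_{L,i}} means m_i = 1, its inverse means m_i = -1 (our reading
    # of "return m"); then the Cramer-Shoup check on alpha. None stands for "invalid".
    uL, uR, v, alpha = ct
    m = []
    for i, x in enumerate(sk["xL"]):
        t = pow(uL[i], x, P)
        if v[i] == t:
            m.append(1)
        elif v[i] == pow(t, P - 2, P):
            m.append(-1)
        else:
            return None
    H = hash_msg(m)
    check = prod(pow(uL[i], (sk["kL"][i] + H * sk["lL"][i]) % Q, P)
                 * pow(uR[i], (sk["kR"][i] + H * sk["lR"][i]) % Q, P) for i in range(len(m)))
    return m if check == alpha else None

def rerandomize(ct, s=None):
    # Raising every component to s turns E(m; r) into E(m; r*s)
    s = rand_exp() if s is None else s
    uL, uR, v, alpha = ct
    return ([pow(x, s, P) for x in uL], [pow(x, s, P) for x in uR],
            [pow(x, s, P) for x in v], pow(alpha, s, P))

def replay_query(pk, ct, m0):
    # The RCCA-attack slide: multiply the challenge componentwise by E(m0; 1) =
    # (g_{L,i}, g_{R,i}, h_i^{m_{0,i}}, c d^{hash(m0)}); for b = 0 the result is E(m0; r+1)
    eL, eR, ev, ea = encrypt(pk, m0, r=1)
    uL, uR, v, alpha = ct
    return ([a * b % P for a, b in zip(uL, eL)], [a * b % P for a, b in zip(uR, eR)],
            [a * b % P for a, b in zip(v, ev)], alpha * ea % P)

def rcca_experiment(k=4):
    # Run the attack against the RCCA oracle (answers "test" when D_sk(y) is in {m0, m1}).
    # Returns the adversary's guess for b = 0 and for b = 1; a WRCCA oracle would answer
    # "invalid" in both cases, which is exactly why the attack stops there.
    pk, sk = keygen(k)
    m0, m1 = [1] * k, [-1] + [1] * (k - 1)
    guesses = []
    for mb in (m0, m1):
        dec = decrypt(sk, replay_query(pk, encrypt(pk, mb), m0))
        guesses.append(0 if dec in (m0, m1) else 1)  # test -> 0, invalid -> 1
    return tuple(guesses)
```

rcca_experiment() returns (0, 1): the replayed ciphertext decrypts to m0 exactly when b = 0, so an RCCA oracle that says "test" for decryptions in {m0, m1} leaks b, whereas the WRCCA oracle's "invalid" answer hides whether the query was a valid replay of m0 or a mangled encryption of m1. decrypt(sk, rerandomize(ct)) returns the same plaintext as decrypt(sk, ct), which is the rerandomizability the slides are after.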
RCCA cryptosystem
PK = (pk_WRCCA, pk_Hom), WRCCA instantiated in G_n ≤ Z_p^*
SK = (sk_WRCCA, sk_Hom)
E_PK(m; r, R, Z) = (u_{L,1}, u_{R,1}, v_1, ..., α^Z, E_Hom(Z; R)) where E_WRCCA(m; r) = (u_{L,1}, u_{R,1}, v_1, ..., α)
D_SK(u_{L,1}, u_{R,1}, v_1, ..., β, y): recover Z from y with sk_Hom;
                                      if β = (∏ u_{L,i}^{k_{L,i} + H l_{L,i}} u_{R,i}^{k_{R,i} + H l_{R,i}})^Z return m
                                      else return invalid
Rerandomization: (u_{L,1}^s, u_{R,1}^s, v_1^s, ..., β^{sz}, y^z · E_Hom(0; S))
Semi-generic model
(Encrypt, m) = y, store (y, m)
(Add, y, y') = y'', store (y'', m + m') if (m, y) and (m', y') stored
(Decrypt, y) = m if (m, y) stored
Idealized homomorphic encryption
Open problems
Semi-generic model: Practical RCCA cryptosystem
Standard model: RCCA cryptosystem
Both models: Other forms of targeted malleability
example: homomorphic cryptosystems