detecting dangerous queries:
DESCRIPTION
Detecting Dangerous Queries:. A New Approach for Chosen Ciphertext Security. Susan Hohenberger. Allison Lewko. Brent Waters. SK. PubK. Public Key Encryption [DH76,RSA78,GM84]. Passive Attacker : Chosen Plaintext Attack (CPA). SK. PubK. Active Attackers [NY90,DDN91,RS91]. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/1.jpg)
Detecting Dangerous Queries:
Brent Waters
A New Approach for Chosen Ciphertext Security
Susan Hohenberger Allison Lewko
![Page 2: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/2.jpg)
2
Public Key Encryption [DH76,RSA78,GM84]
SKPubK
Passive Attacker : Chosen Plaintext Attack (CPA)
![Page 3: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/3.jpg)
3
Active Attackers [NY90,DDN91,RS91]
SKPubK
Chosen Ciphertext Attack (CCA)
![Page 4: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/4.jpg)
IND-CPA [GM84]
Ch
alle
ng
er
Setup PK
M0 ,M1
b’ {0,1}
CT* = Enc(PK, Mb )b{0,1}
AdvA = Pr[b=b’]-1/2
Indistinguishability under Chosen Plaintext Attack
![Page 5: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/5.jpg)
IND-CCA [NY90,DDN91,RS91]
Ch
alle
ng
er
Setup PK
M0 ,M1
b’ {0,1}
CT* = Enc(PK, Mb )b{0,1}
AdvA = Pr[b=b’]-1/2
Indistinguishability under Chosen Ciphertext Attack
CTDec(SK,CT)
CTDec(SK,CT) CT CT*
![Page 6: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/6.jpg)
IND-CCA [NY90,DDN91,RS91]
Ch
alle
ng
er
Setup
M0 ,M1
b’ {0,1}
CT* = Enc(PK, Mb )
AdvA = Pr[b=b’]-1/2
Indistinguishability under Chosen Ciphertext Attack
CTDec(SK,CT)
CTDec(SK,CT) CT CT*
CCA-1: No 2nd phase of oracle queries
b{0,1}
PK
![Page 7: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/7.jpg)
The Grand Goal: CCA from CPA
7
CCA
CPA
![Page 8: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/8.jpg)
Some Prior Methods (Standard Model)
8
NIZK [BFM88,NY90,DDN91,RS91,S99]
• TPD/RSA, Pairings No:DDH, Lattices
Cramer-Shoup plus [CS98,02,…]
• DDH,DCR, Factoring, IBE [CHK04],
No:LatticesLossy TDFs [PW08,RS09,…]
• DDH, Lattices
![Page 9: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/9.jpg)
1-bit CCA to n-bit CCA [MS09]
9
• Straightforward appending won’t work!
1 1 0
• Neat ideas
• Heavyweight machinery + complex
• We will adapt + generalize some ideas
![Page 10: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/10.jpg)
Our Result
10
New General Approach for CCA security:
Detectable Chosen Ciphertext Security (DCCA)
CCA
DCCA
![Page 11: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/11.jpg)
DCCA Security: Intuition
11
CCA secure if avoid “dangerous” queries
1) Hard to produce bad queries w/o challenge CT
2) Can detect dangerous queries
Example: Concatenate 1 bit CCA ciphertexts
1CT* 1 0
Dangerous Query for CT*: CT = Reorder of CT*
1)Hard to produce w/o CT* 2) Easy to detect
![Page 12: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/12.jpg)
Detectable Encryption System
12
Setup(1n) ! (PK,SK)
Encrypt(PK,M) ! CT
Decrypt(SK,CT) ! M
F( PK, CT* , CT) ! {0,1}
Outputs ‘1’ if CT is a “dangerous” query for CT*
Two Security Properties
![Page 13: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/13.jpg)
Property 1: Hard to Predict (Strong)
Challe
ng
er
Setup PK,SK
CT* = Enc(PK, M )
AdvA = Pr[F(PK,CT,CT*)=1]
CT, M
![Page 14: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/14.jpg)
Property 2: Indistinguishability
Ch
alle
ng
er
Setup PK
M0 ,M1
b’ {0,1}
CT* = Enc(PK, Mb )b{0,1}
AdvA = Pr[b=b’]-1/2
CTDec(SK,CT)
CTDec(SK,CT) CT CT*F(PK,CT*,CT)=0
CCA2=>DCCA=>CCA1
![Page 15: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/15.jpg)
Examples
15
Tag-Based Encryption [MRY04,K06]
One bit to many bit CCA
Sloppy/Heuristic CCA
![Page 16: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/16.jpg)
The Ingredients
16
1-Bounded CCA CPA
Detectable CCA
PSV06,CDMW08
Trivial
Msg 2 {0,1}* and randomness 2 {0,1}n
Justified by Pseudo Random Generators
![Page 17: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/17.jpg)
Our Construction
17
![Page 18: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/18.jpg)
Setup
18
Setup(1n):
1) Setup1B (1n) ! (PKA, SKA)
2) SetupCPA (1n) ! (PKB, SKB)
3) SetupDCCA (1n) ! (PKin, SKin)
PK= PKA, PKB, PKin
SK= SKA, SKB, SKin
![Page 19: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/19.jpg)
Encryption
19
Encrypt(PK,M):
1) Choose random ra ,rb , rin 2 {0,1}n
2) Cin = EncDCCA( PKin, (M,ra, rb ) ; rin )
3) CA=Enc1B (PKA, Cin; ra), CB=EncCPA (PKB, Cin; rb)
4) CT= CA , CB
;ra(M, ra ,rb); rin ;rb(M, ra ,rb); rinCA= CB=
![Page 20: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/20.jpg)
Decryption
20
Decrypt(SK, CT= (CA , CB) ) :
1) Cin’ = Dec(SKA , CA )
2) (M’, ra’, rb’) = Dec(SKin , Cin’ )
3) CA’=Enc1B (Cin’; ra’), CB’=EncCPA (Cin ;rb’)
4) If CA CA ’ OR CB CB’ reject ;else M’
;ra(M, ra ,rb); rin ;rb(M, ra ,rb); rinCA= CB=
Idea: Recover (M, ra , rb ) then re-encrypt
![Page 21: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/21.jpg)
A Few Comments
21
;ra(M, ra ,rb); rin
Features: Naor-Yung 2-key & Myers-shelat nesting
;rb(M, ra ,rb); rinCA= CB=
Embedded Randomness vs. NIZK
Proof w/ embedding randomness:
Good: Decrypt from either side
Problem: Embedding challenge
![Page 22: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/22.jpg)
What is the trouble?
22
;ra(M, ra ,rb); rin
Challenge CT= CA *, CB * encryptions of Cin *
;rbCin*= CB*=
Problem Query: Get Cin’ s.t. F(PKDCCA, Cin *, Cin’) =1
Bad Event: Query C= CA , CB s.t.
(1)CA CA *
(2)Dec( SKA, CA) = Cin’ where F(PKDCCA, Cin *, Cin’) =1
CA*= Cin*= (M, ra ,rb); rin
![Page 23: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/23.jpg)
Nested Indist. Game
23
;ra(M, ra ,rb); rin
Attacker gets CCA queries
Challenge Inner encrypts Msg + randomness or all 0’s
;rbCin*= CB*=CA*= Cin*= (M, ra ,rb); rin
z=1
;ra(00…00); rin ;rbCin*= CB*=CA*= Cin*= (00…00); rin
z=0 No embedded randomness
If prove under this game we are done!
![Page 24: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/24.jpg)
Proof Overview
24
Eliminate bad event => Security follows from DCCA
(1)Eliminate with z=0 (no embedded randomness)
(2) Indirectly infer z=1 case from (1)
(3) Finish off
![Page 25: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/25.jpg)
Summary
25
• New abstraction: Detectable CCA security
• Build CCA from it
• Cover 1 to many bit enc. , tag-based, & more
• Embedded randomness --- blessing & problems
• Indirect inference on bad event
![Page 26: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/26.jpg)
Our Picture (not necessarily to scale)
26
CCA
CPA
DCCA
CCA-1
![Page 27: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/27.jpg)
27
Thank you
![Page 28: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/28.jpg)
Bad Event Analysis (no embedded randomness)
28
Nested ;ra(00…00); rin ;rb(00…00); rin
Right-Erased ;ra(00…00); rin ;rb1111…111
Switch -Decrypt
Full-Erased ;ra ;rb1111…111
Show probabilities are close
IND-CPA
1Bounded CCA
=negl(n) unpredictability
1111…111
![Page 29: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/29.jpg)
No Bad Event for embedded randomness
Suppose it did happen => We break DCCA indist.
(00…00); rin
2) Submit Msg1 =(M, ra, rb) , Msg0 = (00…00)
1) Run Indist Game on A (while playing DCCA)
3) Get back either
(M, ra ,rb); rin or
4) Create challenge CT (know SKA, SKB)
5) Use DCCA oracle to answer non-dangerous queries
What if get dangerous query? Stuck!
But then we know it must be Msg1 => breaks DCCA!
![Page 30: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/30.jpg)
Finishing it off
30
;ra(M, ra ,rb); rin ;rbCin*= CB*=CA*= Cin*= (M, ra ,rb); rin
z=1
;ra(00…00); rin ;rbCin*= CB*=CA*= Cin*= (00…00); rin
z=0 No embedded randomness
N.I. easy to prove from DCCA if no bad events
CCA security follows immediately
![Page 31: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/31.jpg)
Could CCA-1 work?
31
Idea: Replace DCCA component w/ CCA-1
Problem 1: Proof needs to detect
Problem 2: Counterexample (w/natural CCA-1 scheme )
![Page 32: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/32.jpg)
Ex. 1: n-bit DCCA from 1 bit CCA
32
Idea: Use basic concatenation
1 1 0
F(PK,CT*,CT): 9 (i,j) s.t. CTi*=CTj
Enc(PK,m) ! C1=Enc(PK,m1), …, Cn=Enc(PK,mn)
![Page 33: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/33.jpg)
Ex. 2: Tag-Based Encryption [MRY04,K06]
33
Tag-Based Encryption:
(1)Each ciphertext associated with a tag
(2) Is CCA secure as long as TagCT* not queried
F(PK,CT*,CT): TagCT* = TagCT
Examples: CHK04-lite, Kiltz06, PW08 (CCA-1 version), DDN91 (w/o signature)
![Page 34: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/34.jpg)
Ex. 3: Heuristic/Sloppy CCA
34
Idea: DCCA easier to meet than CCA
(1)Heuristic approach
(2) Sloppy: E.g. “Slack” bit in group representation
Apply transformation in case messed up
CT:
![Page 35: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/35.jpg)
Could CCA-1 work?
35
Idea: Replace DCCA component w/ CCA-1
Problem 1: Proof needs to detect
(CT*) :Decrypts CT*, encrypts M in another CT’
Problem 2: Can create an oracle that breaks it
Q1: The oracle is strong! Is there middle ground?
Q2: Structure for CCA-1? Proof idea?
![Page 36: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/36.jpg)
Prior Methods (Standard Model)
36
NIZK [BFM88,NY90,DDN91,RS91,S99]
• NIZK proves well formness
• NIZKs are rare: TPD/RSA, Pairings No:DDH, Lattices
Cramer-Shoup plus [CS98,02,…]
• Efficient systems from number theory
• DDH,DCR, Factoring, IBE [CHK04],
No:Lattices
![Page 37: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/37.jpg)
Prior Methods (Standard Model)
37
Lossy TDFs [PW08,RS09,…]
• Randomness recovery => use to verify CT
• Change PK in proof
• DDH, Lattices
1-bit to many bit CCA[MS09]
• General techniques
• Partial randomness recovery
![Page 38: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/38.jpg)
BE-Nested vs. BE-Right-Erase
38
;rb(00…00); rin
Standard IND-CPA reduction
• Know SKA, SKin , not SKB
• Observe BE using SKA
;rb1111…111vs.
![Page 39: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/39.jpg)
Switch Decrypt
39
Switch from using SKA to SKB to decrypt
• These are equivalent from Attacker’s view
• Best of both worlds: Challenge CT not embed randomness, but queries must!
![Page 40: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/40.jpg)
BE-Right-Erased vs. BE-Full-Erased
Full-Erased ;ra ;rb1111…1111111…111
(00…00); rinCin*= is gone! Unpredictability: Pr[Bad event in Full Erase] =
negl(n)
![Page 41: Detecting Dangerous Queries:](https://reader036.vdocuments.net/reader036/viewer/2022062519/568150ae550346895dbec6fd/html5/thumbnails/41.jpg)
BE-Right-Erased vs. BE-Full-Erased
41
1-Bounded CCA reduction
• Know SKB, SKin , not SKA
• Problem: Cannot observe bad event using SKB
• Solution: “Peek” at 1 A query using 1-Bounded 1/Q chance of seeing it
vs.(00…00); rin ;ra1111…111