Post on 06-Feb-2016
1/28
Chosen-Ciphertext Security from Identity-Based Encryption
Jonathan Katz, U. Maryland
Ran Canetti, Shai Halevi, IBM
2/28
Motivation
• Security against chosen-ciphertext attacks (“CCA security”) is a powerful and useful notion
– Often the security notion of choice when using encryption within a larger protocol
• Provably-secure constructions both theoretically and practically important
3/28
Motivation…
Bidding on vouchers for this afternoon’s excursion…
[Figure: voucher holder with public key PK; desperate bidders]
C1 = EPK(bid1)
C2 = EPK(bid2)
• In general, nothing preventing bid2 = bid1+1 (secrecy of bid1 not violated)
• Need non-malleability [DDN91]!
• Implied by CCA security [DDN91, BDPR98]
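The bidding problem on this slide, as an added example that is not part of the original talk: a scheme can hide bid1 and still let a second bidder produce a valid encryption of bid1+1. Paillier encryption is swapped in here as a well-known CPA-style scheme that is additively malleable; the tiny primes and all function names are constructed for illustration.

```python
import math
import secrets

# Constructed toy key (tiny, publicly known primes): illustration only.
P, Q = 10007, 10039
N, N2 = P * Q, (P * Q) ** 2        # PK is N (with g = N + 1)
PHI = (P - 1) * (Q - 1)            # SK, held by the voucher holder
G = N + 1

def encrypt(m):
    """E_PK(m) = g^m * r^N mod N^2 with fresh randomness r."""
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return pow(G, m, N2) * pow(r, N, N2) % N2

def decrypt(c):
    """Recover m from c using SK: L(c^phi mod N^2) * phi^-1 mod N."""
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def maul_plus_one(c1):
    """Turn E_PK(bid1) into a re-randomised E_PK(bid1 + 1) using only PK.

    Multiplying ciphertexts adds plaintexts, so bid1 is never learned,
    yet the new ciphertext is related to it: exactly what non-malleability forbids.
    """
    return c1 * encrypt(1) % N2
```

A CCA-secure scheme rules this out, because any ciphertext derived from C1 could be handed to the decryption oracle in the game defined later in the talk.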
4/28
Known Constructions?
• Essentially only two techniques known for achieving CCA security (without random oracles):
– Using NIZK, general assumptions [DDN91, S99, L03] (based on [NY90])
– Specific assumptions, “smooth hash proofs” [CS98, CS02, GL03, CS03]
5/28
Known Paradigms?
• In fact, almost all constructions are essentially “the same” [ES04]
– Different instantiations of the same underlying paradigm
– Very roughly: certain type of CPA-secure scheme plus “proof of well-formedness”
  • NM-NIZK in [Sahai99, L03]
  • Smooth hash proof systems in [CS98, CS02, GL03, CS03]
6/28
Overview of our Results
• We show a new technique for achieving chosen-ciphertext security
– The technique does not (seem to) follow previously-known paradigms
• Our approach (along with other work) yields new CCA-secure schemes
– Competitive with best previously known
– Stay tuned for the next talk…
7/28
More Details…
• We show a simple and efficient way to achieve CCA security using any IBE scheme
• The IBE scheme needs to satisfy only a relatively “weak” notion of security
– Achieved by IBE schemes of [CHK03, BB04]
– Result: new CCA-secure schemes!
• Applications to CCA security for IBE, HIBE, BTE, and FSE…
8/28
Review of definitions
9/28
CCA Security
• Consider the following game [RS91]:
– (PK, SK) generated at random
– Adversary Adv given PK; can ask decryption oracle queries DSK(.)
– Adv outputs (m0, m1); given C ESK(mb) for random b; may continue to ask decryption queries (but not C itself)
– Adv outputs b’; succeeds if b’=b
10/28
CCA Security
• An encryption scheme is CCA-secure if |PrAdv[Succ] – ½| is negligible for all poly-time Adv
11/28
ID-Based Encryption (IBE)
• Overview:
– PKG generates (PK, MSK)
– PK publicly distributed…
– For any string (identity) ID, the PKG, using MSK, can issue a secret key SKID
– (ID, SKID), along with PK, acts as a public/private key pair for a standard encryption scheme
12/28
Security?
• (Informally:) Knowledge of the secret keys for users I = {ID1, …, IDn} does not allow adversary to “break” the scheme for any ID’I
– “Strong” IBE: choice of ID’ may depend on PK [BF01]
– “Weak” IBE: ID’ is fixed independently of PK [CHK03]
13/28
More Formally…
• Consider the following game ([CHK03], adapting [BF01]):
– Adv specifies challenge identity ID*
– (PK, MSK) generated at random; Adv given PK
– Adv may (adaptively) request secret keys for any ID’s other than ID*
– Adv outputs (m0, m1), and is then given C EPK(ID*, mb) for random b
14/28
Definition, continued…
– Adv may continue to request secret keys for ID’s other than ID*
– Adv outputs b’; succeeds if b’ = b
• An IBE is “weakly” secure if |PrAdv[Succ] – ½| is negligible for all poly-time Adv
15/28
Known Constructions?
• “Strong” IBE: [C01, BF01], both in random oracle model
• “Weak” IBE: [CHK03, BB04]
• “Strong” IBE: [BB04, to appear]
16/28
From IBE to chosen-ciphertext security
17/28
Our Construction
• Key generation:
– Run PKG algorithm to obtain (PK, MSK)
– Public key is PK; secret key is MSK
• To encrypt m using PK
– Generate (vk, sk) for signature scheme
– Encrypt m using PK and “identity” vk
– Sign resulting ciphertext using sk
– Send (vk, C, )
18/28
Decryption…
• To decrypt (vk, C, ):
– Verify signature…
– Use MSK to generate the secret key SKVK for the “identity” vk
– Use SKVK to decrypt C
– (Erase SKVK)
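The key generation, encryption and decryption steps of the two construction slides above, as an added example (not code from the talk or its authors). Assumptions: the IBE is a toy single-bit Cocks scheme [C01] over two public Mersenne primes, the one-time signature is Lamport's scheme over SHA-256, and all function names are illustrative.

```python
import hashlib, secrets

P, Q = 2**107 - 1, 2**127 - 1   # MSK: constructed toy key (public Mersenne primes, 3 mod 4)
N = P * Q                       # PK
H = lambda b: hashlib.sha256(b).digest()

def jacobi(a, n):               # Jacobi symbol (a/n), n odd
    a, s = a % n, 1
    while a:
        while a % 2 == 0:
            a, s = a // 2, -s if n % 8 in (3, 5) else s
        a, n = n, a
        s = -s if a % 4 == 3 and n % 4 == 3 else s
        a %= n
    return s if n == 1 else 0
def h_id(ident):                # hash an identity to a with (a/N) = +1
    for ctr in range(256):
        a = int.from_bytes(H(ident + bytes([ctr])), "big") % N
        if jacobi(a, N) == 1:
            return a
def extract(ident):             # PKG: r with r^2 = +a or -a (mod N); needs P, Q
    return pow(h_id(ident), (N + 5 - P - Q) // 8, N)
def ibe_enc(ident, bit):        # Cocks: the bit is the Jacobi symbol of a random t
    a, out = h_id(ident), []
    for sign in (1, -1):        # one component for each case r^2 = +a / -a
        t = secrets.randbelow(N)
        while jacobi(t, N) != 1 - 2 * bit:
            t = secrets.randbelow(N)
        out.append((t + sign * a * pow(t, -1, N)) % N)
    return tuple(out)
def ibe_dec(ident, r, c):
    comp = c[0] if r * r % N == h_id(ident) else c[1]
    return (1 - jacobi(comp + 2 * r, N)) // 2

def pick(key, msg):             # Lamport: select one 32-byte slot per digest bit
    d = int.from_bytes(H(msg), "big")
    return [key[64 * i + 32 * (d >> i & 1):][:32] for i in range(256)]
def ots_keygen():               # sk = 512 random slots, vk = their hashes
    sk = secrets.token_bytes(256 * 64)
    return b"".join(H(sk[j:j + 32]) for j in range(0, len(sk), 32)), sk

def cca_encrypt(bit):           # fresh (vk, sk); vk serves as the "identity"
    vk, sk = ots_keygen()
    c = ibe_enc(vk, bit)
    return vk, c, pick(sk, repr(c).encode())          # sign C with sk
def cca_decrypt(ct):            # verify, derive the transient SK_vk from MSK, decrypt
    vk, c, sig = ct
    ok = [H(s) for s in sig] == pick(vk, repr(c).encode())
    return ibe_dec(vk, extract(vk), c) if ok else None
```

Altering C invalidates the signature, and re-signing C under a fresh key pair changes the identity, so decryption then uses a secret key unrelated to the one for the original vk.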
19/28
Theorem Statement
• If the IBE scheme is weakly secure, and a strong, one-time signature scheme is used, the resulting encryption scheme is secure against adaptive chosen-ciphertext attacks
20/28
Proof Intuition
• Let challenge ciphertext be (vk, C, )
• Adv submits different (vk’, C’, ’) to its decryption oracle
– Clearly, vk’ vk
– So C’ will be decrypted with respect to a different “identity” vk’
– Even if Adv were given SKVK’ itself, encryption to vk would still be secure!
21/28
Remarks
• Weak IBE security is enough to achieve adaptive CCA security
– vk chosen by encryption oracle, not by the adversary
• The conversion is efficient
• Non-adaptive CCA security can be achieved with virtually no overhead
22/28
Extensions and further applications
23/28
Binary Tree Enc. (BTE)
• Introduced by [CHK03]
• As before, PKG generates (PK, MSK)
• PKG viewed as “identity” with secret key SK = MSK
• Any secret key SKw can be used to derive secret keys SKw0 and SKw1
• (ID, SKID) acts as a public/private key pair for a standard encryption scheme
24/28
“Weak” Security
• Ancestors of (ID1…IDn) are identities of the form (ID1…IDi) for 1 i n
• (Informally:) Secret keys for any set of users I does not allow an adversary to “break” the scheme for any ID having no ancestors in I
• Constructions in standard model known ([CHK03, BB04], building on [GS02])
25/28
Our Construction
• CCA-secure (weak) BTE from CPA-secure (weak) BTE:
– (Consider fixed-length BTE)
– Key generation as before
– To encrypt m for identity ID: generate (vk, sk), encrypt m for “identity” ID|vk, and sign ciphertext using sk
– As before, decrypt using SKID by first generating “transient” SKID|vk
26/28
Results
• This approach yields a CCA-secure (weak) BTE scheme from any CPA-secure (weak) BTE scheme
• CPA-secure BTE CCA-secure BTE
– Analogous result not known for the case of standard public-key encryption
27/28
Applications
• (Weak) BTE implies (weak) IBE, (weak) HIBE, and forward-secure encryption [CHK03]
• Our results yield CCA-secure constructions of these primitives more efficient than those previously known
28/28
Summary
• New method for constructing CCA-secure public-key encryption
• Gives new, practical CCA-secure schemes in standard model
• Further applications to CCA-security in other contexts