Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London

The short version

Plaintext awareness is a property of an encryption scheme that roughly says “an attacker cannot create a ciphertext without knowing the underlying plaintext”.

Here “knowing” is in the zero-knowledge sense of the word.

Typically used to prove IND-CCA security. New uses, e.g. deniable authentication.

Bellare and Palacio proposed a definition for assessing plaintext awareness in the standard model and proved that the Cramer-Shoup encryption scheme is partially (PA1) plaintext aware.

This paper demonstrates that Cramer-Shoup is fully (PA2) plaintext aware.

This should be regarded as a feasibility result.

What is plaintext awareness?

A difficult notion to formalise.

We want to show that we can answer an attacker’s decryption oracle queries if we know how those queries were constructed.

Two flavours:
– Partial (PA1) plaintext awareness, which can be used to prove IND-CCA1 security.
– Full (PA2) plaintext awareness, which can be used to prove IND-CCA2 security.

PA1: The players

The ciphertext creator: the bad guy! A probabilistic, polynomial-time attacker who is trying to determine whether he is interacting with a real decryption oracle or not.

The plaintext extractor: the good guy! An algorithm which masquerades as a decryption oracle but doesn’t need to know the private key.

PA1: The game

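[Figure: the PA1 game. The ciphertext creator receives the public key, sends ciphertexts C to the oracle and receives m in return. If b=0 the oracle uses the decryption algorithm (m = Dec(sk, C)); if b=1 it uses the plaintext extractor. The ciphertext creator outputs its guess b’.]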

PA1: The interpretation

For every ciphertext creator (attacker)…
…there exists a plaintext extractor who can successfully deceive the ciphertext creator…
…given the ciphertext creator’s random coins.

Note that the plaintext extractor knows the ciphertext creator’s general strategy, everything it has done and everything it is going to do.
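
An added example (not from the slides): the PA1 game played in Python against a toy Cramer-Shoup instance, for one fixed ciphertext creator that encrypts honestly from its coins and also submits a tampered ciphertext. The group parameters and the names choices, creator, extractor and views are assumptions for illustration; this extractor handles only this one creator, whereas PA1 requires an extractor for every creator.

```python
import hashlib, random
# Toy parameters (constructed): P = 2Q + 1; G1 and G2 generate the order-Q subgroup.
P, Q, G1, G2 = 2039, 1019, 4, 9

def H(u1, u2, e):
    return int.from_bytes(hashlib.sha256(f"{u1},{u2},{e}".encode()).digest(), "big") % Q

def keygen(rng):
    x1, x2, y1, y2, z = (rng.randrange(Q) for _ in range(5))
    pk = (pow(G1, x1, P) * pow(G2, x2, P) % P,   # c
          pow(G1, y1, P) * pow(G2, y2, P) % P,   # d
          pow(G1, z, P))                         # h
    return pk, (x1, x2, y1, y2, z)

def enc(pk, m, r):
    c, d, h = pk
    u1, u2, e = pow(G1, r, P), pow(G2, r, P), pow(h, r, P) * m % P
    v = pow(c, r, P) * pow(d, r * H(u1, u2, e), P) % P
    return (u1, u2, e, v)

def dec(sk, C):
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = C
    a = H(u1, u2, e)
    if pow(u1, x1 + y1 * a, P) * pow(u2, x2 + y2 * a, P) % P != v:
        return None                              # validity check failed: reject
    return e * pow(u1, -z, P) % P

def choices(coins):
    # The creator's strategy (hypothetical): message and randomness come from its coins.
    rng = random.Random(coins)
    return pow(G1, rng.randrange(1, Q), P), rng.randrange(1, Q)

def creator(pk, coins, oracle):
    # Queries one honest ciphertext and one with a tampered tag; returns what it saw.
    C = enc(pk, *choices(coins))
    bad = C[:3] + (C[3] * G1 % P,)
    return oracle(C), oracle(bad)

def extractor(pk, coins, C):
    # No private key: replay the creator's coins and compare with the query.
    m, r = choices(coins)
    return m if enc(pk, m, r) == C else None

def views(coins, seed=1):
    pk, sk = keygen(random.Random(seed))
    real = creator(pk, coins, lambda C: dec(sk, C))               # b = 0
    fake = creator(pk, coins, lambda C: extractor(pk, coins, C))  # b = 1
    return real, fake
```

The two views returned by views(coins) are identical, so this creator has nothing with which to tell the extractor from the real decryption oracle.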

PA2: The rematch

We need to allow the ciphertext creator to get access to ciphertexts for which he does not know the underlying message and/or the random coins used to encrypt that message.

The plaintext creator: An ally of the bad guy! Any polynomial time algorithm that randomly generates messages and encrypts them.

PA2: The game

[Figure: the PA2 game. Players: ciphertext creator, decryption oracle, plaintext creator. Labels: public key, random coins, aux, C, m, b’.]

PA2: The interpretation

For every ciphertext creator (attacker)…
…there exists a plaintext extractor who can successfully deceive the ciphertext creator…
…given the ciphertext creator’s random coins…
…regardless of what the plaintext creator does.

Often regarded as a malleability condition.

Note that the plaintext extractor knows the ciphertext creator’s general strategy, and everything it has done in the past, but can’t figure out everything it is going to do in the future.

Cramer-Shoup is PA2 plaintext aware

Cramer-Shoup

The Cramer-Shoup scheme has been proven to be PA1 (under the DHK assumption).

It also has an interesting property in that you cannot distinguish real ciphertexts from elements chosen completely at random.

Hence, the ability to get hold of new ciphertexts is equivalent to the ability to get hold of random bit strings.

PA1+: An intermediary game

This paper proposes a new notion of PA.

Here the attacker has the ability to get hold of new random bit strings.

The randomness oracle: An ally of the bad guy! Randomly generates a bit-string of a fixed length and returns it to the ciphertext creator.

PA1+: The game

[Figure: the PA1+ game. Players: ciphertext creator, decryption oracle, randomness oracle. Labels: public key, random coins, r, C, m, b’.]

PA1+: The interpretation

A scheme is PA1+ plaintext aware if for every ciphertext creator (with access to a randomness oracle) there exists a plaintext extractor that can deceive it.

Again, the plaintext extractor knows the ciphertext creator’s strategy and past actions, but cannot predict its future actions.

Suppose I wish to convince my boss that I’m a genius, and so I send him all of my papers.

My boss needs to decide if I’m a genius or not. My boss will pick one at random and read it.

However, suppose that I’m actually a lucky idiot who has only written one decent paper.

If I know the random choices that my boss will make when selecting the paper, then I can deceive him.

If I don’t know the random choices that my boss will make when selecting the paper, then I cannot deceive him.

PA1+: The big theorem

An encryption scheme that is simulatable and PA1+ is always PA2.

Simulatable just means that the real ciphertexts are indistinguishable from randomly generated elements – hence, a plaintext creator is roughly the same as a randomness oracle.

Cramer-Shoup

The original proof gives that Cramer-Shoup is simulatable.

(In fact, simulatable implies IND-CCA2).

It is fairly easy to adapt the ideas of Bellare-Palacio to show that Cramer-Shoup is PA1+ under the DHK assumption.

Hence, Cramer-Shoup is PA2 plaintext aware.

Open problems

Prove something is plaintext aware that wasn’t already known to be IND-CCA2.

Prove something is plaintext aware without having to prove that it is simulatable.

Prove something is plaintext aware without using an extractor-based assumption like DHK.

THE END

Not the end?

The notions of plaintext awareness fit together as you might expect:

Perfect PA1 = Perfect PA1+. Thus, perfect simulatable PA1 implies PA2.

PA2 ≥ PA1+ ≥ PA1

Diffie-Hellman Knowledge

A computational assumption for a group G generated by a generator g.

[Figure: the input is (g, A), the output is (B, C), and the extracted value is b (if B = g^b and C = A^b).]

It is meant to be interpreted as “it is impossible to make a Diffie-Hellman tuple without knowing the discrete logarithm of one of the elements”.

Not efficiently falsifiable [Naor].

True in the Generic Group Model [Dent, AF]
– Although the GGM is not sound [Dent]

Used to show that Cramer-Shoup is PA1.

Hence considered reasonable to use when showing Cramer-Shoup is PA2.