A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme

Dana Dachman-Soled
University of Maryland

CPA, CCA1 and CCA2

CPA-secure Public Key Encryption:
$(pk, \mathrm{Enc}_{pk}(m_0)) \approx (pk, \mathrm{Enc}_{pk}(m_1))$

CCA1-secure Public Key Encryption:
$(pk, \mathrm{Enc}_{pk}(m_0)) \approx (pk, \mathrm{Enc}_{pk}(m_1))$
[Figure: decryption oracle; query $c$, answer $m$]

CCA2-secure Public Key Encryption:
$(pk, \mathrm{Enc}_{pk}(m_0)) \approx (pk, \mathrm{Enc}_{pk}(m_1))$
[Figure: decryption oracle; query $c \neq c^*$, answer $m$]

Does CPA Security Imply CCA Security?

• [Naor, Yung 90], [Dolev, Dwork, Naor, 00]
  – CPA + NIZK -> CCA1 and CCA2
• Partial black-box separation
  – [Gertner, Malkin, Myers, 07] no “shielding” construction of CCA1 from CPA.
• Question remains open!
  – Even whether CCA1 -> CCA2 is not known.
  – Long line of work showing black-box constructions of CCA2 encryption from lower level primitives.
    • [Peikert, Waters 11], [Rosen, Segev, 10], [Kiltz, Mohassel, O’Neill, 10], ...
  – Our work continues this line of research.

Our Results

Theorem: There is a black-box construction of CCA2-secure encryption from plaintext aware (sPA1) and weakly simulatable public key encryption.

• Note: Construction is black-box, but reduction makes non-black-box use of the CCA2 adversary.
• [Myers, Sergi, shelat, 12]: Black-box construction of cNM-CCA1-secure encryption from the same assumptions.
• Our contribution: Extend to full CCA2 setting.
• Construction of a CCA2 scheme from encryption schemes with “weaker” security and no additional assumptions.

Our Assumptions—Plaintext Awareness

$C$ = ciphertext creator, $C^*$ = extractor
Note: No auxiliary input

Experiment $sPA1_\ell(E, C, C^*, k)$:
• $\ell(k)$ pairs of public + secret keys are generated
• $C$, $C^*$ get random coins and public keys as input
• $C$ gets oracle access to $C^*$, $C^*$ decrypts for $C$
• Let $Q$ be the set of queries asked by $C$
• Experiment outputs 1 if $C^*$ decrypted all queries in $Q$ “correctly.”

Encryption scheme is $sPA1_\ell$-secure if for every ppt $C$, there exists an extractor $C^*$ s.t. experiment outputs 0 with negligible probability.

Intuition: $C$ “knows” the underlying plaintext.
Note: $C^*$ uses $C$ in a non-black-box manner

Our Assumptions—Weak Simulatability

• $f$ samples “ciphertexts” without knowing the plaintext.
• $f^{-1}$ on input $pk$ and valid ciphertext outputs coins for $f$
• Correctness: $f(pk, f^{-1}(pk, C)) = C$
  $(f^{-1}(pk, c = \mathrm{Enc}_{pk}(m)), c) \approx (r, f(pk, r))$

Candidate constructions satisfying both assumptions ([MSs12]):
• Damgard Elgamal Encryption scheme (DEG)
• Cramer-Shoup lite (CS-lite)

Overview: CCA Proof Strategies

| Hybrid | Public Key | Challenge Ciphertext | Decryption Oracle |
|---|---|---|---|
| $H_0$ | $pk$ | $\mathrm{Enc}_{pk}(m_0)$ | $\mathrm{Dec}_{sk}$ |
| $H_1$ | Simulated $pk$ | Simulated $c^*$ | Simulated $\mathrm{Dec}$ |
| ... | | | |
| $H_{t-1}$ | | | |
| $H_t$ | $pk$ | $\mathrm{Enc}_{pk}(m_1)$ | $\mathrm{Dec}_{sk}$ |

PPT adversary cannot distinguish consecutive hybrids.
To reduce to security of underlying encryption scheme, must simulate decryption oracle without knowing secret key.
Main Challenge: Constructing the simulated decryption oracle

CCA1 from Plaintext Awareness?

• Trivial: Plaintext Aware scheme is itself CCA1-secure!
  – To simulate the decryption oracle without knowing the secret key, use the Extractor.

CCA2 from Plaintext Awareness?

• Is the plaintext aware scheme itself also CCA2-secure?
• An attempt: As before, simulate decryption oracle using Extractor.
• Problem: Extractor is no longer guaranteed to work in the second phase!
  – Once adversary receives challenge ciphertext $c^*$, Extractor can fail.
  – E.g. adversary can re-randomize $c^*$ and submit to oracle.
  – Note that our candidate Plaintext-Aware schemes are homomorphic! So these attacks are possible.
• Extractor seems to be useless.
  – At first glance, seems as hard as proving that CCA1 -> CCA2.
  – No: Having a faulty extractor algorithm is better than no extractor.

Our Construction

Combines techniques from [Hohenberger, Lewko, Waters 12] and [Myers, Sergi, shelat 12]

1. Generate $(\mathit{vksig}, \mathit{sksig})$ for one-time signature scheme
2. Inner ciphertexts:
   $CT_{in}^{0} = \mathrm{Enc}_{pk_{in}^{0}}(s_0)$
   $CT_{in}^{1} = \mathrm{Enc}_{pk_{in}^{1}}(s_1)$
   where $s_0 \oplus s_1 = (m \| r)$ and $r_1, \ldots, r_n = \mathrm{prg}(r)$
3. Outer ciphertexts $CT_1, CT_2, CT_3, \ldots, CT_n$: $n$ encryptions of $CT_{in}^{0} \| CT_{in}^{1}$ under $pk_i^{\mathit{vksig}_i}$ and randomness $r_i$
   (Public keys are chosen based on $\mathit{vksig}$)
4. Compute $\sigma = \mathrm{Sign}_{\mathit{sksig}}(CT_1 \| \cdots \| CT_n)$
5. Output: $(CT_1, \ldots, CT_n, \mathit{vksig}, \sigma)$

Proof Intuition

• Idea: Use extractor to simulate oracle even in the CCA2 case.
• Now the extractor may answer incorrectly after the adversary receives the challenge ciphertext.
• Call this event BadExtEvent
• Sequence of hybrids: Show that BadExtEvent occurs with negligible probability in final hybrid.
• For each hybrid, show that probability BadExtEvent occurs differs by a negligible amount.
• In order to prove this, reduction must always be able to detect a bad extraction event by comparing the output of the Extractor with the output of $\mathrm{Dec}_{sk}$.

Hard Case: Detecting BadExtEvent in CPA hybrid

Reduction to CPA security of inner ciphertexts:
  XOR to random: $CT_{in}^{0*}$ with $s_0 = rand$, $CT_{in}^{1*}$ with $s_1 = rand$
  $\approx$
  XOR to $(m \| r)$: $CT_{in}^{0*}$ with $s_0 = rand$, $CT_{in}^{1*}$ with $s_1 = s_0 \oplus (m \| r)$

• Idea for how to detect BadExtEvent:
  – Randomly choose $\beta \in \{0,1\}$.
  – Show that the first BadExtEvent occurs on decryption of $CT_{in}^{\beta}$ with probability $\frac{1}{2} \Pr[BadExtEvent]$.
  – Say $\beta = 0$. CPA adv. knows secret key for $CT_{in}^{0}$ but not $CT_{in}^{1}$.
    • Can detect first BadExtEvent on $CT_{in}^{0}$.
    • Places challenge ciphertext in $CT_{in}^{1}$ position.
  – Note that in both hybrids, $s_0$ is individually uniformly distributed.
  – Simulated oracle answers correctly until the first BadExtEvent.

Future Directions

• Can high-level proof techniques be useful for constructing CCA2 from CCA1?
  – Non-black-box use of the adversary.
  – Detecting a “bad event” without fully simulating the decryption oracle.
• Can we reduce the underlying assumptions of our construction?

Thank you!
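
Added example (not from the talk): the re-randomization problem noted on the “CCA2 from Plaintext Awareness?” slide, run on a toy scheme modeled on Damgård ElGamal. The group parameters, function names and the phase-2 oracle wrapper are constructed for illustration and assume the usual DEG form with a consistency check on the second ciphertext component.

```python
import secrets

# Constructed toy group (insecure size): order-Q subgroup of Z_P^*, P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def keygen():
    x, y = rand_exp(), rand_exp()
    return (pow(G, x, P), pow(G, y, P)), (x, y)  # pk = (X, Y), sk = (x, y)

def encrypt(pk, m, r=None):
    X, Y = pk
    r = rand_exp() if r is None else r
    return (pow(G, r, P), pow(X, r, P), pow(Y, r, P) * m % P)

def decrypt(sk, c):
    x, y = sk
    a, b, e = c
    if pow(a, x, P) != b:                        # reject inconsistent ciphertexts
        return None
    return e * pow(pow(a, y, P), -1, P) % P

def rerandomize(pk, c):
    # Public operation: multiply componentwise by a fresh encryption of 1.
    one = encrypt(pk, 1)
    return tuple(u * v % P for u, v in zip(c, one))

def phase2_oracle(sk, challenge):
    # CCA2 rule: every query except the exact challenge ciphertext is answered.
    return lambda c: None if c == challenge else decrypt(sk, c)

def cca2_game(m0, m1):
    """Returns (oracle accepted the query, adversary's guess == hidden bit)."""
    pk, sk = keygen()
    b = secrets.randbelow(2)
    challenge = encrypt(pk, (m0, m1)[b])
    oracle = phase2_oracle(sk, challenge)
    query = rerandomize(pk, challenge)           # differs from the challenge
    answer = oracle(query)                       # same plaintext comes back
    guess = 0 if answer == m0 else 1
    return query != challenge and answer is not None, guess == b

if __name__ == "__main__":
    m0, m1 = pow(G, 5, P), pow(G, 9, P)          # messages as group elements
    print(cca2_game(m0, m1))
```

The re-randomized ciphertext passes the validity check yet is a ciphertext the creator did not build from a known plaintext, which is the situation in which the slides say the extractor can fail.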