|
|
that the Cramer-Shoup cryptosystem in a Di e-Hellman group based on the DDH assumption is plaintext-aware [Den a] to cover more underlying groups and assumptions such as groups in which the quadratic residuosity or the higher residuosity problem is hard.
9.5Plaintext-Awareness
. . De nitions
Plaintext-awareness roughly states that if an adversary is able to produce a valid ciphertext di erent from ?, then she should know the corresponding plaintext m. is translates into saying that, for a plaintext-aware encryption scheme, the “only way” for this ciphertext creator to produce a valid ciphertext is to encrypt a known message m with the public key pk.
Formalizing this notion has proven to be a non-trivial task and has been the subject of several papers [BDPR , BP b, BR a, BD b, Den a]. In the end, several and separate levels of plaintext-awareness were de ned, namely, in increasing strength, PA , and PA , and their counterparts PA + and PA +.
e di erence between PA and PA lies in the attacker’s ability to get hold of ciphertexts for which she does not know the decryption. In the settings of PA , this ability is implemented by an oracle P(aux), called plaintext creator, that, on each query, picks a message at random (or possibly according to a distribution partially de ned by its input aux) and returns its encryption, i.e., it produces Encpk(P(aux)). Any ciphertext obtained through this oracle is added to a list CList, the list of ciphertexts for which the adversary does not know the corresponding plaintexts. An adversary A, called ciphertext creator, interacts with the plaintext creator and outputs ciphertexts to be submitted to a decryption oracle. e essence of plaintext-awareness is the existence of a polynomial-time algorithm A , whose construction may depend on A, called plaintext extractor that successfully decrypts any ciphertext given by the adversary that was not returned by the plaintext creator. In order to carry out the extraction, A is given the view of A (which includes CList and the random coins of A) and the target ciphertext c to be decrypted. e initial de nition of plaintext-awareness implies that c should not be in CList as the adversary does not “know” the decryption of ciphertexts returned by P. A scheme is thus said to be PA plaintext-aware if, for every polynomial-time ciphertext creator A, there exists a plaintext extractor A that is, for all plaintext creators P, indistinguishable from a decryption oracle. Since PA adversaries have no ciphertext creator at disposal, PA plaintext-awareness only requires indistinguishability between the knowledge extractor and the decryption oracle with respect to adversaries who have no access to
Encpk(P( )).
In order to capture any external knowledge the adversary can access, Dent [Den a] extended PA to PA + for adversaries who can get hold of uniformly distributed bits from an external source. Later, Birkett and Dent [BD b] introduced the analog notion of PA + for
. -
|
|
|
PA plaintext-awareness. ese last two notions were proven to be equivalent under the con- |
|
dition that the encryption scheme is IND-CPA [Bir ]. |
|
De nition . (Plaintext-Aware Encryption) |
|
Let O1 denote an oracle that on each query returns a single uniformly distributed bit. We say |
|
that a public key cryptosystem (KeyGen, Enc, Dec) is PA + plaintext-aware if, considering a ci- |
|
phertext creator A, a plaintext extractor A , a plaintext creator P, and a distinguisher D, all |
|
being polynomial-time algorithms, we have |
8A; 9A ; 8P; 8D :
Pr [DA |
Encpk(P( ));Decsk( );O1 (pk) |
k |
|
|
|
|
k |
|
|
|
|
|
||||
|
|
Encpk( ( )); |
(pk; ;view |
(1); 1 ) ! 1 (sk; pk) |
KeyGen(1 )] |
|
] |
|
|
|
||||||
|
[D |
|
|
|
|
k |
! |
|
|
|
|
|
|
|
||
Pr |
|
A |
P A |
A |
O (pk) |
|
|
|
KeyGen |
k |
|
|
negl |
|
||
|
|
|
|
(1 |
) |
|
1 (sk; pk) |
|
(1 ) |
|
= |
|
(k): |
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
We also consider three variants.
If the previous equality holds when the ciphertext creator A does not query O1, then the scheme is said to be PA plaintext-aware.
PA + plaintext-awareness is the case in which A is restricted to make no query to the oracle
Encpk(P( )).
When both restrictions are put together, i.e., that A neither queries O1 nor Encpk(P( )), then the scheme is said to be PA plaintext-aware.
. . Instances of Plaintext-Aware Encryption Schemes
As we will later use plaintext-aware encryption schemes in a concrete protocol, we present two schemes that satisfy our security requirements.
e Cramer-Shoup Encryption Scheme Not only it is the rst truly practical construction of an IND-CCA public-key encryption scheme [CS ], but the Cramer-Shoup encryption scheme is also the rst cryptosystem to have been proven to be PA + and PA plaintextaware [Den a] (In that work, it was proven treating it as as a KEM instanciated in a Di e-
Hellman group) and later generalized to any suitable group [Bir ]. |
e scheme works as |
follow. |
|
KeyGen. Oninputasecurityparameter k,thealgorithmpicksagenerator g1 ofagroup G with prime order q and a target collision-resistant hash function TCR : G2 ! Zq.
A er that, it randomly selects w; x; y; z 2 Zq and let g2 = g1w, e = g1x, f = g1y, h = g1z. e public key is de ned as pk = (g1; g2; e; f; h) and the corresponding secret key is sk = (w; x; y; z).
Encapsulation. is algorithm works by picking r 2R Zq and computing c1 = g1r, c2 = g2r, t TCR(c1; c2), and = ertfr. Letting C = (c1; c2; ) and K = hr, the output is the pair (C; K).
.
|
Decapsulation. |
To |
extract K, parse C as (c1; c2; ) and recompute t |
TCR(c1; c2). |
|
|
xt+y |
then output c1w. Otherwise output ?. |
|
||
|
If c2 = c1w and = c1 |
|
|||
eorem . ([Bir ])
Suppose the DDH problem is hard in the group G and the hash function TCR is target collision resistant. If the group G is a statistically simulatable group on which the DHK assumption holds, then the Cramer-Shoup KEM is PA + plaintext-aware.
eKurosawa-DesmedtScheme A er the publication of the Cramer-Shoup public-key encryption scheme, Kurosawa and Desmedt proposed a similar but more e cient cryptosystem and proved that it is IND-CCA secure [KD ] (but the underlying public-key encryption scheme is proven to not be IND-CCA secure [CHH+ ]). Independently, Jiang and Wang [JW ] and Birkett [Bir ] showed that the scheme is PA plaintext aware. Although thelasttwoworksconsideredamoregeneralvariantoftheCramer-Shoupcryptosystembased on hash proof systems [CS ], we present a simplest variant using a group in which the DDH assumption can be assumed to be hard.
KeyGen. On input a security parameter, pick two distinct generators g1 and g2 of a group G with prime order q and a target collision-resistant hash function TCR : G2 !
Zq |
A |
|
er that, randomly select x1; x2; y1; y2 |
2 |
Zq and let g = gx1 gx2 and h = |
|
y1. |
y2 |
. |
|
|
1 2 |
|
g1 |
g2 |
e public key is pk = (g; h; g1; g2) and the corresponding secret key is sk = |
||||
(x1; x2; y1; y2). |
|
|
|
|||
Encapsulation. Pick r 2R Zq and compute c1 |
= g1r, c2 |
= g2r, t = TCR(c1; c2), and |
||||
K= cr1crt2 . Let C = (c1; c2) and output (C; K).
Decapsulation. To extract K, parse C as (c1; c2) and recompute t = TCR(c1; c2). en recover the key K = cx11+ty1 cx22+ty2 .
eorem . ([Bir , JW ])
Suppose the DDH problem is hard in the group G and the hash function TCR is target collision resistant. If the group G is a statistically simulatable group on which the DHK assumption holds, then the Kurosawa-Desmedt KEM/DEM is PA + and PA plaintext-aware.
. . From PA+ to PA++ Plaintext-Awareness
We generalize this notion further and de ne PA ++ and PA ++ plaintext-awareness for adversaries who can submit sampling request to an external oracle. On one side, e ciency considerations restrict the sampling algorithms to be computable in polynomial-time. On the other side, we will require the system composed of the adversary and its randomness oracle to be simulatable by the plaintext extractor, that is because the plaintext extractor will need to be able to nd suitable random coins for OS. However, as we noted in Section . , assuming the existence of plaintext-aware encryption schemes forces us to assume that the ISH hypothesis is false so the restriction on the sampling algorithms becomes e ective. In a general sense,
. -
|
|
|
|
|
|
we conjecture that it is impossible to achieve plaintext-awareness for adversaries allowed to |
|||
|
submit non inverse-sampling algorithms. |
|
|
|
|
De nition . (PA ++ and PA ++ Plaintext-Awareness) |
|
|
|
|
Starting |
om the notions of PA and PA plaintext-awareness, we de ne two new conditions, |
||
|
PA ++ and PA ++, by adding one randomness oracle OS. |
is oracle takes as input the de- |
||
|
scription of an in erse-sampling algorithm, executes it using its own random tape, and returns its |
|||
|
output to the ciphertext creator. |
|
|
|
|
We say that a public-key encryption scheme is PA ++, respectively PA ++, plaintext-aware if |
|||
|
De nition . holds for PA , respectively PA , adversaries having access to the oracle OS. |
|||
|
Note that PA ++ (resp. PA ++) plaintext-awareness trivially implies PA and PA + (resp. |
|||
|
PA and PA +) plaintext-awareness, since the ciphertext creator may simply not use the ran- |
|||
|
domness oracle or just query using a sampling algorithm from the uniform distribution over |
|||
|
f0; 1g. Actually, we can even show that these two notions are equivalent, i.e., any scheme that |
|||
|
is PA + is PA ++ and any scheme that is PA + is PA ++. |
|
|
|
|
eorem . |
|
|
|
|
Suppose a public key encryption scheme is PA + (resp. PA +) plaintext-aware. |
en it is PA ++ |
||
|
(resp. PA ++) plaintext-aware. |
|
|
|
|
Proof. |
We prove the theorem for the case of PA ++. It can be easily modi ed so that it |
||
|
applies to PA ++. Let A be a ciphertext creator for the PA ++ plaintext-aware encryption |
|||
|
scheme. |
|
|
|
We construct a PA + ciphertext creator B as follows: B takes input pk and simulates A, forwarding all its decryption queries to the decryption oracle. In order to answer A’s queries to the randomness oracle, B runs the provided sampling algorithm and query its randomness oracle, that we denote O1, every time a new random bit is asked for. Clearly, B terminates in polynomial-time if all samplings can be performed in polynomial-time. Remark that B does not use any internal randomness besides the one used to initialize A.
Since B isavalidPA +ciphertextcreator, wecanasserttheexistenceofaplaintextextractor B indistinguishable from a decryption oracle. We use B to construct a plaintext extractor A for A. In the following, we assume that A maintains a state view′ initialized to viewA that will be used to simulate B’s view. To answer A’s decryption queries, A proceeds as follow:
. If A queried the randomness oracle with an inverse-sampling algorithm Samp and received x since the last invocation of A , then A computes S Samp 1(x). A er that, A updates the simulated view of B to include the random bits S, i.e., it sets view′ view′ S. Due to the property of inverse-sampling algorithms, ( S; viewA) is indistinguishable from (; viewA), where is the random string returned by OS for the sampling request. us, a simple induction argument su ces to show that viewB and view′ are indistinguishable.
is procedure is repeated for every new sampling query.
.
|
|
. A then calls upon B (pk; c; view′) and forwards its output to A.
Since viewA is included in view′ and that this last variable is indistinguishable from viewB,
|
|
|
|
|
|
|
|
Pr[DAB (pk; ;view′);OS (pk)(1k) ! 1] |
Pr[DAB (pk; ;viewB);OS (pk)(1k) ! 1] = negl(k): |
||||||
|
|
|
(pk; ; |
view |
|
|
|
Recalling that B |
|
|
B) is indistinguishable from a decryption oracle to A, we de- |
||||
duce that A is a valid plaintext extractor. In other words, |
|
||||||
|
|
|
|
|
|
|
= negl(k): |
Pr[DAB (pk; ;view′);OS (pk)(1k) ! 1] |
Pr[DADecsk( );OS (pk)(1k) ! 1] |
||||||
is concludes |
the proof. |
|
|
|
|
||
e following corollary is the combination of eorem . with the equivalence result between PA + and PA [Bir ], under the assumption that the scheme is IND-CPA secure.
Corollary .
If an encryption scheme is IND-CPA and PA plaintext-aware, then it is PA ++ plaintextaware.
9.6Adapting Vaudenay’s De nitions
. . Limiting the Adversary’s Sampling Queries
In the sequel, we will restrict to adversaries who use distributions to the D T such that, atanystep,thetable T canbesuccessfullysimulatedbyanalgorithmthatisonlygiventheview of the adversary as input. at is, we require adversaries to only submit sampling algorithms that are inverse-samplable and allow them to compute a plausible guess for the identity of drawn tags in polynomial-time. We refer to such adversaries as simulatable adversaries.
De nition . (Simulatable Adversary)
Let A be an adversary interacting with an RFID system. Let viewtA be the view of A at its t- th step and let T t denote the table T of the D T oracle at step t of A. We say that the adversary A is simulatable if all her sampling algorithms submitted to D T are in ersesamplable and, for all t, there exists a polynomial-time algorithm A′, such that (viewAt ; T t) and (viewAt ; A′(viewAt )) are indistinguishable.
Wenotethatwhentheadversaryonlydrawsonetagatthetime,or,ingeneral,avectorofsize logarithmicinthesecurityparameter,thenourrestrictionsdonota ecttheoriginalde nition as any sampling algorithm over such a set is inverse-samplable. e di erence may arise when
. ’