Encryption Schemes Secure against Chosen-Ciphertext Selective Opening Attacks [chapter]

Serge Fehr, Dennis Hofheinz, Eike Kiltz, Hoeteck Wee
2010 Lecture Notes in Computer Science  
Imagine many small devices send data to a single receiver, encrypted using the receiver's public key. Assume an adversary that has the power to adaptively corrupt a subset of these devices. Given the information obtained from these corruptions, do the ciphertexts from uncorrupted devices remain secure? Recent results suggest that conventional security notions for encryption schemes (like IND-CCA security) do not suffice in this setting. To fill this gap, the notion of security against
more » ... opening attacks (SOA security) has been introduced. It has been shown that lossy encryption implies SOA security against a passive, i.e., only eavesdropping and corrupting, adversary (SO-CPA). However, the known results on SOA security against an active adversary (SO-CCA) are rather limited. Namely, while there exist feasibility results, the (time and space) complexity of currently known SO-CCA secure schemes depends on the number of devices in the setting above. In this contribution, we devise a new solution to the selective opening problem that does not build on lossy encryption. Instead, we combine techniques from non-committing encryption and hash proof systems with a new technique (dubbed "cross-authentication codes") to glue several ciphertext parts together. The result is a rather practical SO-CCA secure public-key encryption scheme that does not suffer from the efficiency drawbacks of known schemes. Since we build upon hash proof systems, our scheme can be instantiated using standard number-theoretic assumptions such as decisional Diffie-Hellman (DDH), decisional composite residuosity (DCR), and quadratic residuosity (QR). Besides, we construct a conceptually very simple and comparatively efficient SO-CPA secure scheme from (slightly enhanced) trapdoor one-way permutations. We stress that our schemes are completely independent of the number of challenge ciphertexts, and we do not make assumptions about the underlying message distribution (beyond being efficiently samplable). In particular, we do not assume efficient conditional re-samplability of the message distribution. Hence, our schemes are secure in arbitrary settings, even if it is not known in advance how many ciphertexts might be considered for corruptions. Part of this work performed while at CWI. 382 S. Fehr et al. The generally accepted notion of security for public-key encryption is indistinguishability of ciphertexts under chosen-ciphertext attacks cf. [27, 30, 16] ). For IND-CCA security, it must not be possible to tell which one of two adversarially chosen messages is encrypted, even when given access to a decryption oracle. The notion of IND-CCA security has proved extremely useful. On the one hand, it essentially captures the notion of a secure channel against active attacks (see [9, 12] ). On the other hand, efficient IND-CCA secure encryption schemes can be constructed under standard number-theoretic assumptions (e.g., [13, 26, 23] ). However, there are realistic scenarios in which IND-CCA security is not known to provide security. For instance, consider a setting in which a large (and possibly a priori unknown) number of small devices send data to a single receiver. Each device encrypts its messages using the receiver's public key. Now assume an adversary that has the power to adaptively corrupt a subset of these devices. Say that, upon corrupting a device, the adversary learns the device's complete internal state, including the random coins used during previous encryptions. In that sense, the adversary may ask for selective openings of ciphertexts. The obvious question is: do the unopened ciphertexts remain secure? That is, can the adversary conclude anything about the plaintexts sent by uncorrupted devices, beyond of course what is implied already by the revealed plaintexts? While intuitively, the answer should be "no" for a secure public-key encryption system, IND-CCA security does not seem to be immediately useful in this setting. (E.g., [21] shows that whenever encryption constitutes a commitment to the respective message, the scheme cannot be proven secure using black-box techniques. This holds independent of whether the scheme is IND-CCA secure or not.) We clarify that the problem becomes moot if the senders can erase their randomness after sending the encrypted messages (cf. [1]). However, reliable erasure is difficult on a real system. As such, we will only focus on solutions that do not require erasures. So far, only little is known on the construction of public key encryption schemes that are secure under selective opening attacks (SOA secure) as discussed above. Concretely, [3, 5] have shown that every lossy encryption scheme (cf. [29] ) is SOA secure against passive (i.e., eavesdropping) adversaries. This yields a generic construction of SOA secure encryption that allows for fairly efficient instantiations. However, [3, 5] leave open the question of designing schemes that are SOA secure against active adversaries. Our contribution. We construct practical public key encryption schemes that are SO-CCA secure, i.e., SOA secure against active attacks. Interestingly, we substantially deviate from previous techniques to obtain SOA security. To explain our approach, let us briefly sketch how [3, 5] employ lossy encryption to achieve SOA security. (Passive) SOA security from lossy encryption. Lossy encryption schemes have the property that the scheme's "real" public key can be substituted with a "lossy" public key. Real and lossy keys are computationally indistinguishable, so -at least in a passive security experiment -this change cannot be detected by an adversary. Now lossy keys have the property that encryptions performed with them yield "lossy" ciphertexts that are statistically independent of the plaintext. In particular, a given lossy ciphertext can Encryption Schemes Secure against Chosen-Ciphertext Selective Opening Attacks 383 be -in general inefficiently -explained (or, opened) as an encryption of an arbitrary plaintext. Consequently, an SOA adversary cannot distinguish real keys, ciphertexts, and openings from those implied by lossy keys. But in the lossy case, the adversary's view is statistically independent of unopened messages; SOA security follows. SOA-CCA security from lossy encryption, and its limitations. Now consider an active SOA adversary (i.e., one that is equipped with a decryption oracle). To prove SO-CCA security, now additionally adversarial decryption queries have to be answered. Obviously, this is impossible with fully lossy keys (i.e., keys that always encrypt to ciphertexts that are independent of the plaintext). In the IND-CCA case (see [29] ), the solution to this dilemma is to make sure that only the challenge ciphertext is lossy. Technically, the security proof consider an "all-but-one" (ABO) public key. The ABO public key only encrypts the challenge ciphertext into a lossy ciphertext, and the corresponding ABO secret key can be used to decrypt any ciphertext except the lossy challenge ciphertext (and thus can be used to answer decryption queries). This technique works well in the IND-CCA case, since there we have only one challenge ciphertext. However, with SOA security, we have to deal with a -possibly huge -vector of challenge ciphertexts that correspond to all openable ciphertexts. We would need "all-but-many" public keys that allow to make only the challenge ciphertexts lossy. (In fact, this is the exact approach taken by [20] .) However, a counting argument shows that now the public-key size is at least linear in the maximal number of challenge ciphertexts. In realistic examples as the one above, there might be thousands of openable challenge ciphertexts. Hence, the lossy encryption approach leads to fairly impractical schemes, which have huge keys, and which actually achieve only bounded SO-CCA security. The latter means that the number of challenge ciphertexts for which the scheme is secure, is limited once the public key is chosen. If the number of potentially openable ciphertexts happens to exceed this limit, nothing is guaranteed anymore. Another limitation of this approach is that, unless a lossy ciphertext is efficiently openable (a property which is not known to hold for most lossy encryption schemes), the lossy encryption paradigm only achieves (bounded) so-called IND-SO-CCA security. This in particular means that SOA security is only guaranteed for joint message distributions that are efficiently conditionally re-samplable. This means that even when conditioned on an arbitrary fixed subvector of messages, the remaining messages need to be efficiently samplable. 1 Many realistic settings (e.g., encryptions of ciphertexts, commitments, or signatures for fixed messages) correspond to not efficiently conditionally re-samplable message distributions. So without extra assumptions, lossy encryption implies only bounded SOA security in a restricted class of settings. Our approach. We show SOA security using techniques from non-committing, resp. deniable encryption (e.g., [10, 15, 24, 11] ). Non-committing encryption (NCE) schemes allow for "equivocable" ciphertexts that are computationally indistinguishable from real 1 We remark that it is not obvious from [20] that their IND-SO-CCA secure scheme (Section 4.6) requires this additional condition on the distribution of the challenge messages. However, if this condition is not satisfied, then the challenger in the ideal game (in the definition of IND-SO-CCA security) is inefficient, and as such it cannot be argued in the security proof that in the ideal game the real public key can be replaced by a lossy key.
doi:10.1007/978-3-642-13190-5_20 fatcat:mz623dyan5gqno7njawwzbohny