Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London

Jan 30, 2016

Cramer-Shoup is Plaintext Aware in the Standard Model

Alexander W. Dent

Information Security Group

Royal Holloway, University of London

The short version

Plaintext awareness is a property of an encryption scheme that roughly says “an attacker cannot create a ciphertext without knowing the underlying plaintext”.

Here “knowing” is in the zero-knowledge sense of the word.

Typically used to prove IND-CCA security. New uses, e.g. deniable authentication.

The short version

Bellare and Palacio proposed a definition for assessing plaintext awareness in the standard model…

…and proved that the Cramer-Shoup encryption scheme is partially (PA1) plaintext aware.

This paper demonstrates that Cramer-Shoup is fully (PA2) plaintext aware.

This should be regarded as a feasibility result.

What is plaintext awareness?

What is plaintext awareness?

A difficult notion to formalise.

We want to show that we can answer an attacker’s decryption oracle queries if we know how those queries were constructed.

Two flavours:

– Partial (PA1) plaintext awareness, which can be used to prove IND-CCA1 security.

– Full (PA2) plaintext awareness, which can be used to prove IND-CCA2 security.

PA1: The players

The ciphertext creator: the bad guy! A probabilistic, polynomial-time attacker who is trying to determine whether he is interacting with a real decryption oracle or not.

The plaintext extractor: the good guy! An algorithm which masquerades as a decryption oracle but doesn’t need to know the private key.

PA1: The game

[Diagram. Labels: public key; C; m; Compute m=Dec(sk,C); If b=0 then use decryption algorithm; If b=1 then use plaintext extractor; b’]

PA1: The interpretation

For every ciphertext creator (attacker)…

…there exists a plaintext extractor who can successfully deceive the ciphertext creator…

…given the ciphertext creator’s random coins.

Note that the plaintext extractor knows the ciphertext creator’s general strategy, everything it has done and everything it is going to do.

PA2: The rematch

We need to allow the ciphertext creator to get access to ciphertexts for which he does not know the underlying message and/or the random coins used to encrypt that message.

The plaintext creator: An ally of the bad guy! Any polynomial time algorithm that randomly generates messages and encrypts them.

PA2: The game

[Diagram. Labels: ciphertext creator; decryption oracle; plaintext creator; public key; random coins; aux; C; m; b’]

PA2: The interpretation

For every ciphertext creator (attacker)…

…there exists a plaintext extractor who can successfully deceive the ciphertext creator…

…given the ciphertext creator’s random coins…

…regardless of what the plaintext creator does.

Often regarded as a malleability condition.

Note that the plaintext extractor knows the ciphertext creator’s general strategy, and everything it has done in the past, but can’t figure out everything it is going to do in the future.

Cramer-Shoup is PA2 plaintext aware

Cramer-Shoup

The Cramer-Shoup scheme has been proven to be PA1 (under the DHK assumption).

It also has an interesting property in that you cannot distinguish real ciphertexts from elements chosen completely at random.

Hence, the ability to get hold of new ciphertexts is equivalent to the ability to get hold of random bit strings.

PA1+: An intermediary game

This paper proposes a new notion of PA.

Here the attacker has the ability to get hold of new random bit strings.

The randomness oracle: An ally of the bad guy! Randomly generates a bit-string of a fixed length and returns it to the ciphertext creator.

PA1+: The game

[Diagram. Labels: ciphertext creator; decryption oracle; randomness oracle; public key; random coins; r; C; m; b’]

PA1+: The interpretation

A scheme is PA1+ plaintext aware if for every ciphertext creator (with access to a randomness oracle) there exists a plaintext extractor that can deceive it.

Again, the plaintext extractor knows the ciphertext creator’s strategy and past actions, but cannot predict its future actions.

PA1+: The interpretation

Suppose I wish to convince my boss that I’m a genius, and so I send him all of my papers.

My boss needs to decide if I’m a genius or not.

My boss will pick one at random and read it.

However, suppose that I’m actually a lucky idiot who has only written one decent paper.

If I know the random choices that my boss will make when selecting the paper, then I can deceive him.

PA1+: The interpretation

Suppose I wish to convince my boss that I’m a genius, and so I send him all of my papers.

My boss needs to decide if I’m a genius or not.

My boss will pick one at random and read it.

However, suppose that I’m actually a lucky idiot who has only written one decent paper.

If I don’t know the random choices that my boss will make when selecting the paper, then I cannot deceive him.

PA1+: The big theorem

An encryption scheme that is simulatable and PA1+ is always PA2.

Simulatable just means that the real ciphertexts are indistinguishable from randomly generated elements – hence, a plaintext creator is roughly the same as a randomness oracle.

Cramer-Shoup

The original proof gives that Cramer-Shoup is simulatable.

(In fact, simulatable implies IND-CCA2).

It is fairly easy to adapt the ideas of Bellare-Palacio to show that Cramer-Shoup is PA1+ under the DHK assumption.

Hence, Cramer-Shoup is PA2 plaintext aware.

Open problems

Prove something is plaintext aware that wasn’t already known to be IND-CCA2.

Prove something is plaintext aware without having to prove that it is simulatable.

Prove something is plaintext aware without using an extractor-based assumption like DHK.

THE END

Not the end?

The notions of plaintext awareness fit together as you might expect:

Perfect PA1 = Perfect PA1+. Thus, perfect simulatable PA1 implies PA2.

PA2 ≥ PA1+ ≥ PA1

Diffie-Hellman Knowledge

A computational assumption for a group G generated by a generator g.

[Diagram. Labels: (g, A); (B, C); b (if B = g^b and C = A^b)]

Diffie-Hellman Knowledge

It is meant to be interpreted as “it is impossible to make a Diffie-Hellman tuple without knowing the discrete logarithm of one of the elements”.

Not efficiently falsifiable [Naor].

True in the Generic Group Model [Dent, AF]

– Although the GGM is not sound [Dent]

Used to show that Cramer-Shoup is PA1.

Hence considered reasonable to use when showing Cramer-Shoup is PA2.
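
The PA1 game for Cramer-Shoup, as an added Python example (not taken from the slides or the paper): `extract` answers decryption queries from the public key and the exponent r alone, and agrees with the real `decrypt` on both a valid and an altered ciphertext. Handing r to the extractor directly is an assumption that stands in for what DHK provides when (u1, u2) = (g1^r, g2^r); the toy group, the function names and the constructed creator in `play` are illustrative.

```python
import hashlib
import random

# Toy group (constructed, insecure size): order-Q squares mod P = 2Q + 1.
P, Q, G1, G2 = 2039, 1019, 4, 9

def H(u1, u2, e):
    digest = hashlib.sha256(f"{u1},{u2},{e}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def keygen(rng):
    x1, x2, y1, y2, z = (rng.randrange(1, Q) for _ in range(5))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    return (c, d, pow(G1, z, P)), (x1, x2, y1, y2, z)

def encrypt(pk, m, r):
    c, d, h = pk
    u1, u2, e = pow(G1, r, P), pow(G2, r, P), pow(h, r, P) * m % P
    v = pow(c, r, P) * pow(d, r * H(u1, u2, e), P) % P
    return (u1, u2, e, v)

def decrypt(sk, ct):
    """Real decryption oracle (b=0): uses the private key."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    a = H(u1, u2, e)
    if pow(u1, x1 + y1 * a, P) * pow(u2, x2 + y2 * a, P) % P != v:
        return None  # invalid ciphertext
    return e * pow(u1, Q - z, P) % P  # e / u1^z, as u1 has order Q

def extract(pk, r, ct):
    """Plaintext extractor (b=1): public key and the exponent r, no sk."""
    c, d, h = pk
    u1, u2, e, v = ct
    if (u1, u2) != (pow(G1, r, P), pow(G2, r, P)):
        return None  # r does not explain (u1, u2)
    if pow(c, r, P) * pow(d, r * H(u1, u2, e), P) % P != v:
        return None  # invalid ciphertext
    return e * pow(h, Q - r, P) % P  # e / h^r

def play(seed):
    """Constructed creator: one honest query, one with v altered."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    r, m = rng.randrange(1, Q), pow(rng.randrange(2, P - 1), 2, P)
    good = encrypt(pk, m, r)
    bad = good[:3] + (good[3] * G1 % P,)
    return m, [(decrypt(sk, ct), extract(pk, r, ct)) for ct in (good, bad)]
```

Both oracles return the same answers to this creator, so its view is the same whether b=0 or b=1.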