Trading Plaintext-Awareness for Simulatability to Achieve Chosen Ciphertext Security

In PKC 2014, Dachman-Soled showed a construction of a chosen ciphertext (CCA) secure public key encryption (PKE) scheme based on a PKE scheme which simultaneously satisfies a security property called weak simulatability and (standard model) plaintext awareness (sPA1) in the presence of multiple public keys. It is not well-known if plaintext awareness for the multiple keys setting is equivalent to the more familiar notion of that in the single key setting, and it is typically considered that plaintext awareness is a strong security assumption (because to achieve it we have to rely on a knowledge -type assumption). In Dachman-Soled\u27s construction, the underlying PKE scheme needs to be plaintext aware in the presence of $2k+2$ public keys. The main result in this work is to show that the strength of plaintext awareness required in the Dachman-Soled construction can be somehow traded with the strength of a simulatability property of other building blocks. Furthermore, we also show that we can separate the assumption that a single PKE scheme needs to be both weakly simulatable and plaintext aware in her construction. Specifically, in this paper we show two new constructions of CCA secure key encapsulation mechanisms (KEMs): Our first scheme is based on a KEM which is chosen plaintext (CPA) secure and plaintext aware only under the $2$ keys setting, and a PKE scheme satisfying a slightly stronger simulatability than weak simulatability, called \emph{trapdoor simulatability} (introduced by Choi et al. ASIACRYPT 2009). Our second scheme is based on a KEM which is $1$-bounded CCA secure (Cramer et al. ASIACRYPT 2007) and plaintext aware only in the \emph{single} key setting, and a trapdoor simulatable PKE scheme. Our results add new recipes for constructing CCA secure PKE/KEM from general assumptions (that are incomparable to those used by Dachman-Soled), and in particular show interesting trade-offs among building blocks with those used in Dachman-Soled\u27s construction

A Survey of Symbolic Methods in Computational Analysis of Cryptographic Systems

Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear. For more than twenty years the two approaches have coexisted but evolved mostly independently. Recently, significant research efforts attempt to develop paradigms for cryptographic systems analysis that combines the best of both worlds. There are two broad directions that have been followed. {\em Computational soundness} aims to establish sufficient conditions under which results obtained using symbolic models imply security under computational models. The {\em direct approach} aims to apply the principles and the techniques developed in the context of symbolic models directly to computational ones. In this paper we survey existing results along both of these directions. Our goal is to provide a rather complete summary that could act as a quick reference for researchers who want to contribute to the field, want to make use of existing results, or just want to get a better picture of what results already exist

Tightly-Secure Key-Encapsulation Mechanism in the Quantum Random Oracle Model

Key-encapsulation mechanisms secure against chosen ciphertext attacks (IND-CCA-secure KEMs) in the quantum random oracle model have been proposed by Boneh, Dagdelen, Fischlin, Lehmann, Schafner, and Zhandry (CRYPTO 2012), Targhi and Unruh (TCC 2016-B), and Hofheinz, Hövelmanns, and Kiltz (TCC 2017). However, all are non-tight and, in particular, security levels of the schemes obtained by these constructions are less than half of original security levels of their building blocks. In this paper, we give a conversion that tightly converts a weakly secure public-key encryption scheme into an IND-CCA-secure KEM in the quantum random oracle model. More precisely, we define a new security notion for deterministic public key encryption (DPKE) called the disjoint simulatability, and we propose a way to convert a disjoint simulatable DPKE scheme into an IND-CCA-secure key-encapsulation mechanism scheme without incurring a significant security degradation. In addition, we give DPKE schemes whose disjoint simulatability is tightly reduced to post-quantum assumptions. As a result, we obtain IND-CCA-secure KEMs tightly reduced to various post-quantum assumptions in the quantum random oracle model

How to prove security of communication protocols? A discussion on the soundness of formal models w.r.t. computational ones.

Security protocols are short programs that aim at securing communication over a public network. Their design is known to be error-prone with flaws found years later. That is why they deserve a careful security analysis, with rigorous proofs. Two main lines of research have been (independently) developed to analyse the security of protocols. On the one hand, formal methods provide with symbolic models and often automatic proofs. On the other hand, cryptographic models propose a tighter modeling but proofs are more difficult to write and to check. An approach developed during the last decade consists in bridging the two approaches, showing that symbolic models are sound w.r.t. symbolic ones, yielding strong security guarantees using automatic tools. These results have been developed for several cryptographic primitives (e.g. symmetric and asymmetric encryption, signatures, hash) and security properties. While proving soundness of symbolic models is a very promising approach, several technical details are often not satisfactory. Focusing on symmetric encryption, we describe the difficulties and limitations of the available results

Secure Multi-party Computation Protocols from a High-Level Programming Language

Turvalise ühisarvutuse abil on võimalik sooritada privaatsust säilitavaid arvutusi mitmelt osapoolelt kogutud andmetega. Tänapäeva digitaalses maailmas on andmete konfidentsiaalsuse tagamine üha raskemini teostatav. Turvalise ühisarvutuse meetodid nagu ühissalastus ja Yao sogastatud loogikaskeemid võimaldavad teostada privaatsust säilitavaid arvutusprotokolle, mis ei lekita konfidentsiaalseid sisendandmeid. Aditiivne ühissalastuse skeem on väga efektiivne algebraliste ringide tehete sooritamiseks fikseeritud bitilaiusega andmetüüpide peal. Samas on seda kasutades raske ehitada protokolle, mis nõuavad paindlikumaid bititaseme operatsioone. Yao sogastatud loogikaskeemide meetod töötab aga igasuguse bitilaiusega andmete peal ja võimaldab väärtustada mistahes Boole'i funktsioone. Neid kahte meetodit koos kasutades ehitame turvalise hübriidprotokolli, mis kujutab endast üldist meetodit privaatsust säilitavate arvutuste teostamiseks bitikaupa ühissalastatud andmete peal. Loogikaskeeme vajalikeks arvutusteks on lihtne saada kahe kaasaegse turvalise ühisarvutuse jaoks mõeldud kompilaatori abil, mis muundavad C programmi loogikaskeemiks --- PCF ja CBMC-GC. Meie hübriidprotokolli prototüüp privaatsust säilitaval arvutusplatvormil Sharemind saavutab praktilisi jõudlustulemusi, mis on võrreldavad teiste kaasaegsete lahendustega. Lisaks kahe osapoolega arvutustele pakub meie prototüüp võimekust teostada mitmekesiseid arvutusi üldises turvalise ühisarvutuse arvutusmudelis. Hübriidprotokoll ja loogikaskeemide kompilaatorid võimaldavad koos kasutades lihtsalt ja efektiivselt luua üldkasutatavaid turvalise ühisarvutuse protokolle mistahes Boole'i funktsioonide väärtustamiseks.Secure multi-party computation (SMC) enables privacy-preserving computations on data originating from a number of parties. In today's digital world, data privacy is increasingly more difficult to provide. With SMC methods like secret sharing and Yao's garbled circuits, it is possible to build privacy-preserving computational protocols that do not leak confidential inputs to other parties. The additive secret sharing scheme is very efficient for algebraic ring operations on fixed bit-length data types. However, it is difficult to build protocols that require robust bit-level manipulation. Yao's garbled circuits approach, in contrast, works on arbitrary bit-length data and allows the evaluation of any Boolean function. Combining the two methods, we build a secure hybrid protocol, which provides a general method for building arbitrary secure computations on bitwise secret-shared data. We are able to generate circuits for the protocol easily by using two state-of-the-art C to circuit compilers designed for SMC applications --- PCF and CBMC-GC. Our hybrid protocol prototype on the Sharemind privacy-preserving computational platform achieves practical performance comparable to other recent work. In addition to two-party computations, our prototype provides the ability to perform a set of diverse computations in a generic SMC computational model. The hybrid protocol together with the circuit compilers provides a simple and efficient toolchain to build general-purpose SMC protocols for evaluating any Boolean function

Conditionally Verifiable Signatures

We introduce a new digital signature model, called conditionally verifiable signature (CVS), which allows a signer to specify and convince a recipient under what conditions his signature would become valid and verifiable; the resulting signature is not publicly verifiable immediately but can be converted back into an ordinary one (verifiable by anyone) after the recipient has obtained proofs, in the form of signatures/endorsements from a number of third party witnesses, that all the specified conditions have been fulfilled. A fairly wide set of conditions could be specified in CVS. The only job of the witnesses is to certify the fulfillment of a condition and none of them need to be actively involved in the actual signature conversion, thus protecting user privacy. It is guaranteed that the recipient cannot cheat as long as at least one of the specified witnesses does not collude. We formalize the concept of CVS and give a generic CVS construction based on any CPA-secure identity based encryption (IBE) scheme. Theoretically, we show that the existence of IBE with indistinguishability under a chosen plaintext attack (a weaker notion than the standard one) is necessary and sufficient for the construction of a secure CVS.\footnote{Due to page limit, some proofs are omitted here but could be found in the full version \cite{CB05ibecvs}.

What about Bob? The Inadequacy of CPA Security for Proxy Reencryption

In the simplest setting of proxy reencryption, there are three parties: Alice, Bob, and Polly (the proxy). Alice keeps some encrypted data that she can decrypt with a secret key known only to her. She wants to communicate the data to Bob, but not to Polly (nor anybody else). Using proxy reencryption, Alice can create a reencryption key that will enable Polly to reencrypt the data for Bob\u27s use, but which will not help Polly learn anything about the data. There are two well-studied notions of security for proxy reencryption schemes: security under chosen-plaintext attacks (CPA) and security under chosen-ciphertext attacks (CCA). Both definitions aim to formalize the security that Alice enjoys against both Polly and Bob. In this work, we demonstrate that CPA security guarantees much less security against Bob than was previously understood. In particular, CPA security does not prevent Bob from learning Alice\u27s secret key after receiving a single honestly reencrypted ciphertext. We also show that an existing construction of CPA secure proxy reencryption suffers from this type of weakness. As a result, CPA security provides scant guarantees in common applications. We propose security under honest reencryption attacks (HRA), a strengthening of CPA security that better captures the goals of proxy reencryption. In applications, HRA security provides much more robust security. We identify a property of proxy reencryption schemes that suffices to amplify CPA security to HRA security and show that two existing proxy reencryption schemes are in fact HRA secure