
Combiners for Chosen-Ciphertext Security

Conference paper
Computing and Combinatorics (COCOON 2016)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9797)

Abstract

Security against adaptive chosen-ciphertext attack (CCA) is the de facto standard for encryption. While we know how to construct CCA-secure encryption, pragmatic issues such as black-box design, software mis-implementation, and a lack of security-oriented code review may put that security in doubt. On the other hand, in double-layer encryption where the two decryption keys are held by different parties, we expect the scheme to remain secure even when one of them is compromised or becomes an adversary. It is thus desirable to combine two encryption schemes, without knowing which one is really CCA-secure, into a new scheme that is CCA-secure. In this paper we propose new solutions to this problem for symmetric-key encryption and public-key encryption. One of our results can be seen as a new application of the detectable CCA (DCCA) notion recently proposed by Hohenberger et al. (Eurocrypt 2012).

Sherman S.M. Chow is supported in part by the Early Career Award and the grants (CUHK 439713 & 14201914) of the Research Grants Council, Hong Kong.


Notes

  1. We remark that this notion is called CCA2 in the literature when the adaptiveness matters.

  2. While the original paper discussed applying DCCA to rule out a known implementation bug in a "sloppy" encryption scheme [8], our combiner does not assume that a bug in a component scheme can be easily detected.

References

  1. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). doi:10.1007/3-540-44448-3_41

  2. Chow, S.S.M., Boyd, C., Nieto, J.M.G.: Security-mediated certificateless cryptography. In: Public Key Cryptography (PKC 2006), pp. 508–524 (2006). doi:10.1007/11745853_33

  3. Chow, S.S.M., Roth, V., Rieffel, E.G.: General certificateless encryption and timed-release encryption. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 126–143. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85855-3_9

  4. Cramer, R., Hanaoka, G., Hofheinz, D., Imai, H., Kiltz, E., Pass, R., Shelat, A., Vaikuntanathan, V.: Bounded CCA2-secure encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 502–518. Springer, Heidelberg (2007). doi:10.1007/978-3-540-76900-2_31

  5. Dodis, Y., Katz, J.: Chosen-ciphertext security of multiple encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 188–209. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30576-7_11

  6. Harnik, D., Kilian, J., Naor, M., Reingold, O., Rosen, A.: On robust combiners for oblivious transfer and other primitives. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 96–113. Springer, Heidelberg (2005). doi:10.1007/11426639_6

  7. Herzberg, A.: Folklore, practice and theory of robust combiners. J. Comput. Secur. 17(2), 159–189 (2009). doi:10.3233/JCS-2009-0336

  8. Hohenberger, S., Lewko, A., Waters, B.: Detecting dangerous queries: a new approach for chosen ciphertext security. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 663–681. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_39

Author information

Corresponding author: Sherman S. M. Chow.

A CCA Security from DCCA Security

CCA-secure PKE can be obtained by combining a DCCA-secure PKE, a 1-bounded-CCA-secure PKE, and a CPA-secure PKE [8]. We remark that the same technique also works for identity-based encryption (IBE), attribute-based encryption (ABE), and threshold PKE/IBE. The same holds for our combiner in Sect. 3.

We use \(\varPi_\text{DCCA}\), \(\varPi_\text{CPA}\), and \(\varPi_\text{qb}\) to denote encryption primitives that are DCCA-secure, CPA-secure, and q-bounded-CCA-secure (with \(q = 1\)) respectively. A probabilistic algorithm \(\mathsf{Enc}(\cdot)\) can be turned into a deterministic one \(\mathsf{Enc}(\cdot\,; r)\) by fixing its random coins r, where r is a uniformly distributed random value supplied as an explicit input.

We describe the CCA-secure encryption scheme in the context of IBE. It can easily be degenerated to SKE/PKE, or extended to threshold PKE/IBE or ABE.

A.1 Syntax of IBE

In IBE, any user can request a secret key \(SK_{ID}\) for her identity \(ID\) from a trusted private key generator. The secret key \(SK_{ID}\) correctly decrypts ciphertexts encrypted for \(ID\). An IBE scheme is defined as follows.

  • \((MPK, MSK) \leftarrow \mathsf{Setup}(1^\lambda)\): This algorithm takes as input the security parameter \(1^\lambda\) and returns a master public key \(MPK\) and a master secret key \(MSK\). \(MPK\) is omitted from the input of the remaining algorithms.

  • \(SK_{ID} \leftarrow \mathsf{Extract}(MSK, ID)\): This algorithm takes as input the master secret key \(MSK\) and a user identity \(ID\), and returns a user secret key \(SK_{ID}\).

  • \(C \leftarrow \mathsf{Enc}(ID, m)\): This algorithm takes as input a user identity \(ID\) and a message m, and returns a ciphertext C encrypting m for \(ID\).

  • \(m \leftarrow \mathsf{Dec}(ID, SK_{ID}, C)\): This algorithm takes as input an identity \(ID\), the secret key \(SK_{ID}\) corresponding to it, and a ciphertext C. It returns a message m or the invalid symbol \(\perp\).

A.2 CCA-Secure Construction

  • \((MPK, MSK) \leftarrow \mathsf{Setup}(1^\lambda)\): Run all the underlying IBE setup algorithms: \(\mathsf{Setup}_\text{DCCA}(1^\lambda)\) to get \((MPK_\text{DCCA}, MSK_\text{DCCA})\), \(\mathsf{Setup}_\text{CPA}(1^\lambda)\) to get \((MPK_\text{CPA}, MSK_\text{CPA})\), and \(\mathsf{Setup}_\text{qb}(1^\lambda)\) to get \((MPK_\text{qb}, MSK_\text{qb})\). Keep \(MSK = (MSK_\text{DCCA}, MSK_\text{CPA}, MSK_\text{qb})\) secret and output the master public key \(MPK = (MPK_\text{DCCA}, MPK_\text{CPA}, MPK_\text{qb})\).

  • \(SK_{ID} \leftarrow \mathsf{Extract}(MSK, ID)\): Run \(\mathsf{Extract}_\text{DCCA}(MSK_\text{DCCA}, ID)\) to obtain \(SK_{\text{DCCA}.ID}\), \(\mathsf{Extract}_\text{CPA}(MSK_\text{CPA}, ID)\) to obtain \(SK_{\text{CPA}.ID}\), and \(\mathsf{Extract}_\text{qb}(MSK_\text{qb}, ID)\) to obtain \(SK_{\text{qb}.ID}\). Output \(SK_{ID} = (SK_{\text{DCCA}.ID}, SK_{\text{CPA}.ID}, SK_{\text{qb}.ID})\).

  • \(C \leftarrow \mathsf{Enc}(ID, m)\): Pick three random values \(r_\text{DCCA}, r_\text{CPA}, r_\text{qb} \in \{0,1\}^\lambda\). Encrypt the message together with the two outer random values under the DCCA scheme, using \(r_\text{DCCA}\) as the encryption randomness: \(C_\text{DCCA} = \mathsf{Enc}_\text{DCCA}(ID, (r_\text{CPA} \| r_\text{qb} \| m); r_\text{DCCA})\). Then encrypt \(C_\text{DCCA}\) twice more, as \(C_\text{qb} = \mathsf{Enc}_\text{qb}(ID, C_\text{DCCA}; r_\text{qb})\) and \(C_\text{CPA} = \mathsf{Enc}_\text{CPA}(ID, C_\text{DCCA}; r_\text{CPA})\), and output \(C = (C_\text{CPA}, C_\text{qb})\).

  • \(m \leftarrow \mathsf{Dec}(ID, SK_{ID}, C)\): Parse C as \((C_\text{CPA}, C_\text{qb})\). Decrypt the second component, \(C_\text{DCCA} \leftarrow \mathsf{Dec}_\text{qb}(ID, SK_{\text{qb}.ID}, C_\text{qb})\), then decrypt the result, \((r_\text{CPA} \| r_\text{qb} \| m) \leftarrow \mathsf{Dec}_\text{DCCA}(ID, SK_{\text{DCCA}.ID}, C_\text{DCCA})\); if either decryption returns \(\perp\), output \(\perp\). Check that both \(C_\text{qb} = \mathsf{Enc}_\text{qb}(ID, C_\text{DCCA}; r_\text{qb})\) and \(C_\text{CPA} = \mathsf{Enc}_\text{CPA}(ID, C_\text{DCCA}; r_\text{CPA})\) hold. If so, output m; otherwise output \(\perp\). Note that \(SK_{\text{CPA}.ID}\) is never used by \(\mathsf{Dec}\): the CPA component is checked by re-encryption under the public parameters only.
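The construction above, specialised to the symmetric-key setting that this appendix says it degenerates to, as an added Python example; this is not the paper's or the authors' code. The three component schemes are stand-ins: one toy SHA-256 counter-mode stream cipher whose randomness is passed in explicitly so that decryption can re-encrypt and compare. It carries no DCCA, CPA or 1-bounded-CCA guarantee, and the names ToyScheme, CCACombiner, run_checks and the sample message are this example's own. What it shows is the wiring: the outer randomness travels inside \(C_\text{DCCA}\), decryption goes through \(C_\text{qb}\) only, and the re-encryption check rejects a mauled \(C_\text{CPA}\) or \(C_\text{qb}\), a mix of components taken from two honest ciphertexts, and a truncated ciphertext.

```python
"""Toy symmetric-key instantiation of the Appendix A combiner: an added
example, not the paper's code.  All three components are the same toy
hash-based stream cipher, which makes no DCCA/CPA/1-bounded-CCA security
claim; it only takes its randomness as an explicit argument, so that Dec
can re-encrypt and compare, which is what the combiner's wiring needs."""
import hashlib
import secrets

LAM = 16  # lambda in bytes; r_DCCA, r_CPA and r_qb are each LAM bytes


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: a toy PRF stream, not a vetted cipher."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:n])


class ToyScheme:
    """Enc(k, m; r) = r || (m XOR keystream(k, r)); deterministic given r."""

    def keygen(self) -> bytes:
        return secrets.token_bytes(32)

    def enc(self, key: bytes, m: bytes, r: bytes) -> bytes:
        assert len(r) == LAM
        return r + bytes(a ^ b for a, b in zip(m, _keystream(key, r, len(m))))

    def dec(self, key: bytes, c: bytes):
        if len(c) < LAM:
            return None  # malformed: shorter than the nonce
        r, body = c[:LAM], c[LAM:]
        return bytes(a ^ b for a, b in zip(body, _keystream(key, r, len(body))))


class CCACombiner:
    """Sect. A.2 with identities dropped: Setup/Extract collapse to keygen."""

    def __init__(self, dcca, cpa, qb):
        self.dcca, self.cpa, self.qb = dcca, cpa, qb

    def setup(self):
        return (self.dcca.keygen(), self.cpa.keygen(), self.qb.keygen())

    def enc(self, sk, m: bytes):
        k_dcca, k_cpa, k_qb = sk
        r_dcca, r_cpa, r_qb = (secrets.token_bytes(LAM) for _ in range(3))
        # Inner layer carries the two outer randomnesses next to the message.
        c_dcca = self.dcca.enc(k_dcca, r_cpa + r_qb + m, r_dcca)
        # Outer layers: two encryptions of the same inner ciphertext.
        return (self.cpa.enc(k_cpa, c_dcca, r_cpa), self.qb.enc(k_qb, c_dcca, r_qb))

    def dec(self, sk, c):
        k_dcca, k_cpa, k_qb = sk
        c_cpa, c_qb = c
        c_dcca = self.qb.dec(k_qb, c_qb)  # decryption goes through C_qb only
        inner = None if c_dcca is None else self.dcca.dec(k_dcca, c_dcca)
        if inner is None or len(inner) < 2 * LAM:
            return None
        r_cpa, r_qb, m = inner[:LAM], inner[LAM:2 * LAM], inner[2 * LAM:]
        # Re-encryption check: both outer ciphertexts must equal an honest
        # encryption of the recovered c_dcca under the recovered randomness.
        if self.qb.enc(k_qb, c_dcca, r_qb) != c_qb:
            return None
        if self.cpa.enc(k_cpa, c_dcca, r_cpa) != c_cpa:
            return None
        return m


def run_checks() -> dict:
    """Round trip plus the rejections the re-encryption check is there for."""
    scheme = CCACombiner(ToyScheme(), ToyScheme(), ToyScheme())
    sk = scheme.setup()
    m = b"constructed sample message"  # constructed test input
    c_cpa, c_qb = scheme.enc(sk, m)
    c2_cpa, _ = scheme.enc(sk, m)  # second, independent encryption of m

    def flip_last(b: bytes) -> bytes:
        return b[:-1] + bytes([b[-1] ^ 0x01])

    return {
        "roundtrip": scheme.dec(sk, (c_cpa, c_qb)) == m,
        # C_qb alone still decrypts to m; only the CPA re-encryption fails.
        "mauled_cpa_rejected": scheme.dec(sk, (flip_last(c_cpa), c_qb)) is None,
        # Flips the last byte of m inside C_DCCA: the qb check passes, but
        # the stored C_CPA no longer matches the re-encrypted inner ciphertext.
        "mauled_qb_rejected": scheme.dec(sk, (c_cpa, flip_last(c_qb))) is None,
        # Components from two honest encryptions of the same message.
        "mix_and_match_rejected": scheme.dec(sk, (c2_cpa, c_qb)) is None,
        "truncated_rejected": scheme.dec(sk, (c_cpa, c_qb[:LAM // 2])) is None,
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

In the public-key and IBE versions the re-encryption inside Dec needs only the public parameters, so \(SK_{\text{CPA}.ID}\) is never touched by decryption; in this symmetric toy the CPA key is necessarily used to recompute \(C_\text{CPA}\), which is the one place the degenerated scheme differs from the text.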


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Zhang, C., Cash, D., Wang, X., Yu, X., Chow, S.S.M. (2016). Combiners for Chosen-Ciphertext Security. In: Dinh, T., Thai, M. (eds) Computing and Combinatorics . COCOON 2016. Lecture Notes in Computer Science(), vol 9797. Springer, Cham. https://doi.org/10.1007/978-3-319-42634-1_21


  • DOI: https://doi.org/10.1007/978-3-319-42634-1_21


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-42633-4

  • Online ISBN: 978-3-319-42634-1
