Abstract
Security against adaptive chosen-ciphertext attack (CCA) is a de facto standard for encryption. While we know how to construct CCA-secure encryption, pragmatic issues such as black-box design, software mis-implementation, and a lack of security-oriented code review may put the security in doubt. On the other hand, for double-layer encryption in which the two decryption keys are held by different parties, we expect the scheme to remain secure even when one of the key holders is compromised or becomes an adversary. It is thus desirable to combine two encryption schemes, where we cannot be sure which one is really CCA-secure, into a new scheme that is CCA-secure. In this paper we propose new solutions to this problem for symmetric-key encryption and public-key encryption. One of our results can be seen as a new application of the detectable CCA notion recently proposed by Hohenberger et al. (Eurocrypt 2012).
Sherman S.M. Chow is supported in part by the Early Career Award and the grants (CUHK 439713 & 14201914) of the Research Grants Council, Hong Kong.
Notes
1. We remark that it is called CCA2 in the literature when the adaptiveness matters.
2. While the original paper has discussed the application of DCCA in ruling out some known implementation bugs of a “sloppy” encryption scheme [8], our combiner does not assume that the bug in the component scheme can be easily detected.
References
1. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). doi:10.1007/3-540-44448-3_41
2. Chow, S.S.M., Boyd, C., Nieto, J.M.G.: Security-mediated certificateless cryptography. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 508–524. Springer, Heidelberg (2006). doi:10.1007/11745853_33
3. Chow, S.S.M., Roth, V., Rieffel, E.G.: General certificateless encryption and timed-release encryption. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 126–143. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85855-3_9
4. Cramer, R., Hanaoka, G., Hofheinz, D., Imai, H., Kiltz, E., Pass, R., Shelat, A., Vaikuntanathan, V.: Bounded CCA2-secure encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 502–518. Springer, Heidelberg (2007). doi:10.1007/978-3-540-76900-2_31
5. Dodis, Y., Katz, J.: Chosen-ciphertext security of multiple encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 188–209. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30576-7_11
6. Harnik, D., Kilian, J., Naor, M., Reingold, O., Rosen, A.: On robust combiners for oblivious transfer and other primitives. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 96–113. Springer, Heidelberg (2005). doi:10.1007/11426639_6
7. Herzberg, A.: Folklore, practice and theory of robust combiners. J. Comput. Secur. 17(2), 159–189 (2009). doi:10.3233/JCS-2009-0336
8. Hohenberger, S., Lewko, A., Waters, B.: Detecting dangerous queries: a new approach for chosen ciphertext security. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 663–681. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_39
A CCA Security from DCCA Security
CCA-secure PKE can be obtained by combining DCCA PKE, 1-bounded CCA PKE, and CPA PKE [8]. We remark that the same technique also works in identity-based encryption (IBE), attribute-based encryption (ABE), and threshold PKE/IBE. The same holds true for our combiner in Sect. 3.
We use \(\varPi _\text {DCCA}\), \(\varPi _\text {CPA}\), and \(\varPi _\text {qb}\) to denote the encryption primitives which are DCCA-secure, CPA-secure, and q-bounded-CCA-secure (where \(q=1\)) respectively. For a probabilistic algorithm \(\mathsf {Enc}(\cdot )\), we can transform it into a deterministic one \(\mathsf {Enc}(\cdot ; r)\) by supplying the encryption randomness r explicitly, where r is a well-distributed random value.
We describe the CCA-secure encryption scheme in the context of IBE. It can easily be degenerated to SKE/PKE, or extended to threshold PKE/IBE or ABE.
A.1 Syntax of IBE
In IBE, any user can request a secret key \( SK _{ ID }\) related to her identity \( ID \) from a trusted private key generator. The secret key \( SK _{ ID }\) correctly decrypts ciphertexts encrypted for \( ID \). An IBE scheme is defined as follows.
- \(( MPK , MSK ) \leftarrow \mathsf {Setup}(1^\lambda )\): This algorithm takes as input the security parameter \(1^\lambda \) and returns a master public key \( MPK \) and a master secret key \( MSK \). \( MPK \) is omitted from the input of the rest of the algorithms.
- \( SK _{ ID } \leftarrow \mathsf {Extract}( MSK , ID )\): This algorithm takes as inputs the master secret key \( MSK \) and a user identity \( ID \), and returns a user secret key \( SK _{ ID }\).
- \(C \leftarrow \mathsf {Enc}( ID , m)\): This algorithm takes as inputs a user identity \( ID \) and a message m, and returns a ciphertext C encrypting m for \( ID \).
- \(m \leftarrow \mathsf {Dec}( ID , SK _{ ID }, C)\): This algorithm takes as inputs a secret key \( SK _{ ID }\) corresponding to the identity \( ID \) and a ciphertext C. It returns m or the invalid symbol \(\perp \).
A.2 CCA-Secure Construction
- \(( MPK , MSK ) \leftarrow \mathsf {Setup}(1^\lambda )\): Run all the underlying IBE setup algorithms: \(\mathsf {Setup}_\text {DCCA}(1^\lambda )\) to get \(( MPK _\text {DCCA}, MSK _\text {DCCA})\), then \(\mathsf {Setup}_\text {CPA}(1^\lambda )\) to obtain \( ( MPK _\text {CPA}, MSK _\text {CPA})\) and \(\mathsf {Setup}_\text {qb}(1^\lambda )\) to get \(( MPK _\text {qb}, MSK _\text {qb})\). Keep \( MSK = ( MSK _\text {DCCA}, MSK _\text {CPA}, MSK _\text {qb})\) secret and output the master public key \( MPK \) \(= ( MPK _\text {DCCA}, MPK _\text {CPA}, MPK _\text {qb})\).
- \( SK _{ ID } \leftarrow \mathsf {Extract}( ID )\): Run \(\mathsf {Extract}_\text {DCCA}( ID )\) to obtain \( SK _{\text {DCCA}. ID }\), then \(\mathsf {Extract}_\text {CPA}( ID )\) to obtain \( SK _{\text {CPA}. ID }\), and \(\mathsf {Extract}_\text {qb}( ID )\) to obtain \( SK _{\text {qb}. ID }\). Finally, output \( SK _{ ID } = ( SK _{\text {DCCA}. ID }, SK _{\text {CPA}. ID }, SK _{\text {qb}. ID })\).
- \(C \leftarrow \mathsf {Enc}( ID , m)\): First pick three random values \(r_\text {DCCA}, r_\text {CPA}, r_\text {qb}\in \{0, 1\}^\lambda \), and encrypt two of them together with the message m in \(C_\text {DCCA}\), using \(r_\text {DCCA}\) as the encryption randomness, i.e., \(C_\text {DCCA}= \mathsf {Enc}_\text {DCCA}( ID , (r_\text {CPA}|| r_\text {qb}|| m); r_\text {DCCA})\); then compute two more encryptions of it via \(C_\text {qb}= \mathsf {Enc}_\text {qb}( ID , C_\text {DCCA}; r_\text {qb})\) and \(C_\text {CPA}= \mathsf {Enc}_\text {CPA}( ID , C_\text {DCCA}; r_\text {CPA})\). Finally, set \(C = (C_\text {CPA}, C_\text {qb})\).
- \(m \leftarrow \mathsf {Dec}( ID , SK _{ ID }, C)\): Parse C into \((C_\text {CPA}, C_\text {qb})\). Decrypt the second ciphertext via \(\mathsf {Dec}_\text {qb}( ID , SK _{\text {qb}. ID }, C_\text {qb})\) to obtain \(C_\text {DCCA}\). Then decrypt it via \(\mathsf {Dec}_\text {DCCA}( ID , SK _{\text {DCCA}. ID }, C_\text {DCCA})\) to obtain \((r_\text {CPA}|| r_\text {qb}|| m)\). Check that both \(C_\text {qb}= \mathsf {Enc}_\text {qb}( ID , C_\text {DCCA}; r_\text {qb})\) and \(C_\text {CPA}= \mathsf {Enc}_\text {CPA}( ID , C_\text {DCCA}; r_\text {CPA})\) hold. If so, output m; otherwise output \(\perp \).
© 2016 Springer International Publishing Switzerland
Zhang, C., Cash, D., Wang, X., Yu, X., Chow, S.S.M. (2016). Combiners for Chosen-Ciphertext Security. In: Dinh, T., Thai, M. (eds.) Computing and Combinatorics. COCOON 2016. Lecture Notes in Computer Science, vol. 9797. Springer, Cham. https://doi.org/10.1007/978-3-319-42634-1_21
DOI: https://doi.org/10.1007/978-3-319-42634-1_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-42633-4
Online ISBN: 978-3-319-42634-1