Adaptive partitioning
Dennis Hofheinz (KIT, Karlsruhe)

Public-Key Encryption

● Accepted security notion: chosen-ciphertext security (IND-CCA)
  (Diagram: Challenger sends pk to Adversary A; A may query Dec(sk,·); A sends m0,m1 and receives Enc(pk,mb); A outputs b')
  Adv(A) = Pr[b = b'] – 1/2, should be negligible
● Observation: covers only 1-user, 1-ciphertext scenario
  – Hybrid argument → multi-user, multi-ciphertext security
  – But: security guarantees may degrade in scenario size
  – So: scenario size may influence keylength recommendations

This talk

● Tightly secure PKE: multi-challenge IND-CCA
  (Diagram: as above, but the m0,m1 / Enc(pk,mb) exchange is repeated many times; Dec(sk,·) queries throughout)
  Adv(A) = Pr[b = b'] – 1/2, should be negligible
● Goal: tight reduction to standard assumption (e.g., DDH)
  – Tight: reduction loss independent of # ciphertexts/queries
  – Enables security guarantees for arbitrary/unknown scenarios
● Difficulty: standard techniques yield non-tight reductions

Tight CCA security

● Tightly secure PKE: multi-challenge IND-CCA
  (Diagram: A sends m0(1),m1(1) and receives C(1)=Enc(pk,mb(1)); …; A sends m0(Q),m1(Q) and receives C(Q)=Enc(pk,mb(Q)))
● Standard techniques yield non-tight reductions, examples:
  – IBE: reduction knows "punctured" sk, randomize one C(i)
  – HPS: reduction knows full sk, entropy in sk randomizes one C(i)
  – NY (double encryption with consistency proof): make one C(i) "special" (with simulated proof), requires simulation-soundness
● Difficulty: simulation-soundness in face of many simulated proofs

Previous work / contribution

  Scheme        |pk|    |C| (KEM)   Loss    Assumption
  CS98/BBM00    3       3           O(Q)    DDH
  KD04/BBM00    2       2           O(Q)    DDH
  CS03          3       2           O(Q)    DCR
  HJ12          O(1)    O(λ)        O(1)    DLIN (PFG)
  LPJY15        O(λ)    47          O(λ)    DLIN (PFG)
  H16           2       60          O(λ)    DLIN (PFG)
  GHKW16        2λ      3           O(λ)    DDH
  This work     24      6           O(λ)    DLIN (PFG)
  This work     20      30          O(λ)    DCR

● This work: not yet practical, but conceptual progress
  – Generic new techniques to randomize challenge ciphertexts
  – Yields first DCR-based tightly secure PKE scheme
● Remaining talk: overview over new techniques

Basic strategy

● Starting point: Naor-Yung double encryption:
  C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )
  Consistency proof π: proves that M0=M1

Naor-Yung encryption

C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )

● One (known) way to prove Naor-Yung secure (the property in brackets justifies the transition from the previous step):
  0) IND-CCA experiment (many challenges), use sk0 to decrypt
  1) simulate all proofs π (using NIZK simulator) in challenges   [NIZK ind.]
  2) randomize all M1 in challenges   [CPA]
  3) use sk1 (not sk0) to decrypt (in decryption queries)   [sim-snd]
  4) randomize all M0 in challenges   [CPA]
● Difficulty outsourced into simulation-sound NIZK proofs π (many-challenge setting, with tight security reduction)
● This work: new randomization strategy, new way to prove NY in multi-challenge setting

Recap: hash proof systems

● Ingredient: hash proof systems (designated-verifier NIZKs):
  Prover (knows hpk) sends (x,π) to Verifier (knows hsk)
  – Unique proofs for x∊L, can be computed in two ways: π = hpk(x,w) = hsk(x)
  – NIZK simulator uses secret key hsk to compute π
  – Statistical soundness: if only proofs for true statements x are known, then any proof π for a false x is inf.th. hidden
● Efficient HPSs for linear [CS02] and OR-languages [ABP15] known

Idea for our proof system (uses HPSs)

C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )

● Structure of π: π = (π0, π1, Com(τ)), where
  – τ is a random bit (similar to Katz-Wang signature scheme)
  – π0 is a HPS proof (under hsk0) for (M0=M1 ∨ τ=0)
  – π1 is a HPS proof (under hsk1) for (M0=M1 ∨ τ=1)
● Simulated π for bad C breaks only hsk_{1-τ} (but not hsk_τ)

Adaptive partitioning

C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ), π = (π0, π1, Com(τ))
π0 proves (M0=M1 ∨ τ=0) under hsk0, π1 proves (M0=M1 ∨ τ=1) under hsk1

● Randomization strategy:
  (Animation: challenges C(1), C(2), C(5), C(10), …, C(Q) are split into a τ=0 half and a τ=1 half; one half is randomized; the challenges are then re-split by a fresh τ and the process repeats)
● Requires O(λ) steps

● Step 1: guess τ* (τ of first Dec-query with valid π and M0≠M1)
  (This means adversary breaks soundness of hsk_{1-τ*})
● Step 2: randomize all challenge ciphertexts with τ=1-τ*
  (This allows to randomize half of all challenge ciphertexts)
● Step 3: re-randomize partitioning bit τ in challenges, then goto 1
  (Prepare to randomize one half of another random partition of challenges)
● Difference to [KW03]: KW keep τ public (but simulation capabilities hidden)

● Illustration:
  (Animation: challenges C(1), C(2), C(5), C(10), …, C(Q) together with a decryption query C*; in each cycle the τ=0 / τ=1 partition is drawn, the half not containing C*'s bit is randomized, and the partition is redrawn)

● Omitted difficulty: how does this re-partitioning work?
  (Step 3: re-randomize partitioning bit τ in challenges, then goto 1)
  – Problem: how to manage/recall what is randomized
  – Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1)
● Remaining problem: efficient HPSs for OR-proofs
  – In pairing-friendly groups: [ABP15]
  – In DCR setting: new proof system (uses that we can compute dlogs in DCR)

Summary

● New strategy to obtain tightly IND-CCA secure PKE schemes
● Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle
● Main benefit: DCR-based solution (using new OR-proofs)
● Follow-up work shows potential of ideas
  – Compact tightly secure PKE from DDH
  – Compact tightly secure structure-preserving signatures
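A toy bookkeeping model of the adaptive partitioning strategy (Steps 1–3 and the i-th-bit-of-H(C0,C1) trick), added here as an illustration; it is not code from the talk or from the paper. It assumes a single fixed bad decryption query supplies τ* in every cycle (the reduction's guessing of τ* is not modelled), uses SHA-256 as a stand-in for H, and treats C0 and C1 as opaque bytes with no encryption or hash proof system implemented.

```python
"""Toy bookkeeping model of the adaptive-partitioning strategy (not the talk's
or paper's scheme): tracks which hash-proof key a simulated proof consumes,
which challenges may therefore be randomized per cycle, and how the i-th bit
of H(C0, C1) recalls the i-th partition.  No encryption or HPS is implemented."""
import hashlib
from dataclasses import dataclass

LAMBDA = 8  # hash bits consumed = number of randomization cycles (toy size)


@dataclass
class Challenge:
    c0: bytes               # C0 = Enc(pk0, M0), modelled as opaque bytes
    c1: bytes               # C1 = Enc(pk1, M1)
    tau: int = 0            # partition bit committed in pi = (pi0, pi1, Com(tau))
    randomized: bool = False


def hash_bit(c0: bytes, c1: bytes, i: int) -> int:
    """i-th bit of H(C0, C1); cycle i partitions ciphertexts by this bit."""
    digest = hashlib.sha256(c0 + c1).digest()
    return (digest[i // 8] >> (i % 8)) & 1


def simulated_key(tau: int) -> int:
    """Key a simulated proof for a challenge with M0 != M1 consumes: pi_tau proves
    (M0=M1 or tau=tau), which is true, so it is computed honestly; pi_{1-tau}
    proves a false statement and must be simulated with hsk_{1-tau}."""
    return 1 - tau


def key_adversary_must_break(tau_star: int) -> int:
    """A valid Dec query with M0 != M1 and bit tau* carries pi_{1-tau*} for a
    false statement, i.e. it breaks soundness of hsk_{1-tau*}."""
    return 1 - tau_star


def randomizable(challenges, tau_star: int):
    """Step 2: challenges whose simulated proofs never touch the key the bad
    query relies on; this is exactly the half with tau = 1 - tau*."""
    return [c for c in challenges
            if simulated_key(c.tau) != key_adversary_must_break(tau_star)]


def run_cycles(challenges, bad_query: Challenge, n_cycles: int = LAMBDA) -> int:
    """Steps 1-3 repeated: cycle i sets every tau to the i-th bit of H(C0, C1),
    takes tau* from the adversary's bad Dec query (assumption: one fixed bad
    query; the reduction's guessing of tau* is not modelled), randomizes the
    half with tau = 1 - tau*, then re-partitions with the next bit.
    Returns the cycles spent: O(lambda), independent of the number Q."""
    for i in range(n_cycles):
        for c in challenges:
            c.tau = hash_bit(c.c0, c.c1, i)
        tau_star = hash_bit(bad_query.c0, bad_query.c1, i)
        for c in randomizable(challenges, tau_star):
            c.randomized = True
    return n_cycles


def still_unrandomized(challenges, bad_query: Challenge, n_cycles: int = LAMBDA):
    """After the cycles, a challenge stays unrandomized only if its first
    n_cycles hash bits all equal the bad query's (an n_cycles-bit collision)."""
    run_cycles(challenges, bad_query, n_cycles)
    return [c for c in challenges if not c.randomized]
```

Running it on a few dozen constructed challenges shows the cycle count fixed at LAMBDA regardless of Q, with only a challenge colliding with the bad query on the consumed hash bits left unrandomized, which is why collision resistance of H is needed.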