Chosen Ciphertext Security via BARGs - Insights on CPA vs CCA PKE
Gain insights into the long-standing open problem on PKE: CPA PKE vs CCA PKE and explore additional assumptions/primitives that are sufficient for secure PKE. Discover the Main Result in Batch ARGument system for proving NP statements and the proposed construction of Weak CCA Tag-Based Encryption.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
PKC 2025 @ Rros 2025/5/12 ~ 15 Chosen Ciphertext Security via BARGs Takahiro Matsuda ( ) https://eprint.iacr.org/2023/1957 1 1 1
Background & Motivation CCA secure PKE is one of the most important, fundamental, and intensively studied cryptographic primitives Long-standing Open Problem on PKE: CPA PKE ?? CCA PKE To gain insights, we would like to find what additional assumptions/primitives are sufficient, as many as possible + CPA PKE CCA PKE 2 (additional assumption and/or primitive)
Main Result + CCA PKE CPA PKE BARG BARG = Batch ARGument = Non-interactive argument system in which the correctness of multiple NP statements can be proved in one shot Requirement 1: (Semi-adaptive) Soundness Requirement 2: Succinctness of Proof Size: When proving k statements, the bit-length | | of the proof must be non-trivially smaller than just sending k witnesses Presumably, | | = poly( , n) o(k), and ideally, | | = poly( , n, log k) n: Bit-length of each statement + witness : Security parameter 3 Shorter | | = stronger requirement
Relations to Existing Works Our Work BARG No implications or separations between BARG and other primitives NIZK [DDN91] PKE + KDM-secure SKE CPA [KMT19, KM20] CCA PKE Randomness Recoverability [HKW21] Simulatability + Plaintext- awareness [Dac14, MH16] 4
Relations with Recent NIZK from BARG Results [BKPRV24], [BWW24] (c.f. [CW23]) CCA PKE Naor-Yung paradigm NIZK BARG + OWF At the time our paper first appeared in ePrint (Dec. 2023), yes But in the PKC 2025 version, no Is our result implied by these works? Requirement in [BKPRV24] (for NIZK) Requirement in our work: | | = ???? ,? ?? ? ( < 1) | | = 1 ? + ???? ,? ?? ???? ?,? ( < 1) Succinctness requirement in terms of #statements k Polylog(k) Sending k witnesses (trivial) O(k) with <k o(k) k ( <1) k: #statements n: Bit-length of each statement + witness : Security parameter 5 Not known to imply NIZKs
Technical Overview Actual Proposed Construction: Weak CCA Tag-Based Encryption (TBE) + + Equivocal tag-based Bit- Commitment CPA PKE BARG 6
Tag-Based Encryption (TBE) = PKE in which Enc/Dec uses an additional input called tag (Selective-tag) Weak CCA security pk t* (pk, sk) TKG(1 ) b {0,1} m0, m1 Challenge Oracle c* TEnc(pk, t*, mb) c TEnc(pk, t, m) c* A t t* t, c m or TDec(sk, t, c) Decryption Oracle m = TDec(sk, t, c) m b PPT A: |Pr[b = b] 1/2| = neg. + [CHK04, Kiltz06] One-time Signature Weak-CCA TBE CCA PKE 7
(Tag-Based) Equivocal Bit-Commitment Normal mode and EQ mode = Bit-commitment with two modes of operation Two modes are indistinguishable Equivocability ck CKG(1 ) m, t* : { (ck, com, ) } { (ck~, com~, ~m) } com Com(ck, t, m; ) (ck~, com~, ~0, ~1) EQSetup(t*) Statistical Binding s.t. com~ = Com(ck~, t*, 0; ~0) = Com(ck~, t*, 1; ~1) Under tags t t*, com~ can t be opened to both m=0 and m=1 t* : Pr[ ] Com(ck~, t, 0; 0) = Com(ck~, t, 1; 1) t t* and 0, 1 s.t. = neg. Can be constructed from a one-way function (based on Naor s bit commitment) 8
Technical Overview Actual Proposed Construction: + Equivocal tag-based Bit- Commitment + Weak CCA TBE CPA PKE BARG Our approach: Koppula-Waters-style construction [KW19, KMT19], with a ciphertext validity check using a BARG CPA PKE TBE Base (1-bit) Step 1 Weak CCA TBE Step 2 Equivocal tag-based Bit- Commitment BARG 9
Step 1: Base 1-Bit TBE Equivocal tag-based Bit-Commitment + Base (1-bit) TBE CPA PKE (pk0,sk0), (pk1, sk1): key pairs of CPA PKE ck: commitment key PKbase= (pk0, pk1, ck), SKbase= sk0 Why the bit s is hidden? Encrypting s {0,1} under tag t : r0, r1, 0, 1 random com Com(ck, t, s; s) cs Enc(pks, s; rs) c1-s Enc(pk1-s, ; r1-s) 1. By the Equivocability of Com and CPA security of CPA PKE, 2. C = (c0, c1, com) C~ = (c~0, c~1, com~) 3. where (ck~, com~, ~0, ~1) EQSetup(t*) and c~v= Enc(pkv, ~v; rv) for both v {0,1} Ciphertext C = (c0, c1, com) C = (c0, c1, com) looks independent of s Decrypting C: s = 0 if Dec(sk0, c0) = Com(ck, t, 0; ) = com 1 otherwise 1. 10
Step 1: Base 1-Bit TBE Equivocal tag-based Bit-Commitment + Base (1-bit) TBE CPA PKE (pk0,sk0), (pk1, sk1): key pairs of CPA PKE ck: commitment key PKbase= (pk0, pk1, ck), SKbase= sk0 Existence of the alternative decryption procedure By the statistical binding of Com, if C is good, namely, witness (s, r, ) satisfying Enc(pks, ; r) = cs Com(ck, t, s; ) = com, then decryption with sk0and that with sk1agree Encrypting s {0,1} under tag t : r0, r1, 0, 1 random com Com(ck, t, s; s) cs Enc(pks, s; rs) c1-s Enc(pk1-s, ; r1-s) 1. 2. 3. Confidentiality (hiding of s) continues to hold even if an adversary is given (1) a dec oracle that only decrypts good CT s; & (2) the witness (s, r, ) for the challenge CT Alternaltive Decryption using sk1: s = 1 if Dec(sk1, c1) = Com(ck, t, 1; ) = com 0 otherwise Ciphertext C = (c0, c1, com) Decrypting C: s = 0 if Dec(sk0, c0) = Com(ck, t, 0; ) = com 1 otherwise 1. 1. 11
Step 2: Combining with BARG + Base (1-bit) TBE Weak CCA TBE BARG Universal hash CRS of BARG PK = (PKbase, crs, UH), SK = SKbase TEnc(PK, t, m): s = (s1 , , sk) {0,1}k Encrypt each bit si using the base 1- bit TBE and get ciphertexts C1, , Ck Generate a BARG proof that every Ci is good cm UH(s) m Return Ctbe= (C1, , Ck, , cm) TDec(SK, t, Ctbe): where Ctbe= (C1, , Ck, , cm) 1. 2. Verify the BARG proof Decrypt each Ci by the decryption procedure of the base 1-bit TBE and recover the bits s = (s1, , sk) {0,1}k Return m = UH(s) cm 1. 3. 2. 4. 5. 3. 12 In the actual construction, the commitment key ck has to be generated for each position i [k].
Ideas for Security Proof Succinctness Requirement: | | = 1 ???? ?,? ? ? + ???? ,? ?? ( < 1) Ctbe= ( C1, , Ck, , cm= UH(s1, , sk) m) Each Ciencrypts the bit si A BARG proof that every Ciis good Universal hash By the confidentiality of the base 1-bit TBE, (C1, , Ck) do not leak s = (s1, , sk) {0,1}k Dec. queries are handled using the two secret keys sk0, sk1(w/ the alternative decryption) and (semi-adaptive) soundness of BARG (analogous to the Naor-Yung paradigm[NY90]) Except for cm, the only remaining component in Ctbestill dependent on s is ? ? C1, , Ck, ) k | | Set k to be a sufficiently large polynomial (that depends on poly( , n) s and ) ? ? C1, , Ck, ) also becomes sufficiently large 13 Leftover Hash Lemma guarantees that UH(s) statistically hides m
Summary & Open Problems Our main result: + CCA PKE CPA PKE BARG Succinctness Requirement: Open Problems ? | | = 1 ? + ???? ,? ?? ( < 1) ???? ?,? Is a BARG with the above succinctness easier to construct than one that implies NIZKs? Can we weaken the requirement ? Succinctness requirement in terms of #statements k Can we construct a NIZK from BARGs with the above succinctness? Sending k witnesses (trivial) O(k) with <k k ( <1) o(k) Polylog(k) 14 https://eprint.iacr.org/2023/1957
Appendix: BARG Security Definitions Semi-adaptive Soundness 15
