Security with Functional Re-Encryption in Cryptography

Exploring the concept of functional re-encryption from the perspective of security in encryption schemes lies between CPA and CCA security levels. The work done by Yevgeniy Dodis, Shai Halevi, and Daniel Wichs delves into how functional re-encryption can enhance the security and privacy of encrypted data. The study investigates the implications and applications of funcCPA in encryption protocols, offering insights into its significance beyond traditional encryption methodologies.

• Cryptography
• Functional Re-Encryption
• Security Notions
• Encryption Schemes
• Privacy

persis Follow

Uploaded on Aug 30, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. SECURITY WITH FUNCTIONAL RE-ENCRYPTION FROM CPA YEVGENIY DODIS (NYU) SHAI HALEVI (AWS)* DANIEL WICHS (NORTHEASTERN AND NTT RESEARCH) * Work done while at the Algorand Foundation

2. funcCPA funcCPA: : Security Notion for Encryption Security Notion for Encryption Lies in between CPA and CCA security Introduced by Akavia et al. [AGHV22], in the context of FHE Rather than decryption, attacker gets a re-encryption oracle ?? ???? = ?????????????? Or even a functional re-encryption oracle FuncRE ?????, ,?????,? = ????? ? ??????????, ,??????????

3. Is Is funcCPA funcCPA Interesting? Interesting? Isn t funcCPA directly implied by CPA security? The attacker only sees valid ciphertexts [AGHV22]: Surprisingly, no! a CPA-secure encryption scheme, where a single re-encryption query reveals the secret decryption key Reason: adversary can submit mal-formed ????, ???could do weird things on such ciphertexts This makes funcCPA an interesting notion to study Even beyond the original FHE motivation of [AGHV22]

4. Sample (Non Sample (Non- -Homomorphic) Application Homomorphic) Application Confidential computing in a secure enclave ???(??)? ??? ? ,? ??? ? ? In a multi-user setting, some clients could be malicious Or a network adversary could play man-in-the-middle

5. Where Does Where Does funcCPA funcCPA Lie? Lie? Clearly*, CCA funcCPA CPA Is funcCPA closer to CPA or to CCA? Can we construct funcCPA secure encryption from CPA? Can we construct CCA secure encryption from funcCPA? Via black-box transformation? * Proving CCA funcCPA requires a little care

6. This Work: This Work: funcCPA funcCPA is Closer to CPA is Closer to CPA Theorem: funcCPA-secure encryption can be constructed from any CPA-secure scheme, via a black-box transformation Main technical observation: transformations from literature for CPA-to-non-malleability, can also be used to get funcCPA But the adaptation is subtle Those techniques were devised for non-adaptive decryption queries We show how to make them work for adaptive re-encryption queries

7. funcCPA funcCPA Security Definition Security Definition * ????????,??,???,? ????? ? ??????? ? = 1 ?????0 ? = 0 Security game: ??,?? ???? $ ,? ?,? , ? ??????? ?? ? wins if ? = ? , ? s advantage is |Pr ? ???? 1 2| * Slightly stronger than def in [AGHV22], also considered by [AV22]

8. Main Tool: The [CDMW18] Transformation Main Tool: The [CDMW18] Transformation Black-box construction of non-malleable encryption from CPA NM-security is similar to CCA-security But the attacker can only make a single parallel decryption query ? Challenger ?? ??,?? ???? $ ,? 0,1 A single parallel decryption query ??0,??1 ?? ?? = ???????? ?? ?? ? ?? = ??????? ? wins if ? = ? and ct ?? ? s advantage is |Pr ? ???? 1 2|

9. Main Tool: The [CDMW18] Transformation Main Tool: The [CDMW18] Transformation Black-box construction of non-malleable encryption from CPA Current work: The same transformation yields funcCPA If the underlying scheme is already non-malleable To get funcCPA from CPA-secure encryption: 1. Apply the [CDMW18] transformation to get non-malleability 2. Then apply it again to get funcCPA security

10. Some Hints About the Proof Some Hints About the Proof Valid [CDMW18] ciphertexts have a certain structure Bad event : Adversary sends invalid ctxt, but the decryption procedure fails to detect it As long as this doesn t happen, the proof is easy Many secret keys for each public key Any fixed invalid ctxt will be detected by most of them The only way to get information about the sk is via queries to oracle A single decryption query cannot trigger the bad event

11. Some Hints About the Proof (2) Some Hints About the Proof (2) For funcCPA we need to handle adaptive oracle queries Information about the secret key could perhaps leak But is computationally hidden behind the re-encryption Computational argument for why the bad event doesn t happen The reduction algorithm needs to know if the bad event happened It can use a single decryption call at the end to find out Reduction to non-malleability

12. Summary & Open Problems Summary & Open Problems Applying [CDMW18] twice yields funcCPA from CPA Do we really need to apply the transformation twice? We don t know how to show that applying once is enough But also don t have a counter example Are there simpler transformations? Maybe for the special case of non-functional re-encryption oracle? More applications of FuncCPA? That s All, Folks!