Hi everyone, this talk will be about the CCA compatibility of public key infrastructure. I'm Dakshita Khurana from UIUC and this is joint work with Brent Waters at UT Austin.

The notion of public key encryption, which we all know and love, allows Bob to set up and publish a public key in such a way that Alice can send encrypted communication to Bob, which can only be decrypted given knowledge of the corresponding secret key. Any adversary that observes this communication but cannot compute the secret key will be unable to distinguish encryptions of one message from those of another. This notion of security is called CPA security, or security against chosen plaintext attacks.

What if the receiver only ever published a verification key for a digital signature scheme for which they possess the corresponding signing key? Can we still do public key encryption? Or what if the receiver published a hard puzzle for which they alone possessed a solution? This question was one of the original motivations for the study of witness encryption, where Garg et al. showed that it is possible to encrypt a message so that it can only be opened by a recipient that knows an NP witness. Moreover, assuming the existence of an appropriate witness encryption scheme, any adversary that cannot find an NP witness will not be able to distinguish between encryptions of two different messages.

To motivate our problem statement, let's take a deeper look at the security of public key encryption schemes. Schemes satisfying the notion of CPA security often suffer from malleability attacks, where an adversary can obtain a ciphertext and modify it to obtain an encryption of a related plaintext. To defend against such attacks, public key encryption schemes are now typically required to satisfy the stronger notion of CCA security.
Here, an adversary cannot distinguish encryptions of two plaintexts, even given access to a decryption oracle that decrypts all possible related ciphertexts for the adversary. One important difference for the purposes of this talk is going to be the difference between CCA1 and CCA2 security. In CCA1 security, often called the lunchtime attack scenario, the adversary has access to a decryption oracle only before it obtains the challenge ciphertext. Once it sends two messages, m_0 and m_1, and gets an encryption of one of them, it loses access to the decryption oracle. On the other hand, the case of CCA2 security, which is a stronger definition, allows the adversary to retain access to the decryption oracle even after it obtains the challenge ciphertext. This means in particular that the adversary can obtain a challenge ciphertext, modify it to get any related ciphertext, and continue to query the decryption oracle. This is allowed as long as the adversary does not query the decryption oracle on the exact same ciphertext that it obtained as a challenge.

In this work, we generalize the examples discussed so far and put forth the notion of compatibility of any key generation, setup, or puzzle generation algorithm. We focus on the specific case of encryption schemes. So, specifically focused on encryption, we investigate whether arbitrary setup, key generation, or puzzle generation algorithms can be used to derive CCA secure schemes. In a nutshell, we show that any key or puzzle generation algorithm that gives rise to a sub-exponentially IND-CPA secure encryption scheme also gives rise to a CCA secure encryption scheme. In some more detail, under cryptographic assumptions that I will elaborate on in just a bit, any key or puzzle generation algorithm that implies a sub-exponentially IND-CPA secure encryption scheme against non-uniform adversaries also implies an IND-CCA secure encryption scheme against uniform adversaries.
I want to emphasize that the goal here is to have the key generation step of the CCA secure encryption scheme be exactly the same as the key generation, or the infrastructure, of the CPA secure encryption scheme. Specifically, in order to upgrade any key generation algorithm for a CPA scheme into one for a CCA1 scheme, we assume the existence of hinting PRGs as well as sub-exponential keyless collision-resistant hash functions against uniform adversaries. In order to achieve CCA2 security, we additionally assume the existence of sub-exponential non-interactive CCA commitments for small tag spaces. These can in turn be obtained based on time-lock puzzles with sub-exponential security, as achieved in a work of Lin, Pass and Soni. Alternatively, they can be achieved from quantum-hard one-way functions and classically hard but quantum easy one-way functions with sub-exponential security, as obtained in a work with Yael Kalai.

Let me describe some prior work in idealized models or with setup that achieves essentially the same objectives, and then I will discuss how what we aim to do is a little bit different. The Fujisaki-Okamoto transform, in the random oracle model, does in fact show that any key generation algorithm that implies a CPA encryption scheme can also be used as the key generation algorithm for a CCA encryption scheme. This is essentially what we want to do, except that the Fujisaki-Okamoto transform assumes the idealized random oracle model, whereas we want to focus on the plain model. The Naor-Yung encryption system almost gives such a process in the CRS model. But in this work, our focus is on the plain model, without setup, a CRS, or a random oracle. We also aim to make black box use of the underlying CPA scheme. In fact, we also end up making black box use of all the other cryptographic assumptions.
One of our goals is also to make the weakest possible cryptographic assumptions.

Let me give a bird's eye view of our technique for achieving CCA1 security. A key requirement, and the main motivation for our work, is that the key generation algorithm remain identical to that of an arbitrary CPA secure encryption scheme, which means key generation is going to output a CPA public key and the corresponding secret key. The encrypt algorithm, on input a message m, is going to evaluate a PRG on a random seed and then XOR the result with the message m. This will constitute the first component of the ciphertext. The rest of the ciphertext components will be generated in the following way. Let's say that the seed s is n bits long; for every index i in [n], we will compute a special commitment to the i-th bit of the seed. In addition, we will encrypt the opening of this commitment twice, once using the CPA encryption scheme and the other time using a general purpose statistically binding commitment. The reason we do this is that encrypting using the CPA scheme and committing using the statistically binding commitment actually gives us two ways to open any given ciphertext. One is by decrypting the orange part, which is the public key encryption part, using the corresponding secret key, and the other is to break open the statistically binding commitment by running in sufficiently large time, that is, by trying all possible inputs and randomness to this commitment and figuring out what y_i is. The reason this helps is that we will maintain an invariant that, for any query the adversary makes to the CCA decryption oracle, decrypting by opening the orange box or by opening the blue box is going to lead to recovering the exact same seed value s_i, the i-th bit of the seed. In a little bit I'll talk more about why this is helpful.
Let me just complete this picture of CCA1 security by saying that the decrypt algorithm, given a ciphertext c, is going to simply decrypt using the orange box, using the corresponding secret key of the CPA secure scheme, to recover each s_i. Note that once you have recovered the entire seed s, you can compute PRG(s) and XOR it with the first component of the ciphertext, which is c, to recover the message m.

Zooming in a little into why we build our ciphertexts this way: note that we want to enforce an invariant that says that whether we decrypt using the orange box or the blue box, both lead to recovering the exact same seed. This is a little reminiscent of many different templates for achieving CCA security, including the Naor-Yung template. However, here, to enforce that both of these lead to recovering the same seed, we're going to rely on redundancy; more specifically, we will enforce this by means of a hinting PRG, via a mechanism inspired by the work of Koppula and Waters and of Kitagawa et al. Opening things up a little, note that the way I've used randomness here is that p_i is the randomness used for the orange box and q_i is the randomness for the blue box, the statistically binding commitment. The way these are generated is that they will actually depend on the i-th bit of the seed s. More specifically, if s_i is zero, then p_i is going to be the output of the PRG and the value q_i is going to be uniform. If s_i is one, then p_i is going to be uniform and q_i will be the output of the PRG. In some way, the p's and q's can be thought of as hints about the secret s. More specifically, if someone wants to extract the i-th bit of the seed by decrypting the ciphertext in the orange box, what they would do is obtain y_i, which would be a candidate opening for the special commitment on the left, and use it to obtain a candidate i-th bit of the seed.
Once they have computed all the bits of the seed by decrypting all n orange boxes, they'll compute the relevant p's and q's by evaluating the PRG on the candidate seed s. Once this is done, they will use the recovered p's and q's to re-encrypt and check whether the candidate s was correct or incorrect. It is these checks that can be used to ensure that, in a hybrid game, one can switch to answering the adversary's oracle queries without ever relying on the decryption key sk. Instead, in this hybrid experiment, the decryption oracle will be implemented by brute-force breaking the statistically binding commitment, using it to obtain a candidate opening y_i, and using that to obtain a candidate bit s_i of the seed, as before. Then, as before, once the seed has been obtained, one can compute the p's and q's and use them to perform a series of checks. It is ensured that, as long as the checks pass, it is computationally hard for the adversary to come up with a decryption query such that the orange box and the blue box would lead to different decryption results. To enable this, the special commitment on the left is defined as a computationally binding, statistically equivocal commitment. What one can show is that if the checks pass and the adversary was able to come up with a query where the orange and blue boxes resulted in different decryption results, then the adversary must necessarily be breaking the computational binding property of the special commitment. It is also here that we need to restrict the adversary to being a uniform machine and rely on specific types of assumptions, like keyless collision-resistant hashing against uniform adversaries, to get such a computationally binding commitment.
Moreover, in our hybrid experiments it is going to be important to modify the challenge ciphertext slowly, so that in some of these games the challenge ciphertext contains special commitments that are actually generated in equivocal mode, and so that the orange and blue boxes actually do encrypt different openings. But again, we will ensure that this is only done for the challenge ciphertext, whereas the adversary's decryption queries can never have such equivocation going on unless the adversary breaks some underlying computational assumptions.

Another key tool that we make use of is a hinting PRG. These were developed by Koppula and Waters and are known based on various assumptions, like the computational Diffie-Hellman assumption or the learning with errors assumption. These are just a special type of PRG where, instead of requiring that the output of the PRG be indistinguishable from uniform, we require that the adversary not be able to distinguish between the following two games. In game 0, a seed s is sampled at random and the output of the PRG is computed on this seed s. Then the adversary, instead of getting just the output of the PRG, gets what looks like an entire set of blocks, where the first block consists of the first part of the output of the PRG. The second block contains the output of the PRG as well as a uniformly random string, but these are arranged in such a way that if the first bit of the seed is 0, then the output of the PRG is placed on top and a uniformly random string is placed on the bottom, and if the first bit of the seed is 1, then these are placed the other way around, meaning that there will be a uniform value on the top and the output of the PRG on the bottom. This is done for every index i in [n], where n is also the length of the seed, and the adversary gets this entire set of blocks.
In game 1, the adversary simply gets a uniform set of blocks, and the idea is that the adversary should not be able to distinguish between these two games in polynomial time. So really, the difference from a regular PRG is that here the location of these blocks, the output versus the uniform string, actually depends on the seed itself and can be thought of as giving out hints about the seed. This type of structure is actually important to our proof of security.

Now let me move on to say a little about our technique for achieving CCA2 security. The overall template for our construction is very similar to the CCA1 setting, except for one important difference: instead of using a statistically binding commitment to set up our alternative decryption mechanism, we actually use a CCA secure commitment. As before, we will ensure that there are two ways to open any ciphertext that the adversary sends to the decryption oracle. One is to decrypt using the secret key of the CPA encryption scheme, which means opening the orange box, and the other is to open the blue box, which means breaking open the CCA secure commitment. We are going to ensure the same invariant, which is that both lead to the recovery of the same seed bit s_i. Now recall that the difference in the CCA2 setting from the CCA1 setting is that the adversary continues to have access to the decryption oracle even after it has obtained the challenge ciphertext.
This makes the proof for the CCA2 setting significantly trickier. In particular, this means that despite the fact that in certain hybrids the challenger is going to be cheating in the way it generates the challenge ciphertext, which will contain all these equivocations, we need to continue to ensure that the adversary maintains this invariant in all of its queries, and this despite the fact that the challenge ciphertexts being sent to the adversary actually do not satisfy this invariant at various steps in the game. This is where we rely on the CCA property of the commitment scheme. Let me also mention that we only require the CCA commitments to satisfy a special type of uniform security. We do not need full-fledged non-uniform security; what we actually need is for the CCA commitments to be secure against computation-enabled uniform adversaries. This is a new notion of uniform security which lies somewhere in between uniform and non-uniform, where the adversary is uniform except for getting access to an oracle at the beginning of the game that allows it to perform some more than polynomial time computation. These types of commitments were constructed in joint work with Rachit Garg, George Lu and Brent Waters, and they only require black box use of base commitment schemes. Like I said, these can be based, for example, on sub-exponential time-lock puzzles, and along with this they assume the existence of hinting PRGs and keyless collision-resistant hash functions, which are assumptions that we are making anyway for our construction.

In summary, we show that the setup or key generation algorithm used for any IND-CPA secure public key encryption scheme also gives rise to an IND-CCA2 secure public key encryption scheme under suitable cryptographic assumptions.
In more detail, we assume that the CPA secure scheme satisfies sub-exponential CPA security, and we additionally assume black box access to hinting PRGs and keyless collision-resistant hash functions; for the case of CCA2 security, we assume access to a base CCA2 secure commitment scheme. An interesting direction for future research is to understand whether the setup or key generation algorithms for any public key encryption scheme can give rise to something like a digital signature and, more generally, when setup that was originally used for one type of cryptosystem can be used to realize a completely different cryptosystem altogether, without the need to assume any additional setup or infrastructure. With that, I'd like to conclude my talk. Thank you so much for listening.
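The CCA1 template the talk describes (a seed s, PRG(s) masking the message, and for each seed bit s_i a special commitment, an orange CPA ciphertext and a blue commitment whose randomness is PRG output or uniform depending on s_i, with re-encryption checks at decryption time) is easier to see in code. The following Python is an added illustration written for this page; it is not the speakers' code and not the paper's construction. Every primitive is a constructed, insecure stand-in: textbook RSA with a random pad plays the black-box CPA scheme, SHA-256 plays both the PRG and the statistically binding commitment, and a plain hash commitment stands in for the equivocal special commitment. The function names (`encrypt_with_hints`, `tamper_orange`, and so on), the 16-bit seed and the 8-byte message are all my choices. What it shows is the ciphertext layout, the seed-dependent placement of the hints, and that a malleated orange box or a mis-placed hint is rejected by the re-encryption checks.

```python
"""Toy of the CCA1 template from the talk. Added illustration; all primitives are
constructed stand-ins (textbook RSA, SHA-256) and nothing here is secure."""
import hashlib
import secrets

NBITS = 16                       # seed length n: one (special, orange, blue) triple per bit
P, Q = 2**61 - 1, 2**89 - 1      # Mersenne primes, so the toy RSA modulus fits on one line
E = 65537


def cpa_keygen():
    """Key generation of the black-box CPA scheme; the CCA1 scheme reuses it unchanged."""
    return P * Q, pow(E, -1, (P - 1) * (Q - 1))                 # (pk, sk)


def cpa_enc(pk: int, y: int, r: int) -> int:
    """Toy CPA scheme: RSA on (y || r). Deterministic in r, so a decryptor can re-encrypt."""
    assert y < 2**64 and r < 2**64
    return pow((y << 64) | r, E, pk)


def cpa_dec(sk: int, pk: int, ct: int) -> int:
    return pow(ct, sk, pk) >> 64


def bit(seed: bytes, i: int) -> int:
    return (seed[i // 8] >> (7 - i % 8)) & 1


def prg_block(seed: bytes, idx: int) -> bytes:
    """Block idx of PRG(seed): block 0 masks the message, blocks 1..n feed the hints."""
    return hashlib.sha256(b"prg" + seed + idx.to_bytes(2, "big")).digest()[:8]


def hint_pairs(seed: bytes):
    """Hinting-PRG layout: pair i is (PRG, uniform) if s_i = 0, else (uniform, PRG).
    First element is p_i (randomness of the orange box), second is q_i (blue box)."""
    pairs = []
    for i in range(NBITS):
        y, u = prg_block(seed, i + 1), secrets.token_bytes(8)
        pairs.append((y, u) if bit(seed, i) == 0 else (u, y))
    return pairs


def commit(y: int, q: bytes) -> bytes:
    """Stand-in for the statistically binding commitment (the blue box)."""
    return hashlib.sha256(b"com" + y.to_bytes(8, "big") + q).digest()


def special_commit(b: int, y: int) -> bytes:
    """Stand-in for the binding, equivocal commitment to seed bit b with opening y."""
    return hashlib.sha256(b"spc" + bytes([b]) + y.to_bytes(8, "big")).digest()


def xor8(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_hints(pk: int, msg: bytes, seed: bytes, pairs):
    """Build the ciphertext from an explicit seed and hint pairs (lets a bad layout be tested)."""
    assert len(msg) == 8 and len(seed) == NBITS // 8
    c0 = xor8(msg, prg_block(seed, 0))
    comps = []
    for i, (p, q) in enumerate(pairs):
        y = int.from_bytes(secrets.token_bytes(8), "big")        # opening of the special commitment
        comps.append((special_commit(bit(seed, i), y),
                      cpa_enc(pk, y, int.from_bytes(p, "big")),  # orange box, randomness p_i
                      commit(y, q)))                             # blue box, randomness q_i
    return c0, comps


def encrypt(pk: int, msg: bytes):
    seed = secrets.token_bytes(NBITS // 8)
    return encrypt_with_hints(pk, msg, seed, hint_pairs(seed))


def decrypt(pk: int, sk: int, ct):
    """Orange path: recover each y_i with sk, open the special commitment to get s_i, then
    recompute the PRG on the candidate seed and re-check whichever box used PRG randomness."""
    c0, comps = ct
    bits, ys = [], []
    for spc, orange, _blue in comps:
        y = cpa_dec(sk, pk, orange)
        b = None if y >= 2**64 else next((b for b in (0, 1) if special_commit(b, y) == spc), None)
        if b is None:
            return None                                          # opening does not match
        bits.append(b)
        ys.append(y)
    seed = bytes(sum(bits[8 * j + k] << (7 - k) for k in range(8)) for j in range(NBITS // 8))
    for i, (_spc, orange, blue) in enumerate(comps):
        r = prg_block(seed, i + 1)
        if bits[i] == 0 and cpa_enc(pk, ys[i], int.from_bytes(r, "big")) != orange:
            return None                                          # p_i should have been PRG output
        if bits[i] == 1 and commit(ys[i], r) != blue:
            return None                                          # q_i should have been PRG output
    return xor8(c0, prg_block(seed, 0))


def tamper_orange(ct, i: int, pk: int):
    """Malleate orange box i (RSA is homomorphic): y_i changes, so its special commitment won't open."""
    c0, comps = ct
    spc, orange, blue = comps[i]
    comps = list(comps)
    comps[i] = (spc, orange * pow(2, E, pk) % pk, blue)
    return c0, comps
```

The toy models only the orange decryption path and the checks; the brute-force blue path of the hybrid argument and the CCA2 variant with CCA commitments are not represented. The message component c_0 is deliberately left malleable, as in the CCA1 setting the adversary makes no queries after seeing the challenge, and so the talk's checks concern only the per-bit boxes.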