Topics in Cryptography
Lecture 6. Topic: Chosen Ciphertext Security
Lecturer: Moni Naor
Recap: chosen ciphertext security
• Why chosen ciphertext security / malleability matters
• Taxonomy of attacks and security notions
• Ideas for achieving CCA security
  – Redundancy + verification
• The NIZK approach
• Simple scheme achieving CCA1
  – Based on DDH
  – Modification achieving CCA2
• Chosen-ciphertext security via correlated products
Homework: one-time signature schemes
• Show that if g is a one-way function the scheme is indeed a one-time signature scheme.
• Show how to obtain a strongly unforgeable signature scheme
  – You may use the existence of Universal One-Way Hash Functions
• Why do we need strongly unforgeable signature schemes in the CCA2 scheme?
One-time Signature Schemes
A signature scheme that is
• Existentially unforgeable
• The adversary A gets to pick and see the signature on one message
• A wins if he can find any other (message, signature) pair that is accepted by the signature verification algorithm
  – The message should be different
  – Strongly unforgeable: also cannot find another signature on a message that has been signed
One-time Signature Schemes
Construction can be based on any one-way function g

Public key: (y_1^0, y_1^1), (y_2^0, y_2^1), …, (y_k^0, y_k^1)
Secret key: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)
where y_i^b = g(s_i^b)

Signature on message m ∈ {0,1}^k: output s_1^{m_1}, s_2^{m_2}, …, s_k^{m_k}

[Figure: the k pairs of public values (y_i^0, y_i^1); each bit m_i of the message selects one secret preimage s_i^{m_i} from pair i.]
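A worked instance of the construction above, added here as an example (it is not part of the lecture). SHA-256 stands in for the one-way function g, k = 256, and messages are hashed first so that the k-bit "message" is the digest (hash-then-sign, an assumption of this example; the slide signs a k-bit string directly). `reuse_demo` shows why the scheme is one-time: every signature releases half of the secret preimages, so after a handful of signatures under the same key an adversary can assemble a valid signature on a message that was never signed.

```python
import hashlib
import secrets

K = 256  # k = 256: we sign the SHA-256 digest of a message, so every message has k bits


def g(s: bytes) -> bytes:
    """The one-way function g; SHA-256 stands in for a generic OWF (assumption)."""
    return hashlib.sha256(s).digest()


def keygen():
    """Secret key: k pairs (s_i^0, s_i^1). Public key: y_i^b = g(s_i^b)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(K)]
    pk = [(g(s0), g(s1)) for s0, s1 in sk]
    return sk, pk


def msg_bits(msg: bytes):
    """Message bits m_1 .. m_k (hash-then-sign: the digest is the k-bit message)."""
    d = hashlib.sha256(msg).digest()
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(K)]


def sign(sk, msg: bytes):
    """Signature on m: release s_i^{m_i} for every position i."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Accept iff g(sig_i) == y_i^{m_i} for every i."""
    return len(sig) == K and all(
        g(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg))
    )


def leaked(signatures):
    """What an adversary learns from (msg, sig) pairs: the released preimages."""
    known = [[None, None] for _ in range(K)]
    for msg, sig in signatures:
        for i, b in enumerate(msg_bits(msg)):
            known[i][b] = sig[i]
    return known


def forge(known, target: bytes):
    """Assemble a signature on target from leaked preimages; None if one is missing."""
    sig = [known[i][b] for i, b in enumerate(msg_bits(target))]
    return None if any(s is None for s in sig) else sig


def reuse_demo(num_signatures: int) -> bool:
    """Sign num_signatures distinct messages under ONE key, then try to forge on a
    message that was never signed. Returns True iff the forgery verifies."""
    sk, pk = keygen()
    seen = []
    for i in range(num_signatures):
        m = f"msg-{i}".encode()  # constructed sample messages
        seen.append((m, sign(sk, m)))
    target = b"never signed"
    forged = forge(leaked(seen), target)
    return forged is not None and verify(pk, target, forged)
```

After a single signature, `forge` on a different message fails at every position where the two digests differ, which is the one-time guarantee. With t signatures under the same key only about k·2^(1−t) positions remain constrained, so by t ≈ 40 the adversary holds essentially the whole secret key. Note also that a second, different signature on an already-signed message would need a second preimage under g at some position, which is the property the strong-unforgeability homework asks you to pin down.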
Universal One-Way Hash Functions (UOWHFs)
• A family of functions G = {g | g: {0,1}^n → {0,1}^{h(n)}} such that
• It is easy to sample g from G, and g ∈ G has a succinct description
• Given (n, g, x) it is easy to compute g(x)
• h(n) < n
• Hard to find target collisions:
  – Given (n, g, x), hard to find x' ∈ {0,1}^n with x ≠ x' but g(x) = g(x')
  – The adversary picks x before seeing g
Motivation for Zero-Knowledge
Can turn any protocol that
• works well when the parties are benign (but curious)
into
• one that works well when the parties are malicious
The use of NIZK to obtain CCA security is an example of this principle
Correlated Products
• For a collection F of one-way functions consider (f_1(x_1), …, f_k(x_k)) for every f_1, …, f_k ∈ F
• f_1, …, f_k is hard to invert for independent random (x_1, …, x_k)
• But what happens when x_1, …, x_k are correlated?
  – For instance x_1 = x_2 = … = x_k: repetition
CCA Security from Repetition
Collection F of injective TDFs secure under the k-repetition product
• Hard-core bit h for F
  – Given f(x), infeasible to guess h(x) with noticeable advantage
  – Goldreich-Levin (inner product) is still hard-core under k-repetition
CCA1 Scheme
Collection F of injective TDFs secure under the k-repetition product

Key generation:
Public: (f_1^0, f_1^1), (f_2^0, f_2^1), …, (f_k^0, f_k^1), h
Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)   (the trapdoors for inverting the f_i^b)

Enc_pk(b):
Choose v ∈_R {0,1}^k, x ∈_R {0,1}^n
Output (v, f_1^{v_1}(x), …, f_k^{v_k}(x), h(x) ⊕ b)

[Figure: the bits of v select one function f_i^{v_i} from each pair; all k selected functions are applied to the same x.]
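To make the decryption consistency check concrete, here is an added toy implementation (example code, not from the lecture) of the key generation, encryption and decryption of the scheme above, in Python 3.8+. Textbook RSA with small freshly generated moduli plays the injective TDF f_i^b with trapdoor s_i^b, the hard-core bit h is the Goldreich-Levin inner product with a public random vector, and k = 3. Two caveats: the toy parameters are not secure, and RSA is not known to be secure under k-repetition (with a small public exponent it is broken outright by Håstad's broadcast attack), so this illustrates only the mechanics. The security-relevant behaviour is in `decrypt`: it inverts every coordinate with its trapdoor and rejects unless all k preimages agree, which is exactly what a ciphertext with one mauled coordinate fails.

```python
import secrets

K = 3          # number of function pairs (k-repetition); k >= 2 for the check to bite
N_BITS = 120   # input length n of the TDFs; smaller than every modulus below
E = 65537      # RSA public exponent
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases (fine for a toy example)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def tdf_keygen(bits: int = 64):
    """One injective TDF with trapdoor: textbook RSA x -> x^E mod N (stand-in only).
    Returns (public description, trapdoor)."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:          # E is prime, so this is gcd(E, phi) == 1
            return (p * q, E), (p * q, pow(E, -1, phi))


def f(pub, x: int) -> int:
    n_mod, e = pub
    return pow(x, e, n_mod)


def f_inv(trap, y: int) -> int:
    n_mod, d = trap
    return pow(y, d, n_mod)


def keygen():
    """Public: (f_i^0, f_i^1) for i = 1..k plus the Goldreich-Levin vector r.
    Secret: the trapdoors (s_i^0, s_i^1)."""
    pairs = [(tdf_keygen(), tdf_keygen()) for _ in range(K)]
    funcs = [(p0[0], p1[0]) for p0, p1 in pairs]
    traps = [(p0[1], p1[1]) for p0, p1 in pairs]
    r = secrets.randbits(N_BITS)
    return (funcs, r), traps


def h(r: int, x: int) -> int:
    """Goldreich-Levin hard-core bit: inner product <r, x> mod 2."""
    return bin(r & x).count("1") & 1


def encrypt(pk, b: int):
    funcs, r = pk
    v = [secrets.randbits(1) for _ in range(K)]     # v in_R {0,1}^k selects f_i^{v_i}
    x = secrets.randbits(N_BITS)                     # x in_R {0,1}^n, the same x everywhere
    ys = [f(funcs[i][v[i]], x) for i in range(K)]
    return v, ys, h(r, x) ^ b


def decrypt(pk, sk, ct):
    """Invert every coordinate with its trapdoor; reject unless all preimages agree."""
    funcs, r = pk
    v, ys, d = ct
    xs = [f_inv(sk[i][v[i]], ys[i]) for i in range(K)]
    if any(x != xs[0] for x in xs) or xs[0] >= 1 << N_BITS:
        return None                                  # inconsistent: reject the query
    return h(r, xs[0]) ^ d


def tamper(ct):
    """A chosen-ciphertext query: change one coordinate of a valid ciphertext."""
    v, ys, d = ct
    ys = list(ys)
    ys[0] ^= 1
    return v, ys, d
```

With k = 1 there would be nothing to compare and the mauled coordinate would decrypt to an unrelated x', leaking h(x') ⊕ d to the attacker; the repetition is what turns "one coordinate changed" into a detectable inconsistency. The domain check `xs[0] < 2^n` is an extra guard a practitioner should keep: an inverse outside the advertised domain is also evidence of a crafted ciphertext.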
Construction of Correlated Products: Lossy Trapdoor Functions [Peikert Waters '08]
• Two indistinguishable collections:
  – F_0: collection of many-to-one functions (large in-degree; hardness of inversion)
  – F_1: collection of injective functions, each f ∈ F_1 with a trapdoor for f^{-1}
  – Indistinguishability: a random f ∈ F_0 cannot be told apart from a random f ∈ F_1
• Various number-theoretic assumptions [PW '08, GRS '08, BFO '08, …]
Claim: F_1 is secure under x_1 = … = x_k
  – f ∈ F_0 is many-to-one: f(x) "reveals" only r ≪ n bits of x
  – f_1(x), …, f_k(x) is one-way as long as r·k ≤ n − ω(log n)
Realizing Lossy Trapdoors from DDH
DDH: (g, g^x, g^y, g^{xy}) is indistinguishable from (g, g^x, g^y, g^z)
El Gamal: public key ⟨g, h = g^x⟩, secret key x
Encrypt (small m): choose random r, send (g^r, h^r g^m) = (g^r, g^{xr+m})
Homomorphism on message and randomness (coordinate-wise): E(m_1, r_1) · E(m_0, r_0) = E(m_1 + m_0, r_1 + r_0)

Ciphertext Matrix
For any matrix M = {m_ij} define the ciphertext matrix (plus a vector):
• Every row i has the same h_i = g^{x_i}
• Every column j uses the same randomness r_j
• Entry (i, j): h_i^{r_j} g^{m_ij}
• Vector entry j: g^{r_j}
• The h_i's are not published

Synthesizer of Ciphertext Matrix
Key property: the ciphertext matrix (plus vector) hides M = {m_ij}, i.e. the matrices generated for different M's are indistinguishable (under DDH)
Homework: ciphertext matrix indistinguishability
• Prove that for any two matrices M_0 and M_1 the resulting ciphertext matrices plus randomness vectors are indistinguishable
Generating Products
Given the ciphertext matrix of M (entries h_i^{r_j} g^{m_ij}, vector g^{r_j}) and a plaintext P ∈ {0,1}^n: multiply together the columns j with P_j = 1 to generate an encryption of M · P
[Figure: the plaintext bits P_1, P_2, … select columns of the matrix; every row i has the same h_i = g^{x_i}.]

Public Key
Public key: the ciphertext matrix, where the m_ij are either
• the all-zero matrix M_0, or
• the identity matrix M_I
• Claim: if the matrix is the identity, the plaintext P can be reconstructed from the encryption of M · P (using the x_i's)
• Claim: if the matrix is all zero, the function is lossy when the dimension n is larger than log q
  – Each entry is just a sum of the r_j's according to P (in the exponent)
  – The rest is determined by the h_i's
  – Only log q bits of information about P
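An added example (Python; not from the lecture) of the two modes of the function P ↦ M·P described above, over a toy group chosen for this example: p = 1019 = 2q + 1 with q = 509, g = 4 generating the order-q subgroup, and n = 12 > log₂ q. `image_size` enumerates all 2^n inputs: in the all-zero mode there are at most q = 509 distinct outputs (the output depends only on r·P mod q), in the identity mode all 4096 inputs map to distinct outputs, and `invert` recovers P using the row secrets x_i. The group is far too small to be secure and DDH is not what this shows; the lossy/injective behaviour is the point.

```python
import secrets
from itertools import product

P = 1019   # safe prime p = 2q + 1 (toy size, chosen for this example)
Q = 509    # prime order of the subgroup the scheme lives in
G = 4      # generator of the order-q subgroup (a quadratic residue mod p)


def keygen(n: int, mode: str):
    """Ciphertext matrix of M with M = 0 ('lossy') or M = I ('injective').
    Returns the public key (vector g^{r_j}, matrix h_i^{r_j} g^{m_ij}) and the
    row secrets x_i (the trapdoor); the h_i = g^{x_i} themselves are not published."""
    xs = [1 + secrets.randbelow(Q - 1) for _ in range(n)]   # x_i: same h_i across row i
    rs = [1 + secrets.randbelow(Q - 1) for _ in range(n)]   # r_j: same randomness down column j
    hs = [pow(G, x, P) for x in xs]
    vec = [pow(G, r, P) for r in rs]
    mat = [
        [pow(hs[i], rs[j], P) * pow(G, 1 if (mode == "injective" and i == j) else 0, P) % P
         for j in range(n)]
        for i in range(n)
    ]
    return (vec, mat), xs


def evaluate(pk, bits):
    """f_M(P): multiply the columns selected by P, giving an encryption of M.P:
    (g^{r.P}, h_i^{r.P} g^{(M P)_i} for each row i)."""
    vec, mat = pk
    c0 = 1
    for j, b in enumerate(bits):
        if b:
            c0 = c0 * vec[j] % P
    rows = []
    for row in mat:
        c = 1
        for j, b in enumerate(bits):
            if b:
                c = c * row[j] % P
        rows.append(c)
    return c0, tuple(rows)


def invert(xs, out):
    """Injective mode: strip h_i^{r.P} with x_i, leaving g^{P_i}; read off P_i in {0,1}."""
    c0, rows = out
    bits = []
    for x_i, c_i in zip(xs, rows):
        t = c_i * pow(c0, P - 1 - x_i, P) % P     # c0^{-x_i} by Fermat
        if t == 1:
            bits.append(0)
        elif t == G:
            bits.append(1)
        else:
            return None
    return bits


def image_size(pk, n: int) -> int:
    """Number of distinct outputs over all 2^n inputs."""
    return len({evaluate(pk, bits) for bits in product((0, 1), repeat=n)})
```

Running `invert` on an output of the lossy mode returns the all-zero string for every input: with M = 0 the only thing left after stripping h_i^{r·P} is g^0, which is the "log q bits of information" remark made concrete.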
Identity-Based Encryption (IBE)
A public-key* encryption system where any arbitrary string can be used as the public key
  – Examples: a user's e-mail address, the current date, biometric data…
An authority publishes a public master key and keeps secret a private master key
Extract: given any string ID ∈ {0,1}*, the authority can create SK_ID
To encrypt: need the public master key and ID
To decrypt: need SK_ID

[Figure: Alice encrypts e-mail to Bob using the public master key and Bob's ID; Bob authenticates to the authority (the CA, holding the private master key) as "[email protected]" and obtains SK_Bob. This could happen before or after the e-mail was encrypted. ID can be: e-mail, e-mail + time, e-mail + credentials, fingerprint…]

History
• The concept was formulated by Adi Shamir in 1984
• First IBE schemes in 2001
  – Boneh and Franklin, Crypto 2001: based on pairings
  – Cocks, Intern. Conf. on Cryptography and Coding 2001: based on quadratic residuosity
  – The first proposals need a random oracle; later ones are in the standard model
Security Definition for IBE
Semantic security against an adaptive ID extraction attack:
  – No polynomially bounded adversary can distinguish with non-negligible advantage between encryptions of m_0 and m_1 under the target id
  – m_0 and m_1 are chosen by the adversary
  – The adversary gets to issue extract requests: given id_i, obtain SK_{id_i}
  – How is the target id chosen:
    • Adaptively
    • Ahead of time: selective-ID security
  – Extract may not be issued on the target id
Getting CCA1 from IBE
• Public key: the master public key of the IBE scheme
• Secret key: the corresponding master secret key
• To encrypt a message m:
  – Generate a random string vk
  – Encrypt the message m with respect to the "identity" vk; the resulting ciphertext is C
  – The ciphertext: ⟨C, vk⟩
• To decrypt a ciphertext ⟨C, vk⟩:
  – Extract the key corresponding to vk and decrypt C
CCA2 from IBE
• Public key: the master public key of the IBE scheme
• Secret key: the corresponding master secret key
• To encrypt a message m:
  – Generate a key pair (vk, sk) for a one-time strongly unforgeable signature scheme
  – Encrypt the message m with respect to the "identity" vk; the resulting ciphertext is C
  – Sign C using sk to obtain a signature σ
  – The ciphertext: ⟨C, vk, σ⟩
• To decrypt a ciphertext ⟨C, vk, σ⟩:
  – Verify the signature σ on C using vk
  – If it passes: extract the key corresponding to vk and decrypt C
Getting Rid of the One-Time Signatures
• One-time signatures: long and not so efficient
• Idea: replace the signature with a MAC
  – Unconditional authentication (a pairwise independent hash family)
  – Replace the signature key with a commitment to the (MAC) hash function
• To encrypt a message m:
  – Generate (h, ck, dk): ck is a commitment to h and dk the decommitment
  – Encrypt the message m ∥ dk ∥ h with respect to the identity ck; the resulting ciphertext is C
  – Authenticate C using h: τ = h(C)
  – The ciphertext: ⟨C, ck, τ⟩
• To decrypt a ciphertext ⟨C, ck, τ⟩:
  – Extract the key corresponding to ck and decrypt C to obtain m ∥ dk ∥ h
  – Verify that dk is a proper decommitment of ck to h and that τ = h(C). Output m only if both hold

Homework: getting rid of the one-time signature schemes
• Is it possible to use a commitment instead of a one-time signature in the correlated-products scheme?

Is it circular?
The value of h is still protected by the semantic security of the encryption. The adversary learns h at only one point (τ = h(C)); by pairwise independence all other points are uniformly distributed.

For a challenge ciphertext ⟨C, ck, τ⟩:
• Any decryption query with ck' ≠ ck is "useless"
  – It can be answered by an IBE extraction query
• If ck' = ck (and C' ≠ C) the simulator can guess w.h.p. that either
  – dk is not a proper decommitment, or
  – h(C') ≠ τ', by the pairwise independence
  and hence reject
Interactive Authentication
P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E (and the corresponding secret key K_S).
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∥ r, K_P)
• P → V: On receiving c, decrypt c using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose.

Is it Safe?
Want: existential unforgeability against an adaptive chosen message attack
  – The adversary can ask to authenticate any sequence m_1, m_2, …
  – Has to succeed in making V accept a message m not authenticated by P
  – Has complete control over the channels
• Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r
• Several problems if E is "just" semantically secure against chosen plaintext attacks:
  – The adversary might change c = E(m ∥ r, K_P) into c' = E(m' ∥ r, K_P)
    • Malleability
  – It is not sufficient to verify the correct form of the ciphertext in the simulation
    • Closer to a chosen ciphertext attack
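The malleability attack sketched above, played out as an added example (Python; not from the lecture). E is textbook El Gamal, constructed here as a stand-in for an encryption scheme that is semantically secure but malleable; the group (p = 2^31 − 1, g = 7), the 12-bit nonce and the 4-bit message identifiers are choices made for this example. A man-in-the-middle turns V's challenge E(m' ∥ r) for a message m' that P would never approve into E(m ∥ r) for a harmless m, lets P decrypt and return r, and replays r to V, who then accepts m'.

```python
import secrets

P = 2**31 - 1   # Mersenne prime; textbook El Gamal in Z_p^* (toy, CPA-only, malleable)
G = 7           # primitive root mod 2^31 - 1
N = 12          # bit length of the verifier's nonce r
M_BITS = 4      # messages are 4-bit identifiers (constructed for the example)
R_MASK = (1 << N) - 1


def keygen():
    """P's key pair: K_P = g^x (public), K_S = x (secret)."""
    x = 1 + secrets.randbelow(P - 2)
    return pow(G, x, P), x


def encode(m: int, r: int) -> int:
    """m || r packed into one small exponent."""
    return (m << N) | r


def encrypt(pk: int, t: int):
    """E(t, K_P) = (g^rho, K_P^rho * g^t) with fresh randomness rho."""
    rho = 1 + secrets.randbelow(P - 2)
    return pow(G, rho, P), pow(pk, rho, P) * pow(G, t, P) % P


def decrypt(sk: int, c):
    """Recover t: strip K_P^rho, then brute-force the small discrete log."""
    c1, c2 = c
    target = c2 * pow(c1, P - 1 - sk, P) % P     # c1^{-x} by Fermat, leaving g^t
    cur = 1
    for t in range(1 << (M_BITS + N)):
        if cur == target:
            return t
        cur = cur * G % P
    return None


def verifier_challenge(pk: int, m: int):
    """V -> P: choose r, send c = E(m || r, K_P); V remembers r."""
    r = secrets.randbits(N)
    return encrypt(pk, encode(m, r)), r


def prover(sk: int, m: int, c):
    """P -> V: decrypt, check that the prefix is the message P is approving, return r."""
    t = decrypt(sk, c)
    if t is None or (t >> N) != m:
        return None
    return t & R_MASK


def maul(pk: int, c, delta: int):
    """Malleability: turn E(m || r) into E((m + delta) || r) without knowing r,
    by multiplying with a fresh encryption of delta * 2^N."""
    c1, c2 = c
    d1, d2 = encrypt(pk, (delta << N) % (P - 1))
    return c1 * d1 % P, c2 * d2 % P


def honest_run(m: int) -> bool:
    pk, sk = keygen()
    c, r = verifier_challenge(pk, m)
    return prover(sk, m, c) == r


def run_attack(m_legit: int = 3, m_target: int = 9):
    """Man-in-the-middle: V asks about m_target, which P never approves; the adversary
    rewrites the prefix to m_legit, gets P to approve m_legit, and replays r to V."""
    pk, sk = keygen()
    c_target, r = verifier_challenge(pk, m_target)
    direct = prover(sk, m_legit, c_target)              # prefix check catches a plain replay
    c_mauled = maul(pk, c_target, m_legit - m_target)
    r_leaked = prover(sk, m_legit, c_mauled)            # P approves m_legit and returns r ...
    return {
        "direct_replay_rejected": direct is None,
        "prover_approved": m_legit,
        "verifier_accepts": m_target if r_leaked == r else None,  # ... and V accepts m_target
    }
```

P's prefix check does its job against a plain replay (`direct_replay_rejected`), but it is checking a plaintext the attacker was able to steer, so the check is not what protects r. Replacing E with a CCA2-secure (hence non-malleable) scheme removes the `maul` step, which is exactly the content of the theorem that follows.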
Theorem: If E is secure against CCA2, then the interactive authentication scheme is existentially unforgeable against an active adversary mounting a chosen message attack
Proof of Security
[Figure: the reduction turns a forger for the authentication scheme into a distinguisher for the original encryption scheme E]
• The distinguisher receives pk and sets K_P = pk
• Requests to authenticate a message b_i with ciphertext c_i are answered through the decryption oracle: return r_i or nil
• Guess the session j in which the forgery will occur; pick r, r' and submit (m_0, m_1) = (b_j ∥ r, b_j ∥ r'); receive C = E_pk(m_b) and plug C into the protocol as V's challenge
• Output b' = 0 if the forgery returns r, b' = 1 if the forgery returns r', and flip a coin otherwise

No Receipts
• Can the verifier convince a third party that the prover approved a certain message?
Authentication and Non-Repudiation
• Key idea of modern cryptography [Diffie-Hellman]: authentication (signatures) can be made transferable to a third party: non-repudiation
  – Essential to contract signing, e-commerce…
• Digital signatures: the last 25 years saw a major effort in
  – Research: notions of security, computationally efficient constructions
  – Technology, infrastructure (PKI), commerce, legal
Is Non-Repudiation Always Desirable?
Not necessarily so:
• Privacy of conversation: no (verifiable) record
  – Do you want everything you ever said to be held against you?
• If Bob pays for the authentication, he shouldn't be able to transfer it for free
• Perhaps can gain efficiency

Alternative: (Plausible) Deniability
If the recipient (or any recipient) could have generated the conversation himself, or an indistinguishable one

Deniable Authentication
Setting:
• The sender has a public key known to the receiver
• Want an authentication scheme such that the receiver keeps no receipt of the conversation
This means:
• Any receiver could have generated the conversation itself
  – There is a simulator that, for any message m and verifier V*, generates an indistinguishable conversation
  – Exactly as in zero-knowledge!
  – An example where zero-knowledge is the end, not the means!
Proof of security consists of unforgeability and deniability
Ring Signatures and Authentication
Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
  – Other members do not cooperate
  – Use their "regular" public keys
• Encryption-based: it should be indistinguishable which member of the set is actually doing the authentication
[Figure: Eve cannot tell whether Alice or Bob is the one authenticating]
Ring Signatures: Rivest, Shamir and Tauman
A Public Key Authentication Protocol
P has a public key PK of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n and random bits ρ ∈ {0,1}*. Send Y = E(PK, m ∥ r, ρ)
• P → V: Verify that the prefix of the plaintext is indeed m. If yes, send r.
V accepts iff the received r' = r
Is it unforgeable? Is it deniable?

Security of the Scheme
Unforgeability: depends on the strength of E
• Sensitive to malleability:
  – If, given E(PK, m ∥ r, ρ), one can generate E(PK, m' ∥ r', ρ') where m' is related to m and r' is related to r, then one can forge
• The protocol allows a chosen ciphertext attack on E, even of the post-processing kind!
• Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
• Works even against concurrent executions
Deniability: does V retain a receipt?
  – It does not retain one for an honest V
  – Need to prove knowledge of r
We saw an encryption scheme satisfying the desired requirements

Simulator for an honest receiver: choose r ∈_R {0,1}^n and output ⟨Y = E(PK, m ∥ r, ρ), r, ρ⟩
This has exactly the same distribution as a real conversation when the verifier follows the protocol: statistical indistinguishability
A verifier might cheat by checking whether certain ciphertexts have m as a prefix; there is no known concrete way of doing harm this way
Encryption as Commitment
When the public key PK is fixed and known, Y = E(PK, x, ρ) can be seen as a commitment to x
To open x: reveal ρ, the random bits used to create Y
Perfect binding (from unique decryption): for any Y there are no two different x, x' and ρ, ρ' such that Y = E(PK, x, ρ) = E(PK, x', ρ')
Secrecy: no information about x is leaked to those not knowing the private key PS
Deniable Protocol
P has a public key PK of an encryption scheme E.
To authenticate message m:
• V → P: Choose x ∈_R {0,1}^n. Send Y = E(PK, m ∥ x, ρ)
• P → V: Send E(PK, x, ρ')   (P commits to the value x but does not want to reveal it yet)
• V → P: Send x and ρ, opening Y = E(PK, m ∥ x, ρ)
• P → V: Open E(PK, x, ρ') by sending ρ'

Security of the Scheme
Unforgeability: as before, depends on the strength of E
  – Can simulate the previous scheme (with access to D(PK, ·))
  – Important property: E(PK, x, ρ') is a non-malleable commitment (w.r.t. the encryption) to x
Deniability: can run a simulator:
  • Extract x by running with E(PK, garbage, ρ') and rewinding
  • Expected polynomial time
  • Need the semantic security of E: it acts as a commitment scheme
Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
  – Other members do not cooperate
  – Use their "regular" public keys
  – It should be indistinguishable which member of the set is actually doing the authentication
[Figure: Eve cannot tell whether Alice or Bob is the one authenticating]

Ring Authentication Setting
• A ring is an arbitrary set of participants including the authenticator
• Each member i of the ring has a public encryption key PK_i
  – Only i knows the corresponding secret key PS_i
• To run a ring authentication protocol both sides need to know PK_1, PK_2, …, PK_n, the public keys of the ring members
An Almost Good Ring Authentication Protocol
Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E
To authenticate message m with the j-th decryption key PS_j:
• V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m ∥ x, r_1), E(PK_2, m ∥ x, r_2), …, E(PK_n, m ∥ x, r_n)
• P → V: Decrypt E(PK_j, m ∥ x, r_j) using PS_j and send E(PK_1, x, t_1), E(PK_2, x, t_2), …, E(PK_n, x, t_n)
• V → P: Open all the E(PK_i, m ∥ x, r_i) by sending x and r_1, r_2, …, r_n
• P → V: Verify consistency and open all the E(PK_i, x, t_i) by sending t_1, t_2, …, t_n
Problem: what if not all the suffixes (the x's) are equal?
The Ring Authentication Protocol
Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E
To authenticate message m with the j-th decryption key PS_j:
• V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m ∥ x, r_1), E(PK_2, m ∥ x, r_2), …, E(PK_n, m ∥ x, r_n)
• P → V: Decrypt E(PK_j, m ∥ x, r_j) using PS_j and send E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n), where x = x_1 + x_2 + … + x_n
• V → P: Open all the E(PK_i, m ∥ x, r_i) by sending x and r_1, r_2, …, r_n
• P → V: Verify consistency and open all the E(PK_i, x_i, t_i) by sending t_1, t_2, …, t_n and x_1, x_2, …, x_n
Complexity of the Scheme
• Sender: a single decryption, n encryptions and n encryption verifications
• Receiver: n encryptions and n encryption verifications
• Communication complexity: O(n) public-key encryptions

Security of the Scheme
Unforgeability: as before (assuming all keys are well chosen), since E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n) with x = x_1 + x_2 + … + x_n is a non-malleable commitment to x
Source hiding: which key was used (among well-chosen keys) is
  – Computationally indistinguishable during the protocol
  – Statistically indistinguishable after the protocol, if it ends successfully
Deniability: can run the simulator "as before"
Sources
• Dolev, Dwork and Naor: Non-Malleable Cryptography, SIAM J. Computing 2000; also SIAM Review 2003
• Peikert and Waters: Lossy Trapdoor Functions and Their Applications, STOC 2008
• Rosen and Segev: Chosen Ciphertext Security via Correlated Products, TCC 2009
• Naor: Deniable Ring Authentication, Crypto 2002
CCA2 Scheme
Collection F of injective TDFs secure under the k-repetition product, and a one-time signature scheme

Key generation:
Public: (f_1^0, f_1^1), (f_2^0, f_2^1), …, (f_k^0, f_k^1), h
Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)

Enc_pk(b):
Choose a key pair (v, s) for the one-time signature scheme, and x ∈_R {0,1}^n
Output (v, f_1^{v_1}(x), …, f_k^{v_k}(x), h(x) ⊕ b) together with a signature, under s, on this message

Dec_sk(v, y_1, …, y_k, d):
Invert y_1, …, y_k (using the trapdoors selected by v) to obtain x_1, …, x_k
If all inverses are consistent, x_1 = … = x_k, and the signature is OK: output h(x) ⊕ d