Topics in Cryptography Lecture 6 Topic: Chosen Ciphertext Security Lecturer: Moni Naor
Page 1: Title

Topics in Cryptography
Lecture 6. Topic: Chosen Ciphertext Security
Lecturer: Moni Naor

Page 2: Recap: chosen ciphertext security

• Why chosen ciphertext/malleability matters
• Taxonomy of attacks and security
• Ideas for achieving CCA
  – Redundancy + verification
• The NIZK approach
• Simple scheme achieving CCA1
  – Based on DDH
  – Modification achieving CCA2
• Chosen-Ciphertext Security via Correlated Products

Page 3: Homework: One-time Signature Schemes

• Show that if g is a one-way function the scheme is indeed a one-time signature scheme.
• Show how to obtain a strongly unforgeable signature scheme.
  – You may use the existence of Universal One-way Hash Functions.
• Why do we need strongly unforgeable signature schemes in the CCA2 scheme?

Page 4: One-time Signature Schemes

A signature scheme that is
• Existentially unforgeable
• Adversary A gets to pick and see the signature on one message
• A wins if he can find any other (message, signature) pair that is accepted by the signature verification algorithm
  – The message should be different
  – Strongly unforgeable: also cannot find another signature to a message that has been signed

Page 5: One-time Signature Schemes

Construction can be based on any one-way function g

Public key: (y_1^0, y_1^1), (y_2^0, y_2^1), …, (y_k^0, y_k^1)
Secret key: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)
where y_i^b = g(s_i^b)

Signature on message m ∈ {0,1}^k: output s_1^{m_1}, s_2^{m_2}, …, s_k^{m_k}

[Figure: the public key laid out as k pairs (y_i^0, y_i^1); the bits of m select one secret from each pair, e.g. m = 01…0 selects s_1^0, s_2^1, …, s_k^0.]
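The construction on this slide written out as an added example; it is not code from the lecture. Two assumptions: the one-way function g is instantiated with SHA-256, and k = 16 so the keys stay small (a real deployment signs a hash of the message). The last function shows why the scheme is strictly one-time: after two signatures the attacker holds enough of the s_i^b to sign a third message without the secret key. Note also that `verify` accepts any preimage of y_i^{m_i}, not only s_i^{m_i}, which is why strong unforgeability (the homework question) needs more than one-wayness of g.

```python
import hashlib
import secrets

K = 16  # message length k in bits (toy size; real uses sign a hash of the message)


def g(s: bytes) -> bytes:
    """The one-way function g. Assumption for this example: SHA-256 plays the role of g."""
    return hashlib.sha256(s).digest()


def keygen(k: int = K):
    """Secret: k pairs (s_i^0, s_i^1) of random strings; public: y_i^b = g(s_i^b)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(k)]
    pk = [(g(s0), g(s1)) for s0, s1 in sk]
    return pk, sk


def bits(m: int, k: int):
    """Bits m_1 .. m_k of the message (least significant first)."""
    return [(m >> i) & 1 for i in range(k)]


def sign(sk, m: int):
    """Reveal s_i^{m_i} for every position i."""
    return [sk[i][b] for i, b in enumerate(bits(m, len(sk)))]


def verify(pk, m: int, sig) -> bool:
    """Accept iff g(sig_i) = y_i^{m_i} for every i. Any preimage is accepted, not only s_i^{m_i}."""
    if len(sig) != len(pk):
        return False
    return all(g(sig[i]) == pk[i][b] for i, b in enumerate(bits(m, len(pk))))


def forge_from_two(m1: int, sig1, m2: int, sig2, target: int):
    """Why the scheme is one-time: two signatures reveal s_i^{m1_i} and s_i^{m2_i}, so any target
    whose every bit agrees with m1 or m2 at that position can be signed without the secret key.
    Returns None when some position of target is covered by neither signature."""
    k = len(sig1)
    b1, b2, bt = bits(m1, k), bits(m2, k), bits(target, k)
    sig = []
    for i in range(k):
        if bt[i] == b1[i]:
            sig.append(sig1[i])
        elif bt[i] == b2[i]:
            sig.append(sig2[i])
        else:
            return None
    return sig
```

With two complementary messages every position is covered, so every 16-bit message becomes forgeable; this is exactly the reason the CCA2 construction later in the deck generates a fresh key pair per ciphertext.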

Page 6: Universal One-Way Hash Functions (UOWHFs)

• A family of functions G = {g | g: {0,1}^n → {0,1}^{h(n)}} such that
• Easy to sample g from G, and g ∈ G has a succinct description
• Given (n, g, x) it is easy to compute g(x)
• h(n) < n
• Hard to find target collisions:
  – Given (n, g, x) it is hard to find x' ∈ {0,1}^n where x ≠ x' but g(x) = g(x')
  – The adversary picks x before seeing g

Page 7: Homework: One-time Signature Schemes (repeat of the slide on Page 3)

Page 8: Motivation for Zero-knowledge

Can turn any protocol that:
• works well when the parties are benign (but curious) into
• one that works well when the parties are malicious

The usage of NIZK to obtain CCA is an example of this principle

Page 9: Correlated Products

• For a collection F of one-way functions consider (f_1(x_1), …, f_k(x_k)) for every f_1, …, f_k ∈ F.
• f_1, …, f_k is hard to invert for random (x_1, …, x_k)
• But what happens when x_1, …, x_k are correlated?
  – For instance: x_1 = x_2 = … = x_k (repetition)

Page 10: CCA-Security from Repetition

Collection F of injective TDFs secure under the k-repetition product

• Hard-core bit h for F
  – Given f(x), infeasible to guess h(x) with a noticeable advantage

Goldreich-Levin (inner product) is still hard-core

Page 11: CCA1-Scheme

Collection F of injective TDFs secure under the k-repetition product

Key generation:
  Public: (f_1^0, f_1^1), (f_2^0, f_2^1), …, (f_k^0, f_k^1), h
  Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)   (the trapdoors)

Enc_pk(b):
  Choose v ∈_R {0,1}^k, x ∈_R {0,1}^n
  Output (v, f_1^{v_1}(x), …, f_k^{v_k}(x), h(x) ⊕ b)

[Figure: the public key as k pairs (f_i^0, f_i^1); the bits of v select one function from each pair, e.g. v = 01…0 selects f_1^0, f_2^1, …, f_k^0, all applied to the same x.]
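The CCA1 scheme above as an added example; it is not code from the lecture nor from Rosen and Segev's paper. Assumptions: the injective TDFs are toy RSA functions x ↦ x^e mod N on 20-bit moduli built from hard-coded small primes, a stand-in only. Nothing here is secure, and RSA is not even known to be secure under k-repetition: with public exponent e and k ≥ e moduli, Håstad's broadcast attack recovers x from the k images of the same x. The hard-core bit is the Goldreich-Levin inner product with a public random vector r. Decryption shows the consistency check the deck relies on (Page 53): a ciphertext whose components invert to different x's is rejected.

```python
import random
from math import gcd

# Constructed toy parameters (not secure). Twelve small primes form six RSA moduli, i.e. k = 3 pairs
# (f_i^0, f_i^1) of injective trapdoor functions f(x) = x^E mod N with trapdoor d = E^{-1} mod phi(N).
PRIMES = [1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 1051, 1061, 1063, 1069]
E = 65537
K = 3          # repetition parameter k: every ciphertext applies k functions to the same x
N_BITS = 19    # domain {0,1}^n; 2^19 is below every modulus, so each f is injective on the domain


def make_tdf(p: int, q: int):
    """Return (public description N, trapdoor d) of one RSA function."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return n, pow(E, -1, phi)


def keygen():
    """pk = ((N_1^0, N_1^1), ..., (N_k^0, N_k^1)) plus the Goldreich-Levin vector r; sk = the trapdoors."""
    tdfs = [make_tdf(PRIMES[t], PRIMES[t + 1]) for t in range(0, 4 * K, 2)]
    pub = [(tdfs[2 * i][0], tdfs[2 * i + 1][0]) for i in range(K)]
    sec = [(tdfs[2 * i][1], tdfs[2 * i + 1][1]) for i in range(K)]
    r = random.getrandbits(N_BITS)
    return (pub, r), sec


def hardcore(x: int, r: int) -> int:
    """Goldreich-Levin bit h(x) = <x, r> mod 2."""
    return bin(x & r).count("1") & 1


def encrypt(pk, b: int, v=None, x=None):
    """Enc_pk(b): choose v in {0,1}^k and x in {0,1}^n, output (v, f_1^{v_1}(x), ..., f_k^{v_k}(x), h(x) xor b).
    v and x may be fixed by the caller; the related-ciphertext check below uses that."""
    pub, r = pk
    if v is None:
        v = [random.getrandbits(1) for _ in range(K)]
    if x is None:
        x = random.getrandbits(N_BITS)
    ys = [pow(x, E, pub[i][v[i]]) for i in range(K)]
    return v, ys, hardcore(x, r) ^ b


def decrypt(pk, sk, ct):
    """Dec_sk: invert every y_i with the trapdoor of f_i^{v_i}; reject unless all inverses agree."""
    pub, r = pk
    v, ys, d = ct
    xs = [pow(ys[i], sk[i][v[i]], pub[i][v[i]]) for i in range(K)]
    if len(set(xs)) != 1 or xs[0] >= (1 << N_BITS):
        return None
    return hardcore(xs[0], r) ^ d


def swap_first_component(pk, ct, x_other: int):
    """A ciphertext a CCA adversary might submit: same v and d, but y_1 replaced by f_1^{v_1}(x')."""
    pub, _ = pk
    v, ys, d = ct
    ys2 = list(ys)
    ys2[0] = pow(x_other, E, pub[0][v[0]])
    return v, ys2, d
```

The rejection in `decrypt` is what makes decryption queries on related ciphertexts useless to the adversary: a component computed from a different x is detected because every y_i must invert to the same preimage.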

Page 12: Construction of Correlated Products: Lossy Trapdoor Functions [Peikert Waters '08]

• Two indistinguishable collections:
  – F_0: collection of many-to-one functions
  – F_1: collection of injective functions

[Figure: f ∈ F_1 is injective and has a trapdoor f^{-1}; f ∈ F_0 has large in-degree. The two properties used are the indistinguishability of F_0 and F_1 and the hardness of inversion.]

Page 13: Construction of Correlated Products: Lossy Trapdoor Functions [Peikert Waters '08]

• Two indistinguishable collections:
  – F_0: collection of many-to-one functions
  – F_1: collection of injective functions
• Various number-theoretic assumptions [PW '08, GRS '08, BFO '08, …]

Claim: F_1 is secure under x_1 = … = x_k
  – Switch (indistinguishably) to f ∈ F_0, which is many-to-one: f(x) "reveals" only r ≪ n bits of x
  – f_1(x), …, f_k(x) is then one-way as long as r · k ≤ n − ω(log n)

Page 14: Realizing Lossy Trapdoors from DDH

DDH: (g, g^x, g^y, g^{xy}) ≈ (g, g^x, g^y, g^z)
El Gamal: public key ⟨g, h = g^x⟩, secret key x
Encrypt (small m): random r, send (g^r, h^r g^m) = (g^r, g^{xr+m})

Homomorphism on message and randomness (coordinate-wise):
  E(m_1, r_1) · E(m_0, r_0) = E(m_1 + m_0, r_1 + r_0)

Page 15: Ciphertext Matrix

For any matrix M = {m_ij}_ij define the ciphertext matrix (plus vector):
  entry (i, j): h_i^{r_j} g^{m_ij}
  vector entry j: g^{r_j}
Every row i has the same h_i = g^{x_i}
Every column j uses the same randomness r_j
The h_i's are not published

Page 16: Synthesizer of Ciphertext Matrix

  entry (i, j): h_i^{r_j} g^{m_ij}
  vector entry j: g^{r_j}
Every row i has the same h_i = g^{x_i}
Every column j uses the same randomness r_j
The h_i's are not published

Key property: the matrix is indistinguishable with respect to M = {m_ij}_ij

Page 17: Homework (ciphertext matrix)

• Prove that for any two matrices M_0 and M_1 the resulting ciphertext matrices plus randomness vectors are indistinguishable

Page 18: Generating Products

Given the ciphertext matrix of M (entries h_i^{r_j} g^{m_ij}, vector g^{r_j}) and a plaintext P ∈ {0,1}^n: can generate an encryption of M · P

[Figure: the bits of P (0, 1, 1, …) select columns; multiplying the selected entries of row i yields h_i^{Σ_j p_j r_j} g^{(M·P)_i}, and multiplying the selected vector entries yields g^{Σ_j p_j r_j}. Every row i has the same h_i = g^{x_i}.]

Page 19: Public Key

Public key: the ciphertext matrix (entries h_i^{r_j} g^{m_ij}, vector g^{r_j}) where the m_ij are either:
• the all-zero matrix M_0
• the identity matrix M_I

[Figure: as before, the plaintext P for encryption selects columns; every row i has the same h_i = g^{x_i}.]

Page 20:

• Claim: if the matrix is the identity, the plaintext can be reconstructed from the encryption of M · P (using the trapdoor x_i)
• Claim: if the matrix is all zero, the function is lossy when the dimension n is larger than log q
  – Each entry is just a sum of the r_j's according to P (in the exponent)
  – The rest is determined by the h_i's
  – So only log q bits of information about P survive
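Pages 15 to 20 as one added example; it is not code from the lecture, nor Peikert and Waters' reference implementation. The DDH ciphertext matrix is used as a trapdoor function: evaluation on P multiplies the selected columns, inversion with the x_i works when M is the identity, and the zero-matrix branch is shown to be lossy by counting images. Assumptions: a toy group, the order-11 subgroup of Z_23^* generated by 2, and n = 8 > log2 11, so all 2^8 inputs can be enumerated. With q this small the two branches are distinguishable by brute force; a real instantiation relies on DDH in a large group.

```python
import random

# Constructed toy group (not secure): G = <2> in Z_23^*, of prime order q = 11.
P, Q, G = 23, 11, 2
N = 8  # input dimension n; n > log2(q) is exactly the regime where the zero-matrix branch is lossy


def keygen(branch: str, n: int = N):
    """Build the ciphertext matrix of M (M = I for "injective", M = 0 for "lossy") plus the vector g^{r_j}.
    Returns (trapdoor x_1..x_n, public description (vector, matrix)); the h_i are never published."""
    xs = [random.randrange(1, Q) for _ in range(n)]          # row secrets x_i, h_i = g^{x_i}
    rs = [random.randrange(1, Q) for _ in range(n)]          # column randomness r_j
    hs = [pow(G, x, P) for x in xs]
    vector = [pow(G, r, P) for r in rs]

    def m(i, j):
        return 1 if (branch == "injective" and i == j) else 0

    matrix = [[pow(hs[i], rs[j], P) * pow(G, m(i, j), P) % P for j in range(n)] for i in range(n)]
    return xs, (vector, matrix)


def evaluate(pk, p_bits):
    """f(P): multiply the entries of every column j with p_j = 1. By the homomorphism this is an
    encryption of M.P: row i becomes h_i^R g^{(M.P)_i} and the vector becomes g^R, R = sum_j p_j r_j."""
    vector, matrix = pk
    n = len(vector)
    g_R = 1
    rows = [1] * n
    for j in range(n):
        if p_bits[j]:
            g_R = g_R * vector[j] % P
            for i in range(n):
                rows[i] = rows[i] * matrix[i][j] % P
    return g_R, tuple(rows)


def invert(xs, y):
    """Trapdoor inversion for M = I: (g^R)^{x_i} = h_i^R; divide it out of row i and read g^{p_i}."""
    g_R, rows = y
    p_bits = []
    for x_i, row in zip(xs, rows):
        g_pi = row * pow(pow(g_R, x_i, P), -1, P) % P
        if g_pi == 1:
            p_bits.append(0)
        elif g_pi == G:
            p_bits.append(1)
        else:
            return None  # not an encryption of a 0/1 vector
    return p_bits


def image_size(pk):
    """Number of distinct outputs over all 2^n inputs: 2^n for the injective branch, at most q for the
    lossy one, because then the output depends on P only through R mod q (log2 q bits of information)."""
    n = len(pk[0])
    return len({evaluate(pk, [(v >> j) & 1 for j in range(n)]) for v in range(1 << n)})
```

Running `invert` on the lossy branch returns the all-zero vector for every input, which is the concrete form of "the rest is determined by the h_i's": once h_i^R is divided out nothing of P remains in the rows.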

Page 21: Identity-Based Encryption (IBE)

A public-key* encryption system where any arbitrary string can be used as the public key
  – Examples: user's e-mail address, current date, biometric data, …
An authority publishes a public master key and keeps the private master key secret
Extract: given any string ID ∈ {0,1}* the authority can create SK_ID
To encrypt: need the public master key and ID
To decrypt: need SK_ID

Page 22: Identity-Based Encryption (IBE)

[Figure: Alice encrypts e-mail to Bob using the public master key and Bob's e-mail address as the public key. Bob proves to the authority (CA), which holds the private master key, "I am Bob's e-mail address" and receives SK_Bob. This could happen before or after the e-mail was encrypted.]

ID can be: e-mail, e-mail + time, e-mail + credentials, fingerprint, …

Page 23: History

• The concept was formulated by Adi Shamir in 1984
• First IBE schemes in 2001
  – Boneh and Franklin, Crypto 2001: based on pairings
  – Cocks, Intern. Conf. on Cryptography and Coding 2001: based on quadratic residuosity
  – First proposals: need a random oracle
  – Later ones: standard model

Page 24: Security Definition for IBE

Semantic security against an adaptive ID extraction attack:
  – No polynomially bounded adversary can distinguish with non-negligible advantage between encryptions of m_0 and m_1 under the target id
  – m_0 and m_1 chosen by the adversary
  – The adversary gets to issue extract requests: given id_i obtain SK_{id_i}
  – How is the target id chosen:
    • Adaptively
    • Ahead of time: selective-ID security
  – Extract may not be issued on the target id

Page 25: Getting CCA1 from IBE

• Public key: master public key of the IBE scheme
• Secret key: corresponding master secret key
• To encrypt a message m:
  – Generate a random string vk
  – Encrypt the message m with respect to the "identity" vk; resulting ciphertext C
  – The ciphertext: ⟨C, vk⟩
• To decrypt a ciphertext ⟨C, vk⟩:
  – Extract the key corresponding to vk and decrypt C

Page 26: CCA from IBE

• Public key: master public key of the IBE scheme
• Secret key: corresponding master secret key
• To encrypt a message m:
  – Generate a key pair (vk, sk) for a strong one-time signature scheme
  – Encrypt the message m with respect to the "identity" vk; resulting ciphertext C
  – Sign C using sk to obtain a signature σ
  – The ciphertext: ⟨C, vk, σ⟩
• To decrypt a ciphertext ⟨C, vk, σ⟩:
  – Verify the signature σ on C using vk
  – If it passes: extract the key corresponding to vk and decrypt C

Page 27: Getting rid of the one-time signatures

• One-time signature: long and not so efficient
• Idea: replace the signature with a MAC
  – Unconditional authentication: h drawn from a pairwise-independent family
  – Replace the signature key with a commitment to the (MAC) hash function
• To encrypt a message m:
  – Generate (h, ck, dk): ck a commitment to h and dk the decommitment
  – Encrypt m ∘ dk ∘ h with respect to the identity ck; resulting ciphertext C
  – Authenticate C using h: τ = h(C)
  – The ciphertext: ⟨C, ck, τ⟩
• To decrypt a ciphertext ⟨C, ck, τ⟩:
  – Extract the key corresponding to ck and decrypt C to obtain m ∘ dk ∘ h
  – Verify that dk is a proper decommitment of ck to h and that τ = h(C). Output m only if both hold

Page 28: Homework: getting rid of the one-time signature schemes

• Is it possible to use a commitment instead of a one-time signature in the correlated-products scheme?

Page 29: Is it circular?

The value of h is still protected, by semantic security of the IBE. The adversary learns h at one point only (C, h(C)); at all other points the value of h is uniformly distributed (pairwise independence)

For a challenge ciphertext ⟨C, ck, τ⟩:
• Any decryption query ⟨C', ck', τ'⟩ with ck' ≠ ck is "useless"
  – Can be answered by an IBE extraction query on ck'
• If ck' = ck (and C' ≠ C), can guess with high probability that either
  – dk is not proper, or
  – h(C') ≠ τ' (from the pairwise independence)
  and hence reject

Page 30: Interactive Authentication

P wants to convince V that he is approving message m.
P has a public key K_P of an encryption scheme E (and the corresponding secret key K_S).

To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, K_P)
• P → V: Receiving c, decrypt c using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose

Page 31: Is it Safe?

Want: existential unforgeability against adaptive chosen message attack
  – Adversary can ask P to authenticate any sequence m_1, m_2, …
  – Has to succeed in making V accept a message m not authenticated by P
  – Has complete control over the channels
• Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r
• Several problems if E is "just" semantically secure against chosen plaintext attacks:
  – Adversary might change c = E(m ∘ r, K_P) into c' = E(m' ∘ r, K_P)
    • Malleability
  – Not sufficient to verify the correct form of the ciphertext in the simulation
• Closer to a chosen ciphertext attack
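The malleability problem in concrete form, as an added example that is not from the lecture: the two-message protocol of the previous slide run over a CPA-secure but malleable E. Assumptions: exponential ElGamal in a toy group (the order-509 subgroup of Z_1019^* generated by 4), and plaintexts m ∘ r encoded as the small integer m·2^4 + r so that decryption can brute-force the exponent, matching the "small m" remark on Page 14. The adversary takes V's challenge E(m ∘ r), shifts the prefix to a message m' that P is willing to approve, receives r from P and relays it, so V accepts m although P never approved it. `forgery` is handed K_S only to play the honest prover's part.

```python
import secrets

# Constructed toy group (not secure): G = <4> in Z_1019^*, of prime order q = 509.
P, Q, G = 1019, 509, 4
M_BITS, R_BITS = 2, 4            # message m has 2 bits, challenge r has 4 bits; plaintext is m || r


def keygen():
    """K_S = x, K_P = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def encrypt(pk: int, plaintext: int):
    """Exponential ElGamal, E(M) = (g^s, K_P^s g^M): CPA-secure under DDH in a real group, but malleable."""
    s = secrets.randbelow(Q - 1) + 1
    return pow(G, s, P), pow(pk, s, P) * pow(G, plaintext, P) % P


def decrypt(sk: int, c):
    """Recover g^M and brute-force the small exponent M < 2^(M_BITS + R_BITS)."""
    c1, c2 = c
    g_M = c2 * pow(pow(c1, sk, P), -1, P) % P
    for M in range(1 << (M_BITS + R_BITS)):
        if pow(G, M, P) == g_M:
            return M
    return None


def verifier_challenge(pk: int, m: int):
    """V -> P: choose r, send c = E(m || r, K_P). Returns r so the caller can check P's answer."""
    r = secrets.randbelow(1 << R_BITS)
    return r, encrypt(pk, (m << R_BITS) | r)


def prover(sk: int, m: int, c):
    """P -> V: decrypt, insist that the prefix is the message P approves, then release r."""
    pt = decrypt(sk, c)
    if pt is None or (pt >> R_BITS) != m:
        return None
    return pt & ((1 << R_BITS) - 1)


def maul(c, m_old: int, m_new: int):
    """Malleability: multiplying the second component by g^{(m_new - m_old) 2^R_BITS} turns
    E(m_old || r) into E(m_new || r) for the same unknown r, without the secret key."""
    c1, c2 = c
    shift = ((m_new - m_old) << R_BITS) % Q
    return c1, c2 * pow(G, shift, P) % P


def forgery(pk: int, sk: int, m_target: int, m_asked: int) -> bool:
    """Adversary between V and P: V challenges for m_target, which P would refuse. The adversary mauls
    the challenge to m_asked (a message P does approve), obtains r from P and relays it to V.
    sk is passed only so that the honest prover can be simulated here. Returns whether V accepts."""
    r, c = verifier_challenge(pk, m_target)
    r_from_p = prover(sk, m_asked, maul(c, m_target, m_asked))
    return r_from_p == r
```

The prefix check in `prover` is exactly the check the slide says is "not sufficient": P only ever sees a well-formed encryption of a message it approves, yet V ends up accepting a different one. Replacing E by a CCA2-secure (hence non-malleable) scheme is what closes this gap in the claim on the next slides.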

Page 32: Interactive Authentication

(Protocol as on Page 30: V → P chooses r ∈_R {0,1}^n and sends c = E(m ∘ r, K_P); P decrypts c using K_S, verifies that the prefix of the plaintext is m and, if yes, sends r; V is satisfied if he receives the same r he chose.)

Claim: if E is CCA2 secure, then the scheme is existentially unforgeable against an active adversary

Page 33: Proof of Security

Theorem: If E is secure against CCA2 then the Interactive Authentication Scheme is existentially unforgeable against CMA

[Figure: the reduction, a distinguisher for the original scheme. It receives pk from the CCA2 game and sets K_P = pk. It runs the forger, answering each request to authenticate message b_i (ciphertext c_i) through its decryption oracle and returning r_i or nil. It guesses the index j of the forgery, submits the challenge pair (m_0, m_1) = (b_j ∘ r, b_j ∘ r'), receives C = E_pk(m_b) and plugs C into the protocol as V's challenge. If the forgery returns r it outputs b' = 0, if it returns r' it outputs b' = 1, and otherwise it flips a coin.]

Page 34: No receipts

• Can the verifier convince a third party that the prover approved a certain message?

Page 35: Authentication and Non-Repudiation

• Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to a third party: non-repudiation.
  – Essential to contract signing, e-commerce, …
• Digital signatures: the last 25 years saw a major effort in
  – Research
    • Notions of security
    • Computationally efficient constructions
  – Technology, infrastructure (PKI), commerce, legal

Page 36: Is non-repudiation always desirable?

Not necessarily so:
• Privacy of conversation, no (verifiable) record.
  – Do you want everything you ever said to be held against you?
• If Bob pays for the authentication, he shouldn't be able to transfer it for free
• Perhaps can gain efficiency

Alternative: (plausible) deniability
If the recipient (or any recipient) could have generated the conversation himself, or an indistinguishable one

Page 37: Deniable Authentication

Setting:
• Sender has a public key known to the receiver
• Want an authentication scheme such that the receiver keeps no receipt of the conversation.

This means:
• Any receiver could have generated the conversation itself.
  – There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
  – Exactly as in zero-knowledge!
  – An example where zero-knowledge is the end, not the means!

Proof of security consists of unforgeability and deniability

Page 38: Ring Signatures and Authentication

Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
  – Other members do not cooperate
  – Use their `regular' public keys
• Encryption
  – Should be indistinguishable which member of the set is actually doing the authentication

[Figure: a ring of members Bob, Alice?, Eve; the verifier cannot tell which of them is authenticating.]

Ring Signatures: Rivest, Shamir and Tauman

Page 39: A Public Key Authentication Protocol

P has a public key PK of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n and random bits ρ ∈ {0,1}^*. Send Y = E(PK, m ∘ r, ρ)
• P → V: Verify that the prefix of the plaintext is indeed m. If yes, send r.
V accepts iff the received r' = r

Is it unforgeable? Is it deniable?

Page 40: Security of the scheme

Unforgeability: depends on the strength of E
• Sensitive to malleability:
  – if given E(PK, m ∘ r, ρ) one can generate E(PK, m' ∘ r', ρ') where m' is related to m and r' is related to r, then one can forge.
• The protocol allows a chosen ciphertext attack on E.
  – Even of the post-processing kind!
• Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
• Works even against concurrent executions.

Deniability: does V retain a receipt?
  – It does not retain one for an honest V
  – Need to prove knowledge of r

We saw an encryption scheme satisfying the desired requirements

Page 41: Simulator for honest receiver

Choose r ∈_R {0,1}^n. Output: ⟨Y = E(PK, m ∘ r, ρ), r, ρ⟩

Has exactly the same distribution as a real conversation when the verifier is following the protocol: statistical indistinguishability

The verifier might cheat by checking whether certain ciphertexts have m as a prefix. No known concrete way of doing harm this way

Page 42: Encryption as Commitment

When the public key PK is fixed and known, Y = E(PK, x, ρ) can be seen as a commitment to x

To open x: reveal ρ, the random bits used to create Y

Perfect binding: from unique decryption. For any Y there are no two different x and x' and ρ and ρ' s.t.
  Y = E(PK, x, ρ) = E(PK, x', ρ')

Secrecy: no information about x is leaked to those not knowing the secret key PS

Page 43: Deniable Protocol

P has a public key PK of an encryption scheme E.
To authenticate message m:
• V → P: Choose x ∈_R {0,1}^n. Send Y = E(PK, m ∘ x, ρ)
• P → V: Send E(PK, x, t)
    (P commits to the value x; it does not want to reveal it yet)
• V → P: Send x and ρ, opening Y = E(PK, m ∘ x, ρ)
• P → V: Open E(PK, x, t) by sending t.

Page 44: Security of the scheme

Unforgeability: as before, depends on the strength of E
  – can simulate the previous scheme (with access to D(PK, ·))
  – Important property: E(PK, x, t) is a non-malleable commitment (w.r.t. the encryption) to x.

Deniability: can run a simulator:
• Extract x by running with E(PK, garbage, t) and rewinding
• Expected polynomial time
• Need the semantic security of E: it acts as a commitment scheme

Page 45: Ring Signatures and Authentication (repeat of the slide on Page 38)

Page 46: Ring Authentication Setting

• A ring is an arbitrary set of participants including the authenticator
• Each member i of the ring has a public encryption key PK_i
  – Only i knows the corresponding secret key PS_i
• To run a ring authentication protocol both sides need to know PK_1, PK_2, …, PK_n, the public keys of the ring members

Page 47: An almost Good Ring Authentication Protocol

Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E
To authenticate message m with the j-th decryption key PS_j:
• V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m ∘ x, r_1), E(PK_2, m ∘ x, r_2), …, E(PK_n, m ∘ x, r_n)
• P → V: Decrypt E(PK_j, m ∘ x, r_j) using PS_j and send E(PK_1, x, t_1), E(PK_2, x, t_2), …, E(PK_n, x, t_n)
• V → P: Open all the E(PK_i, m ∘ x, r_i) by sending x and r_1, r_2, …, r_n
• P → V: Verify consistency and open all E(PK_i, x, t_i) by sending t_1, t_2, …, t_n

Problem: what if not all suffixes (the x's) are equal?

Page 48: The Ring Authentication Protocol

Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E
To authenticate message m with the j-th decryption key PS_j:
• V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m ∘ x, r_1), E(PK_2, m ∘ x, r_2), …, E(PK_n, m ∘ x, r_n)
• P → V: Decrypt E(PK_j, m ∘ x, r_j) using PS_j and send E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n), where x = x_1 + x_2 + … + x_n
• V → P: Open all the E(PK_i, m ∘ x, r_i) by sending x and r_1, r_2, …, r_n
• P → V: Verify consistency and open all E(PK_i, x_i, t_i) by sending t_1, t_2, …, t_n and x_1, x_2, …, x_n

Page 49: Complexity of the scheme

Sender: a single decryption, n encryptions and n encryption verifications
Receiver: n encryptions and n encryption verifications
Communication complexity: O(n) public-key encryptions

Page 50: Security of the scheme

Unforgeability: as before (assuming all keys are well chosen), since E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n) where x = x_1 + x_2 + … + x_n is a non-malleable commitment to x

Source hiding: which key was used (among well-chosen keys) is
  – Computationally indistinguishable during the protocol
  – Statistically indistinguishable after the protocol
    • If it ends successfully

Deniability: can run the simulator `as before'

Page 51: Universal One-Way Hash Functions (UOWHFs) (repeat of the slide on Page 6)

Page 52: Sources

• Dolev, Dwork and Naor: Non-Malleable Cryptography, SIAM J. Computing 2000; also SIAM Review 2003
• Peikert and Waters: Lossy Trapdoor Functions and Their Applications, STOC 2008
• Rosen and Segev: Chosen-Ciphertext Security via Correlated Products, TCC 2009
• Naor: Deniable Ring Authentication, Crypto 2002

Page 53: CCA2-Scheme

Collection F of injective TDFs secure under k-repetition
A one-time signature scheme SS

Key generation:
  Public: (f_1^0, f_1^1), (f_2^0, f_2^1), …, (f_k^0, f_k^1), h
  Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)

Enc_pk(b):
  Choose (v, s) for the one-time signature scheme SS, x ∈_R {0,1}^n
  Output (v, f_1^{v_1}(x), …, f_k^{v_k}(x), h(x) ⊕ b) and a signature using s on this message

Dec_sk(v, y_1, …, y_k, d, signature):
  Invert y_1, …, y_k to obtain x_1, …, x_k
  If all inverses are consistent (x_1 = … = x_k) and the signature is ok: output h(x) ⊕ d