Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security


Description: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security. Amit Sahai (MIT). What we do: identify a new security concern for Non-Interactive Zero Knowledge (NIZK) in the shared random string model, and show how to overcome this concern → a stronger notion of NIZK.

Transcript of Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Page 1: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Amit Sahai (MIT)

Page 2: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

What We Do

Identify a new security concern for Non-Interactive Zero Knowledge (NIZK) in the shared random string model.

Show how to overcome this concern → a stronger notion of NIZK.

Show how to use this to build a simple, general construction of a public-key encryption scheme secure against the strongest form of chosen-ciphertext attack (CCA).

Page 3: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Outline

Non-Interactive Zero Knowledge (NIZK)

The issue: multi-party scenario & malleability

Chosen-Ciphertext Security for Encryption

How NIZK fits in: [NY] scheme & our scheme

How to achieve non-malleable NIZK.

Page 4: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Non-Interactive Proof System [BFM88]

[Figure: Prover sends a Proof to Verifier, who outputs accept/reject; both see the shared random string.]

For any NP language L:
• If x ∈ L with witness w, Verifier always accepts Prover(x,w).
• For any (even unbounded) cheating Prover P, the probability that P(σ) outputs x ∉ L and a proof π such that Verifier accepts (x, π) is negligible.

Page 5: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

NIZK [BFM88,FLS90]

[Figure: two scenarios. Real: the shared random string is drawn from {0,1}^k and the Prover, holding (x, w), produces the proof. Simulated: a Simulator produces both the string and the proof.]

Simulator s.t. Verifiers cannot distinguish the two scenarios.

Note: above is the adaptive “one proof” version.

Page 6: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

NIZK

NIZK exists for all NP if trapdoor permutations exist [FLS90,BY92].

Interactive ZK: useful for security of high level protocols, e.g. general multi-party computation.

Non-Interactive ZK: useful for strengthening security of ordinary non-interactive cryptographic primitives:

Security against active adversaries:

Signatures: chosen-message attack [BG89]

Encryption: chosen-ciphertext attack [NY90,RS91,DDN91,here]

Page 7: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

What can go wrong?

[Figure: P sends (x, π) towards V over the shared random string; the adversary A sits in between and forwards (x’, π’) instead.]

• Even though π satisfies the definition of NIZK, A can modify π to produce a proof of a statement for which A does not know a witness.

Page 8: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Malleability

This is the problem of malleability [DDN91].

[DDN91] introduced the notion for interactive ZK in the concurrent setting (also for encryption and commitment).

For NIZK the same problem arises even without concurrency.

Can this really happen? Isn’t it supposed to be zero-knowledge?

Yes! (we’ll see examples later)

Why? Look again at def. of NIZK:

“What one can output seeing an NIZK is indist. from what one can output without seeing it, but only if output is examined independently of the actual shared random string!”

Page 9: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

NIZK [BFM88,FLS90]

(The NIZK definition slide from Page 5 is shown again here: the real scenario, with a shared random string from {0,1}^k and a Prover holding (x, w), versus the Simulator scenario, which Verifiers cannot distinguish. Note: above is the adaptive “one proof” version.)

Page 10: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

What can we hope for?

Cannot hope to achieve completely: “What one can output seeing an NIZK is indist. from what one can output without seeing it.”

Impossible, since adversary can always just copy proof.

Instead, following [DDN91], non-malleability of NIZK proofs:

“Whatever one can prove after seeing an NIZK proof, one could also have proved before seeing it, except for the ability to duplicate the proof.”

This is what we formulate and achieve.

Page 11: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

CCA-secure Encryption: Lunchtime Attack (CCA1) [NY90]

Experiment:

Adversary receives the public key.

CCA1: adversary asks for decryptions of ciphertexts of its choice (before the challenge).

Adversary outputs (m0, m1); b ←R {0,1}; adversary receives y = E(mb).

Adversary outputs a guess for b.

We say the scheme is CCA1-secure if no poly-time adversary can guess correctly with prob. negligibly more than 1/2.

Page 12: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

CCA-secure Encryption: Adaptive Attack (CCA2) [RS91]

Experiment:

Adversary receives the public key.

CCA1: adversary asks for decryptions of ciphertexts of its choice (before the challenge).

Adversary outputs (m0, m1); b ←R {0,1}; adversary receives y = E(mb).

CCA2: adversary continues to ask for decryptions after the challenge, but cannot ask for the decryption of y.

Adversary outputs a guess for b.

We say the scheme is CCA2-secure if no poly-time adversary can guess correctly with prob. negligibly more than 1/2.

Page 13: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Encryption

CCA2-security needed for use in general applications, e.g. encryption of e-mail.

CCA2-secure encryption is a component in:

Authentication and Key Exchange Protocols [BCK98]

Electronic Payment Protocols [SET97]

Deniable Message Authentication [DNS98]

Page 14: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Encryption: Prior Work

[NY90]: CCA1-secure scheme on general assumptions.

[RS91]: CCA2-secure scheme on general assumptions in a trusted center model.

[DDN91]: CCA2-secure scheme on general assumptions, but a quite involved construction, using many encryptions.

More recently, efficient CCA2-secure schemes:

Based on Random Oracles [BR93,BR94]

Based on Decisional Diffie-Hellman [CS98]

Here: a simple, modular CCA2-secure scheme based on general assumptions, using non-malleable NIZK.

Page 15: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

[NY90]

Based on any semantically secure encryption scheme and NIZK:

New Public Key: two encryption keys & a random string: (E1, E2, σ)

To encrypt x: send E1(x), E2(x), and an NIZK proof (under σ) that the two encryptions are consistent.

[NY90] shows that this is CCA1-secure.

Page 16: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

[NY90]: Not CCA2-secure

Problem: the NIZK can be malleable.

Example: bit-by-bit encryption, bit-by-bit NIZK.

Challenge ciphertext of the two-bit message m0 m1:

( E1(m0) E1(m1), E2(m0) E2(m1), NIZK = (π0 π1) )

Adversary swaps the per-bit components (each per-bit proof still verifies):

( E1(m1) E1(m0), E2(m1) E2(m0), NIZK = (π1 π0) )

Get decryption of the swapped ciphertext: m1 m0

Know message is m0 m1

Page 17: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Solution

Modify [NY90] to use non-malleable NIZK instead:

Same Public Key: two encryption keys & a random string: (E1, E2, σ)

To encrypt x: send E1(x), E2(x), and a non-malleable NIZK proof that the two encryptions are consistent.

We show: this is CCA2-secure. Thus:

If an efficient non-malleable NIZK proof of consistency is found for some particular efficient encryption scheme, this implies a new efficient CCA2-secure encryption scheme.

Page 18: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

NIZK → non-malleable NIZK

We give a transformation from NIZK to non-malleable NIZK based on any one-way function.

Use an idea introduced in [DDN91] in the context of encryption.

We abstract and generalize this idea, which we call Unduplicatable Set Selection, and apply it to NIZK.

Page 19: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Unduplicatable Set Selection

Setup: q players

Set of Objects: O1, O2, …, Om

Function f(·,·): takes an object Oj and another input x, e.g. f(O3,x).

Each player has some private inputs x1,…, xk

Each player should select a random subset of objects, and evaluate f on these objects with private inputs, e.g. f(O2,x1), f(O7,x2),…, f(O3,xk)

Want to force each player to either:

Completely duplicate another player’s output OR

Use a unique subset of objects.

Page 20: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Unduplicatable Set Selection (cont.)

Ingredients (for q=2):

(One-time) signature scheme, produces keys (VK,SK).

Function g mapping distinct VK to distinct subsets of objects (i.e. g is 1-1), e.g. interpret VK as a polynomial over a finite field and evaluate it at several points.

Each player:

Picks (VK,SK) pair for signature scheme.

Uses g(VK) to select subset of objects {Oj}

Outputs ( VK, y = {f(Oj,xi)}, SignSK(y) )

Page 21: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Unduplicatable Set Selection (cont.)

Why does it work?

Suppose the first player outputs: ( VK, y = {f(Oj,xi)}, SignSK(y) )

If the second player chooses VK’ ≠ VK, then g(VK’) ≠ g(VK), so the subset will be distinct.

If VK’ = VK, then the second player cannot sign any message except y. Hence, the output is identical.

Actually we need something slightly stronger than a normal signature scheme here -- to ensure that a different signature on the same message cannot be output. The construction is in the paper.
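The Unduplicatable Set Selection of Pages 19 to 21, as an added example (not code from the paper): a Lamport one-time signature built from SHA-256, objects that are constructed random strings standing in for the shared random strings, and a stand-in f that hashes (O_j, x) where the paper's f would produce a NIZK proof. The map g here hashes VK and is injective only up to collisions in the bits it uses; the paper's g is exactly 1-1.

```python
import hashlib
import os

K = 32                                            # private inputs per player; size of each subset
OBJECTS = [os.urandom(16) for _ in range(2 * K)]  # constructed objects O_1..O_m, m = 2K

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def f(obj: bytes, x: bytes) -> bytes:
    """Stand-in for f(O_j, x); in the paper f outputs a NIZK proof under the string O_j."""
    return H(b"f|" + obj + b"|" + x)

def ots_keygen(bits: int = 64):
    """Lamport one-time signature: SK = 2*bits random secrets, VK = their hashes."""
    sk = [(os.urandom(16), os.urandom(16)) for _ in range(bits)]
    return [(H(a), H(b)) for a, b in sk], sk

def ots_sign(sk, msg: bytes):
    d = int.from_bytes(H(msg), "big")             # the low len(sk) bits of the digest are signed
    return [sk[i][(d >> i) & 1] for i in range(len(sk))]

def ots_verify(vk, msg: bytes, sig) -> bool:
    # A second valid signature on the same message would need a second preimage of a VK entry,
    # which is the "stronger than normal" property the slide asks for.
    d = int.from_bytes(H(msg), "big")
    return len(sig) == len(vk) and all(
        H(sig[i]) == vk[i][(d >> i) & 1] for i in range(len(vk)))

def g(vk):
    """VK -> subset of K object indices, one from each pair (O_2i, O_2i+1), chosen by the
    low K bits of H(VK). Distinct VK give distinct subsets unless those K bits collide."""
    d = int.from_bytes(H(b"".join(a + b for a, b in vk)), "big")
    return [2 * i + ((d >> i) & 1) for i in range(K)]

def player_output(vk, sk, inputs):
    """Output ( VK, y = {f(O_j, x_i)} for j in g(VK), Sign_SK(y) )."""
    y = [f(OBJECTS[j], x) for j, x in zip(g(vk), inputs)]
    return vk, y, ots_sign(sk, b"".join(y))

def classify(first, second):
    """Given the first player's output, classify a second output as the argument predicts:
    reusing VK forces an exact duplicate (anything else is an OTS forgery); a new VK forces a new subset."""
    vk1, y1, _ = first
    vk2, y2, sig2 = second
    if not ots_verify(vk2, b"".join(y2), sig2):
        return "invalid"
    if vk2 == vk1:
        return "duplicate" if y2 == y1 else "forgery"
    return "distinct subset" if set(g(vk2)) != set(g(vk1)) else "g collision"
```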

Page 22: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Non-malleable NIZK

“Whatever one could prove after seeing an NIZK proof, one could also have proved before seeing it, except for the ability to duplicate the proof.”

Use Unduplicatable Set Selection where:

Objects are “shared” random strings

Function f produces a (normal) NIZK proof.

Thus, given a proof π, force the adversary to either:

Duplicate π exactly, OR

Use a new random string for proof.

Page 23: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Open Problems

Our transformation works against any fixed number of proofs. Can one achieve NIZK that is non-malleable after seeing any poly number of proofs?

Can one define and achieve yet stronger notions of NIZK?

Page 24: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

NIZK [BFM88,FLS90]

(The NIZK definition slide from Page 5 is shown once more: the real scenario, with a shared random string from {0,1}^k and a Prover holding (x, w), versus the Simulator scenario. Note: above is the adaptive “one proof” version.)