Topics in Cryptography, Lecture 5. Topic: Chosen Ciphertext Security. Lecturer: Moni Naor.


Recap: chosen ciphertext security

• Why chosen ciphertext/malleability matters
• Taxonomy of attacks and security
• Ideas for achieving CCA
  – Redundancy + verification
• Simple scheme achieving CCA1
  – Based on DDH

Taxonomy: attack vs. notion broken

Attack:
• Chosen Plaintext
• CCA1: Chosen Ciphertext, Preprocessing
• CCA2: Chosen Ciphertext, Postprocessing

Breaking notion:
• Semantic Security
• Non Malleability

All other implications: proper

Open problem: construct a more secure version from the less secure one.

Is it possible to construct a CCA2 from SS/CPA?

Ideas for achieving resistance to CCA

• Add redundancy – hard to generate frivolous ciphertexts
• Add methods to check consistency
  – This is the trickiest part:
    • Non interactive zero-knowledge
    • Specific schemes
• Decrypt only if the given ciphertext passes the consistency checks

Important point: may decrypt with several different private keys

[Figure: the ciphertext consists of C1, C2 and a proof of consistency]

How to prove consistency?

Zero-knowledge proof system for language L (Prover and Verifier):

• Soundness: if x ∉ L the Verifier rejects whp
• Completeness: if x ∈ L the Verifier accepts
• Zero knowledge: there exists a simulator producing similar looking transcripts

Non Interactive Zero Knowledge

Prover and Verifier share a random string. [Figure: shared random string; the simulator produces the string together with the proof.]

• Soundness: if x ∉ L the Verifier rejects whp
• Completeness: if x ∈ L the Verifier accepts
• Zero knowledge: there exists a simulator producing similar looking transcripts, including the random string: (shared random string, proof, x)

NIZK: for a full specification need to clarify

• When is x chosen – before or after the shared random string?
  – Adaptive (relevant for soundness and zk)
• What does the simulator get?
• Does soundness need to hold given a simulated random string?
  – Cannot hold for a simulated string (false statement)
  – Simulation soundness

For NP: can be based on the existence of trapdoor permutations with some structure

Achieving resistance to CCA with NIZK

• Two independent keys KP1 and KP2 of some "good" PKC
• A public random string for NIZK of the language
  {(KP1, KP2, C1, C2) | C1 and C2 encrypt the same message}
• To encrypt message m generate ciphertexts C1 and C2 and add a proof of consistency
  – Ciphertext: C1, C2, proof of consistency
• To decrypt
  – Verify the proof and then
  – Decrypt only if the ciphertexts passed the consistency checks

[Figure: the ciphertext consists of C1, C2 and a proof of consistency]

Important point: may decrypt with two different private keys

Chosen Ciphertext Attack

[Figure: Alice (the attacker, knows the public key KP) and Bob (holds the public key KP and the secret key Ks).]

• Alice sends queries c_i; Bob answers a_i = D(c_i, Ks)
• Alice sends {m0, m1}; Bob picks b ∈_R {0,1} and returns c = E(m_b, KP)
• The postprocessing phase: Alice sends queries c'_i; Bob answers a'_i = D(c'_i, Ks)
• Alice guesses b'; A wins if b' = b

Theorem: The scheme is secure against CCA2

Proof of Security

[Figure: distinguisher for the original scheme.]

• The distinguisher receives KP1 from the original scheme and gives the adversary Pk = (KP1, KP2, shared random string).
• Adversary queries c_i are answered with a_i.
• On the adversary's pair m0, m1 the distinguisher forwards m0, m1 to the original scheme and gets back C1 = E_pk(m_b). It sets C2 = E(m_{b''}, KP2) with b'' ∈_R {0,1} and takes the proof of consistency from the simulator; the challenge handed to the adversary is (C1, C2, proof).
• The adversary's guess b' is output as the distinguisher's guess.

Claim: the distribution the adversary witnesses if b = b'' is indistinguishable from real, so Prob[b' = b] ≥ ½ + advantage.

Claim: if b ≠ b'' then Prob[b' = b] = ½.

Only difference: simulated proof of consistency.

Session Key Encryption

[Figure: Alice and Bob share a key K. Plaintext m; ciphertext c = EA(m, K) (authenticated encryption); decryption and verification m = DV(E(m, K), K).]

Structure of Construction: "Hybrid"

Encryption:
• Use the public key to generate a shared session key
• Use the shared key to encrypt + authenticate with a one-time scheme

Decryption:
• Use the secret key to obtain the session key
• Use session decryption. Check authentication.
• If it fails, reject. Otherwise output the message.

A Simple DDH Based Scheme

Key generation:
  G – group of order q
  Choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q
  Let h = g_1^{x_1} g_2^{x_2}
  Output sk = (x_1, x_2) and pk = (g_1, g_2, h)

MAIN IDEA: Redundancy: any pk corresponds to many possible sk's. h = g_1^{x_1} g_2^{x_2} reveals only log(q) bits of information on sk = (x_1, x_2)

A Simple Scheme – CCA1

Key generation:
  G – group of order q
  Choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q
  Let h = g_1^{x_1} g_2^{x_2}
  Output sk = (x_1, x_2) and pk = (g_1, g_2, h)

Enc_pk(m):
  Choose r ∈ Z_q
  Output (g_1^r, g_2^r, AE(m, h^r))

Dec_sk(u_1, u_2, e):
  Let k = u_1^{x_1} u_2^{x_2}. Output DV(e, k)

Correctness: u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r

Key property for security: no invalid ciphertexts accepted

Given the public key pk = (g_1, g_2, h), one linear equation on x_1, x_2 is known (h = g_1^{x_1} g_2^{x_2}). Still log q entropy.

Claim: this entropy is kept during the query-attack phase
• In legitimate query ciphertexts (v_1 = g_1^r, v_2 = g_2^r, AE(m, k)) the decryption is independent of x_1, x_2
• Invalid query ciphertexts (v_1 = g_1^r, v_2 = g_2^{r'}, AE(m, k)) are rejected whp

Not clear what happens when the challenge ciphertext is known during the attack: some info about h^r is leaked in AE(m, h^r)

Generalizing leftover hash lemma

To assure independence make sure that AE(m, h^r) does not leak information about h^r

• Have a family Φ of four-wise independent functions
  – For each φ ∈ Φ: φ: G → {0,1}^ℓ

The Modified Scheme

Key generation:
  G – group of order q; Φ a family of four-wise independent functions
  Choose g_1, g_2 ∈ G, x_1, x_2 ∈ Z_q and φ ∈_R Φ
  Let h = g_1^{x_1} g_2^{x_2}
  Output sk = (x_1, x_2) and pk = (g_1, g_2, h, φ)

Enc_pk(m):
  Choose r ∈ Z_q
  Output (g_1^r, g_2^r, AE(m, φ(h^r)))

Dec_sk(u_1, u_2, e):
  Let k = φ(u_1^{x_1} u_2^{x_2}). Output DV(e, k)

Correctness: u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r

Theorem: The scheme is secure against CCA1
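The DDH-based scheme and its modified form above, as an added example in Python (this is not code from the lecture). Everything concrete here is an assumption made for the demonstration: the group is the order-q subgroup of squares modulo a safe prime p = 2q + 1 generated at run time (64-bit, far too small for real use); φ is a random degree-3 polynomial over GF(p), which is a four-wise independent family; and AE/DV are a one-time encrypt-then-MAC whose pad and MAC keys are derived from φ(h^r) with SHA-256. The function `malformed` builds a ciphertext of the form (g_1^r, g_2^{r'}, AE(m, φ(h^r))) with r' ≠ r, so that the claim that such ciphertexts are rejected can be checked directly.

```python
import hashlib
import hmac
import secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin (probabilistic) after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits=64):
    """Return (p, q) with q prime and p = 2q + 1 prime (toy size, constructed at run time)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime()                      # G = squares mod P, a group of prime order Q
KLEN = (P.bit_length() + 7) // 8

def random_generator():
    """Random non-identity element of G (squaring lands in the order-q subgroup)."""
    while True:
        g = pow(2 + secrets.randbelow(P - 3), 2, P)
        if g != 1:
            return g

def random_phi():
    """Random degree-3 polynomial over GF(p): a four-wise independent family on G."""
    return [secrets.randbelow(P) for _ in range(4)]

def phi(coeffs, y):
    return sum(c * pow(y, i, P) for i, c in enumerate(coeffs)) % P

def _keys(k):
    """Pad and MAC keys derived from phi(h^r); stands in for the AE's key schedule."""
    seed = hashlib.sha256(k.to_bytes(KLEN, "big")).digest()
    return hashlib.sha256(b"pad" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def AE(m, k):
    """One-time authenticated encryption (encrypt-then-MAC); m is at most 32 bytes."""
    assert len(m) <= 32
    pad, mac_key = _keys(k)
    c = bytes(a ^ b for a, b in zip(m, pad))
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()

def DV(e, k):
    """Verify the tag, then decrypt; None means the ciphertext is rejected."""
    pad, mac_key = _keys(k)
    c, tag = e[:-32], e[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, c, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(c, pad))

def keygen():
    g1, g2 = random_generator(), random_generator()
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    h = pow(g1, x1, P) * pow(g2, x2, P) % P
    return (g1, g2, h, random_phi()), (x1, x2)          # pk, sk

def encrypt(pk, m):
    g1, g2, h, coeffs = pk
    r = secrets.randbelow(Q)
    return pow(g1, r, P), pow(g2, r, P), AE(m, phi(coeffs, pow(h, r, P)))

def decrypt(pk, sk, ct):
    coeffs, (x1, x2), (u1, u2, e) = pk[3], sk, ct
    k = pow(u1, x1, P) * pow(u2, x2, P) % P            # = h^r for a well-formed ciphertext
    return DV(e, phi(coeffs, k))

def malformed(pk, m):
    """(g1^r, g2^r', AE(m, phi(h^r))) with r' != r: the AE part is keyed for h^r, but the
    decryptor derives u1^x1 u2^x2 != h^r (unless x2 = 0), so DV rejects."""
    g1, g2, h, coeffs = pk
    r = secrets.randbelow(Q)
    r2 = (r + 1 + secrets.randbelow(Q - 1)) % Q            # any exponent other than r
    return pow(g1, r, P), pow(g2, r2, P), AE(m, phi(coeffs, pow(h, r, P)))

def demo(m=b"constructed sample message"):
    """Returns (decryption of a valid ciphertext, result for a malformed one)."""
    pk, sk = keygen()
    return decrypt(pk, sk, encrypt(pk, m)), decrypt(pk, sk, malformed(pk, m))
```

`demo()` returns the original message for the well-formed ciphertext and `None` for the malformed one: the decryptor never learns which of r, r' was used, it simply derives u_1^{x_1} u_2^{x_2}, which differs from the key the tag was computed under, so verification fails before any plaintext is released. That is the "no invalid ciphertexts accepted" property doing the work; the only way the malformed ciphertext is accepted is an AE forgery (or x_2 = 0, probability 1/q).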

Generating the Challenge

[Figure: distinguisher for DDH. Given (g_1, g_2, g_1^{r_1}, g_2^{r_2}) it builds pk = (g_1, g_2, h, φ) for the adversary, answers queries c_i with a_i, and on m_0, m_1 returns the challenge E_pk(m_b).]

Generating pk given (g_1, g_2, g_1^{r_1}, g_2^{r_2}):
  Choose x_1, x_2 ∈ Z_q
  Let h = g_1^{x_1} g_2^{x_2}
  Output pk = (g_1, g_2, h) and remember sk = (x_1, x_2)

Generating the challenge ciphertext:
  Let k = g_1^{r_1 x_1} g_2^{r_2 x_2}
  Output (g_1^{r_1}, g_2^{r_2}, AE(m_b, φ(k)))

Min-Entropy

For a probability distribution X over {0,1}^n:
  H_∞(X) = − log max_x Pr[X = x]
X is a k-source if H_∞(X) ≥ k (i.e., Pr[X = x] ≤ 2^{−k} for all x)
Represents the probability of the most likely value of X

Statistical distance: Δ(X, Y) = Σ_a |Pr[X = a] − Pr[Y = a]|

Extractors

Universal procedure for "purifying" an imperfect source

Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-extractor if for any k-source X
  Δ(Ext(X, U_d), U_ℓ) ≤ ε

[Figure: EXT takes x, a k-source of length n, and a seed s of d random bits, and outputs ℓ almost-uniform bits.]

Strong Extractors

Output looks random even after seeing the seed

Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-strong extractor if
  Ext'(x, s) = s ∘ Ext(x, s) is a (k, ε)-extractor

Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors

Example: Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n]
  Output length ℓ = k − 2 log(1/ε)
  Seed length d = 2n; with almost pairwise independence d = O(log n + k)
  Error ε = 2^{(ℓ − k)/2}
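The example extractor Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n], worked through in Python as an added example (not the lecture's code). The field size n = 6 and the flat k-source are constructed choices small enough that the seed space can be enumerated, so the statistical distance of (seed, output) from uniform is computed exactly rather than estimated, and compared with the leftover hash lemma error 2^{(ℓ − k)/2}. Δ is computed with the slide's definition (no factor ½), for which the bound above is the right one.

```python
import math
from collections import Counter

N = 6                  # work in GF(2^6): constructed toy size so everything can be enumerated
MODULUS = 0b1000011    # x^6 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Carry-less multiplication of two field elements, reduced mod x^6 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & (1 << N):
            a ^= MODULUS
        b >>= 1
    return r

def ext(x, seed, ell):
    """Ext(x, (a, b)) = first ell bits of a*x + b over GF(2^n) (the high-order bits)."""
    a, b = seed
    return (gf_mul(a, x) ^ b) >> (N - ell)

def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x], for a dict mapping values to probabilities."""
    return -math.log2(max(dist.values()))

def statistical_distance(p, q):
    """Delta(X, Y) = sum_a |Pr[X = a] - Pr[Y = a]|, exactly as defined on the slide."""
    return sum(abs(p.get(a, 0.0) - q.get(a, 0.0)) for a in set(p) | set(q))

def flat_source(k):
    """A k-source: uniform over the 2^k smallest field elements (min-entropy exactly k)."""
    return {x: 1.0 / (1 << k) for x in range(1 << k)}

def strong_extractor_distance(source, ell):
    """Exact distance of (S, Ext(X, S)) from (S, U_ell) with S uniform over GF(2^n)^2;
    this is the quantity the strong-extractor definition bounds by epsilon."""
    seeds = [(a, b) for a in range(1 << N) for b in range(1 << N)]
    joint = Counter()
    for s in seeds:
        for x, px in source.items():
            joint[(s, ext(x, s, ell))] += px / len(seeds)
    u = 1.0 / (len(seeds) * (1 << ell))
    uniform = {(s, y): u for s in seeds for y in range(1 << ell)}
    return statistical_distance(joint, uniform)

def lhl_bound(k, ell):
    """Leftover hash lemma error for a pairwise independent family: 2^((ell - k)/2)."""
    return 2.0 ** ((ell - k) / 2)

def demo(k=4, ell=2):
    """Returns (min-entropy of the source, measured distance, LHL bound)."""
    src = flat_source(k)
    return min_entropy(src), strong_extractor_distance(src, ell), lhl_bound(k, ell)
```

All probabilities involved are dyadic rationals with small denominators, so the float arithmetic is exact and the inequality `distance <= lhl_bound(k, ell)` is a genuine check of the lemma for this family, not an approximation. Raising ℓ towards k makes the measured distance approach the bound, which is the "ℓ = k − 2 log(1/ε)" trade-off stated on the slide.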

Generalizing leftover hash lemma

Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors: (φ, φ(X)) is close to uniform provided X has sufficient min-entropy

New lemma [KPSY 09]: if (X, X') are random variables such that
• H_∞(X), H_∞(X') ≥ k
• Prob[X = X'] = 0
• φ ∈_R Φ where Φ is four-wise independent and φ(X) ∈ {0,1}^ℓ
then (φ, φ(X), φ(X')) is 2^{(ℓ − k)/2} close to uniform

(x_1, x_2) have log q bits of entropy

The Modified Scheme (recalled)

G – group of order q; Φ a family of four-wise independent functions

Enc_pk(m):
  Choose r ∈ Z_q
  Output (g_1^r, g_2^r, AE(m, φ(h^r)))

Dec_sk(u_1, u_2, e):
  Let k = φ(u_1^{x_1} u_2^{x_2}). Output DV(e, k)

For (u_1, u_2) and (u'_1, u'_2) let X = u_1^{x_1} u_2^{x_2} and X' = u'_1^{x_1} u'_2^{x_2}.
Given φ(X) no information is leaked about φ(X'), provided (u_1, u_2) and (u'_1, u'_2) differ.
Still hard to find invalid ciphertexts that pass the test.

Here (u_1, u_2) form the challenge and (u'_1, u'_2) come from an adversary-generated query.

Proof: summing up

During the attack:
• Chance for an invalid ciphertext not labeled as such: t · Pr[forgery in AE], where t is the number of ciphertexts queried
• Entropy of (x_1, x_2) decreased by this amount

The challenge ciphertext is valid or not depending on whether the input is in DDH or not.
• If the original adversary wins the game with probability ½ + advantage
• Then the advantage in distinguishing DDH from non-DDH is that same advantage

Correlated Products of Trapdoors

One-Way Functions
• Easy to evaluate: x ↦ f(x)
• Hard to invert: for any efficient algorithm A, Pr[A(f(x)) ∈ f^{−1}(f(x))] is negligible
• Injective trapdoor functions: (f, f^{−1}) ← F_TDF

Correlated Products
• For a collection F of one-way functions consider (f_1(x_1), ..., f_k(x_k)) for every f_1, ..., f_k ∈ F.
• f_1, ..., f_k is hard to invert for random (x_1, ..., x_k)
• But what happens when x_1, ..., x_k are correlated?
  – For instance: x_1 = x_2 = ... = x_k

Secure or Insecure Examples

Secure: discrete log, f_i(x) = g_i^x
• x → (g_1^x, g_2^x, ..., g_k^x) mod P
• As secure as x → g^x mod P, through random self reducibility

Insecure: plain broadcast RSA, f_i(x) = x^3 mod N_i
• Can recover x from x^3 mod N_1, x^3 mod N_2, x^3 mod N_3 using CRT

Security Under Correlated Products

Definition: F is secure under a C-correlated product if for any efficient A
  Pr[A(f_1, ..., f_k, f_1(x_1), ..., f_k(x_k)) = (x_1, ..., x_k)]
is negligible, where f_1, ..., f_k ← F and (x_1, ..., x_k) ← C.

Natural correlations
• x_1 = x_2 = ... = x_k: k-repetition
• (x_1, ..., x_k) are ℓ-wise independent for ℓ < k

Reminder: CPA-Security from TDFs

Collection F of injective TDFs
• Hard-core bit h for F
  – Given f(x) infeasible to guess h(x) with a noticeable advantage

The scheme:
• Key generation: (pk, sk) = (f, f^{−1})
• Encryption: Enc(pk, b) = (f(x), h(x) ⊕ b) for x ∈_R {0,1}^n
• Decryption: Dec(sk, (c, d)) = h(f^{−1}(c)) ⊕ d

CCA-Security from Repetition

Collection F of injective TDFs secure under k-repetition product
• Hard-core bit h for F – given f(x) infeasible to guess h(x) with a noticeable advantage
• Goldreich-Levin (inner product) is still hard core

CCA1-Scheme

Collection F of injective TDFs secure under k-repetition product

Key generation:
  Public: (f_1^0, f_1^1), (f_2^0, f_2^1), ..., (f_k^0, f_k^1), h
  Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), ..., (s_k^0, s_k^1)

Enc_pk(b):
  Choose v ∈_R {0,1}^k, x ∈_R {0,1}^n
  Output (v, f_1^{v_1}(x), ..., f_k^{v_k}(x), h(x) ⊕ b)

[Figure: the bits of v select one function from each pair (f_i^0, f_i^1), e.g. f_1^0, f_2^1, ..., f_k^0.]

Dec_sk(v, y_1, ..., y_k, d):
  Invert y_1, ..., y_k to obtain x_1, ..., x_k
  If all inverses are consistent (x_1 = ... = x_k = x), output h(x) ⊕ d

Need to know only one secret key to perform decryption

Theorem: The scheme is secure against CCA1

Proof of Security

[Figure: distinguisher for k-repetition. Its input is (h, f_1(x), ..., f_k(x)). It builds Pk = (f_1^0, f_1^1), ..., (f_k^0, f_k^1), h, placing the input f_i's at locations determined by a random v. Adversary queries c_i are answered with a_i. The challenge is C = (v, f_1(x), ..., f_k(x), b'') with b'' ∈_R {0,1}; when the adversary outputs b', the distinguisher outputs b' ⊕ b''.]

One-time Signature Schemes

A signature scheme that is
• Existentially unforgeable
• Adversary A gets to pick and see the signature on one message
• A wins if he can find any other (message, signature) that is accepted by the signature verification algorithm
  – Message should be different
  – Strongly unforgeable: also cannot find another signature to a message that has been signed

Construction can be based on any one-way function g
  Public: (y_1^0, y_1^1), (y_2^0, y_2^1), ..., (y_k^0, y_k^1)
  Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), ..., (s_k^0, s_k^1)
  where y_i^b = g(s_i^b)
  Signature on message m ∈ {0,1}^k: output s_1^{m_1}, s_2^{m_2}, ..., s_k^{m_k}

[Figure: the bits of m select one secret from each pair (s_i^0, s_i^1), e.g. s_1^0, s_2^1, ..., s_k^0.]
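The one-time signature construction above, as an added example in Python (not the lecture's code). The assumptions are: g is SHA-256 standing in for a generic one-way function, k = 256 so that a message is exactly 32 bytes, and the secrets s_i^b are 32 random bytes each. `OneTimeSigner` is an addition that enforces the one-time restriction at the signer, since nothing in the bare key pair stops a caller from signing twice.

```python
import hashlib
import secrets

K = 256   # messages are k = 256-bit strings, passed as 32 bytes

def g(s):
    """The one-way function; SHA-256 stands in for a generic g."""
    return hashlib.sha256(s).digest()

def keygen():
    """Secret (s_i^0, s_i^1) and public (y_i^0, y_i^1) = (g(s_i^0), g(s_i^1)), i = 1..k."""
    secret = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(K)]
    public = [(g(s0), g(s1)) for s0, s1 in secret]
    return public, secret

def message_bits(m):
    if len(m) * 8 != K:
        raise ValueError("message must be exactly k bits")
    return [(m[i // 8] >> (7 - i % 8)) & 1 for i in range(K)]

def sign(secret, m):
    """Signature on m: reveal s_i^{m_i} for every bit m_i."""
    return [secret[i][bit] for i, bit in enumerate(message_bits(m))]

def verify(public, m, sig):
    """Accept iff g(sig_i) = y_i^{m_i} for every i."""
    if len(sig) != K:
        return False
    return all(g(sig[i]) == public[i][bit] for i, bit in enumerate(message_bits(m)))

class OneTimeSigner:
    """Signer that enforces the one-time restriction: a second, different message is refused
    (signing two messages would reveal both halves of every pair where they differ)."""
    def __init__(self):
        self.public, self._secret = keygen()
        self._signed = None

    def sign(self, m):
        if self._signed is not None and self._signed != m:
            raise RuntimeError("one-time key already used for a different message")
        self._signed = m
        return sign(self._secret, m)

def demo():
    """Returns (valid signature accepted, altered message rejected, second signing refused)."""
    signer = OneTimeSigner()
    m = b"constructed 32-byte message....."   # exactly 32 bytes
    sig = signer.sign(m)
    altered = bytes([m[0] ^ 0x01]) + m[1:]
    try:
        signer.sign(altered)
        refused = False
    except RuntimeError:
        refused = True
    return verify(signer.public, m, sig), not verify(signer.public, altered, sig), refused
```

Flipping a single message bit changes which half of that pair the verifier checks, and the signature only contains a preimage of the other half, so the altered message is rejected; this is the existential-unforgeability behaviour the slide describes, relying on nothing but g being one-way.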

CCA2-Scheme

Collection F of injective TDFs secure under k-repetition, and a one-time signature scheme ss

Key generation:
  Public: (f_1^0, f_1^1), (f_2^0, f_2^1), ..., (f_k^0, f_k^1), h
  Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), ..., (s_k^0, s_k^1)

Enc_pk(b):
  Choose (v, s) for the one-time ss, x ∈_R {0,1}^n
  Output (v, f_1^{v_1}(x), ..., f_k^{v_k}(x), h(x) ⊕ b) and a signature using s on the message

Dec_sk(v, y_1, ..., y_k, d):
  Invert y_1, ..., y_k to obtain x_1, ..., x_k
  If all inverses are consistent (x_1 = ... = x_k) and the signature is ok, output h(x) ⊕ d

Homework: One-time Signature Schemes

• Show that if g is a one-way function the scheme is indeed a one-time signature scheme.
• Show how to obtain a strongly unforgeable signature scheme
  – You may use the existence of Universal One-way Hash Functions
• Why do we need strongly unforgeable signature schemes in the CCA2 scheme?

Universal One-Way Hash Functions (UOWHFs)

• A family of functions G = {g | g: {0,1}^n → {0,1}^{h(n)}} such that
• Easy to sample g from G, and g ∈ G has a succinct description
• Given (n, g, x) easy to compute g(x)
• h(n) < n
• Hard to find target collisions:
  – Given (n, g, x) hard to find x' ∈ {0,1}^n where x ≠ x' but g(x) = g(x')
  – Adversary picks x before seeing g

Interactive Authentication

P wants to convince V that he is approving message m. P has a public key KP of an encryption scheme E.

To authenticate a message m:
• V → P: choose r ∈_R {0,1}^n. Send c = E(m ∘ r, KP)
• P → V: receiving c, decrypt c using KS. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose.

Claim: if E is CCA2 secure, then the scheme is existentially unforgeable against an active adversary

Sources

• Dolev, Dwork and Naor: Non Malleable Cryptography, SIAM J. Computing 2000; also SIAM Review 2003
• Cramer and Shoup: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack (see www.shoup.net)
• Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. Eurocrypt 2003
• Kiltz, Pietrzak, Stam and Yung: A New Randomness Extraction Paradigm for Hybrid Encryption. Eurocrypt 2009
• Peikert and Waters: Lossy Trapdoor Functions and Their Applications. STOC 2008
• Rosen and Segev: Chosen Ciphertext Security via Correlated Products. TCC 2009