Topics in Cryptography, Lecture 5. Topic: Chosen Ciphertext Security. Lecturer: Moni Naor
Post on 19-Dec-2015
Recap: chosen ciphertext security
• Why chosen ciphertext/malleability matters
• Taxonomy of attacks and security
• Ideas for achieving CCA
  – Redundancy + verification
• Simple scheme achieving CCA1
  – Based on DDH
Taxonomy: attack vs. notion being broken
Attacks:
• Chosen Plaintext (CPA)
• CCA1: Chosen Ciphertext, preprocessing (decryption queries only before the challenge)
• CCA2: Chosen Ciphertext, postprocessing (decryption queries also after the challenge)
Notions:
• Semantic Security
• Non-Malleability
All other implications: proper.
Open problem: construct a more secure version from the less secure one. Is it possible to construct a CCA2 scheme from SS/CPA?
Ideas for achieving resistance to CCA
• Add redundancy - hard to generate frivolous ciphertexts
• Add methods to check consistency
  – This is the trickiest part:
    • Non-interactive zero-knowledge
    • Specific schemes
• Decrypt only if the given ciphertext passes the consistency checks
Important point: may decrypt with several different private keys
[Figure: ciphertext = C1, C2, proof of consistency]
How to prove consistency?
Zero-knowledge proof system for language L (interaction between a Prover and a Verifier):
• Soundness: if x ∉ L the Verifier rejects whp
• Completeness: if x ∈ L the Verifier accepts
• Zero Knowledge: there exists a simulator producing similar-looking transcripts
Non-Interactive Zero Knowledge (NIZK)
Prover and Verifier share a random string; the Prover sends a single proof.
• Soundness: if x ∉ L the Verifier rejects whp
• Completeness: if x ∈ L the Verifier accepts
• Zero Knowledge: there exists a simulator producing similar-looking transcripts – including the random string – i.e. the simulator produces the whole triple (shared random string, proof, x)
For the full specification of NIZK need to clarify:
• When is x chosen – before or after the shared random string?
  – Adaptive
• What does the simulator get?
• Does soundness need to hold given a simulated random string?
  – Cannot hold for a simulated string (false statement)
  – Simulation soundness
For NP: can be based on the existence of trapdoor permutations with some structure (relevant for soundness and ZK)
Achieving resistance to CCA with NIZK
• Two independent keys of some "good" PKC: KP1 and KP2
• A public random string for a NIZK of the language {(KP1, KP2, C1, C2) | C1 and C2 encrypt the same message}
• To encrypt message m generate ciphertexts C1 and C2 and add a proof of consistency
  – Ciphertext: C1, C2, proof
• To decrypt
  – Verify the proof and then
  – Decrypt only if the ciphertexts passed the consistency checks
[Figure: ciphertext = C1, C2, proof of consistency]
Important point: may decrypt with two different private keys
Chosen Ciphertext Attack (game between the adversary Alice and Bob, who holds the secret key Ks; both know the public key KP)
• Preprocessing phase: Alice sends query ci, Bob returns ai = D(ci, Ks)
• Alice chooses {m0, m1}; Bob picks b ∈R {0,1} and sends the challenge c = E(mb, KP)
• Postprocessing phase: Alice sends query c'i (c'i ≠ c), Bob returns a'i = D(c'i, Ks)
• Alice guesses b'; A wins if b' = b
Theorem: the scheme is secure against CCA2
Proof of security: build a distinguisher for the original scheme
• The distinguisher receives KP1 from the original-scheme challenger; it generates KP2 itself (and so knows the matching secret key) and obtains the random string from the NIZK simulator. It hands the adversary pk = KP1, KP2, random string.
• Query ci: the distinguisher verifies the proof and answers ai by decrypting with the second key.
• Challenge: the adversary's m0, m1 are forwarded to the original scheme, which returns Epk(mb) as C1; the distinguisher sets C2 = E(mb'', KP2) for b'' ∈R {0,1} (b'' is its own coin) and takes the proof from the simulator; the challenge is C1, C2, proof.
• The adversary outputs b'; the distinguisher outputs b'.
Claim: the distribution the adversary witnesses if b = b'' is indistinguishable from the real one, so Prob[b' = b] ≥ ½ + the adversary's advantage
Claim: if b ≠ b'' then Prob[b' = b] = ½
Only difference from the real attack: the simulated proof of consistency
Session Key Encryption
Alice and Bob share a key K.
• Alice: plaintext m, ciphertext c = EA(m, K) (encrypt and authenticate)
• Bob: decryption and verification m = DV(E(m, K), K)
Structure of construction: "hybrid"
Encryption:
• Use the public key to generate a shared session key
• Use the shared key to encrypt + authenticate with a one-time scheme
Decryption:
• Use the secret key to obtain the session key
• Use session decryption. Check authentication.
• If it fails reject. Otherwise output the message.
A Simple DDH Based Scheme (CCA1)
Key generation: G - group of order q. Choose g1, g2 ∈ G and x1, x2 ∈ Zq. Let h = g1^x1 g2^x2. Output sk = (x1, x2) and pk = (g1, g2, h)
Enc_pk(m): choose r ∈ Zq. Output (g1^r, g2^r, AE(m, h^r))
Dec_sk(u1, u2, e): let k = u1^x1 u2^x2. Output DV(e, k)
Correctness: u1^x1 u2^x2 = g1^(r x1) g2^(r x2) = (g1^x1 g2^x2)^r = h^r
MAIN IDEA: Redundancy: any pk corresponds to many possible sk's; h = g1^x1 g2^x2 reveals only log(q) bits of information on sk = (x1, x2)
Key property for security: no invalid ciphertexts accepted
Given the public key pk = (g1, g2, h), one linear equation on x1, x2 is known (h = g1^x1 g2^x2). Still log q entropy in (x1, x2).
Claim: this entropy is kept during the query-attack phase
• In legitimate query ciphertexts (v1 = g1^r, v2 = g2^r, AE(m, k)) the decryption is independent of x1, x2
• Invalid query ciphertexts (v1 = g1^r, v2 = g2^r' with r' ≠ r, AE(m, k)) are rejected whp
Not clear what happens when the challenge ciphertext is known during the attack: some info about h^r is leaked in AE(m, h^r)
Generalizing the leftover hash lemma: to assure independence make sure that AE(m, h^r) does not leak information about h^r
• Have a family of four-wise independent functions; each function in the family maps G → {0,1}^ℓ
The Modified Scheme
Key generation: G - group of order q; a family of four-wise independent functions G → {0,1}^ℓ. Choose g1, g2 ∈ G, x1, x2 ∈ Zq and a function from the family uniformly at random (write hash for it). Let h = g1^x1 g2^x2. Output sk = (x1, x2) and pk = (g1, g2, h, hash)
Enc_pk(m): choose r ∈ Zq. Output (g1^r, g2^r, AE(m, hash(h^r)))
Dec_sk(u1, u2, e): let k = hash(u1^x1 u2^x2). Output DV(e, k)
Correctness: u1^x1 u2^x2 = g1^(r x1) g2^(r x2) = (g1^x1 g2^x2)^r = h^r
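As an added example (not from the lecture and not the lecturer's code), the following Python sketches the modified DDH scheme end to end: key generation with a four-wise independent hash (a random degree-3 polynomial over a prime field, truncated), hybrid encryption with a one-time authenticated-encryption layer (encrypt-then-MAC built from SHA-256 and HMAC, an assumption of this example), and decryption that rejects invalid ciphertexts. It also exhibits the redundancy argument: a second secret key consistent with the same public key decrypts every legitimate ciphertext but derives a different key from an invalid one. The group (the order-509 subgroup of Z_1019^*), the function names and all parameters are constructed for illustration and are far too small for real use.

```python
"""Toy implementation of the DDH-based CCA1 scheme with a four-wise
independent hash.  All parameters are constructed toy values."""
import hashlib
import hmac
import secrets

# Constructed toy parameters: P = 2Q + 1 is a safe prime, so the quadratic
# residues mod P form a cyclic group G of prime order Q.
P, Q = 1019, 509
ELL = 30                    # output bits of the hash, i.e. the AE key length
FIELD = 2**31 - 1           # prime field used for the degree-3 polynomials


def random_element():
    """Uniform non-identity element of G; every such element generates G."""
    while True:
        g = pow(secrets.randbelow(P - 1) + 1, 2, P)    # squaring lands in G
        if g != 1:
            return g


def four_wise_hash(phi, x):
    """Random degree-3 polynomial over F_FIELD (a four-wise independent family),
    truncated to ELL bits.  Inputs are elements of G, all distinct and < FIELD."""
    a0, a1, a2, a3 = phi
    return ((a0 + a1 * x + a2 * x * x + a3 * x ** 3) % FIELD) & ((1 << ELL) - 1)


def keygen():
    """Returns (pk, sk, w).  w = log_g1(g2) is returned only so the demo can
    exhibit a second secret key consistent with pk; a real key generator
    would never learn or keep it (hypothetical demo-only output)."""
    g1 = random_element()
    w = secrets.randbelow(Q - 1) + 1
    g2 = pow(g1, w, P)
    x1 = secrets.randbelow(Q)
    x2 = secrets.randbelow(Q - 1) + 1          # x2 != 0 keeps the demo deterministic
    h = pow(g1, x1, P) * pow(g2, x2, P) % P
    phi = tuple(secrets.randbelow(FIELD) for _ in range(4))
    return (g1, g2, h, phi), (x1, x2), w


def equivalent_sk(sk, w, t):
    """Another (x1', x2') with g1^x1' g2^x2' = h; there are q such keys, which is
    the redundancy the lecture relies on."""
    x1, x2 = sk
    return ((x1 + w * t) % Q, (x2 - t) % Q)


# --- one-time authenticated encryption AE / DV keyed by the ELL-bit value k ---
def _ae_keys(k):
    seed = k.to_bytes(4, "big")
    return (hashlib.sha256(b"enc" + seed).digest(),
            hashlib.sha256(b"mac" + seed).digest())


def ae_encrypt(m, k):
    """Encrypt-then-MAC with a one-time pad derived from k (messages <= 32 bytes)."""
    ke, km = _ae_keys(k)
    pad = hashlib.sha256(ke).digest()
    ct = bytes(a ^ b for a, b in zip(m, pad))
    return ct + hmac.new(km, ct, hashlib.sha256).digest()


def ae_decrypt_verify(e, k):
    ke, km = _ae_keys(k)
    ct, tag = e[:-32], e[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, ct, hashlib.sha256).digest()):
        return None                            # authentication failed: reject
    pad = hashlib.sha256(ke).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


# --- the public-key scheme ---
def encrypt(pk, m):
    g1, g2, h, phi = pk
    r = secrets.randbelow(Q)
    return (pow(g1, r, P), pow(g2, r, P), ae_encrypt(m, four_wise_hash(phi, pow(h, r, P))))


def shared_element(sk, u1, u2):
    """u1^x1 u2^x2, which equals h^r exactly when (u1, u2) = (g1^r, g2^r)."""
    x1, x2 = sk
    return pow(u1, x1, P) * pow(u2, x2, P) % P


def decrypt(pk, sk, c):
    """Plaintext, or None when DV rejects (the fate of invalid ciphertexts)."""
    u1, u2, e = c
    return ae_decrypt_verify(e, four_wise_hash(pk[3], shared_element(sk, u1, u2)))


def invalid_ciphertext(pk, m):
    """Constructed malformed input: u2 uses a different exponent than u1, so no
    secret key consistent with pk derives the key the sender used."""
    g1, g2, h, phi = pk
    r = secrets.randbelow(Q)
    r2 = (r + 1 + secrets.randbelow(Q - 1)) % Q      # guaranteed r2 != r
    return (pow(g1, r, P), pow(g2, r2, P), ae_encrypt(m, four_wise_hash(phi, pow(h, r, P))))


if __name__ == "__main__":
    pk, sk, w = keygen()
    c = encrypt(pk, b"session data")
    print(decrypt(pk, sk, c), decrypt(pk, equivalent_sk(sk, w, 7), c))   # both decrypt
    print(decrypt(pk, sk, invalid_ciphertext(pk, b"junk")))              # None
```

The comparison of `shared_element` under two consistent secret keys is the point of the exercise: on honest ciphertexts the derived group element is h^r whichever of the q consistent keys is held, so decryption queries reveal nothing about (x1, x2); on a malformed pair the derived element depends on the particular secret key, which the adversary cannot predict, so the MAC check fails and the query is rejected.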
Theorem: the scheme is secure against CCA1
Proof: generating the challenge (a distinguisher for DDH)
Input: (g1, g2, g1^r1, g2^r2); the distinguisher must decide whether r1 = r2.
Generating pk given (g1, g2, g1^r1, g2^r2): choose x1, x2 ∈ Zq. Let h = g1^x1 g2^x2. Output pk = (g1, g2, h, hash) and remember sk = (x1, x2)
• Queries ci are answered with ai using sk
• Challenge for m0, m1: let k = (g1^r1)^x1 (g2^r2)^x2. Output (g1^r1, g2^r2, AE(mb, hash(k)))
Min-Entropy
For a probability distribution X over {0,1}^n: H∞(X) = − log max_x Pr[X = x]
Represents the probability of the most likely value of X.
X is a k-source if H∞(X) ≥ k (i.e., Pr[X = x] ≤ 2^−k for all x)
Statistical distance: Δ(X, Y) = Σ_a |Pr[X = a] − Pr[Y = a]|
Extractors: a universal procedure for "purifying" an imperfect source
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, error)-extractor if for any k-source X the statistical distance Δ(Ext(X, U_d), U_ℓ) is at most the error
[Figure: EXT takes x, a k-source of length n, and a seed s of d random bits, and outputs ℓ almost-uniform bits]
Strong Extractors: the output looks random even after seeing the seed
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, error)-strong extractor if Ext'(x, s) = s ∘ Ext(x, s) is a (k, error)-extractor
Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors
Example: Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n]
• Output length ℓ = k − 2 log(1/error); equivalently, the error is 2^((ℓ − k)/2)
• Seed length d = 2n; with almost pairwise independence d = O(log n + k)
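The example below is added here (it is not part of the lecture) to make the extractor definitions concrete: it implements Ext(x, (a, b)) = first ℓ bits of ax + b over GF(2^n) for a toy n = 6, checks pairwise independence exhaustively over all seeds, and computes the exact statistical distance, in the lecture's unnormalised form Σ|p − q|, between (S, Ext(X, S)) and (S, U_ℓ) for a constructed 4-source, comparing it with the bound 2^((ℓ − k)/2). The field size, the source and the function names are this example's own choices.

```python
"""Pairwise independent hash ax + b over GF(2^n) as a strong extractor,
checked exhaustively at toy size.  Constructed example parameters."""
from fractions import Fraction
from itertools import product

N = 6                 # field GF(2^6); all sizes are toy
MODULUS = 0b1000011   # x^6 + x + 1, irreducible over GF(2)
ELL = 2               # output bits
K = 4                 # min-entropy of the constructed source (16-value support)


def gf_mul(a, b):
    """Carry-less multiplication of two GF(2^N) elements, reduced mod MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MODULUS
    return r


def ext(x, seed):
    """Ext(x, (a, b)): the top ELL bits of a*x + b."""
    a, b = seed
    return (gf_mul(a, x) ^ b) >> (N - ELL)


def pair_counts(x, x2):
    """How often each (Ext(x, s), Ext(x2, s)) pair occurs over all 2^(2N) seeds.
    Pairwise independence means every pair occurs exactly 2^(2N - 2 ELL) times."""
    counts = {}
    for a, b in product(range(1 << N), repeat=2):
        key = (ext(x, (a, b)), ext(x2, (a, b)))
        counts[key] = counts.get(key, 0) + 1
    return counts


def strong_extractor_distance(support):
    """Exact statistical distance (sum of |p - q|, as defined in the lecture)
    between (S, Ext(X, S)) and (S, U_ELL), for X uniform on `support` and S
    uniform over all seeds.  Returned as an exact Fraction."""
    total = Fraction(0)
    seeds = 1 << (2 * N)
    for a, b in product(range(1 << N), repeat=2):
        hist = [0] * (1 << ELL)
        for x in support:
            hist[ext(x, (a, b))] += 1
        for cnt in hist:
            total += abs(Fraction(cnt, len(support)) - Fraction(1, 1 << ELL))
    return total / seeds


def lhl_bound():
    """The lecture's bound 2^((ELL - K)/2) on the distance for a K-source
    (K - ELL is even for the parameters chosen here)."""
    return Fraction(1, 1 << ((K - ELL) // 2))


if __name__ == "__main__":
    # Constructed 4-source: uniform on the 16 values whose top two bits are zero.
    src = list(range(16))
    print(pair_counts(3, 40))          # every entry is 256
    print(strong_extractor_distance(src), "<=", lhl_bound())
```

The pair count is exact rather than statistical because, for x ≠ x2, the map (a, b) ↦ (ax + b, ax2 + b) is a bijection on GF(2^n)^2, so truncating both coordinates to ℓ bits leaves every pair of prefixes with the same number of preimages; that is the pairwise independence the leftover hash lemma needs.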
Generalizing the leftover hash lemma
Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors: (hash, hash(X)) is close to uniform provided X has sufficient min-entropy
New lemma [KPSY 09]: if (X, X') are random variables such that
• H∞(X), H∞(X') are both at least the required min-entropy
• Prob[X = X'] = 0
and hash is chosen uniformly from a four-wise independent family with hash(X) ∈ {0,1}^ℓ,
then (hash, hash(X), hash(X')) is 2^((ℓ − required min-entropy)/2)-close to uniform
In the scheme, (x1, x2) have log q bits of entropy
The Modified Scheme (recap): G - group of order q; a family of four-wise independent functions
Enc_pk(m): choose r ∈ Zq. Output (g1^r, g2^r, AE(m, hash(h^r)))
Dec_sk(u1, u2, e): let k = hash(u1^x1 u2^x2). Output DV(e, k)
Applying the lemma: for (u1, u2) from the challenge and (u'1, u'2) from an adversary-generated query, let X = u1^x1 u2^x2 and X' = u'1^x1 u'2^x2.
Provided (u1, u2) and (u'1, u'2) differ, given hash(X) no information is leaked about hash(X').
Still hard to find an invalid ciphertext that passes the test.
Proof: summing up
During the attack (t = number of ciphertexts queried):
• Chance for an invalid ciphertext not labeled as such: t · Pr[forgery in AE]
• Entropy of (x1, x2) decreased by this amount
The challenge ciphertext is valid or not depending on whether the input is in DDH or not.
• If the original adversary wins the game with probability ½ + its advantage
• This yields a corresponding advantage in distinguishing DDH from non-DDH
Correlated Products of Trapdoors
One-Way Functions
• Easy to evaluate: x ↦ f(x)
• Hard to invert: for any efficient algorithm A, Pr[A(f(x)) ∈ f^−1(f(x))] is negligible
• Injective trapdoor functions: (f, f^−1) ← F_TDF
Correlated Products
• For a collection F of one-way functions consider (f1(x1), …, fk(xk)) for every f1, …, fk ∈ F.
• f1, …, fk is hard to invert for random (x1, …, xk)
• But what happens when x1, …, xk are correlated?
  – For instance: x1 = x2 = … = xk
Secure or Insecure Examples
Secure: discrete log
• x → (g1^x, g2^x, …, gk^x) mod P, i.e. fi(x) = gi^x
• As secure as x → g^x mod P, through random self-reducibility
Insecure: plain broadcast RSA, fi(x) = x^3 mod Ni
• Can recover x from x^3 mod N1, x^3 mod N2, x^3 mod N3 using CRT
Security Under Correlated Products
Definition:
• F is secure under a C-correlated product if for any efficient A, Pr[A(f1, …, fk, f1(x1), …, fk(xk)) = (x1, …, xk)] is negligible, where f1, …, fk ← F and (x1, …, xk) ← C.
Natural correlations:
• x1 = x2 = … = xk (k-repetition)
• (x1, …, xk) are ℓ-wise independent for ℓ < k
Reminder: CPA-security from TDFs
Collection F of injective TDFs
• Hard-core bit h for F – given f(x) it is infeasible to guess h(x) with a noticeable advantage
The scheme:
• Key generation: (pk, sk) = (f, f^−1)
• Encryption: Enc(pk, b) = (f(x), h(x) ⊕ b) for x ∈R {0,1}^n
• Decryption: Dec(sk, (c, d)) = h(f^−1(c)) ⊕ d
CCA-security from repetition
Collection F of injective TDFs secure under the k-repetition product
• Hard-core bit h for F – given f(x) it is infeasible to guess h(x) with a noticeable advantage
• Goldreich-Levin (inner product) is still hard-core
CCA1-Scheme
Collection F of injective TDFs secure under the k-repetition product
Public: (f1^0, f1^1), (f2^0, f2^1), …, (fk^0, fk^1), h
Secret: (s1^0, s1^1), (s2^0, s2^1), …, (sk^0, sk^1)
Enc_pk(b): choose v ∈R {0,1}^k, x ∈R {0,1}^n. Output (v, f1^v1(x), …, fk^vk(x), h(x) ⊕ b)
[Figure: the bits of v select one function from each pair (fi^0, fi^1); e.g. v = 0 1 … 0 selects f1^0, f2^1, …, fk^0]
Dec_sk(v, y1, …, yk, d): invert y1, …, yk to obtain x1, …, xk. If all inverses are consistent, x1 = … = xk = x, output h(x) ⊕ d
Need to know only one secret key to perform decryption
Theorem: the scheme is secure against CCA1
Proof of security: distinguisher for k-repetition
• The distinguisher receives (h, f1(x), …, fk(x)) for an unknown x.
• It picks v at random and builds pk = (f1^0, f1^1), (f2^0, f2^1), …, (fk^0, fk^1), h: the locations of the input fi's are determined by v (fi is placed as fi^vi), and the remaining functions are generated together with their trapdoors.
• Queries ci are answered with ai using the trapdoors it knows; the adversary then signals that it is ready for the challenge.
• Challenge: C = (v, f1(x), …, fk(x), b'') with b'' ∈R {0,1}
• The adversary outputs b'; the distinguisher outputs b' ⊕ b'' as its guess for h(x)
One-Time Signature Schemes
A signature scheme that is
• Existentially unforgeable
• The adversary A gets to pick and see the signature on one message. A wins if he can find any other (message, signature) pair that is accepted by the signature verification algorithm
  – The message should be different
  – Strongly unforgeable: also cannot find another signature to a message that has been signed
One-Time Signature Schemes: construction based on any one-way function g
Public: (y1^0, y1^1), (y2^0, y2^1), …, (yk^0, yk^1)
Secret: (s1^0, s1^1), (s2^0, s2^1), …, (sk^0, sk^1)
where yi^b = g(si^b)
Signature on message m ∈ {0,1}^k: output s1^m1, s2^m2, …, sk^mk
[Figure: the bits of m select one secret from each pair (si^0, si^1); e.g. m = 0 1 … 0 selects s1^0, s2^1, …, sk^0]
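As an added example (not from the lecture), here is the one-time signature construction above in Python, with SHA-256 standing in for the one-way function g and messages first hashed to K = 256 bits (both assumptions of this example, not of the slides). The `revealed_secrets` helper quantifies why the key must be used once: every signed message discloses K of the 2K secret halves.

```python
"""Lamport-style one-time signature from a one-way function g.
SHA-256 is the stand-in for g; constructed example, not the lecture's code."""
import hashlib
import secrets

K = 256   # message length in bits (messages are hashed to K bits first)


def g(s):
    """The one-way function; SHA-256 is the stand-in used here."""
    return hashlib.sha256(s).digest()


def keygen():
    """Secret: (s_i^0, s_i^1) for i = 1..K; public: y_i^b = g(s_i^b)."""
    secret = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(K)]
    public = [(g(s0), g(s1)) for s0, s1 in secret]
    return public, secret


def message_bits(m):
    """Map an arbitrary message to the K bits m_1..m_K that the scheme signs
    (assumption of this example: the slides sign k-bit messages directly)."""
    digest = hashlib.sha256(m).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(K)]


def sign(secret, m):
    """Signature: s_1^{m_1}, ..., s_K^{m_K}."""
    return [secret[i][bit] for i, bit in enumerate(message_bits(m))]


def verify(public, m, sig):
    """Accept iff g(sig_i) = y_i^{m_i} for every position."""
    if len(sig) != K:
        return False
    return all(g(sig[i]) == public[i][bit] for i, bit in enumerate(message_bits(m)))


def revealed_secrets(m1, m2):
    """Number of secret-key halves an observer learns from signatures on both
    m1 and m2: one per position where the bits agree, two where they differ.
    Any second use discloses more than the K halves a single message reveals,
    which is why the key is one-time."""
    b1, b2 = message_bits(m1), message_bits(m2)
    return sum(1 if x == y else 2 for x, y in zip(b1, b2))


if __name__ == "__main__":
    pub, sec = keygen()
    sig = sign(sec, b"approve transfer")
    print(verify(pub, b"approve transfer", sig))      # True
    print(verify(pub, b"approve transfer!", sig))     # False
    print(revealed_secrets(b"approve transfer", b"approve transfer!"))
```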
CCA2-Scheme
Collection F of injective TDFs secure under k-repetition; a one-time signature scheme ss
Public: (f1^0, f1^1), (f2^0, f2^1), …, (fk^0, fk^1), h
Secret: (s1^0, s1^1), (s2^0, s2^1), …, (sk^0, sk^1)
Enc_pk(b): choose (v, s) for the one-time ss (v the verification key, used as the selector, s the signing key), x ∈R {0,1}^n. Output (v, f1^v1(x), …, fk^vk(x), h(x) ⊕ b) together with a signature using s on this message
Dec_sk(v, y1, …, yk, d, signature): invert y1, …, yk to obtain x1, …, xk. If all inverses are consistent (x1 = … = xk) and the signature is ok, output h(x) ⊕ d
Homework: One-Time Signature Schemes
• Show that if g is a one-way function the scheme is indeed a one-time signature scheme.
• Show how to obtain a strongly unforgeable signature scheme – you may use the existence of Universal One-Way Hash Functions
• Why do we need strongly unforgeable signature schemes in the CCA2 scheme?
Universal One-Way Hash Functions (UOWHFs)
• A family of functions G = {g | g: {0,1}^n → {0,1}^h(n)} such that
• Easy to sample g from G, and g ∈ G has a succinct description
• Given (n, g, x) easy to compute g(x)
• h(n) < n
• Hard to find target collisions: given (n, g, x) hard to find x' ∈ {0,1}^n where x ≠ x' but g(x) = g(x'). The adversary picks x before seeing g
Interactive Authentication
P wants to convince V that he is approving message m. P has a public key KP of an encryption scheme E.
To authenticate a message m:
• V → P: choose r ∈R {0,1}^n. Send c = E(m ∘ r, KP)
• P → V: receiving c, decrypt c using KS. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose.
Claim: if E is CCA2 secure, then the scheme is existentially unforgeable against an active adversary
Sources
• Dolev, Dwork and Naor: Non-Malleable Cryptography, SIAM J. Computing 2000; also SIAM Review 2003
• Cramer and Shoup: Design and Analysis of Practical Public-Key Encryption Schemes Secure Against Adaptive Chosen Ciphertext Attack (see www.shoup.net)
• Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. Eurocrypt 2003
• Kiltz, Pietrzak, Stam and Yung: A New Randomness Extraction Paradigm for Hybrid Encryption. Eurocrypt 2009
• Peikert and Waters: Lossy Trapdoor Functions and Their Applications. STOC 2008
• Rosen and Segev: Chosen Ciphertext Security via Correlated Products. TCC 2009