Topics in Cryptography, Lecture 5
Topic: Chosen Ciphertext Security
Lecturer: Moni Naor
Outline
Recap: chosen ciphertext security
Why chosen ciphertext security / malleability matters
Taxonomy of attacks and security
Ideas for achieving CCA security
–Redundancy + verification
A simple scheme achieving CCA1
–Based on DDH
Taxonomy of Attacks and Security
Attacks: chosen plaintext (CPA); chosen ciphertext, preprocessing (CCA1); chosen ciphertext, postprocessing (CCA2).
Breaking notions: semantic security; non-malleability.
All other implications are proper (strict).
Open problem: construct a more secure version from the less secure one. Is it possible to construct a CCA2-secure scheme from a SS/CPA-secure one?
Ideas for Achieving Resistance to CCA
Add redundancy: hard to generate frivolous ciphertexts.
Add methods to check consistency. This is the trickiest part:
–Non-interactive zero-knowledge
–Specific schemes
Decrypt only if the given ciphertext passes the consistency checks.
Important point: may decrypt with several different private keys.
[Figure: a ciphertext made of C_1, C_2 and a proof of consistency]
How to Prove Consistency?
Zero-knowledge proof system for a language L (prover and verifier):
–Completeness: if x ∈ L the verifier accepts
–Soundness: if x ∉ L the verifier rejects whp
–Zero knowledge: there exists a simulator producing similar-looking transcripts
Non-Interactive Zero Knowledge
Prover and verifier share a random string.
–Completeness: if x ∈ L the verifier accepts
–Soundness: if x ∉ L the verifier rejects whp
–Zero knowledge: there exists a simulator producing similar-looking transcripts, including the random string: the simulator produces (random string, proof, x)
NIZK
For a full specification we need to clarify:
–When is x chosen, before or after the random string? (Adaptive)
–What does the simulator get?
–Does soundness need to hold given a simulated random string? It cannot hold for a simulated string (false statement); this leads to simulation soundness.
For NP: can be based on the existence of trapdoor permutations with some structure (relevant for both soundness and zero knowledge).
Achieving Resistance to CCA with NIZK
Two independent keys K_P^1 and K_P^2 of some "good" PKC.
A public random string for a NIZK of the language {(K_P^1, K_P^2, C_1, C_2) | C_1 and C_2 encrypt the same message}.
To encrypt a message m: generate ciphertexts C_1 and C_2 and add a proof of consistency.
–Ciphertext: (C_1, C_2, proof)
To decrypt:
–Verify the proof, and then
–Decrypt only if the ciphertexts passed the consistency checks
Important point: may decrypt with two different private keys.
[Figure: a ciphertext made of C_1, C_2 and a proof of consistency]
Chosen Ciphertext Attack
Alice (the adversary A) knows the public key K_P; Bob holds the secret key K_s.
–Preprocessing queries: A sends c_i and receives a_i = D(c_i, K_s).
–A chooses {m_0, m_1}; Bob picks b ∈_R {0,1} and returns c = E(m_b, K_P).
–Postprocessing phase: A sends c'_i (with c'_i ≠ c) and receives a'_i = D(c'_i, K_s).
–A guesses b'. A wins if b' = b.
Theorem: the scheme is secure against CCA2.
Proof of security: from a CCA2 adversary build a distinguisher for the original scheme.
–The distinguisher is given the public key K_P^1 of the original scheme; it generates K_P^2 itself (keeping the matching secret key) and takes the public random string from the NIZK simulator. It hands the adversary pk = (K_P^1, K_P^2, random string).
–Decryption queries c_i are answered with a_i using the secret key of K_P^2.
–Challenge: the adversary's pair (m_0, m_1) is forwarded to the original scheme, which returns C_1 = E_pk(m_b). The distinguisher picks b'' ∈_R {0,1}, sets C_2 = E(m_{b''}, K_P^2) and obtains the proof of consistency from the simulator; the challenge is (C_1, C_2, proof).
–The distinguisher outputs the adversary's guess b'.
Theorem: the scheme is secure against CCA2 (continued).
Claim: if b = b'', the distribution the adversary witnesses is indistinguishable from the real one (the only difference is the simulated proof of consistency), so Prob[b' = b] ≥ ½ + [the adversary's advantage].
Claim: if b ≠ b'', then Prob[b' = b] = ½.
Session Key Encryption
Alice and Bob share a key K.
–Plaintext m; ciphertext c = EA(m, K) (encrypt and authenticate)
–Decryption and verification: m = DV(c, K)
Structure of the Construction: "Hybrid"
Encryption:
–Use the public key to generate a shared session key
–Use the shared key to encrypt and authenticate with a one-time scheme
Decryption:
–Use the secret key to obtain the session key
–Use session decryption and check the authentication. If it fails, reject; otherwise output the message.
A Simple DDH-Based Scheme
Key generation:
–G: a group of (prime) order q
–Choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q
–Let h = g_1^{x_1} g_2^{x_2}
–Output sk = (x_1, x_2) and pk = (g_1, g_2, h)
MAIN IDEA, redundancy: any pk corresponds to many possible sk's; h = g_1^{x_1} g_2^{x_2} reveals only log q bits of information on sk = (x_1, x_2).
A Simple Scheme: CCA1
G: a group of order q.
Key generation: choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q; let h = g_1^{x_1} g_2^{x_2}; output sk = (x_1, x_2) and pk = (g_1, g_2, h).
Enc_pk(m): choose r ∈ Z_q; output (g_1^r, g_2^r, AE(m, h^r)).
Dec_sk(u_1, u_2, e): let k = u_1^{x_1} u_2^{x_2}; output DV(e, k).
Correctness: u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r.
Key property for security: no invalid ciphertext is accepted.
Given the public key pk = (g_1, g_2, h), one linear equation on (x_1, x_2) is known, namely h = g_1^{x_1} g_2^{x_2}; still log q bits of entropy remain.
Claim: this entropy is kept during the query-attack phase.
–In a legitimate query ciphertext, (v_1, v_2) = (g_1^r, g_2^r) together with AE(m, k), and the decryption is independent of x_1, x_2.
–An invalid query ciphertext, (v_1, v_2) = (g_1^r, g_2^{r'}) with r' ≠ r together with AE(m, k), is rejected whp.
Not clear what happens when the challenge ciphertext is known during the attack: some information about h^r is leaked in AE(m, h^r).
Generalizing the Leftover Hash Lemma
To assure independence, make sure that AE(m, h^r) does not leak information about h^r.
Use a family of four-wise independent functions, each mapping G → {0,1}^ℓ.
The Modified Scheme
G: a group of order q; a family of four-wise independent functions G → {0,1}^ℓ.
Key generation: choose g_1, g_2 ∈ G, x_1, x_2 ∈ Z_q and a random member of the family; let h = g_1^{x_1} g_2^{x_2}; output sk = (x_1, x_2) and pk = (g_1, g_2, h, the chosen function).
Enc_pk(m): choose r ∈ Z_q; output (g_1^r, g_2^r, AE(m, k)) where k is the chosen function applied to h^r.
Dec_sk(u_1, u_2, e): let k be the chosen function applied to u_1^{x_1} u_2^{x_2}; output DV(e, k).
Correctness: u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r.
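An added worked example (not code from the lecture): the modified scheme over a toy safe-prime group, with the four-wise independent function instantiated as a random cubic polynomial over Z_p (named phi here; the slide's own symbol is lost) and AE/DV built from a SHA-256 one-time pad plus HMAC. It also exhibits the redundancy point: a second secret key consistent with the same pk decrypts valid ciphertexts identically but computes a different session key on an invalid (g_1^r, g_2^{r'}) pair, which DV then rejects.

```python
import hashlib, hmac, secrets
# Toy safe-prime group (constructed; far too small for real use): p = 2q + 1, the quadratic
# residues mod p form G of prime order q; g2 = g1^W, W kept only to build a second consistent sk.
P, Q, G1, W = 2039, 1019, 4, 5
G2 = pow(G1, W, P)

def phi(coeffs, v):
    """A random cubic over Z_p evaluated at v: a four-wise independent family on G."""
    return sum(c * pow(v, i, P) for i, c in enumerate(coeffs)) % P

def keygen(x1=None, x2=None, coeffs=None):
    """sk = (x1, x2), pk = (g1, g2, h, phi); explicit arguments only for reproducible tests."""
    x1 = secrets.randbelow(Q) if x1 is None else x1
    x2 = secrets.randbelow(Q) if x2 is None else x2
    coeffs = coeffs or tuple(secrets.randbelow(P) for _ in range(4))
    return (x1, x2), (G1, G2, pow(G1, x1, P) * pow(G2, x2, P) % P, coeffs)

def alt_sk(sk, t):
    """Another sk with the same h: g1^(x1 + W t) g2^(x2 - t) = g1^(x1 + W x2) = h."""
    return ((sk[0] + W * t) % Q, (sk[1] - t) % Q)

def _keys(k):  # derive (one-time pad, MAC key) from the session key k
    d = hashlib.sha256(k.to_bytes(4, "big")).digest()
    return hashlib.sha256(d[:16]).digest(), d[16:]

def AE(k, m):
    """One-time authenticated encryption of m (at most 32 bytes) under session key k."""
    pad, mk = _keys(k)
    ct = bytes(a ^ b for a, b in zip(m, pad))
    return ct, hmac.new(mk, ct, "sha256").digest()

def DV(k, e):
    """Decrypt-and-verify: the message, or None when the tag does not check (reject)."""
    ct, tag = e
    pad, mk = _keys(k)
    if not hmac.compare_digest(tag, hmac.new(mk, ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, pad))

def enc(pk, m, r=None):
    g1, g2, h, coeffs = pk
    r = secrets.randbelow(Q) if r is None else r
    return pow(g1, r, P), pow(g2, r, P), AE(phi(coeffs, pow(h, r, P)), m)

def session_key(sk, pk, c):
    """k = phi(u1^x1 u2^x2); equals phi(h^r) exactly when (u1, u2) = (g1^r, g2^r)."""
    u1, u2, _ = c
    return phi(pk[3], pow(u1, sk[0], P) * pow(u2, sk[1], P) % P)
def dec(sk, pk, c):
    return DV(session_key(sk, pk, c), c[2])
```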
Theorem: the scheme is secure against CCA1.
Proof, generating the challenge: a distinguisher for DDH, given (g_1, g_2, g_1^{r_1}, g_2^{r_2}).
–Generating pk: choose x_1, x_2 ∈ Z_q; let h = g_1^{x_1} g_2^{x_2}; output pk = (g_1, g_2, h, the chosen function) and remember sk = (x_1, x_2).
–Queries c_i are answered with a_i using sk.
–Challenge for (m_0, m_1): let k = g_1^{r_1 x_1} g_2^{r_2 x_2}; output (g_1^{r_1}, g_2^{r_2}, AE(m_b, the chosen function applied to k)).
Min-Entropy
For a probability distribution X over {0,1}^n: H_∞(X) = −log max_x Pr[X = x]; this represents the probability of the most likely value of X.
X is a k-source if H_∞(X) ≥ k (i.e., Pr[X = x] ≤ 2^{−k} for all x).
Statistical distance: Δ(X, Y) = Σ_a |Pr[X = a] − Pr[Y = a]|.
Extractors
A universal procedure for "purifying" an imperfect source.
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ·)-extractor, with second parameter the allowed statistical distance, if for any k-source X: Δ(Ext(X, U_d), U_ℓ) is at most that distance.
[Figure: Ext takes x, a k-source of length n, and a seed s of d random bits, and outputs ℓ almost-uniform bits]
Strong Extractors
The output looks random even after seeing the seed.
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ·)-strong extractor if Ext'(x, s) = s ∘ Ext(x, s) is a (k, ·)-extractor with the same parameters.
Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors.
Example: Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n].
–Output length ℓ = k − 2 log(1/distance)
–Seed length d = 2n; with almost pairwise independence, d = O(log n + k)
Generalizing the Leftover Hash Lemma
Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors: for a function drawn at random from the family, (the function, its value on X) is close to uniform provided X has sufficient min-entropy.
New lemma [KPSY 09]: if (X, X') are random variables such that H_∞(X), H_∞(X') ≥ [bound] and Prob[X = X'] = 0, and a function is drawn at random from a four-wise independent family with outputs in {0,1}^ℓ, then (the function, its value on X, its value on X') is 2^{(ℓ − [bound])/2}-close to uniform.
The Modified Scheme (analysis)
G: a group of order q; a family of four-wise independent functions. (x_1, x_2) have log q bits of entropy.
Enc_pk(m): choose r ∈ Z_q; output (g_1^r, g_2^r, AE(m, k)) where k is the chosen function applied to h^r.
Dec_sk(u_1, u_2, e): let k be the chosen function applied to u_1^{x_1} u_2^{x_2}; output DV(e, k).
For (u_1, u_2) and (u'_1, u'_2), let X = u_1^{x_1} u_2^{x_2} and X' = u'_1^{x_1} u'_2^{x_2}. Given the function's value on X, no information is leaked about its value on X', provided (u_1, u_2) and (u'_1, u'_2) differ; here (u_1, u_2) comes from the challenge and (u'_1, u'_2) from an adversary-generated query.
Still hard to find invalid ciphertexts that pass the test.
Proof: summing up
During the attack, with t the number of ciphertexts queried:
–The chance that an invalid ciphertext is not labeled as such is t · Pr[forgery in AE]; the entropy of (x_1, x_2) decreases by this amount.
–The challenge ciphertext is valid or not depending on whether the input is a DDH tuple or not.
If the original adversary wins the game with probability ½ + [advantage], the advantage in distinguishing DDH from non-DDH is [the corresponding advantage].
Correlated Products of Trapdoors
One-way functions:
–Easy to evaluate: x ↦ f(x)
–Hard to invert: for any efficient algorithm A, Prob[A(f(x)) ∈ f^{−1}(f(x))] is negligible
Injective trapdoor functions (TDFs): (f, f^{−1}) ← F.
Correlated Products
For a collection F of one-way functions consider (f_1(x_1), …, f_k(x_k)) for every f_1, …, f_k ∈ F.
(f_1, …, f_k) is hard to invert for random (x_1, …, x_k). But what happens when x_1, …, x_k are correlated?
–For instance: x_1 = x_2 = … = x_k
Secure or Insecure Examples
Secure: discrete log, f_i(x) = g_i^x, i.e. x → (g_1^x, g_2^x, …, g_k^x) mod P.
–As secure as x → g^x mod P, through random self-reducibility.
Insecure: plain broadcast RSA, f_i(x) = x^3 mod N_i.
–Can recover x from x^3 mod N_1, x^3 mod N_2, x^3 mod N_3 using the CRT.
Security Under Correlated Products
Definition: F is secure under a C-correlated product if for any efficient A, Pr[A(f_1, …, f_k, f_1(x_1), …, f_k(x_k)) = (x_1, …, x_k)] is negligible, where f_1, …, f_k ← F and (x_1, …, x_k) ← C.
Natural correlations:
–x_1 = x_2 = … = x_k (k-repetition)
–(x_1, …, x_k) are ℓ-wise independent for ℓ < k
Reminder: CPA-Security from TDFs
A collection F of injective TDFs and a hard-core bit h for F: given f(x) it is infeasible to guess h(x) with a noticeable advantage.
The scheme:
–Key generation: (pk, sk) = (f, f^{−1})
–Encryption: Enc(pk, b) = (f(x), h(x) ⊕ b) for x ∈_R {0,1}^n
–Decryption: Dec(sk, (c, d)) = h(f^{−1}(c)) ⊕ d
CCA-Security from Repetition
A collection F of injective TDFs secure under the k-repetition product, and a hard-core bit h for F: given f(x) it is infeasible to guess h(x) with a noticeable advantage.
Goldreich-Levin (inner product) is still hard-core.
CCA1-Scheme
A collection F of injective TDFs secure under the k-repetition product.
Key generation:
–Public: (f_1^0, f_1^1), (f_2^0, f_2^1), …, (f_k^0, f_k^1), h
–Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)
Enc_pk(b): choose v ∈_R {0,1}^k and x ∈_R {0,1}^n; output (v, f^1_{v_1}(x), …, f^k_{v_k}(x), h(x) ⊕ b).
[Figure: the 2 × k table of functions f_i^b; the bits of v select one function per column]
Dec_sk(v, y_1, …, y_k, d): invert y_1, …, y_k to obtain x_1, …, x_k; if all inverses are consistent, x_1 = … = x_k = x, output h(x) ⊕ d.
Need to know only one secret key to perform decryption: one trapdoor s_i^{v_i} recovers x, and consistency of the other positions is checked by re-evaluating the public f_j^{v_j}(x) = y_j.
Theorem: the scheme is secure against CCA1.
Proof of security: from a CCA1 adversary build a distinguisher for the k-repetition product with hard-core bit h.
–Input: (h, f_1(x), …, f_k(x)) for f_1, …, f_k ← F and a random x.
–pk = (f_1^0, f_1^1), (f_2^0, f_2^1), …, (f_k^0, f_k^1), h: choose a random v and place the given f_i at position f_i^{v_i} (the locations of the input f_i's are determined by the random v); the remaining f_i^{1−v_i} are generated with their trapdoors.
–Preprocessing queries c_i are answered with a_i using the trapdoors the distinguisher generated itself.
–When the adversary is ready for the challenge: choose b'' ∈_R {0,1} and output C = (v, f_1(x), …, f_k(x), b'').
–Given the adversary's answer b', output b' ⊕ b'' as the guess for h(x).
One-Time Signature Schemes
A signature scheme that is existentially unforgeable:
–Adversary A gets to pick and see the signature on one message
–A wins if he can find any other (message, signature) pair that is accepted by the signature verification algorithm; the message should be different
–Strongly unforgeable: also cannot find another signature for a message that has been signed
One-Time Signature Schemes: Construction
The construction can be based on any one-way function g.
–Public: (y_1^0, y_1^1), (y_2^0, y_2^1), …, (y_k^0, y_k^1)
–Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)
–Where y_i^b = g(s_i^b)
Signature on a message m ∈_R {0,1}^k: output s_1^{m_1}, s_2^{m_2}, …, s_k^{m_k}.
[Figure: the 2 × k table of values y_i^b; the bits of m select one secret per column]
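An added example (not the lecture's code) of the construction above: secrets s_i^b are random 32-byte strings, y_i^b = g(s_i^b) with g instantiated as SHA-256 (an assumption; the slide only needs g one-way), and signing a k-bit message reveals s_i^{m_i}. The "used" flag is this example's guard against signing twice with one key, not part of the construction.

```python
import hashlib, secrets

K = 64  # messages are k-bit strings with k = 64 (8 bytes); secrets are 32-byte strings

def g(s):
    """The one-way function g; using SHA-256 here is an assumption of this example."""
    return hashlib.sha256(s).digest()

def ots_keygen():
    """Secret: k pairs (s_i^0, s_i^1); public: y_i^b = g(s_i^b)."""
    s = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(K)]
    return {"s": s, "used": False}, [(g(s0), g(s1)) for s0, s1 in s]

def bits(m):
    """Message bits m_1, ..., m_k (most significant bit first)."""
    v = int.from_bytes(m, "big")
    return [(v >> (K - 1 - i)) & 1 for i in range(K)]

def ots_sign(sk, m):
    """Output s_1^{m_1}, ..., s_k^{m_k}; returns None if the key was already used once."""
    if len(m) != K // 8 or sk["used"]:
        return None
    sk["used"] = True
    return [sk["s"][i][b] for i, b in enumerate(bits(m))]

def ots_verify(pk, m, sig):
    """Accept iff every revealed s_i satisfies g(s_i) = y_i^{m_i}."""
    if len(m) != K // 8 or len(sig) != K:
        return False
    return all(g(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(m))))
```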
CCA2-Scheme
A collection F of injective TDFs secure under k-repetition, and a one-time signature scheme.
Key generation:
–Public: (f_1^0, f_1^1), (f_2^0, f_2^1), …, (f_k^0, f_k^1), h
–Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)
Enc_pk(b): choose (v, s) for the one-time signature scheme (v the verification key, s the signing key) and x ∈_R {0,1}^n; output (v, f^1_{v_1}(x), …, f^k_{v_k}(x), h(x) ⊕ b) together with a signature, using s, on this message.
Dec_sk(v, y_1, …, y_k, d): invert y_1, …, y_k to obtain x_1, …, x_k; if all inverses are consistent (x_1 = … = x_k) and the signature verifies under v, output h(x) ⊕ d.
Homework: One-Time Signature Schemes
–Show that if g is a one-way function the scheme is indeed a one-time signature scheme.
–Show how to obtain a strongly unforgeable signature scheme. You may use the existence of universal one-way hash functions.
–Why do we need strongly unforgeable signature schemes in the CCA2 scheme?
Universal One-Way Hash Functions (UOWHFs)
A family of functions G = {g | g: {0,1}^n → {0,1}^{h(n)}} such that:
–Easy to sample g from G, and g ∈ G has a succinct description
–Given (n, g, x) it is easy to compute g(x)
–h(n) < n
–Hard to find target collisions: given (n, g, x) it is hard to find x' ∈ {0,1}^n where x ≠ x' but g(x) = g(x'); the adversary picks x before seeing g
Interactive Authentication
P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E (and the corresponding secret key K_S).
To authenticate a message m:
–V → P: choose r ∈_R {0,1}^n; send c = E(m ∘ r, K_P)
–P → V: on receiving c, decrypt c using K_S and verify that the prefix of the plaintext is m; if yes, send r
–V is satisfied if he receives the same r he chose
Claim: if E is CCA2-secure, then the scheme is existentially unforgeable against an active adversary.
Sources
–Dolev, Dwork and Naor: Non-Malleable Cryptography. SIAM J. Computing; also SIAM Review 2003.
–Cramer and Shoup: Design and Analysis of Practical Public-Key Encryption Schemes Secure Against Adaptive Chosen Ciphertext Attack.
–See also Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. Eurocrypt 2003.
–Kiltz, Pietrzak, Stam and Yung: A New Randomness Extraction Paradigm for Hybrid Encryption. Eurocrypt.
–Peikert and Waters: Lossy Trapdoor Functions and Their Applications. STOC.
–Rosen and Segev: Chosen Ciphertext Security via Correlated Products. TCC 2009.