Topics in Cryptography Lecture 6 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.


Topics in Cryptography Lecture 6 Topic: Chosen Ciphertext Security Lecturer: Moni Naor

Recap: chosen ciphertext security
Why chosen ciphertext/malleability matters
Taxonomy of attacks and security
Ideas for achieving CCA
–Redundancy + verification
–The NIZK approach
Simple scheme achieving CCA1
–Based on DDH
–Modification achieving CCA2
Chosen-ciphertext security via correlated products

Homework: One-time Signature Schemes
Show that if g is a one-way function the scheme is indeed a one-time signature scheme.
Show how to obtain a strongly unforgeable signature scheme
–You may use the existence of Universal One-way Hash Functions
Why do we need strongly unforgeable signature schemes in the CCA2 scheme?

One-time Signature Schemes
A signature scheme that is existentially unforgeable:
Adversary A gets to pick and see the signature on one message.
A wins if he can find any other (message, signature) pair that is accepted by the signature verification algorithm
–The message should be different
–Strongly unforgeable: also cannot find another signature for a message that has been signed

One-time Signature Schemes
Construction can be based on any one-way function g
Public: (y_1^0, y_1^1), (y_2^0, y_2^1), …, (y_k^0, y_k^1)
Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)
where y_i^b = g(s_i^b)
Signature on message m ∈ {0,1}^k: output s_1^{m_1}, s_2^{m_2}, …, s_k^{m_k}
[Figure: for m = 0 1 … 0 the signature reveals s_1^0, s_2^1, …, s_k^0]
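As an added example (not code from the lecture), the construction above with g instantiated by SHA-256 and k = 16 (both assumptions), plus a small wrapper that enforces the one-time restriction the slide's name implies:

```python
import hashlib
import secrets

K = 16  # message length k in bits (assumption for the demo)


def g(s):
    """The one-way function g, instantiated with SHA-256 (assumption: modelled as one-way)."""
    return hashlib.sha256(s).digest()


def keygen():
    """Secret: (s_i^0, s_i^1) for i = 1..k; public: y_i^b = g(s_i^b)."""
    secret = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(K)]
    public = [(g(s0), g(s1)) for s0, s1 in secret]
    return public, secret


def bits(m):
    return [(m >> i) & 1 for i in range(K)]


def sign(secret, m):
    """Signature on m: reveal s_i^{m_i} for each bit m_i of m."""
    assert 0 <= m < (1 << K)
    return [secret[i][b] for i, b in enumerate(bits(m))]


def verify(public, m, sig):
    """Accept iff every revealed preimage hashes to the published y_i^{m_i}."""
    if not (0 <= m < (1 << K)) or len(sig) != K:
        return False
    return all(g(sig[i]) == public[i][b] for i, b in enumerate(bits(m)))


class OneTimeSigner:
    """Wraps a key pair and enforces the one-time restriction: signing two different
    messages would reveal both s_i^0 and s_i^1 at every position where they differ."""

    def __init__(self):
        self.public, self._secret = keygen()
        self._used = False

    def sign(self, m):
        if self._used:
            raise RuntimeError("one-time key already used")
        self._used = True
        return sign(self._secret, m)
```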

Universal One-Way Hash Functions (UOWHFs)
A family of functions G = {g | g: {0,1}^n → {0,1}^{h(n)}} such that:
Easy to sample g from G, and g ∈ G has a succinct description
Given (n, g, x) it is easy to compute g(x)
h(n) < n
Hard to find target collisions:
–Given (n, g, x), hard to find x' ∈ {0,1}^n where x ≠ x' but g(x) = g(x')
–The adversary picks x before seeing g

Motivation for Zero-Knowledge
Can turn any protocol that works well when the parties are benign (but curious) into one that works well when the parties are malicious.
Usage of NIZK to obtain CCA is an example of the principle.

Correlated Products
For a collection F of one-way functions consider (f_1(x_1), …, f_k(x_k)) for every f_1, …, f_k ∈ F.
f_1, …, f_k is hard to invert for random (x_1, …, x_k).
But what happens when x_1, …, x_k are correlated?
–For instance: x_1 = x_2 = … = x_k (repetition)

CCA-Security from Repetition
Collection F of injective TDFs secure under the k-repetition product.
Hard-core bit h for F: given f(x), it is infeasible to guess h(x) with a noticeable advantage.
Goldreich-Levin (inner product) is still hard-core.

CCA1-Scheme
Collection F of injective TDFs secure under the k-repetition product.
Key generation:
Public: (f_1^0, f_1^1), (f_2^0, f_2^1), …, (f_k^0, f_k^1), h
Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)
Enc_pk(b): choose v ∈_R {0,1}^k, x ∈_R {0,1}^n; output (v, f_1^{v_1}(x), …, f_k^{v_k}(x), h(x) ⊕ b)
[Figure: for v = 0 1 … 0 the ciphertext uses f_1^0, f_2^1, …, f_k^0]

Construction of Correlation Product
Lossy Trapdoor Functions [Peikert Waters '08]
Two indistinguishable collections:
–F_0: collection of many-to-one functions
–F_1: collection of injective functions
[Figure: f ∈ F_1 has an inverse f^{-1}; f ∈ F_0 has large indegree]
Indistinguishability ⇒ hardness of inversion

Construction of Correlation Product
Lossy Trapdoor Functions [Peikert Waters '08]
Two indistinguishable collections:
–F_0: collection of many-to-one functions
–F_1: collection of injective functions
Various number-theoretic assumptions [PW '08, GRS '08, BFO '08, …]
Claim: F_1 is secure under x_1 = … = x_k
–f ∈ F_0 is many-to-one: f(x) "reveals" only r ≪ n bits of x
–f_1(x), …, f_k(x) is one-way as long as r·k = n − ω(log n)

Realizing Lossy Trapdoors from DDH
DDH: (g, g^x, g^y, g^{xy}) ≈ (g, g^x, g^y, g^z)
El Gamal: public key ⟨g, h = g^x⟩, secret key x
Encrypt (small m): random r; send (g^r, h^r g^m)
Homomorphism on message and randomness (coordinate-wise): E(m_1, r_1) · E(m_0, r_0) = E(m_1 + m_0, r_1 + r_0)
Second coordinate: h^r g^m = g^{xr+m}

Ciphertext Matrix
For any matrix M = {m_ij}_ij define the ciphertext matrix (plus vector):
Every row i has the same h_i = g^{x_i}
Every column j uses the same randomness r_j
Entry (i, j): h_i^{r_j} g^{m_ij}
Vector: g^{r_j} for every column j
The h_i's are not published

Synthesizer of Ciphertext Matrix
Every row i has the same h_i = g^{x_i}
Every column j uses the same randomness r_j
Entry (i, j): h_i^{r_j} g^{m_ij}; vector: g^{r_j}
Key property: the matrix is indistinguishable with respect to M = {m_ij}_ij
The h_i's are not published

Homework: getting rid of the one-time Signature Schemes
Prove that for any two matrices M_0 and M_1 the resulting ciphertext matrix plus randomness vector are indistinguishable

Generating Products
Every row i has the same h_i = g^{x_i}; entry (i, j) is h_i^{r_j} g^{m_ij}, vector g^{r_j}
Given the ciphertext matrix of M and a plaintext P ∈ {0,1}^n: can generate an encryption of M·P
–Multiply, along each row, the entries of the columns j with P_j = 1 (and likewise the vector entries); by the homomorphism row i becomes h_i^{Σ_j r_j P_j} g^{(M·P)_i}

Public Key
Public key: the ciphertext matrix h_i^{r_j} g^{m_ij} together with the vector g^{r_j}, where the m_ij are either:
–the all-zero matrix M_0
–the identity matrix M_I
Every row i has the same h_i = g^{x_i}; plaintext P is encrypted with the matrix as above

Claim: if the matrix is the identity, can reconstruct the plaintext
–From M·P
Claim: if the matrix is all zero, lossy when the dimension n is larger than log q
–Each entry is just a sum of the r_j's according to P
–The rest is determined by h_i
–log q bits of information
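An added worked example (not the lecture's own code) of the DDH ciphertext-matrix trapdoor function from the last few slides, over a toy group p = 2039, q = 1019, g = 4 with dimension n = 12 (all assumptions, far too small for real use): the identity branch is inverted with the trapdoor x_i, and the all-zero branch is shown to be lossy by exhibiting two distinct inputs with the same image.

```python
import secrets

# Toy DDH group (assumption, not from the lecture): p = 2q + 1 with q prime,
# g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4
N = 12  # dimension n; n > log2(q) ~ 10, so the all-zero branch must lose information


def keygen(identity):
    """Ciphertext matrix for M = I (injective branch) or M = 0 (lossy branch).
    Row i uses h_i = g^{x_i}, column j uses randomness r_j. Published: the entries
    h_i^{r_j} g^{m_ij} and the vector g^{r_j}; the h_i stay secret, x is the trapdoor."""
    x = [secrets.randbelow(Q - 1) + 1 for _ in range(N)]
    r = [secrets.randbelow(Q - 1) + 1 for _ in range(N)]
    gr = [pow(G, rj, P) for rj in r]
    C = [[pow(G, (x[i] * r[j] + (1 if identity and i == j else 0)) % Q, P)
          for j in range(N)] for i in range(N)]
    return (C, gr), x


def evaluate(pk, bits):
    """f(P) for P in {0,1}^n: multiply, along each row, the columns with P_j = 1.
    By the homomorphism row i becomes h_i^S g^{(M P)_i} with S = sum_j r_j P_j,
    and the vector becomes g^S."""
    C, gr = pk
    s = 1
    for j in range(N):
        if bits[j]:
            s = s * gr[j] % P
    rows = []
    for i in range(N):
        acc = 1
        for j in range(N):
            if bits[j]:
                acc = acc * C[i][j] % P
        rows.append(acc)
    return s, tuple(rows)


def invert(sk, y):
    """Identity branch: with trapdoor x_i, h_i^S = (g^S)^{x_i}; dividing it out of
    row i leaves g^{P_i}, i.e. 1 or g, so P is recovered bit by bit."""
    s, rows = y
    bits = []
    for i in range(N):
        mask = pow(s, sk[i], P)
        rem = rows[i] * pow(mask, -1, P) % P
        if rem == 1:
            bits.append(0)
        elif rem == G:
            bits.append(1)
        else:
            raise ValueError("not in the image of f")
    return bits


def find_lossy_collision(pk):
    """All-zero branch: every row is just h_i^S, so the image depends only on
    S = sum_j r_j P_j mod q. With 2^n > q inputs, pigeonhole gives two distinct P
    with the same image; we locate a pair by scanning the published vector product."""
    seen = {}
    for v in range(1 << N):
        bits = [(v >> j) & 1 for j in range(N)]
        s = 1
        for j in range(N):
            if bits[j]:
                s = s * pk[1][j] % P
        if s in seen:
            return seen[s], bits
        seen[s] = bits
    return None
```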

Identity-Based Encryption (IBE)
A public-key* encryption system where any arbitrary string can be used as the public key
–Examples: user's address, current date, biometric data…
An authority publishes a public master-key and keeps secret a private master-key
Extract: given any string ID ∈ {0,1}* can create SK_ID
To encrypt need the public master-key and ID
To decrypt need SK_ID

Identity-Based Encryption (IBE)
[Figure: Alice encrypts to Bob using the public master-key and Bob's identity string “ ”; Bob proves “I am “ ”” to the CA, which holds the private master-key, and obtains SK_Bob. This could happen before or after the message was encrypted.]
ID can be: “ ”, + time, + credentials, fingerprint…

History
The concept was formulated by Adi Shamir in 1984
First IBE schemes in 2001
–Boneh and Franklin, Crypto 2001: based on pairings
–Cocks, Intern. Conf. on Cryptography and Coding 2001: based on quadratic residuosity
–First proposals: need a random oracle
–Later ones: standard model

Security Definition for IBE
Semantic security against an adaptive-ID extraction attack
–No polynomially bounded adversary can distinguish with non-negligible advantage between encryptions of m_0 and m_1 under the target id
–m_0 and m_1 chosen by the adversary
–The adversary gets to issue extract requests: given id_i, obtain SK_{id_i}
–How is the target id chosen? Adaptively, or ahead of time (selective-ID security)
–Extract may not be issued on the target id

Getting CCA1 from IBE
Public key: master public key of the IBE scheme; secret key: corresponding master secret key.
To encrypt a message m:
–Generate a random string vk
–Encrypt the message m with respect to the "identity" vk
–Resulting ciphertext C
–The ciphertext: ⟨C, vk⟩
To decrypt a ciphertext ⟨C, vk⟩:
–Extract the key corresponding to vk and decrypt C

CCA from IBE
Public key: master public key of the IBE scheme; secret key: corresponding master secret key.
To encrypt a message m:
–Generate a key-pair (vk, sk) for a one-time strong signature scheme
–Encrypt the message m with respect to the "identity" vk
–The resulting ciphertext C is then signed using sk to obtain a signature σ
–The ciphertext: ⟨C, vk, σ⟩
To decrypt a ciphertext ⟨C, vk, σ⟩:
–Verify the signature σ on C using vk
–If it passes: extract the key corresponding to vk and decrypt C

Getting rid of the one-time signatures
One-time signature: long and not so efficient
Idea: replace the signature with a MAC
–Unconditional authentication (h pairwise independent)
–Replace the signature key with a commitment to the (MAC) hash function
To encrypt a message m:
–Generate (h, ck, dk): ck is a commitment to h and dk the decommitment
–Encrypt the message m ∥ dk ∥ h with respect to the identity ck
–The resulting ciphertext C is then authenticated using h: σ = h(C)
–The ciphertext: ⟨C, ck, σ⟩
To decrypt a ciphertext ⟨C, ck, σ⟩:
–Extract the key corresponding to ck and decrypt C to obtain m ∥ dk ∥ h
–Verify that dk is proper and σ = h(C). Output m only if true

Homework: getting rid of the one-time Signature Schemes
Is it possible to use a commitment instead of a one-time signature in the correlated-products scheme?

Is it circular?
The value of h is still protected, from semantic security.
h is known only at one point (h(C)); at all other points its value is uniformly distributed
For a challenge ciphertext ⟨C, ck, σ⟩:
Any decryption query with ck' ≠ ck is "useless"
–Can be answered by an IBE query
If ck' = ck, the query can guess whp that either
–dk is not proper, or
–h(C') ≠ σ', from the pairwise independence
and hence reject C' ≠ C

Interactive Authentication
P wants to convince V that he is approving message m
P has a public key K_P of an encryption scheme E.
To authenticate a message m:
V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∥ r, K_P)
P → V: Receiving c, decrypt c using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose

Is it Safe?
Want: existential unforgeability against adaptive chosen message attack
–The adversary can ask to authenticate any sequence m_1, m_2, …
–Has to succeed in making V accept a message m not authenticated
–Has complete control over the channels
Intuition of security: if E does not leak information about the plaintext
–Nothing is leaked about r
Several problems if E is "just" semantically secure against chosen plaintext attacks:
–The adversary might change c = E(m ∥ r, K_P) into c' = E(m' ∥ r, K_P) (malleability)
–Not sufficient to verify the correct form of the ciphertext in the simulation
Closer to a chosen ciphertext attack

Interactive Authentication
P wants to convince V that he is approving message m
P has a public key K_P of an encryption scheme E.
To authenticate a message m:
V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∥ r, K_P)
P → V: Receiving c, decrypt c using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose
Claim: if E is CCA2 secure, then the scheme is existentially unforgeable against an active adversary

Theorem: If E is secure against CCA2 then the Interactive Authentication Scheme is existentially unforgeable against CMA
Proof of Security
[Figure: distinguisher for the original scheme. It receives pk = K_P, chooses m_0, m_1 and gets the challenge C = E_pk(m_b). It runs the forger, answering requests to authenticate message b_i by passing c_i to its decryption oracle and returning r_i or nil. It guesses an index j, sets the challenge pair to (b_j ∥ r, b_j ∥ r') and plugs C into the protocol. If the forgery returns r, output b' = 0; if it returns r', output b' = 1; otherwise flip a coin.]

No receipts
Can the verifier convince a third party that the prover approved a certain message?

Authentication and Non-Repudiation
Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to a third party: non-repudiation.
–Essential to contract signing, e-commerce…
Digital signatures: last 25 years, major effort in
–Research: notions of security, computationally efficient constructions
–Technology, infrastructure (PKI), commerce, legal

Is non-repudiation always desirable?
Not necessarily so:
Privacy of conversation, no (verifiable) record.
–Do you want everything you ever said to be held against you?
If Bob pays for the authentication, he shouldn't be able to transfer it for free
Perhaps can gain efficiency
Alternative: (plausible) deniability
–If the recipient (or any recipient) could have generated the conversation himself, or an indistinguishable one

Deniable Authentication
Setting: the sender has a public key known to the receiver
Want an authentication scheme such that the receiver keeps no receipt of the conversation. This means: any receiver could have generated the conversation itself.
–There is a simulator that, for any message m and verifier V*, generates an indistinguishable conversation.
–Exactly as in zero-knowledge!
–An example where zero-knowledge is the end, not the means!
Proof of security consists of unforgeability and deniability

Ring Signatures and Authentication
Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
–Other members do not cooperate
–Use their 'regular' public keys (encryption)
–Should be indistinguishable which member of the set is actually doing the authentication
[Figure: Alice, Bob, Eve: which one is authenticating?]
Ring signatures: Rivest, Shamir and Tauman

A Public Key Authentication Protocol
P has a public key P_K of an encryption scheme E.
To authenticate a message m:
V → P: Choose r ∈_R {0,1}^n and random bits σ ∈ {0,1}*. Send Y = E(P_K, m ∥ r, σ)
P → V: Verify that the prefix of the plaintext is indeed m. If yes, send r.
V accepts iff the received r' = r
Is it unforgeable? Is it deniable?

Security of the scheme
Unforgeability: depends on the strength of E
Sensitive to malleability:
–If, given E(P_K, m ∥ r, σ), one can generate E(P_K, m' ∥ r', σ') where m' is related to m and r' is related to r, then one can forge.
The protocol allows a chosen ciphertext attack on E
–Even of the post-processing kind!
Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
Works even against concurrent executions.
Deniability: does V retain a receipt?
–It does not retain one for an honest V
–Need to prove knowledge of r
We saw an encryption scheme satisfying the desired requirements

Simulator for honest receiver
Choose r ∈_R {0,1}^n. Output: ⟨Y = E(P_K, m ∥ r, σ), r, σ⟩
Has exactly the same distribution as a real conversation when the verifier follows the protocol: statistical indistinguishability
A verifier might cheat by checking whether certain ciphertexts have m as a prefix
No known concrete way of doing harm this way

Encryption as Commitment
When the public key P_K is fixed and known, Y = E(P_K, x, σ) can be seen as a commitment to x
To open x: reveal σ, the random bits used to create Y
Perfect binding: from unique decryption
–For any Y there are no two different x and x' and σ and σ' s.t. Y = E(P_K, x, σ) = E(P_K, x', σ')
Secrecy: no information about x is leaked to those not knowing the private key P_S

Deniable Protocol
P has a public key P_K of an encryption scheme E.
To authenticate message m:
V → P: Choose x ∈_R {0,1}^n. Send Y = E(P_K, m ∥ x, σ)
P → V: Send E(P_K, x, τ) (P commits to the value x; does not want to reveal it yet)
V → P: Send x and σ, opening Y = E(P_K, m ∥ x, σ)
P → V: Open E(P_K, x, τ) by sending τ.

Security of the scheme
Unforgeability: as before, depends on the strength of E
–Can simulate the previous scheme (with access to D(P_K, ·))
Important property: E(P_K, x, τ) is a non-malleable commitment (wrt the encryption) to x.
Deniability: can run a simulator
–Extract x by running with E(P_K, garbage, τ) and rewinding
–Expected polynomial time
–Need the semantic security of E: it acts as a commitment scheme

Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
–Other members do not cooperate
–Use their 'regular' public keys
–Should be indistinguishable which member of the set is actually doing the authentication
[Figure: Alice, Bob, Eve: which one is authenticating?]

Ring Authentication Setting
A ring is an arbitrary set of participants including the authenticator
Each member i of the ring has a public encryption key P_{K_i}
–Only i knows the corresponding secret key P_{S_i}
To run a ring authentication protocol both sides need to know P_{K_1}, P_{K_2}, …, P_{K_n}, the public keys of the ring members

An almost Good Ring Authentication Protocol
Ring has public keys P_{K_1}, P_{K_2}, …, P_{K_n} of encryption scheme E
To authenticate message m with the j-th decryption key P_{S_j}:
V → P: Choose x ∈ {0,1}^n. Send E(P_{K_1}, m ∥ x, r_1), E(P_{K_2}, m ∥ x, r_2), …, E(P_{K_n}, m ∥ x, r_n)
P → V: Decrypt E(P_{K_j}, m ∥ x, r_j) using P_{S_j}, and send E(P_{K_1}, x, t_1), E(P_{K_2}, x, t_2), …, E(P_{K_n}, x, t_n)
V → P: Open all the E(P_{K_i}, m ∥ x, r_i) by sending x and r_1, r_2, …, r_n
P → V: Verify consistency and open all E(P_{K_i}, x, t_i) by sending t_1, t_2, …, t_n
Problem: what if not all suffixes (the x's) are equal?

The Ring Authentication Protocol
Ring has public keys P_{K_1}, P_{K_2}, …, P_{K_n} of encryption scheme E
To authenticate message m with the j-th decryption key P_{S_j}:
V → P: Choose x ∈ {0,1}^n. Send E(P_{K_1}, m ∥ x, r_1), E(P_{K_2}, m ∥ x, r_2), …, E(P_{K_n}, m ∥ x, r_n)
P → V: Decrypt E(P_{K_j}, m ∥ x, r_j) using P_{S_j}, and send E(P_{K_1}, x_1, t_1), E(P_{K_2}, x_2, t_2), …, E(P_{K_n}, x_n, t_n), where x = x_1 + x_2 + … + x_n
V → P: Open all the E(P_{K_i}, m ∥ x, r_i) by sending x and r_1, r_2, …, r_n
P → V: Verify consistency and open all E(P_{K_i}, x_i, t_i) by sending t_1, t_2, …, t_n and x_1, x_2, …, x_n
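The four-move ring protocol above, as an added example (not the lecture's code) that also illustrates the earlier "encryption as commitment" slide: E is instantiated by a toy hashed-ElGamal over p = 2039 that is deterministic for fixed randomness, so revealing the randomness opens a ciphertext (assumption; this toy E is not CCA-secure, so the code shows the message flow and consistency checks, not unforgeability).

```python
import hashlib
import secrets

# Toy group (assumption, not from the lecture): safe prime p = 2q + 1, g = 4 of order q.
P, Q, G = 2039, 1019, 4
XLEN = 4  # bytes of the challenge x


def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def rand():
    return secrets.randbelow(Q - 1) + 1


def _pad(k, n):
    return hashlib.sha256(k.to_bytes(2, "big")).digest()[:n]


def E(pk, msg, rnd):
    """Hashed ElGamal standing in for the lecture's E (assumption). Deterministic for a
    fixed rnd, so revealing rnd later opens the ciphertext as a commitment to msg."""
    assert len(msg) <= 32
    pad = _pad(pow(pk, rnd, P), len(msg))
    return pow(G, rnd, P), bytes(a ^ b for a, b in zip(msg, pad))


def D(sk, ct):
    c1, c2 = ct
    pad = _pad(pow(c1, sk, P), len(c2))
    return bytes(a ^ b for a, b in zip(c2, pad))


def xor_all(parts):
    out = bytes(len(parts[0]))
    for q in parts:
        out = bytes(a ^ b for a, b in zip(out, q))
    return out


def ring_authenticate(pks, j, sk_j, m):
    """Run all four moves between V and a prover P holding the j-th secret key.
    Returns True iff V accepts. Both roles live in one function for readability."""
    n = len(pks)
    # V -> P: E(PK_i, m||x, r_i) for every ring member i
    x = secrets.token_bytes(XLEN)
    r = [rand() for _ in range(n)]
    move1 = [E(pks[i], m + x, r[i]) for i in range(n)]
    # P -> V: decrypt its own copy, share x as x_1 + ... + x_n (XOR), commit to each share
    mx = D(sk_j, move1[j])
    if mx[: len(m)] != m:
        return False
    x_p = mx[len(m):]
    shares = [secrets.token_bytes(XLEN) for _ in range(n - 1)]
    shares.append(xor_all(shares + [x_p]))
    t = [rand() for _ in range(n)]
    move2 = [E(pks[i], shares[i], t[i]) for i in range(n)]
    # V -> P: open all move-1 ciphertexts by sending x and r_1..r_n.
    # P verifies consistency (every copy really carried the same m||x) before opening anything
    if any(E(pks[i], m + x, r[i]) != move1[i] for i in range(n)):
        return False
    # P -> V: open the share commitments by sending t_1..t_n and x_1..x_n;
    # V checks every opening against move 2
    if any(E(pks[i], shares[i], t[i]) != move2[i] for i in range(n)):
        return False
    # V accepts iff the opened shares sum to its own x
    return xor_all(shares) == x
```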

Complexity of the scheme
Sender: a single decryption, n encryptions and n encryption verifications
Receiver: n encryptions and n encryption verifications
Communication complexity: O(n) public-key encryptions

Security of the scheme
Unforgeability: as before (assuming all keys are well chosen), since E(P_{K_1}, x_1, t_1), E(P_{K_2}, x_2, t_2), …, E(P_{K_n}, x_n, t_n) where x = x_1 + x_2 + … + x_n is a non-malleable commitment to x
Source hiding: which key was used (among well-chosen keys) is
–Computationally indistinguishable during the protocol
–Statistically indistinguishable after the protocol, if it ends successfully
Deniability: can run the simulator 'as before'

Sources
Dolev, Dwork and Naor: Non-Malleable Cryptography, SIAM J. Computing; also SIAM Review 2003
Peikert and Waters: Lossy Trapdoor Functions and Their Applications, STOC
Rosen and Segev: Chosen Ciphertext Security via Correlated Products, TCC
Naor: Deniable Ring Authentication, Crypto 2002

CCA2-Scheme
Collection F of injective TDFs secure under k-repetition; a one-time signature scheme ss
Key generation:
Public: (f_1^0, f_1^1), (f_2^0, f_2^1), …, (f_k^0, f_k^1), h
Secret: (s_1^0, s_1^1), (s_2^0, s_2^1), …, (s_k^0, s_k^1)
Enc_pk(b): choose (v, s) for the one-time ss and x ∈_R {0,1}^n; output (v, f_1^{v_1}(x), …, f_k^{v_k}(x), h(x) ⊕ b) together with a signature using s on this message
Dec_sk(v, y_1, …, y_k, d): invert y_1, …, y_k to obtain x_1, …, x_k; if all inverses are consistent (x_1 = … = x_k) and the signature is ok, output h(x) ⊕ d