
Topics in Cryptography Lecture 5 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.


1 Topics in Cryptography Lecture 5 Topic: Chosen Ciphertext Security Lecturer: Moni Naor

2 Recap: chosen ciphertext security
- Why chosen ciphertext / malleability matters
- Taxonomy of attacks and security notions
- Ideas for achieving CCA security
  – Redundancy + verification
- A simple scheme achieving CCA1
  – Based on DDH

3 Attacks and security notions
Attack (columns): chosen plaintext (CPA); chosen ciphertext, preprocessing (CCA1); chosen ciphertext, postprocessing (CCA2).
Breaking notion (rows): semantic security; non-malleability.
All other implications are proper.
Open problem: construct a more secure version from the less secure one. Is it possible to construct CCA2 from SS/CPA?

4 Ideas for achieving resistance to CCA
- Add redundancy: hard to generate frivolous ciphertexts.
- Add methods to check consistency. This is the trickiest part:
  – Non-interactive zero-knowledge
  – Specific schemes
- Decrypt only if the given ciphertext passes the consistency checks.
- Important point: may decrypt with several different private keys.
[Figure: ciphertext made of $C_1$, $C_2$ and a proof of consistency]

5 How to prove consistency?
Zero-knowledge proof system for a language $L$ (Prover, Verifier):
- Completeness: if $x \in L$ the verifier accepts.
- Soundness: if $x \notin L$ the verifier rejects whp.
- Zero knowledge: there exists a simulator producing similar-looking transcripts.

6 Non-Interactive Zero Knowledge
Prover and verifier share a random string $\sigma$; the prover sends a single proof $\pi$.
- Completeness: if $x \in L$ the verifier accepts.
- Soundness: if $x \notin L$ the verifier rejects whp.
- Zero knowledge: there exists a simulator producing similar-looking transcripts $(\sigma, \pi, x)$, including the random string: the simulator produces $\sigma$ as well as $\pi$.

7 NIZK
For a full specification need to clarify:
- When is $x$ chosen, before or after $\sigma$? (Adaptive.)
- What does the simulator get?
- Does soundness need to hold given a simulated $\sigma$?
  – Cannot hold for a simulated $\sigma$ with a false statement.
  – Simulation soundness.
For NP: can be based on the existence of trapdoor permutations with some structure (relevant for soundness and zk).

8 Achieving resistance to CCA with NIZK
- Two independent keys of some "good" PKC: $K_P^1$ and $K_P^2$.
- A public random string $\sigma$ for a NIZK of the language $\{(K_P^1, K_P^2, C_1, C_2) \mid C_1 \text{ and } C_2 \text{ encrypt the same message}\}$.
- To encrypt message $m$: generate ciphertexts $C_1$ and $C_2$ and add a proof of consistency $\pi$.
  – Ciphertext: $C_1, C_2, \pi$.
- To decrypt:
  – Verify the proof, and then
  – Decrypt only if the ciphertexts passed the consistency checks.
Important point: may decrypt with two different private keys.

9 Chosen Ciphertext Attack
Alice (adversary) holds the public key $K_P$; Bob holds the public key $K_P$ and the secret key $K_S$.
- Preprocessing phase: query $c_i$, answer $a_i = D(c_i, K_S)$.
- Challenge: Alice sends $\{m_0, m_1\}$; Bob picks $b \in_R \{0,1\}$ and returns $c = E(m_b, K_P)$.
- Postprocessing phase: query $c'_i$, answer $a'_i = D(c'_i, K_S)$.
- Alice guesses $b'$. A wins if $b' = b$.

10 Theorem: the scheme is secure against CCA2
Proof of security: build a distinguisher for the original scheme from a CCA2 adversary.
- $Pk = K_P^1, K_P^2, \sigma$, where $K_P^1$ comes from the original scheme and $\sigma$ comes from the simulator.
- Queries $c_i$ are answered with $a_i$ (decrypting with the second key).
- On $m_0, m_1$: obtain $E_{pk}(m_b)$ from the original scheme as $C_1$; set $C_2 = E(m_{b''}, K_P^2)$ for $b'' \in_R \{0,1\}$, with $\pi$ from the simulator; hand $C_1, C_2, \pi$ to the adversary.
- Output the adversary's guess $b'$.

11 Theorem: the scheme is secure against CCA2
Proof of security (continued), with $E_{pk}(m_b)$ and $b'' \in_R \{0,1\}$ as above:
- Claim: the distribution the adversary witnesses if $b = b''$ is indistinguishable from the real one; the only difference is the simulated proof of consistency. Hence $\Pr[b' = b] \ge \tfrac{1}{2} + \varepsilon$.
- Claim: if $b \ne b''$ then $\Pr[b' = b] = \tfrac{1}{2}$.

12 Session Key Encryption
Alice and Bob share a key $K$. Plaintext $m$; ciphertext $c = EA(m, K)$ (encrypt and authenticate). Decryption and verification: $m = DV(EA(m, K), K)$.

13 Structure of the construction: "hybrid"
Encryption:
- Use the public key to generate a shared session key.
- Use the shared key to encrypt + authenticate with a one-time scheme.
Decryption:
- Use the secret key to obtain the session key.
- Use session decryption. Check authentication. If it fails, reject; otherwise output the message.

14 A Simple DDH-Based Scheme
Key generation: $G$ is a group of order $q$.
- Choose $g_1, g_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q$.
- Let $h = g_1^{x_1} g_2^{x_2}$.
- Output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h)$.
MAIN IDEA, redundancy: any $pk$ corresponds to many possible $sk$'s. $h = g_1^{x_1} g_2^{x_2}$ reveals only $\log q$ bits of information on $sk = (x_1, x_2)$.

15 A Simple Scheme, CCA1
$G$ is a group of order $q$.
- Key generation: choose $g_1, g_2 \in G$ and $x_1, x_2 \in \mathbb{Z}_q$; let $h = g_1^{x_1} g_2^{x_2}$; output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h)$.
- $Enc_{pk}(m)$: choose $r \in \mathbb{Z}_q$; output $(g_1^r, g_2^r, AE(m, h^r))$.
- $Dec_{sk}(u_1, u_2, e)$: let $k = u_1^{x_1} u_2^{x_2}$; output $DV(e, k)$.
Correctness: $u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r$.

16 Key property for security: no invalid ciphertexts accepted
- Given the public key $pk = (g_1, g_2, h)$, one linear equation on $(x_1, x_2)$ is known, namely $h = g_1^{x_1} g_2^{x_2}$. Still $\log q$ bits of entropy.
- Claim: this entropy is kept during the query-attack phase.
  – In legitimate query ciphertexts $(v_1 = g_1^r, v_2 = g_2^r, AE(m, k))$ the decryption is independent of $(x_1, x_2)$.
  – Invalid query ciphertexts $(v_1 = g_1^r, v_2 = g_2^{r'}, AE(m, k))$ with $r \ne r'$ are rejected whp.
- Not clear what happens when the challenge ciphertext is known during the attack: some information about $h^r$ is leaked in $AE(m, h^r)$.

17 Generalizing the leftover hash lemma
To assure independence, make sure that $AE(m, h^r)$ does not leak information about $h^r$.
Have a family $\Phi$ of four-wise independent functions; for each $\phi \in \Phi$, $\phi: G \to \{0,1\}^\ell$.

18 The Modified Scheme
$G$ is a group of order $q$; $\Phi$ is a family of four-wise independent functions.
- Key generation: choose $g_1, g_2 \in G$, $x_1, x_2 \in \mathbb{Z}_q$ and $\phi \in_R \Phi$; let $h = g_1^{x_1} g_2^{x_2}$; output $sk = (x_1, x_2)$ and $pk = (g_1, g_2, h, \phi)$.
- $Enc_{pk}(m)$: choose $r \in \mathbb{Z}_q$; output $(g_1^r, g_2^r, AE(m, \phi(h^r)))$.
- $Dec_{sk}(u_1, u_2, e)$: let $k = \phi(u_1^{x_1} u_2^{x_2})$; output $DV(e, k)$.
Correctness: $u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r$.
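The scheme of slides 15 and 18 as runnable code. This is an added example, not code from the lecture: the group $G$ is the order-509 subgroup of $\mathbb{Z}_{1019}^*$ (a toy size chosen here, never for real use), $AE/DV$ is instantiated as a one-time encrypt-then-MAC keyed from the bits $\phi(k)$, and $\phi$ is a random degree-3 polynomial over $GF(p)$ truncated to $\ell$ bits, which is four-wise independent up to the small bias of truncating a value mod 1019. The function `invalid_ciphertext` builds the "invalid query ciphertext" $(g_1^r, g_2^{r'})$ of slide 16 the way a party without $sk$ would, and `decrypt` rejects it because $u_1^{x_1} u_2^{x_2} \ne h^r$ once $r \ne r'$.

```python
"""Toy instance of the DDH-based scheme (added example; all parameters are
assumptions of this example, not the lecture's)."""
import hashlib
import hmac
import secrets

P = 1019              # safe prime p = 2q + 1 (toy size only)
Q = 509               # prime order of G = quadratic residues mod p
G1, G2 = 4, 9         # squares mod p, hence generators of the order-q group G
ELL = 8               # bit length of phi's output; must stay below log2(q)
TAG_LEN = 32          # HMAC-SHA256 tag length


def keygen(x1=None, x2=None, phi=None):
    """Return (sk, pk) with sk = (x1, x2) and pk = (g1, g2, h, phi)."""
    x1 = secrets.randbelow(Q) if x1 is None else x1
    x2 = secrets.randbelow(Q) if x2 is None else x2
    phi = tuple(secrets.randbelow(P) for _ in range(4)) if phi is None else phi
    h = pow(G1, x1, P) * pow(G2, x2, P) % P
    return (x1, x2), (G1, G2, h, phi)


def phi_eval(phi, X):
    """phi(X) = low ELL bits of a0 + a1 X + a2 X^2 + a3 X^3 over GF(p)."""
    a0, a1, a2, a3 = phi
    return ((a0 + a1 * X + a2 * X**2 + a3 * X**3) % P) & ((1 << ELL) - 1)


def _subkeys(kbits):
    # Derive a one-time encryption key and MAC key from the ELL-bit value
    seed = kbits.to_bytes(2, "big")
    return (hashlib.sha256(b"enc" + seed).digest(),
            hashlib.sha256(b"mac" + seed).digest())


def _keystream(ke, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(ke + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def AE(m, kbits):
    """One-time encrypt-then-MAC under the key bits kbits."""
    ke, km = _subkeys(kbits)
    c = bytes(a ^ b for a, b in zip(m, _keystream(ke, len(m))))
    return c + hmac.new(km, c, hashlib.sha256).digest()


def DV(e, kbits):
    """Verify the tag, then decrypt; None means 'reject'."""
    ke, km = _subkeys(kbits)
    c, tag = e[:-TAG_LEN], e[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(km, c, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(c, _keystream(ke, len(c))))


def encrypt(pk, m, r=None):
    g1, g2, h, phi = pk
    r = secrets.randbelow(Q) if r is None else r
    return pow(g1, r, P), pow(g2, r, P), AE(m, phi_eval(phi, pow(h, r, P)))


def shared_element(sk, u1, u2):
    """u1^x1 * u2^x2; equals h^r exactly when (u1, u2) = (g1^r, g2^r)."""
    x1, x2 = sk
    return pow(u1, x1, P) * pow(u2, x2, P) % P


def decrypt(sk, pk, ct):
    u1, u2, e = ct
    return DV(e, phi_eval(pk[3], shared_element(sk, u1, u2)))


def invalid_ciphertext(pk, m, r, r_prime):
    """(g1^r, g2^r') with r != r', keyed under phi(h^r): the best a party
    without (x1, x2) can do, since g1^{r x1} g2^{r' x2} depends on which of
    the q consistent (x1, x2) pairs is the real secret key."""
    g1, g2, h, phi = pk
    return pow(g1, r, P), pow(g2, r_prime, P), AE(m, phi_eval(phi, pow(h, r, P)))


if __name__ == "__main__":
    sk, pk = keygen()
    print(decrypt(sk, pk, encrypt(pk, b"session data")))
    # An invalid ciphertext is rejected unless phi happens to collide (prob. 2^-ELL)
    print(decrypt(sk, pk, invalid_ciphertext(pk, b"x", 5, 6)))
```

With the fixed toy key $x_1 = 7, x_2 = 11$ the public value is $h = 784$; encrypting with $r = 5$ gives $(u_1, u_2) = (5, 966)$ and the decryptor recomputes $h^5 = 292$, whereas the invalid pair $(g_1^5, g_2^6)$ yields $416$, so the derived keys differ and `DV` rejects.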

19 Theorem: the scheme is secure against CCA1
Proof: a distinguisher for DDH, given $(g_1, g_2, g_1^{r_1}, g_2^{r_2})$.
- Generating $pk$: choose $x_1, x_2 \in \mathbb{Z}_q$; let $h = g_1^{x_1} g_2^{x_2}$; output $pk = (g_1, g_2, h, \phi)$ and remember $sk = (x_1, x_2)$.
- Queries $c_i$ are answered with $a_i$ using $sk$.
- Generating the challenge on $m_0, m_1$: let $k = g_1^{r_1 x_1} g_2^{r_2 x_2}$; output $E_{pk}(m_b) = (g_1^{r_1}, g_2^{r_2}, AE(m_b, \phi(k)))$.

20 Min-Entropy
For a probability distribution $X$ over $\{0,1\}^n$:
$H_\infty(X) = -\log \max_x \Pr[X = x]$
represents the probability of the most likely value of $X$.
$X$ is a $k$-source if $H_\infty(X) \ge k$ (i.e., $\Pr[X = x] \le 2^{-k}$ for all $x$).
Statistical distance: $\Delta(X, Y) = \sum_a |\Pr[X = a] - \Pr[Y = a]|$.

21 Extractors
Universal procedure for "purifying" an imperfect source.
Definition: $Ext: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a $(k, \varepsilon)$-extractor if for any $k$-source $X$: $\Delta(Ext(X, U_d), U_\ell) \le \varepsilon$.
[Figure: $x$ from a $k$-source of length $n$ and a $d$-bit random seed $s$ go into EXT, which outputs $\ell$ almost-uniform bits]

22 Strong Extractors
Output looks random even after seeing the seed.
Definition: $Ext: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a $(k, \varepsilon)$-strong extractor if $Ext'(x, s) = s \circ Ext(x, s)$ is a $(k, \varepsilon)$-extractor.
Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors.
Example: $Ext(x, (a, b)) =$ first $\ell$ bits of $ax + b$ over $GF[2^n]$.
- Output length $\ell = k - 2\log(1/\varepsilon)$
- Seed length $d = 2n$; with almost pairwise independence $d = O(\log n + k)$
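The definitions of slides 20 to 22 carried through numerically. This is an added example, not from the lecture: it implements $GF(2^6)$ arithmetic (modulus $x^6 + x + 1$, a choice made here), the extractor $Ext(x, (a, b)) =$ first $\ell$ bits of $ax + b$, and the min-entropy and statistical distance of slide 20, then computes $\Delta((U_d, Ext(X, U_d)), (U_d, U_\ell))$ exactly by enumerating all $2^{12}$ seeds for a constructed 4-source (uniform over 16 of the 64 strings), and checks it against the leftover hash lemma bound $2^{(\ell - k)/2}$ in the slides' unnormalised distance.

```python
"""Min-entropy, statistical distance and the ax+b strong extractor
(added example with toy parameters n = 6, d = 12, ell = 2)."""
from fractions import Fraction
from itertools import product
import math

N = 6
MOD = 0b1000011   # x^6 + x + 1, irreducible over GF(2); assumption of this example
ELL = 2


def gf_mul(a, b):
    """Carry-less multiplication of two N-bit field elements modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= MOD
    return r


def ext(x, seed):
    """Ext(x, (a, b)) = first ELL bits (the top bits) of a*x + b in GF(2^N)."""
    a, b = seed
    return (gf_mul(a, x) ^ b) >> (N - ELL)


def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]; dist maps value -> probability."""
    return -math.log2(max(dist.values()))


def stat_dist(p, q):
    """Delta(X, Y) = sum_a |Pr[X = a] - Pr[Y = a]| (the unnormalised form)."""
    return sum(abs(p.get(a, 0) - q.get(a, 0)) for a in set(p) | set(q))


def strong_ext_distance(src):
    """Exact Delta((U_d, Ext(X, U_d)), (U_d, U_ell)) over every seed (a, b)."""
    seeds = list(product(range(1 << N), repeat=2))
    p_seed = Fraction(1, len(seeds))
    real, ideal = {}, {}
    for s in seeds:
        for x, px in src.items():
            key = (s, ext(x, s))
            real[key] = real.get(key, 0) + p_seed * px
        for y in range(1 << ELL):
            ideal[(s, y)] = p_seed * Fraction(1, 1 << ELL)
    return stat_dist(real, ideal)


def lhl_bound(k, ell):
    """Leftover hash lemma: Delta <= 2^((ell - k)/2) for any k-source."""
    return 2 ** ((ell - k) / 2)


# Constructed 4-source: uniform over the 16 strings 0..15 out of 64.
SOURCE = {x: Fraction(1, 16) for x in range(16)}

if __name__ == "__main__":
    k = min_entropy(SOURCE)
    print(k, float(strong_ext_distance(SOURCE)), lhl_bound(k, ELL))
```

The distance is strictly positive (the seed $a = 0$ makes the output constant), yet stays below the bound, which is exactly what the lemma promises on average over the seed rather than for every seed.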

23 Generalizing the leftover hash lemma
- Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors: $(\phi, \phi(X))$ is close to uniform provided $X$ has sufficient min-entropy.
- New lemma [KPSY 09]: if $(X, X')$ are random variables such that $H_\infty(X), H_\infty(X') \ge k$ and $\Pr[X = X'] = 0$, and $\phi \in_R \Phi$ where $\Phi$ is four-wise independent and $\phi(X) \in \{0,1\}^\ell$, then $(\phi, \phi(X), \phi(X'))$ is $2^{(\ell - k)/2}$-close to uniform.

24 The Modified Scheme
$G$ is a group of order $q$; $\Phi$ is a family of four-wise independent functions; $(x_1, x_2)$ have $\log q$ bits of entropy.
- $Enc_{pk}(m)$: choose $r \in \mathbb{Z}_q$; output $(g_1^r, g_2^r, AE(m, \phi(h^r)))$.
- $Dec_{sk}(u_1, u_2, e)$: let $k = \phi(u_1^{x_1} u_2^{x_2})$; output $DV(e, k)$.
For $(u_1, u_2)$ and $(u'_1, u'_2)$ let $X = u_1^{x_1} u_2^{x_2}$ and $X' = u'^{x_1}_1 u'^{x_2}_2$, where $(u_1, u_2)$ comes from the challenge and $(u'_1, u'_2)$ from an adversary-generated query.
Given $\phi(X)$, no information is leaked about $\phi(X')$, provided $(u_1, u_2) \ne (u'_1, u'_2)$.
Still hard to find invalid ciphertexts that pass the test.

25 Proof: summing up
During the attack:
- Chance for an invalid ciphertext not labeled as such: $t \cdot \Pr[\text{forgery in } AE]$, where $t$ is the number of ciphertexts queried.
- Entropy of $(x_1, x_2)$ decreased by this amount.
- Challenge ciphertext valid or not depending on whether the input is in DDH or not.
If the original adversary wins the game with probability $\tfrac{1}{2} + \varepsilon$, the advantage in distinguishing DDH from non-DDH is $\varepsilon$.

26 Correlated Products of trapdoors
One-way functions:
- Easy to evaluate: $x \mapsto f(x)$.
- Hard to invert: for any efficient algorithm $A$, $\Pr[A(f(x)) \in f^{-1}(f(x))]$ is negligible.
Injective trapdoor functions: $(f, f^{-1}) \leftarrow F$.

27 Correlated Products
One-way functions:
- Easy to evaluate: $x \mapsto f(x)$.
- Hard to invert: for any efficient algorithm $A$, $\Pr[A(f(x)) \in f^{-1}(f(x))]$ is negligible.
Injective trapdoor functions: $(f, f^{-1}) \leftarrow F_{TDF}$.

28 Correlated Products
For a collection $F$ of one-way functions consider $(f_1(x_1), \dots, f_k(x_k))$ for every $f_1, \dots, f_k \in F$.
$f_1, \dots, f_k$ is hard to invert for random $(x_1, \dots, x_k)$. But what happens when $x_1, \dots, x_k$ are correlated?
  – For instance: $x_1 = x_2 = \dots = x_k$

29 Secure or Insecure Examples
Secure: discrete log, $f_i(x) = g_i^x$, i.e. $x \to (g_1^x, g_2^x, \dots, g_k^x) \bmod P$. As secure as $x \to g^x \bmod P$, through random self-reducibility.
Insecure: plain broadcast RSA, $f_i(x) = x^3 \bmod N_i$. Can recover $x$ from
  – $x^3 \bmod N_1$
  – $x^3 \bmod N_2$
  – $x^3 \bmod N_3$
using CRT.
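The insecure example above, carried out so that the point of slide 28 is visible: "hard to invert on independent inputs" says nothing about correlated inputs, and a family has to be shown secure for the specific correlation the construction uses. This is an added example, not the lecture's code; the three moduli are constructed from small primes (each $\equiv 2 \bmod 3$, so $e = 3$ is a valid RSA exponent) and are far from real sizes.

```python
"""Plain RSA with e = 3 under the 3-repetition correlation x_1 = x_2 = x_3:
the product (x^3 mod N_1, x^3 mod N_2, x^3 mod N_3) is invertible by CRT.
Added example; the moduli below are constructed toy values."""
from math import gcd, prod

# Constructed toy moduli: 101*107, 113*131, 137*149 (pairwise coprime).
MODULI = [10807, 14803, 20413]


def crt(residues, moduli):
    """Solve y = r_i (mod N_i) for pairwise coprime N_i; returns y in [0, prod N_i)."""
    M = prod(moduli)
    total = 0
    for r, n in zip(residues, moduli):
        Mi = M // n
        total += r * Mi * pow(Mi, -1, n)
    return total % M


def icbrt(y):
    """Exact integer cube root by binary search; None if y is not a perfect cube."""
    lo, hi = 0, 1 << ((y.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < y:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == y else None


def correlated_product(x, moduli):
    """(f_1(x), ..., f_k(x)) with f_i(x) = x^3 mod N_i and the same x throughout."""
    return [pow(x, 3, n) for n in moduli]


def invert_correlated_product(values, moduli):
    """With x < min N_i we have x^3 < N_1 N_2 N_3, so CRT returns x^3 as an
    integer and a plain cube root recovers x: the repetition product is not one-way."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    return icbrt(crt(values, moduli))


if __name__ == "__main__":
    x = 1234
    print(invert_correlated_product(correlated_product(x, MODULI), MODULI))  # 1234
```

The discrete-log family on the same slide behaves differently precisely because each $g_i^x$ can be re-randomised into an instance of the single-function problem (random self-reducibility), which is the kind of argument the k-repetition assumption of the later slides asks for.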

30 Security Under Correlated Products
Definition: $F$ is secure under a $C$-correlated product if for any efficient $A$
$\Pr[A(f_1, \dots, f_k, f_1(x_1), \dots, f_k(x_k)) = (x_1, \dots, x_k)]$ is negligible,
where $f_1, \dots, f_k \leftarrow F$ and $(x_1, \dots, x_k) \leftarrow C$.
Natural correlations:
- $x_1 = x_2 = \dots = x_k$: $k$-repetition
- $(x_1, \dots, x_k)$ are $\ell$-wise independent for $\ell < k$

31 Reminder: CPA-Security from TDFs
- Collection $F$ of injective TDFs.
- Hard-core bit $h$ for $F$: given $f(x)$ it is infeasible to guess $h(x)$ with a noticeable advantage.
The scheme:
- Key generation: $(pk, sk) = (f, f^{-1})$
- Encryption: $Enc(pk, b) = (f(x), h(x) \oplus b)$ for $x \in_R \{0,1\}^n$
- Decryption: $Dec(sk, (c, d)) = h(f^{-1}(c)) \oplus d$

32 CCA-Security from Repetition
- Collection $F$ of injective TDFs secure under the $k$-repetition product.
- Hard-core bit $h$ for $F$: given $f(x)$ it is infeasible to guess $h(x)$ with a noticeable advantage. Goldreich-Levin (inner product) is still hard-core.

33 CCA1-Scheme
Collection $F$ of injective TDFs secure under the $k$-repetition product.
- Key generation: public $(f_1^0, f_1^1), (f_2^0, f_2^1), \dots, (f_k^0, f_k^1), h$; secret $(s_1^0, s_1^1), (s_2^0, s_2^1), \dots, (s_k^0, s_k^1)$.
- $Enc_{pk}(b)$: choose $v \in_R \{0,1\}^k$, $x \in_R \{0,1\}^n$; output $(v, f_1^{v_1}(x), \dots, f_k^{v_k}(x), h(x) \oplus b)$.
[Figure: the bits of $v$ select one function from each pair, e.g. $f_1^0, f_2^1, \dots, f_k^0$]

34 CCA1-Scheme
Collection $F$ of injective TDFs secure under the $k$-repetition product.
- Key generation: public $(f_1^0, f_1^1), (f_2^0, f_2^1), \dots, (f_k^0, f_k^1), h$; secret $(s_1^0, s_1^1), (s_2^0, s_2^1), \dots, (s_k^0, s_k^1)$.
- $Enc_{pk}(b)$: choose $v \in_R \{0,1\}^k$, $x \in_R \{0,1\}^n$; output $(v, f_1^{v_1}(x), \dots, f_k^{v_k}(x), h(x) \oplus b)$.
- $Dec_{sk}(v, y_1, \dots, y_k, d)$: invert $y_1, \dots, y_k$ to obtain $x_1, \dots, x_k$. If all inverses are consistent, $x_1 = \dots = x_k = x$, output $h(x) \oplus d$.
Need to know only one secret key to perform decryption.

35 Theorem: the scheme is secure against CCA1
Proof of security: a distinguisher for the $k$-repetition product.
- Input: $f_1, f_2, \dots, f_k$ together with $h, f_1(x), \dots, f_k(x)$.
- Build $Pk = (f_1^0, f_1^1), (f_2^0, f_2^1), \dots, (f_k^0, f_k^1), h$; the locations of the input $f_i$'s are determined by a random $v$ (they are placed at $f_i^{v_i}$).
- Queries $c_i$ are answered with $a_i$; then the adversary signals it is ready for the challenge.
- Challenge: $C = (v, f_1(x), \dots, f_k(x), b'')$.
- On the adversary's guess $b'$, output $b' \oplus b''$.

36 One-time Signature Schemes
A signature scheme that is existentially unforgeable:
- Adversary A gets to pick and see a signature on one message.
- A wins if he can find any other (message, signature) pair that is accepted by the signature verification algorithm.
  – The message should be different.
  – Strongly unforgeable: also cannot find another signature for a message that has been signed.

37 One-time Signature Schemes
Construction can be based on any one-way function $g$.
- Public: $(y_1^0, y_1^1), (y_2^0, y_2^1), \dots, (y_k^0, y_k^1)$
- Secret: $(s_1^0, s_1^1), (s_2^0, s_2^1), \dots, (s_k^0, s_k^1)$
where $y_i^b = g(s_i^b)$.
Signature on message $m \in \{0,1\}^k$: output $s_1^{m_1}, s_2^{m_2}, \dots, s_k^{m_k}$.
[Figure: the bits of $m$ select one secret from each pair, e.g. $s_1^0, s_2^1, \dots, s_k^0$]
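The one-time signature of slide 37 instantiated, as an added example that is not the lecture's code: $g$ is SHA-256 and $k = 256$, with the message first hashed to $k$ bits (an addition of this example; the slide signs $k$-bit messages directly). Its verification key is the $v$ that selects $f_i^{v_i}$ in the CCA2 scheme of slide 38. `exposed_positions` measures what signing more than one message under the same key reveals, which is why the scheme is one-time.

```python
"""Lamport-style one-time signature from a one-way function (added example)."""
import hashlib
import hmac
import secrets

K = 256  # message bits; one (s_i^0, s_i^1) pair per bit


def g(s):
    """The one-way function; SHA-256 is an assumption of this example."""
    return hashlib.sha256(s).digest()


def keygen():
    """Secret: K pairs of random 32-byte strings; public: their images under g."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(K)]
    pk = [(g(s0), g(s1)) for s0, s1 in sk]
    return sk, pk


def message_bits(msg):
    """m_1 ... m_K: the bits of SHA-256(msg), most significant first."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> (K - 1 - i)) & 1 for i in range(K)]


def sign(sk, msg):
    """Output s_1^{m_1}, ..., s_K^{m_K}."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def verify(pk, msg, sig):
    """Accept iff g(sig_i) = y_i^{m_i} for every position i."""
    if len(sig) != K:
        return False
    ok = True
    for i, b in enumerate(message_bits(msg)):
        ok &= hmac.compare_digest(g(sig[i]), pk[i][b])
    return ok


def exposed_positions(msgs):
    """Number of positions i at which signing all of msgs under one key would
    reveal both s_i^0 and s_i^1 (0 for a single message)."""
    seen = [set() for _ in range(K)]
    for m in msgs:
        for i, b in enumerate(message_bits(m)):
            seen[i].add(b)
    return sum(1 for s in seen if len(s) == 2)


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"approve transfer 42")
    print(verify(pk, b"approve transfer 42", sig))   # True
    print(verify(pk, b"approve transfer 43", sig))   # False
```

Verification compares every position with a constant-time check and only then returns, so a rejected signature does not reveal which positions matched.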

38 CCA2-Scheme
Collection $F$ of injective TDFs secure under the $k$-repetition product, and a one-time signature scheme.
- Key generation: public $(f_1^0, f_1^1), (f_2^0, f_2^1), \dots, (f_k^0, f_k^1), h$; secret $(s_1^0, s_1^1), (s_2^0, s_2^1), \dots, (s_k^0, s_k^1)$.
- $Enc_{pk}(b)$: choose $(v, s)$ for the one-time signature scheme and $x \in_R \{0,1\}^n$; output $(v, f_1^{v_1}(x), \dots, f_k^{v_k}(x), h(x) \oplus b)$ and a signature using $s$ on this message.
- $Dec_{sk}(v, y_1, \dots, y_k, d)$: invert $y_1, \dots, y_k$ to obtain $x_1, \dots, x_k$. If all inverses are consistent, $x_1 = \dots = x_k$, and the signature is ok, output $h(x) \oplus d$.

39 Homework: One-time Signature Schemes
- Show that if $g$ is a one-way function the scheme is indeed a one-time signature scheme.
- Show how to obtain a strongly unforgeable signature scheme.
  – You may use the existence of Universal One-way Hash Functions.
- Why do we need strongly unforgeable signature schemes in the CCA2 scheme?

40 Universal One-Way Hash Functions (UOWHFs)
A family of functions $G = \{g \mid g: \{0,1\}^n \to \{0,1\}^{h(n)}\}$ such that:
- Easy to sample $g$ from $G$, and $g \in G$ has a succinct description.
- Given $(n, g, x)$ it is easy to compute $g(x)$.
- $h(n) < n$.
- Hard to find target collisions:
  – Given $(n, g, x)$ it is hard to find $x' \in \{0,1\}^n$ where $x \ne x'$ but $g(x) = g(x')$.
  – The adversary picks $x$ before seeing $g$.

41 Interactive Authentication
P wants to convince V that he is approving message $m$. P has a public key $K_P$ of an encryption scheme $E$.
To authenticate a message $m$:
- V $\to$ P: choose $r \in_R \{0,1\}^n$; send $c = E(m \circ r, K_P)$.
- P $\to$ V: on receiving $c$, decrypt $c$ using $K_S$; verify that the prefix of the plaintext is $m$; if yes, send $r$.
V is satisfied if he receives the same $r$ he chose.
Claim: if $E$ is CCA2 secure, then the scheme is existentially unforgeable against an active adversary.

42 Sources
- Dolev, Dwork and Naor: Non-Malleable Cryptography. SIAM J. Computing 2000; also SIAM Review 2003.
- Cramer and Shoup: Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack (see www.shoup.net).
- Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. Eurocrypt 2003.
- Kiltz, Pietrzak, Stam and Yung: A New Randomness Extraction Paradigm for Hybrid Encryption. Eurocrypt 2009.
- Peikert and Waters: Lossy Trapdoor Functions and Their Applications. STOC 2008.
- Rosen and Segev: Chosen Ciphertext Security via Correlated Products. TCC 2009.

