Title: Topics in Cryptography Lecture 4 Topic: Chosen Ciphertext Security
Slide 1: Topics in Cryptography, Lecture 4. Topic: Chosen Ciphertext Security
Slide 2: Public Key Encryption
(Diagram) Alice sends Bob the ciphertext c = E(m, KP) of the plaintext m.
Alice holds the public key KP; Bob holds the public key KP and the secret key Ks.
Decryption: m = D(E(m, KP), Ks)
Slide 3: Defining Security
- How do we know that an encryption scheme is secure?
- Are the following requirements sufficient?
  - Given E(m, KP), cannot compute m
  - Given E(m, KP), cannot compute the i-th bit of m
  - Given E(m, KP), cannot compute some f(m)
- Definition must be
  - convincing
  - application independent
Slide 4: Example - Interactive Authentication
- P wants to convince V that he is approving message m
- P has a public key KP of an encryption scheme E.
- To authenticate a message m:
  - V → P: Choose r ∈_R {0,1}^n. Send c = E(m || r, KP)  (m concatenated with r)
  - P → V: Receiving c, decrypt c using KS. Verify that the prefix of the plaintext is m. If yes, send r.
- V is satisfied if he receives the same r he chose
Slide 5: Is it Safe?
Definition of security:
- Existential unforgeability against adaptive chosen message attack
  - Adversary can ask to authenticate any sequence m1, m2, ...
  - Success: makes V accept a message m that was not authenticated
  - Complete control over the channels
- Intuition: if E does not leak information about the plaintext, nothing is leaked about r
  (Protocol from slide 4: V → P: choose r ∈_R {0,1}^n, send c = E(m || r, KP); P → V: receiving c, decrypt it using KS, verify the prefix is m, if yes send r.)
Problems:
- If E is just semantically secure against chosen plaintext attacks
  - Adversary might change c = E(m || r, KP) into c' = E(m' || r, KP)
  - Malleability
- Not sufficient to verify the correct form of the ciphertext in the simulation
- Closer to a chosen ciphertext attack
Slide 6: Question
- Can you think of an example of an encryption scheme where
  - the encryption scheme is semantically secure against chosen plaintext attacks, and
  - the authentication scheme is forgeable?
  (Protocol from slide 4: V → P: choose r ∈_R {0,1}^n, send c = E(m || r, KP); P → V: receiving c, decrypt it using KS, verify the prefix is m, if yes send r.)
Example: bit-by-bit encryption
Slide 7: Attacks and Security
- To define the security of a system, must specify
  - The power of the adversary, both
    - computational
    - access to the system
  - What constitutes a failure of the system
    - Often via a game and the probability of winning
Slide 8: Taxonomy of Signature Schemes - Goldwasser, Micali and Rivest (1984)
- Attacks
  - Key-only attacks
  - Generic chosen message attack: key unknown when messages are chosen
  - Non-adaptive chosen message attack: key known when messages are chosen
  - Adaptive chosen message attack
- What it means to break the scheme
  - Universal forgery ≈ key recovery
  - Selective forgery: target message chosen a priori
  - Existential forgery: some message is forged
All combinations of attacks/breaking are relevant
Slide 9: (Public-key) Encryption Attacks
- Chosen Plaintext
  - Minimal attack relevant to PKCs.
  - Assumes decrypted messages remain secret.
- Chosen Ciphertext - preprocessing mode
  - AKA lunch-break, CCA1
  - There is a period where the device is handled by the adversary
  - Should remain secure for ciphertexts created afterwards
- Chosen Ciphertext - postprocessing mode
  - AKA CCA2
  - Challenge ciphertext is known when the attack takes place (but cannot submit it...)
Slide 10: Chosen Ciphertext Attack
(Diagram) Alice and Bob both hold the public key KP; Bob holds the secret key Ks.
Alice sends query c1 and gets a1 = D(c1, Ks); sends query c2 and gets a2 = D(c2, Ks); ...
The adversary can get decryptions of ciphertexts of her choice
Slide 11: Encryption - Notions of Breaking
- Semantic Security
  - Whatever is computable about the plaintext given the ciphertext is computable without it.
  - Given E(m, kp) it is infeasible to produce a related m'
  - Can substitute with indistinguishability of encryption: cannot distinguish E(m0, kp) from E(m1, kp)
  - Requires a proof in each setting
- Non-malleable security
  - Whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.
  - Given E(m, kp) it is infeasible to produce E(m', kp) for a related m'
  - Important for achieving independence of messages.
  Here m and m' are related if they satisfy R(m, m') for a poly-time relation R.
Slide 12: Indistinguishability under CCA
- Definition: An encryption scheme is secure under CCA if no poly-time adversary A can win the following game with non-negligible advantage:
  - A is given the public key KP.
  - A (adaptively) asks for decryptions under Ks.
  - A produces two messages m0 and m1
  - A receives a challenge c = E_pk(m_b) for b ∈_R {0,1}
  - A wins if it guesses b correctly.
- CCA1: A only gets decryptions before the challenge
- CCA2: A also gets decryptions after the challenge
Slide 13: Chosen Ciphertext Attack
(Diagram) Alice (the adversary) and Bob both hold the public key KP; Bob holds the secret key Ks.
Alice sends queries c_i and gets a_i = D(c_i, Ks).
Alice sends m0, m1; Bob picks b ∈_R {0,1} and returns c = E(m_b, KP).
The postprocessing phase: further queries c_i, answered with a_i = D(c_i, Ks).
Alice outputs a guess b'; A wins if b = b'.
Slide 14: (Public-key) Encryption Attacks
- Chosen Plaintext
  - Minimal attack relevant to PKCs.
  - Assumes decrypted messages remain secret.
- Chosen Ciphertext - preprocessing mode
  - AKA lunch-break, CCA1
  - Challenge ciphertext is given after the adversary relinquishes control of the decryption device.
  - Good model for membership queries in computational learning.
- Chosen Ciphertext - postprocessing mode
  - AKA CCA2
  - Challenge ciphertext is known when the attack takes place (but cannot submit it...).
  - Important in many protocols.
Slide 15: Attack vs. Breaking Notion (table)
Attack: Chosen Plaintext | Chosen Ciphertext Preprocessing | Chosen Ciphertext Postprocessing
Breaking notion: Semantic Security | Non-Malleability
Slide 16: Auction
(Diagram) Bidders send c_a = E(bid_a, Kp) and c_b = E(bid_b, Kp) to the Auctioneer, who holds the public key KP.
Want to ensure that bid_b is independent of bid_a
Slide 17: Example - Auctions
- Different requirements - different notions.
- Semantic security is not sufficient for guaranteeing the independence of bids.
- If the key is used for a single auction and secrecy is not required after the auction is over: non-malleable security against chosen plaintext attacks.
- If the key is used for many auctions and secrecy is not required after the auction is over: non-malleable security against chosen ciphertext attack in the preprocessing mode.
- If the key is used for many auctions and secrecy is required after the auction is over: non-malleable security against chosen ciphertext attack in the postprocessing mode.
Slide 18: Attack vs. Breaking Notion (table, with implications)
Attack: Chosen Plaintext | Chosen Ciphertext Preprocessing | Chosen Ciphertext Postprocessing
Breaking notion: Semantic Security | Non-Malleability
All other implications are proper.
Open problem: construct a more secure version from the less secure one. Is it possible to construct a CCA2 scheme from SS/CPA?
Slide 19: Approaches for CCA-Security
- Redundancy + verification of well-formedness
  - The Naor-Yung paradigm [NY90, DDN91, Sahai, Lindell]: CPA-secure scheme + NIZK
  - Smooth projective hashing [Cramer-Shoup 98, CS 02, ...]: designated verifier proofs
    - Simplified: Kiltz, Pietrzak, Stam, Yung, 2009
  - Lossy trapdoor functions [Peikert-Waters 08]
  - Correlated products [Rosen-Segev 09]
  - Identity-based encryption [BCHK 04, ...]: IBE (CPA) → IBE (CCA)
Slide 20: Ideas for achieving resistance to CCA
- Add redundancy - hard to generate frivolous ciphertexts
- Add methods to check consistency
  - This is the trickiest part
  - Non-interactive zero-knowledge
  - Specific schemes
- Decrypt only if the given ciphertext passes the consistency checks
- Important point: may decrypt with several different private keys
(Diagram) Ciphertext = C1 | C2 | Proof of consistency (could be NIZK based)
Slide 21: Min-Entropy
Probability distribution X over {0,1}^n
H_∞(X) = -log max_x Pr[X = x]
Represents the probability of the most likely value of X
X is a k-source if H_∞(X) ≥ k (i.e., Pr[X = x] ≤ 2^-k for all x)
Statistical distance: Δ(X, Y) = Σ_a |Pr[X = a] - Pr[Y = a]|
Slide 22: Extractors
Universal procedure for purifying an imperfect source
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^l is a (k,ε)-extractor if for any k-source X, Δ(Ext(X, U_d), U_l) ≤ ε
(Diagram) Input x: a k-source of length n; seed s: d random bits; output EXT(x, s): l almost-uniform bits
Slide 23: Strong Extractors
Output looks random even after seeing the seed
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^l is a (k,ε)-strong extractor if the function (x, s) ↦ Ext(x, s) ∘ s (output together with the seed) is a (k,ε)-extractor
Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors
Example: Ext(x, (a,b)) = first l bits of a·x + b over GF[2^n]
- Output length l = k - 2 log(1/ε)
- Seed length d = 2n; with almost pairwise independence d = O(log n + k)
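A worked instance of the leftover-hash-lemma extractor above, added here as an example and not part of the lecture: n = 4 (a constructed toy size so every seed and source element can be enumerated exactly), Ext(x, (a,b)) = first l bits of a·x + b over GF[2^4], the slide's Δ as Σ_a |Pr[X = a] − Pr[Y = a]|, and a direct check of pairwise independence. The function names (gf_mul, ext, strong_ext_distance, pair_counts, lhl_epsilon) are mine.

```python
# GF(2^n) with n = 4 and reduction polynomial x^4 + x + 1: a constructed toy size
# so that every seed and every source element can be enumerated exactly.
N_BITS, POLY = 4, 0b10011

def gf_mul(a, b):
    """Carry-less multiplication in GF(2^n), reducing by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:
            a ^= POLY
    return r

def ext(x, seed, l):
    """Ext(x, (a, b)) = first l bits of a*x + b over GF(2^n); the seed is 2n bits."""
    a, b = seed >> N_BITS, seed & ((1 << N_BITS) - 1)
    return (gf_mul(a, x) ^ b) >> (N_BITS - l)

def stat_dist(p, q):
    """Statistical distance as on the slide: sum over a of |Pr[X=a] - Pr[Y=a]|."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))

def strong_ext_distance(source, l):
    """Distance of (Ext(X, U_d), U_d) from (U_l, U_d) for X uniform on `source`,
    i.e. a flat k-source with k = log2(len(source)); the seed is output too."""
    n_seeds = 1 << (2 * N_BITS)
    joint, uniform = {}, {}
    for s in range(n_seeds):
        for x in source:
            key = (ext(x, s, l), s)
            joint[key] = joint.get(key, 0.0) + 1.0 / (len(source) * n_seeds)
        for y in range(1 << l):
            uniform[(y, s)] = 1.0 / ((1 << l) * n_seeds)
    return stat_dist(joint, uniform)

def pair_counts(x1, x2, l):
    """Pairwise independence: over all seeds, every pair of l-bit outputs for
    distinct x1, x2 must occur equally often, namely 2^(2(n-l)) times."""
    counts = {}
    for s in range(1 << (2 * N_BITS)):
        pair = (ext(x1, s, l), ext(x2, s, l))
        counts[pair] = counts.get(pair, 0) + 1
    return counts

def lhl_epsilon(k, l):
    """The slide's leftover-hash-lemma form l = k - 2 log(1/eps), solved for eps."""
    return 2.0 ** (-(k - l) / 2)
```

For X uniform on {0,...,7} (k = 3) and l = 1 the computed distance is exactly 0.125 (only the seeds with a ∈ {0, 1} make the output constant on this source), within the slide's bound ε = 2^-((k-l)/2) = 0.5.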
Slide 24: The One-Time Problem with Shared Keys
- Alice and Bob share a secret key
- Alice wants to send a message m ∈ {0,1}^n to Bob
- Secrecy and authentication are maintained
- They want to prevent Eve from interfering
- Bob should be sure that the message m' he receives is equal to the message m Alice sent
- For secrecy: one-time pad
- For authentication: can use Universal2 hash functions
Slide 25: Authentication using hash functions
- Suppose that
  - H = {h | h: {0,1}^n → {0,1}^k} is a family of functions
  - Alice and Bob share a random function h ∈ H
  - To authenticate message m ∈ {0,1}^n Alice sends (m, h(m))
  - When receiving (m', z) Bob computes h(m') and compares it to z
    - If equal, accept m'
    - If not equal, reject
- What properties do we require from H?
  - Hard to guess h(m) - at most ε
  - But clearly not sufficient: one-time pad.
  - Hard to guess h(m') even after seeing h(m) - at most ε
  - Should be true for any m'
- When a strongly universal2 family is used in the protocol, Eve's probability of cheating is at most 2^-k
Slide 26: Session Key Encryption
(Diagram) Alice sends Bob the ciphertext c = EA(m, K) of the plaintext m; both hold the shared key K.
Decryption and verification: m = DV(E(m, K), K)
Slide 27: Structure of Construction - Hybrid
- Encryption
  - Use the public key to generate a shared session key
  - Use the shared key to encrypt + authenticate with a one-time scheme
- Decryption
  - Use the secret key to obtain the session key
  - Use session decryption. Check authentication.
  - If it fails, reject. Otherwise output the message.
Slide 28: Decisional Diffie-Hellman
(Diagram) Alice sends g^x to Bob; Bob sends g^y to Alice. Both parties compute K = g^xy.
DDH: (g, g^x, g^y, g^xy) ≈ (g, g^x, g^y, g^z) for random x, y, z ∈ Z_q
Equivalently: (g1, g2, g1^r, g2^r) ≈ (g1, g2, g1^r1, g2^r2) for random g1, g2 ∈ G and r, r1, r2 ∈ Z_q
Slide 29: A Simple DDH Based Scheme
Key generation:
- G - group of order q
- Ext: G × {0,1}^d → {0,1}^l - strong extractor
- Choose g1, g2 ∈ G and x1, x2 ∈ Z_q
- Let h = g1^x1 · g2^x2
- Output sk = (x1, x2) and pk = (g1, g2, h)
MAIN IDEA:
- Redundancy: any pk corresponds to many possible sks
- h = g1^x1 · g2^x2 reveals only log(q) bits of information on sk = (x1, x2)
Slide 30: A Simple Scheme
Key generation:
- G - group of order q
- Ext: G × {0,1}^d → {0,1}^l - strong extractor
- Choose g1, g2 ∈ G and x1, x2 ∈ Z_q
- Let h = g1^x1 · g2^x2
- Output sk = (x1, x2) and pk = (g1, g2, h)
Enc_pk(m):
- Choose r ∈ Z_q
- Output (g1^r, g2^r, AE(m, h^r))
Dec_sk(u1, u2, e):
- Let k = u1^x1 · u2^x2. Output DV(e, k)
Correctness: u1^x1 · u2^x2 = g1^(r·x1) · g2^(r·x2) = (g1^x1 · g2^x2)^r = h^r
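The simple scheme above traced in Python, as an added example and not the lecture's code: a constructed safe-prime group (p = 2039, q = 1019), SHA-256 standing in for the strong extractor Ext (an assumption), and the one-time pad plus strongly universal2 hash a·c + b from slides 24-25 serving as AE/DV. It also exercises the fact the proof relies on: an ill-formed ciphertext (g1^r1, g2^r2) with r1 ≠ r2 is rejected by DV, because the decryptor's key g1^(r1·x1) · g2^(r2·x2) is not the h^r1 the sender used.

```python
import hashlib
import secrets
# Constructed toy parameters: p = 2q + 1 is a safe prime, so the squares mod p form
# a subgroup G of prime order q; g1 = 4 and g2 = 9 are squares, hence of order q.
P_MOD, Q_ORD, G1, G2 = 2039, 1019, 4, 9
MAC_PRIME = (1 << 61) - 1   # field for the one-time hash tag a*c + b

def one_time_keys(elem):
    """Stand-in for the strong extractor Ext (an assumption, not the lecture's):
    hash the group element to a 32-bit pad and a one-time hash key (a, b)."""
    k = hashlib.sha256(b"toy-ext|" + elem.to_bytes(2, "big")).digest()
    pad = int.from_bytes(k[:4], "big")
    a = int.from_bytes(k[4:12], "big") % MAC_PRIME
    b = int.from_bytes(k[12:20], "big") % MAC_PRIME
    return pad, a, b

def ae(m, elem):
    """AE: one-time pad the 32-bit message m, then tag the result with a*c + b."""
    pad, a, b = one_time_keys(elem)
    c = m ^ pad
    return c, (a * c + b) % MAC_PRIME

def dv(c, tag, elem):
    """DV: check the tag first; return None (reject) unless it matches."""
    pad, a, b = one_time_keys(elem)
    return c ^ pad if (a * c + b) % MAC_PRIME == tag else None

def keygen():
    x1, x2 = 1 + secrets.randbelow(Q_ORD - 1), 1 + secrets.randbelow(Q_ORD - 1)
    h = pow(G1, x1, P_MOD) * pow(G2, x2, P_MOD) % P_MOD
    return (x1, x2), (G1, G2, h)        # sk, pk

def encrypt(pk, m):
    g1, g2, h = pk
    r = secrets.randbelow(Q_ORD)
    return pow(g1, r, P_MOD), pow(g2, r, P_MOD), ae(m, pow(h, r, P_MOD))

def decrypt(sk, ct):
    x1, x2 = sk
    u1, u2, (c, tag) = ct
    k = pow(u1, x1, P_MOD) * pow(u2, x2, P_MOD) % P_MOD   # equals h^r when u2 = g2^r
    return dv(c, tag, k)

def invalid_ciphertext(pk, m):
    """(g1^r1, g2^r2) with r1 != r2, keyed with h^r1: the decryptor's key
    g1^(r1 x1) * g2^(r2 x2) differs from h^r1, so DV rejects (whp)."""
    g1, g2, h = pk
    r1 = secrets.randbelow(Q_ORD)
    r2 = (r1 + 1) % Q_ORD
    return pow(g1, r1, P_MOD), pow(g2, r2, P_MOD), ae(m, pow(h, r1, P_MOD))
```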
Slide 31: A Simple Scheme
Theorem: The scheme is secure against CCA1
Proof by reduction: an adversary for the encryption scheme yields a distinguisher for decisional Diffie-Hellman
Slide 32: A Simple Scheme
Theorem: The scheme is secure against CCA1
(Diagram, the CCA1 game) The challenger generates (sk, pk) and sends pk; the adversary sends queries c_i and receives answers a_i; the adversary sends m0, m1; the challenger picks b ← {0,1} and returns E_pk(m_b); the adversary outputs b'.
Slide 33: A Simple Scheme
Theorem: The scheme is secure against CCA1
(Diagram) Distinguisher for DDH: on input (g1, g2, g1^r1, g2^r2) it plays the challenger: sends pk, answers queries c_i with a_i, receives m0, m1, returns E_pk(m_b), and from the adversary's guess b' decides "r1 = r2" or "r1 ≠ r2".
Slide 34: A Simple Scheme - Generating pk
Theorem: The scheme is secure against CCA1
(Diagram as on slide 33: the distinguisher for DDH plays the challenger.)
- Generating pk given (g1, g2, g1^r1, g2^r2):
  - Choose x1, x2 ∈ Z_q
  - Let h = g1^x1 · g2^x2
  - Output pk = (g1, g2, h) and remember sk = (x1, x2)
Slide 35: A Simple Scheme - Answering the Queries
Theorem: The scheme is secure against CCA1
(Diagram as on slide 33; pk = (g1, g2, h) with h = g1^x1 · g2^x2 generated from (g1, g2, g1^r1, g2^r2) as on slide 34, sk = (x1, x2) remembered.)
Answer the queries c_i using sk = (x1, x2)
Slide 36: A Simple Scheme - Generating the Challenge
Theorem: The scheme is secure against CCA1
(Diagram as on slide 33; pk = (g1, g2, h) with h = g1^x1 · g2^x2 generated from (g1, g2, g1^r1, g2^r2) as on slide 34, queries answered with sk = (x1, x2).)
Given m0, m1: let k = (g1^r1)^x1 · (g2^r2)^x2 and output the challenge (g1^r1, g2^r2, AE(m_b, k))
Slide 37: A Simple Scheme - The Distinguisher
Theorem: The scheme is secure against CCA1
(Diagram as on slide 33: the adversary outputs its guess b'.)
- If b' = b, guess "r1 = r2"
- If b' ≠ b, guess "r1 ≠ r2"
Slide 38: Invalid Ciphertext → Random Key
- Two possibilities
  - Valid: the plaintext can be recovered, knowing sk
  - Invalid: no information on the plaintext, given pk
- (g1^r, g2^r) and (g1^r, g2^r') are computationally indistinguishable; the decryptor derives the key (g1^r)^x1 · (g2^r')^x2
- Invalid ciphertext: r ≠ r'. Writing g2 = g1^w and taking logs base g1:
  x1 + w·x2 = log(h)
  r·x1 + r'·w·x2 = log(k)
  Since r ≠ r' these two linear equations in (x1, x2) are independent, so (g1^r)^x1 · (g2^r')^x2 is uniformly distributed given pk and (g1^r, g2^r')
- Therefore, a random key is used with an invalid ciphertext
Slide 39: Proof - nothing leaked about x1, x2
- Given the public key pk = (g1, g2, h), one linear equation is known on x1, x2: h = g1^x1 · g2^x2.
- Still log q entropy
- Claim: this entropy is kept during the query-attack phase
  - In legitimate query ciphertexts (v1 = g1^r, v2 = g2^r) and AE(m, k), the decryption is independent of x1, x2
  - In invalid query ciphertexts (v1 = g1^r, v2 = g2^r') and AE(m, k), the ciphertext is rejected whp
Slide 40: Proof - when the input is not DDH, the challenge ciphertext is independent of the message
- For the original input (g1, g2, g1^r1, g2^r2), the challenge ciphertext:
  - Let k = (g1^r1)^x1 · (g2^r2)^x2
  - Output (g1^r1, g2^r2, AE(m_b, k))
- If r1 ≠ r2 then k is random and hence independent of m_b
  - Even an all-powerful adversary cannot guess b with probability better than ½.
- If r1 = r2 then the challenge ciphertext is normal.
  - Adversary should guess b with probability better than ½ + ε?
Slide 41: Proof - summing up
- During the attack
  - Chance of an invalid ciphertext not labeled as such: q · Pr[forgery in AE]
  - Entropy of x1, x2 decreased by this amount
- Challenge ciphertext valid or not depending on whether the input is in DDH or not.
- If the original adversary wins the game with probability ½ + ε, the advantage in distinguishing DDH from non-DDH is ε