What Does Non-malleability Provide?
Improved security: the receiver knows the encrypted message has not been tampered with
Conceptually equivalent to existentially unforgeable signatures
Secrecy does not imply independence
◦Non-malleable cryptosystems prove this
Simple Example
Professor Kaminsky enjoys encrypting his grades and giving each student their own symmetric key for decryption. Unfortunately you forgot how to add and did not do so well on the first test. With a malleable cryptosystem, this can be fixed!
[Flow chart: Start Grade → Encrypt → Various Operations → Relation Check (If R(α, β) == 1) → Decrypt → End Grade → Done!; diagram node labels A, D, α, β]
(The previous assumes Professor Kaminsky uses a malleable encryption scheme. This is unlikely.)
Types of Attacks
Chosen Plaintext
◦Attacker can encrypt any plaintext to get the ciphertext
◦Least powerful
Chosen Ciphertext – Pre-Processing
◦Access a decryption oracle < x p times, then remove the oracle
Chosen Ciphertext – Post-Processing
◦Gets the challenge ciphertext before the oracle is removed
◦Can decrypt any ciphertext excluding the challenge via the oracle
◦Most powerful
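Added example (not from the slides or from Dolev et al.): a toy XOR stream cipher that is malleable in exactly the way the grade example relies on, the same cipher wrapped in encrypt-then-MAC so that tampering is detected, and the post-processing (CCA2) decryption-oracle game from the attack list, showing why a malleable scheme fails it and an integrity-protected one does not. The keystream construction, the names, and the "grade" values are constructed for illustration only.

```python
"""Malleability vs. encrypt-then-MAC, and the CCA2 oracle game (constructed example)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Illustration only, not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Malleable scheme: stream cipher with no integrity protection ------------
def malleable_encrypt(key: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(msg, _keystream(key, nonce, len(msg)))


def malleable_decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


def maul(ct: bytes, delta: bytes) -> bytes:
    """Apply the relation R(alpha, beta): beta = alpha XOR delta, without the key.
    Under a stream cipher, flipping ciphertext bits flips the same plaintext bits."""
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return nonce + _xor(body[:len(delta)], delta) + body[len(delta):]


# --- Non-malleable scheme: encrypt-then-MAC over the same cipher -------------
def _split_key(key: bytes):
    """Derive independent encryption and MAC keys (simple hash-based split)."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def etm_encrypt(key: bytes, msg: bytes) -> bytes:
    enc_key, mac_key = _split_key(key)
    ct = malleable_encrypt(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def etm_decrypt(key: bytes, ct: bytes):
    """Return the plaintext, or None when the tag fails (tampering detected)."""
    enc_key, mac_key = _split_key(key)
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return malleable_decrypt(enc_key, body)


# --- The grade scenario: R turns a 60 into a 100 without the key -------------
def grade_demo(start: int = 60, wanted: int = 100):
    """Returns (grade decrypted after mauling the malleable ciphertext,
    whether the encrypt-then-MAC scheme rejected the same mauling)."""
    key = secrets.token_bytes(32)
    delta = bytes([start ^ wanted])
    forged = malleable_decrypt(key, maul(malleable_encrypt(key, bytes([start])), delta))[0]
    rejected = etm_decrypt(key, maul(etm_encrypt(key, bytes([start])), delta)) is None
    return forged, rejected


# --- CCA2 (post-processing) game ---------------------------------------------
class DecryptionOracle:
    """Decrypts any ciphertext except the challenge, as in the post-processing model."""
    def __init__(self, key: bytes, decrypt_fn):
        self._key, self._decrypt, self.challenge = key, decrypt_fn, None

    def decrypt(self, ct: bytes):
        if ct == self.challenge:
            raise PermissionError("challenge ciphertext may not be queried")
        return self._decrypt(self._key, ct)


def cca2_recover(oracle: DecryptionOracle, challenge: bytes, nbytes: int):
    """Query a mauled (hence different) copy of the challenge and undo the relation.
    Succeeds only if the scheme is malleable; returns None when the oracle rejects."""
    delta = b"\x01" * nbytes
    answer = oracle.decrypt(maul(challenge, delta))
    return None if answer is None else _xor(answer[:nbytes], delta) + answer[nbytes:]


def cca2_demo(secret: bytes = b"grade:60"):
    """Returns (plaintext leaked from the malleable scheme, result for encrypt-then-MAC)."""
    key = secrets.token_bytes(32)
    results = []
    for enc, dec in ((malleable_encrypt, malleable_decrypt), (etm_encrypt, etm_decrypt)):
        oracle = DecryptionOracle(key, dec)
        oracle.challenge = enc(key, secret)
        results.append(cca2_recover(oracle, oracle.challenge, len(secret)))
    return tuple(results)


if __name__ == "__main__":
    print(grade_demo())   # (100, True)
    print(cca2_demo())    # (b'grade:60', None)
```

The oracle enforces only the rule the slides state (the exact challenge may not be queried), which is why integrity protection, not the oracle restriction, is what stops the recovery: the mauled ciphertext is a different string, so the oracle answers it, and the relation R is invertible by the attacker. Encrypt-then-MAC is the symmetric-key way to get the non-malleability the slides attribute to the Dolev, Dwork and Naor public-key construction; in practice use an AEAD mode (AES-GCM, ChaCha20-Poly1305) rather than this hash-based toy cipher.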
Incorrect Implementations (Dolev et al.)
Appending encryption to a zero-knowledge proof
◦The proof could be malleable, therefore it is possible to generate a new encryption and a new proof
Sending encryption plus signature
◦Possible to generate a new encrypted message E(m+1) and a new signature based off that
Signature inside the ciphertext
◦Same as above
Public Key Overview: Scheme S (Dolev et al.)
◦Create a public signature verification key / private signing key
◦Encrypt the message using several keys derived from the public signature verification key
◦A zero-knowledge proof is used to show the value encrypted under each key is the same
◦The encryptions and the proof are signed using the key from step 1
Public Key Generation (Dolev et al.)
[Diagram of the key generation procedure; legend: GP – key generator, U – random string]
Public Key Encryption (Dolev et al.)
[Diagram of the encryption procedure; legend: GS – signature key generator, h – one-way hash function]
Public Key Encryption (Dolev et al.), continued
[Diagram of the encryption procedure; legend: ZKP – zero-knowledge proof, k – length of input, n – size of the generator]
Critical Components
Security of the one-way hash function
◦If it is possible to reverse the hash function, then the scheme is invalid
◦Does the hash function produce collisions?
◦Another failure case
Is the zero-knowledge authentication system correct?
◦Otherwise verification of information is jeopardized