SECURITY AND VERIFICATION
Lecture 3: What kind of attacks are there? Chosen Ciphertext Attacks
Tamara Rezk, INDES TEAM, INRIA, January 17th, 2012

Plan
Lecture 1: Chosen Plaintext Attacks (CPA assumption); CPA schemes: ElGamal, Paillier
Lecture 2: Game-based proofs; CPA proof: ElGamal
Today:
- CPA proof: Paillier
- Limits of provable cryptography
- Chosen Ciphertext Attacks (CCA assumption)
- CCA1 proof, using proof of knowledge / zero knowledge (PKZK)
- From interactive to non-interactive PKZK
- CCA2, and an example of a CCA2 scheme

Observational Equivalence
P0 and P1 are observationally equivalent with respect to variable x, denoted P0 ≈{x} P1, if
  Pr[P0; x = v] = Pr[P1; x = v] for all v.
More generally, P0 and P1 are observationally equivalent with respect to variables x1..xn, denoted P0 ≈{x1..xn} P1, if
  Pr[P0; x1 = v1 ∧ … ∧ xn = vn] = Pr[P1; x1 = v1 ∧ … ∧ xn = vn] for all v1…vn.

Game-based proofs
How to prove cryptography?
G0 → G1 → G2 → … → Gn
For each arrow we have either
  Pr[Gi; g = b] ≤ Pr[Gi+1; g = b]    (the adversary's chance of guessing b does not decrease)
or
  Gi ≈{g} Gi+1                        (observational equivalence with respect to the guess g)

Paillier encryption
Assume that generateN() is a probabilistic function that generates two primes p, q with gcd(pq, φ(pq)) = 1, together with an element g of the multiplicative group of invertible elements modulo n² (n = pq) whose order is a nonzero multiple of n (the usual choice is g = n + 1). Then Paillier encryption is defined by:
G() = p,q,g := generateN(); n := p * q; ke := (n, g); kd := (p, q)
Assume x is in {0 … n−1}.
E(x, (n, g)) = y := {1 .. n−1} (with gcd(y, n) = 1); c := y^n * g^x mod n²

PROVABLE CRYPTOGRAPHY
Decisional Composite Residuosity Assumption (DRA)
CR(x0, x1) = if (b = 0) then {y := {1 .. n−1}; c := y^n mod n²}    (c is an n-th residue modulo n²)
             else {c := {1 .. n²−1}}                                (c is uniformly random)
DRA = b := {0,1}; p,q,g := generateN(); n := p * q; B[CR]
|Pr[DRA; g' = b] − ½| is negligible in η (η is called the security parameter; it fixes the order of the group, i.e. n²−1).
Attacker B is given n and g but not p or q.

PROVABLE CRYPTOGRAPHY
Chosen-plaintext attack (CPA)
E(x0, x1) = if (b = 0) then {c := E(x0, ke)} else {c := E(x1, ke)}
CPA = b := {0,1}; ke, kd := G(); A[E]
|Pr[CPA; g = b] − ½| is negligible in η (η is called the security parameter)

THEOREM
Theorem: the Paillier encryption scheme is resistant to Chosen Plaintext Attacks.

Proof of CPA of Paillier: GAME 0
E(x0, x1) = if (b = 0) then {c := E(x0, ke)} else {c := E(x1, ke)}
CPApaillier = b := {0,1}; ke, kd := G(); A[E]

Proof of CPA of Paillier: step 1, INLINE (unfold G and E)
E(x0, x1) = if (b = 0) then {y := {1 .. n−1}; c := y^n * g^x0 mod n²}
            else {y := {1 .. n−1}; c := y^n * g^x1 mod n²}
CPApaillier1 = b := {0,1}; p,q,g := generateN(); n := p * q; ke := (n, g); kd := (p, q); A[E]
CPApaillier ≈{g} CPApaillier1

Proof of CPA of Paillier: step 2, DEADCODE (kd is never used by E or A, so its assignment is dropped)
E(x0, x1) = if (b = 0) then {y := {1 .. n−1}; c := y^n * g^x0 mod n²}
            else {y := {1 .. n−1}; c := y^n * g^x1 mod n²}
CPApaillier2 = b := {0,1}; p,q,g := generateN(); n := p * q; ke := (n, g); A[E]
CPApaillier1 ≈{g} CPApaillier2

Proof of CPA of Paillier: step 3, INLINE (reduction to DRA) and calculating probabilities
CR(x0, x1) = if (b = 0) then {y := {1 .. n−1}; c := y^n mod n²} else {c := {1 .. n²−1}}
E(x0, x1) = if (b = 0) then {y := {1 .. n−1}; c := y^n * g^x0 mod n²}
            else {y := {1 .. n−1}; c := y^n * g^x1 mod n²}
DRA = b := {0,1}; p,q,g := generateN(); n := p * q; B[CR]
B = ke := (n, g);
    A[CR; c := c * g^x0 mod n²]; g0 := g;
    A[CR; c := c * g^x1 mod n²]; g1 := g;
    if (g0 = 0 OR g1 = 1) then g' := 0 else g' := 1
(B runs A twice, answering each E query with a CR query multiplied by g^x0, respectively g^x1. When b = 0 the first run is exactly CPApaillier2 with b = 0 and the second run is CPApaillier2 with b = 1; when b = 1 both runs see uniformly random ciphertexts that carry no information about x0 and x1.)
½ Pr[CPApaillier2; g = b] = Pr[DRA; g' = 0 and b = 0]
½ Pr[CPApaillier2; g = b] ≤ Pr[DRA; g' = b]
and |Pr[DRA; g' = b] − ½| is negligible by the DRA.

We have proved Paillier to be CPA. Then is Paillier encryption secure?
NO

A property of Paillier encryptions
Recall: generateN() generates two primes p, q with gcd(pq, φ(pq)) = 1 and an element g modulo n² whose order is a nonzero multiple of n; G() = p,q,g := generateN(); n := p * q; ke := (n, g); kd := (p, q); and for x in {0 … n−1}, E(x, (n, g)) = y := {1 .. n−1}; c := y^n * g^x mod n².
Encryption is additively homomorphic:
E(x0, (n, g)) * E(x1, (n, g)) mod n²
  = (y0^n * g^x0) * (y1^n * g^x1) mod n²
  = y0^n * y1^n * g^x0 * g^x1 mod n²
  = (y0 * y1)^n * g^(x0 + x1) mod n²
  = E(x0 + x1 mod n, (n, g))      (with randomness y0 * y1 mod n)
So anyone holding two ciphertexts can build a valid ciphertext of the sum of their plaintexts without knowing either plaintext.

An attack on Paillier encryption (with chosen ciphertexts):
E(x0, x1) = if (b = 0) then {y := {1 .. n−1}; c := y^n * g^x0 mod n²}
            else {y := {1 .. n−1}; c := y^n * g^x1 mod n²};
            log := log + c
D(m) = if (m ∈ log) then {x := 0} else {x := D(m, kd)}
GamePaillier = b := {0,1}; p,q,g := generateN(); n := p * q; ke := (n, g); kd := (p, q); A[E, D]
A[E, D] = x0 := 1; x1 := 2; E; m := c * c mod n²; D; if (x = 2) then g := 0 else g := 1
The ciphertext c * c mod n² is not in the log, so the decryption oracle answers it; by the homomorphic property it decrypts to 2 * xb, which reveals b with certainty.
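The homomorphic property and the chosen-ciphertext adversary above, as an added worked example (this is not code from the lecture): textbook Paillier with the standard choice g = n + 1 and a private key (λ, μ) derived from (p, q), the product E(x0) * E(x1), and the game GamePaillier with its logging decryption oracle. The primes P and Q are constructed demo values, far too small for real use.

```python
"""Textbook Paillier: key generation, encryption, decryption, the additive
homomorphism E(x0) * E(x1) = E(x0 + x1), and the CCA2 adversary of the slides.
Demo parameters only: the primes are tiny and the code is not side-channel safe."""
import secrets
from math import gcd

# Constructed demo primes (about 14 bits each); a real key uses ~1024-bit primes.
P, Q = 10007, 10009


def paillier_L(u, n):
    """Paillier's L function: L(u) = (u - 1) / n, for u = 1 (mod n)."""
    return (u - 1) // n


def keygen(p=P, q=Q):
    """G(): returns ke = (n, g) and kd = (lambda, mu), with the usual g = n + 1.
    (lambda, mu) is derived from (p, q), which the slides write as kd = (p, q)."""
    n = p * q
    assert gcd(n, (p - 1) * (q - 1)) == 1          # gcd(pq, phi(pq)) = 1
    g = n + 1                                      # order of g modulo n^2 is n
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    mu = pow(paillier_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(x, ke):
    """E(x, (n, g)) = y^n * g^x mod n^2 with y random in {1..n-1}, gcd(y, n) = 1."""
    n, g = ke
    n2 = n * n
    while True:
        y = secrets.randbelow(n - 1) + 1
        if gcd(y, n) == 1:
            break
    return pow(y, n, n2) * pow(g, x % n, n2) % n2


def decrypt(c, ke, kd):
    """D(c, kd) = L(c^lambda mod n^2) * mu mod n."""
    n, _ = ke
    lam, mu = kd
    return paillier_L(pow(c, lam, n * n), n) * mu % n


def add_encrypted(c0, c1, ke):
    """Homomorphism of the slides: E(x0) * E(x1) mod n^2 encrypts x0 + x1 mod n."""
    n, _ = ke
    return c0 * c1 % (n * n)


class CCA2Game:
    """GamePaillier of the slides: the challenge oracle E logs the challenge c;
    the decryption oracle D answers 0 for logged ciphertexts, decrypts all others."""

    def __init__(self, ke, kd):
        self.ke, self.kd = ke, kd
        self.b = secrets.randbelow(2)
        self.log = set()

    def E(self, x0, x1):
        c = encrypt(x1 if self.b == 1 else x0, self.ke)
        self.log.add(c)
        return c

    def D(self, m):
        return 0 if m in self.log else decrypt(m, self.ke, self.kd)


def cca2_adversary(game):
    """A[E, D] of the slides: x0 := 1; x1 := 2; E; m := c * c; D; guess b from x.
    c * c is not in the log, yet decrypts to 2 * x_b (2 if b = 0, 4 if b = 1)."""
    c = game.E(1, 2)
    m = add_encrypted(c, c, game.ke)
    x = game.D(m)
    return 0 if x == 2 else 1


def attack_success_rate(trials=32):
    """Fraction of games the adversary wins; the attack is deterministic, so 1.0."""
    ke, kd = keygen()
    wins = 0
    for _ in range(trials):
        game = CCA2Game(ke, kd)
        wins += int(cca2_adversary(game) == game.b)
    return wins / trials
```

The decryption oracle's only defence is exact equality with the logged challenge, which is why any malleable scheme fails CCA2: the adversary never needs to submit the challenge itself, only a related ciphertext it can construct from it.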

We have proved Paillier to be CPA. This is only one kind of attack. Paillier is secure against an adversary with the power of making chosen plaintext attacks (usually the weakest kind of attack considered), but not against all possible attacks: for example, it is not secure against chosen ciphertext attacks.
Important: provable cryptography only guarantees that no partial information is revealed for a given class of attack. It does not imply total security.

Another Look at Provable Cryptography
"the treatment of hashed ElGamal encryption in … is in some sense a remarkable achievement … so successful in turning something that should be interesting and accessible to everyone into something lengthy, unreadable, and boring."
Neal Koblitz

Another Look at ElGamal …

Another Look at Provable Cryptography
"A security theorem is conditional in a strong sense — it assumes the intractability of some mathematical problem… Often the intractability assumption is made for a complicated and contrived problem that has never been carefully studied. In fact, in some cases the problem is trivially equivalent to the cryptanalysis problem for the protocol whose security is being 'proved,' and the 'proof' is essentially circular."
"Certain attacks — especially side-channel attacks — are very hard to model, and the models that have been proposed are woefully inadequate. The problem is that the adversary is always coming up with ingenious new methods to compromise the security of a cryptographic system."
AND MORE
Neal Koblitz

Chosen Ciphertext Attacks (CCA)
CCA are strong forms of active attacks.
We will see two types of them: a priori CCA (CCA1, where the decryption oracle is available only before the challenge) and a posteriori CCA (CCA2, where it is also available after the challenge).
In both, the adversary has access to decryption requests.
CAVEAT: some use "CCA" to mean CCA2.

Chosen-ciphertext attack 1 (CCA1)
E = if (b = 0) then {m := E(x0, ke)} else {m := E(x1, ke)}
D = x := D(m, kd)
CCA1 = b := {0,1}; ke, kd := G(); A[D]; E; A'
(A may query D only before the challenge E is produced; A' then receives the challenge m together with A's state, but has no decryption oracle.)

Example: a CCA1 scheme
We will define a CCA1 scheme <G', E', D'>.
It is based on a CPA scheme <G, E, D> and on a non-interactive ZK scheme (P, V, R, S).

Proof of Knowledge Zero Knowledge
A prover gives a proof of some secret that he knows, but without revealing the secret!
Example: if x in Zq is the secret, the prover can exhibit witnesses based on g^x, showing that he knows x (a concrete protocol later).

Proof of Knowledge Zero Knowledge: properties
ZK schemes have to satisfy:
Soundness: the verification procedure does not "accept" false statements, except with negligible probability.
Completeness: if a statement is true then the verifier "accepts" it, except with negligible probability.
Zero-Knowledge: the adversary cannot learn the secret (nor anything beyond the truth of the statement) by using the scheme!

Proof Systems: Schemes for ZK
A proof of knowledge zero knowledge scheme is a tuple (P, V, R, S):
P (prover) is a probabilistic program that takes as inputs a secret s and a witness w, and outputs a proof p in D.
V (verifier) is a probabilistic program that takes a witness and a proof and outputs zero or one.
R is an NP relation that depends on the secret s.
S is a simulator, a probabilistic program that outputs a "proof" in D without using the secret s.
(We do not include here the algorithm for "extraction". Note the naming: what these slides call the witness w is the public statement being proved, and the secret s is what is usually called the witness.)

Zero Knowledge (indistinguishability)
O = if (b = 0) then {p := P(s, w)} else {p := S(w)}
ZK = b := {0,1}; A[O]
|Pr[ZK; g = b] − ½| is negligible.

Example: a CCA1 scheme (Naor-Yung)
We will define a CCA1 scheme <G', E', D'>, based on a CPA scheme <G, E, D> and a ZK scheme (P, V, R, S):
G'() = k0e, k0d := G(); k1e, k1d := G()
E'(x, (k0e, k1e)) = e0 := E(x, k0e); e1 := E(x, k1e); p := P(e0, e1, x, r0, r1); c := (e0, e1, p)
   (r0, r1 are the random coins of the two encryptions; p proves that e0 and e1 encrypt the same plaintext x)
D'((e0, e1, p), (k0d, k1d)) = if V(e0, e1, p) = true then x := D(e1, k1d)
   (D' only ever uses k1d; a ciphertext whose proof does not verify is rejected)

Proof of CCA1 of the Naor-Yung scheme
Theorem: the Naor-Yung encryption scheme is resistant to Chosen Ciphertext Attacks version 1 (CCA1).

GAME 0: the CCA1 game
E = if (b = 0) then {m := E(x0, ke)} else {m := E(x1, ke)}
D = x := D(m, kd)
CCA1 = b := {0,1}; ke, kd := G(); A[D]; E; A'

Step 1: INLINE (unfold G', E', D')
D = if V(e0, e1, p) = true then x := D(e1, k1d)
E = if (b = 0) then {e0 := E_r0(x0, k0e); e1 := E_r1(x0, k1e); p := P(e0, e1, x0, r0, r1); c := (e0, e1, p)}
    else {e0 := E_r0'(x1, k0e); e1 := E_r1'(x1, k1e); p := P(e0, e1, x1, r0', r1'); c := (e0, e1, p)}
CCA1-1 = b := {0,1}; k0e, k0d := G(); k1e, k1d := G(); A[D]; E; A'
CCA1 ≈{g} CCA1-1

Step 2: ZERO KNOWLEDGE (replace the real proof by a simulated one)
D = if V(e0, e1, p) = true then x := D(e1, k1d)
E = if (b = 0) then {e0 := E(x0, k0e); e1 := E(x0, k1e); p := S(e0, e1); c := (e0, e1, p)}
    else {e0 := E(x1, k0e); e1 := E(x1, k1e); p := S(e0, e1); c := (e0, e1, p)}
CCA1-2 = b := {0,1}; k0e, k0d := G(); k1e, k1d := G(); A[D]; E; A'
CCA1-1 ≈{g} CCA1-2, up to a negligible difference: an adversary that behaved differently in the two games would win the ZK game.

Step 3: CODE MOTION (the simulator does not need x, so the proof can be computed after E)
D = if V(e0, e1, p) = true then x := D(e1, k1d)
E = if (b = 0) then {e0 := E(x0, k0e); e1 := E(x0, k1e)}
    else {e0 := E(x1, k0e); e1 := E(x1, k1e)}
CCA1-3 = b := {0,1}; k0e, k0d := G(); k1e, k1d := G(); A[D]; E; p := S(e0, e1); c := (e0, e1, p); A'
CCA1-2 ≈{g} CCA1-3

Step 4: INLINE (package everything after the first key generation as an adversary B)
D = if V(e0, e1, p) = true then x := D(e1, k1d)
E = if (b = 0) then {e0 := E(x0, k0e); e1 := E(x0, k1e)}
    else {e0 := E(x1, k0e); e1 := E(x1, k1e)}
CCA1-4 = b := {0,1}; k0e, k0d := G(); B
B = k1e, k1d := G(); A[D]; E; p := S(e0, e1); c := (e0, e1, p); A'
CCA1-3 ≈{g} CCA1-4

A CPA attacker against <G, E, D> under key pair 0
D = if V(e0, e1, p) = true then x := D(e1, k1d)
E = if (b = 0) then {e0 := E(x0, k0e); e1 := E(x0, k1e)}
    else {e0 := E(x1, k0e); e1 := E(x1, k1e)}
E' = if (b = 0) then {e0 := E(x0, k0e)} else {e0 := E(x1, k0e)}
CPA = b := {0,1}; k0e, k0d := G(); B
B = k1e, k1d := G(); A[D]; E'; e1 := E(x0, k1e); p := S(e0, e1); c := (e0, e1, p);
    if V(e0, e1, p) = true then A' else g := 1
(B generates key pair 1 itself, so it can answer A's decryption queries with k1d, and it simulates the proof, so it never needs x or the random coins. Compared with CCA1-4, the only change is that e1 always encrypts x0.)
Pr[CCA1-4; g = b] = Pr[CCA1-4; g = 0 and b = 0] + Pr[CCA1-4; g = 1 and b = 1] = ½ Pr[CPA; g = b] + ½
and Pr[CPA; g = b] − ½ is negligible by the CPA security of <G, E, D>.

A simple ZK protocol (equality of discrete logarithms)
There is a secret x that the prover wants to prove that he knows.
The NP relation that depends on x is "log_g z = x and log_h z' = x", i.e. z = g^x and z' = h^x, where g and h generate a cyclic group of prime order q (so exponents are reduced mod q).
The protocol for generating a proof is P0; V0; P1 and the verification is V1, where:
P0(g, h) = w := {1 … q−1}; la, lb := g^w, h^w
V0(la, lb) = lc := {1 … q−1}
P1(w, x, lc) = p := w + x * lc mod q
V1(p, la, lb, g^x, h^x) = if (g^p = la * (g^x)^lc and h^p = lb * (h^x)^lc) then true else false

A simple ZK protocol
Exercise: assume that lc := {1 … q−1} is chosen in advance and given as a parameter to P0, so that the protocol for generating a proof is just P0; P1 and the verification is V1. Show that the prover can then cheat (he can "prove" that he knows x without knowing it).
P0(g, h, lc) = w := {1 … q−1}; la, lb := g^w, h^w
P1(w, x, lc) = p := w + x * lc mod q
V1(p, la, lb, g^x, h^x) = if (g^p = la * (g^x)^lc and h^p = lb * (h^x)^lc) then true else false

A simple ZK protocol: from interactive to non-interactive
There is a secret x that the prover wants to prove that he knows. The NP relation is "log_g z = x and log_h z' = x", with g and h generators of a cyclic group of prime order q.
The verifier's random challenge is replaced by a hash of the prover's first message (the Fiat-Shamir transformation). The protocol for generating a proof is P and the verification is V, where "+" inside H denotes concatenation:
P(g, h, x) = w := {1 … q−1}; a, b := g^w, h^w; lc := H(a + b); p := w + x * lc mod q; proof := (p, lc)
V(p, lc, g^x, h^x) = a, b := g^p * (g^x)^(−lc), h^p * (h^x)^(−lc); if (H(a + b) = lc) then true else false
(The verifier recomputes the commitments from p and lc: g^p = a * (g^x)^lc holds exactly when a = g^p * (g^x)^(−lc).)
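The three preceding slides (the interactive protocol, the cheating exercise, and the non-interactive version) as one added worked example, not code from the lecture. It uses a constructed demo group: the subgroup of quadratic residues of Z_p^* with p = 1019 = 2q + 1 and q = 509, so that exponents are reduced mod q as the slides write; G = 4 and H = 9 are squares and therefore generate that subgroup (a real deployment needs p of 2048 bits or more and an h whose discrete log base g is unknown). The Fiat-Shamir challenge here hashes the statement (g, h, z, z') together with the commitment, not just a + b as on the slide; binding the statement into the hash is the difference between the weak and the strong form of the transformation, and the strong form is the one to use.

```python
"""Equality-of-discrete-logs protocol (Chaum-Pedersen) from the slides:
(1) honest interactive run, (2) a cheating prover who learns the challenge
before committing, (3) non-interactive proof via a Fiat-Shamir hash.
Constructed demo group: prime-order-q subgroup of Z_p^*, p = 2q + 1."""
import hashlib
import secrets

P_MOD, Q_ORD = 1019, 509     # p = 2q + 1, both prime (demo size only)
G, H = 4, 9                  # squares mod p, hence of order q


def rand_exp():
    """Uniform element of {1 .. q-1}, used for w and for the challenge lc."""
    return secrets.randbelow(Q_ORD - 1) + 1


def sha_challenge(*elems):
    """Fiat-Shamir challenge in {1 .. q-1}: SHA-256 over statement and commitment."""
    data = "|".join(str(e) for e in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q_ORD - 1) + 1


def prover_commit(g=G, h=H):
    """P0: pick w, send la = g^w, lb = h^w."""
    w = rand_exp()
    return w, pow(g, w, P_MOD), pow(h, w, P_MOD)


def prover_respond(w, x, lc):
    """P1: p = w + x * lc mod q."""
    return (w + x * lc) % Q_ORD


def verify(p, la, lb, z, zp, lc, g=G, h=H):
    """V1: g^p == la * z^lc and h^p == lb * z'^lc (z = g^x, z' = h^x)."""
    return (pow(g, p, P_MOD) == la * pow(z, lc, P_MOD) % P_MOD
            and pow(h, p, P_MOD) == lb * pow(zp, lc, P_MOD) % P_MOD)


def interactive_run(x):
    """Honest run P0; V0; P1; V1 with a fresh random challenge from the verifier."""
    z, zp = pow(G, x, P_MOD), pow(H, x, P_MOD)
    w, la, lb = prover_commit()
    lc = rand_exp()                      # V0
    p = prover_respond(w, x, lc)
    return verify(p, la, lb, z, zp, lc)


def cheating_prover(z, zp, lc):
    """Exercise of the slides: knowing lc before committing, choose p first and
    solve V1's equations for la, lb. No x is needed."""
    p = rand_exp()
    la = pow(G, p, P_MOD) * pow(pow(z, lc, P_MOD), -1, P_MOD) % P_MOD
    lb = pow(H, p, P_MOD) * pow(pow(zp, lc, P_MOD), -1, P_MOD) % P_MOD
    return p, la, lb


def cheat_succeeds():
    """Statement for some x the cheater never sees; V1 still accepts."""
    x = rand_exp()
    z, zp = pow(G, x, P_MOD), pow(H, x, P_MOD)
    lc = rand_exp()                      # fixed before the commitment
    p, la, lb = cheating_prover(z, zp, lc)
    return verify(p, la, lb, z, zp, lc)


def ni_prove(x):
    """Non-interactive P: commit, derive lc from a hash, respond; proof = (p, lc)."""
    z, zp = pow(G, x, P_MOD), pow(H, x, P_MOD)
    w, a, b = prover_commit()
    lc = sha_challenge(G, H, z, zp, a, b)
    return prover_respond(w, x, lc), lc


def ni_verify(proof, z, zp):
    """Non-interactive V: a = g^p * z^(-lc), b = h^p * z'^(-lc); accept iff
    hashing them back yields lc."""
    p, lc = proof
    a = pow(G, p, P_MOD) * pow(pow(z, lc, P_MOD), -1, P_MOD) % P_MOD
    b = pow(H, p, P_MOD) * pow(pow(zp, lc, P_MOD), -1, P_MOD) % P_MOD
    return sha_challenge(G, H, z, zp, a, b) == lc


def ni_roundtrip(x, tamper=False):
    """Verify a proof for (g^x, h^x); with tamper=True, z' is replaced by
    h^(x+1), so the logs differ and the proof must be rejected."""
    z, zp = pow(G, x, P_MOD), pow(H, x, P_MOD)
    proof = ni_prove(x)
    if tamper:
        zp = pow(H, x + 1, P_MOD)
    return ni_verify(proof, z, zp)
```

The cheat in cheating_prover is exactly why the challenge must be unpredictable at commitment time; Fiat-Shamir keeps that property by making lc a function of the commitment, which the prover cannot choose after fixing p.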

Chosen-ciphertext attack 2 (CCA2)
E = if (b = 0) then {m := E(x0, ke)} else {m := E(x1, ke)}; log := log + m
D = if (m ∈ log) then {x := 0} else {x := D(m, kd)}
CCA2 = b := {0,1}; log := nil; ke, kd := G(); A[E, D]
(Unlike CCA1, A keeps the decryption oracle after seeing the challenge; D only refuses the challenge ciphertext itself.)

Example of a CCA2 scheme: RSA-OAEP (in the PKCS#1 standard)
Let H : {0,1}^l → {0,1}^(p−l) and G : {0,1}^(p−l) → {0,1}^l be two hash functions, where p is the bit length of the RSA input block and "+" denotes XOR.
RSA-OAEP-ENC(m, ke) = r := {0,1}^l; s := H(r) + m; t := G(s) + r; c := rsa-enc(s ++ t, ke)
RSA-OAEP-DEC(c, kd) = (s, t) := rsa-dec(c, kd); r := t + G(s); m := s + H(r)
(The original OAEP of Bellare and Rogaway appends a block of zero bits to m before masking and rejects at decryption if those bits are not zero after unmasking; that redundancy is what lets decryption refuse ciphertexts the adversary made up, and the proof relies on it.)
Proved in 2004 by Fujisaki, Okamoto, Pointcheval and Stern (under the RSA assumption, in the random oracle model).
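The padding of the slide, written out as an added example (not code from the lecture and not PKCS#1's exact EME-OAEP encoding, which also hashes a label and uses a 0x01 separator): H and G are instantiated from SHA-256 in counter mode, "+" is XOR, and the zero-bit redundancy of the original OAEP is kept so that unpadding can reject. The RSA key is a constructed demo modulus built from the two Mersenne primes 2^61 − 1 and 2^89 − 1 with e = 65537; it is far too small for real use and is there only so the block can be run.

```python
"""RSA-OAEP with the structure of the slide: s = H(r) ^ (m || 0^k1),
t = G(s) ^ r, c = rsa(s || t). Demo key only; not PKCS#1's exact encoding."""
import hashlib
import secrets

# Constructed demo RSA key: n = M61 * M89 (two Mersenne primes), e = 65537.
P_RSA, Q_RSA = 2**61 - 1, 2**89 - 1
N_RSA = P_RSA * Q_RSA                      # 150-bit modulus
E_RSA = 65537
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))

K_OUT = (N_RSA.bit_length() + 7) // 8      # 19 bytes hold any integer < n
BLOCK = K_OUT - 1                          # 18-byte padded block, always < n
L_BYTES = 8                                # |r| = l bits
S_BYTES = BLOCK - L_BYTES                  # |s| = p - l bits
ZEROS = 2                                  # redundancy: trailing zero bytes of m


def mgf(seed, length):
    """Counter-mode SHA-256 mask generation, used to build H and G."""
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def H(r):                                  # {0,1}^l -> {0,1}^(p-l)
    return mgf(b"H" + r, S_BYTES)


def G(s):                                  # {0,1}^(p-l) -> {0,1}^l
    return mgf(b"G" + s, L_BYTES)


def oaep_pad(m, r=None):
    """s := H(r) + (m || 0^k1); t := G(s) + r; return s ++ t."""
    assert len(m) == S_BYTES - ZEROS
    r = r if r is not None else secrets.token_bytes(L_BYTES)
    s = xor(H(r), m + bytes(ZEROS))
    t = xor(G(s), r)
    return s + t


def oaep_unpad(block):
    """r := t + G(s); (m || pad) := s + H(r); reject unless pad is all zero."""
    s, t = block[:S_BYTES], block[S_BYTES:]
    r = xor(t, G(s))
    m_padded = xor(s, H(r))
    if m_padded[-ZEROS:] != bytes(ZEROS):
        return None
    return m_padded[:-ZEROS]


def rsa_oaep_enc(m):
    return pow(int.from_bytes(oaep_pad(m), "big"), E_RSA, N_RSA)


def rsa_oaep_dec(c):
    """Returns the message, or None when the ciphertext is not a valid encoding."""
    x = pow(c, D_RSA, N_RSA).to_bytes(K_OUT, "big")
    if x[0] != 0:                          # a padded block never has the top byte set
        return None
    return oaep_unpad(x[1:])


def roundtrip(m):
    return rsa_oaep_dec(rsa_oaep_enc(m)) == m


def tampered_is_rejected(m):
    """Flip one bit of the ciphertext: the RSA preimage is then unrelated to the
    padded block, both masks unravel to noise, and the zero check fails."""
    c = rsa_oaep_enc(m)
    return rsa_oaep_dec(c ^ 1) is None
```

Because r is masked by a function of s and s by a function of r, changing any bit of the RSA input scrambles both halves, and the redundancy check turns that scrambling into a rejection; a decryptor that skipped the check (as the slide's simplified DEC does) would hand the adversary a plaintext for every ciphertext it submits.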

READING
Slides, notes, bibliography and exercises: www-sop.inria.fr/members/Tamara.Rezk/teaching
- Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. Naor, Yung.
- Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. Rackoff, Simon.
- Another Look at "Provable Security". Neal Koblitz and Alfred Menezes. http://anotherlook.ca/
- Code-Based Game-Playing Proofs and the Security of Triple Encryption. Bellare, Rogaway.