Topics in Cryptography, Lecture 4. Topic: Chosen Ciphertext Security. Lecturer: Moni Naor

Public Key Encryption
Alice holds Bob's public key K_P; Bob holds the matching secret key K_s.
Plaintext m, ciphertext c = E(m, K_P).
Decryption: m = D(E(m, K_P), K_s).
Defining Security
How do we know that an encryption scheme is secure? Are the following requirements sufficient?
1. Given E(m, K_P), cannot compute m
2. Given E(m, K_P), cannot compute the i-th bit of m
3. Given E(m, K_P), cannot compute some f(m)
A definition must be
1. "convincing"
2. "application independent"
Example: Interactive Authentication
P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E.
To authenticate a message m:
V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, K_P).
P → V: On receiving c, decrypt it using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose.
Is it Safe?
Definition of security: existential unforgeability against adaptive chosen message attack
- The adversary can ask P to authenticate any sequence m_1, m_2, ...
- Success: the adversary makes V accept a message m that P did not authenticate
- The adversary has complete control over the channels
Intuition: if E does not leak information about the plaintext, then nothing is leaked about r.
Problems: if E is "just" semantically secure against chosen plaintext attacks,
- the adversary might change c = E(m ∘ r, K_P) into c' = E(m' ∘ r, K_P) (malleability);
- it is not sufficient to verify the correct form of the ciphertext in the simulation;
- the setting is closer to a chosen ciphertext attack, since P acts as a decryption oracle that reveals the suffix r.
Question
Can you think of an example of an encryption scheme where
- the encryption scheme is semantically secure against chosen plaintext attacks, but
- the authentication scheme above is forgeable?
Example: bit-by-bit encryption. Each bit of m ∘ r is encrypted independently, so an adversary can replace the ciphertexts of the prefix m with fresh encryptions of a message of her choice (she has K_P) while leaving the ciphertexts of r untouched.
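A worked run of that attack, added here as an example (it is not code from the lecture). The encryption is a toy Goldwasser-Micali scheme, the classic bit-by-bit scheme that is semantically secure under CPA (under quadratic residuosity). The primes 10007 and 10009, the 32-bit r, the messages and the fixed-seed RNG are assumptions for illustration only; the parameters are far too small for real security.

```python
"""Added example (not from the lecture): a CPA-secure bit-by-bit scheme makes
the interactive authentication protocol forgeable.  Toy Goldwasser-Micali with
tiny primes and a seeded RNG: illustration only, never use such parameters."""
import random

P, Q = 10007, 10009          # assumption: toy primes
N = P * Q

def legendre(a, p):
    """1 if a is a quadratic residue mod prime p, p-1 if it is a non-residue."""
    return pow(a, (p - 1) // 2, p)

def keygen(rng):
    while True:               # x must be a non-residue mod both P and Q
        x = rng.randrange(2, N)
        if legendre(x, P) == P - 1 and legendre(x, Q) == Q - 1:
            return (N, x), P  # pk = (N, x); one factor suffices as sk

def enc_bit(pk, b, rng):
    n, x = pk
    y = rng.randrange(2, n)
    while y % P == 0 or y % Q == 0:
        y = rng.randrange(2, n)
    return (y * y * pow(x, b, n)) % n      # y^2 is a residue, y^2 x is not

def dec_bit(sk, c):
    return 0 if legendre(c % sk, sk) == 1 else 1

def bits(msg):
    return [(byte >> i) & 1 for byte in msg for i in range(7, -1, -1)]

def enc(pk, bs, rng):         # bit by bit: one independent ciphertext per bit
    return [enc_bit(pk, b, rng) for b in bs]

def dec(sk, cs):
    return [dec_bit(sk, c) for c in cs]

# --- the protocol of the slides ------------------------------------------
def verifier_challenge(pk, m, n, rng):
    """V -> P: c = E(m o r) for a fresh random r of n bits."""
    r = [rng.randrange(2) for _ in range(n)]
    return r, enc(pk, bits(m) + r, rng)

def prover_respond(sk, m_approved, c):
    """P -> V: decrypt, insist the prefix is the message P approves, reveal r."""
    pt = dec(sk, c)
    prefix = bits(m_approved)
    return pt[len(prefix):] if pt[:len(prefix)] == prefix else None

def honest_run(rng):
    pk, sk = keygen(rng)
    r, c = verifier_challenge(pk, b"PAY 010", 32, rng)
    return prover_respond(sk, b"PAY 010", c) == r

def forgery(rng):
    """Adversary in the middle.  V wants P's approval of m_target, which P never
    approves; P does approve m_benign (chosen-message access)."""
    pk, sk = keygen(rng)
    m_target, m_benign = b"PAY 999", b"PAY 010"
    r, c = verifier_challenge(pk, m_target, 32, rng)
    # Splice: fresh encryptions of m_benign's bits, then V's untouched
    # encryptions of r.  Bit-by-bit encryption cannot tie the two together.
    spliced = enc(pk, bits(m_benign), rng) + c[len(bits(m_target)):]
    leaked_r = prover_respond(sk, m_benign, spliced)  # prefix check passes
    return leaked_r == r    # adversary forwards r; V accepts m_target
```

forgery() never decrypts anything: it only re-encrypts the prefix with the public key and reuses V's ciphertexts of r, which is exactly the malleability the slide warns about. Any scheme that binds the whole plaintext (a non-malleable one) would make the spliced ciphertext fail P's check.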
Attacks and Security
To define the security of a system one must specify:
- The power of the adversary, both
  - computational, and
  - in terms of access to the system.
- What constitutes a failure of the system
  - often via a game and the probability of winning it.
Taxonomy of Signature Schemes (Goldwasser, Micali and Rivest, 1984)
Attacks:
- Key-only attack
- Generic chosen message attack: the key is unknown when the messages are chosen
- Non-adaptive chosen message attack: the key is known when the messages are chosen
- Adaptive chosen message attack
What it means to break the scheme:
- Universal forgery ≈ key recovery
- Selective forgery: the target message is chosen a priori
- Existential forgery: some message is forged
All combinations of attack/break are relevant.
(Public-key) Encryption: Attacks
- Chosen plaintext (CPA): the minimal attack relevant to public-key cryptosystems, since anyone can encrypt. Assumes decrypted messages remain secret.
- Chosen ciphertext, preprocessing mode (a.k.a. lunch-break attack, CCA1): there is a period during which the decryption device is handled by the adversary; the scheme should remain secure for ciphertexts created afterwards.
- Chosen ciphertext, postprocessing mode (a.k.a. CCA2): the challenge ciphertext is already known when the decryption queries take place (but the challenge itself cannot be submitted).

Chosen Ciphertext Attack
Alice holds the public key K_P; Bob holds the secret key K_s.
Query c_1 → a_1 = D(c_1, K_s); query c_2 → a_2 = D(c_2, K_s); ...
The adversary can get decryptions of ciphertexts of her choice.
Encryption: Notions of Breaking
Semantic security
- Whatever is computable about the plaintext given the ciphertext is computable without it.
- In particular, given E(m, k_p) it is infeasible to produce a related m' (in the clear).
- Can substitute with indistinguishability of encryption: cannot distinguish E(m_0, k_p) from E(m_1, k_p). The equivalence requires a proof in each attack setting.
Non-malleable security
- Whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.
- Given E(m, k_p) it is infeasible to produce E(m', k_p) for a "related" m', i.e., m and m' satisfying R(m, m') for a poly-time relation R.
- Important for achieving independence of messages.
Indistinguishability under CCA
Definition: an encryption scheme is secure under CCA if no poly-time adversary A can "win" the following game with non-negligible advantage:
1. A is given the public key K_P.
2. A (adaptively) asks for decryptions under K_s.
3. A produces two messages m_0 and m_1 (of equal length).
4. A receives a "challenge" c = E_pk(m_b) for b ∈_R {0,1}.
5. A "wins" if it guesses b correctly.
CCA1: A only gets decryptions before the challenge.
CCA2: A also gets decryptions after the challenge, of any ciphertext other than c itself.

Chosen Ciphertext Attack: the postprocessing phase
Alice holds the public key K_P; Bob holds the secret key K_s.
Queries c_i → a_i = D(c_i, K_s) (before the challenge).
A sends {m_0, m_1}; Bob picks b ∈_R {0,1} and returns c = E(m_b, K_P).
Queries c'_i ≠ c → a'_i = D(c'_i, K_s) (after the challenge: the postprocessing phase).
A outputs a guess b' and wins if b' = b.
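The game of the two slides above as a runnable harness, added here as an example (not part of the lecture). It is played against textbook ElGamal, which is semantically secure under DDH but malleable: multiplying the second component by g turns a ciphertext of m into one of m·g. The harness shows how the CCA1/CCA2 distinction and the "cannot submit the challenge" rule work, and how the postprocessing oracle turns malleability into a full break. Assumptions: a toy group (the squares mod p = 2039 = 2q+1, q = 1019, generated by g = 4), far too small for real use, and a fixed-seed RNG for reproducibility.

```python
"""Added example (not from the lecture): the IND-CCA game as a harness, run
against textbook ElGamal in a toy prime-order group (assumption: p = 2039)."""
import random

P, Q, G = 2039, 1019, 4       # p = 2q+1; G = 2^2 generates the order-q subgroup

def keygen(rng):
    x = rng.randrange(1, Q)
    return pow(G, x, P), x    # pk = h = g^x, sk = x

def enc(pk, m, rng):
    """Textbook ElGamal; m must be an element of the order-q subgroup."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), (pow(pk, r, P) * m) % P

def dec(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, Q - sk, P)) % P    # c1^(q-sk) = c1^(-sk), order q

class IndCcaGame:
    """Steps 1-5 of the slide.  The oracle is live before the challenge in
    both modes; after it only in CCA2, and never on the challenge itself."""
    def __init__(self, mode, rng):
        self.mode, self.rng = mode, rng
        self.pk, self.sk = keygen(rng)
        self.challenge, self.refused = None, 0

    def oracle(self, c):
        after = self.challenge is not None
        if after and (self.mode == "CCA1" or c == self.challenge):
            self.refused += 1
            return None
        return dec(self.sk, c)

    def run(self, adversary):
        m0, m1 = adversary.choose(self.pk, self.oracle)            # steps 1-3
        b = self.rng.randrange(2)
        self.challenge = enc(self.pk, (m0, m1)[b], self.rng)       # step 4
        return adversary.guess(self.challenge, self.oracle) == b   # step 5

class MalleabilityAdversary:
    """Asks for the decryption of (c1, c2*g), a ciphertext of m_b * g."""
    def choose(self, pk, oracle):
        self.m0, self.m1 = pow(G, 5, P), pow(G, 7, P)
        return self.m0, self.m1

    def guess(self, c, oracle):
        assert oracle(c) is None       # the challenge itself is always refused
        c1, c2 = c
        related = oracle((c1, (c2 * G) % P))
        if related is None:            # CCA1: oracle closed, nothing learned
            return 0
        return 0 if (related * pow(G, Q - 1, P)) % P == self.m0 else 1

def play(mode, trials, seed=1):
    """Return (wins, refused oracle calls) over the given number of games."""
    rng = random.Random(seed)
    wins = refused = 0
    for _ in range(trials):
        game = IndCcaGame(mode, rng)
        wins += game.run(MalleabilityAdversary())
        refused += game.refused
    return wins, refused
```

In CCA2 mode the adversary wins every game; in CCA1 mode both of its post-challenge queries are refused and it is reduced to guessing. This is the separation the later "Breaking notion vs. attack" table records: SS/CPA (or even SS/CCA1) does not give SS/CCA2, and ElGamal's malleability is the witness.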
(Public-key) Encryption: Attacks (continued)
- Chosen plaintext: the minimal attack relevant to PKCs; assumes decrypted messages remain secret.
- Chosen ciphertext, preprocessing mode (lunch-break, CCA1): the challenge ciphertext is given only after the adversary relinquishes control of the decryption device. A good model for membership queries in computational learning.
- Chosen ciphertext, postprocessing mode (CCA2): the challenge ciphertext is known when the attack takes place (but cannot itself be submitted). Important in many protocols.

Breaking notion vs. attack
                     Chosen Plaintext | Chosen Ciphertext, Preprocessing | Chosen Ciphertext, Postprocessing
Semantic Security    SS/CPA           | SS/CCA1                          | SS/CCA2
Non-Malleability     NM/CPA           | NM/CCA1                          | NM/CCA2
Auction
The auctioneer publishes a public key K_P. Bidder a sends c_a = E(bid_a, K_P); bidder b sends c_b = E(bid_b, K_P).
Want to ensure that bid_b is independent of bid_a.

Example: Auctions
Different requirements call for different notions. Semantic security is not sufficient for guaranteeing the independence of bids.
- If the key is used for a single auction and secrecy is not required after the auction is over: non-malleable security against chosen plaintext attacks.
- If the key is used for many auctions and secrecy is not required after the auction is over: non-malleable security against chosen ciphertext attacks in the preprocessing mode (bids of earlier auctions are decrypted before the current bids are cast).
- If the key is used for many auctions and secrecy is required after the auction is over: non-malleable security against chosen ciphertext attacks in the postprocessing mode.

Breaking notion vs. attack: implications
                     Chosen Plaintext | Chosen Ciphertext, Preprocessing | Chosen Ciphertext, Postprocessing
Semantic Security    SS/CPA           | SS/CCA1                          | SS/CCA2
Non-Malleability     NM/CPA           | NM/CCA1                          | NM/CCA2
NM/CCA2 and SS/CCA2 are equivalent; all other implications between these notions are proper (the weaker notion does not imply the stronger one).
Open problem: construct a more secure version from a less secure one. Is it possible to construct a CCA2-secure scheme from an SS/CPA-secure one?
Approaches for CCA-Security
- Redundancy + verification of well-formedness: the "Naor-Yung paradigm" [NY '90, DDN '91, Sahai, Lindell]: CPA-secure scheme + NIZK
- Smooth projective hashing [Cramer-Shoup '98, CS '02, ...]: "designated verifier" proofs; simplified in [Kiltz, Pietrzak, Stam, Yung 2009]
- Lossy trapdoor functions [Peikert-Waters '08]
- Correlated products [Rosen-Segev '09]
- Identity-based encryption [BCHK '04, ...]: from a CPA-secure IBE to CCA security

Ideas for achieving resistance to CCA
- Add redundancy: make it hard to generate frivolous ciphertexts
- Add methods to check consistency. This is the trickiest part: non-interactive zero-knowledge, or specific schemes
- Decrypt only if the given ciphertext passes the consistency checks
- Important point: one may decrypt with several different private keys
Ciphertext layout: C_1, C_2, and a proof of consistency (could be NIZK based).
Min-Entropy
Probability distribution X over {0,1}^n.
H_∞(X) = -log max_x Pr[X = x]
X is a k-source if H_∞(X) ≥ k (i.e., Pr[X = x] ≤ 2^{-k} for all x). Min-entropy measures the probability of the most likely value of X.
Statistical distance: Δ(X, Y) = Σ_a |Pr[X = a] - Pr[Y = a]|

Extractors
Universal procedure for "purifying" an imperfect source.
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-extractor if for any k-source X
  Δ(Ext(X, U_d), U_ℓ) ≤ ε
Inputs: x, a sample from a k-source of length n, and a seed s of d random bits. Output: ℓ almost-uniform bits.

Strong Extractors
The output looks random even after seeing the seed.
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-strong extractor if Ext'(x, s) = s ∘ Ext(x, s) is a (k, ε)-extractor.
Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors.
Example: Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n]
- Output length ℓ = k - 2 log(1/ε)
- Seed length d = 2n; with almost pairwise independent families the seed shrinks to d = O(log n + k)
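The example family above, evaluated exactly, as an added illustration (not code from the lecture). It implements Ext(x, (a, b)) = first ℓ bits of ax + b over GF(2^8) and computes the statistical distance of the strong extractor's output from uniform by enumerating every seed, for a k-source chosen to be as structured as possible (its leading bits are constant). Assumptions: n = 8 with the AES field polynomial x^8 + x^4 + x^3 + x + 1, k = 4 and ℓ = 2 in the usage, and the slides' convention for Δ (a plain sum, no factor 1/2), under which the leftover hash lemma bound reads 2^{(ℓ-k)/2}.

```python
"""Added example (not from the lecture): exact statistical distance of the
leftover-hash extractor over GF(2^8) on a structured k-source."""
import math

N, POLY = 8, 0x11B                       # GF(2^8) = GF(2)[x] / (x^8+x^4+x^3+x+1)

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def ext(x, seed, l):
    """Ext(x, (a, b)): the l most significant bits of a*x + b."""
    a, b = seed
    return (gf_mul(a, x) ^ b) >> (N - l)

def min_entropy(dist):
    """H_inf(X) = -log2 max_x Pr[X = x]."""
    return -math.log2(max(dist.values()))

def stat_distance(dist, m):
    """Delta(X, U_m) = sum_a |Pr[X = a] - 1/m| over all m possible outputs."""
    return sum(abs(dist.get(a, 0.0) - 1 / m) for a in range(m))

def structured_source(k):
    """A k-source that is far from uniform: uniform on {0, ..., 2^k - 1},
    so its n - k leading bits are always zero."""
    return {x: 2.0 ** -k for x in range(2 ** k)}

def raw_distance(k, l):
    """Distance from uniform of the first l bits of X itself (no extraction)."""
    dist = {}
    for x, p in structured_source(k).items():
        dist[x >> (N - l)] = dist.get(x >> (N - l), 0.0) + p
    return stat_distance(dist, 2 ** l)

def extractor_distance(k, l):
    """Exact Delta((S, Ext(X, S)), (U_d, U_l)) for the strong extractor: the
    average over all 2^(2n) seeds (a, b) of Delta(Ext(X, (a, b)), U_l)."""
    xs = list(structured_source(k))
    total = 0.0
    for a in range(2 ** N):
        prods = [gf_mul(a, x) for x in xs]          # a*x hoisted out of the b loop
        for b in range(2 ** N):
            counts = [0] * (2 ** l)
            for ax in prods:
                counts[(ax ^ b) >> (N - l)] += 1    # equals ext(x, (a, b), l)
            dist = {y: c / len(xs) for y, c in enumerate(counts)}
            total += stat_distance(dist, 2 ** l)
    return total / 4 ** N

def lhl_bound(k, l):
    """l = k - 2 log(1/eps)  <=>  eps = 2^(-(k - l)/2)."""
    return 2.0 ** ((l - k) / 2)
```

With k = 4 and ℓ = 2 the raw first two bits of X are at distance 1.5 from uniform (they are always 00), while the extracted two bits, averaged over the seed, land well under the lemma's bound of 1/2. The per-seed picture is also instructive: for a fixed a the output is a linear image of a 4-dimensional subspace, so each seed gives distance exactly 0, 1 or 1.5, and the extractor is good only on average over seeds, which is why the seed must be fresh and random.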
The One-Time Problem with Shared Keys
Alice and Bob share a secret key. Alice wants to send a message m ∈ {0,1}^n to Bob so that secrecy and authentication are maintained. They want to prevent Eve from interfering: Bob should be sure that the message m' he receives is equal to the message m Alice sent.
- For secrecy: one-time pad
- For authentication: can use universal_2 hash functions

Authentication using Hash Functions
Suppose that
- H = {h | h: {0,1}^n → {0,1}^k} is a family of functions,
- Alice and Bob share a random function h ∈ H,
- to authenticate message m ∈ {0,1}^n, Alice sends (m, h(m)),
- when receiving (m', z), Bob computes h(m') and compares it to z: if equal, accept m'; if not equal, reject.
What properties do we require from H?
- Hard to guess h(m'): success probability at most ε. But this is clearly not sufficient: take the one-time pad h(m) = m ⊕ s. A priori h(m') is unpredictable, yet after seeing (m, h(m)) Eve learns s and can tag any m'.
- Hard to guess h(m') even after seeing h(m): success probability at most ε, and this should hold for any m' ≠ m.
When a strongly universal_2 family is used in the protocol, Eve's probability of cheating is at most 2^{-k}.

Session Key Encryption
Alice and Bob share a key K. Plaintext m, ciphertext c = EA(m, K) (encrypt and authenticate).
Decryption and verification: m = DV(EA(m, K), K).

Structure of the Construction: "Hybrid"
Encryption:
- Use the public key to generate a shared session key.
- Use the shared key to encrypt and authenticate with a one-time scheme.
Decryption:
- Use the secret key to obtain the session key.
- Use the session decryption. Check the authentication. If it fails, reject; otherwise output the message.
Decisional Diffie-Hellman
Alice sends g^x, Bob sends g^y; both parties compute K = g^{xy}.
DDH assumption: (g, g^x, g^y, g^{xy}) ≈_c (g, g^x, g^y, g^z) for random x, y, z ∈ Z_q.
Equivalent form used below: (g_1, g_2, g_1^r, g_2^r) ≈_c (g_1, g_2, g_1^{r_1}, g_2^{r_2}) for random g_1, g_2 ∈ G and r, r_1, r_2 ∈ Z_q.

A Simple DDH Based Scheme: Key Generation
G: a group of prime order q. Ext: G × {0,1}^d → {0,1}^ℓ, a strong extractor.
Key generation: choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q. Let h = g_1^{x_1} g_2^{x_2}. Output sk = (x_1, x_2) and pk = (g_1, g_2, h).
MAIN IDEA: redundancy: any pk corresponds to many possible sk's. h = g_1^{x_1} g_2^{x_2} reveals only log q bits of information on sk = (x_1, x_2), which has 2 log q bits.

A Simple Scheme
G: a group of prime order q. Ext: G × {0,1}^d → {0,1}^ℓ, a strong extractor.
Key generation: choose g_1, g_2 ∈ G and x_1, x_2 ∈ Z_q. Let h = g_1^{x_1} g_2^{x_2}. Output sk = (x_1, x_2) and pk = (g_1, g_2, h).
Enc_pk(m): choose r ∈ Z_q. Output (g_1^r, g_2^r, AE(m, h^r)).
Dec_sk(u_1, u_2, e): let k = u_1^{x_1} u_2^{x_2}. Output DV(e, k).
Here AE/DV is the one-time encrypt-and-authenticate scheme of the previous slides, keyed with the ℓ bits that Ext derives from the group element h^r.
Correctness: u_1^{x_1} u_2^{x_2} = g_1^{r x_1} g_2^{r x_2} = (g_1^{x_1} g_2^{x_2})^r = h^r.
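The scheme above, together with the one-time AE of the "shared keys" slides, as an added example (not code from the lecture). It also exhibits the MAIN IDEA numerically: a second secret key consistent with the same pk, which decrypts every valid ciphertext identically but derives a different key from an invalid pair (g_1^r, g_2^{r'}), so the AE check rejects. Assumptions, all for illustration only: the toy group of squares mod p = 2039 = 2q+1 with q = 1019 (its discrete logs are brute-forced, which is what makes the alternative key computable here); SHA-256 standing in for the seeded strong extractor Ext; a one-time pad plus the strongly universal MAC a·c + b modulo the Mersenne prime 2^127 - 1, which limits messages to 15 bytes.

```python
"""Added example (not from the lecture): the two-generator DDH scheme with a
hybrid one-time AE, and the 'many secret keys per public key' fact behind its
CCA1 proof.  Toy parameters; SHA-256 replaces the extractor."""
import hashlib
import random

P, Q = 2039, 1019                 # assumption: toy safe prime p = 2q + 1
MP = (1 << 127) - 1               # field for the one-time universal-hash MAC

def rand_generator(rng):          # a square other than 1 generates the order-q group
    return pow(rng.randrange(2, P - 1), 2, P)

def keygen(rng):
    g1, g2 = rand_generator(rng), rand_generator(rng)
    x1, x2 = rng.randrange(1, Q), rng.randrange(1, Q)
    h = pow(g1, x1, P) * pow(g2, x2, P) % P
    return (g1, g2, h), (x1, x2)

def ext(k):
    """Stand-in for Ext(k, seed): 256 key bits from the group element k."""
    return hashlib.sha256(k.to_bytes(2, "big")).digest()

def _prf(key, label, n=32):
    return hashlib.sha256(label + key).digest()[:n]

def _mac_params(key):
    a = int.from_bytes(_prf(key, b"a"), "big") % MP
    b = int.from_bytes(_prf(key, b"b"), "big") % MP
    return a, b

def ae(m, key):
    """One-time AE: one-time pad, then tag = a*c + b mod MP (strongly universal)."""
    assert len(m) <= 15, "toy MAC field limits messages to 15 bytes"
    pad = _prf(key, b"pad", len(m))
    c = bytes(x ^ y for x, y in zip(m, pad))
    a, b = _mac_params(key)
    return c, (a * int.from_bytes(c, "big") + b) % MP

def dv(e, key):
    """Verify-then-decrypt: None is the 'reject' of the slides."""
    c, tag = e
    a, b = _mac_params(key)
    if (a * int.from_bytes(c, "big") + b) % MP != tag:
        return None
    pad = _prf(key, b"pad", len(c))
    return bytes(x ^ y for x, y in zip(c, pad))

def enc(pk, m, rng):
    g1, g2, h = pk
    r = rng.randrange(Q)
    return pow(g1, r, P), pow(g2, r, P), ae(m, ext(pow(h, r, P)))

def shared_key(sk, u1, u2):
    x1, x2 = sk
    return pow(u1, x1, P) * pow(u2, x2, P) % P      # = h^r on a valid ciphertext

def dec(sk, ct):
    u1, u2, e = ct
    return dv(e, ext(shared_key(sk, u1, u2)))

def alt_secret_key(pk, sk):
    """Another (x1', x2') with g1^x1' g2^x2' = h.  pk fixes only the single
    equation x1 + w*x2 = log h, w = log_g1(g2) (brute-forced: toy group)."""
    g1, g2, h = pk
    x1, x2 = sk
    w = next(t for t in range(Q) if pow(g1, t, P) == g2)
    x2p = (x2 + 1) % Q
    x1p = (x1 + w * (x2 - x2p)) % Q
    assert pow(g1, x1p, P) * pow(g2, x2p, P) % P == h
    return x1p, x2p

def invalid_ciphertext(pk, m, rng):
    """(g1^r, g2^r') with r != r', keyed with the sender's best guess h^r.  The
    receiver's key depends on which consistent sk it holds, so it is random."""
    g1, g2, h = pk
    r = rng.randrange(Q)
    rp = (r + 1 + rng.randrange(Q - 1)) % Q         # any value except r
    return pow(g1, r, P), pow(g2, rp, P), ae(m, ext(pow(h, r, P)))
```

dec() with the original key and with alt_secret_key() agree on every valid ciphertext, because both compute h^r; on an invalid pair they compute different group elements, which is the "random key" of the proof, and the one-time MAC then rejects. Flipping a single bit of the AE body is rejected the same way, so the decryption oracle of the CCA1 game returns nothing useful on malformed queries.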
A Simple Scheme: Theorem and Proof
Theorem: the scheme is secure against CCA1.
Proof by reduction: an adversary for the encryption scheme yields a distinguisher for decisional Diffie-Hellman.
The CCA1 game being simulated: (sk, pk) is generated and pk is given to the adversary A; A sends decryption queries c_i and receives answers a_i; A outputs m_0, m_1; A receives E_pk(m_b) for b ← {0,1}; A outputs b'.
The distinguisher for DDH receives (g_1, g_2, g_1^{r_1}, g_2^{r_2}) and must decide whether r_1 = r_2 or r_1 ≠ r_2. It runs A as follows.
Generating pk given (g_1, g_2, g_1^{r_1}, g_2^{r_2}): choose x_1, x_2 ∈ Z_q, let h = g_1^{x_1} g_2^{x_2}, output pk = (g_1, g_2, h) and remember sk = (x_1, x_2).
Answering the queries: decrypt each c_i using sk = (x_1, x_2), exactly as the real decryptor would.
Generating the challenge: let k = g_1^{r_1 x_1} g_2^{r_2 x_2} and output (g_1^{r_1}, g_2^{r_2}, AE(m_b, k)).
The distinguisher's output: if b = b', guess r_1 = r_2 (a DDH tuple); if b ≠ b', guess r_1 ≠ r_2 (a random tuple).
Invalid Ciphertext: Random Key
Consider a ciphertext prefix (g_1^r, g_2^{r'}) and the key the decryptor derives from it, k = (g_1^r)^{x_1} (g_2^{r'})^{x_2}.
Writing g_2 = g_1^w, the secret key satisfies two linear equations over Z_q:
  x_1 + w x_2 = log_{g_1}(h)          (known from pk)
  r x_1 + r' w x_2 = log_{g_1}(k)     (from the derived key k)
Invalid ciphertext: r ≠ r'. Then the determinant w(r' - r) is nonzero, so for every value of k there is exactly one (x_1, x_2) consistent with pk; k is therefore uniformly distributed given pk and (g_1^r, g_2^{r'}). Hence a random key is used with an invalid ciphertext.
Two possibilities for a ciphertext, computationally indistinguishable under DDH:
- Valid: the plaintext can be recovered knowing sk.
- Invalid: no information on the plaintext is available, even given pk.
Proof: nothing is leaked about x_1, x_2
Given the public key pk = (g_1, g_2, h), one linear equation on (x_1, x_2) is known, h = g_1^{x_1} g_2^{x_2}. Still log q bits of entropy remain.
Claim: this entropy is kept during the query phase of the attack.
- Legitimate query ciphertexts (v_1 = g_1^r, v_2 = g_2^r, AE(m, k)): the key k = h^r is the same for every (x_1, x_2) consistent with h, so the decryption is independent of x_1, x_2.
- Invalid query ciphertexts (v_1 = g_1^r, v_2 = g_2^{r'} with r ≠ r', AE(m, k)): the decryptor's key is random, so the AE verification rejects with high probability, and a rejection reveals almost nothing.

Proof: when the input is not a DDH tuple, the challenge ciphertext is independent of the message
For the original input (g_1, g_2, g_1^{r_1}, g_2^{r_2}) the challenge ciphertext is built as follows:
- Let k = g_1^{r_1 x_1} g_2^{r_2 x_2}.
- Output (g_1^{r_1}, g_2^{r_2}, AE(m_b, k)).
If r_1 ≠ r_2 then k is random (previous slide) and hence independent of m_b: even an all-powerful adversary cannot guess b with probability better than 1/2, since AE is a one-time scheme.
If r_1 = r_2 then the challenge ciphertext is "normal", and the adversary guesses b with probability 1/2 + ε, as in the real attack.

Proof: summing up
During the attack:
- The chance that some invalid query ciphertext is not labeled as such (the AE check accepts) is at most (number of decryption queries) · Pr[forgery in AE]; the entropy of (x_1, x_2) decreases by at most this amount.
- The challenge ciphertext is valid or not depending on whether the input is a DDH tuple or not.
If the original adversary wins the game with probability 1/2 + ε, the advantage in distinguishing DDH tuples from non-DDH tuples is ε, up to the negligible forgery term above.