Immunizing Encryption Schemes from Decryption Errors. Cynthia Dwork, Moni Naor, Omer Reingold. Weizmann Institute of Science; Microsoft Research.


1 Immunizing Encryption Schemes from Decryption Errors
Cynthia Dwork, Moni Naor, Omer Reingold
Weizmann Institute of Science; Microsoft Research

2 Public-Key Encryption Scheme
A triple (G,E,D) such that:
G generates a public key K_P and a secret key K_S.
Encrypting message m (with public key K_P and random coins r): c = E(K_P, m, r)
Decrypting ciphertext c = E(K_P, m, r) (with secret key K_S): D(K_S, E(K_P, m, r)) = m
Correctness: should this hold always (perfect correctness), or with high probability?

3 What About Decryption Errors?
Goldwasser and Micali 84: required perfect correctness.
Two examples with imperfect correctness:
– Ajtai-Dwork 97 (errors can be avoided [GGH97])
– NTRU
Is a low probability of error merely an aesthetic nuisance?
Proos 03: chosen ciphertext attack on a version of NTRU that was supposed to be immune to such attacks
– Used the small probability of error of NTRU
In general: perfect security is vital for (current methods of) protecting against CCA.
CCA = Chosen Ciphertext Attacks

4 Non-Malleability and Immunity to CCA
Add redundancy and prove consistency [NY90, DDN91, …]
– Knowing any of multiple private keys is sufficient for decryption
– Indistinguishable to the attacker which key you know
Problem: what if there are errors?
– you prove consistency with what?
– proof may fail or be meaningless
– reveal which key you know
In an adversarial setting, the low-probability event may be amplified by the attacker.
[Diagram: E_1(M), E_2(M), proof of consistency]

5 This Work
When decryption errors are very infrequent: an extremely efficient way to get perfect correctness.
Amplification methods for handling frequent errors, even when the encryption scheme is only weakly one-way.
Conclude: error-prone encryption schemes can be turned non-malleable, CCA2-secure.
– If proofs of consistency are available
Efficient "direct" solution using the random-oracle methodology.

6 Notion of Correctness
Perfectly correct:
–  private/public key pair K_S, K_P;  possible m and r: D(K_S, E(K_P, m, r)) = m
 - correct: Pr[ D(K_S, E(K_P, m, r)) = m ] ≥  
– probability over K_S, K_P, m and r
Almost all keys perfectly correct:
– with probability ≥ 1 − negligible over K_S, K_P;  m and r: D(K_S, E(K_P, m, r)) = m
– sufficient to plug into standard constructions!

7 Infrequent Errors
Let (G,E,D) be an  ≥ 1 − 2^{-4n} correct scheme
– Assume ℓ(n) random bits are used to encrypt an n-bit message.
Let g: {0,1}^n → {0,1}^{ℓ(n)} be a pseudo-random generator.
Define (G',E',D'):
– G' outputs a pair K_S, K_P as well as ρ ∈_R {0,1}^{ℓ(n)}. Public key: (K_P, ρ)
– To encrypt m, choose t ∈_R {0,1}^n and evaluate E(K_P, m, ρ  g(t))
– Decryption D' is the same as D

8 Security and Correctness of New Scheme
Claim: The type of security (semantic or non-malleable) under the type of attack (CPA, CCA) is preserved.
Proof: For any fixed ρ, the random string used, ρ  g(t), is indistinguishable from random.
Theorem: If (G,E,D) is an  ≥ 1 − 2^{-4n} - correct scheme, then (G',E',D') is almost-all-keys perfectly correct.
Proof:
– With overwhelming probability over ρ, the set {ρ  g(t)} avoids all the bad random strings …
– Similar technique in: Lautemann's BPP in PH; bit commitment from pseudo-randomness (Naor); Zaps and Apps (Dwork-Naor)

9 Error Disappearance
With probability at least 1 − 2^{-n} over the choice of K_S, K_P:
Prob_{m,r}[ D(K_S, E(K_P, m, r)) ≠ m ] ≤ 2^{-3n}
For such "good" K_S, K_P, since ρ ∈_R {0,1}^{ℓ(n)}:
Prob_{m,t,ρ}[ D(K_S, E(K_P, m, ρ  g(t))) ≠ m ] ≤ 2^{-3n}
Small enough to use a union bound over all t, m ∈ {0,1}^n.
Get: with probability at least 1 − 2^{-(n-1)} over the choice of K_S, K_P and ρ, we have that  t, m ∈ {0,1}^n: D(K_S, E(K_P, m, ρ  g(t))) = m
This effectively pushes all the errors into ρ, which is part of the public key.
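
An added illustration of slides 7 to 9 (not code from the presentation): a toy model in which a sparse, constructed set of "bad" coin strings makes decryption err. It assumes the operation combining ρ and g(t) is XOR (the operator is not legible in this transcript), uses SHA-256 as a stand-in for the generator g, and treats the bad set as independent of m; all names and sizes are hypothetical.

```python
import hashlib
import random

N_BITS, L_BITS = 8, 32   # toy sizes: n-bit seed t, l(n)-bit coins (constructed)

def g(t):
    """Stand-in for the generator g: {0,1}^n -> {0,1}^l(n) (SHA-256, an assumption)."""
    return int.from_bytes(hashlib.sha256(bytes([t])).digest()[:L_BITS // 8], "big")

G_TABLE = [g(t) for t in range(2 ** N_BITS)]

def coins_used(rho):
    """Every coin string E' can feed to E under public-key component rho (XOR assumed)."""
    return {rho ^ x for x in G_TABLE}

def key_is_perfect(rho, bad_coins):
    """True when no choice of t leads E' to a coin string on which D errs."""
    return coins_used(rho).isdisjoint(bad_coins)

def fraction_of_perfect_keys(bad_coins, trials, rng):
    """Estimate the probability over rho that the derived scheme never errs."""
    hits = sum(key_is_perfect(rng.getrandbits(L_BITS), bad_coins) for _ in range(trials))
    return hits / trials

def make_bad_coins(rng, count=2 ** (L_BITS - 3 * N_BITS)):
    """Constructed sparse bad set: density about 2^(-3n) of all l(n)-bit strings."""
    return {rng.getrandbits(L_BITS) for _ in range(count)}

def demo(seed=1):
    rng = random.Random(seed)
    bad = make_bad_coins(rng)
    original_error = len(bad) / 2 ** L_BITS   # error rate of E with uniform coins
    good_fraction = fraction_of_perfect_keys(bad, 2000, rng)
    # The errors have not vanished, they moved into rho: a rho aligned with a
    # bad string gives a key that is not perfectly correct.
    unlucky_rho = next(iter(bad)) ^ G_TABLE[5]
    return original_error, good_fraction, key_is_perfect(unlucky_rho, bad)

if __name__ == "__main__":
    print(demo())
```

With uniform coins the toy scheme always has a nonzero error rate, while almost every sampled ρ gives a key under which none of the 2^n reachable coin strings is bad.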

10 Immunizing Weak Encryption Schemes
What about smaller  ? Easy: simple repetition reduces error (semantic security and non-malleability are preserved).
What if the adversary has a non-negligible probability of decrypting (i.e. the scheme is only weakly one-way)?
– Cannot reduce error by simple repetition!
Question: How do we go from an  - correct  - oneway cryptosystem (  >  ) to an almost-all-keys perfectly correct one?
[Diagram: Alice, Bob, Eve]

11 Natural Approach
Use error correcting codes that can be decoded from an  - fraction of correct symbols, but not from a  - fraction.
This approach works in the information-theoretic setting, but is much more subtle in the computational setting!
– Reason: Eve may get more than just a  - fraction of symbols, but rather some information about each symbol
Example: Eve gets a list decoding
[Diagram: Alice, Bob, Eve]

12 Other Information-Theoretic Tools
Polarization in the statistical setting
Sahai-Vadhan 97: given a pair of distributions X_0, X_1, create two new ones Y_0, Y_1 such that if
– Dist(X_0, X_1) ≤ threshold  ’ ⇒ Dist(Y_0, Y_1) exponentially small
– Dist(X_0, X_1) ≥ threshold  ’ ⇒ Dist(Y_0, Y_1) exponentially close to 1
Relation to error reduction: assume an  - correct  - oneway one-bit encryption scheme
– X_0 is an encryption of 0 and X_1 an encryption of 1
– Bob can distinguish X_0 from X_1 with advantage ≥  ’
– Eve cannot distinguish X_0 from X_1 with advantage ≤  ’
– The strengthened encryption scheme defines Y_0, Y_1 with polarized "distances"

13 New Results
Provide a collection of basic transformations for amplification.
– Related to [SV97].
– Life is somewhat harder in the computational setting …
Starting with an  - correct  - oneway cryptosystem → an almost-all-keys perfectly correct one → (previous results) CCA and non-malleability
Relation between  and  (for which the transformation works):
– Constant decryption errors: for any  < 1 there is an  <  <1
– Very frequent decryption errors: for any  > 1/poly and  <  4 /const
Open: show the same for every  -  > 1/poly
– Likely to imply similar improvement for the statistical case.

14 Basic Transformations
Parallel Repetition: repeat everything k times:
– Choose k independent public/private key pairs
– The encryption E^k of a k-tuple m = (m_1, m_2, …, m_k) is E^k(m) = E(m_1), E(m_2), …, E(m_k)
Bad news: probability of legitimate encryption for a random m is  k
Good news: probability of adversarial encryption:
– Would like it to be  k
– Can view it as a three-round game
– [BIN 97] deals with such games and gets us "close to that": ≈  k/c
The adversary is hurt more if  ≪  
Game:
V: chooses (k_p, k_s, m), sends (k_p, E_p(m))
P: sends m'
V: sends (m, k_s)
P wins if m' = m

15 Basic Transformations (cont.)
Hard-Core Bit
The encryption of a bit b is (E(m), r, r·m ⊕ b), where m is a random message.
Usage: turning one-wayness into indistinguishability.
Goldreich-Levin: an  advantage in guessing the inner product bit is translated into a list of at most √  candidates for m given E(m).
Can use this to invert E(m) with probability at least √  
If  (= upper bound on inverting E) is negligible, we get semantic security.

16 Basic Transformations (cont.)
Direct Product
Choose k independent public/private key pairs.
The encryption E  k of m is k independent encryptions E(m), E(m), …, E(m).
Decryption is by plurality.
Reverse effect to parallel repetition: both the legitimate recipient and the adversary can do better.
– The legitimate recipient gains more if  ≪  

17 Combining the Basic Transformations
The best way of combining depends on the values of  and .
Example, well-separated constants:
Transformation | Correctness | One-Wayness
Starting point |   |  
O(log n) parallel repetition | 1/n | 1/n^8
Inner product | 1/2 + 1/(2n) | 1/2 + O(1/n^4)
O(n^3) direct product | 1 − 2^{-5n} | 1/2 + O(1/n)
n parallel repetition | 1 − n·2^{-5n} | neg
Inner product | 1 − (n/2)·2^{-5n} | IND-CPA

18 Using the Random Oracles Methodology
Let (G,E,D) be an  - correct scheme that is one-way:
– For a random message m and a random encryption, the probability that the adversary retrieves m is negligible
If  is negligible, can transform (G,E,D) directly and very efficiently to a full-fledged NM-CCA-post scheme.

19 The construction
E is an  - correct  - oneway for negligible ,  
H_1, H_2, H_3, H_4 are idealized random functions
F_s is a shared-key encryption
Encryption of message m:
Choose t ∈_R {0,1}^{n/2}
Compute z = H_1(t), w = H_2(z) ⊕ t and r = H_3(z ∘ w).
The encrypted message is (c_1, c_2):
– c_1 = E_pk(z ∘ w, r)
– c_2 = F_s(m) where s = H_4(t)
Decryption of (c_1, c_2):
Apply D to c_1 and obtain candidates for z and w.
Set t = H_2(z) ⊕ w and r = H_3(z ∘ w).
Check that H_1(t) = z and that for r = H_3(z ∘ w) we have that c_1 = E(z ∘ w, r).
Check, using s = H_4(t), that c_2 is a valid ciphertext under F_s.
If any of the tests fails, output "invalid". Otherwise, output F_s(c_2), the decryption of c_2 using s.

20 Why is it secure?
Once t ∈ {0,1}^{n/2} has been chosen: there is a unique ciphertext corresponding to it.
Once t ∈ {0,1}^{n/2} is known, it is easy to decrypt the ciphertext, even without access to sk.
Security against chosen ciphertext attacks: follow the adversary's calls to H_1.
Immunity against decryption errors:
Decryption errors have NOT disappeared, but it is hard to find them.
Partition all strings c into those in the range of E and those not
– Depending on the existence of m and r such that c = E_pk(m, r).
Consider a candidate ciphertext (c_1, c_2) given to D':
If c_1 is not in the range of E, then it is going to be rejected by D'.
Security rests on the hardness of finding among the bad pairs z ∘ w, r one where
– r = H_3(z ∘ w).
– H_1(H_2(z) ⊕ w) = z.
This is difficult for any fixed sparse set of bad pairs and a random set of functions H_1, H_2, H_3.
Encryption of message m: choose t ∈_R {0,1}^{n/2} and compute z = H_1(t), w = H_2(z) ⊕ t, r = H_3(z ∘ w). The encrypted message is (c_1, c_2):
– c_1 = E_pk(z ∘ w, r)
– c_2 = F_s(m) where s = H_4(t)
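
The construction on slides 19 and 20, as an added sketch (not code from the presentation). Assumptions: textbook ElGamal over a toy modulus stands in for E, SHA-256 with a domain-separation byte stands in for H_1..H_4, and a SHAKE-256 keystream with an HMAC tag stands in for F_s; all names and parameters are hypothetical and unsuitable for real use.

```python
import hashlib, hmac, secrets

P, G, HALF = 2**521 - 1, 3, 16   # toy group (constructed); HALF = n/2 in bytes

def H(i, data, size=HALF):
    """Stand-in for the idealized function H_i: domain-separated SHA-256."""
    return hashlib.sha256(bytes([i]) + data).digest()[:size]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def E(pk, msg, r):
    """Toy ElGamal with explicit coins r: deterministic once r is fixed."""
    k = int.from_bytes(r, "big")
    return pow(G, k, P), (int.from_bytes(msg, "big") + 1) * pow(pk, k, P) % P

def D(sk, c1):
    x = c1[1] * pow(c1[0], P - 1 - sk, P) % P
    return (x - 1).to_bytes(2 * HALF, "big") if 1 <= x <= 1 << (16 * HALF) else None

def F_enc(s, m):
    """Shared-key encryption F_s: SHAKE-256 keystream plus HMAC tag (an assumption)."""
    body = xor(m, hashlib.shake_256(s).digest(len(m)))
    return body + hmac.new(s, body, "sha256").digest()

def F_dec(s, c2):
    body, tag = c2[:-32], c2[-32:]
    ok = hmac.compare_digest(tag, hmac.new(s, body, "sha256").digest())
    return xor(body, hashlib.shake_256(s).digest(len(body))) if ok else None

def encrypt(pk, m):
    t = secrets.token_bytes(HALF)
    z = H(1, t)
    zw = z + xor(H(2, z), t)
    return E(pk, zw, H(3, zw, 32)), F_enc(H(4, t, 32), m)

def decrypt(sk, pk, c1, c2):
    zw = D(sk, c1)
    if zw is None:
        return "invalid"
    t = xor(H(2, zw[:HALF]), zw[HALF:])
    # Accept only c1 = E(z∘w, H_3(z∘w)) with H_1(t) = z, i.e. an honestly formed c1.
    if H(1, t) != zw[:HALF] or E(pk, zw, H(3, zw, 32)) != c1:
        return "invalid"
    m = F_dec(H(4, t, 32), c2)
    return "invalid" if m is None else m
```

The toy E here never errs; the point is the re-encryption check, which rejects any c_1 that was not produced with r = H_3(z ∘ w), including an encryption of the correct z ∘ w under fresh coins.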

21 Concluding Remarks
When decryption errors are very rare, they can be avoided almost for free.
Can immunize even very weak schemes against decryption errors.
Life is (as usual) relatively easy with random oracles.
Open problem: handle arbitrary  -  > 1/poly
– Seems hard even in the (cleaner) statistical setting

