Topics in Cryptography, Lecture 4: Chosen Ciphertext Security
1
Topics in Cryptography, Lecture 4
Topic: Chosen Ciphertext Security
  • Lecturer: Moni Naor

2
Public Key Encryption
Alice holds Bob's public key KP; Bob holds the public key KP and the secret key Ks.
Plaintext m
Ciphertext c = E(m, KP)
Decryption m = D(E(m, KP), Ks)
3
Defining Security
  • How do we know that an encryption scheme is
    secure?
  • Are the following requirements sufficient?
  • Given E(m, KP), cannot compute m
  • Given E(m, KP), cannot compute the i-th bit of m
  • Given E(m, KP), cannot compute some f(m)
  • Definition must be
  • convincing
  • application independent

4
Example Interactive Authentication
  • P wants to convince V that he is approving message m
  • P has a public key KP of an encryption scheme E.
  • To authenticate a message m:
  • V → P: Choose r ∈_R {0,1}^n. Send c = E(m || r, KP)
  • P → V: Receiving c, decrypt c using KS. Verify that the prefix of the plaintext is m. If yes, send r.
  • V is satisfied if he receives the same r he chose

5
Is it Safe?
Definition of security
  • Existential unforgeability against adaptive chosen message attack
  • Adversary can ask to authenticate any sequence m1, m2, ...
  • Success: V accepts a message m that P did not authenticate
  • Complete control over the channels
  • Intuition: if E does not leak information about the plaintext, nothing is leaked about r
  • V → P: Choose r ∈_R {0,1}^n. Send c = E(m || r, KP)
  • P → V: Receiving c, decrypt c using KS. Verify prefix is m. If yes, send r

Problems
  • If E is just semantically secure against chosen plaintext attacks
  • Adversary might change c = E(m || r, KP) into c' = E(m' || r, KP)
  • Malleability
  • not sufficient to verify the correct form of the ciphertext in the simulation
  • Closer to a chosen ciphertext attack

6
Question
  • Can you think of an example of an encryption scheme where
  • the encryption scheme is semantically secure against chosen plaintext attacks
  • the authentication scheme is forgeable
  • V → P: Choose r ∈_R {0,1}^n. Send c = E(m || r, KP)
  • P → V: Receiving c, decrypt c using KS. Verify prefix is m. If yes, send r

Example: bit-by-bit encryption. Each bit of m || r is encrypted on its own, so the adversary can replace the encryptions of the m bits by encryptions of m' and keep the encryptions of r untouched.
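As an added example (not part of the lecture slides), here is that bit-by-bit answer worked out in Python. Goldwasser-Micali encrypts every bit separately and is semantically secure under chosen plaintext attack (assuming quadratic residuosity), yet the man-in-the-middle forgery of slide 5 goes through: V asks for a harmful message to be authenticated, the adversary re-encrypts the prefix to a harmless one, P approves it and hands back r, and V accepts the harmful message. The primes, the 32-bit nonce and the message strings are constructed demo values; the key size is far too small for real use.

```python
import math
import secrets


def is_prime_3mod4(n):
    """Trial division; adequate for the toy 21-bit primes used here."""
    if n < 3 or n % 4 != 3:
        return False
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))


def next_prime_3mod4(start):
    n = start | 3                     # force n = 3 (mod 4)
    while not is_prime_3mod4(n):
        n += 4
    return n


def gm_keygen():
    """Goldwasser-Micali keys. Toy sizes (demo assumption): real GM needs ~1024-bit p and q."""
    p = next_prime_3mod4(1 << 20)
    q = next_prime_3mod4(p + 1)
    n = p * q
    # p, q = 3 (mod 4) makes y = -1 a non-residue mod both primes (Jacobi symbol +1):
    # a pseudo-square that hides bit 1 from anyone who cannot factor n.
    return (n, n - 1), (p, q)


def gm_encrypt_bit(pk, bit):
    """E(bit) = y^bit * r^2 mod n for a fresh random r; each bit is encrypted on its own."""
    n, y = pk
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return pow(y, bit, n) * pow(r, 2, n) % n


def gm_decrypt_bit(sk, c):
    """c is a square mod n iff it is a square mod p (Euler's criterion): bit 0; otherwise bit 1."""
    p, _ = sk
    return 0 if pow(c % p, (p - 1) // 2, p) == 1 else 1


def encrypt_bits(pk, bits):
    return [gm_encrypt_bit(pk, b) for b in bits]


def decrypt_bits(sk, cts):
    return [gm_decrypt_bit(sk, c) for c in cts]


def to_bits(text):
    return [(byte >> i) & 1 for byte in text.encode() for i in range(7, -1, -1)]


NONCE_BITS = 32   # |r|; a demo value, the slide writes n


def verifier_challenge(pk, m):
    """V -> P: choose r in {0,1}^n and send c = E(m || r, KP)."""
    r = [secrets.randbelow(2) for _ in range(NONCE_BITS)]
    return r, encrypt_bits(pk, to_bits(m) + r)


def prover_respond(sk, approved, c):
    """P -> V: decrypt c; if the prefix is a message P is willing to approve, return the suffix r."""
    bits = decrypt_bits(sk, c)
    for m in approved:
        mb = to_bits(m)
        if len(bits) == len(mb) + NONCE_BITS and bits[:len(mb)] == mb:
            return bits[len(mb):]
    return None


def verifier_accepts(r, response):
    return response == r


def malleate_prefix(pk, c, old_prefix_len, new_prefix):
    """Adversary: swap in her own encryptions of new_prefix, keep V's encryptions of r."""
    return encrypt_bits(pk, new_prefix) + c[old_prefix_len:]


def run_honest(m="pay 1 to bob"):
    pk, sk = gm_keygen()
    r, c = verifier_challenge(pk, m)
    return verifier_accepts(r, prover_respond(sk, [m], c))


def run_attack(target="pay 9999 to eve", decoy="pay 1 to bob"):
    """V wants `target` authenticated; P only ever approves `decoy`; the adversary relays."""
    pk, sk = gm_keygen()
    r, c = verifier_challenge(pk, target)                        # V -> adversary
    forged = malleate_prefix(pk, c, len(to_bits(target)), to_bits(decoy))
    response = prover_respond(sk, [decoy], forged)               # adversary -> P -> adversary
    return verifier_accepts(r, response)                         # adversary -> V: r, so V accepts target
```

The attack never touches the ciphertexts of r and never needs the secret key: public-key re-encryption of the prefix is all it takes, which is exactly what a non-malleable (CCA-secure) scheme would rule out.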
7
Attacks and Security
  • To define the security of a system one must specify
  • The power of the adversary, both
  • computational
  • access to the system
  • What constitutes a failure of the system
  • Often via a game and the probability of winning

8
Taxonomy of Signature-Schemes Goldwasser, Micali
and Rivest (1984)
  • Attacks
  • Key-only attacks
  • Generic chosen message attack
  • key unknown when messages chosen
  • Non-Adaptive chosen message attack
  • key known when messages chosen.
  • Adaptive chosen message attack
  • What it means to break the scheme
  • Universal forgery ≈ key-recovery
  • Selective forgery target message chosen a
    priori.
  • Existential forgery - some message is forged.

All combinations of attacks/breaking notions are relevant
9
(Public-key) Encryption Attacks
  • Chosen Plaintext
  • Minimal attack relevant to PKCs.
  • Assumes decrypted messages remain secret.
  • Chosen Ciphertext - preprocessing mode.
  • AKA Lunch-break, CCA1
  • There is a period where the device is handled by
    adversary
  • Should remain secure for ciphertext created
    afterwards
  • Chosen Ciphertext - postprocessing mode.
  • AKA CCA2
  • Challenge ciphertext is known when the attack takes place
  • (but it cannot be submitted for decryption)

10
Chosen Ciphertext Attack
Alice (the adversary, holds the public key KP) and Bob (holds KP and the secret key Ks):
Query c1, answer a1 = D(c1, Ks)
Query c2, answer a2 = D(c2, Ks)
Adversary can get decryptions of ciphertexts of her choice

11
Encryption - Notions of Breaking
  • Semantic Security
  • Whatever is computable about the plaintext given the ciphertext is computable without it.
  • Given E(m, kp) it is infeasible to produce a related m'
  • Can substitute with indistinguishability of encryption
  • Cannot distinguish E(m0, kp) from E(m1, kp)
  • Requires a proof in each setting
  • Non-malleable security
  • Whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.
  • Given E(m, kp) it is infeasible to produce E(m', kp) for a related m'
  • Important for achieving independence of messages.

m and m' satisfy R(m, m'); R is poly time
12
Indistinguishability under CCA
  • Definition: An encryption scheme is secure under CCA if no poly-time adversary A can win the following game with non-negligible advantage:
  • A is given the public key KP.
  • A (adaptively) asks for decryptions under Ks.
  • A produces two messages m0 and m1
  • A receives a challenge c = E_pk(mb) for b ∈_R {0,1}
  • A wins if it guesses b correctly.
  • CCA1: A only gets decryptions before the challenge
  • CCA2: A also gets decryptions after the challenge (of any ciphertext other than c itself)

13
Chosen Ciphertext Attack
Alice (the adversary, holds the public key KP) and Bob (holds KP and the secret key Ks):
Query ci, answer ai = D(ci, Ks)
Alice sends m0, m1; Bob picks b ∈_R {0,1} and returns c = E(mb, KP)
The postprocessing phase: Query ci (ci ≠ c), answer ai = D(ci, Ks)
Alice guesses b'; A wins if b' = b
14
(Public-key) Encryption Attacks
  • Chosen Plaintext
  • Minimal attack relevant to PKCs.
  • Assumes decrypted messages remain secret.
  • Chosen Ciphertext - preprocessing mode.
  • AKA Lunch-break, CCA1
  • Challenge ciphertext is given after adversary
    relinquishes control of decryption device.
  • Good model for membership queries in
    computational learning.
  • Chosen Ciphertext - postprocessing mode.
  • AKA CCA2
  • Challenge ciphertext is known when the attack takes place
  • (but it cannot be submitted for decryption)
  • Important in many protocols.

15
Attack versus breaking notion, the six combinations:

                      Chosen Plaintext   Chosen Ciphertext Preprocessing   Chosen Ciphertext Postprocessing
Semantic Security     SS-CPA             SS-CCA1                           SS-CCA2
Non Malleability      NM-CPA             NM-CCA1                           NM-CCA2
16
Auction
Bidder a → Auctioneer: ca = E(bida, Kp)
Bidder b → Auctioneer: cb = E(bidb, Kp)
Auctioneer holds the public key KP (and the matching secret key)
Want to ensure that bidb is independent of bida
17
Example Auctions
  • Different requirements - different notions.
  • Semantic security is not sufficient for
    guaranteeing the independence of bids.
  • If key is used for a single auction and secrecy
    is not required after the auction is over
  • Non-malleable security against chosen plaintext
    attacks.
  • If key is used for many auctions and secrecy is
    not required after the auction is over
  • Non-malleable security against chosen ciphertext
    attack in the preprocessing mode.
  • If key is used for many auctions and secrecy is
    required after the auction is over
  • Non-malleable security against chosen ciphertext
    attack in the postprocessing mode.
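
An added example, not from the slides, that runs the game of slides 12 and 13 and the auction of slide 16 against exponential ElGamal, which is semantically secure under chosen plaintext attack (under DDH) but malleable. The toy group p = 1019, q = 509, g = 4, the bids and the adversary's two messages are constructed demo values; the `ind_cca_game` harness is written for this demo and is not the lecture's own code.

```python
import secrets

# Toy safe-prime group (demo assumption, far too small for real use):
# p = 2q + 1 = 1019, q = 509, and G = 4 generates the order-q subgroup of squares.
P, Q, G = 1019, 509, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x                         # pk = h = g^x, sk = x


def encrypt(h, m):
    """Exponential ElGamal: c = (g^r, h^r * g^m). CPA-secure under DDH, but malleable."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(h, r, P) * pow(G, m, P) % P


def decrypt(x, c):
    u, v = c
    gm = v * pow(u, Q - x, P) % P                  # g^m = v / u^x  (u^(q-x) = u^-x, u has order q)
    for m in range(Q):                             # brute-force discrete log; messages are small
        if pow(G, m, P) == gm:
            return m
    raise ValueError("not a valid encoding")


def ind_cca_game(adversary, post_challenge_queries):
    """The game of slide 12. adversary(pk, oracle) returns (m0, m1, finish); finish(c, oracle)
    returns the guess b'. The oracle never decrypts the challenge itself and, unless
    post_challenge_queries is set (CCA2 rather than CCA1), stops once the challenge is issued."""
    h, x = keygen()
    state = {"challenge": None}

    def oracle(c):
        if state["challenge"] is not None and not post_challenge_queries:
            raise PermissionError("CCA1: no decryption queries after the challenge")
        if c == state["challenge"]:
            raise PermissionError("the challenge ciphertext itself may not be submitted")
        return decrypt(x, c)

    m0, m1, finish = adversary(h, oracle)
    b = secrets.randbelow(2)
    state["challenge"] = encrypt(h, (m0, m1)[b])
    return finish(state["challenge"], oracle) == b


def malleating_adversary(h, oracle):
    """Wins IND-CCA2 with certainty: (u, v*g) is a different ciphertext that decrypts to m_b + 1."""
    m0, m1 = 3, 7

    def finish(c, oracle):
        u, v = c
        return 0 if oracle((u, v * G % P)) - 1 == m0 else 1

    return m0, m1, finish


def auction_attack(bid_a=42):
    """Slide 16: bidder B never learns bid_a yet submits a ciphertext of bid_a + 1 that,
    being re-randomised, looks unrelated to c_a, so the auctioneer cannot tell."""
    h, x = keygen()
    c_a = encrypt(h, bid_a)
    u, v = c_a
    s = secrets.randbelow(Q - 1) + 1
    c_b = (u * pow(G, s, P) % P, v * pow(h, s, P) * G % P)    # (g^(r+s), h^(r+s) * g^(bid_a+1))
    return decrypt(x, c_a), decrypt(x, c_b)
```

The same adversary gets a PermissionError in the CCA1 game, because its only useful query comes after the challenge: this is the gap between the preprocessing and postprocessing columns of slide 15.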

18
Attack versus breaking notion, with the known implications:

                      Chosen Plaintext   Chosen Ciphertext Preprocessing   Chosen Ciphertext Postprocessing
Semantic Security     SS-CPA             SS-CCA1                           SS-CCA2
Non Malleability      NM-CPA             NM-CCA1                           NM-CCA2

A stronger attack or a stronger breaking notion implies the weaker one; in the postprocessing column non-malleability and semantic security coincide (NM-CCA2 ⇔ SS-CCA2). All other implications are proper.
Open problem: construct a more secure version from the less secure one. Is it possible to construct a CCA2-secure scheme from an SS/CPA-secure one?
19
Approaches for CCA-Security
  • Redundancy + verification of well-formedness
  • The Naor-Yung paradigm [NY90, DDN91, Sahai, Lindell]
  • CPA-secure scheme + NIZK
  • Smooth projective hashing [Cramer Shoup 98, CS 02, ...]
  • Designated verifier proofs
  • Simplified [Kiltz, Pietrzak, Stam, Yung 2009]
  • Lossy trapdoor functions [Peikert Waters 08]
  • Correlated products [Rosen Segev 09]
  • Identity-based encryption [BCHK 04, ...]
  • CPA-secure IBE ⇒ CCA-secure public-key encryption

20
Ideas for achieving resistance to CCA
  • Add redundancy: make it hard to generate frivolous ciphertexts
  • Add methods to check consistency
  • This is the trickiest part
  • Non-interactive zero-knowledge
  • Specific schemes
  • Decrypt only if the given ciphertext passes the consistency checks
  • Important point: may decrypt with several different private keys

Ciphertext layout: C1, C2, proof of consistency (could be NIZK based)
21
Min-Entropy
Probability distribution X over {0,1}^n
H_∞(X) = −log max_x Pr[X = x]
Represents the probability of the most likely value of X
X is a k-source if H_∞(X) ≥ k (i.e., Pr[X = x] ≤ 2^(−k) for all x)
Statistical distance
Δ(X, Y) = ½ Σ_a |Pr[X = a] − Pr[Y = a]|
22
Extractors
Universal procedure for purifying an imperfect source
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^l is a (k,ε)-extractor if for any k-source X, Δ(Ext(X, U_d), U_l) ≤ ε
Diagram: x, a k-source of length n, and a seed s of d random bits enter EXT, which outputs l almost-uniform bits
23
Strong Extractors
Output looks random even after seeing the seed
Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^l is a (k,ε)-strong extractor if Ext'(x, s) = Ext(x, s) || s is a (k,ε)-extractor
Leftover hash lemma [ILL 89]: Pairwise independent hash functions are strong extractors
Example: Ext(x, (a,b)) = first l bits of ax + b over GF[2^n]
  • Output length l = k − 2log(1/ε)
  • Seed length d = 2n; with almost pairwise independence d = O(log n + k)

24
The One-Time Problem: With Shared Keys
  • Alice and Bob share a secret key
  • Alice wants to send a message m ∈ {0,1}^n to Bob
  • Secrecy and authentication are maintained
  • They want to prevent Eve from interfering
  • Bob should be sure that the message m' he receives is equal to the message m Alice sent
  • For secrecy: one-time pad
  • For authentication: can use Universal_2 hash functions

25
Authentication using hash functions
  • Suppose that
  • H = {h | h: {0,1}^n → {0,1}^k} is a family of functions
  • Alice and Bob share a random function h ∈ H
  • To authenticate message m ∈ {0,1}^n Alice sends (m, h(m))
  • When receiving (m, z) Bob computes h(m) and compares it to z
  • If equal, accept m
  • If not equal, reject
  • What properties do we require from H?
  • hard to guess h(m): success probability at most ε
  • But clearly not sufficient: a one-time pad h(m) = m ⊕ K has this property, yet one observed pair (m, h(m)) reveals K
  • hard to guess h(m') even after seeing h(m): success probability at most ε
  • Should be true for any m' ≠ m
  • When a strongly universal_2 family is used in the protocol, Eve's probability of cheating is at most 2^(−k)
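
The ax + b family over GF(2^n) from slide 23 serves both as the strong extractor there and as the strongly universal_2 MAC of slides 24 and 25. As an added example (not from the lecture), the Python below implements that one family for both uses and checks the 2^(−k) cheating bound by brute force for n = 8, k = 4: over all 2^16 keys, every pair of tags (h(m), h(m')) occurs equally often, so a tag on m tells Eve nothing about the tag on m'. The irreducible polynomials are the AES and GCM ones; the message values and the sample distribution are constructed.

```python
import math
import secrets
from collections import Counter

# Irreducible polynomials for GF(2^8) (AES) and GF(2^128) (GCM).
IRREDUCIBLE = {8: (1 << 8) | 0x1B, 128: (1 << 128) | 0x87}


def gf_mul(a, b, n):
    """Multiply two n-bit elements of GF(2^n) (carry-less, reduced mod IRREDUCIBLE[n])."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= IRREDUCIBLE[n]
    return r


def hash_ab(a, b, x, n, l):
    """h_{a,b}(x) = first l bits of a*x + b over GF(2^n); (a, b) is the 2n-bit key or seed."""
    return (gf_mul(a, x, n) ^ b) >> (n - l)


def extract(x, seed, n, l):
    """Ext(x, (a, b)) of slide 23: l almost-uniform bits from an n-bit k-source, l <= k - 2 log(1/eps)."""
    a, b = seed
    return hash_ab(a, b, x, n, l)


def min_entropy(pmf):
    """H_inf(X) = -log2 max_x Pr[X = x], for a distribution given as {value: probability}."""
    return -math.log2(max(pmf.values()))


def mac_keygen(n):
    """Alice and Bob share a random h in H, i.e. a random (a, b); use it for one message only."""
    return secrets.randbits(n), secrets.randbits(n)


def mac_tag(key, m, n, l):
    a, b = key
    return hash_ab(a, b, m, n, l)


def mac_verify(key, m, tag, n, l):
    return mac_tag(key, m, n, l) == tag


def universality_counts(m1, m2, n=8, l=4):
    """Over all 2^(2n) keys, count how often each pair (h(m1), h(m2)) occurs. Strong universality
    means every one of the 2^(2l) pairs occurs exactly 2^(2n-2l) times, so seeing h(m1) leaves
    Eve a 2^-l chance of guessing h(m2): slide 25's bound for forging a second message."""
    counts = Counter()
    for a in range(1 << n):
        for b in range(1 << n):
            counts[(hash_ab(a, b, m1, n, l), hash_ab(a, b, m2, n, l))] += 1
    return counts
```

For real use take n = 128 and a fresh (a, b) per message; the brute-force check is only feasible at n = 8, which is why the demo parameters are that small.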

26
Session Key Encryption
Alice and Bob share a key K.
Plaintext m
Ciphertext c = AE(m, K)
Decryption and verification m = DV(AE(m, K), K)
27
Structure of Construction: Hybrid
  • Encryption
  • Use the public key to generate a shared session key
  • Use the shared key to encrypt and authenticate with a one-time scheme
  • Decryption
  • Use the secret key to obtain the session key
  • Use the session key to decrypt. Check the authentication.
  • If it fails, reject. Otherwise output the message.

28
Decisional Diffie-Hellman
Alice → Bob: g^x
Bob → Alice: g^y
Both parties compute K = g^(xy)
  • DDH assumption

(g, g^x, g^y, g^(xy)) ≈ (g, g^x, g^y, g^z) for random x, y, z ∈ Zq
(g1, g2, g1^r, g2^r) ≈ (g1, g2, g1^r1, g2^r2) for random g1, g2 ∈ G and r, r1, r2 ∈ Zq
29
A Simple DDH Based Scheme
Key generation
  • G - group of prime order q
  • Ext: G × {0,1}^d → {0,1}^l - strong extractor
  • Choose g1, g2 ∈ G and x1, x2 ∈ Zq
  • Let h = g1^x1 · g2^x2
  • Output sk = (x1, x2) and pk = (g1, g2, h)

  • MAIN IDEA
  • Redundancy: any pk corresponds to many possible sks
  • h = g1^x1 · g2^x2 reveals only log(q) bits of information on sk = (x1, x2)
30
A Simple Scheme
Key generation
  • G - group of prime order q
  • Ext: G × {0,1}^d → {0,1}^l - strong extractor
  • Choose g1, g2 ∈ G and x1, x2 ∈ Zq
  • Let h = g1^x1 · g2^x2
  • Output sk = (x1, x2) and pk = (g1, g2, h)

Enc_pk(m)
  • Choose r ∈ Zq
  • Output (g1^r, g2^r, AE(m, h^r))   (Ext turns h^r into the AE key)

Dec_sk(u1, u2, e)
  • Let k = u1^x1 · u2^x2. Output DV(e, k)

Correctness: u1^x1 · u2^x2 = g1^(r·x1) · g2^(r·x2) = (g1^x1 · g2^x2)^r = h^r
31
A Simple Scheme
Theorem: The scheme is secure against CCA1
Proof by reduction: an adversary for the encryption scheme yields a distinguisher for decisional Diffie-Hellman
32
A Simple Scheme
Theorem: The scheme is secure against CCA1
The CCA1 game: the challenger generates (sk, pk) and sends pk; the adversary asks queries ci and receives answers ai; it outputs m0, m1; the challenger picks b ← {0,1} and returns E_pk(mb); the adversary outputs b'
33
A Simple Scheme
Theorem: The scheme is secure against CCA1
Distinguisher for DDH: given (g1, g2, g1^r1, g2^r2), play the game above with the adversary (pk, queries ci and answers ai, m0 and m1, E_pk(mb)) and decide between "r1 = r2" and "r1 ≠ r2" from its output b'
34
A Simple Scheme: Generating pk
Theorem: The scheme is secure against CCA1
Distinguisher for DDH
  • Generating pk given (g1, g2, g1^r1, g2^r2)
  • Choose x1, x2 ∈ Zq
  • Let h = g1^x1 · g2^x2
  • Output pk = (g1, g2, h) and remember sk = (x1, x2)
35
A Simple Scheme: Answering the Queries
Theorem: The scheme is secure against CCA1
Distinguisher for DDH
  • pk is generated from (g1, g2, g1^r1, g2^r2) with x1, x2 ∈ Zq, h = g1^x1 · g2^x2, sk = (x1, x2) as on the previous slide
  • Answer the decryption queries ci using sk = (x1, x2)
36
A Simple Scheme: Generating the Challenge
Theorem: The scheme is secure against CCA1
Distinguisher for DDH
  • pk = (g1, g2, h) with h = g1^x1 · g2^x2 and sk = (x1, x2) as before; queries ci answered with sk
  • Given m0, m1 from the adversary, let k = g1^(r1·x1) · g2^(r2·x2). Output (g1^r1, g2^r2, AE(mb, k))
37
A Simple Scheme: The Distinguisher
Theorem: The scheme is secure against CCA1
Distinguisher for DDH, given (g1, g2, g1^r1, g2^r2): after pk, the queries ci with answers ai, m0 and m1 and the challenge E_pk(mb), the adversary outputs b'
  • If b' = b, guess "r1 = r2"
  • If b' ≠ b, guess "r1 ≠ r2"
38
Invalid Ciphertext → Random Key
  • Two possibilities
  • Valid: plaintext can be recovered, knowing sk
  • Invalid: no information on the plaintext, given pk

The two cases are computationally indistinguishable (by DDH)
Decryption maps (g1^r, g2^r') to the key (g1^r)^x1 · (g2^r')^x2
Invalid ciphertext: r ≠ r'. Write g2 = g1^w; then pk and the key give two linear equations in x1, x2 over Zq:
x1 + w·x2 = log(h)
r·x1 + r'·w·x2 = log(k)
For r ≠ r' the equations are independent, so (g1^r)^x1 · (g2^r')^x2 is uniformly distributed given pk and (g1^r, g2^r')
Therefore, a random key is used with an invalid ciphertext
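
An added example (not from the lecture) that instantiates the scheme of slides 29 and 30 in Python and checks slide 38 numerically: a second secret key consistent with the same public key agrees with the first on every valid ciphertext and disagrees on an invalid one, which DV then rejects. Assumptions: a generated 62-bit safe-prime group, SHA-256 in place of the strong extractor Ext, and SHA-256 keystream plus HMAC-SHA256 (encrypt-then-MAC) in place of AE/DV; `keygen` keeps w = log_g1(g2) only so the demo can build the second secret key, which a real key generation would never do. The bid string is a constructed value.

```python
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_group(start):
    """First safe prime p = 2q + 1 with q >= start; the squares mod p form the group G of prime order q."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = find_group(1 << 61)   # 62-bit toy group (demo assumption): fine for the algebra, useless for security
G1 = 4                       # a square other than 1, hence a generator of the order-q subgroup

def rand_exp():
    return secrets.randbelow(Q - 1) + 1               # uniform in [1, q-1]

def extract(elem):
    """Stand-in for the strong extractor Ext(h^r, s): a 32-byte key from the group element."""
    return hashlib.sha256(elem.to_bytes(8, "big")).digest()

def ae_encrypt(m, k):
    """One-time AE (demo assumption): SHA-256 keystream, then an HMAC-SHA256 tag over the ciphertext."""
    assert len(m) <= 32, "one keystream block in this demo"
    ke, km = hashlib.sha256(k + b"enc").digest(), hashlib.sha256(k + b"mac").digest()
    ct = bytes(x ^ y for x, y in zip(m, ke))
    return ct + hmac.new(km, ct, hashlib.sha256).digest()

def dv_decrypt(e, k):
    """DV: verify the tag first and reject (None) on mismatch, as slide 27 prescribes."""
    ke, km = hashlib.sha256(k + b"enc").digest(), hashlib.sha256(k + b"mac").digest()
    ct, tag = e[:-32], e[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, ct, hashlib.sha256).digest()):
        return None
    return bytes(x ^ y for x, y in zip(ct, ke))

def keygen():
    w = rand_exp()
    g2 = pow(G1, w, P)     # w = log_g1(g2) is remembered only so demo() can build a second consistent sk
    x1, x2 = rand_exp(), rand_exp()
    h = pow(G1, x1, P) * pow(g2, x2, P) % P
    return (G1, g2, h), (x1, x2), w

def encrypt(pk, m):
    g1, g2, h = pk
    r = rand_exp()
    return pow(g1, r, P), pow(g2, r, P), ae_encrypt(m, extract(pow(h, r, P)))

def shared_key(sk, c):
    """The decryptor's key k = u1^x1 * u2^x2; equals h^r exactly when u1 = g1^r and u2 = g2^r."""
    x1, x2 = sk
    u1, u2, _ = c
    return pow(u1, x1, P) * pow(u2, x2, P) % P

def decrypt(sk, c):
    return dv_decrypt(c[2], extract(shared_key(sk, c)))

def invalid_ciphertext(pk, m):
    """(g1^r, g2^r') with r != r', tagged under the only key an outsider can compute, h^r."""
    g1, g2, h = pk
    r, r2 = rand_exp(), rand_exp()
    while r2 == r:
        r2 = rand_exp()
    return pow(g1, r, P), pow(g2, r2, P), ae_encrypt(m, extract(pow(h, r, P)))

def demo(m=b"bid: 42"):
    """Slide 38 in numbers: sk2 fits the same pk (one linear equation leaves log q bits of freedom),
    agrees with sk on a valid ciphertext, and disagrees on an invalid one, which DV rejects."""
    pk, sk, w = keygen()
    g1, g2, h = pk
    x1, x2 = sk
    sk2 = ((x1 + w) % Q, (x2 - 1) % Q)            # g1^w * g2^-1 = 1, so h is unchanged
    valid, invalid = encrypt(pk, m), invalid_ciphertext(pk, m)
    return {
        "same_pk": pow(g1, sk2[0], P) * pow(g2, sk2[1], P) % P == h,
        "valid_decrypts_under_both": decrypt(sk, valid) == m and decrypt(sk2, valid) == m,
        "valid_key_agrees": shared_key(sk, valid) == shared_key(sk2, valid),
        "invalid_key_differs": shared_key(sk, invalid) != shared_key(sk2, invalid),
        "invalid_rejected": decrypt(sk, invalid) is None,
    }
```

The last two entries are the heart of the CCA1 argument: because the key an invalid ciphertext produces depends on which of the q consistent secret keys the decryptor holds, the adversary cannot predict it, the tag fails to verify, and the query is rejected without spending any of the entropy in (x1, x2).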
39
Proof: nothing leaked about x1, x2
  • Given the public key pk = (g1, g2, h) one linear equation is known on x1, x2
  • Given h = g1^x1 · g2^x2.
  • Still log q bits of entropy
  • Claim: this entropy is kept during the query-attack phase
  • In a legitimate query ciphertext (v1 = g1^r, v2 = g2^r) and AE(m, k), the decryption is independent of x1, x2 (the key is h^r)
  • An invalid query ciphertext (v1 = g1^r, v2 = g2^r') with r ≠ r' and AE(m, k) is rejected whp (its key is uniform given pk, so the authentication check fails)

40
Proof: when the input is not a DDH tuple, the challenge ciphertext is independent of the message
  • For the original input (g1, g2, g1^r1, g2^r2) the challenge ciphertext is:
  • Let k = g1^(r1·x1) · g2^(r2·x2)
  • Output (g1^r1, g2^r2, AE(mb, k))
  • if r1 ≠ r2 then k is random and hence independent of mb
  • Even an all-powerful adversary cannot guess b with probability better than ½.
  • if r1 = r2 then the challenge ciphertext is normal.
  • An adversary that breaks the scheme guesses b with probability better than ½

41
Proof: summing up
  • During the attack
  • Chance for an invalid ciphertext not labeled as such: (number of queries) · Pr[forgery in AE]
  • Entropy of x1, x2 decreased by at most this amount
  • Challenge ciphertext valid or not depending on whether the input is in DDH or not.
  • If the original adversary wins the game with probability ½ + ε
  • Advantage in distinguishing DDH from non-DDH is ε (minus the forgery term)