Non-Malleable Encryption From Any Semantically Secure One - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
Non-Malleable Encryption From Any Semantically Secure One
Rafael Pass, Abhi Shelat, Vinod Vaikuntanathan
Cornell, MIT, IBM Zurich
2
Public-Key Encryption
Bob holds (pk, sk); Alice knows pk and sends C = Enc(pk, m) to Bob.
Eve sees C and asks: can I find partial information about m?
3
Privacy (Semantic Security) [GM]
$\forall$ PPT adversary Eve, $\exists$ PPT simulator S, $\forall$ PPT relation R:
Eve is given (pk, Enc(m)) and outputs $m_{eve}$; S sees no ciphertext and outputs $m_{sim}$.
$\Pr[R(m, m_{eve}) = 1] \approx \Pr[R(m, m_{sim}) = 1]$
4
Is Semantic Security enough?
Auction: a bidder sends Enc(x) to the auctioneer; Eve, sitting in the middle, submits Enc(x+1).
Eve does not necessarily know x, but she could produce Enc(x+1).
5
Coin-Tossing Protocols
Three parties publish $C_1 = Enc(b_1)$, $C_2 = Enc(b_2)$, $C_3 = Enc(b_3)$; coin $= b_1 \oplus b_2 \oplus b_3$.
Eve replaces $C_3$ with $Enc(b_1 \oplus b_2)$: "Ha! I can make coin = 0."
Eve does not necessarily know $b_1$ or $b_2$, but she could produce $Enc(b_1 \oplus b_2)$.
6
Non-Malleability [DDN]
$\forall$ PPT adversary Eve, $\exists$ PPT simulator S, $\forall$ PPT relations R, $\forall$ message samplers M:
$m \leftarrow M$. Eve is given (pk, Enc(m)) and outputs a valid ciphertext $C_{eve}$ (other than the challenge); S is given pk only and outputs $C_{sim}$.
$m_{eve} = Dec(C_{eve}, sk)$, $m_{sim} = Dec(C_{sim}, sk)$
$\Pr[R(pk, m, m_{eve}) = 1] \approx \Pr[R(pk, m, m_{sim}) = 1]$
7
Non-malleability
  • Many well-known cryptosystems are easily
    malleable
  • GM encryption: $Enc(0) = r^2 \bmod N$, $Enc(1) = y \cdot r^2 \bmod N$,
    so $y \cdot Enc(0) = Enc(1)$
  • El Gamal: $Enc(m) = (g^r, m \cdot g^{rx})$; scaling the second
    component gives $Enc(2m) = (g^r, 2m \cdot g^{rx})$
  • In general any homomorphic encryption is
    malleable.
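
The attack on slide 5 and the GM malleability on slide 7 are concrete enough to run. The Python below is an added example, not code from the talk or the paper: it implements Goldwasser-Micali with constructed toy parameters (the Mersenne primes $2^{31}-1$ and $2^{61}-1$ as p and q, and y = -1, which is a non-residue of Jacobi symbol +1 because both primes are 3 mod 4), shows that multiplying a ciphertext by y flips the encrypted bit and that multiplying two ciphertexts XORs them, and then runs the three-party coin toss with Eve replacing $C_3$ by $Enc(b_1 \oplus b_2)$. The function names and Eve's two strategies are constructed for the example; the El Gamal scaling on slide 7 is the same story with multiplication in place of XOR.

```python
"""Slide 7's GM malleability and the slide 5 coin-tossing attack (added example, not code
from the talk).  Goldwasser-Micali over N = p*q with y a non-residue of Jacobi symbol +1:
Enc(0) = r^2, Enc(1) = y*r^2 (mod N).  Constructed toy parameters: p = 2^31-1 and
q = 2^61-1 are primes congruent to 3 mod 4, so y = -1 is a non-residue mod both and has
Jacobi symbol (-1)(-1) = +1."""
import math, secrets

P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
Y = N - 1                                   # -1 mod N

def gm_enc(bit):
    """Enc(b) = y^b * r^2 mod N for a random unit r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    c = pow(r, 2, N)
    return Y * c % N if bit else c

def gm_dec(c):
    """A Jacobi-(+1) ciphertext is a residue mod N iff it is a residue mod p (Euler's criterion)."""
    return 0 if pow(c % P, (P - 1) // 2, P) == 1 else 1

def maul_flip(c):
    """Slide 7: y * Enc(0) = Enc(1); the same multiplication turns Enc(1) into Enc(0)."""
    return Y * c % N

def maul_xor(c1, c2):
    """Enc(b1) * Enc(b2) = y^(b1+b2) * (r1*r2)^2 = Enc(b1 xor b2): GM is XOR-homomorphic."""
    return c1 * c2 % N

def coin_toss(b1, b2, b3, eve=None):
    """Slide 5: party i publishes C_i = Enc(b_i); coin = b1 xor b2 xor b3 after decryption.
    `eve` (a constructed adversary) may replace C3 after seeing C1 and C2."""
    c1, c2, c3 = gm_enc(b1), gm_enc(b2), gm_enc(b3)
    if eve is not None:
        c3 = eve(c1, c2, c3)
    return gm_dec(c1) ^ gm_dec(c2) ^ gm_dec(c3)

def eve_forces_zero(c1, c2, _c3):
    """Eve knows neither b1 nor b2, but Enc(b1 xor b2) is one multiplication away."""
    return maul_xor(c1, c2)

def eve_forces_one(c1, c2, _c3):
    """...and flipping that ciphertext forces the coin to 1 instead."""
    return maul_flip(maul_xor(c1, c2))

def all_outcomes(eve=None):
    """Coin for all eight honest bit choices, with or without Eve in the middle."""
    return [coin_toss(b1, b2, b3, eve) for b1 in (0, 1) for b2 in (0, 1) for b3 in (0, 1)]

if __name__ == "__main__":
    print("honest  :", all_outcomes())
    print("eve -> 0:", all_outcomes(eve_forces_zero))
    print("eve -> 1:", all_outcomes(eve_forces_one))
```

Run it and the honest coin takes all eight values of $b_1 \oplus b_2 \oplus b_3$, while with Eve in the middle every run returns 0 (or 1, if she also multiplies by y). Eve never decrypts anything: the attack is pure ciphertext arithmetic, which is exactly what non-malleability must rule out and semantic security does not.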

8
Previous Results
  • Non-malleability is strictly stronger [DDN]
  • Private-key encryption: semantically secure
    encryption $\Rightarrow$ non-malleable encryption
    with no extra assumptions [DDN]

9
Previous Results
  • Semantically secure encryption + trapdoor
    permutation $\Rightarrow$ non-malleable encryption [DDN]
  • DDN-Lite: semantically secure encryption $\Rightarrow$
    one-message non-malleable encryption [Naor,
    informal]
  • DDN-Lite is not many-message NM [GL]

Semantically secure encryption doesn't $\Rightarrow$ TDP [GMR], so the trapdoor permutation is a genuinely extra assumption.
10
Are there Non-malleable Public-key Encryption
Schemes ?
  • Yes! [This work]
  • Semantically secure encryption $\Rightarrow$
    many-message (fully) non-malleable encryption

No extra assumptions
11
Construction Overview
  • Step 1: Single-message $\Rightarrow$ many-message NM
  • A new, stronger definition of NM encryption
  • For this definition, single-message NM $\Rightarrow$
    many-message NM
  • Step 2: Construct single-message NM encryption
  • Secret-parameter NIZK from semantically secure
    encryption
  • NM encryption using secret-parameter NIZK

12
Recall DDN Definition
$\forall$ PPT adversary Eve, $\exists$ PPT simulator S, $\forall$ PPT relations R, $\forall$ message samplers M:
$m \leftarrow M$. Eve is given (pk, Enc(m)) and outputs a valid ciphertext $C_{eve}$; S is given pk only and outputs $C_{sim}$.
$m_{eve} = Dec(C_{eve}, sk)$, $m_{sim} = Dec(C_{sim}, sk)$
$\Pr[R(pk, m, m_{eve}) = 1] \approx \Pr[R(pk, m, m_{sim}) = 1]$
13
To Bot or Not to Bot?
[Dolev, Dwork, Naor 00]
Implicitly, $\phi_i \in E(\beta_i)$ means that $\phi_i$ is a valid
ciphertext. Thus the adversary wins only if she
outputs a valid ciphertext.
14
Coin-flipping example
$C_1 = Enc(b_1)$, $C_2 = Enc(b_2)$
If $C_1$ and $C_2$ are valid, coin $= b_1 \oplus b_2$. Else, if $C_1$ is
valid, coin $= b_1$. Else, if $C_2$ is valid, coin $= b_2$.
Suppose Eve could map $Enc(1) \to$ another $Enc(1)$ and $Enc(0) \to$ an
invalid ciphertext. Then coin = 0!! (She replaces $C_2$ with the image of
$C_1$: if $b_1 = 1$ both ciphertexts are valid and coin $= 1 \oplus 1 = 0$;
if $b_1 = 0$ the replacement is invalid and coin $= b_1 = 0$.)
15
Our Definition
$\forall$ PPT adversary Eve, $\exists$ PPT simulator S, $\forall$ PPT
relations R:
Eve is given (pk, Enc(m)) and outputs $C_{eve}$, which could be an
invalid ciphertext; S is given pk only and outputs $C_{sim}$.
$m_{eve} = Dec(C_{eve}, sk)$, with $m_{eve} = \bot$ if $C_{eve}$ is invalid;
$m_{sim} = Dec(C_{sim}, sk)$
$\Pr[R(pk, m, m_{eve}) = 1] \approx \Pr[R(pk, m, m_{sim}) = 1]$
16
Further Issues Composability
  • Many-message NM
  • Eve gets encryptions of many messages $Enc(m_1)$,
    $Enc(m_2), \ldots$
  • She cannot produce $Enc(m)$ such that
    $R(m, m_1, m_2, \ldots) = 1$
  • DDN definition does not compose [GL]
  • Ours does

17
Definitions
  • We work with an indistinguishability-based
    definition, which is equivalent to the
    simulation-based definition
  • It makes clear the notion of computational
    independence

18
Indistinguishability-based Definition
$\forall$ PPT adversary Eve, $\forall$ $m_0, m_1$:
$C_0 = Enc(pk, m_0)$, $C_1 = Enc(pk, m_1)$
Eve given $C_0$ outputs $C'$; Eve given $C_1$ outputs $C''$
$m' = Dec(C', sk)$, $m'' = Dec(C'', sk)$
Requirement: the distributions of $m'$ and $m''$ are indistinguishable ($m' \approx m''$).
19
Definition (in all gory detail)
Indistinguishability Game
$\forall$ PPT adversary Eve, $\forall$ PPT distinguisher Dist:
Eve is given pk and outputs two message vectors
$(m^0_1, \ldots, m^0_k)$ and $(m^1_1, \ldots, m^1_k)$.
Expt(b): Eve is given $(Enc(pk, m^b_i))_i$ and outputs
$(C_1, C_2, \ldots, C_k)_b$, which are decrypted to
$(D_1, D_2, \ldots, D_k)_b$.
$\Pr[Dist((D_1, D_2, \ldots, D_k)_b) = b] \approx 1/2$
20
Single-msg NM $\Rightarrow$ Many-msg NM
  • Use the indistinguishability-based definition
  • A simple hybrid argument

21
Now. . .
  • Stronger definition can be met, assuming just
    semantically secure encryption
  • Applications: fully non-malleable encryption from
    Ajtai-Dwork, GGH, and Computational Diffie-Hellman

22
Construction of the Non-Malleable Encryption
Scheme
23
DDN Idea 50,000 feet
  • Add redundancy to the cipher-text
  • Not all strings are valid cipher-texts
  • Prove consistency in zero-knowledge
  • Prove that cipher-text is valid in
    non-interactive zero-knowledge

24
NIZK in CRS Model
A trusted party ("God") publishes public parameters PP to both the Prover and the Verifier.
Prover, holding (x, w), sends proof $\pi$; Verifier checks $V(PP, x, \pi) = ACC$?
Soundness: $\forall x \notin L$ and PPT $P^*$, $\Pr[\pi \leftarrow P^*(PP) : V(PP, x, \pi) = ACC] \le negl$.
ZK: $\exists$ PPT Sim s.t. $\forall x \in L$, $Sim(x) \approx (PP, P(PP, x, w))$.
25
The DDN Idea
(1) Key generation: n pairs of keys for the underlying semantically secure scheme, plus the CRS PP for the NIZK:
    PK = ( $PK_1^0$ $PK_2^0$ $\cdots$ $PK_n^0$ ; $PK_1^1$ $PK_2^1$ $\cdots$ $PK_n^1$ ; PP )
(2) Enc(PK, m): generate (vk, sk) for a signature scheme. Write the n-bit vk as $v_1 v_2 \cdots v_n$ (say 0, 1, ..., 1) and encrypt m under the key selected by each bit:
    $Enc(PK_1^0, m)$, $Enc(PK_2^1, m)$, $\cdots$, $Enc(PK_n^1, m)$
    plus a NIZK proof (under PP) that all components are encryptions of the same message, and $Sign_{sk}$ over everything.
28
The DDN Idea
  • Cipher-text looks like
  • $(C_1, C_2, \ldots, C_n$, NIZK proof, signature$)$, together with vk
  • To decrypt:
  • Check the signature. If the signature is invalid, output
    $\bot$
  • Check the NIZK proof. If the proof is not accepting,
    output $\bot$
  • Otherwise decrypt the first component of the
    ciphertext and output the message
29
Why does it work ? (Informally)
  • For starters
  • Given PK, PK' and Enc(m, PK), can the adversary
    output Enc(m', PK') such that R(m, m') = 1?
  • No! That would violate semantic security of PK.

30
Why does it work ? (Informally)
  • Given a cipher-text $(C_1, C_2, \ldots, C_n$, NIZK proof,
    signature$)$, what can the adversary do?
  • She has to give me n encryptions
  • Encryptions of different messages? No!
    (Soundness of NIZK)
  • Encryptions under the same set of public keys, i.e.
    the same vk? No! (Unforgeability of the signature)
  • So her ciphertext has to contain an encryption at a
    position where her key differs from the challenge's,
    of a related message (violation of semantic security)

31
  • Aren't we done?
  • No! The state of the art for NIZK requires trapdoor
    permutations
  • Do we really need NIZK in the CRS model?
  • Observe: the decryptor is the one that checks the
    NIZK proof.
  • Secret-Parameter NIZK: to check the validity of
    the proof, one needs secret information

32
NIZK in CRS Model (recall)
God publishes PP; Prover with (x, w) sends $\pi$; Verifier checks $V(PP, x, \pi) = ACC$?
Soundness: $\forall x \notin L$ and PPT $P^*$, $\Pr[\pi \leftarrow P^*(PP) : V(PP, x, \pi) = ACC] \le negl$.
ZK: $\exists$ PPT Sim s.t. $\forall x \in L$, $Sim(x) \approx (PP, P(PP, x, w))$.
33
Secret-Parameter NIZK
God publishes PP to the Prover and gives (PP, SP) to the Verifier.
Prover with (x, w) sends $\pi$; Verifier checks $V(PP, SP, x, \pi) = ACC$?
Soundness: $\forall x \notin L$ and PPT $P^*$, $\Pr[\pi \leftarrow P^*(PP) : V(PP, SP, x, \pi) = ACC] \le negl$.
ZK: $\exists$ PPT Sim s.t. $\forall x \in L$, $Sim(x) \approx (PP, SP, P(PP, x, w))$.
34
Construct Secret-Parameter NIZK
Start with a $\Sigma$-protocol: Prover holds (x, w), Verifier holds x.
Prover sends a; Verifier sends a challenge $c \in \{0, 1\}$; Prover answers $z_c$.
  • Completeness: $x \in L$ $\Rightarrow$ Prover can compute both $z_0$
    and $z_1$
  • Soundness: if there are both an accepting $z_0$ and an
    accepting $z_1$ for the same a, then $x \in L$
  • ZK: if I know c before I send a, I can compute an
    accepting $(a, z_c)$ without the witness

$\Sigma$-protocols exist for all $L \in NP$ [Blum's
Hamiltonicity]
35
Construct Secret-Parameter NIZK
The $\Sigma$-protocol (Prover (x, w), Verifier x; messages a, c, $z_c$) is made non-interactive:
God publishes $PK_0, PK_1$ to both parties and gives $SK_b$, for a random bit b, to the Verifier only.
Prover with (x, w) sends $\pi = (a, Enc(PK_0, z_0), Enc(PK_1, z_1))$;
the Verifier decrypts $z_b$ and checks it against a with challenge b.
36
Proof
  • Completeness: Prover can compute both $z_0$ and
    $z_1$.
  • Soundness: if there are both an accepting $z_0$ and
    an accepting $z_1$, then $x \in L$.
  • ZK: by semantic security of the encryption, the
    Verifier learns nothing about $z_{1-b}$; so a simulator
    that knows b can run the $\Sigma$-protocol simulator for
    challenge b and encrypt garbage in the other slot.

37
Our NM Enc Construction
Same as the DDN construction, with the NIZK replaced by a designated-verifier (secret-parameter) NIZK:
(1) Key generation: n pairs of keys plus the NIZK parameters; the secret parameter SP becomes part of the decryption key:
    PK = ( $PK_1^0$ $PK_2^0$ $\cdots$ $PK_n^0$ ; $PK_1^1$ $PK_2^1$ $\cdots$ $PK_n^1$ ; PP )
(2) Enc(PK, m): generate (vk, sk) for a signature scheme; write the n-bit vk as $v_1 \cdots v_n$ (say 0, 1, ..., 1) and encrypt m under the key selected by each bit:
    $Enc(PK_1^0, m)$, $Enc(PK_2^1, m)$, $\cdots$, $Enc(PK_n^1, m)$
    plus a designated-verifier NIZK proof that all components are encryptions of the same message, and $Sign_{sk}$ over everything.
38
CCA-2 Security???
  • Adv cannot win the indistinguishability game,
    even if she has access to a decryption oracle.
  • Do we get it? No! Bounded soundness: if I can query the
    verifier on poly(n) many proofs, I can find SP!
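
The compiler of slides 34-36 and the extraction attack of slide 38 fit in one runnable piece. The Python below is an added example, not the paper's code or its instantiation: the $\Sigma$-protocol is the classic quadratic-residuosity protocol ($a = r^2$, $c \in \{0,1\}$, $z_c = r \cdot w^c$), the encryption is hashed ElGamal over a randomly generated safe prime, the statement modulus is a constructed toy Blum integer, and K independent rounds each carry their own $(PK_0, PK_1)$ and secret bit $b_i$ so that SP is K bits; all of these choices, the function names, and the parameter sizes are assumptions of the example. `extract_sp` is the slide 38 prover: one verifier query per round, reading accept/reject to learn $b_i$; `forge` then uses the recovered SP to prove the false statement $x = -1$, which is exactly the simulator of slide 36 run by an adversary.

```python
"""Designated-verifier NIZK from a Sigma-protocol (slides 34-36) and the slide 38 attack.
Added example, not the paper's code.  Assumptions of the example: the language is
quadratic residues mod a Blum integer N (witness w with w^2 = x); the Sigma-protocol is
a = r^2, c in {0,1}, z_c = r*w^c, accept iff z_c^2 = a*x^c (mod N); encryption is hashed
ElGamal (g^r, m xor SHA-256(h^r)) in the order-q subgroup of a random safe prime; K
independent rounds, each with its own (PK0, PK1) and secret bit b_i, so SP = (b_1..b_K)."""
import hashlib, math, secrets

N = (2**31 - 1) * (2**61 - 1)      # toy Blum integer: both Mersenne primes are 3 mod 4
K = 16                             # rounds: a proof forged without SP passes w.p. 2^-K

def is_probable_prime(n, rounds=24):                 # Miller-Rabin, for n >= 5
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_safe_prime(bits):                         # p = 2q + 1 with q prime
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def unit():                                          # random element of Z_N^*
    u = secrets.randbelow(N - 2) + 2
    return u if math.gcd(u, N) == 1 else unit()

def kdf(k):                                          # group element -> 256-bit one-time pad
    return int.from_bytes(hashlib.sha256(k.to_bytes(64, "big")).digest(), "big")
def eg_keygen(p, g):
    x = secrets.randbelow((p - 1) // 2 - 1) + 1
    return pow(g, x, p), x
def eg_enc(p, g, h, m):                              # m: any int below 2^256
    r = secrets.randbelow((p - 1) // 2 - 1) + 1
    return pow(g, r, p), m ^ kdf(pow(h, r, p))
def eg_dec(p, x, ct):
    return ct[1] ^ kdf(pow(ct[0], x, p))

def setup(k=K):
    """'God' on slide 35: PP = (p, g, per-round key pairs); SP = per-round (b_i, SK_{b_i})."""
    p, g = random_safe_prime(80), 4                  # 4 = 2^2 generates the order-q subgroup
    pp, sp = [], []
    for _ in range(k):
        (h0, x0), (h1, x1) = eg_keygen(p, g), eg_keygen(p, g)
        b = secrets.randbits(1)
        pp.append((h0, h1)); sp.append((b, (x0, x1)[b]))
    return (p, g, pp), sp

def prove(PP, x, w):                                 # honest prover: a = r^2, z0 = r, z1 = r*w
    p, g, pp = PP
    proof = []
    for h0, h1 in pp:
        r = unit()
        proof.append((pow(r, 2, N), eg_enc(p, g, h0, r), eg_enc(p, g, h1, r * w % N)))
    return proof

def verify(PP, sp, x, proof):                        # decrypt only z_{b_i}; Sigma check with c = b_i
    p, g, pp = PP
    if len(proof) != len(pp) or math.gcd(x, N) != 1:
        return False
    for (b, sk), (a, e0, e1) in zip(sp, proof):
        z = eg_dec(p, sk, (e0, e1)[b])
        if math.gcd(z, N) != 1 or pow(z, 2, N) != a * pow(x, b, N) % N:
            return False
    return True

def extract_sp(PP, oracle, x, w):
    """Slide 38: query i is honest except round i's PK1 slot encrypts 0 (never accepted), so
    accept => the verifier read slot 0 => b_i = 0; reject => b_i = 1.  K queries reveal SP."""
    p, g, pp = PP
    bits = []
    for i, (h0, h1) in enumerate(pp):
        proof = prove(PP, x, w)
        proof[i] = (proof[i][0], proof[i][1], eg_enc(p, g, h1, 0))
        bits.append(0 if oracle(x, proof) else 1)
    return bits

def forge(PP, bits, x):
    """With SP known, run the Sigma simulator for the known challenge in every round (the ZK
    argument of slide 36): pick z, set a = z^2 * x^{-b}; the slot nobody reads gets junk."""
    p, g, pp = PP
    proof = []
    for (h0, h1), b in zip(pp, bits):
        z = unit()
        slots = [eg_enc(p, g, h0, 1), eg_enc(p, g, h1, 1)]
        slots[b] = eg_enc(p, g, (h0, h1)[b], z)
        proof.append((pow(z, 2, N) * pow(x, -b, N) % N, slots[0], slots[1]))
    return proof

def run_demo(k=K):
    """(honest proof accepted, SP-less forgery accepted, SP recovered, SP-aided forgery accepted)"""
    w = unit()
    x_true, x_false = pow(w, 2, N), N - 1            # -1 is a non-residue mod a Blum integer
    PP, sp = setup(k)
    oracle = lambda x, proof: verify(PP, sp, x, proof)
    honest = oracle(x_true, prove(PP, x_true, w))
    blind = oracle(x_false, prove(PP, x_false, 1))   # no SP, no witness: passes w.p. 2^-k
    bits = extract_sp(PP, oracle, x_true, w)
    return honest, blind, bits == [b for b, _ in sp], oracle(x_false, forge(PP, bits, x_false))
```

`run_demo()` returns four booleans: an honest proof is accepted, a proof of the false statement made without SP is rejected (any single round with $b_i = 1$ catches it), SP is recovered after K queries, and the forged proof is then accepted. The last two results are why the scheme is not CCA2-secure as it stands: a decryption oracle is a verifier oracle, and the secret parameter leaks one bit per query. Limiting the adversary to fewer queries than it takes to recover SP is what the bounded-CCA2 result on the next slide formalizes.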

39
More Results
  • Bounded CCA2-security
  • As long as the adversary queries the decryption
    oracle fewer than m times, for a bound m fixed in
    advance, security is maintained

40
Perspective
  • Non-malleability models computational independence

41
  • Thank You