Advanced Cryptography April 3, 2007 Lecture 10 Lecturer: Victor Shoup 1 Scribe: Kristina Penfold CCA-Secure Public Key Encryption Today we will be discussing how to design a CCA(CCA-2) secure public key encryption scheme without the use of random oracles. 1.1 Background There have been some approaches suggested without random oracles. 1. Rackoff/Simon proposed a notion of chosen ciphertext security that is a weaker notion called lunchtime attack secure or CCA-1 secure. Here the adversary makes no decryption queries after the encryption query. 2. Dolev/Dwork/Naor then defined the full CCA-2 security usually referred to just as CCA security. 1.2 Rough Solution We can find a rough solution using non-interactive zero knowledge proofs of language membership. Here we use a common reference string, or CRS, generated by some trusted party. The prover generates a proof and the verifier checks it. The zero knowledge simulator can generate the CRS. However, here there are subleties in defining soundness in zero knowledge. The Construction: Ingredients: • Semanticallly secure encryption scheme (KeyGen, E, D) • NIZK proof system to prove that two ciphertexts decrypt the same way. Public Key: • Public keys P K0 , P K1 for SS scheme • CRS for NIZK To encrypt m: • c0 = E(P K0 , m) • c1 = E(P K1 , m) • π =proof that c0 , c1 encrypt the same message. 10-1 To decrypt (c0 , c1 , π): • Verify the proof. • Pick a ciphertext and decrypt. Proof of Security: We are going to prove that this scheme is secure using a sequence of games. Here we assume that given two messages m0 , m1 , there are two challengers, one who always encrypts m0 and another who always encrypts m1 . Our goal will be to show that an adversary can not tell which challenger he is playing. In the following diagram, the symbols under c0 , c1 , and π represent what and how the challenger is encrypting and the bracketed numbers represent what is being processed in the challenger’s decryption query. c0 [0] [0] [0] 0 1 [1] [1] c1 0 0 1 [1] [1] 1 1 π real sim sim sim sim sim real justification original game ZK property SS property soundness property* SS property soundness property ZK property *Here the soundness property refers to simulation soundness which means that it is hard to generate a bogus proof even after seeing a simulated bogus proof. 1.3 More Practical Schemes Recall that last time we discussed the El Gamal + Schnorr scheme which did not work due to a rewinding explosion. Here we had group generator g and h = g x . To encrypt a message m ∈ G, we computed u = g r , v = hr , and w = v · m. We sent u, w, and π, a proof that we “know” r. A better idea is to “somehow” use a proof of language membership rather than a proof of knowledge. To do so we let g1 , g2 be group generators, and h = g1x1 g2x2 . To encrypt m: Set u1 = g1r , u2 = g2r , v = hr , w = v · m. Send encryption (u1 , u2 , w, π) where π is a proof of equality of two logs, ie, logg1 u1 = logg2 u2 . To decrypt (u1 , u2 , w, π): Compute v = hr = (g1x1 g2x2 )r = (g1r )x1 (g2r )x2 = ux1 1 ux2 2 . Decrypt to get m = w/v. One idea is to implement π using the Fiat-Shamir Heuristic. Below we give a proof of security using a sequence of games with bit flipping. 10-2 Proof of Security Game 0: Original Game Game 1: For the encryption query compute v = ux1 1 ux2 2 . ( Here is only a conceptual change between games.) Game 2: Compute π using sim(g1 , g2 , u1 , u2 ). (By ZK property.) Game 3: Replace (u1 , u2 ) by random pair (u01 , u02 ), where logg1 u01 6= logg2 u02 . (By DDH assumption.) Game 4: Assume g2 = g1a . Reject all ciphertexts (ũ1 , ũ2 , w̃, π̃) such that logg1 ũ1 6= logg2 ũ2 , ie ũ2 6= ũa1 . (By soundness.) Claim: In Game 4, the advantage is zero. Public Key: h = g1x1 g2x2 = g1x1 +ax2 Encryption: (u1 , u2 , w, π) u1 = g1r1 , u2 = g2r2 = g1ar2 , r1 6= r2 w = v · mb , v = ux1 1 ux2 2 = g1r1 x1 +r2 ax2 Decryption: Given (ũ1 , ũ2 , w̃, π̃) t(x +ax ) Say ũ1 = g1t , ũ2 = g2t , then m̃ = w̃/ṽ where ṽ = (ũ1 )x1 (ũ2 )x2 = g1tx1 +tax2 = g1 1 2 . Claim: Message bit b is independent of the adversary’s view. Basically we want to show v acts as an information theoretically perfect one time pad. The adversary gets (∗)logg1 h = x1 + ax2 from P K. From the soundness property, the decryption queries give no more information than this and logg1 v = r1 x1 + r2 ax2 . Claim: (*) and (**) are independent random variables. We show this using simple linear algebra. logg1 h 1 a x1 = logg1 v r 1 r2 a x2 Since a 6= 0 and r1 6= r2 , the determinant of the 2 by 2 matrix above is a(r2 − r1 ) 6= 0 and thus the matrix is non-singular. Therefore, (*) and (**) are uniformly and independently distributed. Now we want to implement NIZK without random oracles by exploiting the asymmetry between the prover and the verifier. Here the verifier is the decryptor that can have a “secret key” that lets him verify proofs. 1.4 Security against lunch-time attacks (CCA-1) Consider the hash proof system. Here the prover gets the P K, an instance x ∈ L and witness w and makes a proof π = P (P K, x, w). The verifier has secret key SK and receives x, π from the prover and checks that V (SK, x) = π and returns accept or reject. 10-3 We require that this system has a k-wise pseudo-randomness property where k is a constant equal to 1 or 2. Also, we assume that language L has a “global” trapdoor, a in our example. Thus the attack game is as follows. The adversary gets P K and can make many V queries x1 , ..., xn obtaining V (SK, xi ) for i = 1, .., n, where at most k xi ’s are not in L. In Experiment 0 all responses are computed using V . In Experiment 1 all responses to queries xi 6∈ L are random. We have security if these two experiments are indistinguishable. If this security property holds and if the proof space is large, then k = 1 gives CCA-1 security and k = 2 gives CCA-2 security. In the case that k = 2, the ZK simulator is V so to generate a proof for x, we use the SK for the hash proof system. Thus, even if the adversary sees one proof of a bogus x, it is hard to predict a different proof for another bogus x. This is like simulation soundness. To implement for k = 1, fix g1 and g2 , let P K = c = g1y1 g2y2 and SK = (y1 , y2 ). To construct the proof set P (P K, (u1 , u2 ), r) = cr such that u1 = g1r , u2 = g2r and V (SK, (u1 , u2 )) = uy11 uy22 . By the same linear algebra argument as above, logg1 c and logg1 uy11 uy22 are independent when u1 = g1r1 and u2 = g2r2 and r1 6= r2 . An adversary who knows a and c will get a scalar multiple of logg1 c for valid queries and for invalid queries, the responses will look random. Thus this is CCA-1 secure against lunchtime attacks. A look ahead: Next time we will look at the hash proof system for k = 2. 10-4