Advanced Cryptography
April 3, 2007
Lecture 10
Lecturer: Victor Shoup
1
Scribe: Kristina Penfold
CCA-Secure Public Key Encryption
Today we will be discussing how to design a CCA(CCA-2) secure public key encryption scheme
without the use of random oracles.
1.1
Background
There have been some approaches suggested without random oracles.
1. Rackoff/Simon proposed a notion of chosen ciphertext security that is a weaker notion called
lunchtime attack secure or CCA-1 secure. Here the adversary makes no decryption queries
after the encryption query.
2. Dolev/Dwork/Naor then defined the full CCA-2 security usually referred to just as CCA
security.
1.2
Rough Solution
We can find a rough solution using non-interactive zero knowledge proofs of language membership.
Here we use a common reference string, or CRS, generated by some trusted party. The prover
generates a proof and the verifier checks it. The zero knowledge simulator can generate the CRS.
However, here there are subleties in defining soundness in zero knowledge.
The Construction:
Ingredients:
• Semanticallly secure encryption scheme (KeyGen, E, D)
• NIZK proof system to prove that two ciphertexts decrypt the same way.
Public Key:
• Public keys P K0 , P K1 for SS scheme
• CRS for NIZK
To encrypt m:
• c0 = E(P K0 , m)
• c1 = E(P K1 , m)
• π =proof that c0 , c1 encrypt the same message.
10-1
To decrypt (c0 , c1 , π):
• Verify the proof.
• Pick a ciphertext and decrypt.
Proof of Security: We are going to prove that this scheme is secure using a sequence of games.
Here we assume that given two messages m0 , m1 , there are two challengers, one who always encrypts m0 and another who always encrypts m1 . Our goal will be to show that an adversary can
not tell which challenger he is playing. In the following diagram, the symbols under c0 , c1 , and π
represent what and how the challenger is encrypting and the bracketed numbers represent what is
being processed in the challenger’s decryption query.
c0
[0]
[0]
[0]
0
1
[1]
[1]
c1
0
0
1
[1]
[1]
1
1
π
real
sim
sim
sim
sim
sim
real
justification
original game
ZK property
SS property
soundness property*
SS property
soundness property
ZK property
*Here the soundness property refers to simulation soundness which means that it is hard to generate
a bogus proof even after seeing a simulated bogus proof.
1.3
More Practical Schemes
Recall that last time we discussed the El Gamal + Schnorr scheme which did not work due to a
rewinding explosion. Here we had group generator g and h = g x . To encrypt a message m ∈ G, we
computed u = g r , v = hr , and w = v · m. We sent u, w, and π, a proof that we “know” r.
A better idea is to “somehow” use a proof of language membership rather than a proof of
knowledge. To do so we let g1 , g2 be group generators, and h = g1x1 g2x2 .
To encrypt m:
Set u1 = g1r , u2 = g2r , v = hr , w = v · m. Send encryption (u1 , u2 , w, π) where π is a proof of equality
of two logs, ie, logg1 u1 = logg2 u2 .
To decrypt (u1 , u2 , w, π):
Compute v = hr = (g1x1 g2x2 )r = (g1r )x1 (g2r )x2 = ux1 1 ux2 2 .
Decrypt to get m = w/v.
One idea is to implement π using the Fiat-Shamir Heuristic. Below we give a proof of security
using a sequence of games with bit flipping.
10-2
Proof of Security
Game 0: Original Game
Game 1: For the encryption query compute v = ux1 1 ux2 2 . ( Here is only a conceptual change between
games.)
Game 2: Compute π using sim(g1 , g2 , u1 , u2 ). (By ZK property.)
Game 3: Replace (u1 , u2 ) by random pair (u01 , u02 ), where logg1 u01 6= logg2 u02 . (By DDH assumption.)
Game 4: Assume g2 = g1a . Reject all ciphertexts (ũ1 , ũ2 , w̃, π̃) such that logg1 ũ1 6= logg2 ũ2 , ie
ũ2 6= ũa1 . (By soundness.)
Claim: In Game 4, the advantage is zero.
Public Key: h = g1x1 g2x2 = g1x1 +ax2
Encryption: (u1 , u2 , w, π)
u1 = g1r1 , u2 = g2r2 = g1ar2 , r1 6= r2
w = v · mb , v = ux1 1 ux2 2 = g1r1 x1 +r2 ax2
Decryption: Given (ũ1 , ũ2 , w̃, π̃)
t(x +ax )
Say ũ1 = g1t , ũ2 = g2t , then m̃ = w̃/ṽ where ṽ = (ũ1 )x1 (ũ2 )x2 = g1tx1 +tax2 = g1 1 2 .
Claim: Message bit b is independent of the adversary’s view.
Basically we want to show v acts as an information theoretically perfect one time pad. The adversary gets (∗)logg1 h = x1 + ax2 from P K. From the soundness property, the decryption queries give
no more information than this and logg1 v = r1 x1 + r2 ax2 .
Claim: (*) and (**) are independent random variables.
We show this using simple linear algebra.
logg1 h
1
a
x1
=
logg1 v
r 1 r2 a
x2
Since a 6= 0 and r1 6= r2 , the determinant of the 2 by 2 matrix above is a(r2 − r1 ) 6= 0 and thus the
matrix is non-singular. Therefore, (*) and (**) are uniformly and independently distributed.
Now we want to implement NIZK without random oracles by exploiting the asymmetry between
the prover and the verifier. Here the verifier is the decryptor that can have a “secret key” that lets
him verify proofs.
1.4
Security against lunch-time attacks (CCA-1)
Consider the hash proof system. Here the prover gets the P K, an instance x ∈ L and witness w
and makes a proof π = P (P K, x, w). The verifier has secret key SK and receives x, π from the
prover and checks that V (SK, x) = π and returns accept or reject.
10-3
We require that this system has a k-wise pseudo-randomness property where k is a constant
equal to 1 or 2. Also, we assume that language L has a “global” trapdoor, a in our example.
Thus the attack game is as follows. The adversary gets P K and can make many V queries
x1 , ..., xn obtaining V (SK, xi ) for i = 1, .., n, where at most k xi ’s are not in L.
In Experiment 0 all responses are computed using V . In Experiment 1 all responses to queries
xi 6∈ L are random. We have security if these two experiments are indistinguishable.
If this security property holds and if the proof space is large, then k = 1 gives CCA-1 security
and k = 2 gives CCA-2 security. In the case that k = 2, the ZK simulator is V so to generate a
proof for x, we use the SK for the hash proof system. Thus, even if the adversary sees one proof
of a bogus x, it is hard to predict a different proof for another bogus x. This is like simulation
soundness.
To implement for k = 1, fix g1 and g2 , let P K = c = g1y1 g2y2 and SK = (y1 , y2 ). To construct
the proof set P (P K, (u1 , u2 ), r) = cr such that u1 = g1r , u2 = g2r and V (SK, (u1 , u2 )) = uy11 uy22 . By
the same linear algebra argument as above, logg1 c and logg1 uy11 uy22 are independent when u1 = g1r1
and u2 = g2r2 and r1 6= r2 . An adversary who knows a and c will get a scalar multiple of logg1 c
for valid queries and for invalid queries, the responses will look random. Thus this is CCA-1 secure
against lunchtime attacks.
A look ahead: Next time we will look at the hash proof system for k = 2.
10-4