Chosen-Ciphertext Security (II)

Transcription

1 Chosen-Ciphertext Security (II) CS /642 Modern Cryptography Fall 2018 S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

2 Recall: Chosen-Ciphertext Attacks (CCA) Adversary can make decryption queries over ciphertext of its choice CCA-1: Decryption queries only before challenge ciphertext query CCA-2: Decryption queries before and after challenge ciphertext query No decryption query c should be equal to challenge ciphertext c Last time: Construction of CCA-1 secure PKE Today: Construction of CCA-2 secure PKE S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

3 Recall: CCA-2 Security Expt CCA2 A pb, zq: st z ppk, skq Ð Genp1 n q Decryption query phase 1 (repeated poly times): c Ð Appk, stq m Ð Decpsk, cq st pst, mq pm 0, m 1 q Ð Appk, stq c Ð Encppk, m b q Decryption query phase 2 (repeated poly times): c Ð Appk, c, stq If c c, output reject m Ð Decpsk, cq st pst, mq Output b 1 Ð Appk, c, stq S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

4 CCA-2 Security (contd.) Definition (IND-CCA-2 Security) A public-key encryption scheme pgen, Enc, Decq is IND-CCA-2 secure if for all n.u. PPT adversaries A, there exists a negligible function µp q s.t. for all auxiliary inputs z P t0, 1u : ı ˇ ˇPr Expt CCA2 A p1, zq 1 Pr Expt CCA2 A p0, zq 1ıˇˇˇ ď µpnq S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

5 How to Construct CCA-2 secure Encryption? Why doesn t a CCA-1 secure scheme also achieve CCA-2 security? Main problem: An adversary may be able to modify the challenge ciphertext to obtain a new ciphertext of a related plaintext and then request its decryption in the second decryption query phase of IND-CCA-2. E.g., the adversary may be able to maul an encryption of x into an encryption of x 1 without knowing x. This is called malleability attack Think: Is the IND-CPA PKE scheme based on trapdoor permutations that we studied in the class malleable? Solution Strategy: Ensure that adversary s decryption query is independent of (and not just different from) the challenge ciphertext. That is, make the encryption non-malleable S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

6 CCA-2 Secure Public-Key Encryption The first construction of CCA-2 secure encryption scheme was given by Dolev-Dwork-Naor. Ingredients: An IND-CPA secure encryption scheme pgen, Enc, Decq A NIZK proof pp, Vq (for simplicity of notation, we use NIZK in Random oracle model, but the construction also works if we use NIZKs in CRS model) A strongly unforgeable one-time signature (OTS) scheme psetup, Sign, Verifyq. Assume, wlog, that verification keys in OTS scheme are of length n. S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

7 Construction Construction of pgen 1, Enc 1, Dec 1 q: Gen 1 p1 n q: Execute the following steps Compute 2n key pairs of IND-CPA encryption scheme: pk j i, skj i Ð Genp1 n q, where j P t0, 1u, i P rns. Output pk 1 ` pki 0, pk1 i (, sk 1 `sk 1 0, sk1 1. S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

8 Construction (contd.) Enc 1 ppk 1, mq: Execute the following steps Compute key pair for OTS scheme: psk, V Kq Ð Setupp1 n q. Let V K V K 1,..., V K n. For every i P rns, encrypt m using pk V K i i and randomness r i : c i Ð Enc pk V K i i, m; r i Compute proof that each c i encrypts! the same message: π Ð Ppx, wq where x pk V K i i ), tc i u w pm, tr i uq and Rpx, wq 1 iff every c i encrypts the same message m. Sign everything: Φ Ð SignpSK, Mq where M ptc i u, πq Output c 1 pv K, tc i u, π, Φq, S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

9 Construction (contd.) Dec 1 psk 1, c 1 q: Execute the following steps Parse c 1 pv K, tc i u, π, Φq Let M ptc i u, πq Verify the signature: Output K if Verify pv K, M, Φq 0 Verify the NIZK! proof: ) Output K if Vpx, πq 0 where x pk V K i i, tc i u Else, decrypt the first ciphertext component: m 1 Ð Dec sk V K 1 1, c 1 Output m 1 S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

10 Security (Intuition) Consider decryption queries after adversary receives challenge ciphertext C : Let C C be a decryption query If verification key V K in C and verification key V K in challenge ciphertext C are same, then we can break the strong unforgeability of OTS If different, then V K and V K differ in at least one position l P rns: Answer decryption query using the secret key sk V Ki l. Don t need to know the secret keys sk V K i i for i P rns Reduce to IND-CPA security of underlying encryption scheme S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

11 Security (Hybrids) H 0 : (Honest) Encryption of m 0 H 1 : Compute proof π in challenge ciphertext using NIZK simulator H 2 : Choose V K in the beginning during Gen 1 H 3 : For any decryption query C pv K, tc i u, π, Φq: If V K V K and Verify pv K, ptc i u, πq, Φq 1, then abort Else, let l P rns be such that V K and V K in c differ at position l. " Set sk 1 sk V K i i *, i P rns, where V K i 1 V K i. Decrypt c by decrypting c l (instead of c 1 ) using sk V K l l. H 4 : Change every c i in C to encryption of m 1 H 5 : Compute proof π in challenge ciphertext honestly. This experiment is same as (honest) encryption of m 1. S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

12 Indistinguishability of Hybrids H 0 «H 1 : ZK property of NIZK H 1 «H 2 : Generating V K early or later does not change the distribution H 2 «H 3 : We argue indistinguishability as follows: First, we argue that probability of aborting is negligible. Recall that c c by the definition of CCA-2. Then, if V K V K, it must be that ptc i u, π, Φq ptc i u, π, Φ q. Now, if Verify pv K, ptc i u, πq, Φq 1, then we can break strong unforgeability of the OTS scheme. Now, conditioned on not aborting, let l be the position s.t. V K l V K l. Note that the only difference in H 2 and H 3 in this case might be the answers to the decryption queries of adversary. In particular, in H 2, we decrypt c 1 in c using sk V K1 1. In contrast, in H 3, we decrypt c l in c using sk V K l l. Now, from soundness of NIZK, it follows that except with negligible probability, all the c i s in c encrypt the same message. Therefore decrypting c l instead of c 1 does not change the answer. S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13

13 Indistinguishability of Hybrids (contd.) H 3 «H 4 : IND-CPA security of underlying PKE H 4 «H 5 : ZK property of NIZK Combining the above, we get H 0 «H 5. S /642 Modern Cryptography Chosen-Ciphertext Security (II) Fall / 13