
Topics in Cryptography Lecture 4 Topic: Chosen Ciphertext Security



  1. Topics in Cryptography, Lecture 4. Topic: Chosen Ciphertext Security. Lecturer: Moni Naor

  2. Public Key Encryption (diagram: Alice sends to Bob). Alice has Bob's public key K_P and sends the ciphertext c = E(m, K_P) of the plaintext m. Bob holds the public key K_P and the secret key K_S and decrypts: m = D(E(m, K_P), K_S).

  3. Defining Security
     • How do we know that an encryption scheme is secure?
     • Are the following requirements sufficient?
       • Given E(m, K_P), cannot compute m
       • Given E(m, K_P), cannot compute the i-th bit of m
       • Given E(m, K_P), cannot compute some f(m)
     • The definition must be
       • “convincing”
       • “application independent”

  4. Example: Interactive Authentication. P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E. To authenticate a message m:
     • V → P: Choose r ∈_R {0,1}^n. Send c = E(m∘r, K_P)
     • P → V: Receiving c, decrypt c using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
     V is satisfied if he receives the same r he chose.

  5. Is it Safe? Definition of security: existential unforgeability against adaptive chosen message attack. The adversary can ask to authenticate any sequence m1, m2, … and has complete control over the channels. Success: makes V accept a message m that was not authenticated. Intuition: if E does not leak information about the plaintext, nothing is leaked about r.
     • V → P: Choose r ∈_R {0,1}^n. Send c = E(m∘r, K_P)
     • P → V: Receiving c, decrypt c using K_S. Verify the prefix is m. If yes, send r.
     Problems
     • If E is “just” semantically secure against chosen plaintext attacks:
       • The adversary might change c = E(m∘r, K_P) into c’ = E(m’∘r, K_P)
       • Malleability
       • It is not sufficient to verify the correct form of the ciphertext in the simulation
       • Closer to a chosen ciphertext attack

  6. Question: can you think of an example of an encryption scheme where
     • the encryption scheme is semantically secure against chosen plaintext attacks, but
     • the authentication scheme is forgeable?
     The protocol again:
     • V → P: Choose r ∈_R {0,1}^n. Send c = E(m∘r, K_P)
     • P → V: Receiving c, decrypt c using K_S. Verify the prefix is m. If yes, send r.
     Example: bit by bit encryption

  7. Attacks and Security. To define the security of a system one must specify:
     • The power of the adversary, both
       • computational, and
       • access to the system.
     • What constitutes a failure of the system
       • Often via a game and the probability of winning

  8. Taxonomy of Signature Schemes (Goldwasser, Micali and Rivest, 1984)
     Attacks:
     • Key-only attacks
     • Generic chosen message attack: key unknown when messages are chosen
     • Non-adaptive chosen message attack: key known when messages are chosen
     • Adaptive chosen message attack
     What it means to break the scheme:
     • Universal forgery ≈ key recovery
     • Selective forgery: target message chosen a priori
     • Existential forgery: some message is forged
     All combinations of attacks/breaking are relevant.

  9. (Public-key) Encryption: Attacks
     • Chosen Plaintext
       • Minimal attack relevant to PKCs.
       • Assumes decrypted messages remain secret.
     • Chosen Ciphertext – preprocessing mode. AKA: lunch-break, CCA1
       • There is a period where the device is handled by the adversary
       • Should remain secure for ciphertexts created afterwards
     • Chosen Ciphertext – postprocessing mode. AKA: CCA2
       • Challenge ciphertext is known when the attack takes place
       • (but cannot submit it...).

  10. Chosen Ciphertext Attack (diagram: Alice, holding the public key K_P, queries Bob, who holds K_P and the secret key K_S). Query c1 → answer a1 = D(c1, K_S); query c2 → answer a2 = D(c2, K_S); … The adversary can get decryptions of ciphertexts of her choice.

  11. Encryption – Notions of Breaking
     • Semantic Security
       • Whatever is computable about the plaintext given the ciphertext is computable without it.
       • Given E(m, k_p) it is infeasible to produce a related m’
       • Can substitute with indistinguishability of encryption: cannot distinguish E(m0, k_p) from E(m1, k_p)
       • Requires a proof in each setting
     • Non-malleable security
       • Whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.
       • Given E(m, k_p) it is infeasible to produce E(m’, k_p) for a “related” m’, i.e. m and m’ satisfy R(m, m’) where R is a poly-time relation
       • Important for achieving independence of messages.

  12. Indistinguishability under CCA
     • Definition: an encryption scheme is secure under CCA if no poly-time adversary A can “win” the following game with non-negligible advantage:
       • A is given the public key K_P.
       • A (adaptively) asks for decryptions under K_S.
       • A produces two messages m0 and m1.
       • A receives a “challenge” c = E_pk(m_b) for b ∈_R {0,1}.
       • A “wins” if it guesses b correctly.
     • CCA1 – A only gets decryptions before the challenge
     • CCA2 – A also gets decryptions after the challenge

  13. Chosen Ciphertext Attack (diagram of the game between Alice, the adversary holding the public key K_P, and Bob, who holds K_P and the secret key K_S). Queries c_i are answered with a_i = D(c_i, K_S). Alice sends {m0, m1}; Bob picks b ∈_R {0,1} and returns c = E(m_b, K_P). In the postprocessing phase, queries c’_i are answered with a’_i = D(c’_i, K_S). Alice guesses b’ and wins if b’ = b.

  14. (Public-key) Encryption: Attacks
     • Chosen Plaintext
       • Minimal attack relevant to PKCs.
       • Assumes decrypted messages remain secret.
     • Chosen Ciphertext – preprocessing mode. AKA: lunch-break, CCA1
       • Challenge ciphertext is given after the adversary relinquishes control of the decryption device.
       • Good model for membership queries in computational learning.
     • Chosen Ciphertext – postprocessing mode. AKA: CCA2
       • Challenge ciphertext is known when the attack takes place
       • (but cannot submit it...).
       • Important in many protocols.

  15. (table of attack vs. breaking notion) Attack: Chosen Plaintext | Chosen Ciphertext Preprocessing | Chosen Ciphertext Postprocessing. Breaking Notion: Semantic Security | Non Malleability.

  16. Auction (diagram). Two bidders send c_a = E(bid_a, K_P) and c_b = E(bid_b, K_P) to the Auctioneer, who holds the public key K_P. We want to ensure that bid_b is independent of bid_a.

  17. Example: Auctions. Different requirements – different notions. Semantic security is not sufficient for guaranteeing the independence of bids.
     • If the key is used for a single auction and secrecy is not required after the auction is over: non-malleable security against chosen plaintext attacks.
     • If the key is used for many auctions and secrecy is not required after the auction is over: non-malleable security against chosen ciphertext attack in the preprocessing mode.
     • If the key is used for many auctions and secrecy is required after the auction is over: non-malleable security against chosen ciphertext attack in the postprocessing mode.

  18. (table of attack vs. breaking notion, as on slide 15) Attack: Chosen Plaintext | Chosen Ciphertext Preprocessing | Chosen Ciphertext Postprocessing. Breaking Notion: Semantic Security | Non Malleability. All other implications: proper. Open problem: construct a more secure version from the less secure one. Is it possible to construct a CCA2 scheme from SS/CPA?

  19. Approaches for CCA-Security
     Redundancy + verification of well-formedness:
     • The “Naor-Yung paradigm” [NY’90, DDN’91, Sahai, Lindell]: CPA-secure scheme + NIZK
     • Smooth projective hashing [Cramer Shoup ’98, CS ’02, ...]: “designated verifier” proofs
       • Simplified: [Kiltz, Pietrzak, Stam, Yung, 2009]
     • Lossy trapdoor functions [Peikert Waters ’08]
     • Correlated products [Rosen Segev ’09]
     Identity-based encryption [BCHK ’04, ...]:
     • IBE (CPA) → IBE (CCA)

  20. Ideas for achieving resistance to CCA
     • Add redundancy – hard to generate frivolous ciphertexts
     • Add methods to check consistency
       • This is the trickiest part: non-interactive zero-knowledge, or specific schemes
     • Decrypt only if the given ciphertext passes the consistency checks
     Important point: one may decrypt with several different private keys.
     (diagram: C1, C2, proof of consistency – could be NIZK based)

  21. Min-Entropy. Probability distribution X over {0,1}^n.
     H_∞(X) = −log max_x Pr[X = x] represents the probability of the most likely value of X.
     X is a k-source if H_∞(X) ≥ k (i.e., Pr[X = x] ≤ 2^{−k} for all x).
     Statistical distance: Δ(X, Y) = Σ_a |Pr[X = a] − Pr[Y = a]|

  22. Extractors. Universal procedure for “purifying” an imperfect source.
     Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-extractor if for any k-source X, Δ(Ext(X, U_d), U_ℓ) ≤ ε.
     (diagram: a k-source x of length n and a “seed” s of d random bits enter EXT, which outputs ℓ almost-uniform bits)

  23. Strong Extractors. Output looks random even after seeing the seed.
     Definition: Ext: {0,1}^n × {0,1}^d → {0,1}^ℓ is a (k, ε)-strong extractor if Ext’(x, s) = s ∘ Ext(x, s) is a (k, ε)-extractor.
     Leftover hash lemma [ILL 89]: pairwise independent hash functions are strong extractors.
     Example: Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n]
     • Output length ℓ = k − 2 log(1/ε)
     • Seed length d = 2n; with almost pairwise independence d = O(log n + k)
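The extractor of slide 23, Ext(x, (a, b)) = first ℓ bits of ax + b over GF[2^n], worked as an added example that is not part of the lecture. The field is shrunk to GF(2^6) with ℓ = 1 so that all 2^{2n} seeds can be enumerated and the strong-extractor distance Δ((s, Ext(X, s)), (s, U_ℓ)) is computed exactly rather than sampled. The field polynomial, the parameters and the k-sources are constructed for the example; the bound 2^{(ℓ−k)/2} is the leftover hash lemma restated in the lecture's Δ convention, which has no factor ½.

```python
from fractions import Fraction

# Toy parameters (constructed for this example): GF(2^6) is small enough
# to enumerate every seed (a, b) exactly, so the statistical distance is
# computed, not estimated.
N = 6                    # field size 2^N, seed length d = 2N bits
MOD = 0b1000011          # x^6 + x + 1, irreducible over GF(2)
ELL = 1                  # output length: the first ELL bits of a*x + b


def gf_mul(a, b):
    """Multiply two elements of GF(2^N): carry-less product reduced mod MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:        # overflow past degree N-1: reduce
            a ^= MOD
    return r


def ext(x, seed):
    """Ext(x, (a, b)) = first ELL bits of a*x + b over GF(2^N)  (slide 23)."""
    a, b = seed
    return (gf_mul(a, x) ^ b) >> (N - ELL)


def strong_ext_distance(support):
    """Statistical distance between (s, Ext(X, s)) and (s, U_ELL) for X uniform
    on `support` and s a uniform seed, i.e. the quantity that must be at most
    epsilon for Ext to be a strong extractor.  Uses the lecture's convention
    Delta(X, Y) = sum_a |Pr[X=a] - Pr[Y=a]| (no factor 1/2)."""
    seeds = [(a, b) for a in range(1 << N) for b in range(1 << N)]
    uniform = Fraction(1, 1 << ELL)
    total = Fraction(0)
    for s in seeds:
        counts = [0] * (1 << ELL)          # output histogram for this seed
        for x in support:
            counts[ext(x, s)] += 1
        # distance of the output distribution for this fixed seed; the weight
        # Pr[s] = 1/len(seeds) is applied once at the end
        total += sum(abs(Fraction(c, len(support)) - uniform) for c in counts)
    return total / len(seeds)


def lhl_bound(k):
    """Leftover hash lemma bound for a k-source, same convention: 2^((ELL-k)/2)."""
    return 2.0 ** ((ELL - k) / 2)


def k_source(k):
    """A k-source with exactly 2^k equally likely values (min-entropy k)."""
    return list(range(1 << k))
```

A point source (k = 0) gives Δ = 1: once the seed is known the output is fixed, which is exactly what the strong-extractor definition penalises. The uniform source (k = 6) gives Δ = 1/64, contributed only by the 64 seeds with a = 0, so even a perfect source has a non-zero error and the seed must be chosen at random. The 3-source stays within the lemma's bound.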

  24. The One Time Problem with shared keys
     • Alice and Bob share a secret key
     • Alice wants to send a message m ∈ {0,1}^n to Bob
     • Secrecy and authentication are maintained
     • They want to prevent Eve from interfering: Bob should be sure that the message m’ he receives is equal to the message m Alice sent
     • For secrecy: one-time pad
     • For authentication: can use Universal2 hash functions

  25. Authentication using hash functions
     • Suppose that H = {h | h: {0,1}^n → {0,1}^k} is a family of functions and Alice and Bob share a random function h ∈ H
     • To authenticate message m ∈ {0,1}^n Alice sends (m, h(m))
     • When receiving (m’, z) Bob computes h(m’) and compares it to z: if equal, accept m’; if not equal, reject
     • What properties do we require from H?
       • hard to guess h(m’) – probability at most ε. But clearly not sufficient: one-time pad.
       • hard to guess h(m’) even after seeing h(m) – probability at most ε. Should be true for any m’.
     When a strongly universal2 family is used in the protocol, Eve’s probability of cheating is at most 2^{−k}.

  26. Session Key Encryption (diagram: Alice sends to Bob). Both share the key K. Alice sends the ciphertext c = E_A(m, K) of the plaintext m; Bob performs decryption and verification, m = DV(E(m, K), K).

  27. Structure of Construction: “Hybrid”
     Encryption:
     • Use the public key to generate a shared session key
     • Use the shared key to encrypt + authenticate with the one-time scheme
     Decryption:
     • Use the secret key to obtain the session key
     • Use session decryption. Check authentication.
     • If it fails, reject. Otherwise output the message.

  28. Decisional Diffie-Hellman (diagram: Alice sends g^x, Bob sends g^y; both parties compute K = g^{xy})
     • DDH assumption: (g, g^x, g^y, g^{xy}) ≈ (g, g^x, g^y, g^z) for random x, y, z ∈ Z_q
     • In the form used below: (g1, g2, g1^r, g2^r) ≈ (g1, g2, g1^{r1}, g2^{r2}) for random g1, g2 ∈ G and r, r1, r2 ∈ Z_q

  29. A Simple DDH Based Scheme
     Key generation:
     • G – group of order q
     • Ext: G × {0,1}^d → {0,1}^ℓ – strong extractor
     • Choose g1, g2 ∈ G and x1, x2 ∈ Z_q
     • Let h = g1^{x1} g2^{x2}
     • Output sk = (x1, x2) and pk = (g1, g2, h)
     MAIN IDEA:
     • Redundancy: any pk corresponds to many possible sk’s
     • h = g1^{x1} g2^{x2} reveals only log(q) bits of information on sk = (x1, x2)

  30. A Simple Scheme
     Key generation:
     • G – group of order q
     • Ext: G × {0,1}^d → {0,1}^ℓ – strong extractor
     • Choose g1, g2 ∈ G and x1, x2 ∈ Z_q
     • Let h = g1^{x1} g2^{x2}
     • Output sk = (x1, x2) and pk = (g1, g2, h)
     Enc_pk(m):
     • Choose r ∈ Z_q
     • Output (g1^r, g2^r, AE(m, h^r))
     Dec_sk(u1, u2, e):
     • Let k = u1^{x1} u2^{x2}. Output DV(e, k)
     Correctness: u1^{x1} u2^{x2} = g1^{r x1} g2^{r x2} = (g1^{x1} g2^{x2})^r = h^r
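The scheme of slides 29–30, assembled with the one-time AE of slides 24–26 along the hybrid structure of slide 27, as an added runnable example; this is not code from the lecture. Assumptions: a toy prime-order group (P = 2039, Q = 1019, constructed here and far too small to be secure), SHA-512 standing in for the strong extractor Ext, a one-time pad plus the affine universal hash a·c + b mod (2^127 − 1) as AE/DV, and the extractor seed sent along with the ciphertext. The function names are mine, as is the closing demonstration, which reproduces the point of slide 38: on an invalid pair (g1^r, g2^{r’}) the derived key depends on which of the many secret keys consistent with pk is used, whereas on a valid pair every consistent secret key gives h^r.

```python
import hashlib
import secrets

# Toy group (constructed for this example): Q prime, P = 2Q + 1 prime, and
# G1 = 2^2 generates the order-Q subgroup of squares in Z_P^*.  A real
# deployment needs a group where DDH is believed hard; P is tiny here so the
# arithmetic stays visible.
P = 2039
Q = 1019
G1 = 4
M = (1 << 127) - 1      # prime modulus of the universal hash h_{a,b}(c) = a*c + b mod M
MSG_BYTES = 15          # messages are at most 15 bytes, so their integers are < M


def keygen(w=None):
    """Slide 29: sk = (x1, x2), pk = (g1, g2, h = g1^x1 g2^x2).
    If w is given, g2 = g1^w with w known; that is only for the slide-38 demo
    below, a real key generation must pick g2 without knowing log(g2)."""
    if w is not None:
        g2 = pow(G1, w, P)
    else:
        g2 = pow(secrets.randbelow(P - 3) + 2, 2, P)   # random square != 1, order Q
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    h = pow(G1, x1, P) * pow(g2, x2, P) % P
    return (x1, x2), (G1, g2, h)


def ext(k_group, seed):
    """Stand-in for the strong extractor Ext: G x {0,1}^d -> {0,1}^l of slide 29.
    SHA-512(seed || k) replaces the pairwise-independent hash of the lecture;
    its 64 bytes supply a one-time pad and the universal-hash key (a, b)."""
    return hashlib.sha512(seed + k_group.to_bytes(2, "big")).digest()


def split_key(kbits):
    kenc = kbits[:MSG_BYTES]
    a = int.from_bytes(kbits[15:31], "big") % M
    b = int.from_bytes(kbits[31:47], "big") % M
    return kenc, a, b


def ae_encrypt(m, kbits):
    """One-time AE of slides 24-25: one-time pad for secrecy plus a strongly
    universal hash tag over the pad output for authentication."""
    kenc, a, b = split_key(kbits)
    c = bytes(x ^ y for x, y in zip(m, kenc))
    tag = (a * int.from_bytes(c, "big") + b) % M
    return c, tag


def ae_decrypt(c, tag, kbits):
    """DV of slide 26: verify the tag first; None means reject."""
    kenc, a, b = split_key(kbits)
    if (a * int.from_bytes(c, "big") + b) % M != tag:
        return None
    return bytes(x ^ y for x, y in zip(c, kenc))


def encrypt(pk, m):
    """Enc_pk(m) of slide 30: (g1^r, g2^r, AE(m, Ext(h^r))).  The extractor seed
    travels in the clear (an assumption; the slides leave the seed implicit)."""
    g1, g2, h = pk
    assert len(m) <= MSG_BYTES
    r = secrets.randbelow(Q - 1) + 1
    seed = secrets.token_bytes(16)
    c, tag = ae_encrypt(m, ext(pow(h, r, P), seed))
    return pow(g1, r, P), pow(g2, r, P), seed, c, tag


def session_key(sk, u1, u2):
    """k = u1^x1 u2^x2, which equals h^r exactly when (u1, u2) = (g1^r, g2^r)."""
    x1, x2 = sk
    return pow(u1, x1, P) * pow(u2, x2, P) % P


def decrypt(sk, ct):
    """Dec_sk(u1, u2, e) of slide 30; returns None when DV rejects."""
    u1, u2, seed, c, tag = ct
    return ae_decrypt(c, tag, ext(session_key(sk, u1, u2), seed))


def equivalent_secret_key(sk, w, t):
    """Slide 29's redundancy: with g2 = g1^w, (x1 + w*t, x2 - t) has the same pk."""
    x1, x2 = sk
    return ((x1 + w * t) % Q, (x2 - t) % Q)


def invalid_ciphertext_keys(w=123, t=7, r=5, r_prime=9):
    """Slide 38: on a valid (g1^r, g2^r) every sk consistent with pk derives the
    same key; on an invalid (g1^r, g2^r') with r != r' two sk's consistent with
    the same pk derive different keys, so the key is random given pk alone."""
    sk, pk = keygen(w)
    sk2 = equivalent_secret_key(sk, w, t)
    g1, g2, _ = pk
    valid = (pow(g1, r, P), pow(g2, r, P))
    invalid = (pow(g1, r, P), pow(g2, r_prime, P))
    same_on_valid = session_key(sk, *valid) == session_key(sk2, *valid)
    differ_on_invalid = session_key(sk, *invalid) != session_key(sk2, *invalid)
    return same_on_valid, differ_on_invalid
```

decrypt returns None for a ciphertext whose pad output was altered because DV checks the universal-hash tag before unpadding, which is the “if it fails, reject” step of slide 27; a modified c changes a·c + b by a·δ, so the forged tag survives only when a = 0. invalid_ciphertext_keys() returns (True, True): the two secret keys agree on a valid pair and disagree on an invalid one.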

  31. A Simple Scheme. Theorem: the scheme is secure against CCA1. Proof by reduction: from an adversary for the encryption scheme, build a distinguisher for decisional Diffie-Hellman.

  32. A Simple Scheme. Theorem: the scheme is secure against CCA1. (diagram of the CCA1 game: the challenger generates (sk, pk) and sends pk; the adversary submits queries c_i and receives answers a_i; the adversary sends m0, m1; the challenger picks b ← {0,1} and returns E_pk(m_b); the adversary outputs b’)

  33. A Simple Scheme. Theorem: the scheme is secure against CCA1. (diagram: the distinguisher for DDH receives (g1, g2, g1^{r1}, g2^{r2}) and plays the challenger: it sends pk, answers queries c_i with a_i, receives m0, m1, returns E_pk(m_b), and from the adversary’s b’ outputs either “r1 = r2” or “r1 ≠ r2”)

  34. A Simple Scheme: Generating pk. Theorem: the scheme is secure against CCA1. (same diagram) Generating pk given (g1, g2, g1^{r1}, g2^{r2}):
     • Choose x1, x2 ∈ Z_q
     • Let h = g1^{x1} g2^{x2}
     • Output pk = (g1, g2, h) and remember sk = (x1, x2)

  35. A Simple Scheme: Answering the Queries. Theorem: the scheme is secure against CCA1. (same diagram) pk was generated from (g1, g2, g1^{r1}, g2^{r2}) as on slide 34, with sk = (x1, x2) remembered. Answer the queries c_i using sk = (x1, x2).

  36. A Simple Scheme: Generating the Challenge. Theorem: the scheme is secure against CCA1. (same diagram) pk was generated from (g1, g2, g1^{r1}, g2^{r2}) as on slide 34. On receiving m0, m1:
     • Let k = g1^{r1 x1} g2^{r2 x2}
     • Output (g1^{r1}, g2^{r2}, AE(m_b, k))

  37. A Simple Scheme: The Distinguisher. Theorem: the scheme is secure against CCA1. (same diagram) On receiving the adversary’s guess b’:
     • If b = b’ guess r1 = r2
     • If b ≠ b’ guess r1 ≠ r2

  38. Invalid Ciphertext – Random Key. Two possibilities:
     • Valid: the plaintext can be recovered, knowing sk
     • Invalid: no information on the plaintext, given pk
     The two are computationally indistinguishable. An invalid ciphertext has the form (g1^r, g2^{r’}) with r ≠ r’, and decryption uses the key (g1^r)^{x1} (g2^{r’})^{x2}. Writing g2 = g1^w and taking logs to base g1, the adversary knows
     • x1 + w x2 = log(h)
     • r x1 + r’ w x2 = log(k)
     Since r ≠ r’ these two equations are independent, so (g1^r)^{x1} (g2^{r’})^{x2} is uniformly distributed given pk and (g1^r, g2^{r’}). Therefore a random key is used with an invalid ciphertext.

  39. Proof: nothing leaked about x1, x2
     • Given the public key pk = (g1, g2, h), one linear equation on x1, x2 is known (h = g1^{x1} g2^{x2}). Still log q entropy.
     Claim: this entropy is kept during the query-attack phase.
     • In legitimate query ciphertexts (v1 = g1^r, v2 = g2^r) and AE(m, k), the decryption is independent of x1, x2.
     • In invalid query ciphertexts (v1 = g1^r, v2 = g2^{r’}) and AE(m, k), the ciphertext is rejected whp.

  40. Proof: when the input is not DDH the challenge ciphertext is independent of the message. For the original input (g1, g2, g1^{r1}, g2^{r2}) the challenge ciphertext is:
     • Let k = g1^{r1 x1} g2^{r2 x2}
     • Output (g1^{r1}, g2^{r2}, AE(m_b, k))
     • If r1 ≠ r2 then k is random and hence independent of m_b. Even an all-powerful adversary cannot guess b with probability better than ½.
     • If r1 = r2 then the challenge ciphertext is “normal”. The adversary should guess b with probability better than ½, namely ½ + ε.

  41. Proof: summing up
     During the attack:
     • Chance for an invalid ciphertext not labeled as such: q · Pr[forgery in AE]
     • Entropy of x1, x2 decreased by this amount
     The challenge ciphertext is valid or not depending on whether the input is in DDH or not.
     • If the original adversary wins the game with probability ½ + ε
     • the advantage in distinguishing DDH from non-DDH is ε
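The calculation behind the last two bullets, written out as an added derivation in the lecture's own symbols (this is not on the slides). D is the distinguisher of slides 33–37, q is the number of decryption queries, and "valid" means r1 = r2:

$$
\Pr[D \text{ outputs } r_1 = r_2 \mid r_1 = r_2] \;=\; \Pr[b' = b \mid \text{valid challenge}] \;=\; \tfrac12 + \varepsilon
$$

$$
\Pr[D \text{ outputs } r_1 = r_2 \mid r_1 \neq r_2] \;=\; \Pr[b' = b \mid \text{invalid challenge}] \;\le\; \tfrac12 + q \cdot \Pr[\text{forgery in AE}]
$$

The second line holds because, unless some invalid query was accepted (slide 39), the key $k = g_1^{r_1 x_1} g_2^{r_2 x_2}$ is uniform given the adversary's view (slide 38), so $b'$ is independent of $b$ (ignoring the extractor's own error). Subtracting,

$$
\mathrm{Adv}_D \;\ge\; \varepsilon - q \cdot \Pr[\text{forgery in AE}],
$$

which is ε up to the forgery term, negligible when AE is the one-time authenticated encryption of slides 24–25.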
