Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security


AMIT SAHAI

MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139, USA. amits@theory.lcs.mit.edu. Supported by a DOD/NDSEG Graduate Fellowship and partially by DARPA grant DABT-96-C

Abstract

We introduce the notion of non-malleable non-interactive zero-knowledge (NIZK) proof systems. We show how to transform any ordinary NIZK proof system into one that has strong non-malleability properties. We then show that the elegant encryption scheme of Naor and Yung [NY] can be made secure against the strongest form of chosen-ciphertext attack by using a non-malleable NIZK proof instead of a standard NIZK proof. Our encryption scheme is simple to describe and works in the standard cryptographic model under general assumptions. The encryption scheme can be realized assuming the existence of trapdoor permutations.

1 Introduction

Modern cryptography provides us with several fundamental tools, from encryption schemes to zero-knowledge proofs. For each of these tools, we have some intuition about what they should achieve. But we must be careful to understand the gap between our intuition and what we can actually achieve. Indeed, a major goal of cryptography is to refine our tools to bring them closer to achieving our intuition, while simultaneously refining our intuitions to be consistent with what is attainable. In this work, we focus on two basic cryptographic tools: non-interactive zero-knowledge proofs and public-key encryption schemes. We refine our intuition behind non-interactive zero-knowledge (NIZK) proofs by defining the notion of non-malleable NIZK, and give constructions that achieve non-malleability. We then use non-malleable NIZK to build a simple public key encryption scheme under general assumptions that achieves the highest level of privacy known to be possible, i.e. security against adaptive chosen-ciphertext attack.
This considerably simplifies the only previously known encryption scheme achieving this level of security under general assumptions.

Non-Malleable Non-Interactive Zero-Knowledge. Zero-knowledge proofs, introduced by Goldwasser, Micali, and Rackoff [GMR], are fascinating and extremely useful constructs. The intuition behind them is clear from their name: they should be convincing, and yet yield nothing beyond the validity of the assertion being proven. Blum, Feldman, and Micali [BFM] extend this seemingly contradictory notion to the non-interactive setting as well; they define a notion of non-interactive zero-knowledge proofs, which are sent without interaction from the Prover to the Verifier, in a model where all parties share a common random reference string. NIZK proofs have proved themselves of great value, and have been used to achieve chosen-ciphertext security for encryption schemes [NY, DDN] as well as signature schemes secure against chosen-message attack [BG]. For NIZK, the formal requirement of [BFM] (later refined by [FLS]) captures the following requirement: what one can output after seeing an NIZK proof is indistinguishable from what one can output without seeing it, if the output is examined independent of the actual reference string. However, the reference string is precisely what is used to build and verify NIZK proofs! Thus, nothing in the formal definition prevents the possibility that seeing one NIZK proof could enable an adversary to prove many other statements it could not have proved otherwise, which is very far from the intuition of zero-knowledge.¹

¹ This is true even for the adaptive zero-knowledge definition of NIZK. We give an example in the next paragraph.

To some extent, this is unavoidable: one

can always duplicate an NIZK proof, and hence prove something that one possibly could not have proved beforehand. But can we hope to demand the following requirement: whatever one can prove after seeing an NIZK proof, one could also have proved before seeing it, except for the ability to duplicate the proof? This would come much closer to our intuition of zero-knowledge. Following the paradigm of [DDN] (who studied, among other topics, similar problems which arise in concurrent executions of interactive zero-knowledge proofs), we call this property non-malleability² for non-interactive zero-knowledge, and it is precisely this property we introduce and examine in this work. Note that this non-malleability property does not follow from the current definitions of NIZK, as the following simple example demonstrates: Suppose $\Pi$ is a NIZK proof system for a hard language $L \in NP$. Let $L'$ be the language of pairs of strings in $L$, i.e. $L' = \{(x, y) : x \in L \text{ and } y \in L\}$. Then if we define a new proof system $\Pi'$ that uses a reference string $\Sigma = \Sigma_1 \Sigma_2$ consisting of the concatenation of two reference strings for $\Pi$, and whose proofs simply consist of pairs of proofs under $\Pi$ that $x \in L$ and $y \in L$ using reference strings $\Sigma_1$ and $\Sigma_2$ respectively, it is easy to verify that $\Pi'$ will be a NIZK proof system for $L'$. However, suppose we see a proof $p = (p_1, p_2)$ that $(x, y) \in L'$ and we do not know how to prove that $y \in L$, but we have a witness to the fact that $x' \in L$. Then we can build a proof $p'_1$ under $\Pi$ that $x' \in L$, and by splicing it with the proof we were given, produce a new proof $p' = (p'_1, p_2)$ under $\Pi'$ that $(x', y) \in L'$, which we did not know how to do before seeing $p$.

Our Results on Non-Malleable NIZK. We formalize the notion of non-malleable NIZK, and give a construction that transforms any ordinary NIZK proof system into a non-malleable NIZK proof system, under the assumption that one-way functions exist. Our basic construction achieves non-malleability only with respect to a single proof, i.e.
the non-malleability is guaranteed when the adversary only sees a single proof from the outside world. We note, however, that this suffices for our application of constructing encryption schemes secure against adaptive chosen-ciphertext attack. We then give another construction that achieves non-malleability with respect to any fixed polynomial number of proofs, where the size of the common random reference string grows with the bound on the number of proofs, but the probability of cheating remains negligible. As we noted earlier, this seems to us a minimal requirement one should expect from zero-knowledge proofs. Indeed, it is fascinating to ask what still stronger properties one could hope to define and achieve.

² We choose this term since the definition deals with the ability to modify (or "maul") an NIZK proof to produce different valid proofs.

CCA-Secure Encryption Discussion. In the context of encryption, which is perhaps the best studied notion in cryptography, our basic intuition is to think of encryption schemes as providing a secure envelope, which only the proper addressee can open. This is a very compelling metaphor, and is undoubtedly the inspiration for the design of many cryptographic protocols. But what are the essential properties of a secure envelope? The most basic is passive privacy: a passive eavesdropper should not learn any useful information about a message from its encryption. Goldwasser and Micali's notion of semantic security [GM] is the accepted formalization of this property, and encryption schemes that achieve this property have been studied extensively. However, we may require stronger privacy properties from encryption schemes: If encryption is to be used as a primitive in higher level protocols, we may need security against active attacks, such as a chosen-ciphertext attack (CCA), where the adversary has some access to a decryption mechanism. There are two commonly considered notions of chosen-ciphertext attack.
In the strongest proposed notion, known as an adaptive chosen-ciphertext attack (denoted CCA2), the adversary is allowed to ask for the decryption of any ciphertext other than the challenge ciphertext. In the weaker form, known as a lunchtime attack (denoted CCA1), the adversary has access to the decryption mechanism only prior to receiving the challenge ciphertext which it must decipher. (Formal definitions of security against various kinds of attacks are given in Definition 2.3.) Security with respect to the stronger notion (CCA2) implies other desirable properties which we do not have space to discuss, such as non-malleability (e.g. see [DDN, BDPR, BS]), as well. This kind of security is needed if encryption is to be used in general applications, such as exchange of e-mail, where users may unwittingly provide attackers with decryptions of selected ciphertexts. Encryption with this strongest property (CCA2-security) has been proposed as a component in authentication and key exchange protocols [BCK], electronic payment [SET], and deniable authentication protocols [DNS]. For more discussion on the importance of chosen-ciphertext security, see [Sho98].

Prior Work on CCA-Secure Encryption. Much work has been done on achieving chosen-ciphertext security in encryption schemes. Naor and Yung [NY] gave an elegant construction based on general cryptographic assumptions which achieves security against the weaker form of chosen-ciphertext attack (CCA1). Rackoff and Simon [RS] showed how to modify the scheme of Naor and Yung to achieve security against adaptive chosen-ciphertext attack (CCA2), but only in a model with a trusted center assigning certified keys to all

parties. More recently, Bellare and Rogaway [BR1, BR] have proposed efficient schemes whose security relies on a random oracle, and Cramer and Shoup [CS] have given an efficient scheme based on the Decisional Diffie-Hellman assumption. Until now, the only known encryption scheme achieving adaptive chosen-ciphertext (CCA2) security based on general assumptions was given by Dolev, Dwork, and Naor [DDN].

Our Results on CCA-Secure Encryption. In this work, we show how to use non-malleable NIZK to modify the original elegant scheme of Naor and Yung and achieve provable security against adaptive chosen-ciphertext attack based only on general assumptions. The scheme of Naor and Yung is very simple: A message is encrypted using two independent semantically-secure encryption functions, and an NIZK proof is provided showing that both ciphertexts are encryptions of the same message. Unfortunately, the NIZK proof alone fails to provide security against adaptive chosen-ciphertext attack (CCA2).³ We show that by simply replacing the NIZK proof with a non-malleable NIZK proof, one achieves full security against adaptive chosen-ciphertext attack. In contrast, the only previously known scheme based on general assumptions, that of [DDN], has a quite involved construction, which exploits an intricate interplay between many encryptions, NIZK proofs, and other components. Our scheme gives a simple framework for building encryption schemes secure against CCA2 from two well-defined basic components, namely semantically-secure encryption schemes and non-malleable NIZK proofs. If efficient implementations of non-malleable NIZK proof systems for the consistency of encryptions were found for some particular semantically-secure encryption schemes, this would yield efficient encryption schemes secure against adaptive chosen-ciphertext attack, as well. Based on the current state of knowledge, the NIZK proof system needed for our scheme can be realized based on any trapdoor permutation.
Thus trapdoor permutations suffice for realizing our encryption scheme.

Overview. We will first formalize our notion of non-malleable NIZK, as well as a closely related property called simulation soundness. We then present a construction for achieving non-malleable NIZK, and give a generalization, based on polynomials, of our construction to achieve non-malleability against any fixed polynomial number of proofs. Finally, we present the construction of an encryption scheme secure against adaptive chosen-ciphertext attack, and formally prove its correctness.

³ This can be seen trivially by considering an NIZK proof system which simply ignores the last bit of any proof. Thus, in an adaptive chosen-ciphertext attack, the adversary can simply flip the last bit of the NIZK proof in the challenge ciphertext and query the decryption oracle to break the scheme.

2 Preliminaries

We use standard notations and conventions for writing probabilistic algorithms and experiments. If $A$ is a probabilistic algorithm, then $A(x_1, x_2, \ldots; r)$ is the result of running $A$ on inputs $x_1, x_2, \ldots$ and coins $r$. We let $y \leftarrow A(x_1, x_2, \ldots)$ denote the experiment of picking $r$ at random and letting $y$ be $A(x_1, x_2, \ldots; r)$. If $S$ is a finite set then $x \leftarrow S$ is the operation of picking an element uniformly from $S$. $x := y$ is a simple assignment statement. By a non-uniform (probabilistic) polynomial-time adversary, we always mean a circuit whose size is polynomial in the security parameter. Sometimes we break up algorithms (such as simulators and adversaries) into multiple stages; in such cases we will use $s$ or $\tau$ to denote state information passed from one stage to another.
We first define efficient non-interactive proof systems, and then give a definition of adaptive single-theorem non-interactive zero-knowledge (as in [FLS]):

Definition 2.1 [NIPS] $\Pi = (f, P, V)$ is an efficient non-interactive proof system for a language $L \in NP$ with witness relation $R$ if $f$ is a polynomial and $P$ and $V$ are probabilistic polynomial-time machines such that:

(Completeness): For all $x \in L$ and all $w$ such that $R(x, w) = \text{true}$, for all strings $\Sigma$ of length $f(|x|)$, we have that $V(x, P(x, w, \Sigma), \Sigma) = \text{true}$.

(Soundness): For all adversaries $A$, if $\Sigma \in \{0,1\}^{f(k)}$ is chosen randomly, then the probability that $A(\Sigma)$ will output $(x, p)$ such that $x \notin L$ but $V(x, p, \Sigma) = \text{true}$ is negligible in $k$.

Definition 2.2 [NIZK] $\Pi = (f, P, V, S = (S_1, S_2))$ is an efficient adaptive single-theorem non-interactive zero-knowledge proof system for the language $L$ if $(f, P, V)$ is an efficient non-interactive proof system and $S_1, S_2$ are probabilistic polynomial-time machines such that for all non-uniform polynomial-time adversaries $A = (A_1, A_2)$, we have that $\bigl|\Pr[\text{Expt}_A(k) = 1] - \Pr[\text{Expt}^S_A(k) = 1]\bigr|$ is negligible in $k$, where $\text{Expt}_A(k)$ and $\text{Expt}^S_A(k)$ are:

$\text{Expt}_A(k)$:
    $\Sigma \leftarrow \{0,1\}^{f(k)}$
    $(x, w, s) \leftarrow A_1(\Sigma)$
    $p \leftarrow P(x, w, \Sigma)$
    return $A_2(p, s)$

$\text{Expt}^S_A(k)$:
    $(\Sigma, \tau) \leftarrow S_1(1^k)$
    $(x, w, s) \leftarrow A_1(\Sigma)$
    $p \leftarrow S_2(x, \tau)$
    return $A_2(p, s)$

We also use the standard definitions for encryption schemes secure against adaptive chosen-ciphertext attack (denoted CCA2) and chosen-plaintext attack (denoted CPA), which can be found for example in [BDPR]. Note that semantic security is equivalent to security against chosen-plaintext attack.

Definition 2.3 [CPA, CCA1, CCA2] Let $(G, E, D)$ be an encryption scheme and let $A = (A_1, A_2)$ be an adversary. For $\text{ATK} \in \{\text{CPA}, \text{CCA1}, \text{CCA2}\}$ and $k \in \mathbb{N}$, define the advantage of $A$ to be:

$\text{Adv}^{\text{ATK}}_A(k) \stackrel{\text{def}}{=} 2 \cdot \Pr[\text{Expt}^{\text{ATK}}_A(k) = 1] - 1$

where:

$\text{Expt}^{\text{ATK}}_A(k)$:
    $(pk, sk) \leftarrow G(1^k)$
    $(m_0, m_1, s) \leftarrow A_1^{O_1}(pk)$
    $b \leftarrow \{0,1\}$
    $y \leftarrow E_{pk}(m_b)$
    $g \leftarrow A_2^{O_2}(y, s)$
    return 1 iff $g = b$

If $\text{ATK} = \text{CPA}$ then $O_1(\cdot) = \varepsilon$ and $O_2(\cdot) = \varepsilon$.
If $\text{ATK} = \text{CCA1}$ then $O_1(\cdot) = D_{sk}(\cdot)$ and $O_2(\cdot) = \varepsilon$.
If $\text{ATK} = \text{CCA2}$ then $O_1(\cdot) = D_{sk}(\cdot)$ and $O_2(\cdot) = D^{(y)}_{sk}(\cdot)$.

Above, $D^{(y)}_{sk}(\cdot)$ means the oracle that decrypts any ciphertext except $y$. We insist, above, that $A_1$ outputs $m_0, m_1$ with $|m_0| = |m_1|$. We say that $(G, E, D)$ is secure against ATK if $A$ being non-uniform polynomial-time implies that $\text{Adv}^{\text{ATK}}_A(\cdot)$ is negligible.

3 Non-Malleable NIZK

In this section, we define non-malleable NIZK and related notions. The notion of non-malleability for NIZK is meant to capture the following requirement: whatever one can prove after seeing an NIZK proof, one could also have proved without seeing it, except for the ability to duplicate the proof. Put a little more formally, suppose we are given an adversary $A$ that, after seeing a proof $p$ of the statement $x \in L$, is able to produce a proof $p' \neq p$ for some $x'$ satisfying some polynomial-time verifiable property $R(x')$, with probability $q$. Then we should be able to transform $A$ into another adversary $A'$ that directly produces a proof for some $x'$ that satisfies $R(x')$, with probability negligibly different from $q$. We can turn this into a formal definition of a non-malleable NIZK proof system, which we give with respect to single proofs.
It turns out, however, that we will need to capture a stronger notion of non-malleability, which we call adaptive non-malleability, where we allow the adversary to ask for the proof of a theorem of its choosing. Note that this is not possible in the usual scenario, since some party must supply a witness for every theorem in order for a proof of it to be produced. Of course, if the adversary did this, then this would make the definition trivial, since then the adversary can produce the proof on its own and is not receiving any outside help. Hence, we instead make this definition with respect to simulated proofs, which do not require any witnesses.⁴ We present here this stronger definition of non-malleability, and defer the weaker definition of ordinary (non-adaptive) non-malleability (which is implied by the definition below) to the full version of this paper.

Definition 3.1 [Adaptive Non-Malleable NIZK] Let $\Pi = (f, P, V, S = (S_1, S_2))$ be an efficient non-interactive single-theorem adaptive zero-knowledge proof system for the language $L$.
We say that $\Pi$ is an adaptively non-malleable NIZK proof system for $L$ if there exists an efficient non-interactive proof system $\Pi' = (f', P', V')$ for the same language $L$, and a probabilistic polynomial-time oracle machine $M$ such that: For all non-uniform polynomial-time adversaries $A = (A_1, A_2)$ and for all non-uniform polynomial-time relations $R$, we have that $\bigl|\Pr[\text{Expt}_{A,R,\Pi}(k)] - \Pr[\text{Expt}'_{A,R,\Pi'}(k)]\bigr|$ is negligible in $k$, where $\text{Expt}_{A,R,\Pi}(k)$ and $\text{Expt}'_{A,R,\Pi'}(k)$ are:

$\text{Expt}_{A,R,\Pi}(k)$:
    $(\Sigma, \tau) \leftarrow S_1(1^k)$
    $(x, s) \leftarrow A_1(\Sigma)$
    $p \leftarrow S_2(x, \Sigma, \tau)$
    $(x', p', \text{aux}) \leftarrow A_2(x, p, \Sigma, s)$
    return true iff $(p' \neq p)$ and $(V(x', p', \Sigma) = \text{true})$ and $(R(x', \text{aux}) = \text{true})$

$\text{Expt}'_{A,R,\Pi'}(k)$:
    $\Sigma' \leftarrow \{0,1\}^{f'(k)}$
    $(x', p', \text{aux}) \leftarrow M^A(\Sigma')$
    return true iff $(V'(x', p', \Sigma') = \text{true})$ and $(R(x', \text{aux}) = \text{true})$

We also define another notion for NIZK which we call simulation soundness, which is similar to but incomparable to non-malleability, but which our construction also achieves, and which also suffices for constructing strong encryption schemes. The soundness property of proof systems states that with overwhelming probability, the prover should be incapable of convincing the verifier of a false statement. In this definition, we will ask that this remains the case even after a polynomially bounded party has seen a simulated proof of its choosing.

⁴ It is conceivable that we could introduce an all-powerful party that supplies witnesses to true statements, and make the definition this way. As done in [FLS] when defining adaptive zero-knowledge, we choose not to take this route, as it would necessarily give the adversary the power to check membership in $L$, which is a power we do not necessarily want to capture. We note, however, that if adaptive zero-knowledge is defined in this manner, then our simulation-based definition (giving $M$ the additional power to make one oracle call to $L$) would imply the all-powerful party-based definition, as well.

Definition 3.2 [Simulation-Sound NIZK] Let $\Pi = (f, P, V, S = (S_1, S_2))$ be an efficient non-interactive single-theorem adaptive zero-knowledge proof system for the language $L$. We say that $\Pi$ is simulation-sound if for all non-uniform probabilistic polynomial-time adversaries $A = (A_1, A_2)$, we have that $\Pr[\text{Expt}_{A,\Pi}(k)]$ is negligible in $k$, where $\text{Expt}_{A,\Pi}(k)$ is the following experiment:

$\text{Expt}_{A,\Pi}(k)$:
    $(\Sigma, \tau) \leftarrow S_1(1^k)$
    $(x, s) \leftarrow A_1(\Sigma)$
    $p \leftarrow S_2(x, \Sigma, \tau)$
    $(x', p') \leftarrow A_2(x, p, \Sigma, s)$
    return true iff $(p' \neq p)$ and $(x' \notin L)$ and $(V(x', p', \Sigma) = \text{true})$

We further define two technical properties we will desire from our NIZK proof systems. The first captures the simple requirement that simulated proofs should have sufficient internal randomness that it should be very unlikely that one can predict what the output of the simulator will be beforehand. Formally, we say an NIZK proof system has unpredictable simulated proofs if for all non-uniform polynomial-time adversaries $A$, we have that the following experiment has a negligible probability of success:

    $(\Sigma, \tau) \leftarrow S_1(1^k)$
    $(x, p) \leftarrow A(\Sigma)$
    $p' \leftarrow S_2(x, \Sigma, \tau)$
    return true iff $p = p'$

We also define the notion that no single proof should be convincing for more than one theorem. Formally, we say an NIZK proof system has uniquely applicable proofs if for all $x, p, \Sigma$, we have that $V(x, p, \Sigma) = 1$ implies $V(x', p, \Sigma) = 0$ for all $x' \neq x$. The proof systems constructed in this paper will always have unpredictable simulated proofs and uniquely applicable proofs.

The Construction.
We now show, assuming that one-way functions exist, how to transform any efficient non-interactive single-theorem adaptive zero-knowledge proof system $\Pi = (f, P, V, S = (S_1, S_2))$ for a language $L$ into an adaptively non-malleable and simulation-sound non-interactive zero-knowledge proof system $\Pi' = (f', P', V', S' = (S'_1, S'_2))$ for the language $L$. ($\Pi'$ will also have unpredictable simulated proofs and uniquely applicable proofs.) The necessary additional component will be what we call a strong one-time signature scheme $(\text{Gen}, \text{Sign}, \text{Ver})$, where we strengthen the usual unforgeability requirement to require that no adversary, when given a signature of a message of its choosing, can produce a different valid signature of any message, including the message that was already signed. Such a signature scheme can be built from any one-way function as follows: First, choose a universal one-way hash function $h$ mapping $\{0,1\}^*$ to $\{0,1\}^k$ (such a hash function can be based on any one-way function using the construction of [R]). Then choose $2k$ strings $x^0_1, \ldots, x^0_k, x^1_1, \ldots, x^1_k$ uniformly at random from $\{0,1\}^{3k}$, and let $y^b_i = h(x^b_i)$. The verification key will be the $y^b_i$'s and a description of $h$. The signing key will be the $x^b_i$'s. To sign a message $m \in \{0,1\}^*$, one computes $u = u_1 \ldots u_k = h(m)$, and outputs $(x^{u_1}_1, \ldots, x^{u_k}_k)$. To verify a signature $(z_1, \ldots, z_k)$ on message $m$, one simply computes $u = h(m)$, and verifies that $h(z_i) = y^{u_i}_i$ for all $i$. It is straightforward to verify that this scheme has the properties we desire, and the details are skipped here. Let us assume that the public verification key VK produced by $\text{Gen}(1^k)$ is bounded in length by a polynomial $q(k)$. We also assume there is a known efficiently computable function $g : \{0,1\}^{q(k)} \to 2^{[q'(k)]}$ mapping $q(k)$-bit strings to distinct subsets of $[q'(k)] = \{1, 2, \ldots, q'(k)\}$ containing precisely $q'(k)/2$ elements.
For instance, one such $g$ could be gotten by letting $q'(k) = 2q(k)$, and defining $g(x)$ to be the subset of $[q'(k)]$ that contains $2i$ if $x_i = 0$ and $2i - 1$ if $x_i = 1$.

Intuition. Dolev, Dwork, and Naor [DDN] implicitly introduced a powerful method which we call unduplicatable set selection using authentication mechanisms, and applied this to encryption functions. We adapt this technique to apply it to NIZK, and show that it can be used to achieve non-malleability here, as well. Furthermore, by using this in conjunction with a particular combinatorial construction which we can realize using polynomials over finite fields, we show how to achieve non-malleable NIZK for many proofs, if a polynomial bound on the number of proofs is known beforehand. We note that Di Crescenzo et al. [DIO] also implicitly apply unduplicatable set selection to attack the problem of non-malleable commitment, but do so in a complicated way. The techniques in our work can be used to provide an alternative, simpler construction to theirs. The additional resource of the strong one-time signature scheme will be used to implement this notion of unduplicatable set selection: We choose a verification
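The strong one-time signature scheme and the set-selection function $g$ described above, as an added worked example that is not part of the paper: the hash-based (Lamport-style) signature with $2k$ secret strings $x^b_i$, the verification-key bits fed into $g$ to pick $q(k)$ of the $q'(k) = 2q(k)$ positions, and the observation that two distinct verification keys always select sets that each contain a position the other lacks. Assumptions of this example: SHA-256 truncated to $k$ bits stands in for the universal one-way hash function $h$ of [R], $k = 32$ is a toy parameter, and the names `gen`, `sign`, `verify`, `g` and `uncovered` are the example's own.

```python
import hashlib
import secrets

# Toy security parameter k (assumption of this example; the paper leaves k abstract).
# Hash outputs are truncated to k bits, so k = 32 is for illustration only.
K = 32


def h(data: bytes) -> bytes:
    """Stand-in for the universal one-way hash function h of [R]: SHA-256
    truncated to k bits (an assumption of this example, not the paper's)."""
    return hashlib.sha256(data).digest()[:K // 8]


def bits(data: bytes, n: int) -> list:
    """First n bits of data, most significant bit of each byte first."""
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]


def gen():
    """Gen(1^k): signing key = 2k uniformly random 3k-bit strings x_i^b,
    verification key = y_i^b = h(x_i^b) (plus the fixed description of h)."""
    sk = [[secrets.token_bytes(3 * K // 8) for _ in (0, 1)] for _ in range(K)]
    vk = [[h(x) for x in pair] for pair in sk]
    return vk, sk


def sign(sk, m: bytes) -> list:
    """Sign_SK(m): u = h(m); reveal x_i^{u_i} for each bit u_i of u."""
    u = bits(h(m), K)
    return [sk[i][u[i]] for i in range(K)]


def verify(vk, m: bytes, sig: list) -> bool:
    """Ver_VK(m, sig): recompute u = h(m) and check h(z_i) = y_i^{u_i} for all i.
    A different valid signature on m would need a second preimage of some y_i^{u_i}."""
    if len(sig) != K:
        return False
    u = bits(h(m), K)
    return all(h(z) == vk[i][u[i]] for i, z in enumerate(sig))


# The serialized verification key has q(k) = 2k * k bits; g maps it into [q'] with q' = 2q.
Q = 2 * K * K
QPRIME = 2 * Q


def vk_bits(vk) -> list:
    """The q(k)-bit string VK that g reads (concatenation of all y_i^b)."""
    return bits(b"".join(y for pair in vk for y in pair), Q)


def g(vk) -> frozenset:
    """g(VK): the subset of [q'] containing 2i if bit i of VK is 0 and 2i-1 if it is 1
    (positions 1-indexed), i.e. exactly q'/2 of the q' reference strings."""
    return frozenset(2 * i if b == 0 else 2 * i - 1
                     for i, b in enumerate(vk_bits(vk), start=1))


def uncovered(vk_new, vk_seen) -> frozenset:
    """Positions selected by vk_new but not by vk_seen. In the reduction these are
    the reference strings a mauled proof must use without any simulator help;
    the set is non-empty whenever the two keys differ, because both sets have size q'/2."""
    return g(vk_new) - g(vk_seen)


if __name__ == "__main__":
    vk, sk = gen()
    stmt = b"(e0, e1, c0, c1)"          # constructed sample statement to sign
    z = sign(sk, stmt)
    print("signature verifies:", verify(vk, stmt, z))
    print("|g(VK)| == q'/2:", len(g(vk)) == QPRIME // 2)
    vk2, _ = gen()
    print("fresh key selects positions the first did not:", len(uncovered(vk2, vk)) > 0)
```

Keying each proof to a fresh one-time key is what makes the selection unduplicatable: reusing the same positions forces reuse of VK, and then the strong unforgeability of the signature forbids any change to the signed pair $(x, \vec{p})$.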

key/signing key pair (VK, SK), and then use $g(\text{VK})$ to select a set of some objects. We then use SK to sign whatever we do with these objects, but keep SK hidden. To see why we call this unduplicatable set selection, consider what happens if some other party tries to use the same set of objects, but tries to do something different with them. By the properties of $g$, it must use the same verification key VK. By the security of the signature scheme, however, it will be unable to produce a valid signature unless it merely replicates what it already saw. The idea will be to have many reference strings for $\Pi$, and use unduplicatable set selection to select subsets of these reference strings used to prove the desired statements (i.e. our objects will be reference strings, and what we do with these objects is use them to build proofs of some fixed theorem). To simulate a proof, one needs to only select a subset of the reference strings to come from the simulator, while the rest can be truly random. But now, by the property of unduplicatable set selection, if the adversary is able to produce a different proof, it must have used a different set of reference strings, including at least one truly random reference string. Hence, intuitively, we can produce a proof without any help by simply using the adversary with a simulated proof, and then outputting the proof it must produce with respect to one of the truly random reference strings. We now formalize this intuition and define $\Pi'$:

[Reference String Length] $f'(k) = q'(k) \cdot f(k)$. We think of the new reference string $\Sigma'$ as consisting of $q'(k)$ reference strings for $\Pi$, i.e. $\Sigma' = \Sigma_1 \Sigma_2 \cdots \Sigma_{q'(k)}$.

[Prover] $P'(x, w, \Sigma')$:
(1) Run $\text{Gen}(1^k)$ to obtain a verification key / signing key pair (VK, SK) for the one-time signature scheme.
(2) For each $i$ in the set $g(\text{VK})$, obtain $p_i = P(x, w, \Sigma_i)$. For $i \notin g(\text{VK})$, let $p_i = \varepsilon$, the empty string.
(3) Let $\vec{p} = p_1 p_2 \cdots p_{q'(k)}$.
(4) Output $(\text{VK}, x, \vec{p}, \text{Sign}_{\text{SK}}(x, \vec{p}))$.

[Verifier] $V'(x, p = (\text{VK}, x', \vec{p}, z), \Sigma')$:
(1) Check $x = x'$, and validity of the one-time signature $z$, i.e.
$\text{Ver}_{\text{VK}}((x, \vec{p}), z) = \text{true}$.
(2) Decompose $\vec{p}$ into $p_i$ for $i$ in $g(\text{VK})$.
(3) For each $i$ in $g(\text{VK})$, verify the proof $p_i$, i.e. $V(x, p_i, \Sigma_i) = \text{true}$.

[Simulator]
$S'_1(1^k)$:
    $(\text{VK}, \text{SK}) \leftarrow \text{Gen}(1^k)$
    $(\Sigma_i, \tau_i) \leftarrow S_1(1^k)$ for $i \in g(\text{VK})$
    $\Sigma_i \leftarrow \{0,1\}^{f(k)}$ for $i \notin g(\text{VK})$
    $\Sigma' := \Sigma_1 \cdots \Sigma_{q'(k)}$
    return $(\Sigma', \tau' = (\text{VK}, \text{SK}, \{\tau_i\}))$

$S'_2(x, \Sigma', \tau' = (\text{VK}, \text{SK}, \{\tau_i\}))$:
    $p_i \leftarrow S_2(x, \Sigma_i, \tau_i)$ for $i \in g(\text{VK})$
    $p_i \leftarrow \varepsilon$ for $i \notin g(\text{VK})$
    $\vec{p} = p_1 \cdots p_{q'(k)}$
    return $(\text{VK}, x, \vec{p}, \text{Sign}_{\text{SK}}(x, \vec{p}))$

That $\Pi'$ is an efficient non-interactive single-theorem adaptive zero-knowledge proof system for $L$, and that it has unpredictable simulated proofs and uniquely applicable proofs, is easy to verify from the construction. We now prove that this construction also achieves adaptive non-malleability:

Proof: We follow the intuition presented above. First, we define a slightly altered version $\Pi''$ of the proof system $\Pi$. Proofs in $\Pi''$ are identical to those in $\Pi$, except the reference string $\Sigma'' = \Sigma''_1 \ldots \Sigma''_{q'(k)/2}$ for $\Pi''$ consists of $q'(k)/2$ different reference strings for $\Pi$, and a proof is considered valid if it is valid for any of these reference strings. Clearly, the soundness error of $\Pi''$ can only be polynomially higher than that of $\Pi$; since $\Pi$ has negligible soundness error, we have that $\Pi''$ also has negligible soundness error, and thus is a non-interactive proof system for $L$. We now exhibit an adversary transformer $M$ that transforms an adversary $A = (A_1, A_2)$ into an adversary that forges a proof for the proof system $\Pi''$. On input $\Sigma'' = \Sigma''_1 \ldots \Sigma''_{q'(k)/2}$ (which is a reference string for $\Pi''$), and given oracle access to $A_1$ and $A_2$, $M$ simply simulates the experiment $\text{Expt}_{A,R,\Pi'}$ above, except that after calling $S'_1$ to generate $\Sigma' = \Sigma_1 \cdots \Sigma_{q'(k)}$, it replaces $\Sigma_{a_i}$ with $\Sigma''_i$, where $\{a_1, \ldots, a_{q'(k)/2}\} = \{1, \ldots, q'(k)\} \setminus g(\text{VK})$. Since the input distribution to $M$ is uniform, the resulting distribution on $\Sigma'$ is identical to the distribution output normally by $S'_1$, and by construction $S'_2$ will work precisely as before. Suppose that $A_2(x, p, \Sigma', s)$ does output $(x', p', \text{aux})$ such that $p' \neq p$ yet $V'(x', p', \Sigma') = \text{true}$ and $R(x', \text{aux}) = \text{true}$.
Now, since $p' = (\text{VK}', x', \vec{p}\,', z') \neq p = (\text{VK}, x, \vec{p}, z)$, this leaves two possibilities: The first case is that $\text{VK} = \text{VK}'$, so $p$ and $p'$ differ in some other component. But the fact that $p'$ passed the verification implies that $A$ was able to produce a message/signature pair for VK different from the one given by $M$. If this case occurs with non-negligible probability, then we can use $A$ to forge signatures and break

the strong one-time signature scheme. We are assuming this is not possible, thus the case that $\text{VK} = \text{VK}'$ must occur with negligible probability. On the other hand, if $\text{VK} \neq \text{VK}'$, then we know that the set $g(\text{VK}) \neq g(\text{VK}')$. Since both sets have exactly $q'(k)/2$ elements, $g(\text{VK}')$ is not contained in $g(\text{VK})$, and so $p'$ contains some valid proof $p_i$ for $i \notin g(\text{VK})$, i.e. with respect to one of the truly random reference strings $\Sigma''_j$. Thus, $M$ can simply output $(x', p_i, \text{aux})$, which is a valid proof for $\Pi''$. This establishes the adaptive non-malleability of our NIZK proof system.

Note that precisely the same proof shows that $\Pi'$ is simulation-sound, since the same reduction would show that if $A$ is able to output false proofs with respect to $\Pi'$ with non-negligible probability, then $M$ will output false proofs with respect to $\Pi''$ with non-negligible probability. But $M$ receives as input only a truly random reference string for $\Pi''$. Hence, by the definition of soundness for $\Pi''$, it must be that $M$ has only negligible probability of outputting a false proof.

We also note that this construction can be made more efficient by using a universal one-way hash function $h$ that maps $\{0,1\}^{q(k)}$ to $\{0,1\}^k$, to have the sets selected according to $g(h(\text{VK}))$. The same analysis goes through with only minor modification, namely we must argue that $h(\text{VK}') = h(\text{VK})$ occurs with negligible probability rather than $\text{VK}' = \text{VK}$, but this will follow directly from the one-wayness of the hash function.

Generalizing to many proofs. The proof above shows that our construction achieves adaptive non-malleability when the adversary sees a single proof, but gives no guarantees for the case where more proofs are observed. Indeed, one can construct counterexamples where it fails against multiple proofs. Nevertheless, somewhat surprisingly, this level of security suffices for the application of building encryption schemes that are secure against adaptive chosen-ciphertext attack, even for multiple messages. However, we can explicitly build proof systems that remain non-malleable against multiple proofs, when a polynomial bound on the number of proofs is known in advance.
Note that this extension is non-trivial; for instance, the natural idea of simply concatenating polynomially many reference strings to form a new reference string, and choosing a random one each time to prove a statement, does not work, since this would retain an inverse polynomial probability of having the same reference string used twice. The framework we presented above, based on unduplicatable set selection, however, was designed so that we could extend it to the case of multiple proofs. Above, we simply wanted to ensure that the set of $\Sigma_i$ selected for each verification key (or hash of the verification key) was distinct, so that at least one $\Sigma_i$ would differ between the adversary's proof and the proof it received. Now, for any fixed polynomial bound $t(k)$ on the number of proofs that the adversary can ask for, we will need to ensure that for any set selected by the adversary (which will be distinct from the $t(k)$ sets it has already seen, with high probability, by the property of unduplicatable set selection), there will be at least one $\Sigma_i$ that was not in any of the $t(k)$ sets that the adversary has already seen. This can be accomplished through the use of a combinatorial set system where no $t(k)$ sets cover any other set, which we can build efficiently using polynomials. To accomplish our modification, we take the construction above and use a new function $g$, and modify $f'$ accordingly. Recall that the input to $g$, which would be a verification key (or the hash of a verification key), has length $q(k)$, while the output of $g$ is to be some subset of $[q'(k)]$. We will now suppress the dependence on $k$ for notational convenience. Let $\ell = 2qt$, and assume $\ell$ is a prime power (otherwise take the next higher prime power). We construct the finite field $\mathbb{F}_\ell$ (which can be done efficiently). Let $q' = \ell^2 = O(q^2 t^2)$, and associate $[q']$ with the set $\mathbb{F}_\ell \times \mathbb{F}_\ell$. The size of the sets output by $g$ will be $\ell$. Now, if $g$ receives as input the bit string $m = m_0 m_1 \ldots m_{q-1}$, we consider the polynomial $f_m = m_0 + m_1 x + m_2 x^2 + \cdots + m_{q-1} x^{q-1}$.
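The polynomial set system just introduced, as an added worked example rather than code from the paper: $g(m)$ is the graph $\{(u, f_m(u)) : u \in \mathbb{F}_\ell\}$ of the polynomial with coefficient bits $m_0, \ldots, m_{q-1}$, two distinct polynomials of degree at most $q-1$ agree on at most $q-1$ points, and so $t$ previously seen sets can cover at most $t(q-1) < \ell/2$ points of any other set. Assumptions of this example: $\ell$ is rounded up to a prime rather than an arbitrary prime power (the paper allows either), $q$ and $t$ are small toy values, and the names `field_size`, `g_poly`, `uncovered_count` and `covering_bound` are the example's own.

```python
def next_prime(n: int) -> int:
    """Smallest prime >= n (trial division is fine for the toy sizes used here)."""
    def is_prime(x: int) -> bool:
        if x < 2:
            return False
        d = 2
        while d * d <= x:
            if x % d == 0:
                return False
            d += 1
        return True
    while not is_prime(n):
        n += 1
    return n


def field_size(q: int, t: int) -> int:
    """ell = 2qt rounded up to a prime, so that q - 1 < ell / (2t) still holds."""
    return next_prime(2 * q * t)


def g_poly(m_bits: list, ell: int) -> frozenset:
    """g(m) = {(u, f_m(u)) : u in F_ell}, with f_m(x) = sum_i m_i x^i of degree <= q-1.
    Pairs in F_ell x F_ell play the role of the positions [q'] with q' = ell^2."""
    def f_m(u: int) -> int:
        acc = 0
        for coeff in reversed(m_bits):   # Horner evaluation modulo ell
            acc = (acc * u + coeff) % ell
        return acc
    return frozenset((u, f_m(u)) for u in range(ell))


def uncovered_count(m_bits: list, seen: list, ell: int) -> int:
    """|g(m) \\ (g(m_1) u ... u g(m_t))|: positions of the adversary's set that none of
    the t sets used in the proofs it has already seen contain."""
    covered = frozenset().union(*(g_poly(s, ell) for s in seen))
    return len(g_poly(m_bits, ell) - covered)


def covering_bound(q: int, t: int, ell: int) -> int:
    """Lower bound ell - t(q-1) on the uncovered count, from the degree argument.
    It is strictly above ell/2 because t(q-1) < tq = ell/2 (or less, after rounding ell up)."""
    return ell - t * (q - 1)


def simulate_many_proofs(q: int, t: int, seen: list, adversary: list) -> bool:
    """The simulator plans t verification keys ahead of time and plants simulated reference
    strings only at the positions those keys select; this returns whether the adversary's
    distinct key is forced to use at least ell/2 positions that are truly random."""
    ell = field_size(q, t)
    return uncovered_count(adversary, seen, ell) * 2 >= ell


if __name__ == "__main__":
    q, t = 8, 3                                   # toy sizes (constructed)
    ell = field_size(q, t)                        # 2*8*3 = 48 -> 53
    seen = [[1, 0, 0, 1, 1, 0, 1, 0],             # three constructed "observed" keys
            [0, 1, 1, 0, 0, 0, 1, 1],
            [1, 1, 1, 1, 0, 1, 0, 0]]
    adversary = [0, 0, 1, 0, 1, 1, 0, 1]
    print("field size:", ell)
    print("uncovered positions:", uncovered_count(adversary, seen, ell),
          ">= bound", covering_bound(q, t, ell))
    print("at least half truly random:", simulate_many_proofs(q, t, seen, adversary))
```

The field size grows only quadratically in $qt$, so the reference string for the many-proof variant has length $\ell^2 \cdot f(k)$ and stays polynomial for any fixed polynomial $t$.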
The set output by $g(m)$ will be $\{(u, f_m(u)) : u \in \mathbb{F}_\ell\}$. Now, for any $m \neq m'$, since the degree of $f_m - f_{m'}$ is at most $q - 1$, we know that $f_m$ and $f_{m'}$ can agree on at most $q - 1 < \ell/2t$ values. Thus, for any set of $t$ strings $m_1, \ldots, m_t$ different from $m$,

$\Bigl|\, g(m) \setminus \bigcup_{i=1}^{t} g(m_i) \,\Bigr| \;\geq\; \ell - t \cdot \frac{\ell}{2t} \;=\; \frac{\ell}{2}.$

The simulation should pick $t$ random verification key and signing key pairs ahead of time, and use simulated reference strings for the $\Sigma_i$ corresponding to these verification keys. Now, by the analysis above, after seeing $t$ proofs, the adversary is forced to select a set of $\Sigma_i$ such that at least half of them are not ones that were involved in the $t$ proofs the adversary has seen. Thus, it can be seen that the proof given for the original construction readily generalizes for this case.

4 Encryption Secure Against Adaptive Chosen-Ciphertext Attack

In this section, we present and prove the correctness of a simple construction of a public-key encryption scheme secure against adaptive chosen-ciphertext attack (CCA2) based on:
(1) Any semantically-secure public-key encryption scheme $(G, E, D)$.
(2) An adaptively non-malleable (or simulation-sound) NIZK proof system $\Pi = (f, P, V, S =$

8 (S 1 ; S 2 )) wit unpredictable simulated proofs and uniquely applicable proofs for te language L of consistent pairs of encryptions, defined formally below: L = f(e 0 ;e 1 ;c 0 ;c 1 ) : 9m; r 0 ;r 1 2f0; 1g : c 0 = E e0 (m; r 0 ) and c 1 = E e1 (m; r 1 )g We note tat L is certainly in NP, since te values of m; r 0 ;r 1 would witness membersip in L, and certainly suc values would always be of size polynomial in e 0 ;e 1 ;c 0 ;c 1. Our sceme is a modification te original elegant sceme of Naor and Yung. Te sceme of Naor and Yung is conceptually very simple: A message is encrypted using two independent semanticallysecure encryption functions, and an NIZK proof is provided sowing tat bot cipertexts are encryptions of te same message. Unfortunately, te NIZK proof alone fails to provide security against adaptive cosencipertext attack. We sow tat by simply replacing te NIZK proof wit an adaptively non-malleable NIZK proof, one acieves full security against adaptive cosen-cipertext attack. More precisely, te construction is as follows: Let `(k) be a polynomial bound on te lengt of messages to be encrypted. Let t(k) be te induced polynomial bound on te amount of randomness needed by E to encrypt messages of lengt up to `(k). Finally, let q(k) be ten te induced polynomial lengt of te reference string required by te proof system. G 0 (1 k ):Call G(1 k ) to generate two pairs (e 0 ;d 0 ) and (e 1 ;d 1 ) of encryption and decryption keys. Select a random reference string 2 f0; 1g q(k) for. Te public key is pk =(e 0 ;e 1 ; ). Te private key is sk =(d 0 ;d 1 ). E 0 (m) : Coose r pk 0;r 1 f0; 1g t(k). Let c 0 := E e0 (m; r 0 ) and c 1 := E e1 (m; r 1 ) and use P to generate a proof p relative to tat (e 0 ;e 1 ;c 0 ;c 1 ) 2 L,usingm; r 0 ;r 1 as te witness. Output (c 0 ;c 1 ;p). D 0 (c sk 0;c 1 ;p) : Use V to verify te correctness of p. If p is valid, output eiter of D d0 (c 0 ) or D d1 (c 1 ), cosen arbitrarily. 
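The polynomial set system that closes Section 3 (the sets $g(m) = \{(u, f_m(u))\}$ and the bound $|g(m) \setminus \bigcup_i g(m_i)| \ge \ell/2$), as an added Python example that is not part of the paper: it assumes a prime field GF(p), with p the first prime at or above 2qt, in place of the prime-power field $F_\ell$, and uses constructed sample strings with q = 4 and t = 2.

```python
# Added example (not from the paper): the polynomial set system used for
# unduplicatable set selection against a bounded number t of proofs.
# Assumption: a prime field GF(p), with p the smallest prime >= 2*q*t, stands in
# for the paper's prime-power field F_ell; q is the bit length of g's input
# (a verification key or its hash) and t bounds the proofs the adversary sees.
from itertools import combinations, product


def next_prime(n):
    """Smallest prime >= n, by trial division (parameters here are tiny)."""
    n = max(n, 2)
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def field_size(q, t):
    """The paper's ell = 2qt, rounded up to a prime rather than a prime power."""
    return next_prime(2 * q * t)


def poly_eval(coeffs, x, p):
    """Evaluate m_0 + m_1 x + ... + m_{q-1} x^{q-1} over GF(p) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def select_set(m, q, t):
    """g(m): the graph {(u, f_m(u)) : u in GF(p)} of the polynomial f_m whose
    coefficients are the bits of the q-bit string m.  |g(m)| = p, and two
    distinct inputs give polynomials that agree on at most q-1 points."""
    if len(m) != q or set(m) - {"0", "1"}:
        raise ValueError("m must be a q-bit string")
    p = field_size(q, t)
    coeffs = [int(b) for b in m]  # m_i is the coefficient of x^i
    return {(u, poly_eval(coeffs, u, p)) for u in range(p)}


def uncovered(m, seen, q, t):
    """Size of g(m) minus the union of the seen sets g(m_i): points of g(m)
    that none of the t sets already shown to the adversary cover."""
    remaining = select_set(m, q, t)
    for mi in seen:
        remaining -= select_set(mi, q, t)
    return len(remaining)


def covering_bound(q, t):
    """Paper's lower bound: t other sets cover at most t*(q-1) < p/2 points of g(m)."""
    p = field_size(q, t)
    return p - t * (q - 1)


def max_agreement(q, t):
    """Largest |g(m) & g(m')| over all distinct q-bit m, m' (exhaustive, small q)."""
    strings = ["".join(bits) for bits in product("01", repeat=q)]
    sets = {s: select_set(s, q, t) for s in strings}
    return max(len(sets[a] & sets[b]) for a, b in combinations(strings, 2))


def demo():
    """Constructed sample: target key hash "1010" (f = 1 + x^2) after the adversary
    has seen t = 2 proofs under "1100" (f = 1 + x) and "0011" (f = x^2 + x^3)."""
    q, t = 4, 2
    p = field_size(q, t)                                # 17
    left = uncovered("1010", ["1100", "0011"], q, t)    # 15 of 17 points unseen
    return p, left, covering_bound(q, t)                # bound is 11 >= p/2


if __name__ == "__main__":
    p, left, bound = demo()
    print(f"GF({p}): {left} of {p} points of g(target) were never seen "
          f"(guaranteed at least {bound}, i.e. more than half)")
    print("max overlap between two distinct sets:", max_agreement(4, 2))
```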
We now prove our main Theorem:

Theorem 4.1 The encryption scheme $(G', E', D')$ above is secure against CCA2.

Proof: Our proof has the same overall structure as the proof of security found in [NY], but differs in most technical aspects. The main idea will be to transform an adaptive chosen-ciphertext attack against the new encryption scheme into a chosen-plaintext attack against the component encryption scheme $(G, E, D)$. Hence we will conclude that since $(G, E, D)$ is secure against chosen-plaintext attack, the new scheme $(G', E', D')$ is secure against adaptive chosen-ciphertext attack.

Suppose that there were a probabilistic polynomial-time attacker $A = (A_1, A_2)$ which achieved inverse polynomial advantage (as a function of $k$) in a CCA2-attack against $(G', E', D')$. From now on, to reduce the cumbersome nature of our notation, we will suppress dependence on $k$, but it should be clear where this dependence arises. We define two experiments that unfurl the definition of a CCA2-attack: In $\mathrm{Expt}_A(b)$, where $b \in \{0,1\}$, the attack is carried out and the challenge given to the adversary $A$ is $m_b$ (where $m_0$ and $m_1$ were the two messages specified by $A$ after the first phase of the attack). Thus, by the definition of advantage in a CCA2 attack, we have that $\Pr[\mathrm{Expt}_A(1) = 1] - \Pr[\mathrm{Expt}_A(0) = 1]$ is at least the advantage of $A$. We also define $\mathrm{Expt}^S_A(b_0, b_1)$, where $b_0, b_1 \in \{0,1\}$, in which the attack is carried out by a simulator; now the challenge is a ciphertext that consists of encryptions of $m_{b_0}$ and $m_{b_1}$, and a simulated proof of consistency. Note that $b_0$ need not equal $b_1$, since the simulator does not need a witness to produce a proof. Formally, $\mathrm{Expt}^S_A(b_0, b_1)$ is as follows:

$\mathrm{Expt}^S_A(b_0, b_1)$:
  Set up $pk, sk$:
    (reference string, simulator state) ← $S_1(1^k)$                         (*)
    $(e_0, d_0) \leftarrow G(1^k)$;  $(e_1, d_1) \leftarrow G(1^k)$
    $pk := (e_0, e_1, \text{reference string})$;  $sk := (d_0, d_1)$
    $(m_0, m_1, s_1) \leftarrow A_1^{D'_{sk}}(pk)$
  Set up challenge:
    $r_0, r_1 \leftarrow \{0,1\}^{t(k)}$
    $c_0 := E_{e_0}(m_{b_0}; r_0)$;  $c_1 := E_{e_1}(m_{b_1}; r_1)$
    $p \leftarrow S_2((e_0, e_1, c_0, c_1), \text{reference string}, \text{simulator state})$   (*)
    $y := (c_0, c_1, p)$
    $g \leftarrow A_2^{D'_{sk}(y)}(y, s_1)$
  return $g$

Note that the only lines that differ between $\mathrm{Expt}^S_A(b, b)$ and $\mathrm{Expt}_A(b)$ are the ones marked with (*) above. For $\mathrm{Expt}_A(b)$, these would be replaced by choosing the reference string uniformly from $\{0,1\}^{q(k)}$ and by $p \leftarrow P((e_0, e_1, c_0, c_1), (m_b, r_0, r_1), \text{reference string})$, respectively. Since $\Pr[\mathrm{Expt}_A(1) = 1] - \Pr[\mathrm{Expt}_A(0) = 1]$ is at least the advantage of $A$, it must be the case that one of the following four quantities is at least one quarter of that advantage:
$$\Pr[\mathrm{Expt}_A(1) = 1] - \Pr[\mathrm{Expt}^S_A(1,1) = 1] \qquad (1)$$
$$\Pr[\mathrm{Expt}^S_A(1,1) = 1] - \Pr[\mathrm{Expt}^S_A(0,1) = 1] \qquad (2)$$
$$\Pr[\mathrm{Expt}^S_A(0,1) = 1] - \Pr[\mathrm{Expt}^S_A(0,0) = 1] \qquad (3)$$
$$\Pr[\mathrm{Expt}^S_A(0,0) = 1] - \Pr[\mathrm{Expt}_A(0) = 1] \qquad (4)$$
It is easily seen that if either (1) or (4) were at least a quarter of the advantage, then this would imply a distinguisher for the simulator of the proof system. This leaves only the two cases of either (2) or (3) being at least a quarter of the advantage. To analyze these cases, we first define some important concepts and prove a critical lemma.

We define a ciphertext $c = (c_0, c_1, p)$ to be valid with respect to a public key $pk = (e_0, e_1, \text{reference string})$ if $V((e_0, e_1, c_0, c_1), p, \text{reference string}) = \mathrm{true}$. Note that only valid ciphertexts are ever decrypted. We define a ciphertext $c$ to be proper with respect to a public key $pk$ if $(e_0, e_1, c_0, c_1) \in L$, i.e. the ciphertexts $c_0$ and $c_1$ are encryptions of the same message. The central observation now is that if the adversary makes no improper but valid queries to the decryption oracle during the attack, then the decryption mechanism needs only one of the decryption keys $d_0$ or $d_1$ in order to answer all queries made by the adversary, since all the valid queries are two encryptions of the same message. In this case, we will show how to mount a chosen-plaintext attack on the underlying encryption scheme $(G, E, D)$ by simulating a chosen-ciphertext attack with the adversary and using it to break the underlying encryption scheme. We will fill in the details shortly. For these ideas to work, however, we need to ensure that the adversary cannot make improper but valid queries. The relevant experiments here are $\mathrm{Expt}^S_A(1,1)$, $\mathrm{Expt}^S_A(0,1)$, and $\mathrm{Expt}^S_A(0,0)$. Note that in the case of $\mathrm{Expt}^S_A(0,1)$, the adversary is given an improper but valid challenge ciphertext, and yet we seek to ensure that it will not be able to produce any other such ciphertexts. Here we see that the non-malleability of the NIZK proof system will be critical in denying the adversary the ability to produce valid improper ciphertexts, even after it has seen such a ciphertext.
We establish the following lemma:

Lemma 4.2 For all $b_0, b_1 \in \{0,1\}$, and all non-uniform polynomial-time adversaries $A = (A_1, A_2)$, the probability over the experiment $\mathrm{Expt}^S_A(b_0, b_1)$ that $A$ will make, in either stage $A_1$ or $A_2$, a valid but improper query to the decryption oracle (different from the challenge ciphertext $y$) is negligible in $k$.

Proof: This lemma follows from the simulation soundness (or similarly from adaptive non-malleability) of the proof system. We build the following machines, which will be plugged into the definition of simulation soundness:

$A'_1$(reference string):
  Initialize $c' := \bot$
  Set up $pk, sk$:
    $(e_0, d_0) \leftarrow G(1^k)$;  $(e_1, d_1) \leftarrow G(1^k)$
    $pk := (e_0, e_1, \text{reference string})$;  $sk := (d_0, d_1)$
  Simulate first stage of attack:
    $(m_0, m_1, s_1) \leftarrow A_1^{D'_{sk}}(pk)$, where any queried valid improper ciphertext is stored in $c'$
  Set up challenge encryptions:
    $r_0, r_1 \leftarrow \{0,1\}^{t(k)}$
    $c_0 := E_{e_0}(m_{b_0}; r_0)$;  $c_1 := E_{e_1}(m_{b_1}; r_1)$
  return $(x = (e_0, e_1, c_0, c_1),\ \text{state} = (s_1, d_0, d_1, c'))$

Above, $A'_1$ implements $D'_{sk}$ for $A_1$, and at the same time whenever $A_1$ presents a query ciphertext $y' = (c'_0, c'_1, p')$, if $y'$ is valid, $A'_1$ also checks whether $y'$ is proper by checking that $D_{d_0}(c'_0) = D_{d_1}(c'_1)$. If this is not the case, we let $c' = y'$. The simulator will provide the proof of consistency for the two challenge encryptions computed by $A'_1$. We then build $A'_2$ to complete the simulation of the second stage of the attack, again looking out for valid improper queries:

$A'_2(x = (e_0, e_1, c_0, c_1),\ p,\ \text{reference string},\ \text{state} = (s_1, d_0, d_1, c'))$:
  $y := (c_0, c_1, p)$
  Simulate second stage of attack:
    $g \leftarrow A_2^{D'_{sk}(y)}(y, s_1)$, where any queried valid improper ciphertext is stored in $c'$
  if $c' = \bot$ then abort
  else return $(x' = (e_0, e_1, c'_0, c'_1),\ p')$

Above, $A'_2$ implements $D'_{sk}(y)$ for $A_2$, and again simultaneously checks as above to see if $A_2$ makes a valid improper query, and if so lets $c'$ be that query $y' = (c'_0, c'_1, p')$. We plug the above two machines $A'_1$ and $A'_2$ into the definition of simulation soundness.

Now, first we note that if $A'_1$ finds a valid improper query $c' = (c'_0, c'_1, p')$, i.e. a valid improper ciphertext is found before the challenge ciphertext $y = (c_0, c_1, p)$ is given, then by unpredictability of simulated proofs, the probability that the proof $p'$ found by the adversary is identical to the proof $p$ output by the simulator is negligible (because of the independent randomization used by the simulator). On the other hand, if $A'_2$ finds a valid improper ciphertext $c' \neq y$, then since the proof system has uniquely applicable proofs, yet $p'$ passes the validity test, the proof components of $c'$ and $y$ must differ (because we assume no proof can be convincing for two different theorems). Thus we see that the probability that $p' \neq p$, $x' \notin L$, and $V(x', p', \text{reference string}) = \mathrm{true}$ is at least the probability that $A$ makes a valid improper query, less something negligible. But the definition of simulation soundness implies that the former probability is negligible, and hence the latter must be negligible as well.

Note that since given the decryption keys one can efficiently check the properness of a ciphertext, this argument applies with the definition of adaptive non-malleability as well: the only changes required are that $A'_2$ should output $\mathrm{aux} = (d_0, d_1)$ and the relation $R((e_0, e_1, c_0, c_1), (d_0, d_1))$ should be true iff $c_0$ and $c_1$ decrypt to different messages. (End of Proof of Lemma 4.2)

Now we are ready to show how to mount a chosen-plaintext attack on the semantically-secure encryption scheme $(G, E, D)$. Let us consider the case that $\Pr[\mathrm{Expt}^S_A(1,1) = 1] - \Pr[\mathrm{Expt}^S_A(0,1) = 1]$ is at least a quarter of the advantage of $A$. (The other case follows by an exactly parallel argument.) By the lemma, we may assume that the adversary will never make an improper but valid query. Hence, a single decryption key will suffice to implement the decryption oracle for queries made by the adversary. Hence, we may build the following chosen-plaintext attacker $B = (B_1, B_2)$:

$B_1(e)$:
  Set up $pk, sk$:
    (reference string, simulator state) ← $S_1(1^k)$
    $e_0 := e$;  $(e_1, d_1) \leftarrow G(1^k)$
    $pk := (e_0, e_1, \text{reference string})$;  $sk := d_1$
    $(m_0, m_1, s_1) \leftarrow A_1^{D'_{sk}}(pk)$
  return $(m_0, m_1, \text{state})$

$B_2(c, \text{state})$:
  Set up challenge:
    $r_1 \leftarrow \{0,1\}^{t(k)}$
    $c_0 := c$;  $c_1 := E_{e_1}(m_1; r_1)$
    $p \leftarrow S_2((e_0, e_1, c_0, c_1), \text{reference string}, \text{simulator state})$
    $y := (c_0, c_1, p)$
    $g \leftarrow A_2^{D'_{sk}(y)}(y, s_1)$
  return $g$

Above, state stores all the necessary state needed to be transferred from $B_1$ to $B_2$, i.e. $e_0, e_1, d_1$, the reference string, $s_1$, and the state information needed by the simulator. As in the proof of the lemma above, $B_1$ and $B_2$ implement the decryption oracle for $A_1$ and $A_2$, but because of the lemma, the single decryption key $d_1$ suffices. Thus, we have that $B$ will achieve an advantage only negligibly smaller than a quarter of the advantage of $A$ in its plaintext attack on $(G, E, D)$, which we assumed is impossible.
An exactly parallel argument holds for the case when $\Pr[\mathrm{Expt}^S_A(0,1) = 1] - \Pr[\mathrm{Expt}^S_A(0,0) = 1]$ is at least a quarter of the advantage of $A$, except in this case $B$ knows $d_0$ and the first component of the challenge to $A_2$ is always an encryption of $m_0$. Thus, the advantage of any adaptive chosen-ciphertext attacker must be negligible, and the security of our encryption scheme is established.

Remark 4.3 We note that a standard hybrid argument shows that any encryption scheme secure against adaptive chosen-ciphertext attack as defined here is also secure if the adversary is given many encryptions of the challenge message. While one would certainly hope that this is the case, in this case it is particularly surprising, since the non-interactive proof system used here is only adaptively non-malleable and zero-knowledge for a single theorem.

5 Conclusions

In this paper we motivated and introduced the notion of non-malleable NIZK, showed how to achieve it against any fixed number of proofs, and constructed a new simple encryption scheme based on general assumptions secure against adaptive chosen-ciphertext attack based on this notion. As argued in the introduction, we believe that non-malleable NIZK comes much closer to achieving our intuitive notion of zero-knowledge for non-interactive proof systems, and hence will find many other applications.

We finish with a couple of open problems. A major problem left open is how to achieve non-malleable NIZK proof systems that are secure against an unbounded number of proofs. Another question concerns our definition of non-malleability for NIZK (Definition 3.1), in which the second experiment allowed the adversary to give a proof using a possibly different non-interactive proof system. While this does capture the right semantics (since being able to prove a theorem without outside help should imply knowledge of a witness regardless of what proof system one uses), it may be useful to have a construction in which the adversary in the second experiment uses the same proof system. This would ensure a higher level of knowledge-tightness (the current definition allows for a polynomial loss), and could be needed in proofs of other constructions that utilize non-malleable NIZK.

Acknowledgments

The author wishes to thank Shafi Goldwasser for providing the impetus for this work by suggesting that there should be a simpler way to achieve full chosen-ciphertext security under general assumptions than the construction given in [DDN], as well as for providing a great deal of assistance. We also thank Salil Vadhan for helpful conversations and ideas early in this research. The author gratefully thanks Cynthia Dwork for introducing him to the notion of non-malleability and convincing him of its importance. Finally, the author thanks Oded Goldreich for many helpful comments on the write-up.

References

[BCK] M. Bellare, R. Canetti and H. Krawczyk, A modular approach to the design and analysis of authentication and key exchange protocols. Proceedings of the 30th Annual Symposium on Theory of Computing, ACM.
[BDPR] M. Bellare, A. Desai, D. Pointcheval and P. Rogaway, Relations among notions of security for public-key encryption schemes. Advances in Cryptology, Crypto 98 Proceedings, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag.
[BG] M. Bellare and S. Goldwasser, New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In G. Brassard, editor, Advances in Cryptology, CRYPTO 89, volume 435 of Lecture Notes in Computer Science, Springer-Verlag.
[BR1] M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols. First ACM Conference on Computer and Communications Security, ACM.
[BR] M. Bellare and P. Rogaway, Optimal asymmetric encryption: How to encrypt with RSA. Advances in Cryptology, Eurocrypt 94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed., Springer-Verlag.
[BS] M. Bellare and A. Sahai, Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization. To appear, CRYPTO 99.
[BDMP] M. Blum, A. De Santis, S. Micali and G. Persiano, Non-Interactive Zero-Knowledge Proofs. SIAM Journal on Computing, vol. 6, December 1991.
[BFM] M. Blum, P. Feldman and S. Micali, Non-interactive zero-knowledge and its applications. Proceedings of the 20th Annual Symposium on Theory of Computing, ACM.
[CS] R. Cramer and V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. Advances in Cryptology, Crypto 98 Proceedings, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag.
[DIO] G. Di Crescenzo, Y. Ishai and R. Ostrovsky, Non-Interactive and Non-Malleable Commitment. Proceedings of the 30th Annual Symposium on Theory of Computing, ACM.
[DP] A. De Santis and G. Persiano, Zero-knowledge proofs of knowledge without interaction. Proceedings of the 33rd Symposium on Foundations of Computer Science, IEEE.
[DDN] D. Dolev, C. Dwork and M. Naor, Non-malleable cryptography. Proceedings of the 23rd Annual Symposium on Theory of Computing, ACM. Also manuscript, to appear, SIAM J. of Computing.
[DNS] C. Dwork, M. Naor and A. Sahai, Concurrent Zero-Knowledge. Preliminary version appeared in Proceedings of the 30th Annual Symposium on Theory of Computing, ACM. Full version in preparation.
[FLS] U. Feige, D. Lapidot and A. Shamir, Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In 31st Annual Symposium on Foundations of Computer Science, volume I, St. Louis, Missouri, IEEE.
[Go2] O. Goldreich, Foundations of cryptography. Class notes, Spring 1989, Technion University.
[Go] O. Goldreich, A uniform complexity treatment of encryption and zero-knowledge. Journal of Cryptology, Vol. 6, 1993.
[GM] S. Goldwasser and S. Micali, Probabilistic encryption. Journal of Computer and System Sciences, 28.
[GMR] S. Goldwasser, S. Micali and C. Rackoff, The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1), February.
[NY] M. Naor and M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks. Proceedings of the 22nd Annual Symposium on Theory of Computing, ACM.
[RS] C. Rackoff and D. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. Advances in Cryptology, Crypto 91 Proceedings, Lecture Notes in Computer Science Vol. 576, J. Feigenbaum ed., Springer-Verlag.
[R] J. Rompel, One-way functions are necessary and sufficient for secure signatures. Proceedings of the 22nd Annual Symposium on Theory of Computing, ACM.
[SET] SETCO (Secure Electronic Transaction LLC), The SET standard book 3 formal protocol definitions (version 1.0). May 31. Available from http://
[Sh98] V. Shoup, Why chosen ciphertext security matters. IBM Research Report RZ 3076, November 1998.


More information

Introduction to Derivatives

Introduction to Derivatives Introduction to Derivatives 5-Minute Review: Instantaneous Rates and Tangent Slope Recall te analogy tat we developed earlier First we saw tat te secant slope of te line troug te two points (a, f (a))

More information

Numerical Differentiation

Numerical Differentiation Numerical Differentiation Finite Difference Formulas for te first derivative (Using Taylor Expansion tecnique) (section 8.3.) Suppose tat f() = g() is a function of te variable, and tat as 0 te function

More information

Differential Calculus (The basics) Prepared by Mr. C. Hull

Differential Calculus (The basics) Prepared by Mr. C. Hull Differential Calculus Te basics) A : Limits In tis work on limits, we will deal only wit functions i.e. tose relationsips in wic an input variable ) defines a unique output variable y). Wen we work wit

More information

Provable Security Against a Dierential Attack? Aarhus University, DK-8000 Aarhus C.

Provable Security Against a Dierential Attack? Aarhus University, DK-8000 Aarhus C. Provable Security Against a Dierential Attack Kaisa Nyberg and Lars Ramkilde Knudsen Aarus University, DK-8000 Aarus C. Abstract. Te purpose of tis paper is to sow tat tere exist DESlike iterated cipers,

More information

Exam 1 Review Solutions

Exam 1 Review Solutions Exam Review Solutions Please also review te old quizzes, and be sure tat you understand te omework problems. General notes: () Always give an algebraic reason for your answer (graps are not sufficient),

More information

SECTION 3.2: DERIVATIVE FUNCTIONS and DIFFERENTIABILITY

SECTION 3.2: DERIVATIVE FUNCTIONS and DIFFERENTIABILITY (Section 3.2: Derivative Functions and Differentiability) 3.2.1 SECTION 3.2: DERIVATIVE FUNCTIONS and DIFFERENTIABILITY LEARNING OBJECTIVES Know, understand, and apply te Limit Definition of te Derivative

More information

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof

More information

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes

More information

Combining functions: algebraic methods

Combining functions: algebraic methods Combining functions: algebraic metods Functions can be added, subtracted, multiplied, divided, and raised to a power, just like numbers or algebra expressions. If f(x) = x 2 and g(x) = x + 2, clearly f(x)

More information

Lecture 2: Program Obfuscation - II April 1, 2009

Lecture 2: Program Obfuscation - II April 1, 2009 Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]

More information

Polynomial Interpolation

Polynomial Interpolation Capter 4 Polynomial Interpolation In tis capter, we consider te important problem of approximatinga function fx, wose values at a set of distinct points x, x, x,, x n are known, by a polynomial P x suc

More information

Extractable Perfectly One-way Functions

Extractable Perfectly One-way Functions Extractable Perfectly One-way Functions Ran Canetti 1 and Ronny Ramzi Dakdouk 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. canetti@watson.ibm.com 2 Yale University, New Haven, CT. dakdouk@cs.yale.edu

More information

Lecture 15. Interpolation II. 2 Piecewise polynomial interpolation Hermite splines

Lecture 15. Interpolation II. 2 Piecewise polynomial interpolation Hermite splines Lecture 5 Interpolation II Introduction In te previous lecture we focused primarily on polynomial interpolation of a set of n points. A difficulty we observed is tat wen n is large, our polynomial as to

More information

Non-malleability under Selective Opening Attacks: Implication and Separation

Non-malleability under Selective Opening Attacks: Implication and Separation Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai

More information

Effect of the Dependent Paths in Linear Hull

Effect of the Dependent Paths in Linear Hull 1 Effect of te Dependent Pats in Linear Hull Zenli Dai, Meiqin Wang, Yue Sun Scool of Matematics, Sandong University, Jinan, 250100, Cina Key Laboratory of Cryptologic Tecnology and Information Security,

More information

HMAC is a Randomness Extractor and Applications to TLS

HMAC is a Randomness Extractor and Applications to TLS MAC is a Randomness Extractor and Applications to TLS Pierre-Alain Fouue ENS CNRS INRIA Paris, France fouue@diensfr David Pointceval CNRS ENS INRIA Paris, France pointceval@diensfr Sébastien Zimmer ENS

More information

1 Calculus. 1.1 Gradients and the Derivative. Q f(x+h) f(x)

1 Calculus. 1.1 Gradients and the Derivative. Q f(x+h) f(x) Calculus. Gradients and te Derivative Q f(x+) δy P T δx R f(x) 0 x x+ Let P (x, f(x)) and Q(x+, f(x+)) denote two points on te curve of te function y = f(x) and let R denote te point of intersection of

More information

Teaching Differentiation: A Rare Case for the Problem of the Slope of the Tangent Line

Teaching Differentiation: A Rare Case for the Problem of the Slope of the Tangent Line Teacing Differentiation: A Rare Case for te Problem of te Slope of te Tangent Line arxiv:1805.00343v1 [mat.ho] 29 Apr 2018 Roman Kvasov Department of Matematics University of Puerto Rico at Aguadilla Aguadilla,

More information

LIMITATIONS OF EULER S METHOD FOR NUMERICAL INTEGRATION

LIMITATIONS OF EULER S METHOD FOR NUMERICAL INTEGRATION LIMITATIONS OF EULER S METHOD FOR NUMERICAL INTEGRATION LAURA EVANS.. Introduction Not all differential equations can be explicitly solved for y. Tis can be problematic if we need to know te value of y

More information

HMAC is a Randomness Extractor and Applications to TLS

HMAC is a Randomness Extractor and Applications to TLS HMAC is a Randomness Extractor and Applications to TLS Pierre-Alain Fouque, David Pointceval, Sébastien Zimmer To cite tis version: Pierre-Alain Fouque, David Pointceval, Sébastien Zimmer. HMAC is a Randomness

More information

Chosen-Ciphertext Security without Redundancy

Chosen-Ciphertext Security without Redundancy This is the full version of the extended abstract which appears in Advances in Cryptology Proceedings of Asiacrypt 03 (30 november 4 december 2003, Taiwan) C. S. Laih Ed. Springer-Verlag, LNCS 2894, pages

More information

Cubic Functions: Local Analysis

Cubic Functions: Local Analysis Cubic function cubing coefficient Capter 13 Cubic Functions: Local Analysis Input-Output Pairs, 378 Normalized Input-Output Rule, 380 Local I-O Rule Near, 382 Local Grap Near, 384 Types of Local Graps

More information

Notes on wavefunctions II: momentum wavefunctions

Notes on wavefunctions II: momentum wavefunctions Notes on wavefunctions II: momentum wavefunctions and uncertainty Te state of a particle at any time is described by a wavefunction ψ(x). Tese wavefunction must cange wit time, since we know tat particles

More information

Transitive Signatures Based on Non-adaptive Standard Signatures

Transitive Signatures Based on Non-adaptive Standard Signatures Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Functions of the Complex Variable z

Functions of the Complex Variable z Capter 2 Functions of te Complex Variable z Introduction We wis to examine te notion of a function of z were z is a complex variable. To be sure, a complex variable can be viewed as noting but a pair of

More information

MAT244 - Ordinary Di erential Equations - Summer 2016 Assignment 2 Due: July 20, 2016

MAT244 - Ordinary Di erential Equations - Summer 2016 Assignment 2 Due: July 20, 2016 MAT244 - Ordinary Di erential Equations - Summer 206 Assignment 2 Due: July 20, 206 Full Name: Student #: Last First Indicate wic Tutorial Section you attend by filling in te appropriate circle: Tut 0

More information

Explicit Interleavers for a Repeat Accumulate Accumulate (RAA) code construction

Explicit Interleavers for a Repeat Accumulate Accumulate (RAA) code construction Eplicit Interleavers for a Repeat Accumulate Accumulate RAA code construction Venkatesan Gurusami Computer Science and Engineering University of Wasington Seattle, WA 98195, USA Email: venkat@csasingtonedu

More information

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Augmented Black-Box Simulation and Zero Knowledge Argument for NP Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44

More information

Technology-Independent Design of Neurocomputers: The Universal Field Computer 1

Technology-Independent Design of Neurocomputers: The Universal Field Computer 1 Tecnology-Independent Design of Neurocomputers: Te Universal Field Computer 1 Abstract Bruce J. MacLennan Computer Science Department Naval Postgraduate Scool Monterey, CA 9393 We argue tat AI is moving

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

Math 161 (33) - Final exam

Math 161 (33) - Final exam Name: Id #: Mat 161 (33) - Final exam Fall Quarter 2015 Wednesday December 9, 2015-10:30am to 12:30am Instructions: Prob. Points Score possible 1 25 2 25 3 25 4 25 TOTAL 75 (BEST 3) Read eac problem carefully.

More information

Time (hours) Morphine sulfate (mg)

Time (hours) Morphine sulfate (mg) Mat Xa Fall 2002 Review Notes Limits and Definition of Derivative Important Information: 1 According to te most recent information from te Registrar, te Xa final exam will be eld from 9:15 am to 12:15

More information

The Complexity of Computing the MCD-Estimator

The Complexity of Computing the MCD-Estimator Te Complexity of Computing te MCD-Estimator Torsten Bernolt Lerstul Informatik 2 Universität Dortmund, Germany torstenbernolt@uni-dortmundde Paul Fiscer IMM, Danisc Tecnical University Kongens Lyngby,

More information

Topics in Generalized Differentiation

Topics in Generalized Differentiation Topics in Generalized Differentiation J. Marsall As Abstract Te course will be built around tree topics: ) Prove te almost everywere equivalence of te L p n-t symmetric quantum derivative and te L p Peano

More information

Simple SK-ID-KEM 1. 1 Introduction

Simple SK-ID-KEM 1. 1 Introduction 1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented

More information

f (x) f (x) easy easy

f (x) f (x) easy easy A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:

More information

Digital Filter Structures

Digital Filter Structures Digital Filter Structures Te convolution sum description of an LTI discrete-time system can, in principle, be used to implement te system For an IIR finite-dimensional system tis approac is not practical

More information

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

On The Security of The ElGamal Encryption Scheme and Damgård s Variant On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca

More information

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

Impossibility and Feasibility Results for Zero Knowledge with Public Keys Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen 1, Giuseppe Persiano 2, and Ivan Visconti 2 1 Technical University of Vienna A-1010 Vienna, Austria. e9926980@stud3.tuwien.ac.at

More information

CS522 - Partial Di erential Equations

CS522 - Partial Di erential Equations CS5 - Partial Di erential Equations Tibor Jánosi April 5, 5 Numerical Di erentiation In principle, di erentiation is a simple operation. Indeed, given a function speci ed as a closed-form formula, its

More information

SECTION 1.10: DIFFERENCE QUOTIENTS LEARNING OBJECTIVES

SECTION 1.10: DIFFERENCE QUOTIENTS LEARNING OBJECTIVES (Section.0: Difference Quotients).0. SECTION.0: DIFFERENCE QUOTIENTS LEARNING OBJECTIVES Define average rate of cange (and average velocity) algebraically and grapically. Be able to identify, construct,

More information

RSA OAEP is Secure under the RSA Assumption

RSA OAEP is Secure under the RSA Assumption RSA OAEP is Secure under the RSA Assumption Eiichiro Fujisaki 1, Tatsuaki Okamoto 1, David Pointcheval 2, and Jacques Stern 2 1 NTT Labs, 1-1 Hikarino-oka, Yokosuka-shi, 239-0847 Japan. E-mail: {fujisaki,okamoto}@isl.ntt.co.jp.

More information

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu

More information

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng

More information

Improved Algorithms for Largest Cardinality 2-Interval Pattern Problem

Improved Algorithms for Largest Cardinality 2-Interval Pattern Problem Journal of Combinatorial Optimization manuscript No. (will be inserted by te editor) Improved Algoritms for Largest Cardinality 2-Interval Pattern Problem Erdong Cen, Linji Yang, Hao Yuan Department of

More information

Polynomial Interpolation

Polynomial Interpolation Capter 4 Polynomial Interpolation In tis capter, we consider te important problem of approximating a function f(x, wose values at a set of distinct points x, x, x 2,,x n are known, by a polynomial P (x

More information

Multi-Signatures in the Plain Public-Key Model and a General Forking Lemma

Multi-Signatures in the Plain Public-Key Model and a General Forking Lemma Multi-Signatures in te Plain Public-Key Model and a General Forking Lemma Miir Bellare University of California San Diego Department of Computer Science & Engineering 9500 Gilman Drive La Jolla, California

More information

Uninstantiability of Full-Domain Hash

Uninstantiability of Full-Domain Hash Uninstantiability of based on On the Generic Insecurity of, Crypto 05, joint work with Y.Dodis and R.Oliveira Krzysztof Pietrzak CWI Amsterdam June 3, 2008 Why talk about this old stuff? Why talk about

More information

Pre-Calculus Review Preemptive Strike

Pre-Calculus Review Preemptive Strike Pre-Calculus Review Preemptive Strike Attaced are some notes and one assignment wit tree parts. Tese are due on te day tat we start te pre-calculus review. I strongly suggest reading troug te notes torougly

More information

2.8 The Derivative as a Function

2.8 The Derivative as a Function .8 Te Derivative as a Function Typically, we can find te derivative of a function f at many points of its domain: Definition. Suppose tat f is a function wic is differentiable at every point of an open

More information

. If lim. x 2 x 1. f(x+h) f(x)

. If lim. x 2 x 1. f(x+h) f(x) Review of Differential Calculus Wen te value of one variable y is uniquely determined by te value of anoter variable x, ten te relationsip between x and y is described by a function f tat assigns a value

More information

A Reconsideration of Matter Waves

A Reconsideration of Matter Waves A Reconsideration of Matter Waves by Roger Ellman Abstract Matter waves were discovered in te early 20t century from teir wavelengt, predicted by DeBroglie, Planck's constant divided by te particle's momentum,

More information