G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

Transcription

1 G /G Advanced Cryptography November 11, 2009 Lecture 10 Lecturer: Yevgeniy Dodis Scribe: Adriana Lopez Last time we: defined Adaptive Soundness and Adaptive Zero Knowledge defined Unbounded Zero Knowledge finished constructing unbounded (adaptive) NIZK for NP can prove many statements with the same crs crs = poly(λ) composable NIZK (ZK holds even if tk is given) easy to extend to a Proof of Knowledge (let c = Enc pk (x) and prove that Dec sk (c) is a witness for y). Today we ll cover: Simulation Soundness A One-Time Simulation-Sound NIZK Construction Two constructions of CCA-Secure Encryption from CPA-Secure Encryption Dolev, Dwork, Naor [DDN]: using One-Time signatures and One-Time NIZK (OT-NIZK) Naor, Yung [NY]: using One-Time Simulation-Sound NIZK (OT-SS-NIZK) 1 Simutation Soundness Motivation: Can P prove false statements given tk? Recall that in a proof, soundness holds even for unbounded P but we want the honest Prover to be efficient. In an argument, soundness only holds for bounded P. In either case, sim(tk, ) is efficient. Lemma 1 Let Y T be the distribution of true statements, and Y F be the distribution of false statements, and assume Y T Y F. Then sim(tk, Y F ) outputs an accepting proof with probability 1 negl(λ). Remark 2 We can assume Y T Y F given the existence of one-way functions (OWFs). L10-1

2 Proof: (Y F,sim(tk, Y F )) (Y T,sim(tk, Y T )) since Y T Y F (Y T, P(X T, Y T )) by Zero Knowledge By completeness, P(X T, Y T ) gives accepting proof. Since (Y F,sim(tk, Y F )) (Y T, P(X T, Y T )), then sim(tk, Y F ) must give an accepting proof with probability 1 negl(λ). Question: Can P prove false statements after seeing proofs of (possibly false) statements? It s unclear. We only know the answer is no if it only sees proofs of true statements (by adaptive soundness). Definition 3 We say a protocol Π is simulation-sound (SS) if ppt A Pr[A wins] negl(λ) in the following game: A sim(tk, ) (y, Π ), where sim(tk, ) gives proofs of (possibly false) statements. A wins if all of the following hold: V (y, Π,crs) = 1 y / L y was not a query to the simulator oracle sim(tk, ) We say a protocol Π is one-time simulation-sound (OT-SS) if in the game above, we only allow A to make one query to sim(tk, ). Remark 4 We can also define simulation-extractability, which is the equivalent of a simulationsound proof of knowledge. 1.1 Construction of OT-SS-NIZK We show a construction of OT-SS-NIZK (OT-SS and OT-ZK) based on OT-NIZK, OT signatures, and commitments. Let nizk-π =(nizk-gen, nizk-prove, nizk-ver) be a OT-NIZK protocol. Let nizk-prove(crs, (y, vk, c), x) prove statements of type: "either y L or c com(vk)". Let Σ =(sign-gen, sign, sign-ver) be a OT signature scheme, and let (com-gen, com, open) be a commitment scheme. Gen(1 λ ): (ot-crs, ot-tk) nizk-gen(1 λ ), (sk,vk ) sign-gen(1 λ ),ck com-gen(1 λ ), (c, d) com ck (vk ; r). Output crs = (ot-crs, c),tk = (ot-tk, sk, r). Prove(crs, x, y) : (sk,vk) sign-gen(1 λ ), Π nizk-prove(crs,(y,vk, c), x), σ sign sk (vk, Π, y). Output (vk, Π, σ). Verify(vk, Π, σ): Output 1 iff sign-ver(vk,π, y, σ) = 1 and nizk-ver(π,tk) = 1. We let sim(crs, y,tk) simulate a proof as follows: sim uses vk = vk, proves c = com(vk ) and uses sk to sign (vk, Π, y). L10-2

3 Theorem 5 If nizk-π is OT-NIZK and Σ is a OT signature scheme, then the protocol described above is OT-SS-NIZK. Proof: We first prove that the protocol described above is one-time zero-knowledge. Consider the transcript output in each of the following games: Game 0: In game 0, everything is done as in the protocol described above: c = com(vk ), the real prover uses vk and proves that y L. Game 1: In game 1, c = com(vk), the real prover uses vk and proves that y L. Notice that game 1 is the same as game 0 except that c = com(vk). By the hiding property of the commitment scheme, the transcript in game 1 is indistinguishable from the one in game 0. Game 2: In game 2, c = com(vk), the real prover uses vk and proves that c = com(vk). By witness indistinguishability of nizk-π, the transcript in game 2 is indistinguishable from the one in game 1. Game 3: In game 3, c = com(vk ) and sim gives a proof that c = com(vk ). By one-time zero-knowledge of nizk-π, the transcript in game 3 is indistinguishable from the one in game 2. We have proven that the transcript in game 3 is indistinguishable from the transcript in game 0. This implies that the real transcript produced by the real prover is indistinguishable from the one produced by the simulator sim, as desired. We must also prove that the protocol above is one-time simulation-sound. Let Succ be the event that A makes query sim(y), and outputs a proof (vk, Π, σ ) for y such that y y, y / L, and Verify(vk, Π, σ ) = 1. Let Succ be the same as Succ except that we further require that vk vk. Notice that Pr[Succ] Pr[Succ ] = negl(λ) by the security of the one-time signature scheme. Now, consider the event Succ. Since vk vk, then c com(vk ). But we also have that y / L, so by soundness of nizk-π, Pr[nizk-Ver(Π,tk) = 1] = negl(λ). Thus, Pr[Succ ] = negl(λ) which implies that Pr[Succ] = negl(λ), as desired. 2 CCA-Secure Encryption from CPA-Secure Encryption Recall the following definitions of CPA and CCA-secure encryptions: Definition 6 An encryption scheme is said to be CPA-secure if ppt A, Pr[A wins] negl(λ) in the following game: (pk, sk) Gen(1 λ ) (m, state) A(pk) c 0 Enc pk (0), c 1 Enc pk (m) L10-3

4 b R {0, 1}, b A(c b, state) A wins if b = b. Definition 7 An encryption scheme is said to be CCA-secure if ppt A, Pr[A wins] negl(λ) in the game above, even when A has access to a decryption oracle Dec sk( ), with the restriction that A cannot query the oracle with c b. We show two constructions of CCA-secure encryption from CPA-secure encryption: Dolev, Dwork, Naor [DDN]: using One-Time signatures and One-Time NIZK (OT- NIZK) Naor, Yung [NY]: using One-Time Simulation-Sound NIZK (OT-SS-NIZK) 2.1 Dolev, Dwork, Naor [DDN] Let E = (Enc-Gen, Enc, Dec) be a CPA-secure encryption scheme, let Σ = (Sign-Gen, Sign, Sign-Ver) be a OT signature scheme, and let nizk-π = (nizk-gen, Prove, nizk-ver) be a OT- NIZK protocol. Let Prove(c 1, c 2,...,c n ) prove statements of the form "All the c i s decrypt to the same message m". CCA-Gen(1 λ ): crs nizk-gen(1 λ ). Let n = vk in the OT signature scheme. For i = 1 to n and b {0, 1}: (ek i,b,dk i,b ) Enc-Gen(1 λ ). Let ek = {ek i,b } i {1,...,n},b {0,1}. ek = ek 1,0 ek 2,0... ek n,0 ek 1,1 ek 2,1... ek n,1 Output ek=(ek,crs) and dk=(dk 1,0, dk 1,1 ). CCA-Enc ek (m): (vk,sk) sign-gen(1 λ ). Let vk = vk 1 vk 2... vk n. For i = 1 to n: c i Enc(ek i,vki, m). Let Π Prove(c 1, c 2,...c n ) be an NIZK proof that given (vk,ek, c 1, c 2,...,c n ) all the c i s decrypt to the same message m with respect to vk. Let c c 1 c 2...c n, σ Sign sk (vk, c,π), and output (vk, c,π, σ). CCA-Dec dk (c): If nizk-ver(π) = 1 and sign-ver(vk, c,π, σ) = 1, output m = Dec(dk 1,vk1, c 1 ). Otherwise, reect. Theorem 8 If E is CPA-secure, nizk-π is OT-NIZK, and Σ is a OT signature scheme, then the encryption scheme described above is CCA-secure. Proof: Consider the following sequence of games, and let Pr i [A wins] = Pr[A wins in game i]. Table 1 summarizes the games described below and the properties used to prove indistinguishability between consecutive games. Game 0: Game 0 is the real CCA game in the case when A receives CCA-Enc ek (m) = (vk, c, Π, σ ). L10-4

5 Game 1: Game 1 is the same as game 0 except that A automatically wins if its query to the decryption oracle is a valid ciphertext (vk, c, Π, σ ) such that vk = vk. Notice that in order for the ciphertext to be valid, σ must be a valid signature with respect to vk. By the security of Σ, we know that the probability that A submits such a ciphertext is negligible, since otherwise he would have forged a signature with respect to the same verification key. This means that Pr 1 [A wins] Pr 0 [A wins] = negl(λ). Game 2: Game 2 is the same as game 1 except that the challenger selects vk,sk in advance, creates ek as before, but lets dk = (dk 1,vk,dk 1 2,vk,...,dk 2 n,vk n ), where vk i denotes the complement of the ith bit of vk. Since we allow A to win if its decryption query contains vk, we can assume that the query contains vk vk. This means that there exists some for which vk = vk. The challenger then answers the decryption query by decrypting c using dk,vk. By soundness of nizk-π, this will give the same decryption as if we had decrypted c 1 as before. Therefore, Pr 2 [A wins] Pr 1 [A wins] = negl(λ). Game 3: Game 3 is the same as game 2 except that we let Π = sim(vk,ek, c ). By zeroknowledge of nizk-π we know that Pr 3 [A wins] Pr 2 [A wins] = negl(λ). Game 4, i: Game 4, i is the same as game 3 except that for i : c = Enc(ek,vk, 0) and for > i : c = Enc(ek,vk, m). Because E is CPA-secure, we have that Pr 4,1 [A wins] Pr 3 [A wins] = negl(λ) and for i = 1,..., n 1: Pr 4,i+1 [A wins] Pr 4,i [A wins] = negl(λ). Game 5: Game 5 is the same as game 4, n except that we let Π = Prove(c 1, c 2,...c n). Notice that in this case, for all i we have that c i = Enc(ek i,vk i, 0) and the prover proves a true statement, that all the c i s are encryptions of the same message (0 in this case). By zero-knowledge of nizk-π we know that Pr 5 [A wins] Pr 4,n [A wins] = negl(λ). Game 6: Game 6 is the same as game 5 except that the challenger runs the Gen algorithm described above to create ek and dk, and only afterwards selects vk,sk, all as in the real CCA game. By soundness of nizk-π we know that Pr 6 [A wins] Pr 5 [A wins] = negl(λ). Game 7: Game 7 is the same as game 6 except that A does not automatically win if its query to the decryption oracle is a valid ciphertext (vk, c, Π, σ ) such that vk = vk. By the security of Σ, we know that Pr 7 [A wins] Pr 6 [A wins] = negl(λ). Notice that game 7 is exactly the CCA game when A receives CCA-Enc ek (0). We have proved that Pr 7 [A wins] Pr 0 [A wins] = negl(λ), which proves the theorem since game 0 is the CCA game when A receives CCA-Enc ek (m). L10-5

6 Table 1: Values of c for i, c for > i, Π, Dec( ), the conditions for A to win in each game, and properties used to prove indistinguishability of consecutive games. Game c : i c : > i Π Dec( ) A wins Property 0 Enc(m) Enc(m) real c 1 using dk 1 b = b 1 Enc(m) Enc(m) real c 1 using dk 1 b = b and Dec( ) security of Σ query does not use vk 2 Enc(m) Enc(m) real c using dk,vk b = b and Dec( ) soundness 3 Enc(m) Enc(m) fake c using dk,vk b = b and Dec( ) zero-knowledge 4, i Enc(0) Enc(m) fake c using dk,vk b = b and Dec( ) CPA of E query does not use vk 5 Enc(0) Enc(0) real c using dk,vk b = b and Dec( ) zero-knowledge 6 Enc(0) Enc(0) real c 1 using dk 1 b = b and Dec( ) soundness 7 Enc(0) Enc(0) real c 1 using dk 1 b = b security of Σ 2.2 Naor, Yung [NY] Let E 1 = (Gen 1,Enc 1,Dec 1 ) and E 2 = (Gen 2,Enc 2,Dec 2 ) be two CPA-secure encryption schemes. Let nizk-π = (nizk-gen, Prove, Ver) be a one-time simulation-sound NIZK protocol, and let Prove(c 1, c 2 ) prove statements of the form "Dec(c 1 ) = Dec(c 2 )". Gen(1 λ ): (ek 1, dk 1 ) Gen 1 (1 λ ), (ek 2, dk 2 ) Gen 2 (1 λ ),crs nizk-gen(1 λ ). Output ek = (ek 1,ek 2,crs) and dk = dk 1. Enc ek (m): c 1 Enc 1 (ek 1, m), c 2 Enc 2 (ek 2, m), Π Prove(c 1, c 2 ). Output c = (c 1, c 2, Π). Dec sk (c): If Ver(Π) = 1, output m = Dec 1 (dk 1, c). Otherwise, reect. Theorem 9 If E 1 and E 2 are CPA-secure and nizk-π is OT-SS-NIZK, then the encryption scheme described above is CCA-secure. Proof: Consider the following sequence of games, and let Pr i [A wins] = Pr[A wins in game i]. Table 2 summarizes the games described below and the properties used to prove indistinguishability between consecutive games. Game 0: Game 0 is the CCA game described above in the case when A receives Enc(m): c 1 = Enc 1 (ek 1, m), c 2 = Enc 2 (ek 2, m), Π = Prove(c 1, c 2 ), and Dec( ) decrypts c 1 with key dk 1. L10-6

7 Table 2: Values of c 1, c 2, Π, Dec( ) in each game, and properties used to prove indistinguishability of consecutive games. Game c 1 c 2 Π Dec( ) Property 0 Enc 1 (ek 1, m) Enc 2 (ek 2, m) real c 1 using dk 1 1 Enc 1 (ek 1, m) Enc 2 (ek 2, m) fake c 1 using dk 1 zero knowledge of nizk-π 2 Enc 1 (ek 1, m) Enc 2 (ek 2, 0) fake c 1 using dk 1 CPA of E 2 3 Enc 1 (ek 1, m) Enc 2 (ek 2, 0) fake c 2 using dk 2 simulation-soundness of nizk-π 4 Enc 1 (ek 1, 0) Enc 2 (ek 2, 0) fake c 2 using dk 2 CPA of E 1 5 Enc 1 (ek 1, 0) Enc 2 (ek 2, 0) real c 2 using dk 2 zero knowledge of nizk-π 6 Enc 1 (ek 1, 0) Enc 2 (ek 2, 0) real c 1 using dk 1 soundness of nizk-π Game 1: Game 1 is the same as Game 0 except that Π is a simulated proof. By zero knowledge of nizk-π: Pr 1 [A wins] = Pr 0 [A wins]. Game 2: Game 2 is the same as Game 1 except that c 2 = Enc 2 (ek 2, 0). By the CPA-security of E 2 : Pr 2 [A wins] Pr 1 [A wins] = negl(λ). Game 3: Game 3 is the same as Game 2 except that Dec( ) decrypts c 2 with key dk 2. By simulation-soundness of nizk-π: Pr 3 [A wins] Pr 2 [A wins] = negl(λ). Game 4: Game 4 is the same as Game 3 except that c 1 = Enc 1 (ek 1, 0). By the CPA-security of E 1 : Pr 4 [A wins] Pr 3 [A wins] = negl(λ). Game 5: Game 5 is the same as Game 4 except that Π = Prove(c 1, c 2 ). By zero knowledge of nizk-π: Pr 5 [A wins] = Pr 4 [A wins]. Game 6: Game 6 is the same as Game 5 except that Dec( ) decrypts c 1 with key dk 1. By soundness of nizk-π: Pr 6 [A wins] Pr 5 [A wins] = negl(λ). We have proved that Pr 6 [A wins] Pr 0 [A wins] = negl(λ). Notice that game 6 is the CCA game described above in the case when A receives Enc(0). We have thus proven that Pr[A wins CCA game] = negl(λ). Remark 10 If E 1 is CPA-secure and E 2 is CCA-secure, then nizk-π need not be simulation sound. But why create a CCA-secure encryption scheme from a CCA-secure encryption scheme? If E 1 is CPA-secure and E 2 is CCA-secure, then the above construction gives a CCA-secure scheme that has the combined properties of E 1 and E 2. For example, if E 1 is a leakage-resilient CPA-secure scheme and E 2 is CCA-secure, then the construction above gives a leakage-resilient CCA-secure encryption scheme. Remark 11 An important open problem in cryptography is the following: how to construct a CCA-secure encryption scheme from a CPA-secure encryption scheme without using NIZK? L10-7