Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Similar documents
Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

CMSC 858K Advanced Topics in Cryptography March 4, 2004

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Chosen-Ciphertext Security (I)

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

Advanced Topics in Cryptography

Lecture 7: CPA Security, MACs, OWFs

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

CTR mode of operation

Lecture 5, CPA Secure Encryption from PRFs

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CPA-Security. Definition: A private-key encryption scheme

Lecture 15: Interactive Proofs

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 13: Private Key Encryption

Lecture Notes 20: Zero-Knowledge Proofs

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 18: Message Authentication Codes & Digital Signa

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Lecture 3: Interactive Proofs and Zero-Knowledge

III. Pseudorandom functions & encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

2 Message authentication codes (MACs)

G Advanced Cryptography April 10th, Lecture 11

Lecture 15 - Zero Knowledge Proofs

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Lectures 2+3: Provable Security

Computational security & Private key encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Zero-Knowledge Proofs and Protocols

Lecture 14: Secure Multiparty Computation

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Block Ciphers/Pseudorandom Permutations

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Homework 7 Solutions

Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Interactive Zero-Knowledge with Restricted Random Oracles

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Tamper and Leakage Resilience in the Split-State Model

CS 6260 Applied Cryptography

Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)

Modern symmetric-key Encryption

Modern Cryptography Lecture 4

Statistical WI (and more) in Two Messages

Block ciphers And modes of operation. Table of contents

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Efficient Identity-based Encryption Without Random Oracles

Short Exponent Diffie-Hellman Problems

Smooth Projective Hash Function and Its Applications

Tamper and Leakage Resilience in the Split-State Model

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Lecture 17: Constructions of Public-Key Encryption

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

: Cryptography and Game Theory Ran Canetti and Alon Rosen. Lecture 8

Cryptographic Protocols Notes 2

Provable security. Michel Abdalla

1 Indistinguishability for multiple encryptions

The Cramer-Shoup Cryptosystem

A Strong Identity Based Key-Insulated Cryptosystem

CS 395T. Probabilistic Polynomial-Time Calculus

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

On the CCA1-Security of Elgamal and Damgård s Elgamal

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

8 Security against Chosen Plaintext

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

Lecture 2: Program Obfuscation - II April 1, 2009

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Advanced Cryptography 03/06/2007. Lecture 8

COS Cryptography - Final Take Home Exam

Soundness in the Public-Key Model

6.080/6.089 GITCS Apr 15, Lecture 17

Non-malleability under Selective Opening Attacks: Implication and Separation

A Novel Strong Designated Verifier Signature Scheme without Random Oracles

Cryptography in the Multi-string Model

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Gentry IBE Paper Reading

Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks

On the Non-malleability of the Fiat-Shamir Transform

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public Key Cryptography

On the Security of Classic Protocols for Unique Witness Relations

Extractable Perfectly One-way Functions

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

A New Paradigm of Hybrid Encryption Scheme

On The (In)security Of Fischlin s Paradigm

Transcription:

CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to construct a public-key encryption scheme secure against non-adaptive chosen-ciphertext attacks, given a semantically-secure public-key encryption scheme and an adaptively-secure non-interactive zero-knowledge proof system (in the common random string model). 2 Adaptively-Secure Non-Interactive Zero-Knowledge We begin with a definition of a basic case of non-interactive zero-knowledge. Definition 1 A pair of ppt algorithms (P, V) is a non-interactive zero-knowledge (NIZK ) proof system for a language L NP if there exists some polynomial poly such that: 1. Completeness (for x L, P generates proofs that V accepts): For all x L {0, 1} k and all witnesses w for x, Pr[r {0, 1} poly(k) ; Π P(r, x, w) : V(r, x, Π) = 1] = 1. 2. Soundness (for x L, no prover can generate proofs that V accepts with better than negligible probability): For all x {0, 1} k \L and all (possibly unbounded) algorithms P, the following is negligible in k: Pr[r {0, 1} poly(k) ; Π P (r, x) : V(r, x, Π) = 1]. 3. Zero-knowledge (for x L, the view of any verifier can be efficiently simulated without knowledge of a witness): There exists a ppt algorithm Sim such that for any x L {0, 1} k and any witness w for x, the following ensembles are computationally indistinguishable: { } (1) r {0, 1} poly(k) ; Π P(r, x, w) : (r, x, Π) k (2) {(r, Π) Sim(x) : (r, x, Π)} k. For our purposes, we need to strengthen the definition in two ways. In the soundness requirement, we would like to also protect against a prover who chooses x L after seeing the common random string r. In the zero-knowledge requirement, we would like to make the simulator s job a little harder by making it output a simulated common random string 6-1

r first, and only then supplying it with an x L for which it needs to generate a simulated proof. In particular, such an x may be chosen adaptively (by an adversary, say) based on r. In the following, we use Pr E [A] to denote the probability that event A occurs in the probabilistic experiment E. Definition 2 A pair of ppt algorithms (P, V) is an adaptive, non-interactive zero-knowledge (anizk 1 ) proof system for a language L NP if there exists a polynomial poly such that: 1. Completeness: Same as above. 2. Soundness (now, the cheating prover may choose x L after seeing r): For all (possibly unbounded) algorithms P, the following is negligible in k: [ ] Pr r {0, 1} poly(k) ; (x, Π) P (r) : V(r, x, Π) = 1 x {0, 1} k \ L. 3. Zero-knowledge (simulator must output r first, is then given x, and asked to produce a simulated proof): Let (Sim 1, Sim 2 ), (A 1, A 2 ) be a pair of two-staged algorithms (we may assume that the first stage outputs some state information which is passed as input to the second stage; this will be implicit). Consider the following experiments: Game ZK real r {0, 1} poly(k) (x, w) A 1 (r) (x L {0, 1} k ) Π P(r, x, w) b A 2 (r, x, Π) Game ZK sim r Sim 1 (1 k ) (x, w) A 1 (r) (x L {0, 1} k ) Π Sim 2 (x) b A 2 (r, x, Π) We require that there exist a ppt simulator (Sim 1, Sim 2 ) such that for any ppt algorithm (A 1, A 2 ) the following is negligible in k: Pr ZKreal [A 2 outputs 0] Pr ZKsim [A 2 outputs 0]. Equivalently, the real game ZK real is computationally indistinguishable from the simulated game ZK sim. (In other words, the adversary cannot tell whether it is participating in the first or the second experiment (except with negligible probability). A 2 s output can be thought of as its guess towards which experiment it is in. This means that the simulator is able to simulate the adversary s view in the real execution.) To simplify the notation a little, we will usually drop the stage identifier for A; when we refer to A s output in the experiment, we will mean A 2 s output. 3 A Public-Key Encryption Scheme Secure Against Non- Adaptive Chosen-Ciphertext Attacks Let (Gen, E, D) be a public-key encryption scheme and (P, V) be an adaptively-secure NIZK proof system for languages in NP. The following construction is due to Naor and Yung [1]. 1 This notation is non-standard. 6-2

Gen (1 k ) (pk 1, sk 1 ) Gen(1 k ); (pk 2, sk 2 ) Gen(1 k ); r {0, 1} poly(k) ; pk = (pk 1, pk 2, r); sk = sk 1 E (pk 1,pk 2,r) (m) ; c 1 = E pk1 (m; w 1 ); c 2 = E pk2 (m; w 2 ); Π P(r, (c 1, c 2 ), (w 1, w 2, m)); Output (c 1, c 2, Π) D sk 1 (c 1, c 2, Π) If V(r, (c 1, c 2 ), Π) = 0 Output ; else Output D sk1 (c 1 ) A few words of explanation are due here. For key generation, we use the underlying key-generation algorithm to produce two pairs of (public, private) keys, publish the public keys and a random string r (to serve as the common random string for the proof system), and keep the first underlying private key as our private key (we discard the second private key). For encryption, we use the underlying algorithm to encrypt the given message m twice, under both pk 1 and pk 2, with the random tapes of the encryption algorithm fixed to w 1, w 2, respectively. 2 (For a probabilistic algorithm A( ), the notation A( ; w) is used to denote that A s random tape is fixed to a particular w {0, 1}.) We then use our prover to generate a proof that (c 1, c 2 ) are encryptions of the same message under pk 1, pk 2 in the underlying scheme; i.e., (c 1, c 2 ) L where L = {(c 1, c 2 ) m, w 1, w 2 such that c 1 = E pk1 (m; w 1 ), c 2 = E pk2 (m; w 2 )}, using w 1, w 2, and m as witnesses. Note that L NP. We send the ciphertexts and the proof to the receiver. For decryption, we use the underlying decryption algorithm on the first ciphertext, if the provided proof verifies correctly. Theorem 1 Assuming that (Gen, E, D) is semantically secure and that (P, V) is an adaptivelysecure NIZK proof system, (Gen, E, D ) is secure against non-adaptive ( lunchtime 3 ) chosen-ciphertext attacks (i.e., is CCA1 secure). The remainder of these notes is the beginning of a proof of this theorem (we continue the proof next lecture). Let A be a two-staged ppt algorithm, where the first stage has access to an oracle. Consider the following two experiments (their differences are in boldface): Game CCA1 0 Game CCA1 1 (pk 1, sk 1 ), (pk 2, sk 2 ) Gen(1 k ) (pk 1, sk 1 ), (pk 2, sk 2 ) Gen(1 k ) r {0, 1} poly(k) r {0, 1} poly(k) c 1 = E pk1 (m 0 ; w 1 ), c 2 = E pk2 (m 0 ; w 2 ) c 1 = E pk1 (m 1 ; w 1 ), c 2 = E pk2 (m 1 ; w 2 ) Π P(r, (c 1, c 2 ), (w 1, w 2, m 0 )) Π P(r, (c 1, c 2 ), (w 1, w 2, m 1 )) To prove the scheme CCA1 secure, we need to show that A cannot distinguish the above two games; i.e.,to show that the following is negligible: Pr CCA10 [b = 0] Pr CCA11 [b = 0]. 2 The notation w 1 {0, 1} just means that a long enough random string is chosen. 3 That is, the adversary is assumed to be able to play with the decryption oracle while people are out for lunch, but not afterward when he gets the challenge ciphertext. 6-3

To that effect, we introduce a sequence of intermediate games, and show that A cannot distinguish each game from its subsequent one; the theorem will then follow. Let Sim = (Sim 1, Sim 2 ) be the simulator for our proof system. In the first game, we replace the random string and legitimate proof of game CCA1 0 with a simulated random string and simulated proof. Once again, the differences between the new game and game CCA1 0 are highlighted. Game 1 (pk 1, sk 1 ), (pk 2, sk 2 ) Gen(1 k ) r Sim 1 (1 ) c 1 = E pk1 (m 0 ; w 1 ), c 2 = E pk2 (m 0 ; w 2 ) Π Sim 2 ((c 1, c 2 )) Claim 2 Pr CCA10 [A outputs 0] Pr 1 [A outputs 0] is negligible. Proof By reduction to the zero-knowledge property of the proof system: we use A to construct an algorithm B that attempts to distinguish real from simulated proofs. B(1 k ) Receive r as first-stage input; (pk 1, sk 1 ), (pk 2, sk 2 ) Gen(1 k ); pk = (pk 1, pk 2, r); sk = sk 1 ; ; // note that B has no trouble // simulating the decryption oracle for A ; c 1 = E pk1 (m 0 ; w 1 ), c 2 = E pk2 (m 0 ; w 2 ); Output ((c 1, c 2 ), (w 1, w 2, m 0 )) as first-stage output; Receive Π as second-stage input; ; Output b as second-stage output. Now, when the inputs to B are a random string r and a real proof Π, then A s view in the above experiment is precisely its view in game CCA1 0, and so Pr ZKreal [B outputs 0] = Pr CCA10 [A outputs 0]. On the other hand, when the inputs to B are a simulated string and a simulated proof, A s view in B is precisely its view in game 1, and so Pr ZKsim [B outputs 0] = Pr 1 [A outputs 0]. Since Pr ZKreal [B outputs 0] Pr ZKsim [B outputs 0] is negligible (since the proof system is adaptively-secure NIZK), we have that is negligible as well. Pr CCA10 [A outputs 0] Pr 1 [A outputs 0] The second game differs from game 1 in that it does not double-encrypt m 0, but instead encrypts m 0 once and m 1 once. 6-4

Game 2 (pk 1, sk 1 ), (pk 2, sk 2 ) Gen(1 k ) r Sim 1 (1 k ) c 1 = E pk1 (m 0 ; w 1 ), c 2 = E 2(m 1 ; w 2 ) Π Sim 2 ((c 1, c 2 )) Note that in the above, the simulator is given as input encryptions of two different messages. Such an input is not in L, and in general there is not much we can say about the simulator s output in this case. However, we will see that in this particular case the game is indistinguishable to A because the semantic security of the underlying encryption scheme implies that encryptions of m 0 are indistinguishable from encryptions of m 1. Of course, this will require a formal proof. Claim 3 Pr 1 [A outputs 0] Pr 2 [A outputs 0] is negligible. Proof We use A to construct B that attempts to break the semantic security of the underlying scheme. Recall that B is given a public key, outputs two messages (m 0, m 1 ), is given the encryption of one of these, and has to guess which one. But B does not have access to a decryption oracle. B(pk) Set pk 2 = pk; (pk 1, sk 1 ) Gen(1 k ); r Sim 1 (1 k ); ; ; // note that B has no trouble // simulating the decryption oracle for A Output (m 0, m 1 ); Receive c 2 (an encryption of either m 0 or m 1 using (unknown) random tape w 2 ); w 1 {0, 1} ; c 1 = E pk1 (m 0 ; w 1 ); Π Sim 2 ((c 1, c 2 )); ; Output b. Now, when c 2 is an encryption of m 0, then A s view above is precisely its view in game 1. On the other hand, when c 2 is an encryption of m 1, then A s view above is precisely its view in game 2. Therefore, the probability that A distinguishes game 1 from game 2 is precisely the probability that B distinguishes an encryption of m 0 from an encryption of m 1, which is negligible by the semantic security of the underlying encryption scheme. In the same way as above, we would now like to switch c 1 from being an encryption of m 0 to being an encryption of m 1. Here, however, a potential problem arises! To prove 6-5

a claim analogous to Claim 3, we would need to construct some adversary B that gets pk = pk 1 and then has to distinguish whether the ciphertext c 1 it receives is an encryption of m 0 or m 1. But, in order to do this it has to somehow simulate a decryption oracle for A and this seems to require sk 1, which B does not have! (If B has sk 1 then it would be easy for B to break semantic security of the scheme....) So, we will have to do a little more work before continuing. Let Fake be the event that A submits a query (c 1, c 2, Π) to its decryption oracle (in stage 1) such that D sk1 (c 1 ) D sk2 (c 2 ) but V(r, (c 1, c 2 ), Π) = 1. Note that Π is then a valid-looking proof for a false statement (since (c 1, c 2 ) L). Claim 4 Pr 2 [Fake] is negligible. Proof First, note that Pr 2 [Fake] = Pr 1 [Fake]. This is because A submits oracle queries only in its first stage, and up to that stage the games are identical. Next, we show that Pr 1 [Fake] Pr CCA10 [Fake] is negligible. Up to A s first stage, the games differ only in r being a random string or a simulated string. Construct an algorithm B that attempts to distinguish random from simulated strings, as follows: B(r) (pk 1, sk 1 ), (pk 2, sk 2 ) Gen(1 k ); pk = (pk 1, pk 2, r); Run A D sk ( ) (pk ), simulating the oracle for A normally except that if for any decryption query (c 1, c 2, Π) it is the case that V(r, (c 1, c 2 ), Π) = 1 but D sk1 (c 1 ) D sk2 (c 2 ), then output 1 and stop (note that now B does not throw away sk 2 ); Otherwise, once A is done with its first stage simply output 0 Now, Pr ZKsim [B outputs 0] = Pr 1 [Fake]. Similarly, Pr ZKreal [B outputs 0] = Pr CCA10 [Fake]. Since Pr ZKreal [B outputs 0] Pr ZKsim [B outputs 0] is negligible (since the proof system is adaptively-secure NIZK), we have that Pr 1 [Fake] Pr CCA10 [Fake] is negligible as well. Finally, note that Pr CCA10 [Fake] is negligible. This is because Fake occurs when A produces a valid proof for a (c 1, c 2 ) L, which can only happen with a negligible probability because of the soundness of the NIZK proof system (note that r now is a truly random string). The claim follows. We pick up the proof from here in the next lecture. Informally, the next game we introduce differs from game 2 only in that sk 2 is used for decryption instead of sk 1. The adversary s view in the games only differs if Fake occurs, which happens with negligible probability. All that s left to be done is to switch c 1 to an encryption of m 1 (similar to the introduction of game 2), switch the decryption key back to sk 1, and then go back to a random string and a real proof (similar to the introduction of game 1). This gets us back to game CCA1 1 as desired, and will complete the proof. References [1] M. Naor and M. Yung. Public-Key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks. In Proceedings of the ACM Symposium on the Theory of Computing, pages 427-437, 1990. 6-6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback