Relations Among Notions of Security for Public-Key Encryption Schemes Debdeep Muhopadhyay IIT Kharagpur Notions To organize the definitions of secure encryptions Classified depending on: security goals: Indistinguishability (GM) Non-malleability (DDN) attac models: Chosen Plain Text (CPA) Non-adaptive Chosen Ciphertext (CCA) Adaptive Chosen Ciphertext (CCA)
Relations ne can mix and match the goals (IND,NM) and the attac models (CPA, CCA, CCA) thus there are 6 notions of security IND-X: IND-CPA, IND-CCA, IND-CCA NM-X: NM-CPA, NM-CCA, NM-CCA Non-malleability Danny Dolev, Cynthia Dwor and Moni Naor, Non-malleable Cryptography, Siam J of Computing,.
Motivation Consider a bidding scheme. Company A gives a bit of say Rs,. It communicates to the arbiter by using a Public Key Infrastructure (PKI), E() Another company B, should not able to compute a bid value say E(x), st. x< more liely than when B does not have a nowledge of E(). ther Motivations For ey agreement protocols lie Kerberos, after the mutual ey K AB is agreed there is an exchange of nonces, N. ne party sends to the other E KAB (N) and expects E KAB (N-). the assumption being that without KAB it is not feasible to compute N- (or any f(n)) with a probability better than without having the nowledge of the ciphertext of N with KAB). 3
Informally Informally, given the CT it is no easier to generate a different CT, so that the corresponding PTs are related, than it is do with out the ciphertext. Indistinguishability A public ey scheme (E,D,G) is (t,q,ε)- secure in the IND-X sense if for all pairs of different messages of the same length, and for every adversary A that runs in time t and maes at most q queries to oracle : Pr ( p, )[ (, ( ) )] Pr (, )[ (, ( )) ] ( ) s A p Ep m = p s A p Ep m = ε n where the oracle is:, if IND-CPA = Ds, if IND-CCA and the adversary cannot query the decryption oracle at E ( m ) p i 4
CCA vs CCA Imagine all the algorithms A=(A,A ), both of which are also polytime algorithms in n. A generates a message pair and encrypts one of them and gives it to A as a challenge. A has to be successful against the challenge, depending on the goal: IND: It has to tell message / which has been encryptes. NM: It has to return a ciphertext whose corresponding message is related to the plaintext encrypted. Inter-relation IND-CCA=>IND-CCA=>IND-CPA SS 5
Non-Malleability A public-ey scheme (E,D,G) is (t,q,ε)-secure in the NM-X sense if for all message distributions M, and all relations R:MxM {,}, and for every adversary A that runs in time t, and maes at most q queries to oracle, there exists another adversary A that runs in time poly(t), st: Pr ( p, ), [ (, ( (, ( )))] Pr (, ), [ (, ( '( )))] ( ) s mrmds A p Ep m p s mrmds A p ε n where the oracle is:, if IND-CPA = Ds, if IND-CCA and the adversary cannot query the decryption oracle at E ( m) p Relation NM-X=>IND-X If a public-ey scheme is (t,q,ε)-secure in NM-X sense, then it is (t,q,ε)-secure in IND-X sense. Contradict that the scheme is (t,q,ε)- secure in IND-X sense. Show that the scheme is also not (t,q,ε)- secure in NM-X sense. 6
Let us assume that the scheme is not IND-X secure. There exists messages m = m and an adversary A, st: Pr [ A ( p, E ( m ) = )] Pr [ A ( p, E ( m )) = ] > ε ( n) ( p, s) p ( p, s) p We need to prove that there exists B for which there exists a R, so that for all B': Pr [ RmD (, ( B ( p, E ( m)))] Pr [ RmD (, ( B'( p)))] > ε ( n) ( p, s), m s p ( p, s), m s Note :Pr [ R( m, D ( B '( p )))] = / ( p, s), i {,} i s, u = v Consider, R( u, v) =, u v and B ( p, c) = E ( m ) p A ( p, c) Thus, Pr [ R( m, D ( B ( p, E ( m )))] = ( p, s), i {,} i s p i = Pr [ m = D ( B ( p, E ( m )))] ( p, s), m {,} i s p i = Pr [ A ( p, E ( m)) = i] ( p, s), m {,} p i = Pr ( p, ), {,}[ (, ( )) ] Pr s m A pep m = + ( p, s), m {, } [ A ( p, Ep ( m )) = ] = ( Pr ( p, ), {,}[ (, ( )) ]) Pr (, ), {,}[ (, ( )) ] s m A pep m = + p s m A pep m = (Pr (, ), {,} [ (, ( )) ] Pr (, ), {,} [ = + p s m A pep m = p s m A ( p, Ep ( m )) = ]) = + Adv[ A ] Thus, LHS= Adv[ A ] > ε ( n),by our assumption. Thus the assumption leads to a successful adversary against the Encryption in the NM-X sense. A Separation IND CPA > NM CPA Suppose, we have (E,D,G) which satisfies IND-CPA. Consider, E'( p ) = E ( x) p Thus, D' ( b y) = D ( y) s s (E',D',G) is also an IND-CPA scheme. It may be shown that (E',D'G) is not IND-NM. Informally, the IND-NM adversary is provided with y and is ased to produce another ciphertext, whose corresponding plaintext is related to the original plaintext. With probability, the adversary can mae the first bit and obtain y, whose corresponding plaintext is the the same as that corresponding to the challenge. Thus adversary A(p, E' ( m)) outputs y, where y=e ( m). p For an adversary A' who does not have access to E' ( m), its probability of guessing or is /. NM-CPA Thus, Adv[A ] = / = /. p p 7
Another Separation IND CPA > IND CCA Consider 3 : E(m)=x (mod n) s x.s m If the RSA function is a one-way function, then E(x) is a IND-CPA scheme. But, this is clearly not an IND-CCA scheme. Why? Equivalence of NM-CCA and IND-CCA We have proved NM-CCA=>IND-CCA We have to prove that IND-CCA=>NM- CCA We shall assume there is an adversary in the NM-CCA sense. We shall construct an adversary in the IND-CCA sense. 8
Suppose there is an (t,q, ε ) adversary in the NM-CCA sense against the scheme E. p That is there exists a message distribution M and a relation R: M M {,} such that for all simulators S running in polynomial time t: Pr[ RmAp (, (, E ( m))] Pr[ RmS (, ( p))] > ε ( n) p Modify A Adversary B(p, E ( m)), where m { m, m} D R p s Run A ( p, E ( m)) and assign to y If Rm (, D ( y)) return else s return r {,} p 9
Proof (contd.) Simulator S( p ) Generate m" M D s Return A ( p, E ( m")) p Now A is a good adversary in NM-CCA sense. Thus, Pr [ R( md, ( A ( p, E ( m)))] Pr [ RmD (, ( S( p)))] > ε ( n) ( p, s), m s p ( p, s), m s Let, p = Pr [ R( m, D ( A ( p, E ( m )))] ( p, s) s p and p' = Pr [ R( m, D ( A ( p, E ( m )))] ( p, s) s p = Pr [ Rm (, D ( S( p))] ( p, s) s So, we have p- p' > ε ( n)
For IND-CCA we have an adversary B st. Pr [ B ( p, E ( m )) = ] Pr [ B ( p, E ( m )) = ] ε ( n) ( p, s) p ( p, s) p ( p, s) B pep m = = ( p, s) R m Ds A p E i p m Pr [ (, ( )) ] Pr [ (, ( (, ( ))))] + Pr ( p, )[not (, ( (, ( )))) s Rm D s Ap E i p m =p'+ ( p ') Pr [ B ( p, E ( m )) = ] = Pr [ R( m, D ( A( p, E ( m ))))] ( p, s) p ( p, s) s i p + Pr ( p, )[not (, ( (, ( )))) s Rm D s Ap E i p m =p+ ( p) Thus, Adv[B ( p )] = p+ ( p) p'+ ( p') = ( p p') > ε ( n) This completes the proof. Inter-relationship NM-CPA NM-CCA IND-CPA IND-CCA