Foundations of Cryptography Lecture 14 Malleability Chosen Ciphertext

  • Slides: 70
Foundations of Cryptography Lecture 14: Malleability, Chosen Ciphertext Attacks, Cramer-Shoup Cryptosystem Lecturer: Moni Naor

Recap of last week's lecture
– Black-box zero-knowledge
– Perfect and statistical zero-knowledge
• Limitations and relaxations
– Proofs of knowledge
• Public-key identification
– Random oracles
– Interactive authentication

Interactive Authentication
P wants to convince V that he is approving message m. P has a public key KP of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, KP)
• P → V: Receiving c, decrypt c using KS. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose.

Is it Safe?
Security: existential unforgeability against adaptive chosen message attack
– Adversary can ask to authenticate any sequence of messages m_1, m_2, …
– Has to succeed in making V accept a message m that was not authenticated
– Has complete control over the channels
• Intuition of security: if E does not leak information about the plaintext
– Nothing is leaked about r
• If E is "just" semantically secure against chosen plaintext attacks:
– Adversary might change c = E(m ∘ r, KP) into c' = E(m' ∘ r, KP)
• Malleability: not sufficient to verify correct form of ciphertext in

Encryption – Attacks
• Chosen Plaintext
– Minimal attack relevant to PKCs. Assumes decrypted messages remain secret.
• CCA1: Chosen Ciphertext, preprocessing mode (lunch-break)
– Challenge ciphertext is given after the adversary relinquishes control of the decryption device.
– Good model for membership queries in computational learning.
• CCA2: Chosen Ciphertext, postprocessing mode
– Challenge ciphertext is known when the attack takes

Encryption – Notions of Breaking
• Semantic security: whatever is computable about the plaintext given the ciphertext is computable without it.
– Minimal notion of security for a single encrypter.
• Non-malleable security: whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.

Application: Auctions
• Bidders submit their bids; the highest one should win (bids should be independent)
• Want to keep values secret until all bids are submitted

Example: Auctions
Different requirements, different notions.
• Semantic security is not sufficient for guaranteeing the independence of bids.
• If the key is used for a single auction and secrecy is not required after the auction is over:
– Non-malleable security against chosen plaintext attacks.
• If the key is used for many auctions and secrecy is not required after the auction is over:
– Non-malleable security against chosen ciphertext attacks in the preprocessing mode.
• If the key is used for many auctions and secrecy is required after the auction is over:
– Non-malleable security against chosen ciphertext attacks in the postprocessing mode.

Semantic Security
Whatever adversary A can compute on an encrypted string X ∈ {0,1}^n, so can A' that does not see the encryption of X.
A selects:
• Distribution D_n on {0,1}^n
• Relation R(X, Y), computable in probabilistic polynomial time
For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n:
|Pr[R(X, A(E(X)))] − Pr[R(X, A'(·))]| is negligible
In other words: the outputs of A and A' are indistinguishable even for a tester who is aware of X.

[Diagram: X ∈_R D_n; A receives E(X) and outputs Y, A' receives nothing and outputs Y'; the tester compares R(X, Y) with R(X, Y'), and the two are ≈ indistinguishable.]

Non-Malleable Security
Whatever adversary A can compute on an encrypted string X ∈ {0,1}^n, so can A' that does not see the encryption of X.
A selects:
• Distribution D_n on {0,1}^n
• Relation R(X, Y), computable in probabilistic polynomial time
For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n:
|Pr[R(X, D(A(E(X))))] − Pr[R(X, D(A'(·)))]| is negligible
In other words: the outputs of A and A' are indistinguishable even for a tester who gets the decryptions of what they output.

[Diagram: as before, but the outputs Y of A and A' pass through the decryption D before the relation R is evaluated; the definition must deal with invalid ciphertexts.]

Combinations
All combinations are useful in some circumstances.

Breaking \ Attack      CPA    CCA1 (lunch-time)    CCA2 (post-processing)
Semantic security
Non-malleability

All implications are proper.

Principles for Increasing Security
Essentially all constructions achieving better than semantic security against chosen plaintext attacks use:
• Redundancy in the encryption.
• Validation that the ciphertext is of the right form.
Validation is the trickiest part.
• Relatively simple in:

Private-key World
Preventing CCA in the postprocessing mode: add private-key authentication.
• Shared key: S_1 and S_2, seeds to a pseudo-random function F
To encrypt m:
• Choose random r. Let Y = F_{S_1}(r) ⊕ m and let Z = F_{S_2}(r ∘ Y)
• Send (r, Y, Z)
To decrypt (r, Y, Z): let Z' = F_{S_2}(r ∘ Y).
– If Z' = Z let m = F_{S_1}(r) ⊕ Y
– If Z' ≠ Z output invalid
• No information from rejection!
Claim: the scheme is NM-secure against CCA2
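The private-key construction above, as an added example (not code from the lecture): F_S is instantiated by HMAC-SHA256, which is an assumption the slide does not make, and the function names and the fixed 32-byte message length are this example's choices.

```python
import hmac
import hashlib
import secrets

# Added example, not from the lecture: the private-key scheme above, with the
# pseudo-random function F_S instantiated by HMAC-SHA256 (an assumption; the
# slide only says "seeds to a pseudo-random function"). Messages are fixed at
# 32 bytes so that a single PRF output masks the whole message.
MSG_LEN = 32
NONCE_LEN = 16

def prf(seed, data):
    """F_seed(data): HMAC-SHA256 used as a PRF with a 32-byte output."""
    return hmac.new(seed, data, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen():
    """Shared key: independent seeds S_1 (masking) and S_2 (authentication)."""
    return secrets.token_bytes(32), secrets.token_bytes(32)

def encrypt(key, m):
    s1, s2 = key
    if len(m) != MSG_LEN:
        raise ValueError("fixed-length messages only")
    r = secrets.token_bytes(NONCE_LEN)   # fresh random r
    y = xor(prf(s1, r), m)               # Y = F_S1(r) xor m
    z = prf(s2, r + y)                   # Z = F_S2(r || Y)
    return r, y, z

def decrypt(key, ct):
    """Return m, or None for 'invalid'; a rejection says nothing about S_1."""
    s1, s2 = key
    r, y, z = ct
    z_prime = prf(s2, r + y)
    if not hmac.compare_digest(z_prime, z):   # Z' != Z: reject, constant-time
        return None
    return xor(prf(s1, r), y)

def tamper_y(ct, c):
    """The El-Gamal style transformation: xor a constant C into Y, keep r and Z."""
    r, y, z = ct
    return r, xor(y, c), z

def roundtrip_and_tamper(key, m, c):
    """Decrypt the honest ciphertext and a copy whose Y was replaced by Y xor C."""
    ct = encrypt(key, m)
    return decrypt(key, ct), decrypt(key, tamper_y(ct, c))

if __name__ == "__main__":
    k = keygen()
    m = b"bid: 1000 units " * 2            # constructed 32-byte sample message
    honest, tampered = roundtrip_and_tamper(k, m, b"\x01" * MSG_LEN)
    print(honest == m, tampered)          # True, then None: the tag rejects Y xor C
```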

DDN Lite: The Idea
Start with a PKC that is semantically secure against CPA.
• Have many different instances of the original scheme
• Each encryption should use a different subset of the keys
– Enforce by one-time signatures.
• Before decryption, verify consistency.
• Properties: if the original scheme is SS against chosen plaintext attack, the result is NM-secure against chosen plaintext attacks.
• If the original scheme is S-secure against CCA in the preprocessing mode, the result is NM-secure against CCA in the preprocessing mode.

DDN Lite
Public key: ⟨K_1^0, K_1^1⟩, ⟨K_2^0, K_2^1⟩, …, ⟨K_n^0, K_n^1⟩, where each K_i^b is the public key of a SS PKC
• A function h: {0,1}* → {0,1}^n, a UOWHF (hard to find a collision with a target input)
Private key: the decryption keys of {K_i^b}.
Encryption of a message m:
• Choose at random K_OS, the public key of a one-time signature scheme
• Let b_1, b_2, …, b_n = h(K_OS).
• Encrypt m using the keys K_i^{b_i} to obtain C_1, C_2, …, C_n.
• Sign ⟨C_1, C_2, …, C_n⟩ using K_OS^{-1} and h; let S be the result
• The ciphertext is: K_OS, ⟨C_1, …, C_n⟩, S.
Decryption of ciphertext K_OS, C_1, …, C_n, S:
• Verify the signature S on ⟨C_1, C_2, …, C_n⟩ using K_OS.
• Verify the consistency (equality) of all the plaintexts.
• Decrypt using any one of the keys.

Ideas for achieving resistance to CCA
• Add redundancy: hard to generate frivolous ciphertexts
• Add methods to check consistency
– This is the trickiest part:
• Non-interactive zero-knowledge
• Specific schemes
• Decrypt only if the given ciphertext passes the consistency checks
Important point: may decrypt with several different private keys
[Diagram: C_1 and C_2 with a proof of consistency; if we have consistency then we can decrypt with either key]

Proofs of consistency
• How to have a proof of consistency that does not leak the plaintext
– Non-Interactive Zero-Knowledge (NIZK)
• How to make the proof itself non-malleable
– Otherwise one can change it and get a different ciphertext with the same plaintext

Approaches for obtaining CCA/NM
• General NIZK
• Specific NIZK
– Cramer-Shoup: special verifier
• Through IBE: Identity Based Encryption

Discrete Log Problem
• Let G be a group and g an element in G.
• Let y = g^z and x the minimal non-negative integer satisfying the equation; x is called the discrete log of y to base g.
• Example: y = g^x mod p in the multiplicative group of Z_p
• In general: easy to exponentiate via repeated squaring
– Consider the binary representation
• What about discrete log?
– If difficult, f(g, x) = (g, g^x) is a one-way function
DL Assumption for group G:
• No efficient algorithm can solve for x ∈ [0..n−1] whp

Discrete Log Problem
Very useful group for DL:
• P and Q: large primes, s.t. Q | P−1
• g: an element of order Q in Z_P*.
Best known algorithms:
– √Q, or
– subexponential in log P
Randomized reduction: given Y generate Y' = Y·g^r for r ∈_R [Q]

Diffie-Hellman
The Diffie-Hellman assumption: let G be a group and g an element in G. Given g, X = g^a and Y = g^b it is hard to find Z = g^{ab} for random a and b: the probability of a poly-time machine outputting g^{ab} is negligible.
More accurately: a sequence of groups.
Don't know how to verify whether a given Z' is equal to g^{ab}.

Decisional Diffie-Hellman Problem
For a generator g of a group of size Q and a, b ∈ [Q]: given g, Y = g^a, X = g^b and Z, decide whether Z = g^{ab} or Z ≠ g^{ab}.
Equivalent: is log_g Y = log_X Z?
DDH Assumption:
• The DDH problem is hard in the worst case.

Average DDH
For a, b ∈_R [Q] and c which is either
– c = ab, or
– c ∈_R [Q]
Given Y = g^a, X = g^b and Z = g^c, decide whether Z = g^{ab} or Z ≠ g^{ab}.
DDH Assumption, average case:
• The DDH problem is hard for the above distribution.

Worst to Average case reduction
Theorem: the average case and the worst case of the DDH assumption are equivalent.
• Given g^a, g^b and g^c (and P, Q); c is either ab or not
• Sample r, s_1, s_2 ∈_R [Q]
• Compute
  a' = ra + s_1 mod Q,  so g^{a'} = (g^a)^r · g^{s_1}
  b' = b + s_2 mod Q,   so g^{b'} = g^b · g^{s_2}
  a'b' = rab + ras_2 + bs_1 + s_1s_2
  g^{c'} = (g^c)^r · (g^a)^{rs_2} · (g^b)^{s_1} · g^{s_1s_2}

…Worst to average
If c = ab + e mod Q then
– a' = ra + s_1 mod Q
– b' = b + s_2 mod Q
– c' = a'b' + e·r mod Q
(since a'b' = rab + ras_2 + bs_1 + s_1s_2)
• Always: a' and b' are uniformly distributed.
• If e = 0, then c' = a'b'.
• Otherwise c' is uniform and independent in [Q].
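The rerandomization above carried out in code, as an added example that is not from the slides: the toy group P = 10007, Q = 5003, g = 4 is constructed here so that the answer can be verified by brute-force discrete log, and the `coins` parameter exists only to make runs reproducible.

```python
import secrets

# Added example (not from the slides): the worst-to-average-case
# rerandomization of a DDH instance, in a constructed toy group so the result
# can be checked by brute force. P = 10007 = 2*5003 + 1 with Q = 5003 prime,
# and g = 4 generates the subgroup of order Q in Z_P^*.
P, Q, G = 10007, 5003, 4

def rerandomize(ga, gb, gc, coins=None):
    """Map (g^a, g^b, g^c) to (g^a', g^b', g^c') with
         a' = r*a + s1,  b' = b + s2,  c' = r*c + r*a*s2 + b*s1 + s1*s2  (mod Q),
    so that c' = a'b' exactly when c = ab, and c' = a'b' + e*r otherwise.
    `coins` = (r, s1, s2) may be supplied to make the mapping reproducible."""
    r, s1, s2 = coins if coins else (secrets.randbelow(Q) for _ in range(3))
    ga_new = pow(ga, r, P) * pow(G, s1, P) % P                 # g^(ra + s1)
    gb_new = gb * pow(G, s2, P) % P                            # g^(b + s2)
    gc_new = (pow(gc, r, P) * pow(ga, r * s2 % Q, P)
              * pow(gb, s1, P) * pow(G, s1 * s2 % Q, P)) % P   # g^(rc + ras2 + bs1 + s1s2)
    return ga_new, gb_new, gc_new

def dlog(y):
    """Brute-force discrete log to base g: feasible only because Q is tiny."""
    acc = 1
    for x in range(Q):
        if acc == y:
            return x
        acc = acc * G % P
    raise ValueError("element not in the order-Q subgroup")

def is_dh_tuple(ga, gb, gc):
    """Omniscient checker (brute force): is log(gc) = log(ga)*log(gb) mod Q?"""
    return dlog(gc) == dlog(ga) * dlog(gb) % Q

def make_instance(a, b, e):
    """(g^a, g^b, g^(ab+e)): a DH tuple iff e = 0."""
    return pow(G, a, P), pow(G, b, P), pow(G, (a * b + e) % Q, P)

if __name__ == "__main__":
    yes = make_instance(123, 456, 0)     # constructed worst-case instances
    no = make_instance(123, 456, 7)
    # The rerandomized tuples look like fresh average-case instances yet keep
    # the yes/no answer of the original (for a "no" instance the only escape
    # is r = 0, probability 1/Q, which is what "c' uniform" allows).
    print(is_dh_tuple(*rerandomize(*yes)), is_dh_tuple(*rerandomize(*no)))
```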

Evidence to Validity of DDH
• Endured extensive research for DH search
– DH-search is related to discrete log
• Hard for generic algorithms (that work in a black-box group)
• Computing the most significant bits of g^{ab} is hard
• Random-self-reducibility.

El-Gamal Cryptosystem variant:
• Private key a ∈_R [Q]
• Public key Y = g^a and P, Q and h (g generates the subgroup of size Q)
• To encrypt M:
– choose r ∈_R [Q]; compute X = g^r and Y^r
– send ⟨X, h(Y^r) ⊕ M⟩
• To decrypt ⟨X, W⟩:
– compute X^a = Y^r
– output h(X^a) ⊕ W
How is h chosen? h: G → {0,1}^k; pair-wise independence suffices.

El-Gamal Security
Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext attacks, but...
• The scheme is malleable
– To change M to M' = M ⊕ C: change ⟨X, W⟩ to ⟨X, W ⊕ C⟩

Proving consistency of exponentiations
• Given generators g_1, g_2 and X_1, X_2: is there an r where X_1 = g_1^r and X_2 = g_2^r?
Honest-verifier zero-knowledge proof:
– Verifier sends Z = g_1^{b_1} g_2^{b_2} for random b_1, b_2
– Prover sends V = Z^r
– Verifier accepts iff X_1^{b_1} X_2^{b_2} = V
Leaks only a linear equation for b_1 and b_2.
Simulator: choose random b_1, b_2 and output (g_1^{b_1} g_2^{b_2}, X_1^{b_1} X_2^{b_2})

Proving consistency of exponentiations
• Given g_1, g_2, X_1, X_2: is there an r where X_1 = g_1^r and X_2 = g_2^r?
Z can be known when r and X_1, X_2 are chosen!
Honest-verifier zero-knowledge proof:
– Verifier sends Z = g_1^{b_1} g_2^{b_2} for random b_1, b_2
– Prover sends V = Z^r
– Verifier accepts iff X_1^{b_1} X_2^{b_2} = V
Leaks only a linear equation for b_1 and b_2.
Soundness: if X_1 = g_1^r and X_2 = g_2^{r+e} then
X_1^{b_1} X_2^{b_2} = g_1^{rb_1} g_2^{(r+e)b_2} = g_1^{rb_1} g_2^{rb_2} g_2^{eb_2} = Z^r (g_2^e)^{b_2},
and (g_2^e)^{b_2} is random in the group.

Cramer-Shoup Lite
• Private key: a, b_1, b_2 ∈_R [Q]
• Public key:
– g_1, g_2, Y = g_1^a and Z = g_1^{b_1} g_2^{b_2}
• To encrypt M:
– choose r ∈_R [Q]
– compute Y^r, X_1 = g_1^r, X_2 = g_2^r and Z^r
– send ⟨X_1, X_2, h(Y^r) ⊕ M, Z^r⟩
• To decrypt ⟨X_1, X_2, W, V⟩:
– check validity: X_1^{b_1} X_2^{b_2} = V, and if yes
– compute X_1^a = Y^r; output h(Y^r) ⊕ W

Cramer-Shoup Complexity
• Encryption: 4 modular exponentiations
• Decryption: 3 modular exponentiations

Cramer-Shoup Security
Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext attacks; we show that the scheme is secure against chosen ciphertext attacks (preprocessing), but...
• The scheme is malleable
– To change M to M' = M ⊕ C, change ⟨X, W⟩ to ⟨X, W ⊕ C⟩

Chosen Ciphertext Attacks: Lunchtime
Adversary T has temporary access to a decryption oracle. Then it is given a challenge.
• Semantic security: the adversary chooses two messages ⟨M_0, M_1⟩
• For d ∈_R {0,1} it is given E(M_d) and has to guess d.
Let p_d = Pr[T(E(M_d)) = '1' | d]

Proof of security
Show how to use an adversary that can break the CS scheme for breaking DDH.
Given ⟨g_1, g_2, X_1, X_2⟩ want to distinguish:
• X_1 = g_1^r, X_2 = g_2^r for r ∈_R [Q] and random g_1, g_2, or
• X_1 = g_1^{r_1}, X_2 = g_2^{r_2} for r_1, r_2 ∈_R [Q] and random g_1, g_2

…Proof of security: simulation
Given ⟨g_1, g_2, X_1, X_2⟩ generate:
• Private key a_1, a_2, b_1, b_2 ∈_R [Q] and
• Public key ⟨g_1, g_2, Y = g_1^{a_1} g_2^{a_2}, Z = g_1^{b_1} g_2^{b_2}⟩
• To decrypt ⟨X'_1, X'_2, W, V⟩:
– check X'_1^{b_1} X'_2^{b_2} = V, and if it passes
– compute X'_1^{a_1} X'_2^{a_2} = Y^r; output h(Y^r) ⊕ W
Normal operation, independent of X_1, X_2.

…Proof of security: simulation
When the adversary chooses ⟨M_0, M_1⟩: for d ∈_R {0,1} generate the ciphertext
⟨X_1, X_2, h(X_1^{a_1} X_2^{a_2}) ⊕ M_d, V = X_1^{b_1} X_2^{b_2}⟩
Claim: if log_{g_1} X_1 = log_{g_2} X_2 then the ciphertext is valid.
If log_{g_1} X_1 ≠ log_{g_2} X_2 then the ciphertext is inconsistent and independent of d.

Important property of scheme
For both the real and the simulated scheme:
• no (even powerful) adversary can find an inconsistent ciphertext that is considered 'valid'.
• Key point: b_1 and b_2 are random in [Q]. Z = g_1^{b_1} g_2^{b_2} reveals one linear equation; there are still Q possibilities for (b_1, b_2).

Inconsistent = Invalid
• Each candidate ciphertext ⟨X'_1, X'_2, W', V'⟩ such that log_{g_1} X'_1 ≠ log_{g_2} X'_2 can be viewed as a query on the value (b_1, b_2).
• With probability 1 − 1/Q the answer is invalid
• Whp (1 − q/Q) the adversary never gets a decryption of an invalid ciphertext
• No "information" from rejection!

• No decryption of a consistent ciphertext reveals information regarding a_1, a_2: Y = g_1^{a_1} g_2^{a_2} reveals one linear equation, and decryptions do not reveal more equations.
• The only inconsistent ciphertext that the adversary sees is the challenge ciphertext. If log_{g_1} X_1 ≠ log_{g_2} X_2 then the ciphertext is invalid and independent of d.

• Let
  p_0 = Pr[T(E(M_0)) = '1' | d = 0]
  p_1 = Pr[T(E(M_1)) = '1' | d = 1]
  p' = Pr[T = '1' | ciphertext is invalid]
• If |p_1 − p_0| ≥ ε then either
– |p_1 − p'| ≥ ε/2, or
– |p_0 − p'| ≥ ε/2
Can distinguish DDH with advantage ε/2

Cramer-Shoup: Full Strength
• Private key: a, b_1, b_2, c_1, c_2 ∈_R [Q]
• Public key:
– g_1, g_2, Y = g_1^a, Z = g_1^{b_1} g_2^{b_2}, Z' = g_1^{c_1} g_2^{c_2} and H, a UOWHF (one-way hash)
• To encrypt M, choose r ∈_R [Q] and
– compute Y^r, X_1 = g_1^r, X_2 = g_2^r, W = h(Y^r) ⊕ M, α = H(W, X_1, X_2)
– send ⟨X_1, X_2, W, Z^r Z'^{rα}⟩
• To decrypt ⟨X_1, X_2, W, V⟩:
– check validity: X_1^{b_1 + c_1 α} X_2^{b_2 + c_2 α} = V, and if it passes
– compute X_1^a = Y^r; output h(Y^r) ⊕ W
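The El-Gamal variant (whose W ⊕ C malleability was shown earlier) and the full-strength scheme above, side by side as an added example that is neither the lecture's nor Cramer and Shoup's code; the toy group, the use of SHA-256 for both h and H, and all function names are this example's assumptions.

```python
import hashlib
import secrets

# Added example, not code from the lecture: the El-Gamal variant and the
# full-strength Cramer-Shoup scheme side by side in a constructed toy group
# (P = 10007 = 2*5003 + 1, Q = 5003, g_1 = 4 and g_2 = 9 both of order Q).
# Assumptions: SHA-256 stands in for both the key-derivation hash h and the
# UOWHF H; messages are 32 bytes. Nothing here is sized for real security.
P, Q = 10007, 5003
G1, G2 = 4, 9

def rand_exp():
    return secrets.randbelow(Q - 1) + 1      # r = 0 would make X_1 = X_2 = 1

def h(elem):
    """h: G -> {0,1}^256, used to mask a 32-byte message."""
    return hashlib.sha256(b"kdf|%d" % elem).digest()

def H(W, X1, X2):
    """alpha = H(W, X_1, X_2), reduced into [Q] so it can serve as an exponent."""
    d = hashlib.sha256(b"uowhf|" + W + b"|%d|%d" % (X1, X2)).digest()
    return int.from_bytes(d, "big") % Q

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- El-Gamal variant: semantically secure under DDH, but malleable ---
def eg_keygen():
    a = rand_exp()
    return a, pow(G1, a, P)                           # private a, public Y = g^a

def eg_encrypt(Y, M):
    r = rand_exp()
    return pow(G1, r, P), xor(h(pow(Y, r, P)), M)     # <X = g^r, W = h(Y^r) xor M>

def eg_decrypt(a, ct):
    X, W = ct
    return xor(h(pow(X, a, P)), W)                    # X^a = Y^r

# --- Cramer-Shoup, full strength ---
def cs_keygen():
    a, b1, b2, c1, c2 = (rand_exp() for _ in range(5))
    Y = pow(G1, a, P)
    Z = pow(G1, b1, P) * pow(G2, b2, P) % P
    Zp = pow(G1, c1, P) * pow(G2, c2, P) % P
    return (a, b1, b2, c1, c2), (Y, Z, Zp)

def cs_encrypt(pk, M):
    Y, Z, Zp = pk
    r = rand_exp()
    X1, X2 = pow(G1, r, P), pow(G2, r, P)
    W = xor(h(pow(Y, r, P)), M)
    alpha = H(W, X1, X2)                               # binds W to X_1, X_2
    V = pow(Z, r, P) * pow(Zp, r * alpha % Q, P) % P   # Z^r * Z'^(r*alpha)
    return X1, X2, W, V

def cs_decrypt(sk, ct):
    """Return M, or None when X_1^(b1+c1*alpha) X_2^(b2+c2*alpha) != V."""
    a, b1, b2, c1, c2 = sk
    X1, X2, W, V = ct
    alpha = H(W, X1, X2)
    check = pow(X1, (b1 + c1 * alpha) % Q, P) * pow(X2, (b2 + c2 * alpha) % Q, P) % P
    if check != V:
        return None                                    # invalid: say nothing more
    return xor(h(pow(X1, a, P)), W)

def compare_under_w_xor(M, C):
    """Give both schemes a ciphertext whose W was replaced by W xor C.
    Returns (El-Gamal output, Cramer-Shoup output)."""
    a, Y = eg_keygen()
    X, W = eg_encrypt(Y, M)
    eg_out = eg_decrypt(a, (X, xor(W, C)))             # decrypts to M xor C
    sk, pk = cs_keygen()
    X1, X2, W, V = cs_encrypt(pk, M)
    cs_out = cs_decrypt(sk, (X1, X2, xor(W, C), V))    # alpha changes: rejected
    return eg_out, cs_out

if __name__ == "__main__":
    M = b"highest bid: 42 " * 2                        # constructed sample message
    eg_out, cs_out = compare_under_w_xor(M, b"\x07" * 32)
    print(eg_out == xor(M, b"\x07" * 32), cs_out)      # True, None
```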

Cramer-Shoup (full strength) Security
Under the DDH assumption the cryptosystem is
• non-malleable against
• chosen ciphertext attacks in the postprocessing mode

Conclusions
• The CS scheme is within a multiplicative constant of "vanilla" Diffie-Hellman, yet enjoys provable resistance to CCA
• Authentication: given CCA resistance, the only known Diffie-Hellman based public-key authentication
– can be used for deniable authentication

Interactive Authentication
P wants to convince V that he is approving message m. P has a public key KP of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, KP)
• P → V: Receiving c, decrypt c using KS. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose.

Is it Safe?
Want: existential unforgeability against adaptive chosen message attack
– Adversary can ask to authenticate any sequence m_1, m_2, …
– Has to succeed in making V accept a message m that was not authenticated
– Has complete control over the channels
• Intuition of security: if E does not leak information about the plaintext
– Nothing is leaked about r
• Several problems: if E is "just" semantically secure against chosen plaintext attacks:
– Adversary might change c = E(m ∘ r, KP) into c' = E(m' ∘ r, KP)
• Malleability

No receipts
• Can the verifier convince a third party that the prover approved a certain message?

Authentication and Non-Repudiation
• Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to a third party: non-repudiation.
– Essential to contract signing, e-commerce…
• Digital signatures: last 25 years major effort in
– Research
• Notions of security
• Computationally efficient constructions
– Technology, infrastructure (PKI), commerce,

Is non-repudiation always desirable?
Not necessarily so:
• Privacy of conversation, no (verifiable) record.
– Do you want everything you ever said to be held against you?
• If Bob pays for the authentication, he shouldn't be able to transfer it for free
• Perhaps can gain efficiency
Alternative: (plausible) deniability, if the recipient (or any recipient) could have generated the conversation himself, or an indistinguishable one

Deniable Authentication
Setting:
• Sender has a public key known to the receiver
• Want an authentication scheme such that the receiver keeps no receipt of the conversation. This means:
• Any receiver could have generated the conversation itself.
– There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
– Exactly as in zero-knowledge!
– An example where zero-knowledge is the end, not the means!

Ring Signatures and Authentication
Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their 'regular' public keys (encryption)
• Should be indistinguishable which member of the set is actually doing the authentication
[Diagram: Bob, Alice?, Eve]

A Public Key Authentication Protocol
P has a public key PK of an encryption scheme E. To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n and random bits ρ ∈ {0,1}*. Send Y = E(PK, m∘r, ρ)
• P → V: Verify that the prefix of the plaintext is indeed m. If yes, send r.
V accepts iff the received r' = r
Is it unforgeable? Is it deniable?

Security of the scheme
Unforgeability: depends on the strength of E
• Sensitive to malleability:
– if, given E(PK, m∘r, ρ), one can generate E(PK, m'∘r', ρ') where m' is related to m and r' is related to r, then one can forge.
• The protocol allows a chosen ciphertext attack on E.
– Even of the post-processing kind!
• Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
• Works even against concurrent executions.
We saw an encryption scheme satisfying the desired requirements.
Deniability: does V retain a receipt?
– It does not retain one for an honest V
– Need to prove knowledge of r

Simulator for honest receiver
Choose r ∈_R {0,1}^n. Output: ⟨Y = E(PK, m∘r, ρ), r, ρ⟩
Has exactly the same distribution as a real conversation when the verifier is following the protocol: statistical indistinguishability.
The verifier might cheat by checking whether certain ciphertexts have m as a prefix. No known concrete way of doing harm this way.

Encryption as Commitment
When the public key PK is fixed and known, Y = E(PK, x, ρ) can be seen as a commitment to x.
To open x: reveal ρ, the random bits used to create Y.
Perfect binding: from unique decryption. For any Y there are no two different x and x' and ρ, ρ' s.t. Y = E(PK, x, ρ) = E(PK, x', ρ').
Secrecy: no information about x is leaked to those not knowing the private key PS.

Deniable Protocol
P has a public key PK of an encryption scheme E. To authenticate message m:
• V → P: Choose x ∈_R {0,1}^n. Send Y = E(PK, m∘x, ρ)
• P → V: Send E(PK, x, ρ') (P commits to the value x; does not want to reveal it yet)
• V → P: Send x and ρ, opening Y = E(PK, m∘x, ρ)
• P → V: Open E(PK, x, ρ') by sending ρ'.
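The four messages above, run end to end as an added example (not from the lecture): E is instantiated with hashed El-Gamal in a toy group so that revealing ρ opens a ciphertext as a commitment, and a simulator in the spirit of the "Simulator for honest receiver" slide is included to show why V keeps no receipt. The group, the SHAKE-256 masking and the function names are assumptions.

```python
import hashlib
import secrets

# Added example, not from the lecture: the four-message deniable protocol
# above, with E(PK, msg, rho) instantiated by hashed El-Gamal in a constructed
# toy group (P = 10007, Q = 5003, g = 4 of order Q). The randomness rho is the
# El-Gamal exponent, so revealing it opens the ciphertext as a commitment.
# Assumptions: SHAKE-256 masks the message; x is 16 bytes. Toy sizes only.
P, Q, G = 10007, 5003, 4
X_LEN = 16

def keygen():
    ps = secrets.randbelow(Q - 1) + 1
    return ps, pow(G, ps, P)                         # (PS, PK)

def fresh_rho():
    return secrets.randbelow(Q - 1) + 1

def mask(elem, n):
    return hashlib.shake_256(b"%d" % elem).digest(n)

def E(PK, msg, rho):
    """E(PK, msg, rho): deterministic given rho, so it doubles as a commitment."""
    pad = mask(pow(PK, rho, P), len(msg))
    return pow(G, rho, P), bytes(a ^ b for a, b in zip(pad, msg))

def D(PS, ct):
    X, W = ct
    pad = mask(pow(X, PS, P), len(W))
    return bytes(a ^ b for a, b in zip(pad, W))

def opens(PK, ct, msg, rho):
    """Perfect binding: ct opens to (msg, rho) iff re-encryption reproduces it."""
    return E(PK, msg, rho) == ct

def run_protocol(PK, PS, m):
    """Honest V (holds PK) and P (holds PS). Returns the transcript V ends up
    with, or None if either side aborts."""
    # V -> P: hide x behind the prefix m
    x, rho = secrets.token_bytes(X_LEN), fresh_rho()
    Y = E(PK, m + x, rho)
    # P -> V: decrypt, insist on the prefix, commit to x without revealing it
    pt = D(PS, Y)
    if pt[:len(m)] != m:
        return None                                  # P refuses to authenticate m
    x_seen, rho_p = pt[len(m):], fresh_rho()
    C = E(PK, x_seen, rho_p)
    # V -> P: open Y; P checks the opening before opening its own commitment
    if not (opens(PK, Y, m + x, rho) and x == x_seen):
        return None
    # P -> V: open C; V accepts iff C committed to the x it chose
    if not opens(PK, C, x, rho_p):
        return None
    return (Y, C, (x, rho), rho_p)

def verify_transcript(PK, m, tr):
    """What a third party could check about a transcript V shows them."""
    Y, C, (x, rho), rho_p = tr
    return opens(PK, Y, m + x, rho) and opens(PK, C, x, rho_p)

def simulate_transcript(PK, m):
    """Anyone holding only PK produces a transcript with the same distribution
    as a real run, so a transcript proves nothing about P."""
    x, rho, rho_p = secrets.token_bytes(X_LEN), fresh_rho(), fresh_rho()
    return (E(PK, m + x, rho), E(PK, x, rho_p), (x, rho), rho_p)

if __name__ == "__main__":
    PS, PK = keygen()
    m = b"approve transfer"                           # constructed sample message
    real = run_protocol(PK, PS, m)
    fake = simulate_transcript(PK, m)
    print(verify_transcript(PK, m, real), verify_transcript(PK, m, fake))   # True True
```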

Security of the scheme
Unforgeability: as before, depends on the strength of E; can simulate the previous scheme (with access to D(PK, ·)).
Important property: E(PK, x, ρ) is a non-malleable commitment (w.r.t. the encryption) to x.
Deniability: can run a simulator:
• Extract x by running with E(PK, garbage, ρ) and rewinding
• Expected polynomial time
• Need the semantic security of E: it acts as a commitment scheme

Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their 'regular' public keys
– Should be indistinguishable which member of the set is actually doing the authentication
[Diagram: Bob, Alice?, Eve]

Ring Authentication Setting
• A ring is an arbitrary set of participants including the authenticator
• Each member i of the ring has a public encryption key PK_i
– Only i knows the corresponding secret key PS_i
• To run a ring authentication protocol both sides need to know PK_1, PK_2, …, PK_n, the public keys of the ring members.

An Almost Good Ring Authentication Protocol
Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E.
To authenticate message m with the j-th decryption key PS_j:
• V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m∘x, r_1), E(PK_2, m∘x, r_2), …, E(PK_n, m∘x, r_n)
• P → V: Decrypt E(PK_j, m∘x, r_j) using PS_j and send E(PK_1, x, t_1), E(PK_2, x, t_2), …, E(PK_n, x, t_n)
• V → P: Open all the E(PK_i, m∘x, r_i) by sending x and r_1, r_2, …, r_n
• P → V: Verify consistency and open all E(PK_i, x, t_i) by sending t_1, t_2, …, t_n
Problem: what if not all suffixes (the x's) are equal?

The Ring Authentication Protocol
Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E.
To authenticate message m with the j-th decryption key PS_j:
• V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m∘x, r_1), E(PK_2, m∘x, r_2), …, E(PK_n, m∘x, r_n)
• P → V: Decrypt E(PK_j, m∘x, r_j) using PS_j and send E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n), where x = x_1 + x_2 + … + x_n
• V → P: Open all the E(PK_i, m∘x, r_i) by sending x and r_1, r_2, …, r_n
• P → V: Verify consistency and open all E(PK_i, x_i, t_i) by sending t_1, t_2, …, t_n and x_1, x_2, …, x_n

Complexity of the scheme
Sender: a single decryption, n encryptions and n encryption verifications
Receiver: n encryptions and n encryption verifications
Communication complexity: O(n) public-key encryptions

Security of the scheme
Unforgeability: as before (assuming all keys are well chosen), since E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n), where x = x_1 + x_2 + … + x_n, is a non-malleable commitment to x.
Source hiding: which key was used (among well chosen keys) is
– Computationally indistinguishable during the protocol
– Statistically indistinguishable after the protocol
• If it ends successfully
Deniability: can run the simulator 'as before'

Properties of the Scheme
• Works with any good encryption scheme; members of the ring are unwilling participants.
• Fairly efficient scheme:
– Need n encryptions, n verifications and one decryption
• Can extend the scheme so as to convince a verifier that at least k members confirm the message.
• What are the social implications of the

Sources
• Dolev, Dwork and Naor: Non-Malleable Cryptography, SIAM J. Computing 2000; also SIAM Review 2003
• Cramer and Shoup: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack (see www.shoup.net)
• Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. In Eurocrypt 2003,

Question: zero-knowledge protocol for subset sum
• Give a direct protocol (i.e. not through a reduction to Hamiltonicity) for the subset sum problem
• Subset sum problem: given
– n numbers 0 ≤ a_1, a_2, …, a_n < 2^m
– Target sum T
– Is there a subset S ⊆ {1, …, n} such that ∑_{i∈S} a_i = T mod 2^m?

Question: statistically hiding, computationally binding commitments from collision intractable hash functions
• Goal: construct a commitment scheme where
• the induced distribution of the transcript is (nearly) independent of the string committed to
• no PPT sender can, with probability (1 − negligible), reveal two different strings following the commit phase.
Protocol for committing to a bit b. Let H be a family of collision intractable hash functions.
Commit:
• Receiver: choose h ∈ H and give it to the sender
• Sender: choose random z and r. Send h(z), r and ⟨z·r⟩ ⊕ b (inner product over GF[2])
Reveal: publish z
Prove that the protocol satisfies the above requirements.

Find the error
Let E be a public-key encryption scheme which is errorless. Let H be a family of collision intractable hash functions.
Commit: the sender chooses
• a key pair (KP, KS) for E and h ∈ H, and sends h, KP, E(KP, x), h(x ∘ E(KP, x))
Reveal: publish KS
Assuming collision intractable hash functions exist, show that there exists a family H of collision intractable hash functions such that the scheme is insecure for any E.